
Hello4 Virus


Dreamx


I allowed my brother to use my old PC. He gave it back to me because he couldn't do anything on it. I need help cleaning it up; my normal methods aren't working.

Here is the ComboFix log after I ran it.

ComboFix 11-11-16.02 - ~Devon~ 11/17/2011 0:39.2.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1279.800 [GMT -5:00]

Running from: c:\documents and settings\~Devon~\Desktop\Combo-Fix.exe

AV: avast! antivirus 4.8.0 [VPS 000000-0] *Disabled/Outdated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe

c:\program files\QuickTime\qttask .exe

c:\program files\QuickTime\qttask .exe

c:\windows\TEMP\ter1mw32.dll

.

---- Previous Run -------

.

c:\documents and settings\~Devon~\Application Data\dwm.exe

c:\documents and settings\~Devon~\Application Data\Microsoft\conhost.exe

c:\documents and settings\~Devon~\Application Data\PriceGong\Data\1.xml

c:\documents and settings\~Devon~\Application Data\PriceGong\Data\a.xml

c:\documents and settings\~Devon~\Application Data\PriceGong\Data\b.xml

c:\documents and settings\~Devon~\Application Data\PriceGong\Data\c.xml

c:\documents and settings\~Devon~\Application Data\PriceGong\Data\d.xml

c:\documents and settings\~Devon~\Application Data\PriceGong\Data\e.xml

c:\documents and settings\~Devon~\Application Data\PriceGong\Data\f.xml

c:\documents and settings\~Devon~\Application Data\PriceGong\Data\g.xml

c:\documents and settings\~Devon~\Application Data\PriceGong\Data\h.xml

c:\documents and settings\~Devon~\Application Data\PriceGong\Data\i.xml

c:\documents and settings\~Devon~\Application Data\PriceGong\Data\J.xml

c:\documents and settings\~Devon~\Application Data\PriceGong\Data\k.xml

c:\documents and settings\~Devon~\Application Data\PriceGong\Data\l.xml

c:\documents and settings\~Devon~\Application Data\PriceGong\Data\m.xml

c:\documents and settings\~Devon~\Application Data\PriceGong\Data\mru.xml

c:\documents and settings\~Devon~\Application Data\PriceGong\Data\n.xml

c:\documents and settings\~Devon~\Application Data\PriceGong\Data\o.xml

c:\documents and settings\~Devon~\Application Data\PriceGong\Data\p.xml

c:\documents and settings\~Devon~\Application Data\PriceGong\Data\q.xml

c:\documents and settings\~Devon~\Application Data\PriceGong\Data\r.xml

c:\documents and settings\~Devon~\Application Data\PriceGong\Data\s.xml

c:\documents and settings\~Devon~\Application Data\PriceGong\Data\t.xml

c:\documents and settings\~Devon~\Application Data\PriceGong\Data\u.xml

c:\documents and settings\~Devon~\Application Data\PriceGong\Data\v.xml

c:\documents and settings\~Devon~\Application Data\PriceGong\Data\w.xml

c:\documents and settings\~Devon~\Application Data\PriceGong\Data\x.xml

c:\documents and settings\~Devon~\Application Data\PriceGong\Data\y.xml

c:\documents and settings\~Devon~\Application Data\PriceGong\Data\z.xml

c:\documents and settings\~Devon~\Local Settings\Application Data\{213AD529-E6CF-43D4-990B-78917EEEDFE4}\chrome.manifest

c:\documents and settings\~Devon~\Local Settings\Application Data\{213AD529-E6CF-43D4-990B-78917EEEDFE4}\chrome\content\_cfg.js

c:\documents and settings\~Devon~\Local Settings\Application Data\{213AD529-E6CF-43D4-990B-78917EEEDFE4}\chrome\content\overlay.xul

c:\documents and settings\~Devon~\Local Settings\Application Data\{213AD529-E6CF-43D4-990B-78917EEEDFE4}\install.rdf

c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setup.dll

c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll

c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.dat

c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.exe

c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.ico

c:\documents and settings\NetworkService\Local Settings\Application Data\pgyxxwv.exe

c:\program files\DealScout\dealscout.dll

c:\program files\iTunes\iTunesHelper.exe

c:\program files\Mozilla Firefox\extensions\mp3tubetoolbar@mp3tubetoolbar.com\chrome.manifest

c:\program files\Mozilla Firefox\extensions\mp3tubetoolbar@mp3tubetoolbar.com\chrome\content\constants.js

c:\program files\Mozilla Firefox\extensions\mp3tubetoolbar@mp3tubetoolbar.com\chrome\content\convertvideo.js

c:\program files\Mozilla Firefox\extensions\mp3tubetoolbar@mp3tubetoolbar.com\chrome\content\convertvideodlg.js

c:\program files\Mozilla Firefox\extensions\mp3tubetoolbar@mp3tubetoolbar.com\chrome\content\convertvideodlg.xul

c:\program files\Mozilla Firefox\extensions\mp3tubetoolbar@mp3tubetoolbar.com\chrome\content\events.js

c:\program files\Mozilla Firefox\extensions\mp3tubetoolbar@mp3tubetoolbar.com\chrome\content\savetomp3popup.js

c:\program files\Mozilla Firefox\extensions\mp3tubetoolbar@mp3tubetoolbar.com\chrome\content\savetomp3popup.xul

c:\program files\Mozilla Firefox\extensions\mp3tubetoolbar@mp3tubetoolbar.com\chrome\content\tbcore.js

c:\program files\Mozilla Firefox\extensions\mp3tubetoolbar@mp3tubetoolbar.com\chrome\content\toolbar.xul

c:\program files\Mozilla Firefox\extensions\mp3tubetoolbar@mp3tubetoolbar.com\chrome\content\weather.js

c:\program files\Mozilla Firefox\extensions\mp3tubetoolbar@mp3tubetoolbar.com\chrome\content\weatherLoc.js

c:\program files\Mozilla Firefox\extensions\mp3tubetoolbar@mp3tubetoolbar.com\chrome\content\weatherLoc.xul

c:\program files\Mozilla Firefox\extensions\mp3tubetoolbar@mp3tubetoolbar.com\chrome\skin\arrow-grey.png

c:\program files\Mozilla Firefox\extensions\mp3tubetoolbar@mp3tubetoolbar.com\chrome\skin\arrow_partner.png

c:\program files\Mozilla Firefox\extensions\mp3tubetoolbar@mp3tubetoolbar.com\chrome\skin\arrow_small.png

c:\program files\Mozilla Firefox\extensions\mp3tubetoolbar@mp3tubetoolbar.com\chrome\skin\bg.jpg

c:\program files\Mozilla Firefox\extensions\mp3tubetoolbar@mp3tubetoolbar.com\chrome\skin\buttons\arrow.png

c:\program files\Mozilla Firefox\extensions\mp3tubetoolbar@mp3tubetoolbar.com\chrome\skin\buttons\arrow_big.png

c:\program files\Mozilla Firefox\extensions\mp3tubetoolbar@mp3tubetoolbar.com\chrome\skin\buttons\btn_close.png

c:\program files\Mozilla Firefox\extensions\mp3tubetoolbar@mp3tubetoolbar.com\chrome\skin\buttons\dailyhotdeals.png

c:\program files\Mozilla Firefox\extensions\mp3tubetoolbar@mp3tubetoolbar.com\chrome\skin\buttons\divider.png

c:\program files\Mozilla Firefox\extensions\mp3tubetoolbar@mp3tubetoolbar.com\chrome\skin\buttons\facebook.png

c:\program files\Mozilla Firefox\extensions\mp3tubetoolbar@mp3tubetoolbar.com\chrome\skin\buttons\games.png

c:\program files\Mozilla Firefox\extensions\mp3tubetoolbar@mp3tubetoolbar.com\chrome\skin\buttons\icon-RSS.png

c:\program files\Mozilla Firefox\extensions\mp3tubetoolbar@mp3tubetoolbar.com\chrome\skin\buttons\news.png

c:\program files\Mozilla Firefox\extensions\mp3tubetoolbar@mp3tubetoolbar.com\chrome\skin\buttons\plainbutton.png

c:\program files\Mozilla Firefox\extensions\mp3tubetoolbar@mp3tubetoolbar.com\chrome\skin\buttons\savemp3.png

c:\program files\Mozilla Firefox\extensions\mp3tubetoolbar@mp3tubetoolbar.com\chrome\skin\buttons\savemp3_disabled.png

c:\program files\Mozilla Firefox\extensions\mp3tubetoolbar@mp3tubetoolbar.com\chrome\skin\buttons\savemp3popup-musicicon.png

c:\program files\Mozilla Firefox\extensions\mp3tubetoolbar@mp3tubetoolbar.com\chrome\skin\buttons\savemp3popup.png

c:\program files\Mozilla Firefox\extensions\mp3tubetoolbar@mp3tubetoolbar.com\chrome\skin\buttons\saveyoutubevideos.png

c:\program files\Mozilla Firefox\extensions\mp3tubetoolbar@mp3tubetoolbar.com\chrome\skin\buttons\screensaver.png

c:\program files\Mozilla Firefox\extensions\mp3tubetoolbar@mp3tubetoolbar.com\chrome\skin\buttons\search.png

c:\program files\Mozilla Firefox\extensions\mp3tubetoolbar@mp3tubetoolbar.com\chrome\skin\buttons\searchbar-grey-250.png

c:\program files\Mozilla Firefox\extensions\mp3tubetoolbar@mp3tubetoolbar.com\chrome\skin\buttons\searchbox.png

c:\program files\Mozilla Firefox\extensions\mp3tubetoolbar@mp3tubetoolbar.com\chrome\skin\buttons\separator_line.png

c:\program files\Mozilla Firefox\extensions\mp3tubetoolbar@mp3tubetoolbar.com\chrome\skin\buttons\shopping.png

c:\program files\Mozilla Firefox\extensions\mp3tubetoolbar@mp3tubetoolbar.com\chrome\skin\buttons\Thumbs.db

c:\program files\Mozilla Firefox\extensions\mp3tubetoolbar@mp3tubetoolbar.com\chrome\skin\buttons\watermark.png

c:\program files\Mozilla Firefox\extensions\mp3tubetoolbar@mp3tubetoolbar.com\chrome\skin\buttons\youtube.png

c:\program files\Mozilla Firefox\extensions\mp3tubetoolbar@mp3tubetoolbar.com\chrome\skin\feeditem.png

c:\program files\Mozilla Firefox\extensions\mp3tubetoolbar@mp3tubetoolbar.com\chrome\skin\logo.png

c:\program files\Mozilla Firefox\extensions\mp3tubetoolbar@mp3tubetoolbar.com\chrome\skin\news_refresh.png

c:\program files\Mozilla Firefox\extensions\mp3tubetoolbar@mp3tubetoolbar.com\chrome\skin\popupSearchMp3.css

c:\program files\Mozilla Firefox\extensions\mp3tubetoolbar@mp3tubetoolbar.com\chrome\skin\popupWindow.css

c:\program files\Mozilla Firefox\extensions\mp3tubetoolbar@mp3tubetoolbar.com\chrome\skin\SaveMp3_bg_hover.png

c:\program files\Mozilla Firefox\extensions\mp3tubetoolbar@mp3tubetoolbar.com\chrome\skin\SaveMp3_bg_normal.png

c:\program files\Mozilla Firefox\extensions\mp3tubetoolbar@mp3tubetoolbar.com\chrome\skin\savetomp3PopUp.css

c:\program files\Mozilla Firefox\extensions\mp3tubetoolbar@mp3tubetoolbar.com\chrome\skin\Thumbs.db

c:\program files\Mozilla Firefox\extensions\mp3tubetoolbar@mp3tubetoolbar.com\chrome\skin\toolbar.css

c:\program files\Mozilla Firefox\extensions\mp3tubetoolbar@mp3tubetoolbar.com\chrome\skin\weather\chance_of_rain.png

c:\program files\Mozilla Firefox\extensions\mp3tubetoolbar@mp3tubetoolbar.com\chrome\skin\weather\chance_of_snow.png

c:\program files\Mozilla Firefox\extensions\mp3tubetoolbar@mp3tubetoolbar.com\chrome\skin\weather\chance_of_storm.png

c:\program files\Mozilla Firefox\extensions\mp3tubetoolbar@mp3tubetoolbar.com\chrome\skin\weather\chance_of_tstorm.png

c:\program files\Mozilla Firefox\extensions\mp3tubetoolbar@mp3tubetoolbar.com\chrome\skin\weather\cloudy.png

c:\program files\Mozilla Firefox\extensions\mp3tubetoolbar@mp3tubetoolbar.com\chrome\skin\weather\flurries.png

c:\program files\Mozilla Firefox\extensions\mp3tubetoolbar@mp3tubetoolbar.com\chrome\skin\weather\hazy.png

c:\program files\Mozilla Firefox\extensions\mp3tubetoolbar@mp3tubetoolbar.com\chrome\skin\weather\mist.png

c:\program files\Mozilla Firefox\extensions\mp3tubetoolbar@mp3tubetoolbar.com\chrome\skin\weather\mostly_cloudy.png

c:\program files\Mozilla Firefox\extensions\mp3tubetoolbar@mp3tubetoolbar.com\chrome\skin\weather\mostly_sunny.png

c:\program files\Mozilla Firefox\extensions\mp3tubetoolbar@mp3tubetoolbar.com\chrome\skin\weather\rain.png

c:\program files\Mozilla Firefox\extensions\mp3tubetoolbar@mp3tubetoolbar.com\chrome\skin\weather\sleet.png

c:\program files\Mozilla Firefox\extensions\mp3tubetoolbar@mp3tubetoolbar.com\chrome\skin\weather\snow.png

c:\program files\Mozilla Firefox\extensions\mp3tubetoolbar@mp3tubetoolbar.com\chrome\skin\weather\storm.png

c:\program files\Mozilla Firefox\extensions\mp3tubetoolbar@mp3tubetoolbar.com\chrome\skin\weather\sunny.png

c:\program files\Mozilla Firefox\extensions\mp3tubetoolbar@mp3tubetoolbar.com\chrome\skin\weather\Thumbs.db

c:\program files\Mozilla Firefox\extensions\mp3tubetoolbar@mp3tubetoolbar.com\chrome\skin\weather\thunderstorm.png

c:\program files\Mozilla Firefox\extensions\mp3tubetoolbar@mp3tubetoolbar.com\chrome\skin\weather\weatherbug.png

c:\program files\Mozilla Firefox\extensions\mp3tubetoolbar@mp3tubetoolbar.com\chrome\skin\weather\windy.png

c:\program files\Mozilla Firefox\extensions\mp3tubetoolbar@mp3tubetoolbar.com\install.rdf

c:\program files\Mozilla Firefox\Plugins\npclntax_HBLiteSA.dll

c:\program files\Mp3Tube Toolbar\ffmpeg.exe

c:\program files\Mp3Tube Toolbar\Mp3TubeSvc.exe

c:\program files\Mp3Tube Toolbar\mp3Tubetb.dll

c:\program files\Mp3Tube Toolbar\Mp3TubeVideoToMp3.exe

c:\program files\Mp3Tube Toolbar\ShowMsg.exe

c:\program files\Mp3Tube Toolbar\uninstall.exe

c:\program files\QuickTime\qttask.exe

c:\program files\Search Toolbar\icon.ico

c:\program files\Search Toolbar\SearchToolbar.dll

c:\program files\Search Toolbar\SearchToolbarUninstall.exe

c:\program files\Search Toolbar\SearchToolbarUpdater.exe

c:\windows\$xntuninstall643$\ppjxq.dll

c:\windows\$xntuninstall643$\rhlqh.dll

c:\windows\bdodler2.dll

c:\windows\Downloaded Program Files\IDropPTB.dll

c:\windows\kb913800.exe

E:\Autorun.inf

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_TERMSERVICES

-------\Service_TermServices

.

.

((((((((((((((((((((((((( Files Created from 2011-10-17 to 2011-11-17 )))))))))))))))))))))))))))))))

.

.

2011-11-17 05:34 . 2011-11-17 05:34 37888 ----a-w- c:\windows\system32\mwusbw32.dll

2011-11-17 05:34 . 2011-11-17 05:34 161792 ----a-w- c:\windows\system32\vmusbw32.dll

2011-11-17 03:52 . 2011-11-17 03:52 -------- d-----w- c:\documents and settings\~Devon~\Application Data\U3

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe

c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe

c:\program files\Common Files\Java\Java Update\jusched .exe

c:\program files\Common Files\Microsoft Shared\DW\dwtrig20 .exe

c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe

c:\program files\iTunes\iTunesHelper .exe

c:\program files\Lexmark X1100 Series\lxbkbmgr .exe

c:\program files\Messenger\msmsgs .exe

c:\program files\QuickTime\qttask .exe

c:\program files\QuickTime\qttask .exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-08-26 39432]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [N/A]

"Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [N/A]

"Octoshape Streaming Services"="c:\documents and settings\~Devon~\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe" [N/A]

"FreeRandomPasswordGenerator"="c:\program files\FreeRandomPasswordGenerator\password.exe" [N/A]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-21 155648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-21 126976]

"Lexmark X1100 Series"="c:\program files\Lexmark X1100 Series\lxbkbmgr.exe" [2011-08-06 39428]

"WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [N/A]

"Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [N/A]

"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [N/A]

"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [N/A]

"ErrorTeck"="c:\program files\ErrorTeck\ErrorTeck.exe" [N/A]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-08-06 39428]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [N/A]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-08-06 39428]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-08-06 39428]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]

"nwiz"="nwiz.exe" [2008-10-07 1630208]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [N/A]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"nltide3"="rundll32 advpack.dll" [N/A]

"RunNarrator"="Narrator.exe" [2008-04-14 53760]

"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10k_ActiveX.exe" [2010-09-24 232912]

.

c:\documents and settings\~Devon~\Start Menu\Programs\Startup\

CurseClientStartup.ccip [2010-10-9 0]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2009-03-20 77824]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2010-03-25 22:32 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mwusbw32]

2011-11-17 05:34 37888 ----a-w- c:\windows\system32\mwusbw32.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vmwusb]

2011-11-17 05:34 37888 ----a-w- c:\windows\system32\mwusbw32.dll

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\FrostWire\\FrostWire.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\BitTorrent\\BitTorrent.exe"=

"c:\\Program Files\\directx\\DirectX\\dplaysvr.exe"=

"c:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"=

"c:\\Documents and Settings\\~Devon~\\Local Settings\\Apps\\2.0\\RMVXK979.AQB\\5MXJNACE.BY5\\curs..tion_eee711038731a406_0004.0000_efb506202a7c3b08\\CurseClient.exe"=

.

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [4/13/2009 12:58 PM 114768]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [10/10/2006 11:53 AM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/27/2007 10:39 AM 67656]

R1 SSHDRV85;SSHDRV85;c:\windows\system32\drivers\SSHDRV85.sys [6/28/2009 9:49 PM 78848]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/13/2009 12:58 PM 20560]

S1 bckd;bckd;c:\windows\system32\drivers\bckd.sys --> c:\windows\system32\drivers\bckd.sys [?]

S2 bckwfs;Blue Coat K9 Web Protection;c:\program files\Blue Coat K9 Web Protection\k9filter.exe --> c:\program files\Blue Coat K9 Web Protection\k9filter.exe [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]

S2 gupdate1c9d4e5577abf52;Google Update Service (gupdate1c9d4e5577abf52);c:\program files\Google\Update\GoogleUpdate.exe [5/14/2009 5:43 PM 133104]

S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [2/19/2008 4:16 PM 20160]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/16/2006 3:51 PM 12872]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - VMUSB

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

vmwareusb REG_MULTI_SZ vmusb

.

Contents of the 'Scheduled Tasks' folder

.

2011-10-09 c:\windows\Tasks\At1.job

- c:\program files\HP\HP Deskjet 3050 J610 series\Bin\HPCustPartic.exe [2010-06-14 21:07]

.

2011-10-10 c:\windows\Tasks\At2.job

- c:\program files\HP\HP Deskjet 3050 J610 series\Bin\HPCustPartic.exe [2010-06-14 21:07]

.

2011-10-09 c:\windows\Tasks\At3.job

- c:\program files\HP\HP Deskjet 3050 J610 series\Bin\HPCustPartic.exe [2010-06-14 21:07]

.

2011-10-09 c:\windows\Tasks\At4.job

- c:\program files\HP\HP Deskjet 3050 J610 series\Bin\HPCustPartic.exe [2010-06-14 21:07]

.

2011-11-17 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-05-14 23:40]

.

2011-11-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-14 22:42]

.

2011-10-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-14 22:42]

.

2011-10-09 c:\windows\Tasks\hpwebreg_CN0AM292JD05HX.job

- c:\program files\HP\HP Deskjet 3050 J610 series\Bin\hpwebreg.exe [2010-06-14 21:10]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.myspace.com/

TCP: DhcpNameServer = 192.168.2.1

DPF: {3DE051B7-CE1E-4149-A39E-3037F29068E1} - hxxps://secure.adrentech.com/PCConfigtool/PCConfigTool.CAB

FF - ProfilePath - c:\documents and settings\~Devon~\Application Data\Mozilla\Firefox\Profiles\mudqtl66.default\

FF - prefs.js: browser.startup.homepage - hxxp://mp3tubetoolbar.com/?tmp=toolbar_Mp3Tube_homepage&prt=pinballtbfour04ff&clid=3cf193f1bd7542879f2dc9a9f2fb6f43&subid=

FF - prefs.js: network.proxy.http - 127.0.0.1

FF - prefs.js: network.proxy.http_port - 60283

FF - prefs.js: network.proxy.type - 1

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - user.js: keyword.URL - hxxp://mp3tubetoolbar.com/?tmp=nemo_results_removelink2&q=

FF - user.js: keyword.enabled - 1

.

- - - - ORPHANS REMOVED - - - -

.

URLSearchHooks-{5E72625C-99E3-4644-BFF0-315AA91294FA} - (no file)

BHO-{26A7CA19-7D58-411D-B2DA-F1B0324CBFFC} - c:\program files\Gamers Unite! Snag Bar\Toolbar.dll

BHO-{7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\Zynga\tbZyng.dll

Toolbar-Locked - (no file)

Toolbar-{25515A79-C1C7-4B97-97F8-31A711694487} - c:\program files\Gamers Unite! Snag Bar\Toolbar.dll

Toolbar-{7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\Zynga\tbZyng.dll

WebBrowser-{25515A79-C1C7-4B97-97F8-31A711694487} - c:\program files\Gamers Unite! Snag Bar\Toolbar.dll

WebBrowser-{7B13EC3E-999A-4B70-B9CB-2617B8323822} - c:\program files\Zynga\tbZyng.dll

Notify-termsvces - ter1mw32.dll

AddRemove-AVS Update Manager_is1 - c:\program files\AVS4YOU\AVSUpdateManager\unins000.exe

AddRemove-AVS4YOU Software Navigator_is1 - c:\program files\AVS4YOU\AVSSoftwareNavigator\unins000.exe

AddRemove-AVS4YOU Video Converter 6_is1 - c:\program files\AVS4YOU\AVSVideoConverter6\unins000.exe

AddRemove-Blue Coat K9 Web Protection - c:\program files\Blue Coat K9 Web Protection\uninst.exe

AddRemove-Freemake Video Converter_is1 - c:\program files\Freemake\Freemake Video Converter\Uninstall\unins000.exe

AddRemove-Freemake Video Downloader_is1 - c:\program files\Freemake\Freemake Video Downloader\Uninstall\unins000.exe

AddRemove-Google Chrome - c:\program files\Google\Chrome\Application\7.0.517.44\Installer\setup.exe

AddRemove-IspAssistant-Mp3Tube - c:\program files\Mp3Tube Toolbar\uninstall.exe

AddRemove-Pro Media Director_is1 - c:\program files\Pelican Performance\Pro Media Director\unins000.exe

AddRemove-SystemRequirementsLab - c:\program files\SystemRequirementsLab\Uninstall.exe

AddRemove-Octoshape add-in for Adobe Flash Player - c:\documents and settings\~Devon~\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe

AddRemove-Octoshape Streaming Services - c:\documents and settings\~Devon~\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-11-17 00:58

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: ST380215A rev.3.AAD -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4

.

device: opened successfully

user: MBR read successfully

error: Read A device attached to the system is not functioning.

kernel: MBR read successfully

detected disk devices:

detected hooks:

\Driver\atapi DriverStartIo -> 0x8A47E31B

user & kernel MBR OK

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(624)

c:\windows\system32\WININET.dll

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\ter1mw32.dll

.

- - - - - - - > 'lsass.exe'(684)

c:\windows\system32\WININET.dll

.

Completion time: 2011-11-17 01:07:19

ComboFix-quarantined-files.txt 2011-11-17 06:07

.

Pre-Run: 9,744,814,080 bytes free

Post-Run: 9,691,168,768 bytes free

.

- - End Of File - - F12ED2D38D9528D5C3F38A2F2D38056C


Hello Dreamx! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

  • I recommend that you keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don't hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copied and pasted into your next reply.

Please do not use ComboFix without supervision from a trained helper. It is a very powerful tool and could cause quite a mess. Please read this article:

http://www.bleepingcomputer.com/forums/topic273628.html

Now, manually delete your copy of ComboFix and then follow the instructions here to download and run it:

www.bleepingcomputer.com/combofix/how-to-use-combofix#use

When you are ready please post the log file with content of Add or Remove Programs.txt which is located at C:\Qoobox directory.


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
