Possible Malware


Binzapped

I figured out how to disable the Windows Security Center, can't delete it since it's part of the Control Panel. As far as I can tell, running Combofix a 2nd time didn't seem to fix anything beyond what it did last night. The QuickLaunch bar still doesn't have its icons, Dropbox is still missing from the Systray, some of my desktop shortcuts are still missing. Firefox no longer has an icon on the desktop & when I try to start it, I get the same error message posted previously.

Here's the Combofix log:

ComboFix 12-09-18.07 - Compaq_Administrator 09/19/2012 21:44:48.3.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.959.473 [GMT -4:00]

Running from: c:\documents and settings\Compaq_Administrator\Desktop\ComboFix.exe

AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

AV: ZoneAlarm Free Firewall Antivirus *Disabled/Updated* {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}

FW: ZoneAlarm Free Firewall Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

.

.

((((((((((((((((((((((((( Files Created from 2012-08-20 to 2012-09-20 )))))))))))))))))))))))))))))))

.

.

2012-09-17 23:56 . 2012-09-18 00:53 399264 ----a-w- c:\windows\unhide.exe

2012-09-17 23:54 . 2012-09-17 23:54 -------- d-----w- c:\documents and settings\Compaq_Administrator\Downloads

2012-09-17 11:08 . 2012-09-17 11:08 -------- d-----w- C:\_OTL

2012-09-15 01:19 . 2012-09-15 01:19 -------- d-----w- c:\documents and settings\Administrator\DoctorWeb

2012-09-13 01:52 . 2012-09-13 01:52 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Temp

2012-09-13 01:52 . 2012-09-13 01:52 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe

2012-09-11 02:05 . 2012-09-11 02:08 -------- d-----w- C:\MGtools

2012-09-11 01:49 . 2012-09-11 01:49 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2012-09-11 01:40 . 2012-09-11 01:40 14080 ----a-w- c:\windows\system32\drivers\TrueSight.sys

2012-09-11 01:14 . 2012-09-11 01:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\HPQ

2012-09-11 01:08 . 2012-09-11 01:08 -------- d-----w- c:\documents and settings\Administrator\Application Data\Yahoo!

2012-09-10 23:14 . 2012-09-10 23:14 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE

2012-09-10 23:14 . 2012-09-10 23:14 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2012-09-10 01:56 . 2012-01-09 22:59 11352 ----a-w- c:\windows\system32\drivers\kl2.sys

2012-09-10 01:56 . 2012-01-09 22:59 133208 ----a-w- c:\windows\system32\drivers\kl1.sys

2012-09-07 15:07 . 2012-09-07 15:07 65848 ----a-w- c:\windows\system32\drivers\RapportKELL.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-09-11 02:08 . 2012-09-11 02:05 210925 ----a-w- C:\MGlogs.zip

2012-09-07 21:04 . 2010-04-05 13:54 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-09-01 13:04 . 2012-04-06 02:11 696520 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-09-01 13:04 . 2011-05-15 01:53 73416 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-07-06 13:58 . 2004-08-10 04:00 78336 ----a-w- c:\windows\system32\browser.dll

2012-07-06 02:07 . 2007-05-02 02:04 143872 ----a-w- c:\windows\system32\javacpl.cpl

2012-07-06 02:06 . 2012-08-04 22:33 772544 ----a-w- c:\windows\system32\npDeployJava1.dll

2012-07-06 02:06 . 2011-05-29 16:06 687544 ----a-w- c:\windows\system32\deployJava1.dll

2012-07-04 14:05 . 2004-08-10 04:00 139784 ------w- c:\windows\system32\drivers\rdpwd.sys

2012-07-03 13:40 . 2004-08-10 04:00 1866112 ----a-w- c:\windows\system32\win32k.sys

2012-07-02 17:49 . 2004-08-10 04:00 916992 ----a-w- c:\windows\system32\wininet.dll

2012-07-02 17:49 . 2004-08-10 04:00 43520 ----a-w- c:\windows\system32\licmgr10.dll

2012-07-02 17:49 . 2004-08-10 04:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2012-07-02 12:05 . 2004-08-10 04:00 385024 ------w- c:\windows\system32\html.iec

2012-07-21 19:03 . 2011-05-14 15:33 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{da3116fa-099a-5814-4183-e1a9eeb94f35}"= "c:\program files\Bucksbee Loyalty Plugin - Air Installer\Helper.dll" [2012-05-13 361984]

.

[HKEY_CLASSES_ROOT\clsid\{da3116fa-099a-5814-4183-e1a9eeb94f35}]

[HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook.1]

[HKEY_CLASSES_ROOT\TypeLib\{58A52AA3-40A4-B184-E12A-7F02C33D6D41}]

[HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook]

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{86A5A4F7-990C-F0B4-096E-6B6BFDC90EC9}]

2012-02-09 04:19 13632 ----a-w- c:\program files\Bucksbee Loyalty Plugin - Air Installer\BucksBee Loyalty Plugin.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ---ha-w- c:\documents and settings\Compaq_Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ---ha-w- c:\documents and settings\Compaq_Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ---ha-w- c:\documents and settings\Compaq_Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]

@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ---ha-w- c:\documents and settings\Compaq_Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-05-10 39408]

"PlaxoUpdate"="c:\program files\Plaxo\3.23.0.11\PlaxoHelper_en.exe" [2009-10-01 403015]

"PlaxoSysTray"="c:\program files\Plaxo\3.23.0.11\PlaxoSysTray.exe" [2009-10-01 20480]

"AbacastDistributedOnDemand:11"="c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\AbacastDistributedOnDemand\Node\11\AbacastDistributedOnDemand.exe" [2009-04-15 54712]

"STC"="c:\program files\Innovative Solutions\System Tray Cleaner\stc.exe" [2011-11-04 2618288]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 221184]

"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]

"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856]

"ftutil2"="ftutil2.dll" [2004-06-07 106496]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-30 67584]

"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]

"RTHDCPL"="RTHDCPL.EXE" [2006-06-14 16239616]

"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-06-28 622592]

"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-06-29 77824]

"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]

"ISUSScheduler"="c:\program files\common files\installshield\updateservice\issch.exe" [2004-07-28 81920]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]

"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2012-07-22 73392]

"Reader Application Helper"="c:\program files\Sony\ReaderDesktop\appHelper\ReaderAppHelper.exe" [2012-07-12 892928]

"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]

"Anti-phishing Domain Advisor"="c:\documents and settings\All Users\Application Data\Anti-phishing Domain Advisor\visicom_antiphishing.exe" [2011-07-29 217256]

"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2012-07-14 738984]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-08-08 180269]

.

c:\documents and settings\Mary Gainey-Sutton\Start Menu\Programs\Startup\

PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-8-8 27136]

.

c:\documents and settings\Compaq_Administrator\Start Menu\Programs\Startup\

Dropbox.lnk - c:\documents and settings\Compaq_Administrator\Application Data\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [N/A]

Compaq Connections.lnk - c:\program files\Compaq Connections\5577497\Program\Compaq Connections.exe [N/A]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

Wireless Connection Manager.lnk - c:\program files\eHome\Wireless G EH102\wirelesscm.exe [2007-1-20 10244096]

.

c:\documents and settings\Default User\Start Menu\Programs\Startup\

Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-8-8 27136]

PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-8-8 27136]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\DISC\\DISCover.exe"=

"c:\\Program Files\\DISC\\DiscStreamHub.exe"=

"c:\\Program Files\\DISC\\myFTP.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Documents and Settings\\Compaq_Administrator\\Application Data\\Dropbox\\bin\\Dropbox.exe"=

"c:\\Documents and Settings\\Compaq_Administrator\\Local Settings\\Application Data\\AbacastDistributedOnDemand\\Node\\11\\AbacastDistributedOnDemand.exe"=

"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=

"c:\\Program Files\\Bucksbee Loyalty Plugin - Air Installer\\TroubleShooter.exe"=

.

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [4/1/2010 10:10 PM 28552]

R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [9/9/2012 9:56 PM 11352]

R1 RapportCerberus_42020;RapportCerberus_42020;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_42020.sys [8/9/2012 10:06 PM 228376]

R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [9/7/2012 11:07 AM 71480]

R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [9/7/2012 11:07 AM 166840]

R2 ISWKL;ZoneAlarm LTD Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [11/3/2011 10:44 AM 27056]

R2 IswSvc;ZoneAlarm LTD Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [11/3/2011 10:44 AM 497320]

R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [9/7/2012 11:07 AM 976728]

R3 RapportIaso;RapportIaso;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\39624\RapportIaso.sys [5/28/2012 4:40 PM 21520]

S0 DwProt;DrWeb Protection;c:\windows\system32\drivers\dwprot.sys --> c:\windows\system32\drivers\dwprot.sys [?]

S2 gupdate1c9d17f8aa53c4a;Google Update Service (gupdate1c9d17f8aa53c4a);c:\program files\Google\Update\GoogleUpdate.exe [5/10/2009 10:56 AM 133104]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/5/2012 10:11 PM 250568]

S3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [11/4/2007 7:46 PM 11648]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [5/10/2009 10:56 AM 133104]

S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [6/12/2011 11:15 AM 31125880]

S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [5/7/2012 8:27 PM 113120]

S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/10/2004 14336]

S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 9:37 PM 4640000]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper

.

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]

2009-03-08 08:32 128512 ----a-w- c:\windows\system32\advpack.dll

.

Contents of the 'Scheduled Tasks' folder

.

2012-09-20 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-06 13:04]

.

2011-05-29 c:\windows\Tasks\GlaryInitialize.job

- c:\program files\Glary Utilities\initialize.exe [2010-10-31 01:55]

.

2012-09-03 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-05-10 01:06]

.

2012-09-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-10 14:56]

.

2012-09-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-10 14:56]

.

2012-09-20 c:\windows\Tasks\User_Feed_Synchronization-{1CDB8788-0302-498C-A121-64AE4E2D6ADD}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]

.

.

------- Supplementary Scan -------

.

uDefault_Search_URL = about:blank

uStart Page = hxxp://search.zonealarm.com/?Source=Homepage&oemCode=ZLN00212370455149-1001&toolbarId=base&affiliateId=1001&Lan=en&utid=c056723000000000000000195b04ab21

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop

uInternet Settings,ProxyOverride = *.r5.attbi.com;<local>;*.local

uInternet Settings,ProxyServer = sas.r5.attbi.com:8000

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~1\MICROS~4\Office14\ONBttnIE.dll/105

IE: {{0362b485-11fe-469c-ae98-42f478e581a0} - c:\program files\Yapta\YaptaSettings.exe

IE: {{0094A600-9BDD-4019-BAFE-487284F7D476} - {C3C07AD6-ACE9-43EE-A2AF-45BC13F6275F} - c:\program files\Yapta\YaptaSidebar.dll

Trusted Zone: aol.com\free

Trusted Zone: trymedia.com

TCP: DhcpNameServer = 192.168.2.1 75.75.76.76 75.75.75.75

DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.1.0/GarminAxControl.CAB

DPF: {EB533642-0AFC-4559-A494-8CFFA296ACAE} - hxxps://mail.alticor.com/images/whlcache.cab?egap=internal

FF - ProfilePath - c:\documents and settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\5uykrio1.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2645238&SearchSource=3&q={searchTerms}

FF - prefs.js: browser.search.selectedEngine - Search By ZoneAlarm

FF - prefs.js: browser.startup.homepage - hxxp://search.zonealarm.com/?Source=Homepage&oemCode=ZLN00212370455149-1001&toolbarId=base&affiliateId=1001&Lan=en&utid=c056723000000000000000195b04ab21

FF - prefs.js: keyword.URL - hxxp://search.zonealarm.com/search?Source=Browser&oemCode=ZLN00212370455149-1001&toolbarId=base&affiliateId=1001&Lan=en&utid=c056723000000000000000195b04ab21&q={searchTerms}

FF - prefs.js: network.proxy.ftp - sas.r5.attbi.com

FF - prefs.js: network.proxy.ftp_port - 8000

FF - prefs.js: network.proxy.http - sas.r5.attbi.com

FF - prefs.js: network.proxy.http_port - 8000

FF - prefs.js: network.proxy.socks - sas.r5.attbi.com

FF - prefs.js: network.proxy.socks_port - 8000

FF - prefs.js: network.proxy.ssl - sas.r5.attbi.com

FF - prefs.js: network.proxy.ssl_port - 8000

FF - prefs.js: network.proxy.type - 0

FF - user.js: extensions.zonealarm.autoRvrt - false

FF - user.js: extensions.zonealarm_i.hmpg - true

FF - user.js: extensions.zonealarm.hmpgUrl - hxxp://search.zonealarm.com/?Source=Homepage&oemCode=ZLN00212370455149-1001&toolbarId=base&affiliateId=1001&Lan=en&utid=c056723000000000000000195b04ab21

FF - user.js: extensions.zonealarm.dfltSrch - true

FF - user.js: extensions.zonealarm.srchPrvdr - Search By ZoneAlarm

FF - user.js: extensions.zonealarm.keyWordUrl - hxxp://search.zonealarm.com/search?Source=Browser&oemCode=ZLN00212370455149-1001&toolbarId=base&affiliateId=1001&Lan=en&utid=c056723000000000000000195b04ab21&q={searchTerms}

FF - user.js: extensions.zonealarm_i.dnsErr - true

FF - user.js: extensions.zonealarm_i.newTab - true

FF - user.js: extensions.zonealarm.newTabUrl - hxxp://search.zonealarm.com/?Source=Newtab&oemCode=ZLN00212370455149-1001&toolbarId=base&affiliateId=1001&Lan=en&utid=c056723000000000000000195b04ab21

FF - user.js: extensions.zonealarm.tlbrSrchUrl - hxxp://search.zonealarm.com/search?Source=ToolBar&oemCode=ZLN00212370455149-1001&toolbarId=base&affiliateId=1001&Lan={dfltLng}&utid=c056723000000000000000195b04ab21&q=

FF - user.js: extensions.zonealarm.id - c056723000000000000000195b04ab21

FF - user.js: extensions.zonealarm.instlDay - 15552

FF - user.js: extensions.zonealarm.vrsn - 1.6.4.5

FF - user.js: extensions.zonealarm.vrsni - 1.6.4.5

FF - user.js: extensions.zonealarm_i.vrsnTs - 1.6.4.522:35

FF - user.js: extensions.zonealarm.prtnrId - checkpoint

FF - user.js: extensions.zonealarm.prdct - zonealarm

FF - user.js: extensions.zonealarm.aflt - 1001

FF - user.js: extensions.zonealarm_i.smplGrp - none

FF - user.js: extensions.zonealarm.tlbrId - base

FF - user.js: extensions.zonealarm.instlRef - ZLN00212370455149-1001

FF - user.js: extensions.zonealarm.dfltLng - en

FF - user.js: extensions.zonealarm.excTlbr - false

FF - user.js: extensions.zonealarm.admin - false

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-09-19 22:09

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-1015641442-117758955-2228853932-1007\Software\Microsoft\Driver Signing]

@Denied: (2) (Administrators)

@Allowed: (2) (Administrators)

@SACL=

"Policy"=dword:00000000

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(856)

c:\windows\system32\Ati2evxx.dll

c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

.

- - - - - - - > 'lsass.exe'(912)

c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

.

- - - - - - - > 'explorer.exe'(5004)

c:\windows\system32\WININET.dll

c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll

c:\documents and settings\Compaq_Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll

c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf

c:\progra~1\MICROS~4\Office14\1033\GrooveIntlResource.dll

c:\program files\Windows Desktop Search\deskbar.dll

c:\program files\Windows Desktop Search\en-us\dbres.dll.mui

c:\program files\Windows Desktop Search\dbres.dll

c:\program files\Windows Desktop Search\wordwheel.dll

c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui

c:\program files\Windows Desktop Search\msnlExtRes.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2012-09-19 22:17:47

ComboFix-quarantined-files.txt 2012-09-20 02:17

ComboFix2.txt 2012-09-20 01:03

ComboFix3.txt 2012-09-19 02:47

.

Pre-Run: 194,557,706,240 bytes free

Post-Run: 194,535,858,176 bytes free

.

- - End Of File - - 3D94F418B427EAB72B5A7338079A14FA

I did what you recommended & ran Combofix again. It doesn't look like anything changed. The same things listed above (the QuickLaunch bar still doesn't have its icons, Dropbox is still missing from the Systray, some of my desktop shortcuts are still missing, Firefox no longer has an icon on the desktop & when I try to start it, I get the same error message posted previously) still aren't back the way they were before the malware damaged my computer.

Here's the Combofix log:

ComboFix 12-09-20.02 - Compaq_Administrator 09/20/2012 21:28:38.4.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.959.319 [GMT -4:00]

Running from: c:\documents and settings\Compaq_Administrator\Desktop\ComboFix.exe

AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

AV: ZoneAlarm Free Firewall Antivirus *Disabled/Updated* {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}

FW: ZoneAlarm Free Firewall Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

.

.

((((((((((((((((((((((((( Files Created from 2012-08-21 to 2012-09-21 )))))))))))))))))))))))))))))))

.

.

2012-09-17 23:56 . 2012-09-18 00:53 399264 ----a-w- c:\windows\unhide.exe

2012-09-17 23:54 . 2012-09-17 23:54 -------- d-----w- c:\documents and settings\Compaq_Administrator\Downloads

2012-09-17 11:08 . 2012-09-17 11:08 -------- d-----w- C:\_OTL

2012-09-15 01:19 . 2012-09-15 01:19 -------- d-----w- c:\documents and settings\Administrator\DoctorWeb

2012-09-13 01:52 . 2012-09-13 01:52 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Temp

2012-09-13 01:52 . 2012-09-13 01:52 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe

2012-09-11 02:05 . 2012-09-11 02:08 -------- d-----w- C:\MGtools

2012-09-11 01:49 . 2012-09-11 01:49 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2012-09-11 01:40 . 2012-09-11 01:40 14080 ----a-w- c:\windows\system32\drivers\TrueSight.sys

2012-09-11 01:14 . 2012-09-11 01:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\HPQ

2012-09-11 01:08 . 2012-09-11 01:08 -------- d-----w- c:\documents and settings\Administrator\Application Data\Yahoo!

2012-09-10 23:14 . 2012-09-10 23:14 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE

2012-09-10 23:14 . 2012-09-10 23:14 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2012-09-10 01:56 . 2012-01-09 22:59 11352 ----a-w- c:\windows\system32\drivers\kl2.sys

2012-09-10 01:56 . 2012-01-09 22:59 133208 ----a-w- c:\windows\system32\drivers\kl1.sys

2012-09-07 15:07 . 2012-09-07 15:07 65848 ----a-w- c:\windows\system32\drivers\RapportKELL.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-09-11 02:08 . 2012-09-11 02:05 210925 ----a-w- C:\MGlogs.zip

2012-09-07 21:04 . 2010-04-05 13:54 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-09-01 13:04 . 2012-04-06 02:11 696520 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-09-01 13:04 . 2011-05-15 01:53 73416 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-07-06 13:58 . 2004-08-10 04:00 78336 ----a-w- c:\windows\system32\browser.dll

2012-07-06 02:07 . 2007-05-02 02:04 143872 ----a-w- c:\windows\system32\javacpl.cpl

2012-07-06 02:06 . 2012-08-04 22:33 772544 ----a-w- c:\windows\system32\npDeployJava1.dll

2012-07-06 02:06 . 2011-05-29 16:06 687544 ----a-w- c:\windows\system32\deployJava1.dll

2012-07-04 14:05 . 2004-08-10 04:00 139784 ------w- c:\windows\system32\drivers\rdpwd.sys

2012-07-03 13:40 . 2004-08-10 04:00 1866112 ----a-w- c:\windows\system32\win32k.sys

2012-07-02 17:49 . 2004-08-10 04:00 916992 ----a-w- c:\windows\system32\wininet.dll

2012-07-02 17:49 . 2004-08-10 04:00 43520 ----a-w- c:\windows\system32\licmgr10.dll

2012-07-02 17:49 . 2004-08-10 04:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2012-07-02 12:05 . 2004-08-10 04:00 385024 ------w- c:\windows\system32\html.iec

2012-07-21 19:03 . 2011-05-14 15:33 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{da3116fa-099a-5814-4183-e1a9eeb94f35}"= "c:\program files\Bucksbee Loyalty Plugin - Air Installer\Helper.dll" [2012-05-13 361984]

.

[HKEY_CLASSES_ROOT\clsid\{da3116fa-099a-5814-4183-e1a9eeb94f35}]

[HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook.1]

[HKEY_CLASSES_ROOT\TypeLib\{58A52AA3-40A4-B184-E12A-7F02C33D6D41}]

[HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook]

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{86A5A4F7-990C-F0B4-096E-6B6BFDC90EC9}]

2012-02-09 04:19 13632 ----a-w- c:\program files\Bucksbee Loyalty Plugin - Air Installer\BucksBee Loyalty Plugin.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ---ha-w- c:\documents and settings\Compaq_Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ---ha-w- c:\documents and settings\Compaq_Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ---ha-w- c:\documents and settings\Compaq_Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]

@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ---ha-w- c:\documents and settings\Compaq_Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-05-10 39408]

"PlaxoUpdate"="c:\program files\Plaxo\3.23.0.11\PlaxoHelper_en.exe" [2009-10-01 403015]

"PlaxoSysTray"="c:\program files\Plaxo\3.23.0.11\PlaxoSysTray.exe" [2009-10-01 20480]

"AbacastDistributedOnDemand:11"="c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\AbacastDistributedOnDemand\Node\11\AbacastDistributedOnDemand.exe" [2009-04-15 54712]

"STC"="c:\program files\Innovative Solutions\System Tray Cleaner\stc.exe" [2011-11-04 2618288]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 221184]

"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]

"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856]

"ftutil2"="ftutil2.dll" [2004-06-07 106496]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-30 67584]

"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]

"RTHDCPL"="RTHDCPL.EXE" [2006-06-14 16239616]

"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-06-28 622592]

"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-06-29 77824]

"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]

"ISUSScheduler"="c:\program files\common files\installshield\updateservice\issch.exe" [2004-07-28 81920]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]

"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2012-07-22 73392]

"Reader Application Helper"="c:\program files\Sony\ReaderDesktop\appHelper\ReaderAppHelper.exe" [2012-07-12 892928]

"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]

"Anti-phishing Domain Advisor"="c:\documents and settings\All Users\Application Data\Anti-phishing Domain Advisor\visicom_antiphishing.exe" [2011-07-29 217256]

"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2012-07-14 738984]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-08-08 180269]

.

c:\documents and settings\Mary Gainey-Sutton\Start Menu\Programs\Startup\

PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-8-8 27136]

.

c:\documents and settings\Compaq_Administrator\Start Menu\Programs\Startup\

Dropbox.lnk - c:\documents and settings\Compaq_Administrator\Application Data\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [N/A]

Compaq Connections.lnk - c:\program files\Compaq Connections\5577497\Program\Compaq Connections.exe [N/A]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

Wireless Connection Manager.lnk - c:\program files\eHome\Wireless G EH102\wirelesscm.exe [2007-1-20 10244096]

.

c:\documents and settings\Default User\Start Menu\Programs\Startup\

Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-8-8 27136]

PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-8-8 27136]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\DISC\\DISCover.exe"=

"c:\\Program Files\\DISC\\DiscStreamHub.exe"=

"c:\\Program Files\\DISC\\myFTP.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Documents and Settings\\Compaq_Administrator\\Application Data\\Dropbox\\bin\\Dropbox.exe"=

"c:\\Documents and Settings\\Compaq_Administrator\\Local Settings\\Application Data\\AbacastDistributedOnDemand\\Node\\11\\AbacastDistributedOnDemand.exe"=

"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=

"c:\\Program Files\\Bucksbee Loyalty Plugin - Air Installer\\TroubleShooter.exe"=

.

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [4/1/2010 10:10 PM 28552]

R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [9/9/2012 9:56 PM 11352]

R1 RapportCerberus_42020;RapportCerberus_42020;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_42020.sys [8/9/2012 10:06 PM 228376]

R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [9/7/2012 11:07 AM 71480]

R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [9/7/2012 11:07 AM 166840]

R2 ISWKL;ZoneAlarm LTD Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [11/3/2011 10:44 AM 27056]

R2 IswSvc;ZoneAlarm LTD Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [11/3/2011 10:44 AM 497320]

R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [9/7/2012 11:07 AM 976728]

R3 RapportIaso;RapportIaso;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\39624\RapportIaso.sys [5/28/2012 4:40 PM 21520]

S0 DwProt;DrWeb Protection;c:\windows\system32\drivers\dwprot.sys --> c:\windows\system32\drivers\dwprot.sys [?]

S2 gupdate1c9d17f8aa53c4a;Google Update Service (gupdate1c9d17f8aa53c4a);c:\program files\Google\Update\GoogleUpdate.exe [5/10/2009 10:56 AM 133104]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/5/2012 10:11 PM 250568]

S3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [11/4/2007 7:46 PM 11648]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [5/10/2009 10:56 AM 133104]

S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [6/12/2011 11:15 AM 31125880]

S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [5/7/2012 8:27 PM 113120]

S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/10/2004 14336]

S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 9:37 PM 4640000]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper

.

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]

2009-03-08 08:32 128512 ----a-w- c:\windows\system32\advpack.dll

.

Contents of the 'Scheduled Tasks' folder

.

2012-09-21 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-06 13:04]

.

2011-05-29 c:\windows\Tasks\GlaryInitialize.job

- c:\program files\Glary Utilities\initialize.exe [2010-10-31 01:55]

.

2012-09-03 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-05-10 01:06]

.

2012-09-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-10 14:56]

.

2012-09-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-10 14:56]

.

2012-09-21 c:\windows\Tasks\User_Feed_Synchronization-{1CDB8788-0302-498C-A121-64AE4E2D6ADD}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]

.

.

------- Supplementary Scan -------

.

uDefault_Search_URL = about:blank

uStart Page = hxxp://search.zonealarm.com/?Source=Homepage&oemCode=ZLN00212370455149-1001&toolbarId=base&affiliateId=1001&Lan=en&utid=c056723000000000000000195b04ab21

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop

uInternet Settings,ProxyOverride = *.r5.attbi.com;<local>;*.local

uInternet Settings,ProxyServer = sas.r5.attbi.com:8000

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~1\MICROS~4\Office14\ONBttnIE.dll/105

IE: {{0362b485-11fe-469c-ae98-42f478e581a0} - c:\program files\Yapta\YaptaSettings.exe

IE: {{0094A600-9BDD-4019-BAFE-487284F7D476} - {C3C07AD6-ACE9-43EE-A2AF-45BC13F6275F} - c:\program files\Yapta\YaptaSidebar.dll

Trusted Zone: aol.com\free

Trusted Zone: trymedia.com

TCP: DhcpNameServer = 192.168.2.1 75.75.76.76 75.75.75.75

DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.1.0/GarminAxControl.CAB

DPF: {EB533642-0AFC-4559-A494-8CFFA296ACAE} - hxxps://mail.alticor.com/images/whlcache.cab?egap=internal

FF - ProfilePath - c:\documents and settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\5uykrio1.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2645238&SearchSource=3&q={searchTerms}

FF - prefs.js: browser.search.selectedEngine - Search By ZoneAlarm

FF - prefs.js: browser.startup.homepage - hxxp://search.zonealarm.com/?Source=Homepage&oemCode=ZLN00212370455149-1001&toolbarId=base&affiliateId=1001&Lan=en&utid=c056723000000000000000195b04ab21

FF - prefs.js: keyword.URL - hxxp://search.zonealarm.com/search?Source=Browser&oemCode=ZLN00212370455149-1001&toolbarId=base&affiliateId=1001&Lan=en&utid=c056723000000000000000195b04ab21&q={searchTerms}

FF - prefs.js: network.proxy.ftp - sas.r5.attbi.com

FF - prefs.js: network.proxy.ftp_port - 8000

FF - prefs.js: network.proxy.http - sas.r5.attbi.com

FF - prefs.js: network.proxy.http_port - 8000

FF - prefs.js: network.proxy.socks - sas.r5.attbi.com

FF - prefs.js: network.proxy.socks_port - 8000

FF - prefs.js: network.proxy.ssl - sas.r5.attbi.com

FF - prefs.js: network.proxy.ssl_port - 8000

FF - prefs.js: network.proxy.type - 0

FF - user.js: extensions.zonealarm.autoRvrt - false

FF - user.js: extensions.zonealarm_i.hmpg - true

FF - user.js: extensions.zonealarm.hmpgUrl - hxxp://search.zonealarm.com/?Source=Homepage&oemCode=ZLN00212370455149-1001&toolbarId=base&affiliateId=1001&Lan=en&utid=c056723000000000000000195b04ab21

FF - user.js: extensions.zonealarm.dfltSrch - true

FF - user.js: extensions.zonealarm.srchPrvdr - Search By ZoneAlarm

FF - user.js: extensions.zonealarm.keyWordUrl - hxxp://search.zonealarm.com/search?Source=Browser&oemCode=ZLN00212370455149-1001&toolbarId=base&affiliateId=1001&Lan=en&utid=c056723000000000000000195b04ab21&q={searchTerms}

FF - user.js: extensions.zonealarm_i.dnsErr - true

FF - user.js: extensions.zonealarm_i.newTab - true

FF - user.js: extensions.zonealarm.newTabUrl - hxxp://search.zonealarm.com/?Source=Newtab&oemCode=ZLN00212370455149-1001&toolbarId=base&affiliateId=1001&Lan=en&utid=c056723000000000000000195b04ab21

FF - user.js: extensions.zonealarm.tlbrSrchUrl - hxxp://search.zonealarm.com/search?Source=ToolBar&oemCode=ZLN00212370455149-1001&toolbarId=base&affiliateId=1001&Lan={dfltLng}&utid=c056723000000000000000195b04ab21&q=

FF - user.js: extensions.zonealarm.id - c056723000000000000000195b04ab21

FF - user.js: extensions.zonealarm.instlDay - 15552

FF - user.js: extensions.zonealarm.vrsn - 1.6.4.5

FF - user.js: extensions.zonealarm.vrsni - 1.6.4.5

FF - user.js: extensions.zonealarm_i.vrsnTs - 1.6.4.522:35

FF - user.js: extensions.zonealarm.prtnrId - checkpoint

FF - user.js: extensions.zonealarm.prdct - zonealarm

FF - user.js: extensions.zonealarm.aflt - 1001

FF - user.js: extensions.zonealarm_i.smplGrp - none

FF - user.js: extensions.zonealarm.tlbrId - base

FF - user.js: extensions.zonealarm.instlRef - ZLN00212370455149-1001

FF - user.js: extensions.zonealarm.dfltLng - en

FF - user.js: extensions.zonealarm.excTlbr - false

FF - user.js: extensions.zonealarm.admin - false

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-09-20 21:59

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-1015641442-117758955-2228853932-1007\Software\Microsoft\Driver Signing]

@Denied: (2) (Administrators)

@Allowed: (2) (Administrators)

@SACL=

"Policy"=dword:00000000

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(852)

c:\windows\system32\Ati2evxx.dll

c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

.

- - - - - - - > 'lsass.exe'(908)

c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

.

- - - - - - - > 'explorer.exe'(1028)

c:\windows\system32\WININET.dll

c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll

c:\documents and settings\Compaq_Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll

c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf

c:\progra~1\MICROS~4\Office14\1033\GrooveIntlResource.dll

c:\program files\Windows Desktop Search\deskbar.dll

c:\program files\Windows Desktop Search\en-us\dbres.dll.mui

c:\program files\Windows Desktop Search\dbres.dll

c:\program files\Windows Desktop Search\wordwheel.dll

c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui

c:\program files\Windows Desktop Search\msnlExtRes.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2012-09-20 22:08:18

ComboFix-quarantined-files.txt 2012-09-21 02:08

ComboFix2.txt 2012-09-20 02:17

ComboFix3.txt 2012-09-20 01:03

ComboFix4.txt 2012-09-19 02:47

.

Pre-Run: 194,304,757,760 bytes free

Post-Run: 194,356,985,856 bytes free

.

- - End Of File - - B9CEAB9016BB1AEBD8B15B1918405987


I can only suggest you re-install Firefox:

http://www.mozilla.com/firefox/

Re-install Dropbox

Recreate the shortcuts.

Be sure to uninstall Combofix.

The following will implement some cleanup procedures as well as reset System Restore points:

For XP:

  • Click START run
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the /, it needs to be there.

For Vista / Windows 7

  • Click START Search
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the /, it needs to be there.

Here's my usual final post

To be on the safe side, I would also change all my passwords.

This infection appears to have been cleaned, but as the malware could be configured to run any program a remote attacker requires, it's impossible to be 100% sure that any machine is clean.

Log looks good :D

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week
    (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer.
    Without a firewall your computer is susceptible to being hacked and taken over.
    I am very serious about this and see it happen almost every day with my clients.
    Simply using a Firewall in its default configuration can lower your risk greatly.

  • Securing Your Web Browser
    This paper will help you configure your web browser for safer internet surfing.
  • Using a secure browser plugin M86 SecureBrowsing makes it safe to search, surf and socialize online. This free browser plug-in displays security icons next to links on search engines and social networking sites like Facebook, Twitter and LinkedIn, so you'll know which pages are safe and which ones to avoid.
    • Free browser plug-in for Internet Explorer and Firefox
    • Real-time safety ratings
    • Ideal for Facebook, Twitter and LinkedIn
  • JAVA Click this link and click on the Free JAVA Download
  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly.
    This will ensure your computer has always the latest security updates available installed on your computer.
    If there are new updates to install, install them immediately, reboot your computer, and revisit the site
    until there are no more critical updates.

Only run one Anti-Virus and Firewall program.

I would suggest you read:

PC Safety and Security--What Do I Need?.

How to Prevent Malware:

The full version of Malwarebytes' Anti-Malware could have helped protect your computer against this threat.

We use different ways of protecting your computer(s):

  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention

Save yourself the hassle and get protected.


Thanks for getting rid of the malware. FYI, I was able to restore all of the shortcuts, Firefox & Dropbox that were missing when I followed the instructions on this site:

http://www.pchell.com/support/unhidefiles.shtml

I used the following commands:

For Windows XP

1) Click on Start, Run

2) Type CMD and press Enter

3) At the command prompt type the following and press Enter

CD \

4) Now the command prompt should show the root folder of the hard drive. Most likely C:\

5) At the command prompt type the following and press Enter

ATTRIB -H *.* /S /D

This command will unhide the files that are currently hidden. Because the important system files have a system attribute attached to them as well, the above command will not work for them and they will be skipped and kept hidden from prying eyes.

This command will take some time, so don't be afraid if it takes anywhere from a few minutes to half an hour to finish. What the command does is simple. It removes the hidden attribute from all files on the hard drive. The /S parameter tells it to search the current folder and all subfolders, while the /D parameter processes the folders as well.

6) Type Exit and press Enter when the procedure is complete. Then reboot your computer

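As an added example (not from the thread or the linked pchell page), here is a PowerShell version of the same unhide step described in the post above: it first reports which files and folders carry the Hidden attribute without the System attribute, and only clears the flag when run with -Fix. The $Root default, the -Fix switch and the report layout are my own choices; it assumes PowerShell 2.0 or later, which is the newest available on Windows XP.

```powershell
# Added example, not part of the original thread. Mirrors "ATTRIB -H *.* /S /D"
# (recurse, process folders too) but lets you audit before changing anything.
param(
    [string]$Root = 'C:\',   # folder to process; the thread ran it from the drive root
    [switch]$Fix             # without -Fix the script is a dry run and changes nothing
)

$hidden = [IO.FileAttributes]::Hidden
$system = [IO.FileAttributes]::System

# -Force makes Get-ChildItem return hidden items; folders we cannot read are skipped
# rather than aborting the whole scan.
$items = Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue

$report = foreach ($item in $items) {
    $attrs = $item.Attributes
    # Same rule as ATTRIB -H: an item that is also System keeps its Hidden flag,
    # so genuine OS files (pagefile.sys, desktop.ini, boot.ini, ...) are left alone.
    if (($attrs -band $hidden) -and -not ($attrs -band $system)) {
        if ($Fix) {
            # Clear just the Hidden bit and leave every other attribute as it was.
            $item.Attributes = $attrs -bxor $hidden
        }
        New-Object PSObject -Property @{
            Path     = $item.FullName
            IsFolder = $item.PSIsContainer
            Cleared  = [bool]$Fix
        }
    }
}

$report | Format-Table Path, IsFolder, Cleared -AutoSize

if ($Fix) { $status = 'Hidden attribute cleared' }
else      { $status = 'dry run only, re-run with -Fix to clear' }
'{0} hidden non-system item(s) found under {1} ({2})' -f @($report).Count, $Root, $status
```

Run it from an administrator prompt so that files under other users' profiles can be read and modified; the dry-run list is worth saving, since a hidden file you did not create yourself is also a useful pointer to what the infection touched.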

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

