ComboFix log
I've read many other posts here, and we have the problem also where Malwarebytes and HijackThis refuse to run, the browser is being redirected away from any anti-virus sites, and we can't run any software that might attempt to remove whatever the problem is.

So, here is our ComboFix log file. Hopefully this will tell someone something that I can do to fix this computer!

----------------------------------------------------------------------------------

ComboFix 09-08-10.06 - James Brownrigg 08/18/2009 18:51.3.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.250 [GMT -4:00]

Running from: c:\documents and settings\James Brownrigg\Desktop\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\docume~1\JAMESB~1\LOCALS~1\Temp\catchme.dll

c:\documents and settings\James Brownrigg\Local Settings\Temp\catchme.dll

c:\windows\system32\kdpini.dll

.

((((((((((((((((((((((((( Files Created from 2009-07-18 to 2009-08-18 )))))))))))))))))))))))))))))))

.

2009-08-18 22:50 . 2009-08-18 22:50 149522 ------w- c:\windows\system32\da4992ce7f772f5cdced9c69faa08afa.exe

2009-08-18 18:34 . 2009-08-18 18:34 -------- d-----w- c:\documents and settings\James Brownrigg\Local Settings\Application Data\Opera

2009-08-18 18:34 . 2009-08-18 18:34 -------- d-----w- c:\program files\Opera

2009-08-16 23:01 . 2009-08-16 23:01 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2009-08-15 21:22 . 2009-08-15 20:49 848712 ----a-w- C:\avg_free_stb_all_8_32_cnet.exe

2009-08-15 20:29 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys

2009-08-15 20:29 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys

2009-08-15 20:29 . 2008-04-13 18:45 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys

2009-08-15 20:29 . 2008-04-13 18:45 10368 ----a-w- c:\windows\system32\dllcache\hidusb.sys

2009-08-12 04:05 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-18 17:54 . 2008-05-08 00:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater

2009-07-16 10:44 . 2009-07-16 10:44 312847 ------w- c:\windows\system32\c28be957c975aefb5e27b3f339b69606.TMP

2009-07-16 10:44 . 2007-04-23 03:30 312847 ------w- c:\windows\system32\edfbcebdddea.dll

2009-07-16 10:44 . 2009-07-16 10:44 278033 ------w- c:\windows\system32\bcfa641acb9b1fa199c53255d5b56b7d.TMP

2009-07-03 22:07 . 2009-07-01 15:25 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2009-07-03 22:07 . 2009-07-01 15:25 -------- d-----w- c:\program files\NOS

2009-07-03 17:09 . 2004-08-10 17:51 915456 ----a-w- c:\windows\system32\wininet.dll

2009-07-01 15:32 . 2007-02-03 00:17 -------- d-----w- c:\program files\Common Files\Adobe

2009-07-01 15:26 . 2009-07-01 15:26 -------- d-----w- c:\program files\Common Files\Adobe AIR

2009-07-01 15:25 . 2009-07-01 15:25 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe

2009-07-01 10:11 . 2009-07-01 10:11 138 ----a-w- c:\documents and settings\James Brownrigg\Local Settings\Application Data\fusioncache.dat

2009-06-16 14:36 . 2004-08-10 17:51 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-16 14:36 . 2004-08-10 17:51 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-06-03 20:17 . 2009-05-28 22:32 205840 ----a-w- c:\windows\system32\kusers.dll

2009-06-03 19:09 . 2004-08-10 17:51 1291264 ----a-w- c:\windows\system32\quartz.dll

.

((((((((((((((((((((((((((((( SnapShot@2009-08-18_19.38.32 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-08-18 22:45 . 2009-08-18 22:45 16384 c:\windows\temp\Perflib_Perfdata_6e8.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-29 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-01-31 155648]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-09-01 339968]

"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-03-04 606208]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]

"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016]

"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]

"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2004-09-14 131072]

"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-08-02 26112]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-08-02 98304]

"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-09-14 53248]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-8-2 24576]

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\afaeeddeafa]

2009-05-18 03:49 278033 ------w- c:\windows\system32\afaeeddeafa.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\edfbcebdddea]

2009-07-16 10:44 312847 ------w- c:\windows\system32\edfbcebdddea.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]

2004-09-07 21:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

2009-08-18 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-06-29 23:57]

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-MCUpdateExe - c:\progra~1\mcafee.com\agent\McUpdate.exe

HKLM-Run-MCAgentExe - c:\progra~1\mcafee.com\agent\McAgent.exe

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-18 18:58

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\windows\system32\fef7a3a5ebf10090ceb6d820b1fffdcc.sys 39936 bytes executable

scan completed successfully

hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\fef7a3a5ebf10090ceb6d820b1fffdcc]

"ImagePath"="system32\fef7a3a5ebf10090ceb6d820b1fffdcc.sys"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(948)

c:\windows\system32\afaeeddeafa.dll

c:\windows\system32\WININET.dll

c:\windows\system32\Ati2evxx.dll

c:\windows\system32\edfbcebdddea.dll

c:\program files\Intel\Wireless\Bin\LgNotify.dll

.

Completion time: 2009-08-18 19:01

ComboFix-quarantined-files.txt 2009-08-18 23:01

ComboFix2.txt 2009-08-18 20:12

ComboFix3.txt 2009-08-18 19:41

Pre-Run: 24,066,068,480 bytes free

Post-Run: 24,026,931,200 bytes free

131 --- E O F --- 2009-08-15 20:32

----------------------------------------------------------------------------------


  • Staff

Hello and welcome to Malwarebytes.

Please go to VirusTotal, and upload the following files for analysis:

c:\windows\system32\da4992ce7f772f5cdced9c69faa08afa.exe

C:\avg_free_stb_all_8_32_cnet.exe

c:\windows\system32\edfbcebdddea.dll

c:\windows\system32\c28be957c975aefb5e27b3f339b69606.TMP

C:\windows\system32\fef7a3a5ebf10090ceb6d820b1fffdcc.sys

Post the results in your reply.

After that, disconnect from the Internet so this infection can't call its friends over.

Download any required tools from a known clean computer and transfer them via removable media (CD/flash drive).

-screen317


Getting errors trying to upload the results. Perhaps I can put them in a file attachment...


  • Staff

Hello,

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad. Copy and paste the text in the Code box below into Notepad:

http://www.malwarebytes.org/forums/index.php?showtopic=22129
Driver::
fef7a3a5ebf10090ceb6d820b1fffdcc
Collect::
C:\avg_free_stb_all_8_32_cnet.exe
c:\windows\system32\da4992ce7f772f5cdced9c69faa08afa.exe
c:\windows\system32\c28be957c975aefb5e27b3f339b69606.TMP
c:\windows\system32\edfbcebdddea.dll
c:\windows\system32\bcfa641acb9b1fa199c53255d5b56b7d.TMP
c:\windows\system32\afaeeddeafa.dll
C:\Windows\system32\fef7a3a5ebf10090ceb6d820b1fffdcc.sys
KILLALL::
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\afaeeddeafa]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\edfbcebdddea]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\fef7a3a5ebf10090ceb6d820b1fffdcc]

Save this as CFScript.txt

[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

  • Ensure you are connected to the internet and click OK on the message box.

-screen317
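As an added example (not code from this thread, from ComboFix or from Malwarebytes), a Python triage helper that walks a ComboFix log in the layout posted above, picks out what the two staff replies single out (files under system32 whose names are nothing but hex digits, winlogon\notify handlers that point at such DLLs, the file catchme reported as hidden and the service that loads it) and lays the result out in the Driver::/Collect::/KILLALL::/Registry:: directive layout of the staff script. The hex-name heuristic, the regexes and the sample lines are this example's own assumptions; the sample is constructed from entries in the first log.

```python
import re

# Constructed sample: entries excerpted from the first ComboFix log in this thread,
# one entry per line as ComboFix writes them.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2009-07-18 to 2009-08-18 )))))))))))))))))))))))))))))))
2009-08-18 22:50 . 2009-08-18 22:50 149522 ------w- c:\windows\system32\da4992ce7f772f5cdced9c69faa08afa.exe
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2009-07-16 10:44 . 2009-07-16 10:44 312847 ------w- c:\windows\system32\c28be957c975aefb5e27b3f339b69606.TMP
2009-07-16 10:44 . 2007-04-23 03:30 312847 ------w- c:\windows\system32\edfbcebdddea.dll
2009-07-03 17:09 . 2004-08-10 17:51 915456 ----a-w- c:\windows\system32\wininet.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\afaeeddeafa]
2009-05-18 03:49 278033 ------w- c:\windows\system32\afaeeddeafa.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 21:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll
**************************************************************************
scanning hidden files ...
c:\windows\system32\fef7a3a5ebf10090ceb6d820b1fffdcc.sys 39936 bytes executable
scan completed successfully
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\fef7a3a5ebf10090ceb6d820b1fffdcc]
"ImagePath"="system32\fef7a3a5ebf10090ceb6d820b1fffdcc.sys"
"""

# File entry: created . modified size attrs path; size is dashes for directories.
ENTRY_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?:\d+|-+) [-a-z]{8} (?P<path>[a-z]:\\.+)$", re.I)
# Autostart entry listed under a registry key: modified size attrs path.
AUTOSTART_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \d+ [-a-z]{8} (?P<path>[a-z]:\\.+)$", re.I)
KEY_RE = re.compile(r"^\[(?P<key>HK[A-Z_]+\\.+)\]$")
HIDDEN_RE = re.compile(r"^(?P<path>[a-z]:\\.+?) \d+ bytes", re.I)
# Heuristic of this example, not a ComboFix rule: a basename made only of hex
# digits (8 or more) is the naming pattern the staffer singled out above.
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8,}$", re.I)

def stem(path: str) -> str:
    """Basename without its extension."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]

def triage(log_text: str) -> dict:
    """Walk a ComboFix log and collect the entries worth a second look."""
    found = {"hex_named": [], "notify_handlers": [], "hidden": [], "services": []}
    current_key, in_hidden_scan = None, False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line[0] in "(*":                 # section banner ends the key context
            current_key = None
            continue
        key = KEY_RE.match(line)
        if key:
            current_key = key.group("key")
            continue
        if line.startswith("scanning hidden files"):
            in_hidden_scan = True
            continue
        if line.startswith("scan completed"):
            in_hidden_scan = False
            continue
        hidden = HIDDEN_RE.match(line) if in_hidden_scan else None
        if hidden:
            found["hidden"].append(hidden.group("path"))
            continue
        entry = ENTRY_RE.match(line) or AUTOSTART_RE.match(line)
        if entry:
            path = entry.group("path")
            if HEX_NAME_RE.match(stem(path)):
                found["hex_named"].append(path)
            if current_key and "\\winlogon\\notify\\" in current_key.lower():
                found["notify_handlers"].append((current_key, path))
            continue
        if current_key and line.startswith('"ImagePath"='):
            found["services"].append((current_key, line.split("=", 1)[1].strip('"')))
    return found

def build_cfscript(found: dict) -> str:
    """Lay the findings out in the directive format of the staff script above."""
    hidden_stems = {stem(p).lower() for p in found["hidden"]}
    drivers, keys = [], []
    for key, _image in found["services"]:
        name = key.rsplit("\\", 1)[-1]
        if name.lower() in hidden_stems:    # service whose driver catchme found hidden
            drivers.append(name)
            keys.append(key)
    collect = list(found["hidden"])
    collect += [p for p in found["hex_named"] if p not in collect]
    for key, path in found["notify_handlers"]:
        if HEX_NAME_RE.match(stem(path)):   # winlogon notify DLL with a hex-only name
            keys.append(key)
            if path not in collect:
                collect.append(path)
    lines = (["Driver::"] + drivers if drivers else []) + ["Collect::"] + collect
    lines += ["KILLALL::", "Registry::"] + [f"[-{k}]" for k in keys]
    return "\n".join(lines) + "\n"
```

The output is a starting point for a human reviewer, not a script to run unread: every hex-only name still has to be checked (VirusTotal, as the staff asked) before it goes into Collect:: or Registry::.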


I've attached a file that contains the results. Hope this helps!

Dave

ComboFix 09-08-24.01 - James Brownrigg 08/24/2009 15:44.4.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.251 [GMT -4:00]

Running from: c:\documents and settings\James Brownrigg\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\James Brownrigg\Desktop\CFScript.txt

* Created a new restore point

.

((((((((((((((((((((((((( Files Created from 2009-07-24 to 2009-08-24 )))))))))))))))))))))))))))))))

.

2009-08-18 18:34 . 2009-08-18 18:34 -------- d-----w- c:\documents and settings\James Brownrigg\Local Settings\Application Data\Opera

2009-08-18 18:34 . 2009-08-18 18:34 -------- d-----w- c:\program files\Opera

2009-08-16 23:01 . 2009-08-16 23:01 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2009-08-15 21:22 . 2009-08-15 20:49 848712 ----a-w- C:\avg_free_stb_all_8_32_cnet.exe

2009-08-15 20:29 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys

2009-08-15 20:29 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys

2009-08-15 20:29 . 2008-04-13 18:45 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys

2009-08-15 20:29 . 2008-04-13 18:45 10368 ----a-w- c:\windows\system32\dllcache\hidusb.sys

2009-08-12 04:05 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll

2009-08-05 09:01 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-24 01:36 . 2008-05-08 00:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater

2009-08-05 09:01 . 2004-08-10 17:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-17 19:01 . 2004-08-10 17:50 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-16 10:44 . 2009-07-16 10:44 312847 ------w- c:\windows\system32\c28be957c975aefb5e27b3f339b69606.TMP

2009-07-16 10:44 . 2007-04-23 03:30 312847 ------w- c:\windows\system32\edfbcebdddea.dll

2009-07-16 10:44 . 2009-07-16 10:44 278033 ------w- c:\windows\system32\bcfa641acb9b1fa199c53255d5b56b7d.TMP

2009-07-14 03:43 . 2004-08-10 17:51 286208 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-03 22:07 . 2009-07-01 15:25 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2009-07-03 22:07 . 2009-07-01 15:25 -------- d-----w- c:\program files\NOS

2009-07-03 17:09 . 2004-08-10 17:51 915456 ----a-w- c:\windows\system32\wininet.dll

2009-07-01 15:32 . 2007-02-03 00:17 -------- d-----w- c:\program files\Common Files\Adobe

2009-07-01 15:26 . 2009-07-01 15:26 -------- d-----w- c:\program files\Common Files\Adobe AIR

2009-07-01 15:25 . 2009-07-01 15:25 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe

2009-07-01 10:11 . 2009-07-01 10:11 138 ----a-w- c:\documents and settings\James Brownrigg\Local Settings\Application Data\fusioncache.dat

2009-06-25 08:25 . 2004-08-10 17:51 54272 ----a-w- c:\windows\system32\wdigest.dll

2009-06-25 08:25 . 2004-08-10 17:51 56832 ----a-w- c:\windows\system32\secur32.dll

2009-06-25 08:25 . 2004-08-10 17:51 147456 ----a-w- c:\windows\system32\schannel.dll

2009-06-25 08:25 . 2004-08-10 17:51 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-06-25 08:25 . 2004-08-10 17:51 730112 ----a-w- c:\windows\system32\lsasrv.dll

2009-06-25 08:25 . 2004-08-10 17:51 301568 ----a-w- c:\windows\system32\kerberos.dll

2009-06-24 11:18 . 2004-08-10 17:51 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys

2009-06-16 14:36 . 2004-08-10 17:51 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-16 14:36 . 2004-08-10 17:51 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-06-12 12:31 . 2004-08-10 17:51 76288 ----a-w- c:\windows\system32\telnet.exe

2009-06-10 14:13 . 2004-08-10 17:50 84992 ----a-w- c:\windows\system32\avifil32.dll

2009-06-10 13:19 . 2004-08-10 18:01 2066432 ----a-w- c:\windows\system32\mstscax.dll

2009-06-10 06:14 . 2004-08-10 17:51 132096 ----a-w- c:\windows\system32\wkssvc.dll

2009-06-03 20:17 . 2009-05-28 22:32 205840 ----a-w- c:\windows\system32\kusers.dll

2009-06-03 19:09 . 2004-08-10 17:51 1291264 ----a-w- c:\windows\system32\quartz.dll

.

((((((((((((((((((((((((((((( SnapShot@2009-08-18_19.38.32 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-06-25 08:25 . 2009-06-25 08:25 54272 c:\windows\system32\dllcache\wdigest.dll

+ 2009-06-12 12:31 . 2009-06-12 12:31 76288 c:\windows\system32\dllcache\telnet.exe

+ 2009-02-03 19:59 . 2009-06-25 08:25 56832 c:\windows\system32\dllcache\secur32.dll

- 2009-02-03 19:59 . 2009-02-03 19:59 56832 c:\windows\system32\dllcache\secur32.dll

+ 2009-06-24 11:18 . 2009-06-24 11:18 92928 c:\windows\system32\dllcache\ksecdd.sys

+ 2009-06-10 14:13 . 2009-06-10 14:13 84992 c:\windows\system32\dllcache\avifil32.dll

+ 2009-07-17 19:01 . 2009-07-17 19:01 58880 c:\windows\system32\dllcache\atl.dll

+ 2004-08-10 17:51 . 2009-07-14 03:43 286208 c:\windows\system32\dllcache\wmpdxm.dll

+ 2009-06-10 06:14 . 2009-06-10 06:14 132096 c:\windows\system32\dllcache\wkssvc.dll

+ 2008-12-05 06:54 . 2009-06-25 08:25 147456 c:\windows\system32\dllcache\schannel.dll

+ 2009-06-25 08:25 . 2009-06-25 08:25 136192 c:\windows\system32\dllcache\msv1_0.dll

+ 2009-04-15 10:18 . 2009-06-25 08:25 730112 c:\windows\system32\dllcache\lsasrv.dll

+ 2009-06-25 08:25 . 2009-06-25 08:25 301568 c:\windows\system32\dllcache\kerberos.dll

+ 2009-06-10 13:19 . 2009-06-10 13:19 2066432 c:\windows\system32\dllcache\mstscax.dll

+ 2004-08-10 17:51 . 2009-07-14 03:43 10841088 c:\windows\system32\wmp.dll

+ 2004-08-10 17:51 . 2009-07-14 03:43 10841088 c:\windows\system32\dllcache\wmp.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-29 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-01-31 155648]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-09-01 339968]

"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-03-04 606208]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]

"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016]

"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]

"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2004-09-14 131072]

"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-08-02 26112]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-08-02 98304]

"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-09-14 53248]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-8-2 24576]

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\afaeeddeafa]

2009-05-18 03:49 278033 ------w- c:\windows\system32\afaeeddeafa.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\edfbcebdddea]

2009-07-16 10:44 312847 ------w- c:\windows\system32\edfbcebdddea.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]

2004-09-07 21:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

2009-08-24 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-06-29 23:57]

.

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-24 15:51

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

CFLog.txt


  • Staff

Hi Dave,

Please don't attach logs; post them here instead.

Also don't quote my reply; use ADDREPLY instead of "REPLY".

Looks like my script wasn't executed correctly.

Please delete all CFScript.txt files you have on your Desktop.

Let's try this again.

Please open Notepad - don't use any other text editor than Notepad or the script will fail.

Copy/paste the text in the quotebox below into Notepad:

http://www.malwarebytes.org/forums/index.php?showtopic=22129

Driver::

fef7a3a5ebf10090ceb6d820b1fffdcc

Collect::

C:\avg_free_stb_all_8_32_cnet.exe

c:\windows\system32\da4992ce7f772f5cdced9c69faa08afa.exe

c:\windows\system32\c28be957c975aefb5e27b3f339b69606.TMP

c:\windows\system32\edfbcebdddea.dll

c:\windows\system32\bcfa641acb9b1fa199c53255d5b56b7d.TMP

c:\windows\system32\afaeeddeafa.dll

C:\Windows\system32\fef7a3a5ebf10090ceb6d820b1fffdcc.sys

KILLALL::

Registry::

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\afaeeddeafa]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\edfbcebdddea]

[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\fef7a3a5ebf10090ceb6d820b1fffdcc]

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

(screenshot: CFScriptB-4.gif)

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

-screen317


Here are the results: I actually had to boot into Ubuntu from a CD, then copy the Notepad file to the desktop, then boot back into Windows, then drop the file on top of ComboFix, then boot back into the Ubuntu CD to copy the file back to a flash drive, to get it to a system so I could send it here. If we even looked at it, or tried to move it around in Windows, whatever is running on that box kept corrupting the file.

ComboFix 09-08-24.01 - James Brownrigg 08/26/2009 19:58.6.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.267 [GMT -4:00]

Running from: c:\documents and settings\James Brownrigg\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\James Brownrigg\Desktop\CFScript.txt

file zipped: C:\avg_free_stb_all_8_32_cnet.exe

file zipped: c:\windows\system32\afaeeddeafa.dll

file zipped: c:\windows\system32\bcfa641acb9b1fa199c53255d5b56b7d.TMP

file zipped: c:\windows\system32\c28be957c975aefb5e27b3f339b69606.TMP

file zipped: c:\windows\system32\edfbcebdddea.dll

file zipped: c:\windows\system32\fef7a3a5ebf10090ceb6d820b1fffdcc.sys

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\avg_free_stb_all_8_32_cnet.exe

c:\windows\system32\afaeeddeafa.dll

c:\windows\system32\bcfa641acb9b1fa199c53255d5b56b7d.TMP

c:\windows\system32\c28be957c975aefb5e27b3f339b69606.TMP

c:\windows\system32\edfbcebdddea.dll

.

((((((((((((((((((((((((( Files Created from 2009-07-27 to 2009-08-27 )))))))))))))))))))))))))))))))

.

2009-08-24 19:49 . 2009-08-27 00:03 39936 ----a-w- c:\windows\system32\_fef7a3a5ebf10090ceb6d820b1fffdcc.sys_.vir

2009-08-18 22:51 . 2009-08-26 23:58 39936 ----a-w- c:\windows\system32\fef7a3a5ebf10090ceb6d820b1fffdcc.sys

2009-08-18 18:34 . 2009-08-18 18:34 -------- d-----w- c:\documents and settings\James Brownrigg\Local Settings\Application Data\Opera

2009-08-18 18:34 . 2009-08-18 18:34 -------- d-----w- c:\program files\Opera

2009-08-16 23:01 . 2009-08-16 23:01 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2009-08-15 20:29 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys

2009-08-15 20:29 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys

2009-08-15 20:29 . 2008-04-13 18:45 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys

2009-08-15 20:29 . 2008-04-13 18:45 10368 ----a-w- c:\windows\system32\dllcache\hidusb.sys

2009-08-12 04:05 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll

2009-08-05 09:01 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-26 18:54 . 2008-05-08 00:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater

2009-08-05 09:01 . 2004-08-10 17:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-17 19:01 . 2004-08-10 17:50 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-14 03:43 . 2004-08-10 17:51 286208 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-03 22:07 . 2009-07-01 15:25 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2009-07-03 22:07 . 2009-07-01 15:25 -------- d-----w- c:\program files\NOS

2009-07-03 17:09 . 2004-08-10 17:51 915456 ------w- c:\windows\system32\wininet.dll

2009-07-01 15:32 . 2007-02-03 00:17 -------- d-----w- c:\program files\Common Files\Adobe

2009-07-01 15:26 . 2009-07-01 15:26 -------- d-----w- c:\program files\Common Files\Adobe AIR

2009-07-01 15:25 . 2009-07-01 15:25 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe

2009-07-01 10:11 . 2009-07-01 10:11 138 ----a-w- c:\documents and settings\James Brownrigg\Local Settings\Application Data\fusioncache.dat

2009-06-25 08:25 . 2004-08-10 17:51 54272 ----a-w- c:\windows\system32\wdigest.dll

2009-06-25 08:25 . 2004-08-10 17:51 56832 ----a-w- c:\windows\system32\secur32.dll

2009-06-25 08:25 . 2004-08-10 17:51 147456 ----a-w- c:\windows\system32\schannel.dll

2009-06-25 08:25 . 2004-08-10 17:51 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-06-25 08:25 . 2004-08-10 17:51 730112 ----a-w- c:\windows\system32\lsasrv.dll

2009-06-25 08:25 . 2004-08-10 17:51 301568 ----a-w- c:\windows\system32\kerberos.dll

2009-06-24 11:18 . 2004-08-10 17:51 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys

2009-06-16 14:36 . 2004-08-10 17:51 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-16 14:36 . 2004-08-10 17:51 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-06-12 12:31 . 2004-08-10 17:51 76288 ----a-w- c:\windows\system32\telnet.exe

2009-06-10 14:13 . 2004-08-10 17:50 84992 ----a-w- c:\windows\system32\avifil32.dll

2009-06-10 13:19 . 2004-08-10 18:01 2066432 ----a-w- c:\windows\system32\mstscax.dll

2009-06-10 06:14 . 2004-08-10 17:51 132096 ----a-w- c:\windows\system32\wkssvc.dll

2009-06-03 20:17 . 2009-05-28 22:32 205840 ----a-w- c:\windows\system32\kusers.dll

2009-06-03 19:09 . 2004-08-10 17:51 1291264 ----a-w- c:\windows\system32\quartz.dll

.

((((((((((((((((((((((((((((( SnapShot@2009-08-18_19.38.32 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-08-27 00:06 . 2009-08-27 00:06 16384 c:\windows\temp\Perflib_Perfdata_28c.dat

+ 2009-06-25 08:25 . 2009-06-25 08:25 54272 c:\windows\system32\dllcache\wdigest.dll

+ 2009-06-12 12:31 . 2009-06-12 12:31 76288 c:\windows\system32\dllcache\telnet.exe

- 2009-02-03 19:59 . 2009-02-03 19:59 56832 c:\windows\system32\dllcache\secur32.dll

+ 2009-02-03 19:59 . 2009-06-25 08:25 56832 c:\windows\system32\dllcache\secur32.dll

+ 2009-06-24 11:18 . 2009-06-24 11:18 92928 c:\windows\system32\dllcache\ksecdd.sys

+ 2009-06-10 14:13 . 2009-06-10 14:13 84992 c:\windows\system32\dllcache\avifil32.dll

+ 2009-07-17 19:01 . 2009-07-17 19:01 58880 c:\windows\system32\dllcache\atl.dll

+ 2004-08-10 17:51 . 2009-07-14 03:43 286208 c:\windows\system32\dllcache\wmpdxm.dll

+ 2009-06-10 06:14 . 2009-06-10 06:14 132096 c:\windows\system32\dllcache\wkssvc.dll

+ 2008-12-05 06:54 . 2009-06-25 08:25 147456 c:\windows\system32\dllcache\schannel.dll

+ 2009-06-25 08:25 . 2009-06-25 08:25 136192 c:\windows\system32\dllcache\msv1_0.dll

+ 2009-04-15 10:18 . 2009-06-25 08:25 730112 c:\windows\system32\dllcache\lsasrv.dll

+ 2009-06-25 08:25 . 2009-06-25 08:25 301568 c:\windows\system32\dllcache\kerberos.dll

+ 2009-06-10 13:19 . 2009-06-10 13:19 2066432 c:\windows\system32\dllcache\mstscax.dll

+ 2004-08-10 17:51 . 2009-07-14 03:43 10841088 c:\windows\system32\wmp.dll

+ 2004-08-10 17:51 . 2009-07-14 03:43 10841088 c:\windows\system32\dllcache\wmp.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-29 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-01-31 155648]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-09-01 339968]

"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-03-04 606208]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]

"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016]

"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]

"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2004-09-14 131072]

"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-08-02 26112]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-08-02 98304]

"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-09-14 53248]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-8-2 24576]

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]

2004-09-07 21:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

2009-08-27 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-06-29 23:57]

.

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-26 20:06

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(952)

c:\windows\system32\Ati2evxx.dll

c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'explorer.exe'(3952)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\program files\Intel\Wireless\Bin\S24EvMon.exe

c:\program files\Intel\Wireless\Bin\WLKEEPER.exe

c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe

c:\windows\system32\ati2evxx.exe

c:\windows\system32\scardsvr.exe

c:\progra~1\Intel\Wireless\Bin\1XConfig.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe

c:\program files\Apoint\ApntEx.exe

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\windows\system32\fxssvc.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2009-08-27 20:11 - machine was rebooted

ComboFix-quarantined-files.txt 2009-08-27 00:11

ComboFix2.txt 2009-08-26 19:06

ComboFix3.txt 2009-08-24 19:54

ComboFix4.txt 2009-08-18 23:01

ComboFix5.txt 2009-08-26 23:55

Pre-Run: 23,842,361,344 bytes free

Post-Run: 23,788,453,888 bytes free

184 --- E O F --- 2009-08-18 23:08

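The two logs in this thread are worth reading side by side. The first shows two Winlogon\Notify packages loading DLLs whose names use only the letters a-f (afaeeddeafa.dll, edfbcebdddea.dll), and whose 32-hex-character siblings sit directly in system32 rather than under drivers\ or dllcache\ where the legitimately updated files live. The second shows fef7a3a5ebf10090ceb6d820b1fffdcc.sys still present after the first CFScript ran, with a modified time of 2009-08-26 23:58, next to ComboFix's own _..._.vir quarantine copy. The Python below is an added example, not code from this thread, from ComboFix or from Malwarebytes: it parses those two sections of a ComboFix log, flags names that look machine-generated, reports flagged files that a later log lists again, and drafts the Collect::/KILLALL::/Registry:: block in the form screen317 posted. The sample logs are constructed from the paths and keys above (the timestamps on the "before" .sys line are made up), and the hex-only-name heuristic is my assumption about this family, a triage aid rather than a verdict.

```python
"""Added ComboFix log triage helper (not part of the thread or of ComboFix).
Flags Winlogon\\Notify packages and system32 files with machine-generated names
(hex digests, or letters drawn only from a-f), reports flagged files that a
later log lists again, and drafts the CFScript directives used in this thread.
The name heuristic is an assumption made for this example; review every hit."""
import re
from typing import List, Tuple

# Constructed samples in ComboFix's own line layout; paths and keys are the
# ones in this thread's logs, the 'before' .sys timestamps are made up.
SAMPLE_LOG_BEFORE = r"""
((((((((((((((((((((((((( Files Created from 2009-07-18 to 2009-08-18 )))))))))))))))))))))))))))))))
2009-08-18 22:50 . 2009-08-18 22:50 149522 ------w- c:\windows\system32\da4992ce7f772f5cdced9c69faa08afa.exe
2009-08-18 22:51 . 2009-08-18 22:51 39936 ----a-w- c:\windows\system32\fef7a3a5ebf10090ceb6d820b1fffdcc.sys
2009-08-15 20:29 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\afaeeddeafa]
2009-05-18 03:49 278033 ------w- c:\windows\system32\afaeeddeafa.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\edfbcebdddea]
2009-07-16 10:44 312847 ------w- c:\windows\system32\edfbcebdddea.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 21:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"""
SAMPLE_LOG_AFTER = r"""
((((((((((((((((((((((((( Files Created from 2009-07-27 to 2009-08-27 )))))))))))))))))))))))))))))))
2009-08-24 19:49 . 2009-08-27 00:03 39936 ----a-w- c:\windows\system32\_fef7a3a5ebf10090ceb6d820b1fffdcc.sys_.vir
2009-08-18 22:51 . 2009-08-26 23:58 39936 ----a-w- c:\windows\system32\fef7a3a5ebf10090ceb6d820b1fffdcc.sys
2009-08-15 20:29 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 21:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll
"""

HEX_NAME = re.compile(r"^[0-9a-f]{8,}$")  # heuristic: 'afaeeddeafa', md5-like stems
SYSTEM32 = "c:\\windows\\system32\\"
FILE_LINE = re.compile(  # 'Files Created' entry: ctime . mtime size attrs path
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. (?P<mtime>\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r"\s+\d+\s+[-a-z]{8}\s+(?P<path>[a-z]:\\.+)$", re.I)  # dirs show '--------' for size and are skipped
NOTIFY_KEY = re.compile(
    r"^\[(?P<key>HKEY_LOCAL_MACHINE\\.*\\winlogon\\notify\\(?P<name>[^\]]+))\]$", re.I)
NOTIFY_DLL = re.compile(  # the line under a Notify key: mtime size attrs path
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+\d+\s+[-a-z]{8}\s+(?P<path>[a-z]:\\.+)$", re.I)

def looks_generated(path: str) -> bool:
    """Base name without extension is 8+ characters drawn only from 0-9a-f."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return HEX_NAME.match(stem.lower()) is not None

def in_system32_root(path: str) -> bool:
    """Directly in system32, not under drivers\\ or dllcache\\."""
    p = path.lower()
    return p.startswith(SYSTEM32) and "\\" not in p[len(SYSTEM32):]

def triage(log_text: str) -> dict:
    """Return flagged Notify keys, their DLLs, and {path: mtime} for flagged files."""
    found = {"notify_keys": [], "notify_dlls": [], "files": {}}
    pending = None  # last Winlogon\Notify key seen, waiting for its DLL line
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            pending = NOTIFY_KEY.match(line)  # None for any other registry key
            continue
        if pending is not None:
            dll = NOTIFY_DLL.match(line)
            if dll is None:
                continue  # blank or '.' separator line between key and DLL
            if HEX_NAME.match(pending["name"].lower()) or looks_generated(dll["path"]):
                found["notify_keys"].append(pending["key"])
                found["notify_dlls"].append(dll["path"])
            pending = None
            continue
        entry = FILE_LINE.match(line)
        if entry and in_system32_root(entry["path"]) and looks_generated(entry["path"]):
            found["files"][entry["path"]] = entry["mtime"]
    return found

def still_present(before: dict, after: dict) -> List[Tuple[str, str, str]]:
    """Flagged files a later log lists again, with both mtimes: a fresh mtime on
    the same path means the earlier pass did not take.  ComboFix's own quarantine
    copy (_name_.vir) does not match the name heuristic and is not reported."""
    return sorted((p, before["files"][p], after["files"][p])
                  for p in before["files"] if p in after["files"])

def draft_cfscript(found: dict, thread_url: str) -> str:
    """Directive block in the form posted above: thread URL first, Collect::
    (the log shows ComboFix zipping, then deleting, each listed file),
    KILLALL::, then Registry:: where '-' in front of a key deletes it."""
    out = [thread_url, "", "Collect::", *found["files"], *found["notify_dlls"],
           "", "KILLALL::", "", "Registry::",
           *(f"[-{key}]" for key in found["notify_keys"])]
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    before, after = triage(SAMPLE_LOG_BEFORE), triage(SAMPLE_LOG_AFTER)
    print(draft_cfscript(before, "http://www.malwarebytes.org/forums/index.php?showtopic=22129"))
    for path, was, now in still_present(before, after):
        print(f"still present: {path}  mtime {was} -> {now}")
```

Run against the two constructed logs, still_present() reports the .sys with its old and new modified time, which is the evidence in the second log that Collect:: and Driver:: had not removed it. That is the point at which the next reply in this thread switches to Rootkit:: for that file; the script deliberately drafts only the directives the first CFScript used, since choosing the stronger directive is a judgement about the file, not something to read off the log.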

  • Staff

Hi,

Looks like we're winning; slowly but surely.

Please open Notepad - don't use any other text editor than Notepad or the script will fail.

Copy/paste the text in the quotebox below into Notepad:

Rootkit::

c:\windows\system32\_fef7a3a5ebf10090ceb6d820b1fffdcc.sys_.vir

C:\windows\system32\fef7a3a5ebf10090ceb6d820b1fffdcc.sys

KILLALL::

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

(screenshot: CFScriptB-4.gif)

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.

  • Click Start Scanning.
  • You should get a notification bar (on top) to install the ActiveX control.
  • Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished scanning, click the Automatic cleaning (recommended) button
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and Copy/Paste what is present under results in your next reply.

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

-screen317


Here's the ComboFix log; the HijackThis log is coming next:

ComboFix 09-08-24.01 - James Brownrigg 08/27/2009 19:24.7.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.255 [GMT -4:00]

Running from: c:\documents and settings\James Brownrigg\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\James Brownrigg\Desktop\CFScript.txt

.

((((((((((((((((((((((((( Files Created from 2009-07-27 to 2009-08-27 )))))))))))))))))))))))))))))))

.

2009-08-18 18:34 . 2009-08-18 18:34 -------- d-----w- c:\documents and settings\James Brownrigg\Local Settings\Application Data\Opera

2009-08-18 18:34 . 2009-08-18 18:34 -------- d-----w- c:\program files\Opera

2009-08-16 23:01 . 2009-08-16 23:01 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2009-08-15 20:29 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys

2009-08-15 20:29 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys

2009-08-15 20:29 . 2008-04-13 18:45 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys

2009-08-15 20:29 . 2008-04-13 18:45 10368 ----a-w- c:\windows\system32\dllcache\hidusb.sys

2009-08-12 04:05 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll

2009-08-05 09:01 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-27 23:19 . 2008-05-08 00:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater

2009-08-05 09:01 . 2004-08-10 17:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-17 19:01 . 2004-08-10 17:50 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-14 03:43 . 2004-08-10 17:51 286208 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-03 22:07 . 2009-07-01 15:25 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2009-07-03 22:07 . 2009-07-01 15:25 -------- d-----w- c:\program files\NOS

2009-07-03 17:09 . 2004-08-10 17:51 915456 ------w- c:\windows\system32\wininet.dll

2009-07-01 15:32 . 2007-02-03 00:17 -------- d-----w- c:\program files\Common Files\Adobe

2009-07-01 15:26 . 2009-07-01 15:26 -------- d-----w- c:\program files\Common Files\Adobe AIR

2009-07-01 15:25 . 2009-07-01 15:25 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe

2009-07-01 10:11 . 2009-07-01 10:11 138 ----a-w- c:\documents and settings\James Brownrigg\Local Settings\Application Data\fusioncache.dat

2009-06-25 08:25 . 2004-08-10 17:51 54272 ----a-w- c:\windows\system32\wdigest.dll

2009-06-25 08:25 . 2004-08-10 17:51 56832 ----a-w- c:\windows\system32\secur32.dll

2009-06-25 08:25 . 2004-08-10 17:51 147456 ----a-w- c:\windows\system32\schannel.dll

2009-06-25 08:25 . 2004-08-10 17:51 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-06-25 08:25 . 2004-08-10 17:51 730112 ----a-w- c:\windows\system32\lsasrv.dll

2009-06-25 08:25 . 2004-08-10 17:51 301568 ----a-w- c:\windows\system32\kerberos.dll

2009-06-24 11:18 . 2004-08-10 17:51 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys

2009-06-16 14:36 . 2004-08-10 17:51 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-16 14:36 . 2004-08-10 17:51 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-06-12 12:31 . 2004-08-10 17:51 76288 ----a-w- c:\windows\system32\telnet.exe

2009-06-10 14:13 . 2004-08-10 17:50 84992 ----a-w- c:\windows\system32\avifil32.dll

2009-06-10 13:19 . 2004-08-10 18:01 2066432 ----a-w- c:\windows\system32\mstscax.dll

2009-06-10 06:14 . 2004-08-10 17:51 132096 ----a-w- c:\windows\system32\wkssvc.dll

2009-06-03 20:17 . 2009-05-28 22:32 205840 ----a-w- c:\windows\system32\kusers.dll

2009-06-03 19:09 . 2004-08-10 17:51 1291264 ----a-w- c:\windows\system32\quartz.dll

.

((((((((((((((((((((((((((((( SnapShot@2009-08-18_19.38.32 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-08-27 23:31 . 2009-08-27 23:31 16384 c:\windows\temp\Perflib_Perfdata_290.dat

+ 2007-01-29 08:58 . 2009-07-14 11:03 46080 c:\windows\system32\tzchange.exe

+ 2009-06-25 08:25 . 2009-06-25 08:25 54272 c:\windows\system32\dllcache\wdigest.dll

+ 2009-06-12 12:31 . 2009-06-12 12:31 76288 c:\windows\system32\dllcache\telnet.exe

- 2009-02-03 19:59 . 2009-02-03 19:59 56832 c:\windows\system32\dllcache\secur32.dll

+ 2009-02-03 19:59 . 2009-06-25 08:25 56832 c:\windows\system32\dllcache\secur32.dll

+ 2009-06-24 11:18 . 2009-06-24 11:18 92928 c:\windows\system32\dllcache\ksecdd.sys

+ 2009-06-10 14:13 . 2009-06-10 14:13 84992 c:\windows\system32\dllcache\avifil32.dll

+ 2009-07-17 19:01 . 2009-07-17 19:01 58880 c:\windows\system32\dllcache\atl.dll

+ 2004-08-10 17:51 . 2009-07-14 03:43 286208 c:\windows\system32\dllcache\wmpdxm.dll

+ 2009-06-10 06:14 . 2009-06-10 06:14 132096 c:\windows\system32\dllcache\wkssvc.dll

+ 2008-12-05 06:54 . 2009-06-25 08:25 147456 c:\windows\system32\dllcache\schannel.dll

+ 2009-06-25 08:25 . 2009-06-25 08:25 136192 c:\windows\system32\dllcache\msv1_0.dll

+ 2009-04-15 10:18 . 2009-06-25 08:25 730112 c:\windows\system32\dllcache\lsasrv.dll

+ 2009-06-25 08:25 . 2009-06-25 08:25 301568 c:\windows\system32\dllcache\kerberos.dll

+ 2009-06-10 13:19 . 2009-06-10 13:19 2066432 c:\windows\system32\dllcache\mstscax.dll

+ 2004-08-10 17:51 . 2009-07-14 03:43 10841088 c:\windows\system32\wmp.dll

+ 2004-08-10 17:51 . 2009-07-14 03:43 10841088 c:\windows\system32\dllcache\wmp.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-29 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-01-31 155648]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-09-01 339968]

"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-03-04 606208]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]

"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016]

"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]

"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2004-09-14 131072]

"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-08-02 26112]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-08-02 98304]

"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-09-14 53248]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-8-2 24576]

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]

2004-09-07 21:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

2009-08-27 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-06-29 23:57]

.

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-27 19:31

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(952)

c:\windows\system32\Ati2evxx.dll

c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'explorer.exe'(3924)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\program files\Intel\Wireless\Bin\S24EvMon.exe

c:\program files\Intel\Wireless\Bin\WLKEEPER.exe

c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe

c:\windows\system32\ati2evxx.exe

c:\windows\system32\scardsvr.exe

c:\progra~1\Intel\Wireless\Bin\1XConfig.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe

c:\program files\Apoint\ApntEx.exe

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\windows\system32\fxssvc.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2009-08-27 19:36 - machine was rebooted

ComboFix-quarantined-files.txt 2009-08-27 23:36

ComboFix2.txt 2009-08-27 00:11

ComboFix3.txt 2009-08-26 19:06

ComboFix4.txt 2009-08-24 19:54

ComboFix5.txt 2009-08-27 23:23

Pre-Run: 23,776,481,280 bytes free

Post-Run: 23,738,761,216 bytes free

169 --- E O F --- 2009-08-27 23:21


Here's the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:40:59 PM, on 8/27/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Dell\Media Experience\DMXLauncher.exe

C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\DellSupport\DSAgnt.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\fxssvc.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\internet explorer\iexplore.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Program Files\MSN\Toolbar\3.0.0988.2\msntask.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll (file missing)

O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [intelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe

O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"

O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - c:\program files\mcafee.com\agent\mcdetect.exe (file missing)

O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe (file missing)

O23 - Service: McAfee Task Scheduler (McTskshd.exe) - Unknown owner - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe (file missing)

O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)

O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: WLANKEEPER - Intel

Here are the results from the F-Secure spyware scan:

Scanning Report

Friday, August 28, 2009 19:51:07 - 08:25:50

Computer name: BUDDHA

Scanning type: Scan system for malware, spyware and rootkits

Target: C:\

57 malware found

TrackingCookie.Questionmarket (spyware)

System (Disinfected)

TrackingCookie.Adinterax (spyware)

System (Disinfected)

TrackingCookie.2o7 (spyware)

System (Disinfected)

TrackingCookie.Advertising (spyware)

System (Disinfected)

TrackingCookie.Atdmt (spyware)

System (Disinfected)

TrackingCookie.Adtech (spyware)

System (Disinfected)

TrackingCookie.Doubleclick (spyware)

System (Disinfected)

TrackingCookie.Revsci (spyware)

System (Disinfected)

TrackingCookie.Specificclick (spyware)

System (Disinfected)

TrackingCookie.Clickbank (spyware)

System (Disinfected)

TrackingCookie.Adrevolver (spyware)

System (Disinfected)

TrackingCookie.Adbrite (spyware)

System (Disinfected)

TrackingCookie.Xiti (spyware)

System (Disinfected)

TrackingCookie.Webtrends (spyware)

System (Disinfected)

TrackingCookie.Mediaplex (spyware)

System (Disinfected)

Trojan.Generic.1785280 (spyware)

System (Disinfected)

TrackingCookie.Tradedoubler (spyware)

System (Disinfected)

TrackingCookie.Statcounter (spyware)

System (Disinfected)

TrackingCookie.Atwola (spyware)

System (Disinfected)

TrackingCookie.Yieldmanager (spyware)

System (Disinfected)

Trojan.Generic.1785280 (virus)

C:\WINDOWS\SYSTEM32\KUSERS.DLL (Not cleaned)

Trojan.Generic.1942892 (virus)

C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP309\A0060200.DLL (Renamed & Submitted)

Worm.Generic.44360 (virus)

C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP309\A0060199.DLL (Renamed)

Trojan.Generic.1333556 (virus)

C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP307\A0059801.EXE (Renamed & Submitted)

Rogue:W32/SpyGuard.gen!A (virus)

C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP306\A0059317.EXE (Not cleaned & Submitted)

Rogue:W32/SpyGuard.gen!A (virus)

C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP306\A0059315.EXE (Not cleaned)

Trojan.CryptRedol.Gen.3 (virus)

C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP306\A0059319.EXE (Renamed & Submitted)

Trojan.Generic.2192870 (virus)

C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP306\A0059320.EXE (Renamed & Submitted)

Gen:Trojan.Heur.TDSS.fqW@fSBTnkci (virus)

C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP306\A0059321.EXE (Renamed & Submitted)

Trojan-Downloader:W32/Renos.gen!C (virus)

C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP306\A0059322.EXE (Renamed & Submitted)

Trojan-Downloader:W32/Bredolab.gen!B (virus)

C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP306\A0059323.EXE (Renamed & Submitted)

Trojan.Generic.IS.604419 (virus)

C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP306\A0059325.EXE (Renamed & Submitted)

Rogue:W32/SpyGuard.gen!A (virus)

C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP306\A0059332.EXE (Not cleaned & Submitted)

Trojan.Agent.ANDM (virus)

C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP306\A0059333.EXE (Renamed & Submitted)

Trojan.Generic.IS.595345 (virus)

C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP304\A0058941.EXE (Renamed & Submitted)

Trojan.Generic.1942892 (virus)

C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP298\A0058436.DLL (Renamed & Submitted)

Trojan.Generic.1942892 (virus)

C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP298\A0058435.DLL (Renamed & Submitted)

Rogue:W32/SpyGuard.gen!A (virus)

C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP279\A0054489.EXE (Not cleaned & Submitted)

Rogue:W32/SpyGuard.gen!A (virus)

C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP279\A0054488.EXE (Not cleaned & Submitted)

Rogue:W32/SpyGuard.gen!A (virus)

C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP279\A0054501.DLL (Not cleaned & Submitted)

Rogue:W32/SpyGuard.gen!A (virus)

C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP279\A0054529.DLL (Not cleaned & Submitted)

Rogue:W32/SpyGuard.gen!A (virus)

C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP279\A0054519.EXE (Not cleaned & Submitted)

Rogue:W32/SpyGuard.gen!A (virus)

C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP279\A0054531.EXE (Not cleaned & Submitted)

Rogue:W32/SpyGuard.gen!A (virus)

C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP279\A0054528.DLL (Not cleaned & Submitted)

Rogue:W32/SpyGuard.gen!A (virus)

C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP279\A0054530.DLL (Not cleaned & Submitted)

Rogue:W32/SpyGuard.gen!A (virus)

C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP278\A0054390.DLL (Not cleaned)

Trojan.Generic.1854546 (virus)

C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP278\A0054386.BAT (Not cleaned)

Rogue:W32/SpyGuard.gen!A (virus)

C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP278\A0054424.DLL (Not cleaned)

Trojan.Generic.1785280 (virus)

C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP278\A0054436.DLL (Not cleaned)

Trojan.Generic.1854546 (virus)

C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP278\A0054448.BAT (Not cleaned)

Rogue:W32/SpyGuard.gen!A (virus)

C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP278\A0054453.DLL (Not cleaned)

Trojan.Generic.1854546 (virus)

C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP278\A0054449.BAT (Not cleaned)

Rogue:W32/SpyGuard.gen!A (virus)

C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP277\A0054354.DLL (Not cleaned)

Trojan.Generic.1758226 (virus)

C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP277\A0054368.DLL (Not cleaned)

Rogue:W32/SpyGuard.gen!A (virus)

C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP274\A0054256.DLL (Not cleaned)

Rogue:W32/SpyGuard.gen!A (virus)

C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP274\A0054281.DLL (Not cleaned)

Rogue:W32/SpyGuard.gen!A (virus)

C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP274\A0054304.DLL (Not cleaned)

Statistics

Scanned:

Files: 53311

System: 3116

Not scanned: 6

Actions:

Disinfected: 20

Renamed: 13

Deleted: 0

Not cleaned: 24

Submitted: 22

Files not scanned:

C:\PAGEFILE.SYS

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

C:\WINDOWS\SYSTEM32\CONFIG\SAM

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

Options

Scanning engines:

Scanning options:

Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR

Use advanced heuristics

Copyright

And here's checkup.txt.

Results of screen317's Security Check version 0.98.9

Windows XP Service Pack 3

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

``````````````````````````````

Anti-malware/Other Utilities Check:

HijackThis 2.0.2

Java 6 Update 11

Java 2 Runtime Environment, SE v1.4.2_03

Out of date Java installed!

Adobe Flash Player 10

Adobe Reader 9.1

``````````````````````````````

Process Check:

objlist.exe by Laurent

``````````````````````````````

DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````

  • Staff

Hi,

Navigate to Start --> Run, and type Combofix /u in the box that appears. Click OK afterwards. Notice the space between the X and the /u.

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following programs (if present):

Java™ 6 Update 11

Java 2 Runtime Environment, SE v1.4.2_03

Restart your computer.

Get the latest version of Java.

Let me know what issues remain.

-screen317

  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
