J. David Boyd, posted August 20, 2009 (ID:112608)

I've read many other posts here, and we have the problem also where Malwarebytes and HijackThis refuse to run, the browser is being redirected away from any anti-virus sites, and we can't run any software that might attempt to remove whatever the problem is.

So, here is our ComboFix log file. Hopefully this will tell someone something that I can do to fix this computer!

----------------------------------------------------------------------------------
ComboFix 09-08-10.06 - James Brownrigg 08/18/2009 18:51.3.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.250 [GMT -4:00]
Running from: c:\documents and settings\James Brownrigg\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\docume~1\JAMESB~1\LOCALS~1\Temp\catchme.dll
c:\documents and settings\James Brownrigg\Local Settings\Temp\catchme.dll
c:\windows\system32\kdpini.dll
.
((((((((((((((((((((((((( Files Created from 2009-07-18 to 2009-08-18 )))))))))))))))))))))))))))))))
.
2009-08-18 22:50 . 2009-08-18 22:50 149522 ------w- c:\windows\system32\da4992ce7f772f5cdced9c69faa08afa.exe
2009-08-18 18:34 . 2009-08-18 18:34 -------- d-----w- c:\documents and settings\James Brownrigg\Local Settings\Application Data\Opera
2009-08-18 18:34 . 2009-08-18 18:34 -------- d-----w- c:\program files\Opera
2009-08-16 23:01 . 2009-08-16 23:01 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-08-15 21:22 . 2009-08-15 20:49 848712 ----a-w- C:\avg_free_stb_all_8_32_cnet.exe
2009-08-15 20:29 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2009-08-15 20:29 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys
2009-08-15 20:29 . 2008-04-13 18:45 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2009-08-15 20:29 . 2008-04-13 18:45 10368 ----a-w- c:\windows\system32\dllcache\hidusb.sys
2009-08-12 04:05 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-18 17:54 . 2008-05-08 00:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-07-16 10:44 . 2009-07-16 10:44 312847 ------w- c:\windows\system32\c28be957c975aefb5e27b3f339b69606.TMP
2009-07-16 10:44 . 2007-04-23 03:30 312847 ------w- c:\windows\system32\edfbcebdddea.dll
2009-07-16 10:44 . 2009-07-16 10:44 278033 ------w- c:\windows\system32\bcfa641acb9b1fa199c53255d5b56b7d.TMP
2009-07-03 22:07 . 2009-07-01 15:25 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-07-03 22:07 . 2009-07-01 15:25 -------- d-----w- c:\program files\NOS
2009-07-03 17:09 . 2004-08-10 17:51 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-01 15:32 . 2007-02-03 00:17 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-01 15:26 . 2009-07-01 15:26 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-07-01 15:25 . 2009-07-01 15:25 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-07-01 10:11 . 2009-07-01 10:11 138 ----a-w- c:\documents and settings\James Brownrigg\Local Settings\Application Data\fusioncache.dat
2009-06-16 14:36 . 2004-08-10 17:51 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2004-08-10 17:51 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-03 20:17 . 2009-05-28 22:32 205840 ----a-w- c:\windows\system32\kusers.dll
2009-06-03 19:09 . 2004-08-10 17:51 1291264 ----a-w- c:\windows\system32\quartz.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-08-18_19.38.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-18 22:45 . 2009-08-18 22:45 16384 c:\windows\temp\Perflib_Perfdata_6e8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-29 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-01-31 155648]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-09-01 339968]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-03-04 606208]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2004-09-14 131072]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-08-02 26112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-08-02 98304]
"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-09-14 53248]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-8-2 24576]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\afaeeddeafa]
2009-05-18 03:49 278033 ------w- c:\windows\system32\afaeeddeafa.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\edfbcebdddea]
2009-07-16 10:44 312847 ------w- c:\windows\system32\edfbcebdddea.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 21:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-18 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-06-29 23:57]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-MCUpdateExe - c:\progra~1\mcafee.com\agent\McUpdate.exe
HKLM-Run-MCAgentExe - c:\progra~1\mcafee.com\agent\McAgent.exe
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
.
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-18 18:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\windows\system32\fef7a3a5ebf10090ceb6d820b1fffdcc.sys 39936 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\fef7a3a5ebf10090ceb6d820b1fffdcc]
"ImagePath"="system32\fef7a3a5ebf10090ceb6d820b1fffdcc.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(948)
c:\windows\system32\afaeeddeafa.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\edfbcebdddea.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
Completion time: 2009-08-18 19:01
ComboFix-quarantined-files.txt 2009-08-18 23:01
ComboFix2.txt 2009-08-18 20:12
ComboFix3.txt 2009-08-18 19:41

Pre-Run: 24,066,068,480 bytes free
Post-Run: 24,026,931,200 bytes free

131 --- E O F --- 2009-08-15 20:32
----------------------------------------------------------------------------------
J. David Boyd (Author), posted August 20, 2009 (ID:112610)

Maybe I can format that better, here we go.
screen317 (Staff), posted August 23, 2009 (ID:113922)

Hello and welcome to Malwarebytes.

Please go to VirusTotal, and upload the following files for analysis:

c:\windows\system32\da4992ce7f772f5cdced9c69faa08afa.exe
C:\avg_free_stb_all_8_32_cnet.exe
c:\windows\system32\edfbcebdddea.dll
c:\windows\system32\c28be957c975aefb5e27b3f339b69606.TMP
C:\windows\system32\fef7a3a5ebf10090ceb6d820b1fffdcc.sys

Post the results in your reply.

After that, disconnect from the Internet so this infection can't call its friends over. Download any required tools from a known clean computer and transfer them via removable media (CD/flash drive).

-screen317
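The files screen317 singles out above share a pattern an analyst can check for mechanically: 32-hex-character names dropped in system32, winlogon\notify keys whose names are made only of hex letters, and the hidden driver reported by catchme. The following is an added Python example, not code from this thread or from Malwarebytes, that applies those cues to a few constructed lines in ComboFix's log layout; the regex patterns, the name-length thresholds, and the sample lines are my assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of a ComboFix log (a handful of lines
# shaped like the ones posted in this thread, not the whole log).
SAMPLE_LOG = r"""
2009-08-18 22:50 . 2009-08-18 22:50 149522 ------w- c:\windows\system32\da4992ce7f772f5cdced9c69faa08afa.exe
2009-08-15 20:29 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2009-07-16 10:44 . 2009-07-16 10:44 312847 ------w- c:\windows\system32\c28be957c975aefb5e27b3f339b69606.TMP
2009-07-16 10:44 . 2007-04-23 03:30 312847 ------w- c:\windows\system32\edfbcebdddea.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\afaeeddeafa]
2009-05-18 03:49 278033 ------w- c:\windows\system32\afaeeddeafa.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 21:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll
c:\windows\system32\fef7a3a5ebf10090ceb6d820b1fffdcc.sys 39936 bytes executable
"""

# Heuristics (assumed thresholds): an MD5-looking 32-hex stem, or a stem of
# eight or more characters drawn only from the letters a-f, which is how the
# names in this thread look and how ordinary vendor files do not.
HEX32 = re.compile(r"[0-9a-f]{32}")
HEXWORD = re.compile(r"[a-f]{8,}")

# Registry key line for a winlogon notification package.
NOTIFY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion"
    r"\\winlogon\\notify\\(?P<name>[^\]]+)\]$",
    re.IGNORECASE,
)
# catchme's hidden-file report: "<path> <size> bytes executable".
CATCHME = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) (?P<size>\d+) bytes executable$")
# A Windows path anywhere on a line, stopping before a quote or "[date size]" tail.
PATH = re.compile(r'[A-Za-z]:\\[^"\[]*')


@dataclass(frozen=True)
class Finding:
    reason: str
    value: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def looks_random(name: str) -> bool:
    """True when the name (without extension) matches one of the heuristics."""
    stem = name.rsplit(".", 1)[0].lower()
    return bool(HEX32.fullmatch(stem) or HEXWORD.fullmatch(stem))


def triage(log_text: str) -> list[Finding]:
    """Walk the log once and collect items worth submitting for analysis."""
    findings: list[Finding] = []

    def add(reason: str, value: str) -> None:
        f = Finding(reason, value)
        if f not in findings:  # the same path can appear in several sections
            findings.append(f)

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = NOTIFY.match(line)
        if m:
            if looks_random(m.group("name")):
                add("winlogon-notify-random-name", m.group("name"))
            continue
        m = CATCHME.match(line)
        if m:
            add("hidden-file", m.group("path"))
            continue
        m = PATH.search(line)
        if m:
            path = m.group(0).rstrip()
            if "\\system32\\" in path.lower() and looks_random(basename(path)):
                add("random-name-in-system32", path)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason:28} {f.value}")
```

Run against the full log posted above, the same rules pick out every file the staff asked to have uploaded, plus the two notify DLLs that the later CFScript removes.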
J. David Boyd (Author), posted August 24, 2009 (ID:113961)

Getting errors trying to upload the results. Perhaps I can put them in a file attachment...
J. David Boyd (Author), posted August 24, 2009 (ID:113962)

I've added the info in an attachment.

Attachment: info_for_mb.txt
screen317 (Staff), posted August 24, 2009 (ID:113965)

Hello,

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad. Copy and paste the text in the Code box below into Notepad:

http://www.malwarebytes.org/forums/index.php?showtopic=22129

Driver::
fef7a3a5ebf10090ceb6d820b1fffdcc

Collect::
C:\avg_free_stb_all_8_32_cnet.exe
c:\windows\system32\da4992ce7f772f5cdced9c69faa08afa.exe
c:\windows\system32\c28be957c975aefb5e27b3f339b69606.TMP
c:\windows\system32\edfbcebdddea.dll
c:\windows\system32\bcfa641acb9b1fa199c53255d5b56b7d.TMP
c:\windows\system32\afaeeddeafa.dll
C:\Windows\system32\fef7a3a5ebf10090ceb6d820b1fffdcc.sys

KILLALL::

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\afaeeddeafa]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\edfbcebdddea]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\fef7a3a5ebf10090ceb6d820b1fffdcc]

Save this as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe. When finished, it shall produce a log for you. Post that log in your next reply.

**Note** When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis. Ensure you are connected to the internet and click OK on the message box.

-screen317
J. David Boyd (Author), posted August 25, 2009 (ID:114384)

I've attached a file that contains the results. Hope this helps!

Dave

ComboFix 09-08-24.01 - James Brownrigg 08/24/2009 15:44.4.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.251 [GMT -4:00]
Running from: c:\documents and settings\James Brownrigg\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\James Brownrigg\Desktop\CFScript.txt
 * Created a new restore point.

((((((((((((((((((((((((( Files Created from 2009-07-24 to 2009-08-24 )))))))))))))))))))))))))))))))
.
2009-08-18 18:34 . 2009-08-18 18:34 -------- d-----w- c:\documents and settings\James Brownrigg\Local Settings\Application Data\Opera
2009-08-18 18:34 . 2009-08-18 18:34 -------- d-----w- c:\program files\Opera
2009-08-16 23:01 . 2009-08-16 23:01 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-08-15 21:22 . 2009-08-15 20:49 848712 ----a-w- C:\avg_free_stb_all_8_32_cnet.exe
2009-08-15 20:29 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2009-08-15 20:29 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys
2009-08-15 20:29 . 2008-04-13 18:45 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2009-08-15 20:29 . 2008-04-13 18:45 10368 ----a-w- c:\windows\system32\dllcache\hidusb.sys
2009-08-12 04:05 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-08-05 09:01 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-24 01:36 . 2008-05-08 00:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-08-05 09:01 . 2004-08-10 17:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2004-08-10 17:50 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-16 10:44 . 2009-07-16 10:44 312847 ------w- c:\windows\system32\c28be957c975aefb5e27b3f339b69606.TMP
2009-07-16 10:44 . 2007-04-23 03:30 312847 ------w- c:\windows\system32\edfbcebdddea.dll
2009-07-16 10:44 . 2009-07-16 10:44 278033 ------w- c:\windows\system32\bcfa641acb9b1fa199c53255d5b56b7d.TMP
2009-07-14 03:43 . 2004-08-10 17:51 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 22:07 . 2009-07-01 15:25 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-07-03 22:07 . 2009-07-01 15:25 -------- d-----w- c:\program files\NOS
2009-07-03 17:09 . 2004-08-10 17:51 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-01 15:32 . 2007-02-03 00:17 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-01 15:26 . 2009-07-01 15:26 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-07-01 15:25 . 2009-07-01 15:25 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-07-01 10:11 . 2009-07-01 10:11 138 ----a-w- c:\documents and settings\James Brownrigg\Local Settings\Application Data\fusioncache.dat
2009-06-25 08:25 . 2004-08-10 17:51 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-10 17:51 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-10 17:51 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-10 17:51 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2004-08-10 17:51 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-10 17:51 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2004-08-10 17:51 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2004-08-10 17:51 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2004-08-10 17:51 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2004-08-10 17:51 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2004-08-10 17:50 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2004-08-10 18:01 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2004-08-10 17:51 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-03 20:17 . 2009-05-28 22:32 205840 ----a-w- c:\windows\system32\kusers.dll
2009-06-03 19:09 . 2004-08-10 17:51 1291264 ----a-w- c:\windows\system32\quartz.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-08-18_19.38.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-25 08:25 . 2009-06-25 08:25 54272 c:\windows\system32\dllcache\wdigest.dll
+ 2009-06-12 12:31 . 2009-06-12 12:31 76288 c:\windows\system32\dllcache\telnet.exe
+ 2009-02-03 19:59 . 2009-06-25 08:25 56832 c:\windows\system32\dllcache\secur32.dll
- 2009-02-03 19:59 . 2009-02-03 19:59 56832 c:\windows\system32\dllcache\secur32.dll
+ 2009-06-24 11:18 . 2009-06-24 11:18 92928 c:\windows\system32\dllcache\ksecdd.sys
+ 2009-06-10 14:13 . 2009-06-10 14:13 84992 c:\windows\system32\dllcache\avifil32.dll
+ 2009-07-17 19:01 . 2009-07-17 19:01 58880 c:\windows\system32\dllcache\atl.dll
+ 2004-08-10 17:51 . 2009-07-14 03:43 286208 c:\windows\system32\dllcache\wmpdxm.dll
+ 2009-06-10 06:14 . 2009-06-10 06:14 132096 c:\windows\system32\dllcache\wkssvc.dll
+ 2008-12-05 06:54 . 2009-06-25 08:25 147456 c:\windows\system32\dllcache\schannel.dll
+ 2009-06-25 08:25 . 2009-06-25 08:25 136192 c:\windows\system32\dllcache\msv1_0.dll
+ 2009-04-15 10:18 . 2009-06-25 08:25 730112 c:\windows\system32\dllcache\lsasrv.dll
+ 2009-06-25 08:25 . 2009-06-25 08:25 301568 c:\windows\system32\dllcache\kerberos.dll
+ 2009-06-10 13:19 . 2009-06-10 13:19 2066432 c:\windows\system32\dllcache\mstscax.dll
+ 2004-08-10 17:51 . 2009-07-14 03:43 10841088 c:\windows\system32\wmp.dll
+ 2004-08-10 17:51 . 2009-07-14 03:43 10841088 c:\windows\system32\dllcache\wmp.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-29 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-01-31 155648]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-09-01 339968]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-03-04 606208]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2004-09-14 131072]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-08-02 26112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-08-02 98304]
"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-09-14 53248]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-8-2 24576]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\afaeeddeafa]
2009-05-18 03:49 278033 ------w- c:\windows\system32\afaeeddeafa.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\edfbcebdddea]
2009-07-16 10:44 312847 ------w- c:\windows\system32\edfbcebdddea.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 21:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-24 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-06-29 23:57]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
.
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-24 15:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

Attachment: CFLog.txt
screen317 (Staff) Posted August 25, 2009 ID:114749

Hi Dave,

Please don't attach logs; post them here instead.
Also don't quote my reply; use ADDREPLY instead of "REPLY".

Looks like my script wasn't executed correctly. Please delete all CFScript.txt files you have on your Desktop. Let's try this again.

Please open Notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quotebox below into Notepad:

http://www.malwarebytes.org/forums/index.php?showtopic=22129
Driver::
fef7a3a5ebf10090ceb6d820b1fffdcc
Collect::
C:\avg_free_stb_all_8_32_cnet.exe
c:\windows\system32\da4992ce7f772f5cdced9c69faa08afa.exe
c:\windows\system32\c28be957c975aefb5e27b3f339b69606.TMP
c:\windows\system32\edfbcebdddea.dll
c:\windows\system32\bcfa641acb9b1fa199c53255d5b56b7d.TMP
c:\windows\system32\afaeeddeafa.dll
C:\Windows\system32\fef7a3a5ebf10090ceb6d820b1fffdcc.sys
KILLALL::
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\afaeeddeafa]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\edfbcebdddea]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\fef7a3a5ebf10090ceb6d820b1fffdcc]

Save this as CFScript. Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

-screen317
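The script above was written by hand from the Reg Loading Points and Find3M sections of the log. As an added example (not part of this thread and not ComboFix, Malwarebytes or screen317 tooling), the Python below reads ComboFix log text and flags the same shapes the helper singled out: files under system32 whose base name is nothing but hex digits, .TMP files parked in system32, and the Winlogon notify key that loads any flagged DLL. Names such as `triage`, `suspicious_reasons` and `Finding` are this example's own; the sample lines are copied from the logs posted in this thread.

```python
"""Triage helper for ComboFix log text (added example, not ComboFix's own code).

Flags the kinds of entries screen317 picked out above and records the
Winlogon notify key behind each flagged DLL, so the Collect:: and
Registry:: lines of a CFScript can be checked against the log rather than
written from memory. These are triage hints only: confirm with hashes and
signatures, and allowlist anything known-good, before acting on them.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in ComboFix's own line format; entries copied from the
# logs in this thread. Nothing here touches the file system or registry.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2009-07-18 to 2009-08-18 )))))))))))))))))))))))))))))))
2009-08-18 22:50 . 2009-08-18 22:50 149522 ------w- c:\windows\system32\da4992ce7f772f5cdced9c69faa08afa.exe
2009-08-15 20:29 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2009-07-16 10:44 . 2009-07-16 10:44 312847 ------w- c:\windows\system32\c28be957c975aefb5e27b3f339b69606.TMP
2009-07-16 10:44 . 2007-04-23 03:30 312847 ------w- c:\windows\system32\edfbcebdddea.dll
2009-07-03 17:09 . 2004-08-10 17:51 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-03 20:17 . 2009-05-28 22:32 205840 ----a-w- c:\windows\system32\kusers.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-29 68856]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\afaeeddeafa]
2009-05-18 03:49 278033 ------w- c:\windows\system32\afaeeddeafa.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\edfbcebdddea]
2009-07-16 10:44 312847 ------w- c:\windows\system32\edfbcebdddea.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 21:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll
"""

# A Windows path up to the next quote or bracket (ComboFix appends "[date size]").
PATH_RE = re.compile(r'(?i)[a-z]:\\[^"\[\]\r\n]+')
# Key headers of Winlogon notification handlers (DLLs loaded into winlogon.exe).
NOTIFY_KEY = re.compile(
    r'(?i)^\[(HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion'
    r'\\winlogon\\notify\\[^\]]+)\]$')
HEX_STEM = re.compile(r'^[0-9a-f]{8,}$')      # e.g. afaeeddeafa, da4992ce...
SYSTEM32 = re.compile(r'\\windows\\system32\\')


@dataclass
class Finding:
    path: str
    reasons: List[str] = field(default_factory=list)
    registry_keys: List[str] = field(default_factory=list)


def suspicious_reasons(path: str) -> List[str]:
    """Name-based hints for one path; expects a lower-cased path."""
    reasons: List[str] = []
    if not SYSTEM32.search(path):
        return reasons                       # heuristics are scoped to system32
    name = path.rsplit('\\', 1)[-1]
    stem, dot, ext = name.rpartition('.')
    if not dot:                              # no extension at all
        stem, ext = name, ''
    if HEX_STEM.match(stem):
        reasons.append(f'hex-only file name ({len(stem)} chars) in system32')
    if ext == 'tmp':
        reasons.append('.TMP file parked directly in system32')
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Walk ComboFix log lines, flag suspicious paths, attach notify keys."""
    findings: Dict[str, Finding] = {}
    notify_key: Optional[str] = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key = NOTIFY_KEY.match(line)
        if key:
            notify_key = key.group(1)        # the next path line is its handler DLL
            continue
        if line.startswith('['):             # any other key header ends that context
            notify_key = None
            continue
        for path in PATH_RE.findall(line):
            path = path.strip()
            reasons = suspicious_reasons(path.lower())
            if not reasons:
                continue
            found = findings.setdefault(path.lower(), Finding(path))
            for reason in reasons:
                if reason not in found.reasons:
                    found.reasons.append(reason)
            if notify_key and notify_key not in found.registry_keys:
                found.registry_keys.append(notify_key)
        notify_key = None                    # a notify key governs one path line only
    return list(findings.values())


def report(findings: List[Finding]) -> str:
    """Plain-text summary, one flagged path per block."""
    out: List[str] = []
    for f in findings:
        out.append(f.path)
        out.extend(f'    - {r}' for r in f.reasons)
        out.extend(f'    - loaded by Winlogon via [{k}]' for k in f.registry_keys)
    return '\n'.join(out) if out else 'nothing flagged'


if __name__ == '__main__':
    print(report(triage(SAMPLE_LOG)))
```

On the sample it flags exactly the four system32 files the helper collected and leaves wininet.dll, kusers.dll and Intel's LgNotify.dll alone.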
J. David Boyd (Author) Posted August 25, 2009 ID:114759

Ok, I will do that. Sorry about the " reply. I never even noticed the quote markers, and didn't think much about it. It won't happen again.
I'll post the correct stuff later on tonight.

Thanks,
Dave
J. David Boyd (Author) Posted August 27, 2009 ID:115395

Here's the results: I actually had to boot into Ubuntu from a CD, then copy the notepad file to the desktop, then boot back into windows, then drop the file on top of Combofix, then boot back into the Ubuntu cd to copy the file back to a flash drive, to get it to a system so I could send it here. If we even looked at it, or tried to move it around in Windows, whatever is running on that box kept corrupting the file......

ComboFix 09-08-24.01 - James Brownrigg 08/26/2009 19:58.6.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.267 [GMT -4:00]
Running from: c:\documents and settings\James Brownrigg\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\James Brownrigg\Desktop\CFScript.txt

file zipped: C:\avg_free_stb_all_8_32_cnet.exe
file zipped: c:\windows\system32\afaeeddeafa.dll
file zipped: c:\windows\system32\bcfa641acb9b1fa199c53255d5b56b7d.TMP
file zipped: c:\windows\system32\c28be957c975aefb5e27b3f339b69606.TMP
file zipped: c:\windows\system32\edfbcebdddea.dll
file zipped: c:\windows\system32\fef7a3a5ebf10090ceb6d820b1fffdcc.sys
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\avg_free_stb_all_8_32_cnet.exe
c:\windows\system32\afaeeddeafa.dll
c:\windows\system32\bcfa641acb9b1fa199c53255d5b56b7d.TMP
c:\windows\system32\c28be957c975aefb5e27b3f339b69606.TMP
c:\windows\system32\edfbcebdddea.dll
.
((((((((((((((((((((((((( Files Created from 2009-07-27 to 2009-08-27 )))))))))))))))))))))))))))))))
.
2009-08-24 19:49 . 2009-08-27 00:03 39936 ----a-w- c:\windows\system32\_fef7a3a5ebf10090ceb6d820b1fffdcc.sys_.vir
2009-08-18 22:51 . 2009-08-26 23:58 39936 ----a-w- c:\windows\system32\fef7a3a5ebf10090ceb6d820b1fffdcc.sys
2009-08-18 18:34 . 2009-08-18 18:34 -------- d-----w- c:\documents and settings\James Brownrigg\Local Settings\Application Data\Opera
2009-08-18 18:34 . 2009-08-18 18:34 -------- d-----w- c:\program files\Opera
2009-08-16 23:01 . 2009-08-16 23:01 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-08-15 20:29 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2009-08-15 20:29 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys
2009-08-15 20:29 . 2008-04-13 18:45 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2009-08-15 20:29 . 2008-04-13 18:45 10368 ----a-w- c:\windows\system32\dllcache\hidusb.sys
2009-08-12 04:05 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-08-05 09:01 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-26 18:54 . 2008-05-08 00:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-08-05 09:01 . 2004-08-10 17:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2004-08-10 17:50 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-08-10 17:51 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 22:07 . 2009-07-01 15:25 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-07-03 22:07 . 2009-07-01 15:25 -------- d-----w- c:\program files\NOS
2009-07-03 17:09 . 2004-08-10 17:51 915456 ------w- c:\windows\system32\wininet.dll
2009-07-01 15:32 . 2007-02-03 00:17 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-01 15:26 . 2009-07-01 15:26 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-07-01 15:25 . 2009-07-01 15:25 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-07-01 10:11 . 2009-07-01 10:11 138 ----a-w- c:\documents and settings\James Brownrigg\Local Settings\Application Data\fusioncache.dat
2009-06-25 08:25 . 2004-08-10 17:51 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-10 17:51 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-10 17:51 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-10 17:51 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2004-08-10 17:51 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-10 17:51 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2004-08-10 17:51 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2004-08-10 17:51 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2004-08-10 17:51 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2004-08-10 17:51 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2004-08-10 17:50 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2004-08-10 18:01 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2004-08-10 17:51 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-03 20:17 . 2009-05-28 22:32 205840 ----a-w- c:\windows\system32\kusers.dll
2009-06-03 19:09 . 2004-08-10 17:51 1291264 ----a-w- c:\windows\system32\quartz.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-08-18_19.38.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-27 00:06 . 2009-08-27 00:06 16384 c:\windows\temp\Perflib_Perfdata_28c.dat
+ 2009-06-25 08:25 . 2009-06-25 08:25 54272 c:\windows\system32\dllcache\wdigest.dll
+ 2009-06-12 12:31 . 2009-06-12 12:31 76288 c:\windows\system32\dllcache\telnet.exe
- 2009-02-03 19:59 . 2009-02-03 19:59 56832 c:\windows\system32\dllcache\secur32.dll
+ 2009-02-03 19:59 . 2009-06-25 08:25 56832 c:\windows\system32\dllcache\secur32.dll
+ 2009-06-24 11:18 . 2009-06-24 11:18 92928 c:\windows\system32\dllcache\ksecdd.sys
+ 2009-06-10 14:13 . 2009-06-10 14:13 84992 c:\windows\system32\dllcache\avifil32.dll
+ 2009-07-17 19:01 . 2009-07-17 19:01 58880 c:\windows\system32\dllcache\atl.dll
+ 2004-08-10 17:51 . 2009-07-14 03:43 286208 c:\windows\system32\dllcache\wmpdxm.dll
+ 2009-06-10 06:14 . 2009-06-10 06:14 132096 c:\windows\system32\dllcache\wkssvc.dll
+ 2008-12-05 06:54 . 2009-06-25 08:25 147456 c:\windows\system32\dllcache\schannel.dll
+ 2009-06-25 08:25 . 2009-06-25 08:25 136192 c:\windows\system32\dllcache\msv1_0.dll
+ 2009-04-15 10:18 . 2009-06-25 08:25 730112 c:\windows\system32\dllcache\lsasrv.dll
+ 2009-06-25 08:25 . 2009-06-25 08:25 301568 c:\windows\system32\dllcache\kerberos.dll
+ 2009-06-10 13:19 . 2009-06-10 13:19 2066432 c:\windows\system32\dllcache\mstscax.dll
+ 2004-08-10 17:51 . 2009-07-14 03:43 10841088 c:\windows\system32\wmp.dll
+ 2004-08-10 17:51 . 2009-07-14 03:43 10841088 c:\windows\system32\dllcache\wmp.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-29 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-01-31 155648]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-09-01 339968]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-03-04 606208]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2004-09-14 131072]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-08-02 26112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-08-02 98304]
"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-09-14 53248]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-8-2 24576]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 21:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-27 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-06-29 23:57]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
.
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-26 20:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(952)
c:\windows\system32\Ati2evxx.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'explorer.exe'(3952)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\scardsvr.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
c:\program files\Apoint\ApntEx.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\fxssvc.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-08-27 20:11 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-27 00:11
ComboFix2.txt 2009-08-26 19:06
ComboFix3.txt 2009-08-24 19:54
ComboFix4.txt 2009-08-18 23:01
ComboFix5.txt 2009-08-26 23:55

Pre-Run: 23,842,361,344 bytes free
Post-Run: 23,788,453,888 bytes free

184 --- E O F --- 2009-08-18 23:08
screen317 (Staff) Posted August 27, 2009 ID:115522

Hi,

Looks like we're winning; slowly but surely.

Please open Notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quotebox below into Notepad:

Rootkit::
c:\windows\system32\_fef7a3a5ebf10090ceb6d820b1fffdcc.sys_.vir
C:\windows\system32\fef7a3a5ebf10090ceb6d820b1fffdcc.sys
KILLALL::

Save this as CFScript. Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.
- Click Start Scanning.
- You should get a notification bar (on top) to install the ActiveX control. Click on it and select to install the ActiveX.
- Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
- In case you are having problems with installing the ActiveX/starting the scan, please read here.
- Click the Full System Scan button.
- It will start to download scanner components and databases. This can take a while.
- The main scan will start.
- Once the scan has finished scanning, click the Automatic cleaning (recommended) button.
- It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
- The cleaning can take a while, so please be patient.
- Then click the Show report button and Copy/Paste what is present under results in your next reply.

Next, download my Security Check from here or here.
- Save it to your Desktop.
- Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
- A Notepad document should open automatically called checkup.txt; please post the contents of that document.

-screen317
J. David Boyd (Author) Posted August 27, 2009 ID:115600

Great! I'll do that sometime today. Thanks for all your efforts. I really appreciate the time and energy you are putting in to this.
J. David Boyd (Author) Posted August 27, 2009 ID:115915

Here's the ComboFix log, Hijack this coming next:

ComboFix 09-08-24.01 - James Brownrigg 08/27/2009 19:24.7.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.255 [GMT -4:00]
Running from: c:\documents and settings\James Brownrigg\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\James Brownrigg\Desktop\CFScript.txt
.
((((((((((((((((((((((((( Files Created from 2009-07-27 to 2009-08-27 )))))))))))))))))))))))))))))))
.
2009-08-18 18:34 . 2009-08-18 18:34 -------- d-----w- c:\documents and settings\James Brownrigg\Local Settings\Application Data\Opera
2009-08-18 18:34 . 2009-08-18 18:34 -------- d-----w- c:\program files\Opera
2009-08-16 23:01 . 2009-08-16 23:01 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-08-15 20:29 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2009-08-15 20:29 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys
2009-08-15 20:29 . 2008-04-13 18:45 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2009-08-15 20:29 . 2008-04-13 18:45 10368 ----a-w- c:\windows\system32\dllcache\hidusb.sys
2009-08-12 04:05 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-08-05 09:01 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-27 23:19 . 2008-05-08 00:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-08-05 09:01 . 2004-08-10 17:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2004-08-10 17:50 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-08-10 17:51 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 22:07 . 2009-07-01 15:25 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-07-03 22:07 . 2009-07-01 15:25 -------- d-----w- c:\program files\NOS
2009-07-03 17:09 . 2004-08-10 17:51 915456 ------w- c:\windows\system32\wininet.dll
2009-07-01 15:32 . 2007-02-03 00:17 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-01 15:26 . 2009-07-01 15:26 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-07-01 15:25 . 2009-07-01 15:25 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-07-01 10:11 . 2009-07-01 10:11 138 ----a-w- c:\documents and settings\James Brownrigg\Local Settings\Application Data\fusioncache.dat
2009-06-25 08:25 . 2004-08-10 17:51 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-10 17:51 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-10 17:51 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-10 17:51 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2004-08-10 17:51 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-10 17:51 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2004-08-10 17:51 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2004-08-10 17:51 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2004-08-10 17:51 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2004-08-10 17:51 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2004-08-10 17:50 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2004-08-10 18:01 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2004-08-10 17:51 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-03 20:17 . 2009-05-28 22:32 205840 ----a-w- c:\windows\system32\kusers.dll
2009-06-03 19:09 . 2004-08-10 17:51 1291264 ----a-w- c:\windows\system32\quartz.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-08-18_19.38.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-27 23:31 . 2009-08-27 23:31 16384 c:\windows\temp\Perflib_Perfdata_290.dat
+ 2007-01-29 08:58 . 2009-07-14 11:03 46080 c:\windows\system32\tzchange.exe
+ 2009-06-25 08:25 . 2009-06-25 08:25 54272 c:\windows\system32\dllcache\wdigest.dll
+ 2009-06-12 12:31 . 2009-06-12 12:31 76288 c:\windows\system32\dllcache\telnet.exe
- 2009-02-03 19:59 . 2009-02-03 19:59 56832 c:\windows\system32\dllcache\secur32.dll
+ 2009-02-03 19:59 . 2009-06-25 08:25 56832 c:\windows\system32\dllcache\secur32.dll
+ 2009-06-24 11:18 . 2009-06-24 11:18 92928 c:\windows\system32\dllcache\ksecdd.sys
+ 2009-06-10 14:13 . 2009-06-10 14:13 84992 c:\windows\system32\dllcache\avifil32.dll
+ 2009-07-17 19:01 . 2009-07-17 19:01 58880 c:\windows\system32\dllcache\atl.dll
+ 2004-08-10 17:51 . 2009-07-14 03:43 286208 c:\windows\system32\dllcache\wmpdxm.dll
+ 2009-06-10 06:14 . 2009-06-10 06:14 132096 c:\windows\system32\dllcache\wkssvc.dll
+ 2008-12-05 06:54 . 2009-06-25 08:25 147456 c:\windows\system32\dllcache\schannel.dll
+ 2009-06-25 08:25 . 2009-06-25 08:25 136192 c:\windows\system32\dllcache\msv1_0.dll
+ 2009-04-15 10:18 . 2009-06-25 08:25 730112 c:\windows\system32\dllcache\lsasrv.dll
+ 2009-06-25 08:25 . 2009-06-25 08:25 301568 c:\windows\system32\dllcache\kerberos.dll
+ 2009-06-10 13:19 . 2009-06-10 13:19 2066432 c:\windows\system32\dllcache\mstscax.dll
+ 2004-08-10 17:51 . 2009-07-14 03:43 10841088 c:\windows\system32\wmp.dll
+ 2004-08-10 17:51 . 2009-07-14 03:43 10841088 c:\windows\system32\dllcache\wmp.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-29 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-01-31 155648]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-09-01 339968]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-03-04 606208]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2004-09-14 131072]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-08-02 26112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-08-02 98304]
"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-09-14 53248]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-8-2 24576]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 21:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-27 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-06-29 23:57]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
.
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-27 19:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(952)
c:\windows\system32\Ati2evxx.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'explorer.exe'(3924)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\scardsvr.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
c:\program files\Apoint\ApntEx.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\fxssvc.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-08-27 19:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-27 23:36
ComboFix2.txt 2009-08-27 00:11
ComboFix3.txt 2009-08-26 19:06
ComboFix4.txt 2009-08-24 19:54
ComboFix5.txt 2009-08-27 23:23

Pre-Run: 23,776,481,280 bytes free
Post-Run: 23,738,761,216 bytes free

169 --- E O F --- 2009-08-27 23:21
J. David Boyd (Author) Posted August 27, 2009 ID:115917

Here's the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:40:59 PM, on 8/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\MSN\Toolbar\3.0.0988.2\msntask.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll (file missing)
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [intelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - c:\program files\mcafee.com\agent\mcdetect.exe (file missing)
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe (file missing)
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - Unknown owner - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe (file missing)
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel
screen317 (Staff) Posted August 28, 2009 ID:116069
Doing the scan next....Okay.
J. David Boyd (Author) Posted August 28, 2009 ID:116427
Here's the results from the FSecure spyware scan:

Scanning Report
Friday, August 28, 2009 19:51:07 - 08:25:50
Computer name: BUDDHA
Scanning type: Scan system for malware, spyware and rootkits
Target: C:\

57 malware found
TrackingCookie.Questionmarket (spyware) System (Disinfected)
TrackingCookie.Adinterax (spyware) System (Disinfected)
TrackingCookie.2o7 (spyware) System (Disinfected)
TrackingCookie.Advertising (spyware) System (Disinfected)
TrackingCookie.Atdmt (spyware) System (Disinfected)
TrackingCookie.Adtech (spyware) System (Disinfected)
TrackingCookie.Doubleclick (spyware) System (Disinfected)
TrackingCookie.Revsci (spyware) System (Disinfected)
TrackingCookie.Specificclick (spyware) System (Disinfected)
TrackingCookie.Clickbank (spyware) System (Disinfected)
TrackingCookie.Adrevolver (spyware) System (Disinfected)
TrackingCookie.Adbrite (spyware) System (Disinfected)
TrackingCookie.Xiti (spyware) System (Disinfected)
TrackingCookie.Webtrends (spyware) System (Disinfected)
TrackingCookie.Mediaplex (spyware) System (Disinfected)
Trojan.Generic.1785280 (spyware) System (Disinfected)
TrackingCookie.Tradedoubler (spyware) System (Disinfected)
TrackingCookie.Statcounter (spyware) System (Disinfected)
TrackingCookie.Atwola (spyware) System (Disinfected)
TrackingCookie.Yieldmanager (spyware) System (Disinfected)
Trojan.Generic.1785280 (virus) C:\WINDOWS\SYSTEM32\KUSERS.DLL (Not cleaned)
Trojan.Generic.1942892 (virus) C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP309\A0060200.DLL (Renamed & Submitted)
Worm.Generic.44360 (virus) C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP309\A0060199.DLL (Renamed)
Trojan.Generic.1333556 (virus) C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP307\A0059801.EXE (Renamed & Submitted)
Rogue:W32/SpyGuard.gen!A (virus) C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP306\A0059317.EXE (Not cleaned & Submitted)
Rogue:W32/SpyGuard.gen!A (virus) C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP306\A0059315.EXE (Not cleaned)
Trojan.CryptRedol.Gen.3 (virus) C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP306\A0059319.EXE (Renamed & Submitted)
Trojan.Generic.2192870 (virus) C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP306\A0059320.EXE (Renamed & Submitted)
Gen:Trojan.Heur.TDSS.fqW@fSBTnkci (virus) C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP306\A0059321.EXE (Renamed & Submitted)
Trojan-Downloader:W32/Renos.gen!C (virus) C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP306\A0059322.EXE (Renamed & Submitted)
Trojan-Downloader:W32/Bredolab.gen!B (virus) C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP306\A0059323.EXE (Renamed & Submitted)
Trojan.Generic.IS.604419 (virus) C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP306\A0059325.EXE (Renamed & Submitted)
Rogue:W32/SpyGuard.gen!A (virus) C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP306\A0059332.EXE (Not cleaned & Submitted)
Trojan.Agent.ANDM (virus) C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP306\A0059333.EXE (Renamed & Submitted)
Trojan.Generic.IS.595345 (virus) C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP304\A0058941.EXE (Renamed & Submitted)
Trojan.Generic.1942892 (virus) C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP298\A0058436.DLL (Renamed & Submitted)
Trojan.Generic.1942892 (virus) C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP298\A0058435.DLL (Renamed & Submitted)
Rogue:W32/SpyGuard.gen!A (virus) C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP279\A0054489.EXE (Not cleaned & Submitted)
Rogue:W32/SpyGuard.gen!A (virus) C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP279\A0054488.EXE (Not cleaned & Submitted)
Rogue:W32/SpyGuard.gen!A (virus) C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP279\A0054501.DLL (Not cleaned & Submitted)
Rogue:W32/SpyGuard.gen!A (virus) C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP279\A0054529.DLL (Not cleaned & Submitted)
Rogue:W32/SpyGuard.gen!A (virus) C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP279\A0054519.EXE (Not cleaned & Submitted)
Rogue:W32/SpyGuard.gen!A (virus) C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP279\A0054531.EXE (Not cleaned & Submitted)
Rogue:W32/SpyGuard.gen!A (virus) C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP279\A0054528.DLL (Not cleaned & Submitted)
Rogue:W32/SpyGuard.gen!A (virus) C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP279\A0054530.DLL (Not cleaned & Submitted)
Rogue:W32/SpyGuard.gen!A (virus) C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP278\A0054390.DLL (Not cleaned)
Trojan.Generic.1854546 (virus) C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP278\A0054386.BAT (Not cleaned)
Rogue:W32/SpyGuard.gen!A (virus) C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP278\A0054424.DLL (Not cleaned)
Trojan.Generic.1785280 (virus) C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP278\A0054436.DLL (Not cleaned)
Trojan.Generic.1854546 (virus) C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP278\A0054448.BAT (Not cleaned)
Rogue:W32/SpyGuard.gen!A (virus) C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP278\A0054453.DLL (Not cleaned)
Trojan.Generic.1854546 (virus) C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP278\A0054449.BAT (Not cleaned)
Rogue:W32/SpyGuard.gen!A (virus) C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP277\A0054354.DLL (Not cleaned)
Trojan.Generic.1758226 (virus) C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP277\A0054368.DLL (Not cleaned)
Rogue:W32/SpyGuard.gen!A (virus) C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP274\A0054256.DLL (Not cleaned)
Rogue:W32/SpyGuard.gen!A (virus) C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP274\A0054281.DLL (Not cleaned)
Rogue:W32/SpyGuard.gen!A (virus) C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP274\A0054304.DLL (Not cleaned)

Statistics
Scanned: Files: 53311 System: 3116 Not scanned: 6
Actions: Disinfected: 20 Renamed: 13 Deleted: 0 Not cleaned: 24 Submitted: 22
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

Options
Scanning engines:
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use advanced heuristics
Copyright
J. David Boyd (Author) Posted August 28, 2009 ID:116429
and here's checkup.txt.

Results of screen317's Security Check version 0.98.9
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
``````````````````````````````
Anti-malware/Other Utilities Check:
HijackThis 2.0.2
Java 6 Update 11
Java 2 Runtime Environment, SE v1.4.2_03
Out of date Java installed!
Adobe Flash Player 10
Adobe Reader 9.1
``````````````````````````````
Process Check: objlist.exe by Laurent
``````````````````````````````
DNS Vulnerability Check: GREAT! (Not vulnerable to DNS cache poisoning)
`````````End of Log```````````
screen317 (Staff) Posted August 29, 2009 ID:116991
Hi,
Navigate to Start --> Run, and type Combofix /u in the box that appears. Click OK afterwards. Notice the space between the X and the /u. This uninstalls all of ComboFix's components.
Delete SecurityCheck.
After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following programs (if present):
Java™ 6 Update 11
Java 2 Runtime Environment, SE v1.4.2_03
Restart your computer.
Get the latest version of Java.
Let me know what issues remain.
-screen317
screen317 (Staff) Posted September 6, 2009 ID:121491
Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.
Other members who need assistance please start your own topic in a new thread. Thanks!