
RootKit Infections


Hello Group,

I am very grateful to Mike in NC from the Motley Fool site (I think he may have a different handle here) for referring me to this site with my problem.

He has worked with me for over a day now, but it seems to be a Rootkit issue? I don't even know what that means, I have to say, but the symptoms are an extremely sluggish start-up, and launching into any shortcut program or folder on the desktop can take 5 or 10 minutes. The "START" button takes the longest to load, sometimes up to 5 or 10 minutes as well. This happened rather suddenly while working along, with no warning or other slow-down symptoms.

We have run the Combo fix and several HJT logs, cleared out a ton of unnecessary stuff as well as Malwarebytes. The interesting thing is when HJT is done (and also MBAM) the machine seems to run relatively close to "normal". Once re-booted, however, the slug returns. I found a site that gives removal procedures for Rootkit TDSS involving stopping the processes on a number of exe files and deleting the DLLs associated with them, however none of the exe files they mention are on my machine, so it seems as if they have changed names since that write-up...?

I am attaching the latest MBAM log and HJT log. I have noticed that these 2 Rootkit.TDSS infections in the MBAM log have appeared almost immediately after starting each of the last 3 MBAM scans. Almost as if it clears them out and then they come back? I appreciate this forum, all its efforts, and hope to be a contributing member. Thanks for any help...110

Here are the logs:

Malwarebytes' Anti-Malware 1.41

Database version: 2865

Windows 5.1.2600 Service Pack 3

9/27/2009 1:22:25 PM

mbam-log-2009-09-27 (13-22-25).txt

Scan type: Full Scan (C:\|I:\|J:\|)

Objects scanned: 174695

Time elapsed: 35 minute(s), 32 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

\\?\globalroot\Device\Ide\iaStor0\ijxtumdt\ijxtumdt\tdlwsp.dll (Rootkit.TDSS) -> Delete on reboot.

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

\\?\globalroot\Device\Ide\iaStor0\ijxtumdt\ijxtumdt\tdlwsp.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:37:31 PM, on 9/27/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\CTsvcCDA.exe

C:\Program Files\Pure Digital Technologies\FlipShare\FlipShareService.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\StkASv2K.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

C:\WINDOWS\system32\fxssvc.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Dell Support Center\bin\sprtcmd.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe

C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fool.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=3080118

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe"

O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

O4 - Global Startup: Digital Line Detect.lnk = ?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1253545539640

O16 - DPF: {EBF85371-A38F-485B-B28F-0B4C82D25937} (CUpdateCtl Object) - http://update.hpphoto.com/download/HPSWUpdate.ocx

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe

O23 - Service: FlipShare Service - Unknown owner - C:\Program Files\Pure Digital Technologies\FlipShare\FlipShareService.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe

O23 - Service: USB2.0 VIDBOX NW02 Service (StkASSrv) - Syntek America Inc. - C:\WINDOWS\System32\StkASv2K.exe

O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe

O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe

O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--

End of file - 7950 bytes


I'm not allowed to give malware removal advice in this forum. But I fixed a similar TDSS rootkit problem the other day on a customer's computer. Your problem is very similar because of the iaStor0 text in your MBAM results log.

\\?\globalroot\Device\Ide\iaStor0\ijxtumdt\ijxtumdt\tdlwsp.dll

The iaStor0 text above is related to iastor.sys which is a storage controller driver. The iastor.sys file on my customer's computer had been altered and this was causing the problem. I had to replace the altered file with a new iastor.sys file.

I hope this info might help a qualified expert to assist you with this problem.


Welcome 110intheshade

As marktreg mentions, it is probably iaStor.

Are you still in need of assistance?

Hello LonnyRJ

Yes, I still have very sluggish start-up and odd little things occurring...

It seems once it gets "warmed up" (for lack of a better word) it runs reasonably well...maybe just a false sense of security, I don't know, but I haven't gone to my bank site or other password-sensitive sites since, for fear of what I've read. Also, the 2 Rootkits show up at every MBAM scan.

Any assistance would greatly be appreciated...

110


Download catchme.exe and the mbr.exe programs from http://www.gmer.net/#files

Place them both in the C:\windows folder

Copy the contents of the code box below (don't include the word code) into a new notepad document (not wordpad or another text editor).

Click file> save as...> call it check.bat > file types *all files*> and save it to your desktop.

edited out

A text file should open; post it.


Thanks LonnyRJ...

I seem to be missing a whole step involving the code and that. I went to the site and downloaded the two pgms you cited. They opened and ran and produced these two flimsy logs below. Please have patience for an apparent dummy here. I appreciate there has to be more to it than this...

Many thanks 110intheshade,

Kevin in Seattle.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-30 16:28:28

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

scanning hidden files ...

scan completed successfully

hidden processes: 0

hidden services: 0

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

kernel: MBR read successfully

user & kernel MBR OK


Copy the contents of the code box below (don't include the word code) into a new notepad document (not wordpad or another text editor).

Click file> save as...> call it check.bat > file types *all files*> and save it to your desktop.

rem List every iaStor.sys on the system drive with its size and timestamp, then show the report
For /F "TOKENS=*" %%g IN ('dir /s/a-d/b %systemdrive%\iaStor.sys') Do @echo "%%~g" %%~zg %%~tg >>report.txt 2>nul
start notepad report.txt & exit

Run check.bat; a text file should then open. Post it.


Here's what opened up....

"C:\drivers\storage\R130118\iastor.sys" 246784 10/10/2006 12:03 PM

"C:\i386\iaStor.sys" 246784 07/06/2006 05:59 AM

"C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\iaStor.sys" 246784 07/06/2006 05:59 AM

"C:\Program Files\Intel\Intel Matrix Storage Manager\Driver64\IaStor.sys" 484864 07/06/2006 06:01 AM

"C:\WINDOWS\system32\drivers\iaStor.sys" 246784 07/06/2006 05:59 AM

"C:\WINDOWS\system32\ReinstallBackups\0014\DriverFiles\iaStor.sys" 246784 10/10/2006 12:03 PM

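As an added example (not code from this thread or from any of the tools it mentions), the Python below parses the two kinds of output posted in the thread: the MBAM detection lines, whose \\?\globalroot\Device\ paths are the tell-tale sign here, and the check.bat listing of iaStor.sys copies, which it compares by size and timestamp against the C:\i386 copy that was later used as the replacement. The sample inputs are constructed from lines quoted in the thread, and the function names are my own.

```python
"""Triage helpers for the two kinds of output posted in this thread: the
Malwarebytes' Anti-Malware detection lines and the report.txt that check.bat
produced.  Added example, not code from the thread or from any tool it uses.
The sample inputs are constructed from lines quoted in the thread."""
import hashlib
import os
import re

# Constructed sample: detection lines from the MBAM logs of 27 Sep and 2 Oct,
# in the format MBAM 1.41 prints.  Same device (Ide\iaStor0), but a different
# random folder name after the reboot.
MBAM_LINES = r"""
\\?\globalroot\Device\Ide\iaStor0\ijxtumdt\ijxtumdt\tdlwsp.dll (Rootkit.TDSS) -> Delete on reboot.
\\?\globalroot\Device\Ide\iaStor0\ijxtumdt\ijxtumdt\tdlwsp.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
\\?\globalroot\Device\Ide\iaStor0\xbqfnnee\xbqfnnee\tdlwsp.dll (Rootkit.TDSS) -> Delete on reboot.
"""

# Constructed sample: the report.txt that check.bat produced in the thread.
CHECK_BAT_REPORT = r"""
"C:\drivers\storage\R130118\iastor.sys" 246784 10/10/2006 12:03 PM
"C:\i386\iaStor.sys" 246784 07/06/2006 05:59 AM
"C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\iaStor.sys" 246784 07/06/2006 05:59 AM
"C:\Program Files\Intel\Intel Matrix Storage Manager\Driver64\IaStor.sys" 484864 07/06/2006 06:01 AM
"C:\WINDOWS\system32\drivers\iaStor.sys" 246784 07/06/2006 05:59 AM
"C:\WINDOWS\system32\ReinstallBackups\0014\DriverFiles\iaStor.sys" 246784 10/10/2006 12:03 PM
"""

DETECTION_RE = re.compile(r"^(?P<path>\S+) \((?P<threat>[^)]+)\) -> (?P<action>.+)$")
# \\?\globalroot\Device\... means MBAM reached the object through a raw
# device object rather than through a drive letter.
DEVICE_PATH_RE = re.compile(r"^\\\\\?\\globalroot\\Device\\(?P<rest>.+)$")
REPORT_RE = re.compile(r'^"(?P<path>[^"]+)" (?P<size>\d+) (?P<stamp>.+)$')


def device_path_detections(log_text):
    """One record per detection whose path runs through a storage device
    object instead of a mounted volume (HarddiskVolumeN).  Such paths point
    at storage the rootkit keeps outside any normal file system."""
    records = []
    for line in log_text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if not m:
            continue
        d = DEVICE_PATH_RE.match(m["path"])
        if not d:
            continue
        parts = d["rest"].split("\\")
        if len(parts) < 4 or parts[0].lower().startswith("harddiskvolume"):
            continue                            # an ordinary volume
        records.append({
            "device": "\\".join(parts[:-3]),    # e.g. Ide\iaStor0
            "folder": parts[-3],                # randomly named hidden folder
            "file": parts[-1],
            "threat": m["threat"],
            "action": m["action"],
        })
    return records


def compare_driver_copies(report_text, reference=r"C:\i386\iaStor.sys"):
    """Compare every iaStor.sys copy check.bat listed with the copy the
    thread later used as the clean replacement.  Returns {path: verdict}.
    Only the size and timestamp the running system reported are available,
    so a match is not proof of a clean file (in the thread every 32-bit copy
    matched and the driver in system32 still had to be replaced)."""
    entries = {}
    for line in report_text.splitlines():
        m = REPORT_RE.match(line.strip())
        if m:
            entries[m["path"]] = (int(m["size"]), m["stamp"])
    if reference not in entries:
        raise ValueError(f"reference copy {reference} is not in the report")
    ref_size, ref_stamp = entries[reference]
    verdicts = {}
    for path, (size, stamp) in entries.items():
        if path == reference:
            verdicts[path] = "reference"
        elif size != ref_size:
            verdicts[path] = "size differs"       # here: the 64-bit build
        elif stamp != ref_stamp:
            verdicts[path] = "timestamp differs"
        else:
            verdicts[path] = "matches listing"
    return verdicts


def sha256_of_existing(paths):
    """SHA-256 of each listed copy that is readable.  Meant to be run after
    booting from trusted media, so no driver from the suspect disk is loaded
    and nothing can filter what is read back.  Missing paths are skipped."""
    digests = {}
    for path in paths:
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                digests[path] = hashlib.sha256(fh.read()).hexdigest()
    return digests


if __name__ == "__main__":
    for rec in device_path_detections(MBAM_LINES):
        print(rec)
    for path, verdict in compare_driver_copies(CHECK_BAT_REPORT).items():
        print(f"{verdict:18} {path}")
```

A match in the listing only shows what the running system chose to report; compare hashes of the copies after booting from trusted media before trusting any of them.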

Go Start > Run, type cmd and press Enter, then type

copy C:\i386\iaStor.sys c:\

If that went OK with no error messages, type exit and continue >

Download The Avenger2 by SwanDog46. http://swandog46.geekstogo.com/avenger.zip

Unzip avenger.exe to your desktop.

Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy"

(don't include the word code)

Comment: 
files to move:
C:\iaStor.sys |C:\WINDOWS\system32\drivers\iaStor.sys

Now start The Avenger2 by double clicking avenger.exe on your desktop.

Read the prompt that appears, and press OK.

Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".

(the word comment: must be in the top left corner) Press the "Execute" button.

You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.

Note: It is possible that Avenger will reboot your system TWICE.

Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open.

Paste that log here in your next post.

=======================

Run Mbam do a quickscan and post a log please.


Well, here is the AVENGER log. A popup window exclaimed some errors. "Try again" didn't work, so I "continued". Start-up on re-boot was 8 minutes long.

I had to leave for work so I copied this onto a flash drive to post here. While looking just now I see you wanted a MBAM scan also. I did not get to that.

Please advise...many thanks....Avenger:

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

Error: file "C:\iaStor.sys" not found!

File move operation "C:\iaStor.sys|C:\WINDOWS\system32\drivers\iaStor.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Completed script processing.

*******************

Finished! Terminate.


Let's do it without the cmd command.

Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy"

(don't include the word code)

Comment: 
files to move:
C:\i386\iaStor.sys | C:\WINDOWS\system32\drivers\iaStor.sys

Now start The Avenger2 by double clicking avenger.exe on your desktop.

Read the prompt that appears, and press OK.

Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".

(the word comment: must be in the top left corner) Press the "Execute" button.

You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.

Note: It is possible that Avenger will reboot your system TWICE.

Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open.

Paste that log here in your next post.

Note: the above code was created specifically for this user.

If you are not this user, do NOT follow these directions as they could cause your PC to be unbootable.


Here's the latest AVENGER log....also did a Quick MBAM scan after that, not sure if you still need it....

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

File move operation "C:\i386\iaStor.sys|C:\WINDOWS\system32\drivers\iaStor.sys" completed successfully.

Completed script processing.

*******************

Malwarebytes' Anti-Malware 1.41

Database version: 2889

Windows 5.1.2600 Service Pack 3

10/2/2009 4:50:51 PM

mbam-log-2009-10-02 (16-50-51).txt

Scan type: Quick Scan

Objects scanned: 93116

Time elapsed: 3 minute(s), 0 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

\\?\globalroot\Device\Ide\iaStor0\xbqfnnee\xbqfnnee\tdlwsp.dll (Rootkit.TDSS) -> Delete on reboot.

Registry Keys Infected:

(No malicious items detected)


Odd, please restart the PC do another Mbam scan and post its log.

Holy Cow! Can it be true....!!??

I rebooted and did a QUICK MBAM scan...nothing showed up.

I thought, "well now I should do a FULL scan..." 3 items showed up on the FULL. No Rootkits, but "Worm agents" - (1 from combo fix)

I deleted them and restarted...It seemed to boot up at a normal rate...I ran MBAM FULL scan once again and it seems clean!!

Here is the latest MBAM:

Malwarebytes' Anti-Malware 1.41

Database version: 2897

Windows 5.1.2600 Service Pack 3

10/2/2009 6:41:22 PM

mbam-log-2009-10-02 (18-41-22).txt

Scan type: Full Scan (C:\|I:\|J:\|)

Objects scanned: 177470

Time elapsed: 31 minute(s), 39 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Run combofix, let it update, and when it's finished post its log.

In the future do not use the program unless asked to by an analyst.

Many thanks LonnyRJ....I did notice an autorun.inf got deleted, and when I plugged my flash drive in to copy this log the usual window popup of options didn't come up (i.e. Take no action; copy folders, etc etc...) I wonder if that's something affected here...?

In any case here is the updated Combo fix log....

ComboFix 09-10-01.05 - KgK 10/03/2009 16:57.2.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1249 [GMT -7:00]

Running from: c:\documents and settings\KgK\Desktop\ComboFix.exe

AV: PC-cillin Internet Security - Virus Protection *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}

FW: PC-cillin Internet Security - Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

J:\Autorun.inf

.

((((((((((((((((((((((((( Files Created from 2009-09-03 to 2009-10-03 )))))))))))))))))))))))))))))))

.

2009-10-02 23:25 . 2009-10-01 17:29 195440 ------w- c:\windows\system32\MpSigStub.exe

2009-09-24 17:22 . 2009-09-24 17:22 -------- d-----w- c:\program files\iPod

2009-09-24 17:22 . 2009-09-24 17:22 -------- d-----w- c:\program files\iTunes

2009-09-19 22:08 . 2009-09-19 22:32 -------- d-----w- C:\32788R22FWJFW.1.tmp

2009-09-19 19:57 . 2009-09-19 19:57 -------- d-----w- c:\program files\Microsoft

2009-09-19 19:56 . 2009-09-19 19:56 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-09-19 16:46 . 2009-09-19 16:46 -------- d-----w- c:\windows\system32\wbem\Repository

2009-09-17 17:21 . 2009-09-19 16:45 -------- d-----w- c:\program files\iPod(3)

2009-09-17 17:21 . 2009-09-19 16:45 -------- d-----w- c:\program files\iTunes(3)

2009-09-17 17:21 . 2009-09-17 17:22 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}

2009-09-14 03:29 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll

2009-09-06 21:29 . 2009-09-06 21:29 -------- d-----w- c:\documents and settings\KgK\Application Data\HpUpdate

2009-09-06 21:29 . 2009-09-06 21:29 -------- d-----w- c:\windows\Hewlett-Packard

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-10-02 01:08 . 2008-01-31 00:47 -------- d-----w- c:\program files\DivX

2009-10-02 01:04 . 2008-01-25 00:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-10-02 00:02 . 2008-06-11 22:00 -------- d-----w- c:\program files\SpywareBlaster

2009-09-24 17:22 . 2008-02-12 23:58 -------- d-----w- c:\program files\Common Files\Apple

2009-09-22 23:34 . 2009-01-11 21:34 -------- d-----w- c:\program files\Common Files\Real

2009-09-22 23:34 . 2003-03-19 02:14 499712 ----a-w- c:\windows\system32\msvcp71.dll

2009-09-22 23:34 . 2003-02-21 10:42 348160 ----a-w- c:\windows\system32\msvcr71.dll

2009-09-22 19:47 . 2008-03-03 02:54 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-09-21 23:56 . 2008-01-25 00:18 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-09-21 23:21 . 2008-04-08 22:57 -------- d-----w- c:\program files\QuickTime

2009-09-21 18:25 . 2008-01-30 01:01 -------- d-----w- c:\program files\SUPERAntiSpyware

2009-09-20 15:46 . 2008-01-25 01:00 -------- d-----w- c:\documents and settings\All Users\Application Data\HP

2009-09-20 15:45 . 2008-01-25 00:59 -------- d-----w- c:\program files\HP

2009-09-19 19:56 . 2008-01-18 07:17 -------- d-----w- c:\program files\Java

2009-09-19 18:21 . 2009-06-06 23:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-19 18:05 . 2008-01-24 04:52 28648 ----a-w- c:\documents and settings\KgK\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-09-19 17:37 . 2008-01-18 07:21 -------- d-----w- c:\program files\Common Files\Roxio Shared

2009-09-19 17:37 . 2008-01-18 07:21 -------- d-----w- c:\program files\Common Files\Sonic Shared

2009-09-19 17:37 . 2008-01-18 07:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio

2009-09-10 21:54 . 2009-06-06 23:08 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-10 21:53 . 2009-06-06 23:08 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-03 14:59 . 2008-02-04 03:11 -------- d-----w- c:\program files\Savings Bond Wizard

2009-08-13 17:16 . 2008-03-18 22:59 -------- d-----w- c:\program files\Safari

2009-08-13 14:52 . 2009-08-13 14:52 -------- d-----w- c:\program files\Common Files\xing shared

2009-08-13 14:52 . 2009-08-13 14:52 -------- d-----w- c:\program files\Real

2009-08-07 02:24 . 2004-08-10 19:02 327896 ----a-w- c:\windows\system32\wucltui.dll

2009-08-07 02:24 . 2004-08-10 19:02 209632 ----a-w- c:\windows\system32\wuweb.dll

2009-08-07 02:24 . 2007-07-31 01:19 44768 ----a-w- c:\windows\system32\wups2.dll

2009-08-07 02:24 . 2004-08-10 19:02 35552 ----a-w- c:\windows\system32\wups.dll

2009-08-07 02:24 . 2004-08-10 19:02 53472 ----a-w- c:\windows\system32\wuauclt.exe

2009-08-07 02:24 . 2004-08-10 18:50 96480 ----a-w- c:\windows\system32\cdm.dll

2009-08-07 02:23 . 2004-08-10 19:02 575704 ----a-w- c:\windows\system32\wuapi.dll

2009-08-07 02:23 . 2008-01-25 00:58 274288 ----a-w- c:\windows\system32\mucltui.dll

2009-08-07 02:23 . 2004-08-10 19:02 1929952 ----a-w- c:\windows\system32\wuaueng.dll

2009-08-07 02:23 . 2007-07-31 03:18 215904 ----a-w- c:\windows\system32\muweb.dll

2009-08-05 09:01 . 2004-08-10 18:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-17 19:01 . 2004-08-10 18:50 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-14 06:43 . 2004-08-10 18:51 286208 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-06 22:51 . 2009-06-02 17:32 129981 ----a-w- c:\windows\hpqins00.dat

2009-07-06 17:40 . 2008-05-13 16:10 512 ----a-w- C:\drmHeader.bin

2008-09-09 14:02 . 2008-09-09 14:02 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll

2006-10-11 08:04 . 2008-01-26 04:52 61036 ----a-w- c:\program files\mozilla firefox\components\jar50.dll

2006-10-11 08:04 . 2008-01-26 04:52 48742 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll

2006-10-11 08:05 . 2008-01-26 04:52 29313 ----a-w- c:\program files\mozilla firefox\components\myspell.dll

2006-10-11 08:05 . 2008-01-26 04:52 41082 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll

2006-10-11 08:04 . 2008-01-26 04:52 166510 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll

.

((((((((((((((((((((((((((((( SnapShot@2009-09-19_23.27.37 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-09-22 22:12 . 2006-09-26 00:58 14640 c:\windows\system32\spmsg.dll

+ 2009-09-27 19:20 . 2009-08-07 02:24 44768 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.4.7600.226\wups2.dll

+ 2009-09-21 16:51 . 2009-04-18 00:46 44768 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.4.7085.142\wups2.dll

+ 2009-09-27 19:20 . 2009-08-07 02:24 35552 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.4.7600.226\wups.dll

+ 2009-09-21 16:51 . 2009-04-18 00:46 35552 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.4.7085.142\wups.dll

+ 2009-09-21 23:19 . 2009-08-29 02:42 40448 c:\windows\system32\DRVSTORE\usbaapl_6DA28B91FF48C57089E4D2436654AFA4ECAD0622\usbaapl.sys

+ 2009-09-21 23:22 . 2009-05-18 21:17 26600 c:\windows\system32\DRVSTORE\GEARAspiWD_3B7AACF0636A2C042EB7AD2AFF76D37B27BDD28C\x86\GEARAspiWDM.sys

+ 2008-01-29 19:01 . 2009-05-18 21:17 26600 c:\windows\system32\drivers\GEARAspiWDM.sys

+ 2004-08-10 19:02 . 2009-08-07 02:24 35552 c:\windows\system32\dllcache\wups.dll

+ 2004-08-10 19:02 . 2009-08-07 02:24 53472 c:\windows\system32\dllcache\wuauclt.exe

+ 2004-08-10 18:50 . 2009-08-07 02:24 96480 c:\windows\system32\dllcache\cdm.dll

+ 2008-01-24 04:48 . 2009-10-02 23:32 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

- 2008-01-24 04:48 . 2009-09-19 23:10 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2008-01-24 04:48 . 2009-10-02 23:32 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2008-01-24 04:48 . 2009-09-19 23:10 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2008-01-24 04:48 . 2009-09-19 23:10 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2008-01-24 04:48 . 2009-10-02 23:32 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat

- 2008-05-15 16:18 . 2009-08-13 14:52 5632 c:\windows\system32\pndx5032.dll

+ 2008-05-15 16:18 . 2009-09-22 23:34 5632 c:\windows\system32\pndx5032.dll

- 2008-05-15 16:18 . 2009-08-13 14:52 6656 c:\windows\system32\pndx5016.dll

+ 2008-05-15 16:18 . 2009-09-22 23:34 6656 c:\windows\system32\pndx5016.dll

+ 2009-09-21 16:51 . 2009-04-18 00:46 574176 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wuapi.dll\7.4.7085.142\wuapi.dll

- 2008-05-15 16:18 . 2009-08-13 14:52 185920 c:\windows\system32\rmoc3260.dll

+ 2008-05-15 16:18 . 2009-09-22 23:34 185920 c:\windows\system32\rmoc3260.dll

+ 2008-05-15 16:18 . 2009-09-22 23:34 278528 c:\windows\system32\pncrt.dll

- 2008-05-15 16:18 . 2009-08-13 14:52 278528 c:\windows\system32\pncrt.dll

+ 2004-08-10 18:51 . 2009-08-13 15:16 512000 c:\windows\system32\jscript.dll

- 2004-08-10 18:51 . 2008-05-09 10:53 512000 c:\windows\system32\jscript.dll

+ 2008-01-29 19:02 . 2008-04-17 20:12 107368 c:\windows\system32\GEARAspi.dll

- 2008-01-29 19:02 . 2008-04-17 19:12 107368 c:\windows\system32\GEARAspi.dll

+ 2009-09-21 23:22 . 2008-04-17 20:12 107368 c:\windows\system32\DRVSTORE\GEARAspiWD_3B7AACF0636A2C042EB7AD2AFF76D37B27BDD28C\x86\GEARAspi.dll

+ 2004-08-10 19:02 . 2009-08-07 02:24 209632 c:\windows\system32\dllcache\wuweb.dll

+ 2004-08-10 19:02 . 2009-08-07 02:24 327896 c:\windows\system32\dllcache\wucltui.dll

+ 2004-08-10 19:02 . 2009-08-07 02:23 575704 c:\windows\system32\dllcache\wuapi.dll

+ 2008-05-09 10:53 . 2009-08-13 15:16 512000 c:\windows\system32\dllcache\jscript.dll

- 2008-05-09 10:53 . 2008-05-09 10:53 512000 c:\windows\system32\dllcache\jscript.dll

+ 2009-09-21 23:20 . 2009-09-21 23:20 694272 c:\windows\Installer\81103a.msi

+ 2009-09-21 00:00 . 2009-09-21 00:00 177664 c:\windows\Installer\70c131.msi

+ 2009-09-24 17:22 . 2009-09-24 17:22 102400 c:\windows\Installer\{DA34FE93-5DC5-48E0-ACC8-A5389E05BB51}\iTunesIco.exe

+ 2004-08-10 18:51 . 2009-05-20 11:56 2458112 c:\windows\system32\wmvcore.dll

- 2004-08-10 18:51 . 2008-06-18 13:03 2458112 c:\windows\system32\WMVCore.dll

+ 2009-09-21 23:19 . 2009-08-29 02:42 2065696 c:\windows\system32\DRVSTORE\usbaapl_6DA28B91FF48C57089E4D2436654AFA4ECAD0622\usbaaplrc.dll

+ 2004-08-10 19:02 . 2009-08-07 02:23 1929952 c:\windows\system32\dllcache\wuaueng.dll

+ 2004-08-10 18:51 . 2009-05-20 11:56 2458112 c:\windows\system32\dllcache\wmvcore.dll

- 2004-08-10 18:51 . 2008-06-18 13:03 2458112 c:\windows\system32\dllcache\WMVCore.dll

+ 2009-09-21 23:20 . 2009-09-21 23:20 9013760 c:\windows\Installer\8110cc.msi

+ 2009-09-21 23:19 . 2009-09-21 23:19 1679872 c:\windows\Installer\81102e.msi

+ 2009-09-21 23:19 . 2009-09-21 23:19 3310592 c:\windows\Installer\810ff5.msi

+ 2009-09-24 17:22 . 2009-09-24 17:22 4405248 c:\windows\Installer\3d5e31.msi

+ 2008-01-24 15:04 . 2009-08-28 21:38 24689600 c:\windows\system32\MRT.exe

.

-- Snapshot reset to current date --

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"OE_OEM"="c:\program files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe" [2006-08-04 321040]

"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-03 102400]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-07-21 98304]

"Persistence"="c:\windows\system32\igfxpers.exe" [2006-07-21 81920]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]

"pccguide.exe"="c:\program files\Trend Micro\Internet Security 14\pccguide.exe" [2006-11-21 1807960]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-07-21 86016]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]

"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 202544]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-22 198160]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]

"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-20 282624]

c:\documents and settings\KgK\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-1-18 24576]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-20 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"67:UDP"= 67:UDP:DHCP Discovery Service

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [10/10/2006 2:53 PM 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/27/2007 1:39 PM 74480]

R2 FlipShare Service;FlipShare Service;c:\program files\Pure Digital Technologies\FlipShare\FlipShareService.exe [11/13/2008 2:17 PM 439616]

R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [11/8/2007 6:19 PM 345696]

R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [11/8/2007 6:19 PM 923216]

R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [11/8/2007 6:20 PM 36368]

R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [11/8/2007 6:19 PM 566872]

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]

R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [11/8/2007 6:20 PM 280392]

S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]

S3 MusCAudio;MusCAudio;c:\windows\system32\drivers\MusCAudio.sys [1/11/2009 1:54 PM 23096]

S3 MusCVideo;MusCVideo;c:\windows\system32\drivers\MusCVideo.sys [1/11/2009 1:54 PM 3768]

S3 PCD5SRVC{FBEA8B78-1B22F121-05040000};PCD5SRVC{FBEA8B78-1B22F121-05040000} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\DELLSU~2\HWDiag\bin\PCD5SRVC.pkms [12/5/2007 3:47 PM 20640]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/16/2006 6:51 PM 4096]

S3 yeddef;YEDDEF driver;c:\windows\system32\Drivers\yeddef.sys --> c:\windows\system32\Drivers\yeddef.sys [?]

S4 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [1/18/2008 12:30 AM 29744]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

Contents of the 'Scheduled Tasks' folder

2009-09-24 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-10-03 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 03:20]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.fool.com/

mStart Page = hxxp://www.comcast.net/

mWindow Title = Windows Internet Explorer provided by Comcast

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\KgK\Application Data\Mozilla\Firefox\Profiles\bwaof5dy.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.fool.com/

FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll

FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

.

- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-10-03 17:00

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\windows\TEMP\TMP0000009C9B82960B4BE24F7D

scan completed successfully

hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCD5SRVC{FBEA8B78-1B22F121-05040000}]

"ImagePath"="\??\c:\progra~1\DELLSU~2\HWDiag\bin\PCD5SRVC.pkms"

.

Completion time: 2009-10-04 17:01

ComboFix-quarantined-files.txt 2009-10-04 00:01

ComboFix2.txt 2009-09-19 23:33

Pre-Run: 466,597,138,432 bytes free

Post-Run: 466,562,740,224 bytes free

232 --- E O F --- 2009-10-02 23:25


Go start run type

sc delete yeddef

press enter

Looks to be a leftover driver, no big deal.

Find that Autorun file within ComboFix's quarantine folder, c:\qoobox\quarantine, open it with Notepad and post the contents.

You re-enabled your antivirus after running ComboFix, I hope?

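The "leftover driver" call above rests on one detail of the ComboFix service listing: an entry printed as `... --> path [?]` is a service or driver whose registry entry survived but whose image file is no longer on disk (Lbd and yeddef in this log). The following is an added Python example, not ComboFix's code or anything posted in this thread, that parses the two line shapes seen in the log: the `R#`/`S#` service lines, returning the orphaned entries that are candidates for `sc delete`, and the `+`/`-` snapshot lines, pairing them by path so new, replaced and removed files can be listed and filtered by modification date. The sample text is constructed from lines in the log above; the letter is taken as R = running / S = stopped and the digit as the standard Windows service Start value.

```python
"""Parse service and snapshot-diff lines from a ComboFix log (added example)."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample: lines copied in the ComboFix format, covering two drivers
# whose file exists, two "[?]" entries whose file is gone, and a few diff lines.
SAMPLE_LOG = r"""
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [10/10/2006 2:53 PM 9968]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S3 yeddef;YEDDEF driver;c:\windows\system32\Drivers\yeddef.sys --> c:\windows\system32\Drivers\yeddef.sys [?]
S4 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [1/18/2008 12:30 AM 29744]
+ 2008-05-15 16:18 . 2009-09-22 23:34 5632 c:\windows\system32\pndx5032.dll
- 2008-05-15 16:18 . 2009-08-13 14:52 5632 c:\windows\system32\pndx5032.dll
+ 2009-09-21 23:20 . 2009-09-21 23:20 694272 c:\windows\Installer\81103a.msi
- 2004-08-10 18:51 . 2008-06-18 13:03 2458112 c:\windows\system32\WMVCore.dll
"""

# "R2 name;Display;rest"  -> state letter, Start digit, service name, display name, remainder
SERVICE_RE = re.compile(r"^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
# remainder when the image file is missing: "path --> path [?]"
MISSING_RE = re.compile(r"^(?P<path>.+?) --> .+ \[\?\]$")
# remainder when the image file exists: "path [m/d/yyyy h:mm AM size]"
PRESENT_RE = re.compile(r"^(?P<path>.+) \[(?P<stamp>.+) (?P<size>\d+)\]$")
# snapshot diff: "+ created . modified size path"
SNAPSHOT_RE = re.compile(r"^(?P<sign>[+-]) (?P<created>\S+ \S+) \. (?P<modified>\S+ \S+) (?P<size>\d+) (?P<path>.+)$")
STAMP_FMT = "%Y-%m-%d %H:%M"


@dataclass
class Service:
    name: str
    display: str
    running: bool
    start_type: int          # Windows Start value: 0 boot, 1 system, 2 auto, 3 demand, 4 disabled
    path: str
    file_present: bool
    size: Optional[int] = None


@dataclass
class SnapshotEntry:
    sign: str                # "+" = present in the new snapshot, "-" = present in the old one
    created: datetime
    modified: datetime
    size: int
    path: str


def parse_services(text: str) -> List[Service]:
    """Return every R#/S# service line as a Service, noting whether its image exists."""
    services: List[Service] = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        common = (m["name"], m["display"], m["state"] == "R", int(m["start"]))
        missing = MISSING_RE.match(m["rest"])
        if missing:
            services.append(Service(*common, missing["path"], False))
            continue
        present = PRESENT_RE.match(m["rest"])
        if present:
            services.append(Service(*common, present["path"], True, int(present["size"])))
    return services


def orphaned_services(services: List[Service]) -> List[str]:
    """Names of entries whose image file is gone: a registry entry that can no
    longer load anything, i.e. the leftover driver the thread removes with sc delete."""
    return [s.name for s in services if not s.file_present]


def parse_snapshot(text: str) -> List[SnapshotEntry]:
    """Return every +/- snapshot line with its timestamps parsed."""
    entries: List[SnapshotEntry] = []
    for line in text.splitlines():
        m = SNAPSHOT_RE.match(line.strip())
        if m:
            entries.append(SnapshotEntry(m["sign"],
                                         datetime.strptime(m["created"], STAMP_FMT),
                                         datetime.strptime(m["modified"], STAMP_FMT),
                                         int(m["size"]), m["path"]))
    return entries


def classify_snapshot(entries: List[SnapshotEntry]) -> Dict[str, List[str]]:
    """Pair '+' and '-' lines on the same path (case-insensitive, since the log
    itself lists wmvcore.dll against WMVCore.dll) and bucket each file."""
    plus = {e.path.lower(): e for e in entries if e.sign == "+"}
    minus = {e.path.lower(): e for e in entries if e.sign == "-"}
    result: Dict[str, List[str]] = {"new": [], "replaced": [], "removed": []}
    for key in sorted(set(plus) | set(minus)):
        if key in plus and key in minus:
            result["replaced"].append(plus[key].path)
        elif key in plus:
            result["new"].append(plus[key].path)
        else:
            result["removed"].append(minus[key].path)
    return result


def modified_since(entries: List[SnapshotEntry], cutoff: str) -> List[str]:
    """Paths of '+' entries modified on or after cutoff ("YYYY-MM-DD HH:MM"):
    the first files to look at when the slowdown began on a known date."""
    limit = datetime.strptime(cutoff, STAMP_FMT)
    return sorted(e.path for e in entries if e.sign == "+" and e.modified >= limit)


if __name__ == "__main__":
    svcs = parse_services(SAMPLE_LOG)
    print("orphaned service entries:", orphaned_services(svcs))
    snap = parse_snapshot(SAMPLE_LOG)
    print("snapshot:", classify_snapshot(snap))
    print("modified since 2009-09-22:", modified_since(snap, "2009-09-22 00:00"))
```

Run it against a full log by replacing `SAMPLE_LOG` with the file's text; the orphan list is only a hint that an entry is dead weight, the decision to delete it stays with whoever reads the rest of the log.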

sc delete yeddef

.

Find that Autorun file within ComboFix's quarantine folder, c:\qoobox\quarantine, open it with Notepad and post the contents.

You re-enabled your antivirus after running ComboFix, I hope?

Deleted yeddef... and definitely re-enabled antivirus ASAP...

Here is the combo quarantine folder:

2009-10-04 00:00:14 . 2009-10-04 00:00:14 313 ----a-w- C:\Qoobox\Quarantine\J\av1.zip

2009-10-04 00:00:13 . 2004-07-16 16:51:42 31 ----a-w- C:\Qoobox\Quarantine\J\autorun.inf.vir

2009-09-19 23:32:37 . 2009-09-19 23:32:37 1,182 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-{7B63B2922B174135AFC0E1377DD81EC2}.reg.dat

2009-09-19 23:29:27 . 2009-09-19 23:29:27 218 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-Desktop Software.reg.dat

2009-09-19 23:29:21 . 2009-10-04 00:00:49 171 ----a-w- C:\Qoobox\Quarantine\Registry_backups\WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C}.reg.dat

2009-09-19 23:24:47 . 2002-10-17 16:56:50 36 ----a-w- C:\Qoobox\Quarantine\I\autorun.inf.vir

2009-09-19 23:05:01 . 2009-10-03 23:58:59 6,961 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg

2009-09-19 22:48:46 . 2009-10-03 23:56:31 153 ----a-w- C:\Qoobox\Quarantine\catchme.log

2008-07-03 15:04:29 . 2008-07-03 15:04:29 532,992 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\10f6da.msi.vir

2007-06-05 23:07:33 . 2007-06-05 23:07:33 506,749 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\autorun.inf.vir



Let's get a peek at the one that was in the system32 folder.

Go start run type (or copy paste)

notepad "C:\Qoobox\Quarantine\C\WINDOWS\system32\autorun.inf.vir"

press enter

Post the contents

That Notepad opens a HUGE file with what looks like thousands of lines of stuff, so big this site wouldn't let me post it...

Is there another way to post it or determine what might be relevant or not?

110
