Jump to content

Cannot remove rootkit.TDSS or Trojan.DNSChange


tweis
 Share

Recommended Posts

After several scans with mbam, I cannot get rid of these two. The most notable effect is my system will hang unless I boot into safe mode. Following the instructions in the master thread, I ran DeFogger, DDS, and the Rootkit Scanner, and am attaching all the relevant log files. FWIW, I am also having problems removing something called Rogue.SmartProtector when running SuperAntiSpyware.

Thanks for your help!

Most recent malwarebytes log:

-------------------------------------------------------------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.43

Database version: 3482

Windows 5.1.2600 Service Pack 3 (Safe Mode)

Internet Explorer 8.0.6001.18702

1/2/2010 3:27:19 PM

mbam-log-2010-01-02 (15-27-19).txt

Scan type: Quick Scan

Objects scanned: 256343

Time elapsed: 6 minute(s), 0 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINPRO\system32\krl32mainweq.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.

-------------------------------------------------------------------------------------------------------------------------------

DDS.txt:

-------------------------------------------------------------------------------------------------------------------------------

DDS (Ver_09-12-01.01) - NTFSx86 NETWORK

Run by todd at 17:56:53.67 on Sat 01/02/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.3005 [GMT -8:00]

AV: Malware Defense *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINPRO\system32\svchost -k DcomLaunch

svchost.exe

C:\WINPRO\system32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINPRO\Explorer.EXE

C:\WINPRO\system32\ctfmon.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\Iexplore.exe

C:\Program Files\Internet Explorer\Iexplore.exe

C:\Documents and Settings\todd.DRBUNNY.003\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll

TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File

uRun: [ctfmon.exe] c:\winpro\system32\ctfmon.exe

uRunOnce: [FlashPlayerUpdate] c:\winpro\system32\macromed\flash\FlashUtil10c.exe

mRun: [DNS7reminder] "e:\program files\nuance\naturallyspeaking9\ereg\ereg.exe" -r "c:\documents and settings\all users.winpro\application data\nuance\naturallyspeaking9\Ereg.ini

mRun: [WD Button Manager] WDBtnMgr.exe

mRun: [sunJavaUpdateSched] c:\program files\java\jre1.5.0_06\bin\jusched.exe

mRun: [stxTrayMenu] "c:\program files\seagate\systemtray\StxMenuMgr.exe"

mRun: [sSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot

mRun: [soundMan] SOUNDMAN.EXE

mRun: [RemoteControl8] "c:\program files\cyberlink\powerdvd8\PDVD8Serv.exe"

mRun: [PDVD8LanguageShortcut] "c:\program files\cyberlink\powerdvd8\language\Language.exe"

mRun: [NeroFilterCheck] c:\winpro\system32\NeroCheck.exe

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup

mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /install

mRun: [NvMediaCenter] RUNDLL32.EXE c:\winpro\system32\NvMcTray.dll,NvTaskbarInit

mRun: [NvCplDaemon] RUNDLL32.EXE c:\winpro\system32\NvCpl.dll,NvStartup

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [Tvoxaxaga] rundll32.exe "c:\winpro\adiyosamavabowin.dll",Startup

mRun: [MSConfig] c:\winpro\pchealth\helpctr\binaries\MSConfig.exe /auto

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\Copy of mbam.exe" /runcleanupscript

StartupFolder: c:\docume~1\todddr~1.003\startm~1\programs\startup\autoba~1.lnk - c:\program files\seagate\autobackup\MemeoLauncher.exe

StartupFolder: c:\docume~1\todddr~1.003\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palmone\HOTSYNC.EXE

StartupFolder: c:\documents and settings\todd.drbunny.003\start menu\programs\startup\PowerReg Scheduler.exe

StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\billmi~1.lnk - c:\quickenw\BILLMIND.EXE

StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\quicke~1.lnk - c:\quickenw\QWDLLS.EXE

StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\vpncli~1.lnk - c:\winpro\installer\{4c271126-c295-4828-a901-5910ae0c258b}\Icon3E5562ED7.ico

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

Trusted Zone: internet

Trusted Zone: mcafee.com

Trusted Zone: turbotax.com

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab

DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://a1540.g.akamai.net/7/1540/52/20060104/qtinstall.info.apple.com/snape/us/win/QuickTimeInstaller.exe

DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab

DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-36.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab

DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab

DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} - hxxp://www.systemrequirementslab.com/sysreqlab.cab

DPF: {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0014-0002-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} - hxxp://plugin.fileopen.com/current/FileOpen.CAB

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5841/mcfscan.cab

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\winpro\system32\WPDShServiceObj.dll

SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\progra~1\qualcomm\eudora\EuShlExt.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

LSA: Notification Packages = scecli fsdcocl.dll

============= SERVICES / DRIVERS ===============

R1 Ext2fs;Ext2fs;c:\winpro\system32\drivers\ext2fs.sys [2006-5-13 131840]

R3 USBFVNETR;NETGEAR MA101 USB Adapter;c:\winpro\system32\drivers\ma101rnd.sys [2006-4-26 80000]

S0 qfyfiwn;qfyfiwn;c:\winpro\system32\drivers\sujcio.sys --> c:\winpro\system32\drivers\sujcio.sys [?]

S1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-1-2 11608]

S1 IfsDrives;IfsDrives;c:\winpro\system32\drivers\IfsDrives.sys [2006-5-13 4608]

S1 mfehidk;McAfee Inc. mfehidk;c:\winpro\system32\drivers\mfehidk.sys [2009-11-4 214664]

S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-12-16 9968]

S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-12-16 74480]

S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-1-2 108289]

S2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-1-2 185089]

S2 avgntflt;avgntflt;c:\winpro\system32\drivers\avgntflt.sys [2010-1-2 55656]

S2 mpich_mpd;MPICH Daemon © 2001 Argonne National Lab;c:\program files\mpich\mpd\bin\mpd.exe [2006-6-7 184320]

S3 mferkdk;McAfee Inc. mferkdk;c:\winpro\system32\drivers\mferkdk.sys [2009-12-22 34248]

S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]

S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-12-16 7408]

S3 TCNear;TC Near;c:\winpro\system32\drivers\TCNear.sys [2007-10-17 124800]

S3 TCNearAudio;TC Near Audio;c:\winpro\system32\drivers\TCNearAudio.sys [2007-10-17 20864]

S3 TCNearMidi;TC Near MIDI;c:\winpro\system32\drivers\TCNearMidi.sys [2007-10-17 20480]

S3 VisorUsb;Handspring USB;c:\winpro\system32\drivers\visorusb.sys --> c:\winpro\system32\drivers\VisorUsb.sys [?]

S3 vsdatant;vsdatant;c:\winpro\system32\vsdatant.sys [2005-1-26 280344]

=============== Created Last 30 ================

2010-01-03 01:55:32 202 ----a-w- c:\winpro\system32\srcr.dat

2010-01-03 01:50:58 0 ----a-w- c:\documents and settings\todd.drbunny.003\defogger_reenable

2010-01-02 23:29:56 869 ----a-w- c:\winpro\system32\krl32mainweq.dll

2010-01-02 18:34:19 0 d-----w- c:\winpro\LastGood.Tmp

2010-01-02 18:34:11 55656 ----a-w- c:\winpro\system32\drivers\avgntflt.sys

2010-01-02 18:34:06 0 d-----w- c:\program files\Avira

2010-01-02 18:34:06 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Avira

2010-01-02 02:06:45 0 --sha-w- c:\winpro\nvDrv.sy

2009-12-29 07:48:20 0 d-----w- c:\program files\CCleaner

2009-12-29 07:22:36 0 d-----w- c:\docume~1\todddr~1.003\applic~1\McAfee

2009-12-29 00:43:26 0 d-----w- c:\docume~1\todddr~1.003\applic~1\Malwarebytes

2009-12-26 18:27:22 0 d-----w- c:\docume~1\alluse~1.win\applic~1\SUPERAntiSpyware.com

2009-12-26 18:16:58 38224 ----a-w- c:\winpro\system32\drivers\mbamswissarmy.sys

2009-12-26 18:16:57 19160 ----a-w- c:\winpro\system32\drivers\mbam.sys

2009-12-26 18:16:57 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-12-26 18:16:57 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Malwarebytes

2009-12-26 18:15:32 0 d-----w- c:\program files\SUPERAntiSpyware

2009-12-26 18:15:32 0 d-----w- c:\docume~1\todddr~1.003\applic~1\SUPERAntiSpyware.com

2009-12-23 08:13:12 0 d-----w- c:\winpro\McAfee.com

2009-12-23 07:04:48 0 d-----w- c:\program files\McAfee.com

2009-12-23 07:04:48 0 d-----w- c:\program files\common files\McAfee

2009-12-23 07:04:37 0 d-----w- c:\program files\McAfee

2009-12-23 07:01:59 34248 ----a-w- c:\winpro\system32\drivers\mferkdk.sys

2009-12-22 15:30:12 120 ----a-w- c:\winpro\Gjeweziwa.dat

2009-12-22 15:30:12 0 ----a-w- c:\winpro\Tcetogilime.bin

2009-12-22 15:26:25 471552 -c----w- c:\winpro\system32\dllcache\aclayers.dll

==================== Find3M ====================

2009-11-05 00:54:12 214664 ----a-w- c:\winpro\system32\drivers\mfehidk.sys

2009-10-29 07:45:38 916480 ----a-w- c:\winpro\system32\wininet.dll

2009-10-21 05:38:36 75776 ----a-w- c:\winpro\system32\strmfilt.dll

2009-10-21 05:38:36 25088 ----a-w- c:\winpro\system32\httpapi.dll

2009-10-13 10:30:16 270336 ----a-w- c:\winpro\system32\oakley.dll

2009-10-12 13:38:19 149504 ----a-w- c:\winpro\system32\rastls.dll

2009-10-12 13:38:18 79872 ----a-w- c:\winpro\system32\raschap.dll

2009-10-12 00:43:57 41504 ---ha-w- c:\winpro\system32\mlfcache.dat

2007-07-31 04:01:14 604 ---ha-w- c:\program files\STLL Notifier

2008-09-04 04:06:00 32768 --sha-w- c:\winpro\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090320080904\index.dat

============= FINISH: 17:58:08.34 ===============

Attach.zip

Link to post
Share on other sites

Download Combofix from this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.

  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

Note:

Do not mouseclick combofix's window while it's running. That may cause it to stall

Link to post
Share on other sites

Thanks. I've attached the combofix log and here is the subsequent hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:53:53 PM, on 1/5/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Safe mode with network support

Running processes:

C:\WINPRO\System32\smss.exe

C:\WINPRO\system32\winlogon.exe

C:\WINPRO\system32\services.exe

C:\WINPRO\system32\lsass.exe

C:\WINPRO\system32\svchost.exe

C:\WINPRO\system32\svchost.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

C:\WINPRO\explorer.exe

C:\WINPRO\system32\ctfmon.exe

C:\Documents and Settings\todd.DRBUNNY.003\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll

O4 - HKLM\..\Run: [DNS7reminder] "E:\Program Files\Nuance\NaturallySpeaking9\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users.WINPRO\Application Data\Nuance\NaturallySpeaking9\Ereg.ini

O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [stxTrayMenu] "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe"

O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [RemoteControl8] "C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe"

O4 - HKLM\..\Run: [PDVD8LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINPRO\system32\NeroCheck.exe

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINPRO\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINPRO\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\Copy of mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINPRO\system32\ctfmon.exe

O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINPRO\system32\Macromed\Flash\FlashUtil10c.exe

O4 - Startup: AutoBackup Launcher.lnk = C:\Program Files\Seagate\AutoBackup\MemeoLauncher.exe

O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE

O4 - Startup: PowerReg Scheduler.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE

O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE

O4 - Global Startup: VPN Client.lnk = ?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINPRO\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINPRO\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: http://*.mcafee.com

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200601...meInstaller.exe

O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-36.cab

O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab

O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab

O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab

O16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - http://plugin.fileopen.com/current/FileOpen.CAB

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...841/mcfscan.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: Google Software Updater (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: MPICH Daemon © 2001 Argonne National Lab (mpich_mpd) - Unknown owner - C:\Program Files\MPICH\mpd\bin\mpd.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINPRO\system32\nvsvc32.exe

O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe

O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007\Win32\RpcDataSrv.exe

O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007\RpcSandraSrv.exe

--

End of file - 8781 bytes

combolog.txt

Link to post
Share on other sites

Please make sure you have a fresh Copy of ComboFix. The current version is out of date.

Please download a fresh copy from here

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\winpro\system32\drivers\ext2fs.sys
c:\winpro\system32\drivers\sujcio.sys
DeQuarantine::
C:\Qoobox\Quarantine\program files\Google\Common\Google Updater\GoogleUpdaterService.exe.vir
DirLook::
C:\winpro
Driver::
Ext2fs
qfyfiwn

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Link to post
Share on other sites

I ran a full system scan and found nothing!

Malwarebytes' Anti-Malware 1.44

Database version: 3524

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

1/9/2010 8:55:25 AM

mbam-log-2010-01-09 (08-55-25).txt

Scan type: Full Scan (C:\|E:\|H:\|)

Objects scanned: 646396

Time elapsed: 1 hour(s), 57 minute(s), 22 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Link to post
Share on other sites

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.