
Infected..please help!



While I was away my husband got something on our computer that I can't get rid of... MalwareBytes and Norton both scan clean and say there is nothing. However, the malwarebytes pop-up keeps coming up saying that it blocked my computer from accessing a malicious website (ex. 94.228.209.200 or 91.212.226.59 or 85.12.46.155).

I did as instructed on pinned topics by installing the defogger (still enabled as instructed) and dds. I attempted to run the gmer. It runs for at least 16 hours... and each time I go back to save the log when it completes the screen is blue and says "kgncypob.sys - page fault in a nonpaged area". Hence I have never been able to save the log! It does run, and if I stopped it at some point and then saved I likely could if needed.

Also noted yesterday (before I unplugged the cable to computer) that agent.exe has started appearing in the task window and using tons of memory. Pop-ups not happening yet today (I just plugged cable back into computer).

Any assistance is greatly appreciated. Thank you!

DDS.zip

Attach.zip

mbam_log_2010_08_01__10_54_58_.txt


  • Staff

Hi and welcome to Malwarebytes,

In the future please post all logs directly into your reply instead of attaching them.

Please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317



Here is the new DDS:

DDS (Ver_10-03-17.01) - NTFSx86

Run by Lisa at 20:02:30.51 on Mon 08/02/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.337 [GMT -5:00]

AV: Norton Security Suite *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton Security Suite *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\brss01a.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\stsystra.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Common Files\AOL\1195175906\ee\AOLSoftware.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

svchost.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

C:\Program Files\AOL 9.5a\waol.exe

C:\Program Files\TechSmith\Snagit 9\Snagit32.exe

C:\Program Files\Southwest Airlines\Ding\Ding.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Norton Security Suite\Engine\4.2.0.12\ccSvcHst.exe

C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe

svchost.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\fxssvc.exe

C:\Program Files\TechSmith\Snagit 9\TSCHelp.exe

C:\Program Files\TechSmith\Snagit 9\SnagPriv.exe

C:\Program Files\Norton Security Suite\Engine\4.2.0.12\ccSvcHst.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\AOL 9.5a\shellmon.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Lisa\Desktop\dds.com

============== Pseudo HJT Report ===============

Here is the combofix:

ComboFix 10-08-02.01 - Lisa 08/02/2010 19:33:54.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.431 [GMT -5:00]

Running from: c:\documents and settings\Lisa\Desktop\ComboFix.exe

AV: Norton Security Suite *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton Security Suite *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Lisa\GoToAssistDownloadHelper.exe

c:\windows\Downloaded Program Files\f3initialsetup1.0.1.1.inf

c:\windows\system32\BSTIEPrintCtl1.dll

.

((((((((((((((((((((((((( Files Created from 2010-07-03 to 2010-08-03 )))))))))))))))))))))))))))))))

.

2010-08-03 00:27 . 2010-08-03 00:27 -------- d-----w- c:\windows\LastGood

2010-07-31 02:17 . 2010-07-31 02:17 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2010-07-31 02:14 . 2010-07-31 02:14 -------- d-sh--w- c:\documents and settings\Lisa\IETldCache

2010-07-30 23:08 . 2010-07-30 23:10 -------- dc-h--w- c:\windows\ie8

2010-07-28 23:29 . 2009-10-01 01:22 49904 ----a-r- c:\windows\system32\drivers\BVRPMPR5.SYS

2010-07-28 23:28 . 2010-07-28 23:39 -------- d-----w- C:\Netgear

2010-07-28 15:59 . 2010-05-06 04:01 361904 ----a-w- c:\windows\system32\drivers\symtdi.sys

2010-07-28 15:59 . 2010-04-22 03:02 173104 ----a-w- c:\windows\system32\drivers\symefa.sys

2010-07-28 15:59 . 2010-04-29 05:03 116784 ----a-w- c:\windows\system32\drivers\ironx86.sys

2010-07-28 15:59 . 2010-04-22 02:29 43696 ----a-w- c:\windows\system32\drivers\srtspx.sys

2010-07-28 15:59 . 2010-02-26 00:22 501888 ----a-w- c:\windows\system32\drivers\cchpx86.sys

2010-07-28 15:59 . 2009-10-15 03:50 328752 ----a-r- c:\windows\system32\drivers\symds.sys

2010-07-28 15:50 . 2010-07-28 15:50 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL

2010-07-28 15:50 . 2010-07-28 15:50 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2010-07-28 15:50 . 2010-07-28 15:59 -------- d-----w- c:\program files\Common Files\Symantec Shared

2010-07-28 15:50 . 2010-07-28 15:50 -------- d-----w- c:\program files\Symantec

2010-07-28 15:49 . 2010-07-28 23:28 -------- d-----w- c:\windows\system32\drivers\N360

2010-07-28 15:49 . 2010-07-28 15:49 -------- d-----w- c:\program files\Norton Security Suite

2010-07-28 15:49 . 2010-07-28 15:49 -------- d-----w- c:\program files\Windows Sidebar

2010-07-28 15:49 . 2010-07-28 15:49 -------- d-----w- c:\program files\NortonInstaller

2010-07-28 15:49 . 2010-07-28 15:49 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller

2010-07-28 15:48 . 2010-07-28 15:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton

2010-07-27 02:19 . 2010-07-27 02:19 -------- d-----w- c:\documents and settings\Owen & Casey\Application Data\Yahoo!

2010-07-25 05:11 . 2010-07-25 05:11 -------- d-----w- c:\windows\system32\wbem\Repository

2010-07-14 00:35 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-31 03:02 . 2008-11-21 00:32 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2010-07-30 22:17 . 2010-06-06 21:23 -------- d-----w- c:\program files\Yahoo!

2010-07-28 15:50 . 2010-07-28 15:50 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF

2010-07-28 15:50 . 2010-07-28 15:50 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT

2010-06-14 14:31 . 2007-11-08 21:18 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe

2010-06-07 21:47 . 2010-06-07 21:46 -------- d-----w- c:\program files\Common Files\Adobe

2010-06-07 15:45 . 2010-06-07 15:45 -------- d-----w- c:\documents and settings\Tim\Application Data\Yahoo!

2010-06-06 21:54 . 2009-01-25 03:27 -------- d-----w- c:\program files\BitComet

2010-06-06 21:38 . 2010-06-06 21:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-06 21:23 . 2010-06-06 21:23 -------- d-----w- c:\documents and settings\Lisa\Application Data\Yahoo!

2010-06-06 20:50 . 2007-11-16 02:04 -------- d-----w- c:\program files\Google

2010-06-04 17:01 . 2010-06-04 17:01 -------- d-----w- c:\documents and settings\Lisa\Application Data\Keynote Systems

2010-06-03 02:41 . 2010-06-03 02:41 3600384 ----a-w- c:\windows\system32\GPhotos.scr

2010-05-27 00:43 . 2010-05-27 00:43 503808 ----a-w- c:\documents and settings\Lisa\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-79a7388e-n\msvcp71.dll

2010-05-27 00:43 . 2010-05-27 00:43 499712 ----a-w- c:\documents and settings\Lisa\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-79a7388e-n\jmc.dll

2010-05-27 00:43 . 2010-05-27 00:43 348160 ----a-w- c:\documents and settings\Lisa\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-79a7388e-n\msvcr71.dll

2010-05-26 01:46 . 2010-05-26 01:46 503808 ----a-w- c:\documents and settings\Tim\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-27021b0b-n\msvcp71.dll

2010-05-26 01:46 . 2010-05-26 01:46 499712 ----a-w- c:\documents and settings\Tim\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-27021b0b-n\jmc.dll

2010-05-26 01:46 . 2010-05-26 01:46 348160 ----a-w- c:\documents and settings\Tim\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-27021b0b-n\msvcr71.dll

2010-05-07 19:38 . 2008-08-24 18:13 28588 ---ha-w- c:\windows\system32\mlfcache.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

"AOL Fast Start"="c:\program files\AOL 9.5a\AOL.EXE" [2009-10-28 50536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-15 344064]

"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 339968]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-11-07 122940]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 218032]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]

"HostManager"="c:\program files\Common Files\AOL\1195175906\ee\AOLSoftware.exe" [2009-07-20 41264]

"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]

"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2007-11-16 26112]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-08 148888]

"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 40368]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

c:\documents and settings\Lisa\Start Menu\Programs\Startup\

DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2006-6-22 462848]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Snagit 9.lnk - c:\program files\TechSmith\Snagit 9\Snagit32.exe [2009-10-15 6287176]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=

"c:\\Program Files\\America Online 9.0\\waol.exe"=

"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=

"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=

"c:\\Program Files\\Common Files\\AOL\\1195175906\\EE\\AOLServiceHost.exe"=

"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=

"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Common Files\\AOL\\1195175906\\EE\\aolsoftware.exe"=

"c:\\Program Files\\AOL 9.5\\waol.exe"=

"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=

"c:\\Program Files\\AOL 9.5a\\waol.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"11983:TCP"= 11983:TCP:BitComet 11983 TCP

"11983:UDP"= 11983:UDP:BitComet 11983 UDP

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0402000.00C\symds.sys [7/28/2010 10:59 AM 328752]

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0402000.00C\symefa.sys [7/28/2010 10:59 AM 173104]

R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20100709.001\BHDrvx86.sys [7/9/2010 9:44 PM 691248]

R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0402000.00C\cchpx86.sys [7/28/2010 10:59 AM 501888]

R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0402000.00C\ironx86.sys [7/28/2010 10:59 AM 116784]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/6/2010 4:38 PM 304464]

R2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\4.2.0.12\ccsvchst.exe [7/28/2010 10:58 AM 126392]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [7/28/2010 10:55 AM 102448]

R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20100730.001\IDSXpx86.sys [7/30/2010 8:13 PM 331640]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/6/2010 4:38 PM 20952]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/11/2009 11:28 AM 133104]

S3 SCR3xx USB Smart Card Reader;SCR3xx USB Smart Card Reader;c:\windows\system32\drivers\SCR3XX2K.sys [1/31/2010 6:40 PM 47488]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [4/13/2010 12:51 PM 691696]

.

Contents of the 'Scheduled Tasks' folder

2010-08-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-11 16:28]

2010-08-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-11 16:28]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.comcast.net/

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html

Trusted Zone: intuit.com\ttlc

DPF: {42D06124-98A2-47EC-8098-3778B58CE7D5} - hxxps://actsvr.comcastonline.com/techtools/dl/Comcast%20Activation%20Controls.cab

FF - ProfilePath - c:\documents and settings\Lisa\Application Data\Mozilla\Firefox\Profiles\khc7fni4.default\

FF - prefs.js: browser.search.selectedEngine - DAEMON Search

FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com

FF - component: c:\program files\Mozilla Firefox\extensions\firefoxextensions@keynote.com\components\FFConnectorLauncher.dll

FF - component: c:\program files\Mozilla Firefox\extensions\firefoxextensions@keynote.com\components\FFSource.dll

FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npMozCouponPrinter.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

FF - user.js: protocol-handler.warn-external.dnUpdate - false.

- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-08-02 19:47

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\N360]

"ImagePath"="\"c:\program files\Norton Security Suite\Engine\4.2.0.12\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\4.2.0.12\diMaster.dll\" /prefetch:1"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

Completion time: 2010-08-02 19:54:25

ComboFix-quarantined-files.txt 2010-08-03 00:54

Pre-Run: 47,714,148,352 bytes free

Post-Run: 47,753,920,512 bytes free

- - End Of File - - A555A87A281D41789A0938FE896FF770

THANK YOU!!!!!!

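A defender's triage of the ComboFix entries quoted in the post above, as an added example that is not part of the thread or of ComboFix, DDS, Malwarebytes or Norton: it parses the "Reg Loading Points" values ComboFix prints (both the REGEDIT4 `dword:` form and the `0 (0x0)` form) and flags the Security Center override and firewall-policy settings, along with the AV/FW header lines ComboFix marks disabled. The sample input is constructed from lines in the log above.

```python
"""Triage of the ComboFix 'Reg Loading Points' entries quoted in this thread.
Added example; not part of ComboFix, DDS, Malwarebytes or Norton. The sample
below is constructed from lines in the log posted above."""
import re

# Constructed sample: the security-relevant lines from the ComboFix log above.
SAMPLE_LOG = r"""
AV: Norton Security Suite *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"11983:TCP"= 11983:TCP:BitComet 11983 TCP
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<raw>.*)$')
# ComboFix prints DWORDs either as REGEDIT4 "dword:00000001" or as "0 (0x0)".
DWORD_RE = re.compile(
    r"^(?:dword:(?P<hex>[0-9a-fA-F]{8})|(?P<dec>\d+)\s*\(0x[0-9a-fA-F]+\))$")
# Header lines such as "AV: Norton Security Suite *disabled* {GUID}".
STATUS_RE = re.compile(r"^(?P<kind>AV|FW):\s*(?P<product>.*?)\s*\*(?P<status>[^*]+)\*")

# (key suffix, value name, value meaning a weakened posture, explanation)
WEAK_SETTINGS = [
    (r"\microsoft\security center", "AntiVirusOverride", 1,
     "Security Center will not warn that antivirus is off or out of date"),
    (r"\microsoft\security center", "FirewallOverride", 1,
     "Security Center will not warn that the firewall is off"),
    (r"\firewallpolicy\standardprofile", "EnableFirewall", 0,
     "Windows Firewall is disabled for the standard profile"),
    (r"\firewallpolicy\standardprofile", "DisableNotifications", 1,
     "Windows Firewall will not prompt when a program is blocked"),
]

def parse_loading_points(text):
    """Map (lower-cased key, value name) -> value for every "name"=value line,
    attributing each value to the most recent [key] header above it.
    DWORDs become ints; any other value is kept as its raw string."""
    values = {}
    current_key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key").lower()
            continue
        m = VALUE_RE.match(line)
        if not m or current_key is None:
            continue
        raw = m.group("raw").strip()
        d = DWORD_RE.match(raw)
        if d:
            value = int(d.group("hex"), 16) if d.group("hex") else int(d.group("dec"))
        else:
            value = raw
        values[(current_key, m.group("name"))] = value
    return values

def triage(text):
    """Return human-readable findings: AV/FW header lines that ComboFix marks
    disabled, followed by every WEAK_SETTINGS entry present with its bad value."""
    findings = []
    for line in text.splitlines():
        m = STATUS_RE.match(line.strip())
        if m and "disabled" in m.group("status").lower():
            findings.append(f"{m.group('kind')} {m.group('product')}: {m.group('status')}")
    for (key, name), value in parse_loading_points(text).items():
        for suffix, want_name, bad_value, why in WEAK_SETTINGS:
            if name == want_name and key.endswith(suffix.lower()) and value == bad_value:
                findings.append(f"{name}={value}: {why}")
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

On the sample above this reports six findings: both Norton components disabled, both Security Center overrides set, and the XP firewall off with its notifications suppressed, which is the combination a helper reads as "the infection has silenced the machine's own warnings".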

  • Staff

Hi,

My apologies for the delay.

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.

  • Click Start Scanning.
  • You should get a notification bar (on top) to install the ActiveX control.
  • Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished scanning, click the Automatic cleaning (recommended) button
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and Copy/Paste what is present under results in your next reply.

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


Online Scanner - Scanning Report - Wednesday, August 4, 2010 12:46:25

Scanning Report

Wednesday, August 4, 2010 11:10:05 - 12:46:25

Computer name: VALUED-F8F8FE39

Scanning type: Scan system for malware, spyware and rootkits

Target: C:\

14 malware found

TrackingCookie.Questionmarket (spyware)

System (Disinfected)

TrackingCookie.Adinterax (spyware)

System (Disinfected)

TrackingCookie.Advertising (spyware)

System (Disinfected)

TrackingCookie.Atdmt (spyware)

System (Disinfected)

TrackingCookie.Doubleclick (spyware)

System (Disinfected)

TrackingCookie.Revsci (spyware)

System (Disinfected)

TrackingCookie.Adbrite (spyware)

System (Disinfected)

TrackingCookie.Xiti (spyware)

System (Disinfected)

TrackingCookie.Webtrends (spyware)

System (Disinfected)

TrackingCookie.Mediaplex (spyware)

System (Disinfected)

TrackingCookie.Statcounter (spyware)

System (Disinfected)

TrackingCookie.Atwola (spyware)

System (Disinfected)

TrackingCookie.Yieldmanager (spyware)

System (Disinfected)

Rootkit.Patched.TDSS.Gen (virus)

C:\QOOBOX\32788R22FWJFW\PCI.SYS (Disinfected & Submitted)

Statistics

Scanned:

Files: 75378

System: 3836

Not scanned: 20

Actions:

Disinfected: 14

Renamed: 0

Deleted: 0

Not cleaned: 0

Submitted: 1

Files not scanned:

C:\PAGEFILE.SYS

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

C:\WINDOWS\SYSTEM32\CONFIG\SAM

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY

C:\SYSTEM VOLUME INFORMATION\_RESTORE{C2D1A732-03C3-4D98-AD19-3E71270F55F1}\RP1032\A0071160.DLL

C:\SYSTEM VOLUME INFORMATION\_RESTORE{C2D1A732-03C3-4D98-AD19-3E71270F55F1}\RP1032\A0071159.EXE

C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\CMNCLNT\_LCK\_ISDATAPR_{E8EFD4CD-DE52-4444-9511-EFF3B158724B}0

C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\CMNCLNT\_LCK\_AVPAPP_{BB639333-810A-4BF8-85F5-C537857F55FC}0

C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\CMNCLNT\_LCK\_ISDATAPR_{FF9AC67A-E394-46AE-B150-B3365343F166}G

C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\CMNCLNT\_LCK\_NPC.TRAY.{1AFE47BB-FCF1-4096-9039-1FEBC9A0CCCF}0

C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\CMNCLNT\_LCK\_{4E9CB39A-5F78-4887-A3D6-2790DE9DDE11}0

C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\CMNCLNT\_LCK\_UI.HOST.{1AFE47BB-FCF1-4096-9039-1FEBC9A0CCCF}0

C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\CMNCLNT\_LCK\_{869594F6-6511-4780-AD37-49B479DA2A4F}0

C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\3AD391678A806EC4D691E83AAA393B6F_9043ADDE-F05D-4FA4-8148-8FFF3B8B97F6

C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\FC1E3851F429EA606D6FF1E01A5229F1_9043ADDE-F05D-4FA4-8148-8FFF3B8B97F6

C:\4F2370AD14148F8AF23D2FE8B06AF6EA\I386\MSXPSDRV.INF

C:\4F2370AD14148F8AF23D2FE8B06AF6EA\AMD64\MSXPSDRV.INF

C:\4F2370AD14148F8AF23D2FE8B06AF6EA\AMD64\MSXPSINC.PPD

Options

Scanning engines:

Scanning options:

Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR

Use advanced heuristics

Copyright


  • Staff

Hi,

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall.

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following programs (if present):

Java


Thanks for the help... did as you asked, and Norton ran shortly after and found Backdoor.Tidserv!inf. It says it blocked it. The next time I accessed the internet I had a pop-up from malwarebytes telling me it blocked my computer from accessing a malicious website. It only happened once today though.

Just a note... I have Firefox on my desktop just in case, but use Internet Explorer.


  • 4 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

