Followup on Malwarebytes forum response


MJN

My current situation is the computer (ASUS Eee PC Netbook) can only be started in safe mode, and that start-up method is requiring more and more tries each time to succeed. The computer is infected with the 'Think Point' virus. I followed the routine I was asked to and added a log file from an OTL scan. I have no internet access on the infected machine and I am no longer able to run Malwarebytes (I was running it from a memory stick). Any help will be appreciated.

See attached files.

OTL.Txt

DDS.txt

Attach___Ark.zip


Hi MJN and Welcome,

I want you to run two detection and removal programs. Download them to your USB stick and transfer them to the infected computer.

If they will not run, you can try renaming them to something innocuous like explorer.exe or iexplore.exe BEFORE transferring them to the infected PC.

Some background information on what we're planning to do first can be found HERE

Please read carefully and follow these steps.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
    TDSSKillerMal-1.png
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
    TDSSKillerSuspicious-1.png
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    TDSSKillerCompleted.png
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

==========

Some background information on what we're doing next can be found here:

http://secure-computer-solutions.com/blog/...ng_malware.html

Download Microsoft's Malicious Software Removal Tool (MSRT) to your desktop:

1. 32-bit operating system version download <=== Yours

2. 64-bit operating system version download

Rename it to iexplore.exe as you download it

Double-click iexplore.exe on your Desktop to run it

In the "Scan Type" window, select Full Scan

Perform a scan and then click Finish when the scan is done.

Retrieve the MSRT log as follows, and post it in your next reply:

1) Click on Start => Run

2) Type or copy/paste the following command into the Run line and press Enter

notepad c:\windows\debug\mrt.log

Note:

If you have trouble getting this to run as mrt.exe, then copy C:\windows\system32\mrt.exe from your clean computer and transfer it to the USB stick. Rename mrt.exe --> iexplore.exe and then transfer it to the infected computer's desktop. Double-click iexplore.exe on your desktop to launch the MSRT and paste back the scan log when it is done.


We're going to be following a slightly modified version of the Thinkpoint removal directions here:

http://www.bleepingcomputer.com/virus-remo...move-thinkpoint

Create the following items/files on your clean computer and transfer them to the infected PC's DESKTOP via USB:

1. Fix.reg

Open Notepad

Click Format and uncheck Word Wrap (disable it)

Copy/Paste the following text in the code box into Notepad

Set the "Save as Type" to "All Files", and then save this file to your Desktop as Fix.reg

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"

2. Rkill.com

http://download.bleepingcomputer.com/grinler/rkill.com

Rkill.com renamed to iexplore.exe:

http://download.bleepingcomputer.com/grinler/iExplore.exe

Transfer these files (fix.reg, rkill.com, iexplore.exe) to the infected PC's Desktop:

On the infected PC:

Open Task Manager (press CTRL+ALT+DEL simultaneously)

Click the Processes tab

Click on the "Image Name" column to arrange the processes alphabetically

Locate Hotfix in the process listing

Select Hotfix and click the "End Process" button

Confirm that you elect to terminate the Hotfix process when prompted.

Only if they are running, terminate these processes as well:

c:\windows\gdi32.exe

c:\windows\temp\inbupaeuq\pxsqpeotsbl.exe

Now, we have to restore your desktop by doing the following:

Click File -> New Task (Run) on the Task Manager Menu:

Type or Copy/Paste the following into the Open box, and then Click OK:

C:\Windows\explorer.exe

Double-click Fix.reg and respond Yes to the prompt to add the information into the registry.

Double-click Rkill.com to run it.

As an alternative, you can also opt to use the Rkill version that has been renamed iexplore.exe.

Essentially do whatever works!!

Do not reboot your computer after running rkill as the malware programs will start again.

Now scan with MBAM:

Launch MBAM, update it, perform a Quick Scan, and check all threats found to be removed.

Post back the MBAM log when you're done.

Disable the proxy settings in Internet Explorer:

1) Under

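The Fix.reg step above works because Windows reads a per-user Winlogon Shell value (HKCU) in preference to the machine-wide one (HKLM), and "Shell"=- in a .reg file deletes that per-user value. As an added example (not code from the original post), this Python script models both keys, applies the post's Fix.reg to a constructed infected export, and audits the result; the HKCU path used as the hijacked Shell data is an invented placeholder.

```python
import re
from typing import Dict, List

# Constructed sample of what exporting both Winlogon keys from the infected
# machine might look like. The HKCU "Shell" data is an invented placeholder path;
# the point is that any HKCU Shell value silently replaces the user's desktop shell.
INFECTED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\PLACEHOLDER\\hotfix.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"""

# The Fix.reg from the thread: "=-" deletes the HKCU value, HKLM is reset to Explorer.exe.
FIX_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"""

HKCU_WINLOGON = r"hkey_current_user\software\microsoft\windows nt\currentversion\winlogon"
HKLM_WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"

# key path (lower-cased) -> {value name: REG_SZ data}
Registry = Dict[str, Dict[str, str]]

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def apply_reg(registry: Registry, text: str) -> Registry:
    """Apply a .reg file to a dict model of the registry and return it.

    Only the syntax Fix.reg uses is handled: "Name"="string" sets a REG_SZ
    value and "Name"=- deletes it. Key names are case-insensitive, so they
    are lower-cased before use. Unhandled lines are ignored.
    """
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current_key = m.group(1).lower()
            registry.setdefault(current_key, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current_key is not None:
            name, data = m.group("name"), m.group("data")
            if data == "-":
                registry[current_key].pop(name, None)  # "=-" removes the value
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                # .reg files double every backslash inside string data; unescape it
                registry[current_key][name] = data[1:-1].replace("\\\\", "\\")
    return registry


def audit_shell(registry: Registry) -> List[str]:
    """Report Winlogon Shell hijacks.

    A clean XP system has no "Shell" value under the HKCU Winlogon key; if one
    exists it is used instead of the HKLM value for that user, which is how
    this rogue replaces explorer.exe with its own process at logon. The HKLM
    value itself should be exactly Explorer.exe.
    """
    findings = []
    hkcu_shell = registry.get(HKCU_WINLOGON, {}).get("Shell")
    if hkcu_shell is not None:
        findings.append(f"HKCU Shell override present: {hkcu_shell}")
    hklm_shell = registry.get(HKLM_WINLOGON, {}).get("Shell")
    if hklm_shell is None:
        findings.append("HKLM Shell value missing")
    elif hklm_shell.strip().lower() != "explorer.exe":
        findings.append(f"HKLM Shell is not Explorer.exe: {hklm_shell}")
    return findings


if __name__ == "__main__":
    reg = apply_reg({}, INFECTED_EXPORT)
    print("before Fix.reg:", audit_shell(reg))
    apply_reg(reg, FIX_REG)
    print("after Fix.reg: ", audit_shell(reg))
```
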

You're Welcome and Great job!

I'm glad that normal access to your computer has been restored!

Do you have internet access now or is that a remaining issue?

Download TFC to your desktop

http://oldtimer.geekstogo.com/TFC.exe

  • Close any open windows.
  • Double-click the TFC icon to run the program.
  • TFC will close all open programs itself in order to run.
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
  • Once it's finished it should automatically reboot your machine;
  • if it doesn't, manually reboot to ensure a complete clean.

It's normal after running TFC cleaner that the PC will be slower to boot the first time.

Reboot your PC.

Download this Antirootkit Program to a folder that you create such as C:\ARK.

Disable the active protection component of your antivirus and antispyware programs by following the directions that apply here:

http://www.bleepingcomputer.com/forums/topic114351.html

Next, please perform a rootkit scan:

  • Double-click the randomly named EXE located in the C:\ARK folder that you just downloaded to run the program.
  • When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
  • When the scan is done, save the scan log to the Windows clipboard.
  • Open Notepad or a similar text editor.
  • Paste the clipboard contents into a text file by clicking Edit | Paste or Ctrl+V.
  • Exit the program.
  • Save the scan log as ARKQ.txt and post it in your next reply. If the log is very long, attach it please.

Please run ComboFix by following the steps provided in exactly this sequence (if you don't have internet access, please download and transfer a renamed Combofix.exe via USB):

Here is a tutorial that describes how to download, install and run Combofix. Please thoroughly review it before proceeding:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Very Important! BEFORE downloading Combofix, temporarily disable your antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:

http://www.bleepingcomputer.com/forums/topic114351.html

Note: The above tutorial does not tell you to rename Combofix as I am about to instruct you to do in the following instructions, so make sure you complete the renaming step before launching Combofix.

If you have any other troubleshooting program on your desktop that I asked you to rename iexplore.exe, please remove that program before proceeding!!

Using ComboFix ->

Please download Combofix from one of these locations:

HERE or HERE

I want you to rename Combofix.exe as you download it to iexplore.exe

Notes:

  • It is very important that you save the newly renamed EXE file to your desktop.
  • You must rename Combofix.exe as you download it and not after it is on your computer.
    You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
    • Open Firefox
    • Click Tools -> Options -> Main
    • Under the Downloads section, check the button that says "Always ask me where to save files".
    • Click OK
    For Internet Explorer:
    • Choose to save, not open, the file
    • When prompted, save the file to your desktop and rename it iexplore.exe

Running Combofix

In the event you already have Combofix, please delete it as this is a new version.

  • Close any open browsers and programs.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • If you are running Windows XP, and Combofix asks to install the Recovery Console, please allow it to do so or it WILL NOT perform its normal malware removal capabilities. This is for your safety!!

1. To Launch Combofix

Click Start --> Run, and enter this command exactly as shown:

"%userprofile%\desktop\iexplore.exe" /killall

2. When finished, it will produce a logfile located at C:\ComboFix.txt

3. Post the contents of that log in your next reply.

Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to stall/hang.

Please post C:\ComboFix.txt in your next reply.


My internet service was okay, however... After I ran the TFC program and the 'Antirootkit' program as described (I disabled MSE and turned off the Windows firewall), I proceeded to run the Combofix program (renamed it to 'iexplore.exe') and it started to run, up to the point it tried to download/install the 'recovery console'. At that point an error message came up saying that I was not connected to the internet. But my connection appears as 'connected'! I tried to access iexplorer and was unable to. Now I cannot access the internet but I'm connected? I re-ran Malwarebytes and no infections were detected. I also happened to notice that in my startup two files were listed and checked that I was not familiar with; they were both C:\windows\gdi32.exe at two different locations, one @ HKLM\software\microsoft\windows\current version\run and the other @ HKCU\(same as the first). I unchecked them from the startup.

I did save the one log from the 'Antirootkit' program. see below

GMER 1.0.15.15530 - http://www.gmer.net

Rootkit quick scan 2010-11-16 18:47:52

Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 ST916031 rev.0002

Running: vc63ij4v.exe; Driver: C:\DOCUME~1\JAQUEL~1\LOCALS~1\Temp\pxtdypow.sys

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 wdf01000.sys (WDF Dynamic/Microsoft Corporation)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 wdf01000.sys (WDF Dynamic/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

Thanks again for the help.

I'll be awaiting your next instructions.


I also happened to notice that in my startup two files were listed and checked that I was not familiar with, they were both C:\windows\gdi32.exe at two different locations

Both those startups are infected items, as is the file they both reference. When you say "my startups", do you mean you opened MSConfig and saw them there, or did you see them in your start-up folder?

To regain internet access, the first thing to try is to reboot your computer. If you still do not have an Internet connection after rebooting then please perform the following steps:

1. Click on the Start button.

2. Click on the Settings menu option.

3. Click on the Control Panel option.

4. When the Control Panel opens, double-click on the Network Connections icon. If your Control Panel is set to Category View, then double-click on Network and Internet Connections and then click on Network Connections at the bottom.

5. You will now see a list of available network connections. Locate the connection for your Wireless or Lan adapter and right-click on it.

6. Select the Repair menu option.

7. Allow the repair process to complete and when it has finished, your Internet connection should be working again.

Alternatively, if your network icon also appears on the Windows task bar, then you can repair it by right-clicking on the icon and selecting Repair.

After this step, also repeat this procedure to disable the proxy settings in Internet Explorer:

1) Under


Please copy/paste all logs into your topic reply (unless I ask you to attach them).

I want you to try running combofix in safe mode.

Reboot your computer in Safe Mode by doing the following:

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.

1. Disable all anti-malware programs.

2. Double-click iexplore.exe on your desktop to launch Combofix (do not attempt Recovery Console installation if prompted)

3. When it is done scanning, please post the log that Combofix generates, C:\Combofix.txt

4. Re-enable your anti-malware programs.

If that does not work, then try this

First, re-establish your internet connection,

Then, reboot your computer in Safe Mode by doing the following:

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the option, to run Windows in Safe Mode with Networking, then press Enter.
  • Choose your usual account.

1. Disable all anti-malware programs.

2. Double-click iexplore.exe on your desktop to launch Combofix (do not attempt Recovery Console installation if prompted)

3. When it is done scanning, please post the log that Combofix generates, C:\Combofix.txt

4. Re-enable your anti-malware programs.


I re-booted in safe mode and ran the combofix as instructed. The scan log is listed below.

ComboFix 10-11-16.02 - Jaquelina 11/17/2010 15:32:56.1.2 - x86 MINIMAL

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.795 [GMT -5:00]

Running from: c:\documents and settings\Jaquelina\Desktop\ComboFix.exe

AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Jaquelina\Application Data\install

c:\documents and settings\Jaquelina\Local Settings\Application Data\{1EDA8181-E71B-4C88-8D90-5FFDA32E1B60}

c:\documents and settings\Jaquelina\Local Settings\Application Data\{1EDA8181-E71B-4C88-8D90-5FFDA32E1B60}\chrome.manifest

c:\documents and settings\Jaquelina\Local Settings\Application Data\{1EDA8181-E71B-4C88-8D90-5FFDA32E1B60}\chrome\content\_cfg.js

c:\documents and settings\Jaquelina\Local Settings\Application Data\{1EDA8181-E71B-4C88-8D90-5FFDA32E1B60}\chrome\content\overlay.xul

c:\documents and settings\Jaquelina\Local Settings\Application Data\{1EDA8181-E71B-4C88-8D90-5FFDA32E1B60}\install.rdf

c:\documents and settings\Jaquelina\Start Menu\Programs\System Tool

c:\documents and settings\Jaquelina\Start Menu\Programs\System Tool\System Tool 2011.lnk

c:\windows\system32\Thumbs.db

.

((((((((((((((((((((((((( Files Created from 2010-10-17 to 2010-11-17 )))))))))))))))))))))))))))))))

.

2010-11-17 06:50 . 2010-10-07 23:21 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{ABE54CAE-2469-48CD-847A-99F2D6F30775}\mpengine.dll

2010-11-16 23:11 . 2010-11-16 23:12 -------- d-----w- C:\ARK

2010-11-16 08:57 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-11-16 08:57 . 2010-11-16 08:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-11-16 08:57 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-11-15 07:09 . 2010-11-15 07:09 -------- d-----w- c:\windows\system32\MpEngineStore

2010-11-13 23:54 . 2010-11-13 23:55 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-11-13 23:54 . 2010-11-13 23:54 -------- d-----w- c:\windows\Sun

2010-11-12 10:55 . 2010-11-12 10:55 -------- d-----w- c:\documents and settings\Jaquelina\Application Data\SUPERAntiSpyware.com

2010-11-12 10:55 . 2010-11-12 10:55 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2010-11-12 07:47 . 2010-11-12 07:47 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2010-11-12 07:23 . 2010-11-12 07:23 0 ----a-w- c:\windows\Edutik.bin

2010-11-12 06:28 . 2010-11-16 09:11 -------- d-----w- c:\documents and settings\All Users\Application Data\oGeIg02041

2010-11-11 03:04 . 2010-11-11 03:04 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-10-19 20:51 . 2010-03-31 01:07 222080 ------w- c:\windows\system32\MpSigStub.exe

2010-10-13 02:14 . 2010-03-31 17:52 25992 ----a-w- c:\windows\system32\pgdfgsvc.exe

2010-10-07 23:21 . 2010-04-01 03:39 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2010-09-18 16:23 . 2009-05-20 19:07 974848 ----a-w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53 . 2009-05-20 19:07 974848 ----a-w- c:\windows\system32\mfc42.dll

2010-09-18 06:53 . 2009-05-20 19:07 954368 ----a-w- c:\windows\system32\mfc40.dll

2010-09-18 06:53 . 2009-05-20 19:07 953856 ----a-w- c:\windows\system32\mfc40u.dll

2010-09-10 05:58 . 2009-05-20 19:07 916480 ----a-w- c:\windows\system32\wininet.dll

2010-09-10 05:58 . 2009-05-20 19:07 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-09-10 05:58 . 2009-05-20 19:07 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-09-01 11:51 . 2009-05-20 19:06 285824 ----a-w- c:\windows\system32\atmfd.dll

2010-08-31 13:42 . 2009-05-20 19:07 1852800 ----a-w- c:\windows\system32\win32k.sys

2010-08-27 08:02 . 2009-05-20 19:07 119808 ----a-w- c:\windows\system32\t2embed.dll

2010-08-27 05:57 . 2009-05-20 19:07 99840 ----a-w- c:\windows\system32\srvsvc.dll

2010-08-26 13:39 . 2009-05-20 19:07 357248 ----a-w- c:\windows\system32\drivers\srv.sys

2010-08-26 12:52 . 2009-06-23 03:36 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2010-08-23 16:12 . 2009-05-20 19:07 617472 ----a-w- c:\windows\system32\comctl32.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayIconExtension1]

@="{fe25455d-b4c2-4e32-97d2-92632ec1c224}"

[HKEY_CLASSES_ROOT\CLSID\{fe25455d-b4c2-4e32-97d2-92632ec1c224}]

2009-11-07 05:07 297808 ----a-w- c:\windows\system32\mscoree.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayIconExtension2]

@="{1fae2d88-a78e-4f03-909f-be818a3c1ce6}"

[HKEY_CLASSES_ROOT\CLSID\{1fae2d88-a78e-4f03-909f-be818a3c1ce6}]

2009-11-07 05:07 297808 ----a-w- c:\windows\system32\mscoree.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-09-15 1094224]

"ASUS Screen Saver Protector"="c:\windows\AsScrPro.exe" [2009-07-08 3054136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoLogoff"= 01000000

"NoNetworkConnections"= 01000000

"NoSMHelp"= 01000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ SuperHybridEngine.lnk]

backup=c:\windows\pss\ SuperHybridEngine.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]

backup=c:\windows\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Jaquelina^Start Menu^Programs^Startup^OpenOffice.org 3.2.lnk]

backup=c:\windows\pss\OpenOffice.org 3.2.lnkStartup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2007-10-11 02:51 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]

2010-03-23 14:54 29520 ----a-w- c:\program files\AOL 9.5\aol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AsusACPIServer]

2009-04-17 02:46 630784 ----a-w- c:\program files\EeePC\ACPI\AsAcpiSvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AsusEPCMonitor]

2009-03-13 23:15 98304 ----a-w- c:\program files\EeePC\ACPI\AsEPCMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AsusTray]

2009-04-17 01:58 118784 ----a-w- c:\program files\EeePC\ACPI\AsTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eee Docking]

2009-06-08 14:15 397312 ----a-w- c:\program files\ASUS\Eee Docking\Eee Docking.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]

2010-02-10 13:19 41800 ----a-w- c:\program files\Common Files\aol\1270017813\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]

2007-12-19 15:08 159744 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]

2007-12-19 15:08 135168 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]

2008-04-14 12:00 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LiveUpdate]

2009-06-25 15:25 712704 ----a-w- c:\program files\ASUS\LiveUpdate\LiveUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxtorOneTouch]

2006-03-01 15:58 712704 ----a-w- c:\program files\Maxtor\OneTouch\Utils\OneTouch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]

2008-04-14 12:00 59392 ----a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mxomssmenu]

2005-10-17 20:24 81920 ----a-w- c:\program files\Maxtor\OneTouch Status\MaxMenuMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]

2007-12-19 15:07 131072 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]

2008-04-14 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]

2008-04-14 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]

2009-03-27 03:22 17567744 ----a-w- c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2010-01-11 19:21 246504 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynAsusAcpi]

2009-03-06 08:58 79144 ----a-w- c:\program files\Synaptics\SynTP\SynAsusAcpi.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]

2009-03-06 08:57 1434920 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=

"c:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=

"c:\\Program Files\\Common Files\\aol\\1270017813\\ee\\aolsoftware.exe"=

"c:\\Program Files\\AOL 9.5\\waol.exe"=

"c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=

"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=

"c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=

"c:\\WINDOWS\\system32\\mmc.exe"=

R3 uvclf;uvclf;c:\windows\system32\drivers\uvclf.sys [6/1/2009 2:26 AM 39040]

S0 xxjbepu;xxjbepu;c:\windows\system32\drivers\tkln.sys --> c:\windows\system32\drivers\tkln.sys [?]

S1 cufohxrz;cufohxrz;\??\c:\windows\system32\drivers\cufohxrz.sys --> c:\windows\system32\drivers\cufohxrz.sys [?]

S1 SASDIFSV;SASDIFSV;\??\f:\specialty programs\A-exe's\SUPERAntiSpyware\SASDIFSV.SYS --> f:\specialty programs\A-exe's\SUPERAntiSpyware\SASDIFSV.SYS [?]

S1 SASKUTIL;SASKUTIL;\??\f:\specialty programs\A-exe's\SUPERAntiSpyware\SASKUTIL.sys --> f:\specialty programs\A-exe's\SUPERAntiSpyware\SASKUTIL.sys [?]

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [6/22/2009 10:49 PM 1684736]

S3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [6/1/2009 2:26 AM 38912]

S3 SASENUM;SASENUM;\??\f:\specialty programs\A-exe's\SUPERAntiSpyware\SASENUM.SYS --> f:\specialty programs\A-exe's\SUPERAntiSpyware\SASENUM.SYS [?]

.

Contents of the 'Scheduled Tasks' folder

2010-09-17 c:\windows\Tasks\GlaryInitialize.job

- c:\program files\Glary Utilities\initialize.exe [2010-05-10 14:32]

2010-03-31 c:\windows\Tasks\SmartDefrag.job

- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2010-03-31 19:30]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000

.

- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-3.6 - c:\windows\gdi32.exe

MSConfigStartUp-SUPERAntiSpyware - f:\specialty programs\A-exe's\SUPERAntiSpyware\SUPERAntiSpyware.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-11-17 15:50

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1920)

c:\windows\system32\WININET.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll

c:\program files\ASUS\Eee Storage\XPClient.dll

c:\program files\ASUS\Eee Storage\LogicNP.EZShellExtensions.dll

c:\program files\ASUS\Eee Storage\EcaremeDLL.dll

c:\windows\assembly\GAC_MSIL\SqliteShared\1.0.3390.31024__0d0f4b69e50e559b\SqliteShared.dll

c:\windows\assembly\GAC_32\System.Data.SQLite\1.0.60.0__db937bc2d44ff139\System.Data.SQLite.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\btncopy.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Microsoft Security Essentials\MsMpEng.exe

.

**************************************************************************

.

Completion time: 2010-11-17 15:52:59 - machine was rebooted

ComboFix-quarantined-files.txt 2010-11-17 20:52

Pre-Run: 68,180,480,000 bytes free

Post-Run: 68,119,875,584 bytes free

- - End Of File - - 51FCE3FABB7F8F09F53B0E86611B8969


Now, we're going to run Combofix again using a script to delete additional infected items that the log revealed.

1. Open Notepad, and on the Notepad menu, choose "Format" and make sure that Word Wrap is UNchecked (disabled).

2. Copy/Paste the text in the code box below and save it to your desktop as CFScript.txt

3. Disable all anti-malware and antivirus active protection by referring to these directions HERE

4. Close all open windows and browsers.

KillAll::

Driver::
xxjbepu
cufohxrz

Rootkit::
c:\windows\system32\drivers\tkln.sys
c:\windows\system32\drivers\cufohxrz.sys

Folder::
c:\documents and settings\All Users\Application Data\oGeIg02041

File::
c:\windows\Edutik.bin

CFScriptB-4.gif

Referring to the picture above, drag CFScript.txt into the renamed ComboFix.exe (first try doing this in normal mode and if it doesn't work, do it in safe mode again).

This will cause ComboFix to run again.

Please post back the log (C:\Combofix.txt) that opens when it finishes.


I ran ComboFix with the script and below is the resulting log:

ComboFix 10-11-16.02 - Jaquelina 11/18/2010 1:48.2.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.357 [GMT -5:00]

Running from: c:\documents and settings\Jaquelina\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Jaquelina\Desktop\CFScript.txt

AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::

"c:\windows\Edutik.bin"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\oGeIg02041

c:\documents and settings\All Users\Application Data\oGeIg02041\oGeIg02041

c:\windows\Edutik.bin

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_cufohxrz

-------\Service_xxjbepu

((((((((((((((((((((((((( Files Created from 2010-10-18 to 2010-11-18 )))))))))))))))))))))))))))))))

.

2010-11-18 06:47 . 2010-11-10 04:33 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3D5921DE-4EF5-4D25-A78C-78B5598EA3FB}\mpengine.dll

2010-11-16 23:11 . 2010-11-16 23:12 -------- d-----w- C:\ARK

2010-11-16 08:57 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-11-16 08:57 . 2010-11-16 08:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-11-16 08:57 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-11-15 07:09 . 2010-11-15 07:09 -------- d-----w- c:\windows\system32\MpEngineStore

2010-11-13 23:54 . 2010-11-13 23:55 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-11-13 23:54 . 2010-11-13 23:54 -------- d-----w- c:\windows\Sun

2010-11-12 10:55 . 2010-11-12 10:55 -------- d-----w- c:\documents and settings\Jaquelina\Application Data\SUPERAntiSpyware.com

2010-11-12 10:55 . 2010-11-12 10:55 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2010-11-12 07:47 . 2010-11-12 07:47 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2010-11-11 03:04 . 2010-11-11 03:04 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-10-19 20:51 . 2010-03-31 01:07 222080 ------w- c:\windows\system32\MpSigStub.exe

2010-10-13 02:14 . 2010-03-31 17:52 25992 ----a-w- c:\windows\system32\pgdfgsvc.exe

2010-10-07 23:21 . 2010-04-01 03:39 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2010-09-18 16:23 . 2009-05-20 19:07 974848 ----a-w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53 . 2009-05-20 19:07 974848 ----a-w- c:\windows\system32\mfc42.dll

2010-09-18 06:53 . 2009-05-20 19:07 954368 ----a-w- c:\windows\system32\mfc40.dll

2010-09-18 06:53 . 2009-05-20 19:07 953856 ----a-w- c:\windows\system32\mfc40u.dll

2010-09-10 05:58 . 2009-05-20 19:07 916480 ----a-w- c:\windows\system32\wininet.dll

2010-09-10 05:58 . 2009-05-20 19:07 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-09-10 05:58 . 2009-05-20 19:07 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-09-01 11:51 . 2009-05-20 19:06 285824 ----a-w- c:\windows\system32\atmfd.dll

2010-08-31 13:42 . 2009-05-20 19:07 1852800 ----a-w- c:\windows\system32\win32k.sys

2010-08-27 08:02 . 2009-05-20 19:07 119808 ----a-w- c:\windows\system32\t2embed.dll

2010-08-27 05:57 . 2009-05-20 19:07 99840 ----a-w- c:\windows\system32\srvsvc.dll

2010-08-26 13:39 . 2009-05-20 19:07 357248 ----a-w- c:\windows\system32\drivers\srv.sys

2010-08-26 12:52 . 2009-06-23 03:36 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2010-08-23 16:12 . 2009-05-20 19:07 617472 ----a-w- c:\windows\system32\comctl32.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayIconExtension1]

@="{fe25455d-b4c2-4e32-97d2-92632ec1c224}"

[HKEY_CLASSES_ROOT\CLSID\{fe25455d-b4c2-4e32-97d2-92632ec1c224}]

2009-11-07 05:07 297808 ----a-w- c:\windows\system32\mscoree.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayIconExtension2]

@="{1fae2d88-a78e-4f03-909f-be818a3c1ce6}"

[HKEY_CLASSES_ROOT\CLSID\{1fae2d88-a78e-4f03-909f-be818a3c1ce6}]

2009-11-07 05:07 297808 ----a-w- c:\windows\system32\mscoree.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-09-15 1094224]

"ASUS Screen Saver Protector"="c:\windows\AsScrPro.exe" [2009-07-08 3054136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoLogoff"= 01000000

"NoNetworkConnections"= 01000000

"NoSMHelp"= 01000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ SuperHybridEngine.lnk]

backup=c:\windows\pss\ SuperHybridEngine.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]

backup=c:\windows\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Jaquelina^Start Menu^Programs^Startup^OpenOffice.org 3.2.lnk]

backup=c:\windows\pss\OpenOffice.org 3.2.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2007-10-11 02:51 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]

2010-03-23 14:54 29520 ----a-w- c:\program files\AOL 9.5\aol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AsusACPIServer]

2009-04-17 02:46 630784 ----a-w- c:\program files\EeePC\ACPI\AsAcpiSvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AsusEPCMonitor]

2009-03-13 23:15 98304 ----a-w- c:\program files\EeePC\ACPI\AsEPCMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AsusTray]

2009-04-17 01:58 118784 ----a-w- c:\program files\EeePC\ACPI\AsTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eee Docking]

2009-06-08 14:15 397312 ----a-w- c:\program files\ASUS\Eee Docking\Eee Docking.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]

2010-02-10 13:19 41800 ----a-w- c:\program files\Common Files\aol\1270017813\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]

2007-12-19 15:08 159744 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]

2007-12-19 15:08 135168 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]

2008-04-14 12:00 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LiveUpdate]

2009-06-25 15:25 712704 ----a-w- c:\program files\ASUS\LiveUpdate\LiveUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxtorOneTouch]

2006-03-01 15:58 712704 ----a-w- c:\program files\Maxtor\OneTouch\Utils\OneTouch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]

2008-04-14 12:00 59392 ----a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mxomssmenu]

2005-10-17 20:24 81920 ----a-w- c:\program files\Maxtor\OneTouch Status\MaxMenuMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]

2007-12-19 15:07 131072 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]

2008-04-14 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]

2008-04-14 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]

2009-03-27 03:22 17567744 ----a-w- c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2010-01-11 19:21 246504 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynAsusAcpi]

2009-03-06 08:58 79144 ----a-w- c:\program files\Synaptics\SynTP\SynAsusAcpi.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]

2009-03-06 08:57 1434920 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=

"c:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=

"c:\\Program Files\\Common Files\\aol\\1270017813\\ee\\aolsoftware.exe"=

"c:\\Program Files\\AOL 9.5\\waol.exe"=

"c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=

"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=

"c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=

"c:\\WINDOWS\\system32\\mmc.exe"=

R3 uvclf;uvclf;c:\windows\system32\drivers\uvclf.sys [6/1/2009 2:26 AM 39040]

S1 SASDIFSV;SASDIFSV;\??\f:\specialty programs\A-exe's\SUPERAntiSpyware\SASDIFSV.SYS --> f:\specialty programs\A-exe's\SUPERAntiSpyware\SASDIFSV.SYS [?]

S1 SASKUTIL;SASKUTIL;\??\f:\specialty programs\A-exe's\SUPERAntiSpyware\SASKUTIL.sys --> f:\specialty programs\A-exe's\SUPERAntiSpyware\SASKUTIL.sys [?]

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [6/22/2009 10:49 PM 1684736]

S3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [6/1/2009 2:26 AM 38912]

S3 SASENUM;SASENUM;\??\f:\specialty programs\A-exe's\SUPERAntiSpyware\SASENUM.SYS --> f:\specialty programs\A-exe's\SUPERAntiSpyware\SASENUM.SYS [?]

.

Contents of the 'Scheduled Tasks' folder

2010-09-17 c:\windows\Tasks\GlaryInitialize.job

- c:\program files\Glary Utilities\initialize.exe [2010-05-10 14:32]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-11-18 01:53

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1200)

c:\windows\system32\WININET.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll

c:\program files\ASUS\Eee Storage\XPClient.dll

c:\program files\ASUS\Eee Storage\LogicNP.EZShellExtensions.dll

c:\program files\ASUS\Eee Storage\EcaremeDLL.dll

c:\windows\assembly\GAC_MSIL\SqliteShared\1.0.3390.31024__0d0f4b69e50e559b\SqliteShared.dll

c:\windows\assembly\GAC_32\System.Data.SQLite\1.0.60.0__db937bc2d44ff139\System.Data.SQLite.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\btncopy.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Microsoft Security Essentials\MsMpEng.exe

.

**************************************************************************

.

Completion time: 2010-11-18 01:56:06 - machine was rebooted

ComboFix-quarantined-files.txt 2010-11-18 06:56

ComboFix2.txt 2010-11-17 20:53

Pre-Run: 67,939,901,440 bytes free

Post-Run: 68,025,307,136 bytes free

- - End Of File - - 38EF182150EDC2225BFD13DD565AEEB5

Link to post
Share on other sites

That looks good now!

Please perform a scan with the ESET online virus scanner.

You can expect some detections in ComboFix's quarantine (Qoobox) and system volume information. They will not represent active malware so don't worry:

http://www.eset.com/onlinescan/index.php

  • ESET recommends disabling your resident antivirus's auto-protection feature before beginning the scan to avoid conflicts and system hangs
  • You must use Internet Explorer to navigate to the scanner website because you have to approve the installation of an ActiveX add-on to conduct the scan.
  • Check the "Yes, I accept the terms of use" box.
  • Click "Start"
  • Approve the installation of the ActiveX control that's required to enable scanning
  • Make sure the box to "Remove found threats" is CHECKED!!
  • Click "Start"
  • Allow the definition data base to install
  • Click "Scan"

When the scan is done, please post the scan report in your next reply. It can be found in this location:

C:\Program Files\EsetOnlineScanner\log.txt

Note to Windows 7 and Vista users, and anyone with restrictive IE security settings:

Depending on your security settings, you may have to allow cookies and put the ESET website, www.eset.com, into the trusted zone of Internet Explorer if the scan has problems starting (in Vista this is a necessity as IE runs in Protected mode).

To do that, on the Internet Explorer menu click Tools => Internet Options => Security => Trusted Sites => Sites. Then UNcheck "Require server verification for all sites in this zone" checkbox at the bottom of the dialog. Add the above www.eset.com url to the list of trusted sites, by inserting it in the blank box and clicking the Add button, then click Close. For cookies, choose the IE Privacy tab and add the above eset.com url to the exceptions list for cookie blocking.

Link to post
Share on other sites

I cannot run the ESET scanner. I followed the last 'routine' you posted and after I checked the 'yes' box for the terms of agreement, nothing happened. I've checked my internet security settings: the ActiveX download is set to prompt, the run ActiveX is set to enable, and the ActiveX scripting is also set to enable. Is there something in services that I need to enable? I have not done much with the infected computer since your last post other than checking to see if I can access the internet; I opened IE8 and it connected me to my home page, Google.

Also, MSE was disabled as requested and I have rebooted the computer and tried a second time with the same results. I also tried in safe mode and was unable to connect.

I also tried adding the www.eset.com url to the list of trusted sites and added eset.com url to the exceptions list for cookie blocking and got the same results.

????

Link to post
Share on other sites

Well, your logs are clean now, but I generally follow that up with a full system online Antivirus scan for confirmation.

Let's see if this one works for you (using Internet Explorer):

Please run the F-Secure Online Scanner >Here< by checking the "I have read and accepted the license terms" checkbox and clicking the "Run Check" button.

When done click "Show report" and copy/paste its contents into your next reply.

Also, is SUPERAntiSpyware (SAS) still installed? You still have SAS drivers present.

Link to post
Share on other sites

I recently uninstalled SUPERAntiSpyware with 'RevoUninstall'. I guess not all the files are gone. Should I be concerned?

I did have a portable version of SUPERAntiSpyware on my USB stick that I was using on the infected computer. Might they be files from there?

Below is the report from the F-Secure Online scan.

Scanning Report

Saturday, November 20, 2010 05:06:30 - 05:14:58

Computer name: JAX

Scanning type: Quick scan

Target: System

--------------------------------------------------------------------------------

7 malware found

TrackingCookie.Questionmarket (spyware)

System (Disinfected)

TrackingCookie.Advertising (spyware)

System (Disinfected)

TrackingCookie.Atdmt (spyware)

System (Disinfected)

TrackingCookie.Doubleclick (spyware)

System (Disinfected)

TrackingCookie.Adbrite (spyware)

System (Disinfected)

TrackingCookie.Mediaplex (spyware)

System (Disinfected)

TrackingCookie.Atwola (spyware)

System (Disinfected)

--------------------------------------------------------------------------------

Statistics

Scanned:

Files: 2899

System: 2899

Not scanned: 0

Actions:

Disinfected: 7

Renamed: 0

Deleted: 0

Not cleaned: 0

Submitted: 0

Link to post
Share on other sites
