TeraBytes

Backdoor.Bot ==> taskbar and networking issues


Open Notepad and copy and paste the text in the code box below into it:

Driver::
agqCPQ

File::
C:\WINDOWS\system32\drivers\agqCPQ.sys

Save the file to your desktop and name it CFScript.txt

Then drag CFScript.txt onto ComboFix.exe as shown in the screenshot below.

[Screenshot: CFScriptB-4.gif, dragging CFScript.txt onto ComboFix.exe]

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.


ComboFix 11-01-28.03 - Waheb 01/29/2011 23:52:40.7.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1256.966.1033.18.1013.339 [GMT 3:00]

Running from: c:\documents and settings\Waheb\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Waheb\Desktop\CFScript.txt

AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::

"c:\windows\system32\drivers\agqCPQ.sys"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

Infected copy of c:\windows\system32\Drivers\atapi.sys was found and disinfected

Restored copy from - c:\windows\ERDNT\cache\atapi.sys

.

((((((((((((((((((((((((( Files Created from 2010-12-28 to 2011-01-29 )))))))))))))))))))))))))))))))

.

2011-01-27 17:55 . 2011-01-27 17:55 -------- d-----w- c:\documents and settings\Waheb\Application Data\Hoyle FaceCreator

2011-01-27 17:55 . 2011-01-27 17:55 -------- d-----w- c:\documents and settings\Waheb\Application Data\Hoyle

2011-01-27 17:54 . 2008-03-05 12:56 3786760 ----a-w- c:\windows\system32\D3DX9_37.dll

2011-01-27 11:50 . 2011-01-27 11:53 -------- d-----w- c:\program files\fsumfrontend-1.5.5.1-bin

2011-01-26 21:05 . 2011-01-26 21:05 -------- d-----w- c:\documents and settings\Waheb\Local Settings\Application Data\WinZip Courier

2011-01-26 20:26 . 2011-01-26 20:26 -------- d-----w- c:\windows\system32\NtmsData

2011-01-26 18:29 . 2010-12-20 15:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-01-26 18:29 . 2011-01-26 18:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-01-26 18:29 . 2010-12-20 15:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-01-25 17:18 . 2011-01-25 17:18 -------- d-----w- c:\program files\IObit

2011-01-25 17:18 . 2011-01-25 17:18 -------- d-----w- c:\documents and settings\Waheb\Application Data\IObit

2011-01-25 12:01 . 2011-01-25 12:01 -------- d-----w- c:\documents and settings\Administrator

2011-01-24 19:03 . 2011-01-24 19:03 -------- d-----w- c:\documents and settings\Waheb\Application Data\Avira

2011-01-24 18:56 . 2010-12-13 05:40 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-01-24 18:56 . 2010-12-13 05:40 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys

2011-01-24 18:56 . 2010-06-17 11:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2011-01-24 18:56 . 2010-06-17 11:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2011-01-24 18:56 . 2011-01-24 18:56 -------- d-----w- c:\program files\Avira

2011-01-24 18:56 . 2011-01-24 18:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2011-01-24 17:32 . 2011-01-24 17:34 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZipEC

2011-01-24 17:32 . 2011-01-24 17:32 -------- d-----w- c:\program files\WinZip Courier

2011-01-24 17:20 . 2011-01-24 17:22 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZipSE

2011-01-24 17:20 . 2011-01-24 17:20 -------- d-----w- c:\program files\WinZip Self-Extractor

2011-01-23 10:37 . 2011-01-23 10:37 -------- d-----w- c:\windows\lhsp

2011-01-23 10:36 . 2011-01-23 10:36 -------- d-----w- c:\windows\speech

2011-01-23 10:36 . 2011-01-23 10:36 -------- d-----w- c:\program files\QFIT

2011-01-23 08:29 . 2011-01-23 08:29 -------- d-----w- c:\documents and settings\Waheb\Application Data\TreeCardGames

2011-01-23 08:28 . 2011-01-23 08:29 -------- d-----w- c:\program files\Sudoku Up

2011-01-23 07:58 . 2011-01-27 07:31 -------- d-----w- c:\documents and settings\Waheb\Application Data\MahJong Suite

2011-01-23 07:57 . 2011-01-23 09:12 -------- d-----w- c:\program files\MahJong Suite

2011-01-23 07:51 . 2011-01-23 07:51 -------- d-----w- c:\documents and settings\Waheb\Local Settings\Application Data\WinZip

2011-01-23 06:48 . 2011-01-23 06:50 -------- d-----w- c:\documents and settings\Waheb\Application Data\avidemux

2011-01-23 06:48 . 2011-01-23 06:48 -------- d-----w- c:\program files\Avidemux 2.5

2011-01-23 05:07 . 2011-01-24 16:11 -------- d-----w- c:\program files\e-Sword

2011-01-23 05:07 . 2011-01-23 05:07 -------- d-----w- c:\program files\Common Files\EzTools

2011-01-23 05:07 . 2011-01-23 05:07 -------- d-----w- c:\documents and settings\Waheb\Local Settings\Application Data\Downloaded Installations

2011-01-19 17:31 . 2011-01-19 17:31 -------- d-----w- c:\documents and settings\Waheb\Application Data\Microsoft FxCop

2011-01-19 17:15 . 2011-01-19 17:15 -------- d-----w- c:\program files\Microsoft FxCop 1.36

2011-01-19 17:03 . 2011-01-19 17:03 -------- d-----w- c:\documents and settings\Waheb\Local Settings\Application Data\assembly

2011-01-19 17:03 . 2011-01-19 17:03 -------- d-----w- c:\documents and settings\Waheb\Local Settings\Application Data\Deployment

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-12-17 13:02 . 2010-12-17 13:02 100843 ----a-w- c:\windows\SVCFilterDesign Uninstaller.exe

2010-12-17 13:02 . 2010-12-17 13:02 141567 ----a-w- c:\windows\PIEL Uninstaller.exe

2010-12-17 13:01 . 2010-12-17 13:01 126948 ----a-w- c:\windows\MeterBasic Uninstaller.exe

2010-12-17 13:01 . 2010-12-17 13:01 173041 ----a-w- c:\windows\Helical Uninstaller.exe

2010-12-17 13:01 . 2010-12-17 13:01 219975 ----a-w- c:\windows\Diplexer Uninstaller.exe

2010-12-08 08:13 . 2010-12-08 06:55 2478272 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VisualStudio\10.0\1033\ResourceCache.dll

2010-12-08 06:56 . 2010-12-08 06:56 18368 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VSA\9.0\1033\ResourceCache.dll

2010-12-01 10:44 . 2010-12-01 10:44 100560 ----a-w- c:\windows\system32\drivers\VBoxNetAdp.sys

2010-12-01 10:44 . 2010-12-10 20:26 143248 ----a-w- c:\windows\system32\drivers\VBoxDrv.sys

2010-12-01 10:44 . 2010-12-10 20:26 41936 ----a-w- c:\windows\system32\drivers\VBoxUSBMon.sys

2010-12-01 10:44 . 2010-12-01 10:44 133648 ----a-w- c:\windows\system32\VBoxNetFltNotify.dll

2010-12-01 10:44 . 2010-12-01 10:44 111504 ----a-w- c:\windows\system32\drivers\VBoxNetFlt.sys

2010-11-29 13:25 . 2010-11-29 13:25 73728 ----a-w- c:\windows\system32\javacpl.cpl

2010-11-29 13:25 . 2010-10-23 16:25 472808 ----a-w- c:\windows\system32\deployJava1.dll

2010-11-26 20:30 . 2010-11-26 19:04 67 ----a-w- c:\documents and settings\Waheb\update.bat

2010-11-22 11:30 . 2010-10-23 16:09 31744 ----a-w- c:\windows\system32\maplec.dll

2010-11-22 11:30 . 2010-10-23 16:09 212992 ----a-w- c:\windows\system32\WMIMPLEX.dll

2010-11-22 11:30 . 2010-10-23 16:09 20480 ----a-w- c:\windows\system32\maplecompat.dll

2010-11-18 18:12 . 2010-05-16 21:59 81920 ----a-w- c:\windows\system32\isign32.dll

2010-11-11 10:48 . 2010-11-11 10:48 70768 ----a-w- c:\windows\system32\drivers\vmci.sys

2010-11-11 10:48 . 2010-11-11 10:48 854128 ----a-w- c:\windows\system32\drivers\vmx86.sys

2010-11-11 10:48 . 2010-12-10 23:07 334448 ----a-w- c:\windows\system32\vmnetdhcp.exe

2010-11-11 10:48 . 2010-12-10 23:07 404080 ----a-w- c:\windows\system32\vmnat.exe

2010-11-11 10:47 . 2010-12-10 23:07 760432 ----a-w- c:\windows\system32\vnetlib.dll

2010-11-11 10:47 . 2010-12-10 23:06 24688 ----a-w- c:\windows\system32\drivers\VMkbd.sys

2010-11-11 10:46 . 2010-11-11 10:46 51312 ----a-w- c:\windows\system32\vmnetbridge.dll

2010-11-11 10:46 . 2010-11-11 10:46 32752 ----a-w- c:\windows\system32\drivers\vmnetbridge.sys

2010-11-11 10:46 . 2010-12-10 23:07 26352 ----a-w- c:\windows\system32\drivers\vmnetuserif.sys

2010-11-11 09:31 . 2010-11-11 09:31 32368 ----a-w- c:\windows\system32\drivers\hcmon.sys

2010-11-11 09:04 . 2010-11-11 09:04 252528 ----a-w- c:\windows\system32\vmnc.dll

2010-11-11 07:04 . 2010-11-11 07:04 31280 ----a-w- c:\windows\system32\drivers\vmusb.sys

2010-11-11 07:04 . 2010-11-11 07:04 59952 ----a-w- c:\windows\system32\vnetinst.dll

2010-11-11 07:04 . 2010-11-11 07:04 18736 ----a-w- c:\windows\system32\drivers\vmnet.sys

2010-11-11 07:04 . 2010-11-11 07:04 16560 ----a-w- c:\windows\system32\drivers\vmnetadapter.sys

2010-11-09 14:52 . 2010-05-17 08:40 249856 ----a-w- c:\windows\system32\odbc32.dll

2010-11-07 17:17 . 2010-10-23 16:48 333840 ----a-w- c:\windows\system32\mltcpip32.mlp

2010-11-07 17:17 . 2010-10-23 16:48 93712 ----a-w- c:\windows\system32\mltcp32.mlp

2010-11-07 17:17 . 2010-10-23 16:48 88080 ----a-w- c:\windows\system32\mlshm32.mlp

2010-11-07 17:17 . 2010-10-23 16:48 167952 ----a-w- c:\windows\system32\mlmodule32.dll

2010-11-07 17:17 . 2010-10-23 16:48 79376 ----a-w- c:\windows\system32\mlmap32.mlp

2010-11-07 17:16 . 2010-10-23 16:48 369680 ----a-w- c:\windows\system32\ml32i3.dll

2010-11-07 17:16 . 2010-10-23 16:48 260112 ----a-w- c:\windows\system32\ml32i2.dll

2010-11-07 17:16 . 2010-10-23 16:48 253968 ----a-w- c:\windows\system32\ml32i1.dll

2010-11-06 00:26 . 2010-05-17 08:40 916480 ----a-w- c:\windows\system32\wininet.dll

2010-11-06 00:26 . 2010-05-17 08:40 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-11-06 00:26 . 2010-05-17 08:40 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2010-11-03 12:25 . 2010-05-17 08:40 385024 ----a-w- c:\windows\system32\html.iec

2010-11-02 15:17 . 2010-05-17 08:40 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys

2010-11-01 11:27 . 2010-11-01 11:27 217088 ----a-w- c:\windows\system32\DownloadXPro.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SRS Audio Sandbox"="c:\program files\SRS Labs\Audio Sandbox\SRSSSC.exe" [2010-01-07 3216664]

"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2010-10-17 404200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-11-16 141336]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-11-16 173592]

"Persistence"="c:\windows\system32\igfxpers.exe" [2009-11-16 141336]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-04 186904]

"RTHDCPL"="RTHDCPL.EXE" [2010-03-12 19521056]

"AzMixerSel"="c:\program files\Realtek\Audio\Drivers\AzMixerSel.exe" [2009-12-11 59936]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]

"LManager"="c:\program files\Launch Manager\LManager.exe" [2010-04-08 908368]

"PLFSetL"="c:\windows\PLFSetL.exe" [2010-02-12 99712]

"snp2uvc"="c:\windows\system32\csnp2uvc.dll" [2010-02-12 202112]

"snuvcdsm"="c:\windows\snuvcdsm.exe" [2010-02-12 30080]

"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2010-04-13 248440]

"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]

"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2010-04-12 180224]

"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-01-21 91520]

"snp325"="c:\windows\vsnp325.exe" [2007-05-10 835584]

"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]

"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-07-22 402432]

"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]

"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2010-10-29 611712]

"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2010-09-23 38840]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-09-22 640440]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-12-13 281768]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-12-20 443728]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-10-12 607584]

hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-4-6 147456]

hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672]

Hyperappel du Petit Larousse 2010.lnk - c:\program files\Larousse\Petit Larousse 2010\bin\Hyperappel.exe [2010-10-23 237568]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=

"c:\\Program Files\\Maple 13\\jre\\bin\\maple.exe"=

"c:\\Program Files\\eclipse\\eclipse.exe"=

"c:\\Program Files\\Maple 13\\jre\\bin\\java.exe"=

"c:\\Program Files\\Maxima-5.22.1\\bin\\xmaxima.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=

"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=

"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=

"c:\\Program Files\\Nokia\\Nokia Ovi Suite\\NokiaOviSuite.exe"=

"c:\\Program Files\\Maple 14\\jre\\bin\\maple.exe"=

"c:\\Program Files\\IBM\\SPSS\\Statistics\\19\\WinWrapIDE.exe"=

"c:\\Program Files\\IBM\\SPSS\\Statistics\\19\\stats.exe"=

"c:\\Program Files\\IBM\\SPSS\\Statistics\\19\\stats.com"=

"c:\\Program Files\\IBM\\SPSS\\Statistics\\19\\JRE\\bin\\javaw.exe"=

"c:\\WINDOWS\\system32\\hasplms.exe"=

"c:\\Program Files\\Wolfram Research\\Mathematica\\7.0\\Mathematica.exe"=

"c:\\Program Files\\Wolfram Research\\Mathematica\\7.0\\MathKernel.exe"=

"c:\\Program Files\\Wolfram Research\\Mathematica\\7.0\\math.exe"=

"c:\\Program Files\\Opera 11.00 beta\\opera.exe"=

"c:\\Program Files\\Le Petit Robert 2009 (3.2)\\RobertHA.exe"=

"c:\\Program Files\\Le Petit Robert 2009 (3.2)\\prnet.exe"=

"c:\\Program Files\\Wolfram Research\\Mathematica\\8.0\\Mathematica.exe"=

"c:\\Program Files\\Wolfram Research\\Mathematica\\8.0\\MathKernel.exe"=

"c:\\Program Files\\Wolfram Research\\Mathematica\\8.0\\math.exe"=

"c:\\Program Files\\VMware\\VMware Workstation\\vmware-authd.exe"=

"c:\\Program Files\\mIRC\\mirc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5353:TCP"= 5353:TCP:Adobe CSI CS4

"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server

"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server

"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server

"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundEchoRequest"= 1 (0x1)

R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [12/10/2010 23:26 143248]

R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [12/10/2010 23:26 41936]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [1/24/2011 21:56 135336]

R2 DsiWMIService;Dritek WMI Service;c:\program files\Launch Manager\dsiwmis.exe [5/17/2010 11:40 312400]

R2 hasplms;Sentinel HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [1/26/2011 21:29 363344]

R2 Updater Service;Updater Service;c:\program files\eMachines\eMachines Updater\UpdaterService.exe [5/17/2010 02:33 243232]

R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [11/11/2010 13:48 70768]

R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [11/11/2010 12:31 539248]

R3 L1c;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [5/17/2010 11:40 60456]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [1/26/2011 21:29 20952]

R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [12/1/2010 13:44 100560]

R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [12/1/2010 13:44 111504]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 13:16 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/23/2010 17:22 135664]

S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 05:46 288112]

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [5/17/2010 02:11 1691480]

S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [1/21/2010 17:51 30963576]

S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [11/13/2010 23:29 137344]

S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [11/13/2010 23:29 8320]

S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 20:37 4640000]

S3 SNP325;USB PC Camera (SNPSTD325);c:\windows\system32\drivers\snp325.sys [1/13/2009 03:00 451456]

S3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 13:37 517096]

S3 VSPerfDrv100;Performance Tools Driver 10.0;c:\program files\Microsoft Visual Studio 10.0\Team Tools\Performance Tools\VSPerfDrv100.sys [12/8/2009 21:24 48128]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 13:16 753504]

S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [7/23/2009 06:08 47128]

S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [3/30/2009 03:09 239336]

S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [3/30/2009 03:23 366936]

.

Contents of the 'Scheduled Tasks' folder

2011-01-14 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 1200 series5E771253C1676EBED677BF361FDFC537825E15B8287896517.job

- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-05 21:52]

2011-01-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-23 14:22]

2011-01-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-23 14:22]

2011-01-29 c:\windows\Tasks\Minitab Software Update Manager.job

- c:\program files\Common Files\Minitab Shared\Software Manager\SoftwareManager.exe [2010-03-25 06:45]

2011-01-14 c:\windows\Tasks\WebReg 20110114134107.job

- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqwrg.exe [2003-04-05 22:01]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0401&m=em350&r=0xph1010n125l0484wum5r46n2r739

IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html

IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105

IE: ????? ??? &???? Bluetooth... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

IE: ????? ??? Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL

FF - ProfilePath - c:\documents and settings\Waheb\Application Data\Mozilla\Firefox\Profiles\7rc0ftad.default\

FF - prefs.js: browser.startup.homepage - about:blank

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=937811&p=

FF - prefs.js: network.proxy.type - 0

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Adobe Contribute Toolbar: {01A8CA0A-4C96-465b-A49B-65C46FAD54F9} - c:\program files\Adobe\Adobe Contribute CS5\Plugins\FirefoxPlugin\{01A8CA0A-4C96-465b-A49B-65C46FAD54F9}

FF - Ext: Firefox Synchronisation Extension: {A27F3FEF-1113-4cfb-A032-8E12D7D8EE70} - c:\program files\Nokia\Nokia Ovi Suite\Connectors\Bookmarks Connector\FirefoxExtension

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-01-30 00:22

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3132)

c:\windows\system32\WININET.dll

c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf

c:\progra~1\MICROS~2\Office14\1033\GrooveIntlResource.dll

c:\windows\system32\btmmhook.dll

c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\msi.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\btncopy.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Avira\AntiVir Desktop\avshadow.exe

c:\program files\Sandboxie\SbieSvc.exe

c:\windows\system32\hasplms.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe

c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe

c:\windows\system32\vmnat.exe

c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe

c:\program files\VMware\VMware Workstation\vmware-authd.exe

c:\windows\system32\vmnetdhcp.exe

c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

c:\windows\system32\igfxsrvc.exe

c:\windows\RTHDCPL.EXE

c:\program files\Apoint2K\ApMsgFwd.exe

c:\program files\Apoint2K\Apntex.exe

c:\program files\Launch Manager\LMworker.exe

c:\windows\system32\wbem\unsecapp.exe

c:\windows\system32\msiexec.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2011-01-30 00:35:28 - machine was rebooted

ComboFix-quarantined-files.txt 2011-01-29 21:35

ComboFix2.txt 2011-01-29 19:36

ComboFix3.txt 2011-01-29 12:18

ComboFix4.txt 2011-01-26 22:49

ComboFix5.txt 2011-01-29 20:50

Pre-Run: 51,508,670,464 bytes free

Post-Run: 51,495,178,240 bytes free

- - End Of File - - DFE4CCCFD1545C63C2350BAA2838A6D5

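The ComboFix log above mixes several line formats. As an added example, not part of the thread and not ComboFix's own code, here is a small Python parser for two of them: the "Files Created" entries (created date, a dot, modified date, size or eight dashes for a directory, attribute flags, path) and the R/S service list (start type, service name, display name, image path, then date and size in brackets). It then runs two defender-side triage checks over constructed sample lines: driver files under system32\drivers that no listed service points at, and drivers whose created and modified timestamps coincide (written fresh on the machine rather than copied from an installer carrying an older build date). The sample entries are made up for the example; the agqCPQ.sys path is the one named in the thread, but the date and size given for it here are invented.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the two ComboFix line formats seen in the log above.
# All values are made up for this example; the agqCPQ.sys path is the driver
# named in the thread, but its date and size here are invented.
SAMPLE_LOG = """\
2011-01-26 18:29 . 2010-12-20 15:08 20952 ----a-w- c:\\windows\\system32\\drivers\\mbam.sys
2011-01-24 18:56 . 2010-12-13 05:40 61960 ----a-w- c:\\windows\\system32\\drivers\\avgntflt.sys
2011-01-22 03:11 . 2011-01-22 03:11 18944 ----a-w- c:\\windows\\system32\\drivers\\agqCPQ.sys
2011-01-26 18:29 . 2011-01-26 18:29 -------- d-----w- c:\\program files\\Malwarebytes' Anti-Malware
R1 VBoxDrv;VirtualBox Service;c:\\windows\\system32\\drivers\\VBoxDrv.sys [12/10/2010 23:26 143248]
R3 MBAMProtector;MBAMProtector;c:\\windows\\system32\\drivers\\mbam.sys [1/26/2011 21:29 20952]
R3 avgntflt;avgntflt;c:\\windows\\system32\\drivers\\avgntflt.sys [1/24/2011 21:56 61960]
"""

# "Files Created" line: created . modified size|-------- attrs path
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
# Service line: R1/R2/S3... name;display;image [date time size]
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.+?) \[(?P<info>[^\]]*)\]$"
)


@dataclass
class FileEntry:
    created: str
    modified: str
    size: Optional[int]  # None for directory entries ("--------")
    attrs: str
    path: str


@dataclass
class ServiceEntry:
    state: str    # R = running, S = stopped; digit = start type
    name: str
    display: str
    image: str
    info: str


def parse_combofix(text: str) -> Tuple[List[FileEntry], List[ServiceEntry]]:
    """Split ComboFix output into file entries and service entries; other lines are ignored."""
    files, services = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = FILE_RE.match(line)
        if m:
            size = None if m["size"].startswith("-") else int(m["size"])
            files.append(FileEntry(m["created"], m["modified"], size, m["attrs"], m["path"]))
            continue
        m = SERVICE_RE.match(line)
        if m:
            services.append(ServiceEntry(m["state"], m["name"], m["display"], m["image"], m["info"]))
    return files, services


def unregistered_drivers(files: List[FileEntry], services: List[ServiceEntry]) -> List[str]:
    """Driver binaries under system32\\drivers that no listed service image points at.
    A lead, not a verdict: ComboFix omits default/legitimate entries from its lists."""
    registered = {s.image.lower() for s in services}
    hits = []
    for f in files:
        if f.size is None:
            continue
        p = f.path.lower()
        if "\\system32\\drivers\\" in p and p.endswith(".sys") and p not in registered:
            hits.append(f.path)
    return hits


def same_timestamp_drivers(files: List[FileEntry]) -> List[str]:
    """Drivers whose created and modified times are identical, i.e. written fresh
    on this machine rather than copied from an installer with an older build date."""
    return [f.path for f in files
            if f.size is not None and f.path.lower().endswith(".sys") and f.created == f.modified]


if __name__ == "__main__":
    parsed_files, parsed_services = parse_combofix(SAMPLE_LOG)
    print("drivers with no listed service:", unregistered_drivers(parsed_files, parsed_services))
    print("drivers with created == modified:", same_timestamp_drivers(parsed_files))
```

Both checks flag only the constructed agqCPQ.sys entry here, which mirrors the real log above: that driver appears in the FILE:: target list but in none of the R/S service lines, while the Malwarebytes and Avira drivers each carry an older modified date than their created date, the normal signature of an installer dropping a pre-built binary.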

I still can't access Safe mode and agqCPQ.sys is still the last file in the scroll. (Which file is supposed to be last?)

Is it because ComboFix is recovering files from an SP2 Recovery Console (ERDNT) to an SP3 Windows OS?


SFC.exe finished the scan without detecting nor requesting anything.

I immediately went to Windows Update and it doesn't have any High Priority Updates.


I need the latest mini memory dump. Please go to:

c:\windows\minidump

and check the date of files. Please attach it in your next reply.


That's strange. Since there were several BSODs, there had to be a few mini memory dump files. Please go to Safe Mode and this time give me more information about the BSOD: what is the message after "Technical information:" and what is the file after "The problem seems to be caused by the following file:"?


It's really really fast ... it's like a flash !!!

Like I told you before the only thing I saw was "buffer".

That's it.


Right-click My Computer => Properties => Advanced tab => Settings, and uncheck Automatically restart. Click OK and reboot to Safe Mode.


When I deselected "Automatic restart", I got a dialogue box saying that I wouldn't be able to save something-something if the pagefile is less than 0 megabytes. I selected Yes and rebooted into Safe mode, and here's the BSoD I got:

A problem has been detected and Windows has been shut to prevent damage to your computer.

If this is the first you've seen this STOP error screen, restart your computer. If this screen appears again, follow these steps:

check to be sure that you have adequate disk space. If a driver is identified in the STOP message, disable the driver or check the manufacturer for driver updates. Try changing video adapters.

Check with your hardware vendor for any BIOS updates. Disable BIOS memory options such as caching or shadowing.

If you need to use Safe Mode to remove or disable components, restart your computer, press F8 to select Advanced Startup Options and then select Safe Mode.

Technical Information:

***STOP: 0x0000007E ( 0xC0000005 , 0xF9738211 , 0xF7C42720 , 0xF7C4241C )


Before I start executing those tedious instructions, are we sure that this is a corrupt driver problem and no longer a malware problem?

As I told you in previous posts, my hp 1200 series printer driver is misbehaving and I suspect it's the cause of this problem. So I'll reinstall it before I execute Microsoft's instructions.


I used CCleaner after infection and before posting my first message in this thread.

I think it deleted some important files from the registry ... :)

Indeed, files of the same type as agqCPQ.sys (system\drivers\****.sys) are displayed in the scanner window when AntiVir is "scanning the registry".

How can I repair the registry? Any programs you recommend?


There is no program for that, so it's important not to use programs like CCleaner.


What about doing a Windows Repair install?

Will that fix the registry?

And if it does, will it do anything to "third party drivers"?

Will I have to reinstall my programs?


Method 1: I have enough disk space (45 GB).

Method 2: Updated the BIOS.

Method 3: Reinstalled my VGA driver (VGA_Intel_6.14.10.5182_XPx86) and now I get a "Security Warning" about igfxtray.exe each time I restart the computer, giving me a choice between "Run" and "Cancel".

And I still can't get into Safe Mode, each time I try.


Should I take this someplace else now that it's not a malware problem?

Do you recommend any forums?


I want some additional scans before that.

Please do an online scan with Kaspersky WebScanner

  1. Read through the requirements and privacy statement and click on the Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure the following is checked:
     • Spyware, Adware, Dialers, and other potentially dangerous programs
     • Archives
     • Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.


Downloading "Database Update" as we speak...

However, I read somewhere that the files displayed in the boot scroll are actually the files that were successfully loaded.

The problem is therefore with the file that comes after agqCPQ.sys!

Do you have an idea about which file follows agqCPQ.sys?

This topic is now closed to further replies.
