
I have run Malwarebytes several times to no avail. It finds Hijack.ControlPanelStyle, PUM.Disabled.SecurityCenter, and PUM.Hijack.DisplayProperties. I remove them and it says to reboot, so I do so, and these same malware items return. I have also run Symantec Endpoint Protection scans and Combofix.exe to no avail. I am a System Engineer and would prefer not to have to rebuild my PC, since it takes so long with all the Admin Tools and such. Do you have any removal tools for this attack? Any assistance would be greatly appreciated. Here is my Malwarebytes log.

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6132

Windows 6.1.7601 Service Pack 1

Internet Explorer 8.0.7601.17514

3/22/2011 4:20:48 PM

mbam-log-2011-03-22 (16-20-39).txt

Scan type: Full scan (C:\|)

Objects scanned: 304839

Time elapsed: 1 hour(s), 56 minute(s), 48 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Value: ForceClassicControlPanel -> No action taken.

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

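The three detections in the log above are Potentially Unwanted Modifications: Explorer, System and Security Center registry values that malware can set but that Group Policy and administrators also set legitimately, which is one reason such values can reappear after a reboot. The following PowerShell script is an added example, not code from the thread or from Malwarebytes; it reads each flagged value from the HKCU, HKLM and HKU\.DEFAULT hives (the ComboFix log later in the thread shows policy values under all three) so an administrator can see where a value is set before deciding whether it is malicious. The registry paths come from the log; the function names are my own, and the script assumes PowerShell 3 or later run from an elevated session.

```powershell
# Added example: read-only audit of the three PUM registry values flagged in the Malwarebytes log.
# Nothing is modified; run in an elevated PowerShell (3.0+) session on the affected host.

# Each Malwarebytes detection name mapped to the registry value it refers to (paths from the log).
$PumChecks = @(
    @{ Name = 'Hijack.ControlPanelStyle';     Subkey = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Value = 'ForceClassicControlPanel'; Bad = 1 },
    @{ Name = 'PUM.Hijack.DisplayProperties'; Subkey = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';   Value = 'NoDispScrSavPage';         Bad = 1 },
    @{ Name = 'PUM.Disabled.SecurityCenter';  Subkey = 'Software\Microsoft\Security Center';                          Value = 'AntiVirusDisableNotify';   Bad = 1 }
)

# Hives to inspect. HKU\.DEFAULT is included because the ComboFix log in this thread
# shows Explorer policy values under HKEY_USERS\.default as well as under HKCU and HKLM.
$Hives = @(
    @{ Label = 'HKCU';         Root = 'Registry::HKEY_CURRENT_USER' },
    @{ Label = 'HKLM';         Root = 'Registry::HKEY_LOCAL_MACHINE' },
    @{ Label = 'HKU\.DEFAULT'; Root = 'Registry::HKEY_USERS\.DEFAULT' }
)

function Get-PumValueState {
    # Returns one object per (detection, hive) with the data currently stored, or $null if absent.
    [CmdletBinding()]
    param()

    foreach ($check in $PumChecks) {
        foreach ($hive in $Hives) {
            $path = "$($hive.Root)\$($check.Subkey)"
            $data = $null
            if (Test-Path -LiteralPath $path) {
                # The key may exist without this particular value, so suppress the "not found" error.
                $item = Get-ItemProperty -LiteralPath $path -Name $check.Value -ErrorAction SilentlyContinue
                if ($null -ne $item) { $data = $item.($check.Value) }
            }
            [pscustomobject]@{
                Detection   = $check.Name
                Hive        = $hive.Label
                Key         = $check.Subkey
                Value       = $check.Value
                Data        = $data
                Flagged     = ($null -ne $data -and [int]$data -eq $check.Bad)
                IsPolicyKey = ($check.Subkey -like '*\Policies\*')
            }
        }
    }
}

function Test-PolicyManaged {
    # Heuristic: a Policies\ value set in HKLM or HKU\.DEFAULT on a domain-joined host is
    # commonly applied by Group Policy and will be re-applied at the next policy refresh.
    # "True" here means "check the applied Group Policy first"; it does not prove legitimacy.
    param([Parameter(Mandatory)][object[]]$States)

    $domainJoined = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain
    foreach ($group in ($States | Group-Object -Property Detection)) {
        $flagged    = @($group.Group | Where-Object { $_.Flagged })
        $machineSet = @($flagged | Where-Object { $_.IsPolicyKey -and $_.Hive -ne 'HKCU' })
        [pscustomobject]@{
            Detection         = $group.Name
            SetInHives        = (($flagged | ForEach-Object { $_.Hive }) -join ', ')
            LikelyGroupPolicy = [bool]($domainJoined -and $machineSet.Count -gt 0)
        }
    }
}

$states = Get-PumValueState
$states | Format-Table Detection, Hive, Value, Data, Flagged -AutoSize
Test-PolicyManaged -States $states | Format-Table -AutoSize

# When LikelyGroupPolicy is True, compare against the applied-policy report before removing anything:
#   gpresult /h "$env:TEMP\gpresult.html"
```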


Please do not attach the scan results from ComboFix. Use copy/paste.

DO NOT use any TOOLS such as Combofix, or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

I suggest you do this:

XP Users

Double-click My Computer.

Click the Tools menu, and then click Folder Options.

Click the View tab.

Uncheck "Hide file extensions for known file types."

Under the "Hidden files" folder, select "Show hidden files and folders."

Uncheck "Hide protected operating system files."

Click Apply, and then click OK.

Vista Users

To enable the viewing of hidden and protected system files in Windows Vista please follow these steps:

Close all programs so that you are at your desktop.

Click on the Start button. This is the small round button with the Windows flag in the lower left corner.

Click on the Control Panel menu option.

When the control panel opens you can either be in Classic View or Control Panel Home view:

If you are in the Classic View do the following:

Double-click on the Folder Options icon.

Click on the View tab.

If you are in the Control Panel Home view do the following:

Click on the Appearance and Personalization link.

Click on Show Hidden Files or Folders.

Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.

Remove the checkmark from the checkbox labeled Hide extensions for known file types.

Remove the checkmark from the checkbox labeled Hide protected operating system files.

Please do not delete anything unless instructed to.

Next:

Please download ATF Cleaner by Atribune.

Download - ATF Cleaner


ComboFix 11-03-22.03 - jmontgomery 03/22/2011 16:53:31.1.4 - x86 NETWORK

Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.1910.1501 [GMT -4:00]

Running from: c:\installs\MalwareBytes\ComboFix.exe

AV: Symantec Endpoint Protection *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}

SP: Symantec Endpoint Protection *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\programdata\Microsoft\Network\Downloader\qmgr0.dat

c:\programdata\Microsoft\Network\Downloader\qmgr1.dat

c:\users\jmontgomery.JLE\g2mdlhlpx.exe

c:\users\jmontgomery.JLE\GoToAssistDownloadHelper.exe

c:\users\jmontgomery.JLE\ntuser.pol

.

----- BITS: Possible infected sites -----

.

hxxp://oma-casht4.coleman.com

.

((((((((((((((((((((((((( Files Created from 2011-02-22 to 2011-03-22 )))))))))))))))))))))))))))))))

.

.

2011-03-22 20:58 . 2011-03-22 20:58 -------- d-----w- c:\users\jmontgomery.JLE\AppData\Local\temp

2011-03-22 20:50 . 2011-03-22 20:51 -------- d-----w- C:\32788R22FWJFW

2011-03-22 17:19 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-03-22 17:19 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-03-18 14:51 . 2011-03-18 14:51 -------- d-----w- c:\users\jmontgomery.JLE\AppData\Roaming\Malwarebytes

2011-03-18 14:51 . 2011-03-18 14:51 -------- d-----w- c:\programdata\Malwarebytes

2011-03-18 14:51 . 2011-03-22 17:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-03-17 20:55 . 2011-03-17 20:55 -------- d-----w- c:\users\jmontgomery.JLE\AppData\Roaming\webex

2011-03-16 17:04 . 2011-03-16 17:04 -------- d-----w- c:\windows\Downloaded Installations

2011-03-15 21:38 . 2011-03-15 21:38 282624 ----a-w- c:\temp\MetaCommunications\Virtual Ticket Client\DLLs\8.0.2913\libcurlvc80.dll

2011-03-15 21:38 . 2011-03-15 21:38 262144 ----a-w- c:\temp\MetaCommunications\Virtual Ticket Client\DLLs\8.0.2913\ssleay32vc80.dll

2011-03-15 21:38 . 2011-03-15 21:38 1142784 ----a-w- c:\temp\MetaCommunications\Virtual Ticket Client\DLLs\8.0.2913\libeay32vc80.dll

2011-03-15 21:38 . 2011-03-15 21:38 402944 ----a-w- c:\temp\MetaCommunications\Virtual Ticket Client\DLLs\8.0.2913\SciLexer.dll

2011-03-15 21:38 . 2011-03-15 21:38 239224 ----a-w- c:\temp\MetaCommunications\Virtual Ticket Client\DLLs\8.0.2913\unicows.dll

2011-03-15 21:38 . 2011-03-15 21:38 719360 ----a-w- c:\temp\MetaCommunications\Virtual Ticket Client\DLLs\8.0.2913\DbgHelp.DLL

2011-03-15 14:51 . 2011-03-15 21:38 -------- d-----w- c:\users\jmontgomery.JLE\AppData\Local\MetaCommunications

2011-03-09 23:05 . 2011-02-19 06:30 805376 ----a-w- c:\windows\system32\FntCache.dll

2011-03-09 23:05 . 2011-02-19 06:30 1076736 ----a-w- c:\windows\system32\DWrite.dll

2011-03-09 23:05 . 2011-02-19 06:30 739840 ----a-w- c:\windows\system32\d2d1.dll

2011-03-09 23:03 . 2010-12-23 05:54 534528 ----a-w- c:\windows\system32\EncDec.dll

2011-03-09 23:03 . 2010-12-23 05:54 850944 ----a-w- c:\windows\system32\sbe.dll

2011-03-09 23:03 . 2010-12-23 05:54 642048 ----a-w- c:\windows\system32\CPFilters.dll

2011-03-09 23:03 . 2010-12-23 05:50 199680 ----a-w- c:\windows\system32\mpg2splt.ax

2011-03-09 22:29 . 2011-03-22 16:37 -------- d-----w- c:\program files\Microsoft ActiveSync

2011-03-09 15:34 . 2011-03-22 16:37 -------- d-----w- c:\program files\iTunes

2011-03-09 15:34 . 2011-03-09 15:34 -------- d-----w- c:\program files\iPod

2011-03-08 16:23 . 2011-03-22 17:18 -------- d-----w- C:\Installs

2011-03-06 05:42 . 2011-03-06 05:42 -------- d-----w- c:\users\jmontgomery.JLE\AppData\Roaming\Wireshark

2011-02-28 23:34 . 2011-02-28 23:34 -------- d-----w- c:\programdata\LogiShrd

2011-02-28 23:33 . 2011-02-28 23:33 -------- d-----w- c:\users\jmontgomery.JLE\AppData\Local\LogiShrd

2011-02-28 23:28 . 2011-02-28 23:28 -------- d-----w- c:\users\jmontgomery.JLE\AppData\Roaming\Leadertech

2011-02-28 23:28 . 2011-02-28 23:28 53248 ----a-r- c:\users\jmontgomery.JLE\AppData\Roaming\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe

2011-02-28 23:28 . 2011-03-22 16:43 -------- d-----w- c:\windows\system32\logishrd

2011-02-28 23:28 . 2011-02-28 23:28 -------- d-----w- c:\programdata\Logitech

2011-02-28 23:28 . 2011-02-28 23:28 -------- d-----w- c:\program files\Common Files\LWS

2011-02-28 23:27 . 2011-02-28 23:29 -------- d-----w- c:\program files\Logitech

2011-02-28 23:23 . 2011-03-22 16:37 -------- d-----w- c:\program files\Common Files\logishrd

2011-02-27 02:47 . 2010-09-23 05:21 39272 ----a-w- c:\windows\system32\drivers\fssfltr.sys

2011-02-27 02:42 . 2009-09-04 22:44 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll

2011-02-27 02:42 . 2009-09-04 22:44 515416 ----a-w- c:\windows\system32\XAudio2_5.dll

2011-02-27 02:42 . 2009-09-04 22:29 453456 ----a-w- c:\windows\system32\d3dx10_42.dll

2011-02-27 02:42 . 2006-11-29 18:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll

2011-02-27 02:25 . 2011-02-27 02:25 -------- d-----w- c:\users\jmontgomery.JLE\AppData\Local\Windows Live

2011-02-27 02:25 . 2011-02-27 02:25 -------- d-----w- c:\program files\Common Files\Windows Live

2011-02-27 02:16 . 2011-03-22 16:39 -------- d-----w- c:\windows\system32\SPReview

2011-02-26 20:07 . 2011-03-22 16:39 -------- d-----w- c:\windows\system32\EventProviders

2011-02-26 20:06 . 2011-02-26 20:06 -------- d-----w- c:\windows\system32\Wat

2011-02-26 20:00 . 2010-11-20 12:19 257024 ----a-w- c:\windows\system32\msv1_0.dll

2011-02-26 19:59 . 2010-11-20 12:20 4278272 ----a-w- c:\program files\DVD Maker\OmdProject.dll

2011-02-26 19:58 . 2010-11-20 12:08 12625408 ----a-w- c:\windows\system32\wmploc.DLL

2011-02-26 19:57 . 2010-11-20 12:21 697344 ----a-w- c:\windows\system32\SmiEngine.dll

2011-02-26 19:57 . 2010-11-20 12:21 189952 ----a-w- c:\windows\system32\wdscore.dll

2011-02-26 19:57 . 2010-11-20 12:17 209920 ----a-w- c:\windows\system32\PkgMgr.exe

2011-02-26 19:56 . 2010-11-20 12:18 323072 ----a-w- c:\windows\system32\drvstore.dll

2011-02-26 19:56 . 2010-11-20 12:18 257024 ----a-w- c:\windows\system32\dpx.dll

2011-02-24 18:30 . 2011-02-24 18:30 -------- d-----w- c:\users\jmontgomery.JLE\AppData\Local\DeskShare Data

2011-02-24 18:29 . 2011-03-22 16:37 -------- d-----w- c:\programdata\Deskshare

2011-02-24 18:29 . 2011-02-24 18:29 -------- d-----w- c:\users\jmontgomery.JLE\AppData\Local\Xenocode

2011-02-24 18:29 . 2011-02-24 18:29 -------- d-----w- c:\program files\Xenocode

2011-02-24 18:29 . 2011-02-24 18:29 -------- d-----w- c:\program files\Common Files\DeskShare Shared

2011-02-24 18:29 . 2011-02-24 18:29 -------- d-----w- c:\program files\Deskshare

2011-02-24 18:28 . 2008-12-14 01:01 77824 ----a-w- c:\windows\system32\xvid.ax

2011-02-24 18:28 . 2008-12-05 02:42 815104 ----a-w- c:\windows\system32\xvidcore.dll

2011-02-24 18:28 . 2011-03-22 16:37 -------- d-----w- c:\program files\Xvid

2011-02-24 18:28 . 2008-12-05 02:46 180224 ----a-w- c:\windows\system32\xvidvfw.dll

2011-02-23 23:37 . 2011-01-05 03:51 2330624 ----a-w- c:\windows\system32\win32k.sys

2011-02-23 23:37 . 2010-12-17 07:07 542208 ----a-w- c:\windows\system32\kerberos.dll

2011-02-23 23:36 . 2011-01-05 05:55 428032 ----a-w- c:\windows\system32\vbscript.dll

2011-02-23 23:36 . 2011-01-07 06:01 1638912 ----a-w- c:\windows\system32\mshtml.tlb

2011-02-23 23:34 . 2011-01-07 07:46 870912 ----a-w- c:\windows\system32\XpsPrint.dll

2011-02-23 23:34 . 2011-01-07 07:46 288256 ----a-w- c:\windows\system32\XpsGdiConverter.dll

2011-02-23 23:34 . 2011-01-07 07:45 34304 ----a-w- c:\windows\system32\atmlib.dll

2011-02-23 23:34 . 2011-01-07 05:43 294400 ----a-w- c:\windows\system32\atmfd.dll

2011-02-23 23:34 . 2010-09-30 06:47 70656 ----a-w- c:\windows\system32\fontsub.dll

2011-02-23 23:34 . 2011-01-17 05:47 161792 ----a-w- c:\windows\system32\d3d10_1.dll

2011-02-23 23:34 . 2010-11-20 12:18 219136 ----a-w- c:\windows\system32\d3d10_1core.dll

2011-02-23 23:32 . 2010-11-20 11:56 107520 ----a-w- c:\windows\system32\cdd.dll

2011-02-23 23:32 . 2011-02-03 05:54 219008 ----a-w- c:\windows\system32\drivers\dxgmms1.sys

2011-02-23 23:32 . 2010-11-20 12:29 728448 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-03-01 23:27 . 2010-11-09 15:49 45056 ----a-w- c:\windows\GETSIDSV.EXE

2011-02-27 02:22 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll

2011-02-27 02:22 . 2010-11-11 21:35 225280 ----a-w- c:\windows\system32\gpregistrybrowser.dll

2011-02-27 02:22 . 2010-11-11 21:35 4342784 ----a-w- c:\windows\system32\gppref.dll

2011-02-27 02:22 . 2010-11-11 21:35 627712 ----a-w- c:\windows\system32\gpprefbr.dll

2011-02-27 02:22 . 2010-11-11 21:35 2548736 ----a-w- c:\windows\system32\propshts.dll

2011-02-27 02:22 . 2010-11-11 21:35 166400 ----a-w- c:\windows\system32\gpprefcn.dll

2011-02-09 16:09 . 2011-02-09 16:09 181608 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10137.bin

2010-12-22 21:34 . 2010-12-22 21:35 104328 ----a-w- c:\windows\system32\atsckernel.exe

2010-12-22 21:34 . 2010-12-22 21:35 43912 ----a-w- c:\windows\system32\atashost.exe

2007-12-11 13:55 . 2010-11-09 15:03 3125248 ----a-w- c:\program files\Common Files\sapxlhelper.dll

2007-12-11 13:55 . 2010-11-09 15:03 192512 ----a-w- c:\program files\Common Files\sapconsr3.dll

2007-12-11 13:55 . 2010-11-09 15:03 626688 ----a-w- c:\program files\Common Files\sapconsaccess.dll

2007-12-11 13:55 . 2010-11-09 15:03 40960 ----a-w- c:\program files\Common Files\DigitalSignature.ocx

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]

"Cisco Unified Personal Communicator"="c:\progra~1\CISCOS~1\CISCOU~1\CUPCK9.exe" [2011-02-10 10571776]

"RESTART_STICKY_NOTES"="c:\windows\System32\StikyNot.exe" [2009-07-14 354304]

"attcm.exe"="c:\program files\AT&T\AT&T Communication Manager\attcm.exe" [bU]

"Logitech Vid"="c:\program files\Logitech\Vid HD\Vid.exe" [2010-10-29 5915480]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2010-07-22 495708]

"IMSS"="c:\program files\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe" [2010-07-09 112152]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-07-28 136216]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-07-28 171032]

"Persistence"="c:\windows\system32\igfxpers.exe" [2010-07-28 170520]

"Apoint"="c:\program files\DellTPad\Apoint.exe" [2010-06-04 292208]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-01-09 115560]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]

"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2010-01-07 140520]

"KeePass 2 PreLoad"="c:\program files\KeePass Password Safe 2\KeePass.exe" [2010-09-05 1655296]

"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2010-10-12 304568]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [bU]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]

"LWS"="c:\program files\Logitech\LWS\Webcam Software\LWS.exe" [2010-05-07 165208]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-12-14 47904]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]

"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"GrpConv"="grpconv -o" [X]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-12-20 443728]

.

c:\users\jmontgomery.JLE\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2010-12-11 576000]

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2010-1-8 828704]

Online plug-in.lnk - c:\windows\Installer\{0F1F7A90-E71B-4E45-A066-2891619F22E1}\pnaico.exe.20FBBF0A_A7E5_4BDE_9798_9811C3D135AC.exe [2010-11-19 77824]

VPN Client.lnk - c:\windows\Installer\{F3C1DE9E-5E16-4BA9-B854-7B53A45E3579}\Icon3E5562ED7.ico [2010-11-9 6144]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoMSAppLogo5ChannelNotify"= 1 (0x1)

"NoPublishingWizard"= 1 (0x1)

"NoWebServices"= 1 (0x1)

"NoWelcomeScreen"= 1 (0x1)

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"ForceStartMenuLogOff"= 1 (0x1)

"NoWelcomeScreen"= 1 (0x1)

.

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"ForceStartMenuLogOff"= 1 (0x1)

"NoActiveDesktopChanges"= 1 (0x1)

"ForceClassicControlPanel"= 1 (0x1)

"NoWelcomeScreen"= 1 (0x1)

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-678534749-3701800566-368163579-9197\Scripts\Logon\0\0]

"Script"=CreateIntranetLink.vbs

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-678534749-3701800566-368163579-9197\Scripts\Logon\1\0]

"Script"=\\jle\netlogon\softwareaudit.vbs

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-678534749-3701800566-368163579-9197\Scripts\Logon\2\0]

"Script"=\\jle\netlogon\LogConnection.vbs

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-678534749-3701800566-368163579-9197\Scripts\Logon\3\0]

"Script"=\\jle\netlogon\OrgLogon.vbs

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys [2010-04-16 65584]

R2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\aestsrv.exe [2009-03-03 81920]

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [2010-03-24 812448]

R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [2010-03-24 27040]

R2 IERA;Sierra Wireless Error Reporting Agent;c:\program files\Sierra Wireless Inc\IERA\IERA.exe [2010-09-09 153968]

R2 InstallFilterService;FF Install Filter Service;c:\program files\STMicroelectronics\AccelerometerP11\InstallFilterService.exe [2010-01-10 60928]

R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]

R2 UNS;Intel® Management & Security Application User Notification Service;c:\program files\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-07-09 2533400]

R2 WMCoreService;Mobile Broadband Service;c:\program files\Dell\Dell WWAN\WMCore\mini_WMCore.exe servicemode [x]

R3 btwampfl;Bluetooth AMP USB Filter;c:\windows\system32\drivers\btwampfl.sys [2010-01-11 274472]

R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2010-01-11 33320]

R3 cvusbdrv;Dell ControlVault;c:\windows\system32\Drivers\cvusbdrv.sys [2009-11-03 33832]

R3 EraserUtilDrvI10;EraserUtilDrvI10;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI10.sys [2011-03-09 102448]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-11-09 102448]

R3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2010-02-27 132480]

R3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-06-21 246272]

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-12-20 38224]

R3 swiwdmbus;Sierra Wireless USB Composite Bus;c:\windows\system32\DRIVERS\swiwdmbus.sys [2010-06-21 78720]

R3 SWNC8UA3;Sierra Wireless MUX NDIS Driver (UMTSA3);c:\windows\system32\DRIVERS\swnc8ua3.sys [2010-06-21 201088]

R3 SWUMXA3;Sierra Wireless USB MUX Driver (UMTSA3);c:\windows\system32\DRIVERS\swumxa3.sys [2010-06-21 156544]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-02-26 1343400]

S0 stdflt;Disk Filter Driver for Accelerometer;c:\windows\system32\DRIVERS\stdfltn.sys [2010-01-18 17072]

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]

S2 atashost;WebEx Service Host for Support Center;c:\windows\system32\atashost.exe [2010-12-22 43912]

S2 risdpcie;risdpcie;c:\windows\system32\DRIVERS\risdpe86.sys [2010-03-19 59904]

S3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\Accelern.sys [2010-01-18 42672]

S3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k6232.sys [2010-04-06 224424]

S3 NETw5s32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETw5s32.sys [2009-09-15 6114816]

S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.enquirer.com/

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

Trusted Zone: box.net

Trusted Zone: excite.com

Trusted Zone: excite.com\my

Trusted Zone: google.com\www

Trusted Zone: microsoft.com

Trusted Zone: shutterfly.com\jardenevents

Trusted Zone: thecuso.info

Trusted Zone: box.net

Trusted Zone: excite.com

Trusted Zone: excite.com\my

Trusted Zone: microsoft.com

Trusted Zone: thecuso.info

.

- - - - ORPHANS REMOVED - - - -

.

HKLM-RunOnce-<NO NAME> - (no file)

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Cryptography\RNG*]

"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,

bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2011-03-22 16:59:31

ComboFix-quarantined-files.txt 2011-03-22 20:59

ComboFix2.txt 2011-03-20 16:55

ComboFix3.txt 2011-03-19 18:22

ComboFix4.txt 2011-03-19 17:56

ComboFix5.txt 2011-03-22 20:51

.

Pre-Run: 123,562,348,544 bytes free

Post-Run: 123,698,728,960 bytes free

.

- - End Of File - - A658D73772C2800DA9DB062618DDEC00


That was before the select items for removal. I selected those (3) found items and removed. I disabled the system restore temporarily. Then I rebooted and hit F8 to go into safe-mode with networking. Lastly I ran Combofix. I am running MalwareBytes as we speak to see if they are finally gone or not. I don't have a lot of confidence because I have done this same routine several times now. Can you tell from the logs any more infections?


I am still running a full scan of MalwareBytes. When that completes I will let you know if there are any more infections. I also turned system restore back on. Do you recommend also running that ATFCleaner? I haven't heard of that one before. I have typically only used Malwarebytes, AdAware or spydoctor.


Yes, I suggest you run this as well.

I've been seeing some Java infections lately.

Go here and follow the instructions to clear your Java cache:

http://www.java.com/en/download/help/plugin_cache.xml

Next:

Note: Close all browsers before running ATF Cleaner: IE, FireFox, etc.

Please download ATF Cleaner by Atribune.

Download - ATF Cleaner


Got one vulnerability left:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6135

Windows 6.1.7601 Service Pack 1

Internet Explorer 8.0.7601.17514

3/22/2011 6:31:35 PM

mbam-log-2011-03-22 (18-31-35).txt

Scan type: Full scan (C:\|)

Objects scanned: 304095

Time elapsed: 1 hour(s), 21 minute(s), 10 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


http://www.eset.eu/online-scanner

Go here to run an online scanner from ESET.

Click the green ESET Online Scanner button.

Read the End User License Agreement and check the box: YES, I accept the Terms of Use.

Click on the Start button next to it.

You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then click Install ActiveX component.

A new window will appear asking "Do you want to install this software?".

Answer Yes to download and install the ActiveX controls that allow the scan to run.

Click Start.

Check Remove found threats and Scan potentially unwanted applications.

Click Scan to begin.

If offered the option to get information or buy software, just close the window.

Wait for the scan to finish.

Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt

Copy and paste that log as a reply to this topic.


I am going to try MalwareBytes one last time. ESET showed no infected files.

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.7600.16385 (win7_rtm.090713-1255)

# OnlineScanner.ocx=1.0.0.6425

# api_version=3.0.2

# EOSSerial=0d0d897711fdce459a62954bcde9ea25

# end=stopped

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-03-23 12:59:24

# local_time=2011-03-22 08:59:24 (-0500, Eastern Daylight Time)

# country="United States"

# lang=9

# osver=6.1.7601 NT Service Pack 1

# compatibility_mode=5893 16776638 100 94 0 52385940 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=27300

# found=0

# cleaned=0

# scan_time=815

esets_scanner_update returned -1 esets_gle=53251

# version=7

# iexplore.exe=8.00.7600.16385 (win7_rtm.090713-1255)

# OnlineScanner.ocx=1.0.0.6425

# api_version=3.0.2

# EOSSerial=0d0d897711fdce459a62954bcde9ea25

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-03-23 02:00:01

# local_time=2011-03-22 10:00:01 (-0500, Eastern Daylight Time)

# country="United States"

# lang=9

# osver=6.1.7601 NT Service Pack 1

# compatibility_mode=5893 16776638 100 94 0 52387116 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=111543

# found=0

# cleaned=0

# scan_time=3276


Good job!

The following will implement some cleanup procedures as well as reset System Restore points:

For XP:

  • Click START run
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the /, it needs to be there.

For Vista / Windows 7

  • Click START Search
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the /, it needs to be there.

If you used DeFogger

To re-enable your Emulation drivers, double click DeFogger to run the tool.

  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.

Here's my usual all clean post

To be on the safe side, I would also change all my passwords.

This infection appears to have been cleaned, but as the malware could be configured to run any program a remote attacker requires, it's impossible to be 100% sure that any machine is clean.

Log looks good :D

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab.
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
    5. Change the Download signed ActiveX controls to Prompt.
    6. Change the Download unsigned ActiveX controls to Disable.
    7. Change the Initialize and script ActiveX controls not marked as safe to Disable.
    8. Change the Installation of desktop items to Prompt.
    9. Change the Launching programs and files in an IFRAME to Prompt.
    10. Change the Navigate sub-frames across different domains to Prompt.
    11. When all these settings have been made, click on the OK button.
    12. If it prompts you as to whether or not you want to save the settings, press the Yes button.
    13. Next press the Apply button and then the OK to exit the Internet Properties page.
  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software, then it will not be able to catch any of the new variants that may come out.
  • Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.
  • WOT, Web of Trust - As 'Googling' is such an integral part of internet life, this free browser add-on warns you about risky websites that try to scam visitors, deliver malware or send spam. It is especially helpful when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites: Green to go, Yellow for caution, Red to stop. WOT has an add-on available for both Firefox and IE.
  • JAVA - Click this link and click on the Free JAVA Download.
  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Only run one Anti-Virus and Firewall program.

I would suggest you read:

PC Safety and Security--What Do I Need?

How to Prevent Malware:

The full version of Malwarebytes' Anti-Malware could have helped protect your computer against this threat.

We use different ways of protecting your computer(s):

  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention

Save yourself the hassle and get protected.

