I think I'm infected can you help me


Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7398

Windows 6.1.7600

Internet Explorer 8.0.7600.16385

8/6/2011 10:25:11 PM

mbam-log-2011-08-06 (22-25-11).txt

Scan type: Quick scan

Objects scanned: 216350

Time elapsed: 16 minute(s), 43 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\Users\baby\AppData\Local\Temp\12A7.tmp (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.

c:\Users\baby\AppData\Local\Temp\3D7.tmp (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.

.

DDS (Ver_2011-06-23.01) - NTFSx86

Internet Explorer: 8.0.7600.16385

Run by baby at 22:47:15 on 2011-08-06

Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2046.1197 [GMT -7:00]

.

AV: avast! antivirus *Enabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}

SP: avast! antivirus *Enabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\taskhost.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\svchost.exe -k apphost

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Windows\system32\inetsrv\inetinfo.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

C:\Windows\System32\msdtc.exe

c:\Program Files\Microsoft SQL Server\MSSQL.3\MSSQL\Binn\sqlservr.exe

C:\Program Files\OpenVPNTech\bin\instant-xmlserv.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\system32\svchost.exe -k iissvcs

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Windows\system32\sppsvc.exe

C:\Windows\System32\svchost.exe -k secsvcs

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\Windows\system32\conhost.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Windows\system32\svchost.exe -k SDRSVC

C:\Users\baby\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\baby\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\baby\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\baby\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\baby\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\baby\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Windows\system32\rundll32.exe

C:\Users\baby\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://search.babylon.com/home?AF=18826

uInternet Settings,ProxyOverride = 127.0.0.1;*.local

uURLSearchHooks: H - No File

BHO: 1 (0x1): {02478d38-c3f9-4efb-9b51-7695eca05670} - &Yahoo! Toolbar Helper

BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo layers\YontooIEClient.dll

uRun: [AdobeBridge]

uRun: [Google Update] "c:\users\baby\appdata\local\google\update\GoogleUpdate.exe" /c

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

Trusted Zone: pps.tv

Trusted Zone: ppstream.com

Trusted Zone: webscache.com

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 192.168.1.254 199.185.220.254

TCP: Interfaces\{644D5FD7-620D-4BC4-8B44-B42A7DC43ADE} : DhcpNameServer = 192.168.1.254 199.185.220.254

TCP: Interfaces\{644D5FD7-620D-4BC4-8B44-B42A7DC43ADE}\2456C6B696E6F5E4B2F5632353337303 : DhcpNameServer = 192.168.2.1 192.168.2.1

TCP: Interfaces\{644D5FD7-620D-4BC4-8B44-B42A7DC43ADE}\24F6F6B6D41627B6F575962756C6563737 : DhcpNameServer = 192.168.2.1 10.1.10.1

TCP: Interfaces\{644D5FD7-620D-4BC4-8B44-B42A7DC43ADE}\2656C6B696E6534376 : DhcpNameServer = 192.168.2.1 64.59.144.92 64.59.144.93 64.59.150.135

TCP: Interfaces\{644D5FD7-620D-4BC4-8B44-B42A7DC43ADE}\84F6573756F4666416964786 : DhcpNameServer = 192.168.1.1

TCP: Interfaces\{644D5FD7-620D-4BC4-8B44-B42A7DC43ADE}\B41647869656D286F6573756 : DhcpNameServer = 64.59.144.92 64.59.144.93 64.59.150.135

TCP: Interfaces\{B5FCDE45-2DAA-446F-B51D-A84E2C3B244A} : DhcpNameServer = 68.87.69.150 68.87.85.102

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL

Hosts: 62.212.84.38 tracker.empornium.us

Hosts: 62.212.84.38 download.empornium.us

Hosts: 62.212.84.235 www.empornium.us forums.empornium.us empornium.us

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\users\baby\appdata\roaming\mozilla\firefox\profiles\ok4we97h.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.babylon.com/web/{searchTerms}?babsrc=browsersearch&AF=18826

FF - prefs.js: browser.search.selectedEngine - Secure Search

FF - prefs.js: browser.startup.homepage - hxxp://search.babylon.com/home?AF=18826

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=

FF - component: c:\users\baby\appdata\roaming\mozilla\firefox\profiles\ok4we97h.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\components\RadioWMPCoreGecko19.dll

FF - component: c:\users\baby\appdata\roaming\mozilla\firefox\profiles\ok4we97h.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll

FF - component: c:\users\baby\appdata\roaming\mozilla\firefox\profiles\ok4we97h.default\extensions\ffxtlbr@babylon.com\components\FFHst.dll

FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL

FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL

FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll

FF - plugin: c:\program files\mozilla firefox\plugins\NPcol400.dll

FF - plugin: c:\program files\veetle\player\npvlc.dll

FF - plugin: c:\program files\veetle\plugins\npVeetle.dll

FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll

FF - plugin: c:\users\baby\appdata\local\google\update\1.3.21.57\npGoogleUpdate3.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com

FF - Ext: Babylon: ffxtlbr@babylon.com - %profile%\extensions\ffxtlbr@babylon.com

FF - Ext: uTorrentBar Community Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - %profile%\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}

.

============= SERVICES / DRIVERS ===============

.

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-8-6 136360]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-8-6 269480]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-8-6 66616]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-8-6 366640]

R2 OpenVPNTechOVPN_Instantiator;OpenVPNTech Instantiator Service AS;c:\program files\openvpntech\bin\instant-xmlserv.exe [2009-12-3 1012386]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-8-6 22712]

R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-8-28 3664384]

R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-6-10 139776]

R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [2010-11-4 27632]

R3 tapoas;TAP-Win32 Adapter OAS;c:\windows\system32\drivers\tapoas.sys [2009-11-19 25984]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 SQLAgent$DEV2008;SQL Server Agent (DEV2008);c:\dev2008\mssql10.dev2008\mssql\binn\SQLAGENT.EXE [2009-3-30 366936]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2011-5-2 14216]

S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2011-5-2 8456]

S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2010-11-4 13224]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-8-6 41272]

S3 MsDtsServer;SQL Server Integration Services;c:\program files\microsoft sql server\90\dts\binn\MsDtsSrvr.exe [2009-5-27 202584]

S3 MSSQL$DEV2005;SQL Server (DEV2005);c:\dev2008\mssql.1\mssql\binn\sqlservr.exe -sdev2005 --> c:\dev2008\mssql.1\mssql\binn\sqlservr.exe -sDEV2005 [?]

S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]

S3 PAC207;SoC PC-Camera;c:\windows\system32\drivers\PFC027.SYS [2006-12-5 507136]

S3 PSSDK42;PSSDK42;c:\windows\system32\drivers\pssdk42.sys [2010-10-23 38976]

S3 ReportServer$SSRS2005;SQL Server Reporting Services (SSRS2005);c:\dev2005\mssql.8\reporting services\reportserver\bin\ReportingServicesService.exe [2009-5-27 13672]

S3 RTL8187;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v2.sys [2007-12-26 288768]

S3 SYBBCK_BABYPC_BS;Sybase BCKServer _ BABYPC_BS;c:\sybase\ase-15_0\bin\bcksrvr.exe -sbabypc_bs -r --> c:\sybase\ase-15_0\bin\bcksrvr.exe -SBABYPC_BS -R [?]

S3 SYBBCK_SYBASE_BS;Sybase BCKServer _ SYBASE_BS;c:\sybase\ase-15_0\bin\bcksrvr.exe -ssybase_bs -r --> c:\sybase\ase-15_0\bin\bcksrvr.exe -SSYBASE_BS -R [?]

S3 SYBMON_BABYPC_MS;Sybase MONServer _ BABYPC_MS;c:\sybase\ase-15_0\bin\monsrvr.exe -mbabypc_ms -c --> c:\sybase\ase-15_0\bin\monsrvr.exe -MBABYPC_MS -C [?]

S3 SYBMON_SYBASE_MS;Sybase MONServer _ SYBASE_MS;c:\sybase\ase-15_0\bin\monsrvr.exe -msybase_ms -c --> c:\sybase\ase-15_0\bin\monsrvr.exe -MSYBASE_MS -C [?]

S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-2-24 1343400]

S4 KMService;KMService;c:\windows\system32\srvany.exe [2010-5-28 8192]

S4 LogWatch;Event Log Watch;c:\program files\ca\sharedcomponents\ca_lic\LogWatNT.exe [2008-5-20 75016]

S4 msftesql$DEV2005;SQL Server FullText Search (DEV2005);c:\dev2008\mssql.1\mssql\binn\msftesql.exe -s:mssql.1 -f:dev2005 --> c:\dev2008\mssql.1\mssql\binn\msftesql.exe -s:MSSQL.1 -f:DEV2005 [?]

S4 MSOLAP$DEV2008;SQL Server Analysis Services (DEV2008);c:\dev2008\msas10.dev2008\olap\bin\msmdsrv.exe [2009-3-30 21953896]

S4 MSSQL$DEV2008;SQL Server (DEV2008);c:\dev2008\mssql10.dev2008\mssql\binn\sqlservr.exe [2009-3-30 43010392]

S4 MSSQLFDLauncher$DEV2008;SQL Full-text Filter Daemon Launcher (DEV2008);c:\dev2008\mssql10.dev2008\mssql\binn\fdlauncher.exe [2008-7-10 31256]

S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2008-7-10 47128]

S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2007-2-22 2808664]

S4 ReportServer$DEV2008;SQL Server Reporting Services (DEV2008);c:\dev2008\msrs10.dev2008\reporting services\reportserver\bin\ReportingServicesService.exe [2009-3-30 1113448]

S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-3-30 239336]

S4 SQLAgent$DEV2005;SQL Server Agent (DEV2005);c:\dev2008\mssql.1\mssql\binn\sqlagent90.exe -i dev2005 --> c:\dev2008\mssql.1\mssql\binn\SQLAGENT90.EXE -i DEV2005 [?]

.

=============== Created Last 30 ================

.

2011-08-07 05:35:10 -------- d-----w- c:\users\baby\appdata\roaming\Avira

2011-08-07 05:32:26 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-08-07 05:32:24 -------- d-----w- c:\programdata\Avira

2011-08-07 05:32:24 -------- d-----w- c:\program files\Avira

2011-08-07 05:03:46 -------- d-----w- c:\users\baby\appdata\roaming\Malwarebytes

2011-08-07 05:02:46 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-08-07 05:02:45 -------- d-----w- c:\programdata\Malwarebytes

2011-08-07 05:02:41 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-07 05:02:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-08-05 05:34:51 388096 ----a-r- c:\users\baby\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe

2011-07-27 05:29:43 -------- d-----r- c:\program files\Skype

2011-07-25 03:48:04 -------- d-----w- C:\ppsvodcache

.

==================== Find3M ====================

.

2011-07-07 06:33:36 48 ----a-w- c:\windows\system32\msawt.dll

2011-05-10 15:06:08 4517664 ----a-w- c:\windows\system32\usbaaplrc.dll

2011-05-10 15:06:08 42496 ----a-w- c:\windows\system32\drivers\usbaapl.sys

.

============= FINISH: 22:50:16.04 ===============


  • Staff

Hi and welcome to Malwarebytes.

I'm afraid I have bad news.

Your logs reveal an information stealing trojan.

I would counsel you to disconnect this PC from the Internet immediately, and only reconnect to download any tools that are required. If you do any banking or other financial transactions on the PC, or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

You will need to change your passwords, and all other sensitive information, but only once your system is deemed clean.

With that said, please do the following.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317


  • Staff

Hi,

Grab a fresh copy of ComboFix, run it, and post its log.

Also update MBAM, run a Quick Scan, and post its log.

Ensure that everything is done in Normal Mode unless otherwise indicated.

Also please do not attach your logs. Paste them directly into your reply.

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


ComboFix 11-08-18.03 - baby 08/21/2011 22:00:46.2.2 - x86

Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2046.1222 [GMT -7:00]

Running from: c:\users\baby\Downloads\ComboFix.exe

AV: AntiVir Desktop *Enabled/Outdated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}

SP: AntiVir Desktop *Enabled/Outdated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}

SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

.

.

((((((((((((((((((((((((( Files Created from 2011-07-22 to 2011-08-22 )))))))))))))))))))))))))))))))

.

.

2011-08-22 05:16 . 2011-08-22 05:16 -------- d-----w- c:\users\jobagent\AppData\Local\temp

2011-08-22 05:16 . 2011-08-22 05:16 -------- d-----w- c:\users\Default\AppData\Local\temp

2011-08-22 05:16 . 2011-08-22 05:16 -------- d-----w- c:\users\Classic .NET AppPool\AppData\Local\temp

2011-08-14 19:11 . 2011-08-17 14:57 0 ----a-w- c:\users\baby\AppData\Local\Mrumudaxubigaxe.bin

2011-08-07 05:35 . 2011-08-07 05:35 -------- d-----w- c:\users\baby\AppData\Roaming\Avira

2011-08-07 05:32 . 2011-08-07 05:42 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-08-07 05:32 . 2011-08-07 05:42 138192 ----a-w- c:\windows\system32\drivers\avipbb.sys

2011-08-07 05:32 . 2011-08-07 05:32 -------- d-----w- c:\programdata\Avira

2011-08-07 05:32 . 2011-08-07 05:32 -------- d-----w- c:\program files\Avira

2011-08-07 05:03 . 2011-08-07 05:03 -------- d-----w- c:\users\baby\AppData\Roaming\Malwarebytes

2011-08-07 05:02 . 2011-07-07 02:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-08-07 05:02 . 2011-08-07 05:02 -------- d-----w- c:\programdata\Malwarebytes

2011-08-07 05:02 . 2011-07-07 02:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-07 05:02 . 2011-08-07 05:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-08-05 05:34 . 2011-08-05 05:34 388096 ----a-r- c:\users\baby\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2011-07-27 05:29 . 2011-07-27 05:29 -------- d-----r- c:\program files\Skype

2011-07-25 03:48 . 2011-07-25 03:48 -------- d-----w- C:\ppsvodcache

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-06-04 08:18 . 2011-06-04 08:18 5632 ----a-r- c:\users\baby\AppData\Roaming\Microsoft\Installer\{879F64A7-7EC6-4281-90DB-C720DE11D79C}\nunit_icon.exe

2011-04-14 21:01 . 2011-06-06 04:49 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-07 449584]

"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-07-07 1047656]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-21 281768]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

.

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^OfficeSAS.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\OfficeSAS.lnk

backup=c:\windows\pss\OfficeSAS.lnk.CommonStartup

backupExtension=.CommonStartup

.

[HKLM\~\startupfolder\C:^Users^baby^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Dropbox.lnk]

path=c:\users\baby\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk

backup=c:\windows\pss\Dropbox.lnk.Startup

backupExtension=.Startup

.

[HKLM\~\startupfolder\C:^Users^baby^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^PPS.lnk]

path=c:\users\baby\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PPS.lnk

backup=c:\windows\pss\PPS.lnk.Startup

backupExtension=.Startup

.

[HKLM\~\startupfolder\C:^Users^baby^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Trillian.lnk]

path=c:\users\baby\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Trillian.lnk

backup=c:\windows\pss\Trillian.lnk.Startup

backupExtension=.Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync]

2010-03-13 21:54 91520 ----a-w- c:\program files\Microsoft Office\Office14\BCSSync.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]

2010-04-01 09:16 357696 ----a-w- c:\program files\DAEMON Tools Lite\DTLite.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]

2010-06-03 00:50 1144104 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

2010-01-30 00:52 135664 ----atw- c:\users\baby\AppData\Local\Google\Update\GoogleUpdate.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2011-06-08 00:51 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Monitor]

2006-11-03 18:01 319488 ----a-w- c:\windows\PixArt\Pac207\Monitor.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

2009-10-03 18:40 13826664 ----a-w- c:\windows\System32\nvcpl.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PPS Accelerator]

2010-02-24 03:25 214408 ----a-w- c:\progra~1\PPStream\PPSAP.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2010-11-30 00:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]

2009-07-14 01:14 1173504 ----a-w- c:\program files\Windows Sidebar\sidebar.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

2011-06-15 22:02 15141768 ----a-r- c:\program files\Skype\Phone\Skype.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2010-01-11 23:21 246504 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2010-02-09 01:39 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]

2010-12-22 07:59 396152 ----a-w- c:\program files\uTorrent\uTorrent.exe

.

R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [x]

R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [x]

R1 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [x]

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 OpenVPNTechOVPN_Instantiator;OpenVPNTech Instantiator Service AS;c:\program files\OpenVPNTech\bin\instant-xmlserv.exe [2009-12-04 1012386]

R2 SQLAgent$DEV2008;SQL Server Agent (DEV2008);c:\dev2008\MSSQL10.DEV2008\MSSQL\Binn\SQLAGENT.EXE [2009-03-30 366936]

R3 dc3d;MS Hardware Device Detection Driver (HID);c:\windows\system32\DRIVERS\dc3d.sys [2010-04-17 22416]

R3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2011-03-24 14216]

R3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2011-03-24 8456]

R3 EverestDriver;Lavalys EVEREST Kernel Driver;c:\program files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt [x]

R3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\DRIVERS\ggflt.sys [2010-11-05 13224]

R3 MsDtsServer;SQL Server Integration Services;c:\program files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe [2009-05-27 202584]

R3 MSSQL$DEV2005;SQL Server (DEV2005);c:\dev2008\MSSQL.1\MSSQL\Binn\sqlservr.exe [2009-05-27 29262680]

R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]

R3 PAC207;SoC PC-Camera;c:\windows\system32\DRIVERS\PFC027.SYS [2006-12-05 507136]

R3 PSSDK42;PSSDK42;c:\windows\system32\Drivers\pssdk42.sys [2010-10-24 38976]

R3 ReportServer$SSRS2005;SQL Server Reporting Services (SSRS2005);c:\dev2005\MSSQL.8\Reporting Services\ReportServer\bin\ReportingServicesService.exe [2009-05-27 13672]

R3 RTL8187;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\DRIVERS\wg111v2.sys [2007-12-26 288768]

R3 SYBBCK_BABYPC_BS;Sybase BCKServer _ BABYPC_BS;c:\sybase\ASE-15_0\bin\bcksrvr.exe [x]

R3 SYBBCK_SYBASE_BS;Sybase BCKServer _ SYBASE_BS;c:\sybase\ASE-15_0\bin\bcksrvr.exe [x]

R3 SYBMON_BABYPC_MS;Sybase MONServer _ BABYPC_MS;c:\sybase\ASE-15_0\bin\monsrvr.exe [x]

R3 SYBMON_SYBASE_MS;Sybase MONServer _ SYBASE_MS;c:\sybase\ASE-15_0\bin\monsrvr.exe [x]

R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-02-25 1343400]

R4 KMService;KMService;c:\windows\system32\srvany.exe [2010-05-29 8192]

R4 LogWatch;Event Log Watch;c:\program files\CA\SharedComponents\CA_LIC\LogWatNT.exe [2008-05-21 75016]

R4 msftesql$DEV2005;SQL Server FullText Search (DEV2005);c:\dev2008\MSSQL.1\MSSQL\Binn\msftesql.exe [2007-06-22 95592]

R4 MSOLAP$DEV2008;SQL Server Analysis Services (DEV2008);c:\dev2008\MSAS10.DEV2008\OLAP\bin\msmdsrv.exe [2009-03-30 21953896]

R4 MSSQL$DEV2008;SQL Server (DEV2008);c:\dev2008\MSSQL10.DEV2008\MSSQL\Binn\sqlservr.exe [2009-03-30 43010392]

R4 MSSQLFDLauncher$DEV2008;SQL Full-text Filter Daemon Launcher (DEV2008);c:\dev2008\MSSQL10.DEV2008\MSSQL\Binn\fdlauncher.exe [2008-07-10 31256]

R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2008-07-10 47128]

R4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2007-02-23 2808664]

R4 ReportServer$DEV2008;SQL Server Reporting Services (DEV2008);c:\dev2008\MSRS10.DEV2008\Reporting Services\ReportServer\bin\ReportingServicesService.exe [2009-03-30 1113448]

R4 RsFx0103;RsFx0103 Driver;c:\windows\system32\DRIVERS\RsFx0103.sys [2009-03-30 239336]

R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-11-06 691696]

R4 SQLAgent$DEV2005;SQL Server Agent (DEV2005);c:\dev2008\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE [2008-11-25 346976]

S1 VBoxDrv;VirtualBox Service;c:\windows\system32\DRIVERS\VBoxDrv.sys [2010-12-01 143248]

S1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\DRIVERS\VBoxUSBMon.sys [2010-12-01 41936]

S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-04-21 136360]

S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-07-07 366640]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-07-07 22712]

S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2008-08-29 3664384]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]

S3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\DRIVERS\seehcri.sys [2010-11-05 27632]

S3 tapoas;TAP-Win32 Adapter OAS;c:\windows\system32\DRIVERS\tapoas.sys [2009-11-19 25984]

S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\DRIVERS\VBoxNetAdp.sys [2010-12-01 100560]

S3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys [2010-12-01 111504]

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

getPlusHelper REG_MULTI_SZ getPlusHelper

iissvcs REG_MULTI_SZ w3svc was

apphost REG_MULTI_SZ apphostsvc

.

Contents of the 'Scheduled Tasks' folder

.

2011-08-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3568164831-4236057464-2028866383-1000Core.job

- c:\users\baby\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-30 00:52]

.

2011-08-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3568164831-4236057464-2028866383-1000UA.job

- c:\users\baby\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-30 00:52]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://search.babylon.com/home?AF=18826

uInternet Settings,ProxyOverride = 127.0.0.1;*.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

Trusted Zone: pps.tv

Trusted Zone: ppstream.com

Trusted Zone: webscache.com

TCP: DhcpNameServer = 192.168.1.254 199.185.220.254

FF - ProfilePath - c:\users\baby\AppData\Roaming\Mozilla\Firefox\Profiles\ok4we97h.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.babylon.com/web/{searchTerms}?babsrc=browsersearch&AF=18826

FF - prefs.js: browser.search.selectedEngine - Secure Search

FF - prefs.js: browser.startup.homepage - hxxp://search.babylon.com/home?AF=18826

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com

FF - Ext: Babylon: ffxtlbr@babylon.com - %profile%\extensions\ffxtlbr@babylon.com

FF - Ext: uTorrentBar Community Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - %profile%\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}

.

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\msftesql$DEV2005]

"ImagePath"="c:\dev2008\MSSQL.1\MSSQL\Binn\msftesql.exe -s:MSSQL.1 -f:DEV2005"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EverestDriver]

"ImagePath"="\??\c:\program files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-3568164831-4236057464-2028866383-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{4D7782BF-3B64-20B7-8CA1-8F1858EBC93E}*]

@Allowed: (Read) (RestrictedCode)

"jagebfkgdghdddhhbalc"=hex:62,61,6b,63,00,00

"jagebfkgdghdddhhbapb"=hex:62,61,70,63,00,00

"iagdnhpkcgliodfklg"=hex:6b,61,68,63,66,6d,67,64,64,6f,70,6d,70,6e,6b,61,65,70,

67,61,62,68,00,02

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

"MSCurrentCountry"=dword:000000b5

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'Explorer.exe'(2288)

c:\windows\system32\nvshext.dll

.

Completion time: 2011-08-21 22:19:49

ComboFix-quarantined-files.txt 2011-08-22 05:19

ComboFix2.txt 2011-08-18 04:25

.

Pre-Run: 10,923,651,072 bytes free

Post-Run: 10,868,965,376 bytes free

.

- - End Of File - - 994B6145B90AA534B6C23F244EDEA3EC

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7532

Windows 6.1.7600

Internet Explorer 8.0.7600.16385

8/21/2011 10:27:28 PM

mbam-log-2011-08-21 (22-27-28).txt

Scan type: Quick scan

Objects scanned: 215288

Time elapsed: 7 minute(s), 28 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

I didn't have IE, but I downloaded IE9 and tried to start the ESET scanner. I get an error when I click Install on the following message: "This site wants to install the following add-on: 'onlinescanner.cab' from ESET spol s.r.o."


Results of screen317's Security Check version 0.99.18

Windows 7

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Avira AntiVir Personal - Free Antivirus

WMI entry may not exist for antivirus; attempting automatic update.

Avira successfully updated!

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

Java 6 Update 18

Out of date Java installed!

Flash Player Out of Date!

Adobe Flash Player 10.0.45.2

````````````````````````````````

Process Check:

objlist.exe by Laurent

Malwarebytes' Anti-Malware mbamservice.exe

Avira Antivir avgnt.exe

Avira Antivir avguard.exe

``````````End of Log````````````


  • Staff

Hi,

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following program(s) (if present):

ESET Online Scanner v3

Java™ 6 Update 18

Adobe Flash Player 10.0.45.2

Restart your computer.

Get the latest version of Java and Adobe Flash Player.

Let me know what issues remain.

-screen317


  • 3 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
