
Trojan.Fakealert, URL redirecting


gabi


Hi,

I've used a few different methods to try and get rid of it, but I have been unsuccessful. Originally, I went along and quarantined the items selected as threats but they included normal Windows applications (conhost.exe, csrss.exe) so I had to remove them from quarantine in order to be able to use my internet connection...so I'm a bit stuck.

DDS (Ver_2011-06-23.01) - NTFSx86

Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_21

Run by bookshop at 23:51:30 on 2011-08-09

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.647 [GMT -4:00]

.

AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\NavNT\defwatch.exe

C:\WINDOWS\system32\svchost.exe -k HPService

C:\WINDOWS\system32\ifxspmgt.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\IFXTCS.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\Program Files\NavNT\rtvscan.exe

C:\WINDOWS\system32\IfxPsdSv.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\WINDOWS\system32\MsgSys.EXE

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\system32\AccelerometerSt.exe

C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\NavNT\vptray.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

C:\Program Files\DivX\DivX Update\DivXUpdate.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Documents and Settings\bookshop\Application Data\Microsoft\conhost.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Hewlett-Packard\Embedded Security Software\PSDrt.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

.

============== Pseudo HJT Report ===============

.

uInternet Settings,ProxyServer = http=127.0.0.1:55030

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll

BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Easy Gif Animator Toolbar Helper: {96372ab6-15eb-4316-b497-71c741bc548c} - c:\program files\easy gif animator extension\v3.3.0.3\EasyGifAnimator_Toolbar.dll

BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Easy Gif Animator Toolbar: {35065594-9169-4a34-b167-fc4865038e53} - c:\program files\easy gif animator extension\v3.3.0.3\EasyGifAnimator_Toolbar.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [soundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray

mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun

mRun: [AccelerometerSysTrayApplet] c:\windows\system32\AccelerometerSt.exe

mRun: [PTHOSTTR] c:\program files\hewlett-packard\hp protecttools security manager\PTHOSTTR.EXE /Start

mRun: [iFXSPMGT] c:\windows\system32\ifxspmgt.exe /NotifyLogon

mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [vptray] c:\program files\navnt\vptray.exe

mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [b2C_AGENT] c:\documents and settings\all users\application data\lgmobileax\b2c_client\B2CNotiAgent.exe

mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [conhost] c:\documents and settings\bookshop\application data\microsoft\conhost.exe

StartupFolder: c:\docume~1\bookshop\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE

IE: Download Video on This Page - c:\program files\tomato\youtube video downloader\MDIEEx.dll/211

IE: Download Video This Links To - c:\program files\tomato\youtube video downloader\MDIEEx.dll/212

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: Send To &Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm

IE: {11F19C45-9675-488A-A8E0-8E8234DC245D} - res://c:\program files\tomato\youtube video downloader\MDIEEx.dll/211

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

TCP: DhcpNameServer = 205.152.111.23 205.152.144.23

TCP: Interfaces\{3701A950-0A46-4573-AC1E-13E89A53A7D5} : DhcpNameServer = 205.152.111.23 205.152.144.23

TCP: Interfaces\{E1F951B6-097A-418D-8D28-AF838624AFCC} : NameServer = 8.8.8.8,8.8.4.4

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Notify: AtiExtEvent - Ati2evxx.dll

Notify: igfxcui - igfxdev.dll

Notify: NavLogon - c:\windows\system32\NavLogon.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\bookshop\application data\mozilla\firefox\profiles\0lcn4rra.default\

FF - prefs.js: browser.startup.homepage - hxxps://www.volgistics.com/ex/portal.dll/?FROM=12259

FF - prefs.js: network.proxy.http - 127.0.0.1

FF - prefs.js: network.proxy.http_port - 55030

FF - prefs.js: network.proxy.type - 1

FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll

FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\microsoft silverlight\4.0.60129.0\npctrlui.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll

.

============= SERVICES / DRIVERS ===============

.

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-12-1 64288]

R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [2010-8-20 38816]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-9-23 2151640]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-4-9 366640]

R2 NAVAPEL;NAVAPEL;c:\program files\navnt\Navapel.sys [2001-10-29 9296]

R2 Norton AntiVirus Server;Norton AntiVirus Client;c:\program files\navnt\rtvscan.exe [2001-10-29 466944]

R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2010-8-20 97280]

R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2010-8-20 41216]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-4-9 22712]

R3 NAVAP;NAVAP;c:\program files\navnt\navap.sys [2001-10-29 178304]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20101013.002\NAVENG.sys [2010-11-12 86064]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20101013.002\NAVEX15.sys [2010-11-12 1371184]

S3 Andbus;LGE Android Platform Composite USB Device;c:\windows\system32\drivers\lgandbus.sys [2010-12-30 14336]

S3 AndDiag;LGE Android Platform USB Serial Port;c:\windows\system32\drivers\lganddiag.sys [2010-12-30 20736]

S3 AndGps;LGE Android Platform USB GPS NMEA Port;c:\windows\system32\drivers\lgandgps.sys [2010-12-30 20096]

S3 ANDModem;LGE Android Platform USB Modem;c:\windows\system32\drivers\lgandmodem.sys [2010-12-30 25088]

S3 androidusb;ADB Interface Driver;c:\windows\system32\drivers\lgandadb.sys [2010-12-30 25728]

S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-9-23 15232]

S3 swmx02;HP ev2200 USB MUX Driver (#02);c:\windows\system32\drivers\swmx02.sys [2010-8-20 57600]

S3 UsbGps;LGE CDMA USB GPS NMEA Port;c:\windows\system32\drivers\lgusbgps.sys [2010-12-30 20096]

.

=============== Created Last 30 ================

.

2011-08-10 03:28:22 388096 ----a-r- c:\documents and settings\bookshop\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe

2011-08-10 03:28:21 -------- d-----w- c:\program files\Trend Micro

2011-08-10 02:47:59 -------- d-----w- c:\windows\ERUNT

2011-08-10 02:42:15 -------- d-----w- C:\SDFix

2011-08-10 02:13:01 0 ---ha-w- C:\aaw7boot.cmd

2011-08-10 02:05:32 194048 ----a-w- c:\documents and settings\bookshop\application data\microsoft\conhost.exe

2011-08-09 23:56:45 169 ----a-w- c:\documents and settings\bookshop\application data\microsoft\gb_321028453.bat

2011-08-09 22:39:28 141 ----a-w- c:\documents and settings\bookshop\application data\microsoft\gb_316391078.bat

2011-08-09 22:39:15 169 ----a-w- c:\documents and settings\bookshop\application data\microsoft\gb_316378609.bat

2011-08-09 21:47:26 169 ----a-w- c:\documents and settings\bookshop\application data\microsoft\gb_313269593.bat

2011-08-09 20:04:18 169 ----a-w- c:\documents and settings\bookshop\application data\microsoft\gb_307080687.bat

2011-08-09 19:37:58 169 ----a-w- c:\documents and settings\bookshop\application data\microsoft\gb_305501562.bat

2011-08-08 17:23:18 169 ----a-w- c:\documents and settings\bookshop\application data\microsoft\gb_211021046.bat

2011-08-08 16:57:48 169 ----a-w- c:\documents and settings\bookshop\application data\microsoft\gb_209491171.bat

2011-08-04 19:13:03 199 ----a-w- c:\documents and settings\bookshop\application data\microsoft\gb_665792203.bat

2011-08-04 19:11:57 169 ----a-w- c:\documents and settings\bookshop\application data\microsoft\gb_665726265.bat

2011-08-04 18:46:00 169 ----a-w- c:\documents and settings\bookshop\application data\microsoft\gb_664169781.bat

2011-07-28 09:21:40 -------- d-----w- C:\sprite

2011-07-14 15:16:34 -------- d-----w- c:\program files\Microsoft Office Outlook Connector

2011-07-14 15:15:37 -------- d-----w- c:\program files\Microsoft

2011-07-14 15:13:33 141399376 ----a-w- c:\program files\common files\windows live\.cache\wlc1F0E.tmp

.

==================== Find3M ====================

.

2011-07-28 00:39:28 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2011-07-06 23:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-06 23:52:42 22712 -c--a-w- c:\windows\system32\drivers\mbam.sys

.

============= FINISH: 23:52:20.00 ===============


Hi, I have not been having trouble with redirects now (so far) but MBAM keeps popping up and quarantining new files in the temp folder that it deems malicious. Additionally, it still finds conhost.exe to be a malicious process and I'm unsure as to why.


  • Staff

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317


Here is what I got from MBAM:

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7430

Windows 5.1.2600 Service Pack 3

Internet Explorer 6.0.2900.5512

8/10/2011 7:31:22 PM

mbam-log-2011-08-10 (19-31-16).txt

Scan type: Quick scan

Objects scanned: 169205

Time elapsed: 10 minute(s), 22 second(s)

Memory Processes Infected: 1

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 2

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

c:\documents and settings\bookshop\application data\microsoft\conhost.exe (Trojan.FakeAlert) -> 2412 -> No action taken.

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost (Trojan.FakeAlert) -> Value: conhost -> No action taken.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> No action taken.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\documents and settings\bookshop\application data\microsoft\conhost.exe (Trojan.FakeAlert) -> No action taken.

After that, I ran ComboFix and my laptop crashed with a bluescreen. Shall I do another scan?

Here is an additional DDS log.

DDS (Ver_2011-06-23.01) - NTFSx86

Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_21

Run by bookshop at 19:59:22 on 2011-08-10

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1133 [GMT -4:00]

.

AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

svchost.exe

C:\Program Files\NavNT\defwatch.exe

C:\WINDOWS\system32\svchost.exe -k HPService

C:\WINDOWS\system32\ifxspmgt.exe

C:\WINDOWS\system32\IFXTCS.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\WINDOWS\system32\AccelerometerSt.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\NavNT\vptray.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

C:\Program Files\DivX\DivX Update\DivXUpdate.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Documents and Settings\bookshop\Application Data\Microsoft\conhost.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\Program Files\NavNT\rtvscan.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\WINDOWS\system32\IfxPsdSv.exe

C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Hewlett-Packard\Embedded Security Software\PSDrt.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\WINDOWS\system32\MsgSys.EXE

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\WINDOWS\system32\msiexec.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

.

============== Pseudo HJT Report ===============

.

uInternet Settings,ProxyServer = http=127.0.0.1:55030

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll

BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Easy Gif Animator Toolbar Helper: {96372ab6-15eb-4316-b497-71c741bc548c} - c:\program files\easy gif animator extension\v3.3.0.3\EasyGifAnimator_Toolbar.dll

BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Easy Gif Animator Toolbar: {35065594-9169-4a34-b167-fc4865038e53} - c:\program files\easy gif animator extension\v3.3.0.3\EasyGifAnimator_Toolbar.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [soundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray

mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun

mRun: [AccelerometerSysTrayApplet] c:\windows\system32\AccelerometerSt.exe

mRun: [PTHOSTTR] c:\program files\hewlett-packard\hp protecttools security manager\PTHOSTTR.EXE /Start

mRun: [iFXSPMGT] c:\windows\system32\ifxspmgt.exe /NotifyLogon

mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [vptray] c:\program files\navnt\vptray.exe

mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [b2C_AGENT] c:\documents and settings\all users\application data\lgmobileax\b2c_client\B2CNotiAgent.exe

mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [conhost] c:\documents and settings\bookshop\application data\microsoft\conhost.exe

StartupFolder: c:\docume~1\bookshop\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE

IE: Download Video on This Page - c:\program files\tomato\youtube video downloader\MDIEEx.dll/211

IE: Download Video This Links To - c:\program files\tomato\youtube video downloader\MDIEEx.dll/212

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: Send To &Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm

IE: {11F19C45-9675-488A-A8E0-8E8234DC245D} - res://c:\program files\tomato\youtube video downloader\MDIEEx.dll/211

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

TCP: DhcpNameServer = 205.152.111.23 205.152.144.23

TCP: Interfaces\{3701A950-0A46-4573-AC1E-13E89A53A7D5} : DhcpNameServer = 205.152.111.23 205.152.144.23

TCP: Interfaces\{E1F951B6-097A-418D-8D28-AF838624AFCC} : NameServer = 8.8.8.8,8.8.4.4

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Notify: AtiExtEvent - Ati2evxx.dll

Notify: igfxcui - igfxdev.dll

Notify: NavLogon - c:\windows\system32\NavLogon.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\bookshop\application data\mozilla\firefox\profiles\0lcn4rra.default\

FF - prefs.js: browser.startup.homepage - hxxps://www.volgistics.com/ex/portal.dll/?FROM=12259

FF - prefs.js: network.proxy.http - 127.0.0.1

FF - prefs.js: network.proxy.http_port - 55030

FF - prefs.js: network.proxy.type - 1

FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll

FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\microsoft silverlight\4.0.60129.0\npctrlui.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll

.

============= SERVICES / DRIVERS ===============

.

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-12-1 64288]

R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [2010-8-20 38816]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-4-9 366640]

R2 NAVAPEL;NAVAPEL;c:\program files\navnt\Navapel.sys [2001-10-29 9296]

R2 Norton AntiVirus Server;Norton AntiVirus Client;c:\program files\navnt\rtvscan.exe [2001-10-29 466944]

R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2010-8-20 97280]

R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2010-8-20 41216]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-4-9 22712]

R3 NAVAP;NAVAP;c:\program files\navnt\navap.sys [2001-10-29 178304]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20101013.002\NAVENG.sys [2010-11-12 86064]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20101013.002\NAVEX15.sys [2010-11-12 1371184]

S2 PEVSystemStart;PEVSystemStart;c:\combofix\pev.cfxxe [2011-6-26 256000]

S3 Andbus;LGE Android Platform Composite USB Device;c:\windows\system32\drivers\lgandbus.sys [2010-12-30 14336]

S3 AndDiag;LGE Android Platform USB Serial Port;c:\windows\system32\drivers\lganddiag.sys [2010-12-30 20736]

S3 AndGps;LGE Android Platform USB GPS NMEA Port;c:\windows\system32\drivers\lgandgps.sys [2010-12-30 20096]

S3 ANDModem;LGE Android Platform USB Modem;c:\windows\system32\drivers\lgandmodem.sys [2010-12-30 25088]

S3 androidusb;ADB Interface Driver;c:\windows\system32\drivers\lgandadb.sys [2010-12-30 25728]

S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-9-23 2151640]

S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-9-23 15232]

S3 swmx02;HP ev2200 USB MUX Driver (#02);c:\windows\system32\drivers\swmx02.sys [2010-8-20 57600]

S3 UsbGps;LGE CDMA USB GPS NMEA Port;c:\windows\system32\drivers\lgusbgps.sys [2010-12-30 20096]

.

=============== Created Last 30 ================

.

2011-08-10 23:41:55 -------- d-sha-r- C:\cmdcons

2011-08-10 23:40:02 98816 ----a-w- c:\windows\sed.exe

2011-08-10 23:40:02 518144 ----a-w- c:\windows\SWREG.exe

2011-08-10 23:40:02 256000 ----a-w- c:\windows\PEV.exe

2011-08-10 23:40:02 208896 ----a-w- c:\windows\MBR.exe

2011-08-10 23:39:45 -------- d-s---w- C:\ComboFix

2011-08-10 03:28:22 388096 ----a-r- c:\documents and settings\bookshop\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe

2011-08-10 03:28:21 -------- d-----w- c:\program files\Trend Micro

2011-08-10 02:47:59 -------- d-----w- c:\windows\ERUNT

2011-08-10 02:42:15 -------- d-----w- C:\SDFix

2011-08-10 02:13:01 0 ---ha-w- C:\aaw7boot.cmd

2011-08-10 02:05:32 194048 ----a-w- c:\documents and settings\bookshop\application data\microsoft\conhost.exe

2011-08-09 23:56:45 169 ----a-w- c:\documents and settings\bookshop\application data\microsoft\gb_321028453.bat

2011-08-09 22:39:28 141 ----a-w- c:\documents and settings\bookshop\application data\microsoft\gb_316391078.bat

2011-08-09 22:39:15 169 ----a-w- c:\documents and settings\bookshop\application data\microsoft\gb_316378609.bat

2011-08-09 21:47:26 169 ----a-w- c:\documents and settings\bookshop\application data\microsoft\gb_313269593.bat

2011-08-09 20:04:18 169 ----a-w- c:\documents and settings\bookshop\application data\microsoft\gb_307080687.bat

2011-08-09 19:37:58 169 ----a-w- c:\documents and settings\bookshop\application data\microsoft\gb_305501562.bat

2011-08-08 17:23:18 169 ----a-w- c:\documents and settings\bookshop\application data\microsoft\gb_211021046.bat

2011-08-08 16:57:48 169 ----a-w- c:\documents and settings\bookshop\application data\microsoft\gb_209491171.bat

2011-08-04 19:13:03 199 ----a-w- c:\documents and settings\bookshop\application data\microsoft\gb_665792203.bat

2011-08-04 19:11:57 169 ----a-w- c:\documents and settings\bookshop\application data\microsoft\gb_665726265.bat

2011-08-04 18:46:00 169 ----a-w- c:\documents and settings\bookshop\application data\microsoft\gb_664169781.bat

2011-07-28 09:21:40 -------- d-----w- C:\sprite

2011-07-14 15:16:34 -------- d-----w- c:\program files\Microsoft Office Outlook Connector

2011-07-14 15:15:37 -------- d-----w- c:\program files\Microsoft

2011-07-14 15:13:33 141399376 ----a-w- c:\program files\common files\windows live\.cache\wlc1F0E.tmp

.

==================== Find3M ====================

.

2011-07-28 00:39:28 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2011-07-06 23:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-06 23:52:42 22712 -c--a-w- c:\windows\system32\drivers\mbam.sys

.

============= FINISH: 20:00:11.46 ===============


  • Staff

The legitimate conhost.exe is here:

C:\windows\system32

The infected conhost is not.

Having the same name doesn't mean anything.

Please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317


I am currently using my phone to post because ComboFix removed conhost and I am now unable to use my internet connection via laptop. Firefox gives me this error: "the proxy server is refusing connections. Firefox is configured to use a proxy that is refusing connections."

I don't know what to do and I would post my log but I can't via computer. I could save the log to my SD card and attach it if you would like.
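The two things this thread turns on are visible in the DDS and MBAM logs above: an autostart entry (`mRun: [conhost]`) whose binary lives under the user's Application Data rather than in the Windows directory, and a proxy setting (`ProxyServer = http=127.0.0.1:55030`, mirrored in the Firefox `network.proxy.*` prefs) that points at a listener on the local machine. Once the binary behind that listener is removed, the browser is still configured to talk to it, which is exactly the "proxy server is refusing connections" error reported above. The following script is an added example, not code from DDS, Malwarebytes, or anyone in this thread; it reads the "Pseudo HJT" and FIREFOX sections of a DDS log and flags both patterns. The trusted-directory list assumes a stock Windows XP layout on C:, and the sample lines are constructed from the log excerpts in this thread.

```python
"""Triage the 'Pseudo HJT' and FIREFOX sections of a DDS log (added example).

Flags autostart entries loaded from outside the Windows / Program Files tree,
system-component names (conhost.exe etc.) running from a user profile, and
IE or Firefox proxy settings that point at loopback.
"""
import re
from dataclasses import dataclass

# Where an installed autostart binary is expected. Assumption: stock Windows XP
# layout on C:; add drives or localized folder names for other systems.
TRUSTED_PREFIXES = ("c:/windows/", "c:/program files/", "c:/progra~1/")

# Well-known Windows component names that malware borrows. Any of these loaded
# from a user profile is suspicious whatever the OS version.
SYSTEM_NAMES = {"conhost.exe", "csrss.exe", "svchost.exe", "lsass.exe", "winlogon.exe"}

RUN_RE = re.compile(r"^(?P<hive>[um])Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.+)$", re.I)
EXE_RE = re.compile(r'^"?(?P<path>[^"]+?\.exe)', re.I)
IE_PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?P<value>\S+)", re.I)
FF_PREF_RE = re.compile(r"^FF - prefs\.js:\s*(?P<key>network\.proxy\.\w+)\s*-\s*(?P<val>\S+)", re.I)


@dataclass
class Finding:
    kind: str
    detail: str


def normalize(path: str) -> str:
    """Lower-case and use forward slashes so prefix checks are case/slash-insensitive."""
    return path.strip().lower().replace("\\", "/")


def is_loopback(host: str) -> bool:
    host = host.strip("[]").lower()
    return host == "localhost" or host == "::1" or host.startswith("127.")


def proxy_host(value: str) -> str:
    """IE stores 'host:port' or 'scheme=host:port;scheme=host:port'; return the first host."""
    first = value.split(";")[0]
    hostport = first.split("=")[-1]
    return hostport.rsplit(":", 1)[0]


def triage(lines):
    findings = []
    ff = {}
    for raw in lines:
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            exe = EXE_RE.match(m.group("cmd"))
            if not exe:
                continue
            path = normalize(exe.group("path"))
            name = path.rsplit("/", 1)[-1]
            hive = "HKCU" if m.group("hive").lower() == "u" else "HKLM"
            if not path.startswith(TRUSTED_PREFIXES):
                kind = ("system-name-outside-windows" if name in SYSTEM_NAMES
                        else "autostart-from-unexpected-location")
                findings.append(Finding(kind, f"{hive}\\...\\Run\\{m.group('name')} -> {path}"))
            continue
        m = IE_PROXY_RE.search(line)
        if m and is_loopback(proxy_host(m.group("value"))):
            findings.append(Finding("ie-loopback-proxy", m.group("value")))
            continue
        m = FF_PREF_RE.match(line)
        if m:
            ff[m.group("key").lower()] = m.group("val")
    # network.proxy.type 1 = manual proxy; only then do the host/port prefs matter.
    if ff.get("network.proxy.type") == "1" and is_loopback(ff.get("network.proxy.http", "")):
        port = ff.get("network.proxy.http_port", "?")
        findings.append(Finding("firefox-loopback-proxy", f"{ff['network.proxy.http']}:{port}"))
    return findings


# Constructed sample: lines taken from the DDS log excerpts in this thread.
SAMPLE_LOG = [
    r"uInternet Settings,ProxyServer = http=127.0.0.1:55030",
    r"uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe",
    r"mRun: [b2C_AGENT] c:\documents and settings\all users\application data\lgmobileax\b2c_client\B2CNotiAgent.exe",
    r'mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"',
    r"mRun: [conhost] c:\documents and settings\bookshop\application data\microsoft\conhost.exe",
    r"FF - prefs.js: network.proxy.http - 127.0.0.1",
    r"FF - prefs.js: network.proxy.http_port - 55030",
    r"FF - prefs.js: network.proxy.type - 1",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.detail}")
```

Two of the four findings are the ones that matter here: the `conhost.exe` entry is a system-component name loaded from Application Data, and both the IE `ProxyServer` value and the Firefox manual-proxy prefs point at `127.0.0.1:55030`. The location heuristic is deliberately broad, so the LG `B2CNotiAgent.exe` entry under All Users\Application Data is also listed; entries flagged only by location need a manual look before anything is removed. The proxy findings are the part to act on once the malicious binary is gone: as long as `ProxyServer` and `network.proxy.type` still name a loopback listener that no longer exists, every browser request will fail with the "refusing connections" error quoted above.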


Never mind, I can copy + paste.

ComboFix 11-08-10.03 - bookshop 08/10/2011 20:15:15.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1304 [GMT -4:00]

Running from: c:\documents and settings\bookshop\My Documents\Downloads\ComboFix.exe

AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\bookshop\Application Data\Microsoft\conhost.exe

.

.

((((((((((((((((((((((((( Files Created from 2011-07-11 to 2011-08-11 )))))))))))))))))))))))))))))))

.

.

2011-08-10 03:28 . 2011-08-10 03:28 388096 ----a-r- c:\documents and settings\bookshop\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2011-08-10 03:28 . 2011-08-10 03:28 -------- d-----w- c:\program files\Trend Micro

2011-08-10 02:47 . 2011-08-10 02:48 -------- d-----w- c:\windows\ERUNT

2011-08-10 02:42 . 2011-08-10 03:23 -------- d-----w- C:\SDFix

2011-08-10 02:13 . 2011-08-10 02:13 0 ---ha-w- C:\aaw7boot.cmd

2011-08-09 23:56 . 2011-08-09 23:56 169 ----a-w- c:\documents and settings\bookshop\Application Data\Microsoft\gb_321028453.bat

2011-08-09 22:39 . 2011-08-09 22:39 141 ----a-w- c:\documents and settings\bookshop\Application Data\Microsoft\gb_316391078.bat

2011-08-09 22:39 . 2011-08-09 22:39 169 ----a-w- c:\documents and settings\bookshop\Application Data\Microsoft\gb_316378609.bat

2011-08-09 21:47 . 2011-08-09 21:47 169 ----a-w- c:\documents and settings\bookshop\Application Data\Microsoft\gb_313269593.bat

2011-08-09 20:04 . 2011-08-09 20:04 169 ----a-w- c:\documents and settings\bookshop\Application Data\Microsoft\gb_307080687.bat

2011-08-09 19:37 . 2011-08-09 19:37 169 ----a-w- c:\documents and settings\bookshop\Application Data\Microsoft\gb_305501562.bat

2011-08-08 17:23 . 2011-08-08 17:23 169 ----a-w- c:\documents and settings\bookshop\Application Data\Microsoft\gb_211021046.bat

2011-08-08 16:57 . 2011-08-08 16:57 169 ----a-w- c:\documents and settings\bookshop\Application Data\Microsoft\gb_209491171.bat

2011-08-04 19:13 . 2011-08-04 19:13 199 ----a-w- c:\documents and settings\bookshop\Application Data\Microsoft\gb_665792203.bat

2011-08-04 19:11 . 2011-08-04 19:11 169 ----a-w- c:\documents and settings\bookshop\Application Data\Microsoft\gb_665726265.bat

2011-08-04 18:46 . 2011-08-04 18:46 169 ----a-w- c:\documents and settings\bookshop\Application Data\Microsoft\gb_664169781.bat

2011-07-28 09:21 . 2011-07-28 09:21 -------- d-----w- C:\sprite

2011-07-14 15:16 . 2011-07-14 15:16 -------- d-----w- c:\program files\Microsoft Office Outlook Connector

2011-07-14 15:15 . 2011-07-14 15:15 -------- d-----w- c:\program files\Microsoft

2011-07-14 15:14 . 2011-07-14 15:15 -------- d-----w- c:\program files\Windows Live

2011-07-14 15:13 . 2011-07-14 15:13 141399376 ----a-w- c:\program files\Common Files\Windows Live\.cache\wlc1F0E.tmp

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-07-28 00:39 . 2010-12-02 00:19 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2011-07-06 23:52 . 2011-04-09 18:50 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-06 23:52 . 2011-04-09 18:50 22712 -c--a-w- c:\windows\system32\drivers\mbam.sys

2011-06-29 20:21 . 2011-04-23 17:13 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-10-19 177456]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-18 1028096]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]

"AccelerometerSysTrayApplet"="c:\windows\system32\AccelerometerSt.exe" [2006-01-17 53248]

"PTHOSTTR"="c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2007-01-09 145184]

"IFXSPMGT"="c:\windows\system32\ifxspmgt.exe" [2008-01-26 677144]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-01-06 872448]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-16 135168]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-16 159744]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-16 131072]

"vptray"="c:\program files\NavNT\vptray.exe" [2001-10-31 73728]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]

.

c:\documents and settings\bookshop\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\BitTorrent\\BitTorrent.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

.

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [12/1/2010 8:20 PM 64288]

R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [8/20/2010 7:34 AM 38816]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [4/9/2011 2:50 PM 366640]

R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [8/20/2010 7:34 AM 97280]

R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [8/20/2010 7:34 AM 41216]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [4/9/2011 2:50 PM 22712]

S3 Andbus;LGE Android Platform Composite USB Device;c:\windows\system32\drivers\lgandbus.sys [12/30/2010 4:24 AM 14336]

S3 AndDiag;LGE Android Platform USB Serial Port;c:\windows\system32\drivers\lganddiag.sys [12/30/2010 4:24 AM 20736]

S3 AndGps;LGE Android Platform USB GPS NMEA Port;c:\windows\system32\drivers\lgandgps.sys [12/30/2010 4:24 AM 20096]

S3 ANDModem;LGE Android Platform USB Modem;c:\windows\system32\drivers\lgandmodem.sys [12/30/2010 4:24 AM 25088]

S3 androidusb;ADB Interface Driver;c:\windows\system32\drivers\lgandadb.sys [12/30/2010 4:24 AM 25728]

S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/23/2010 3:46 AM 2151640]

S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [9/23/2010 3:46 AM 15232]

S3 swmx02;HP ev2200 USB MUX Driver (#02);c:\windows\system32\drivers\swmx02.sys [8/20/2010 7:34 AM 57600]

S3 UsbGps;LGE CDMA USB GPS NMEA Port;c:\windows\system32\drivers\lgusbgps.sys [12/30/2010 4:24 AM 20096]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - 36586033

*NewlyCreated* - WUAUSERV

*Deregistered* - 36586033

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HPService REG_MULTI_SZ HPSLPSVC

.

Contents of the 'Scheduled Tasks' folder

.

2011-08-10 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-09-23 11:19]

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyServer = http=127.0.0.1:55030

IE: Download Video on This Page - c:\program files\Tomato\YouTube Video Downloader\MDIEEx.dll/211

IE: Download Video This Links To - c:\program files\Tomato\YouTube Video Downloader\MDIEEx.dll/212

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

IE: {{11F19C45-9675-488A-A8E0-8E8234DC245D} - res://c:\program files\Tomato\YouTube Video Downloader\MDIEEx.dll/211

TCP: DhcpNameServer = 205.152.111.23 205.152.144.23

TCP: Interfaces\{E1F951B6-097A-418D-8D28-AF838624AFCC}: NameServer = 8.8.8.8,8.8.4.4

FF - ProfilePath - c:\documents and settings\bookshop\Application Data\Mozilla\Firefox\Profiles\0lcn4rra.default\

FF - prefs.js: browser.startup.homepage - hxxps://www.volgistics.com/ex/portal.dll/?FROM=12259

FF - prefs.js: network.proxy.http - 127.0.0.1

FF - prefs.js: network.proxy.http_port - 55030

FF - prefs.js: network.proxy.type - 1

.

- - - - ORPHANS REMOVED - - - -

.

HKLM-Run-SunJavaUpdateSched - c:\program files\Common Files\Java\Java Update\jusched.exe

HKLM-Run-B2C_AGENT - c:\documents and settings\All Users\Application Data\LGMOBILEAX\B2C_Client\B2CNotiAgent.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-08-10 20:20

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(896)

c:\windows\system32\Ati2evxx.dll

c:\windows\system32\NavLogon.dll

.

Completion time: 2011-08-10 20:22:34

ComboFix-quarantined-files.txt 2011-08-11 00:22

.

Pre-Run: 3,026,231,296 bytes free

Post-Run: 3,009,372,160 bytes free

.

- - End Of File - - 8391C1640451D2791DE49E3F53B5F593

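The Supplementary Scan section of the ComboFix log above shows why the browser stopped working once the fake conhost.exe was gone: both Internet Explorer (ProxyServer = http=127.0.0.1:55030) and Firefox (network.proxy.type 1, network.proxy.http 127.0.0.1, port 55030) were set to send their traffic through a proxy on the local machine. A loopback proxy of this kind is a common mechanism behind the URL redirecting this thread is about, and with the proxy process removed Firefox reports exactly the "proxy server is refusing connections" error from the earlier post. The script below is an added example, not part of the thread or of ComboFix: it extracts proxy settings from ComboFix lines of that form (sample lines constructed from the log above) and directly from a Firefox prefs.js (sample content constructed), and reports any that point at a loopback address. ComboFix's u/m prefix convention for per-user and machine hives and the Firefox preference names are as I know them.

```python
import re

# A proxy on a loopback address means every request goes through a process on
# the same machine. Nothing in this thread's logs installs one deliberately,
# so such a setting is treated as a hijack indicator.
LOOPBACK = re.compile(r"^(127(?:\.\d{1,3}){3}|localhost|::1)$", re.I)

def parse_combofix_proxy(lines):
    """Collect proxy settings from ComboFix 'Supplementary Scan' lines.

    Returns {"ie": [raw ProxyServer values], "firefox": {pref: value}}.
    ComboFix prefixes IE settings with u (per-user hive) or m (machine hive).
    """
    found = {"ie": [], "firefox": {}}
    for raw in lines:
        line = raw.strip()
        m = re.match(r"^[um]?Internet Settings,ProxyServer\s*=\s*(.+)$", line, re.I)
        if m:
            found["ie"].append(m.group(1).strip())
            continue
        m = re.match(r"^FF - prefs\.js: (network\.proxy\.[\w.]+) - (.+)$", line)
        if m:
            found["firefox"][m.group(1)] = m.group(2).strip()
    return found

def parse_prefs_js(text):
    """Read network.proxy.* entries straight from a Firefox prefs.js file."""
    prefs = {}
    pat = r'user_pref\("(network\.proxy\.[\w.]+)",\s*(?:"([^"]*)"|([^)]+))\);'
    for m in re.finditer(pat, text):
        prefs[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3).strip()
    return prefs

def _ie_hosts(value):
    """Split 'http=127.0.0.1:55030;https=...' or '127.0.0.1:8080' into host names."""
    hosts = []
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        if "=" in entry:                      # per-protocol form: proto=host:port
            entry = entry.split("=", 1)[1]
        if entry.startswith("["):             # bracketed IPv6 literal
            end = entry.find("]")
            host = entry[1:end] if end > 0 else entry
        else:
            host = entry.rsplit(":", 1)[0] if ":" in entry else entry
        hosts.append(host)
    return hosts

def assess(ie_values, firefox_prefs):
    """Return human-readable alerts for proxy settings that point at loopback."""
    alerts = []
    for value in ie_values:
        for host in _ie_hosts(value):
            if LOOPBACK.match(host):
                alerts.append(f"IE ProxyServer points at loopback: {value}")
    # network.proxy.type 1 means manual proxy configuration in Firefox
    if firefox_prefs.get("network.proxy.type") == "1":
        for key in ("network.proxy.http", "network.proxy.ssl", "network.proxy.socks"):
            host = firefox_prefs.get(key)
            if host and LOOPBACK.match(host):
                port = firefox_prefs.get(key + "_port", "?")
                alerts.append(f"Firefox {key} points at loopback: {host}:{port}")
    return alerts

# Constructed sample lines, copied in form from the ComboFix log in this thread.
SAMPLE_COMBOFIX = [
    "uInternet Settings,ProxyServer = http=127.0.0.1:55030",
    "FF - prefs.js: network.proxy.http - 127.0.0.1",
    "FF - prefs.js: network.proxy.http_port - 55030",
    "FF - prefs.js: network.proxy.type - 1",
]

# Constructed prefs.js fragment carrying the same settings.
SAMPLE_PREFS_JS = '''user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 55030);
user_pref("network.proxy.type", 1);
'''

if __name__ == "__main__":
    found = parse_combofix_proxy(SAMPLE_COMBOFIX)
    for alert in assess(found["ie"], found["firefox"]):
        print(alert)
    for alert in assess([], parse_prefs_js(SAMPLE_PREFS_JS)):
        print(alert)
```

Clearing these settings (IE: no proxy in Internet Options; Firefox: network.proxy.type back to 0 or "No proxy" in the connection settings) is what the original poster did by hand to get the connection back, and this check is a quick way to confirm nothing is still pointing at a local port afterwards.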

  • Staff

Hi,

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and Scan unwanted applications are checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6528

# api_version=3.0.2

# EOSSerial=3d80802d9da8924d9792f0b833ebe6c3

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-08-12 11:14:54

# local_time=2011-08-12 07:14:54 (-0500, Eastern Daylight Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=512 16777215 100 0 0 0 0 0

# compatibility_mode=3586 16764926 40 17 19013174 393118426 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=69187

# found=3

# cleaned=3

# scan_time=6720

C:\Documents and Settings\bookshop\Application Data\Sun\Java\Deployment\cache\6.0\47\6fd04eaf-2f5493bd a variant of Java/TrojanDownloader.OpenStream.NBY trojan (deleted - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\Documents and Settings\bookshop\Application Data\Microsoft\conhost.exe.vir a variant of Win32/Kryptik.RLK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{7E8FB843-D366-4439-9635-E5DDF58E6A0C}\RP183\A0023347.exe a variant of Win32/Kryptik.RLK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

and

Results of screen317's Security Check version 0.99.18

Windows XP Service Pack 3

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Disabled!

ESET Online Scanner v3

Norton AntiVirus Corporate Edition

Antivirus up to date! (On Access scanning disabled!)

```````````````````````````````

Anti-malware/Other Utilities Check:

Ad-Aware

Malwarebytes' Anti-Malware

Java 6 Update 21

Java 6 Update 3

Out of date Java installed!

Adobe Flash Player 10.3.183.5

Mozilla Firefox (x86 en-US..)

````````````````````````````````

Process Check:

objlist.exe by Laurent

Ad-Aware AAWService.exe is disabled!

Ad-Aware AAWTray.exe is disabled!

Malwarebytes' Anti-Malware mbamservice.exe

Malwarebytes' Anti-Malware mbamgui.exe

ESET ESET Online Scanner OnlineCmdLineScanner.exe

``````````End of Log````````````

I don't currently have many issues, except for Malwarebytes blocking some IP addresses but I don't know if that was from the above or not. I was able to access my connection finally when changing my proxy settings back.


  • Staff

Hi,

My apologies for the delay.

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall.

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following program (if present):

Ad-Aware (uninstall if you don't update it)

Java™ 6 Update 21

Java™ 6 Update 3

Adobe Reader 9.0

ESET Online Scanner v3

Restart your computer.

Get the latest version of Java and Adobe Reader.

Let me know what issues remain. You should be fine for banking.

-screen317


  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
