
So I've been infected with a rootkit and other malware. I've run ComboFix, followed by Malwarebytes, tried running Avira but it doesn't respond during install (it did mention manually uninstalling the security suite first, but I couldn't find it), and ran HijackThis. I shall post my logs. Any help will be greatly appreciated. Thanks!

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 7872

Windows 6.0.6002 Service Pack 2

Internet Explorer 8.0.6001.19019

10/5/2011 4:26:50 AM

mbam-log-2011-10-05 (04-26-39).txt

Scan type: Full scan (C:\|)

Objects scanned: 371328

Time elapsed: 2 hour(s), 38 minute(s), 43 second(s)

Memory Processes Infected: 2

Memory Modules Infected: 0

Registry Keys Infected: 4

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 12

Memory Processes Infected:

c:\Windows\System32\kbdinhin32.exe (Trojan.Tracur.SGen) -> 2312 -> No action taken.

c:\programdata\audiokse32.exe (Trojan.Tracur.SGen) -> 2308 -> No action taken.

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TapiSrv32 (Trojan.Tracur.SGen) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\g043oqxanu (Trojan.FakeAlert) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\ineufbr1v (Malware.Trace) -> No action taken.

HKEY_CURRENT_USER\Software\mksybupgw (Trojan.FakeAlert.Gen) -> No action taken.

Registry Values Infected:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> No action taken.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\Windows\System32\kbdinhin32.exe (Trojan.Tracur.SGen) -> No action taken.

c:\programdata\audiokse32.exe (Trojan.Tracur.SGen) -> No action taken.

c:\program files\easy mp3 alarm clock\whCC.exe (PUP.WebHancer) -> No action taken.

c:\Qoobox\quarantine\C\programdata\phpwoahdwlgldvi.exe.vir (Trojan.Agent) -> No action taken.

c:\Users\reaksmey keo\AppData\LocalLow\Sun\Java\deployment\cache\6.0\35\2ad23923-36d02504 (Trojan.Agent) -> No action taken.

c:\Users\reaksmey keo\AppData\LocalLow\Sun\Java\deployment\cache\6.0\4\263a9144-4fb8caf9 (Trojan.Agent) -> No action taken.

c:\Users\reaksmey keo\AppData\LocalLow\Sun\Java\deployment\cache\6.0\40\2e660168-6b4b1020 (Rootkit.0Access) -> No action taken.

c:\windows\system32\window32.dll (PUP.EliteKeylogger) -> No action taken.

c:\programdata\uoas.exe (Trojan.FakeAlert) -> No action taken.

c:\Windows\temp\0.09787016239315227.exe (Exploit.Drop.2) -> No action taken.

c:\Windows\temp\0.16481013526493415.exe (Exploit.Drop.2) -> No action taken.

c:\Windows\temp\0.3755419133885055.exe (Exploit.Drop.2) -> No action taken.

ComboFix 11-10-04.04 - Reaksmey Keo 10/05/2011 0:33.2.2 - x86

Running from: c:\users\Reaksmey Keo\Desktop\Combo-Fix.exe

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\programdata\amkk.exe

c:\programdata\gpvf.exe

c:\programdata\lseo.exe

c:\programdata\PC Security 2011

c:\programdata\PC Security 2011\PC2011.exe

c:\programdata\PhPwoaHDWLGLDvI.exe

c:\programdata\pswi_preloaded.exe

c:\programdata\rfrv.exe

c:\programdata\vlc-1.1.2-win32.exe

c:\users\REAKSM~1\AppData\Local\Temp\5b3ed028351e4dc0a326fb6e3c5da4e7\filesys.dll

c:\users\REAKSM~1\AppData\Local\Temp\5b3ed028351e4dc0a326fb6e3c5da4e7\http.dll

c:\users\Reaksmey Keo\AppData\Local\{A6436174-06EA-4D03-AAFB-2040EA9B69E6}

c:\users\Reaksmey Keo\AppData\Local\{A6436174-06EA-4D03-AAFB-2040EA9B69E6}\chrome.manifest

c:\users\Reaksmey Keo\AppData\Local\{A6436174-06EA-4D03-AAFB-2040EA9B69E6}\chrome\content\_cfg.js

c:\users\Reaksmey Keo\AppData\Local\{A6436174-06EA-4D03-AAFB-2040EA9B69E6}\chrome\content\overlay.xul

c:\users\Reaksmey Keo\AppData\Local\{A6436174-06EA-4D03-AAFB-2040EA9B69E6}\install.rdf

c:\users\Reaksmey Keo\AppData\Local\eaal.exe

c:\users\Reaksmey Keo\AppData\Local\fqkc.exe

c:\users\Reaksmey Keo\AppData\Local\hfox.exe

c:\users\Reaksmey Keo\AppData\Local\iemk.exe

c:\users\Reaksmey Keo\AppData\Local\mfmo.exe

c:\users\Reaksmey Keo\AppData\Local\tbcv.exe

c:\users\Reaksmey Keo\AppData\Local\Temp\5b3ed028351e4dc0a326fb6e3c5da4e7\filesys.dll

c:\users\Reaksmey Keo\AppData\Local\Temp\5b3ed028351e4dc0a326fb6e3c5da4e7\http.dll

c:\users\Reaksmey Keo\AppData\Local\wcxr.exe

c:\users\Reaksmey Keo\AppData\Local\xhqk.exe

c:\users\Reaksmey Keo\AppData\Roaming\igxpgd32.dat

c:\users\Reaksmey Keo\AppData\Roaming\jsdfgs.bat

c:\users\Reaksmey Keo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Recovery

c:\users\Reaksmey Keo\AppData\Roaming\Microsoft\Windows\Templates\gecp.exe

c:\users\Reaksmey Keo\AppData\Roaming\Microsoft\Windows\Templates\hmfl.exe

c:\users\Reaksmey Keo\AppData\Roaming\Microsoft\Windows\Templates\lmg561d1ecsvc30d600084shis54p30ta

c:\users\Reaksmey Keo\AppData\Roaming\Microsoft\Windows\Templates\sbgb.exe

c:\users\Reaksmey Keo\AppData\Roaming\Microsoft\Windows\Templates\yhuf.exe

c:\users\Reaksmey Keo\AppData\Roaming\Mozilla\Firefox\Profiles\cwoknees.default\extensions\{ecce67ea-0e62-4d6f-a819-c945059c4960}

c:\users\Reaksmey Keo\AppData\Roaming\Mozilla\Firefox\Profiles\cwoknees.default\extensions\{ecce67ea-0e62-4d6f-a819-c945059c4960}\chrome.manifest

c:\users\Reaksmey Keo\AppData\Roaming\Mozilla\Firefox\Profiles\cwoknees.default\extensions\{ecce67ea-0e62-4d6f-a819-c945059c4960}\chrome\xulcache.jar

c:\users\Reaksmey Keo\AppData\Roaming\Mozilla\Firefox\Profiles\cwoknees.default\extensions\{ecce67ea-0e62-4d6f-a819-c945059c4960}\defaults\preferences\xulcache.js

c:\users\Reaksmey Keo\AppData\Roaming\Mozilla\Firefox\Profiles\cwoknees.default\extensions\{ecce67ea-0e62-4d6f-a819-c945059c4960}\install.rdf

c:\users\Reaksmey Keo\AppData\Roaming\PC Security 2011

c:\users\Reaksmey Keo\AppData\Roaming\PC Security 2011\_001.png

c:\users\Reaksmey Keo\AppData\Roaming\PC Security 2011\_002.png

c:\users\Reaksmey Keo\AppData\Roaming\PC Security 2011\_005.png

c:\users\Reaksmey Keo\AppData\Roaming\PC Security 2011\_006.png

c:\users\Reaksmey Keo\AppData\Roaming\PC Security 2011\_007.png

c:\users\Reaksmey Keo\AppData\Roaming\PC Security 2011\_ico1.png

c:\users\Reaksmey Keo\AppData\Roaming\PC Security 2011\_ico2.png

c:\users\Reaksmey Keo\AppData\Roaming\PC Security 2011\_ico3.png

c:\users\Reaksmey Keo\AppData\Roaming\PC Security 2011\activate_01.png

c:\users\Reaksmey Keo\AppData\Roaming\PC Security 2011\activate_02.png

c:\users\Reaksmey Keo\AppData\Roaming\PC Security 2011\activate_03.png

c:\users\Reaksmey Keo\AppData\Roaming\PC Security 2011\activate_hdr_1.png

c:\users\Reaksmey Keo\AppData\Roaming\PC Security 2011\activate_hdr_2.png

c:\users\Reaksmey Keo\AppData\Roaming\PC Security 2011\activate_hdr_bg.png

c:\users\Reaksmey Keo\AppData\Roaming\PC Security 2011\at.png

c:\users\Reaksmey Keo\AppData\Roaming\PC Security 2011\balloon_174.png

c:\users\Reaksmey Keo\AppData\Roaming\PC Security 2011\balloon_201.png

c:\users\Reaksmey Keo\AppData\Roaming\PC Security 2011\bg_button_a.png

c:\users\Reaksmey Keo\AppData\Roaming\PC Security 2011\bg_button_span.png

c:\users\Reaksmey Keo\AppData\Roaming\PC Security 2011\blank.gif

c:\users\Reaksmey Keo\AppData\Roaming\PC Security 2011\block_p_01.png

c:\users\Reaksmey Keo\AppData\Roaming\PC Security 2011\block_p_03.png

c:\users\Reaksmey Keo\AppData\Roaming\PC Security 2011\blue.png

c:\users\Reaksmey Keo\AppData\Roaming\PC Security 2011\critical_202.png

c:\users\Reaksmey Keo\AppData\Roaming\PC Security 2011\defender_001.png

c:\users\Reaksmey Keo\AppData\Roaming\PC Security 2011\defender_002.png

c:\users\Reaksmey Keo\AppData\Roaming\PC Security 2011\defender_003.png

c:\users\Reaksmey Keo\AppData\Roaming\PC Security 2011\defender_004.png

c:\users\Reaksmey Keo\AppData\Roaming\PC Security 2011\defender_005.png

c:\users\Reaksmey Keo\AppData\Roaming\PC Security 2011\defender_006.png

c:\users\Reaksmey Keo\AppData\Roaming\PC Security 2011\defender_007.png

c:\users\Reaksmey Keo\AppData\Roaming\PC Security 2011\defender_008.png

c:\users\Reaksmey Keo\AppData\Roaming\PC Security 2011\filder.png

c:\users\Reaksmey Keo\AppData\Roaming\PC Security 2011\header.png

c:\users\Reaksmey Keo\AppData\Roaming\PC Security 2011\i_1.png

c:\users\Reaksmey Keo\AppData\Roaming\PC Security 2011\i_2.png

c:\users\Reaksmey Keo\AppData\Roaming\PC Security 2011\i_3.png

c:\users\Reaksmey Keo\AppData\Roaming\PC Security 2011\level.png

c:\users\Reaksmey Keo\AppData\Roaming\PC Security 2011\loading.gif

c:\users\Reaksmey Keo\AppData\Roaming\PC Security 2011\logo.png

c:\users\Reaksmey Keo\AppData\Roaming\PC Security 2011\m.png

c:\users\Reaksmey Keo\AppData\Roaming\PC Security 2011\off.png

c:\users\Reaksmey Keo\AppData\Roaming\PC Security 2011\on.png

c:\users\Reaksmey Keo\AppData\Roaming\PC Security 2011\progressbar.gif

c:\users\Reaksmey Keo\AppData\Roaming\PC Security 2011\progressbar_bg_1.gif

c:\users\Reaksmey Keo\AppData\Roaming\PC Security 2011\prot.png

c:\users\Reaksmey Keo\AppData\Roaming\PC Security 2011\scan_res_icon.png

c:\users\Reaksmey Keo\AppData\Roaming\PC Security 2011\t01.png

c:\users\Reaksmey Keo\AppData\Roaming\PC Security 2011\t02.png

c:\users\Reaksmey Keo\AppData\Roaming\PC Security 2011\update.png

c:\users\Reaksmey Keo\AppData\Roaming\PC Security 2011\w1.png

c:\users\Reaksmey Keo\AppData\Roaming\PC Security 2011\w2.png

c:\users\Reaksmey Keo\AppData\Roaming\PC Security 2011\w3.png

c:\users\Reaksmey Keo\AppData\Roaming\PC Security 2011\w4.png

c:\users\Reaksmey Keo\AppData\Roaming\PC Security 2011\w5.png

c:\users\Reaksmey Keo\AppData\Roaming\PC Security 2011\warning_popup_072.png

c:\users\Reaksmey Keo\AppData\Roaming\PC Security 2011\warning_popup_200.png

c:\users\Reaksmey Keo\AppData\Roaming\Uninstall_Security

c:\users\Reaksmey Keo\AppData\Roaming\Uninstall_Security\uninstall_security.lnk

c:\windows\2606546328

c:\windows\system32\comct332.ocx

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Service_98bd5c9b

.

.

((((((((((((((((((((((((( Files Created from 2011-09-05 to 2011-10-05 )))))))))))))))))))))))))))))))

.

.

2011-10-05 05:03 . 2011-10-05 05:11 -------- d-----w- c:\users\Reaksmey Keo\AppData\Local\temp

2011-10-05 05:03 . 2011-10-05 05:03 -------- d-----w- c:\users\Default\AppData\Local\temp

2011-10-05 02:41 . 2011-10-05 02:41 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-10-05 02:28 . 2011-10-05 02:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-10-05 02:28 . 2011-08-31 21:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-10-04 11:05 . 2011-10-04 11:05 -------- d-----w- c:\program files\Trend Micro

2011-10-03 02:42 . 2011-10-03 02:42 -------- d-----w- c:\users\Default\AppData\Roaming\Apple Computer

2011-09-29 06:36 . 2011-09-29 06:36 -------- d-----w- c:\programdata\WindowsSearch

2011-09-10 19:07 . 2011-09-10 19:07 288 ----a-w- c:\users\Reaksmey Keo\AppData\Roaming\873ED036.reg

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-10-05 05:06 . 2011-10-05 05:06 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{D09AE6F5-7A5C-42F9-BE3D-98FDEA5D69A5}\offreg.dll

2011-09-21 13:00 . 2011-09-29 04:40 7269712 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{D09AE6F5-7A5C-42F9-BE3D-98FDEA5D69A5}\mpengine.dll

2011-08-17 15:28 . 2011-08-17 15:28 0 ----a-w- c:\programdata\uoas.exe

2011-08-17 15:28 . 2011-08-17 15:28 0 ----a-w- c:\programdata\tixi.exe

2011-08-17 15:28 . 2011-08-17 15:28 0 ----a-w- c:\programdata\qxch.exe

2011-08-17 15:28 . 2011-08-17 15:28 0 ----a-w- c:\programdata\gcfp.exe

2011-07-23 16:34 . 2011-07-23 16:35 793088 ----a-w- c:\programdata\AUDIOKSE32.exe

2011-07-23 16:34 . 2011-07-23 16:35 793088 ----a-w- c:\windows\system32\KBDINHIN32.exe

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]

2009-11-08 14:55 297808 ----a-w- c:\windows\System32\mscoree.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]

@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"

[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]

2007-06-06 06:16 2955264 ----a-w- c:\program files\Protector Suite QL\farchns.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]

@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"

[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]

2007-06-06 06:16 2955264 ----a-w- c:\program files\Protector Suite QL\farchns.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"EasyTether"="c:\program files\Mobile Stream\EasyTether\easytthr.exe" [2010-12-19 48456]

"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-15 499608]

"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]

"AdobeCS5.5ServiceManager"="c:\program files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 1523360]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"DisableCAD"= 1 (0x1)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]

2007-06-06 06:03 90112 ----a-w- c:\windows\System32\psqlpwd.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]

2007-07-25 02:26 98304 ----a-w- c:\windows\System32\VESWinlogon.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

.

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk

backup=c:\windows\pss\McAfee Security Scan Plus.lnk.CommonStartup

backupExtension=.CommonStartup

.

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnk.CommonStartup

backupExtension=.CommonStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2008-10-15 06:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]

2010-03-17 01:58 47392 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyTether]

2010-12-19 05:25 48456 ----a-w- c:\program files\Mobile Stream\EasyTether\easytthr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]

2008-01-19 07:33 125952 ----a-w- c:\windows\ehome\ehtray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]

2007-06-29 13:46 154136 ----a-w- c:\windows\System32\hkcmd.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]

2007-06-29 13:47 137752 ----a-w- c:\windows\System32\igfxtray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISBMgr.exe]

2007-06-12 01:27 317560 ----a-w- c:\program files\Sony\ISB Utility\ISBMgr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2011-06-07 21:51 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]

2007-06-29 13:47 133656 ----a-w- c:\windows\System32\igfxpers.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSQLLauncher]

2007-06-06 05:40 49168 ----a-w- c:\program files\Protector Suite QL\launcher.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2010-11-29 21:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]

2007-04-06 18:18 4423680 ----a-w- c:\windows\RtHDVCpl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2010-05-14 15:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]

2007-03-08 02:38 835584 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2009-12-05 18:31 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Center Access Bar]

2007-06-21 23:54 53248 ----a-w- c:\program files\Sony\VAIO Center Access Bar\VCAB.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIOSurvey]

2007-07-20 22:30 577536 ----a-w- c:\program files\Sony\VAIO Survey\Vista VAIO Survey.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VWLASU]

2007-07-12 18:31 45056 ----a-w- c:\program files\Sony\VAIO PC Wireless LAN Wizard\AutoLaunchWLASU.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]

2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Mobile-based device management]

2006-11-02 09:45 215552 ----a-w- c:\windows\WindowsMobile\wmdSync.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsWelcomeCenter]

2009-04-11 06:28 2153472 ----a-w- c:\windows\System32\oobefldr.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 iPodDrv;iPodDrv;c:\windows\system32\drivers\iPodDrv.sys [x]

R3 Andbus;LGE Android Platform Composite USB Device;c:\windows\system32\DRIVERS\lgandbus.sys [2010-08-02 14336]

R3 AndDiag;LGE Android Platform USB Serial Port;c:\windows\system32\DRIVERS\lganddiag.sys [2010-08-02 20864]

R3 AndGps;LGE Android Platform USB GPS NMEA Port;c:\windows\system32\DRIVERS\lgandgps.sys [2010-08-02 19968]

R3 ANDModem;LGE Android Platform USB Modem;c:\windows\system32\DRIVERS\lgandmodem.sys [2010-08-02 24960]

R3 androidusb;ADB Interface Driver;c:\windows\system32\Drivers\lgandadb.sys [2010-08-02 25728]

R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]

R3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]

R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]

R4 VAIOMediaPlatform-UCLS-AppServer;VAIO Media Content Collection;c:\program files\Sony\VAIO Media Integrated Server\UCLS.exe [2007-01-10 745472]

R4 VAIOMediaPlatform-UCLS-HTTP;VAIO Media Content Collection (HTTP);c:\program files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe [2007-06-20 397312]

R4 VAIOMediaPlatform-UCLS-UPnP;VAIO Media Content Collection (UPnP);c:\program files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe [2007-06-20 1089536]

R4 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;c:\program files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe [2007-07-13 292152]

R4 VcmXmlIfHelper;VAIO Content Metadata XML Interface;c:\program files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper.exe [2007-07-06 79736]

R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]

S2 AGCoreService;AG Core Services;c:\program files\AGI\core\4.2.0.10754\AGCoreService.exe [2010-06-29 20480]

S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]

S2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-04-18 11032]

S2 TapiSrv32;Telephony ;c:\windows\system32\KBDINHIN32.exe [2011-07-23 793088]

S3 easytether;easytether;c:\windows\system32\DRIVERS\easytthr.sys [2010-08-29 17232]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-08-31 22216]

S3 R5U870FLx86;R5U870 UVC Lower Filter ;c:\windows\system32\Drivers\R5U870FLx86.sys [2007-04-19 73472]

S3 R5U870FUx86;R5U870 UVC Upper Filter ;c:\windows\system32\Drivers\R5U870FUx86.sys [2007-04-19 43904]

S3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2007-06-05 812544]

.

.

--- Other Services/Drivers In Memory ---

.

*Deregistered* - kbdex

*Deregistered* - usbnt

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

WindowsMobile REG_MULTI_SZ wcescomm rapimgr

LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr

.

Contents of the 'Scheduled Tasks' folder

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyServer = http=127.0.0.1:18810

uInternet Settings,ProxyOverride = *.local;<local>

Trusted Zone: intuit.com\ttlc

FF - ProfilePath - c:\users\Reaksmey Keo\AppData\Roaming\Mozilla\Firefox\Profiles\cwoknees.default\

FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/aol/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us&tb_uuid=100000000000000002&tb_oid=11-05-2010&tb_mrud=11-05-2010

FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/redirector/sredir?sredir=2706&invocationType=tb50-ff-aim-ab-en-us&tb_uuid=100000000000000002&tb_oid=11-05-2010&tb_mrud=11-05-2010&query=

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Search Toolbar: searchtoolbar@zugo.com - %profile%\extensions\searchtoolbar@zugo.com

FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false

FF - user.js: browser.sessionstore.resume_from_crash - false

FF - user.js: network.protocol-handler.warn-external.dnupdate - false

.

- - - - ORPHANS REMOVED - - - -

.

BHO-{01520C09-5AB3-42D0-AF3C-B05BB9B47C96} - c:\windows\system32\AUDIOKSE32.dll

HKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe

MSConfigStartUp-doubleTwist - c:\program files\doubleTwist 2.0\DoubleTwist.DeviceHelper.exe

MSConfigStartUp-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe

MSConfigStartUp-odwtmiop - c:\users\REAKSM~1\AppData\Local\Temp\fpqknrcpa\jajsycisjmo.exe

MSConfigStartUp-osdkpafi - c:\users\REAKSM~1\AppData\Local\Temp\arvhlorin\nmueriqsjmo.exe

MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

AddRemove-Supple -- Episode 1 - c:\users\Reaksmey Keo\Desktop\Sunshine's Stuff\Supple -- Episode 1\Uninstall.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-10-05 01:10

Windows 6.0.6002 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

.

c:\windows\system32\drivers\kbdex.sys 25088 bytes executable

c:\windows\system32\drivers\secdrv2k.sys 522240 bytes executable

c:\windows\system32\drivers\usbnt.sys 17408 bytes executable

c:\windows\system32\dincache.dll -915248067 bytes

c:\windows\system32\NAPCRx86.DLL 1094144 bytes executable

c:\windows\system32\pcasvr.exe 3162112 bytes executable

c:\windows\system32\Window32.dll 139264 bytes executable

c:\windows\TEMP\TMP0000002C5D18B561C21F200D 524288 bytes

.

scan completed successfully

hidden files: 8

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\kbdex]

"ImagePath"="system32\drivers\kbdex.sys"

--

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\secdrv2k]

"ImagePath"="system32\drivers\secdrv2k.sys"

--

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\usbnt]

"ImagePath"="system32\drivers\usbnt.sys"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'Explorer.exe'(2872)

c:\program files\Protector Suite QL\farchns.dll

c:\program files\Protector Suite QL\infra.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Protector Suite QL\upeksvr.exe

c:\program files\Sony\VAIO Service Utility\VAIO-SUTOOL.exe

c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe

c:\program files\Sony\VAIO Update 3\VAIOUpdt.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\programdata\AUDIOKSE32.exe

c:\windows\system32\WUDFHost.exe

c:\windows\system32\wbem\unsecapp.exe

c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

c:\program files\Windows Media Player\wmpnetwk.exe

.

**************************************************************************

.

Completion time: 2011-10-05 01:24:41 - machine was rebooted

ComboFix-quarantined-files.txt 2011-10-05 05:24

.

Pre-Run: 11,989,893,120 bytes free

Post-Run: 12,787,228,672 bytes free

.

- - End Of File - - B0B9590D45F5C6B2D564A15824F154A0

hijackthis.log

mbam-log-2011-10-05 (04-26-39).txt

ComboFix.txt


Logs will be closed if you haven't replied within 3 days.

Please don't attach the scans / logs for these tools, use "copy/paste".

DO NOT use any TOOLS such as ComboFix or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.

Please run a new MBAM scan, being sure to update before scanning.

Post the scan results.

Also please describe how your computer behaves at the moment.

Please don't attach the scans / logs, use "copy/paste".


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
