dreamer

Help... Have virus, won't let me run Mbam or other virus software. Koobface maybe?

25 posts in this topic

Keep getting screens saying I have viruses and pretending to search the computer.

It won't let me go to or run any virus removal software.

Someone helped me remove something like this before from my son's computer and now I have it.

What do I need to do?


Hello dreamer! Welcome to MalwareBytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something please ask.
  • Do not install or uninstall any software or hardware while we work on it.

Please follow these instructions:

http://forums.malwarebytes.org/index.php?showtopic=9573


Thank you.

I already have it loaded. It won't let me do an update. When I reboot I can run Mbam only if I start the program real fast, before, I am assuming, the virus starts running, because if I wait it will not pull up the Mbam screen.

Once up though it will run. I've run it several times and it finds something each time, with the name fraudpack or dropper.

If I try to pull up the log it will pull it up real quick then go away. It will not stay up long enough for me to save it somewhere else.

I will try to find it in the file and copy it from there, and try to run some more of the programs in the list you gave. Last time, on my son's computer, I had to download stuff to run on another computer and move it over.

Will try to continue with your list until I hear back from you.


1. Below is the log file from running Malwarebytes. I already had it loaded. The virus would not let me update Mbam. The virus would not let me run the checker unless I re-booted and quickly started the program. If I waited for the re-boot to finish loading programs, it would come up with "program infected, would you like to load anti-virus software?".

2. It let me run defogger.exe. But it never asked me to re-boot. I rebooted on my own. I ran this several times, same result.

3. dds.scr would not run. It asked me what program should run this file type.

4. Gmer program. It would run only if I could start it fast on reboot, like number 1 above. When it ran, it either would re-boot on its own without finishing (I don't think it finished) or it would hang up and not move/scan a file for an hour or so.

Looking forward to hearing from you on the next step.

Malwarebytes' Anti-Malware 1.44

Database version: 3926

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

5/8/2010 6:52:02 PM

mbam-log-2010-05-08 (18-52-02).txt

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 207656

Time elapsed: 56 minute(s), 0 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Please uninstall your MalwareBytes' Anti-Malware because your database version and your program version are very old. Next:

Please try this version of Malwarebytes: Click the link here

Save it on your desktop. You'll see it will have a random name, and will look similar to this: (image: mbamrandom.gif)

Double-click on it, so it will extract the files and start Malwarebytes automatically.

In case the installer (random named file) won't run either, rename it to EXPLORER.EXE and try again.

When Malwarebytes opens, click the "Update" tab FIRST and select to check for updates in order to get the latest updates.

In case Malwarebytes doesn't open, search for the folder mbam-installer on your desktop, open it and double-click the file winlogon.exe which will be present in there. This should launch Malwarebytes.

Then perform a Quick scan and let it remove what it found. Reboot afterwards (important).

After reboot, post the malwarebytes log.


FYI: when removing files, it said some were not able to be removed.

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4083

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

5/9/2010 12:23:37 PM

mbam-log-2010-05-09 (12-23-37).txt

Scan type: Quick scan

Objects scanned: 140613

Time elapsed: 18 minute(s), 35 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 4

Registry Values Infected: 2

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cdmjstiw (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cdmjstiw (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\Administrator\Local Settings\Application Data\etyfivgrf\kobmxyltssd.exe (Rogue.AntivirusSuite.Gen) -> Delete on reboot.

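As an added example that is not part of this thread (and not Malwarebytes' own code), the Python script below parses the Malwarebytes log format posted above and pulls out what a helper reviews first: items marked "Delete on reboot" (why the reboot step matters), detections sitting under autostart Run keys, the families seen, and whether each section's listed entries agree with its summary count. The embedded sample is an abridged copy of the log above, constructed so the script runs offline.

```python
import re

# Constructed sample: an abridged copy of the second Malwarebytes log posted in
# this thread (same format and entries), embedded so the parser runs offline.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.46
Database version: 4083
Scan type: Quick scan
Objects scanned: 140613

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cdmjstiw (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cdmjstiw (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Administrator\Local Settings\Application Data\etyfivgrf\kobmxyltssd.exe (Rogue.AntivirusSuite.Gen) -> Delete on reboot.
"""

# "<category> Infected: <n>" summary lines, "<category> Infected:" section
# headers, and "<location> (<family>) -> <action>." detection lines.
SUMMARY_RE = re.compile(r"^(?P<category>.+ Infected): (?P<count>\d+)$")
HEADER_RE = re.compile(r"^(?P<category>.+ Infected):$")
DETECTION_RE = re.compile(r"^(?P<location>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")

# Lower-cased registry path fragments that mark an autostart (persistence) entry.
AUTOSTART_MARKERS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")


def parse_mbam_log(text):
    """Return (summary counts by category, detections by category)."""
    summary, detections, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group("category")] = int(m.group("count"))
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m.group("category")
            detections.setdefault(current, [])
            continue
        if current is None or line.startswith("(No malicious items"):
            continue
        m = DETECTION_RE.match(line)
        if m:
            detections[current].append(m.groupdict())
    return summary, detections


def triage(summary, detections):
    """Items still pending a reboot (the scan did not finish the job), autostart
    entries (how the rogue survived reboots), families seen, and sections whose
    listed items disagree with the summary count (a truncated or edited log)."""
    report = {"total": sum(summary.values()), "pending_reboot": [],
              "autostart": [], "families": set(), "mismatch": []}
    for category, items in detections.items():
        if category in summary and summary[category] != len(items):
            report["mismatch"].append(category)
        for item in items:
            report["families"].add(item["family"])
            if "reboot" in item["action"].lower():
                report["pending_reboot"].append(item["location"])
            if any(mark in item["location"].lower() for mark in AUTOSTART_MARKERS):
                report["autostart"].append(item["location"])
    return report


if __name__ == "__main__":
    s, d = parse_mbam_log(SAMPLE_LOG)
    r = triage(s, d)
    print("detections:", r["total"], "families:", sorted(r["families"]))
    print("pending reboot:", r["pending_reboot"])
    print("autostart entries:", r["autostart"])
    print("count mismatches:", r["mismatch"])
```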

**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer.**

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  • If you are using Firefox, make sure that your download settings are as follows:
    • Open Tools -> Options -> Main tab
    • Set to Always ask me where to Save the files.
  • During the download, rename Combofix to Combo-Fix as follows:
    (image: CF_download_FF.gif)
    (image: CF_download_rename.gif)
  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


ComboFix 10-05-08.02 - Administrator 05/09/2010 13:17:57.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2550.1806 [GMT -4:00]

Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\AbaleZip.dll

c:\windows\Tasks.\nfowedgj.job

c:\windows\Temp\tmp3.tmp

D:\Autorun.inf

c:\windows\Tasks.\nfowedgj.job . . . . failed to delete

.

((((((((((((((((((((((((( Files Created from 2010-04-09 to 2010-05-09 )))))))))))))))))))))))))))))))

.

2010-05-09 15:47 . 2010-04-29 16:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-05-07 23:18 . 2010-05-09 16:25 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\etyfivgrf

2010-04-27 00:38 . 2010-04-27 00:38 50354 ----a-w- c:\documents and settings\Administrator\Application Data\Facebook\uninstall.exe

2010-04-27 00:38 . 2010-04-27 00:38 -------- d-----w- c:\documents and settings\Administrator\Application Data\Facebook

2010-04-20 17:30 . 2010-04-20 17:30 242696 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys

2010-04-20 17:27 . 2010-04-20 17:27 1689952 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll

2010-04-10 00:53 . 2010-04-10 00:53 98920 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-05-09 17:09 . 2009-12-14 02:29 -------- d-----w- c:\documents and settings\Administrator\Application Data\HPAppData

2010-04-28 13:32 . 2009-07-15 15:18 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3

2010-04-27 13:22 . 2009-07-15 15:20 3164 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2007\qbbackup.sys

2010-04-24 22:53 . 2010-04-06 13:42 -------- d-----w- c:\documents and settings\LocalService\Application Data\HPAppData

2010-04-22 23:09 . 2009-12-09 04:56 0 ----a-w- c:\windows\system32\drivers\FUJITSU_AE5AJ3A323450000_WXPTPC.MKR

2010-04-20 17:29 . 2010-02-11 00:34 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-04-14 18:50 . 2006-05-17 19:59 -------- d-----w- c:\program files\Google

2010-04-14 07:07 . 2009-07-15 16:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-03-18 14:55 . 2010-03-18 14:55 207056 ----a-w- c:\documents and settings\All Users\Application Data\tmp22E.tmp

2010-03-16 18:48 . 2010-03-16 18:48 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2010-03-16 18:48 . 2010-02-11 00:33 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2010-03-16 18:47 . 2010-02-11 00:33 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-03-11 12:38 . 2006-05-17 11:55 832512 ----a-w- c:\windows\system32\wininet.dll

2010-03-11 12:38 . 2006-05-17 11:54 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-03-11 12:38 . 2006-05-17 11:54 17408 ------w- c:\windows\system32\corpol.dll

2010-03-09 11:09 . 2006-05-17 11:55 430080 ----a-w- c:\windows\system32\vbscript.dll

2010-03-06 05:30 . 2010-03-06 05:30 847040 ----a-w- c:\documents and settings\Administrator\Application Data\Facebook\axfbootloader.dll

2010-03-06 05:30 . 2010-03-06 05:30 5582848 ----a-w- c:\documents and settings\Administrator\Application Data\Facebook\npfbplugin_1_0_3.dll

2010-02-24 13:11 . 2006-05-17 11:54 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2010-02-16 14:08 . 2004-08-03 23:18 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-02-15 20:47 . 2010-02-15 20:47 103449 ----a-w- c:\documents and settings\All Users\Application Data\tmp530.tmp

2010-02-15 00:52 . 2010-02-14 23:58 156075 ----a-w- c:\windows\hpwins12.dat

2010-02-12 04:33 . 2006-05-17 11:54 100864 ----a-w- c:\windows\system32\6to4svc.dll

2010-02-11 12:02 . 2006-05-17 11:55 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys

2001-12-03 21:09 . 2009-09-18 21:02 90112 ----a-w- c:\program files\internet explorer\plugins\DjVuControl.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]

"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-16 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]

"AGRSMMSG"="AGRSMMSG.exe" [2006-01-17 88365]

"FjStrtAp"="c:\program files\Fujitsu\Utils\FjStrtAp.exe" [2006-03-31 20480]

"FJUPDNV_Chitose"="c:\program files\Fujitsu\fjdvrupd\fjdvrupd.exe" [2005-11-19 303104]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-10-26 30192]

"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-07-16 122368]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-08-17 166424]

"IndicatorUtility"="c:\program files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe" [2005-09-10 81920]

"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-04-05 270336]

"LoadBtnHnd"="c:\program files\Fujitsu\BtnHnd\BtnHnd.exe" [2003-08-21 61440]

"LoadFUJ02E3"="c:\program files\Fujitsu\FUJ02E3\FUJ02E3.exe" [2006-01-28 73728]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-08-17 137752]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-11 149280]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-31 761946]

"TabletTip"="c:\program files\Common Files\microsoft shared\ink\tabtip.exe" [2008-04-14 271872]

"TabletWizard"="c:\windows\help\SplshWrp.exe" [2008-04-14 16384]

"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-03-16 18:48 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]

2008-04-14 00:11 47104 ----a-w- c:\program files\Common Files\Microsoft Shared\Ink\loginkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL]

2002-08-29 10:41 11776 ----a-w- c:\windows\system32\tabbtnwl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]

2008-04-14 00:12 32256 ----a-w- c:\windows\system32\tpgwlnot.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=

"c:\\WINDOWS\\system32\\msiexec.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Nitro PDF\\PrimoPDF\\PrimoPDF.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\Fujitsu\\Utils\\FjMnuIco.exe"=

"c:\\Program Files\\Fujitsu\\BtnHnd\\BtnHnd.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R0 FJGPNV;FJGPNV;c:\windows\system32\drivers\FJGPNV.SYS [5/17/2006 3:56 PM 10496]

R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2/21/2006 6:05 PM 36352]

R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [9/23/2005 10:48 AM 28544]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2/10/2010 8:33 PM 216200]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2/10/2010 8:34 PM 242896]

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/16/2010 2:48 PM 308064]

R3 Fjbtndrv;Fujitsu Button Driver;c:\windows\system32\drivers\FjBtnDrv.sys [5/17/2006 3:56 PM 17920]

R3 FUJ02E3;Fujitsu FUJ02E3 Device Driver;c:\windows\system32\drivers\fuj02e3.sys [5/17/2006 3:39 PM 4864]

R3 hidpen;Wacom Serial Pen HID MiniDriver;c:\windows\system32\drivers\hidpen.sys [5/17/2006 3:39 PM 31104]

S2 gupdate1ca0cb5d637f1e;Google Update Service (gupdate1ca0cb5d637f1e);c:\program files\Google\Update\GoogleUpdate.exe [7/24/2009 7:18 PM 133104]

S3 ADVNTDRV;ADVNTDRV;c:\windows\system32\drivers\ADVNTDRV.SYS [11/18/1999 8:20 PM 3872]

S3 FUJ02E1;%FUJ02E1.DeviceDesc%;c:\windows\system32\drivers\FUJ02E1.sys [5/17/2006 3:39 PM 5632]

S3 GoogleDesktopManager-093009-130223;Google Desktop Manager 5.9.909.30391;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [7/15/2009 10:28 AM 30192]

S3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [5/17/2006 3:39 PM 35968]

S3 WacomPen;Wacom Serial Pen HID Driver;c:\windows\system32\drivers\wacompen.sys [5/17/2006 8:31 AM 14208]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

HPService REG_MULTI_SZ HPSLPSVC

.

Contents of the 'Scheduled Tasks' folder

2010-05-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-24 23:18]

2010-05-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-24 23:18]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uInternet Settings,ProxyOverride = <local>

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

Trusted Zone: intuit.com\ttlc

Trusted Zone: isqft.com

Trusted Zone: isqft.com\www

Trusted Zone: isqft.com\www

.

- - - - ORPHANS REMOVED - - - -

BHO-{41890007-d1c6-405e-be05-335a39c03e6f} - (no file)

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-05-09 13:26

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2572)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\program files\windows journal\nbmaptip.dll

c:\windows\IME\SPGRMR.DLL

.

------------------------ Other Running Processes ------------------------

.

c:\program files\AVG\AVG9\avgchsvx.exe

c:\program files\AVG\AVG9\avgrsx.exe

c:\program files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe

c:\program files\AVG\AVG9\avgcsrvx.exe

c:\windows\System32\SCardSvr.exe

c:\windows\SYSTEM32\WISPTIS.EXE

c:\windows\System32\tabbtnu.exe

c:\windows\System32\digtizer.exe

c:\windows\system32\igfxext.exe

c:\windows\system32\igfxsrvc.exe

c:\program files\Google\Update\1.2.183.23\GoogleCrashHandler.exe

c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\AVG\AVG9\avgnsx.exe

c:\program files\lotus\notes\ntmulti.exe

c:\windows\system32\o2flash.exe

c:\windows\system32\wdfmgr.exe

c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe

c:\windows\system32\wscntfy.exe

c:\program files\Common Files\Microsoft Shared\Ink\TCServer.exe

c:\windows\AGRSMMSG.exe

c:\program files\Fujitsu\Utils\FjDspMon.exe

c:\program files\Fujitsu\Utils\fjevents.exe

c:\windows\system32\igfxsrvc.exe

c:\windows\system32\igfxext.exe

c:\program files\Yahoo!\Messenger\ymsgr_tray.exe

.

**************************************************************************

.

Completion time: 2010-05-09 13:29:09 - machine was rebooted

ComboFix-quarantined-files.txt 2010-05-09 17:29

Pre-Run: 13,062,860,800 bytes free

Post-Run: 13,849,145,344 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - 71A9A5D9F780D4C21E1AFF33C931BCD6


Download RootRepeal.zip and unzip it to your Desktop.

  • Double click RootRepeal.exe to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan
    Note: The scan can take some time. DO NOT run any other programs while the scan is running.
  • When the scan is complete, the Save Report button will become available
  • Click this and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program

If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.


ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2010/05/09 14:07

Program Version: Version 1.3.5.0

Windows Version: Windows XP Tablet PC Edition SP3

==================================================

Drivers

-------------------

Name: catchme.sys

Image Path: C:\Combo-Fix\catchme.sys

Address: 0xBA458000 Size: 31744 File Visible: No Signed: -

Status: -

Name: Combo-Fix.sys

Image Path: Combo-Fix.sys

Address: 0xBA118000 Size: 60416 File Visible: No Signed: -

Status: -

Name: dump_iaStor.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys

Address: 0x98761000 Size: 876544 File Visible: No Signed: -

Status: -

Name: mbr.sys

Image Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mbr.sys

Address: 0xBA430000 Size: 20864 File Visible: No Signed: -

Status: -

Name: PROCEXP113.SYS

Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS

Address: 0xBA62C000 Size: 7872 File Visible: No Signed: -

Status: -

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0x97B36000 Size: 49152 File Visible: No Signed: -

Status: -

Hidden/Locked Files

-------------------

Path: C:\WINDOWS\Temp\HPSLPS001.log

Status: Locked to the Windows API!

Path: d:\setupsnk.exe

Status: Size mismatch (API: 28672, Raw: 1049901663130775552)

Path: D:\System Volume Information\_r≮store{8152C0C8-324C-4987-80CA-A441BE6B69A5}

Status: Invisible to the Windows API!

Path: D:\System Volume Information\_restore{8152C0C8-324C-4987-80CA-A441BE6B69A5}

Status: Visible to the Windows API, but not on disk.

Path: \\?\D:\System Volume Information\_r≮store{8152C0C8-324C-4987-80CA-A441BE6B69A5}\*

Status: Could not enumerate files with the Windows API (0x00000003)!

Path: D:\System Volume Information\_r≮store{8152C0C8-324C-4987-80CA-A441BE6B69A5}\RP243

Status: Invisible to the Windows API!

Path: D:\System Volume Information\_r≮store{8152C0C8-324C-4987-80CA-A441BE6B69A5}\RP244

Status: Invisible to the Windows API!

Path: D:\System Volume Information\_r≮store{8152C0C8-324C-4987-80CA-A441BE6B69A5}\RP246

Status: Invisible to the Windows API!

Path: D:\System Volume Information\_r≮store{8152C0C8-324C-4987-80CA-A441BE6B69A5}\RP249

Status: Invisible to the Windows API!

Path: D:\System Volume Information\_r≮store{8152C0C8-324C-4987-80CA-A441BE6B69A5}\RP255

Status: Invisible to the Windows API!

Path: D:\System Volume Information\_r≮store{8152C0C8-324C-4987-80CA-A441BE6B69A5}\RP263

Status: Invisible to the Windows API!

Path: D:\System Volume Information\_r≮store{8152C0C8-324C-4987-80CA-A441BE6B69A5}\RP264

Status: Invisible to the Windows API!

Path: D:\System Volume Information\_r≮store{8152C0C8-324C-4987-80CA-A441BE6B69A5}\RP266

Status: Invisible to the Windows API!

Path: D:\System Volume Information\_r≮store{8152C0C8-324C-4987-80CA-A441BE6B69A5}\RP271

Status: Invisible to the Windows API!

Path: D:\System Volume Information\_r≮store{8152C0C8-324C-4987-80CA-A441BE6B69A5}\RP278

Status: Invisible to the Windows API!

Path: D:\System Volume Information\_r≮store{8152C0C8-324C-4987-80CA-A441BE6B69A5}\RP283

Status: Invisible to the Windows API!

Path: D:\System Volume Information\_r≮store{8152C0C8-324C-4987-80CA-A441BE6B69A5}\RP289

Status: Invisible to the Windows API!

Path: D:\System Volume Information\_r≮store{8152C0C8-324C-4987-80CA-A441BE6B69A5}\RP291

Status: Invisible to the Windows API!

Path: \\?\D:\System Volume Information\_r≮store{8152C0C8-324C-4987-80CA-A441BE6B69A5}\RP243\*

Status: Could not enumerate files with the Windows API (0x00000003)!

Path: D:\System Volume Information\_r≮store{8152C0C8-324C-4987-80CA-A441BE6B69A5}\RP243\change.log.1

Status: Invisible to the Windows API!

Path: D:\System Volume Information\_r≮store{8152C0C8-324C-4987-80CA-A441BE6B69A5}\RP243\RestorePointSize

Status: Invisible to the Windows API!

Path: \\?\D:\System Volume Information\_r≮store{8152C0C8-324C-4987-80CA-A441BE6B69A5}\RP244\*

Status: Could not enumerate files with the Windows API (0x00000003)!

Path: D:\System Volume Information\_r≮store{8152C0C8-324C-4987-80CA-A441BE6B69A5}\RP244\change.log.1

Status: Invisible to the Windows API!

Path: D:\System Volume Information\_r≮store{8152C0C8-324C-4987-80CA-A441BE6B69A5}\RP244\RestorePointSize

Status: Invisible to the Windows API!

Path: \\?\D:\System Volume Information\_r≮store{8152C0C8-324C-4987-80CA-A441BE6B69A5}\RP246\*

Status: Could not enumerate files with the Windows API (0x00000003)!

Path: D:\System Volume Information\_r≮store{8152C0C8-324C-4987-80CA-A441BE6B69A5}\RP246\change.log.1

Status: Invisible to the Windows API!

Path: D:\System Volume Information\_r≮store{8152C0C8-324C-4987-80CA-A441BE6B69A5}\RP246\RestorePointSize

Status: Invisible to the Windows API!

Path: \\?\D:\System Volume Information\_r≮store{8152C0C8-324C-4987-80CA-A441BE6B69A5}\RP249\*

Status: Could not enumerate files with the Windows API (0x00000003)!

Path: D:\System Volume Information\_r≮store{8152C0C8-324C-4987-80CA-A441BE6B69A5}\RP249\change.log.1

Status: Invisible to the Windows API!

Path: D:\System Volume Information\_r≮store{8152C0C8-324C-4987-80CA-A441BE6B69A5}\RP249\RestorePointSize

Status: Invisible to the Windows API!

Path: \\?\D:\System Volume Information\_r≮store{8152C0C8-324C-4987-80CA-A441BE6B69A5}\RP255\*

Status: Could not enumerate files with the Windows API (0x00000003)!

Path: D:\System Volume Information\_restore{8152C0C8-324C-4987-80CA-A441BE6B69A5}\RP255\change.log.1

Status: Invisible to the Windows API!

Path: D:\System Volume Information\_restore{8152C0C8-324C-4987-80CA-A441BE6B69A5}\RP255\RestorePointSize

Status: Invisible to the Windows API!

Path: \\?\D:\System Volume Information\_restore{8152C0C8-324C-4987-80CA-A441BE6B69A5}\RP263\*

Status: Could not enumerate files with the Windows API (0x00000003)!

Path: D:\System Volume Information\_restore{8152C0C8-324C-4987-80CA-A441BE6B69A5}\RP263\change.log.1

Status: Invisible to the Windows API!

Path: D:\System Volume Information\_restore{8152C0C8-324C-4987-80CA-A441BE6B69A5}\RP263\RestorePointSize

Status: Invisible to the Windows API!

Path: \\?\D:\System Volume Information\_restore{8152C0C8-324C-4987-80CA-A441BE6B69A5}\RP264\*

Status: Could not enumerate files with the Windows API (0x00000003)!

Path: D:\System Volume Information\_restore{8152C0C8-324C-4987-80CA-A441BE6B69A5}\RP264\change.log.1

Status: Invisible to the Windows API!

Path: D:\System Volume Information\_restore{8152C0C8-324C-4987-80CA-A441BE6B69A5}\RP264\RestorePointSize

Status: Invisible to the Windows API!

Path: \\?\D:\System Volume Information\_restore{8152C0C8-324C-4987-80CA-A441BE6B69A5}\RP266\*

Status: Could not enumerate files with the Windows API (0x00000003)!

Path: D:\System Volume Information\_restore{8152C0C8-324C-4987-80CA-A441BE6B69A5}\RP266\change.log.1

Status: Invisible to the Windows API!

Path: D:\System Volume Information\_restore{8152C0C8-324C-4987-80CA-A441BE6B69A5}\RP266\RestorePointSize

Status: Invisible to the Windows API!

Path: \\?\D:\System Volume Information\_restore{8152C0C8-324C-4987-80CA-A441BE6B69A5}\RP271\*

Status: Could not enumerate files with the Windows API (0x00000003)!

Path: D:\System Volume Information\_restore{8152C0C8-324C-4987-80CA-A441BE6B69A5}\RP271\change.log.1

Status: Invisible to the Windows API!

Path: D:\System Volume Information\_restore{8152C0C8-324C-4987-80CA-A441BE6B69A5}\RP271\change.log.2

Status: Invisible to the Windows API!

Path: D:\System Volume Information\_restore{8152C0C8-324C-4987-80CA-A441BE6B69A5}\RP271\RestorePointSize

Status: Invisible to the Windows API!

Path: \\?\D:\System Volume Information\_restore{8152C0C8-324C-4987-80CA-A441BE6B69A5}\RP278\*

Status: Could not enumerate files with the Windows API (0x00000003)!

Path: D:\System Volume Information\_restore{8152C0C8-324C-4987-80CA-A441BE6B69A5}\RP278\change.log.1

Status: Invisible to the Windows API!

Path: D:\System Volume Information\_restore{8152C0C8-324C-4987-80CA-A441BE6B69A5}\RP278\RestorePointSize

Status: Invisible to the Windows API!

Path: \\?\D:\System Volume Information\_restore{8152C0C8-324C-4987-80CA-A441BE6B69A5}\RP283\*

Status: Could not enumerate files with the Windows API (0x00000003)!

Path: D:\System Volume Information\_restore{8152C0C8-324C-4987-80CA-A441BE6B69A5}\RP283\change.log.1

Status: Invisible to the Windows API!

Path: D:\System Volume Information\_restore{8152C0C8-324C-4987-80CA-A441BE6B69A5}\RP283\RestorePointSize

Status: Invisible to the Windows API!

Path: \\?\D:\System Volume Information\_restore{8152C0C8-324C-4987-80CA-A441BE6B69A5}\RP289\*

Status: Could not enumerate files with the Windows API (0x00000003)!

Path: D:\System Volume Information\_restore{8152C0C8-324C-4987-80CA-A441BE6B69A5}\RP289\change.log.1

Status: Invisible to the Windows API!

Path: D:\System Volume Information\_restore{8152C0C8-324C-4987-80CA-A441BE6B69A5}\RP289\RestorePointSize

Status: Invisible to the Windows API!

Path: \\?\D:\System Volume Information\_restore{8152C0C8-324C-4987-80CA-A441BE6B69A5}\RP291\*

Status: Could not enumerate files with the Windows API (0x00000003)!

Path: D:\System Volume Information\_restore{8152C0C8-324C-4987-80CA-A441BE6B69A5}\RP291\A0106980.ini

Status: Invisible to the Windows API!

Path: D:\System Volume Information\_restore{8152C0C8-324C-4987-80CA-A441BE6B69A5}\RP291\A0106994.ini

Status: Invisible to the Windows API!

Path: D:\System Volume Information\_restore{8152C0C8-324C-4987-80CA-A441BE6B69A5}\RP291\A0106996.INF

Status: Invisible to the Windows API!

Path: D:\System Volume Information\_restore{8152C0C8-324C-4987-80CA-A441BE6B69A5}\RP291\change.log

Status: Invisible to the Windows API!

Path: D:\System Volume Information\_restore{8152C0C8-324C-4987-80CA-A441BE6B69A5}\RP291\change.log.1

Status: Invisible to the Windows API!

Path: D:\System Volume Information\_restore{8152C0C8-324C-4987-80CA-A441BE6B69A5}\RP291\RestorePointSize

Status: Invisible to the Windows API!

==EOF==


Open Notepad and copy and paste the text in the code box below into it:

http://forums.malwarebytes.org/index.php?showtopic=49828

KillAll::

Collect::[8]
c:\windows\Tasks.\nfowedgj.job
d:\setupsnk.exe

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

[screenshot: CFScriptB-4.gif]

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.


ComboFix 10-05-08.03 - Administrator 05/09/2010 14:33:51.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2550.1746 [GMT -4:00]

Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe

Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

file zipped: d:\setupsnk.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

d:\setupsnk.exe

.

((((((((((((((((((((((((( Files Created from 2010-04-09 to 2010-05-09 )))))))))))))))))))))))))))))))

.

2010-05-09 17:12 . 2010-05-09 17:29 -------- d-----w- C:\Combo-Fix

2010-05-09 15:47 . 2010-04-29 16:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-05-07 23:18 . 2010-05-09 16:25 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\etyfivgrf

2010-04-27 00:38 . 2010-04-27 00:38 50354 ----a-w- c:\documents and settings\Administrator\Application Data\Facebook\uninstall.exe

2010-04-27 00:38 . 2010-04-27 00:38 -------- d-----w- c:\documents and settings\Administrator\Application Data\Facebook

2010-04-20 17:30 . 2010-04-20 17:30 242696 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys

2010-04-20 17:27 . 2010-04-20 17:27 1689952 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll

2010-04-10 00:53 . 2010-04-10 00:53 98920 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-05-09 17:09 . 2009-12-14 02:29 -------- d-----w- c:\documents and settings\Administrator\Application Data\HPAppData

2010-04-28 13:32 . 2009-07-15 15:18 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3

2010-04-27 13:22 . 2009-07-15 15:20 3164 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2007\qbbackup.sys

2010-04-24 22:53 . 2010-04-06 13:42 -------- d-----w- c:\documents and settings\LocalService\Application Data\HPAppData

2010-04-22 23:09 . 2009-12-09 04:56 0 ----a-w- c:\windows\system32\drivers\FUJITSU_AE5AJ3A323450000_WXPTPC.MKR

2010-04-20 17:29 . 2010-02-11 00:34 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-04-14 18:50 . 2006-05-17 19:59 -------- d-----w- c:\program files\Google

2010-04-14 07:07 . 2009-07-15 16:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-03-18 14:55 . 2010-03-18 14:55 207056 ----a-w- c:\documents and settings\All Users\Application Data\tmp22E.tmp

2010-03-16 18:48 . 2010-03-16 18:48 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2010-03-16 18:48 . 2010-02-11 00:33 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2010-03-16 18:47 . 2010-02-11 00:33 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-03-11 12:38 . 2006-05-17 11:55 832512 ----a-w- c:\windows\system32\wininet.dll

2010-03-11 12:38 . 2006-05-17 11:54 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-03-11 12:38 . 2006-05-17 11:54 17408 ------w- c:\windows\system32\corpol.dll

2010-03-09 11:09 . 2006-05-17 11:55 430080 ----a-w- c:\windows\system32\vbscript.dll

2010-03-06 05:30 . 2010-03-06 05:30 847040 ----a-w- c:\documents and settings\Administrator\Application Data\Facebook\axfbootloader.dll

2010-03-06 05:30 . 2010-03-06 05:30 5582848 ----a-w- c:\documents and settings\Administrator\Application Data\Facebook\npfbplugin_1_0_3.dll

2010-02-24 13:11 . 2006-05-17 11:54 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2010-02-16 14:08 . 2004-08-03 23:18 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-02-15 20:47 . 2010-02-15 20:47 103449 ----a-w- c:\documents and settings\All Users\Application Data\tmp530.tmp

2010-02-15 00:52 . 2010-02-14 23:58 156075 ----a-w- c:\windows\hpwins12.dat

2010-02-12 04:33 . 2006-05-17 11:54 100864 ----a-w- c:\windows\system32\6to4svc.dll

2010-02-11 12:02 . 2006-05-17 11:55 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys

2001-12-03 21:09 . 2009-09-18 21:02 90112 ----a-w- c:\program files\internet explorer\plugins\DjVuControl.dll

.

((((((((((((((((((((((((((((( SnapShot@2010-05-09_17.25.18 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-05-09 18:38 . 2010-05-09 18:38 16384 c:\windows\Temp\Perflib_Perfdata_ba8.dat

+ 2010-05-09 18:38 . 2010-05-09 18:38 16384 c:\windows\Temp\Perflib_Perfdata_928.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]

"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-16 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]

"AGRSMMSG"="AGRSMMSG.exe" [2006-01-17 88365]

"FjStrtAp"="c:\program files\Fujitsu\Utils\FjStrtAp.exe" [2006-03-31 20480]

"FJUPDNV_Chitose"="c:\program files\Fujitsu\fjdvrupd\fjdvrupd.exe" [2005-11-19 303104]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-10-26 30192]

"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-07-16 122368]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-08-17 166424]

"IndicatorUtility"="c:\program files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe" [2005-09-10 81920]

"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-04-05 270336]

"LoadBtnHnd"="c:\program files\Fujitsu\BtnHnd\BtnHnd.exe" [2003-08-21 61440]

"LoadFUJ02E3"="c:\program files\Fujitsu\FUJ02E3\FUJ02E3.exe" [2006-01-28 73728]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-08-17 137752]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-11 149280]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-31 761946]

"TabletTip"="c:\program files\Common Files\microsoft shared\ink\tabtip.exe" [2008-04-14 271872]

"TabletWizard"="c:\windows\help\SplshWrp.exe" [2008-04-14 16384]

"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-03-16 18:48 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]

2008-04-14 00:11 47104 ----a-w- c:\program files\Common Files\Microsoft Shared\Ink\loginkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL]

2002-08-29 10:41 11776 ----a-w- c:\windows\system32\tabbtnwl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]

2008-04-14 00:12 32256 ----a-w- c:\windows\system32\tpgwlnot.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=

"c:\\WINDOWS\\system32\\msiexec.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Nitro PDF\\PrimoPDF\\PrimoPDF.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\Fujitsu\\Utils\\FjMnuIco.exe"=

"c:\\Program Files\\Fujitsu\\BtnHnd\\BtnHnd.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R0 FJGPNV;FJGPNV;c:\windows\system32\drivers\FJGPNV.SYS [5/17/2006 3:56 PM 10496]

R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2/21/2006 6:05 PM 36352]

R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [9/23/2005 10:48 AM 28544]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2/10/2010 8:33 PM 216200]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2/10/2010 8:34 PM 242896]

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/16/2010 2:48 PM 308064]

R3 Fjbtndrv;Fujitsu Button Driver;c:\windows\system32\drivers\FjBtnDrv.sys [5/17/2006 3:56 PM 17920]

R3 FUJ02E3;Fujitsu FUJ02E3 Device Driver;c:\windows\system32\drivers\fuj02e3.sys [5/17/2006 3:39 PM 4864]

R3 hidpen;Wacom Serial Pen HID MiniDriver;c:\windows\system32\drivers\hidpen.sys [5/17/2006 3:39 PM 31104]

S2 gupdate1ca0cb5d637f1e;Google Update Service (gupdate1ca0cb5d637f1e);c:\program files\Google\Update\GoogleUpdate.exe [7/24/2009 7:18 PM 133104]

S3 ADVNTDRV;ADVNTDRV;c:\windows\system32\drivers\ADVNTDRV.SYS [11/18/1999 8:20 PM 3872]

S3 FUJ02E1;%FUJ02E1.DeviceDesc%;c:\windows\system32\drivers\FUJ02E1.sys [5/17/2006 3:39 PM 5632]

S3 GoogleDesktopManager-093009-130223;Google Desktop Manager 5.9.909.30391;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [7/15/2009 10:28 AM 30192]

S3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [5/17/2006 3:39 PM 35968]

S3 WacomPen;Wacom Serial Pen HID Driver;c:\windows\system32\drivers\wacompen.sys [5/17/2006 8:31 AM 14208]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

HPService REG_MULTI_SZ HPSLPSVC

.

Contents of the 'Scheduled Tasks' folder

2010-05-09 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-07-16 23:05]

2010-05-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-24 23:18]

2010-05-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-24 23:18]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

Trusted Zone: intuit.com\ttlc

Trusted Zone: isqft.com

Trusted Zone: isqft.com\www

Trusted Zone: isqft.com\www

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-05-09 14:40

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2688)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\program files\windows journal\nbmaptip.dll

c:\windows\IME\SPGRMR.DLL

.

------------------------ Other Running Processes ------------------------

.

c:\program files\AVG\AVG9\avgchsvx.exe

c:\program files\AVG\AVG9\avgrsx.exe

c:\program files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe

c:\windows\System32\SCardSvr.exe

c:\program files\AVG\AVG9\avgcsrvx.exe

c:\windows\SYSTEM32\WISPTIS.EXE

c:\windows\System32\tabbtnu.exe

c:\program files\Google\Update\1.2.183.23\GoogleCrashHandler.exe

c:\windows\System32\digtizer.exe

c:\windows\system32\igfxext.exe

c:\windows\system32\igfxsrvc.exe

c:\program files\AVG\AVG9\avgnsx.exe

c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\lotus\notes\ntmulti.exe

c:\windows\system32\o2flash.exe

c:\program files\Common Files\Microsoft Shared\Ink\TCServer.exe

c:\windows\system32\wdfmgr.exe

c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe

c:\windows\system32\wscntfy.exe

c:\windows\AGRSMMSG.exe

c:\windows\system32\igfxsrvc.exe

c:\program files\Fujitsu\Utils\FjDspMon.exe

c:\program files\Fujitsu\Utils\fjevents.exe

c:\windows\system32\igfxext.exe

c:\program files\Yahoo!\Messenger\ymsgr_tray.exe

.

**************************************************************************

.

Completion time: 2010-05-09 14:43:33 - machine was rebooted

ComboFix-quarantined-files.txt 2010-05-09 18:43

ComboFix2.txt 2010-05-09 17:29

Pre-Run: 13,847,633,920 bytes free

Post-Run: 13,813,817,344 bytes free

- - End Of File - - E2330FB0497754AB7EE6F49CDC0A9E4D


Step 1:

Open Notepad and copy and paste the text in the code box below into it:

DirLook::
c:\documents and settings\Administrator\Local Settings\Application Data\etyfivgrf

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

[screenshot: CFScriptB-4.gif]

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

Step 2:

Please go to http://virustotal.com

Next to the "Browse" button, into the blank field, please paste the following:

c:\documents and settings\All Users\Application Data\tmp22E.tmp

Hit SEND FILE. Please be patient; it will take a while to get it scanned. Once all the scanners are done, post back with the results (copy & paste them here).


ComboFix 10-05-08.03 - Administrator 05/09/2010 15:48:33.4.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2550.1941 [GMT -4:00]

Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe

Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((( Files Created from 2010-04-09 to 2010-05-09 )))))))))))))))))))))))))))))))

.

2010-05-09 18:32 . 2010-05-09 18:43 -------- d-----w- C:\Combo-Fix18610C

2010-05-09 17:12 . 2010-05-09 17:29 -------- d-----w- C:\Combo-Fix

2010-05-09 15:47 . 2010-04-29 16:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-05-07 23:18 . 2010-05-09 16:25 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\etyfivgrf

2010-04-27 00:38 . 2010-04-27 00:38 50354 ----a-w- c:\documents and settings\Administrator\Application Data\Facebook\uninstall.exe

2010-04-27 00:38 . 2010-04-27 00:38 -------- d-----w- c:\documents and settings\Administrator\Application Data\Facebook

2010-04-20 17:30 . 2010-04-20 17:30 242696 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys

2010-04-20 17:27 . 2010-04-20 17:27 1689952 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll

2010-04-10 00:53 . 2010-04-10 00:53 98920 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-05-09 19:05 . 2009-12-14 02:29 -------- d-----w- c:\documents and settings\Administrator\Application Data\HPAppData

2010-04-28 13:32 . 2009-07-15 15:18 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3

2010-04-27 13:22 . 2009-07-15 15:20 3164 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2007\qbbackup.sys

2010-04-24 22:53 . 2010-04-06 13:42 -------- d-----w- c:\documents and settings\LocalService\Application Data\HPAppData

2010-04-22 23:09 . 2009-12-09 04:56 0 ----a-w- c:\windows\system32\drivers\FUJITSU_AE5AJ3A323450000_WXPTPC.MKR

2010-04-20 17:29 . 2010-02-11 00:34 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-04-14 18:50 . 2006-05-17 19:59 -------- d-----w- c:\program files\Google

2010-04-14 07:07 . 2009-07-15 16:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-03-18 14:55 . 2010-03-18 14:55 207056 ----a-w- c:\documents and settings\All Users\Application Data\tmp22E.tmp

2010-03-16 18:48 . 2010-03-16 18:48 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2010-03-16 18:48 . 2010-02-11 00:33 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2010-03-16 18:47 . 2010-02-11 00:33 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-03-11 12:38 . 2006-05-17 11:55 832512 ----a-w- c:\windows\system32\wininet.dll

2010-03-11 12:38 . 2006-05-17 11:54 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-03-11 12:38 . 2006-05-17 11:54 17408 ------w- c:\windows\system32\corpol.dll

2010-03-09 11:09 . 2006-05-17 11:55 430080 ----a-w- c:\windows\system32\vbscript.dll

2010-03-06 05:30 . 2010-03-06 05:30 847040 ----a-w- c:\documents and settings\Administrator\Application Data\Facebook\axfbootloader.dll

2010-03-06 05:30 . 2010-03-06 05:30 5582848 ----a-w- c:\documents and settings\Administrator\Application Data\Facebook\npfbplugin_1_0_3.dll

2010-02-24 13:11 . 2006-05-17 11:54 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2010-02-16 14:08 . 2004-08-03 23:18 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-02-15 20:47 . 2010-02-15 20:47 103449 ----a-w- c:\documents and settings\All Users\Application Data\tmp530.tmp

2010-02-15 00:52 . 2010-02-14 23:58 156075 ----a-w- c:\windows\hpwins12.dat

2010-02-12 04:33 . 2006-05-17 11:54 100864 ----a-w- c:\windows\system32\6to4svc.dll

2010-02-11 12:02 . 2006-05-17 11:55 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys

2001-12-03 21:09 . 2009-09-18 21:02 90112 ----a-w- c:\program files\internet explorer\plugins\DjVuControl.dll

.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

---- Directory of c:\documents and settings\Administrator\Local Settings\Application Data\etyfivgrf ----

((((((((((((((((((((((((((((( SnapShot@2010-05-09_17.25.18 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-05-09 19:45 . 2010-05-09 19:45 16384 c:\windows\Temp\Perflib_Perfdata_b88.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]

"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-16 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]

"AGRSMMSG"="AGRSMMSG.exe" [2006-01-17 88365]

"FjStrtAp"="c:\program files\Fujitsu\Utils\FjStrtAp.exe" [2006-03-31 20480]

"FJUPDNV_Chitose"="c:\program files\Fujitsu\fjdvrupd\fjdvrupd.exe" [2005-11-19 303104]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-10-26 30192]

"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-07-16 122368]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-08-17 166424]

"IndicatorUtility"="c:\program files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe" [2005-09-10 81920]

"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-04-05 270336]

"LoadBtnHnd"="c:\program files\Fujitsu\BtnHnd\BtnHnd.exe" [2003-08-21 61440]

"LoadFUJ02E3"="c:\program files\Fujitsu\FUJ02E3\FUJ02E3.exe" [2006-01-28 73728]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-08-17 137752]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-11 149280]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-31 761946]

"TabletTip"="c:\program files\Common Files\microsoft shared\ink\tabtip.exe" [2008-04-14 271872]

"TabletWizard"="c:\windows\help\SplshWrp.exe" [2008-04-14 16384]

"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-03-16 18:48 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]

2008-04-14 00:11 47104 ----a-w- c:\program files\Common Files\Microsoft Shared\Ink\loginkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL]

2002-08-29 10:41 11776 ----a-w- c:\windows\system32\tabbtnwl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]

2008-04-14 00:12 32256 ----a-w- c:\windows\system32\tpgwlnot.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=

"c:\\WINDOWS\\system32\\msiexec.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Nitro PDF\\PrimoPDF\\PrimoPDF.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\Fujitsu\\Utils\\FjMnuIco.exe"=

"c:\\Program Files\\Fujitsu\\BtnHnd\\BtnHnd.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R0 FJGPNV;FJGPNV;c:\windows\system32\drivers\FJGPNV.SYS [5/17/2006 3:56 PM 10496]

R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2/21/2006 6:05 PM 36352]

R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [9/23/2005 10:48 AM 28544]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2/10/2010 8:33 PM 216200]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2/10/2010 8:34 PM 242896]

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/16/2010 2:48 PM 308064]

R3 Fjbtndrv;Fujitsu Button Driver;c:\windows\system32\drivers\FjBtnDrv.sys [5/17/2006 3:56 PM 17920]

R3 FUJ02E3;Fujitsu FUJ02E3 Device Driver;c:\windows\system32\drivers\fuj02e3.sys [5/17/2006 3:39 PM 4864]

R3 hidpen;Wacom Serial Pen HID MiniDriver;c:\windows\system32\drivers\hidpen.sys [5/17/2006 3:39 PM 31104]

S2 gupdate1ca0cb5d637f1e;Google Update Service (gupdate1ca0cb5d637f1e);c:\program files\Google\Update\GoogleUpdate.exe [7/24/2009 7:18 PM 133104]

S3 ADVNTDRV;ADVNTDRV;c:\windows\system32\drivers\ADVNTDRV.SYS [11/18/1999 8:20 PM 3872]

S3 FUJ02E1;%FUJ02E1.DeviceDesc%;c:\windows\system32\drivers\FUJ02E1.sys [5/17/2006 3:39 PM 5632]

S3 GoogleDesktopManager-093009-130223;Google Desktop Manager 5.9.909.30391;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [7/15/2009 10:28 AM 30192]

S3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [5/17/2006 3:39 PM 35968]

S3 WacomPen;Wacom Serial Pen HID Driver;c:\windows\system32\drivers\wacompen.sys [5/17/2006 8:31 AM 14208]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

HPService REG_MULTI_SZ HPSLPSVC

.

Contents of the 'Scheduled Tasks' folder

2010-05-09 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-07-16 23:05]

2010-05-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-24 23:18]

2010-05-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-24 23:18]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

Trusted Zone: intuit.com\ttlc

Trusted Zone: isqft.com

Trusted Zone: isqft.com\www

Trusted Zone: isqft.com\www

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-05-09 15:53

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2896)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\program files\windows journal\nbmaptip.dll

c:\windows\IME\SPGRMR.DLL

.

Completion time: 2010-05-09 15:54:59

ComboFix-quarantined-files.txt 2010-05-09 19:54

ComboFix2.txt 2010-05-09 18:43

ComboFix3.txt 2010-05-09 17:29

Pre-Run: 13,815,136,256 bytes free

Post-Run: 13,781,733,376 bytes free

- - End Of File - - BF90E58C9F81881EC0D5E9D14E156A8A

===

Antivirus Version Last Update Result

a-squared 4.5.0.50 2010.05.09 -

AhnLab-V3 2010.05.09.00 2010.05.08 -

AntiVir 8.2.1.236 2010.05.07 -

Antiy-AVL 2.0.3.7 2010.05.07 -

Authentium 5.2.0.5 2010.05.09 -

Avast 4.8.1351.0 2010.05.09 -

Avast5 5.0.332.0 2010.05.09 -

AVG 9.0.0.787 2010.05.09 -

BitDefender 7.2 2010.05.09 -

CAT-QuickHeal 10.00 2010.05.08 -

ClamAV 0.96.0.3-git 2010.05.09 -

Comodo 4800 2010.05.09 -

DrWeb 5.0.2.03300 2010.05.09 -

eSafe 7.0.17.0 2010.05.09 -

eTrust-Vet None 2010.05.07 -

F-Prot 4.5.1.85 2010.05.09 -

F-Secure 9.0.15370.0 2010.05.09 -

Fortinet 4.1.133.0 2010.05.09 -

GData 21 2010.05.09 -

Ikarus T3.1.1.84.0 2010.05.09 -

Jiangmin 13.0.900 2010.05.09 -

Kaspersky 7.0.0.125 2010.05.09 -

McAfee 5.400.0.1158 2010.05.09 -

McAfee-GW-Edition 2010.1 2010.05.09 -

Microsoft 1.5703 2010.05.09 -

NOD32 5098 2010.05.09 -

Norman 6.04.12 2010.05.09 -

nProtect 2010-05-09.01 2010.05.09 -

Panda 10.0.2.7 2010.05.09 -

PCTools 7.0.3.5 2010.05.07 -

Prevx 3.0 2010.05.09 -

Rising 22.46.06.04 2010.05.09 -

Sophos 4.53.0 2010.05.09 -

Sunbelt 6282 2010.05.09 -

Symantec 20091.2.0.41 2010.05.09 -

TheHacker 6.5.2.0.277 2010.05.09 -

TrendMicro 9.120.0.1004 2010.05.09 -

TrendMicro-HouseCall 9.120.0.1004 2010.05.09 -

VBA32 3.12.12.4 2010.05.06 -

ViRobot 2010.5.8.2306 2010.05.08 -

VirusBuster 5.0.27.0 2010.05.09 -

Additional information

File size: 207056 bytes

MD5...: aabf83058030d6cc6c12d43418c33c86

SHA1..: 645f4e23532136f28e4880149ea55e90770837f0

SHA256: 7162605f36e71caabf4a1d765e2a193dd25546b9cf1157805e68c0e94f74db13

ssdeep: 3072:YW/koiDeUJOFIXBKZ2rR9GxIoFzZxoFftz+YKXidb3e+yIHkADvUhRJpeRc:YW8oWJweBDR9GxIet6ZEYMidb3jjhUhZ

PEiD..: -

PEInfo: -

RDS...: NSRL Reference Data Set

-

trid..: Adobe Portable Document Format (100.0%)

sigcheck:

publisher....: n/a

copyright....: n/a

product......: n/a

description..: n/a

original name: n/a

internal name: n/a

file version.: n/a

comments.....: n/a

signers......: -

signing date.: -

verified.....: Unsigned

pdfid.: PDF Header: %PDF-1.3

obj 36

endobj 36

stream 10

endstream 9

xref 1

trailer 1

startxref 1

/Page 2

/Encrypt 0

/ObjStm 0

/JS 0

/JavaScript 0

/AA 0

/OpenAction 0

/AcroForm 0

/JBIG2Decode 0

/RichMedia 0

/Launch 0

/Colors > 2^24 0


Please manually delete the following folder:

c:\documents and settings\Administrator\Local Settings\Application Data\etyfivgrf

Let me know how are things running now.


I don't see a folder or file of that name.

I don't see a folder \Local Settings\ in administrator. ???

Everything seems to be ok since the malwarebytes run.


Found it and deleted it after I reset to show hidden files.


Good! :blink:

Last steps:

Step 1:

  1. Please visit this website: Submit Malware Sample
  2. Against the inscription: "Link to topic where this file was requested:", insert a link pointing to this topic in our forum.
  3. Against the inscription: "Browse to the file you want to submit:", click on the Choose... button.
  4. Navigate to the following file: C:\Qoobox\Quarantine\[8]-Submit_date_time.zip (date_time will be replaced with the date and time when this file was created)
  5. Against the inscription: "Leave any comments, further information about this file, or contact information:", write the following:
    Sent at the request of Borislav.
  6. Once you're ready, click the Send File button.

Step 2:

* Go to start > run and copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Step 3:

Please manually delete RootRepeal.

Step 4:

Some malware preventions:

http://miekiemoes.blogspot.com/2008/02/how...nt-malware.html

Safe surfing! :)


Done. Thanks.

Any clue as to how I got this? I don't remember opening or doing anything different.


According to our researchers:

Rogue programs use different methods for spreading themselves. This particular one was posing as a porn-video.

Though not necessarily in that way, this is the most popular one.


Done. Thanks.

Any clue on how I got this? I don't remember doing anything different than I usually do, nor was I opening files when it started. I had hardly even used it the day it started.


Not on this puter. Unless my son was using it.

Thanks I donated.


Thank you so much! :blink:

Good luck!

This topic is now closed to further replies.