Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93081 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

[Resolved] BackDoor.Generic11.BBDE


  • This topic is locked This topic is locked
10 replies to this topic

#1 ccbutler

ccbutler

    New Member

  • Authentic Member
  • Pip
  • 5 posts

Posted 28 October 2009 - 03:50 PM

I have the same problem as user "maxurn" had in a recent post as described below. I have scan ned the file per suggestion of "LDLate" without success at http://virusscan.jotti.org,

Good Morning. I have AVG 8.5 which detected the BackDoor.Generic11.BBDE trojan horse which has infected the file asyncmas.sys file in the following directory: "C:\WINDOWS\system32\driverss" AVG will not delete or heal the file. I greatly appreciate your help!



AVG (both 8.5 and 9.0) anti-virus is telling me on the boot scan that I have the file abpve infected infected with Trojan Horse BackDoor.Generic11.BBDE. The only option that AVG gives me when the warning pops up is to "Ignore" it.

    Advertisements

Register to Remove


#2 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 30 October 2009 - 07:52 PM

Posted Image


DO NOT use any TOOLS such as Combofix, SmitfraudFix, MBAM, Vundofix, or HijackThis fixes without supervision.

Doing so could make your pc inoperatible and could require a full reinstall of your OS, losing all your programs and data.


Vista users:
1. These tools MUST be run from the executable. (.exe) every time you run them
2. With Admin Rights (Right click, choose "Run as Administrator")


Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

I suggest you do this:

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Uncheck "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Uncheck "Hide protected operating system files."
Click Apply, and then click OK.


Please do not delete anything unless instructed to.


Please download ATF Cleaner by Atribune.
Download - ATF Cleaner»
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Posted Image
Click the Empty Selected button.

(If you use FireFox or the Opera browser
To keep saved passwords, click No at the prompt.)

It's normal after running ATF cleaner that the PC will be slower to boot the first time or two.

Next:

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
    Posted Image
  • When the scan is complete, click OK, then Show Results to view the results.
  • Posted Image
  • Then click Remove Selected .
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Also "copy/paste" a new HijackThis log file into this thread.

Also please describe how your computer behaves at the moment.


Please don't attach the scans / logs, use "copy/paste". .

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#3 ccbutler

ccbutler

    New Member

  • Authentic Member
  • Pip
  • 5 posts

Posted 31 October 2009 - 08:51 AM

(No malicious items detected) Registry Keys Infected: HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully. HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully. HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully. HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{c48635ad-d6b5-3ee4-aaa2-540d5a173658} (Backdoor.Bot) -> Quarantined and deleted successfully. HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully. HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully. HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully. HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{c48635ad-d6b5-3ee4-aaa2-540d5a173658} (Backdoor.Bot) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.1/popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\TypeLib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\fias4051 (Malware.Trace) -> Quarantined and deleted successfully. Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\CONFLICT.1\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\FirstInstallFlag (Malware.Trace) -> Quarantined and deleted successfully. Registry Data Items Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe logon.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully. Folders Infected: C:\WINDOWS\system32\lowsec (Stolen.data) -> Quarantined and deleted successfully. C:\Documents and Settings\All Users\Microsoft Private Data (Rogue.ProofDefender) -> Quarantined and deleted successfully. C:\Documents and Settings\All Users\Microsoft Private Data\Microsoft (Rogue.ProofDefender) -> Quarantined and deleted successfully. Files Infected: C:\WINDOWS\system32\logon.exe (Worm.Emold) -> Delete on reboot. C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully. C:\WINDOWS\Downloaded Program Files\CONFLICT.1\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully. C:\Documents and Settings\All Users\Microsoft Private Data\Microsoft\t.id (Rogue.ProofDefender) -> Quarantined and deleted successfully. "describe how computer runs at this moment" do not notice anything in particular, although IE still slow to load. I will try another reboot.

Edited by ccbutler, 31 October 2009 - 08:53 AM.


#4 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 31 October 2009 - 05:04 PM

Whether you wish to continue with cleaning or not, you should be aware that you may have been infected by a backdoor trojan. This type of program has the ability to steal passwords and other information from your system. If you are using your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:
  • Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, paypal, ebay, etc. You should also change the passwords for any other site you use.
  • Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen and ask what steps to take with regard to your account.
  • Consider what other private information could possibly have been taken from your computer and take appropriate steps
This infection can almost certainly be cleaned, but as the malware could be configured to run any program a remote attacker requires, it will be impossible to be 100% sure that the machine is clean, if this is unacceptable to you then you should consider reformatting the system partition and reinstalling Windows as this is the only 100% sure answer.

Please post back to let me know how you wish to proceed.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#5 ccbutler

ccbutler

    New Member

  • Authentic Member
  • Pip
  • 5 posts

Posted 31 October 2009 - 06:52 PM

I guess i would like to try to clean it for now.

#6 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 31 October 2009 - 06:53 PM

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs

  • Double click on ComboFix.exe & follow the prompts.

    Note: Combofix will run without the Recovery Console installed.

  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
"copy/paste" a new HijackThis log file into this thread as well.

Notes:

1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it atleast 20-30 minutes to finish if needed.


Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#7 ccbutler

ccbutler

    New Member

  • Authentic Member
  • Pip
  • 5 posts

Posted 31 October 2009 - 08:01 PM

ComboFix 09-10-30.01 - Owner 10/31/2009 21:46.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1150.673 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\popcaploader.inf

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((( Files Created from 2009-10-01 to 2009-11-01 )))))))))))))))))))))))))))))))
.

2009-11-01 01:50 . 2008-04-14 09:42 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-11-01 01:50 . 2008-04-14 09:42 50176 ----a-w- c:\windows\system32\proquota.exe
2009-10-31 14:24 . 2009-10-31 14:24 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-10-31 14:24 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-31 14:24 . 2009-10-31 14:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-31 14:24 . 2009-10-31 14:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-31 14:24 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-27 01:04 . 2009-10-28 04:23 -------- d-----w- c:\windows\system32\Icons
2009-10-27 00:45 . 2008-06-17 19:02 8461312 ----a-w- c:\windows\system32\shell32custom.dll
2009-10-13 22:08 . 2009-10-13 22:08 -------- d-----w- c:\program files\DIFX
2009-10-13 22:08 . 2009-10-13 22:08 -------- d-----w- c:\program files\Mars
2009-10-06 23:08 . 2009-10-08 01:24 -------- d-----w- C:\BasicDVD
2009-10-06 22:10 . 2009-10-06 22:10 -------- d-----w- c:\documents and settings\Ann\Application Data\ArcSoft
2009-10-06 22:01 . 2009-10-06 22:01 -------- d-----w- c:\windows\Hewlett-Packard
2009-10-06 22:01 . 2009-10-06 22:01 -------- d-----w- c:\program files\Simple Backup
2009-10-06 21:59 . 2009-10-06 21:59 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink
2009-10-06 21:59 . 2009-10-06 21:59 -------- d-----w- c:\program files\CyberLink
2009-10-06 21:59 . 2009-10-06 22:00 -------- d-----w- c:\program files\PowerDVD
2009-10-06 21:57 . 2009-10-06 21:57 -------- d-----w- c:\program files\Common Files\muvee Technologies
2009-10-06 21:57 . 2009-10-06 21:57 -------- d-----w- c:\program files\muvee autoProducer DVD Edition - HPC
2009-10-06 21:56 . 2009-10-06 21:56 -------- d-----w- c:\documents and settings\All Users\Application Data\muvee Technologies
2009-10-06 21:56 . 2002-10-01 13:22 9856 ----a-w- c:\windows\system32\drivers\pfc.sys
2009-10-06 21:55 . 2003-04-03 15:09 81920 ----a-w- c:\windows\system32\mplaw7.dll
2009-10-06 21:55 . 2003-04-03 15:09 81920 ----a-w- c:\windows\system32\mplaa6.dll
2009-10-06 21:55 . 2003-04-03 15:09 69632 ----a-w- c:\windows\system32\mplapx.dll
2009-10-06 21:55 . 2003-04-03 15:09 69632 ----a-w- c:\windows\system32\mplam6.dll
2009-10-06 21:55 . 2003-04-03 15:09 49152 ----a-w- c:\windows\system32\cpuinf32.dll
2009-10-06 21:55 . 2003-04-03 15:09 1675264 ----a-w- c:\windows\system32\mplva6.dll
2009-10-06 21:55 . 2003-04-03 15:09 1630208 ----a-w- c:\windows\system32\mplvw7.dll
2009-10-06 21:55 . 2003-04-03 15:09 1581056 ----a-w- c:\windows\system32\mplvm6.dll
2009-10-06 21:55 . 2003-04-03 15:09 1150976 ----a-w- c:\windows\system32\mplvpx.dll
2009-10-06 21:53 . 2009-10-06 21:53 -------- d-----w- c:\program files\RecordNow
2009-10-06 21:52 . 2009-10-06 22:02 -------- d-----w- c:\program files\HP DVD

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-24 13:59 . 2008-10-19 00:26 -------- d-----w- c:\program files\HotDocs
2009-10-20 16:35 . 2008-07-17 19:18 95896 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-08 00:12 . 2008-07-23 00:14 -------- d-----w- c:\documents and settings\Owner\Application Data\ArcSoft
2009-10-06 22:03 . 2008-07-17 18:45 -------- d-----w- c:\program files\Hewlett-Packard
2009-10-06 21:59 . 2008-07-17 18:30 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-06 21:54 . 2008-07-23 00:03 -------- d-----w- c:\program files\ArcSoft
2009-09-20 14:24 . 2009-04-08 22:46 -------- d-----w- c:\documents and settings\Owner\Application Data\GetRightToGo
2009-09-11 14:18 . 2002-08-29 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 01:28 . 2008-09-25 13:16 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-10 17:07 . 2008-07-17 19:52 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-04 21:03 . 2002-08-29 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2002-08-29 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2009-06-15 04:03 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2002-08-29 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-26 08:00 . 2002-08-29 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-16 22:24 . 2008-07-19 13:58 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-16 22:24 . 2008-07-19 13:58 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-16 22:24 . 2008-07-19 13:58 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-06 23:24 . 2008-07-17 19:10 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 23:24 . 2007-07-30 23:19 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 23:24 . 2008-07-17 19:10 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 23:24 . 2007-07-30 23:19 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 23:24 . 2008-07-17 20:01 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-06 23:24 . 2002-08-29 12:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 23:23 . 2008-07-17 19:10 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 23:23 . 2008-09-25 16:06 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-06 23:23 . 2008-07-18 23:28 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 23:23 . 2008-07-17 20:01 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2002-08-29 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 00:44 . 2002-08-29 12:00 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2002-08-29 01:04 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-01-14 23:26 . 2009-01-14 23:26 55088 ----a-w- c:\program files\MFInstall.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-01 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-17 2025752]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-02-01 255528]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2002-12-17 49152]
"DVDTray"="c:\program files\HP DVD\Umbrella\DVDTray.exe" [2003-07-23 69632]
"DVDBitSet"="c:\program files\HP DVD\Umbrella\DVDBitSet.exe" [2003-07-18 204800]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-16 22:24 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Themes"=2 (0x2)
"RoxLiveShare9"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"gusvc"=3 (0x3)
"ERSvc"=2 (0x2)
"CiSvc"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\SonicWALL\\SonicWALL Global VPN Client\\SWGVpnClient.exe"=
"c:\\Program Files\\Roxio\\Media Manager 9\\MediaManager9.exe"=
"c:\\Program Files\\Roxio\\Digital Home 9\\RoxioUpnpService9.exe"=
"c:\\WINDOWS\\system32\\msiexec.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\TomTom HOME 2\\xulrunner\\TomTomHOMERuntime.exe"=
"c:\\Program Files\\Family Tree Maker 16\\Ftw.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/19/2008 9:58 AM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [7/19/2008 9:58 AM 108552]
R1 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\drivers\RCFOX.SYS [7/29/2008 3:35 PM 101528]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/20/2008 8:55 AM 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/20/2008 8:55 AM 297752]
R2 OneTouch 4.0 Monitor;OneTouch 4.0 Monitor;c:\program files\Visioneer\OneTouch 4.0\OtService.exe [7/13/2007 1:21 AM 126976]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [8/7/2009 10:31 AM 92008]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [8/23/2005 7:06 AM 231424]
R3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys [7/29/2008 3:34 PM 24876]
S3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [7/5/2009 1:23 PM 18864]
S3 hpusbwdm;HP DVD Movie Writer dc3000;c:\windows\system32\drivers\hpusbwdm.sys [8/5/2003 2:16 PM 1080064]
S3 pc100;Linksys EtherFast 10/100 PC Card NT Driver;c:\windows\system32\drivers\pc100nds.sys [7/17/2008 5:58 PM 30495]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - CLASSPNP_2
*NewlyCreated* - MBR
*Deregistered* - CLASSPNP_2
*Deregistered* - mbr

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
Contents of the 'Scheduled Tasks' folder

2009-11-01 c:\windows\Tasks\User_Feed_Synchronization-{C23D985C-1F1F-4017-8E73-DC4FAE802E39}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 22:36]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = about:blank
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {2C9A45CA-14D5-47F3-9E9F-CCB553CE73AA} - hxxp://pmdownloads.lexisnexis.com/installs/tmbm9/pro/setup-files/install.cab
DPF: {76A2A0AB-38B7-46DB-8E47-F10CDE4D7920} - hxxp://aerial.leepa.org/ecwplugins/NCS.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-31 21:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\:õwjY*]
"DisplayName"="???\16?\11\09"
"DeviceDesc"="???\16?\11\09"
"ProviderName"="???\11?#@\11??"
"MFG"="???????"
"ReinstallString"=".10.1000.5"
"DeviceInstanceIds"=multi:"c:\\swsetup\\sp31101\\sbdrv\\smbus\\smbusati.inf\00"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1692)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-11-01 21:56
ComboFix-quarantined-files.txt 2009-11-01 01:56
ComboFix2.txt 2009-03-29 16:18

Pre-Run: 39,162,159,104 bytes free
Post-Run: 39,079,444,480 bytes free

- - End Of File - - 858640B104B95B65BD3365DBAB1AFE6F

#8 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 31 October 2009 - 08:09 PM

Good job :thumbup:

The following will implement some cleanup procedures as well as reset System Restore points:

  • Click START then RUN
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

    • Posted Image


    To be on the safe side, I would also change all my passwords.


    Here's my usual all clean post

    Log looks good :D


    • Make your Internet Explorer more secure - This can be done by following these simple instructions:
      • From within Internet Explorer click on the Tools menu and then click on Options.
      • Click once on the Security tab
      • Click once on the Internet icon so it becomes highlighted.
      • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week
    (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer.
    Without a firewall your computer is succeptible to being hacked and taken over.
    I am very serious about this and see it happen almost every day with my clients.
    Simply using a Firewall in its default configuration can lower your risk greatly.

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly.
    This will ensure your computer has always the latest security updates available installed on your computer.
    If there are new updates to install, install them immediately, reboot your computer, and revisit the site
    until there are no more critical updates.

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly.
    Without regular updates you WILL NOT be protected when new malicious programs are released.

Only run one Anti-Virus and Firewall program.


I would suggest you read How to Prevent Malware:

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#9 ccbutler

ccbutler

    New Member

  • Authentic Member
  • Pip
  • 5 posts

Posted 31 October 2009 - 08:22 PM

thank you very much

#10 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 31 October 2009 - 08:22 PM

You're more then welcome. Glad we were able to help Peace be with you :wavey:

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#11 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 31 October 2009 - 08:23 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users