
no internet after ComboFix


This topic is locked.
44 replies to this topic

#1 Infected Bad (Authentic Member, 24 posts)

Posted 21 November 2011 - 02:19 PM

Hey, I had no knowledge about ComboFix until I followed another thread about the Google redirect virus, and followed through with ComboFix. The first time I ran it, after 2 hours I stopped it because I thought it froze. Afterwards it said connected to unidentified network and had limited access, or it would say identifying. The next day I ran ComboFix again and let the computer sit all day. It took about 5 hours until it completed. Everything works great except for no internet. My connection can now identify the network name and it also says local and internet, but Google Chrome, Firefox, and Internet Explorer can't pull up any webpages. I can send messages through Skype, send files, and Skype says I'm online, but nothing else seems to work. I've tried everything from using all the ipconfig commands to using ipfix and winsrepair. No results... please help as I'm out of ideas... here are all of my logs.


#2 Tomk (Beguilement Monitor, Global Moderator, 20,451 posts)

Posted 23 November 2011 - 11:37 AM

Hi Infected Bad,

:welcome:

My name is Tomk. I would be glad to take a look at your log and help you with solving any malware problems. Logs can take a while to research, so please be patient and I'd be grateful if you would note the following:

  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

COMBOFIX-Script

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    File::
    c:\program files\Bandoo\BndHook.dll
    
    Folder::
    c:\users\Adge Pro\AppData\Roaming\UivD3onF4m6W7E9
    c:\users\Adge Pro\AppData\Roaming\aZ9hTXwjUeItPyA
    c:\users\Adge Pro\AppData\Roaming\P8gTZqjYCkx0v2b
    c:\users\Adge Pro\AppData\Roaming\mD2onF4am5
    c:\users\Adge Pro\AppData\Roaming\pRL9gTXqj
    c:\users\Adge Pro\AppData\Roaming\CCekIBrzPyAuDo
    c:\users\Adge Pro\AppData\Roaming\uqjYCwkIVzNx
    c:\users\Adge Pro\AppData\Roaming\mwjUCelIBzNc1v2
    c:\users\Adge Pro\AppData\Roaming\x0ucS2ibDpG
    c:\users\Adge Pro\AppData\Roaming\cD3onG4aQ
    c:\users\Adge Pro\AppData\Roaming\n9hTXqjUClBzNc1
    c:\users\Adge Pro\AppData\Roaming\u0ucS1ibDpGaHdK
    c:\users\Adge Pro\AppData\Roaming\qXwkUVrlOtPuSiD
    c:\users\Adge Pro\AppData\Roaming\VEK8gRZqh
    c:\users\Adge Pro\AppData\Roaming\jZYkrNPci3G6KRh
    c:\users\Adge Pro\AppData\Roaming\IVOPci3GQs7qeBN
    c:\users\Adge Pro\AppData\Roaming\TXI1FWTzupdXwUe
    c:\users\Adge Pro\AppData\Roaming\iwwkUUeS49PbECN
    c:\users\Adge Pro\AppData\Roaming\Zn66ssfjzupdYlB
    c:\users\Adge Pro\AppData\Roaming\YBxxP00ucS1bDpn
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=-
    
    Firefox::
    FF - ProfilePath - c:\users\Adge Pro\AppData\Roaming\Mozilla\Firefox\Profiles\jb6npyyz.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2956077&SearchSource=3&q={searchTerms}
    FF - prefs.js: keyword.URL - hxxp://www.searchqu.com/web?src=ffb&q=
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.http_port - 59939
    FF - prefs.js: network.proxy.type - 0
    
    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:59939
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
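The Firefox network.proxy.* entries and the WinINET ProxyServer value that the CFScript above removes are what leave a machine "connected but unable to browse" once the local proxy process they point at is gone. The checker below is an added example, not code from the thread or from ComboFix; it runs on constructed samples that mirror those entries, the registry values are passed in as strings instead of being read with winreg so it runs anywhere, and names such as find_loopback_proxies are this example's own.

```python
"""Detect a leftover loopback proxy in Firefox prefs.js and WinINET settings.

Added example (not part of the original thread or of ComboFix). Malware that
intercepts browsing often installs a proxy on 127.0.0.1 and points every
browser at it; once the proxy process is removed, the browsers still point
at a closed port and every page load fails, while the NIC reports a healthy
connection.
"""
import ipaddress
import re
import socket
from typing import Dict, List, Tuple

# Constructed prefs.js fragment mirroring the CFScript entries above.
# network.proxy.type 1 = manual proxy in use (the log shows 0, i.e. disabled).
SAMPLE_PREFS_JS = '''
user_pref("browser.search.defaulturl", "hxxp://search.conduit.com/ResultsExt.aspx");
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 59939);
user_pref("network.proxy.type", 1);
'''

# Constructed WinINET values in the form ComboFix/DDS reports them.
SAMPLE_PROXY_SERVER = "http=127.0.0.1:59939"
SAMPLE_PROXY_ENABLE = 1

# user_pref("name", "string"); | user_pref("name", 123); | user_pref("name", true);
_PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(?:"([^"]*)"|(\d+)|(true|false))\);')


def parse_prefs_js(text: str) -> Dict[str, object]:
    """Parse user_pref lines into a dict of name -> str | int | bool."""
    prefs: Dict[str, object] = {}
    for m in _PREF_RE.finditer(text):
        name, s, n, b = m.groups()
        if s is not None:
            prefs[name] = s
        elif n is not None:
            prefs[name] = int(n)
        else:
            prefs[name] = (b == "true")
    return prefs


def parse_proxy_server(value: str) -> Dict[str, Tuple[str, int]]:
    """Split a WinINET ProxyServer string into {scheme: (host, port)}.

    Accepts "host:port" (applies to all schemes, stored under "*") and the
    per-scheme form "http=host:port;https=host:port". A missing port is 80.
    """
    out: Dict[str, Tuple[str, int]] = {}
    for part in filter(None, value.split(";")):
        scheme, _, hostport = part.rpartition("=")
        host, _, port = hostport.rpartition(":")
        if not host:
            host, port = hostport, "80"
        out[scheme or "*"] = (host, int(port))
    return out


def is_loopback(host: str) -> bool:
    """True for 127.0.0.0/8, ::1 and the name localhost."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"


def find_loopback_proxies(prefs_js: str, proxy_server: str, proxy_enable: int) -> List[str]:
    """Return one finding per browser setting that routes traffic to a local proxy."""
    findings: List[str] = []
    prefs = parse_prefs_js(prefs_js)
    host = prefs.get("network.proxy.http")
    port = prefs.get("network.proxy.http_port")
    if prefs.get("network.proxy.type") == 1 and isinstance(host, str) and is_loopback(host):
        findings.append(f"firefox: network.proxy.http -> {host}:{port}")
    if proxy_enable:
        for scheme, (h, p) in parse_proxy_server(proxy_server).items():
            if is_loopback(h):
                findings.append(f"wininet: ProxyServer {scheme} -> {h}:{p}")
    return findings


def proxy_port_is_listening(host: str, port: int, timeout: float = 0.5) -> bool:
    """True if something still accepts connections on the configured proxy port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for finding in find_loopback_proxies(SAMPLE_PREFS_JS, SAMPLE_PROXY_SERVER, SAMPLE_PROXY_ENABLE):
        print("hijacked proxy setting:", finding)
    # A setting that points at a closed loopback port explains "online but no web pages".
    print("listener on 127.0.0.1:59939?", proxy_port_is_listening("127.0.0.1", 59939))
```

A finding with no listener on the port is the exact state this thread describes: the proxying malware is gone but the browsers still point at it, so the setting itself must be removed.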
 

#3 Infected Bad (Authentic Member, 24 posts)

Posted 23 November 2011 - 05:30 PM

Hi

Thanks for the help. Here is the log requested.

ComboFix 11-11-19.04 - Adge Pro 11/23/2011 18:04:45.4.1 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.2046.1480 [GMT -5:00]
Running from: c:\users\Adge Pro\Desktop\Combo-Fix.exe
Command switches used :: c:\users\Adge Pro\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\program files\Bandoo\BndHook.dll"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Bandoo\BndHook.dll
c:\users\Adge Pro\AppData\Roaming\aZ9hTXwjUeItPyA
c:\users\Adge Pro\AppData\Roaming\CCekIBrzPyAuDo
c:\users\Adge Pro\AppData\Roaming\CCekIBrzPyAuDo\AV Security 2012.ico
c:\users\Adge Pro\AppData\Roaming\cD3onG4aQ
c:\users\Adge Pro\AppData\Roaming\IVOPci3GQs7qeBN
c:\users\Adge Pro\AppData\Roaming\iwwkUUeS49PbECN
c:\users\Adge Pro\AppData\Roaming\jZYkrNPci3G6KRh
c:\users\Adge Pro\AppData\Roaming\jZYkrNPci3G6KRh\AV Security 2012.ico
c:\users\Adge Pro\AppData\Roaming\mD2onF4am5
c:\users\Adge Pro\AppData\Roaming\mwjUCelIBzNc1v2
c:\users\Adge Pro\AppData\Roaming\n9hTXqjUClBzNc1
c:\users\Adge Pro\AppData\Roaming\n9hTXqjUClBzNc1\AV Security 2012.ico
c:\users\Adge Pro\AppData\Roaming\P8gTZqjYCkx0v2b
c:\users\Adge Pro\AppData\Roaming\P8gTZqjYCkx0v2b\AV Security 2012.ico
c:\users\Adge Pro\AppData\Roaming\pRL9gTXqj
c:\users\Adge Pro\AppData\Roaming\qXwkUVrlOtPuSiD
c:\users\Adge Pro\AppData\Roaming\qXwkUVrlOtPuSiD\AV Security 2012.ico
c:\users\Adge Pro\AppData\Roaming\TXI1FWTzupdXwUe
c:\users\Adge Pro\AppData\Roaming\TXI1FWTzupdXwUe\AV Security 2012.ico
c:\users\Adge Pro\AppData\Roaming\u0ucS1ibDpGaHdK
c:\users\Adge Pro\AppData\Roaming\UivD3onF4m6W7E9
c:\users\Adge Pro\AppData\Roaming\UivD3onF4m6W7E9\AV Security 2012.ico
c:\users\Adge Pro\AppData\Roaming\uqjYCwkIVzNx
c:\users\Adge Pro\AppData\Roaming\uqjYCwkIVzNx\AV Security 2012.ico
c:\users\Adge Pro\AppData\Roaming\VEK8gRZqh
c:\users\Adge Pro\AppData\Roaming\x0ucS2ibDpG
c:\users\Adge Pro\AppData\Roaming\x0ucS2ibDpG\AV Security 2012.ico
c:\users\Adge Pro\AppData\Roaming\YBxxP00ucS1bDpn
c:\users\Adge Pro\AppData\Roaming\Zn66ssfjzupdYlB
c:\windows\system\svchost.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_COMSysApp
.
.
((((((((((((((((((((((((( Files Created from 2011-10-23 to 2011-11-23 )))))))))))))))))))))))))))))))
.
.
2011-11-23 23:13 . 2011-11-23 23:16 -------- d-----w- c:\users\Adge Pro\AppData\Local\temp
2011-11-23 23:13 . 2011-11-23 23:13 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-11-23 21:19 . 2011-11-23 21:19 -------- d-----w- c:\program files\Antares Audio Technologies
2011-11-23 21:15 . 2003-06-20 18:28 1777664 ----a-w- c:\windows\system32\gdiplus.dll
2011-11-15 03:15 . 2011-11-15 03:15 -------- d-----w- c:\users\Public\Waves Audio
2011-11-15 03:15 . 2011-11-15 03:20 -------- d-----w- c:\programdata\Waves Audio
2011-11-15 03:07 . 2011-11-23 20:34 -------- d-----w- c:\program files\WinPcap
2011-11-14 23:44 . 2011-11-15 03:17 -------- d-----w- c:\users\Adge Pro\AppData\Roaming\Waves Audio
2011-11-14 21:38 . 2011-11-16 19:10 -------- d-----w- c:\users\Adge Pro\riotsGamesLogs
2011-11-14 21:38 . 2011-11-14 21:38 -------- d-----w- c:\users\Adge Pro\AppData\Roaming\LolClient
2011-11-14 21:28 . 2011-11-14 21:28 162304 ----a-w- c:\windows\system32\ncusbw32.dll
2011-11-14 06:59 . 2008-07-31 15:41 68616 ----a-w- c:\windows\system32\XAPOFX1_1.dll
2011-11-14 06:59 . 2008-07-31 15:40 509448 ----a-w- c:\windows\system32\XAudio2_2.dll
2011-11-14 06:59 . 2008-07-12 13:18 467984 ----a-w- c:\windows\system32\d3dx10_39.dll
2011-11-14 06:59 . 2008-07-12 13:18 1493528 ----a-w- c:\windows\system32\D3DCompiler_39.dll
2011-11-14 06:59 . 2008-07-12 13:18 3851784 ----a-w- c:\windows\system32\D3DX9_39.dll
2011-11-13 21:43 . 2011-09-20 21:02 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-11-13 21:25 . 2011-08-25 16:15 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2011-11-13 21:25 . 2011-08-25 16:14 563712 ----a-w- c:\windows\system32\oleaut32.dll
2011-11-13 21:25 . 2011-08-25 16:14 238080 ----a-w- c:\windows\system32\oleacc.dll
2011-11-13 21:25 . 2011-08-25 13:31 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2011-11-13 21:15 . 2011-09-30 15:57 707584 ----a-w- c:\program files\Common Files\System\wab32.dll
2011-11-13 21:02 . 2011-11-13 21:02 -------- d-----w- c:\programdata\WindowsSearch
2011-11-13 20:46 . 2011-11-20 08:11 -------- d-----w- c:\users\Adge Pro\AppData\Local\Akamai
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-21 05:37 . 2009-10-19 19:32 66560 ----a-w- c:\windows\system32\drivers\smb.sys
2011-11-13 20:43 . 2011-11-13 20:43 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{AAEA6980-2D38-404B-91EE-968293813CC2}\offreg.dll
2011-09-12 23:14 . 2011-09-28 04:45 7269712 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{AAEA6980-2D38-404B-91EE-968293813CC2}\mpengine.dll
2011-06-28 08:47 . 2011-03-24 21:56 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2011-05-17 17:29 1490312 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-05-17 1490312]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-05-17 1490312]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-06-15 15141768]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-11-10 4240760]
"Akamai NetSession Interface"="c:\users\Adge Pro\AppData\Local\Akamai\netsession_win.exe" [2011-11-15 3303000]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"USBToolTip"="c:\progra~1\Pinnacle\SHARED~1\Programs\USBTip\USBTip.exe" [2007-02-20 199752]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"SoundMan"="SOUNDMAN.EXE" [2009-04-14 604704]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"DigidesignMMERefresh"="c:\program files\Digidesign\Drivers\MMERefresh.exe" [2009-12-19 77824]
"ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2011-05-17 395144]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2009-8-17 2043904]
WDSmartWare.lnk - c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe [2009-8-17 8919040]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi1"=usbmn4x4.dll
"midi3"=KORGUMDD.DRV
"wave10"=Digi32.dll
"MIDI10"=diomidi.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2853530515-3039482369-3993899090-1000]
"EnableNotificationsRef"=dword:0000001f
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate1ca52f2ba36a898;Google Update Service (gupdate1ca52f2ba36a898);c:\program files\Google\Update\GoogleUpdate.exe [2009-10-22 133104]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2009-10-22 133104]
R3 KORGUMDS;KORG USB-MIDI Driver for Windows;c:\windows\system32\Drivers\KORGUMDS.SYS [2009-10-15 22232]
R3 MRV6X32U;Belkin N1 Wireless USB Network Adapter Driver for Windows Vista x86;c:\windows\system32\DRIVERS\MRVW24B.sys [2007-10-29 310016]
R3 USB44LDR;M-Audio USB MidiSport 4x4 Loader;c:\windows\system32\drivers\usb44ldr.sys [2009-11-07 16416]
R3 USBMN4X4;M-Audio USB MidiSport 4x4;c:\windows\system32\drivers\usbmn4x4.sys [2009-11-07 22304]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2008-01-21 21504]
S2 Ast Service;Ast Service;c:\windows\system32\\AstSrv.exe [2008-01-07 57344]
S2 DigiNet;Digidesign Ethernet Support;c:\windows\system32\DRIVERS\diginet.sys [2009-12-19 16400]
S2 lxbf_device;lxbf_device;c:\windows\system32\lxbfcoms.exe [2007-04-25 537520]
S2 necusb;NEC USB Device Service;c:\windows\System32\svchost.exe [2008-01-21 21504]
S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-06-25 35088]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [2009-08-17 98304]
S2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [2009-06-16 20480]
S3 dalwdmservice;dal service;c:\windows\system32\drivers\dalwdm.sys [2009-12-19 85008]
S3 MBX2DFU;MBX2DFU;c:\windows\system32\DRIVERS\MBX2DFU.sys [2009-12-19 21648]
S3 MBX2MIDK;Digidesign Mbox 2 Midi Driver;c:\windows\system32\drivers\mbx2midk.sys [2009-12-19 21904]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2008-05-06 11520]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
Akamai REG_MULTI_SZ Akamai
necusb3 REG_MULTI_SZ necusb
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-22 08:36]
.
2011-11-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-22 08:36]
.
2011-11-22 c:\windows\Tasks\Norton Security Scan for Adge Pro.job
- c:\program files\Norton Security Scan\Engine\2.7.0.52\Nss.exe [2010-01-24 04:51]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\users\Adge Pro\AppData\Roaming\Mozilla\Firefox\Profiles\jb6npyyz.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{EB5CEE80-030A-4ED8-8E20-454E9C68380F} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-23 18:15
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Akamai]
"ServiceDll"="c:\program files\common files\akamai/netsession_win_d768ebc.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3224)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\system32\AstSrv.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\progra~1\Bandoo\Bandoo.exe
c:\windows\system32\WUDFHost.exe
c:\program files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
c:\windows\SOUNDMAN.EXE
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system\svchost.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2011-11-23 18:22:54 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-23 23:22
ComboFix2.txt 2011-11-21 07:09
ComboFix3.txt 2011-11-20 23:59
ComboFix4.txt 2011-11-20 22:56
.
Pre-Run: 32,173,502,464 bytes free
Post-Run: 32,121,303,040 bytes free
.
- - End Of File - - 72E45090A4AB4E73475D1D9E486D055D

#4 Tomk (Beguilement Monitor, Global Moderator, 20,451 posts)

Posted 23 November 2011 - 07:48 PM

Infected Bad, Do you notice any difference in the way it's running?

#5 Infected Bad (Authentic Member, 24 posts)

Posted 23 November 2011 - 08:09 PM

Memory usage went from 23% to 38% at start-up and the internet still isn't working. :smack:

#6 Tomk (Beguilement Monitor, Global Moderator, 20,451 posts)

Posted 23 November 2011 - 08:28 PM

A couple more scans:

Download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it.

Click the "Scan" button to start the scan.

On completion of the scan click "Save log", save it to your desktop and post it in your next reply.

And

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot (shut down your computer then restart it).


#7 Infected Bad (Authentic Member, 24 posts)

Posted 23 November 2011 - 10:15 PM

Results are the same: 38% memory at start-up and no internet...

aswMBR log

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-11-23 22:50:06
-----------------------------
22:50:06.772 OS Version: Windows 6.0.6002 Service Pack 2
22:50:06.772 Number of processors: 1 586 0x2F02
22:50:06.772 ComputerName: ADGEPRO-PC UserName: Adge Pro
22:50:26.726 Initialize success
22:52:25.737 AVAST engine download error: 0
22:52:43.003 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
22:52:43.003 Disk 0 Vendor: WDC_WD800JD-00LSA0 06.01D06 Size: 76319MB BusType: 3
22:52:43.018 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP1T0L0-2
22:52:43.018 Disk 1 Vendor: ST3120827AS 3.42 Size: 114473MB BusType: 3
22:52:45.050 Disk 0 MBR read successfully
22:52:45.050 Disk 0 MBR scan
22:52:45.050 Disk 0 Windows VISTA default MBR code
22:52:45.065 Disk 0 scanning sectors +156280320
22:52:45.143 Disk 0 scanning C:\Windows\system32\drivers
22:52:50.753 Service scanning
22:52:51.972 Modules scanning
22:52:57.378 Disk 0 trace - called modules:
22:52:57.393 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS pciide.sys PCIIDEX.SYS atapi.sys
22:52:57.909 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x854858a8]
22:52:57.909 3 CLASSPNP.SYS[881aa8b3] -> nt!IofCallDriver -> [0x84bcf918]
22:52:57.925 5 acpi.sys[8260f6bc] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x84bc4b98]
22:52:57.925 Scan finished successfully
22:53:50.855 Disk 0 MBR has been saved successfully to "H:\MBR.dat"
22:53:50.902 The log file has been saved successfully to "H:\aswMBR.txt"

mbam log

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7622

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19154

11/23/2011 11:01:02 PM
mbam-log-2011-11-23 (23-01-02).txt

Scan type: Quick scan
Objects scanned: 184407
Time elapsed: 3 minute(s), 19 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
c:\Windows\system\svchost.exe (Backdoor.Bot) -> 3128 -> Failed to unload process.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Typelib\{022C671F-6CBA-4A03-A8F9-3B3A361B235A} (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{8AD815FC-607B-419F-8B70-D345A507A54E} (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{90F62EF7-58D1-4E8E-BB3E-CFB10BA9E47B} (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Smart-Shopper.HbInfoBand (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Smart-Shopper.HbInfoBand.1 (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Smart-Shopper.Smrt-ShprCtrl (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Smart-Shopper.Smrt-ShprCtrl.1 (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Smart-Shopper (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Smart-Shopper (Adware.SmartShopper) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\syfrt.exe (Backdoor.IRCbot) -> Quarantined and deleted successfully.
c:\sysnb.exe (Backdoor.IRCbot) -> Quarantined and deleted successfully.
c:\systb.exe (Backdoor.IRCbot) -> Quarantined and deleted successfully.
c:\syty.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\Windows\system\svchost.exe (Backdoor.Bot) -> Delete on reboot.

#8 Tomk (Beguilement Monitor, Global Moderator, 20,451 posts)

Posted 23 November 2011 - 10:51 PM

Infected Bad,

Your computer appears to have been infected by a backdoor trojan. These programs have the ability to steal passwords and other information from your system. If you use your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:
  • Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, paypal, ebay, etc. You should also change the passwords for any other site you use.
  • Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen and ask what steps to take with regard to your account.
  • Consider what other private information could possibly have been taken from your computer and take appropriate steps.
This infection can most probably be cleaned, but as the malware could be configured to run any program a remote attacker requires, it will be impossible to be 100% sure that the machine is clean. If this is unacceptable to you, then you should consider reformatting the system partition and reinstalling Windows, as this is the only 100% sure answer.

If you wish to reformat then please let me know in your next response, I'll now continue with instructions.

Let's get an online scan:

ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

Vista users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here then click on: [image]

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use then click on: [image]
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: [image]
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: [image]
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

#9 Infected Bad (Authentic Member, 24 posts)

Posted 23 November 2011 - 11:09 PM

Thanks Tom for the warning. No, I will try and clear everything without reformatting, as I am a composer/producer and have all kinds of plug-ins and configurations I'd have to reset. Can I do this scan on the infected computer using FF or IE as it still has no internet?

#10 Tomk (Beguilement Monitor, Global Moderator, 20,451 posts)

Posted 24 November 2011 - 08:23 AM

Can I do this scan on the infected computer using FF or IE as it still has no internet?

Duh! Sorry about that. You are correct that you won't be able to do that.

Please do this:

Please open Notepad

  • Click Start , then Run
  • Type notepad.exe in the Run Box.
    Copy and Paste everything from the Quote box into Notepad:

    @Echo on
    rem Replace the hosts file with the single default entry (hosts lives in system32\drivers\etc)
    pushd \windows\system32\drivers\etc
    attrib -h -s -r hosts
    echo 127.0.0.1 localhost>HOSTS
    attrib +r +h +s hosts
    popd
    rem Drop and re-request the DHCP lease, then clear the DNS resolver cache
    ipconfig /release
    ipconfig /renew
    ipconfig /flushdns
    rem Reset the Winsock catalog and the TCP/IP stack; both take effect after the reboot
    netsh winsock reset all
    netsh int ip reset all
    rem Reboot in one second and delete this batch file
    shutdown -r -t 1
    del %0

  • Save the file to your DESKTOP as "fix.bat". Make sure to save it with the quotes. Once saved, the icon to click should look like this on your desktop: [image]
  • Double click fix.bat.

Your computer will reboot.

Let me know if you can connect to the internet now.

#11 Infected Bad (Authentic Member, 24 posts)

Posted 25 November 2011 - 01:46 AM

Happy holidays Tom!! No, I still can't connect to the internet after running the above command, but my network says I have an internet connection.

#12 Tomk (Beguilement Monitor, Global Moderator, 20,451 posts)

Posted 25 November 2011 - 09:39 AM

Please run a scan with Malwarebytes' again and post the log.

#13 Infected Bad (Authentic Member, 24 posts)

Posted 25 November 2011 - 03:34 PM

Here is the log requested.

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7622

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19154

11/25/2011 4:22:20 PM
mbam-log-2011-11-25 (16-22-20).txt

Scan type: Quick scan
Objects scanned: 184588
Time elapsed: 3 minute(s), 11 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
c:\Windows\system\svchost.exe (Backdoor.Bot) -> 1216 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\system\svchost.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

#14 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 25 November 2011 - 06:33 PM

Good. Now please rerun combofix and post the log.
Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 

#15 Infected Bad

Infected Bad

    Authentic Member

  • Authentic Member
  • PipPip
  • 24 posts

Posted 25 November 2011 - 08:34 PM

Here is the requested log:

ComboFix 11-11-19.04 - Adge Pro 11/25/2011 20:41:41.5.1 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.2046.1484 [GMT -5:00]
Running from: c:\users\Adge Pro\Desktop\Combo-Fix.exe
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
- REDUCED FUNCTIONALITY MODE -
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system\svchost.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-10-26 to 2011-11-26 )))))))))))))))))))))))))))))))
.
.
2011-11-26 01:43 . 2011-11-26 01:43 -------- d-----w- c:\users\Adge Pro\AppData\Local\temp
2011-11-26 01:43 . 2011-11-26 01:43 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-11-25 21:02 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-24 03:55 . 2011-11-24 03:55 -------- d-----w- c:\users\Adge Pro\AppData\Roaming\Malwarebytes
2011-11-24 03:54 . 2011-11-24 03:54 -------- d-----w- c:\programdata\Malwarebytes
2011-11-23 23:03 . 2011-11-23 23:22 -------- d-----w- C:\Combo-Fix
2011-11-23 21:19 . 2011-11-23 21:19 -------- d-----w- c:\program files\Antares Audio Technologies
2011-11-23 21:15 . 2003-06-20 18:28 1777664 ----a-w- c:\windows\system32\gdiplus.dll
2011-11-15 03:15 . 2011-11-15 03:15 -------- d-----w- c:\users\Public\Waves Audio
2011-11-15 03:15 . 2011-11-15 03:20 -------- d-----w- c:\programdata\Waves Audio
2011-11-15 03:07 . 2011-11-23 20:34 -------- d-----w- c:\program files\WinPcap
2011-11-14 23:44 . 2011-11-15 03:17 -------- d-----w- c:\users\Adge Pro\AppData\Roaming\Waves Audio
2011-11-14 21:38 . 2011-11-16 19:10 -------- d-----w- c:\users\Adge Pro\riotsGamesLogs
2011-11-14 21:38 . 2011-11-14 21:38 -------- d-----w- c:\users\Adge Pro\AppData\Roaming\LolClient
2011-11-14 21:28 . 2011-11-14 21:28 162304 ----a-w- c:\windows\system32\ncusbw32.dll
2011-11-14 06:59 . 2008-07-31 15:41 68616 ----a-w- c:\windows\system32\XAPOFX1_1.dll
2011-11-14 06:59 . 2008-07-31 15:40 509448 ----a-w- c:\windows\system32\XAudio2_2.dll
2011-11-14 06:59 . 2008-07-12 13:18 467984 ----a-w- c:\windows\system32\d3dx10_39.dll
2011-11-14 06:59 . 2008-07-12 13:18 1493528 ----a-w- c:\windows\system32\D3DCompiler_39.dll
2011-11-14 06:59 . 2008-07-12 13:18 3851784 ----a-w- c:\windows\system32\D3DX9_39.dll
2011-11-13 21:43 . 2011-09-20 21:02 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-11-13 21:25 . 2011-08-25 16:15 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2011-11-13 21:25 . 2011-08-25 16:14 563712 ----a-w- c:\windows\system32\oleaut32.dll
2011-11-13 21:25 . 2011-08-25 16:14 238080 ----a-w- c:\windows\system32\oleacc.dll
2011-11-13 21:25 . 2011-08-25 13:31 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2011-11-13 21:15 . 2011-09-30 15:57 707584 ----a-w- c:\program files\Common Files\System\wab32.dll
2011-11-13 21:02 . 2011-11-13 21:02 -------- d-----w- c:\programdata\WindowsSearch
2011-11-13 20:46 . 2011-11-20 08:11 -------- d-----w- c:\users\Adge Pro\AppData\Local\Akamai
2011-11-13 20:43 . 2011-11-13 20:43 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{AAEA6980-2D38-404B-91EE-968293813CC2}\offreg.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-21 05:37 . 2009-10-19 19:32 66560 ----a-w- c:\windows\system32\drivers\smb.sys
2011-09-12 23:14 . 2011-09-28 04:45 7269712 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{AAEA6980-2D38-404B-91EE-968293813CC2}\mpengine.dll
2011-06-28 08:47 . 2011-03-24 21:56 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2011-05-17 17:29 1490312 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-05-17 1490312]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-05-17 1490312]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-06-15 15141768]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-11-10 4240760]
"Akamai NetSession Interface"="c:\users\Adge Pro\AppData\Local\Akamai\netsession_win.exe" [2011-11-15 3303000]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"USBToolTip"="c:\progra~1\Pinnacle\SHARED~1\Programs\USBTip\USBTip.exe" [2007-02-20 199752]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"SoundMan"="SOUNDMAN.EXE" [2009-04-14 604704]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"DigidesignMMERefresh"="c:\program files\Digidesign\Drivers\MMERefresh.exe" [2009-12-19 77824]
"ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2011-05-17 395144]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2009-8-17 2043904]
WDSmartWare.lnk - c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe [2009-8-17 8919040]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi1"=usbmn4x4.dll
"midi3"=KORGUMDD.DRV
"wave10"=Digi32.dll
"MIDI10"=diomidi.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2853530515-3039482369-3993899090-1000]
"EnableNotificationsRef"=dword:0000001f
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate1ca52f2ba36a898;Google Update Service (gupdate1ca52f2ba36a898);c:\program files\Google\Update\GoogleUpdate.exe [2009-10-22 133104]
R2 MBAMService;MBAMService;h:\malwarebytes' anti-malware\mbamservice.exe [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2009-10-22 133104]
R3 KORGUMDS;KORG USB-MIDI Driver for Windows;c:\windows\system32\Drivers\KORGUMDS.SYS [2009-10-15 22232]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [x]
R3 MRV6X32U;Belkin N1 Wireless USB Network Adapter Driver for Windows Vista x86;c:\windows\system32\DRIVERS\MRVW24B.sys [2007-10-29 310016]
R3 USB44LDR;M-Audio USB MidiSport 4x4 Loader;c:\windows\system32\drivers\usb44ldr.sys [2009-11-07 16416]
R3 USBMN4X4;M-Audio USB MidiSport 4x4;c:\windows\system32\drivers\usbmn4x4.sys [2009-11-07 22304]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2008-01-21 21504]
S2 Ast Service;Ast Service;c:\windows\system32\\AstSrv.exe [2008-01-07 57344]
S2 DigiNet;Digidesign Ethernet Support;c:\windows\system32\DRIVERS\diginet.sys [2009-12-19 16400]
S2 lxbf_device;lxbf_device;c:\windows\system32\lxbfcoms.exe [2007-04-25 537520]
S2 necusb;NEC USB Device Service;c:\windows\System32\svchost.exe [2008-01-21 21504]
S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-06-25 35088]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [2009-08-17 98304]
S2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [2009-06-16 20480]
S3 dalwdmservice;dal service;c:\windows\system32\drivers\dalwdm.sys [2009-12-19 85008]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-08-31 22216]
S3 MBX2DFU;MBX2DFU;c:\windows\system32\DRIVERS\MBX2DFU.sys [2009-12-19 21648]
S3 MBX2MIDK;Digidesign Mbox 2 Midi Driver;c:\windows\system32\drivers\mbx2midk.sys [2009-12-19 21904]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2008-05-06 11520]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
Akamai REG_MULTI_SZ Akamai
necusb3 REG_MULTI_SZ necusb
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-22 08:36]
.
2011-11-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-22 08:36]
.
2011-11-26 c:\windows\Tasks\Norton Security Scan for Adge Pro.job
- c:\program files\Norton Security Scan\Engine\2.7.0.52\Nss.exe [2010-01-24 04:51]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\users\Adge Pro\AppData\Roaming\Mozilla\Firefox\Profiles\jb6npyyz.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-Malwarebytes' Anti-Malware - h:\malwarebytes' anti-malware\mbamgui.exe
AddRemove-Malwarebytes' Anti-Malware_is1 - h:\malwarebytes' anti-malware\unins000.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-25 20:43
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\users\ADGEPR~1\AppData\Local\Temp\catchme.dll 53248 bytes executable
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Akamai]
"ServiceDll"="c:\program files\common files\akamai/netsession_win_d768ebc.dll"
.
Completion time: 2011-11-25 20:46:48
ComboFix-quarantined-files.txt 2011-11-26 01:45
ComboFix2.txt 2011-11-23 23:22
ComboFix3.txt 2011-11-21 07:09
ComboFix4.txt 2011-11-20 23:59
ComboFix5.txt 2011-11-26 01:40
.
Pre-Run: 28,964,532,224 bytes free
Post-Run: 28,926,943,232 bytes free
.
- - End Of File - - A68606D8671576718A7E7F7ACC430219
