Ping.exe virus, Google redirect


  • This topic is locked
49 replies to this topic

#1 chrisrowe (Authentic Member, 29 posts)

Posted 23 January 2012 - 11:09 PM

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Christopher at 22:44:32.57 on Mon 01/23/2012
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2037.1177 [GMT -6:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\1.3.21.79\GoogleCrashHandler.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Program Files\Memeo\AutoBackup\MemeoBackgroundService.exe
C:\WINDOWS\svcs.exe
C:\Program Files\Seagate\Seagate Dashboard\SeagateDashboardService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\system32\hphmon04.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Seagate\Seagate Dashboard\MemeoDashboard.exe
C:\Program Files\SolidWorks Corp\SolidWorks\swScheduler\swBOEngine.exe
C:\Program Files\Memeo\AutoBackup\MemeoUpdater.exe
C:\Program Files\Seagate\Seagate Dashboard\HipServAgent\HipServAgent.exe
C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\SolidWorksLicTemp.0001
C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
C:\WINDOWS\system32\HPHipm11.exe
C:\WINDOWS\System32\ping.exe
C:\Documents and Settings\Christopher\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: XFINITY Toolbar: {4b9bcce8-a70b-402a-a7e1-db96831ee26f} - c:\program files\xfin_portal\comcastdx.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Updater For XFIN_PORTAL: {bb46be07-13eb-4c49-b0f0-fc78b9ea4983} - c:\program files\xfin_portal\auxi\comcastAu.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: ChromeFrame BHO: {ecb3c477-1a0a-44bd-bb57-78f9efe34fa7} - c:\program files\google\chrome frame\application\16.0.912.77\npchrome_frame.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
TB: XFINITY Toolbar: {4b9bcce8-a70b-402a-a7e1-db96831ee26f} - c:\program files\xfin_portal\comcastdx.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\christopher\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [DAEMON Tools Pro Agent] "c:\program files\daemon tools pro\DTProAgent.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [AdobeBridge]
uRun: [Desktop Software] "c:\program files\common files\supportsoft\bin\bcont.exe" /ini "c:\program files\comcastui\desktop software\uinstaller.ini" /fromrun /starthidden
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [<NO NAME>]
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [Adobe_ID0ENQBO] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [SolidWorks_CheckForUpdates] "c:\program files\common files\solidworks installation manager\scheduler\sldIMScheduler.exe" /scheduler
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Nikon Message Center 2] c:\program files\nikon\nikon message center 2\NkMC2.exe -s
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe
mRun: [HPHmon04] c:\windows\system32\hphmon04.exe
mRun: [HPHUPD04] "c:\program files\hp photosmart 11\hphinstall\unipatch\hphupd04.exe"
mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Seagate Dashboard] c:\program files\seagate\seagate dashboard\MemeoLauncher.exe --silent --no_ui
mRun: [Memeo Instant Backup] c:\program files\memeo\autobackup\MemeoLauncher2.exe --silent --no_ui
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [TMP provider] rundll32 c:\windows\temp\TMPprovider01D.dll, RunDllEntry
StartupFolder: c:\docume~1\christ~1\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\christopher\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\christ~1\startm~1\programs\startup\solidw~1.lnk - c:\program files\solidworks corp\solidworks\swscheduler\swBOEngine.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert link target to existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: gcf - {9875BFAF-B04D-445E-8A69-BE36838CDE3E} - c:\program files\google\chrome frame\application\16.0.912.77\npchrome_frame.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\memeo\autobackup\MemeoBackgroundService.exe [2010-4-22 25824]
R2 NetworkLog;NetworkLog;c:\windows\svcs.exe [2011-12-15 579072]
R2 SeagateDashboardService;Seagate Dashboard Service;c:\program files\seagate\seagate dashboard\SeagateDashboardService.exe [2011-6-1 14088]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-6 135664]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 284016]
S3 CoordinatorServiceHost;SW Distributed TS Coordinator Service;c:\program files\solidworks corp\solidworks\swscheduler\DTSCoordinatorService.exe [2008-9-9 79144]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-6 135664]
S3 PROCEXP151;PROCEXP151;\??\c:\windows\system32\drivers\procexp151.sys --> c:\windows\system32\drivers\PROCEXP151.SYS [?]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2005-9-23 2799808]
.
=============== Created Last 30 ================
.
2012-01-23 03:11:07 56200 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{db937c94-519e-4212-a53d-50fe90761f65}\offreg.dll
2012-01-21 03:27:40 6557240 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{db937c94-519e-4212-a53d-50fe90761f65}\mpengine.dll
2012-01-17 04:13:47 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-01-17 04:13:47 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2012-01-17 03:50:10 -------- d-----w- C:\utils
2012-01-10 03:01:49 43 ----a-w- c:\windows\b.bat
2011-12-29 15:24:16 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2011-12-29 15:24:16 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2011-12-29 15:21:58 -------- d-----w- c:\program files\iPod
2011-12-29 15:21:34 -------- d-----w- c:\program files\iTunes
2011-12-29 15:21:34 -------- d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2011-12-29 15:19:54 -------- d-----w- c:\program files\Bonjour
2011-12-29 15:13:09 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
2011-12-29 15:13:09 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
2011-12-29 15:13:09 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
2011-12-29 15:13:09 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
2011-12-29 15:13:09 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
2011-12-29 15:13:09 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
2011-12-29 15:13:09 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
.
==================== Find3M ====================
.
2012-01-10 03:01:49 579072 ----a-w- c:\windows\svcs.exe
2011-11-15 20:29:56 222080 ------w- c:\windows\system32\MpSigStub.exe
.
============= FINISH: 22:52:03.82 ===============

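A first-pass triage of the log above, added here as an example; it is not part of the original post and not DDS's own logic. SAMPLE_LOG is an excerpt of the DDS output in this post, re-split one entry per line as DDS prints it. The rules are generic "where does this binary live" heuristics of the editor's choosing (binary directly under %WINDIR%, loaded from a Temp directory, a DLL started through rundll32 from an autostart entry, an auto-start service outside Program Files/system32, a console tool sitting in the process list), so a hit means "look closer", not "malware":

```python
"""Added example: first-pass triage of a DDS log (not DDS's own logic).

SAMPLE_LOG is an excerpt of the log posted in this thread, one entry per line.
The rules are generic location heuristics; a hit means "look closer".
"""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
AUTOSTART_RE = re.compile(r"^([umd]Run|StartupFolder):\s*(.*)$")
# DDS service lines: "<state> <name>;<display name>;<path> [<date> <size>]"
SERVICE_RE = re.compile(r"^([RS][0-4])\s+([^;]+);[^;]*;(.*)$")
# First drive-qualified path that ends in something loadable.
PATH_RE = re.compile(r"[a-z]:\\.*?\.(?:exe|dll|sys|bat|cmd|scr|vbs)\b", re.I)

SAMPLE_LOG = r"""
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\svcs.exe
C:\WINDOWS\System32\ping.exe
C:\Documents and Settings\Christopher\Desktop\dds.scr
============== Pseudo HJT Report ===============
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DAEMON Tools Pro Agent] "c:\program files\daemon tools pro\DTProAgent.exe"
mRun: [Nikon Message Center 2] c:\program files\nikon\nikon message center 2\NkMC2.exe -s
dRun: [TMP provider] rundll32 c:\windows\temp\TMPprovider01D.dll, RunDllEntry
StartupFolder: c:\docume~1\christ~1\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\christopher\application data\dropbox\bin\Dropbox.exe
============= SERVICES / DRIVERS ===============
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R2 NetworkLog;NetworkLog;c:\windows\svcs.exe [2011-12-15 579072]
S3 PROCEXP151;PROCEXP151;\??\c:\windows\system32\drivers\procexp151.sys --> c:\windows\system32\drivers\PROCEXP151.SYS [?]
"""


def first_path(text):
    """Lower-cased first binary path in text, or None for bare names like svchost.exe."""
    m = PATH_RE.search(text)
    return m.group(0).lower() if m else None


def reasons_for(path, raw, section, running_service):
    """Heuristic reasons an entry deserves a closer look; empty list = nothing notable."""
    if path is None:
        return []
    reasons = []
    name = path.rsplit("\\", 1)[-1]
    if re.match(r"^c:\\windows\\[^\\]+$", path):
        reasons.append("binary directly under %WINDIR% rather than system32 or Program Files")
    if "\\temp\\" in path:
        reasons.append("loaded from a Temp directory")
    if section == "Pseudo HJT Report" and "rundll32" in raw.lower():
        reasons.append("DLL started through rundll32 from an autostart entry")
    if running_service and not re.search(r"\\(program files|system32)\\", path):
        reasons.append("auto-start service binary outside Program Files/system32")
    if section == "Running Processes" and name == "ping.exe":
        reasons.append("ping.exe present as a persistent process (normally a short-lived console tool)")
    if not reasons and re.search(r"\\(local settings|application data)\\", path):
        reasons.append("runs from the user profile (normal for some updaters; confirm the vendor)")
    return reasons


def triage(log_text):
    """Return {section: [(entry line, [reasons]), ...]} for every flagged entry."""
    findings = defaultdict(list)
    section = None
    for line in log_text.splitlines():
        line = line.strip()
        if not line or line == ".":
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        running_service = False
        if section == "Running Processes":
            path = first_path(line)
        elif section == "Pseudo HJT Report":
            m = AUTOSTART_RE.match(line)
            if not m:
                continue
            # StartupFolder lines read "<shortcut> - <target>"; only the target matters.
            path = first_path(m.group(2).split(" - ", 1)[-1])
        elif section == "SERVICES / DRIVERS":
            m = SERVICE_RE.match(line)
            if not m:
                continue
            running_service = m.group(1) == "R2"  # R2 = running, auto-start
            path = first_path(m.group(3))
        else:
            continue
        reasons = reasons_for(path, line, section, running_service)
        if reasons:
            findings[section].append((line, reasons))
    return dict(findings)
```

On this excerpt `triage(SAMPLE_LOG)` flags C:\WINDOWS\svcs.exe twice (as a running process and as the auto-start service NetworkLog), the rundll32 autostart that loads TMPprovider01D.dll from c:\windows\temp, the persistent ping.exe that gives the thread its title, and Dropbox only as a low-priority profile-directory entry; MsMpEng.exe, ctfmon.exe, the DAEMON Tools agent and the MpFilter driver come back clean. The full log offers one cross-check that needs no code: in the Created Last 30 and Find3M sections, c:\windows\b.bat and c:\windows\svcs.exe carry the identical timestamp 2012-01-10 03:01:49.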

#2 JonTom (Teacher Emeritus, Malware Team, 5,496 posts)

Posted 25 January 2012 - 06:00 AM

Hello chrisrowe and :welcome:

My name is JonTom

  • Malware Logs can sometimes take a lot of time to research and interpret.
  • Please be patient while I try to assist with your problem. If at any time you do not understand what is required, please ask for further explanation.
  • Please note that there is no "Quick Fix" to modern malware infections and we may need to use several different approaches to get your system clean.
  • Read every reply you receive carefully and thoroughly before carrying out the instructions. You may also find it helpful to print out the instructions you receive, as in some instances you may have to disconnect your computer from the Internet.
  • PLEASE NOTE: If you do not reply after 3 days your thread will be closed.

I can see evidence of a serious malware infection on this machine.

If you use this machine for any financial transactions please find an uninfected system and change all of your passwords as soon as you can.

It would also be wise to back up your important data at this point.

Please work your way through the following steps:

  • DeFogger


    • Please download DeFogger to your desktop.
    • Click on DeFogger to run the tool.
    • The application window will appear.
    • Click the Disable button to disable your CD Emulation drivers.
    • Click Yes to continue.
    • A 'Finished!' message will appear.
    • Click OK.
    • DeFogger will now ask to reboot the machine - click OK.
      IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.
      Do not re-enable these drivers until otherwise instructed.

  • aswMBR


    • Download aswMBR.exe to your desktop.
    • Double click the aswMBR.exe to run it.
    • When asked if you want to download Avast's virus definitions please select Yes.
    • Click the "Scan" button to start scan.


    • On completion of the scan click save log, save it to your desktop and post in your next reply.



  • Please scan your system with GMER


    Download GMER Rootkit Scanner from here or here.
    • Extract the contents of the zipped file to desktop.
    • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
    • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
    • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in your reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


Please post the aswMBR log and the GMER log in your next reply. If you encounter any problems with the scans come back and let me know.

Would you like to help others? Join the Classroom and learn how.
 
Member of UNITE
Proud Graduate of the WTT Classroom

#3 chrisrowe (Authentic Member, 29 posts)

Posted 27 January 2012 - 01:23 PM

Hello, first of all THANK YOU so much for helping me. Sorry it's taken so long to respond; I'm having a little trouble. I probably messed this up, but I will give you the "play by play" to the best of my recollection. I downloaded DeFogger and ran it, following all the instructions. I think it did crash, and I ran it again and it seemed to work, but maybe not:

defogger_disable by jpshortstuff (23.02.10.1)
Log created at 20:16 on 25/01/2012 (Christopher)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.
HKCU:DAEMON Tools Pro Agent -> Removed

Checking for services/drivers...
Unable to read sptd.sys
SPTD -> Disabled (Service running -> reboot required)

-=E.O.F=-

Then I noticed I should have backed up my files, so I did; it took almost 40 hours! It crashed quite a few times along the way. At one point Microsoft sent a message that they were shutting down Ping.exe. Next I downloaded aswMBR.exe; it crashed while trying to download Avast. I tried it again and it was scanning for a long time, and Microsoft Security Essentials was finding viruses while it was doing so. Eventually it crashed... What should I do next?

#4 JonTom (Teacher Emeritus, Malware Team, 5,496 posts)

Posted 27 January 2012 - 04:48 PM

Hello chrisrowe

THANK YOU so much for helping me. Sorry its taken so long to respond

No problem :)

The malware on the machine is trying to prevent our tools from running which is why you are experiencing the frequent crashes.

what should i do next?

Let's try GMER.

Please download and run GMER as described in my previous post to you.

If the program crashes, reboot the machine into Safe Mode and try the scan again:


  • Reboot Your System in Safe Mode


  • Restart your computer.
  • As soon as BIOS is loaded begin tapping the F8 key until the "Advanced Options" menu appears.
  • Use the arrow keys to select the Safe mode menu item.
  • Press Enter.

If you run into any problems just come back and let me know.


#5 chrisrowe (Authentic Member, 29 posts)

Posted 28 January 2012 - 06:05 PM

The following alert showed up when I attempted to run GMER:

Loaddriver ("C:\DOCUME~1\CHRIST~1\LOCALS~1\TEMP\Kxtdqpod.sys")
error 0xC000010E: Cannot create a stable subkey under a volatile parent key.

I restarted into Safe Mode and got the same message, so I ran it anyway. The things you told me to uncheck were already unchecked, it seemed.


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-01-28 13:08:56
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\kxtdqpod.sys


---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\Daemon Tools Pro\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xB6 0x16 0xC0 0xC8 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x4B 0x63 0xE6 0x74 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xDF 0x05 0xB9 0xE8 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x2B 0x20 0xCF 0x06 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\Daemon Tools Pro\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xB6 0x16 0xC0 0xC8 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x4B 0x63 0xE6 0x74 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xDF 0x05 0xB9 0xE8 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x2B 0x20 0xCF 0x06 ...

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB10218$\1507950091 0 bytes
File C:\WINDOWS\$NtUninstallKB10218$\1507950091\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB10218$\1507950091\bckfg.tmp 854 bytes
File C:\WINDOWS\$NtUninstallKB10218$\1507950091\cfg.ini 325 bytes
File C:\WINDOWS\$NtUninstallKB10218$\1507950091\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB10218$\1507950091\keywords 123 bytes
File C:\WINDOWS\$NtUninstallKB10218$\1507950091\kwrd.dll 223744 bytes
File C:\WINDOWS\$NtUninstallKB10218$\1507950091\L 0 bytes
File C:\WINDOWS\$NtUninstallKB10218$\1507950091\L\lgwnsoxg 75264 bytes
File C:\WINDOWS\$NtUninstallKB10218$\1507950091\lsflt7.ver 5176 bytes
File C:\WINDOWS\$NtUninstallKB10218$\1507950091\oemid 36 bytes
File C:\WINDOWS\$NtUninstallKB10218$\1507950091\U 0 bytes
File C:\WINDOWS\$NtUninstallKB10218$\1507950091\U\00000001.@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB10218$\1507950091\U\00000002.@ 224768 bytes
File C:\WINDOWS\$NtUninstallKB10218$\1507950091\U\00000004.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB10218$\1507950091\U\80000000.@ 11264 bytes
File C:\WINDOWS\$NtUninstallKB10218$\1507950091\U\80000004.@ 12800 bytes
File C:\WINDOWS\$NtUninstallKB10218$\1507950091\U\80000032.@ 73216 bytes
File C:\WINDOWS\$NtUninstallKB10218$\1507950091\version 854 bytes
File C:\WINDOWS\$NtUninstallKB10218$\521341660 0 bytes

---- EOF - GMER 1.0.15 ----
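
The File entries GMER reported above all sit under one C:\WINDOWS\$NtUninstallKB10218$ folder. The following is an added example, not GMER's own logic and not part of the original post: it checks such a listing against what a genuine XP hotfix backup folder looks like, using heuristics of the editor's choosing (every XP-era hotfix ID carries at least six digits; backed-up files carry ordinary extensions; subfolders are not named with digits only; entries are not zero bytes). SAMPLE_GMER is an excerpt of the log above plus one constructed benign control line; KB2633171, its path and its size are made up for the example and are not from this thread.

```python
"""Added example: sanity-check the paths GMER listed under $NtUninstall...$ folders.

Heuristics only, not GMER's own logic. SAMPLE_GMER is an excerpt of the log
posted in this thread plus one constructed benign control line (KB2633171).
"""
import re
from collections import defaultdict

FILE_RE = re.compile(r"^File\s+(?P<path>.+?)\s+(?P<size>\d+)\s+bytes$")
# Top-level hotfix backup folder, e.g. c:\windows\$ntuninstallkb123456$ (matched lower-cased)
UNINSTALL_RE = re.compile(r"^c:\\windows\\\$ntuninstall(?P<id>[^$\\]+)\$", re.I)

SAMPLE_GMER = r"""
---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB10218$\1507950091 0 bytes
File C:\WINDOWS\$NtUninstallKB10218$\1507950091\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB10218$\1507950091\bckfg.tmp 854 bytes
File C:\WINDOWS\$NtUninstallKB10218$\1507950091\kwrd.dll 223744 bytes
File C:\WINDOWS\$NtUninstallKB10218$\1507950091\L\lgwnsoxg 75264 bytes
File C:\WINDOWS\$NtUninstallKB10218$\1507950091\U\80000032.@ 73216 bytes
File C:\WINDOWS\$NtUninstallKB10218$\521341660 0 bytes
File C:\WINDOWS\$NtUninstallKB2633171$\spuninst\spuninst.exe 212992 bytes
"""


def entry_reasons(path, size):
    """Why one File entry below a $NtUninstall...$ folder looks wrong.

    Returns None for paths outside such folders, [] for a plausible entry.
    """
    p = path.lower()
    m = UNINSTALL_RE.match(p)
    if not m:
        return None
    reasons = []
    ident = m.group("id")
    if ident.startswith("kb") and len(ident) - 2 < 6:
        reasons.append("KB number shorter than the six digits every XP-era hotfix carries")
    parts = [x for x in p[m.end():].split("\\") if x]  # components below the folder
    if parts and parts[0].isdigit():
        reasons.append("top-level subfolder named with digits only")
    if parts:
        leaf = parts[-1]
        if "." not in leaf or leaf.endswith(".@"):
            reasons.append("file name with no ordinary extension")
    if size == 0:
        reasons.append("zero-byte entry")
    return reasons


def summarize(gmer_text):
    """Group GMER File lines by $NtUninstall...$ folder and union their reasons."""
    folders = defaultdict(lambda: {"entries": 0, "reasons": set()})
    for line in gmer_text.splitlines():
        m = FILE_RE.match(line.strip())
        if not m:
            continue
        path, size = m.group("path"), int(m.group("size"))
        reasons = entry_reasons(path, size)
        if reasons is None:
            continue
        key = UNINSTALL_RE.match(path.lower()).group(0)
        folders[key]["entries"] += 1
        folders[key]["reasons"].update(reasons)
    return {k: {"entries": v["entries"], "reasons": sorted(v["reasons"])}
            for k, v in folders.items()}
```

`summarize(SAMPLE_GMER)` returns two folders: the KB10218 tree, with all four reasons set across its seven entries, and the constructed KB2633171 control with none. As JonTom's caution above says, a hit here is a reason to post the log, not to delete anything by hand.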

#6 JonTom (Teacher Emeritus, Malware Team, 5,496 posts)

Posted 28 January 2012 - 06:18 PM

Hello chrisrowe

Thank you for the log.

Let's proceed as follows:

  • Combofix


  • Download ComboFix from one of the following locations:

    Link 1
    Link 2

  • VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here .
  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
  • Notes: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
  • Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
  • Should there be issues with internet afterward:

    In IE: Tools Menu -> Internet Options -> Connections Tab -> Lan Settings -> uncheck "use a proxy server" or reconfigure the Proxy server again in case you have set it previously.

    In Firefox: Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection and uncheck the proxyserver, set it to No Proxy.

Please post the Combofix log in your next reply.

If you encounter any problems with the scan just let me know.


#7 chrisrowe (Authentic Member, 29 posts)

Posted 29 January 2012 - 01:01 AM

It says "There's a newer version of ComboFix available. Would you like to update ComboFix?" What should I do?

#8 chrisrowe (Authentic Member, 29 posts)

Posted 29 January 2012 - 01:31 AM

Okay, I am going to go for it and trust this update.

#9 JonTom (Teacher Emeritus, Malware Team, 5,496 posts)

Posted 29 January 2012 - 05:52 AM

Hello chrisrowe

It says "There's a newer version of ComboFix available. Would you like to update ComboFix?" What should I do?

Did you run Combofix before asking for help at this forum?

Allow the update to install - it's normal behaviour for the program.


#10 chrisrowe (Authentic Member, 29 posts)

Posted 29 January 2012 - 10:05 AM

So I ran ComboFix. I don't believe I ever had ComboFix downloaded to my machine before (I get remote help from my cousin a lot, so I can't be 100% sure). It downloaded the Microsoft recovery software and seemed to successfully run until completion. I have restarted and shut down a couple of times and let new software install. Now I'm having trouble getting online, so I'm using my wife's laptop. I use Google Chrome and tried to uncheck the proxy server setting, but it was already unchecked. ping.exe is no longer running. It seems like we are winning the war here, but maybe a couple of battles are left. I was hoping there would be a log I could post, but I don't see anything. Sooo happy to see some progress!!! Thank you!!

#11 JonTom (Teacher Emeritus, Malware Team, 5,496 posts)

Posted 29 January 2012 - 02:02 PM

Hello chrisrowe

it seems like we are winning the war here but maybe a couple battles left

I'm pretty sure we are not out of the woods just yet.

If you are unable to connect to the net using the infected machine you may need to use a removable drive (such as a flash drive/USB memory stick) to transfer tools and logs between machines.

i'm using my wife's laptop

Okay. We can use this machine to download and transfer the required tools to the infected machine, and also to post the required logs back here.


Before you do that however, we need to take some preventative measures to reduce any chance of cross infection:


If the laptop runs on XP, please download and run the following tool on the laptop first to reduce the chances of cross infection:

  • Please download Flash Disinfector


    • Click here to download Flash Disinfector and save the file (called Flash_Disinfector.exe) to your desktop.
    • Double click on the Flash_Disinfector.exe icon to run the program and follow any prompts that may appear.
    • The program may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so if prompted.
    • Wait until Flash disinfector has finished scanning and then exit the program.
    • Reboot your computer.

    If it runs on Vista/Win7, use this one instead:
  • AutoRun Eater


    • Download Autorun Eater and save it to your desktop.
    • Plug all of your removable storage devices into the machine (USB sticks etc) and run the tool.


was hoping there would be a log i could post, but don't see anything

The Combofix log will determine our next course of action so it is very important that we have it.

Please check your C:\ drive for the following file:

C:\ComboFix.txt

If you can find the Combofix log, copy it to the flash drive and use the laptop to post it back here.

If there is no Combofix log, please scan the infected machine with DDS again and post the logs created in your next reply.


#12 chrisrowe (Authentic Member, 29 posts)

Posted 30 January 2012 - 12:23 AM

Hey, how's it going? so i looked for the ComboFix Log and could not find it. I also wanted to mention after i ran ComboFix and tried to restart, it asked if i wanted to install new downloads and shutdown, which i did, but it still says that as if the download have never really been installed. i also can't find the new microsoft recovery software, so i'm wondering if there was a problem somewhere along the way. Just want to give you as much information as possible. I downloaded the flash disinfector, and cleaned the flashdrive. here is the new DDS.txt and the Attach.txt (does this really have to be zipped?) please let me know what you think, and thank you for your patience :) . DDS (Ver_11-03-05.01) - NTFSx86 Run by Christopher at 21:30:59.71 on Sun 01/29/2012 Internet Explorer: 8.0.6001.18702 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2037.1287 [GMT -6:00] . AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095} . ============== Running Processes =============== . 
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\1.3.21.79\GoogleCrashHandler.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Program Files\Memeo\AutoBackup\MemeoBackgroundService.exe
C:\WINDOWS\svcs.exe
C:\Program Files\Seagate\Seagate Dashboard\SeagateDashboardService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\hphmon04.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\HPHipm11.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\SolidWorks Corp\SolidWorks\swScheduler\swBOEngine.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Memeo\AutoBackup\MemeoUpdater.exe
C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\SolidWorksLicTemp.0001
C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Christopher\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: XFINITY Toolbar: {4b9bcce8-a70b-402a-a7e1-db96831ee26f} - c:\program files\xfin_portal\comcastdx.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Updater For XFIN_PORTAL: {bb46be07-13eb-4c49-b0f0-fc78b9ea4983} - c:\program files\xfin_portal\auxi\comcastAu.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: ChromeFrame BHO: {ecb3c477-1a0a-44bd-bb57-78f9efe34fa7} - c:\program files\google\chrome frame\application\16.0.912.77\npchrome_frame.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
TB: XFINITY Toolbar: {4b9bcce8-a70b-402a-a7e1-db96831ee26f} - c:\program files\xfin_portal\comcastdx.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\christopher\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [AdobeBridge]
uRun: [Desktop Software] "c:\program files\common files\supportsoft\bin\bcont.exe" /ini "c:\program files\comcastui\desktop software\uinstaller.ini" /fromrun /starthidden
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [<NO NAME>]
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [Adobe_ID0ENQBO] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [SolidWorks_CheckForUpdates] "c:\program files\common files\solidworks installation manager\scheduler\sldIMScheduler.exe" /scheduler
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Nikon Message Center 2] c:\program files\nikon\nikon message center 2\NkMC2.exe -s
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe
mRun: [HPHmon04] c:\windows\system32\hphmon04.exe
mRun: [HPHUPD04] "c:\program files\hp photosmart 11\hphinstall\unipatch\hphupd04.exe"
mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Seagate Dashboard] c:\program files\seagate\seagate dashboard\MemeoLauncher.exe --silent --no_ui
mRun: [Memeo Instant Backup] c:\program files\memeo\autobackup\MemeoLauncher2.exe --silent --no_ui
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\christ~1\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\christopher\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\christ~1\startm~1\programs\startup\solidw~1.lnk - c:\program files\solidworks corp\solidworks\swscheduler\swBOEngine.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert link target to existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: gcf - {9875BFAF-B04D-445E-8A69-BE36838CDE3E} - c:\program files\google\chrome frame\application\16.0.912.77\npchrome_frame.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\memeo\autobackup\MemeoBackgroundService.exe [2010-4-22 25824]
R2 NetworkLog;NetworkLog;c:\windows\svcs.exe [2011-12-15 579072]
R2 SeagateDashboardService;Seagate Dashboard Service;c:\program files\seagate\seagate dashboard\SeagateDashboardService.exe [2011-6-1 14088]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-6 135664]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 284016]
S3 CoordinatorServiceHost;SW Distributed TS Coordinator Service;c:\program files\solidworks corp\solidworks\swscheduler\DTSCoordinatorService.exe [2008-9-9 79144]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-6 135664]
S3 PROCEXP151;PROCEXP151;\??\c:\windows\system32\drivers\procexp151.sys --> c:\windows\system32\drivers\PROCEXP151.SYS [?]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2005-9-23 2799808]
.
=============== Created Last 30 ================
.
2012-01-29 07:54:45 -------- d-sha-r- C:\cmdcons
2012-01-29 07:41:00 98816 ----a-w- c:\windows\sed.exe
2012-01-29 07:41:00 518144 ----a-w- c:\windows\SWREG.exe
2012-01-29 07:41:00 256000 ----a-w- c:\windows\PEV.exe
2012-01-29 07:41:00 208896 ----a-w- c:\windows\MBR.exe
2012-01-29 07:39:38 -------- d-s---w- C:\ComboFix
2012-01-29 03:55:46 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2012-01-29 03:55:46 21504 ----a-w- c:\windows\system32\hidserv.dll
2012-01-28 22:37:10 56200 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{81ec3338-77ea-4831-80bb-1f838722c797}\offreg.dll
2012-01-27 15:49:51 29904 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{81ec3338-77ea-4831-80bb-1f838722c797}\MpKsl98aaf3d3.sys
2012-01-27 14:25:12 6557240 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{81ec3338-77ea-4831-80bb-1f838722c797}\mpengine.dll
2012-01-27 14:07:17 -------- d-----w- C:\eac2f908d0fdd11df880a2
2012-01-17 04:13:47 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-01-17 04:13:47 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2012-01-17 03:50:10 -------- d-----w- C:\utils
2012-01-10 03:01:49 43 ----a-w- c:\windows\b.bat
.
==================== Find3M ====================
.
2012-01-10 03:01:49 579072 ----a-w- c:\windows\svcs.exe
2011-12-07 16:08:58 236576 ------w- c:\windows\system32\MpSigStub.exe
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23:59 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
.
============= FINISH: 21:37:46.75 ===============

Attached Files



#13 JonTom

JonTom

    Teacher Emeritus

  • Malware Team
  • 5,496 posts

Posted 30 January 2012 - 06:47 AM

Hello chrisrowe

Thank you for the logs. There is no need to attach any logs, just post them directly into your replies.

I also wanted to mention that after I ran ComboFix and tried to restart, it asked if I wanted to install new downloads and shut down, which I did

Are we talking about Combofix here? If Combofix notifies you that there are updates available please allow them to install. However, please do not download or install any other updates while the machine is still infected as it may cause us problems.

I can still see evidence of the main infection (Zero Access Rootkit) on your machine.

Let's try the following:

First, drag the copy of Combofix that is on the desktop of the infected machine to the Recycle Bin and then empty the Bin.

Next, using the uninfected laptop, download another copy of Combofix to the desktop of the laptop.

Once it has been downloaded, I would like you to make sure that file extensions are showing so we can rename the downloaded file.


If the laptop runs on XP use the following instructions:

  • Please make all files and folders Visible:


    • Click "Start" Go to My Computer-> Tools-> Folder Options-> View tab:
    • Choose to "Show hidden files and folders".
    • Uncheck the "Hide protected operating system files" and the "Hide extensions for known file types" boxes.
    • Close the window with "OK".

    If it runs on Vista use these instructions:

  • Please make all files and folders Visible:


    • Close all programs so that you are on your desktop.
    • Click on the "Windows Orb" and select the Control Panel menu option.
    • When the control panel opens you will either be in Classic View or Control Panel Home view:


    • If you are in Classic View do the following:
    • Double-click on the Folder Options icon.
    • Click on the View tab.
    • Under the "Hidden files and folders" section, select the radio button labeled "Show hidden files and folders".
    • Remove the checkmark from the checkbox labeled "Hide extensions for known file types".
    • Remove the checkmark from the checkbox labeled "Hide protected operating system files".
    • Press the "Apply" button and then the "OK" button.


    • If you are in Control Panel Home view do the following:
    • Click on the Appearance and Personalization link.
    • Click on "Show Hidden Files or Folders".
    • Under the "Hidden files and folders" section, select the radio button labeled "Show hidden files and folders".
    • Remove the checkmark from the checkbox labeled "Hide extensions for known file types".
    • Remove the checkmark from the checkbox labeled "Hide protected operating system files".
    • Press the "Apply" button and then the "OK" button.

    • More detailed notes plus a video tutorial of this procedure can be found here.


    If it runs on Win7 use these:

  • Please make all files and folders VISIBLE:


    • Close all open programs.
    • Click on the "Windows Orb" (bottom left hand corner of your screen).
    • Click on "Control Panel", and then on "Appearance and Personalization".
    • Under Folder Options, click on "Show hidden files and folders".
    • Remove the checkmark from the checkbox labeled "Hide extensions for known file types".
    • Remove the checkmark from the checkbox labeled "Hide protected operating system files (Recommended)".
    • Press the "Apply" button and then the "OK" button.
    • For more detail, please see here.

    Once the file extensions are showing, please rename Combofix.exe to jontom.com.

    Make sure that it is not renamed to jontom.exe.com (which can sometimes happen).

    Once renamed, copy jontom.com to the flash drive and place it directly onto the C:\ drive of the infected machine, so that it looks like this:

    C:\jontom.com

    Next, disable all of your security programs, then navigate to jontom.com and allow it to run unhindered.

    If a log is produced (please check your C drive if it does not appear) post it in your next reply.

    If you are still having problems getting Combofix to complete its run come back and let me know.

Would you like to help others? Join the Classroom and learn how.
 
Member of UNITE
Proud Graduate of the WTT Classroom

#14 chrisrowe

chrisrowe

    Authentic Member

  • Authentic Member
  • PipPip
  • 29 posts

Posted 01 February 2012 - 07:38 AM

Good Morning! Everything seemed to go well. There was one warning on the screen after the log was posted stating:

NkMC2
Encountered an improper argument.

Other than that it seemed to work fine, here is the ComboFix Log:


ComboFix 12-01-30.02 - Christopher 01/31/2012 22:07:13.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2037.1549 [GMT -6:00]
Running from: C:\jontom.com
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Christopher\WINDOWS
c:\windows\b.bat
c:\windows\svcs.exe
c:\windows\system32\DC120fc7_32.dll
c:\windows\system32\SET93.tmp
c:\windows\system32\SET97.tmp
c:\windows\system32\SET9F.tmp
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NETWORKLOG
-------\Service_NetworkLog
.
.
((((((((((((((((((((((((( Files Created from 2012-01-01 to 2012-02-01 )))))))))))))))))))))))))))))))
.
.
2012-01-29 03:55 . 2008-04-14 11:41 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2012-01-29 03:55 . 2008-04-14 11:41 21504 ----a-w- c:\windows\system32\hidserv.dll
2012-01-28 22:37 . 2012-01-28 22:37 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{81EC3338-77EA-4831-80BB-1F838722C797}\offreg.dll
2012-01-27 15:49 . 2012-01-27 15:49 29904 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{81EC3338-77EA-4831-80BB-1F838722C797}\MpKsl98aaf3d3.sys
2012-01-27 14:25 . 2012-01-06 04:19 6557240 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{81EC3338-77EA-4831-80BB-1F838722C797}\mpengine.dll
2012-01-27 14:07 . 2012-01-27 14:07 -------- d-----w- C:\eac2f908d0fdd11df880a2
2012-01-17 04:13 . 2012-01-17 04:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2012-01-17 04:13 . 2012-01-17 04:17 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-01-17 03:50 . 2012-01-17 03:50 -------- d-----w- C:\utils
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-06 04:19 . 2011-09-28 03:05 6557240 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-12-07 16:08 . 2011-09-27 03:05 236576 ------w- c:\windows\system32\MpSigStub.exe
2011-12-02 18:05 . 2008-08-14 12:57 73312 ----a-w- c:\windows\system32\drivers\adfs.sys
2011-11-23 13:25 . 2008-04-14 12:00 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-04 19:20 . 2008-04-14 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2008-04-14 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2008-04-14 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2008-04-14 12:00 385024 ----a-w- c:\windows\system32\html.iec
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2008-04-14 . 23C74D75E36E7158768DD63D92789A91 . 75264 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ipsec.sys
[-] 2008-04-14 12:00 . 1DA6C0C952319F33A54C16C024FE905A . 75264 . . [------] . . c:\windows\system32\drivers\ipsec.sys
.
[7] 2008-04-14 . 23C74D75E36E7158768DD63D92789A91 . 75264 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ipsec.sys
[-] 2008-04-14 12:00 . 1DA6C0C952319F33A54C16C024FE905A . 75264 . . [------] . . c:\windows\system32\drivers\ipsec.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Christopher\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Christopher\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Christopher\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Christopher\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-18 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-18 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-18 138008]
"RTHDCPL"="RTHDCPL.EXE" [2007-06-12 16377344]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2011-12-02 611712]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-10-03 38768]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-10-03 640376]
"SolidWorks_CheckForUpdates"="c:\program files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe" [2008-09-15 7218472]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-06 149280]
"Nikon Message Center 2"="c:\program files\Nikon\Nikon Message Center 2\NkMC2.exe" [2010-05-26 619008]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2006-01-06 188416]
"HPHmon04"="c:\windows\system32\hphmon04.exe" [2006-01-06 348160]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2011-06-06 251744]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"Seagate Dashboard"="c:\program files\Seagate\Seagate Dashboard\MemeoLauncher.exe" [2011-06-01 79112]
"Memeo Instant Backup"="c:\program files\Memeo\AutoBackup\MemeoLauncher2.exe" [2010-04-23 136416]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\Christopher\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Christopher\Application Data\Dropbox\bin\Dropbox.exe [2011-8-22 24182896]
SolidWorks Task Scheduler Engine.lnk - c:\program files\SolidWorks Corp\SolidWorks\swScheduler\swBOEngine.exe [2008-9-9 841000]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-2-5 118784]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Seagate\\Seagate Dashboard\\HipServAgent\\HipServAgent.exe"=
"c:\\Documents and Settings\\Christopher\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Documents and Settings\\Christopher\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Documents and Settings\\Christopher\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\Memeo\AutoBackup\MemeoBackgroundService.exe [4/22/2010 6:33 PM 25824]
R2 SeagateDashboardService;Seagate Dashboard Service;c:\program files\Seagate\Seagate Dashboard\SeagateDashboardService.exe [6/1/2011 10:42 AM 14088]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 9:17 PM 135664]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 4:46 AM 284016]
S3 CoordinatorServiceHost;SW Distributed TS Coordinator Service;c:\program files\SolidWorks Corp\SolidWorks\swScheduler\DTSCoordinatorService.exe [9/9/2008 5:01 AM 79144]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 9:17 PM 135664]
S3 PROCEXP151;PROCEXP151;\??\c:\windows\system32\Drivers\PROCEXP151.SYS --> c:\windows\system32\Drivers\PROCEXP151.SYS [?]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 6:01 AM 2799808]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [9/23/2009 5:57 PM 685816]
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2012-02-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-07 03:17]
.
2012-02-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-07 03:17]
.
2012-01-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-725345543-484061587-1606980848-1003Core.job
- c:\documents and settings\Christopher\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-04 21:48]
.
2012-02-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-725345543-484061587-1606980848-1003UA.job
- c:\documents and settings\Christopher\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-04 21:48]
.
2012-02-01 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\hp photosmart 11\printer\Hphusg04.exe [2011-01-25 19:07]
.
2012-02-01 c:\windows\Tasks\HP Usg Login.job
- c:\program files\hp photosmart 11\printer\Hphusg04.exe [2011-01-25 19:07]
.
2012-02-01 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 20:39]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert link target to existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-AdobeBridge - (no file)
HKCU-Run-Desktop Software - c:\program files\Common Files\SupportSoft\bin\bcont.exe
HKLM-Run-HPHUPD04 - c:\program files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-31 23:42
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1380)
c:\windows\system32\WININET.dll
c:\documents and settings\Christopher\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Google\Update\1.3.21.79\GoogleCrashHandler.exe
c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxsrvc.exe
c:\program files\Seagate\Seagate Dashboard\MemeoDashboard.exe
c:\program files\Memeo\AutoBackup\InstantBackup.exe
c:\program files\Memeo\AutoBackup\MemeoUpdater.exe
c:\program files\iPod\bin\iPodService.exe
c:\docume~1\CHRIST~1\LOCALS~1\Temp\SolidWorksLicTemp.0001
c:\program files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
c:\program files\Seagate\Seagate Dashboard\HipServAgent\HipServAgent.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2012-02-01 00:11:12 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-01 06:10
.
Pre-Run: 639,599,656,960 bytes free
Post-Run: 653,382,623,232 bytes free
.
- - End Of File - - A4D208ED550CF0326C5B8A8A5930FF8D
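Two things in the logs above are worth pulling out mechanically when reading DDS and ComboFix output: the DDS services list in post #12 shows a service (NetworkLog) whose binary lives directly under c:\windows (c:\windows\svcs.exe, which ComboFix later removed together with the service), and the ComboFix Sigcheck section above shows two copies of ipsec.sys, where the in-use copy in system32\drivers carries a different MD5 from the system32\dllcache copy and has no version information. The Python script below is an added example, not part of the thread and not DDS or ComboFix code; it parses those two line formats from sample lines copied from the logs on this page and flags both conditions. The regexes are my reading of the log formats shown here, and treating the `[-]` marker as "unsigned" follows the note under the Sigcheck header; both are assumptions, and a hit from either check is a pointer to look closer, not a verdict on its own.

```python
"""Triage helper for DDS / ComboFix log excerpts.

Added example for this thread; it is not DDS or ComboFix code. The line
formats below are inferred from the logs posted above (assumption).
"""
import re
from collections import defaultdict

# Constructed sample input: service lines copied from the DDS log in post #12.
DDS_SERVICE_LINES = r"""
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\memeo\autobackup\MemeoBackgroundService.exe [2010-4-22 25824]
R2 NetworkLog;NetworkLog;c:\windows\svcs.exe [2011-12-15 579072]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-6 135664]
"""

# Constructed sample input: Sigcheck lines copied from the ComboFix log in post #14.
SIGCHECK_LINES = r"""
[7] 2008-04-14 . 23C74D75E36E7158768DD63D92789A91 . 75264 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ipsec.sys
[-] 2008-04-14 12:00 . 1DA6C0C952319F33A54C16C024FE905A . 75264 . . [------] . . c:\windows\system32\drivers\ipsec.sys
"""

# DDS service line: "<state> <name>;<display name>;<path> [<date> <size>]"
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<date>\d{4}-\d{1,2}-\d{1,2})\s+(?P<size>\d+)\]$"
)

# ComboFix Sigcheck line: "[flag] date [time] . MD5 . size . . [version] . . path"
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+(?P<date>\d{4}-\d{2}-\d{2})(?:\s+\d{2}:\d{2})?"
    r"\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$"
)


def parse_services(text):
    """Parse DDS 'SERVICES / DRIVERS' lines; lines that do not match are skipped."""
    services = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["size"] = int(entry["size"])
            entry["path"] = entry["path"].lower()
            services.append(entry)
    return services


def odd_service_locations(services, system_root="c:\\windows"):
    """Return (service name, path) for services whose binary sits directly in the
    Windows directory rather than in a subdirectory such as system32 or drivers.
    Triage heuristic only: a hit means 'look closer', not 'malicious'."""
    hits = []
    for svc in services:
        parent = svc["path"].rpartition("\\")[0]
        if parent == system_root.lower():
            hits.append((svc["name"], svc["path"]))
    return hits


def parse_sigcheck(text):
    """Parse ComboFix Sigcheck lines into dicts; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["size"] = int(entry["size"])
            entry["md5"] = entry["md5"].upper()
            entry["path"] = entry["path"].lower()
            # Assumption: the log's "[-]" marker means no valid signature was found.
            entry["unsigned"] = entry["flag"].strip() == "-"
            entries.append(entry)
    return entries


def mismatched_copies(entries):
    """Group Sigcheck entries by file name and report every name whose copies
    (for example system32\\drivers vs the system32\\dllcache backup) differ in MD5."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["path"].rpartition("\\")[2]].append(e)
    report = {}
    for name, copies in by_name.items():
        if len({c["md5"] for c in copies}) > 1:
            report[name] = [
                {"path": c["path"], "md5": c["md5"],
                 "unsigned": c["unsigned"], "version": c["version"]}
                for c in copies
            ]
    return report


def triage(dds_text, combofix_text):
    """Run both checks and return the findings as one dict."""
    return {
        "services_in_windows_root": odd_service_locations(parse_services(dds_text)),
        "hash_mismatches": mismatched_copies(parse_sigcheck(combofix_text)),
    }


if __name__ == "__main__":
    for key, value in triage(DDS_SERVICE_LINES, SIGCHECK_LINES).items():
        print(key, value)
```

Run against the sample lines, the service check returns NetworkLog with c:\windows\svcs.exe and the hash check returns ipsec.sys with its two copies, the drivers copy marked unsigned. Feeding the script a whole DDS or ComboFix log works the same way, since lines that do not fit either format are simply skipped.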

#15 JonTom

JonTom

    Teacher Emeritus

  • Malware Team
  • 5,496 posts

Posted 01 February 2012 - 08:52 AM

Hello chrisrowe

Thank you for the log :)

Let's proceed as follows:

  • Please scan the following files




    • On the page you'll find a "Choose File" button.
    • Click on the Choose File button.
    • In the File Upload window which opens, copy and paste this into the File Name box.


    c:\windows\system32\dllcache\ipsec.sys


    • Next, click the Open button.
    • Then click the "Scan It" button just below.
    • This will scan the file. Please be patient.
    • If you get a message saying File has already been analyzed: click Reanalyze file now.
    • Once scanned, copy and paste the link to the results page in your next reply.

  • Please download SystemLook by JPShortstuff


    • Please download SystemLook by JPShortstuff by clicking here or here and save the file (called SystemLook.exe) to your desktop.
    • Double click SystemLook.exe to run the program.
    • Copy the content of the following codebox into the main textfield:

    :dir 
    C:\eac2f908d0fdd11df880a2 /sub

    • Click the Look button to start the scan.
    • The scan may take a while to complete. Please be patient.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    • Note: The log can also be found on your Desktop entitled SystemLook.txt

    Please post the link to the Virus Total results page and the SystemLook log in your next reply.

Would you like to help others? Join the Classroom and learn how.
 
Member of UNITE
Proud Graduate of the WTT Classroom
