Yesterday my computer all of a sudden restarted and was then stuck in a restart loop. It went to the option to use safe mode, so I selected the option to use the last known working settings, which fixed the restart loop. After that I tried to scan for viruses/malware/spyware with Spybot and Malwarebytes, neither of which will work. Malwarebytes will start scanning for about 2-5 seconds then closes, and when I try to open it it tells me I don't have permissions. Spybot tells me that spybotsd.exe is read only and won't install or run. I used ComboFix to create a log, which is here:
ComboFix 09-09-30.01 - Charissa 09/30/2009 17:48.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.592 [GMT -7:00]
Running from: c:\documents and settings\Charissa\My Documents\Downloads\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\17065314
c:\documents and settings\All Users\Application Data\17065314\17065314
c:\documents and settings\All Users\Application Data\17065314\17065314.exe
c:\documents and settings\All Users\Application Data\17065314\pc17065314ins
c:\program files\Adware Professional
c:\program files\Adware Professional\noadware4_092909.na
c:\windows\Installer\617438.msi
c:\windows\system32\drivers\gasfkyexmyeoqd.sys
c:\windows\system32\gasfkyesmusiwu.dat
c:\windows\system32\gasfkyjxomtivp.dll
c:\windows\system32\gasfkykaliubyb.dat
c:\windows\system32\gasfkymlgiyuht.dll
c:\windows\system32\gasfkywptevrxm.dat
c:\windows\system32\gasfkyxnbevmet.dll
c:\windows\system32\gasfkyxvbuyamd.dll
Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
((((((((((((((((((((((((( Files Created from 2009-09-01 to 2009-10-01 )))))))))))))))))))))))))))))))
.
2009-10-01 00:38 . 2008-05-30 08:06 34296 ----a-w- c:\windows\system32\drivers\mbamcatchme.sys
2009-09-30 21:47 . 2009-09-30 21:47 -------- d-----w- C:\WTablet
2009-09-30 21:12 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-30 11:17 . 2009-09-30 11:17 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-09-30 11:10 . 2009-10-01 00:37 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-30 11:10 . 2009-10-01 00:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-30 10:45 . 2008-12-11 15:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-09-30 10:44 . 2009-08-24 21:05 206256 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-09-30 10:44 . 2009-08-19 18:01 86888 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-09-30 10:43 . 2009-09-30 10:48 -------- d-----w- c:\program files\Common Files\PC Tools
2009-09-30 10:43 . 2008-12-10 18:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-09-30 10:42 . 2009-09-30 10:42 -------- d-----w- c:\documents and settings\Charissa\Application Data\PC Tools
2009-09-30 10:42 . 2009-09-30 10:42 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-09-30 10:40 . 2009-10-01 00:35 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-30 09:54 . 2009-09-30 09:54 -------- d-----w- c:\documents and settings\Charissa\Application Data\Malwarebytes
2009-09-30 09:54 . 2009-09-30 09:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-30 09:54 . 2009-10-01 00:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-30 09:54 . 2008-05-30 08:06 15864 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-30 08:56 . 2009-09-30 08:56 -------- d-----w- c:\program files\InterVideo Information Service
2009-09-30 08:56 . 2009-09-30 08:56 -------- d-----w- c:\program files\Common Files\Ulead
2009-09-30 08:55 . 2009-09-30 08:55 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
2009-09-30 08:50 . 2008-05-30 21:18 238088 ----a-w- c:\windows\system32\xactengine3_1.dll
2009-09-30 08:39 . 2009-09-30 09:07 -------- d--h--w- c:\windows\msdownld.tmp
2009-09-30 07:04 . 2009-09-30 23:56 0 ----a-r- c:\windows\win32k.sys
2009-09-30 01:37 . 2009-09-30 01:36 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-30 01:34 . 2009-09-30 01:34 152576 ----a-w- c:\documents and settings\Charissa\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
2009-09-28 08:24 . 2009-09-28 08:24 127872 ----a-w- c:\documents and settings\Charissa\Application Data\Move Networks\uninstall.exe
2009-09-28 08:24 . 2009-09-28 08:24 -------- d-----w- c:\documents and settings\Charissa\Application Data\Move Networks
2009-09-28 05:12 . 2009-09-28 05:12 -------- d-----w- c:\documents and settings\LocalService\Application Data\WTablet
2009-09-23 20:22 . 2009-09-23 20:22 -------- d-----w- c:\program files\iPod
2009-09-23 20:21 . 2009-09-23 20:23 -------- d-----w- c:\program files\iTunes
2009-09-22 10:18 . 2009-09-22 10:18 -------- d-----w- c:\program files\Veoh Networks
2009-09-16 18:42 . 2009-09-16 18:44 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-16 18:39 . 2009-09-16 18:40 -------- d-----w- c:\program files\QuickTime
2009-09-15 00:02 . 2009-09-15 00:02 8704 ----a-w- c:\documents and settings\Charissa\Application Data\Thinstall\Visual Thesaurus 3.0.2\400000c00003i\java.exe
2009-09-15 00:02 . 2009-09-15 00:02 -------- d-----w- c:\documents and settings\Charissa\Application Data\Thinstall
2009-09-14 03:49 . 2009-09-14 03:49 -------- d-----w- c:\program files\Black Isle
2009-09-14 01:12 . 2009-09-14 01:12 -------- d-----w- c:\documents and settings\Charissa\Application Data\EPSON
2009-09-13 06:58 . 2009-09-28 05:14 -------- d-----w- c:\program files\RapidBIT
2009-09-13 06:29 . 2009-09-13 06:29 -------- d-----w- c:\documents and settings\Charissa\Application Data\dvdcss
2009-09-13 06:24 . 2008-05-06 06:01 45056 ----a-w- c:\windows\system32\WNASPI32.DLL
2009-09-13 06:24 . 2008-05-06 06:01 16512 ----a-w- c:\windows\system32\drivers\ASPI32.SYS
2009-09-13 06:23 . 2009-09-13 07:01 -------- d-----w- c:\program files\ImTOO
2009-09-10 05:28 . 2009-09-10 05:28 -------- d-sh--w- c:\documents and settings\Charissa\IECompatCache
2009-09-03 02:39 . 2009-10-01 00:55 -------- d-----w- c:\documents and settings\Charissa\Application Data\WTablet
2009-09-03 02:38 . 2004-08-04 07:56 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2009-09-03 02:38 . 2004-08-04 07:56 21504 ----a-w- c:\windows\system32\hidserv.dll
2009-09-03 02:38 . 2004-08-04 05:58 14848 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2009-09-03 02:38 . 2004-08-04 05:58 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2009-09-03 02:38 . 2007-02-16 00:11 11440 ----a-w- c:\windows\system32\drivers\WacomVKHid.sys
2009-09-03 02:38 . 2007-02-16 19:12 11312 ----a-w- c:\windows\system32\drivers\wacommousefilter.sys
2009-09-03 02:38 . 2007-02-16 18:30 12848 ----a-w- c:\windows\system32\drivers\wacomvhid.sys
2009-09-03 02:37 . 2009-09-03 02:37 -------- d-----w- c:\windows\system32\WTablet
2009-09-03 02:37 . 2007-09-07 18:09 128296 ------w- c:\windows\system32\Pen_Tablet.dll
2009-09-03 02:37 . 2007-09-07 17:55 181544 ------w- c:\windows\system32\Wintab32.dll
2009-09-03 02:37 . 2007-09-07 18:16 1373480 ------w- c:\windows\system32\Pen_Tablet.exe
2009-09-03 02:37 . 2009-09-03 02:38 -------- d-----w- c:\program files\Tablet
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-01 00:55 . 2009-06-27 22:05 -------- d-----w- c:\program files\DNA
2009-10-01 00:55 . 2009-06-27 22:05 -------- d-----w- c:\documents and settings\Charissa\Application Data\DNA
2009-10-01 00:54 . 2009-06-18 06:02 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2009-10-01 00:54 . 2009-06-18 06:00 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2009-09-30 21:47 . 2009-06-13 07:39 74096 ----a-w- c:\documents and settings\Charissa\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-30 21:12 . 2009-06-13 07:33 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-30 08:58 . 2009-06-27 22:06 -------- d-----w- c:\documents and settings\Charissa\Application Data\BitTorrent
2009-09-30 08:57 . 2009-06-17 00:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-09-30 08:53 . 2009-06-13 07:32 -------- d-----w- c:\program files\Common Files\InstallShield
2009-09-30 08:06 . 2009-06-17 06:40 -------- d-----w- c:\documents and settings\Charissa\Application Data\Skype
2009-09-30 06:32 . 2009-06-17 06:41 -------- d-----w- c:\documents and settings\Charissa\Application Data\skypePM
2009-09-30 01:36 . 2009-06-13 07:18 -------- d-----w- c:\program files\Java
2009-09-28 08:24 . 2009-06-16 06:35 4183416 ----a-w- c:\documents and settings\Charissa\Application Data\Move Networks\plugins\npqmp071503000010.dll
2009-09-24 18:40 . 2009-06-17 00:24 -------- d-----w- c:\documents and settings\Charissa\Application Data\Apple Computer
2009-09-23 20:22 . 2009-06-17 00:23 -------- d-----w- c:\program files\Common Files\Apple
2009-09-16 19:47 . 2009-08-26 06:12 -------- d-----w- c:\program files\Diablo II
2009-09-16 19:47 . 2009-08-26 06:27 21840 ----atw- c:\windows\system32\SIntfNT.dll
2009-09-16 19:47 . 2009-08-26 06:27 17212 ----atw- c:\windows\system32\SIntf32.dll
2009-09-16 19:47 . 2009-08-26 06:27 12067 ----atw- c:\windows\system32\SIntf16.dll
2009-09-10 01:56 . 2009-08-28 13:18 -------- d-----w- c:\program files\RootsMagic
2009-09-05 00:44 . 2009-09-30 08:51 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2009-09-05 00:44 . 2009-09-30 08:51 238936 ----a-w- c:\windows\system32\xactengine3_5.dll
2009-09-05 00:29 . 2009-09-30 08:51 235344 ----a-w- c:\windows\system32\d3dx11_42.dll
2009-09-05 00:29 . 2009-09-30 08:51 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2009-09-05 00:29 . 2009-09-30 08:51 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2009-09-05 00:29 . 2009-09-30 08:51 5501792 ----a-w- c:\windows\system32\d3dcsx_42.dll
2009-09-05 00:29 . 2009-09-30 08:51 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2009-09-03 04:19 . 2009-09-03 04:19 -------- d-----w- c:\documents and settings\Charissa\Application Data\InstallShield
2009-09-03 04:19 . 2009-09-03 04:16 -------- d-----w- c:\program files\epson
2009-08-31 09:31 . 2009-08-31 09:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-31 09:28 . 2009-08-31 09:28 -------- d-----w- c:\program files\Microsoft Works
2009-08-31 09:28 . 2009-08-31 09:28 -------- d-----w- c:\program files\MSBuild
2009-08-31 09:24 . 2009-08-31 09:24 -------- d-----w- c:\program files\Microsoft.NET
2009-08-31 09:20 . 2009-08-31 09:20 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-08-31 09:08 . 2009-07-05 21:59 -------- d-----w- c:\program files\RoughDraft
2009-08-29 06:08 . 2009-08-29 06:08 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-08-29 05:52 . 2009-08-27 04:09 -------- d-----w- c:\program files\DAEMON Tools Lite
2009-08-29 05:41 . 2009-06-22 18:38 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-29 05:34 . 2009-08-29 05:34 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-08-28 20:32 . 2009-08-28 13:18 -------- d-----w- c:\documents and settings\Charissa\Application Data\RootsMagic
2009-08-28 20:32 . 2009-08-28 13:18 -------- d-----w- c:\documents and settings\All Users\Application Data\RootsMagic
2009-08-28 14:12 . 2009-08-28 14:12 -------- d-----w- c:\program files\Common Files\RootsMagic Shared
2009-08-28 14:12 . 2009-08-28 14:12 -------- d-----w- c:\program files\RootsMagic 4
2009-08-28 13:17 . 2009-08-27 01:14 -------- d-----w- c:\documents and settings\Charissa\Application Data\DAEMON Tools Lite
2009-08-27 04:16 . 2009-08-26 06:18 34587 ----a-w- c:\windows\DIIUnin.dat
2009-08-27 04:12 . 2009-08-27 04:12 -------- d-----w- c:\documents and settings\Charissa\Application Data\DAEMON Tools Pro
2009-08-27 04:09 . 2009-08-27 04:09 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-08-27 04:09 . 2009-08-27 04:09 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2009-08-27 01:14 . 2009-08-27 01:14 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-08-26 22:40 . 2009-08-26 22:39 -------- d-----w- c:\program files\ATT-PRT22-WISE
2009-08-26 22:40 . 2009-08-26 22:40 -------- d-----w- c:\program files\att-prt22
2009-08-26 22:40 . 2009-08-26 22:39 -------- d-----w- c:\program files\Common Files\Motive
2009-08-26 22:40 . 2009-08-26 22:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Motive
2009-08-26 09:01 . 2009-08-26 09:01 -------- d-----w- c:\documents and settings\Charissa\Application Data\MSN6
2009-08-26 09:01 . 2009-08-26 09:01 -------- d-----w- c:\documents and settings\All Users\Application Data\MSN6
2009-08-26 06:18 . 2009-08-26 06:18 94208 ----a-w- c:\windows\DIIUnin.exe
2009-08-26 06:18 . 2009-08-26 06:18 2829 ----a-w- c:\windows\DIIUnin.pif
2009-08-26 05:53 . 2009-08-25 05:02 -------- d-----w- c:\documents and settings\Charissa\Application Data\Ahead
2009-08-25 05:02 . 2009-08-25 05:00 -------- d-----w- c:\program files\Common Files\Ahead
2009-08-25 05:00 . 2009-08-25 05:00 -------- d-----w- c:\program files\Nero
2009-08-24 11:31 . 2009-08-24 11:31 -------- d-----w- c:\documents and settings\Charissa\Application Data\Final Draft
2009-08-14 13:58 . 2009-09-30 10:44 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-08-03 13:45 . 2009-08-03 13:45 0 ---ha-w- c:\windows\system32\drivers\Msft_User_ZuneDriver_01_07_00.Wdf
2009-08-03 13:45 . 2009-08-03 13:45 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf
2009-08-03 13:43 . 2009-08-03 13:43 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2009-07-05 22:20 . 2009-07-05 22:17 1102 ----a-w- c:\windows\PowerReg.dat
2009-07-03 17:09 . 2003-03-31 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & LEGIT default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-09-03 3342336]
"Google Update"="c:\documents and settings\Charissa\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-06-16 133104]
"Logitech Vid"="c:\program files\Logitech\Logitech Vid\vid.exe" [2009-06-02 5451536]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-06-27 321344]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-21 39408]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2009-08-20 2000120]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-04 61440]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-05-08 2780432]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-06-22 198160]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-12-12 157312]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-30 149280]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2008-06-19 77824]
"AlcWzrd"="ALCWZRD.EXE" - c:\windows\ALCWZRD.EXE [2008-06-19 2808832]

c:\documents and settings\Charissa\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Logitech\\Logitech Vid\\Vid.exe"=

R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [9/2/2009 7:37 PM 1373480]
S2 FlexService;Remote Connections Service;"c:\program files\RapidBIT\cisvc.exe" --> c:\program files\RapidBIT\cisvc.exe [?]
S2 gupdate1ca09a1297cbeca;Google Update Service (gupdate1ca09a1297cbeca);c:\program files\Google\Update\GoogleUpdate.exe [7/20/2009 6:18 PM 133104]
S3 PciCon;PciCon;\??\j:\pcicon.sys --> j:\PciCon.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-09-23 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
2009-10-01 c:\windows\Tasks\Google Software Updater.job - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-07-21 01:17]
2009-10-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-07-21 01:18]
2009-10-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-07-21 01:18]
2009-09-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1220945662-73586283-725345543-1004Core.job - c:\documents and settings\Charissa\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-16 06:41]
2009-10-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1220945662-73586283-725345543-1004UA.job - c:\documents and settings\Charissa\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-16 06:41]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.daemon-search.com/startpage
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-MSMSGS - c:\program files\Messenger\msmsgs.exe
HKLM-Run-ISUSPM - c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
HKLM-Run-NWEReboot - (no file)
AddRemove-{F37167DD-4436-4641-90B6-329D60632DDA} - c:\program files\InstallShield Installation Information\{F37167DD-4436-4641-90B6-329D60632DDA}\Setup.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-30 17:55
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
Denied: (A 2) (Everyone)
="FlashBroker"
"LocalizedString"="c:\\WINDOWS\\System32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
="c:\\WINDOWS\\System32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
Denied: (A 2) (Everyone)
="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(708)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3768)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\hnetcfg.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\documents and settings\Charissa\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\system32\ZuneBusEnum.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-10-01 17:59 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-01 00:59
Pre-Run: 99,820,617,728 bytes free
Post-Run: 102,137,978,880 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

316 --- E O F --- 2009-07-29 10:00

Hi, I see that you have used combofix. What website did you download it from?

I don't remember, probably the main one. Why is it bad if I hadn't?

Download and SAVE the below to your PC (save it anywhere you can find it. The Desktop is fine). Then double click on it to run it.
AVPFind.bat
It should take a couple of minutes to run. You will see a black command prompt window while it is running, and it should close when it is finished. Once it finishes, attach the c:\avplog.txt file that it will hopefully create, as long as the malware does not block the batch file from running.
----------
Now download and Run exeHelper
- Please download exeHelper to your desktop.
- Double-click on exeHelper.com to run the fix.
- A black window should pop up, press any key to close once the fix is completed.
- Post the contents of log.txt (Will be created in the DIRECTORY where you ran exeHelper.com)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).
----------
Also please try running this online scan: http://www.superantispyware.com/onlinescan.html
Reboot immediately after scanning if it finds and removes anything. Let me know if anything was found. See if you can save a log from it and post it in the next reply.
-----
Next post please add:
- AVPFind log
- exeHelper log
- Superantispyware log (if you could save one)
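The ComboFix log posted at the top of this thread carries most of the information a responder needs, but it is easy to miss in a wall of text: a kernel driver among the deleted files, a patched system DLL that had to be restored, Security Center alerts suppressed and the firewall switched off in the registry. The following Python script is an added example, not part of this thread and not code from the ComboFix author; it parses a constructed excerpt modelled on the posted log (section banners, the lone-dot spacers and the `"Name"=value` registry format are ComboFix's own conventions as they appear above) and turns it into a short triage list. The severity labels and the choice of which findings to flag are my own assumptions.

```python
import re
from collections import OrderedDict

# Constructed excerpt modelled on the ComboFix log posted above (trimmed to a
# few representative lines; a real log runs to several hundred lines).
SAMPLE_LOG = """\
ComboFix 09-09-30.01 - Charissa 09/30/2009 17:48.1.2 - NTFSx86
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\\documents and settings\\All Users\\Application Data\\17065314\\17065314.exe
c:\\program files\\Adware Professional\\noadware4_092909.na
c:\\windows\\system32\\drivers\\gasfkyexmyeoqd.sys
c:\\windows\\system32\\gasfkyjxomtivp.dll
Infected copy of c:\\windows\\system32\\eventlog.dll was found and disinfected
Restored copy from - c:\\windows\\ServicePackFiles\\i386\\eventlog.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")          # (((( Section Name ))))
DRIVE_PATH_RE = re.compile(r"^[a-z]:\\", re.IGNORECASE)  # lines that are a c:\ path
REG_KEY_RE = re.compile(r"^\[(.+)\]$")                   # [HKEY_...]
REG_VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')     # "Name"=value
DISINFECTED_RE = re.compile(r"^Infected copy of (.+?) was found and disinfected$")


def split_sections(text):
    """Group log lines under the ComboFix banner they follow ('Header' before the first)."""
    sections = OrderedDict([("Header", [])])
    current = "Header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":      # ComboFix uses lone dots as spacers
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        sections[current].append(line)
    return sections


def deleted_paths(sections):
    """Every path ComboFix reports having removed (drive-letter lines under 'Other Deletions')."""
    return [l for l in sections.get("Other Deletions", []) if DRIVE_PATH_RE.match(l)]


def flag_findings(sections):
    """Reduce the log to (severity, finding) pairs worth a responder's attention."""
    findings = []
    for line in sections.get("Other Deletions", []):
        low = line.lower()
        # A removed .sys under drivers\ means the infection had a kernel-mode component.
        if DRIVE_PATH_RE.match(line) and "\\drivers\\" in low and low.endswith(".sys"):
            findings.append(("high", "kernel driver removed: " + line))
        m = DISINFECTED_RE.match(line)
        if m:  # a Windows system file was patched in place and had to be restored
            findings.append(("high", "patched system file restored: " + m.group(1)))

    key = ""
    for line in sections.get("Reg Loading Points", []):
        m = REG_KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = REG_VALUE_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip()
        if key.endswith("security center") and name == "AntiVirusOverride" and value.endswith("1"):
            findings.append(("medium", "Security Center antivirus alerts suppressed (AntiVirusOverride=1)"))
        if "firewallpolicy" in key and name == "EnableFirewall" and value.startswith("0"):
            profile = key.rsplit("\\", 1)[-1]
            findings.append(("medium", "Windows Firewall disabled for profile: " + profile))
    return findings


def triage(text):
    """One-call summary: what was deleted and what still needs a human decision."""
    sections = split_sections(text)
    return {"deleted": deleted_paths(sections), "findings": flag_findings(sections)}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("%d item(s) removed by ComboFix" % len(report["deleted"]))
    for severity, finding in report["findings"]:
        print("[%s] %s" % (severity.upper(), finding))
```

Run it against a saved ComboFix.txt by reading the file into `triage()` instead of `SAMPLE_LOG`. The registry findings are the ones that outlive the cleanup: ComboFix deletes files, but `AntiVirusOverride=1` and `EnableFirewall=0` stay set until someone turns the protections back on, so they belong on the follow-up list even after the scan reports success.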