-
Click.GiftLoad appears to be common today
I am having trouble with a Click.giftload malware infection. Seeing that there are several other posts on it, it seems to be the Malware that's "In Style" today.
My problem began last Friday 4/15/11 with my computer shutting down for no reason. It would them attempt to restart, but would make it to the Windows startup screen (with the indeterminate blue scrolling dots), and then throw a very quick "Blue screen" (it's so fast I have no chance of reading it), then try to restart again with the same result. I found that If I disconnected my extra hard drive (Basically a Media Drive), it would then boot normally. I then thought that perhaps I had a power supply issue, (which I may still have), but everything seemed normal, as long as that extra hard drive is unplugged, until I tried Internet Explorer. It began taking me to websites I didn't click on, mostly ads. I tried to go to Trend Micro Housecall, but got redirected. Only by downloading housecall to a USB stick was I able to run it. After running it, I still had the hijacking problem.
I installed a new version of Ad-Aware two days ago and it didn't find it.
I installed Spybot S+D and it found it, says it fixed it, but after I reboot, it's still there.
I have downloaded and ran ERUNT as requested in the "Read this Before Posting"
I have downloaded DDS.com and ran it per the "Read this before posting"
Thank you in advance for the help. I've read through several of the other forum's postings and the people who are helping seem VERY knowledgeable.
Here is the DDS.com log
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Jason at 15:32:20.14 on Thu 04/21/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.750 [GMT -4:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: Anti-Virus - SBC Yahoo! Online Protection *Enabled/Updated* {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\bpowmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\system32\lxdxcoms.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\SoniqCast\SoniqSync\SsSvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\PV92Tray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Jason\Desktop\dds.com
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://search.yahoo.com
uSearch Bar = hxxp://www.yahoo.com/ext/search/search.html
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mDefault_Search_URL = hxxp://search.yahoo.com
mSearch Page = hxxp://search.yahoo.com
mSearch Bar = hxxp://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://search.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110225174931.dll
BHO: Viewpoint Toolbar BHO: {a7327c09-b521-4edb-8509-7d2660c9ec98} - c:\program files\viewpoint\viewpoint toolbar\3.9.0\ViewBarBHO.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - SidebarAutoLaunch Class
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn3\YTSingleInstance.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
EB: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - &Yahoo! Messenger
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
uRun: [WebCamRT.exe]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB0_0_0 -reboot 1
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [PCTVOICE] pctspk.exe
mRun: [PV92TRAY] PV92Tray.exe
IE: &Search - ?p=ZKxdm021YYUS
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {FB858B22-55E2-413f-87F5-30ADC5552151} - c:\program files\plotsoft\pdfill\DownloadPDF.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
LSP: c:\windows\system32\VetRedir.dll
DPF: Microsoft XML Parser for Java
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper200711281.dll
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - hxxp://download.yahoo.com/dl/installs/ymail/ymmapi.dll
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - hxxp://download.yahoo.com/dl/installs/yab_af.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - hxxp://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
DPF: {D9EA64B2-B966-E177-332C-78B69886526D} - hxxp://download.newaol.com/bkpromo/download/PerformerSetup.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - hxxp://www.trueswitch.com/sbc/TrueInstallSBC.exe
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-4-18 64512]
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-2-25 386840]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-2-25 84072]
R1 VET-FILT;VET File System Filter;c:\windows\system32\drivers\Vet-Filt.sys [2005-9-16 21031]
R1 VET-REC;VET File System Recognizer;c:\windows\system32\drivers\Vet-Rec.sys [2005-9-16 15478]
R1 VETEFILE;VET File Scan Engine;c:\windows\system32\drivers\VetEFile.sys [2005-9-16 879832]
R1 VETFDDNT;VET Floppy Boot Sector Monitor;c:\windows\system32\drivers\VetFDDNT.sys [2005-9-16 15735]
R1 VETMONNT;VET File Monitor;c:\windows\system32\drivers\vetmonnt.sys [2006-8-3 26787]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2001-8-23 14336]
R2 BPowMon;Broadcom Power monitoring service v1.0.1;c:\windows\system32\BPowMon.exe [2002-11-27 65536]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-4-17 1753048]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-9-29 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2010-1-27 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2007-6-12 47640]
R2 lxdx_device;lxdx_device;c:\windows\system32\lxdxcoms.exe -service --> c:\windows\system32\lxdxcoms.exe -service [?]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-12-3 88176]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-2-25 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-2-25 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-2-25 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-2-25 171168]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-2-25 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-2-25 141792]
R2 ousbehci;OrangeWare USB Enhanced Host Controller Service;c:\windows\system32\drivers\ousbehci.sys [2005-10-12 45696]
R2 SoniqSync Service;SoniqSync Service;c:\program files\soniqcast\soniqsync\SsSvc.exe [2005-1-6 294912]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-4-25 24652]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-2-25 55840]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-2-25 152960]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-2-25 52104]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-2-25 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2011-2-25 88544]
R3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;c:\windows\system32\drivers\ousb2hub.sys [2005-10-12 56960]
R3 VETEBOOT;VET Boot Scan Engine;c:\windows\system32\drivers\VetEBoot.sys [2005-9-16 108360]
S2 CAISafe;CAISafe;c:\program files\yahoo!\antivirus\isafe.exe --> c:\program files\yahoo!\antivirus\ISafe.exe [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 DILUSBCamera;Agfa ePhoto CL18 Camera Stream Driver;c:\windows\system32\drivers\stream18.sys [2007-9-13 70708]
S2 lxdxCATSCustConnectService;lxdxCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdxserv.exe [2010-8-1 94208]
S2 VETMSGNT;VET Message Service;c:\program files\yahoo!\antivirus\vetmsg.exe --> c:\program files\yahoo!\antivirus\VetMsg.exe [?]
S3 csaudio;AVerDVD EZMaker USB Audio Device Driver;c:\windows\system32\drivers\csaud.sys [2002-11-5 11008]
S3 DCamUSB20;AVerDVD EZMaker USB 2.0 Video Capture;c:\windows\system32\drivers\CsMini20.sys [2003-3-18 46248]
S3 DCamUSBSTK018;STK018 Camera;c:\windows\system32\drivers\STK018W2.sys [2005-6-20 99476]
S3 iMSPCLOj;iMSPCLOj;\??\c:\docume~1\jason\locals~1\temp\imspcloj.sys --> c:\docume~1\jason\locals~1\temp\iMSPCLOj.sys [?]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-4-17 15232]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2011-2-25 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-2-25 84264]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\e:\ntglm7x.sys --> e:\NTGLM7X.sys [?]
S3 SUSTUCAM;Susteen USB Cable Modem Driver;c:\windows\system32\drivers\sustucam.sys [2007-4-4 38272]
S3 SUSTUCAU;Susteen USB Cable USB Driver;c:\windows\system32\drivers\sustucau.sys [2007-4-4 21376]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
=============== Created Last 30 ================
.
2011-04-19 02:52:48 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-04-19 02:52:48 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2011-04-19 01:33:00 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-04-18 20:20:28 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-04-18 20:20:10 -------- d-----w- c:\docume~1\jason\locals~1\applic~1\Sunbelt Software
2011-04-18 20:20:09 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-04-18 20:16:57 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{727F038C-857C-49B8-8541-BFCEB1009A3E}
2011-04-16 05:43:23 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-04-16 05:43:23 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-11 21:53:07 -------- d-----w- c:\program files\Chessware
2011-04-03 19:57:43 -------- d-----w- c:\docume~1\jason\applic~1\FLV Extract
.
==================== Find3M ====================
.
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53:52 270848 ------w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ------w- c:\windows\system32\encdec.dll
2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: HDS722580VLAT20 rev.V32OA60A -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A4E84E7]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a4ee7d0]; MOV EAX, [0x8a4ee84c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x8A50EAB8]
3 CLASSPNP[0xF7637FD7] -> nt!IofCallDriver[0x804E13B9] -> \Device\00000079[0x8A587338]
5 ACPI[0xF75AE620] -> nt!IofCallDriver[0x804E13B9] -> [0x8A511940]
\Driver\atapi[0x8A528930] -> IRP_MJ_CREATE -> 0x8A4E84E7
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A4E8332
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 15:37:02.28 ===============
-
Please read Before You Post
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.
Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.
Your computer is infected with a nasty Rootkit, I am going to have you run TDSSKiller but this rootkits latest version may prevent it from running , if it runs it will clean it , if it does not we will have to use another method
Please download TDSSKiller.zip- Extract it to your desktop
- Double click TDSSKiller.exe
- Press Start Scan
- Only if Malicious objects are found then ensure Cure is selected
- Then click Continue > Reboot now
- Copy and paste the log in your next reply
- A copy of the log will be saved automatically to the root of the drive (typically C:\)
Last edited by ken545; 2011-04-25 at 13:16.
-
-
Yes, I'm still here! Still Infected With ROOTKIT!
Yes, still here. I had to go out of town for work. Thank you for responding. I was checking the forum until I left on Monday, but I realize this was a holiday weekend.
I tried the TDSSkiller.zip and TDSSKiller.exe downloaded straight from Kaparsky. Whenever I tried to run it, it would not run. I even tried to rename it, as I saw that in another post someone suggested the renaming trick. It makes it to 80% and shuts the TDSSkiller down.
I did read the "read before you post". I hope that my actions are proving that.
Since TDSSKiller is a no-go, it looks like we are going to have to move to use the "other method" you suggested.
Thanks for the help.
Jason
-
Hello Jason,
This is what we need to do, your Master Boot Record is infected and we will have to write a new one via the Recovery Console, I am going to have you run Combofix which should clear out more garbage, as it loads it will prompt you to install a Recovery Console if it cant find one, do so as we need that to fix the MBR, cant do it without it.
What is the brand of your computer ???
Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.
Link 1
Link 2
* IMPORTANT !!! Save ComboFix.exe to your Desktop
- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
- See this Link for programs that need to be disabled and instruction on how to disable them.
- Remember to re-enable them when we're done.
- Double click on ComboFix.exe & follow the prompts.
- As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
-
OK, I have followed the directions about downloading Combofix and stopping Malware and antivirus programs, but I still get a warning when I try to run Combofix:
"ComboFix has detected the following real time scanner(s) to be active:
antivirus: Anti-Virus - SBC Yahoo! Online Protection"
I have gone to my Mcafee program that comes with my DSL service and shut off or disabled every setting that I can get to.
I still have a program running in task manager Mcshield.exe. I try to end the process, but it says "Operation could not be completed Access Is Denied"
I have gone to "services.msc" and attempted to stop the service, but it won't let me. Again it says "Access Is Denied"
I am an administrator on this machine.
Combofix warns of errors and damage if you run it while Antivirus programs are still running. When I get that warning, the only option is to click "OK" and that appears to run the scan regardless of the status of the anti-virus. WHen I get that warning, I try to stop the service, or make other changes, then reboot. I then try Combofix again and get the same warning.
Got any ideas?
Jason
-
Go ahead and run it in Safemode with Network Support
Safemode with Network Support
To Enter Safemode
- Go to Start> Shut off your Computer> Restart
- As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
this will bring up a menu. - Use the Up and Down Arrow Keys to scroll up to Safemode with Networking
- Then press the Enter Key on your Keyboard
Tutorial if you need it How to boot into Safemode
-
OK, I've uninstalled McAfee and anything I can find referencing SBC Yahoo.
I ran Abexo Free Registry cleaner to hopefully get rid of any unused entries. I still get the warning that
"ComboFix has detected the following real time scanner(s) to be active:
antivirus: Anti-Virus - SBC Yahoo! Online Protection"
I went into safe mode and it says the same thing.
How do I proceed?
Should I run the ComboFix in safe mode regardless of the warning?
Thanks,
Jason
-
Yes, please do, you will be alright
-
ComboFix 11-04-29.02 - Jason 04/29/2011 17:14:05.1.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.1245 [GMT -4:00]
Running from: c:\documents and settings\Jason\Desktop\Combo-Fix.exe
AV: Anti-Virus - SBC Yahoo! Online Protection *Enabled/Updated* {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
ADS - WINDOWS: deleted 24 bytes in 1 streams.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Jason\Application Data\inst.exe
c:\documents and settings\Jason\GoToAssistDownloadHelper.exe
c:\documents and settings\Jason\Local Settings\Temporary Internet Files\temp.dmf
c:\documents and settings\Jason\WINDOWS
c:\program files\JavaCore
c:\program files\NoDNS
c:\program files\NoDNS\UnInstall.exe
c:\program files\RcvSystem
c:\windows\MailSwitch.ocx
c:\windows\system32\42KJE738.ocx
.
Infected copy of c:\windows\system32\Drivers\atapi.sys was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\atapi.sys
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MYWEBSEARCHSERVICE
.
.
((((((((((((((((((((((((( Files Created from 2011-03-28 to 2011-04-29 )))))))))))))))))))))))))))))))
.
.
2011-04-29 21:03 . 2011-04-29 21:04 -------- d-----w- C:\32788R22FWJFW
2011-04-29 17:36 . 2011-04-29 17:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Citrix
2011-04-29 17:31 . 2011-04-29 17:31 -------- d-----w- c:\program files\Citrix
2011-04-29 17:29 . 2011-04-29 17:29 -------- d-----w- c:\documents and settings\Jason\Local Settings\Application Data\Citrix
2011-04-21 19:30 . 2011-04-21 19:31 -------- d-----w- c:\program files\ERUNT
2011-04-19 02:52 . 2011-04-19 03:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-04-19 02:52 . 2011-04-19 02:57 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-04-18 20:20 . 2011-04-18 20:20 -------- d-----w- c:\documents and settings\Jason\Local Settings\Application Data\Sunbelt Software
2011-04-18 20:20 . 2011-04-18 20:20 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-04-16 05:43 . 2011-04-16 05:43 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-16 04:39 . 2011-04-16 04:39 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-04-11 21:53 . 2011-04-11 21:53 -------- d-----w- c:\program files\Chessware
2011-04-03 19:57 . 2011-04-03 19:58 -------- d-----w- c:\documents and settings\Jason\Application Data\FLV Extract
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-07 05:33 . 2004-08-29 03:32 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2001-08-23 12:00 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2001-08-23 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2004-01-08 20:23 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2001-08-23 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2001-08-23 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 13:18 . 2001-08-23 12:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2001-08-23 12:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2009-04-16 21:20 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2001-08-23 12:00 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53 . 2004-08-04 07:56 270848 ------w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-04 07:56 186880 ------w- c:\windows\system32\encdec.dll
2011-02-08 13:33 . 2001-08-23 12:00 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2001-08-23 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 07:58 . 2004-08-29 03:31 2067456 ----a-w- c:\windows\system32\mstscax.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCTVOICE"="pctspk.exe" [2003-07-17 180224]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-12-08 18:11 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk]
backup=c:\windows\pss\SBC Self Support Tool.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GetModule21
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GetPack21
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LyraHD2TrayApp
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Plugin
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 14:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mfevtp"=2 (0x2)
"mfefire"=2 (0x2)
"McShield"=2 (0x2)
"McProxy"=2 (0x2)
"McODS"=3 (0x3)
"McNASvc"=2 (0x2)
"McNaiAnn"=2 (0x2)
"mcmscsvc"=2 (0x2)
"McMPFSvc"=2 (0x2)
"McAfee SiteAdvisor Service"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\SoniqCast\\SoniqSync\\SoniqSync.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\msncall.exe"=
"c:\\WINDOWS\\system32\\lxdxcoms.exe"=
"c:\\Program Files\\Lexmark 3600-4600 Series\\lxdxmon.exe"=
"c:\\WINDOWS\\system32\\lxdxcfg.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdxpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdxtime.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdxjswx.exe"=
"c:\\Program Files\\Lexmark 3600-4600 Series\\Wireless\\lxdxwpss.exe"=
"c:\\Program Files\\Lexmark 3600-4600 Series\\frun.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1069:TCP"= 1069:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
.
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/23/2001 8:00 AM 14336]
R2 BPowMon;Broadcom Power monitoring service v1.0.1;c:\windows\system32\BPowMon.exe [11/27/2002 5:57 PM 65536]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [9/29/2010 1:37 PM 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [1/27/2010 12:22 PM 12856]
R2 lxdx_device;lxdx_device;c:\windows\system32\lxdxcoms.exe -service --> c:\windows\system32\lxdxcoms.exe -service [?]
R2 ousbehci;OrangeWare USB Enhanced Host Controller Service;c:\windows\system32\drivers\ousbehci.sys [10/12/2005 7:02 PM 45696]
R2 SoniqSync Service;SoniqSync Service;c:\program files\SoniqCast\SoniqSync\SsSvc.exe [1/6/2005 5:25 PM 294912]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [4/25/2009 2:20 PM 24652]
R3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;c:\windows\system32\drivers\ousb2hub.sys [10/12/2005 7:02 PM 56960]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S2 DILUSBCamera;Agfa ePhoto CL18 Camera Stream Driver;c:\windows\system32\drivers\stream18.sys [9/13/2007 10:32 PM 70708]
S2 lxdxCATSCustConnectService;lxdxCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdxserv.exe [8/1/2010 3:02 PM 94208]
S3 csaudio;AVerDVD EZMaker USB Audio Device Driver;c:\windows\system32\drivers\csaud.sys [11/5/2002 4:56 PM 11008]
S3 DCamUSB20;AVerDVD EZMaker USB 2.0 Video Capture;c:\windows\system32\drivers\CsMini20.sys [3/18/2003 3:55 PM 46248]
S3 DCamUSBSTK018;STK018 Camera;c:\windows\system32\drivers\STK018W2.sys [6/20/2005 2:08 PM 99476]
S3 iMSPCLOj;iMSPCLOj;\??\c:\docume~1\Jason\LOCALS~1\Temp\iMSPCLOj.sys --> c:\docume~1\Jason\LOCALS~1\Temp\iMSPCLOj.sys [?]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\e:\ntglm7x.sys --> e:\NTGLM7X.sys [?]
S3 SUSTUCAM;Susteen USB Cable Modem Driver;c:\windows\system32\drivers\sustucam.sys [4/4/2007 7:50 PM 38272]
S3 SUSTUCAU;Susteen USB Cable USB Driver;c:\windows\system32\drivers\sustucau.sys [4/4/2007 7:56 PM 21376]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://search.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
LSP: c:\windows\system32\VetRedir.dll
DPF: Microsoft XML Parser for Java
DPF: {D9EA64B2-B966-E177-332C-78B69886526D} - hxxp://download.newaol.com/bkpromo/download/PerformerSetup.cab
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-WebCamRT.exe - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-29 17:30
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: HDS722580VLAT20 rev.V32OA60A -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A427332
user & kernel MBR OK
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2052111302-838170752-682003330-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@DACL=(02 0010)
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
@DACL=(02 0010)
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@DACL=(02 0010)
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@DACL=(02 0010)
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(996)
c:\windows\system32\WININET.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
- - - - - - - > 'lsass.exe'(1252)
c:\windows\system32\WININET.dll
c:\windows\system32\VetRedir.dll
c:\windows\system32\ISafeIf.dll
.
- - - - - - - > 'explorer.exe'(4012)
c:\windows\system32\WININET.dll
c:\windows\system32\VetRedir.dll
c:\windows\system32\ISafeIf.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\LMIRfsClientNP.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\COMMON~1\AOL\ACS\acsd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\windows\system32\lxdxcoms.exe
c:\windows\system32\pctspk.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2011-04-29 17:39:18 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-29 21:39
.
Pre-Run: 1,663,410,176 bytes free
Post-Run: 4,736,348,160 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
.
- - End Of File - - 71830851AABC5D8DA2324B6FBEE98B96
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules