
Thread: Badly Infected

  1. #11
    Member
    Join Date
    Jan 2012
    Posts
    36

    Yes, it looks like all my icons and programs are back. I ran several programs and they all worked fine. Here is the log:

    RogueKiller V6.2.4 [01/12/2012] by Tigzy
    mail: tigzyRK<at>gmail<dot>com
    Feedback: http://www.geekstogo.com/forum/files...3-roguekiller/
    Blog: http://tigzyrk.blogspot.com

    Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User: Janice [Admin rights]
    Mode: Shortcuts HJfix -- Date : 01/19/2012 15:14:53

    ¤¤¤ Bad processes: 5 ¤¤¤
    [SUSP PATH] enrollSync.exe -- C:\ProgramData\enrollSync.exe -> KILLED [TermProc]
    [SVCHOST] svchost.exe -- C:\Windows\SysWOW64\svchost.exe -> KILLED [TermProc]
    [SUSP PATH] ReminderHelper.exe -- C:\ProgramData\WeCareReminder\ReminderHelper.exe -> KILLED [TermProc]
    [SVCHOST] svchost.exe -- C:\Windows\SysWOW64\svchost.exe -> KILLED [TermProc]
    [SUSP PATH] teuzviu.exe -- C:\Users\Janice\AppData\Roaming\Ofgaub\teuzviu.exe -> KILLED [TermProc]

    ¤¤¤ Driver: [NOT LOADED] ¤¤¤

    ¤¤¤ File attributes restored: ¤¤¤
    Desktop: Success 8 / Fail 0
    Quick launch: Success 0 / Fail 0
    Programs: Success 11 / Fail 0
    Start menu: Success 1 / Fail 0
    User folder: Success 109 / Fail 0
    My documents: Success 11 / Fail 0
    My favorites: Success 0 / Fail 0
    My pictures: Success 0 / Fail 0
    My music: Success 10 / Fail 0
    My videos: Success 0 / Fail 0
    Local drives: Success 168 / Fail 0
    Backup: [FOUND] Success 0 / Fail 239

    Drives:
    [C:] \Device\HarddiskVolume3 -- 0x3 --> Restored
    [D:] \Device\CdRom0 -- 0x5 --> Skipped
    [E:] \Device\HarddiskVolume5 -- 0x2 --> Restored
    [F:] \Device\HarddiskVolume6 -- 0x2 --> Restored
    [G:] \Device\HarddiskVolume7 -- 0x2 --> Restored
    [H:] \Device\HarddiskVolume8 -- 0x2 --> Restored
    [I:] \Device\HarddiskVolume9 -- 0x2 --> Restored

    ¤¤¤ Infection : Rogue.FakeHDD|ZeroAccess ¤¤¤

    Finished : << RKreport[1].txt >>
    RKreport[1].txt

  2. #12
    Senior Member
    Join Date
    Sep 2010
    Posts
    631

    Hi e28ct17,

    Ok let's go for the rest.

    If you have a copy of combofix please delete it by right clicking on it and clicking delete.

    Please read through the instructions to familiarize yourself with what to expect when the tool runs.

    It is vitally important that ComboFix is renamed before it even starts to download.


    Please download ComboFix from Link 1 or Link 2 to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

    • If you are using Firefox, make sure that your download settings are as follows:
      -Tools->Options->Main tab
      -Set to "Always ask me where to Save the files".
    • During the download, before you save it to your desktop, rename Combofix to jgh.exe


    • It is important you rename Combofix during the download, but not after.
    • Please do not rename Combofix to other names, but only to the one indicated.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix


    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link: How to Disable your Security Programs
    • Right click on ComboFix.exe (jgh.exe), click Run as Administrator & follow the prompts.


    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

    Notes:

    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Please post back with the combofix log.

    How's the computer now?

    Thanks
    Member of UNITE and ASAP

  3. #13
    Member
    Join Date
    Jan 2012
    Posts
    36

    I am not able to open a web browser with Internet Explorer or Firefox. Both say the program stopped working. Here is my combofix log:

    ComboFix 12-01-19.02 - Janice 01/19/2012 22:08:51.8.2 - x64
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.6109.4205 [GMT -6:00]
    Running from: c:\users\Janice\Desktop\jgh.exe
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\programdata\enrollSync.exe
    c:\users\Janice\AppData\Local\dplaysvr.exe
    c:\users\Janice\AppData\Local\dplayx.dll
    c:\users\Janice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dxdiag.exe
    c:\users\Janice\AppData\Roaming\utilfix.exe
    c:\windows\assembly\temp\@
    c:\windows\assembly\temp\bckfg.tmp
    c:\windows\assembly\temp\cfg.ini
    c:\windows\assembly\temp\keywords
    c:\windows\assembly\temp\kwrd.dll
    c:\windows\system32\consrv.dll
    c:\windows\System64
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-12-20 to 2012-01-20 )))))))))))))))))))))))))))))))
    .
    .
    2012-01-20 04:39 . 2012-01-20 04:39 -------- d-----w- c:\users\Public\AppData\Local\temp
    2012-01-20 04:39 . 2012-01-20 04:39 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-01-19 13:31 . 2012-01-19 13:31 -------- d-----w- c:\users\Janice\AppData\Roaming\Sie
    2012-01-19 13:31 . 2012-01-19 13:31 -------- d-----w- c:\users\Janice\AppData\Roaming\Ofgaub
    2012-01-19 04:07 . 2012-01-19 04:07 -------- d-----w- C:\_OTL
    2012-01-17 02:55 . 2012-01-17 02:55 -------- d-----w- C:\found.000
    2012-01-09 05:05 . 2012-01-09 05:17 -------- d-----w- C:\ComboFix
    2012-01-06 22:33 . 2011-11-30 08:21 8822856 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E6575671-F39F-46D8-AB4F-C27D6149F639}\mpengine.dll
    2012-01-05 07:57 . 2012-01-05 07:57 -------- d-----w- c:\program files (x86)\Common Files\Symantec Shared
    2012-01-05 07:56 . 2012-01-06 01:49 -------- d-----w- c:\programdata\Symantec
    2012-01-04 04:27 . 2002-11-12 18:22 569397 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\RichFX\Player\nprfxins.dll
    2012-01-04 04:27 . 2012-01-04 04:27 -------- d-----w- c:\program files (x86)\Rhapsody
    2012-01-01 18:08 . 2012-01-01 18:08 626688 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcr80.dll
    2012-01-01 18:08 . 2012-01-01 18:08 548864 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcp80.dll
    2012-01-01 18:08 . 2012-01-01 18:08 479232 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcm80.dll
    2012-01-01 18:08 . 2012-01-01 18:08 43992 ----a-w- c:\program files (x86)\Mozilla Firefox\mozutils.dll
    2011-12-31 04:30 . 2011-12-31 04:30 -------- d-----w- c:\users\Janice\AppData\Roaming\SumatraPDF
    2011-12-31 04:30 . 2011-12-31 04:30 -------- d-----w- c:\programdata\WeCareReminder
    2011-12-31 04:30 . 2011-12-31 04:30 -------- d-----w- c:\program files (x86)\Yontoo Layers Runtime
    2011-12-31 04:29 . 2011-12-31 04:29 -------- d-----w- c:\program files (x86)\PDFReader
    2011-12-29 02:56 . 2011-11-24 04:52 3145216 ----a-w- c:\windows\system32\win32k.sys
    2011-12-29 02:55 . 2011-10-15 06:31 723456 ----a-w- c:\windows\system32\EncDec.dll
    2011-12-29 02:55 . 2011-10-15 05:38 534528 ----a-w- c:\windows\SysWow64\EncDec.dll
    2011-12-29 02:55 . 2011-11-05 05:32 2048 ----a-w- c:\windows\system32\tzres.dll
    2011-12-29 02:55 . 2011-11-05 04:26 2048 ----a-w- c:\windows\SysWow64\tzres.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-11-15 20:29 . 2011-06-07 02:19 270720 ------w- c:\windows\system32\MpSigStub.exe
    2011-11-13 10:31 . 2011-06-13 04:41 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    .
    .
    ((((((((((((((((((((((((((((( SnapShot_2012-01-07_03.27.13 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2012-01-09 16:25 . 2012-01-20 03:25 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
    + 2012-01-09 20:28 . 2012-01-19 12:59 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\index.dat
    + 2012-01-19 12:34 . 2012-01-20 00:12 49152 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012012011920120120\index.dat
    + 2012-01-18 23:41 . 2012-01-19 04:41 49152 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012012011820120119\index.dat
    + 2012-01-17 06:24 . 2012-01-17 18:40 65536 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012012011720120118\index.dat
    + 2012-01-17 03:07 . 2012-01-17 05:49 49152 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012012011620120117\index.dat
    + 2012-01-17 03:07 . 2012-01-17 03:07 98304 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012012010920120116\index.dat
    + 2012-01-09 16:25 . 2012-01-09 16:25 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT
    + 2012-01-09 16:26 . 2012-01-20 03:25 65536 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DOMStore\index.dat
    + 2009-08-27 20:15 . 2012-01-19 04:10 53928 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2009-07-14 05:10 . 2012-01-20 05:07 35352 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
    + 2011-06-07 02:26 . 2012-01-20 05:07 15060 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2297261745-2509026556-3228908354-1001_UserData.bin
    - 2011-06-07 03:54 . 2012-01-06 14:31 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2011-06-07 03:54 . 2012-01-20 05:04 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2011-06-07 03:54 . 2012-01-20 05:04 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2011-06-07 03:54 . 2012-01-06 14:31 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2009-07-14 04:54 . 2012-01-06 14:31 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-07-14 04:54 . 2012-01-20 05:04 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2011-06-07 02:25 . 2012-01-07 00:18 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2011-06-07 02:25 . 2012-01-20 05:06 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2012-01-12 17:30 . 2012-01-20 05:06 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
    + 2012-01-12 17:30 . 2012-01-20 05:06 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\History\History.IE5\index.dat
    + 2012-01-12 17:30 . 2012-01-20 05:06 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\Cookies\index.dat
    - 2011-06-07 02:25 . 2012-01-07 00:18 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2011-06-07 02:25 . 2012-01-20 05:06 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2011-06-07 02:25 . 2012-01-07 00:18 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2011-06-07 02:25 . 2012-01-20 05:06 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2011-06-07 02:25 . 2012-01-07 03:13 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2011-06-07 02:25 . 2012-01-20 05:06 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2011-06-07 02:25 . 2012-01-20 05:06 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2011-06-07 02:25 . 2012-01-07 03:13 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2011-07-16 21:01 . 2012-01-17 12:13 25214 c:\windows\Installer\{11F7808F-76AD-40E0-A8D9-6445DAEA3F5D}\NewShortcut7_A14671C8E59149CB9556CAD85DCEF123.exe
    - 2011-07-16 21:01 . 2011-12-30 06:14 25214 c:\windows\Installer\{11F7808F-76AD-40E0-A8D9-6445DAEA3F5D}\NewShortcut7_A14671C8E59149CB9556CAD85DCEF123.exe
    + 2011-07-16 21:01 . 2012-01-17 12:13 40960 c:\windows\Installer\{11F7808F-76AD-40E0-A8D9-6445DAEA3F5D}\NewShortcut6_80448032606D4D10ACE91BEC75D1ACAD.exe
    - 2011-07-16 21:01 . 2011-12-30 06:14 40960 c:\windows\Installer\{11F7808F-76AD-40E0-A8D9-6445DAEA3F5D}\NewShortcut6_80448032606D4D10ACE91BEC75D1ACAD.exe
    + 2011-07-16 21:01 . 2012-01-17 12:13 57344 c:\windows\Installer\{11F7808F-76AD-40E0-A8D9-6445DAEA3F5D}\NewShortcut5_9EF149EC2375429A910D1EFA489B67F6.exe
    - 2011-07-16 21:01 . 2011-12-30 06:14 57344 c:\windows\Installer\{11F7808F-76AD-40E0-A8D9-6445DAEA3F5D}\NewShortcut5_9EF149EC2375429A910D1EFA489B67F6.exe
    - 2011-07-16 21:01 . 2011-12-30 06:14 57344 c:\windows\Installer\{11F7808F-76AD-40E0-A8D9-6445DAEA3F5D}\NewShortcut4_9EF149EC2375429A910D1EFA489B67F6.exe
    + 2011-07-16 21:01 . 2012-01-17 12:13 57344 c:\windows\Installer\{11F7808F-76AD-40E0-A8D9-6445DAEA3F5D}\NewShortcut4_9EF149EC2375429A910D1EFA489B67F6.exe
    + 2011-07-16 21:01 . 2012-01-17 12:13 25214 c:\windows\Installer\{11F7808F-76AD-40E0-A8D9-6445DAEA3F5D}\NewShortcut1_A14671C8E59149CB9556CAD85DCEF123.exe
    - 2011-07-16 21:01 . 2011-12-30 06:14 25214 c:\windows\Installer\{11F7808F-76AD-40E0-A8D9-6445DAEA3F5D}\NewShortcut1_A14671C8E59149CB9556CAD85DCEF123.exe
    + 2011-07-16 21:01 . 2012-01-17 12:13 25214 c:\windows\Installer\{11F7808F-76AD-40E0-A8D9-6445DAEA3F5D}\ARPPRODUCTICON.exe
    - 2011-07-16 21:01 . 2011-12-30 06:14 25214 c:\windows\Installer\{11F7808F-76AD-40E0-A8D9-6445DAEA3F5D}\ARPPRODUCTICON.exe
    - 2012-01-07 03:26 . 2012-01-07 03:26 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2012-01-20 05:06 . 2012-01-20 05:06 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2012-01-20 05:06 . 2012-01-20 05:06 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2012-01-07 03:26 . 2012-01-07 03:26 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2012-01-09 16:13 . 2010-11-20 12:17 586752 c:\windows\SysWOW64\sysprep\_update.exe
    + 2009-07-14 04:54 . 2012-01-20 04:36 671744 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2009-07-14 02:36 . 2012-01-07 00:22 632708 c:\windows\system32\perfh009.dat
    + 2009-07-14 02:36 . 2012-01-17 03:04 632708 c:\windows\system32\perfh009.dat
    - 2009-07-14 02:36 . 2012-01-07 00:22 110342 c:\windows\system32\perfc009.dat
    + 2009-07-14 02:36 . 2012-01-17 03:04 110342 c:\windows\system32\perfc009.dat
    + 2009-07-14 05:12 . 2012-01-17 04:23 262144 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
    - 2009-07-14 05:12 . 2011-09-12 15:41 262144 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
    - 2009-07-14 05:01 . 2012-01-07 03:26 968304 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2009-07-14 05:01 . 2012-01-20 05:05 968304 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2009-07-14 04:54 . 2012-01-20 04:36 7831552 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2009-07-14 04:54 . 2012-01-20 04:36 8306688 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2011-07-29 19:12 . 2012-01-20 05:05 5787984 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2297261745-2509026556-3228908354-1001-12288.dat
    - 2011-07-29 19:12 . 2011-12-31 05:49 5787984 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2297261745-2509026556-3228908354-1001-12288.dat
    + 2011-06-21 23:17 . 2012-01-20 05:05 14482722 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2297261745-2509026556-3228908354-1001-8192.dat
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
    2011-07-22 23:53 787744 ----a-w- c:\program files (x86)\Yontoo Layers Runtime\YontooIEClient.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SearchEngineProtection"="c:\program files (x86)\Gamesbar\SearchEngineProtection.exe" [2011-03-03 591248]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
    "dplaysvr"="c:\users\Janice\AppData\Local\dplaysvr.exe" [BU]
    "{24903B15-CFA6-2F4F-D499-A747DA35520F}"="c:\users\Janice\AppData\Roaming\Ofgaub\teuzviu.exe" [2011-07-03 174080]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "B2C_AGENT"="c:\programdata\LGMOBILEAX\B2C_Client\B2CNotiAgent.exe" [2011-09-28 404568]
    "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Event Reminder.lnk - c:\program files (x86)\The Print Shop 23\Remind.exe [2008-7-16 344064]
    HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2009-9-20 270336]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]
    R3 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
    R3 rcmirror;rcmirror;c:\windows\system32\DRIVERS\rcmirror.sys [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
    R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
    S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]
    S2 Greg_Service;GRegService;c:\program files (x86)\Gateway\Registration\GregHSRW.exe [2009-06-04 1150496]
    S2 iWinTrusted;iWinTrusted;c:\program files (x86)\iWin Games\iWinTrusted.exe [2011-04-08 176848]
    S2 NTI IScheduleSvc;NTI IScheduleSvc;c:\program files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe [2009-08-12 62208]
    S2 Updater Service;Updater Service;c:\program files\Gateway\Gateway Updater\UpdaterService.exe [2009-07-04 240160]
    S3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y62x64.sys [x]
    S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [x]
    .
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    .
    --------- x86-64 -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "combofix"="c:\jgh\CF25503.3XE" [2010-11-20 345088]
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://home.mywebsearch.com/index.jhtml?n=77DE8857&ptnrS=ZUxpt020YYus&ptb=zicrx_1Avu_ZGi24DJBLew&si=CMqg8duiuK0CFYMEQAodrjEGpQ
    uLocal Page = c:\windows\system32\blank.htm
    mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACGW&l=0409&m=aspire_m5802/m3802&r=1736061196dg1275w9283i9hj67767
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
    Trusted Zone: rhapsody.com\rhap-app-4-0
    Trusted Zone: rhapsody.com\rhapreg
    TCP: DhcpNameServer = 192.168.0.1 205.171.3.25
    DPF: {8A5BE387-D09A-4DFA-A56B-DCB89BD11468} - hxxps://lowes.2020.net/planner/Core/Player/2020PlayerAX_WEB_Win32.cab
    FF - ProfilePath - c:\users\Janice\AppData\Roaming\Mozilla\Firefox\Profiles\48hsr9sg.default\
    FF - prefs.js: browser.search.selectedEngine - My Web Search
    FF - prefs.js: browser.startup.homepage - hxxp://home.mywebsearch.com/index.jhtml?n=77DE8857&ptnrS=ZUxpt020YYus&ptb=zicrx_1Avu_ZGi24DJBLew&si=CMqg8duiuK0CFYMEQAodrjEGpQ
    FF - prefs.js: keyword.URL - hxxp://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=ZUxpt020YYus&ptb=zicrx_1Avu_ZGi24DJBLew&ind=2012010511&ptnrS=ZUxpt020YYus&si=CMqg8duiuK0CFYMEQAodrjEGpQ&n=77ecd80f&psa=&st=kwd&searchfor=
    FF - user.js: extentions.y2layers.installId - 3b818f57-fa2f-4b4c-b00c-be2f55d1f438
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    Toolbar-10 - (no file)
    Wow6432Node-HKCU-Run-enrollSync - c:\programdata\enrollSync.exe
    Wow6432Node-HKCU-Run-utilfix - c:\users\Janice\AppData\Roaming\utilfix.exe
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    AddRemove-Smart Protection 2012 - c:\programdata\F4D55F3B0004240800208380B4EB2367\F4D55F3B0004240800208380B4EB2367.exe
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Bonjour\mDNSResponder.exe
    .
    **************************************************************************
    .
    Completion time: 2012-01-19 23:25:50 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-01-20 05:25
    ComboFix2.txt 2012-01-09 05:16
    ComboFix3.txt 2012-01-07 09:24
    ComboFix4.txt 2012-01-07 03:30
    ComboFix5.txt 2012-01-20 04:02
    .
    Pre-Run: 921,982,869,504 bytes free
    Post-Run: 922,030,284,800 bytes free
    .
    - - End Of File - - F6D0E593C85C954AD76C6BC1783BF5AF

  4. #14
    Senior Member
    Join Date
    Sep 2010
    Posts
    631

    Hi e28ct17,

    Did you happen to run combofix twice?

    Besides the browsers not working does the computer have access to the internet? You can check by clicking start > Control Panel > Network and Internet > Network and Sharing Center

    What is the complete message you receive when opening IE or FF?
    Member of UNITE and ASAP

  5. #15
    Member
    Join Date
    Jan 2012
    Posts
    36

    No, not that I am aware of anyway.

    Both Firefox and Internet Explorer say "Firefox/Internet Explorer has stopped working. A problem caused the program to stop working correctly. Windows will close the program and notify you if a solution is available".

  6. #16
    Member
    Join Date
    Jan 2012
    Posts
    36

    About my internet connection... yes, I am connected.

  7. #17
    Senior Member
    Join Date
    Sep 2010
    Posts
    631

    Hi e28ct17,


    Let's see if this will sort out the browser problem.

    On the computer that you are now using:

    Open a new Notepad session
    • Click the Start button, click Run
    • In the Run box type notepad
    • Click OK
    • In the notepad, click "Format" and be certain that Word Wrap is not checked.
    • Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE


    Code:
    File::
    c:\users\Janice\AppData\Local\dplaysvr.exe
    c:\users\Janice\AppData\Roaming\Ofgaub\teuzviu.exe
    
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "dplaysvr"=-
    "{24903B15-CFA6-2F4F-D499-A747DA35520F}"=-
    
    Folder::
    c:\users\Janice\AppData\Roaming\Ofgaub

    In the notepad:
    • Click File, Save as..., and set the Save in to your usb device
    • In the filename box, type (including quotation marks) as the filename: "CFScript.txt"
    • Click save


    Transfer the file to the sick computer's desktop.

    We will be using Combofix again but will run it differently.

    Please follow all previous instructions regarding security programs.

    Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown below.

    This will start ComboFix again. Close all browser/windows first.

    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**



    Please post back with the combofix log.

    Browsers working?

    Thanks
    Member of UNITE and ASAP

  8. #18
    Member
    Join Date
    Jan 2012
    Posts
    36

    When I dropped the script onto Combofix, I got the same message I did with Firefox/Internet Explorer. It said iexplorer quit working and nothing else happened.

  9. #19
    Senior Member
    Join Date
    Sep 2010
    Posts
    631

    Hi e28ct17,

    Was that iexplore.exe or explorer.exe?

    You have RogueKiller please run it with Option 1. A log should be produced.
    Member of UNITE and ASAP

  10. #20
    Member
    Join Date
    Jan 2012
    Posts
    36

    I'm not positive but I think it was iexplorer.

    Here is the log:

    RogueKiller V6.2.4 [01/12/2012] by Tigzy
    mail: tigzyRK<at>gmail<dot>com
    Feedback: http://www.geekstogo.com/forum/files...3-roguekiller/
    Blog: http://tigzyrk.blogspot.com

    Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User: Janice [Admin rights]
    Mode: Scan -- Date : 01/21/2012 02:59:23

    ¤¤¤ Bad processes: 0 ¤¤¤

    ¤¤¤ Registry Entries: 8 ¤¤¤
    [SUSP PATH] HKCU\[...]\Run : {24903B15-CFA6-2F4F-D499-A747DA35520F} (C:\Users\Janice\AppData\Roaming\Ofgaub\teuzviu.exe) -> FOUND
    [SUSP PATH] HKCU\[...]\Run : {74D07B99-0FA3-B911-92DF-7573ED80F35B} (C:\Users\Janice\AppData\Roaming\Goaci\pyko.exe) -> FOUND
    [SUSP PATH] HKUS\S-1-5-21-2297261745-2509026556-3228908354-1001[...]\Run : {24903B15-CFA6-2F4F-D499-A747DA35520F} (C:\Users\Janice\AppData\Roaming\Ofgaub\teuzviu.exe) -> FOUND
    [SUSP PATH] HKUS\S-1-5-21-2297261745-2509026556-3228908354-1001[...]\Run : {74D07B99-0FA3-B911-92DF-7573ED80F35B} (C:\Users\Janice\AppData\Roaming\Goaci\pyko.exe) -> FOUND
    [SUSP PATH] winupd.job : C:\Users\Janice\AppData\Local\Temp:winupd.exe -> FOUND
    [WallPP] HKCU\[...]\Desktop : Wallpaper () -> FOUND
    [HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    [HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver: [NOT LOADED] ¤¤¤

    ¤¤¤ Infection : Root.MBR ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    127.0.0.1 localhost


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: +++++
    --- User ---
    [MBR] cea9947c991ef6cbea6c477a516d5f94
    [BSP] 62f35c68ca4bceaeae08b6f8c4f7e488 : Windows 7 MBR Code
    Partition table:
    0 - [XXXXXX] NTFS [HIDDEN!] Offset (sectors): 2048 | Size: 16106 Mo
    1 - [XXXXXX] UNKNW [HIDDEN!] Offset (sectors): 31459328 | Size: 104 Mo
    2 - [ACTIVE] NTFS [VISIBLE] Offset (sectors): 31664128 | Size: 983991 Mo
    User != LL1 ... KO!
    --- LL1 ---
    [MBR] 5d719d004efccab984080ddfb7839f1b
    [BSP] 62f35c68ca4bceaeae08b6f8c4f7e488 : Windows 7 MBR Code
    Partition table:
    0 - [XXXXXX] NTFS [HIDDEN!] Offset (sectors): 2048 | Size: 16106 Mo
    1 - [XXXXXX] UNKNW [HIDDEN!] Offset (sectors): 31459328 | Size: 104 Mo
    2 - [XXXXXX] NTFS [VISIBLE] Offset (sectors): 31664128 | Size: 983991 Mo
    3 - [ACTIVE] NTFS [HIDDEN!] Offset (sectors): 1953521664 | Size: 1 Mo
    User != LL2 ... KO!
    --- LL2 ---
    [MBR] 5d719d004efccab984080ddfb7839f1b
    [BSP] 62f35c68ca4bceaeae08b6f8c4f7e488 : Windows 7 MBR Code
    Partition table:
    0 - [XXXXXX] NTFS [HIDDEN!] Offset (sectors): 2048 | Size: 16106 Mo
    1 - [XXXXXX] UNKNW [HIDDEN!] Offset (sectors): 31459328 | Size: 104 Mo
    2 - [XXXXXX] NTFS [VISIBLE] Offset (sectors): 31664128 | Size: 983991 Mo
    3 - [ACTIVE] NTFS [HIDDEN!] Offset (sectors): 1953521664 | Size: 1 Mo

    Finished : << RKreport[2].txt >>
    RKreport[1].txt ; RKreport[2].txt
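The MBR check at the end of this report is what RogueKiller bases its Root.MBR verdict on: it reads the boot sector and partition table through the normal Windows disk stack ("User") and again at a lower level ("LL1", "LL2"), and prints "KO!" when the two disagree. The parser below is an added example, not RogueKiller's code or the poster's; it re-reads the User and LL1 block copied from this report (LL2 is identical to LL1 in the log) and spells out each discrepancy. The line layout it matches is assumed from this log.

```python
import re
from dataclasses import dataclass

# User and LL1 views copied from the RogueKiller report above (PhysicalDrive0).
SAMPLE_REPORT = """\
+++++ PhysicalDrive0: +++++
--- User ---
[MBR] cea9947c991ef6cbea6c477a516d5f94
[BSP] 62f35c68ca4bceaeae08b6f8c4f7e488 : Windows 7 MBR Code
Partition table:
0 - [XXXXXX] NTFS [HIDDEN!] Offset (sectors): 2048 | Size: 16106 Mo
1 - [XXXXXX] UNKNW [HIDDEN!] Offset (sectors): 31459328 | Size: 104 Mo
2 - [ACTIVE] NTFS [VISIBLE] Offset (sectors): 31664128 | Size: 983991 Mo
User != LL1 ... KO!
--- LL1 ---
[MBR] 5d719d004efccab984080ddfb7839f1b
[BSP] 62f35c68ca4bceaeae08b6f8c4f7e488 : Windows 7 MBR Code
Partition table:
0 - [XXXXXX] NTFS [HIDDEN!] Offset (sectors): 2048 | Size: 16106 Mo
1 - [XXXXXX] UNKNW [HIDDEN!] Offset (sectors): 31459328 | Size: 104 Mo
2 - [XXXXXX] NTFS [VISIBLE] Offset (sectors): 31664128 | Size: 983991 Mo
3 - [ACTIVE] NTFS [HIDDEN!] Offset (sectors): 1953521664 | Size: 1 Mo
"""

# Line formats assumed from the report above.
VIEW_RE = re.compile(r"^--- (\w+) ---$")
MBR_RE = re.compile(r"^\[MBR\] ([0-9a-f]{32})$")
PART_RE = re.compile(r"^(\d+) - \[(ACTIVE|XXXXXX)\] (\S+) \[(HIDDEN!|VISIBLE)\] "
                     r"Offset \(sectors\): (\d+) \| Size: (\d+) Mo$")


@dataclass(frozen=True)
class Partition:
    index: int
    active: bool   # [ACTIVE] vs [XXXXXX]
    fs: str        # NTFS, UNKNW, ...
    hidden: bool   # [HIDDEN!] vs [VISIBLE]
    offset: int    # first sector
    size_mb: int


def parse_mbr_check(text):
    """Return {"User": {"mbr": hash, "parts": [...]}, "LL1": {...}, ...}."""
    views, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := VIEW_RE.match(line):
            current = views.setdefault(m.group(1), {"mbr": None, "parts": []})
        elif current is None:
            continue
        elif m := MBR_RE.match(line):
            current["mbr"] = m.group(1)
        elif m := PART_RE.match(line):
            idx, flag, fs, vis, off, size = m.groups()
            current["parts"].append(Partition(int(idx), flag == "ACTIVE", fs,
                                              vis == "HIDDEN!", int(off), int(size)))
    return views


def analyse(views):
    """List each way a low-level view (LL1, LL2, ...) disagrees with the User view.

    A clean disk gives identical results from both read paths; a bootkit that
    filters disk I/O shows the OS a sanitized MBR and partition table while the
    real sectors (and the real active partition) differ.
    """
    user = views["User"]
    by_offset = {p.offset: p for p in user["parts"]}
    findings = []
    for name, low in views.items():
        if name == "User":
            continue
        if low["mbr"] != user["mbr"]:
            findings.append(f"{name}: MBR hash {low['mbr']} != user-mode {user['mbr']}")
        for p in low["parts"]:
            u = by_offset.get(p.offset)
            if u is None:
                findings.append(f"{name}: partition at sector {p.offset} ({p.size_mb} Mo, "
                                f"{'active' if p.active else 'inactive'}) not visible to user mode")
            elif (u.active, u.hidden) != (p.active, p.hidden):
                findings.append(f"{name}: flags at sector {p.offset} differ (user active="
                                f"{u.active} hidden={u.hidden}; low-level active={p.active} "
                                f"hidden={p.hidden})")
    return findings


def is_tampered(text):
    """True when any low-level view disagrees with the user-mode view (RogueKiller's KO!)."""
    return bool(analyse(parse_mbr_check(text)))


if __name__ == "__main__":
    for finding in analyse(parse_mbr_check(SAMPLE_REPORT)):
        print(finding)
```

On this report it lists three discrepancies: a different MBR hash, the active flag moved off the visible Windows partition, and a 1 Mo active partition at the end of the disk that user mode cannot see at all.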
