Batting a thousand today... this didn't provide anything on the desktop... I copied ALL of the command and tried both Search and Run. I get a request to perform the task from Windows... then nada.
OK, let's try this.
- Click Start > Run, type Notepad, click OK.
- This will open an empty Notepad file.
- Copy/Paste the contents of the box below into Notepad.
Code:
@echo off
rem Export the COMSysApp service key to a text file on the Desktop, open it, then clean up.
regedit.exe /e "%userprofile%\Desktop\look.txt" "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\COMSysApp"
Notepad.exe "%userprofile%\Desktop\look.txt"
Del "%userprofile%\Desktop\look.txt"
Del %0
- Click Format and ensure Word Wrap is unchecked.
- Save as RegExp.bat
- Save as file type All Files, or it won't work.
- Now double click on RegExp.bat to run it.
- A file look.txt will open on your Desktop, please post the contents in your next reply.
Look - Notepad is blank. To recap, I saved the RegExp.bat Notepad file to the desktop. Double-clicked on it. The system asked for my permission to run. Then it identified that there was no desktop file to save it to, create one? I said yes... voila... nada. :-s
Ruh roh! Zoinkies, Shaggy! I think there's a ghost in there!
I don't think so luckily.
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
Note: The log can also be found on your Desktop entitled SystemLook.txt
- Right-click and Run as Administrator SystemLook.exe to run it.
- Copy the content of the following codebox into the main textfield:
Code:
:reg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\COMSysApp /s
- Click the Look button to start the scan.
- When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Ta-da...
SystemLook 30.07.11 by jpshortstuff
Log created at 18:02 on 23/11/2011 by Family
Administrator - Elevation successful
========== reg ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\COMSysApp]
(Unable to open key - key not found)
-= EOF =-
Hi mnyyoungs,
That is what I thought. The restore from Qoobox did not take. Let's try it again.
Please navigate to this file:
C:\Qoobox\Quarantine\Registry_backups\Service_COMSysApp.reg.dat
- Right click it and click rename
- Remove the .dat file extension so the file name now looks like this:
C:\Qoobox\Quarantine\Registry_backups\Service_COMSysApp.reg
- Left-click on a blank spot near the filename and make sure it looks like the above.
- Right click the file and click merge
- Accept any warnings
Let me know if it was successful.
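The two steps above (exporting the COMSysApp service key to a text file, and if it is missing, restoring it from the Qoobox backup) done from an elevated PowerShell prompt, as an added example that is not part of this thread. It assumes the paths named in the thread (C:\Qoobox\Quarantine\Registry_backups\Service_COMSysApp.reg.dat, and look.txt on the Desktop); the function names are mine. It addresses the two failure modes seen above: regedit /e gives no error when the key does not exist (which is why look.txt never appeared and Notepad offered to create it), whereas reg.exe returns a nonzero exit code; and copying the backup to a new name with -LiteralPath sidesteps the hidden-extension problem that made the rename in Explorer impossible.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt:
# importing under HKLM\SYSTEM requires administrator rights.
# Paths are the ones named in the thread; adjust if yours differ (assumption).

$KeyPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\COMSysApp'
$RegKey   = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\COMSysApp'
$Backup   = 'C:\Qoobox\Quarantine\Registry_backups\Service_COMSysApp.reg.dat'
$ExportTo = Join-Path $env:USERPROFILE 'Desktop\look.txt'

function Test-ServiceKey {
    param([string]$Path)
    Test-Path -LiteralPath $Path
}

function Export-ServiceKey {
    param([string]$Key, [string]$OutFile)
    # reg.exe export fails loudly when the key is absent; regedit /e does not.
    & reg.exe export $Key $OutFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed (exit $LASTEXITCODE): $Key" }
    Get-Content -LiteralPath $OutFile
}

function Restore-ServiceKey {
    param([string]$BackupDat)
    if (-not (Test-Path -LiteralPath $BackupDat)) { throw "Backup not found: $BackupDat" }
    # Work on a copy with a .reg extension so the quarantined original is untouched,
    # and so Explorer's hidden-extension setting cannot get in the way.
    $RegFile = Join-Path $env:TEMP 'Service_COMSysApp.reg'
    Copy-Item -LiteralPath $BackupDat -Destination $RegFile -Force
    # Sanity check: a registry export starts with a REGEDIT4 or Version 5.00 header.
    $first = Get-Content -LiteralPath $RegFile -TotalCount 1
    if ($first -notmatch '^(REGEDIT4|Windows Registry Editor Version 5\.00)') {
        Write-Warning "Unexpected first line in backup: '$first' (encoding or not a .reg export?)"
    }
    & reg.exe import $RegFile
    if ($LASTEXITCODE -ne 0) { throw "reg import failed (exit $LASTEXITCODE)" }
    Remove-Item -LiteralPath $RegFile -Force
}

if (Test-ServiceKey $KeyPath) {
    Write-Host "COMSysApp key present; exporting to $ExportTo"
    Export-ServiceKey -Key $RegKey -OutFile $ExportTo
} else {
    Write-Host 'COMSysApp key not found (as SystemLook reported); restoring from Qoobox backup'
    Restore-ServiceKey -BackupDat $Backup
    if (Test-ServiceKey $KeyPath) {
        Write-Host 'Restore succeeded. Service definition now in the registry:'
        Get-ItemProperty -LiteralPath $KeyPath | Select-Object ImagePath, Start, Type, ObjectName
    } else {
        Write-Warning 'Key still missing after import; check the backup file contents'
    }
}
```

After a successful import the Service Control Manager only picks up the restored definition at the next boot, so reboot before re-running SystemLook to confirm the service is back.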
:-s the file does not have a reg.dat extension for me to rename.
"C:\Qoobox\Quarantine\Registry_backups\Service_COMSysApp.reg"
although it does show as a dat file listed under "type"
I cannot proceed with the instructions, as is. :(
Hi mnyyoungs,
Go ahead and delete your copy of ComboFix, download a fresh copy and then run a new scan. Please post the log in your next reply.
ComboFix 11-11-23.03 - Family 24/11/2011 11:00:03.11.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.2037.1286 [GMT -5:00]
Running from: c:\users\Family\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2011-10-24 to 2011-11-24 )))))))))))))))))))))))))))))))
.
.
2011-11-24 16:20 . 2011-11-24 16:20 -------- d-----w- c:\users\Family\AppData\Local\temp
2011-11-24 16:20 . 2011-11-24 16:20 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-11-21 11:48 . 2011-11-21 11:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-21 11:48 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-20 21:41 . 2011-11-20 21:41 -------- d-----w- C:\_OTM
2011-11-17 02:11 . 2008-02-29 08:13 35384 ----a-w- c:\windows\system32\drivers\kbdclass.sys
2011-11-16 15:27 . 2011-11-16 15:27 -------- d-----w- c:\program files\ERUNT
2011-11-12 17:56 . 2011-11-12 17:56 -------- d-----w- c:\program files\ESET
2011-11-09 19:05 . 2011-11-09 19:05 -------- d-----w- c:\users\Family\AppData\Local\WinZip
2011-11-09 19:03 . 2011-11-09 19:04 -------- d-----w- c:\programdata\WinZip
2011-10-31 18:18 . 2011-10-31 18:18 1529728 ----a-w- c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
2011-10-31 18:13 . 2011-10-31 18:13 145184 ----a-w- c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
2011-10-30 14:38 . 2011-10-30 14:38 -------- d-----w- C:\TDSSKiller_Quarantine
2011-10-28 08:13 . 2011-10-18 06:28 6668624 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{D208FC11-8E7A-4DE4-917E-F39D40F22D8F}\mpengine.dll
2011-10-25 22:48 . 2011-08-13 04:43 6144 ----a-w- c:\program files\Internet Explorer\iecompat.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-30 14:43 . 2009-07-26 02:26 67072 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-09-30 23:06 . 2011-10-12 15:36 916480 ----a-w- c:\windows\system32\wininet.dll
2011-09-30 23:02 . 2011-10-12 15:36 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-09-30 23:01 . 2011-10-12 15:36 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-09-30 23:01 . 2011-10-12 15:36 71680 ----a-w- c:\windows\system32\iesetup.dll
2011-09-30 23:01 . 2011-10-12 15:36 109056 ----a-w- c:\windows\system32\iesysprep.dll
2011-09-30 22:07 . 2011-10-12 15:36 385024 ----a-w- c:\windows\system32\html.iec
2011-09-30 21:29 . 2011-10-12 15:36 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2011-09-30 21:28 . 2011-10-12 15:36 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-09-06 13:30 . 2011-10-12 15:36 2043392 ----a-w- c:\windows\system32\win32k.sys
2011-04-14 18:01 . 2010-10-25 17:37 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SacReminderHDDV2N"="c:\programdata\Clickfree\C2NPlus\reminder\SacReminder.exe" [2011-01-20 870224]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-22 68856]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-26 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-26 154136]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-26 129560]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-09-07 405504]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-09-24 159744]
"DLBXCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\DLBXtime.dll" [2007-02-22 73728]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2008-11-18 623880]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-08-31 1047208]
.
c:\users\Family\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2010-10-13 984408]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK32.EXE [2011-10-22 611144]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"DisableStartupSound"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoThumbnailCache"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\C:\0autocheck autochk *
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=c:\windows\pss\Digital Line Detect.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=c:\windows\pss\Kodak EasyShare software.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickSet.lnk]
backup=c:\windows\pss\QuickSet.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-18 13:58 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2007-09-24 09:27 159744 ----a-w- c:\program files\DellTPad\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
2008-12-20 04:48 342848 ----a-w- c:\users\Family\Program Files\DNA\btdna.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
2007-05-25 06:03 17920 ----a-w- c:\dell\E-Center\EULALauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2011-08-31 22:00 1047208 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-07-26 20:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2007-04-16 22:10 184320 ------w- c:\program files\Dell\MediaDirect\PCMService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-11-22 12:06 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R2 CFUACProxy_c2nplus;CFUACProxy_c2nplus;c:\programdata\Clickfree\C2NPlus\UACProxy.exe [2011-10-31 87368]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [x]
R2 gupdate1c9834ebde52a90;Google Update Service (gupdate1c9834ebde52a90);c:\program files\Google\Update\GoogleUpdate.exe [x]
R2 SacNetAgentService_C57C4F854F53;SacNetAgentService_C57C4F854F53;c:\programdata\Clickfree\C2NPlus\Reminder\SacNetAgent.exe [2011-10-25 157296]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [x]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [x]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys [2008-07-09 47360]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [2007-08-29 73728]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-09-23 64288]
S1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\rsdrv.sys [2009-02-12 22312]
S1 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [2011-06-28 101720]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2011-10-31 1153368]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-05-21 179712]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-24 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2011-10-31 18:10]
.
2010-12-16 c:\windows\Tasks\User_Feed_Synchronization-{1A27E350-4EB9-4A64-8D25-115B91043FBF}.job
- c:\windows\system32\msfeedssync.exe [2011-10-12 21:29]
.
.
------- Supplementary Scan -------
.
mSearch Bar = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\users\Family\AppData\Roaming\Mozilla\Firefox\Profiles\85q3ua9k.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.sympatico.ca/
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4e2b35e5&v=7.008.031.001&i=23&tp=ab&iy=b&ychte=ca&lng=en-GB&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: Canadian English Dictionary: en-CA@dictionaries.addons.mozilla.org - %profile%\extensions\en-CA@dictionaries.addons.mozilla.org
FF - Ext: Ancestry.com Advanced Image Viewer: support@ancestry.com - %profile%\extensions\support@ancestry.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-24 11:20
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBXCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\DLBXtime.dll,_RunDLLEntry@16
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2011-11-24 11:25:50
ComboFix-quarantined-files.txt 2011-11-24 16:25
ComboFix2.txt 2011-11-17 02:38
ComboFix3.txt 2011-11-14 23:46
ComboFix4.txt 2011-11-09 01:02
.
Pre-Run: 53,239,291,904 bytes free
Post-Run: 53,025,878,016 bytes free
.
- - End Of File - - E9AAB4F6F4642F1C49009A2742B198F6
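A first-pass triage of a ComboFix log like the one above, as an added example that is not part of the thread and not a ComboFix feature. It flags three things a reviewer would look at before anything else: service and driver lines where ComboFix printed [x] instead of a date and size for the image file (so the file should be checked by hand), Security Center keys with "DisableMonitoring"=1, and Firefox preferences that disable security warnings or redirect the address-bar search. The sample lines in $SampleLog are copied from the log posted above so the script runs offline; the function name and categories are mine.

```powershell
# Added example (not from the thread): triage a ComboFix log for items to review.
# Replace $SampleLog with (Get-Content -LiteralPath 'C:\ComboFix.txt') for a full log.

$SampleLog = @'
R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [x]
R2 gupdate1c9834ebde52a90;Google Update Service (gupdate1c9834ebde52a90);c:\program files\Google\Update\GoogleUpdate.exe [x]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys [2008-07-09 47360]
S1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\rsdrv.sys [2009-02-12 22312]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4e2b35e5&v=7.008.031.001&i=23&tp=ab&iy=b&ychte=ca&lng=en-GB&q=
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: privacy.clearOnShutdown.cookies - false
'@

function Get-ComboFixFindings {
    param([string[]]$Lines)
    $findings = New-Object System.Collections.Generic.List[object]
    $currentKey = $null
    foreach ($line in $Lines) {
        # Service/driver lines: "<R|S><n> <name>;<display name>;<image path> [<date size> | x]"
        if ($line -match '^(?<state>[RS]\d)\s+(?<name>[^;]+);(?<display>[^;]*);(?<path>.+?)\s+\[(?<meta>[^\]]*)\]\s*$') {
            if ($Matches['meta'] -eq 'x') {
                $findings.Add([pscustomobject]@{
                    Category = 'Service image file not reported by ComboFix (verify it exists)'
                    Item     = $Matches['name']
                    Detail   = $Matches['path']
                })
            }
            continue
        }
        # Registry section header, remembered so the values under it can be attributed
        if ($line -match '^\[(?<key>HK[^\]]+)\]$') { $currentKey = $Matches['key']; continue }
        if ($currentKey -like '*\security center\Monitoring*' -and
            $line -match '^"DisableMonitoring"=dword:0*1$') {
            $findings.Add([pscustomobject]@{
                Category = 'Security Center monitoring disabled'
                Item     = $currentKey
                Detail   = $line
            })
            continue
        }
        # Firefox prefs as ComboFix prints them: "FF - prefs.js: <name> - <value>"
        if ($line -match '^FF - (?:prefs|user)\.js: (?<pref>\S+) - (?<value>.*)$') {
            $pref = $Matches['pref']; $value = $Matches['value']
            if ($pref -like 'security.warn_*' -and $value -eq 'false') {
                $findings.Add([pscustomobject]@{ Category = 'Firefox security warning disabled'; Item = $pref; Detail = $value })
            } elseif ($pref -eq 'keyword.URL') {
                $findings.Add([pscustomobject]@{ Category = 'Firefox address-bar search redirected (review)'; Item = $pref; Detail = $value })
            }
        }
    }
    return $findings
}

$lines = $SampleLog -split "`r?`n"
Get-ComboFixFindings -Lines $lines | Format-Table -AutoSize -Wrap
```

On the sample above this reports the two [x] services (CSHelper and the Google updater), both DisableMonitoring keys, the two security.warn_* prefs set to false, and the keyword.URL pointing at search.avg.com; a redirected keyword.URL is commonly set by a search toolbar rather than malware, which is why it is marked for review rather than as a finding.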
Hi mnyyoungs,
I haven't forgotten about you. Working some details out about your logs. I will return as quickly as I can.