TechSpot

Bamital-AF infected explorer.exe on vista with blackscreen

By sayhello
Oct 25, 2010
  1. Hi there,

    Hope you can help me out with the following issue I have since thursday; think point virus infected my laptop with vista 32bit. As soon this happened, I switched off internet en rebooted in safe mode. No idea where this virus came from, maybe an outdated Javascript?

    From there in safe mode,I used taskmanager, shutdown process hotfix.exe en deleted the file.

    I have had the latest windows update already, excluding the latest for the MS office. But I didn't use that on the day of infection.

    Avast anti virus was running too.
    I tried, malware bytes, super anti spyware and avast. All found virusses. Only after a 10 hour boot scan by Avast it turned out that almost all viruses where gone except at two locations; wininit.exe and explorer.exe

    avast was not able to delete/repair these. I renaimed wininit.exe into wininit2.exe and manually deleted it. Now at this time of writing, no reboot has been settled yet.

    I tried to understand all of the post: http://www.techspot.com/vb/topic154603.html but found difficulties.

    I already used JavaRA to uninstall old versions.
    I ran security check;

    a Results of screen317's Security Check version 0.99.5
    Windows Vista (UAC is disabled!)
    Out of date service pack!!
    Internet Explorer 8
    ``````````````````````````````
    Antivirus/Firewall Check:

    avast! Free Antivirus
    Antivirus up to date!
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Malwarebytes' Anti-Malware
    Java(TM) 6 Update 22
    Java(TM) 6 Update 2
    Out of date Java installed!
    Adobe Flash Player 10.1.53.64
    Adobe Reader 9.4.0 - Nederlands
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    Alwil Software Avast5 AvastSvc.exe
    Alwil Software Avast5 AvastUI.exe
    ````````````````````````````````
    DNS Vulnerability Check:

    GREAT! (Not vulnerable to DNS cache poisoning)

    ``````````End of Log````````````


    With the programm SystemLook I found out that there are several explorer.exe programms running on my pc:

    SystemLook 04.09.10 by jpshortstuff
    Log created at 10:21 on 25/10/2010 by Simon
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "winlogon.exe"
    C:\WINDOWS\SoftwareDistribution\Download\2b4e48d0ede6112a59b10e3704a22eee\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6001.18000_none_6fc30116d4f17bf5\winlogon.exe --a---- 314880 bytes [17:32 23/10/2010] [07:33 19/01/2008] C2610B6BDBEFC053BBDAB4F1B965CB24
    C:\WINDOWS\System32\winlogon.exe --a---- 308224 bytes [08:44 02/11/2006] [09:45 02/11/2006] 9F75392B9128A91ABAFB044EA350BAAD
    C:\WINDOWS\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6000.16386_none_6d8c3f1ad8066b21\winlogon.exe --a---- 308224 bytes [08:44 02/11/2006] [09:45 02/11/2006] 9F75392B9128A91ABAFB044EA350BAAD

    Searching for "explorer.exe"
    C:\WINDOWS\explorer.exe --a---- 2923520 bytes [13:04 08/12/2009] [13:04 08/12/2009] 69BD2E12B17DEC67A3BD48723D338E86
    C:\WINDOWS\SoftwareDistribution\Download\2b4e48d0ede6112a59b10e3704a22eee\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18000_none_51b4a71279bc6ebf\explorer.exe --a---- 2927104 bytes [17:33 23/10/2010] [07:33 19/01/2008] FFA764631CB70A30065C12EF8E174F9F
    C:\WINDOWS\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16386_none_4f7de5167cd15deb\explorer.exe --a---- 2923520 bytes [08:47 02/11/2006] [09:45 02/11/2006] FD8C53FB002217F6F888BCF6F5D7084D
    C:\WINDOWS\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16549_none_4fac29707cae347a\explorer.exe --a---- 2923520 bytes [13:34 08/12/2009] [13:34 08/12/2009] 6D06CD98D954FE87FB2DB8108793B399
    C:\WINDOWS\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16771_none_4f83bb287ccdb7e3\explorer.exe --a---- 2923520 bytes [13:04 08/12/2009] [13:04 08/12/2009] 37440D09DEAE0B672A04DCCF7ABF06BE
    C:\WINDOWS\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20668_none_501f261995dcf2cf\explorer.exe --a---- 2923520 bytes [13:34 08/12/2009] [13:34 08/12/2009] BD06F0BF753BC704B653C3A50F89D362
    C:\WINDOWS\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20947_none_5033cb5995cd990b\explorer.exe --a---- 2923520 bytes [13:04 08/12/2009] [13:04 08/12/2009] E7156B0B74762D9DE0E66BDCDE06E5FB
    C:\WINDOWS\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18164_none_5177ca9879e978e8\explorer.exe --a---- 2927104 bytes [13:04 08/12/2009] [13:04 08/12/2009] 4F554999D7D5F05DAAEBBA7B5BA1089D
    C:\WINDOWS\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_51e4f8c7931bd1e1\explorer.exe --a---- 2927616 bytes [13:04 08/12/2009] [13:04 08/12/2009] 50BA5850147410CDE89C523AD3BC606E

    Searching for "wininit.exe"
    C:\WINDOWS\SoftwareDistribution\Download\2b4e48d0ede6112a59b10e3704a22eee\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6001.18000_none_30f2b8cf0450a6a2\wininit.exe --a---- 96768 bytes [17:31 23/10/2010] [07:33 19/01/2008] 101BA3EA053480BB5D957EF37C06B5ED
    C:\WINDOWS\System32\wininit.exe --a---- 95744 bytes [08:44 02/11/2006] [09:45 02/11/2006] F0A27AEEA77769D1463157C7FA40F755
    C:\WINDOWS\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6000.16386_none_2ebbf6d3076595ce\wininit.exe --a---- 95744 bytes [08:44 02/11/2006] [09:45 02/11/2006] D4385B03E8CCCEE6F0EE249F827C1F3E

    -= EOF =-

    Hope that someone of your forum can help me cleaning the explorer.exe file. I do not have a dvd of my legitime vista, it was pre-installed and has a recovery partition on my laptop.
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Hello back to you and welcome to TechSpot. Let's get you headed in the right direction:

    ThinkPoint is a rogue anti-spyware program that comes bundled with the fake Microsoft Security Essentials Alert. It will block task manager, registry editor and other tools too claiming that these tools were block due the security reasons and might be infected with malicious code.

    The malware authors try to mimic legitimate programs in looks and what the action will be> that's why so many users get drawn into these programs. The main entry we see is hotfix.exe so we will stop it:

    1. Boot into Safe Mode
      • Restart your computer and start pressing the F8 key on your keyboard.
      • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
    2. End Task
      Click on Start> Run> type in taskmgr> OK.
      Double click on the frame at the top of the Processes column to sort
      Find hotfix.exe and click to Highlight
      Click on End Task
    3. Unhide
      Click on Start> Search> All Files and Folders
      Go up to Tools> Folder Options
      Click on the View tab
      Check 'Show hidden files and folders'
      Uncheck 'Hide protected operating system files (Recommended)'
      Click on OK> Apply> OK
    4. Search
      Go to Search> 'all or part of the name'
      Type in hotfix.exe
      (It should be found in this folder: C:\Documents and Settings\User\Application Data\hotfix.exe
      Do a right click> Delete on the file
    5. Rehide the files and folders.
    Close
    ===============================================
    Reboot the computer back into Normal Mode
    ==============================================
    Please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    When you have finished, leave the logs for review in your next reply

    Malwarebytes will remove some of the Malware entries, but Bamnital also has a Registry I need to remove so I'd also like you to download ComboFix from Here and save to your Desktop.

    • [1]. Do NOT rename Combofix unless instructed.
      [2].Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3].Close any open browsers.
      [4]. Double click combofix.exe & follow the prompts to run.
    • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
      [5]. If Combofix asks you to install Recovery Console, please allow it.
      [6]. If Combofix asks you to update the program, always allow.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      [7]. A report will be generated after the scan. Please paste the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs, when you're done with Combofix..

    Regarding the security information you left: Please uninstall Java(TM) 6 Update 2 . I will have you update the Vista SP later.

    Important!
    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
     
  3. sayhello

    sayhello TS Rookie Topic Starter

    hi Bobbye,
    Thank you for helping me out on this problem.


    the hotfix.exe was manually delete by me, some days ago

    I used the Preliminary Virus and Malware Removal thread

    1) Avast was already running as descibred in the first thread, and deleted several files

    2) after running Temporary File Cleaner in my black windows, the windows system recovery was activated and later on windows rebooted with screen. It seems it worked fine, sound / Chrome/ normal screen / explorer.. but after i went online again, Avast had to block explorer.exe again

    3) the scan from malware is provided below. Nothing found.

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Databaseversie: 4932

    Windows 6.0.6000
    Internet Explorer 8.0.6001.18882

    26-10-2010 10:00:08
    mbam-log-2010-10-26 (10-00-08).txt

    Scantype: Snelle scan
    Objecten gescand: 164473
    Verstreken tijd: 12 minuut/minuten, 10 seconde(n)

    Geheugenprocessen geïnfecteerd: 0
    Geheugenmodulen geïnfecteerd: 0
    Registersleutels geïnfecteerd: 0
    Registerwaarden geïnfecteerd: 0
    Registerdata geïnfecteerd: 0
    Mappen geïnfecteerd: 0
    Bestanden geïnfecteerd: 0

    Geheugenprocessen geïnfecteerd:
    (Geen kwaadaardige objecten gedetecteerd)

    Geheugenmodulen geïnfecteerd:
    (Geen kwaadaardige objecten gedetecteerd)

    Registersleutels geïnfecteerd:
    (Geen kwaadaardige objecten gedetecteerd)

    Registerwaarden geïnfecteerd:
    (Geen kwaadaardige objecten gedetecteerd)

    Registerdata geïnfecteerd:
    (Geen kwaadaardige objecten gedetecteerd)

    Mappen geïnfecteerd:
    (Geen kwaadaardige objecten gedetecteerd)

    Bestanden geïnfecteerd:
    (Geen kwaadaardige objecten gedetecteerd)

    4) the GMER was launched with 'Files + ADS + Show all' and it turned out, that nothing was changed, so no log was created

    5) I couldn't make DDS work for me! I temporary closed all items on Avast and shutdown the internet, the document started with this message:

    € º ´ Í!¸LÍ!This program cannot be run in DOS mode.

    $ PE L +I à  2 n    @     à  ’       ÔÇ À ´ .




    Therefore I didn' t start with combofix. Do you have any suggestions what to do next?
     
  4. sayhello

    sayhello TS Rookie Topic Starter

    update:

    as said, step 5, DDS by sUBs was skipped.
    Your suggestion of uninstall JAVA 2 update 2 would install JAVA completely, so for now, I didn't act on this.

    I tried combofix, below the result:

    ComboFix 10-10-27.01 - Simon 28-10-2010 7:02.1.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.31.1043.18.3070.2166 [GMT 2:00]
    Gestart vanuit: c:\users\Simon\Downloads\ComboFix.exe
    AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    SP: avast! Antivirus *disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    .

    (((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\pdfforge Toolbar\SeARchsettings.dll
    c:\users\Simon\AppData\Roaming\chkntfs.dat
    c:\windows\system32\~.inf
    c:\windows\system32\KBL.LOG
    D:\install.exe

    .
    (((((((((((((((((((( Bestanden Gemaakt van 2010-09-28 to 2010-10-28 ))))))))))))))))))))))))))))))
    .

    2010-10-28 05:10 . 2010-10-28 05:10 -------- d-----w- c:\users\Simon\AppData\Local\temp
    2010-10-26 07:42 . 2010-10-18 07:41 6146896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{6BDECEE9-8AEE-48CE-8D6D-1AD1D48FF08A}\mpengine.dll
    2010-10-25 22:44 . 2010-10-25 22:44 -------- d-----w- c:\users\Simon\AppData\Roaming\18A5297803520240D56E428B0BCEB873
    2010-10-24 20:15 . 2010-09-15 02:50 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    2010-10-24 20:15 . 2010-09-15 02:50 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-10-24 11:54 . 2010-10-24 11:54 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help
    2010-10-23 18:15 . 2010-10-23 18:15 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2010-10-23 18:15 . 2010-10-23 18:15 -------- d-----w- c:\users\Simon\AppData\Roaming\SUPERAntiSpyware.com
    2010-10-23 18:14 . 2010-10-28 04:42 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-10-22 15:18 . 2010-10-22 15:18 -------- d-----w- c:\users\Simon\AppData\Roaming\Malwarebytes
    2010-10-22 15:18 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-10-22 15:18 . 2010-10-23 21:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-10-22 15:18 . 2010-10-22 15:18 -------- d-----w- c:\programdata\Malwarebytes
    2010-10-22 15:18 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-10-21 06:47 . 2010-09-06 09:26 189520 ----a-w- c:\windows\system32\drivers\tmcomm.sys
    2010-10-20 20:13 . 2010-10-20 20:13 175 ----a-w- c:\users\Simon\AppData\Roaming\1592.bat

    .
    ((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-10-19 09:41 . 2009-12-08 09:42 222080 ------w- c:\windows\system32\MpSigStub.exe
    2010-09-28 14:12 . 2010-07-21 08:36 403605 ----a-w- c:\windows\system32\~.tmp
    2010-09-26 10:24 . 2010-09-26 10:24 1409 ----a-w- c:\windows\QTFont.for
    2010-09-07 15:12 . 2010-07-14 06:27 38848 ----a-w- c:\windows\avastSS.scr
    2010-09-07 15:11 . 2009-12-08 09:42 167592 ----a-w- c:\windows\system32\aswBoot.exe
    2010-09-07 14:52 . 2009-12-08 09:42 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-09-07 14:52 . 2009-12-08 09:42 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-09-07 14:47 . 2009-12-08 09:42 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-09-07 14:47 . 2009-12-08 09:42 50768 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2010-09-07 14:47 . 2009-12-08 09:42 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2009-10-08 21:18 77824 ----a-w- c:\users\Simon\AppData\Roaming\Dropbox\bin\DropboxExt.3.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2009-10-08 21:18 77824 ----a-w- c:\users\Simon\AppData\Roaming\Dropbox\bin\DropboxExt.3.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2009-10-08 21:18 77824 ----a-w- c:\users\Simon\AppData\Roaming\Dropbox\bin\DropboxExt.3.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-12-08 1232896]
    "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-02-13 486856]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-09-02 13351304]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]
    "Google Update"="c:\users\Simon\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-12-08 135664]
    "RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-10-28 2424560]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
    "RtHDVCpl"="RtHDVCpl.exe" [2007-08-17 4702208]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-07-25 174616]
    "QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-09-30 181544]
    "QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-09-19 202032]
    "OnScreenDisplay"="c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2007-09-04 554320]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2007-11-27 1006264]
    "hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-09-13 480560]
    "WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-08 311296]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "DpAgent"="c:\program files\DigitalPersona\Bin\dpagent.exe" [2009-12-01 842816]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-08 13601312]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-08 92704]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1045800]
    "UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2008-06-13 210216]
    "SearchSettings"="c:\program files\pdfforge Toolbar\SearchSettings.exe" [2009-07-29 1024512]
    "hpqSRMon"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
    "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-06-09 49208]
    "Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-12-16 155648]
    "avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]
    "PMBVolumeWatcher"="c:\program files\Sony\PMB\PMBVolumeWatcher.exe" [2010-03-24 599328]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-09-25 202256]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Adobe Acrobat Snelle start.lnk - c:\windows\Installer\{AC76BA86-1040-7D00-7760-000000000003}\_SC_Acrobat.exe [2009-12-14 295606]
    BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-9-5 727592]
    HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]
    MindManager PDF Writer.lnk - c:\program files\Mindjet\MindManager 5\sys\PDF\ENU\W2K\PDFSaver.exe [2003-2-21 61440]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "mixer2"=wdmaud.drv

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification Packages REG_MULTI_SZ scecli DPPWDFLT

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    R2 gupdate;Google Updateservice (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-12-20 135664]
    R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2009-02-13 11520]
    R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2009-12-08 716272]
    S1 aswSP;aswSP; [x]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
    S2 aswFsBlk;aswFsBlk; [x]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-09-07 50768]
    S2 PMBDeviceInfoProvider;PMBDeviceInfoProvider;c:\program files\Sony\PMB\PMBDeviceInfoProvider.exe [2009-10-24 360224]
    S3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-11-17 3668480]


    --- Andere Services/Drivers In Geheugen ---

    *NewlyCreated* - SASDIFSV

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bthsvcs REG_MULTI_SZ BthServ
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    HPService REG_MULTI_SZ HPSLPSVC
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    WindowsMobile REG_MULTI_SZ wcescomm rapimgr
    LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2007-08-23 16:34 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
    .
    Inhoud van de 'Gedeelde Taken' map

    2010-10-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-12-20 11:40]

    2010-10-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-12-20 11:40]

    2010-10-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2901700071-4206263301-2560484385-1000Core.job
    - c:\users\Simon\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-08 10:11]

    2010-10-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2901700071-4206263301-2560484385-1000UA.job
    - c:\users\Simon\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-08 10:11]

    2010-10-08 c:\windows\Tasks\HPCeeScheduleForSimon.job
    - c:\program files\Hewlett-Packard\SDP\Ceement\HPCEE.exe [2007-11-27 10:58]
    .
    .
    ------- Bijkomende Scan -------
    .
    uStart Page = about:blank
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=nl_nl&c=81&bd=Pavilion&pf=laptop
    uInternet Settings,ProxyOverride = *.local
    IE: Add to &Evernote - c:\program files\Evernote\Evernote3.5\enbar.dll/2000
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: Afbeelding verzenden naar &Bluetooth-apparaat... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Converteren naar Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    IE: Geselecteerde koppelingen converteren naar Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Geselecteerde koppelingen converteren naar bestaand PDF-bestand - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Koppelingdoel converteren naar Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Koppelingdoel converteren naar bestaand PDF-bestand - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Pagina verzenden naar &Bluetooth-apparaat... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    IE: Selectie converteren naar Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Selectie converteren naar bestaand PDF-bestand - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Toevoegen aan bestaand PDF-bestand - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: {{E0B8C461-F8FB-49b4-8373-FE32E92528A6} - {BC0E0A5D-AB5A-4fa4-A5FA-280E1D58EEEE} - c:\program files\Evernote\Evernote3.5\enbar.dll
    FF - ProfilePath - c:\users\Simon\AppData\Roaming\Mozilla\Firefox\Profiles\h78hf0g5.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=VE3D01&q=
    FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=VE3D01&q=
    FF - component: c:\program files\DigitalPersona\Bin\firefoxext\components\dpffcli.dll
    FF - component: c:\program files\Hewlett-Packard\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBook.dll
    FF - component: c:\program files\Hewlett-Packard\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBookDB.dll
    FF - component: c:\program files\Hewlett-Packard\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpNeoLogger.dll
    FF - component: c:\program files\Hewlett-Packard\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSaturn.dll
    FF - component: c:\program files\Hewlett-Packard\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartSelect.dll
    FF - component: c:\program files\Hewlett-Packard\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartWebPrinting.dll
    FF - component: c:\program files\Hewlett-Packard\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSWPOperation.dll
    FF - component: c:\program files\Hewlett-Packard\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPLogging.dll
    FF - component: c:\program files\Hewlett-Packard\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTC.dll
    FF - component: c:\program files\Hewlett-Packard\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTL.dll
    FF - component: c:\program files\Hewlett-Packard\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXREStub.dll
    FF - component: c:\users\Simon\AppData\Roaming\Mozilla\Firefox\Profiles\h78hf0g5.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
    FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\Hewlett-Packard\Digital Imaging\Smart Web Printing\MozillaAddOn3\plugins\nphpclipbook.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
    FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
    FF - plugin: c:\users\Simon\AppData\Roaming\Mozilla\Firefox\Profiles\h78hf0g5.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    .
    .
    ------- Bestandsassociaties -------
    .
    .scr=AutoCADScriptFile
    .
    - - - - ORPHANS VERWIJDERD - - - -

    HKLM-Run-HP Health Check Scheduler - [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-10-28 07:10
    Windows 6.0.6000 NTFS

    scannen van verborgen processen ...

    scannen van verborgen autostart items ...

    scannen van verborgen bestanden ...

    Scan succesvol afgerond
    verborgen bestanden: 0

    **************************************************************************
    .
    --------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    --------------------- DLLs Geladen Onder Lopende Processen ---------------------

    - - - - - - - > 'lsass.exe'(716)
    c:\windows\system32\DPPWDFLT.dll
    .
    Voltooingstijd: 2010-10-28 07:13:12
    ComboFix-quarantined-files.txt 2010-10-28 05:12

    Pre-Run: 29.608.804.352 bytes beschikbaar
    Post-Run: 30.813.847.552 bytes beschikbaar

    - - End Of File - - 8D39F6F10F101CA2B534C265AEF09165
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please look at the screenshot of GMER on this page: http://www.softpedia.com/progScreenshots/GMER-Screenshot-45737.html

    Note that all of the boxes in the right column are checked except 'Show all'. Download the program to your desktop> don't launch it from the download site.- save to your desktop. If the screen isn't checked for this display, please put the checks in. Then try GMER again.


    Please download and run the tool below named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.
    • Rkill.com
    • Rkill.scr
    • Rkill.pif
    • Rkill.exe
    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run then try to immediately run the following>>>>.

    Please download exeHelper by Raktor and save it to your desktop.
    • Double-click on exeHelper.com or exeHelper.scr to run the fix tool.
    • A black window should pop up, press any key to close once the fix is completed.
    • A log file called exehelperlog.txt will be created and should open at the end of the scan)
    • A copy of that log will also be saved in the directory where you ran exeHelper.com
    • Copy and paste the contents of exehelperlog.txt in your next reply.

    Note: If the window shows a message that says "Error deleting file", please re-run the tool again before posting a log and then post the two logs together (they both will be in the one file).

    Then try DDS again.
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...