also @ TechSpot: Tea Party Republicans and 'liberal weenies' alike celebrate Texas email privacy law

TechSpot

TechSpot News Products Downloads Forums

About
Sign in

Welcome to TechSpot

Why should I register?

Sign up for a new account or log in here:

Forgot your password?

Couldn't sign you in, please try again.

Have downloaded Malware but virus is blocking access to it

Discussion in 'Virus and Malware Removal' started by gill12, Feb 26, 2011.

Page 2 of 4

Broni Malware Annihilator Posts: 40,051 +187

Did you try steps listed here?

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:
[...]

Broni, Mar 4, 2011

#21
gill12 Newcomer, in training Posts: 44

Combofix

Hi,
finally got Combo to run - here is the Rkill report followed by Combofix.

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 07/03/2011 at 15:40:08.
Operating System: Microsoft Windows XP

Processes terminated by Rkill or while it was running:

--------------------------------------------------------------------------------------------------------------
COMBOFIX

ComboFix 11-03-06.06 - Owner 07/03/2011 15:16:17.7.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1015.614 [GMT 0:00]
Running from: C:\Documents and Settings\All Users\Desktop\gill12ComboFix.exe

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

---- Previous Run -------

C:\Documents and Settings\Owner\g2mdlhlpx.exe
C:\Documents and Settings\Owner\GoToAssistDownloadHelper.exe
C:\Install.exe
C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl
C:\WINDOWS\system32\muzapp.exe

-- Previous Run --

C:\WINDOWS\system32\kernel32.dll . . . is infected!!

--------

((((((((((((((((((((((((( Files Created from 2011-02-07 to 2011-03-07 )))))))))))))))))))))))))))))))

2011-02-28 23:53:23 . 2011-03-01 00:12:19 -------- d-----w- C:\Temp
2011-02-27 00:46:43 . 2010-12-20 18:09:00 38224 ----a-w- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2011-02-27 00:46:39 . 2010-12-20 18:08:40 20952 ----a-w- C:\WINDOWS\system32\drivers\mbam.sys
2011-02-27 00:01:39 . 2011-02-27 00:01:39 -------- d-----w- C:\Program Files\ESET
2011-02-26 16:03:06 . 2011-02-28 18:28:50 -------- d-----w- C:\Documents and Settings\All Users\Application Data\gMpOpOg06300
2011-02-16 18:43:35 . 2011-02-16 18:43:35 -------- d-----w- C:\Program Files\MyFree Codec
2011-02-16 18:31:05 . 2011-02-17 14:42:46 -------- d-----w- C:\Documents and Settings\Owner\Local Settings\Application Data\Samsung
2011-02-16 17:38:36 . 2011-01-29 17:00:44 4659712 ----a-w- C:\WINDOWS\system32\Redemption.dll
2011-02-16 17:33:17 . 2011-02-16 17:33:17 -------- d-----w- C:\Documents and Settings\Owner\Local Settings\Application Data\Downloaded Installations
2011-02-16 17:22:39 . 2011-02-16 17:24:28 87340080 ----a-w- C:\Program Files\Kies_2.0.0.11014_49_2.exe
2011-02-16 16:21:30 . 2008-07-06 12:06:10 89088 ----a-w- C:\WINDOWS\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll.new
2011-02-16 16:20:25 . 2011-02-16 16:21:41 -------- d-----w- C:\e3e73489e9a60c045b91ecda
2011-02-16 16:00:03 . 2011-02-16 16:00:03 -------- d-----w- C:\Documents and Settings\All Users\Application Data\PC Suite
2011-02-16 16:00:00 . 2011-02-16 16:00:00 -------- d-----w- C:\Documents and Settings\Owner\Application Data\PC Suite
2011-02-16 15:47:54 . 2009-09-19 05:30:10 100224 ----a-w- C:\WINDOWS\system32\drivers\ss_bserd.sys
2011-02-16 15:47:53 . 2009-09-19 05:30:10 14848 ----a-w- C:\WINDOWS\system32\drivers\ss_bmdfl.sys
2011-02-16 15:47:53 . 2009-09-19 05:30:10 12416 ----a-w- C:\WINDOWS\system32\drivers\ss_bcmnt.sys
2011-02-16 15:47:53 . 2009-09-19 05:30:10 123648 ----a-w- C:\WINDOWS\system32\drivers\ss_bmdm.sys
2011-02-16 15:47:51 . 2009-09-19 05:30:10 98432 ----a-w- C:\WINDOWS\system32\drivers\ss_bbus.sys
2011-02-16 15:47:51 . 2009-09-19 05:30:10 12288 ----a-w- C:\WINDOWS\system32\drivers\ss_bwhnt.sys
2011-02-16 15:46:27 . 2011-02-16 15:46:27 -------- d-----w- C:\Program Files\DIFX
2011-02-16 15:46:24 . 2008-08-26 09:26:12 18816 ----a-w- C:\WINDOWS\system32\drivers\pccsmcfd.sys

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2011-01-29 17:00:24 . 2011-01-29 17:00:24 90112 ----a-w- C:\WINDOWS\MAMCityDownload.ocx
2011-01-29 17:00:24 . 2011-01-29 17:00:24 325552 ----a-w- C:\WINDOWS\MASetupCaller.dll
2011-01-29 17:00:24 . 2011-01-29 17:00:24 30568 ----a-w- C:\WINDOWS\MusiccityDownload.exe
2011-01-29 17:00:22 . 2011-01-29 17:00:22 143360 ----a-w- C:\WINDOWS\system32\3DAudio.ax
2011-01-21 14:44:37 . 2004-08-04 12:00:00 439296 ----a-w- C:\WINDOWS\system32\shimgvw.dll
2011-01-07 14:09:02 . 2004-08-04 12:00:00 290048 ----a-w- C:\WINDOWS\system32\atmfd.dll
2010-12-31 13:10:33 . 2004-08-04 12:00:00 1854976 ----a-w- C:\WINDOWS\system32\win32k.sys
2010-12-22 12:34:28 . 2004-08-04 12:00:00 301568 ----a-w- C:\WINDOWS\system32\kerberos.dll
2010-12-20 23:59:20 . 2004-08-04 12:00:00 916480 ----a-w- C:\WINDOWS\system32\wininet.dll
2010-12-20 23:59:19 . 2004-08-04 12:00:00 43520 ----a-w- C:\WINDOWS\system32\licmgr10.dll
2010-12-20 23:59:19 . 2004-08-04 12:00:00 1469440 ------w- C:\WINDOWS\system32\inetcpl.cpl
2010-12-20 17:26:00 . 2004-08-04 12:00:00 730112 ----a-w- C:\WINDOWS\system32\lsasrv.dll
2010-12-20 12:55:26 . 2004-08-04 12:00:00 385024 ----a-w- C:\WINDOWS\system32\html.iec
2010-12-09 15:15:09 . 2004-08-04 12:00:00 718336 ----a-w- C:\WINDOWS\system32\ntdll.dll
2010-12-09 14:30:22 . 2004-08-04 12:00:00 33280 ----a-w- C:\WINDOWS\system32\csrsrv.dll
2010-12-09 13:42:26 . 2004-08-04 12:00:00 2148864 ----a-w- C:\WINDOWS\system32\ntoskrnl.exe
2010-12-09 13:07:07 . 2004-08-03 22:59:02 2027008 ----a-w- C:\WINDOWS\system32\ntkrnlpa.exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 16:44:34 3883856]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-17 13:20:19 68856]
"HUAWEI 3G Data Card MTS"="C:\Program Files\Huawei technologies\Huawei UMTS Data Card\3 USB Modem.exe" [BU]
"Search Protection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [BU]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [BU]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2010-05-13 16:57:20 26192168]
"KiesHelper"="C:\Program Files\Samsung\Kies\KiesHelper.exe" [2011-01-29 23:11:32 888120]
"KiesTrayAgent"="C:\Program Files\Samsung\Kies\KiesTrayAgent.exe" [2011-01-29 23:11:36 3372856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-10-29 15:11:46 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-10-29 15:11:44 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-10-29 15:11:50 118784]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 20:11:06 925696]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 18:29:08 88203]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 09:50:42 155648]
"PSQLLauncher"="C:\Program Files\Protector Suite QL\launcher.exe" [2006-05-05 17:36:28 30208]
"TPSMain"="TPSMain.exe" [2006-03-21 14:40:12 299008]
"TPSODDCtl"="TPSODDCtl.exe" [2006-03-21 14:40:14 102400]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 19:24:46 32768]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 09:43:48 57344]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2010-02-02 15:29:20 198160]
"IndexSearch"="C:\Program Files\Scansoft\PaperPort\IndexSearch.exe" [2002-09-23 08:50:26 36864]
"OneTouch Monitor"="C:\Program Files\Xerox One Touch\OneTouchMon.exe" [2003-06-12 15:14:00 86016]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2010-09-08 11:17:42 421888]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2010-11-17 20:59:04 421160]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-09-24 09:15:10 40368]
"Adobe ARM"="C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 18:37:40 932288]
"avgnt"="C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 00:12:16 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-5-22 2756608]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2008-2-13 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-05-05 17:48:24 40448 ----a-w- C:\WINDOWS\system32\psqlpwd.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"C:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 dgdersvc;Device Error Recovery Service;C:\WINDOWS\system32\dgdersvc.exe [22/12/2009 02:31:02 95568]
R2 FdRedir;FdRedir;C:\Program Files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [05/05/2006 18:00:02 13568]
R2 FileDisk2;FileDisk Protector Kernel Driver;C:\Program Files\Common Files\Protector Suite QL\Drivers\filedisk.sys [05/05/2006 17:59:52 33024]
R2 FsUsbExService;FsUsbExService;C:\WINDOWS\system32\FsUsbExService.Exe [08/09/2010 01:30:47 217088]
R2 smihlp;SMI helper driver;C:\Program Files\Protector Suite QL\smihlp.sys [05/05/2006 17:33:04 3456]
R3 dgderdrv;dgderdrv;C:\WINDOWS\system32\drivers\dgderdrv.sys [22/12/2009 02:31:02 18136]
R3 FsUsbExDisk;FsUsbExDisk;C:\WINDOWS\system32\FsUsbExDisk.Sys [08/09/2010 01:30:48 36640]
S2 gupdate;Google Update Service (gupdate);C:\Program Files\Google\Update\GoogleUpdate.exe [28/01/2010 21:08:54 135664]
S3 AIDA32Driver;AIDA32Driver;\??\D:\3942\aida32.sys --> D:\3942\aida32.sys [?]
S3 ss_bbus;SAMSUNG USB Mobile Device (WDM);C:\WINDOWS\system32\drivers\ss_bbus.sys [16/02/2011 15:47:51 98432]
S3 ss_bmdfl;SAMSUNG USB Mobile Modem (Filter);C:\WINDOWS\system32\drivers\ss_bmdfl.sys [16/02/2011 15:47:53 14848]
S3 ss_bmdm;SAMSUNG USB Mobile Modem;C:\WINDOWS\system32\drivers\ss_bmdm.sys [16/02/2011 15:47:53 123648]
S3 ss_bserd;SAMSUNG USB Mobile Logging Driver;C:\WINDOWS\system32\drivers\ss_bserd.sys [16/02/2011 15:47:54 100224]

Contents of the 'Scheduled Tasks' folder

2011-02-15 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 10:50:20 . 2009-10-22 10:50:20]

2011-03-07 C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
- C:\Program Files\Google\Update\GoogleUpdate.exe [2010-01-28 21:08:54 . 2010-01-28 21:07:32]

2011-03-07 C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
- C:\Program Files\Google\Update\GoogleUpdate.exe [2010-01-28 21:08:54 . 2010-01-28 21:07:32]

2011-03-07 C:\WINDOWS\Tasks\OGALogon.job
- C:\WINDOWS\system32\OGAEXEC.exe [2009-08-03 15:07:42 . 2009-08-03 15:07:42]

2011-03-07 C:\WINDOWS\Tasks\WGASetup.job
- C:\WINDOWS\system32\KB905474\wgasetup.exe [2009-03-26 07:23:17 . 2009-03-10 22:18:08]

------- Supplementary Scan -------

uStart Page = hxxp://google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = <local>;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
FF - ProfilePath - C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lhydjfig.default\
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - C:\Program Files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Move Media Player: moveplayer@movenetworks.com - %profile%\extensions\moveplayer@movenetworks.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Java Quick Starter: jqs@sun.com - C:\Program Files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - C:\Program Files\Real\RealPlayer\browserrecord\firefox\ext
FF - user.js: yahoo.homepage.dontask - true);user_pref(yahoo.ytff.general.dontshowhpoffer, true

- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)

gill12, Mar 7, 2011

#22
Broni Malware Annihilator Posts: 40,051 +187

The log is incomplete (lower part is missing).
Please repost, or re-run Combofix.

Broni, Mar 7, 2011

#23
gill12 Newcomer, in training Posts: 44

This is the latest complete log.
ComboFix 11-03-07.02 - Owner 08/03/2011 1:33:56.8.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1015.608 [GMT 0:00]
Running from: C:\Documents and Settings\All Users\Desktop\gill12ComboFix.exe

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

-- Previous Run --

C:\WINDOWS\system32\kernel32.dll . . . is infected!!

--------

((((((((((((((((((((((((( Files Created from 2011-02-08 to 2011-03-08 )))))))))))))))))))))))))))))))

2011-03-07 22:53:01 . 2011-03-07 22:53:01 -------- d-----w- C:\Documents and Settings\Owner\Application Data\Avira
2011-03-07 22:50:02 . 2011-01-10 14:23:53 61960 ----a-w- C:\WINDOWS\system32\drivers\avgntflt.sys
2011-03-07 22:50:02 . 2011-01-10 14:23:53 135096 ----a-w- C:\WINDOWS\system32\drivers\avipbb.sys
2011-03-07 22:50:02 . 2010-06-17 14:27:24 45416 ----a-w- C:\WINDOWS\system32\drivers\avgntdd.sys
2011-03-07 22:50:02 . 2010-06-17 14:27:24 22360 ----a-w- C:\WINDOWS\system32\drivers\avgntmgr.sys
2011-03-07 22:49:49 . 2011-03-07 22:49:49 -------- d-----w- C:\Program Files\Avira
2011-03-07 22:49:49 . 2011-03-07 22:49:49 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Avira
2011-02-28 23:53:23 . 2011-03-01 00:12:19 -------- d-----w- C:\Temp
2011-02-27 00:46:43 . 2010-12-20 18:09:00 38224 ----a-w- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2011-02-27 00:46:39 . 2010-12-20 18:08:40 20952 ----a-w- C:\WINDOWS\system32\drivers\mbam.sys
2011-02-27 00:01:39 . 2011-02-27 00:01:39 -------- d-----w- C:\Program Files\ESET
2011-02-26 16:03:06 . 2011-02-28 18:28:50 -------- d-----w- C:\Documents and Settings\All Users\Application Data\gMpOpOg06300
2011-02-16 18:43:35 . 2011-02-16 18:43:35 -------- d-----w- C:\Program Files\MyFree Codec
2011-02-16 18:31:05 . 2011-02-17 14:42:46 -------- d-----w- C:\Documents and Settings\Owner\Local Settings\Application Data\Samsung
2011-02-16 17:38:36 . 2011-01-29 17:00:44 4659712 ----a-w- C:\WINDOWS\system32\Redemption.dll
2011-02-16 17:33:17 . 2011-02-16 17:33:17 -------- d-----w- C:\Documents and Settings\Owner\Local Settings\Application Data\Downloaded Installations
2011-02-16 17:22:39 . 2011-02-16 17:24:28 87340080 ----a-w- C:\Program Files\Kies_2.0.0.11014_49_2.exe
2011-02-16 16:21:30 . 2008-07-06 12:06:10 89088 ----a-w- C:\WINDOWS\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll.new
2011-02-16 16:20:25 . 2011-02-16 16:21:41 -------- d-----w- C:\e3e73489e9a60c045b91ecda
2011-02-16 16:00:03 . 2011-02-16 16:00:03 -------- d-----w- C:\Documents and Settings\All Users\Application Data\PC Suite
2011-02-16 16:00:00 . 2011-02-16 16:00:00 -------- d-----w- C:\Documents and Settings\Owner\Application Data\PC Suite
2011-02-16 15:47:54 . 2009-09-19 05:30:10 100224 ----a-w- C:\WINDOWS\system32\drivers\ss_bserd.sys
2011-02-16 15:47:53 . 2009-09-19 05:30:10 14848 ----a-w- C:\WINDOWS\system32\drivers\ss_bmdfl.sys
2011-02-16 15:47:53 . 2009-09-19 05:30:10 12416 ----a-w- C:\WINDOWS\system32\drivers\ss_bcmnt.sys
2011-02-16 15:47:53 . 2009-09-19 05:30:10 123648 ----a-w- C:\WINDOWS\system32\drivers\ss_bmdm.sys
2011-02-16 15:47:51 . 2009-09-19 05:30:10 98432 ----a-w- C:\WINDOWS\system32\drivers\ss_bbus.sys
2011-02-16 15:47:51 . 2009-09-19 05:30:10 12288 ----a-w- C:\WINDOWS\system32\drivers\ss_bwhnt.sys
2011-02-16 15:46:27 . 2011-02-16 15:46:27 -------- d-----w- C:\Program Files\DIFX
2011-02-16 15:46:24 . 2008-08-26 09:26:12 18816 ----a-w- C:\WINDOWS\system32\drivers\pccsmcfd.sys

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2011-01-29 17:00:24 . 2011-01-29 17:00:24 90112 ----a-w- C:\WINDOWS\MAMCityDownload.ocx
2011-01-29 17:00:24 . 2011-01-29 17:00:24 325552 ----a-w- C:\WINDOWS\MASetupCaller.dll
2011-01-29 17:00:24 . 2011-01-29 17:00:24 30568 ----a-w- C:\WINDOWS\MusiccityDownload.exe
2011-01-29 17:00:22 . 2011-01-29 17:00:22 143360 ----a-w- C:\WINDOWS\system32\3DAudio.ax
2011-01-21 14:44:37 . 2004-08-04 12:00:00 439296 ----a-w- C:\WINDOWS\system32\shimgvw.dll
2011-01-07 14:09:02 . 2004-08-04 12:00:00 290048 ----a-w- C:\WINDOWS\system32\atmfd.dll
2010-12-31 13:10:33 . 2004-08-04 12:00:00 1854976 ----a-w- C:\WINDOWS\system32\win32k.sys
2010-12-22 12:34:28 . 2004-08-04 12:00:00 301568 ----a-w- C:\WINDOWS\system32\kerberos.dll
2010-12-20 23:59:20 . 2004-08-04 12:00:00 916480 ----a-w- C:\WINDOWS\system32\wininet.dll
2010-12-20 23:59:19 . 2004-08-04 12:00:00 43520 ----a-w- C:\WINDOWS\system32\licmgr10.dll
2010-12-20 23:59:19 . 2004-08-04 12:00:00 1469440 ------w- C:\WINDOWS\system32\inetcpl.cpl
2010-12-20 17:26:00 . 2004-08-04 12:00:00 730112 ----a-w- C:\WINDOWS\system32\lsasrv.dll
2010-12-20 12:55:26 . 2004-08-04 12:00:00 385024 ----a-w- C:\WINDOWS\system32\html.iec
2010-12-09 15:15:09 . 2004-08-04 12:00:00 718336 ----a-w- C:\WINDOWS\system32\ntdll.dll
2010-12-09 14:30:22 . 2004-08-04 12:00:00 33280 ----a-w- C:\WINDOWS\system32\csrsrv.dll
2010-12-09 13:42:26 . 2004-08-04 12:00:00 2148864 ----a-w- C:\WINDOWS\system32\ntoskrnl.exe
2010-12-09 13:07:07 . 2004-08-03 22:59:02 2027008 ----a-w- C:\WINDOWS\system32\ntkrnlpa.exe

((((((((((((((((((((((((((((( SnapShot@2011-03-07_15.24.07 )))))))))))))))))))))))))))))))))))))))))

+ 2011-03-08 01:19:15 . 2011-03-08 01:19:15 16384 C:\WINDOWS\temp\Perflib_Perfdata_ad4.dat
+ 2011-03-07 22:50:05 . 2010-06-17 14:27:22 28520 C:\WINDOWS\system32\drivers\ssmdrv.sys

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 16:44:34 3883856]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-17 13:20:19 68856]
"HUAWEI 3G Data Card MTS"="C:\Program Files\Huawei technologies\Huawei UMTS Data Card\3 USB Modem.exe" [BU]
"Search Protection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [BU]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [BU]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2010-05-13 16:57:20 26192168]
"KiesHelper"="C:\Program Files\Samsung\Kies\KiesHelper.exe" [2011-01-29 23:11:32 888120]
"KiesTrayAgent"="C:\Program Files\Samsung\Kies\KiesTrayAgent.exe" [2011-01-29 23:11:36 3372856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-10-29 15:11:46 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-10-29 15:11:44 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-10-29 15:11:50 118784]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 20:11:06 925696]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 18:29:08 88203]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 09:50:42 155648]
"PSQLLauncher"="C:\Program Files\Protector Suite QL\launcher.exe" [2006-05-05 17:36:28 30208]
"TPSMain"="TPSMain.exe" [2006-03-21 14:40:12 299008]
"TPSODDCtl"="TPSODDCtl.exe" [2006-03-21 14:40:14 102400]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 19:24:46 32768]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 09:43:48 57344]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2010-02-02 15:29:20 198160]
"IndexSearch"="C:\Program Files\Scansoft\PaperPort\IndexSearch.exe" [2002-09-23 08:50:26 36864]
"OneTouch Monitor"="C:\Program Files\Xerox One Touch\OneTouchMon.exe" [2003-06-12 15:14:00 86016]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2010-09-08 11:17:42 421888]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2010-11-17 20:59:04 421160]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-09-24 09:15:10 40368]
"Adobe ARM"="C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 18:37:40 932288]
"avgnt"="C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" [2011-01-10 14:23:29 281768]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 00:12:16 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2008-2-13 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-05-05 17:48:24 40448 ----a-w- C:\WINDOWS\system32\psqlpwd.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"C:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 dgdersvc;Device Error Recovery Service;C:\WINDOWS\system32\dgdersvc.exe [22/12/2009 02:31:02 95568]
R2 FdRedir;FdRedir;C:\Program Files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [05/05/2006 18:00:02 13568]
R2 FileDisk2;FileDisk Protector Kernel Driver;C:\Program Files\Common Files\Protector Suite QL\Drivers\filedisk.sys [05/05/2006 17:59:52 33024]
R2 FsUsbExService;FsUsbExService;C:\WINDOWS\system32\FsUsbExService.Exe [08/09/2010 01:30:47 217088]
R2 smihlp;SMI helper driver;C:\Program Files\Protector Suite QL\smihlp.sys [05/05/2006 17:33:04 3456]
R3 dgderdrv;dgderdrv;C:\WINDOWS\system32\drivers\dgderdrv.sys [22/12/2009 02:31:02 18136]
R3 FsUsbExDisk;FsUsbExDisk;C:\WINDOWS\system32\FsUsbExDisk.Sys [08/09/2010 01:30:48 36640]
S2 gupdate;Google Update Service (gupdate);C:\Program Files\Google\Update\GoogleUpdate.exe [28/01/2010 21:08:54 135664]
S3 AIDA32Driver;AIDA32Driver;\??\D:\3942\aida32.sys --> D:\3942\aida32.sys [?]
S3 ss_bbus;SAMSUNG USB Mobile Device (WDM);C:\WINDOWS\system32\drivers\ss_bbus.sys [16/02/2011 15:47:51 98432]
S3 ss_bmdfl;SAMSUNG USB Mobile Modem (Filter);C:\WINDOWS\system32\drivers\ss_bmdfl.sys [16/02/2011 15:47:53 14848]
S3 ss_bmdm;SAMSUNG USB Mobile Modem;C:\WINDOWS\system32\drivers\ss_bmdm.sys [16/02/2011 15:47:53 123648]
S3 ss_bserd;SAMSUNG USB Mobile Logging Driver;C:\WINDOWS\system32\drivers\ss_bserd.sys [16/02/2011 15:47:54 100224]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - FSUSBEXDISK

Contents of the 'Scheduled Tasks' folder

2011-02-15 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 10:50:20 . 2009-10-22 10:50:20]

2011-03-08 C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
- C:\Program Files\Google\Update\GoogleUpdate.exe [2010-01-28 21:08:54 . 2010-01-28 21:07:32]

2011-03-07 C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
- C:\Program Files\Google\Update\GoogleUpdate.exe [2010-01-28 21:08:54 . 2010-01-28 21:07:32]

2011-03-08 C:\WINDOWS\Tasks\OGALogon.job
- C:\WINDOWS\system32\OGAEXEC.exe [2009-08-03 15:07:42 . 2009-08-03 15:07:42]

2011-03-08 C:\WINDOWS\Tasks\WGASetup.job
- C:\WINDOWS\system32\KB905474\wgasetup.exe [2009-03-26 07:23:17 . 2009-03-10 22:18:08]

------- Supplementary Scan -------

uStart Page = hxxp://google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = <local>;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
FF - ProfilePath - C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\lhydjfig.default\
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - C:\Program Files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Move Media Player: moveplayer@movenetworks.com - %profile%\extensions\moveplayer@movenetworks.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Java Quick Starter: jqs@sun.com - C:\Program Files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - C:\Program Files\Real\RealPlayer\browserrecord\firefox\ext
FF - user.js: yahoo.homepage.dontask - true);user_pref(yahoo.ytff.general.dontshowhpoffer, true

- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)

gill12, Mar 7, 2011

#24
Broni Malware Annihilator Posts: 40,051 +187
Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to Show hidden files, and folders.
Upload following files to http://www.virustotal.com/ for security check:
- C:\WINDOWS\system32\kernel32.dll
If the file is listed as already analyzed, click on Reanalyse file now button.
Post scan results.

=======================================================================

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
64-bit users go HERE

Double-click SystemLook.exe to run it.

Vista\Win 7 users:: Right click on SystemLook.exe, click Run As Administrator

Copy the content of the following box into the main textfield:

Code:

:filefind kernel32.dll

Click the Look button to start the scan.

When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt
Broni, Mar 7, 2011

#25

gill12 Newcomer, in training Posts: 44

I don't have Folder Options on my Windows Explorer.

gill12, Mar 7, 2011

#26

gill12 Newcomer, in training Posts: 44

I have now found it!

gill12, Mar 7, 2011

#27
gill12 Newcomer, in training Posts: 44

I uploaded that file but nothing happens, the programme doesn't acknowledge it. Also my Windows Folder has about 300 contaminated files in, mostly with uninstall in the name.

gill12, Mar 7, 2011

#28
Broni Malware Annihilator Posts: 40,051 +187

Also my Windows Folder has about 300 contaminated files in, mostly with uninstall in the name

Says who?

Broni, Mar 7, 2011

#29
gill12 Newcomer, in training Posts: 44

Me, I can see them. They all have dollar signs in the name and I can't open them, same as my word files.

gill12, Mar 7, 2011

#30
Broni Malware Annihilator Posts: 40,051 +187

Those are Windows updates uninstallation files.
Leave them alone.

Proceed with SystemLook.

Broni, Mar 7, 2011

#31
gill12 Newcomer, in training Posts: 44

SystemLook won't run. It says sript required.

gill12, Mar 7, 2011

#32
Broni Malware Annihilator Posts: 40,051 +187

Did you paste a script from my reply #25?
Please, pay attention.

Broni, Mar 7, 2011

#33
gill12 Newcomer, in training Posts: 44

sorry, its 4.30am in London and i'm a bit tired.
Here is the log.

SystemLook 04.09.10 by jpshortstuff
Log created at 04:35 on 08/03/2011 by Owner
Administrator - Elevation successful

========== filefind ==========

Searching for "kernel32.dll"
C:\WINDOWS\$hf_mig$\KB917422\SP2QFE\kernel32.dll --a---- 985088 bytes [00:32 13/02/2008] [10:57 05/07/2006] 0FDD84928A5DDE2510761B7EC76CCEC9
C:\WINDOWS\$hf_mig$\KB935839\SP2QFE\kernel32.dll --a---- 986112 bytes [17:28 12/02/2008] [16:07 16/04/2007] 09F7CB3687F86EDAA4CA081F7AB66C03
C:\WINDOWS\$hf_mig$\KB959426\SP3QFE\kernel32.dll --a---- 991744 bytes [13:59 21/03/2009] [13:59 21/03/2009] DA11D9D6ECBDF0F93436A4B7C13F7BEC
C:\WINDOWS\$NtServicePackUninstall$\kernel32.dll -----c- 984576 bytes [10:28 21/09/2008] [15:52 16/04/2007] A01F9CA902A88F7CED06884174D6419D
C:\WINDOWS\$NtUninstallKB917422$\kernel32.dll -----c- 983552 bytes [00:32 13/02/2008] [12:00 04/08/2004] 888190E31455FAD793312F8D087146EB
C:\WINDOWS\$NtUninstallKB935839$\kernel32.dll -----c- 984064 bytes [19:16 13/02/2008] [10:55 05/07/2006] D8DB5397DE07577C1CB50BA6D23B3AD4
C:\WINDOWS\$NtUninstallKB959426$\kernel32.dll -----c- 989696 bytes [02:08 16/04/2009] [00:11 14/04/2008] C24B983D211C34DA8FCC1AC38477971D
C:\WINDOWS\ERDNT\cache\kernel32.dll --a---- 989696 bytes [15:08 07/03/2011] [14:06 21/03/2009] B921FB870C9AC0D509B2CCABBBBE95F3
C:\WINDOWS\ServicePackFiles\i386\kernel32.dll ------- 989696 bytes [09:14 17/09/2008] [00:11 14/04/2008] C24B983D211C34DA8FCC1AC38477971D
C:\WINDOWS\system32\kernel32.dll --a---- 989696 bytes [12:00 04/08/2004] [14:06 21/03/2009] B921FB870C9AC0D509B2CCABBBBE95F3

-= EOF =-

gill12, Mar 7, 2011

#34
Broni Malware Annihilator Posts: 40,051 +187
Download BlitzBlank and save it to your desktop.
Double click on Blitzblank.exe

Click OK at the warning (and take note of it, this is a VERY powerful tool!).

Click the Script tab and copy/paste the following text there:

Code:

CopyFile: C:\WINDOWS\ServicePackFiles\i386\kernel32.dll C:\WINDOWS\system32\kernel32.dll C:\WINDOWS\ServicePackFiles\i386\kernel32.dll C:\WINDOWS\ERDNT\cache\kernel32.dll

Click Execute Now. Your computer will need to reboot in order to replace the files.

When done, post the report created by Blitzblank.
You can find it in the root of the drive, normally C:\
Broni, Mar 8, 2011

#35
gill12 Newcomer, in training Posts: 44

Hi, here is Blitzbank report.

BlitzBlank 1.0.0.32

File/Registry Modification Engine native application
CopyFileOnReboot: sourceFile = "\??\c:\windows\servicepackfiles\i386\kernel32.dll", destinationFile = "\??\c:\windows\system32\kernel32.dll"CopyFileOnReboot: sourceFile = "\??\c:\windows\servicepackfiles\i386\kernel32.dll", destinationFile = "\??\c:\windows\erdnt\cache\kernel32.dll"

gill12, Mar 8, 2011

#36
Broni Malware Annihilator Posts: 40,051 +187

Good.
Re-run Combofix and post new log.

Broni, Mar 8, 2011

#37
gill12 Newcomer, in training Posts: 44

Here is new log from safe mode:

ComboFix 11-03-08.03 - Administrator 09/03/2011 2:21.11.2 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1015.820 [GMT 0:00]
Running from: c:\documents and settings\All Users\Desktop\gill12ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\SystemLook.exe
c:\program files\Quicktime\QTTask.exe
.
-- Previous Run --
.
c:\windows\system32\kernel32.dll . . . is infected!!
.
--------
.
.
((((((((((((((((((((((((( Files Created from 2011-02-09 to 2011-03-09 )))))))))))))))))))))))))))))))
.
.
2011-03-07 22:53 . 2011-03-07 22:53 -------- d-----w- c:\documents and settings\Owner\Application Data\Avira
2011-03-07 22:50 . 2011-01-10 14:23 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-03-07 22:50 . 2011-01-10 14:23 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-03-07 22:50 . 2010-06-17 14:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2011-03-07 22:50 . 2010-06-17 14:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2011-03-07 22:49 . 2011-03-07 22:49 -------- d-----w- c:\program files\Avira
2011-03-07 22:49 . 2011-03-07 22:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2011-02-28 23:53 . 2011-03-01 00:12 -------- d-----w- C:\Temp
2011-02-27 00:46 . 2010-12-20 18:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-27 00:46 . 2010-12-20 18:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-27 00:01 . 2011-02-27 00:01 -------- d-----w- c:\program files\ESET
2011-02-26 16:03 . 2011-02-28 18:28 -------- d-----w- c:\documents and settings\All Users\Application Data\gMpOpOg06300
2011-02-16 18:43 . 2011-02-16 18:43 -------- d-----w- c:\program files\MyFree Codec
2011-02-16 18:31 . 2011-02-17 14:42 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Samsung
2011-02-16 17:38 . 2011-01-29 17:00 4659712 ----a-w- c:\windows\system32\Redemption.dll
2011-02-16 17:33 . 2011-02-16 17:33 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Downloaded Installations
2011-02-16 17:22 . 2011-02-16 17:24 87340080 ----a-w- c:\program files\Kies_2.0.0.11014_49_2.exe
2011-02-16 16:21 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll.new
2011-02-16 16:20 . 2011-02-16 16:21 -------- d-----w- C:\e3e73489e9a60c045b91ecda
2011-02-16 16:00 . 2011-02-16 16:00 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Suite
2011-02-16 16:00 . 2011-02-16 16:00 -------- d-----w- c:\documents and settings\Owner\Application Data\PC Suite
2011-02-16 15:47 . 2009-09-19 05:30 100224 ----a-w- c:\windows\system32\drivers\ss_bserd.sys
2011-02-16 15:47 . 2009-09-19 05:30 14848 ----a-w- c:\windows\system32\drivers\ss_bmdfl.sys
2011-02-16 15:47 . 2009-09-19 05:30 12416 ----a-w- c:\windows\system32\drivers\ss_bcmnt.sys
2011-02-16 15:47 . 2009-09-19 05:30 123648 ----a-w- c:\windows\system32\drivers\ss_bmdm.sys
2011-02-16 15:47 . 2009-09-19 05:30 98432 ----a-w- c:\windows\system32\drivers\ss_bbus.sys
2011-02-16 15:47 . 2009-09-19 05:30 12288 ----a-w- c:\windows\system32\drivers\ss_bwhnt.sys
2011-02-16 15:46 . 2011-02-16 15:46 -------- d-----w- c:\program files\DIFX
2011-02-16 15:46 . 2008-08-26 09:26 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-29 17:00 . 2011-01-29 17:00 90112 ----a-w- c:\windows\MAMCityDownload.ocx
2011-01-29 17:00 . 2011-01-29 17:00 325552 ----a-w- c:\windows\MASetupCaller.dll
2011-01-29 17:00 . 2011-01-29 17:00 30568 ----a-w- c:\windows\MusiccityDownload.exe
2011-01-29 17:00 . 2011-01-29 17:00 143360 ----a-w- c:\windows\system32\3DAudio.ax
2011-01-21 14:44 . 2004-08-04 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-04 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2004-08-04 12:00 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2004-08-04 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26 . 2004-08-04 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2010-12-09 15:15 . 2004-08-04 12:00 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30 . 2004-08-04 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:42 . 2004-08-04 12:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07 . 2004-08-03 22:59 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2011-03-07_15.24.07 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-03-07 22:50 . 2010-06-17 14:27 28520 c:\windows\system32\drivers\ssmdrv.sys
+ 2004-08-04 12:00 . 2011-03-08 11:22 989696 c:\windows\system32\kernel32.dll
- 2004-08-04 12:00 . 2009-03-21 14:06 989696 c:\windows\system32\kernel32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-10-29 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-10-29 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-10-29 118784]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 88203]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2006-05-05 30208]
"TPSMain"="TPSMain.exe" [2006-03-21 299008]
"TPSODDCtl"="TPSODDCtl.exe" [2006-03-21 102400]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"Lexmark X1100 Series"="c:\program files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 57344]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-02-02 198160]
"IndexSearch"="c:\program files\Scansoft\PaperPort\IndexSearch.exe" [2002-09-23 36864]
"OneTouch Monitor"="c:\program files\Xerox One Touch\OneTouchMon.exe" [2003-06-12 86016]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-17 421160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-09-24 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-01-10 281768]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2008-2-13 155648]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-05-05 17:48 40448 ----a-w- c:\windows\system32\psqlpwd.dll
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
S2 dgdersvc;Device Error Recovery Service;c:\windows\system32\dgdersvc.exe [22/12/2009 02:31 95568]
S2 FdRedir;FdRedir;c:\program files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [05/05/2006 18:00 13568]
S2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\Common Files\Protector Suite QL\Drivers\filedisk.sys [05/05/2006 17:59 33024]
S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [08/09/2010 01:30 217088]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [28/01/2010 21:08 135664]
S2 smihlp;SMI helper driver;c:\program files\Protector Suite QL\smihlp.sys [05/05/2006 17:33 3456]
S3 AIDA32Driver;AIDA32Driver;\??\d:\3942\aida32.sys --> d:\3942\aida32.sys [?]
S3 dgderdrv;dgderdrv;c:\windows\system32\drivers\dgderdrv.sys [22/12/2009 02:31 18136]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [08/09/2010 01:30 36640]
S3 ss_bbus;SAMSUNG USB Mobile Device (WDM);c:\windows\system32\drivers\ss_bbus.sys [16/02/2011 15:47 98432]
S3 ss_bmdfl;SAMSUNG USB Mobile Modem (Filter);c:\windows\system32\drivers\ss_bmdfl.sys [16/02/2011 15:47 14848]
S3 ss_bmdm;SAMSUNG USB Mobile Modem;c:\windows\system32\drivers\ss_bmdm.sys [16/02/2011 15:47 123648]
S3 ss_bserd;SAMSUNG USB Mobile Logging Driver;c:\windows\system32\drivers\ss_bserd.sys [16/02/2011 15:47 100224]
.
Contents of the 'Scheduled Tasks' folder
.
2011-02-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 10:50]
.
2011-03-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-28 21:07]
.
2011-03-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-28 21:07]
.
2011-03-09 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 15:07]
.
2011-03-09 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-03-26 22:18]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\pjolj68m.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\program files\Real\RealPlayer\browserrecord\firefox\ext
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
HKLM-Run-QuickTime Task - c:\program files\QuickTime\qttask.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-09 02:31
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-842925246-1450960922-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,48,8f,3a,42,d6,9a,0a,4b,b5,bb,a2,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,48,8f,3a,42,d6,9a,0a,4b,b5,bb,a2,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(240)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\windows\system32\biologon.dll
c:\program files\Protector Suite QL\homepass.dll
c:\program files\Protector Suite QL\bio.dll
c:\program files\Protector Suite QL\remote.dll
.
Completion time: 2011-03-09 02:34:59
ComboFix-quarantined-files.txt 2011-03-09 02:34
.
Pre-Run: 58,133,942,272 bytes free
Post-Run: 58,137,649,152 bytes free
.
- - End Of File - - EE032F796C6594DFA527E7E3C2DC1D19

gill12, Mar 8, 2011

#38
Broni Malware Annihilator Posts: 40,051 +187

Please, re-run SystemLook with the very same script as in my reply #25

Broni, Mar 8, 2011

#39
gill12 Newcomer, in training Posts: 44

SystemLook 04.09.10 by jpshortstuff
Log created at 06:46 on 09/03/2011 by Owner
Administrator - Elevation successful

========== filefind ==========

Searching for "kernel32.dll"
C:\WINDOWS\$hf_mig$\KB917422\SP2QFE\kernel32.dll --a---- 985088 bytes [00:32 13/02/2008] [10:57 05/07/2006] 0FDD84928A5DDE2510761B7EC76CCEC9
C:\WINDOWS\$hf_mig$\KB935839\SP2QFE\kernel32.dll --a---- 986112 bytes [17:28 12/02/2008] [16:07 16/04/2007] 09F7CB3687F86EDAA4CA081F7AB66C03
C:\WINDOWS\$hf_mig$\KB959426\SP3QFE\kernel32.dll --a---- 991744 bytes [13:59 21/03/2009] [13:59 21/03/2009] DA11D9D6ECBDF0F93436A4B7C13F7BEC
C:\WINDOWS\$NtServicePackUninstall$\kernel32.dll -----c- 984576 bytes [10:28 21/09/2008] [15:52 16/04/2007] A01F9CA902A88F7CED06884174D6419D
C:\WINDOWS\$NtUninstallKB917422$\kernel32.dll -----c- 983552 bytes [00:32 13/02/2008] [12:00 04/08/2004] 888190E31455FAD793312F8D087146EB
C:\WINDOWS\$NtUninstallKB935839$\kernel32.dll -----c- 984064 bytes [19:16 13/02/2008] [10:55 05/07/2006] D8DB5397DE07577C1CB50BA6D23B3AD4
C:\WINDOWS\$NtUninstallKB959426$\kernel32.dll -----c- 989696 bytes [02:08 16/04/2009] [00:11 14/04/2008] C24B983D211C34DA8FCC1AC38477971D
C:\WINDOWS\ERDNT\cache\kernel32.dll --a---- 989696 bytes [15:08 07/03/2011] [11:22 08/03/2011] C24B983D211C34DA8FCC1AC38477971D
C:\WINDOWS\ServicePackFiles\i386\kernel32.dll ------- 989696 bytes [09:14 17/09/2008] [00:11 14/04/2008] C24B983D211C34DA8FCC1AC38477971D
C:\WINDOWS\SoftwareDistribution\Download\022593ca08eb4cd8e9681a7116f902d9\sp3gdr\kernel32.dll --a---- 989696 bytes [14:06 21/03/2009] [14:06 21/03/2009] B921FB870C9AC0D509B2CCABBBBE95F3
C:\WINDOWS\system32\kernel32.dll --a---- 989696 bytes [12:00 04/08/2004] [14:06 21/03/2009] B921FB870C9AC0D509B2CCABBBBE95F3
C:\WINDOWS\system32\dllcache\kernel32.dll -----c- 989696 bytes [14:06 21/03/2009] [14:06 21/03/2009] B921FB870C9AC0D509B2CCABBBBE95F3

-= EOF =-

gill12, Mar 9, 2011

#40

Page 2 of 4

Topic Status:: Not open for further replies.

Add New Comment

	TechSpot Members Login or sign up for free, it takes about 30 seconds.			You may also...
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.