Malware removal - Windows Vista

Resolved
By Bahawolf
Aug 25, 2010
  1. Hello folks! I'm new to this community, though I've been lurking for a few days and it really seems that it'd be a nice place to become involved in. I'll be sure to post an introduction thread soon. :)

    In the meantime, I am facing a challenge removing this infection on a friend's system which I am repairing remotely. The system originally had a rogue infection and I ran Combofix as well as Malwarebytes Anti-Malware and it appeared to take care of it. Unfortunately, there is still some freezing and the unit still runs slower than expected as per my friend, plus MBAM did pick up an infection in a quick scan.

    Any assistance is greatly appreciated.

    ==
    Logs
    ==

    DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
    Run by Chris at 21:35:33.71 on Tue 08/24/2010
    Internet Explorer: 7.0.6001.18000
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2039.1382 [GMT -7:00]

    SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Program Files\TeamViewer\Version5\TeamViewer.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWWSC.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\msiexec.exe
    C:\Program Files\UltraVNC\winvnc.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Users\Chris\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BK5MN7WL\dds[1].scr
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uInternet Settings,ProxyOverride = *.local;<local>
    uInternet Settings,ProxyServer = http=localhost:7171
    BHO: MRI_DISABLED - No File
    BHO: 1 (0x1) - No File
    TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
    uRun: [Svhst] c:\users\chris\appdata\roaming\swhst\svhst.exe
    mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
    dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\autoru~1\mri_di~1\exifla~1.lnk - c:\program files\finepixviewers\QuickDCF2.exe
    uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
    mPolicies-system: EnableLUA = 0 (0x0)
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\npjpi160_01.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
    Notify: igfxcui - igfxdev.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\users\chris\appdata\roaming\mozilla\firefox\profiles\l8k0id2p.default\
    FF - component: c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
    FF - component: c:\users\chris\appdata\roaming\mozilla\firefox\profiles\l8k0id2p.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
    FF - plugin: c:\users\chris\appdata\roaming\mozilla\firefox\profiles\l8k0id2p.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll

    ============= SERVICES / DRIVERS ===============

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-8-18 64288]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-8-12 1355416]
    S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-8-17 165456]
    S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-8-17 17744]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-8-17 50256]
    S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-17 40384]
    S2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxddserv.exe [2007-4-25 99248]
    S2 TeamViewer5;TeamViewer 5;c:\program files\teamviewer\version5\TeamViewer_Service.exe [2010-7-6 173352]
    S2 uvnc_service;uvnc_service;c:\program files\ultravnc\winvnc.exe [2010-8-24 1590216]
    S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-17 40384]
    S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-17 40384]
    S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-8-12 15008]
    S3 mv2;mv2;c:\windows\system32\drivers\mv2.sys [2010-8-24 12096]
    S3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]
    S4 B-Service;B-Service;c:\users\chris\downloads\B-Service.exe [2010-8-9 185640]
    S4 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe -service --> c:\windows\system32\lxddcoms.exe -service [?]

    =============== Created Last 30 ================

    2010-08-25 04:27:59 23872 ----a-w- c:\windows\system32\mv2.dll
    2010-08-25 04:27:59 12096 ----a-w- c:\windows\system32\drivers\mv2.sys
    2010-08-25 04:27:51 0 d-----w- c:\program files\UltraVNC
    2010-08-19 04:44:41 15880 ----a-w- c:\windows\system32\lsdelete.exe
    2010-08-18 12:21:52 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2010-08-18 12:21:49 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2010-08-18 11:57:45 0 dc-h--w- c:\programdata\{ECC164E0-3133-4C70-A831-F08DB2940F70}
    2010-08-18 11:57:06 0 d-----w- c:\programdata\Lavasoft
    2010-08-18 11:57:06 0 d-----w- c:\program files\Lavasoft
    2010-08-18 05:18:36 50256 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2010-08-18 05:18:11 38848 ----a-w- c:\windows\avastSS.scr
    2010-08-18 05:18:08 0 d-----w- c:\programdata\Alwil Software
    2010-08-17 02:51:46 0 d-----w- C:\SDFix
    2010-08-17 02:41:06 53248 ----a-w- c:\windows\system32\process.exe
    2010-08-17 02:41:06 126976 ----a-w- c:\windows\system32\zip.exe
    2010-08-17 02:40:56 0 d-----w- c:\program files\roguescanfix
    2010-08-17 02:32:07 0 d-----w- c:\windows\LMI7445.tmp
    2010-08-17 02:27:38 0 d-----w- c:\program files\Trend Micro
    2010-08-15 17:01:06 0 d-----w- c:\users\chris\appdata\roaming\TeamViewer
    2010-08-15 15:49:02 0 d-----w- c:\users\chris\appdata\roaming\PCToolsFirewallPlus
    2010-08-15 15:49:01 0 d-----w- c:\users\chris\appdata\roaming\Spam Monitor
    2010-08-15 14:44:08 0 d-----w- c:\programdata\PC Tools
    2010-08-15 14:44:08 0 d-----w- c:\program files\PC Tools Internet Security
    2010-08-15 14:43:38 0 d-----w- c:\users\chris\appdata\roaming\Swhst
    2010-08-15 14:09:02 798 ---ha-w- C:\IPH.PH
    2010-08-15 14:09:02 0 d--h--w- C:\TEMP
    2010-08-15 14:01:16 0 d-----w- c:\program files\common files\PC Tools
    2010-08-15 14:01:14 0 d---a-w- c:\programdata\TEMP
    2010-08-15 13:11:46 4213696 ----a-w- C:\ExterminateIt.exe
    2010-08-15 07:16:34 0 d-----w- c:\program files\Exterminate It!
    2010-08-15 06:51:29 226688 ----a-w- C:\BdUninstallTool2010.08.14-11.51.29.reg
    2010-08-15 04:22:02 0 d-----w- c:\users\chris\appdata\roaming\QuickScan
    2010-08-14 22:56:26 0 d-----w- c:\programdata\SUPERAntiSpyware.com
    2010-08-14 14:19:07 0 d-sh--w- C:\$RECYCLE.BIN
    2010-08-13 05:24:32 162616 ----a-w- c:\windows\RegDelNull.exe
    2010-08-12 04:50:55 1152 ----a-w- c:\windows\system32\windrv.sys
    2010-08-10 03:34:33 15892480 ----a-w- C:\Ad-AwareInstall.exe
    2010-08-10 03:03:53 0 d-----w- c:\programdata\Spybot - Search & Destroy
    2010-08-10 03:03:53 0 d-----w- c:\program files\Spybot - Search & Destroy
    2010-08-10 02:44:19 16409960 ----a-w- C:\spybotsd162.exe
    2010-08-10 02:15:43 98816 ----a-w- c:\windows\sed.exe
    2010-08-10 02:15:43 77312 ----a-w- c:\windows\MBR.exe
    2010-08-10 02:15:43 256512 ----a-w- c:\windows\PEV.exe
    2010-08-10 02:15:43 161792 ----a-w- c:\windows\SWREG.exe
    2010-08-10 02:12:38 35 ----a-w- c:\users\chris\appdata\roaming\SetValue.bat
    2010-08-10 02:12:37 691 ----a-w- c:\users\chris\appdata\roaming\GetValue.vbs
    2010-08-09 23:56:45 0 d-----w- c:\users\chris\appdata\roaming\Malwarebytes
    2010-08-09 23:56:27 0 d-----w- c:\programdata\Malwarebytes
    2010-08-09 23:50:12 0 d-----w- c:\program files\TeamViewer
    2010-08-03 22:46:16 221300608 ----a-w- c:\windows\MEMORY.DMP

    ==================== Find3M ====================

    2010-08-25 04:28:06 86016 ----a-w- c:\windows\inf\infstrng.dat
    2010-08-25 04:28:06 51200 ----a-w- c:\windows\inf\infpub.dat
    2010-08-25 04:28:05 86016 ----a-w- c:\windows\inf\infstor.dat
    2010-08-23 18:07:04 4022 ----a-w- c:\users\chris\appdata\roaming\wklnhst.dat
    2008-08-03 09:44:02 174 --sha-w- c:\program files\desktop.ini
    2008-08-03 09:31:48 665600 ----a-w- c:\windows\inf\drvindex.dat
    2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
    2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
    2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
    2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
    2009-05-01 06:44:18 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
    2009-05-01 06:44:18 32768 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
    2009-05-01 06:44:18 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat
    2008-01-15 06:45:41 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
    2008-01-15 06:45:41 32768 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
    2008-01-15 06:45:41 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat
    2008-09-07 04:26:46 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008090620080907\index.dat

    ============= FINISH: 21:36:32.46 ===============

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit quick scan 2010-08-23 21:03:44
    Windows 6.0.6001 Service Pack 1
    Running: nrl9qy0u.exe; Driver: C:\Users\Chris\AppData\Local\Temp\ufldapoc.sys


    ---- System - GMER 1.0.15 ----

    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0x8E997B9C]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0x8E9979C0]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0x8E997AFA]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

    AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

    ---- EOF - GMER 1.0.15 ----


    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4473

    Windows 6.0.6001 Service Pack 1 (Safe Mode)
    Internet Explorer 7.0.6001.18000

    8/25/2010 04:06:29
    mbam-log-2010-08-25 (04-06-29).txt

    Scan type: Quick scan
    Objects scanned: 135305
    Time elapsed: 5 minute(s), 38 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svhst (Backdoor.PoisonIvy) -> No action taken.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Yes, I can see where there are still problems. There is a second part to the DDS log named Attach.txt. Please find that and include it in the next reply.

    When you ran Malwarebytes, you didn't check for it to remove what it found and it shows No Action Taken. Please update Mbam and rescan, with that line checked.

    Please run this Security Check:

    Download Security Check and save it to your Desktop.
    • Double-click SecurityCheck.exe to run.
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post this log in your next reply.
    ================================
    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    I notice you ran SDFix> do you have the log for that? If not, don't run it again> I'll have you run Combofix instead.

    Important:
    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
  3. Bahawolf

    Bahawolf Newcomer, in training Topic Starter

    I apologize for the delay in reply...
    When I ran MBAM before, it did prompt me to remove the found infection at the end so I did so.
    I do not have the log for SD but I will post the rest.


    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=7.00.6000.16386 (vista_rtm.061101-2205)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=d3f344608f45944d9b2e88f2bc227538
    # end=finished
    # remove_checked=true
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-08-25 05:47:27
    # local_time=2010-08-24 10:47:27 (-0800, Pacific Daylight Time)
    # country="United States"
    # lang=1033
    # osver=6.0.6001 NT Service Pack 1
    # compatibility_mode=512 16777215 100 0 0 0 0 0
    # compatibility_mode=768 16777215 100 0 0 0 0 0
    # compatibility_mode=5892 16776637 100 100 39337640 119319748 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=119935
    # found=0
    # cleaned=0
    # scan_time=3028
    # version=7
    # iexplore.exe=7.00.6000.16386 (vista_rtm.061101-2205)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=d3f344608f45944d9b2e88f2bc227538
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-08-27 05:54:23
    # local_time=2010-08-26 10:54:23 (-0800, Pacific Daylight Time)
    # country="United States"
    # lang=9
    # osver=6.0.6001 NT Service Pack 1
    # compatibility_mode=512 16777215 100 0 0 0 0 0
    # compatibility_mode=768 16777215 100 0 0 0 0 0
    # compatibility_mode=5892 16776637 100 100 39510847 119492955 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=119919
    # found=0
    # cleaned=0
    # scan_time=3037


    Results of screen317's Security Check version 0.99.5
    Windows Vista Service Pack 1 (UAC is disabled!)
    Out of date service pack!!
    Internet Explorer 7 Out of date!
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Security Center service is not running! This report may not be accurate!
    Windows Firewall Enabled!
    avast! Free Antivirus
    ESET Online Scanner v3
    WMI entry may not exist for antivirus; attempting automatic update.
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Malwarebytes' Anti-Malware
    Java(TM) SE Runtime Environment 6 Update 1
    Adobe Flash Player 10.0.22.87
    Adobe Reader 8.1.2
    Out of date Adobe Reader installed!
    Mozilla Firefox (3.0.19) Firefox Out of Date!
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    ````````````````````````````````
    DNS Vulnerability Check:

    GREAT! (Not vulnerable to DNS cache poisoning)

    ``````````End of Log````````````

  4. Bahawolf


    Hey Bobby,
    I apologize that there was such a long delay in responses but I would love if you could still help me. :)
  5. Bobbye


    Okay, the security check shows several programs out of date, so they will have to be updated along the line.

    Things to do before we go on:

    1. Update Java> it is 20 updates behind and presents a vulnerability to the system.
    Check this site: Java Updates. Stay current, as most updates are for security. Uninstall any earlier versions in Add/Remove Programs, as they are vulnerabilities for the system.
    2. Disable or uninstall Roguescanfix while I am helping you clean the system. This is a specially crafted tool to remove rogue anti-spyware applications that use trojans to infest a system. This tool should only be used under the guidance of a trained Malware Expert. It could affect the scans we do.
    3. Check Network Restrictions. Ask if any restrictions have been intentionally set or if the user is aware that the Administrator has set them.
    4. Combofix. IF you have the Combofix report, copy the header and the section that shows deletions, if any. If there were any, I want to check this before you do the next step.
    ===============================================
    If you did not save the log:

    Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

    Please download ComboFix from Here and save to your Desktop.

    1. Do NOT rename Combofix unless instructed.
    2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    3. Close any open browsers.
    4. Double-click combofix.exe & follow the prompts to run.
    • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
    5. If Combofix asks you to install Recovery Console, please allow it.
    6. If Combofix asks you to update the program, always allow.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    7. A report will be generated after the scan. Please paste the C:\ComboFix.txt in next reply.
    Note: Do not mouse-click Combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with Combofix.
  6. Bahawolf


    I've updated Java and disabled Roguescanfix now. This is the latest Combofix log...


    ComboFix 10-08-09.02 - Chris 08/13/2010 18:10:42.2.2 - x86 NETWORK
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2039.1526 [GMT -7:00]
    Running from: c:\users\Chris\Desktop\ComboFix.exe
    SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\scecli.dll . . . is infected!!

    c:\windows\system32\comres.dll . . . is infected!!

    .
    ((((((((((((((((((((((((( Files Created from 2010-07-14 to 2010-08-14 )))))))))))))))))))))))))))))))
    .

    2010-08-14 12:18 . 2010-08-14 12:37 -------- d-----w- c:\users\Chris\AppData\Local\temp
    2010-08-14 12:18 . 2010-08-14 12:18 -------- d-----w- c:\users\Public\AppData\Local\temp
    2010-08-14 12:18 . 2010-08-14 12:18 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-08-14 00:48 . 2010-08-14 00:48 -------- d-----w- C:\32788R22FWJFW
    2010-08-13 05:24 . 2006-11-01 20:06 162616 ----a-w- c:\windows\RegDelNull.exe
    2010-08-12 04:50 . 2010-08-12 04:50 1152 ----a-w- c:\windows\system32\windrv.sys
    2010-08-11 10:02 . 2010-08-12 04:42 -------- d-----w- c:\windows\BDOSCAN8
    2010-08-11 06:32 . 2010-08-11 06:32 -------- d-----w- c:\program files\Common Files\BitDefender
    2010-08-10 03:34 . 2010-08-10 03:48 15892480 ----a-w- C:\Ad-AwareInstall.exe
    2010-08-10 03:03 . 2010-08-13 05:14 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-08-10 03:03 . 2010-08-13 05:14 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2010-08-10 02:48 . 2010-08-10 02:48 -------- d-----w- c:\program files\CCleaner
    2010-08-10 02:44 . 2010-08-10 02:42 16409960 ----a-w- C:\spybotsd162.exe
    2010-08-10 01:00 . 2010-08-10 01:00 -------- d-----w- c:\users\Chris\AppData\Local\ICS
    2010-08-10 00:59 . 2010-08-14 00:45 -------- d-----w- c:\windows\LMI3B0C.tmp
    2010-08-10 00:02 . 2010-08-10 02:38 680 ----a-w- c:\users\Chris\AppData\Local\d3d9caps.dat
    2010-08-09 23:56 . 2010-08-09 23:56 -------- d-----w- c:\users\Chris\AppData\Roaming\Malwarebytes
    2010-08-09 23:56 . 2010-08-09 23:56 -------- d-----w- c:\programdata\Malwarebytes
    2010-08-09 23:50 . 2010-08-09 23:50 -------- d-----w- c:\program files\TeamViewer

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-08-13 05:13 . 2009-05-17 01:10 -------- d-----w- c:\programdata\Kaspersky Lab Setup Files
    2010-08-10 02:12 . 2010-08-10 02:12 35 ----a-w- c:\users\Chris\AppData\Roaming\SetValue.bat
    2010-08-10 02:12 . 2010-08-10 02:12 691 ----a-w- c:\users\Chris\AppData\Roaming\GetValue.vbs
    2010-08-03 22:50 . 2008-02-10 09:13 -------- d-----w- c:\users\Chris\AppData\Roaming\FUJIFILM
    2010-08-03 19:04 . 2007-12-10 04:29 4022 ----a-w- c:\users\Chris\AppData\Roaming\wklnhst.dat
    2010-08-03 19:01 . 2007-12-14 06:13 -------- d-----w- c:\program files\Lx_cats
    2010-08-03 02:26 . 2009-09-21 22:32 256 ----a-w- c:\windows\system32\pool.bin
    2010-07-07 23:05 . 2010-07-04 05:51 -------- d-----w- c:\users\Chris\AppData\Roaming\Sysinternals Antivirus
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "*LogMeInRescue_528354783"="c:\windows\LMI3B0C.tmp\lmi_rescue.exe" [2010-08-10 1874808]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "GrpConv"="grpconv -o" [X]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\MRI_DISABLED
    Exif Launcher S.lnk - c:\program files\FinePixViewerS\QuickDCF2.exe [2008-2-10 303104]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2008-01-12 05:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
    2009-08-13 22:51 177440 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
    2008-01-19 07:33 125952 ----a-w- c:\windows\ehome\ehtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
    2007-05-04 06:40 312240 ----a-w- c:\program files\Lexmark Fax Solutions\fm3032.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
    2008-01-03 01:06 166424 ----a-w- c:\windows\System32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
    2008-01-03 01:07 141848 ----a-w- c:\windows\System32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
    2006-09-11 11:40 218032 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2009-09-09 04:09 305440 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launcher]
    2007-07-04 00:40 40072 ----a-w- c:\windows\SMINST\Launcher.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxddamon]
    2007-03-05 07:40 20480 ----a-w- c:\program files\Lexmark 2500 Series\lxddamon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxddmon.exe]
    2007-05-04 06:38 291760 ----a-w- c:\program files\Lexmark 2500 Series\lxddmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MRT]
    2009-02-03 22:21 21244864 ----a-w- c:\windows\System32\mrt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
    2008-01-03 01:07 133656 ----a-w- c:\windows\System32\igfxpers.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2009-09-05 08:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
    2008-03-06 23:19 236016 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
    2007-04-23 22:51 4435968 ----a-w- c:\windows\RtHDVCpl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBC_McciTrayApp]
    2007-02-28 19:35 1011200 ----a-w- c:\program files\SBC\update\SST.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
    2008-01-19 07:33 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spare Backup]
    2007-07-13 04:27 5252936 ----a-w- c:\program files\Spare Backup\SpareBackup.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
    2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
    2008-01-19 07:33 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3352549485-4007945283-2351025167-1000]
    "EnableNotificationsRef"=dword:00000001

    R2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxddserv.exe [2007-04-26 99248]
    R2 TeamViewer5;TeamViewer 5;c:\program files\TeamViewer\Version5\TeamViewer_Service.exe [2010-07-06 173352]
    R3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 2589184]
    R4 B-Service;B-Service;c:\users\Chris\Downloads\B-Service.exe [2010-08-10 185640]
    R4 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe [2007-04-26 537520]


    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - UFLDAPOC
    *Deregistered* - ufldapoc
    .
    Contents of the 'Scheduled Tasks' folder

    2008-07-27 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
    - c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 18:20]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = <local>;*.local
    uInternet Settings,ProxyServer = http=localhost:7171
    FF - ProfilePath - c:\users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\l8k0id2p.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=19&q=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - www.google.com
    FF - prefs.js: keyword.URL - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=NAUS&v=19&tid={51BAF25C-83A7-EB49-8254-EE07C9DA3C19}&q=
    FF - component: c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-SNM - c:\program files\SpyNoMore\SNM.exe
    HKLM-RunOnce-<NO NAME> - (no file)
    MSConfigStartUp-Malwarebytes' Anti-Malware - c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-08-14 05:35
    Windows 6.0.6001 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2010-08-14 07:54:47
    ComboFix-quarantined-files.txt 2010-08-14 14:51
    ComboFix2.txt 2010-08-10 02:22

    Pre-Run: 236,285,657,088 bytes free
    Post-Run: 236,727,607,296 bytes free

    - - End Of File - - ACBD098F8E48D099CD968878B41BB587
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Run this please and give me the results:

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :filefind
      scecli.*
      comres.*
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
    =================================
    Please go to VirSCAN.org FREE on-line scan service:
    If busy, you can use one of the following: ( you only need one)
    VirusTotal
    Jotti

    • [1]. Copy and paste the following file path into the Suspicious files to scan box on the top of the page.

      Code:
      c:\windows\system32\comres.dll
      
      [2]. At the upload site, click once inside the window next to Browse.
      [3]. Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
      [4]. Click on the Upload button.
      This will perform a scan across multiple different virus scanning engines.
      Your file will possibly be entered into a queue which normally takes less than a minute to clear.
      Important: Wait for all of the scanning engines to complete.
      [5]. Once the Scan is completed scroll down and click on the Copy to Clipboard button. This will copy the link of the report into the Clipboard.
      [6]. Paste the contents of the Clipboard in your next reply.

    Scecli.dll implements the client-side extension for Group Policy, which may be why the restrictions are in place. It is important that you find out which restrictions, if any, were set by the Administrator.
  8. Bahawolf

    Bahawolf Newcomer, in training Topic Starter

    Bobby,
    I've asked and they have informed me that there are no user or network restrictions in place.

    SystemLook v1.0 by jpshortstuff (11.01.10)
    Log created at 11:43 on 28/08/2010 by Chris (Administrator - Elevation successful)

    ========== filefind ==========

    Searching for "scecli.*"
    C:\Windows\ERDNT\cache\scecli.dll --a--- 177152 bytes [02:21 10/08/2010] [07:36 19/01/2008] 28B84EB538F7E8A0FE8B9299D591E0B9
    C:\Windows\System32\en-US\scecli.dll.mui --a--- 26112 bytes [12:41 02/11/2006] [12:41 02/11/2006] 9BAEE5A01FF86F50F5C996B420F40EA7
    C:\Windows\System32\scecli.dll --a--- 177152 bytes [14:43 26/07/2008] [07:36 19/01/2008] 28B84EB538F7E8A0FE8B9299D591E0B9
    C:\Windows\winsxs\x86_microsoft-windows-s..ineclient.resources_31bf3856ad364e35_6.0.6000.16386_en-us_4a83ea07e02eec19\scecli.dll.mui --a--- 26112 bytes [12:41 02/11/2006] [12:41 02/11/2006] 9BAEE5A01FF86F50F5C996B420F40EA7
    C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6000.16386_none_35d7205fdc305e3e\scecli.dll --a--- 176640 bytes [08:43 02/11/2006] [09:46 02/11/2006] 80E2839D05CA5970A86D7BE2A08BFF61
    C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12\scecli.dll --a--- 177152 bytes [14:43 26/07/2008] [07:36 19/01/2008] 28B84EB538F7E8A0FE8B9299D591E0B9

    Searching for "comres.*"
    C:\Windows\System32\comres.dll --a--- 1291264 bytes [14:44 26/07/2008] [05:48 19/01/2008] 4211249955AF9133E2E357CC92B54DFD
    C:\Windows\System32\en-US\comres.dll.mui --a--- 401408 bytes [12:40 02/11/2006] [12:40 02/11/2006] 21FD28B92DE8F3CBA5A7D4BC449304F7
    C:\Windows\winsxs\x86_microsoft-windows-c..mplus.res.resources_31bf3856ad364e35_6.0.6000.16386_en-us_a0e5c1ae452540b0\comres.dll.mui --a--- 401408 bytes [12:40 02/11/2006] [12:40 02/11/2006] 21FD28B92DE8F3CBA5A7D4BC449304F7
    C:\Windows\winsxs\x86_microsoft-windows-com-complus.res_31bf3856ad364e35_6.0.6000.16386_none_2a7a18dbe946c84f\comres.dll --a--- 1236992 bytes [07:29 02/11/2006] [08:50 02/11/2006] 4843A1784BA6434DFF80F841DDC592C6
    C:\Windows\winsxs\x86_microsoft-windows-com-complus.res_31bf3856ad364e35_6.0.6001.18000_none_2cb0dad7e631d923\comres.dll --a--- 1291264 bytes [14:44 26/07/2008] [05:48 19/01/2008] 4211249955AF9133E2E357CC92B54DFD

    -=End Of File=-

    VirSCAN.org Scanned Report :
    Scanned time : 2010/08/28 13:48:08 (CDT)
    Scanner results: Scanners did not find malware!
    File Name : comres.dll
    File Size : 1291264 byte
    File Type : PE32 executable for MS Windows (DLL) (console) Intel 80386 3
    MD5 : 4211249955af9133e2e357cc92b54dfd
    SHA1 : b2f121782f01ff1f7c4fffe297ccb3d1eb1f7494
    Online report : http://virscan.org/report/cd9e59125294333f36d30fecef811031.html

    Scanner Engine Ver Sig Ver Sig Date Time Scan result
    a-squared 5.0.0.19 20100827080832 2010-08-27 4.73 -
    AhnLab V3 2010.08.28.00 2010.08.28 2010-08-28 1.23 -
    AntiVir 8.2.4.46 7.10.11.43 2010-08-28 0.27 -
    Antiy 2.0.18 20100829.5009785 2010-08-29 0.12 -
    Arcavir 2009 201006281601 2010-06-28 0.01 -
    Authentium 5.1.1 201008280228 2010-08-28 1.29 -
    AVAST! 4.7.4 100828-0 2010-08-28 0.06 -
    AVG 8.5.793 271.1.1/3099 2010-08-28 0.22 -
    BitDefender 7.90123.6284734 7.33608 2010-08-29 4.49 -
    ClamAV 0.96.1 11727 2010-08-28 0.19 -
    Comodo 4.0 5888 2010-08-28 1.17 -
    CP Secure 1.3.0.5 2010.08.28 2010-08-28 0.22 -
    Dr.Web 5.0.2.3300 2010.08.29 2010-08-29 9.05 -
    F-Prot 4.4.4.56 20100827 2010-08-27 1.28 -
    F-Secure 7.02.73807 2010.08.28.02 2010-08-28 10.86 -
    Fortinet 4.1.143 12.289 2010-08-28 0.19 -
    GData 21.742/21.288 20100828 2010-08-28 7.34 -
    ViRobot 20100827 2010.08.27 2010-08-27 0.38 -
    Ikarus T3. 2010.08.28.76622 2010-08-28 4.61 -
    JiangMin 13.0.900 2010.08.27 2010-08-27 1.33 -
    Kaspersky 5.5.10 2010.08.28 2010-08-28 0.08 -
    KingSoft 2009.2.5.15 2010.8.28.20 2010-08-28 0.65 -
    McAfee 5400.1158 6088 2010-08-28 18.49 -
    Microsoft 1.6103 2010.08.28 2010-08-28 5.25 -
    Norman 6.05.11 6.05.00 2010-08-28 8.01 -
    Panda 9.05.01 2010.08.27 2010-08-27 0.54 -
    Trend Micro 9.120-1004 7.420.02 2010-08-28 0.03 -
    Quick Heal 11.00 2010.08.28 2010-08-28 2.72 -
    Rising 20.0 22.62.05.03 2010-08-28 0.21 -
    Sophos 3.10.0 4.56 2010-08-29 4.23 -
    Sunbelt 3.9.2432.2 6802 2010-08-27 11.75 -
    Symantec 1.3.0.24 20100828.004 2010-08-28 0.10 -
    nProtect 20100825.02 8957401 2010-08-25 9.38 -
    The Hacker 6.5.2.1 v00357 2010-08-28 0.74 -
    VBA32 3.12.14.0 20100827.0614 2010-08-27 3.25 -
    VirusBuster 4.5.11.10 10.127.68/2038242 2010-08-27 2.73 -
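    The comparison the helper makes by eye in the SystemLook output above (does the MD5 of the live copy of scecli.dll and comres.dll under System32 equal the MD5 of the same file in the WinSxS component store?) can be automated. The script below is an added example written for this thread; it is not SystemLook's, ComboFix's or the forum's own code. Its sample input embeds the scecli/comres lines quoted from the log above and adds two constructed lines for a file called "example.dll" whose hashes are invented, so that the mismatch branch is exercised.

```python
import re
from collections import defaultdict

# Constructed sample input. The scecli/comres lines are copied from the SystemLook
# log posted above; the two "example.dll" lines are fabricated (no such file appears
# in the thread) so that the mismatch path of the check is exercised.
SAMPLE_LOG = r"""
SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 11:43 on 28/08/2010 by Chris (Administrator - Elevation successful)

========== filefind ==========

Searching for "scecli.*"
C:\Windows\ERDNT\cache\scecli.dll --a--- 177152 bytes [02:21 10/08/2010] [07:36 19/01/2008] 28B84EB538F7E8A0FE8B9299D591E0B9
C:\Windows\System32\en-US\scecli.dll.mui --a--- 26112 bytes [12:41 02/11/2006] [12:41 02/11/2006] 9BAEE5A01FF86F50F5C996B420F40EA7
C:\Windows\System32\scecli.dll --a--- 177152 bytes [14:43 26/07/2008] [07:36 19/01/2008] 28B84EB538F7E8A0FE8B9299D591E0B9
C:\Windows\winsxs\x86_microsoft-windows-s..ineclient.resources_31bf3856ad364e35_6.0.6000.16386_en-us_4a83ea07e02eec19\scecli.dll.mui --a--- 26112 bytes [12:41 02/11/2006] [12:41 02/11/2006] 9BAEE5A01FF86F50F5C996B420F40EA7
C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6000.16386_none_35d7205fdc305e3e\scecli.dll --a--- 176640 bytes [08:43 02/11/2006] [09:46 02/11/2006] 80E2839D05CA5970A86D7BE2A08BFF61
C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12\scecli.dll --a--- 177152 bytes [14:43 26/07/2008] [07:36 19/01/2008] 28B84EB538F7E8A0FE8B9299D591E0B9

Searching for "comres.*"
C:\Windows\System32\comres.dll --a--- 1291264 bytes [14:44 26/07/2008] [05:48 19/01/2008] 4211249955AF9133E2E357CC92B54DFD
C:\Windows\winsxs\x86_microsoft-windows-com-complus.res_31bf3856ad364e35_6.0.6001.18000_none_2cb0dad7e631d923\comres.dll --a--- 1291264 bytes [14:44 26/07/2008] [05:48 19/01/2008] 4211249955AF9133E2E357CC92B54DFD

Searching for "example.*"
C:\Windows\System32\example.dll --a--- 4096 bytes [00:00 01/01/2010] [00:00 01/01/2010] 00112233445566778899AABBCCDDEEFF
C:\Windows\winsxs\x86_constructed-component_31bf3856ad364e35_6.0.6001.18000_none_0000000000000000\example.dll --a--- 4096 bytes [00:00 01/01/2010] [00:00 01/01/2010] FFEEDDCCBBAA99887766554433221100

-=End Of File=-
"""

# One SystemLook :filefind result line: path, attributes, size, two timestamps, MD5.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-a-zA-Z]{6}) (?P<size>\d+) bytes "
    r"\[(?P<modified>[^\]]+)\] \[(?P<created>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)
LIVE_PREFIX = "c:\\windows\\system32\\"   # the copies Windows actually loads
STORE_PREFIX = "c:\\windows\\winsxs\\"    # the component store (reference copies)


def parse_filefind(text):
    """Parse the file lines of a SystemLook :filefind log into dicts."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # banner, "Searching for" headers, blank lines
        e = m.groupdict()
        e["size"] = int(e["size"])
        e["md5"] = e["md5"].upper()          # VirSCAN prints MD5s in lowercase
        e["name"] = e["path"].rsplit("\\", 1)[-1].lower()
        entries.append(e)
    return entries


def cross_check(entries):
    """Verdict per live System32 file: 'verified', 'mismatch' or 'no-reference'.

    On Vista the files under System32 are hard links into the WinSxS component
    store, so a genuine live copy hashes identically to one of the store copies
    of the same file name. A live copy that matches none of them has been replaced.
    """
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["name"]].append(e)
    verdicts = {}
    for copies in by_name.values():
        live = [c for c in copies if c["path"].lower().startswith(LIVE_PREFIX)]
        store_md5s = {c["md5"] for c in copies if c["path"].lower().startswith(STORE_PREFIX)}
        for c in live:
            if not store_md5s:
                verdicts[c["path"]] = "no-reference"
            elif c["md5"] in store_md5s:
                verdicts[c["path"]] = "verified"
            else:
                verdicts[c["path"]] = "mismatch"
    return verdicts


def suspicious(verdicts):
    """Live copies that could not be confirmed against the component store."""
    return sorted(p for p, v in verdicts.items() if v != "verified")


def paths_with_md5(entries, md5):
    """Copies carrying a given hash, e.g. the MD5 printed in a VirSCAN report."""
    md5 = md5.upper()
    return sorted(e["path"] for e in entries if e["md5"] == md5)


if __name__ == "__main__":
    found = parse_filefind(SAMPLE_LOG)
    for path, verdict in sorted(cross_check(found).items()):
        print(f"{verdict:13} {path}")
```

    Run as a script it prints one verdict per live file. On the real log every live copy comes out "verified", which is consistent with the VirSCAN result that followed; the FCopy:: section of the CFScript later in the thread restores the System32 copies from exactly these component-store and ERDNT locations. The check only sees what the userland tool reports, which is why the thread pairs it with the catchme rootkit scan.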
  9. Bahawolf

    Bahawolf Newcomer, in training Topic Starter

    Hey Bobby,
    The logs didn't post for some reason; I think they might be waiting for approval from a moderator but didn't want you to think I disappeared again.
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Everything is here- in fact, I removed one duplicate. Working on logs now.
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Please run this Custom CFScript


    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    c:\windows\RegDelNull.exe
    c:\windows\system32\windrv.sys
    c:\users\Chris\Downloads\B-Service.exe
    Folder::
    c:\users\Chris\AppData\Local\temp
    c:\users\Public\AppData\Local\temp
    c:\users\Default\AppData\Local\temp
    c:\windows\LMI3B0C.tmp
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "GrpConv"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3352549485-4007945283-2351025167-1000]
    "EnableNotificationsRef"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spare Backup]
    Driver::
    B-Service
    FCopy::
    C:\Windows\ERDNT\cache\scecli.dll | c:\windows\system32\scecli.dll
    C:\Windows\winsxs\x86_microsoft-windows-com-complus.res_31bf3856ad364e35_6.0.6001.18000_none_2cb0dad7e631d923\comres.dll | c:\windows\system32\comres.dll 
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    (picture: dragging CFScript.txt onto ComboFix.exe)

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
    =====================================
    Then run a new scan using the Eset Online scanner:

    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    There is a rootkit on the system, and it also looks like a worm which works through Group Policy; that would explain there being no setting and what I'm seeing.
     
  12. Bahawolf

    Bahawolf Newcomer, in training Topic Starter

    It hasn't frozen in a while now, but the startup is still taking a long time from the initial loading screen.

    Latest logs:

    ComboFix 10-08-28.02 - Chris 08/29/2010 21:35:30.3.2 - x86 NETWORK
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2039.1465 [GMT -7:00]
    Running from: c:\users\Chris\Desktop\ComboFix.exe
    Command switches used :: c:\users\Chris\Desktop\CFScript.txt
    SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    * Created a new restore point

    FILE ::
    "c:\users\Chris\Downloads\B-Service.exe"
    "c:\windows\RegDelNull.exe"
    "c:\windows\system32\windrv.sys"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\users\Chris\AppData\Local\temp
    c:\users\Chris\Downloads\B-Service.exe
    c:\users\Default\AppData\Local\temp
    c:\users\Public\AppData\Local\temp
    c:\windows\RegDelNull.exe
    c:\windows\system32\Process.exe
    c:\windows\system32\windrv.sys

    .
    --------------- FCopy ---------------

    c:\windows\ERDNT\cache\scecli.dll --> c:\windows\system32\scecli.dll
    c:\windows\winsxs\x86_microsoft-windows-com-complus.res_31bf3856ad364e35_6.0.6001.18000_none_2cb0dad7e631d923\comres.dll --> c:\windows\system32\comres.dll
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_B-Service


    ((((((((((((((((((((((((( Files Created from 2010-07-28 to 2010-08-30 )))))))))))))))))))))))))))))))
    .

    2010-08-30 04:42 . 2010-08-30 04:42 -------- d-----w- c:\users\Chris\AppData\Local\Temp
    2010-08-30 04:33 . 2010-08-30 04:34 -------- d-----w- C:\32788R22FWJFW
    2010-08-28 16:57 . 2010-08-28 16:57 -------- d-----w- c:\users\Chris\AppData\Roaming\Webroot
    2010-08-28 14:24 . 2010-08-28 14:24 -------- d-----w- c:\program files\Common Files\Java
    2010-08-28 14:23 . 2010-08-28 14:23 423656 ----a-w- c:\windows\system32\deployJava1.dll
    2010-08-28 13:47 . 2010-08-28 13:47 -------- d-----w- c:\program files\Windows Installer Clean Up
    2010-08-28 13:47 . 2010-08-28 13:47 -------- d-----w- c:\program files\MSECACHE
    2010-08-28 12:17 . 2010-08-28 12:20 -------- d-----w- c:\program files\JDownloader
    2010-08-27 04:59 . 2010-08-27 04:59 -------- d-----w- c:\users\Chris\AppData\Local\Seven Zip
    2010-08-25 04:51 . 2010-08-25 04:51 -------- d-----w- c:\program files\ESET
    2010-08-25 04:48 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-08-25 04:48 . 2010-08-28 16:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-08-25 04:48 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-08-25 04:27 . 2010-08-25 04:27 23872 ----a-w- c:\windows\system32\mv2.dll
    2010-08-25 04:27 . 2010-08-25 04:27 12096 ----a-w- c:\windows\system32\drivers\mv2.sys
    2010-08-25 04:27 . 2010-08-25 04:32 -------- d-----w- c:\program files\UltraVNC
    2010-08-18 12:21 . 2010-08-18 12:21 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2010-08-18 12:00 . 2010-08-18 12:00 -------- d-----w- c:\users\Chris\AppData\Local\Sunbelt Software
    2010-08-18 11:57 . 2010-08-27 05:00 -------- d-----w- c:\programdata\Lavasoft
    2010-08-18 11:57 . 2010-08-18 11:57 -------- d-----w- c:\program files\Lavasoft
    2010-08-18 05:18 . 2010-06-28 20:37 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-08-18 05:18 . 2010-06-28 20:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-08-18 05:18 . 2010-06-28 20:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-08-18 05:18 . 2010-06-28 20:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-08-18 05:18 . 2010-06-28 20:32 50256 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2010-08-18 05:18 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
    2010-08-18 05:18 . 2010-06-28 20:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
    2010-08-18 05:18 . 2010-08-18 05:18 -------- d-----w- c:\programdata\Alwil Software
    2010-08-18 05:18 . 2010-08-18 05:18 -------- d-----w- c:\program files\Alwil Software
    2010-08-17 02:51 . 2008-11-06 09:03 -------- d-----w- C:\SDFix
    2010-08-17 02:40 . 2010-08-28 13:54 -------- d-----w- c:\program files\roguescanfix
    2010-08-17 02:32 . 2010-08-17 02:59 -------- d-----w- c:\windows\LMI7445.tmp
    2010-08-17 02:27 . 2010-08-17 02:27 -------- d-----w- c:\program files\Trend Micro
    2010-08-15 17:01 . 2010-08-18 05:03 -------- d-----w- c:\users\Chris\AppData\Roaming\TeamViewer
    2010-08-15 15:49 . 2010-08-15 15:49 -------- d-----w- c:\users\Chris\AppData\Roaming\PCToolsFirewallPlus
    2010-08-15 15:49 . 2010-08-15 15:49 -------- d-----w- c:\users\Chris\AppData\Roaming\Spam Monitor
    2010-08-15 14:44 . 2010-08-16 01:29 -------- d-----w- c:\program files\PC Tools Internet Security
    2010-08-15 14:44 . 2010-08-15 16:24 -------- d-----w- c:\programdata\PC Tools
    2010-08-15 14:43 . 2010-08-15 15:51 -------- d-----w- c:\users\Chris\AppData\Roaming\Swhst
    2010-08-15 14:09 . 2010-08-28 16:26 -------- d-----w- C:\TEMP
    2010-08-15 14:01 . 2010-08-16 01:29 -------- d-----w- c:\program files\Common Files\PC Tools
    2010-08-15 13:11 . 2010-07-24 16:30 4213696 ----a-w- C:\ExterminateIt.exe
    2010-08-15 07:16 . 2010-08-15 13:59 -------- d-----w- c:\program files\Exterminate It!
    2010-08-15 06:51 . 2010-08-15 06:53 226688 ----a-w- C:\BdUninstallTool2010.08.14-11.51.29.reg
    2010-08-15 04:22 . 2010-08-15 04:24 -------- d-----w- c:\users\Chris\AppData\Roaming\QuickScan
    2010-08-14 22:56 . 2010-08-14 22:56 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2010-08-11 10:02 . 2010-08-15 04:15 -------- d-----w- c:\windows\BDOSCAN8
    2010-08-10 03:34 . 2010-08-10 03:48 15892480 ----a-w- C:\Ad-AwareInstall.exe
    2010-08-10 03:03 . 2010-08-13 05:14 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-08-10 03:03 . 2010-08-13 05:14 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2010-08-10 02:44 . 2010-08-10 02:42 16409960 ----a-w- C:\spybotsd162.exe
    2010-08-10 01:00 . 2010-08-10 01:00 -------- d-----w- c:\users\Chris\AppData\Local\ICS
    2010-08-10 00:02 . 2010-08-30 04:38 680 ----a-w- c:\users\Chris\AppData\Local\d3d9caps.dat
    2010-08-09 23:56 . 2010-08-09 23:56 -------- d-----w- c:\users\Chris\AppData\Roaming\Malwarebytes
    2010-08-09 23:56 . 2010-08-09 23:56 -------- d-----w- c:\programdata\Malwarebytes
    2010-08-09 23:50 . 2010-08-09 23:50 -------- d-----w- c:\program files\TeamViewer

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-08-28 16:36 . 2009-09-13 01:26 -------- d-----w- c:\program files\Bonjour
    2010-08-28 16:36 . 2007-09-24 19:40 -------- d-----w- c:\program files\Spare Backup
    2010-08-28 16:35 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
    2010-08-28 14:22 . 2007-09-24 19:39 -------- d-----w- c:\program files\Java
    2010-08-28 13:47 . 2010-08-28 13:47 3584 ----a-r- c:\users\Chris\AppData\Roaming\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
    2010-08-25 14:19 . 2007-12-10 04:29 4022 ----a-w- c:\users\Chris\AppData\Roaming\wklnhst.dat
    2010-08-17 02:27 . 2010-08-17 02:27 388096 ----a-r- c:\users\Chris\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-08-15 15:48 . 2010-08-15 15:47 699904 ----a-w- c:\users\Chris\AppData\Roaming\Swhst\swhst.exe
    2010-08-10 02:12 . 2010-08-10 02:12 35 ----a-w- c:\users\Chris\AppData\Roaming\SetValue.bat
    2010-08-10 02:12 . 2010-08-10 02:12 35 ----a-w- c:\users\Chris\AppData\Roaming\SetValue.bat
    2010-08-10 02:12 . 2010-08-10 02:12 691 ----a-w- c:\users\Chris\AppData\Roaming\GetValue.vbs
    2010-08-03 22:50 . 2008-02-10 09:13 -------- d-----w- c:\users\Chris\AppData\Roaming\FUJIFILM
    2010-08-03 19:01 . 2007-12-14 06:13 -------- d-----w- c:\program files\Lx_cats
    2010-08-03 02:26 . 2009-09-21 22:32 256 ----a-w- c:\windows\system32\pool.bin
    2010-07-07 23:05 . 2010-07-04 05:51 -------- d-----w- c:\users\Chris\AppData\Roaming\Sysinternals Antivirus
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled\MRI_DISABLED
    Exif Launcher S.lnk - c:\program files\FinePixViewerS\QuickDCF2.exe [2008-2-10 303104]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2008-01-12 05:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
    2009-08-13 22:51 177440 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
    2008-01-19 07:33 125952 ----a-w- c:\windows\ehome\ehtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
    2007-05-04 06:40 312240 ----a-w- c:\program files\Lexmark Fax Solutions\fm3032.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
    2008-01-03 01:06 166424 ----a-w- c:\windows\System32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
    2008-01-03 01:07 141848 ----a-w- c:\windows\System32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
    2006-09-11 11:40 218032 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2009-09-09 04:09 305440 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launcher]
    2007-07-04 00:40 40072 ----a-w- c:\windows\SMINST\Launcher.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxddamon]
    2007-03-05 07:40 20480 ----a-w- c:\program files\Lexmark 2500 Series\lxddamon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxddmon.exe]
    2007-05-04 06:38 291760 ----a-w- c:\program files\Lexmark 2500 Series\lxddmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MRT]
    2009-02-03 22:21 21244864 ----a-w- c:\windows\System32\mrt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
    2008-01-03 01:07 133656 ----a-w- c:\windows\System32\igfxpers.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2009-09-05 08:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
    2008-03-06 23:19 236016 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
    2007-04-23 22:51 4435968 ----a-w- c:\windows\RtHDVCpl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBC_McciTrayApp]
    2007-02-28 19:35 1011200 ----a-w- c:\program files\SBC\update\SST.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
    2008-01-19 07:33 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spare Backup]
    2007-07-13 04:27 5252936 ----a-w- c:\program files\Spare Backup\SpareBackup.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
    2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
    2008-01-19 07:33 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3352549485-4007945283-2351025167-1000]
    "EnableNotificationsRef"=dword:00000001

    R3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 2589184]
    R4 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [x]
    R4 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe [2007-04-26 537520]
    R4 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [x]
    R4 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [x]
    R4 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [x]
    S1 aswSP;aswSP; [x]
    S2 aswFsBlk;aswFsBlk; [x]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-06-28 50256]
    S2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxddserv.exe [2007-04-26 99248]
    S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2010-04-29 304464]
    S2 TeamViewer5;TeamViewer 5;c:\program files\TeamViewer\Version5\TeamViewer_Service.exe [2010-07-06 173352]
    S2 uvnc_service;uvnc_service;c:\program files\UltraVNC\WinVNC.exe [2009-12-07 1590216]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-04-29 20952]
    S3 mv2;mv2;c:\windows\system32\DRIVERS\mv2.sys [2010-08-25 12096]

    .
    Contents of the 'Scheduled Tasks' folder

    2008-07-27 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
    - c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 18:20]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = *.local;<local>
    uInternet Settings,ProxyServer = http=localhost:7171
    FF - ProfilePath - c:\users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\l8k0id2p.default\
    FF - component: c:\users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\l8k0id2p.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
    FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\l8k0id2p.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
    .
    - - - - ORPHANS REMOVED - - - -

    AddRemove-HijackThis - c:\users\Chris\Desktop\MRI5_5_0\MRI5_5_0\Malware\Utilities\Trend Micro\HijackThis\HijackThis.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-08-29 21:43
    Windows 6.0.6001 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Alwil Software\Avast5\AvastSvc.exe
    c:\windows\system32\agrsmsvc.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\windows\system32\spool\DRIVERS\W32X86\3\lxddserv.exe
    c:\program files\TeamViewer\Version5\TeamViewer.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\windows\system32\ssText3d.scr
    .
    **************************************************************************
    .
    Completion time: 2010-08-29 21:48:32 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-08-30 04:48
    ComboFix2.txt 2010-08-14 14:56
    ComboFix3.txt 2010-08-10 02:22

    Pre-Run: 236,663,062,528 bytes free
    Post-Run: 236,383,076,352 bytes free

    - - End Of File - - 41CAF884B90311C690E3BEFA099F905F



    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=7.00.6000.16386 (vista_rtm.061101-2205)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=d3f344608f45944d9b2e88f2bc227538
    # end=finished
    # remove_checked=true
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-08-25 05:47:27
    # local_time=2010-08-24 10:47:27 (-0800, Pacific Daylight Time)
    # country="United States"
    # lang=1033
    # osver=6.0.6001 NT Service Pack 1
    # compatibility_mode=512 16777215 100 0 0 0 0 0
    # compatibility_mode=768 16777215 100 0 0 0 0 0
    # compatibility_mode=5892 16776637 100 100 39337640 119319748 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=119935
    # found=0
    # cleaned=0
    # scan_time=3028
    # version=7
    # iexplore.exe=7.00.6000.16386 (vista_rtm.061101-2205)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=d3f344608f45944d9b2e88f2bc227538
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-08-27 05:54:23
    # local_time=2010-08-26 10:54:23 (-0800, Pacific Daylight Time)
    # country="United States"
    # lang=9
    # osver=6.0.6001 NT Service Pack 1
    # compatibility_mode=512 16777215 100 0 0 0 0 0
    # compatibility_mode=768 16777215 100 0 0 0 0 0
    # compatibility_mode=5892 16776637 100 100 39510847 119492955 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=119919
    # found=0
    # cleaned=0
    # scan_time=3037
    # version=7
    # iexplore.exe=7.00.6000.16386 (vista_rtm.061101-2205)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=d3f344608f45944d9b2e88f2bc227538
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-08-30 06:01:54
    # local_time=2010-08-29 11:01:54 (-0800, Pacific Daylight Time)
    # country="United States"
    # lang=9
    # osver=6.0.6001 NT Service Pack 1
    # compatibility_mode=512 16777215 100 0 210683 210683 0 0
    # compatibility_mode=768 16777215 100 0 114053 114053 0 0
    # compatibility_mode=5892 16776637 100 100 40982 119751869 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=121382
    # found=0
    # cleaned=0
    # scan_time=3774
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Please ask your friend not to download or run any cleaning scans except as I direct. Although it was stated in my first post not to run any other cleaning programs or scans while cleaning, I now see the following from 8/28:
    c:\users\Chris\AppData\Roaming\Webroot>>>> Webroot what?
    c:\program files\Windows Installer Clean Up
    c:\program files\MSECACHE


    Every time these scans are done, data is collected or removed, the contents of the system changes. That means some of what I previously noted is either gone or changed and some added, this takes my control of the system away. While I'm cleaning out the front door, entries are being added or removed out the backdoor by the user. And I only note Windows Defender disabled in the Combofix header, but I see numerous entries for PCTools.

    PCTools uses ThreatFire for AV. I see drivers/Services now indicating no longer used for PCTools, AdAware, ThreatFire, but Avast is supposed to be the AV.

    Is your friend aware of the type of infection found in Mbam?
    But " plus MABM did pick up an infection in a quick scan."
    backdoor.poisonivy
    This Trojan program provides a remote malicious user with full access to the victim machine. The Trojan itself is a Windows PE EXE file, 9216 bytes in size.
    Once launched, the backdoor copies itself to the Windows root directory as "wab32.exe"
    The backdoor itself is the encrypted server component of Poison Ivy, a common remote administration utility.

    This program is dropped to the victim machine by Trojan-Dropper.Ichitaro.Tarodrop.a, which penetrates the victim machine via a vulnerability in Ichitaro Office Suite.

    It's probably very frustrating for you doing the remote help. But imagine that I am being presented with new contents to deal with every time a log is posted. My recommendation for what you should consider now is:
    1. Make sure one antivirus is installed, running and updating.
    2. Make sure one firewall is installed and configured.
    3. Remove any programs that are in excess of one each of the above.
    4. Change all passwords and monitor any online financial transactions.
    5. Remove all of the tools we used and the files and folders they created:
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Choose Disk Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin
    ====================
    Once this has been done, give your friend the following options:
    1. Reformat/reinstall the operating system
    >OR<
    2. Start a cleaning over, with the preliminary program run, logs pasted in, wait for the recommendation of the helper before going further.
    Once a cleaning has begun, stress to the user that no other cleaning programs or scans should be done unless the helper directs it.
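The restore-point rotation in step 5 above (new baseline point first, then discard every older point so a rollback cannot bring the infection back), scripted rather than clicked through. This is an added example and not part of the original thread or of any of the tools mentioned in it. It assumes an elevated PowerShell 2.0 or later session on Vista/7, where a System Restore point is a VSS shadow copy, restore points kept on C:, English-language vssadmin output, and ComboFix.exe still sitting on the current user's Desktop; that path and the description text are assumptions, adjust them as needed.

```powershell
# Added example, not code from the original thread. Scripts step 5 of the
# post above: uninstall ComboFix, create a clean baseline restore point, then
# delete every older restore point so only the new one remains.
# Assumptions: elevated PowerShell 2.0+, Vista/7 (restore points are VSS
# shadow copies), restore points on C:, English vssadmin output, and
# ComboFix.exe on the current user's Desktop (change $comboFix if not).

$volume   = 'C:'
$comboFix = Join-Path $env:USERPROFILE 'Desktop\ComboFix.exe'   # assumed location

# Refuse to continue unless elevated: vssadmin and Checkpoint-Computer both
# fail silently or with confusing errors from a normal user token.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Run as administrator) PowerShell prompt.'
}

# 1. Uninstall ComboFix and the backups it kept. Same as typing
#    "ComboFix /Uninstall" in the Run box; the space before /Uninstall matters.
if (Test-Path $comboFix) {
    Start-Process -FilePath $comboFix -ArgumentList '/Uninstall' -Wait
}

# Number of VSS shadow copies on the volume, i.e. restore points currently
# kept. Parses the "Shadow Copy ID: {...}" lines of vssadmin's English output.
function Get-ShadowCopyCount {
    param([string]$Volume = $volume)
    $lines = vssadmin list shadows "/for=$Volume" 2>$null
    @($lines | Select-String -Pattern 'Shadow Copy ID:').Count
}

# 2. Create the clean baseline first so it is the newest point and survives
#    the pruning below. MODIFY_SETTINGS is one of the documented type names.
Checkpoint-Computer -Description 'Post-malware-cleanup baseline' `
                    -RestorePointType 'MODIFY_SETTINGS'

# 3. Delete older points, oldest first, until one remains. This is what
#    Disk Cleanup > More Options > System Restore > Clean Up does in the GUI.
#    The guard stops the loop if a delete has no effect instead of spinning.
$before = Get-ShadowCopyCount
while (($count = Get-ShadowCopyCount) -gt 1) {
    vssadmin delete shadows "/for=$volume" /oldest /quiet | Out-Null
    if ((Get-ShadowCopyCount) -ge $count) {
        throw 'vssadmin did not remove a shadow copy; check elevation and volume.'
    }
}
"Restore points on ${volume}: before=$before after=$(Get-ShadowCopyCount)"

# 4. Confirm through the System Restore API that only the new point is listed.
Get-ComputerRestorePoint |
    Select-Object SequenceNumber, Description, RestorePointType
```

Create the baseline before pruning, not after: `vssadmin delete shadows /oldest` always removes the oldest copy on the volume, so if the new point did not yet exist the loop would simply empty the volume. Emptying the Recycle Bin, the last item in the post, is a separate step and is not done here.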
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35
