Inactive [A] AVG detects a Trojan in system file; "smb.sys" causing Windows Update to fail

Status
Not open for further replies.
Antivirus             Result                                          Update
Agnitum               -                                               20121021
AntiVir               -                                               20121022
Antiy-AVL             -                                               20121022
Avast                 Win32:Sirefef-AMS [Rtk]                         20121022
AVG                   ZeroAccess.IH                                   20121022
BitDefender           Gen:Variant.Symmi.2296                          20121022
ByteHero              -                                               20121019
CAT-QuickHeal         -                                               20121022
ClamAV                -                                               20121022
Commtouch             -                                               20121022
Comodo                -                                               20121022
DrWeb                 BackDoor.Maxplus                                20121022
Emsisoft              Gen:Variant.Symmi.2296 (B)                      20121022
eSafe                 -                                               20121017
ESET-NOD32            Win32/Sirefef.DA                                20121022
F-Prot                -                                               20121022
F-Secure              Gen:Variant.Symmi.2296                          20121022
Fortinet              W32/Sirefef.DA!tr                               20121022
GData                 Gen:Variant.Symmi.2296                          20121022
Ikarus                Trojan.ZeroAccess                               20121022
Jiangmin              Trojan/Genome.czgd                              20121022
K7AntiVirus           -                                               20121022
Kaspersky             HEUR:Backdoor.Win32.Generic                     20121022
Kingsoft              -                                               20121008
McAfee                -                                               20121022
McAfee-GW-Edition     Heuristic.BehavesLike.Win32.Suspicious-BAY.K    20121022
Microsoft             -                                               20121022
MicroWorld-eScan      Gen:Variant.Symmi.2296                          20121022
Norman                -                                               20121022
nProtect              -                                               20121022
Panda                 -                                               20121022
PCTools               Trojan.Zeroaccess                               20121022
Rising                Malware.XPACK!4904                              20121022
Sophos                -                                               20121022
SUPERAntiSpyware      -                                               20121022
Symantec              Trojan.Zeroaccess!i11                           20121022
TheHacker             -                                               20121021
TotalDefense          -                                               20121022
TrendMicro            -                                               20121022
TrendMicro-HouseCall  -                                               20121022
VBA32                 -                                               20121022
VIPRE                 Lookslike.Win32.Sirefef.t (v)                   20121022
ViRobot               -                                               20121022
 
Continued...

ssdeep
1536:g0TjNxUGKinE0KWfYmsBlgAolx6FuNMvLbYAg:g0TjN6MCIT7NibYB

TrID
Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)

ExifTool
MIMEType.................: application/octet-stream
Subsystem................: Native
MachineType..............: Intel 386 or later, and compatibles
TimeStamp................: 2012:10:09 21:34:55+01:00
FileType.................: Win32 DLL
PEType...................: PE32
CodeSize.................: 39424
LinkerVersion............: 6.238
EntryPoint...............: 0x6077
InitializedDataSize......: 14848
SubsystemVersion.........: 5.1
ImageVersion.............: 0.0
OSVersion................: 5.1
UninitializedDataSize....: 0

Portable Executable structural information
Compilation timedatestamp.....: 2012-10-09 20:34:55
Target machine................: 0x14C (Intel 386 or later processors and compatible processors)
Entry point address...........: 0x00006077

PE Sections...................:

Name     Virtual Address  Virtual Size  Raw Size  Entropy  MD5
.code    4096             40            512       0.17     2edcb377efa91cd4d13a9e03c2a19235
.icode   8192             40            512       0.76     303844500971a9544e816b6a8ab3a461
.text    12288            23080         23552     7.18     4967b97470e20c579600e6b0a33cead6
.ghfhj   36864            15445         15872     7.13     4bd6360b70af9faeac00d98153378349
.data    53248            1510          1536      5.83     e6848d5290c317b444960216541f1337
.jihfd   57344            872           1024      7.09     7025ce1a6319857b2b553c87a3a421b2
.oiyuh   61440            1760          2048      7.30     1e433ddb5e1078302bcb011bdd56d001
.vcxv    65536            1320          1536      7.26     99174bb39d99939a9569a3ae0fa89dce
.oiuhgf  69632            1320          1536      7.28     1c9088b7d3a5ea3193d498e50aca5543
.ryfg    73728            1760          2048      7.30     4a274483ac8276ad13694e5837414a6e
.fdsgf   77824            1760          2048      7.29     002837f372a5e7dbef4f0ebe68dbfdb9
.rsrc    81920            20709         1024      4.85     89b802f65ad45d5db8ccbd2b4d3ec4a5
.reloc   106496           792           1024      5.37     fff7a42855ede4d409d1f026443b3d43

PE Imports....................:

[[ntoskrnl.exe]]
ZwReadFile, KeInitializeMutex, HalExamineMBR, KeDetachProcess, KeUnstackDetachProcess, RtlUpcaseUnicodeChar, PsGetProcessId, MmFlushImageSection, wcslen, IoGetCurrentProcess, RtlVolumeDeviceToDosName, CcSetReadAheadGranularity, RtlTimeToSecondsSince1980, ExUuidCreate, IoAllocateWorkItem, MmAddVerifierThunks, KeSetTimer, FsRtlLookupLastLargeMcbEntry, IoReadPartitionTable, IoCreateSymbolicLink, FsRtlNotifyUninitializeSync, RtlCompareMemoryUlong, wcsspn, RtlSecondsSince1980ToTime, CcInitializeCacheMap

PE Resources..................:

Resource type      Number of resources
RT_MESSAGETABLE    1

Resource language  Number of resources
ENGLISH US         1

First seen by VirusTotal
2012-10-22 20:13:24 UTC ( 2 minutes ago )

Last seen by VirusTotal
2012-10-22 20:13:24 UTC ( 2 minutes ago )

File names (max. 25)
1. smb.sys
 
SystemLook 30.07.11 by jpshortstuff
Log created at 13:19 on 22/10/2012 by Romeo Jr Chacon
Administrator - Elevation successful
========== filefind ==========
Searching for "smb.sys"
C:\Windows\System32\drivers\smb.sys  --a---- 66560 bytes  [20:29 25/09/2012]  [04:45 11/04/2009]  F31D7577BE73DF2B6B512C44E241B284
C:\Windows\winsxs\x86_microsoft-windows-nbsmb_31bf3856ad364e35_6.0.6001.18000_none_5f6a9133f7f64138\smb.sys  --a---- 66560 bytes  [02:34 21/01/2008]  [02:34 21/01/2008]  031E6BCD53C9B2B9ACE111EAFEC347B6
-= EOF =-
 
1. Please open Notepad (Start>All Programs>Accessories>Notepad).

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
FCopy::
C:\Windows\winsxs\x86_microsoft-windows-nbsmb_31bf3856ad364e35_6.0.6001.18000_none_5f6a9133f7f64138\smb.sys | C:\Windows\System32\drivers\smb.sys

ClearJavaCache::


3. Save the above as CFScript.txt

4. Close/disable all antivirus and anti-malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif

6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
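The FCopy step above restores smb.sys from the WinSxS component store over the infected copy in System32\drivers. A quick way to confirm afterwards that the replacement actually took is to hash both files and compare them, since the SystemLook output earlier in this thread already gives the two MD5 values (infected F31D7577..., component-store copy 031E6BCD...). The script below is an added example and is not part of the thread or of ComboFix; the paths and the two hashes come from the SystemLook log, and the use of Get-FileHash (PowerShell 4.0 or newer) and Get-AuthenticodeSignature is an assumption about the machine it is run on, not something the helper asked for.

```powershell
# Added example (not from the thread): check that the live smb.sys now matches
# the WinSxS copy that FCopy was told to restore from.
# Paths and MD5 values are taken from the SystemLook output in this thread.
# Assumes PowerShell 4.0+ (Get-FileHash) and an elevated prompt.

$Live  = 'C:\Windows\System32\drivers\smb.sys'
$Store = 'C:\Windows\winsxs\x86_microsoft-windows-nbsmb_31bf3856ad364e35_6.0.6001.18000_none_5f6a9133f7f64138\smb.sys'

# MD5 values reported by SystemLook for the infected file and the component-store copy
$KnownBad  = 'F31D7577BE73DF2B6B512C44E241B284'
$KnownGood = '031E6BCD53C9B2B9ACE111EAFEC347B6'

function Test-DriverReplaced {
    param(
        [string]$LivePath,
        [string]$StorePath,
        [string]$BadMd5,
        [string]$GoodMd5
    )

    foreach ($p in $LivePath, $StorePath) {
        if (-not (Test-Path -LiteralPath $p)) { throw "Missing file: $p" }
    }

    # Get-FileHash returns the digest as upper-case hex, so normalise the reference values too
    $liveHash  = (Get-FileHash -LiteralPath $LivePath  -Algorithm MD5).Hash
    $storeHash = (Get-FileHash -LiteralPath $StorePath -Algorithm MD5).Hash

    # Informational only: a genuine OS driver is Microsoft-signed, but many are
    # catalog-signed, which older Windows/PowerShell versions report as NotSigned.
    $sig = Get-AuthenticodeSignature -FilePath $LivePath

    [pscustomobject]@{
        LiveMd5          = $liveHash
        StoreMd5         = $storeHash
        MatchesStore     = ($liveHash -eq $storeHash)
        StillKnownBad    = ($liveHash -eq $BadMd5.ToUpper())
        StoreIsKnownGood = ($storeHash -eq $GoodMd5.ToUpper())
        SignatureStatus  = $sig.Status
        Signer           = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
    }
}

$result = Test-DriverReplaced -LivePath $Live -StorePath $Store -BadMd5 $KnownBad -GoodMd5 $KnownGood
$result | Format-List

# Decide on the hashes; the signature line is reported but not relied on (see comment above)
if ($result.StillKnownBad) {
    Write-Warning 'smb.sys still has the infected hash; the copy did not take.'
} elseif (-not $result.MatchesStore) {
    Write-Warning 'smb.sys differs from the WinSxS copy; inspect before trusting it.'
} elseif (-not $result.StoreIsKnownGood) {
    Write-Warning 'The WinSxS copy itself no longer matches the hash SystemLook reported; do not treat it as a clean source.'
} else {
    Write-Host 'smb.sys matches the component-store copy.'
}
```

The last branch matters: restoring from WinSxS is only as good as the store copy, so the script refuses to call the system clean if that file's hash has changed since the SystemLook run. On the Vista machine in this thread the signature check will likely read NotSigned for a catalog-signed driver, which is why the decision is made on the hashes alone.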
 
ComboFix 12-10-22.02 - Romeo Jr Chacon 10/22/2012 14:08:06.3.1 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1919.1143 [GMT -7:00]
Running from: c:\users\Romeo Jr Chacon\Desktop\ComboFix.exe
Command switches used :: c:\users\Romeo Jr Chacon\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
--------------- FCopy ---------------
.
c:\windows\winsxs\x86_microsoft-windows-nbsmb_31bf3856ad364e35_6.0.6001.18000_none_5f6a9133f7f64138\smb.sys --> c:\windows\System32\drivers\smb.sys
.
((((((((((((((((((((((((( Files Created from 2012-09-22 to 2012-10-22 )))))))))))))))))))))))))))))))
.
.
2012-10-22 21:15 . 2012-10-22 21:15  --------  d-----w-  c:\users\Default\AppData\Local\temp
2012-10-21 07:20 . 2012-08-23 18:31  32120  ----a-w-  c:\windows\system32\TURegOpt.exe
2012-10-21 07:20 . 2012-08-23 18:31  21880  ----a-w-  c:\windows\system32\authuitu.dll
2012-10-16 19:46 . 2012-10-22 00:43  --------  d-----w-  c:\windows\system32\catroot2
2012-10-13 15:55 . 2012-10-13 15:55  --------  d-----w-  c:\users\Default\AppData\Roaming\TuneUp Software
2012-10-12 04:13 . 2012-10-12 06:33  73656  ----a-w-  c:\windows\system32\FlashPlayerCPLApp.cpl
2012-10-12 04:13 . 2012-10-12 06:33  696760  ----a-w-  c:\windows\system32\FlashPlayerApp.exe
2012-10-12 03:27 . 2012-10-12 03:27  --------  d-----w-  c:\programdata\Norton
2012-10-11 03:36 . 2012-10-02 19:29  2557288  ----a-w-  c:\windows\system32\nvsvcr.dll
2012-10-11 03:32 . 2012-10-02 22:20  6127464  ----a-w-  c:\windows\system32\nvopencl.dll
2012-10-11 03:32 . 2012-10-02 22:20  2574696  ----a-w-  c:\windows\system32\nvcuvid.dll
2012-10-11 03:32 . 2012-10-02 22:20  19906920  ----a-w-  c:\windows\system32\nvoglv32.dll
2012-10-11 03:32 . 2012-10-02 22:20  10837352  ----a-w-  c:\windows\system32\drivers\nvlddmkm.sys
2012-10-11 03:32 . 2012-10-02 22:20  1867112  ----a-w-  c:\windows\system32\nvcuvenc.dll
2012-10-11 03:32 . 2012-10-02 22:20  7697768  ----a-w-  c:\windows\system32\nvcuda.dll
2012-10-11 03:32 . 2012-10-02 22:20  17559912  ----a-w-  c:\windows\system32\nvcompiler.dll
2012-10-10 17:48 . 2012-09-13 13:28  2048  ----a-w-  c:\windows\system32\tzres.dll
2012-10-10 17:48 . 2012-06-02 00:02  985088  ----a-w-  c:\windows\system32\crypt32.dll
2012-10-10 17:48 . 2012-06-02 00:02  98304  ----a-w-  c:\windows\system32\cryptnet.dll
2012-10-10 17:48 . 2012-06-02 00:02  133120  ----a-w-  c:\windows\system32\cryptsvc.dll
2012-10-10 17:48 . 2012-08-24 15:53  172544  ----a-w-  c:\windows\system32\wintrust.dll
2012-10-10 17:48 . 2012-08-29 11:27  3602816  ----a-w-  c:\windows\system32\ntkrnlpa.exe
2012-10-10 17:48 . 2012-08-29 11:27  3550080  ----a-w-  c:\windows\system32\ntoskrnl.exe
2012-10-09 19:49 . 2012-10-09 19:49  --------  d-----w-  c:\programdata\stw-audio
2012-10-07 23:56 . 2012-10-07 23:56  --------  d-----w-  c:\programdata\Leawo
2012-10-07 23:56 . 2011-03-02 10:43  175616  ----a-w-  c:\windows\system32\unrar.dll
2012-10-05 03:07 . 2012-10-05 03:07  --------  d-----w-  c:\program files\Novation
2012-10-03 22:21 . 2012-10-05 02:58  --------  d-----w-  c:\program files\Rob Papen
2012-10-01 22:28 . 2012-10-01 22:28  159744  ----a-w-  c:\program files\Internet Explorer\Plugins\npqtplugin7.dll
2012-10-01 22:28 . 2012-10-01 22:28  159744  ----a-w-  c:\program files\Internet Explorer\Plugins\npqtplugin6.dll
2012-10-01 22:28 . 2012-10-01 22:28  159744  ----a-w-  c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
2012-10-01 22:28 . 2012-10-01 22:28  159744  ----a-w-  c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
2012-10-01 22:28 . 2012-10-01 22:28  159744  ----a-w-  c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
2012-10-01 22:28 . 2012-10-01 22:28  159744  ----a-w-  c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
2012-10-01 22:28 . 2012-10-01 22:28  159744  ----a-w-  c:\program files\Internet Explorer\Plugins\npqtplugin.dll
2012-10-01 22:28 . 2012-10-01 22:28  --------  d-----w-  c:\program files\QuickTime
2012-10-01 22:26 . 2012-10-01 22:26  --------  d-----w-  c:\program files\NewBlue
2012-10-01 22:12 . 2011-02-26 23:17  506824  ----a-w-  c:\windows\system32\prodad-codec.dll
2012-10-01 22:11 . 2012-10-01 22:16  --------  d-----w-  c:\programdata\proDAD
2012-10-01 22:11 . 2012-10-01 22:12  --------  d-----w-  c:\program files\proDAD
2012-10-01 22:11 . 2003-07-09 16:43  45056  ----a-w-  c:\windows\system32\BFXSrcFilter.ax
2012-10-01 22:11 . 2003-07-01 22:49  69632  ----a-w-  c:\windows\system32\MtxPreview.dll
2012-10-01 22:11 . 2003-07-01 22:49  49152  ----a-w-  c:\windows\system32\MtxParhBFXPreview.dll
2012-10-01 22:11 . 2003-06-26 16:04  237568  ----a-r-  c:\windows\system32\qtmlClient.dll
2012-10-01 22:11 . 2003-01-20 15:08  49152  ----a-w-  c:\windows\system32\CvoAPI.dll
2012-10-01 22:11 . 2012-10-01 22:11  --------  d-----w-  c:\program files\Boris FX, Inc
2012-10-01 22:06 . 2012-10-01 22:29  --------  d-----w-  c:\programdata\eSellerate
2012-10-01 22:05 . 2012-10-01 22:06  --------  d-----w-  c:\program files\SmartSound Software
2012-10-01 22:05 . 2012-10-01 22:06  --------  d-----w-  c:\programdata\SmartSound Software Inc
2012-10-01 22:04 . 2012-10-01 22:04  --------  d-----w-  c:\programdata\InterVideo
2012-10-01 22:01 . 2012-10-01 22:01  --------  d-----w-  c:\program files\Windows Media Components
2012-10-01 02:43 . 2012-10-01 02:45  --------  d-----w-  c:\program files\CCleaner
2012-09-30 04:47 . 2012-09-30 04:47  --------  d-----w-  c:\program files\Common Files\Wondershare
2012-09-30 04:46 . 2011-11-17 23:08  16640  ----a-w-  c:\windows\system32\drivers\WsAudioDevice_383.sys
2012-09-30 04:46 . 2012-09-30 04:46  --------  d-----w-  c:\program files\Wondershare
2012-09-30 03:52 . 2012-09-30 03:52  --------  d-----w-  c:\program files\Common Files\xing shared
2012-09-30 03:52 . 2012-09-30 03:52  --------  d-----w-  c:\program files\Real
2012-09-28 22:07 . 2005-05-26 22:34  2297552  ----a-w-  c:\windows\system32\d3dx9_26.dll
2012-09-28 22:04 . 2012-10-12 18:40  --------  d--h--w-  c:\windows\msdownld.tmp
2012-09-28 22:04 . 2012-10-14 02:48  --------  d-----w-  C:\Games
2012-09-28 21:38 . 2012-09-28 21:38  --------  d-----w-  c:\program files\LUXONIX
2012-09-28 21:38 . 2005-03-24 15:26  491520  ----a-w-  c:\windows\system32\msvcr80.dll
2012-09-28 21:37 . 2012-09-28 21:37  2249  ----a-w-  C:\FLVDirect.exe
2012-09-28 20:55 . 2012-09-28 20:55  --------  d-----w-  c:\program files\IK Multimedia
2012-09-28 17:38 . 2012-09-28 17:40  --------  d-----w-  c:\programdata\Protexis
2012-09-28 17:36 . 2012-10-01 22:03  --------  d-----w-  c:\programdata\Corel
2012-09-28 17:36 . 2012-09-28 17:36  --------  d-----w-  c:\program files\Common Files\Protexis
2012-09-28 17:35 . 2012-10-01 22:01  --------  d-----w-  c:\program files\Corel
2012-09-28 16:42 . 2012-09-28 16:44  --------  d-----w-  c:\programdata\regid.1986-12.com.adobe
2012-09-28 16:37 . 2012-09-28 16:37  --------  d-----w-  c:\program files\Common Files\Adobe AIR
2012-09-28 14:48 . 2012-09-28 14:48  --------  d-----w-  c:\program files\Edirol
2012-09-28 14:11 . 2012-09-28 14:11  --------  d-----w-  c:\programdata\4Front
2012-09-28 14:10 . 2012-09-28 14:11  --------  d-----w-  c:\program files\TruePianos
2012-09-28 02:42 . 2012-09-28 02:42  1060864  ----a-w-  c:\windows\system32\mfc71.dll
2012-09-28 02:42 . 2003-06-20 19:28  1777664  ----a-w-  c:\windows\system32\gdiplus.dll
2012-09-27 18:12 . 2012-09-30 03:52  499712  ----a-w-  c:\windows\system32\msvcp71.dll
2012-09-27 18:12 . 2012-09-30 03:52  348160  ----a-w-  c:\windows\system32\msvcr71.dll
2012-09-27 17:38 . 2011-05-23 09:52  153088  ----a-w-  c:\windows\system32\xvid.ax
2012-09-27 17:38 . 2011-05-23 07:46  645632  ----a-w-  c:\windows\system32\xvidcore.dll
2012-09-27 17:38 . 2011-05-30 13:42  240640  ----a-w-  c:\windows\system32\xvidvfw.dll
2012-09-27 17:38 . 2012-09-27 17:38  --------  d-----w-  c:\program files\Xvid
2012-09-27 17:31 . 2012-09-27 17:31  --------  dc----w-  c:\windows\system32\DRVSTORE
2012-09-27 17:31 . 2012-08-21 20:01  26840  ----a-w-  c:\windows\system32\drivers\GEARAspiWDM.sys
2012-09-27 17:31 . 2012-09-27 17:31  --------  d-----w-  c:\program files\iPod
2012-09-27 17:31 . 2012-09-27 17:31  --------  d-----w-  c:\programdata\188F1432-103A-4ffb-80F1-36B633C5C9E1
2012-09-27 17:31 . 2012-09-27 17:31  --------  d-----w-  c:\programdata\Apple Computer
2012-09-27 17:31 . 2012-09-27 17:31  --------  d-----w-  c:\program files\iTunes
2012-09-27 17:22 . 2012-09-27 17:22  --------  d-----w-  c:\program files\Apple Software Update
2012-09-27 17:20 . 2012-09-27 17:20  --------  d-----w-  c:\program files\Bonjour
2012-09-27 17:20 . 2012-09-27 21:57  --------  d-----w-  c:\program files\Common Files\Apple
2012-09-27 17:20 . 2012-09-27 17:22  --------  d-----w-  c:\programdata\Apple
2012-09-27 13:21 . 2012-09-27 13:21  --------  d-----w-  c:\program files\PlatinumHideIP
2012-09-27 12:57 . 2012-09-27 12:57  --------  d-----w-  c:\programdata\PlatinumHideIP
2012-09-27 12:06 . 2012-09-27 12:06  --------  d-----w-  c:\program files\PowerISO
2012-09-27 03:59 . 2012-09-27 03:59  --------  dc-h--w-  c:\programdata\{E26B3878-7CEC-469C-B449-5CAA336DF8CD}
2012-09-27 03:59 . 2012-09-27 03:59  --------  d-----w-  c:\program files\Common Files\Native Instruments
2012-09-27 03:59 . 2012-09-27 03:59  --------  dc-h--w-  c:\programdata\{C78336EC-F2EB-4640-99A4-DFE96581B90B}
2012-09-27 03:59 . 2012-09-29 15:44  --------  d-----w-  c:\program files\Native Instruments
2012-09-27 03:59 . 2012-09-27 03:59  --------  d-----w-  c:\programdata\Native Instruments
2012-09-26 20:00 . 2012-09-26 20:00  413696  ----a-w-  c:\windows\system32\wrap_oal.dll
2012-09-26 20:00 . 2012-09-26 20:00  110592  ----a-w-  c:\windows\system32\OpenAL32.dll
2012-09-26 11:26 . 2012-10-01 22:04  --------  d-----w-  c:\program files\Common Files\InstallShield
2012-09-26 11:15 . 2012-09-26 11:15  --------  d-----w-  c:\program files\ASIO4ALL v2
2012-09-26 11:15 . 2012-10-09 19:52  --------  d-----w-  c:\program files\VstPlugins
2012-09-26 11:15 . 2011-10-11 14:45  1431552  ----a-w-  c:\windows\system32\rewire.dll
2012-09-26 11:15 . 2009-09-15 09:14  1554944  ----a-w-  c:\windows\system32\vorbis.acm
2012-09-26 11:14 . 2012-09-26 11:14  --------  d-----w-  c:\program files\Outsim
2012-09-26 11:11 . 2012-09-26 11:15  --------  d-----w-  c:\program files\Image-Line
2012-09-26 02:01 . 2012-09-26 02:01  679936  ----a-w-  c:\windows\system32\Fliqlo.scr
2012-09-26 02:01 . 2012-09-26 02:01  --------  d-----w-  c:\programdata\Screentime
2012-09-26 01:59 . 2012-09-26 01:59  --------  d-----w-  c:\windows\system32\Macromed
2012-09-25 22:53 . 2012-09-25 22:54  --------  d-----w-  c:\programdata\WinZip
2012-09-25 22:41 . 2012-09-25 22:43  --------  d-----w-  c:\programdata\AVG
2012-09-25 22:41 . 2012-09-25 22:41  --------  d-sh--w-  c:\programdata\{D1D4879F-2279-49C9-AEBF-3B95C84EAA8F}
2012-09-25 22:31 . 2012-09-25 22:31  --------  d-----w-  C:\$AVG
2012-09-25 22:29 . 2012-10-22 04:34  --------  d-----w-  c:\program files\AVG
2012-09-25 22:27 . 2012-09-25 22:27  --------  d--h--w-  c:\programdata\Common Files
2012-09-25 22:21 . 2012-09-25 22:21  --------  d-----w-  c:\program files\FrostWire 5
2012-09-25 22:10 . 2012-09-25 22:10  --------  d-----w-  c:\program files\RocketDock
2012-09-25 22:08 . 2012-10-22 04:34  --------  d-----w-  c:\users\UpdatusUser
2012-09-25 22:07 . 2012-10-02 19:29  645992  ----a-w-  c:\windows\system32\nvvsvc.exe
2012-09-25 22:07 . 2012-10-02 19:29  62312  ----a-w-  c:\windows\system32\nvshext.dll
2012-09-25 22:07 . 2012-10-02 19:29  108392  ----a-w-  c:\windows\system32\nvmctray.dll
2012-09-25 22:07 . 2012-10-02 19:29  2853224  ----a-w-  c:\windows\system32\nvsvc.dll
2012-09-25 22:07 . 2012-10-02 19:28  3965288  ----a-w-  c:\windows\system32\nvcpl.dll
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-02 22:20 . 2012-02-10 05:43  1009512  ----a-w-  c:\windows\system32\nvdispco32.dll
2012-10-02 22:20 . 2008-01-21 02:32  15309160  ----a-w-  c:\windows\system32\nvd3dum.dll
2012-09-25 21:21 . 2012-09-25 21:21  4096  ----a-w-  c:\windows\system32\drivers\en-US\dxgkrnl.sys.mui
2012-08-24 07:57 . 2012-08-24 07:57  113104  ----a-w-  c:\windows\system32\drivers\scdemu.sys
2012-08-21 20:01 . 2012-08-21 20:01  106928  ----a-w-  c:\windows\system32\GEARAspi.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"Xvid"="c:\program files\Xvid\CheckUpdate.exe" [2011-01-17 8192]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"P17RunE"="P17RunE.dll" [2008-03-28 14848]
"VolPanel"="c:\program files\Creative\SBAudigy\Volume Panel\VolPanlu.exe" [2007-03-01 180224]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-08-28 59280]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2012-09-20 444904]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5.5ServiceManager"="c:\program files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 1523360]
"Wondershare Helper Compact.exe"="c:\program files\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe" [2012-02-28 1679360]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2012-09-30 296096]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Wireless Connection Manager.lnk - c:\program files\D-Link\DWA-552 revA\wirelesscm.exe [2012-9-25 517440]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Google Update"="c:\users\Romeo Jr Chacon\AppData\Local\Google\Update\GoogleUpdate.exe" /c
"WindowsWelcomeCenter"=rundll32.exe oobefldr.dll,ShowWelcomeCenter
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"UpdReg"=c:\windows\UpdReg.EXE
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" -osboot
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork  REG_MULTI_SZ  PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation  REG_MULTI_SZ  FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-10-22 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-10-12 06:33]
.
2012-10-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2321283058-4084574830-2792957718-1000Core.job
- c:\users\Romeo Jr Chacon\AppData\Local\Google\Update\GoogleUpdate.exe [2012-09-25 21:54]
.
2012-10-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2321283058-4084574830-2792957718-1000UA.job
- c:\users\Romeo Jr Chacon\AppData\Local\Google\Update\GoogleUpdate.exe [2012-09-25 21:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=;ftp=;https=;
TCP: DhcpNameServer = 10.0.1.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-10-22 14:15
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2012-10-22 14:17:23
ComboFix-quarantined-files.txt 2012-10-22 21:17
ComboFix2.txt 2012-10-22 04:53
.
Pre-Run: 583,559,942,144 bytes free
Post-Run: 583,537,700,864 bytes free
.
- - End Of File - - E3BA1419E0B18091CBFE81BF2E0D17B8
 
Can I download a different Antivirus? Maybe Norton. AVG is acting up and I keep getting the Windows Installer could not be accessed error.
 
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-10-21 15:06:43
-----------------------------
15:06:43.944 OS Version: Windows 6.0.6002 Service Pack 2
15:06:43.945 Number of processors: 1 586 0x7F02
15:06:43.946 ComputerName: STUDIO UserName:
15:06:45.716 Initialize success
15:10:57.293 AVAST engine defs: 12102101
15:11:03.937 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000058
15:11:03.942 Disk 0 Vendor: WDC_WD75 15.0 Size: 715404MB BusType: 6
15:11:03.951 Disk 0 MBR read successfully
15:11:03.956 Disk 0 MBR scan
15:11:03.962 Disk 0 Windows VISTA default MBR code
15:11:03.968 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 715402 MB offset 2048
15:11:04.015 Disk 0 scanning sectors +1465145344
15:11:04.122 Disk 0 scanning C:\Windows\system32\drivers
15:11:12.955 File: C:\Windows\system32\drivers\smb.sys **INFECTED** Win32:Sirefef-AMS [Rtk]
15:11:16.518 Disk 0 trace - called modules:
15:11:16.534 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll storport.sys nvstor32.sys
15:11:16.539 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x84a37a28]
15:11:16.546 3 CLASSPNP.SYS[875a38b3] -> nt!IofCallDriver -> [0x83b90aa0]
15:11:16.562 5 acpi.sys[8060f6bc] -> nt!IofCallDriver -> \Device\00000058[0x83b8aa88]
15:11:18.112 AVAST engine scan C:\Windows
15:11:21.294 AVAST engine scan C:\Windows\system32
15:14:57.262 AVAST engine scan C:\Windows\system32\drivers
15:15:06.426 File: C:\Windows\system32\drivers\smb.sys **INFECTED** Win32:Sirefef-AMS [Rtk]
15:15:10.430 AVAST engine scan C:\Users\Romeo Jr Chacon
15:28:38.631 Disk 0 MBR has been saved successfully to "C:\Users\Romeo Jr Chacon\Desktop\MBR.dat"
15:28:38.633 The log file has been saved successfully to "C:\Users\Romeo Jr Chacon\Desktop\aswMBR.txt"


aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-10-22 15:08:27
-----------------------------
15:08:27.234 OS Version: Windows 6.0.6002 Service Pack 2
15:08:27.234 Number of processors: 1 586 0x7F02
15:08:27.250 ComputerName: STUDIO UserName:
15:08:41.290 Initialize success
15:08:41.415 AVAST engine defs: 12082100
15:08:53.629 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000053
15:08:53.629 Disk 0 Vendor: WDC_WD75 15.0 Size: 715404MB BusType: 6
15:08:53.645 Disk 0 MBR read successfully
15:08:53.645 Disk 0 MBR scan
15:08:53.661 Disk 0 Windows VISTA default MBR code
15:08:53.661 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 715402 MB offset 2048
15:08:53.661 Disk 0 scanning sectors +1465145344
15:08:53.739 Disk 0 scanning C:\Windows\system32\drivers
15:09:00.774 Service scanning
15:09:14.611 Modules scanning
15:09:18.823 Disk 0 trace - called modules:
15:09:18.839 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll storport.sys nvstor32.sys
15:09:18.855 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x84430740]
15:09:18.855 3 CLASSPNP.SYS[86fa48b3] -> nt!IofCallDriver -> [0x83597e00]
15:09:18.870 5 acpi.sys[806116bc] -> nt!IofCallDriver -> \Device\00000053[0x835a29c0]
15:09:20.508 AVAST engine scan C:\Windows
15:09:26.218 AVAST engine scan C:\Windows\system32
15:11:46.821 AVAST engine scan C:\Windows\system32\drivers
15:12:01.890 AVAST engine scan C:\Users\Romeo Jr Chacon
15:18:17.261 Disk 0 MBR has been saved successfully to "C:\Users\Romeo Jr Chacon\Desktop\MBR.dat"
15:18:17.308 The log file has been saved successfully to "C:\Users\Romeo Jr Chacon\Desktop\aswMBR.txt"
 
Looks good :)

Any current issues?

==============================

Download OTL to your Desktop.
Alternate download: http://www.itxassociates.com/OT-Tools/OTL.exe

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Click the Scan All Users checkbox.
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
Yes, the file is still infected.
I ran a complete scan using AVAST and it detected the same infection.

I'll be posting the OTL log here in a bit.
 
This topic is marked as abandoned and closed due to inactivity.
This member will NOT be eligible to receive any more help in malware removal forum.
 