Author Topic: multi-prong virus attack  (Read 1914 times)

Offline rshaffer4444

  • *
  • Posts: 9
multi-prong virus attack
« on: March 25, 2011, 23:11:10 »
Hi,

This started with a warning from Windows that system files had been changed.  I promptly stepped on them with a month-old System Restore checkpoint backup.

The next day, Windows did not recognize the .exe extension and nothing would run.  I found a registry update file on the internet, specifically for this problem, and ran it on the infected machine.  We could then run .exe files.

I then noticed that search engine results had been hijacked.  I browsed for a solution from another computer and found the combofix.exe program.  I ran it and it discovered and removed a rootkit.  Browser searches then worked ok.

The following day, I discovered that Windows Update could not be set to automatic update and I got a system tray warning that it was off.  I discovered that the Windows Update service didn't appear in the services window.  I again searched the net and tried a suggestion to register one of the service's supporting .dll files.  That worked.

I checked my clamwin virus scan from earlier that morning and it had found freshly infected files with the Trojan.GenericFF-1 virus.  I tried to scan one of the files at the virustotal site, but my browser could not find the site.  I had tried to get more information about the virus on the internet and noticed that my browser could not find many of the sites.

I decided to find out more about the combofix.exe that seemed to do such a comprehensive job and discovered that I was not supposed to run it without expert help.  So, here I am asking for expert help.  Below is the DDS.txt paste and I will attach ark.txt and attach.txt.  If you request, I will also send the combofix.txt file that I saved.

Thank you in advance for your help.

-Randy

.
DDS (Ver_11-03-05.01) - NTFSx86 
Run by Linda at 12:15:46.00 on Fri 03/25/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1022.504 [GMT -6:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\WINDOWS\explorer.exe
C:\Program Files\7-Zip\7zFM.exe
C:\DOCUME~1\LINDA~1.AST\LOCALS~1\Temp\7zO30.tmp\procexp.exe
C:\Program Files\Vim\vim73\gvim.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Linda.ASTRO\My Documents\Downloads\dds.com
C:\WINDOWS\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\linda.astro\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Google Update] "c:\documents and settings\linda.astro\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [ClamWin] "c:\program files\clamwin\bin\ClamTray.exe" --logon
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
mRun: [IndexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"
mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\documents and settings\all users.windows\application data\scansoft\paperport\11\config\ereg\Ereg.ini"
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\kodaks~1.lnk - c:\program files\kodak\kodak software updater\7288971\program\Kodak Software Updater.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\linda~1.ast\applic~1\mozilla\firefox\profiles\rysm992e.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\linda.astro\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
============= SERVICES / DRIVERS ===============
.
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 163840]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-3-24 136176]
.
=============== Created Last 30 ================
.
2011-03-25 17:51:19   --------   d-----w-   c:\program files\Vim
2011-03-24 18:52:42   --------   dc----w-   c:\docume~1\linda~1.ast\locals~1\applic~1\Temp
2011-03-24 18:52:29   --------   dc----w-   c:\docume~1\linda~1.ast\locals~1\applic~1\Google
2011-03-22 23:13:42   --------   dcsha-r-   C:\cmdcons
2011-03-22 23:11:04   98816   ----a-w-   c:\windows\sed.exe
2011-03-22 23:11:04   89088   ----a-w-   c:\windows\MBR.exe
2011-03-22 23:11:04   256512   ----a-w-   c:\windows\PEV.exe
2011-03-22 23:11:04   161792   ----a-w-   c:\windows\SWREG.exe
2011-03-22 19:43:20   0   ----a-w-   c:\windows\Hrojided.bin
2011-03-22 18:20:35   140288   ----a-w-   c:\windows\Qmatea.exe
2011-03-22 18:20:09   135168   --sha-r-   c:\windows\system32\tlntadmns.dll
2011-03-07 18:14:59   --------   d-----w-   c:\windows\system32\wbem\repository\FS
2011-03-07 18:14:59   --------   d-----w-   c:\windows\system32\wbem\Repository
.
==================== Find3M  ====================
.
.
============= FINISH: 12:17:59.96 ===============



[attachment deleted by admin]


Offline Derek

  • Administrator
  • *****
  • Posts: 11927
Re: multi-prong virus attack
« Reply #1 on: March 26, 2011, 06:16:51 »
Yes, post the log ComboFix made the first time it ran so we can see what it did fix.
There are a few things in the DDS log that need fixing.
Derek
Microsoft MVP Windows - Security
Modern Malware is so involved and difficult to fix that it takes a very long time and a lot of hard work and research to prepare the fixes for you. A large part of my time is spent helping you
Would you do all this for nothing?
I run this site to raise funds for Hedgehog Rescue
Please donate if I have helped you or you have found this site useful.

Offline rshaffer4444

  • *
  • Posts: 9
Re: multi-prong virus attack
« Reply #2 on: March 26, 2011, 12:01:32 »
ComboFix.log:

ComboFix 11-03-22.04 - Linda 03/22/2011  17:23:48.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1022.747 [GMT -6:00]
Running from: E:\ComboFix.exe
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Linda.ASTRO\Application Data\53EDA83F5B95C01C5347AD06157CA168
c:\documents and settings\Linda.ASTRO\Application Data\53EDA83F5B95C01C5347AD06157CA168\asp70vdviss.exe
c:\documents and settings\Linda.ASTRO\Application Data\53EDA83F5B95C01C5347AD06157CA168\enemies-names.txt
c:\documents and settings\Linda.ASTRO\Application Data\53EDA83F5B95C01C5347AD06157CA168\local.ini
c:\documents and settings\Linda.ASTRO\Application Data\Adobe\plugs
c:\documents and settings\Linda.ASTRO\Application Data\Adobe\shed
c:\documents and settings\Linda.ASTRO\Local Settings\Application Data\mxb.exe
C:\Images
c:\images\printer_image_faded.gif
c:\images\Thumbs.db
c:\program files\AdwareAlert
c:\program files\AdwareAlert\DataBaseNew.ref
c:\program files\AdwareAlert\Log\log_2006_10_15_21_02_39.log
c:\program files\AdwareAlert\Log\log_2006_10_15_21_02_56.log
c:\program files\AdwareAlert\Log\log_2006_10_15_21_04_10.log
c:\program files\AdwareAlert\Log\log_2006_10_15_21_04_12.log
c:\program files\AdwareAlert\Settings\CustomScan.stg
c:\program files\AdwareAlert\Settings\IgnoreList.stg
c:\program files\AdwareAlert\Settings\ScanInfo.stg
c:\program files\AdwareAlert\Settings\SelectedFolders.stg
c:\program files\AdwareAlert\Settings\Settings.stg
c:\program files\Hotbar
c:\program files\newdotnet
c:\program files\newdotnet\nncore.dll
c:\program files\newdotnet\readme.html
c:\program files\newdotnet\uninstall.exe
c:\windows\Downloaded Program Files\Logs
c:\windows\Downloaded Program Files\Temp
c:\windows\KPDO71.dll
c:\windows\ufemuhifopa.dll
.
.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
(((((((((((((((((((((((((   Files Created from 2011-02-22 to 2011-03-22  )))))))))))))))))))))))))))))))
.
.
2011-03-22 19:43 . 2011-03-22 19:43   0   ----a-w-   c:\windows\Hrojided.bin
2011-03-22 19:43 . 2011-03-22 19:43   --------   dc----w-   c:\documents and settings\Linda.ASTRO\Local Settings\Application Data\{58241350-C8C8-4383-AD22-5FABE6670289}
2011-03-22 19:43 . 2011-03-22 19:43   --------   dcsh--w-   c:\documents and settings\LocalService.NT AUTHORITY\IETldCache
2011-03-22 18:35 . 2011-03-22 18:35   --------   dcsh--w-   c:\documents and settings\NetworkService.NT AUTHORITY\IETldCache
2011-03-22 18:20 . 2011-03-22 18:20   140288   ----a-w-   c:\windows\Qmatea.exe
2011-03-22 18:20 . 2011-03-22 18:20   135168   --sha-r-   c:\windows\system32\tlntadmns.dll
2011-03-21 22:01 . 2011-03-21 22:01   108544   -c----w-   c:\documents and settings\Linda.ASTRO\Application Data\Esbwba.exe
2011-03-07 18:14 . 2011-03-07 18:14   --------   d-----w-   c:\windows\system32\wbem\Repository
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Esbwba"="c:\documents and settings\Linda.ASTRO\Application Data\Esbwba.exe" [2011-03-21 108544]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1392640]
"ClamWin"="c:\program files\ClamWin\bin\ClamTray.exe" [2010-05-24 86016]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-12 29984]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-10-12 46368]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2008-05-29 1085440]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-12-21 86016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-09-24 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
.
c:\documents and settings\Administrator.ASTRO\Start Menu\Programs\Startup\
Uninstall LastPass RunOnce.lnk - c:\documents and settings\Administrator.ASTRO\Application Data\lpuninstall.exe [2010-10-8 8134344]
.
c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-11-4 176128]
KODAK Software Updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-2-13 16423]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Adobe\\Photoshop Elements 7.0\\AdobePhotoshopElementsMediaServer.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Brother\\Brmfl08b\\FAXRX.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"54925:UDP"= 54925:UDP:BrotherNetwork Scanner
.
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [9/16/2008 2:02 PM 163840]
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-22 c:\windows\Tasks\User_Feed_Synchronization-{388E541C-49F3-4027-9787-C71E3DBB5962}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 10:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
FF - ProfilePath - c:\documents and settings\Linda.ASTRO\Application Data\Mozilla\Firefox\Profiles\rysm992e.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: XULRunner: {58241350-C8C8-4383-AD22-5FABE6670289} - c:\documents and settings\Linda.ASTRO\Local Settings\Application Data\{58241350-C8C8-4383-AD22-5FABE6670289}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-asp70vdviss.exe - c:\documents and settings\Linda.ASTRO\Application Data\53EDA83F5B95C01C5347AD06157CA168\asp70vdviss.exe
HKCU-Run-Uxecapaxim - c:\windows\KPDO71.dll
HKLM-Run-SigmatelSysTrayApp - %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
HKLM-Run-ATICCC - c:\program files\ATI Technologies\ATI.ACE\cli.exe
HKLM-Run-Hcecuhiqijoyiqop - c:\windows\ufemuhifopa.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-22 17:40
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(912)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
c:\windows\System32\MFC71.DLL
c:\windows\System32\MSVCP71.dll
.
Completion time: 2011-03-22  17:43:22
ComboFix-quarantined-files.txt  2011-03-22 23:43
.
Pre-Run: 53,149,908,992 bytes free
Post-Run: 54,778,740,736 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 1F6DC6DDCEB2FEB61E927E8C704783C2
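The entries the helper acts on in the logs above (new binaries dropped straight into c:\windows, a system+hidden DLL in system32, an executable sitting in the Application Data root with a matching Run key, and the Security Center override / firewall-off values) can be pulled out of DDS and ComboFix output mechanically. The script below is an added triage example, not something from this thread or from the DDS/ComboFix tools; its sample lines are constructed to mirror the log format shown here, and the list of files ComboFix itself drops into c:\windows is an assumption to verify against your own clean run.

```python
import ntpath
import re
from dataclasses import dataclass

# Constructed sample lines in the shape of the DDS "Created Last 30", ComboFix
# "Files Created" and ComboFix "Reg Loading Points" sections seen in the thread.
SAMPLE_LOG = r"""
2011-03-22 23:13:42   --------   dcsha-r-   C:\cmdcons
2011-03-22 23:11:04   98816   ----a-w-   c:\windows\sed.exe
2011-03-22 18:20:35   140288   ----a-w-   c:\windows\Qmatea.exe
2011-03-22 18:20:09   135168   --sha-r-   c:\windows\system32\tlntadmns.dll
2011-03-22 19:43:20   0   ----a-w-   c:\windows\Hrojided.bin
2011-03-07 18:14:59   --------   d-----w-   c:\windows\system32\wbem\Repository
2011-03-21 22:01 . 2011-03-21 22:01   108544   -c----w-   c:\documents and settings\Linda.ASTRO\Application Data\Esbwba.exe
2011-03-25 17:51 . 2011-03-25 17:51   --------   d-----w-   c:\program files\Vim
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Esbwba"="c:\documents and settings\Linda.ASTRO\Application Data\Esbwba.exe" [2011-03-21 108544]
"ClamWin"="c:\program files\ClamWin\bin\ClamTray.exe" [2010-05-24 86016]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# DDS lines carry one timestamp with seconds; ComboFix lines carry "created . modified".
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?::\d{2})?)"
    r"(?: \. \d{4}-\d{2}-\d{2} \d{2}:\d{2})?"
    r"\s+(?P<size>\d+|-{8})\s+(?P<attrs>[a-z-]{8})\s+(?P<path>\S.*?)\s*$"
)
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s+\[\d{4}-\d{2}-\d{2} \d+\]\s*$')
OVERRIDE_RE = re.compile(r'^"(?P<key>AntiVirusOverride|FirewallOverride)"=dword:0*1\s*$')
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"=\s*0\b')

WINDOWS_DIRS = {r"c:\windows", r"c:\windows\system32"}
# Assumption: tool files ComboFix places in c:\windows during its own run.
COMBOFIX_FILES = {"sed.exe", "mbr.exe", "pev.exe", "swreg.exe"}
PE_EXT = (".exe", ".dll", ".sys", ".bin")


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def review_file(attrs, path):
    """Flag a created-file entry; directories are left to the reviewer."""
    out = []
    if attrs[0] == "d":
        return out
    parent = ntpath.dirname(path).lower()
    name = ntpath.basename(path).lower()
    if parent in WINDOWS_DIRS and name.endswith(PE_EXT) and name not in COMBOFIX_FILES:
        out.append(Finding("new-binary-in-windows-dir", path))
    if "s" in attrs and "h" in attrs:  # system + hidden is unusual for a fresh DLL
        out.append(Finding("hidden-system-file", f"{path} ({attrs})"))
    if parent.endswith(r"\application data") and name.endswith(PE_EXT):
        out.append(Finding("binary-in-appdata-root", path))
    return out


def review_run_entry(name, path):
    """Flag Run-key targets living in the root of a profile data folder or Temp."""
    parent = ntpath.dirname(path).lower()
    if parent.endswith(r"\application data") or parent.endswith(r"\temp"):
        return [Finding("run-key-in-user-profile-root", f"{name} -> {path}")]
    return []


def triage(log_text):
    """Walk a DDS/ComboFix log and collect the findings a helper would look at first."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FILE_RE.match(line)
        if m:
            findings.extend(review_file(m["attrs"], m["path"]))
            continue
        m = RUN_RE.match(line)
        if m:
            findings.extend(review_run_entry(m["name"], m["path"]))
            continue
        m = OVERRIDE_RE.match(line)
        if m:
            findings.append(Finding("security-center-override", f'{m["key"]}=1 suppresses Security Center alerts'))
            continue
        if FIREWALL_OFF_RE.match(line):
            findings.append(Finding("firewall-disabled", "EnableFirewall=0 in the standard profile"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:32} {f.detail}")
```

Run over the second ComboFix log in the thread, where the FirewallOverride and EnableFirewall lines are gone after the CFScript run, the two posture findings disappear while the Application Data Run entry has already been removed as well.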

Offline Derek

  • Administrator
  • *****
  • Posts: 11927
Re: multi-prong virus attack
« Reply #3 on: March 26, 2011, 13:01:14 »
That dealt with a TDSS rootkit, but there is more still to do.

Download an updated version of ComboFix & make sure it is placed on the desktop.

Download ComboFix from Here or Here to your Desktop.
Don't click it to run it, but follow the advice below.

Download the attached CFScript.txt and save it to your desktop (click on the link underneath this post & if you are using Internet Explorer, when the "File download" pop-up comes press SAVE, choose desktop in the list of selections in that window & press save).
Disable any antivirus/antimalware/firewall realtime protection or script blocking in the same way you did previously before running ComboFix & remember to re-enable it when it has finished.
Close any open browsers.
Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.


This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.


Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system and will not fix your problem. If you have a similar problem, start your own topic in the malware fixing forum.

This will create a zip file inside C:\QooBox\quarantine named something like [38]-Submit_2008-01-17@17.50.zip

At the end it will pop up an alert & open your browser and ask you to send the zip file.

Please follow those instructions. We need to see the zip file before we can carry on with the fix.

If there is no pop-up alert or open browser then

please go to http://www.thespykiller.co.uk/index.php?board=1.0 and upload these files so I can examine them and, if needed, distribute them to antivirus companies.
Just press new topic, fill in the needed details and give a link to your post here, then press the browse button and navigate to & select the files on your computer. If there is more than 1 file, press the more attachments button for each extra file and browse and select etc., and when all the files are listed in the window press send to upload the files (do not post HJT logs there as they will not get dealt with).

Files to submit:
the zip file inside C:\QooBox\quarantine created by ComboFix named something like [38]-Submit_2008-01-17@17.50.zip

or to
http://www.bleepingcomputer.com/submit-malware.php?channel=38

[attachment deleted by admin]
Derek

Offline rshaffer4444

  • *
  • Posts: 9
Re: multi-prong virus attack
« Reply #4 on: March 26, 2011, 14:00:57 »
Quarantine.zip uploaded to your site.

Results from latest ComboFix run:

ComboFix 11-03-25.01 - Linda 03/26/2011   7:21.3.2 - x86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1022.484 [GMT -6:00]
Running from: c:\documents and settings\Linda.ASTRO\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Linda.ASTRO\Desktop\CFScript.txt
.
file zipped: c:\documents and settings\Linda.ASTRO\Application Data\Esbwba.exe
file zipped: c:\windows\Qmatea.exe
file zipped: c:\windows\system32\tlntadmns.dll
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\tlntadmns.dll
.
.
(((((((((((((((((((((((((   Files Created from 2011-02-26 to 2011-03-26  )))))))))))))))))))))))))))))))
.
.
2011-03-25 17:51 . 2011-03-25 17:51   --------   d-----w-   c:\program files\Vim
2011-03-24 18:57 . 2011-03-24 18:57   --------   dc----w-   c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Google
2011-03-24 18:52 . 2011-03-25 18:00   --------   dc----w-   c:\documents and settings\Linda.ASTRO\Local Settings\Application Data\Temp
2011-03-24 18:52 . 2011-03-24 18:52   --------   dc----w-   c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Google
2011-03-24 18:52 . 2011-03-25 18:00   --------   dc----w-   c:\documents and settings\Linda.ASTRO\Local Settings\Application Data\Google
2011-03-22 19:43 . 2011-03-22 19:43   0   ----a-w-   c:\windows\Hrojided.bin
2011-03-22 19:43 . 2011-03-22 19:43   --------   dcsh--w-   c:\documents and settings\LocalService.NT AUTHORITY\IETldCache
2011-03-22 18:35 . 2011-03-22 18:35   --------   dcsh--w-   c:\documents and settings\NetworkService.NT AUTHORITY\IETldCache
2011-03-22 18:20 . 2011-03-22 18:20   140288   ----a-w-   c:\windows\Qmatea.exe
2011-03-07 18:14 . 2011-03-07 18:14   --------   d-----w-   c:\windows\system32\wbem\Repository
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
(((((((((((((((((((((((((((((   SnapShot@2011-03-22_23.40.15   )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-03-25 13:59 . 2011-03-25 13:59   16384              c:\windows\Temp\Perflib_Perfdata_7a0.dat
+ 2004-08-10 11:00 . 2011-03-25 14:03   67772              c:\windows\system32\perfc009.dat
- 2004-08-10 11:00 . 2011-03-22 23:24   67772              c:\windows\system32\perfc009.dat
+ 2011-03-24 18:52 . 2011-03-24 18:52   21504              c:\windows\Installer\468739e.msi
+ 2011-03-24 18:54 . 2011-03-24 18:54   25214              c:\windows\Installer\{FB4F9000-04FC-11E0-85D2-001AA037B01E}\UNINST_Uninstall_G_F6A848FB884248E6A4CDCBDCF41F6A74_1.exe
+ 2011-03-24 18:54 . 2011-03-24 18:54   25214              c:\windows\Installer\{FB4F9000-04FC-11E0-85D2-001AA037B01E}\ARPPRODUCTICON.exe
+ 2004-08-10 11:00 . 2011-03-25 14:03   433364              c:\windows\system32\perfh009.dat
- 2004-08-10 11:00 . 2011-03-22 23:24   433364              c:\windows\system32\perfh009.dat
+ 2011-03-24 18:54 . 2011-03-24 18:54   840192              c:\windows\Installer\46873a3.msi
+ 2010-05-13 16:49 . 2011-03-23 22:18   295606              c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A82000000003}\SC_Reader.exe
- 2010-05-13 16:49 . 2010-10-16 18:18   295606              c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A82000000003}\SC_Reader.exe
+ 2011-01-22 06:59 . 2011-01-22 06:59   4240384              c:\windows\Installer\4ee2c13.msp
- 2009-07-18 14:23 . 2011-03-09 10:00   37943240              c:\windows\system32\MRT.exe
+ 2009-07-18 14:23 . 2011-03-03 01:56   37943240              c:\windows\system32\MRT.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Linda.ASTRO\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2011-03-24 136176]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1392640]
"ClamWin"="c:\program files\ClamWin\bin\ClamTray.exe" [2010-05-24 86016]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-12 29984]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-10-12 46368]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2008-05-29 1085440]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-12-21 86016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-01-22 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
.
c:\documents and settings\Administrator.ASTRO\Start Menu\Programs\Startup\
Uninstall LastPass RunOnce.lnk - c:\documents and settings\Administrator.ASTRO\Application Data\lpuninstall.exe [2010-10-8 8134344]
.
c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-11-4 176128]
KODAK Software Updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-2-13 16423]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Adobe\\Photoshop Elements 7.0\\AdobePhotoshopElementsMediaServer.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Brother\\Brmfl08b\\FAXRX.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"54925:UDP"= 54925:UDP:BrotherNetwork Scanner
.
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [9/16/2008 2:02 PM 163840]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/24/2011 12:52 PM 136176]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - CFCATCHME
*NewlyCreated* - UXTDRPOB
*NewlyCreated* - WUAUSERV
*Deregistered* - CFcatchme
*Deregistered* - PROCEXP141
*Deregistered* - RKREVEAL150
*Deregistered* - uxtdrpob
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-24 18:52]
.
2011-03-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-24 18:52]
.
2011-03-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1644491937-2025429265-725345543-1003Core.job
- c:\documents and settings\Linda.ASTRO\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-03-25 18:52]
.
2011-03-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1644491937-2025429265-725345543-1003UA.job
- c:\documents and settings\Linda.ASTRO\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-03-25 18:52]
.
2011-03-26 c:\windows\Tasks\User_Feed_Synchronization-{388E541C-49F3-4027-9787-C71E3DBB5962}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 10:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
FF - ProfilePath - c:\documents and settings\Linda.ASTRO\Application Data\Mozilla\Firefox\Profiles\rysm992e.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-26 07:33
Windows 5.1.2600 Service Pack 2 NTFS
.
detected NTDLL code modification:
ZwEnumerateValueKey, ZwQueryDirectoryFile
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
.
c:\documents and settings\Linda.ASTRO\Application Data\Esbwba.exe 108544 bytes executable
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(884)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
c:\windows\System32\MSVCP71.dll
c:\windows\system32\WININET.dll
.
- - - - - - - > 'csrss.exe'(852)
c:\windows\system32\WININET.dll
.
Completion time: 2011-03-26  07:38:16
ComboFix-quarantined-files.txt  2011-03-26 13:38
ComboFix2.txt  2011-03-25 12:38
.
Pre-Run: 54,350,434,304 bytes free
Post-Run: 54,409,723,904 bytes free
.
- - End Of File - - CDE55D58CBCE7AE66ECC150E5E12056F
Upload was successful

Offline Derek

  • Administrator
  • *****
  • Posts: 11927
Re: multi-prong virus attack
« Reply #5 on: March 26, 2011, 15:37:06 »
it looks like 2 of the files either didn't delete or got immediately recreated

let's try again with CF set differently

reboot

Delete any existing cfscript.txt from desktop

Download the attached CFScript.txt and save it to your desktop (click on the link underneath this post & if you are using internet explorer when the "File download" pop up comes press SAVE and choose desktop in the list of selections in that window & press save)

Disable any antivirus/antimalware/firewall realtime protection or script blocking in the same way you did previously before running combofix & remember to re-enable it when it has finished

Close any open browsers
Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.


Note: these instructions and script were created specifically for this user.  If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system and will not fix your problem. If you have a similar problem start your own topic in the malware fixing forum


[attachment deleted by admin]
« Last Edit: March 26, 2011, 15:54:07 by Derek »
Derek
Microsoft MVP  Windows - Security
Modern Malware is so involved and difficult to fix that it takes a very long time and a lot of hard work and research to prepare the fixes for you. A large part of my time is spent helping you
Would you do all this for nothing?
 I run this site to raise funds for Hedgehog Rescue
Please donate if I have helped you or you have found this site useful.

Offline rshaffer4444

  • *
  • Posts: 9
Re: multi-prong virus attack
« Reply #6 on: March 26, 2011, 16:15:44 »
latest combofix.txt:

ComboFix 11-03-25.01 - Linda 03/26/2011   9:46.4.2 - x86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1022.507 [GMT -6:00]
Running from: c:\documents and settings\Linda.ASTRO\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Linda.ASTRO\Desktop\CFScript.txt
.
FILE ::
"c:\documents and settings\Linda.ASTRO\Application Data\Esbwba.exe"
"c:\windows\Hrojided.bin"
"c:\windows\Qmatea.exe"
.
.
(((((((((((((((((((((((((   Files Created from 2011-02-26 to 2011-03-26  )))))))))))))))))))))))))))))))
.
.
2011-03-25 17:51 . 2011-03-25 17:51   --------   d-----w-   c:\program files\Vim
2011-03-24 18:57 . 2011-03-24 18:57   --------   dc----w-   c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Google
2011-03-24 18:52 . 2011-03-25 18:00   --------   dc----w-   c:\documents and settings\Linda.ASTRO\Local Settings\Application Data\Temp
2011-03-24 18:52 . 2011-03-24 18:52   --------   dc----w-   c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Google
2011-03-24 18:52 . 2011-03-25 18:00   --------   dc----w-   c:\documents and settings\Linda.ASTRO\Local Settings\Application Data\Google
2011-03-22 19:43 . 2011-03-22 19:43   0   ----a-w-   c:\windows\Hrojided.bin
2011-03-22 19:43 . 2011-03-22 19:43   --------   dcsh--w-   c:\documents and settings\LocalService.NT AUTHORITY\IETldCache
2011-03-22 18:35 . 2011-03-22 18:35   --------   dcsh--w-   c:\documents and settings\NetworkService.NT AUTHORITY\IETldCache
2011-03-22 18:20 . 2011-03-22 18:20   140288   ----a-w-   c:\windows\Qmatea.exe
2011-03-07 18:14 . 2011-03-07 18:14   --------   d-----w-   c:\windows\system32\wbem\Repository
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
(((((((((((((((((((((((((((((   SnapShot@2011-03-22_23.40.15   )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-03-25 13:59 . 2011-03-25 13:59   16384              c:\windows\Temp\Perflib_Perfdata_7a0.dat
+ 2004-08-10 11:00 . 2011-03-25 14:03   67772              c:\windows\system32\perfc009.dat
- 2004-08-10 11:00 . 2011-03-22 23:24   67772              c:\windows\system32\perfc009.dat
+ 2011-03-24 18:52 . 2011-03-24 18:52   21504              c:\windows\Installer\468739e.msi
+ 2011-03-24 18:54 . 2011-03-24 18:54   25214              c:\windows\Installer\{FB4F9000-04FC-11E0-85D2-001AA037B01E}\UNINST_Uninstall_G_F6A848FB884248E6A4CDCBDCF41F6A74_1.exe
+ 2011-03-24 18:54 . 2011-03-24 18:54   25214              c:\windows\Installer\{FB4F9000-04FC-11E0-85D2-001AA037B01E}\ARPPRODUCTICON.exe
+ 2004-08-10 11:00 . 2011-03-25 14:03   433364              c:\windows\system32\perfh009.dat
- 2004-08-10 11:00 . 2011-03-22 23:24   433364              c:\windows\system32\perfh009.dat
+ 2011-03-24 18:54 . 2011-03-24 18:54   840192              c:\windows\Installer\46873a3.msi
+ 2010-05-13 16:49 . 2011-03-23 22:18   295606              c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A82000000003}\SC_Reader.exe
- 2010-05-13 16:49 . 2010-10-16 18:18   295606              c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A82000000003}\SC_Reader.exe
+ 2011-01-22 06:59 . 2011-01-22 06:59   4240384              c:\windows\Installer\4ee2c13.msp
- 2009-07-18 14:23 . 2011-03-09 10:00   37943240              c:\windows\system32\MRT.exe
+ 2009-07-18 14:23 . 2011-03-03 01:56   37943240              c:\windows\system32\MRT.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Linda.ASTRO\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2011-03-24 136176]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1392640]
"ClamWin"="c:\program files\ClamWin\bin\ClamTray.exe" [2010-05-24 86016]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-12 29984]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-10-12 46368]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2008-05-29 1085440]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-12-21 86016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-01-22 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
.
c:\documents and settings\Administrator.ASTRO\Start Menu\Programs\Startup\
Uninstall LastPass RunOnce.lnk - c:\documents and settings\Administrator.ASTRO\Application Data\lpuninstall.exe [2010-10-8 8134344]
.
c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-11-4 176128]
KODAK Software Updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-2-13 16423]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Adobe\\Photoshop Elements 7.0\\AdobePhotoshopElementsMediaServer.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Brother\\Brmfl08b\\FAXRX.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"54925:UDP"= 54925:UDP:BrotherNetwork Scanner
.
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [9/16/2008 2:02 PM 163840]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/24/2011 12:52 PM 136176]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - CFCATCHME
*NewlyCreated* - UXTDRPOB
*NewlyCreated* - WUAUSERV
*Deregistered* - CFcatchme
*Deregistered* - PROCEXP141
*Deregistered* - RKREVEAL150
*Deregistered* - uxtdrpob
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-24 18:52]
.
2011-03-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-24 18:52]
.
2011-03-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1644491937-2025429265-725345543-1003Core.job
- c:\documents and settings\Linda.ASTRO\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-03-25 18:52]
.
2011-03-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1644491937-2025429265-725345543-1003UA.job
- c:\documents and settings\Linda.ASTRO\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-03-25 18:52]
.
2011-03-26 c:\windows\Tasks\User_Feed_Synchronization-{388E541C-49F3-4027-9787-C71E3DBB5962}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 10:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
FF - ProfilePath - c:\documents and settings\Linda.ASTRO\Application Data\Mozilla\Firefox\Profiles\rysm992e.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-26 09:59
Windows 5.1.2600 Service Pack 2 NTFS
.
detected NTDLL code modification:
ZwEnumerateValueKey, ZwQueryDirectoryFile
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(884)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
c:\windows\System32\MSVCP71.dll
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(1124)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
- - - - - - - > 'csrss.exe'(852)
c:\windows\system32\WININET.dll
.
Completion time: 2011-03-26  10:04:22
ComboFix-quarantined-files.txt  2011-03-26 16:04
ComboFix2.txt  2011-03-26 13:39
ComboFix3.txt  2011-03-25 12:38
.
Pre-Run: 54,400,921,600 bytes free
Post-Run: 54,397,079,552 bytes free
.
- - End Of File - - 024BE6318B44649964623CA21B5156CA

Offline Derek

  • Administrator
  • *****
  • Posts: 11927
Re: multi-prong virus attack
« Reply #7 on: March 26, 2011, 16:23:47 »
please reboot & run it again
these files are normally deleted on reboot
once we see the next log, if they haven't gone we can try something different

Offline rshaffer4444

  • *
  • Posts: 9
Re: multi-prong virus attack
« Reply #8 on: March 26, 2011, 16:53:56 »
latest2 combofix.txt:

ComboFix 11-03-25.04 - Linda 03/26/2011  10:38:48.5.2 - x86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1022.635 [GMT -6:00]
Running from: c:\documents and settings\Linda.ASTRO\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Linda.ASTRO\Desktop\CFScript.txt
.
FILE ::
"c:\documents and settings\Linda.ASTRO\Application Data\Esbwba.exe"
"c:\windows\Hrojided.bin"
"c:\windows\Qmatea.exe"
.
.
(((((((((((((((((((((((((   Files Created from 2011-02-26 to 2011-03-26  )))))))))))))))))))))))))))))))
.
.
2011-03-25 17:51 . 2011-03-25 17:51   --------   d-----w-   c:\program files\Vim
2011-03-24 18:57 . 2011-03-24 18:57   --------   dc----w-   c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Google
2011-03-24 18:52 . 2011-03-25 18:00   --------   dc----w-   c:\documents and settings\Linda.ASTRO\Local Settings\Application Data\Temp
2011-03-24 18:52 . 2011-03-24 18:52   --------   dc----w-   c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Google
2011-03-24 18:52 . 2011-03-25 18:00   --------   dc----w-   c:\documents and settings\Linda.ASTRO\Local Settings\Application Data\Google
2011-03-22 19:43 . 2011-03-22 19:43   0   ----a-w-   c:\windows\Hrojided.bin
2011-03-22 19:43 . 2011-03-22 19:43   --------   dcsh--w-   c:\documents and settings\LocalService.NT AUTHORITY\IETldCache
2011-03-22 18:35 . 2011-03-22 18:35   --------   dcsh--w-   c:\documents and settings\NetworkService.NT AUTHORITY\IETldCache
2011-03-22 18:20 . 2011-03-22 18:20   140288   ----a-w-   c:\windows\Qmatea.exe
2011-03-21 22:01 . 2011-03-26 13:20   108544   -c--a-w-   c:\documents and settings\Linda.ASTRO\Application Data\Esbwba.exe
2011-03-07 18:14 . 2011-03-07 18:14   --------   d-----w-   c:\windows\system32\wbem\Repository
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
(((((((((((((((((((((((((((((   SnapShot@2011-03-22_23.40.15   )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-03-26 16:28 . 2011-03-26 16:28   16384              c:\windows\Temp\Perflib_Perfdata_7ac.dat
+ 2004-08-10 11:00 . 2011-03-26 16:32   67772              c:\windows\system32\perfc009.dat
- 2004-08-10 11:00 . 2011-03-22 23:24   67772              c:\windows\system32\perfc009.dat
+ 2011-03-24 18:52 . 2011-03-24 18:52   21504              c:\windows\Installer\468739e.msi
+ 2011-03-24 18:54 . 2011-03-24 18:54   25214              c:\windows\Installer\{FB4F9000-04FC-11E0-85D2-001AA037B01E}\UNINST_Uninstall_G_F6A848FB884248E6A4CDCBDCF41F6A74_1.exe
+ 2011-03-24 18:54 . 2011-03-24 18:54   25214              c:\windows\Installer\{FB4F9000-04FC-11E0-85D2-001AA037B01E}\ARPPRODUCTICON.exe
+ 2004-08-10 11:00 . 2011-03-26 16:32   433364              c:\windows\system32\perfh009.dat
- 2004-08-10 11:00 . 2011-03-22 23:24   433364              c:\windows\system32\perfh009.dat
+ 2011-03-24 18:54 . 2011-03-24 18:54   840192              c:\windows\Installer\46873a3.msi
+ 2010-05-13 16:49 . 2011-03-23 22:18   295606              c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A82000000003}\SC_Reader.exe
- 2010-05-13 16:49 . 2010-10-16 18:18   295606              c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A82000000003}\SC_Reader.exe
+ 2011-01-22 06:59 . 2011-01-22 06:59   4240384              c:\windows\Installer\4ee2c13.msp
- 2009-07-18 14:23 . 2011-03-09 10:00   37943240              c:\windows\system32\MRT.exe
+ 2009-07-18 14:23 . 2011-03-03 01:56   37943240              c:\windows\system32\MRT.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Linda.ASTRO\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2011-03-24 136176]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1392640]
"ClamWin"="c:\program files\ClamWin\bin\ClamTray.exe" [2010-05-24 86016]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-12 29984]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-10-12 46368]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2008-05-29 1085440]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-12-21 86016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-01-22 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
.
c:\documents and settings\Administrator.ASTRO\Start Menu\Programs\Startup\
Uninstall LastPass RunOnce.lnk - c:\documents and settings\Administrator.ASTRO\Application Data\lpuninstall.exe [2010-10-8 8134344]
.
c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-11-4 176128]
KODAK Software Updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-2-13 16423]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Adobe\\Photoshop Elements 7.0\\AdobePhotoshopElementsMediaServer.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Brother\\Brmfl08b\\FAXRX.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"54925:UDP"= 54925:UDP:BrotherNetwork Scanner
.
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [9/16/2008 2:02 PM 163840]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/24/2011 12:52 PM 136176]
S3 CFcatchme;CFcatchme;\??\c:\docume~1\LINDA~1.AST\LOCALS~1\Temp\CFcatchme.sys --> c:\docume~1\LINDA~1.AST\LOCALS~1\Temp\CFcatchme.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-24 18:52]
.
2011-03-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-24 18:52]
.
2011-03-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1644491937-2025429265-725345543-1003Core.job
- c:\documents and settings\Linda.ASTRO\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-03-25 18:52]
.
2011-03-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1644491937-2025429265-725345543-1003UA.job
- c:\documents and settings\Linda.ASTRO\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-03-25 18:52]
.
2011-03-26 c:\windows\Tasks\User_Feed_Synchronization-{388E541C-49F3-4027-9787-C71E3DBB5962}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 10:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
FF - ProfilePath - c:\documents and settings\Linda.ASTRO\Application Data\Mozilla\Firefox\Profiles\rysm992e.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-26 10:47
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(884)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(644)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2011-03-26  10:51:07
ComboFix-quarantined-files.txt  2011-03-26 16:51
ComboFix2.txt  2011-03-26 16:04
ComboFix3.txt  2011-03-26 13:39
ComboFix4.txt  2011-03-25 12:38
.
Pre-Run: 54,387,425,280 bytes free
Post-Run: 54,384,660,480 bytes free
.
- - End Of File - - CDB7D7ADEEEE1FDC2DD5C002CBABED08

Offline Derek

  • Administrator
  • *****
  • Posts: 11927
Re: multi-prong virus attack
« Reply #9 on: March 26, 2011, 17:44:19 »
still there

  • Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger. (Vista users right click, run as Administrator)
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C.
Code:
Files to delete:
c:\documents and settings\Linda.ASTRO\Application Data\Esbwba.exe
c:\windows\Hrojided.bin
c:\windows\Qmatea.exe

  • In the Avenger window, click the Paste Script from Clipboard button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • After your PC has completed the necessary reboot, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log.
Derek
Microsoft MVP  Windows - Security
Modern Malware is so involved and difficult to fix that it takes a very long time and a lot of hard work and research to prepare the fixes for you. A large part of my time is spent helping you.
Would you do all this for nothing?
I run this site to raise funds for Hedgehog Rescue
Please donate if I have helped you or you have found this site useful.

 

Donations

You have come to The Spykiller for help because your Antivirus or Antispyware hasn't been able to fix your problem.

Modern Malware has become so involved and difficult to fix that it takes a very long time and a lot of hard work to read all the logs posted here and research and prepare the fixes for you. In many cases each part of the fix takes about 30 minutes to prepare, so a large part of my time is spent helping you.

Would you do all this for nothing?

The reason I run this site is to raise funds for Hedgehog Rescue

Please donate if I have helped you or you have found this site useful.

You can donate safely and securely by using the paypal service, just click on one of the buttons below.

To donate in UK £

To donate in US$

To donate in Euro €

Any amount, no matter how small, is gratefully accepted and needed to ensure we keep the Rescue Centre running.

To donate via PayPal when the button doesn't appear or the link doesn't work: go to www.paypal.com or your country's PayPal login page, choose Send Money, use help@thehedgehog.co.uk as the recipient email address, select Other Service as the option, then follow the prompts.

