
Thread: BankerFox a & Win32/nuqel Trojan

  1. #11
    Administrator GT500's Avatar
    Join Date
    May 2010
    Location
    Fortville, Indiana, USA
    Posts
    32
    OK. I'll 'subscribe' to the topic so that I get an e-mail when you reply.
    For we wrestle not against flesh and blood, but against principalities, against powers, and against the worldly governors, the princes of the darkness of this world...

  2. #12
    Junior Member
    Join Date
    Jan 2011
    Posts
    28
    OK-----------

  3. #13
    Junior Member
    Join Date
    Jan 2011
    Posts
    28
    If you decide to run against Obama, let me know, you got my vote---All came back as far as I can tell. While ComboFix was loading a message stated that on start-up a black screen will appear & to disregard it. Is this going to be from now on? Do I reboot now? Do I need to remove the Win Recovery Console or anything else?

  4. #14
    Administrator GT500's Avatar
    Join Date
    May 2010
    Location
    Fortville, Indiana, USA
    Posts
    32
    The black screen can be removed fairly easily, but let's worry about that after we are done.

    ComboFix should have restarted your computer automatically when it was done. Did it open a log in Notepad at some point?

  5. #15
    Junior Member
    Join Date
    Jan 2011
    Posts
    28
    Went out of town yesterday--am back now. Yes I kept the Notepad on my desktop. I have not restarted it yet, so no black screen yet.
    Last edited by mmisko; 01-23-2011 at 12:04 PM. Reason: adding something else

  6. #16
    Junior Member
    Join Date
    Jan 2011
    Posts
    28

    Attaching Notepad Findings

    ComboFix 11-01-20.04 - mike 01/21/2011 18:41:43.1.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.309 [GMT -6:00]
    Running from: c:\documents and settings\mike\Desktop\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\mike\My Documents\DPE.DUS
    c:\documents and settings\mike\My Documents\Readiris.DUS
    c:\windows\BackUp
    c:\windows\BackUp\TB040716.DAT
    c:\windows\Downloaded Program Files\temp
    c:\windows\Help\BJC5100.HLP
    c:\windows\system32\Temp

    .
    ((((((((((((((((((((((((( Files Created from 2010-12-22 to 2011-01-22 )))))))))))))))))))))))))))))))
    .

    2011-01-21 23:02 . 2011-01-21 23:02 -------- d-----w- c:\program files\MSXML 4.0
    2011-01-21 21:49 . 2011-01-21 21:49 -------- d-----w- c:\documents and settings\mike\Application Data\Malwarebytes
    2011-01-21 21:49 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-01-21 21:49 . 2011-01-21 21:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-01-21 21:49 . 2011-01-21 21:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-01-21 21:49 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-01-21 18:42 . 2011-01-21 22:44 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
    2011-01-12 02:11 . 2011-01-13 08:37 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2011-01-12 02:11 . 2011-01-13 08:41 294608 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-01-12 02:10 . 2010-12-31 20:06 38848 ----a-w- c:\windows\avastSS.scr
    2011-01-12 02:09 . 2011-01-12 02:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
    2011-01-12 01:00 . 2011-01-12 01:00 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-01-11 22:00 . 2011-01-11 22:00 -------- d-----w- c:\windows\system32\scripting
    2011-01-11 21:59 . 2011-01-11 22:00 -------- d-----w- c:\windows\l2schemas
    2011-01-11 19:31 . 2011-01-11 19:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Cisco Systems

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-01-13 08:47 . 2008-01-11 23:25 188216 ----a-w- c:\windows\system32\aswBoot.exe
    2011-01-13 08:40 . 2008-01-11 23:25 47440 -c--a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-01-13 08:40 . 2008-01-11 23:25 100176 -c--a-w- c:\windows\system32\drivers\aswmon2.sys
    2011-01-13 08:39 . 2008-01-11 23:25 94544 -c--a-w- c:\windows\system32\drivers\aswmon.sys
    2011-01-13 08:37 . 2008-01-11 23:25 23632 -c--a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-01-13 08:37 . 2008-01-11 23:25 29392 -c--a-w- c:\windows\system32\drivers\aavmker4.sys
    2007-07-09 14:25 . 2007-07-09 14:24 15732984 -c--a-w- c:\program files\Google_Earth_BZXD.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-14 98304]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-14 536576]
    "RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2009-08-31 26112]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
    "avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2011-01-13 3396624]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    America Online Tray Icon.lnk - c:\recycler\S-1-5-21-2771580065-2752991226-3942243025-1006\Dc3.0a\aoltray.exe [N/A]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Camio Viewer.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Camio Viewer.lnk
    backup=c:\windows\pss\Camio Viewer.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Watch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Watch.lnk
    backup=c:\windows\pss\Watch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^mike^Start Menu^Programs^Startup^eTomi Pro On Startup.lnk]
    path=c:\documents and settings\mike\Start Menu\Programs\Startup\eTomi Pro On Startup.lnk
    backup=c:\windows\pss\eTomi Pro On Startup.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
    2004-04-05 21:33 99480 -c--a-w- c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "WMPNetworkSvc"=2 (0x2)
    "Pml Driver HPZ12"=3 (0x3)
    "ose"=3 (0x3)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\WINDOWS\\SYSTEM32\\java.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\WINDOWS\\SYSTEM32\\fxsclnt.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
    "1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
    "500:UDP"= 500:UDP:@xpsp2res.dll,-22017

    R1 aswSP;aswSP;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [1/11/2011 8:11 PM 294608]
    R2 aswFsBlk;aswFsBlk;c:\windows\SYSTEM32\DRIVERS\aswFsBlk.sys [1/11/2011 8:11 PM 17744]
    R3 Ich;Ich;c:\windows\SYSTEM32\DRIVERS\Ich.sys [1/13/2002 2:25 AM 65916]
    S3 DM9USB;DM9601 USB To Fast Ethernet Adapter;c:\windows\SYSTEM32\DRIVERS\dm9usb.sys [3/21/2002 8:14 AM 21376]
    S3 ISLP2;Intersil 802.11 Wireless LAN Driver;c:\windows\SYSTEM32\DRIVERS\islp2nds.sys [10/3/2002 5:07 PM 611840]
    S3 WPC11;Instant Wireless Network PC Card V3.0 Driver;c:\windows\SYSTEM32\DRIVERS\LSWLNDS.sys [9/18/2002 6:59 PM 54083]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = https://www.suntrust.com/portal/serv...y&cached=false
    uInternet Settings,ProxyOverride = <local>
    uInternet Settings,ProxyServer = http=127.0.0.1:8992
    IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    TCP: {5A36D4C7-BC8E-45C3-9031-1F250C0B0F9E} = 24.165.200.40,24.165.200.35
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    .
    - - - - ORPHANS REMOVED - - - -

    HKU-Default-Run-ALUAlert - c:\program files\Symantec\LiveUpdate\ALUNotify.exe
    SafeBoot-mcmscsvc
    SafeBoot-MCODS
    AddRemove-3D Pinball Express - c:\program files\Cosmi\3D Pinball Express\DeIsL1.isu
    AddRemove-AOLAntivirus - c:\program files\mcafee.com\antivirus\uninst.exe
    AddRemove-DC Series 1 - c:\program files\DC Series 1\uninst.exe
    AddRemove-Las Vegas Super Casino Plus - c:\program files\Cosmi\LvscPlus\DeIsL1.isu



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-01-21 18:49
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2011-01-21 18:53:57
    ComboFix-quarantined-files.txt 2011-01-22 00:53

    Pre-Run: 15,980,007,424 bytes free
    Post-Run: 16,082,763,776 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

    - - End Of File - - 5D94AB491216B36B2A93F47655161DAD


    After everything came back I ran CCleaner--Just to let you know.
    Last edited by mmisko; 01-23-2011 at 12:50 PM. Reason: adding something

  7. #17
    Administrator GT500's Avatar
    Join Date
    May 2010
    Location
    Fortville, Indiana, USA
    Posts
    32
    OK, I have written a script that will tell ComboFix how to delete some things that I saw in the log. Here are instructions on what to do with the script.
    1. Turn off your Anti-Virus software.

    2. Click your Start button, go to All Programs (or just Programs on Vista), go to Accessories, and then open Notepad.

    3. Please copy and paste the contents of the CODE box below into Notepad (here is a link to instructions if you do not know how to copy and paste: http://www.gt500.org/forums/showthread.php?t=14):

      Code:
      KillAll::
      
      DDS::
      uInternet Settings,ProxyOverride = <local>
      uInternet Settings,ProxyServer = http=127.0.0.1:8992
    4. Save this as a Text Document named CFScript in the same location as ComboFix (which should be on your desktop).

    5. Close Notepad and verify that the CFScript file is saved on your desktop.

    6. Referring to the animated picture below, click the left mouse button on top of the CFScript icon on your desktop, then holding the mouse button down drag the CFScript icon on your desktop onto the ComboFix icon, and then drop it (let go of the mouse button) on top of the ComboFix icon:


    When finished, it will display a new log in Notepad. Please either copy and paste the contents of that log into a reply, or save the log on your desktop and attach it to a reply.
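As an added example (not GT500's code and not ComboFix's own), the following Python script triages a ComboFix log excerpt for the indicators acted on in this thread: a ProxyServer pointed at the local machine, plus the Security Center AntiVirusOverride flag and a startup shortcut that launches from a Recycle Bin folder, and it writes a CFScript in the KillAll::/DDS:: layout GT500 posted. It assumes the text layout ComboFix produced here and that the DDS:: section takes log lines verbatim, as the posted script does; the sample log is constructed from the lines posted above.

```python
"""Triage a ComboFix log excerpt for proxy tampering and related indicators,
then emit a CFScript in the layout used in this thread (assumed format)."""
import re
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed sample: the relevant lines copied from the log posted above.
SAMPLE_LOG = """\
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"AntiVirusOverride"=dword:00000001

c:\\documents and settings\\All Users\\Start Menu\\Programs\\Startup\\
America Online Tray Icon.lnk - c:\\recycler\\S-1-5-21-2771580065-2752991226-3942243025-1006\\Dc3.0a\\aoltray.exe [N/A]

------- Supplementary Scan -------
uStart Page = https://www.suntrust.com/portal/serv...y&cached=false
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:8992
IE: &AOL Toolbar search - c:\\program files\\AOL Toolbar\\toolbar.dll/SEARCH.HTML
"""


@dataclass
class Finding:
    severity: str  # "high": act on it; "review": confirm with the user first
    line: str      # the log line, verbatim, so it can go into the CFScript
    reason: str


# "u"/"m" prefix = per-user / per-machine hive (assumed from the log layout).
PROXY_RE = re.compile(r"^[um]?Internet Settings,ProxyServer\s*=\s*(.+)$")
INET_RE = re.compile(r"^[um]?Internet Settings,")
AV_OVERRIDE_RE = re.compile(r'^"AntiVirusOverride"=dword:0*1$')
STARTUP_RE = re.compile(r"^(.+?\.lnk) - (.+?)(?: \[[^\]]*\])?$", re.IGNORECASE)


def parse_proxy_setting(value):
    """Split 'http=127.0.0.1:8992;https=host:3128' or a bare 'host:port'
    into (scheme, host, port) tuples; port is None when absent."""
    entries = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:
            scheme, hostport = part.split("=", 1)
        else:
            scheme, hostport = "all", part
        host, _, port = hostport.rpartition(":")
        if not host:            # no ':' present, so the whole thing is the host
            host, port = hostport, ""
        entries.append((scheme, host, int(port) if port.isdigit() else None))
    return entries


def is_loopback(host):
    """True for 127.0.0.0/8, ::1 and 'localhost': a proxy on this very machine."""
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"


def scan_log(text):
    """Walk the log line by line and collect findings in log order."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = PROXY_RE.match(line)
        if m:
            for scheme, host, port in parse_proxy_setting(m.group(1)):
                if is_loopback(host):
                    findings.append(Finding("high", line,
                        f"{scheme} traffic is routed through a proxy on this machine "
                        f"({host}:{port}); typical of a banker intercepting browser traffic"))
                else:
                    findings.append(Finding("review", line,
                        f"{scheme} proxy {host}:{port} is set; confirm the user configured it"))
            continue
        if AV_OVERRIDE_RE.match(line):
            findings.append(Finding("review", line,
                "Security Center is told not to alert about anti-virus status"))
            continue
        m = STARTUP_RE.match(line)
        if m and "\\recycler\\" in m.group(2).lower():
            findings.append(Finding("review", line,
                "startup shortcut launches an executable from a Recycle Bin folder"))
    return findings


def build_cfscript(text, findings):
    """KillAll::, then a DDS:: section listing every Internet Settings line,
    mirroring the posted script; None when no hostile proxy was found."""
    if not any(f.severity == "high" for f in findings):
        return None
    dds = [l.strip() for l in text.splitlines() if INET_RE.match(l.strip())]
    return "KillAll::\n\nDDS::\n" + "\n".join(dds) + "\n"


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
    script = build_cfscript(SAMPLE_LOG, found)
    if script:
        print("\nCFScript.txt to drop onto ComboFix:\n" + script)
```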

  8. #18
    Junior Member
    Join Date
    Jan 2011
    Posts
    28
    ComboFix Results

    ComboFix 11-01-20.04 - mike 01/24/2011 11:21:22.2.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.318 [GMT -6:00]
    Running from: c:\documents and settings\mike\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\mike\Desktop\CFScript.txt
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\patch.exe
    c:\windows\Readme.txt
    c:\windows\ST6UNST.000

    .
    ((((((((((((((((((((((((( Files Created from 2010-12-24 to 2011-01-24 )))))))))))))))))))))))))))))))
    .

    2011-01-22 01:22 . 2011-01-22 01:22 -------- d-----w- c:\program files\CCleaner
    2011-01-21 23:02 . 2011-01-21 23:02 -------- d-----w- c:\program files\MSXML 4.0
    2011-01-21 21:49 . 2011-01-21 21:49 -------- d-----w- c:\documents and settings\mike\Application Data\Malwarebytes
    2011-01-21 21:49 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-01-21 21:49 . 2011-01-21 21:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-01-21 21:49 . 2011-01-21 21:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-01-21 21:49 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-01-21 18:42 . 2011-01-21 22:44 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
    2011-01-12 02:28 . 2010-06-14 14:30 743936 ------w- c:\windows\system32\dllcache\helpsvc.exe
    2011-01-12 02:11 . 2011-01-13 08:37 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2011-01-12 02:11 . 2011-01-13 08:41 294608 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-01-12 02:10 . 2010-12-31 20:06 38848 ----a-w- c:\windows\avastSS.scr
    2011-01-12 02:09 . 2011-01-12 02:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
    2011-01-12 01:00 . 2011-01-12 01:00 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-01-11 22:00 . 2011-01-11 22:00 -------- d-----w- c:\windows\system32\scripting
    2011-01-11 21:59 . 2011-01-11 22:00 -------- d-----w- c:\windows\l2schemas
    2011-01-11 19:31 . 2011-01-11 19:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Cisco Systems

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-01-13 08:47 . 2008-01-11 23:25 188216 ----a-w- c:\windows\system32\aswBoot.exe
    2011-01-13 08:40 . 2008-01-11 23:25 47440 -c--a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-01-13 08:40 . 2008-01-11 23:25 100176 -c--a-w- c:\windows\system32\drivers\aswmon2.sys
    2011-01-13 08:39 . 2008-01-11 23:25 94544 -c--a-w- c:\windows\system32\drivers\aswmon.sys
    2011-01-13 08:37 . 2008-01-11 23:25 23632 -c--a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-01-13 08:37 . 2008-01-11 23:25 29392 -c--a-w- c:\windows\system32\drivers\aavmker4.sys
    2007-07-09 14:25 . 2007-07-09 14:24 15732984 -c--a-w- c:\program files\Google_Earth_BZXD.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-14 98304]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-14 536576]
    "RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2009-08-31 26112]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
    "avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2011-01-13 3396624]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    America Online Tray Icon.lnk - c:\recycler\S-1-5-21-2771580065-2752991226-3942243025-1006\Dc3.0a\aoltray.exe [N/A]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Camio Viewer.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Camio Viewer.lnk
    backup=c:\windows\pss\Camio Viewer.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Watch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Watch.lnk
    backup=c:\windows\pss\Watch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^mike^Start Menu^Programs^Startup^eTomi Pro On Startup.lnk]
    path=c:\documents and settings\mike\Start Menu\Programs\Startup\eTomi Pro On Startup.lnk
    backup=c:\windows\pss\eTomi Pro On Startup.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
    2004-04-05 21:33 99480 -c--a-w- c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "WMPNetworkSvc"=2 (0x2)
    "Pml Driver HPZ12"=3 (0x3)
    "ose"=3 (0x3)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\WINDOWS\\SYSTEM32\\java.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\WINDOWS\\SYSTEM32\\fxsclnt.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
    "1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
    "500:UDP"= 500:UDP:@xpsp2res.dll,-22017

    R1 aswSP;aswSP;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [1/11/2011 8:11 PM 294608]
    R2 aswFsBlk;aswFsBlk;c:\windows\SYSTEM32\DRIVERS\aswFsBlk.sys [1/11/2011 8:11 PM 17744]
    R3 Ich;Ich;c:\windows\SYSTEM32\DRIVERS\Ich.sys [1/13/2002 2:25 AM 65916]
    S3 DM9USB;DM9601 USB To Fast Ethernet Adapter;c:\windows\SYSTEM32\DRIVERS\dm9usb.sys [3/21/2002 8:14 AM 21376]
    S3 ISLP2;Intersil 802.11 Wireless LAN Driver;c:\windows\SYSTEM32\DRIVERS\islp2nds.sys [10/3/2002 5:07 PM 611840]
    S3 WPC11;Instant Wireless Network PC Card V3.0 Driver;c:\windows\SYSTEM32\DRIVERS\LSWLNDS.sys [9/18/2002 6:59 PM 54083]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = https://www.suntrust.com/portal/serv...y&cached=false
    IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    TCP: {5A36D4C7-BC8E-45C3-9031-1F250C0B0F9E} = 24.165.200.40,24.165.200.35
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-01-24 11:35
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(2284)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\program files\Common Files\aolshare\aolshcpy.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\System32\wltrysvc.exe
    c:\windows\System32\bcmwltry.exe
    c:\program files\Alwil Software\Avast5\AvastSvc.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\System32\nvsvc32.exe
    c:\windows\wanmpsvc.exe
    c:\windows\System32\MsPMSPSv.exe
    .
    **************************************************************************
    .
    Completion time: 2011-01-24 11:50:29 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-01-24 17:50
    ComboFix2.txt 2011-01-22 00:53

    Pre-Run: 15,989,542,912 bytes free
    Post-Run: 15,975,378,944 bytes free

    - - End Of File - - 14D995C9B7FD98950B20BE42BC89139B

  10. #20
    Administrator GT500's Avatar
    Join Date
    May 2010
    Location
    Fortville, Indiana, USA
    Posts
    32
    Weird, my forums didn't send me an e-mail when you posted your ComboFix log.

    Anyway, that's looking much better. However, it is a good idea to run an online virus scan through ESET to make sure that ComboFix got everything. Here are the steps:
    1. Turn off your anti-virus software.

    2. Click on this link.

    3. Click on the "ESET Online Scanner" button.

    4. Put a check in the box that says "YES, I accept the Terms of Use."

    5. Click the 'Start' button just to the right of the checkbox.

    6. Uncheck the box that says "Remove found threats" (this is very important).

    7. Click on "Advanced settings".

    8. Put a check in the box that says "Scan for potentially unsafe applications".

    9. Verify that "Scan for potentially unwanted applications" is also checked.

    10. Verify that "Enable Anti-Stealth technology" is also checked.

    11. Click the 'Start' button in the lower-right corner of the page, and it will begin downloading its database, and then it will start scanning.

    12. When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."

    13. Save that text file on your desktop, and then copy and paste it into a reply for me.

    14. Close the ESET online scan.


    I will take a look at the log, and let you know if anything needs to be removed.