3934230198:1231650837.exe Cant Stop!


Hizzle G
You are back!!! :adios:

 

Have to go out for a while, and will be back this evening o/a 7:00PM USA Central Time!!

 

Will post back additional instructions then.

 

The file C:\Windows\3934230198 is now in a locked dummy folder. We should be able to run other tools.


Hizzle G,

 

If you have ComboFix (CF) already on your Desktop, please remove it! We'll download an updated version.

 

If for some reason CF does not run, do not worry, there is a program to identify files affected by this rootkit, and a way to change their permissions so they can run.

 

However, give ComboFix a whirl on its own first.

 

 

Please do the following:

 

Download ComboFix

 

 

Save ComboFix.exe to your Desktop!!

 

Make sure you temporarily disable your AntiVirus, Firewall, and any other AntiSpyware applications, usually via right-clicking on the System Tray icon. They may interfere with the running of CF.

 

Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link

 

 

Double-click on ComboFix.exe to run the program.

 

When given the option, DO install the Recovery Console. This program can come in very handy at times, and this way there is no need to burn a CD.

 

Click on Yes, to continue scanning for malware.

 

When finished, CF produces a report.

 

Please provide a copy of the C:\ComboFix.txt in your reply.

 

 

Notes:

 

1. Do not mouse-click the ComboFix window while it is running.

This action may cause it to stall.

 

2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.

 

3. CF disconnects your machine from the internet. However, the connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.


ComboFix 11-08-28.01 - chuck 08/28/2011 19:48:03.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1625 [GMT -5:00]

Running from: c:\documents and settings\chuck\Desktop\ComboFix.exe

AV: Ashampoo Anti-MalWare *Disabled/Updated* {91BDFB4E-BA7E-4ABC-9472-A79BA394CA4B}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\chuck\WINDOWS

c:\program files\Downloaded Installers

c:\program files\Downloaded Installers\{2A79ECEA-ADD3-48DE-A50D-18A7DEE3E7A8}\setup.msi

c:\program files\StartNow Toolbar

c:\program files\StartNow Toolbar\Resources\images\engine_images.png

c:\program files\StartNow Toolbar\Resources\images\engine_maps.png

c:\program files\StartNow Toolbar\Resources\images\engine_news.png

c:\program files\StartNow Toolbar\Resources\images\engine_videos.png

c:\program files\StartNow Toolbar\Resources\images\engine_web.png

c:\program files\StartNow Toolbar\Resources\images\icon_amazon.png

c:\program files\StartNow Toolbar\Resources\images\icon_ebay.png

c:\program files\StartNow Toolbar\Resources\images\icon_facebook.png

c:\program files\StartNow Toolbar\Resources\images\icon_games.png

c:\program files\StartNow Toolbar\Resources\images\icon_msn.png

c:\program files\StartNow Toolbar\Resources\images\icon_shopping.png

c:\program files\StartNow Toolbar\Resources\images\icon_travel.png

c:\program files\StartNow Toolbar\Resources\images\icon_twitter.png

c:\program files\StartNow Toolbar\Resources\images\startnow_logo.png

c:\program files\StartNow Toolbar\Resources\images\Thumbs.db

c:\program files\StartNow Toolbar\Resources\installer.xml

c:\program files\StartNow Toolbar\Resources\protect\index.html

c:\program files\StartNow Toolbar\Resources\protect\NotIE6.css

c:\program files\StartNow Toolbar\Resources\protect\OnlyIE6.css

c:\program files\StartNow Toolbar\Resources\protect\SearchProtectIcon.png

c:\program files\StartNow Toolbar\Resources\protect\window.css

c:\program files\StartNow Toolbar\Resources\protect\window.js

c:\program files\StartNow Toolbar\Resources\reactivate\index.html

c:\program files\StartNow Toolbar\Resources\reactivate\LeftImage.png

c:\program files\StartNow Toolbar\Resources\reactivate\NotIE6.css

c:\program files\StartNow Toolbar\Resources\reactivate\OnlyIE6.css

c:\program files\StartNow Toolbar\Resources\reactivate\window.css

c:\program files\StartNow Toolbar\Resources\reactivate\window.js

c:\program files\StartNow Toolbar\Resources\skin\chevron_button.png

c:\program files\StartNow Toolbar\Resources\skin\searchbox_button_hover.png

c:\program files\StartNow Toolbar\Resources\skin\searchbox_button_normal.png

c:\program files\StartNow Toolbar\Resources\skin\searchbox_dropdown_button_normal.png

c:\program files\StartNow Toolbar\Resources\skin\searchbox_input_background.png

c:\program files\StartNow Toolbar\Resources\skin\searchbox_input_left.png

c:\program files\StartNow Toolbar\Resources\skin\searchbox_input_middle.png

c:\program files\StartNow Toolbar\Resources\skin\separator.png

c:\program files\StartNow Toolbar\Resources\skin\splitter.png

c:\program files\StartNow Toolbar\Resources\skin\toolbarbutton_ff_hover_c.png

c:\program files\StartNow Toolbar\Resources\skin\toolbarbutton_ie_hover_c.png

c:\program files\StartNow Toolbar\Resources\skin\toolbarbutton_ie_hover_l.png

c:\program files\StartNow Toolbar\Resources\skin\toolbarbutton_ie_hover_r.png

c:\program files\StartNow Toolbar\Resources\skin\toolbarbutton_ie_normal_c.png

c:\program files\StartNow Toolbar\Resources\skin\toolbarbutton_ie_normal_l.png

c:\program files\StartNow Toolbar\Resources\skin\toolbarbutton_ie_normal_r.png

c:\program files\StartNow Toolbar\Resources\toolbar.xml

c:\program files\StartNow Toolbar\Resources\update.xml

c:\program files\StartNow Toolbar\Toolbar32.dll

c:\program files\StartNow Toolbar\uninstall.dat

c:\windows\$NtUninstallKB13955$

c:\windows\$NtUninstallKB13955$\3004999524

c:\windows\$NtUninstallKB13955$\3063316458\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}

c:\windows\$NtUninstallKB13955$\3063316458\click.tlb

c:\windows\$NtUninstallKB13955$\3063316458\L\jnbvezlc

c:\windows\$NtUninstallKB13955$\3063316458\loader.tlb

c:\windows\$NtUninstallKB13955$\3063316458\U\$80000000

c:\windows\$NtUninstallKB13955$\3063316458\U\@00000001

c:\windows\$NtUninstallKB13955$\3063316458\U\@000000c0

c:\windows\$NtUninstallKB13955$\3063316458\U\@000000cb

c:\windows\$NtUninstallKB13955$\3063316458\U\@000000cf

c:\windows\$NtUninstallKB13955$\3063316458\U\@80000000

c:\windows\$NtUninstallKB13955$\3063316458\U\@800000c0

c:\windows\$NtUninstallKB13955$\3063316458\U\@800000cb

c:\windows\$NtUninstallKB13955$\3063316458\U\@800000cf

c:\windows\system32\c_95385.nls

c:\windows\system32\drivers\1028_DELL_XPS_MM061 .MRK

c:\windows\system32\drivers\DELL_XPS_MM061 .MRK

.

Infected copy of c:\windows\system32\drivers\i8042prt.sys was found and disinfected

Restored copy from - The cat found it :)

Infected copy of c:\windows\system32\wscript.exe was found and disinfected

Restored copy from - c:\windows\system32\dllcache\wscript.exe

.

Infected copy of c:\windows\system32\wuauclt.exe was found and disinfected

Restored copy from - c:\windows\system32\dllcache\wuauclt.exe

.

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe . . . is infected!!

.

Infected copy of c:\windows\system32\Ati2evxx.exe was found and disinfected

Restored copy from - c:\windows\system32\ReinstallBackups\0000\DriverFiles\ati2evxx.exe

.

c:\program files\Intel\WiFi\bin\EvtEng.exe . . . is infected!!

.

c:\program files\iPod\bin\iPodService.exe . . . is infected!!

.

c:\program files\Java\jre6\bin\jqs.exe . . . is infected!!

.

c:\program files\PCPitstop\PC MaticRT\PCPitstopRTService.exe . . . is infected!!

.

c:\program files\PCPitstop\PCPitstopScheduleService.exe . . . is infected!!

.

c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe . . . is infected!!

.

c:\program files\Intel\WiFi\bin\S24EvMon.exe . . . is infected!!

.

c:\program files\Intel\WiFi\bin\WLKeeper.exe . . . is infected!!

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_RKHIT

-------\Service_b6967fea

-------\Service_RkHit

-------\Legacy_Updater_Service_for_StartNow_Toolbar

-------\Service_Updater Service for StartNow Toolbar

.

.

((((((((((((((((((((((((( Files Created from 2011-07-28 to 2011-08-29 )))))))))))))))))))))))))))))))

.

.

2011-08-29 00:44 . 2008-04-13 19:18 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys

2011-08-28 19:13 . 2011-08-28 19:13 -------- d-----w- c:\windows\3934230198

2011-08-28 06:51 . 2011-08-28 06:51 -------- d-----w- c:\program files\Cisco Systems

2011-08-28 06:10 . 2011-08-28 06:10 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\PCHealth

2011-08-28 06:10 . 2011-08-28 06:10 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Cisco Systems

2011-08-18 21:33 . 2011-08-18 21:33 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\FreeDownloadManager.ORG

2011-08-18 21:33 . 2011-08-18 21:33 -------- d-----w- c:\program files\Free Download Manager

2011-08-17 23:30 . 2011-08-17 23:31 4176704 ----a-r- C:\thekitty.com.exe

2011-08-17 23:14 . 2011-08-17 23:14 4176704 ----a-r- C:\thecat.com.exe

2011-08-17 22:34 . 2011-08-17 22:34 -------- d-----w- c:\documents and settings\chuck\Local Settings\Application Data\SolarWinds

2011-08-17 22:34 . 2011-08-17 22:34 -------- d-----w- c:\program files\SolarWinds

2011-08-17 02:40 . 2011-08-17 02:40 -------- d-----w- c:\windows\Internet Logs

2011-08-15 23:32 . 2011-08-17 02:30 -------- d-----w- c:\program files\Kapha Anti-Malware

2011-08-15 22:32 . 2011-08-15 22:32 -------- d-----w- c:\documents and settings\chuck\Local Settings\Application Data\Ashampoo

2011-08-15 22:31 . 2011-08-16 00:01 -------- d-----w- c:\program files\hizz

2011-08-14 23:15 . 2011-08-14 23:16 -------- d-----w- c:\documents and settings\Administrator

2011-08-14 22:33 . 2011-08-14 22:41 -------- d-----w- c:\program files\Spybot - Search & Destroy

2011-08-14 22:19 . 2011-08-14 22:19 -------- d-----w- c:\program files\Trend Micro

2011-08-14 22:08 . 2011-08-14 22:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-08-14 22:02 . 2011-08-14 22:02 -------- d-----w- c:\documents and settings\chuck\Application Data\Malwarebytes

2011-08-14 22:01 . 2011-08-14 22:01 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes

2011-08-14 16:00 . 2011-08-14 16:06 -------- d-----w- c:\program files\Anti Trojan Elite

2011-08-12 11:16 . 2011-08-12 11:16 -------- d-----w- c:\program files\FYZip

2011-08-12 01:51 . 2011-08-12 01:51 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Apple

2011-08-11 23:52 . 2011-08-12 00:00 -------- d-----w- c:\program files\Run-Time

2011-08-11 03:04 . 2011-08-11 03:04 -------- d-----w- c:\program files\iPod

2011-08-11 02:55 . 2011-08-11 02:55 -------- d-----w- c:\program files\Bonjour

2011-08-01 02:47 . 2011-08-01 02:47 -------- d-----w- c:\documents and settings\chuck\Application Data\Oberon Media

2011-08-01 02:47 . 2011-08-01 02:52 -------- d---a-w- c:\documents and settings\All Users.WINDOWS\Application Data\TEMP

2011-08-01 02:46 . 2011-08-14 15:07 -------- d-----w- c:\program files\Yahoo! Games

2011-07-30 23:52 . 2011-08-13 22:20 -------- d-----w- c:\documents and settings\chuck\riotsGamesLogs

2011-07-30 16:37 . 2000-01-01 00:00 988032 ----a-w- c:\windows\system32\drivers\HSF_DPV.sys

2011-07-30 16:37 . 2000-01-01 00:00 731136 ----a-w- c:\windows\system32\drivers\HSF_CNXT.sys

2011-07-30 16:37 . 2000-01-01 00:00 212992 ----a-w- c:\windows\system32\UCI32M19.dll

2011-07-30 16:37 . 2000-01-01 00:00 209536 ----a-w- c:\windows\system32\drivers\HSFHWAZL.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-07-15 13:29 . 2006-02-28 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-14 22:27 . 2011-05-26 17:17 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-07-12 16:20 . 2011-07-12 16:20 83816 ----a-w- c:\windows\system32\dns-sd.exe

2011-07-12 16:20 . 2011-07-12 16:20 73064 ----a-w- c:\windows\system32\dnssd.dll

2011-07-12 16:20 . 2011-07-12 16:20 50536 ----a-w- c:\windows\system32\jdns_sd.dll

2011-07-12 16:20 . 2011-07-12 16:20 178536 ----a-w- c:\windows\system32\dnssdX.dll

2011-07-08 14:02 . 2006-02-28 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

2011-07-05 23:37 . 2011-07-05 23:37 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2011-07-05 23:37 . 2011-07-05 23:37 69632 ----a-w- c:\windows\system32\QuickTime.qts

2011-06-24 14:10 . 2010-08-12 01:46 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2011-06-23 18:36 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2011-06-23 18:36 . 2006-02-28 12:00 43520 ------w- c:\windows\system32\licmgr10.dll

2011-06-23 18:36 . 2006-02-28 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-06-23 12:05 . 2006-02-28 12:00 385024 ------w- c:\windows\system32\html.iec

2011-06-20 17:44 . 2006-02-28 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll

2011-06-02 14:02 . 2006-02-28 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys

2011-08-22 21:16 . 2011-04-02 04:19 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

2010-08-10 09:57 . 2010-08-11 22:24 135680 -c--a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IDM Shell Extension]

@="{CDC95B92-E27C-4745-A8C5-64A52A78855D}"

[HKEY_CLASSES_ROOT\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]

2011-03-02 15:23 68216 ----a-w- c:\program files\Internet Download Manager\IDMShellExt.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Download Nitro"="c:\program files\PCPitstop\Download Nitro\pcpitstop-nitro.exe" [2010-12-02 3588888]

"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2011-06-27 3077528]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-08-10 761947]

"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2010-08-10 45056]

"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]

"PC MaticRT"="c:\program files\PCPitstop\PC MaticRT\PCMaticRT.exe" [2011-05-10 667800]

"Info Center"="c:\program files\PCPitstop\Info Center\InfoCenter.exe" [2011-04-22 24216]

"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2011-01-12 1400832]

"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2011-01-12 1210640]

"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2000-01-01 405504]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-07-05 421888]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

.

c:\documents and settings\Hizzle\Start Menu\Programs\Startup\

.Memeo AutoBackup Launcher.lnk.dcm [2010-8-9 689]

.Memeo AutoSync Launcher.lnk.dcm [2010-8-9 685]

Memeo AutoBackup Launcher.lnk - c:\documents and settings\Hizzle\Application Data\Microsoft\Installer\{39A908FD-7322-41AE-B374-C7A076B2FC97}\NewShortcut4_51A847D327C24F7797772AF2A4E486ED.exe [N/A]

Memeo AutoSync Launcher.lnk - c:\program files\Memeo\AutoSync\MemeoLauncher.exe [N/A]

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Steam\\Steam.exe"=

"c:\\Program Files\\Steam\\steamapps\\common\\america's army 3\\Binaries\\AA3Game.exe"=

"c:\\Program Files\\BitLord 1.2\\Bitlord files\\bitlord.exe"=

"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\NovaLogic\\Delta Force Xtreme 2\\dfx2.exe"=

"c:\\Program Files\\NovaLogic\\Delta Force Xtreme 2\\UPDATE.EXE"=

"c:\\Program Files\\NovaLogic\\Delta Force Black Hawk Down\\dfbhd.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\PCPitstop\\Info Center\\InfoCenter.exe"=

"c:\\Program Files\\SolarWinds\\SolarWinds Real-time NetFlow Analyzer\\NetFlowRealtime.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

"c:\\Program Files\\Free Download Manager\\fdm.exe"=

"c:\\WINDOWS\\system32\\WgaTray.exe"=

"c:\\Documents and Settings\\chuck\\Desktop\\SoftonicDownloader_for_burncdcc.exe"=

"d:\\Setup.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"6881:TCP"= 6881:TCP:Blizzard Downloader: 6881

"58815:TCP"= 58815:TCP:Pando Media Booster

"58815:UDP"= 58815:UDP:Pando Media Booster

.

R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [3/3/2011 10:31 PM 21464]

R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [3/3/2011 10:31 PM 69976]

R3 NETwLx32; Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\drivers\NETwLx32.sys [5/24/2011 5:51 PM 6609920]

S2 AAMW_WSC_Service_XP;Ashampoo Anti-Malware WSC Service;c:\program files\Ashampoo\Ashampoo Anti-Malware\AAMW_WSC_Service_XP.exe --> c:\program files\Ashampoo\Ashampoo Anti-Malware\AAMW_WSC_Service_XP.exe [?]

S2 AAMWService;Ashampoo Anti-Malware Service;c:\program files\Ashampoo\Ashampoo Anti-Malware\AAMW_Service.exe --> c:\program files\Ashampoo\Ashampoo Anti-Malware\AAMW_Service.exe [?]

S2 ATE_PROCMON;ATE_PROCMON;\??\c:\program files\Anti Trojan Elite\ATEPMon.sys --> c:\program files\Anti Trojan Elite\ATEPMon.sys [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]

S2 PCPitstop Realtime;PCPitstop Realtime;c:\program files\PCPitstop\PC MaticRT\PCPitstopRTService.exe --> c:\program files\PCPitstop\PC MaticRT\PCPitstopRTService.exe [?]

S2 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\PCPitstop\PCPitstopScheduleService.exe --> c:\program files\PCPitstop\PCPitstopScheduleService.exe [?]

S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 11:58 AM 11336]

S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [5/4/2011 8:18 PM 13192]

S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [5/4/2011 8:18 PM 8456]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]

.

Contents of the 'Scheduled Tasks' folder

.

2011-08-12 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 22:57]

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = *.local

IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm

TCP: DhcpNameServer = 10.0.3.246 10.0.1.9 192.168.1.1

FF - ProfilePath - c:\documents and settings\chuck\Application Data\Mozilla\Firefox\Profiles\9xgi0p4o.default\

FF - prefs.js: browser.startup.homepage - www.yahoo.com

FF - user.js: yahoo.ytff.general.dontshowhpoffer - true

.

- - - - ORPHANS REMOVED - - - -

.

HKLM-Run-iTunesHelper - g:\itunes\iTunesHelper.exe

HKLM-Run-Anti Trojan Elite - c:\program files\hizz\TJEnder.exe

HKLM-Run-Ashampoo Anti-Malware Guard - c:\program files\Ashampoo\Ashampoo Anti-Malware\AAMW_Guard.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-08-28 19:56

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]

@Denied: (Full) (Everyone)

"scansk"=hex(0):8e,ab,f7,76,9a,93,24,80,c3,2d,c0,40,55,7a,7f,77,c9,12,45,18,9d,

6b,85,a3,ac,f8,25,c6,24,06,a9,46,1b,e5,4b,8c,9d,36,a3,ab,00,00,00,00,00,00,\

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{eb9b92c9-32cf-456a-8589-cfc5b5ba0384}]

@Denied: (Full) (Everyone)

"Model"=dword:000000a9

"Therad"=dword:0000001f

"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,

38,95,44,7c,a3,58,23,ec,af,2d,15,15,ef,a1,46,54,19,6c,0d,35,95,e0,f3,7c,6d,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(1148)

c:\windows\system32\Ati2evxx.dll

c:\windows\system32\netprovcredman.dll

.

- - - - - - - > 'explorer.exe'(1564)

c:\windows\system32\WININET.dll

c:\program files\Internet Download Manager\IDMShellExt.dll

c:\windows\system32\netprovcredman.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\Ati2evxx.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\wbem\unsecapp.exe

.

**************************************************************************

.

Completion time: 2011-08-28 19:59:07 - machine was rebooted

ComboFix-quarantined-files.txt 2011-08-29 00:59

.

Pre-Run: 49,795,575,808 bytes free

Post-Run: 50,000,650,240 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

.

- - End Of File - - 8965D46BC5A3E1FB29BFB3D989154207

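An added example, not part of this thread and not ComboFix's own code: a small Python triage script for the report format posted above. It pulls out the binaries ComboFix flagged as infected but did not restore, the ones it disinfected together with the pristine copy it restored them from, and Windows Firewall exceptions that point at per-user, temp or non-system-drive locations (the report above lets a Desktop download and d:\Setup.exe through, with the standard profile's EnableFirewall at 0). The SAMPLE text is a constructed excerpt modelled on lines from this log; the "suspect location" rule is this example's heuristic, not a ComboFix rule.

```python
"""Triage helper for a ComboFix report (added example, not a ComboFix tool).

Pulls out of C:\\ComboFix.txt the findings a responder acts on first:
  * binaries ComboFix flagged as infected but did not restore,
  * binaries it disinfected, paired with the pristine copy it restored from,
  * Windows Firewall exceptions pointing at per-user, temp or non-system-drive
    locations, and whether the standard profile had the firewall switched off.
SAMPLE is a constructed excerpt modelled on the report above; the
"suspect location" rule is this example's heuristic, not a ComboFix rule.
"""
import re
import sys
from dataclasses import dataclass, field
from pathlib import Path

SAMPLE = r"""
Infected copy of c:\windows\system32\wscript.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\wscript.exe
.
c:\program files\Java\jre6\bin\jqs.exe . . . is infected!!
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Documents and Settings\\chuck\\Desktop\\SoftonicDownloader_for_burncdcc.exe"=
"d:\\Setup.exe"=
.
"""

INFECTED_RE = re.compile(r"^(?P<path>.+?) \. \. \. is infected!!$")
DISINFECTED_RE = re.compile(r"^Infected copy of (?P<path>.+?) was found and disinfected$")
RESTORED_RE = re.compile(r"^Restored copy from - (?P<src>.+)$")
REG_KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<data>.*)$')
# Firewall exceptions worth a second look: per-user profiles, temp/recycler
# folders, and anything on a drive other than C: (removable media, d:\Setup.exe).
SUSPECT_LOCATION_RE = re.compile(
    r"^(?:[d-z]:\\|c:\\documents and settings\\|c:\\users\\|.*\\(?:temp|desktop|recycler)\\)",
    re.IGNORECASE,
)


@dataclass
class Triage:
    unrestored: list = field(default_factory=list)   # "... is infected!!" with no restore
    restored: list = field(default_factory=list)     # (patched path, pristine source)
    firewall_disabled: bool = False
    suspect_exceptions: list = field(default_factory=list)


def triage_combofix(report: str) -> Triage:
    result = Triage()
    pending = None   # disinfected file waiting for its "Restored copy from" line
    section = None   # registry key currently open in the REGEDIT4-style dump
    for raw in report.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if m := INFECTED_RE.match(line):
            result.unrestored.append(m["path"])
        elif m := DISINFECTED_RE.match(line):
            pending = m["path"]
        elif (m := RESTORED_RE.match(line)) and pending:
            result.restored.append((pending, m["src"]))
            pending = None
        elif m := REG_KEY_RE.match(line):
            section = m["key"].lower()
        elif (m := REG_VALUE_RE.match(line)) and section:
            if section.endswith("firewallpolicy\\standardprofile") and m["name"] == "EnableFirewall":
                result.firewall_disabled = m["data"].startswith("0")
            elif section.endswith("authorizedapplications\\list"):
                path = m["name"].replace("\\\\", "\\")   # undo REGEDIT4 escaping
                if SUSPECT_LOCATION_RE.match(path):
                    result.suspect_exceptions.append(path)
    return result


if __name__ == "__main__":
    text = Path(sys.argv[1]).read_text(errors="replace") if len(sys.argv) > 1 else SAMPLE
    t = triage_combofix(text)
    print("firewall disabled:", t.firewall_disabled)
    for label, items in (("still infected", t.unrestored),
                         ("restored", [f"{p}  <-  {s}" for p, s in t.restored]),
                         ("suspect firewall exceptions", t.suspect_exceptions)):
        print(f"\n{label}:")
        for item in items:
            print("  ", item)
```

Run it as `python triage.py C:\ComboFix.txt` to work on a real report; with no argument it runs over the constructed SAMPLE. The "still infected" list is the one to act on, since those binaries had no pristine copy ComboFix could swap in.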

Hizzle G,

 

How do I remove these programs that it zapped? I can't delete them... the ones that we tried to run.

^^We will take care of that later.^^

 

You did a great job with the DummyMaker, TDSSKiller and ComboFix routines!! :rocks:

 

 

 

We do need to take care of some files that are showing as infected on the CF report:

 

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe . . . is infected!!

c:\program files\Intel\WiFi\bin\EvtEng.exe . . . is infected!!

c:\program files\iPod\bin\iPodService.exe . . . is infected!!

c:\program files\Java\jre6\bin\jqs.exe . . . is infected!!

c:\program files\PCPitstop\PC MaticRT\PCPitstopRTService.exe . . . is infected!!

c:\program files\PCPitstop\PCPitstopScheduleService.exe . . . is infected!!

c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe . . . is infected!!

c:\program files\Intel\WiFi\bin\S24EvMon.exe . . . is infected!!

c:\program files\Intel\WiFi\bin\WLKeeper.exe . . . is infected!!

 

Let's give the following a whirl:

 

Please download Malwarebytes Anti-Malware

Save it to your Desktop.

  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the program.
  • When the installation begins, follow the prompts and do not make changes to the settings.
  • When the installation is finished, leave both of these checked:

    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish
MBAM automatically starts and you are asked to update the program
  • If an update is found, the program automatically updates.
  • Press the OK button to close the box and continue.
On the Scanner tab:
  • Select the Perform Full Scan option.
  • Then, click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • When the scan is finished, a message appears "The scan completed successfully. Click 'Show Results' to display all entries found".
  • Click OK to close the message and continue with the removal process.
Back at the main Scanner screen:
  • Click on Show Results button to see a list of any malware found.
  • Make sure everything is checked, and click Remove Selected.
  • When removal is completed, a log report opens in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
Note: If MBAM encounters a file that is difficult to remove, you are asked to reboot the computer. Please do so immediately. Failure to reboot prevents MBAM from removing the malware.

 

 

Please copy/paste the contents of the MBAM report in your reply, and exit MBAM.


Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

 

Database version: 7600

 

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

 

8/28/2011 10:51:46 PM

mbam-log-2011-08-28 (22-51-45).txt

 

Scan type: Full scan (C:\|D:\|)

Objects scanned: 308893

Time elapsed: 29 minute(s), 9 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

(No malicious items detected)

 

Registry Keys Infected:

(No malicious items detected)

 

Registry Values Infected:

(No malicious items detected)

 

Registry Data Items Infected:

(No malicious items detected)

 

Folders Infected:

(No malicious items detected)

 

Files Infected:

(No malicious items detected)


The following scan may take a while:

 

Please run an ESET Online Scan

 

**Note**

You need to use Internet Explorer for this scan.

Also, please turn off the real time scanner of your AntiVirus program while performing the scan!!

 

Click on the ESET Online Scanner (green button) Download

 

After accepting terms of use, click Start

 

When asked, allow the ActiveX control to install.

 

Click Start once again

 

Make sure of the following options:

  • Remove found threats is unticked
  • Scan Archives option is ticked

Click on Advanced Settings, ensure the following options are ticked:

  • Scan for potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth Technology

Click Scan

  • Wait for the scan to finish. (It may take a while!)
  • Click on copy to clipboard, and paste the results of the scan in your reply.
  • You may also find the results at C:\Program Files\Eset\Eset Online Scanner\log.txt

 

Signing off for tonight.

 

See you tomorrow.


C:\Documents and Settings\chuck\Application Data\Sun\Java\Deployment\cache\6.0\24\61020098-3f1b231b multiple threats

C:\Documents and Settings\chuck\Application Data\Sun\Java\Deployment\cache\6.0\63\6b6d993f-6b37c85b multiple threats

C:\Documents and Settings\chuck\Desktop\cnet_ashampoo_anti-malware_1_21_sm_exe.exe a variant of Win32/InstallCore.B application

C:\Documents and Settings\chuck\Local Settings\temp\ICReinstall\cnet_ashampoo_anti-malware_1_21_sm_exe.exe a variant of Win32/InstallCore.B application

C:\Program Files\hizz\hizz\AAMW_Service.exe Win32/Patched.HN trojan

C:\Program Files\hizz\hizz\AAMW_WSC_Service_XP.exe Win32/Patched.HN trojan

C:\Qoobox\Quarantine\C\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe.vir Win32/Patched.HN trojan

C:\Qoobox\Quarantine\C\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe.vir Win32/Patched.HN trojan

C:\Qoobox\Quarantine\C\Program Files\Intel\WiFi\bin\EvtEng.exe.vir Win32/Patched.HN trojan

C:\Qoobox\Quarantine\C\Program Files\Intel\WiFi\bin\S24EvMon.exe.vir Win32/Patched.HN trojan

C:\Qoobox\Quarantine\C\Program Files\Intel\WiFi\bin\WLKeeper.exe.vir Win32/Patched.HN trojan

C:\Qoobox\Quarantine\C\Program Files\iPod\bin\iPodService.exe.vir Win32/Patched.HN trojan

C:\Qoobox\Quarantine\C\Program Files\Java\jre6\bin\jqs.exe.vir Win32/Patched.HN trojan

C:\Qoobox\Quarantine\C\Program Files\PCPitstop\PCPitstopScheduleService.exe.vir Win32/Patched.HN trojan

C:\Qoobox\Quarantine\C\Program Files\PCPitstop\PC MaticRT\PCPitstopRTService.exe.vir Win32/Patched.HN trojan

C:\Qoobox\Quarantine\C\Program Files\StartNow Toolbar\Toolbar32.dll.vir Win32/Toolbar.Zugo.A application

C:\Qoobox\Quarantine\C\WINDOWS\assembly\GAC_MSIL\desktop.ini.vir Win32/Sirefef.CH trojan

C:\Qoobox\Quarantine\C\WINDOWS\system32\Ati2evxx.exe.vir Win32/Patched.HN trojan

C:\Qoobox\Quarantine\C\WINDOWS\system32\wscript.exe.vir Win32/Patched.HN trojan

C:\Qoobox\Quarantine\C\WINDOWS\system32\wuauclt.exe.vir Win32/Patched.HN trojan

C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\i8042prt.sys.vir Win32/Sirefef.CO trojan

C:\RECYCLER\S-1-5-21-1454471165-73586283-682003330-1003\Dc20.exe a variant of Win32/InstallCore.B application

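An added example, not part of this thread and not ComboFix or ESET code: the ESET results above label the quarantined service executables Win32/Patched.HN, and the ComboFix report did the matching repair by hand ("Infected copy of ...\wscript.exe was found and disinfected / Restored copy from - ...\dllcache\wscript.exe"). The Python below scripts that first check: hash each binary in system32 against the Windows File Protection copy in system32\dllcache and report which ones differ. The system32/dllcache tree it builds is constructed in a temporary directory for the demo; the file names are taken from the log, the contents are not real binaries. One caveat a responder needs: a match only proves the two copies agree. Malware running as SYSTEM can rewrite dllcache as well (note that ComboFix restored i8042prt.sys from somewhere other than dllcache), so a clean verdict should be confirmed against hashes from install media or a known-good machine.

```python
"""Detect patched system binaries by hashing them against the pristine copies
Windows File Protection keeps in system32\\dllcache (added example, not
ComboFix or ESET code).

The ComboFix report above did this by hand ("Infected copy of ...\\wscript.exe
was found and disinfected / Restored copy from - ...\\dllcache\\wscript.exe")
and ESET later labelled the quarantined originals Win32/Patched: the malware
overwrote code inside legitimate service executables but left names and
locations alone, so a content hash against the cached copy is the cheap first
check. The demo tree below is constructed in a temporary directory; on a real
XP machine pass C:\\Windows\\system32 and C:\\Windows\\system32\\dllcache.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_with_cache(system_dir: Path, cache_dir: Path, names=None) -> dict:
    """Return {"patched": [...], "clean": [...], "no_reference": [...]}.

    Only files that also exist in cache_dir can be judged.  A file with no
    dllcache counterpart is reported separately, never assumed clean, and a
    match only proves the two copies agree: malware with SYSTEM rights can
    rewrite dllcache too, so confirm against hashes from install media.
    """
    report = {"patched": [], "clean": [], "no_reference": []}
    candidates = names or [p.name for p in system_dir.iterdir() if p.is_file()]
    for name in sorted(candidates, key=str.lower):
        live, ref = system_dir / name, cache_dir / name
        if not ref.is_file():
            report["no_reference"].append(name)
        elif sha256_of(live) != sha256_of(ref):
            report["patched"].append(name)
        else:
            report["clean"].append(name)
    return report


def build_demo_tree(root: Path):
    """Constructed stand-in for system32 and system32\\dllcache (not real binaries).

    wuauclt.exe gets extra bytes appended so its hash differs from the cached
    copy (a crude model of a patched file); wscript.exe is identical to its
    cache copy; unsecapp.exe exists only in system32 and so cannot be judged.
    """
    system32 = root / "system32"
    dllcache = system32 / "dllcache"
    dllcache.mkdir(parents=True)
    pristine = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"legitimate code " * 8
    for name in ("wscript.exe", "wuauclt.exe"):
        (dllcache / name).write_bytes(pristine)
    (system32 / "wscript.exe").write_bytes(pristine)
    (system32 / "wuauclt.exe").write_bytes(pristine + b"\xeb\xfe injected stub")
    (system32 / "unsecapp.exe").write_bytes(pristine)
    return system32, dllcache


def demo() -> dict:
    """Build the constructed tree, run the comparison, return the verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        system32, dllcache = build_demo_tree(Path(tmp))
        return compare_with_cache(system32, dllcache)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        verdicts = compare_with_cache(Path(sys.argv[1]), Path(sys.argv[2]))
    else:
        verdicts = demo()
    for verdict, names in verdicts.items():
        print(f"{verdict:13s} {', '.join(names) or '-'}")
```

With two arguments it compares real directories (`python dllcache_check.py C:\Windows\system32 C:\Windows\system32\dllcache`); with none it runs the constructed demo. Files in the "patched" list are candidates for the same restore-from-dllcache step ComboFix performed, after confirming the dllcache copy itself against a trusted hash.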

Hizzle G,

 

Please download Security Check:

http://screen317.changelog.fr/SecurityCheck.exe

 

Save it to the Desktop.

Double click SecurityCheck.exe and follow the onscreen instructions (in the black box.)

When done, a Notepad document opens automatically: checkup.txt

 

Please post the contents of checkup.txt in your reply.

 

~~~~

Next, please download TFC (Temp File Cleaner, by OldTimer):

http://oldtimer.geekstogo.com/TFC.exe

 

Save to your Desktop.

 

TFC closes all open application windows, so, save any work in progress.

 

Double-click TFC.exe to run the program.

If prompted, click "Yes" to reboot.

 

When done, click 'Save' (bottom right), and save the report to your Desktop.

 

Please post the TFC report in your reply.

 

~~~~

Also, please Clear the Java Cache (How to):

http://www.java.com/en/download/help/plugin_cache.xml

 

 

There are some files that ESET is showing as being infected, and they belong to: Ashampoo Anti-Malware.

However, I do not see this program installed in: Start > Control Panel > Add/Remove Programs area.

 

Could you please check there and let me know if you see Ashampoo listed?

 

Thanks!

Edited by Aaflac

Results of screen317's Security Check version 0.99.7

Windows XP Service Pack 3

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

ESET Online Scanner v3

WMI entry may not exist for antivirus; attempting automatic update.

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

Java 6 Update 26

Out of date Java installed!

Adobe Flash Player 10.3.181.26

Adobe Reader 9.4.5

Out of date Adobe Reader installed!

Mozilla Firefox (x86 en-US..) Firefox Out of Date!

````````````````````````````````

Process Check:

objlist.exe by Laurent

Malwarebytes' Anti-Malware mbamservice.exe

``````````End of Log````````````


md tempdir0

copy "C:\Windows\System32\Drivers\ACPI.sys" tempdir0

copy "C:\Windows\System32\Drivers\AFD.sys" tempdir0

copy "C:\Windows\System32\Drivers\APPDRV.sys" tempdir0

copy "C:\Windows\System32\Drivers\atapi.sys" tempdir0

copy "C:\Windows\System32\Drivers\ati2mtag.sys" tempdir0

copy "C:\Windows\System32\Drivers\audstub.sys" tempdir0

copy "C:\Windows\System32\Drivers\bcm4sbxp.sys" tempdir0

copy "C:\Windows\System32\Drivers\Cdrom.sys" tempdir0

copy "C:\Windows\System32\Drivers\CmBatt.sys" tempdir0

copy "C:\Windows\System32\Drivers\Compbatt.sys" tempdir0

copy "C:\Windows\System32\Drivers\Disk.sys" tempdir0

copy "C:\Windows\System32\Drivers\dmio.sys" tempdir0

copy "C:\Windows\System32\Drivers\dmload.sys" tempdir0

copy "C:\Windows\System32\Drivers\FltMgr.sys" tempdir0

copy "C:\Windows\System32\Drivers\Ftdisk.sys" tempdir0

copy "C:\Windows\System32\Drivers\GEARAspiWDM.sys" tempdir0

copy "C:\Windows\System32\DRIVERS\msgpc.sys" tempdir0

copy "C:\Windows\System32\Drivers\HDAudBus.sys" tempdir0

copy "C:\Windows\System32\Drivers\HidUsb.sys" tempdir0

copy "C:\Windows\System32\Drivers\HSFHWAZL.sys" tempdir0

copy "C:\Windows\System32\Drivers\HSF_DPV.sys" tempdir0

copy "C:\Windows\System32\Drivers\HTTP.sys" tempdir0

copy "C:\Windows\System32\Drivers\i8042prt.sys" tempdir0

copy "C:\Windows\System32\Drivers\Imapi.sys" tempdir0

copy "C:\Windows\System32\Drivers\intelppm.sys" tempdir0

copy "C:\Windows\System32\Drivers\IpNat.sys" tempdir0

copy "C:\Windows\System32\Drivers\IPSec.sys" tempdir0

copy "C:\Windows\System32\Drivers\isapnp.sys" tempdir0

copy "C:\Windows\System32\Drivers\Kbdclass.sys" tempdir0

copy "C:\Windows\System32\Drivers\kbdhid.sys" tempdir0

copy "C:\Windows\System32\Drivers\kmixer.sys" tempdir0

copy "C:\Windows\System32\Drivers\mdmxsdk.sys" tempdir0

copy "C:\Windows\System32\Drivers\Mouclass.sys" tempdir0

copy "C:\Windows\System32\Drivers\mouhid.sys" tempdir0

copy "C:\Windows\System32\Drivers\MRxDAV.sys" tempdir0

copy "C:\Windows\System32\Drivers\MRxSmb.sys" tempdir0

copy "C:\Windows\System32\Drivers\mssmbios.sys" tempdir0

copy "C:\Windows\System32\Drivers\NdisTapi.sys" tempdir0

copy "C:\Windows\System32\Drivers\Ndisuio.sys" tempdir0

copy "C:\Windows\System32\Drivers\NdisWan.sys" tempdir0

copy "C:\Windows\System32\Drivers\NetBIOS.sys" tempdir0

copy "C:\Windows\System32\Drivers\NetBT.sys" tempdir0

copy "C:\Windows\System32\Drivers\NETwLx32.sys" tempdir0

copy "C:\Windows\System32\DRIVERS\NWADIenum.sys" tempdir0

copy "C:\Windows\System32\Drivers\ohci1394.sys" tempdir0

copy "C:\Windows\System32\Drivers\PCI.sys" tempdir0

copy "C:\Windows\System32\Drivers\PCIIde.sys" tempdir0

copy "C:\Windows\System32\DRIVERS\raspptp.sys" tempdir0

copy "C:\Windows\System32\Drivers\PSched.sys" tempdir0

copy "C:\Windows\System32\Drivers\Ptilink.sys" tempdir0

copy "C:\Windows\System32\Drivers\RasAcd.sys" tempdir0

copy "C:\Windows\System32\Drivers\Rasl2tp.sys" tempdir0

copy "C:\Windows\System32\Drivers\RasPppoe.sys" tempdir0

copy "C:\Windows\System32\Drivers\Raspti.sys" tempdir0

copy "C:\Windows\System32\Drivers\Rdbss.sys" tempdir0

copy "C:\Windows\System32\Drivers\RDPCDD.sys" tempdir0

copy "C:\Windows\System32\Drivers\rdpdr.sys" tempdir0

copy "C:\Windows\System32\Drivers\redbook.sys" tempdir0

copy "C:\Windows\System32\Drivers\rimmptsk.sys" tempdir0

copy "C:\Windows\System32\Drivers\rimsptsk.sys" tempdir0

copy "C:\Windows\System32\DRIVERS\RimSerial.sys" tempdir0

copy "C:\Windows\System32\Drivers\risdptsk.sys" tempdir0

copy "C:\Windows\System32\DRIVERS\rixdptsk.sys" tempdir0

copy "C:\Windows\System32\Drivers\RootMdm.sys" tempdir0

copy "C:\Windows\System32\Drivers\s24trans.sys" tempdir0

copy "C:\Windows\System32\Drivers\sbaphd.sys" tempdir0

copy "C:\Windows\System32\Drivers\sbapifs.sys" tempdir0

copy "C:\Windows\System32\Drivers\sr.sys" tempdir0

copy "C:\Windows\System32\Drivers\Srv.sys" tempdir0

copy "C:\Windows\System32\Drivers\STHDA.sys" tempdir0

copy "C:\Windows\System32\Drivers\swenum.sys" tempdir0

copy "C:\Windows\System32\Drivers\SynTP.sys" tempdir0

copy "C:\Windows\System32\Drivers\sysaudio.sys" tempdir0

copy "C:\Windows\System32\Drivers\Tcpip.sys" tempdir0

copy "C:\Windows\System32\Drivers\TermDD.sys" tempdir0

copy "C:\Windows\System32\Drivers\tosporte.sys" tempdir0

copy "C:\Windows\System32\Drivers\Tosrfcom.sys" tempdir0

copy "C:\Windows\System32\Drivers\Update.sys" tempdir0

copy "C:\Windows\System32\Drivers\usbccgp.sys" tempdir0

copy "C:\Windows\System32\Drivers\usbehci.sys" tempdir0

copy "C:\Windows\System32\Drivers\usbhub.sys" tempdir0

copy "C:\Windows\System32\Drivers\usbprint.sys" tempdir0

copy "C:\Windows\System32\Drivers\usbscan.sys" tempdir0

copy "C:\Windows\System32\Drivers\usbuhci.sys" tempdir0

copy "C:\Windows\System32\drivers\vga.sys" tempdir0

copy "C:\Windows\System32\Drivers\Wanarp.sys" tempdir0

copy "C:\Windows\System32\Drivers\wdmaud.sys" tempdir0

copy "C:\Windows\System32\DRIVERS\HSF_CNXT.sys" tempdir0

copy "C:\Windows\System32\Drivers\WmiAcpi.sys" tempdir0

copy "C:\Windows\System32\Drivers\WS2IFSL.sys" tempdir0

 

attrib -r 3934230198

attrib -h 3934230198

attrib -s 3934230198

del 3934230198

rd 3934230198

dir c:\windows\system32\drivers


Thanks!

 

Now that you have an AV installed, use the computer and see if any malware issues come up. Hopefully not.

 

I'm signing off for tonight, but will take a good look at all the info you provided, and see if there is anything else we need to do.

 

See you tomorrow.


Hizzle G,

 

Was not able to get back to you yesterday, was overcome by events… My apology. Glad you have lots of patience! :mrgreen:

 

If you've had any malware problems, please give an update. Hopefully not!

 

Before we proceed to clean up some of the programs and their reports that have accumulated on your Desktop, or in your C:\ drive, we need to scan the system with this special tool, since some of them are not 'deletable':

 

  • Please download Junction.zip
  • Save to the Desktop.
  • Unzip the file and save junction.exe in the Windows directory (C:\Windows). No need to run it.

Go to Start > Run, and copy/paste the following command in the Open box and click OK:

 

cmd /c junction -s c:\ >log.txt&log.txt

 

A command window opens and scans the system.

Wait until a log file opens.

 

Please copy/paste the log.txt in your reply.

 

Thanks!


This topic is now closed to further replies.