Am I infected?
Comments
-
That's it. I'll check the logs when I have time.
-
Thank you Rik.
-
Open Notepad and copy/paste the text in RED below
File::
c:\programdata\Trusteer\Rapport\store\exts\RapportBukaBroom\13897\RapportBuka.sys
c:\programdata\Trusteer\Rapport\store\exts\RapportBukaBroom\13897\RapportBukaBroom.dll
c:\windows\system32\drivers\RapportBuka.sys
Dirlook::
c:\users\Carol & Aaron\AppData\Local\istnwynyg
Save this as "CFScript" (FULL file will be 'CFScript.txt' EXACTLY as shown)
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.
ComboFix should never take more than 30 minutes including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any processes of findstr, find, sed or swreg; then ComboFix should continue.
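The procedure above (a CFScript with File:: and Dirlook:: sections, dragged onto ComboFix, which then echoes the FILE :: block it actually ran at the top of ComboFix.txt) invites one check a practitioner should do every time: confirm that the paths the tool echoed back are the paths you meant, because a forum or clipboard can silently insert whitespace into them. The following is an added example, not part of this thread and not ComboFix's own code: a small Python checker that parses the script as written, pulls the FILE :: block out of the log, and classifies every difference. The CFScript and log excerpt embedded in it are constructed from lines quoted later in this thread; ComboFix's script format and log layout are assumed only as far as those lines show them, and the directive names and function names are this example's own.

```python
import os
import re

# Constructed sample: the CFScript exactly as posted in the thread (File:: and Dirlook:: sections).
CFSCRIPT_AS_WRITTEN = r"""
File::
c:\programdata\Trusteer\Rapport\store\exts\RapportBukaBroom\13897\RapportBuka.sys
c:\programdata\Trusteer\Rapport\store\exts\RapportBukaBroom\13897\RapportBukaBroom.dll
c:\windows\system32\drivers\RapportBuka.sys
Dirlook::
c:\users\Carol & Aaron\AppData\Local\istnwynyg
"""

# Constructed sample: the head of the ComboFix.txt that came back. ComboFix echoes the
# FILE :: block it actually processed; note the space inside "Rapport BukaBroom".
COMBOFIX_LOG_EXCERPT = r"""
ComboFix 10-05-16.02 - Carol & Aaron 18/05/2010 8:26.4.2 - x86
Command switches used :: c:\users\Carol & Aaron\Desktop\CFScript.txt
FILE ::
"c:\programdata\Trusteer\Rapport\store\exts\Rapport BukaBroom\13897\RapportBuka.sys"
"c:\programdata\Trusteer\Rapport\store\exts\Rapport BukaBroom\13897\RapportBukaBroom.dll"
"c:\windows\system32\drivers\RapportBuka.sys"
.
((((((((((((((((((((((((( Files Created from 2010-04-18 to 2010-05-18 )))))))))))))))))))))))))))))))
"""


def parse_cfscript(text):
    """Split a CFScript into {directive: [entries]}; a directive is a line ending in '::'."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line.strip('"'))
    return sections


def echoed_file_entries(log_text):
    """Return the paths listed under the 'FILE ::' header of a ComboFix log, quotes removed."""
    entries = []
    in_block = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.upper() == "FILE ::":
            in_block = True
            continue
        if in_block:
            if not line or line == ".":
                break
            entries.append(line.strip('"'))
    return entries


def compare_paths(intended, echoed):
    """Pair each intended path with the echoed one and classify every difference.

    'whitespace' means the two differ only in spaces/tabs (the corruption a forum or
    clipboard introduces); 'mismatch' means a genuinely different path.
    """
    def squash(path):
        return re.sub(r"\s+", "", path).lower()

    findings = []
    if len(intended) != len(echoed):
        findings.append(("count", "%d paths written, %d echoed" % (len(intended), len(echoed))))
    for want, got in zip(intended, echoed):
        if want.lower() == got.lower():
            continue
        kind = "whitespace" if squash(want) == squash(got) else "mismatch"
        findings.append((kind, "%r became %r" % (want, got)))
    return findings


def missing_on_disk(paths):
    """Pre-flight on the machine being cleaned: File:: targets that do not exist there."""
    return [p for p in paths if not os.path.exists(p)]


def check_thread_sample():
    """Run the comparison on the constructed samples above."""
    script = parse_cfscript(CFSCRIPT_AS_WRITTEN)
    return compare_paths(script["File"], echoed_file_entries(COMBOFIX_LOG_EXCERPT))


if __name__ == "__main__":
    for kind, detail in check_thread_sample():
        print(kind, detail)
```

Run against the samples, the checker reports two "whitespace" findings (the two paths under the exts folder) and nothing for the driver path, which is exactly the failure this thread runs into: the tool ran, but on paths that do not exist. Before dragging a CFScript onto ComboFix, run missing_on_disk on the File:: entries on the affected machine; any path it returns was either mistyped or mangled in transit and should be retyped by hand rather than pasted.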
-
Sorry, how do I get to ComboFix?
-
Should I have a ComboFix icon on my desktop? I don't have one. Sorry.
-
Ok, when I drag it into your icon (if this is right) it just changes to a white page with what I've copied and pasted; nothing else happens.
-
Ok, think I have (eventually) got it; shall take my son to school at 8, then return and do it.
-
Ok, I made a ComboFix icon on the desktop, dragged the file into it (which then disappeared) and ComboFix started. This is the log:
ComboFix 10-05-16.02 - Carol & Aaron 18/05/2010 8:26.4.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.1915.932 [GMT 1:00]
Running from: c:\users\Carol & Aaron\Downloads\ComboFix.exe
Command switches used :: c:\users\Carol & Aaron\Desktop\CFScript.txt
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
FILE ::
"c:\programdata\Trusteer\Rapport\store\exts\Rapport BukaBroom\13897\RapportBuka.sys"
"c:\programdata\Trusteer\Rapport\store\exts\Rapport BukaBroom\13897\RapportBukaBroom.dll"
"c:\windows\system32\drivers\RapportBuka.sys"
.
((((((((((((((((((((((((( Files Created from 2010-04-18 to 2010-05-18 )))))))))))))))))))))))))))))))
.
2010-05-18 07:32 . 2010-05-18 07:33 -------- d-----w- c:\users\Carol & Aaron\AppData\Local\temp
2010-05-18 07:32 . 2010-05-18 07:32 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-05-18 07:32 . 2010-05-18 07:32 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-16 15:42 . 2010-05-16 15:42 -------- d-----w- c:\program files\Trend Micro
2010-05-16 12:50 . 2010-05-16 14:22 -------- d-----w- c:\users\Carol & Aaron\AppData\Local\istnwynyg
2010-05-12 05:18 . 2010-01-29 15:40 738816 ----a-w- c:\windows\system32\inetcomm.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-17 16:27 . 2008-08-07 16:54 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-05-17 16:27 . 2009-01-17 17:02 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-16 13:38 . 2009-01-17 14:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-12 07:27 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-05-12 07:24 . 2008-08-07 16:58 -------- d-----w- c:\programdata\Microsoft Help
2010-05-06 09:36 . 2009-10-03 06:04 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-04-29 14:39 . 2009-01-17 14:32 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 14:39 . 2009-01-17 14:32 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-29 09:00 . 2009-08-22 18:58 -------- d-----w- c:\users\Carol & Aaron\AppData\Roaming\HpUpdate
2010-03-09 16:25 . 2010-03-31 05:10 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-09 15:42 . 2010-03-31 05:11 834048 ----a-w- c:\windows\system32\wininet.dll
2010-03-04 17:33 . 2010-04-14 05:24 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-03-03 09:02 . 2010-03-03 09:02 509552 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtbDF2C.tmp.exe
2010-02-25 21:11 . 2010-02-25 21:11 390528 ----a-w- c:\programdata\Trusteer\Rapport\store\exts\RapportBukaBroom\13897\RapportBuka.sys
2010-02-25 21:11 . 2010-02-25 21:11 249856 ----a-w- c:\programdata\Trusteer\Rapport\store\exts\RapportBukaBroom\13897\RapportBukaBroom.dll
2010-02-24 12:18 . 2010-02-24 12:18 388096 ----a-r- c:\users\Carol & Aaron\AppData\Roaming\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-02-24 07:50 . 2008-12-12 19:03 114968 ----a-w- c:\users\Carol & Aaron\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-23 11:10 . 2010-04-14 05:24 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-02-23 11:10 . 2010-04-14 05:24 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-02-23 11:10 . 2010-04-14 05:24 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-20 23:06 . 2010-03-11 05:58 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05 . 2010-03-11 05:57 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 20:53 . 2010-03-11 05:57 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-02-18 14:07 . 2010-04-14 05:24 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-02-18 14:07 . 2010-04-14 05:24 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-18 14:07 . 2010-04-14 05:24 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-18 13:30 . 2010-04-14 05:24 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-02-18 11:28 . 2010-04-14 05:24 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\users\Carol & Aaron\AppData\Local\istnwynyg ----
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2008-04-24 430080]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-07 68856]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-08-16 160592]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
"NDSTray.exe"="NDSTray.exe" [BU]
"Google EULA Launcher"="c:\program files\Google\Google EULA\GoogleEULALauncher.exe" [2008-05-28 20480]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-25 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-25 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-25 145944]
"RtHDVCpl"="RtHDVCpl.exe" [2008-04-08 6037504]
"Skytel"="Skytel.exe" [2007-11-20 1826816]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-01-17 431456]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2007-10-31 54608]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2008-06-24 509816]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-05-09 716800]
"Toshiba Registration"="c:\program files\Toshiba\Registration\ToshibaRegistration.exe" [2008-01-11 574864]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2008-04-29 417792]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
"Toshiba TEMPRO"="c:\program files\Toshiba TEMPRO\TemproTray.exe" [2009-04-21 1045904]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
c:\users\Carol & Aaron\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):c2,6c,d0,99,50,e7,c9,01
R1 RapportBuka;RapportBuka;c:\windows\system32\drivers\RapportBuka.sys [x]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-03-03 135664]
S1 aswSP;avast! Self Protection; [x]
S1 RtlProt;Realtke RtlProt WLAN Utility Protocol Driver;c:\windows\system32\DRIVERS\rtlprot.sys [2007-04-23 25896]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-11-24 20560]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\DRIVERS\aswMonFlt.sys [2009-11-24 53328]
S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2008-04-16 40960]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 TemproMonitoringService;Notebook Performance Tuning Service (TEMPRO);c:\program files\Toshiba TEMPRO\TemproSvc.exe [2009-04-21 116104]
S2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [2008-02-06 126976]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys [2009-04-24 347648]
S3 SmartFaceVWatchSrv;SmartFaceVWatchSrv;c:\program files\TOSHIBA\SmartFaceV\SmartFaceVWatchSrv.exe [2008-04-24 73728]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
2010-05-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-03 09:03]
2010-05-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-03 09:03]
.
.
Supplementary Scan
.
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSEA&bmod=TSEA
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: {{76577871-04EC-495E-A12B-91F7C3600AFA} - http://rover.ebay.com/rover/1/710-44557-9400-3/4
FF - ProfilePath - c:\users\Carol & Aaron\AppData\Roaming\Mozilla\Firefox\Profiles\ly84ky8w.default\
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-18 08:33
Windows 6.0.6002 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i???????5`?u??P?#?x?#???#???#??
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
LOCKED REGISTRY KEYS
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2010-05-18 08:36:20
ComboFix-quarantined-files.txt 2010-05-18 07:36
ComboFix2.txt 2010-05-17 17:57
ComboFix3.txt 2010-05-17 16:42
ComboFix4.txt 2010-05-16 15:37
Pre-Run: 75,944,251,392 bytes free
Post-Run: 75,709,595,648 bytes free
- - End Of File - - 27161919460A3B69E0A45F7D9F82E452
I hope this was correct.
-
You've done your bit correctly, but it's not worked (mainly as this site puts spaces in when it shouldn't, which annoys the hell out of me).
Open up hidden files and folders ~
http://www.bleepingcomputer.com/tutorials/tutorial130.html
Open Malwarebytes
Go to MORE TOOLS
then RUN TOOL
Then search for and manually delete them using the Malwarebytes tool ~
"c:\programdata\Trusteer\Rapport\store\exts\RapportBukaBroom\13897\RapportBuka.sys"
"c:\programdata\Trusteer\Rapport\store\exts\RapportBukaBroom\13897\RapportBukaBroom.dll"
"c:\windows\system32\drivers\RapportBuka.sys"
-
Shall try that now, thanks.
This discussion has been closed.