FBI Ransom virus - Desktop taken over!

Comments

  • Malwarebytes Anti-Malware 1.65.0.1400
    www.malwarebytes.org
    Database version: v2012.10.09.10
    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    New User :: OWNER-F95FE0CE0 [administrator]
    17/10/2012 19:25:45
    mbam-log-2012-10-17 (19-25-45).txt
    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 231797
    Time elapsed: 10 minute(s), 23 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 0
    (No malicious items detected)
    Registry Values Detected: 0
    (No malicious items detected)
    Registry Data Items Detected: 2
    HKCR\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32| (Trojan.0Access) -> Bad: (C:\RECYCLER\S-1-5-18\$2b44823f7348049a83c27ebfcb5beefd\n.) Good: (fastprox.dll) -> Quarantined and repaired successfully.
    HKCR\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\InProcServer32| (Trojan.0Access) -> Bad: (C:\RECYCLER\S-1-5-21-484763869-790525478-1417001333-1005\$2b44823f7348049a83c27ebfcb5beefd\n.) Good: (fastprox.dll) -> Quarantined and repaired successfully.
    Folders Detected: 0
    (No malicious items detected)
    Files Detected: 3
    C:\RECYCLER\S-1-5-18\$2b44823f7348049a83c27ebfcb5beefd\n (Trojan.Agent.MRGGen) -> Delete on reboot.
    C:\RECYCLER\S-1-5-21-484763869-790525478-1417001333-1005\$2b44823f7348049a83c27ebfcb5beefd\n (Trojan.Agent.MRGGen) -> Delete on reboot.
    C:\Documents and Settings\New User\Local Settings\Temp\s9uvsi6pyv07bj2q.exe (Trojan.Agent.BH) -> Quarantined and deleted successfully.
    (end)

    Also this

    Malwarebytes Anti-Malware 1.65.1.1000
    www.malwarebytes.org
    Database version: v2012.10.17.10
    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    New User :: OWNER-F95FE0CE0 [administrator]
    17/10/2012 19:44:55
    mbam-log-2012-10-17 (19-44-55).txt
    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 229067
    Time elapsed: 9 minute(s), 11 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 0
    (No malicious items detected)
    Registry Values Detected: 0
    (No malicious items detected)
    Registry Data Items Detected: 1
    HKCR\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\InProcServer32| (Hijack.SHELL32) -> Bad: (fastprox.dll) Good: (shell32.dll) -> Quarantined and repaired successfully.
    Folders Detected: 0
    (No malicious items detected)
    Files Detected: 0
    (No malicious items detected)
    (end)
  • waddler_8 wrote: »
    That's attach.txt - there should be another DDS.txt

    :o


    DDS (Ver_2012-10-14.05) - NTFS_x86
    Internet Explorer: 8.0.6001.18702
    Run by New User at 19:43:07 on 2012-10-17
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1790.1247 [GMT 1:00]
    .
    .
    ============== Running Processes ================
    .
    C:\windows\Explorer.EXE
    C:\windows\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\windows\system32\nvsvc32.exe
    C:\Program Files\RALINK\Common\RalinkRegistryWriter.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
    C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\windows\system32\ctfmon.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\windows\system32\taskmgr.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    C:\windows\System32\svchost.exe -k netsvcs
    C:\windows\system32\svchost.exe -k WudfServiceGroup
    C:\windows\system32\svchost.exe -k NetworkService
    C:\windows\system32\svchost.exe -k LocalService
    C:\windows\system32\svchost.exe -k LocalService
    C:\windows\system32\svchost.exe -k imgsvc
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.co.uk/
    mStart Page = hxxp://www.bigseekpro.com/gsmevolution0/{F29811B0-13BC-4072-B9AA-209A234F0ABB}
    BHO: AcroIEHlprObj Class: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
    BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /minimized /regrun
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
    uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
    mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    LSP: %SYSTEMROOT%\system32\nvLsp.dll
    LSP: mswsock.dll
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1350152033312
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
    DPF: {983A9C21-8207-4B58-BBB8-0EBC3D7C5505} - hxxps://my-remote.eu.johnsoncontrols.com/https/adebuns12.eu.jci.com/dwa8W.cab
    DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    TCP: NameServer = 192.168.1.1 192.168.1.1
    TCP: Interfaces\{42D1AEEA-8600-4877-AC8A-663B5D2AB3E0} : DHCPNameServer = 192.168.1.1 192.168.1.1
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 vcdrom;Virtual CD-ROM Device Driver;c:\documents and settings\new user\desktop\VCdRom.sys [2001-12-19 8576]
    R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2012-9-14 399432]
    R2 RalinkRegistryWriter;Ralink Registry Writer;c:\program files\ralink\common\RalinkRegistryWriter.exe [2009-9-24 75040]
    R2 VMCService;Vodafone Mobile Connect Service;c:\program files\vodafone\vodafone mobile connect\bin\VMCService.exe [2008-10-9 14336]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-2-29 22856]
    R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-10-17 40776]
    R3 mtc0303;BIOS Service Provider;c:\windows\system32\drivers\Mtc0303.sys [2007-7-4 32896]
    R3 VIACRX86;VIACRX86;c:\windows\system32\drivers\viacr.sys [2009-9-24 59264]
    S0 rpekojj;rpekojj;c:\windows\system32\drivers\kudfrft.sys --> c:\windows\system32\drivers\kudfrft.sys [?]
    S1 nflviuqa;nflviuqa;\??\c:\windows\system32\drivers\nflviuqa.sys --> c:\windows\system32\drivers\nflviuqa.sys [?]
    S1 qhwxidei;qhwxidei;\??\c:\windows\system32\drivers\qhwxidei.sys --> c:\windows\system32\drivers\qhwxidei.sys [?]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-10-1 133104]
    S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-2-29 676936]
    S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-7-13 160944]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-3-30 250808]
    S3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\drivers\ew_hwusbdev.sys --> c:\windows\system32\drivers\ew_hwusbdev.sys [?]
    S3 filtertdidriver;filtertdidriver;c:\windows\system32\drivers\ewfiltertdidriver.sys --> c:\windows\system32\drivers\ewfiltertdidriver.sys [?]
    S3 flashusb;flashusb;c:\windows\system32\drivers\flashusb.sys [2012-6-3 16384]
    S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2009-10-22 36608]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-10-1 133104]
    S3 huawei_cdcacm;huawei_cdcacm;c:\windows\system32\drivers\ew_jucdcacm.sys --> c:\windows\system32\drivers\ew_jucdcacm.sys [?]
    S3 huawei_enumerator;huawei_enumerator;c:\windows\system32\drivers\ew_jubusenum.sys --> c:\windows\system32\drivers\ew_jubusenum.sys [?]
    S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys --> c:\windows\system32\drivers\massfilter.sys [?]
    S3 massfilter_hs;ZTE HandSet Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter_hs.sys [2012-6-3 15896]
    S3 RAPIProtocol;Ralink RAPI Protocol Driver;c:\windows\system32\drivers\RAPIProtocol.sys [2009-9-24 16512]
    S3 ZTEusbnet;ZTE USB-NDIS miniport;c:\windows\system32\drivers\zteusbnet.sys --> c:\windows\system32\drivers\ZTEusbnet.sys [?]
    .
    =============== Created Last 30 ================
    .
    2012-10-17 18:42:19 40776 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2012-10-16 19:54:20 d---a-w- C:\Kaspersky Rescue Disk 10.0
    2012-10-09 14:04:02 dc----w- c:\documents and settings\new user\local settings\application data\PCHealth
    2012-09-23 11:01:58 101120 -c--a-r- c:\windows\system32\drivers\ewusbmdm.sys
    2012-09-23 11:01:10 dc----w- c:\documents and settings\new user\application data\Vodafone
    2012-09-23 11:00:40 dc----w- c:\documents and settings\all users\application data\Vodafone
    2012-09-23 11:00:27 dc----w- c:\program files\Vodafone
    2012-09-23 11:00:08 dc----w- c:\documents and settings\new user\local settings\application data\{3B8B09B1-BF28-4F18-9905-7E5CA2899C01}
    .
    ==================== Find3M ====================
    .
    2012-10-09 17:02:42 696760 -c--a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-10-09 17:02:41 73656 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-09-07 16:04:46 22856 -c--a-w- c:\windows\system32\drivers\mbam.sys
    2012-08-30 19:05:15 13816 -c--a-w- c:\windows\system32\unikey.sys
    2012-08-28 15:14:53 916992 -c--a-w- c:\windows\system32\wininet.dll
    2012-08-28 15:14:53 43520 -c----w- c:\windows\system32\licmgr10.dll
    2012-08-28 15:14:52 1469440 -c----w- c:\windows\system32\inetcpl.cpl
    2012-08-28 12:07:15 385024 -c----w- c:\windows\system32\html.iec
    .
    ============= FINISH: 19:43:39.92 ===============
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    There's still signs of infection - Sirefef (aka ZeroAccess rootkit)

    If you're not going to wipe it & reinstall, go here and read through the instructions for downloading and running ComboFix:

    Bleeping Computer ComboFix Tutorial
    • IMPORTANT! Ensure you temporarily turn off any antivirus before running. Instructions here
    • Double click combofix.exe & follow the prompts closely.
    • Combofix may reboot the PC several times.
    • When it's finished, it will automatically produce a log. Post the contents of that log.
    • It can also be found on your C:\ drive named combofix.txt
    Above all, BE PATIENT! and let it run its course. As this malware is particularly hard to remove, it may take ComboFix slightly longer than stated.
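    The signs waddler_8 is pointing to are visible in the logs posted above: CLSID InProcServer32 values redirected into C:\RECYCLER\S-1-5-*\$<32 hex>\ (the Trojan.0Access lines in the MBAM log), the CLSID whose current DLL still differs from the expected one (the Hijack.SHELL32 line), and the three boot/system-start drivers with random names whose files DDS could not find ("[?]"). As an added example (not code from this thread, nor from Malwarebytes, DDS or ComboFix), the script below runs exactly those checks over DDS/ComboFix service lines and MBAM "Registry Data Items" lines. The sample lines are copied from the logs in this thread; the regexes and the start-type threshold are my assumptions for this 2012-era XP variant and are not a general rootkit detector.

```python
"""ZeroAccess/Sirefef log triage.  Added example, not code from this thread
or from Malwarebytes, DDS or ComboFix.  Assumption: the indicators encoded
here are the ones visible in the logs above (2012-era XP variant); they are
not a general rootkit detector."""
import re
from dataclasses import dataclass

# Payload directory used by this variant: C:\RECYCLER\<SID>\$<32 hex chars>\
RECYCLER_PAYLOAD = re.compile(r"\\RECYCLER\\S-1-5-[\d-]+\\\$[0-9a-f]{32}\\", re.I)

# Malwarebytes "Registry Data Items" line for a CLSID InProcServer32 value.
MBAM_REG_DATA = re.compile(
    r"HKCR\\CLSID\\(?P<clsid>\{[0-9A-F-]{36}\})\\InProcServer32\|"
    r".*?Bad:\s*\((?P<bad>[^)]*)\)\s*Good:\s*\((?P<good>[^)]*)\)", re.I)

# DDS / ComboFix service line: "<start> <name>;<description>;<path> [<info>]".
# DDS writes "[?]" when the service's binary cannot be found on disk.
SERVICE_LINE = re.compile(
    r"^(?P<start>[RS][0-4])\s+(?P<name>[^;]+);(?P<desc>[^;]*);"
    r"(?P<path>.*?)\s*\[(?P<info>[^\]]*)\]$")

# Boot-start (0) and system-start (1) entries, running (R) or stopped (S).
BOOT_OR_SYSTEM_START = {"S0", "S1", "R0", "R1"}


@dataclass
class Finding:
    kind: str     # short indicator label
    detail: str   # CLSID or service name
    line: str     # the log line that triggered it


def check_mbam_line(line: str):
    """Flag an InProcServer32 value redirected into the RECYCLER payload dir,
    or one whose current ("Bad") DLL differs from the expected ("Good") one."""
    m = MBAM_REG_DATA.search(line)
    if not m:
        return None
    bad, good = m["bad"].strip(), m["good"].strip()
    if RECYCLER_PAYLOAD.search(bad):
        return Finding("clsid-hijack-recycler", m["clsid"], line)
    if bad.lower() != good.lower():
        return Finding("clsid-hijack", f"{m['clsid']} {bad} != {good}", line)
    return None


def check_service_line(line: str):
    """Flag a boot/system-start driver whose file is missing: the rootkit
    hides its driver from the file system, so the tool reports [?]."""
    m = SERVICE_LINE.match(line)
    if not m:
        return None
    if m["start"] in BOOT_OR_SYSTEM_START and m["info"].strip() == "?":
        return Finding("missing-boot-driver", m["name"], line)
    if RECYCLER_PAYLOAD.search(m["path"]):
        return Finding("service-in-recycler", m["name"], line)
    return None


def triage(lines):
    """Run both checks over raw log lines; return the findings in input order."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        f = check_mbam_line(line) or check_service_line(line)
        if f:
            findings.append(f)
    return findings


def zeroaccess_suspected(lines) -> bool:
    """True if any indicator fired; one hit is enough to keep cleaning."""
    return bool(triage(lines))


# Sample input: lines copied from the MBAM and DDS logs posted in this thread.
SAMPLE_LINES = [
    r"HKCR\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32| (Trojan.0Access) -> Bad: (C:\RECYCLER\S-1-5-18\$2b44823f7348049a83c27ebfcb5beefd\n.) Good: (fastprox.dll) -> Quarantined and repaired successfully.",
    r"HKCR\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\InProcServer32| (Hijack.SHELL32) -> Bad: (fastprox.dll) Good: (shell32.dll) -> Quarantined and repaired successfully.",
    r"R1 vcdrom;Virtual CD-ROM Device Driver;c:\documents and settings\new user\desktop\VCdRom.sys [2001-12-19 8576]",
    r"R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-2-29 22856]",
    r"S0 rpekojj;rpekojj;c:\windows\system32\drivers\kudfrft.sys --> c:\windows\system32\drivers\kudfrft.sys [?]",
    r"S1 nflviuqa;nflviuqa;\??\c:\windows\system32\drivers\nflviuqa.sys --> c:\windows\system32\drivers\nflviuqa.sys [?]",
    r"S1 qhwxidei;qhwxidei;\??\c:\windows\system32\drivers\qhwxidei.sys --> c:\windows\system32\drivers\qhwxidei.sys [?]",
    r"S3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\drivers\ew_hwusbdev.sys --> c:\windows\system32\drivers\ew_hwusbdev.sys [?]",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f.kind:24} {f.detail}")
```

    Note the two deliberate non-hits: the Huawei modem driver is also missing its file but is demand-start (S3), and the virtual CD-ROM driver is system-start but its file is present, so neither fires. The three random-named S0/S1 entries and both CLSID lines do.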
  • john1
    john1 Posts: 430 Forumite
    Part of the Furniture 100 Posts
    Before doing anything drastic, spend an hour or so running this on your infected machine. Download instructions are as follows:


    http://www.sophos.com/en-us/products/free-tools/virus-removal-tool.aspx
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    Not much point at this stage really. Kaspersky's fully scanned the drive, MBAM's done its bit & ComboFix should take out the remaining ZeroAccess stragglers.
  • OK
    Will run ComboFix tonight and post results.

    Thanx

    GD
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    Gizmos_dad wrote: »
    The MSE (Microsoft Security Essentials) has stopped working, it is also not updating, and IE has also stopped working, i.e. no internet.

    The infection prevents windows updates and damages other parts of the OS - combofix should sort it. ;)
  • OK, here are the ComboFix scan results.

    Interesting point... I ran ComboFix and it supposedly had cleaned the machine. However, an avast root scan had already been scheduled to run beforehand, and when that ran after ComboFix it also found a rootkit virus, the same as ComboFix: Sirefef or something like that. I'm hoping that between the two they have fixed the problem.


    ComboFix 12-10-17.05 - New User 18/10/2012 2:22.2.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1790.1236 [GMT 1:00]
    Running from: E:\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\New User\Application Data\msconfig.ini
    c:\documents and settings\New User\Application Data\Toolbar4
    c:\documents and settings\Owner\WINDOWS
    c:\windows\system32\AdbWinApi.dll
    c:\windows\system32\msstdfmt.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    \Legacy_NVSVC
    \Service_NVSvc
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-09-18 to 2012-10-18 )))))))))))))))))))))))))))))))
    .
    .
    2012-10-18 01:22 . 2012-10-18 01:22 dc----w- c:\windows\LastGood.Tmp
    2012-10-17 19:00 . 2012-10-17 19:03 dc----w- c:\documents and settings\New User\Local Settings\Application Data\Google
    2012-10-17 19:00 . 2012-08-21 09:13 355632 -c--a-w- c:\windows\system32\drivers\aswSP.sys
    2012-10-17 19:00 . 2012-08-21 09:13 21256 -c--a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2012-10-17 19:00 . 2012-08-21 09:13 35928 -c--a-w- c:\windows\system32\drivers\aswRdr.sys
    2012-10-17 19:00 . 2012-08-21 09:13 54232 -c--a-w- c:\windows\system32\drivers\aswTdi.sys
    2012-10-17 19:00 . 2012-08-21 09:13 729752 -c--a-w- c:\windows\system32\drivers\aswSnx.sys
    2012-10-17 19:00 . 2012-08-21 09:13 97608 -c--a-w- c:\windows\system32\drivers\aswmon2.sys
    2012-10-17 19:00 . 2012-08-21 09:13 89624 -c--a-w- c:\windows\system32\drivers\aswmon.sys
    2012-10-17 19:00 . 2012-08-21 09:13 25256 -c--a-w- c:\windows\system32\drivers\aavmker4.sys
    2012-10-17 18:59 . 2012-08-21 09:12 41224 -c--a-w- c:\windows\avastSS.scr
    2012-10-17 18:59 . 2012-08-21 09:12 227648 -c--a-w- c:\windows\system32\aswBoot.exe
    2012-10-17 18:58 . 2012-10-17 18:58 dc----w- c:\program files\AVAST Software
    2012-10-17 18:58 . 2012-10-17 18:58 dc----w- c:\documents and settings\All Users\Application Data\AVAST Software
    2012-10-16 19:54 . 2012-10-17 00:34 d---a-w- C:\Kaspersky Rescue Disk 10.0
    2012-10-09 14:04 . 2012-10-09 14:04 dc----w- c:\documents and settings\New User\Local Settings\Application Data\PCHealth
    2012-09-23 11:01 . 2008-07-04 13:33 101120 -c--a-r- c:\windows\system32\drivers\ewusbmdm.sys
    2012-09-23 11:01 . 2012-09-23 11:01 dc----w- c:\documents and settings\New User\Application Data\Vodafone
    2012-09-23 11:01 . 2012-09-23 11:01 dc----w- c:\documents and settings\All Users\Application Data\InstallShield
    2012-09-23 11:01 . 2012-09-23 11:01 dc----w- c:\documents and settings\LocalService\Application Data\Vodafone
    2012-09-23 11:00 . 2012-09-23 11:00 dc----w- c:\documents and settings\All Users\Application Data\Vodafone
    2012-09-23 11:00 . 2012-09-23 11:00 dc----w- c:\program files\Vodafone
    2012-09-23 11:00 . 2012-09-23 11:00 dc----w- c:\documents and settings\New User\Local Settings\Application Data\{3B8B09B1-BF28-4F18-9905-7E5CA2899C01}
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-10-09 17:02 . 2012-03-30 07:38 696760 -c--a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-10-09 17:02 . 2011-05-15 12:06 73656 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-09-29 18:54 . 2012-02-29 22:19 22856 -c--a-w- c:\windows\system32\drivers\mbam.sys
    2012-08-30 19:05 . 2012-08-30 19:05 13816 -c--a-w- c:\windows\system32\unikey.sys
    2012-08-28 15:14 . 2008-04-14 12:00 916992 -c--a-w- c:\windows\system32\wininet.dll
    2012-08-28 15:14 . 2008-04-14 12:00 43520 -c----w- c:\windows\system32\licmgr10.dll
    2012-08-28 15:14 . 2008-04-14 12:00 1469440 -c----w- c:\windows\system32\inetcpl.cpl
    2012-08-28 12:07 . 2008-04-14 12:00 385024 -c----w- c:\windows\system32\html.iec
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2012-08-21 09:12 121528 -c--a-w- c:\program files\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2012-07-13 17418928]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2012-10-17 39408]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13545472]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-04-15 417792]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-08-21 4282728]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2011-07-27 434080]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
    2008-06-19 15:20 57344 -c----r- c:\windows\Alcmtr.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
    2012-05-30 19:06 59280 -c--a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    2009-02-26 18:36 30040 -c--a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2012-06-07 18:33 421776 -c--a-w- c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
    2012-09-29 18:54 766536 -c--a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MobileConnect]
    2008-10-09 14:33 2086912 -c--a-w- c:\program files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 04:42 1695232 -c----w- c:\program files\Messenger\msmsgs.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2008-09-17 14:24 13545472 -c--a-w- c:\windows\system32\nvcpl.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    2008-09-17 14:24 1630208 -c--a-w- c:\windows\system32\nwiz.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-04-15 16:23 417792 -c--a-w- c:\program files\QuickTime\qttask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
    2008-07-31 14:05 16806912 w- c:\windows\RTHDCPL.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2011-06-09 13:06 254696 -c--a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    .
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [17/10/2012 20:00 729752]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [17/10/2012 20:00 355632]
    R1 vcdrom;Virtual CD-ROM Device Driver;c:\documents and settings\New User\Desktop\VCdRom.sys [19/12/2001 11:45 8576]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [17/10/2012 20:00 21256]
    R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [14/09/2012 17:22 399432]
    R2 VMCService;Vodafone Mobile Connect Service;c:\program files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe [09/10/2008 15:32 14336]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [29/02/2012 23:19 22856]
    R3 mtc0303;BIOS Service Provider;c:\windows\system32\drivers\Mtc0303.sys [04/07/2007 08:52 32896]
    R3 VIACRX86;VIACRX86;c:\windows\system32\drivers\viacr.sys [24/09/2009 17:03 59264]
    S0 rpekojj;rpekojj;c:\windows\system32\drivers\kudfrft.sys --> c:\windows\system32\drivers\kudfrft.sys [?]
    S1 nflviuqa;nflviuqa;\??\c:\windows\system32\drivers\nflviuqa.sys --> c:\windows\system32\drivers\nflviuqa.sys [?]
    S1 qhwxidei;qhwxidei;\??\c:\windows\system32\drivers\qhwxidei.sys --> c:\windows\system32\drivers\qhwxidei.sys [?]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [01/10/2009 01:44 133104]
    S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [29/02/2012 23:19 676936]
    S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [13/07/2012 13:28 160944]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [30/03/2012 08:38 250808]
    S3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\DRIVERS\ew_hwusbdev.sys --> c:\windows\system32\DRIVERS\ew_hwusbdev.sys [?]
    S3 filtertdidriver;filtertdidriver;c:\windows\system32\drivers\ewfiltertdidriver.sys --> c:\windows\system32\drivers\ewfiltertdidriver.sys [?]
    S3 flashusb;flashusb;c:\windows\system32\drivers\flashusb.sys [03/06/2012 13:19 16384]
    S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [22/10/2009 16:35 36608]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [01/10/2009 01:44 133104]
    S3 huawei_cdcacm;huawei_cdcacm;c:\windows\system32\DRIVERS\ew_jucdcacm.sys --> c:\windows\system32\DRIVERS\ew_jucdcacm.sys [?]
    S3 huawei_enumerator;huawei_enumerator;c:\windows\system32\DRIVERS\ew_jubusenum.sys --> c:\windows\system32\DRIVERS\ew_jubusenum.sys [?]
    S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys --> c:\windows\system32\drivers\massfilter.sys [?]
    S3 massfilter_hs;ZTE HandSet Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter_hs.sys [03/06/2012 13:20 15896]
    S3 ZTEusbnet;ZTE USB-NDIS miniport;c:\windows\system32\DRIVERS\ZTEusbnet.sys --> c:\windows\system32\DRIVERS\ZTEusbnet.sys [?]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-10-17 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 17:02]
    .
    2012-10-09 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 16:57]
    .
    2012-10-18 c:\windows\Tasks\avast! Emergency Update.job
    - c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2012-10-17 09:12]
    .
    2012-10-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cc12f45672ead6.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-10-01 00:44]
    .
    2012-10-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA1cc12f456b0e7fa.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-10-01 00:44]
    .
    .
    Supplementary Scan
    .
    uStart Page = hxxp://www.google.co.uk/
    mStart Page = hxxp://www.bigseekpro.com/gsmevolution0/{F29811B0-13BC-4072-B9AA-209A234F0ABB}
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    LSP: %SYSTEMROOT%\system32\nvLsp.dll
    TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
    .
    - - - - ORPHANS REMOVED - - - -
    .
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
    SafeBoot-MsMpSvc
    MSConfigStartUp-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
    MSConfigStartUp-FlashPlayerUpdate - c:\windows\system32\Macromed\Flash\FlashUtil32_11_2_202_235_ActiveX.exe
    AddRemove-01_Simmental - c:\program files\SAMSUNG\USB Drivers\01_Simmental\Uninstall.exe
    AddRemove-02_Siberian - c:\program files\SAMSUNG\USB Drivers\02_Siberian\Uninstall.exe
    AddRemove-03_Swallowtail - c:\program files\SAMSUNG\USB Drivers\03_Swallowtail\Uninstall.exe
    AddRemove-04_semseyite - c:\program files\SAMSUNG\USB Drivers\04_semseyite\Uninstall.exe
    AddRemove-05_Sloan - c:\program files\SAMSUNG\USB Drivers\05_Sloan\Uninstall.exe
    AddRemove-06_Spencer - c:\program files\SAMSUNG\USB Drivers\06_Spencer\Uninstall.exe
    AddRemove-07_Schorl - c:\program files\SAMSUNG\USB Drivers\07_Schorl\Uninstall.exe
    AddRemove-08_EMPChipset - c:\program files\SAMSUNG\USB Drivers\08_EMPChipset\Uninstall.exe
    AddRemove-09_Hsp - c:\program files\SAMSUNG\USB Drivers\09_Hsp\Uninstall.exe
    AddRemove-11_HSP_Plus_Default - c:\program files\SAMSUNG\USB Drivers\11_HSP_Plus_Default\Uninstall.exe
    AddRemove-16_Shrewsbury - c:\program files\SAMSUNG\USB Drivers\16_Shrewsbury\Uninstall.exe
    AddRemove-17_EMP_Chipset2 - c:\program files\SAMSUNG\USB Drivers\17_EMP_Chipset2\Uninstall.exe
    AddRemove-18_Zinia_Serial_Driver - c:\program files\SAMSUNG\USB Drivers\18_Zinia_Serial_Driver\Uninstall.exe
    AddRemove-19_VIA_driver - c:\program files\SAMSUNG\USB Drivers\19_VIA_driver\Uninstall.exe
    AddRemove-20_NXP_Driver - c:\program files\SAMSUNG\USB Drivers\20_NXP_Driver\Uninstall.exe
    AddRemove-21_Searsburg - c:\program files\SAMSUNG\USB Drivers\21_Searsburg\Uninstall.exe
    AddRemove-22_WiBro_WiMAX - c:\program files\SAMSUNG\USB Drivers\22_WiBro_WiMAX\Uninstall.exe
    AddRemove-24_flashusbdriver - c:\program files\SAMSUNG\USB Drivers\24_flashusbdriver\Uninstall.exe
    AddRemove-25_escape - c:\program files\SAMSUNG\USB Drivers\25_escape\Uninstall.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-10-18 02:32
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    LOCKED REGISTRY KEYS
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\M*i*c*r*o*-*B*o*x* *"!\Micro-Box A.I.0\RestorePointInfo]
    "SequenceNumber"="322"
    .
    DLLs Loaded Under Running Processes
    .
    - - - - - - - > 'lsass.exe'(948)
    c:\windows\system32\nvLsp.dll
    .
    - - - - - - - > 'explorer.exe'(412)
    c:\windows\system32\WININET.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Other Running Processes
    .
    c:\program files\AVAST Software\Avast\AvastSvc.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\RALINK\Common\RalinkRegistryWriter.exe
    c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
    c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2012-10-18 02:41:55 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-10-18 01:41
    .
    Pre-Run: 125,267,480,576 bytes free
    Post-Run: 125,674,242,048 bytes free
    .
    - - End Of File - - 099BA8452698347227A26ADDF2CA3612
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    Was the machine offline or did the installation fail? It's important that the recovery console is installed.

    As per the tutorial "without it, Combofix shall not attempt fixing of some serious infections"
  • Hi Waddler_8, thanks for the update.

    Just downloaded the recovery console and followed the instructions. Ran ComboFix again and it is coming up with the error "boot partition cannot be enumerated correctly".

    What's next, continue with the malware scan or cancel?

    I have cancelled it, as it doesn't seem right to me.

    GD
This discussion has been closed.