Author Topic: [Resolved K] RootkitRevealer found a rootkit

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 6343
Re: [Resolved K] RootkitRevealer found a rootkit
« Reply #15 on: April 29, 2012, 11:11:07 AM »
Thanks for the logs and the update; post the complete ESET log when you're ready. As you can see, ESET has already flagged two files, so we will have to upload those for analysis. Do the following:

Please visit
Virustotal
  • Click the Browse... button
  • Navigate to the file C:\Users\Jay\Documents\CEH extras\Group2\Laura Chappell-video\DVD-3\dvd3\Hands-On_Self-Study\White Hat Toolbox\Course Evaluation Software\Hurricane Search\hsearch40.exe or just copy/paste it in.
  • Click the Scan it tab
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Copy and paste the results back here please.
  • Repeat the above steps for the following file.

C:\Users\Jay\Documents\CEH extras\Group2\Laura Chappell-video\DVD-3\dvd3\Hands-On_Self-Study\White Hat Toolbox\Course Evaluation Software\Hurricane Search\setup.exe

Next,

I'd like you to navigate to C:\Qoobox, find ComboFix-quarantined-files.txt and post the contents of that file in your reply.

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 6343
Re: [Resolved K] RootkitRevealer found a rootkit
« Reply #16 on: May 09, 2012, 04:04:32 PM »
It's been over a week since your last reply, willynilly; are you still with us?

Offline willynilly

  • Bronze Member
  • Posts: 60
Re: [Resolved K] RootkitRevealer found a rootkit
« Reply #17 on: May 09, 2012, 08:24:59 PM »
Hi Kevin,

Yes, I'm back.  I was away last week for business with no access to my systems.  This past Sunday I attempted to run the ESET scan again and after 5+ hours it was 93% complete, but I had to stop it and get sleep.

I intend to delete some files that I really don't use but have kept, to reduce the roughly 420G on that drive down a bit.  I will re-run ESET this Saturday (start it in the morning, not the evening) and close out this malware incident with you.

Thanks for checking back with me.  I haven't forgotten you either or the great work you and the team do.

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 6343
Re: [Resolved K] RootkitRevealer found a rootkit
« Reply #18 on: May 10, 2012, 12:01:01 AM »
Ok, thanks for the update; don't worry about reply times, just respond when you can. I have similar problems at times which make it difficult for me.
The forum software will auto close your thread after 11 days; I'll prompt after 7 if you have not replied by then...

Kevin

Offline willynilly

  • Bronze Member
  • Posts: 60
Re: [Resolved K] RootkitRevealer found a rootkit
« Reply #19 on: May 12, 2012, 02:34:02 PM »
Hi Kevin,

I cleaned out a lot of files that I really didn't use from my D drive and reran the ESET scan.  I got the same 2 questionable files found (which aren't really questionable, as they are education material from a CEH course).
I uploaded both to VirusTotal and copied the results (below also).  I copied the Qoobox file also, but noticed it didn't have the .ax video files that were accidentally removed earlier, but I found another file called "ComboFix2" that did have them listed, so I added that file below also.  Thank you for your help and long-lasting patience.

====================================
ESET SCAN results

C:\Users\Jay\Documents\CEH extras\Group2\Laura Chappell-video\DVD-3\dvd3\Hands-On_Self-Study\White Hat Toolbox\Course Evaluation Software\Hurricane Search\hsearch40.exe   probably a variant of Win32/Agent.BC trojan
C:\Users\Jay\Documents\CEH extras\Group2\Laura Chappell-video\DVD-3\dvd3\Hands-On_Self-Study\White Hat Toolbox\Course Evaluation Software\Hurricane Search\setup.exe   probably a variant of Win32/Agent.BC trojan

====================================
VirusTotal results from first file

SHA256: 3205e8f8f6dc5400bdcfcb00984c9933d515739a8445c8910128ace294a39091
Detection ratio: 4 / 41
Analysis date: 2010-07-17 18:38:43 UTC ( 1 year, 10 months ago )

Antivirus              Result                                      Update
a-squared              Riskware.PSWTool.Win32.PdfCracker!IK        20100717
AhnLab-V3              -                                           20100716
AntiVir                -                                           20100716
Antiy-AVL              -                                           20100715
Authentium             -                                           20100717
Avast                  -                                           20100717
Avast5                 -                                           20100717
AVG                    -                                           20100717
BitDefender            -                                           20100717
CAT-QuickHeal          -                                           20100716
ClamAV                 -                                           20100717
Comodo                 -                                           20100717
DrWeb                  -                                           20100717
eSafe                  -                                           20100715
eTrust-Vet             -                                           20100716
F-Prot                 -                                           20100717
F-Secure               -                                           20100717
Fortinet               -                                           20100717
GData                  -                                           20100717
Ikarus                 not-a-virus:PSWTool.Win32.PdfCracker        20100717
Jiangmin               -                                           20100717
Kaspersky              not-a-virus:PSWTool.Win32.PdfCracker.s      20100717
McAfee                 -                                           20100717
McAfee-GW-Edition      -                                           20100716
Microsoft              -                                           20100717
NOD32                  -                                           20100717
Norman                 -                                           20100717
nProtect               -                                           20100717
Panda                  Suspicious file                             20100717
PCTools                -                                           20100717
Rising                 -                                           20100716
Sophos                 -                                           20100717
Sunbelt                -                                           20100717
SUPERAntiSpyware       -                                           20100717
Symantec               -                                           20100717
TheHacker              -                                           20100716
TrendMicro             -                                           20100717
TrendMicro-HouseCall   -                                           20100717
VBA32                  -                                           20100716
ViRobot                -                                           20100717
VirusBuster            -                                           20100716


====================================
VirusTotal results from second file

SHA256: 3205e8f8f6dc5400bdcfcb00984c9933d515739a8445c8910128ace294a39091
Detection ratio: 4 / 41
Analysis date: 2010-07-17 18:38:43 UTC ( 1 year, 10 months ago )

Antivirus              Result                                      Update
a-squared              Riskware.PSWTool.Win32.PdfCracker!IK        20100717
AhnLab-V3              -                                           20100716
AntiVir                -                                           20100716
Antiy-AVL              -                                           20100715
Authentium             -                                           20100717
Avast                  -                                           20100717
Avast5                 -                                           20100717
AVG                    -                                           20100717
BitDefender            -                                           20100717
CAT-QuickHeal          -                                           20100716
ClamAV                 -                                           20100717
Comodo                 -                                           20100717
DrWeb                  -                                           20100717
eSafe                  -                                           20100715
eTrust-Vet             -                                           20100716
F-Prot                 -                                           20100717
F-Secure               -                                           20100717
Fortinet               -                                           20100717
GData                  -                                           20100717
Ikarus                 not-a-virus:PSWTool.Win32.PdfCracker        20100717
Jiangmin               -                                           20100717
Kaspersky              not-a-virus:PSWTool.Win32.PdfCracker.s      20100717
McAfee                 -                                           20100717
McAfee-GW-Edition      -                                           20100716
Microsoft              -                                           20100717
NOD32                  -                                           20100717
Norman                 -                                           20100717
nProtect               -                                           20100717
Panda                  Suspicious file                             20100717
PCTools                -                                           20100717
Rising                 -                                           20100716
Sophos                 -                                           20100717
Sunbelt                -                                           20100717
SUPERAntiSpyware       -                                           20100717
Symantec               -                                           20100717
TheHacker              -                                           20100716
TrendMicro             -                                           20100717
TrendMicro-HouseCall   -                                           20100717
VBA32                  -                                           20100716
ViRobot                -                                           20100717
VirusBuster            -                                           20100716


====================================
Combofix-quarantined-files.txt contents

2012-04-29 11:31:53 . 2012-04-29 11:31:53            1,002 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\Service_NNI.reg.dat
2012-04-29 11:31:53 . 2012-04-29 11:31:53            1,114 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\Service_ILPUTXJWWD.reg.dat
2012-04-29 11:31:04 . 2012-04-29 11:31:04           14,190 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2012-04-29 11:21:34 . 2012-04-29 11:21:34                0 ----a-w-  C:\Qoobox\Quarantine\catchme.txt
2012-04-29 11:18:00 . 2012-04-29 11:21:34               62 ----a-w-  C:\Qoobox\Quarantine\catchme.log
2010-08-18 13:13:04 . 2011-03-20 00:58:08            1,919 ----a-w-  C:\Qoobox\Quarantine\C\Users\Jay\AppData\Roaming\Mozilla\Firefox\Profiles\n5jmtqjl.default\searchplugins\bing-zugo.xml.vir

====================================
Combofix2.txt contents

ComboFix 12-04-28.01 - Jay 04/28/2012  18:17:54.3.4 - x86
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3327.2032 [GMT -4:00]
Running from: c:\users\Jay\Desktop\ComboFix.exe
AV: Norton 360 *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton 360 *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton 360 *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Jay\AppData\Roaming\.#
c:\users\Jay\AppData\Roaming\Mozilla\Firefox\Profiles\n5jmtqjl.default\weave\toFetch
c:\users\Jay\AppData\Roaming\Mozilla\Firefox\Profiles\n5jmtqjl.default\weave\toFetch\clients.json
c:\users\Jay\AppData\Roaming\Mozilla\Firefox\Profiles\n5jmtqjl.default\weave\toFetch\tabs.json
c:\windows\system32\aac_parser.ax
c:\windows\system32\ac3DX.ax
c:\windows\system32\AVCDX.ax
c:\windows\system32\bdaplgin.ax
c:\windows\system32\cero.rs
c:\windows\system32\CoreAAC.ax
c:\windows\system32\csrr.rs
c:\windows\system32\DiracSplitter.ax
c:\windows\system32\esrb.rs
c:\windows\system32\FLACDX.ax
c:\windows\system32\g711codc.ax
c:\windows\system32\grb.rs
c:\windows\system32\iac25_32.ax
c:\windows\system32\ir41_32.ax
c:\windows\system32\ivfsrc.ax
c:\windows\system32\ksproxy.ax
c:\windows\system32\kstvtune.ax
c:\windows\system32\Kswdmcap.ax
c:\windows\system32\ksxbar.ax
c:\windows\system32\MatroskaDX.ax
c:\windows\system32\MPCDx.ax
c:\windows\system32\Mpeg2Data.ax
c:\windows\system32\mpg2splt.ax
c:\windows\system32\MSDvbNP.ax
c:\windows\system32\MSNP.ax
c:\windows\system32\oflc.rs
c:\windows\system32\pegi-fi.rs
c:\windows\system32\pegi-pt.rs
c:\windows\system32\pegi.rs
c:\windows\system32\pegibbfc.rs
c:\windows\system32\psisrndr.ax
c:\windows\system32\RealMediaDX.ax
c:\windows\system32\RLAPEDec.ax
c:\windows\system32\RLMPCDec.ax
c:\windows\system32\RLOgg.ax
c:\windows\system32\RLSpeexDec.ax
c:\windows\system32\RLTheoraDec.ax
c:\windows\system32\RLVorbisDec.ax
c:\windows\system32\TAKDSDecoder.ax
c:\windows\system32\TTADSDecoder.ax
c:\windows\system32\TTADSSplitter.ax
c:\windows\system32\usk.rs
c:\windows\system32\VBICodec.ax
c:\windows\system32\vbisurf.ax
c:\windows\system32\vidcap.ax
c:\windows\system32\WEB.rs
c:\windows\system32\WSTPager.ax
c:\windows\system32\xvid.ax
.
.
(((((((((((((((((((((((((   Files Created from 2012-03-28 to 2012-04-28  )))))))))))))))))))))))))))))))
.
.
2012-04-28 22:35 . 2012-04-28 22:35   --------   d-----w-   c:\users\Jay\AppData\Local\temp
2012-04-28 22:35 . 2012-04-28 22:35   --------   d-----w-   c:\users\Public\AppData\Local\temp
2012-04-28 22:35 . 2012-04-28 22:35   --------   d-----w-   c:\users\Default\AppData\Local\temp
2012-04-28 20:11 . 2012-04-28 20:11   9310   ----a-w-   c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXTBOX.JS
2012-04-28 20:11 . 2012-04-28 20:11   8646   ----a-w-   c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TILEBOX.JS
2012-04-28 20:11 . 2012-04-28 20:11   6429   ----a-w-   c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UICORE.JS
2012-04-28 20:11 . 2012-04-28 20:11   63115   ----a-w-   c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\USERTILE.JS
2012-04-28 20:11 . 2012-04-28 20:11   4599   ----a-w-   c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UIRESOURCE.JS
2012-04-28 20:11 . 2012-04-28 20:11   8613   ----a-w-   c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\SAVEDUSER.JS
2012-04-28 20:11 . 2012-04-28 20:11   5927   ----a-w-   c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXT.JS
2012-04-28 20:11 . 2012-04-28 20:11   1651   ----a-w-   c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\QUERYSTRING.JS
2012-04-28 20:11 . 2012-04-28 20:11   6910   ----a-w-   c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\NEWUSERCOMM.JS
2012-04-28 20:11 . 2012-04-28 20:11   8288   ----a-w-   c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\IMAGE.JS
2012-04-28 20:11 . 2012-04-28 20:11   6208   ----a-w-   c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LINK.JS
2012-04-28 20:11 . 2012-04-28 20:11   18541   ----a-w-   c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LOCALIZATION.JS
2012-04-28 20:10 . 2012-04-28 20:10   51852   ----a-w-   c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\EXTERNALWRAPPER.JS
2012-04-28 20:10 . 2012-04-28 20:10   20719   ----a-w-   c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\DIVWRAPPER.JS
2012-04-28 20:10 . 2012-04-28 20:10   8782   ----a-w-   c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\BUTTON.JS
2012-04-28 20:10 . 2012-04-28 20:10   7271   ----a-w-   c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\CHECKBOX.JS
2012-04-28 20:10 . 2012-04-28 20:10   23327   ----a-w-   c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\COMBOBOX.JS
2012-04-28 18:36 . 2012-04-28 18:36   --------   d-----w-   C:\_OTM
2012-04-23 23:00 . 2012-04-28 12:07   --------   d-----w-   c:\windows\system32\drivers\N360\0602000.009
2012-04-22 14:18 . 2011-11-24 02:23   35960   ----a-r-   c:\windows\system32\drivers\SymIMV.sys
2012-04-22 01:40 . 2012-03-01 05:46   19824   ----a-w-   c:\windows\system32\drivers\fs_rec.sys
2012-04-22 01:40 . 2012-03-01 05:37   172544   ----a-w-   c:\windows\system32\wintrust.dll
2012-04-22 01:40 . 2012-03-01 05:33   159232   ----a-w-   c:\windows\system32\imagehlp.dll
2012-04-22 01:40 . 2012-03-01 05:29   5120   ----a-w-   c:\windows\system32\wmi.dll
2012-04-22 01:40 . 2012-03-06 05:59   3968368   ----a-w-   c:\windows\system32\ntkrnlpa.exe
2012-04-22 01:40 . 2012-03-06 05:59   3913072   ----a-w-   c:\windows\system32\ntoskrnl.exe
2012-04-06 19:42 . 2012-04-21 18:50   418464   ----a-w-   c:\windows\system32\FlashPlayerApp.exe
2012-04-01 21:11 . 2012-04-23 22:39   --------   d-----w-   c:\program files\Mozilla Maintenance Service
2012-04-01 21:11 . 2012-04-22 15:44   157352   ----a-w-   c:\program files\Mozilla Firefox\maintenanceservice_installer.exe
2012-04-01 21:11 . 2012-04-22 15:44   129976   ----a-w-   c:\program files\Mozilla Firefox\maintenanceservice.exe
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-21 18:50 . 2011-05-20 01:09   70304   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-04 19:56 . 2010-10-11 17:38   22344   ----a-w-   c:\windows\system32\drivers\mbam.sys
2012-03-24 18:02 . 2012-03-04 17:57   141944   ----a-w-   c:\windows\system32\drivers\SYMEVENT.SYS
2012-02-17 05:34 . 2012-03-13 23:27   826880   ----a-w-   c:\windows\system32\rdpcore.dll
2012-02-17 04:14 . 2012-03-13 23:27   183808   ----a-w-   c:\windows\system32\drivers\rdpwd.sys
2012-02-17 04:13 . 2012-03-13 23:27   24576   ----a-w-   c:\windows\system32\drivers\tdtcp.sys
2012-02-12 02:35 . 2010-09-10 19:56   231760   ----a-w-   c:\windows\system32\drivers\truecrypt.sys
2012-02-10 05:38 . 2012-03-13 23:27   1077248   ----a-w-   c:\windows\system32\DWrite.dll
2012-02-03 03:54 . 2012-03-13 23:27   2343424   ----a-w-   c:\windows\system32\win32k.sys
2012-04-22 15:44 . 2012-03-03 19:02   97208   ----a-w-   c:\program files\mozilla firefox\components\browsercomps.dll
2006-05-03 16:06   163328   --sha-r-   c:\windows\System32\flvDX.dll
2007-02-21 17:47   31232   --sha-r-   c:\windows\System32\msfDX.dll
2008-03-16 19:30   216064   --sha-r-   c:\windows\System32\nbDX.dll
2010-01-07 04:00   107520   --sha-r-   c:\windows\System32\TAKDSDecoder.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotkeyMon"="AsusSender.exe" [2011-07-13 34728]
"HotkeyService"="AsusSender.exe" [2011-07-13 34728]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-09-29 7744032]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-07 13797920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
"SuperHybridEngine"="AsusSender.exe" [2011-07-13 34728]
"LivCam"="c:\program files\ASUS\LivCam\LivCam.exe" [2009-10-17 284160]
"LiveUpdate"="AsusSender.exe" [2011-07-13 34728]
"SynAsusAcpi"="c:\program files\Synaptics\SynTP\SynAsusAcpi.exe" [2009-11-20 83240]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-11-20 1594664]
"Eraser"="c:\progra~1\Eraser\Eraser.exe" [2010-11-05 980368]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2010-07-04 17408]
"Daemon for Mouse Suite"="c:\program files\Lenovo\Lenovo Mouse Suite\ICO.EXE" [2010-07-28 69632]
"vmware-tray"="c:\program files\VMware\VMware Workstation\vmware-tray.exe" [2011-09-24 129648]
"PDFPrint"="c:\program files\PDF24\pdf24.exe" [2011-12-16 220744]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
.
c:\users\Jay\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-8-2 795936]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer2"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages   REG_MULTI_SZ      kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 AsusService;Asus Launcher Service;c:\windows\System32\AsusService.exe [2009-08-19 219136]
R2 BBSvc;BingBar Service;c:\program files\Microsoft\BingBar\7.1.361.0\BBSvc.exe [2012-02-10 193816]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 D-Link SharePort Helper;D-Link SharePort Helper;c:\program files\D-Link\SharePort Utility\Spnuhelper.exe [2009-12-11 40960]
R2 PelService;Session Launcher Service;c:\program files\Lenovo\Lenovo Mouse Suite\PelService.exe [2010-04-22 184320]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-21 253088]
R3 bmdrvr;Modified Clusters Tracking Driver;c:\windows\system32\drivers\bmdrvr.sys [2011-03-15 54384]
R3 ILPUTXJWWD;ILPUTXJWWD;c:\users\Jay\AppData\Local\Temp\ILPUTXJWWD.exe

R3 MEMOQDRV;MemoQ Voice Recorder;c:\windows\system32\DRIVERS\memoqdrv.sys [2010-01-22 25664]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [2012-04-22 129976]
R3 NNI;NNI;c:\users\Jay\AppData\Local\Temp\NNI.exe

S1 AsUpIO;AsUpIO;c:\windows\system32\drivers\AsUpIO.sys [2011-02-09 11832]
S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.1.2\Definitions\BASHDefs\20120413.001\BHDrvx86.sys [2012-04-02 821880]
S1 ccSet_N360;Norton 360 Settings Manager;c:\windows\system32\drivers\N360\0602000.009\ccSetx86.sys [2011-11-04 132744]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.1.2\Definitions\IPSDefs\20120427.001\IDSvix86.sys [2012-03-09 368248]
S1 pelmoubt;Mouse Suite Bluetooth Driver;c:\windows\system32\DRIVERS\pelmoubt.sys [2009-04-23 18432]
S2 N360;Norton 360;c:\program files\Norton 360\Engine\6.2.0.9\ccSvcHst.exe [2012-03-27 138232]
S2 OberonGameConsoleService;Oberon Media Game Console service;c:\program files\Asus\Game Park\GameConsole\OberonGameConsoleService.exe [2009-09-15 44312]
S3 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\7.1.361.0\SeaPort.exe [2012-02-10 240408]
S3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2009-11-25 43944]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2009-11-25 29472]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-03-03 106104]
S3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);c:\windows\system32\DRIVERS\L1C62x86.sys [2009-07-27 51712]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-08-11 66592]
S3 pelbtm;Bluetooth Mouse Filter Driver;c:\windows\system32\DRIVERS\pelbtm.sys [2007-09-20 13312]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-28 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-06 18:50]
.
2012-04-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2272782862-793588217-2826545157-1000Core.job
- c:\users\Jay\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-02 00:57]
.
2012-04-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2272782862-793588217-2826545157-1000UA.job
- c:\users\Jay\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-02 00:57]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
LSP: c:\program files\VMware\VMware Workstation\vsocklib.dll
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
FF - ProfilePath - c:\users\Jay\AppData\Roaming\Mozilla\Firefox\Profiles\n5jmtqjl.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bing.com/?pc=Z007&form=ZGAPHP
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
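Defender-side triage of the service entries in the ComboFix log above, written as an added example (not ComboFix's own code and not from anyone in this thread): it parses the `R3 name;display;path [date size]` lines and flags an entry when its image lives in a Temp folder, when ComboFix printed no `[date size]` suffix (the file was not found on disk), or when the display name merely repeats the service name, which is how the NNI and ILPUTXJWWD entries look. The sample log is constructed from the lines above and the three heuristics are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the format ComboFix uses for service entries in its
# "Reg Loading Points" section: <state> <name>;<display name>;<image path> [<date> <size>].
# The two Temp-folder entries mirror the NNI / ILPUTXJWWD lines in the log above;
# the other three are ordinary vendor services.
SAMPLE_LOG = r"""
R2 AsusService;Asus Launcher Service;c:\windows\System32\AsusService.exe [2009-08-19 219136]
R3 ILPUTXJWWD;ILPUTXJWWD;c:\users\Jay\AppData\Local\Temp\ILPUTXJWWD.exe
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [2012-04-22 129976]
R3 NNI;NNI;c:\users\Jay\AppData\Local\Temp\NNI.exe
S1 ccSet_N360;Norton 360 Settings Manager;c:\windows\system32\drivers\N360\0602000.009\ccSetx86.sys [2011-11-04 132744]
"""

SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+"          # R = running, S = stopped; digit = start type
    r"(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)"                  # image path, matched lazily so the suffix can bind
    r"(?:\s+\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\])?\s*$"
)

# Directories in which a legitimately installed service binary should not live (assumption).
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")

REASON_TEMP = "image path is under a Temp directory"
REASON_MISSING = "no [date size] suffix, so ComboFix did not find the image file on disk"
REASON_NO_DISPLAY = "display name merely repeats the service name"


@dataclass
class ServiceEntry:
    state: str
    name: str
    display: str
    path: str
    size: Optional[int]
    reasons: List[str] = field(default_factory=list)


def parse_combofix_services(text: str) -> List[ServiceEntry]:
    """Parse every service line in a ComboFix log excerpt; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        size = int(m.group("size")) if m.group("size") else None
        entries.append(ServiceEntry(m.group("state"), m.group("name"),
                                    m.group("display"), m.group("path"), size))
    return entries


def flag_service(entry: ServiceEntry) -> List[str]:
    """Return the triage reasons that apply to one entry (empty list means nothing odd)."""
    reasons = []
    if any(d in entry.path.lower() for d in TEMP_DIRS):
        reasons.append(REASON_TEMP)
    if entry.size is None:
        reasons.append(REASON_MISSING)
    if entry.display == entry.name:
        reasons.append(REASON_NO_DISPLAY)
    return reasons


def triage(text: str) -> List[ServiceEntry]:
    """Parse a log excerpt and return only the entries that have at least one reason."""
    flagged = []
    for entry in parse_combofix_services(text):
        entry.reasons = flag_service(entry)
        if entry.reasons:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.state} {e.name}: {e.path}")
        for r in e.reasons:
            print(f"    - {r}")
```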

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 6343
Re: [Resolved K] RootkitRevealer found a rootkit
« Reply #20 on: May 12, 2012, 02:41:28 PM »
mmmm, if you trust those files that ESET flagged, that is fine by me. Just realize that 4 hits at VT make them very suspect; I would not have them on my system.

Regarding the legit files that Combofix removed, I need to see the exact address of the quarantine folder. Go to the following folder:

C:\Qoobox. Inside will be the file ComboFix-quarantined-files.txt; copy and paste that into your reply. Also give an update on current issues and concerns...

Kevin

Offline willynilly

  • Bronze Member
  • Posts: 60
Re: [Resolved K] RootkitRevealer found a rootkit
« Reply #21 on: May 12, 2012, 03:08:02 PM »
Hi Kevin,

Here are the contents of the Qoobox quarantine file, but the .ax files aren't in there.  I am afraid that in my attempt to learn something early on, I clobbered the original file you are looking for.  Since I have taken backups of the drive, I plan on locating and restoring the .ax files from the c:\system\system32 backup directory.

========================================
ComboFix-quarantined-files.txt

2012-04-29 11:31:53 . 2012-04-29 11:31:53            1,002 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\Service_NNI.reg.dat
2012-04-29 11:31:53 . 2012-04-29 11:31:53            1,114 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\Service_ILPUTXJWWD.reg.dat
2012-04-29 11:31:04 . 2012-04-29 11:31:04           14,190 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2012-04-29 11:21:34 . 2012-04-29 11:21:34                0 ----a-w-  C:\Qoobox\Quarantine\catchme.txt
2012-04-29 11:18:00 . 2012-04-29 11:21:34               62 ----a-w-  C:\Qoobox\Quarantine\catchme.log
2010-08-18 13:13:04 . 2011-03-20 00:58:08            1,919 ----a-w-  C:\Qoobox\Quarantine\C\Users\Jay\AppData\Roaming\Mozilla\Firefox\Profiles\n5jmtqjl.default\searchplugins\bing-zugo.xml.vir
========================================

Those malware files won't be executed; they are simply part of the video education tools.  Perhaps one day I will copy them onto a VMware machine and actually take the video course.

Thank you.

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 6343
Re: [Resolved K] RootkitRevealer found a rootkit
« Reply #22 on: May 12, 2012, 03:16:47 PM »
Ok, as those .ax files are no longer in the quarantine folder I cannot "De-Quarantine" them. If you have backups then you should be OK...

How is your system responding now, are there any remaining issues or concerns?

Kevin

Offline willynilly

  • Bronze Member
  • Posts: 60
Re: [Resolved K] RootkitRevealer found a rootkit
« Reply #23 on: May 12, 2012, 04:06:02 PM »
Hi Kevin,

The machine is running fine, I will get those files restored from my Norton or Windows backup files.  Even without them, I can't notice anything not working, so whatever they are, I don't usually use them anyway.

If I need to undo any tools or things, just let me know.  I left a support donation for you and the SpywareHammer team.   You guys are providing a tremendous rescue service to the rest of us malware victims.

Thank you.

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 6343
Re: [Resolved K] RootkitRevealer found a rootkit
« Reply #24 on: May 12, 2012, 04:41:57 PM »
Ok, do the following:

Step 1

Remove Combofix now that we're done with it
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
The above procedure will delete the following:
  • ComboFix and its associated files and folders.
  • VundoFix backups, if present
  • The C:_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.

It is very important that you get a successful uninstall because of the extra functions done at the same time; let me know if this does not happen.

Step 2

Remove ESET online scanner:

  • Click Start, type Uninstall a Program into the Search programs and files box, and then press ENTER.
  • Click to select ESET Online Scanner from the listing of installed products, and then click Uninstall/Change from the bar that displays the available tasks. Uninstall ESET Online Scanner; only re-boot if prompted.
Step 3

  • Download OTC by OldTimer and save it to your desktop. Alternative mirror
  • Double click icon to start the program.
    If you are using Vista or Windows 7, please right-click and choose run as administrator
  • Then Click the big button.
  • You will get a prompt saying "Beginning Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
  • This will remove tools we have used and itself.


Any tools/logs remaining on the Desktop can be deleted.

Step 4

Go here http://www.filehippo.com/updatechecker/, run the FileHippo update checker and update all applications as suggested by the update checker. Ignore any Beta updates.

Step 5

Download TFC to your desktop, from either of the following links
 Link 1
 Link 2
  • Save any open work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program. Vista or Windows 7 users right click and select “Run as Administrator”
  • If prompted, click "Yes" to reboot.
TFC will automatically close any open programs, including your Desktop. Let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds.  TFC may re-boot your system; if not, re-boot it yourself to complete the cleaning process <---- Very Important

Keep TFC; it is an excellent utility to keep your system optimized, it empties all user temp folders, Java cache etc.  Always remember to re-boot after a run, even if not prompted.

Let me know if those steps complete OK, also if any remaining issues or concerns...

Kevin


Offline willynilly

  • Bronze Member
  • Posts: 60
Re: [Resolved K] RootkitRevealer found a rootkit
« Reply #25 on: May 12, 2012, 07:26:12 PM »
Hi Kevin,

All the uninstallers and the cleanup and update programs ran perfectly.   Updater and TFC are great little programs which I will run as part of my vigilance.

So, thank you, yet again.  I have learned from you about checking for (not going to attempt fixing anything) malware.

You guys provide a service that is of incredible value to all of us that are bitten in the internet jungle.

I am so glad I know where to find you when I am in trouble again.

By the way, I mention you by name to the people I know.  I like to share the wealth with others.

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 6343
Re: [Resolved K] RootkitRevealer found a rootkit
« Reply #26 on: May 13, 2012, 03:54:12 AM »
Thank you very much for the kind words; please be aware that all the helpers here are of the highest quality. It does not matter who responds to a thread, the service will always be the same.
I actually completed my Malware Fighting training here at SpywareHammer, so in my opinion I learned from the best.

Since this issue appears to be resolved, the topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.

The fixes and advice in this thread are for this System only. Do not apply the instructions from this thread to your own System. Please start a new thread describing your issue and someone will be along to assist you.
« Last Edit: May 13, 2012, 03:57:46 AM by kevinf80 »