Cleo
Posts posted by Cleo
-
Hi Chris,
That site confused me a little but here's a link to the results when I re-ran it just now:
http://www.virustotal.com/analisis/c98adbd...58bf-1258374365
and here are the results as I ATTEMPTED to copy-paste them yesterday:
File atiide.sys received on 2009.11.15 23:54:46 (UTC)
Result: 0/41 (0%)
Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.11.10 -
AhnLab-V3 5.0.0.2 2009.11.06 -
AntiVir 7.9.1.61 2009.11.10 -
Antiy-AVL 2.0.3.7 2009.11.10 -
Authentium 5.2.0.5 2009.11.10 -
Avast 4.8.1351.0 2009.11.10 -
AVG 8.5.0.423 2009.11.10 -
BitDefender 7.2 2009.11.10 -
CAT-QuickHeal 10.00 2009.11.10 -
ClamAV 0.94.1 2009.11.10 -
Comodo 2905 2009.11.10 -
DrWeb 5.0.0.12182 2009.11.10 -
eSafe 7.0.17.0 2009.11.10 -
eTrust-Vet 35.1.7113 2009.11.10 -
F-Prot 4.5.1.85 2009.11.10 -
F-Secure 9.0.15370.0 2009.11.09 -
Fortinet 3.120.0.0 2009.11.10 -
GData 19 2009.11.10 -
Ikarus T3.1.1.74.0 2009.11.10 -
Jiangmin 11.0.800 2009.11.10 -
K7AntiVirus 7.10.892 2009.11.09 -
Kaspersky 7.0.0.125 2009.11.10 -
McAfee 5797 2009.11.09 -
McAfee+Artemis 5797 2009.11.09 -
McAfee-GW-Edition 6.8.5 2009.11.10 -
Microsoft 1.5202 2009.11.10 -
NOD32 4592 2009.11.10 -
Norman 6.03.02 2009.11.09 -
nProtect 2009.1.8.0 2009.11.10 -
Panda 10.0.2.2 2009.11.09 -
PCTools 7.0.3.5 2009.11.10 -
Prevx 3.0 2009.11.16 -
Rising 22.21.01.09 2009.11.10 -
Sophos 4.47.0 2009.11.10 -
Sunbelt 3.2.1858.2 2009.11.10 -
Symantec 1.4.4.12 2009.11.10 -
TheHacker 6.5.0.2.064 2009.11.09 -
TrendMicro 9.0.0.1003 2009.11.10 -
VBA32 3.12.10.11 2009.11.09 -
ViRobot 2009.11.10.2029 2009.11.10 -
VirusBuster 4.6.5.0 2009.11.09 -
Additional information
File size: 5632 bytes
MD5...: 899c9f94ed5ec5eff71aa6e17a084419
SHA1..: d0ee636952be2368e6abbf0392deadedc58bde2b
SHA256: c98adbd906afdbe541bffa05798e04efb0464c4028f8fbeac9c219ef0d0958bf
ssdeep: 96:Nbe9h9T9OxE2Gv9f+73XDWza+XABc3GouPOsqqjbkI30fVI4LRvES9Gj:he9h9T9Hnv9+DH0smifis
PEiD..: -
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0xe58
timedatestamp.....: 0x40609e07 (Tue Mar 23 20:28:55 2004)
machinetype.......: 0x14c (I386)
( 6 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x300 0xb84 0xc00 6.31 64a344a5283cb2eb5961a491b6cf1b26
.rdata 0xf00 0xad 0x100 4.09 a7a647fe85110f30e877a767d45b1da6
.data 0x1000 0x2 0x80 0.00 f09f35a5637839458e462e6350ecbce4
INIT 0x1080 0x80 0x80 3.73 bc6d0604d805230d661f7f06079dafac
.rsrc 0x1100 0x468 0x480 3.21 eb54e685b7f8c671a7687c4c2339b402
.reloc 0x1580 0x52 0x80 3.31 46cf3771960da20b71390417cc2cd0f2
( 1 imports )
> PCIIDEX.SYS: PciIdeXSetBusData, PciIdeXInitialize, PciIdeXGetBusData
( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Generic Win/DOS Executable (49.9%)
DOS Executable Generic (49.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
sigcheck:
publisher....: ATI Technologies Inc.
copyright....: Copyright© ATI Technologies Inc. 2000-2004
product......: ATI IDE BUS Master Controller Driver
description..: ATI IDE BUS Master Controller Driver
original name: Atiide.sys
internal name: Atiide.sys
file version.: 1.00.0000.2 built by: WinDDK
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
Here is F-Secure's online scanner report:
Scanning Report
Monday, November 16, 2009 00:19:36 - 11:52:16
Computer name: FRED
Scanning type: Scan system for malware, spyware and rootkits
Target: C:\ E:\
13 malware found
TrackingCookie.Questionmarket (spyware)
* System (Disinfected)
TrackingCookie.2o7 (spyware)
* System (Disinfected)
TrackingCookie.Advertising (spyware)
* System (Disinfected)
TrackingCookie.Atdmt (spyware)
* System (Disinfected)
TrackingCookie.Adtech (spyware)
* System (Disinfected)
TrackingCookie.Adform (spyware)
* System (Disinfected)
TrackingCookie.Doubleclick (spyware)
* System (Disinfected)
TrackingCookie.Revsci (spyware)
* System (Disinfected)
TrackingCookie.Adbrite (spyware)
* System (Disinfected)
TrackingCookie.Mediaplex (spyware)
* System (Disinfected)
TrackingCookie.Atwola (spyware)
* System (Disinfected)
TrackingCookie.Yieldmanager (spyware)
* System (Disinfected)
TrackingCookie.Imrworldwide (spyware)
* System (Disinfected)
Statistics
Scanned:
* Files: 176482
* System: 3332
* Not scanned: 100
Actions:
* Disinfected: 13
* Renamed: 0
* Deleted: 0
* Not cleaned: 0
* Submitted: 0
Files not scanned:
* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* C:\WINDOWS\$NTUNINSTALLKB837001$\DAO360.DLL
* C:\WINDOWS\$NTUNINSTALLKB837001$\EXPSRV.DLL
* C:\WINDOWS\$NTUNINSTALLKB837001$\MSEXCL40.DLL
* C:\WINDOWS\$NTUNINSTALLKB837001$\MSEXCH40.DLL
* C:\WINDOWS\$NTUNINSTALLKB837001$\MSJETOL1.DLL
* C:\WINDOWS\$NTUNINSTALLKB837001$\MSJET40.DLL
* C:\WINDOWS\$NTUNINSTALLKB837001$\MSJETOLEDB40.DLL
* C:\WINDOWS\$NTUNINSTALLKB837001$\MSJINT40.DLL
* C:\WINDOWS\$NTUNINSTALLKB837001$\MSJTER40.DLL
* C:\WINDOWS\$NTUNINSTALLKB837001$\MSJTES40.DLL
* C:\WINDOWS\$NTUNINSTALLKB837001$\MSLTUS40.DLL
* C:\WINDOWS\$NTUNINSTALLKB837001$\MSRD2X40.DLL
* C:\WINDOWS\$NTUNINSTALLKB837001$\MSPBDE40.DLL
* C:\WINDOWS\$NTUNINSTALLKB837001$\MSRD3X40.DLL
* C:\WINDOWS\$NTUNINSTALLKB837001$\MSREPL40.DLL
* C:\WINDOWS\$NTUNINSTALLKB837001$\MSWDAT10.DLL
* C:\WINDOWS\$NTUNINSTALLKB837001$\MSTEXT40.DLL
* C:\WINDOWS\$NTUNINSTALLKB837001$\MSWSTR10.DLL
* C:\WINDOWS\$NTUNINSTALLKB837001$\MSXBDE40.DLL
* C:\WINDOWS\$NTUNINSTALLKB837001$\VBAJET32.DLL
* C:\WINDOWS\$NTUNINSTALLKB835732$\GDI32.DLL
* C:\WINDOWS\$NTUNINSTALLKB835732$\CALLCONT.DLL
* C:\WINDOWS\$NTUNINSTALLKB835732$\H323.TSP
* C:\WINDOWS\$NTUNINSTALLKB835732$\HELPCTR.EXE
* C:\WINDOWS\$NTUNINSTALLKB835732$\H323MSP.DLL
* C:\WINDOWS\$NTUNINSTALLKB835732$\IPNATHLP.DLL
* C:\WINDOWS\$NTUNINSTALLKB835732$\LSASRV.DLL
* C:\WINDOWS\$NTUNINSTALLKB835732$\MF3216.DLL
* C:\WINDOWS\$NTUNINSTALLKB835732$\MSASN1.DLL
* C:\WINDOWS\$NTUNINSTALLKB835732$\MST120.DLL
* C:\WINDOWS\$NTUNINSTALLKB835732$\MSGINA.DLL
* C:\WINDOWS\$NTUNINSTALLKB835732$\NMCOM.DLL
* C:\WINDOWS\$NTUNINSTALLKB835732$\NETAPI32.DLL
* C:\WINDOWS\$NTUNINSTALLKB835732$\SCHANNEL.DLL
* C:\WINDOWS\$NTUNINSTALLKB835732$\RTCDLL.DLL
* C:\WINDOWS\$NTUNINSTALLKB830680$\KEYMGR.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\CATSRVUT.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\CATSRV.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\CLBCATEX.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\COLBACT.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\CLBCATQ.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\COMADMIN.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\COMREPL.EXE
* C:\WINDOWS\$NTUNINSTALLKB828741$\COMSVCS.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\COMUID.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\ES.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\MIGREGDB.EXE
* C:\WINDOWS\$NTUNINSTALLKB828741$\MSDTCPRX.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\MSDTCTM.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\MTXCLU.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\MSDTCUIU.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\MTXOCI.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\OLE32.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\RPCRT4.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\RPCSS.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\TXFLOG.DLL
* C:\WINDOWS\$NTUNINSTALLKB828035$\WKSSVC.DLL
* C:\WINDOWS\$NTUNINSTALLKB828035$\MSGSVC.DLL
* C:\WINDOWS\$NTUNINSTALLKB828028$\MSASN1.DLL
* C:\WINDOWS\$NTUNINSTALLKB828012$\NTKRNLPA.EXE
* C:\WINDOWS\$NTUNINSTALLKB828012$\NTKRNLMP.EXE
* C:\WINDOWS\$NTUNINSTALLKB828012$\NTKRPAMP.EXE
* C:\WINDOWS\$NTUNINSTALLKB828012$\NTOSKRNL.EXE
* C:\WINDOWS\$NTUNINSTALLKB826939$\CRYPT32.DLL
* C:\WINDOWS\$NTUNINSTALLKB826939$\ACCWIZ.EXE
* C:\WINDOWS\$NTUNINSTALLKB826939$\CRYPTSVC.DLL
* C:\WINDOWS\$NTUNINSTALLKB826939$\HHCTRL.OCX
* C:\WINDOWS\$NTUNINSTALLKB826939$\HH.EXE
* C:\WINDOWS\$NTUNINSTALLKB826939$\HHSETUP.DLL
* C:\WINDOWS\$NTUNINSTALLKB826939$\ITSS.DLL
* C:\WINDOWS\$NTUNINSTALLKB826939$\HTML32.CNV
* C:\WINDOWS\$NTUNINSTALLKB826939$\MAGNIFY.EXE
* C:\WINDOWS\$NTUNINSTALLKB826939$\LOCATOR.EXE
* C:\WINDOWS\$NTUNINSTALLKB826939$\MIGWIZ.EXE
* C:\WINDOWS\$NTUNINSTALLKB826939$\MSCONV97.DLL
* C:\WINDOWS\$NTUNINSTALLKB826939$\MRXSMB.SYS
* C:\WINDOWS\$NTUNINSTALLKB826939$\NARRATOR.EXE
* C:\WINDOWS\$NTUNINSTALLKB826939$\NEWDEV.DLL
* C:\WINDOWS\$NTUNINSTALLKB826939$\NTDLL.DLL
* C:\WINDOWS\$NTUNINSTALLKB826939$\OLE32.DLL
* C:\WINDOWS\$NTUNINSTALLKB826939$\OSK.EXE
* C:\WINDOWS\$NTUNINSTALLKB826939$\PCHSHELL.DLL
* C:\WINDOWS\$NTUNINSTALLKB826939$\RASPPTP.SYS
* C:\WINDOWS\$NTUNINSTALLKB826939$\RPCRT4.DLL
* C:\WINDOWS\$NTUNINSTALLKB826939$\RPCSS.DLL
* C:\WINDOWS\$NTUNINSTALLKB826939$\SHELL32.DLL
* C:\WINDOWS\$NTUNINSTALLKB826939$\SHMEDIA.DLL
* C:\WINDOWS\$NTUNINSTALLKB826939$\SRRSTR.DLL
* C:\WINDOWS\$NTUNINSTALLKB826939$\SRV.SYS
* C:\WINDOWS\$NTUNINSTALLKB826939$\WINSRV.DLL
* C:\WINDOWS\$NTUNINSTALLKB826939$\ZIPFLDR.DLL
* C:\WINDOWS\$NTUNINSTALLKB824141$\USER32.DLL
* C:\WINDOWS\$NTUNINSTALLKB824141$\WIN32K.SYS
* C:\WINDOWS\$NTUNINSTALLKB822624$\HAL.DLL
Options
Scanning engines:
Scanning options:
* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use advanced heuristics
And here is your security check's check up thing:
Results of screen317's Security Check version 0.99.0
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
Avira AntiVir Personal - Free Antivirus
ESET Online Scanner v3
McAfee Security Scan
Avira updated!
``````````````````````````````
Anti-malware/Other Utilities Check:
HijackThis 2.0.2
Java 6 Update 15
Java 6 Update 3
Java 6 Update 7
Java 2 Runtime Environment, SE v1.4.2_04
Out of date Java installed!
Adobe Flash Player 10
Adobe Reader 6.0.1
Out of date Adobe Reader installed!
``````````````````````````````
Process Check:
objlist.exe by Laurent
Avira Antivir avgnt.exe
Avira Antivir avguard.exe
``````````````````````````````
DNS Vulnerability Check:
GREAT! (Not vulnerable to DNS cache poisoning)
`````````End of Log```````````
As for what issues remain:
It's pretty much all cleared up, thank you! Sort of in dribs and drabs. The second error message on start-up cleared after the first round, and I was able to open my Windows Security Centre and firewall after the most recent round except this. It's still slow, but it was before, so that's nothing new. I think ComboFix managed to get rid of what was really worrying me, the TR/Dropper.Gen one, because AntiVir hasn't detected it for ages now.
The only thing still outstanding is that on restart I get a message from Outlook Express saying it can compact files to save disc space, which is fair enough, but I don't use Outlook Express at all so I still find that weird.
Thank you again for all your help,
Cleo
-
Hi,
No worries.
Here is the new Combofix log:
ComboFix 09-11-15.01 - Cleo 15/11/2009 1:28.2.1 - FAT32x86
Running from: c:\documents and settings\Cleo\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Cleo\Desktop\CFScript.txt
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
--------------- FCopy ---------------
c:\windows\ServicePackFiles\i386\eventlog.dll --> c:\windows\system32\eventlog.dll
.
((((((((((((((((((((((((( Files Created from 2009-10-15 to 2009-11-15 )))))))))))))))))))))))))))))))
.
2009-11-15 01:28 . 2008-04-14 00:11 56320 -c--a-w- c:\windows\system32\dllcache\eventlog.dll
2009-11-15 01:28 . 2008-04-14 00:11 56320 ----a-w- c:\windows\system32\eventlog.dll
2009-11-07 17:30 . 2009-11-07 17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-07 17:19 . 2009-11-07 17:19 152576 ----a-w- c:\documents and settings\Cleo\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-11-07 17:15 . 2009-11-08 13:21 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-11-07 17:14 . 2009-09-23 16:37 34112 ----a-w- c:\documents and settings\Cleo\Application Data\Mozilla\Firefox\Profiles\ghh1kvrd.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg_bootstrap.exe
2009-11-07 17:14 . 2009-09-23 16:37 32448 ----a-w- c:\documents and settings\Cleo\Application Data\Mozilla\Firefox\Profiles\ghh1kvrd.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2009-11-07 17:14 . 2009-09-23 16:37 22352 ----a-w- c:\documents and settings\Cleo\Application Data\Mozilla\Firefox\Profiles\ghh1kvrd.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2009-11-07 15:52 . 2009-11-07 15:52 -------- d-----w- c:\program files\Trend Micro
2009-11-07 13:07 . 2009-11-07 13:07 -------- d-----w- c:\documents and settings\Cleo\Application Data\Malwarebytes
2009-11-07 13:06 . 2009-09-10 14:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-07 13:06 . 2009-11-07 13:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-07 13:06 . 2009-09-10 14:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-07 13:06 . 2009-11-07 13:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-07 12:58 . 2009-11-07 12:58 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-11-07 12:26 . 2009-11-07 12:27 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2009-11-07 12:24 . 2009-11-07 12:24 -------- d-----w- c:\program files\McAfee Security Scan
2009-10-27 18:44 . 2009-10-27 18:44 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-10-26 07:57 . 2009-10-26 07:57 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-25 21:25 . 2009-10-25 21:25 -------- d-----w- c:\program files\ESET
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-10 18:33 . 2008-10-12 14:20 1 ----a-w- c:\documents and settings\Cleo\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2009-11-10 18:33 . 2008-10-12 14:18 -------- d-----w- c:\documents and settings\Cleo\Application Data\OpenOffice.org2
2009-11-07 17:26 . 2004-05-18 07:12 -------- d-----w- c:\program files\Java
2009-11-02 00:42 . 2008-10-17 14:02 -------- d-----w- c:\documents and settings\Cleo\Application Data\uTorrent
2009-09-11 14:18 . 2004-05-18 05:27 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2004-05-18 05:27 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-01 22:46 . 2009-10-27 18:42 38208 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-09-01 22:46 . 2009-09-01 22:47 38208 ----a-w- c:\documents and settings\Cleo\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-08-29 08:08 . 2006-06-23 10:33 916480 ------w- c:\windows\system32\wininet.dll
2009-08-28 18:42 . 2009-09-20 23:37 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-28 18:42 . 2008-09-03 02:02 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-26 08:00 . 2004-05-18 05:27 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-25 00:30 . 2009-10-11 12:11 13312 ----a-w- c:\documents and settings\Cleo\Application Data\Mozilla\Firefox\Profiles\ghh1kvrd.default\extensions\twitternotifier@naan.net\components\nsTwitterFoxSign.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-11-09_23.45.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-14 08:58 . 2009-11-14 08:58 16384 c:\windows\Temp\Perflib_Perfdata_84.dat
+ 2004-05-18 07:31 . 2009-11-12 23:25 166712 c:\windows\system32\FNTCACHE.DAT
- 2004-05-18 07:31 . 2009-07-14 13:29 166712 c:\windows\system32\FNTCACHE.DAT
+ 2004-05-18 05:27 . 2009-08-14 13:21 1850624 c:\windows\system32\win32k.sys
+ 2008-10-16 23:21 . 2009-08-14 13:21 1850624 c:\windows\system32\dllcache\win32k.sys
+ 2008-09-02 23:42 . 2009-11-05 17:36 26768832 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 65536]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-03-09 335872]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-01-22 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-01-22 495616]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2004-04-30 430080]
"ACU"="c:\program files\Atheros\ACU.exe" [2004-04-16 282624]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2004-04-27 118784]
"PadTouch"="c:\program files\TOSHIBA\PadTouch\PadExe.exe" [2004-02-12 1019904]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-07 149280]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2004-04-29 266240]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2004-02-20 88363]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan.lnk - c:\program files\McAfee Security Scan\1.0.150\SSScheduler.exe [2009-7-28 199184]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
Wireless Utility.lnk - c:\program files\EDIMAX\Common\RaUI.exe [2009-7-20 1601536]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [02/09/2008 19:50 5632]
R2 ANISERVICE;Airgo Networks NIC Service;c:\windows\system32\aniServ.exe [30/09/2004 12:16 143360]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [22/07/2009 22:51 108289]
R2 RalinkRegistryWriter;Ralink Registry Writer;c:\program files\EDIMAX\Common\RalinkRegistryWriter.exe [20/07/2009 10:37 69632]
S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [20/07/2009 10:36 619136]
--- Other Services/Drivers In Memory ---
*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
Contents of the 'Scheduled Tasks' folder
2009-10-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2008-09-02 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\System32\OOBE\oobebaln.exe [2004-05-18 00:12]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Cleo\Application Data\Mozilla\Firefox\Profiles\ghh1kvrd.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.livejournal.com/
FF - component: c:\documents and settings\Cleo\Application Data\Mozilla\Firefox\Profiles\ghh1kvrd.default\extensions\twitternotifier@naan.net\components\nsTwitterFoxSign.dll
FF - plugin: c:\documents and settings\Cleo\Application Data\Mozilla\Firefox\Profiles\ghh1kvrd.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-15 01:53
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\}
-
Hi, thank you for your prompt response.
I've updated MBAM, here is the log:
Malwarebytes' Anti-Malware 1.41
Database version: 3130
Windows 5.1.2600 Service Pack 3
08/11/2009 23:20:29
mbam-log-2009-11-08 (23-20-29).txt
Scan type: Quick Scan
Objects scanned: 107204
Time elapsed: 20 minute(s), 25 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
I then ran ComboFix, first turning off my virus scanners as instructed. However, partway through, ComboFix restarted my computer as a rootkit (?) was found, and when the computer restarted Avira AntiVir restarted too. Anyway, here is the log for ComboFix:
ComboFix 09-11-08.03 - Cleo 09/11/2009 23:20.1.1 - NTFSx86
Running from: c:\documents and settings\Cleo\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\recycler\S-1-5-21-117609710-1500820517-682003330-1003
c:\recycler\S-1-5-21-1192141612-79458676-1314586074-1003
c:\recycler\S-1-5-21-331646997-3410284032-914650695-1003
E:\resycled
e:\resycled\boot.com
Infected copy of c:\windows\System32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it
.
((((((((((((((((((((((((( Files Created from 2009-10-09 to 2009-11-09 )))))))))))))))))))))))))))))))
.
2009-11-07 17:30 . 2009-11-07 17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-07 17:19 . 2009-11-07 17:19 152576 ----a-w- c:\documents and settings\Cleo\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-11-07 17:15 . 2009-11-08 13:21 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-11-07 17:14 . 2009-09-23 16:37 34112 ----a-w- c:\documents and settings\Cleo\Application Data\Mozilla\Firefox\Profiles\ghh1kvrd.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg_bootstrap.exe
2009-11-07 17:14 . 2009-09-23 16:37 32448 ----a-w- c:\documents and settings\Cleo\Application Data\Mozilla\Firefox\Profiles\ghh1kvrd.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2009-11-07 17:14 . 2009-09-23 16:37 22352 ----a-w- c:\documents and settings\Cleo\Application Data\Mozilla\Firefox\Profiles\ghh1kvrd.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2009-11-07 15:52 . 2009-11-07 15:52 -------- d-----w- c:\program files\Trend Micro
2009-11-07 13:07 . 2009-11-07 13:07 -------- d-----w- c:\documents and settings\Cleo\Application Data\Malwarebytes
2009-11-07 13:06 . 2009-09-10 14:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-07 13:06 . 2009-11-07 13:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-07 13:06 . 2009-09-10 14:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-07 13:06 . 2009-11-07 13:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-07 12:58 . 2009-11-07 12:58 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-11-07 12:26 . 2009-11-07 12:27 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2009-11-07 12:24 . 2009-11-07 12:24 -------- d-----w- c:\program files\McAfee Security Scan
2009-10-27 18:44 . 2009-10-27 18:44 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-10-26 07:57 . 2009-10-26 07:57 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-25 21:25 . 2009-10-25 21:25 -------- d-----w- c:\program files\ESET
2009-10-11 12:11 . 2009-08-25 00:30 13312 ----a-w- c:\documents and settings\Cleo\Application Data\Mozilla\Firefox\Profiles\ghh1kvrd.default\extensions\twitternotifier@naan.net\components\nsTwitterFoxSign.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-08 16:28 . 2008-10-12 14:20 1 ----a-w- c:\documents and settings\Cleo\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2009-11-08 16:28 . 2008-10-12 14:18 -------- d-----w- c:\documents and settings\Cleo\Application Data\OpenOffice.org2
2009-11-07 17:26 . 2004-05-18 07:12 -------- d-----w- c:\program files\Java
2009-11-02 00:42 . 2008-10-17 14:02 -------- d-----w- c:\documents and settings\Cleo\Application Data\uTorrent
2009-09-11 14:18 . 2004-05-18 05:27 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2004-05-18 05:27 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-01 22:46 . 2009-10-27 18:42 38208 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-09-01 22:46 . 2009-09-01 22:47 38208 ----a-w- c:\documents and settings\Cleo\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-08-29 08:08 . 2006-06-23 10:33 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-28 18:42 . 2009-09-20 23:37 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-28 18:42 . 2008-09-03 02:02 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-26 08:00 . 2004-05-18 05:27 247326 ----a-w- c:\windows\system32\strmdll.dll
.
------- Sigcheck -------
[7] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\eventlog.dll
[7] 2004-08-04 . 82B24CB70E5944E6E34662205A2A5B78 . 55808 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\eventlog.dll
[7] 2004-08-04 . 82B24CB70E5944E6E34662205A2A5B78 . 55808 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\eventlog.dll
c:\windows\system32\eventlog.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 65536]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-03-09 335872]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-01-22 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-01-22 495616]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2004-04-30 430080]
"ACU"="c:\program files\Atheros\ACU.exe" [2004-04-16 282624]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2004-04-27 118784]
"PadTouch"="c:\program files\TOSHIBA\PadTouch\PadExe.exe" [2004-02-12 1019904]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-07 149280]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2004-04-29 266240]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2004-02-20 88363]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan.lnk - c:\program files\McAfee Security Scan\1.0.150\SSScheduler.exe [2009-7-28 199184]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
Wireless Utility.lnk - c:\program files\EDIMAX\Common\RaUI.exe [2009-7-20 1601536]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\DRIVERS\rt2870.sys [2008-07-29 619136]
S0 atiide;atiide;c:\windows\System32\DRIVERS\atiide.sys [2004-04-14 5632]
S2 ANISERVICE;Airgo Networks NIC Service;c:\windows\System32\aniServ.exe [2004-09-30 143360]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]
S2 RalinkRegistryWriter;Ralink Registry Writer;c:\program files\EDIMAX\Common\RalinkRegistryWriter.exe [2008-05-12 69632]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - MBR
*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
Contents of the 'Scheduled Tasks' folder
2009-10-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2008-09-02 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\System32\OOBE\oobebaln.exe [2004-05-18 00:12]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Cleo\Application Data\Mozilla\Firefox\Profiles\ghh1kvrd.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.livejournal.com/
FF - component: c:\documents and settings\Cleo\Application Data\Mozilla\Firefox\Profiles\ghh1kvrd.default\extensions\twitternotifier@naan.net\components\nsTwitterFoxSign.dll
FF - plugin: c:\documents and settings\Cleo\Application Data\Mozilla\Firefox\Profiles\ghh1kvrd.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-TkBellExe - realsched.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-09 23:45
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\}
-
Hi, I'm sorry about my previous post, I should have read more clearly before posting.
I'm reposting the things still happening after I ran MBAM and Hijackthis.
"Antivir keeps popping up with TR/Dropper.Gen (trojan), found at c:\windows\system32\tldwsp.dll and it can't seem to delete it or quarantine it, just deny it access. My internet SOMETIMES seems to redirect itself but not often? There's some things in the running processes I'm not sure should be and at start up there're a couple of errors, one about outlook express even though I don't use it."
"my firewall (I use the windows one) is turned off and can't turn on again when I try." I can't turn on the entire windows security centre for that matter.
MBAM log:
Malwarebytes' Anti-Malware 1.41
Database version: 3115
Windows 5.1.2600 Service Pack 3
07/11/2009 15:24:55
mbam-log-2009-11-07 (15-24-55).txt
Scan type: Quick Scan
Objects scanned: 106993
Time elapsed: 20 minute(s), 58 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 3
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\sexvid (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\poprock (Trojan.Downloader) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\poprock (Trojan.Downloader) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe rundll32.exe pqrs.tmo printer) Good: (Explorer.exe) -> Quarantined and deleted successfully.
Folders Infected:
C:\resycled (Trojan.DNSChanger) -> Quarantined and deleted successfully.
Files Infected:
C:\resycled\boot.com (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:55:35, on 07/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ACS.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\System32\aniServ.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\EDIMAX\Common\RalinkRegistryWriter.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Atheros\ACU.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee Security Scan\1.0.150\SSScheduler.exe
C:\Program Files\EDIMAX\Common\RaUI.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Program Files\Avira\AntiVir Desktop\update.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ACU] "C:\Program Files\Atheros\ACU.exe" -nogui
O4 - HKLM\..\Run: [smoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [PadTouch] "C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "realsched.exe" -osboot
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-2419218687-2945963250-3034659895-1006\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe (User '?')
O4 - HKUS\S-1-5-21-2419218687-2945963250-3034659895-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - S-1-5-21-2419218687-2945963250-3034659895-1006 Startup: BBC iPlayer Desktop.lnk = C:\Program Files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe (User '?')
O4 - Startup: BBC iPlayer Desktop.lnk = C:\Program Files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe
O4 - Global Startup: McAfee Security Scan.lnk = ?
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - Global Startup: Wireless Utility.lnk = C:\Program Files\EDIMAX\Common\RaUI.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
O23 - Service: Airgo Networks NIC Service (ANISERVICE) - Airgo Networks, Inc. - C:\WINDOWS\System32\aniServ.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Ralink Registry Writer (RalinkRegistryWriter) - Ralink Technology, Corp. - C:\Program Files\EDIMAX\Common\RalinkRegistryWriter.exe
--
End of file - 7921 bytes
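The MBAM log in the post above is the kind of artefact a responder reads by hand: the summary counts at the top, the per-section detections, and the Bad:/Good: pair MBAM records when it restores a hijacked registry value such as the Winlogon Shell. As an added example (not code from the original post, nor Malwarebytes' own tooling), here is a small Python parser that pulls the detections out of an MBAM 1.x text log, cross-checks each section's declared count against the items actually listed, counts detections per family, and extracts the Bad/Good pair so the restored value can be compared with the expected default. The embedded log is a constructed, abridged copy of the one above; the line format is assumed only from that log.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log: list detections,
cross-check summary counts, and pull out restored registry data values.

Added example; the log format is inferred from the log posted in the thread.
"""
import re
from collections import Counter

# Constructed sample: an abridged copy of the MBAM log posted above.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.41
Database version: 3115
Windows 5.1.2600 Service Pack 3
07/11/2009 15:24:55
mbam-log-2009-11-07 (15-24-55).txt

Scan type: Quick Scan
Objects scanned: 106993
Time elapsed: 20 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\sexvid (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\poprock (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\poprock (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe rundll32.exe pqrs.tmo printer) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\resycled (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
C:\resycled\boot.com (Trojan.DNSChanger) -> Quarantined and deleted successfully.
"""

# "Registry Keys Infected: 9"  -> summary line with a declared count
SUMMARY_RE = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected): (?P<n>\d+)$")
# "Registry Keys Infected:"    -> section header introducing listed items
HEADER_RE = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected):$")
# "<path> (<family>) -> <action text>"
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")
# Bad:/Good: pair MBAM records for hijacked registry data
BAD_GOOD_RE = re.compile(r"Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\)")


def parse_mbam_log(text):
    """Return {'summary': {section: declared count}, 'detections': [dict, ...]}.

    Each detection carries the section it was listed under, the registry or
    file path, the MBAM family name and the action text.
    """
    summary, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group("cat")] = int(m.group("n"))
            continue
        m = HEADER_RE.match(line)
        if m:
            section = m.group("cat")
            continue
        m = ITEM_RE.match(line)
        if m and section:
            detections.append({"section": section, **m.groupdict()})
    return {"summary": summary, "detections": detections}


def check_counts(report):
    """Compare declared per-section counts with the items actually listed.

    Returns (section, declared, listed) for every mismatch; an empty list
    means the log is internally consistent (nothing truncated or edited).
    """
    listed = Counter(d["section"] for d in report["detections"])
    return [(cat, n, listed.get(cat, 0))
            for cat, n in report["summary"].items() if listed.get(cat, 0) != n]


def count_by_family(report):
    """Detections per MBAM family name, e.g. Trojan.DNSChanger."""
    return Counter(d["family"] for d in report["detections"])


def winlogon_hijacks(report):
    """Extract the Bad:/Good: pair for hijacked registry data items so the
    restored value (e.g. Winlogon Shell = Explorer.exe) can be verified."""
    found = []
    for d in report["detections"]:
        m = BAD_GOOD_RE.search(d["action"])
        if m:
            found.append({"path": d["path"], "bad": m.group("bad"),
                          "good": m.group("good")})
    return found


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    print("declared:", rep["summary"])
    print("by family:", dict(count_by_family(rep)))
    print("count mismatches:", check_counts(rep))
    for h in winlogon_hijacks(rep):
        print(f"{h['path']}: bad={h['bad']!r} restored to {h['good']!r}")
```

The count check matters when a log is pasted into a forum post: a truncated or hand-edited paste shows up as a section whose declared count exceeds the items listed, and the Bad/Good extraction gives the value to confirm in the registry after the reboot MBAM schedules.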
-
Ok, now I'm quite worried, I've just noticed my firewall (I use the windows one) is turned off and can't turn on again when I try.
-
Hi,
I'm sorry not to be able to post a lot of detail but I think I have a virus. Antivir keeps popping up with TR/Dropper.Gen (trojan), found at c:\windows\system32\tldwsp.dll and it can't seem to delete it or quarantine it, just deny it access. My internet SOMETIMES seems to redirect itself but not often? There's some things in the running processes I'm not sure should be and at start up there're a couple of errors, one about outlook express even though I don't use it. What should I do?
Thanks,
Cleo
Still having some problems
in Resolved Malware Removal Logs
Posted
Hi Chris,
Sorry for the delay in response. I typed in 'Combofix /u' as asked and I think it removed itself, it seemed to run again. I've still got the .exe on my desktop, I'm assuming I'm ok to delete that also.
I've deleted checkup and updated Java and Adobe, replacing those old versions you mentioned.
There are no more errors left, except this outlook one.
I've also taken a look at that link you sent me, re outlook. I'm not sure that's my problem because what's confusing me about the outlook error is the fact I don't use outlook on this computer at all? So I'm a little concerned to be receiving error messages from a program I've never used.
This is the exact error, it only pops up on start-up:
"to free up disk space, outlook express can compact messages. This may take up to a few minutes.
OK/Cancel"
Why would this happen if I do not use the program?
Thanks again,
Cleo