Jump to content

anomiegirl

Members
  • Posts

    1
  • Joined

  • Last visited

Everything posted by anomiegirl

  1. Hiya, My comp is infected with one of the Gumblar variants. I ran the full Malwarebytes scan and followed all of the instructions, removing a bunch of infected files and restarting. A second scan finds no bad files but Gumblar is still active in Firefox and IE. What should I try next? Below and attached are the requested files. Thanks a million for your help with this! Sara DDS (Ver_09-12-01.01) - NTFSx86 Run by SM at 16:29:31.04 on Sat 01/23/2010 Internet Explorer: 6.0.2900.2180 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.703.204 [GMT -5:00] AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C} ============== Running Processes =============== C:\WINDOWS\system32\svchost -k DcomLaunch C:\WINDOWS\system32\svchost -k rpcss C:\WINDOWS\System32\svchost.exe -k netsvcs C:\WINDOWS\system32\svchost.exe -k NetworkService C:\WINDOWS\system32\svchost.exe -k LocalService C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\CTHELPER.EXE C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\PROGRA~1\SYMANT~1\VPTray.exe C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\WINDOWS\sm56hlpr.exe C:\WINDOWS\system32\VTTimer.exe C:\WINDOWS\ALCXMNTR.EXE C:\Program Files\ScanSoft\OmniPage15.0\Opware15.exe C:\Program Files\Microsoft IntelliType Pro\type32.exe C:\Program Files\Microsoft IntelliPoint\point32.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\svchost.exe -k LocalService C:\Program Files\ScanSoft\OmniPage15.0\OpAgent.exe C:\Program Files\Skype\Phone\Skype.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE C:\Program Files\Symantec AntiVirus\DefWatch.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\CyberLink\Shared Files\RichVideo.exe C:\WINDOWS\system32\svchost.exe -k imgsvc C:\Program Files\Symantec AntiVirus\Rtvscan.exe C:\WINDOWS\system32\wdfmgr.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\System32\alg.exe C:\WINDOWS\System32\svchost.exe -k HTTPFilter C:\Program Files\Skype\Plugin Manager\skypePM.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe C:\PROGRA~1\SYMANT~1\DWHWIZRD.EXE C:\Program Files\Mozilla Firefox\firefox.exe C:\Documents and Settings\SM\Desktop\Defogger.exe C:\Documents and Settings\SM\Desktop\dds.scr C:\WINDOWS\system32\wbem\wmiprvse.exe ============== Pseudo HJT Report =============== uStart Page = hxxp://www.google.com/ uSearch Page = hxxp://www.google.com uSearch Bar = hxxp://www.google.com/ie uInternet Settings,ProxyOverride = *.local uSearchURL,(Default) = hxxp://www.google.com/keyword/%s mSearchAssistant = hxxp://www.google.com/ie BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\adobe acrobat 7.0\activex\AcroIEHelper.dll BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll BHO: 1 (0x1) - No File BHO: Cole2k Media Toolbar Helper: {c672f4ab-780b-45c0-baec-91f455c86f8d} - c:\program files\cole2k media toolbar\v3.2.0.0\Cole2k_Media_Toolbar.dll TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll TB: Cole2k Media Toolbar: {2d2de234-ab9f-4345-9d17-94fa78ba37e3} - c:\program files\cole2k media toolbar\v3.2.0.0\Cole2k_Media_Toolbar.dll TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe uRun: [OpAgent] "c:\program files\scansoft\omnipage15.0\OpAgent.exe" /agent uRun: [googletalk] "c:\program files\google\google talk\googletalk.exe" /autostart uRun: [skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized uRun: [Aim6] mRun: [WINDVDPatch] CTHELPER.EXE mRun: [updReg] c:\windows\UpdReg.EXE mRun: [Jet Detection] "c:\program files\creative\sblive\program\ADGJDet.exe" mRun: [Adobe Version Cue CS2] "c:\program files\adobe\adobe version cue cs2\controlpanel\VersionCueCS2Tray.exe" mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\adobe acrobat 7.0\distillr\Acrotray.exe" mRun: [sunJavaUpdateSched] c:\program files\java\jre1.5.0_06\bin\jusched.exe mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe" mRun: [vptray] c:\progra~1\symant~1\VPTray.exe mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe" mRun: [sMSERIAL] sm56hlpr.exe mRun: [VTTimer] VTTimer.exe mRun: [AlcxMonitor] ALCXMNTR.EXE mRun: [sSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot mRun: [Opware15] "c:\program files\scansoft\omnipage15.0\Opware15.exe" mRun: [OpScheduler] "c:\program files\scansoft\omnipage15.0\OpScheduler.exe" mRun: [PDF3 Registry Controller] "c:\program files\scansoft\omnipage15.0\pdfconverter3\\RegistryController.exe" mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe" mRun: [intelliPoint] "c:\program files\microsoft intellipoint\point32.exe" mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe" mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx IE: Convert link target to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert link target to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert selected links to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert selected links to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Convert selection to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert selection to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000 IE: Open in new background tab - c:\program files\windows live toolbar\components\en-us\msntabres.dll.mui/229?a5bd677ba2a342a7b3596b77d4ae9cbc IE: Open in new foreground tab - c:\program files\windows live toolbar\components\en-us\msntabres.dll.mui/230?a5bd677ba2a342a7b3596b77d4ae9cbc IE: Open with Scansoft PDF Converter 3.0 - c:\program files\scansoft\omnipage15.0\pdfconverter3\IEShellExt.dll /100 IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL Notify: NavLogon - c:\windows\system32\NavLogon.dll Hosts: 67.196.132.52 www.google.com Hosts: 67.196.132.52 www.google.de ================= FIREFOX =================== FF - ProfilePath - c:\docume~1\sm\applic~1\mozilla\firefox\profiles\8nc2shog.default\ FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll FF - plugin: c:\program files\adobe\adobe acrobat 7.0\acrobat\browser\nppdf32.dll FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\ ---- FIREFOX POLICIES ---- c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true); ============= SERVICES / DRIVERS =============== R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-2-4 324232] R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-2-4 53896] R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-6-2 185968] R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-6-2 161392] R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2005-6-23 1715904] R3 CTL511Plus;Video Blaster WebCam 3/WebCam Plus (WDM);c:\windows\system32\drivers\webc3vid.sys [2006-2-27 166504] R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-1-22 38224] R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100122.007\naveng.sys [2010-1-22 84912] R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100122.007\navex15.sys [2010-1-22 1323568] S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-6-2 83568] S3 DLKRTS;D-Link DFE-538TX 10/100 Adapter;c:\windows\system32\drivers\DLKRTS.SYS [2001-10-17 25434] S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2005-6-23 124608] S3 UsbCmxp;Scientific Atlanta WebSTAR 2000 series Cable Modem;c:\windows\system32\drivers\sacmxp2.sys [2007-9-9 14336] =============== Created Last 30 ================ 2010-01-23 21:28:36 0 ----a-w- c:\documents and settings\sm\defogger_reenable 2010-01-22 23:21:38 0 d-----w- c:\docume~1\sm\applic~1\Malwarebytes 2010-01-22 23:21:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-01-22 23:21:31 19160 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-01-22 23:21:31 0 d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-01-22 23:21:31 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes 2010-01-04 00:46:57 0 d-----w- c:\windows\system32\XPSViewer 2010-01-04 00:45:33 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll 2010-01-04 00:45:33 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe 2010-01-04 00:45:33 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll 2010-01-04 00:45:33 575488 ------w- c:\windows\system32\xpsshhdr.dll 2010-01-04 00:45:33 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll 2010-01-04 00:45:33 1676288 ------w- c:\windows\system32\xpssvcs.dll 2010-01-04 00:45:33 117760 ------w- c:\windows\system32\prntvpt.dll 2010-01-04 00:45:32 0 d-----w- C:\089b83764155d567d9 2010-01-04 00:40:47 0 d-----w- c:\program files\MSXML 6.0 ==================== Find3M ==================== 2009-12-22 05:42:49 662016 ----a-w- c:\windows\system32\wininet.dll 2009-12-22 05:42:45 81920 ----a-w- c:\windows\system32\ieencode.dll ============= FINISH: 16:30:10.88 =============== Malwarebytes' Anti-Malware 1.44 Database version: 3618 Windows 5.1.2600 Service Pack 2 Internet Explorer 6.0.2900.2180 1/23/2010 9:45:58 AM mbam-log-2010-01-23 (09-45-58).txt Scan type: Full Scan (C:\|) Objects scanned: 199607 Time elapsed: 1 hour(s), 12 minute(s), 47 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) Attach.zip
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.