
I am infected



Hello, I have recently become infected with a trojan. It redirects my webpages and doesn't allow me to look up sites pertaining to antivirus software. It also doesn't let me open my malwarebytes or hijackthis, nor am I able to system restore to an earlier date. I currently am not using any antivirus software. Here are the mbam logs and hijackthis logs (only after renaming the .exe files did they work of course):

Malwarebytes' Anti-Malware 1.37

Database version: 2232

Windows 5.1.2600 Service Pack 2

6/4/2009 9:31:54 PM

mbam-log-2009-06-04 (21-31-54).txt

Scan type: Full Scan (C:\|)

Objects scanned: 178056

Time elapsed: 22 minute(s), 50 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.

---------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:47:06 PM, on 6/4/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Digital Media Reader\shwiconem.exe

C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe

C:\WINDOWS\system32\hphmon03.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe

C:\WINDOWS\ehome\ehtray.exe

C:\DAEMON\daemon.exe

C:\WINDOWS\zHotkey.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Aim2\aim.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

C:\Program Files\OpenOffice.org 3\program\soffice.exe

C:\Program Files\OpenOffice.org 3\program\soffice.bin

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\Winamp\winamp.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Internet Explorer\Iexplore.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe

C:\Scanner\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://cdn.eyewonder.com/100125/750212/852...movies/zathura/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O1 - Hosts: ::1 localhost

O1 - Hosts: 94.232.248.66 antivirsystem.com

O1 - Hosts: 94.232.248.66 www.antivirsystem.com

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O4 - HKLM\..\Run: [sunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe

O4 - HKLM\..\Run: [showWnd] ShowWnd.exe

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [intelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY

O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [DAEMON Tools] "C:\DAEMON\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [CHotkey] zHotkey.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [lphcvnlj0endg] C:\WINDOWS\system32\lphcvnlj0endg.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [AIM] C:\Aim2\aim.exe -cnetwait.odl

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Startup: My_AutoWarkey_Script.lnk = C:\Warkeys\AutoWarkey\AutoHotkey\AutoHotkey.exe

O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe

O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Aim2\aim.exe

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab

O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://mc.nacs.uci.edu/mcweb/awswax.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {4E218431-2F07-40BD-A9D3-035324C1F13F} (DyynoX Class) - http://webserver.dyyno.com/DyynoClient/DyynoCAB.CAB

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} (AIM UPF Control) - http://pictures05.aim.com/ygp/aol/plugin/u...AIM.9.5.1.8.cab

O20 - AppInit_DLLs: gdbggu.dll

O20 - Winlogon Notify: !SASWinLogon - C:\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe

O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--

End of file - 7022 bytes

-----------------------------------

Any help would be GREATLY appreciated. Thanks.


Hi and Welcome to the Malwarebytes' forum.

Please download ATF Cleaner by Atribune

  • Close Internet Explorer and any other open browsers
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

If you use Firefox browser

  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Launch HijackThis (HJT) by double-clicking the desktop shortcut and choose the Scan Only option. Close all programs except HJT and all browser windows, then check the following items for removal and click on "Fix Checked":

O1 - Hosts: 94.232.248.66 antivirsystem.com

O1 - Hosts: 94.232.248.66 www.antivirsystem.com

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)

O4 - HKLM\..\Run: [lphcvnlj0endg] C:\WINDOWS\system32\lphcvnlj0endg.exe

O20 - AppInit_DLLs: gdbggu.dll

Close HJT & Reboot

Next, download this Antirootkit Program to a folder that you create such as C:\ARK, by choosing the "Download EXE" button on the webpage.

Next, please perform a rootkit scan:

  • Double-click the randomly named EXE located in the C:\ARK folder that you just downloaded to run the program.
  • When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
  • When the scan is finished (a few seconds), click the Rootkit/Malware tab, and then select the Scan button.
  • Leave your system completely idle while this longer scan is in progress.
  • When the scan is done, save the scan log to the Windows clipboard
  • Open Notepad or a similar text editor
  • Paste the clipboard contents into a text file by clicking Edit | Paste or Ctrl V
  • Exit the Program
  • Save the Scan log as ARK.txt and post it in your next reply. If the log is very long attach it please.

Please download Combofix from one of these locations:

HERE or HERE

I want you to rename Combofix.exe as you download it to a name of your choice such as dork.exe

Notes:

  • It is very important that you save the newly renamed EXE file to your desktop.
  • You must rename Combofix.exe as you download it and not after it is on your computer.
    You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
  • For Firefox:
    • Open Firefox and click Tools -> Options -> Main
    • Under the downloads section check the button that says "Always ask me where to save files".
    • Click OK
  • For Internet Explorer:
    • When downloading, choose to save, not open the file
    • When prompted - save the file to your desktop, and rename it anything with an .exe extension on the end.

Here is a tutorial that describes how to download, install and run Combofix more thoroughly. Please review it and follow the prompts to install Recovery Console if you have not done that already:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Very Important! Temporarily disable your antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:

http://www.bleepingcomputer.com/forums/topic114351.html

Also, disable your firewall!

You can enable the Windows firewall in the interim, until the scan is complete.

Note: The above tutorial does not tell you to rename Combofix as I have instructed you to do in the above instructions, so make sure you complete the renaming step before launching Combofix.

Running Combofix

In the event you already have Combofix, please delete it as this is a new version.

  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

1. Double click on the renamed combofix.exe & follow the prompts.

2. When finished, it will produce a logfile located at C:\ComboFix.txt

3. Post the contents of that log in your next reply with a new hijackthis log.

Note: Do not mouse-click combofix's window while it is running. That may cause your system to stall/hang.

Please post back ARK.txt and C:\Combofix.txt

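The lines picked out above for "Fix Checked" share a few traits a defender can check mechanically: hosts-file entries that point a security-vendor domain at a non-loopback address, a BHO whose DLL is missing, a Run entry with a machine-generated name, and a populated AppInit_DLLs value. The following Python script is an added example, not part of the thread or of HijackThis, that applies those checks to HJT log lines; the sample lines are constructed from this thread's log, and the random-name heuristic in looks_random is my own assumption.

```python
import re
from dataclasses import dataclass

# Constructed sample: the five lines the helper marked for "Fix Checked" in this
# thread, plus four benign lines of the same types so the filter has to discriminate.
SAMPLE_LOG = r"""
O1 - Hosts: ::1 localhost
O1 - Hosts: 94.232.248.66 antivirsystem.com
O1 - Hosts: 94.232.248.66 www.antivirsystem.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [lphcvnlj0endg] C:\WINDOWS\system32\lphcvnlj0endg.exe
O20 - AppInit_DLLs: gdbggu.dll
O20 - Winlogon Notify: !SASWinLogon - C:\SUPERAntiSpyware\SASWINLO.dll
"""

LINE_RE = re.compile(r"^(?P<section>[OR]\d+)\s+-\s+(?P<body>.*)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run:\s+\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")
APPINIT_RE = re.compile(r"^AppInit_DLLs:\s*(?P<dlls>.*)$")


@dataclass
class Finding:
    line: str    # the original HJT line
    reason: str  # why a defender would want to review it


def is_loopback(ip):
    """Hosts entries for loopback (127.x / ::1) are normal; anything else is a redirect."""
    return ip == "::1" or ip.startswith("127.")


def looks_random(name):
    """Assumed heuristic (not from the thread): machine-generated Run names like the
    one in this log are long, all lowercase alphanumerics, and almost vowel-free."""
    if len(name) < 10 or not re.fullmatch(r"[a-z0-9]+", name):
        return False
    vowels = sum(c in "aeiou" for c in name)
    return vowels / len(name) < 0.25


def triage(log_text):
    """Return the HJT lines that match the criteria the helper used, with reasons."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        if section == "O1":
            # A hosts entry that maps a security-vendor domain to a remote IP is how
            # the OP's "can't look up antivirus sites" symptom was produced.
            h = HOSTS_RE.match(body)
            if h and not is_loopback(h.group("ip")):
                findings.append(Finding(line, f"hosts file redirects {h.group('host')} to {h.group('ip')}"))
        elif section == "O2" and "(file missing)" in body:
            # Orphaned BHO registration: nothing to load, but nothing legitimate either.
            findings.append(Finding(line, "BHO registered but its DLL is missing"))
        elif section == "O4":
            r = RUN_RE.match(body)
            if r and looks_random(r.group("name")):
                findings.append(Finding(line, f"Run entry '{r.group('name')}' has a machine-generated name"))
        elif section == "O20":
            # AppInit_DLLs is loaded into every process that links user32.dll; a
            # populated value on a home PC is worth a look regardless of the DLL name.
            a = APPINIT_RE.match(body)
            if a and a.group("dlls").strip():
                findings.append(Finding(line, f"AppInit_DLLs loads {a.group('dlls').strip()} into every user32 process"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Run against a full HJT log the script lists only the review candidates; the benign localhost, Adobe, ehTray and Winlogon Notify lines in the sample pass through untouched.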

Okay, here are the Combofix and Rootkit scan logs. Combofix is posted, but the rootkit log is attached.

ComboFix 09-06-05.05 - Owner 06/05/2009 17:58.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1012.731 [GMT -7:00]

Running from: c:\documents and settings\Owner\Desktop\dork.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\desktop.ini

C:\msn.exe

c:\windows\system32\drivers\UACoedeeekydryfwul.sys

c:\windows\system32\UACbxknedhrqokhdby.dat

c:\windows\system32\UACdqcjarqsevmqkxy.log

c:\windows\system32\UACejlcrqqmhtvguft.dll

c:\windows\system32\uacinit.dll

c:\windows\system32\UACjorpvtqtmxjynbv.dll

c:\windows\system32\UAClsixxtyyfnxsack.db

c:\windows\system32\UACpmmasmrndttasvo.log

c:\windows\system32\UACqanogtbitmmpxol.dll

c:\windows\system32\UACrcvppkfidkqpmxq.dll

c:\windows\system32\UACrdrxgrsggqnfwir.log

c:\windows\system32\UACvdfrsorsupuuhda.dll

c:\windows\system32\UACywecragefytxadj.dll

c:\windows\system32\wglxpama.ini

c:\windows\Tasks\funfzvvg.job

D:\Autorun.inf

D:\Desktop.ini

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_UACd.sys

-------\Legacy_NPF

((((((((((((((((((((((((( Files Created from 2009-05-06 to 2009-06-06 )))))))))))))))))))))))))))))))

.

2009-06-05 23:09 . 2009-06-05 23:09 -------- d-----w- C:\Ark

2009-06-05 22:21 . 2009-06-05 22:21 -------- d-----w- C:\AVG

2009-06-05 05:06 . 2009-06-05 05:06 -------- d-----w- C:\AVG Internet Security 8.5

2009-06-05 04:46 . 2009-06-05 23:05 -------- d-----w- C:\Scanner

2009-06-05 03:29 . 2009-06-05 04:37 -------- d-----w- C:\malware

2009-06-04 17:46 . 2009-05-26 20:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-06-04 17:46 . 2009-06-04 17:52 -------- d-----w- C:\stuff

2009-06-04 17:46 . 2009-05-26 20:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-06-04 06:09 . 2009-06-04 06:09 -------- d-----w- C:\Azureus

2009-06-04 06:07 . 2009-06-04 06:07 -------- d-----w- c:\program files\Vuze

2009-06-04 02:48 . 2006-04-20 15:34 29752 ------w- c:\windows\system32\InstHelper.dll

2009-06-04 02:48 . 2005-06-30 02:50 94720 ----a-w- c:\windows\system32\dneinobj.dll

2009-06-04 02:48 . 2005-06-30 02:50 110080 ----a-w- c:\windows\system32\drivers\dne2000.sys

2009-06-04 02:48 . 2005-05-17 11:51 5315 ----a-w- c:\windows\system32\drivers\CVirtA.sys

2009-06-04 02:48 . 2006-04-20 15:34 193584 ----a-w- c:\windows\system32\CSGina.dll

2009-06-03 21:20 . 2009-06-03 21:20 -------- d-----w- C:\DVDVideoSoft2

2009-05-30 00:59 . 2009-05-30 01:44 -------- d-----w- C:\castlevania

2009-05-17 06:44 . 2009-03-19 17:42 217088 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\eyoermj5.default\extensions\NPDyyno@dyyno.com\Plugins\npDyyno.dll

2009-05-12 20:22 . 2009-05-30 18:44 -------- d-----w- C:\Full Tilt Poker

2009-05-10 07:11 . 2009-05-10 07:16 -------- d-----w- C:\Music 3

2009-05-10 07:01 . 2009-05-10 07:09 -------- d-----w- C:\Music 4

2009-05-10 06:47 . 2009-05-10 06:56 -------- d-----w- C:\Music 2

2009-05-10 06:34 . 2009-05-10 06:44 -------- d-----w- C:\Music 1

2009-05-10 02:08 . 2009-05-10 02:08 -------- d-----w- c:\documents and settings\Owner\Application Data\Aim

2009-05-09 05:24 . 2009-05-09 05:24 -------- d-----w- c:\windows\system32\wbem\Repository

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-06-05 22:24 . 2008-07-06 07:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Avg8

2009-06-05 05:06 . 2007-07-21 19:43 -------- d-----w- c:\documents and settings\Owner\Application Data\Azureus

2009-06-04 18:25 . 2009-04-22 11:48 1 ----a-w- c:\documents and settings\Owner\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys

2009-06-04 06:08 . 2005-05-24 22:43 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-06-03 21:20 . 2008-07-17 07:00 -------- d-----w- c:\program files\Common Files\DVDVideoSoft

2009-05-10 17:17 . 2005-09-23 08:06 -------- d-----w- c:\program files\Winamp

2009-05-10 04:46 . 2007-11-15 02:44 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-05-10 01:47 . 2007-06-13 23:30 -------- d-----w- c:\program files\Sony

2009-05-10 01:46 . 2005-10-04 22:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype

2009-05-10 01:44 . 2007-06-18 04:41 -------- d-----w- c:\program files\Real

2009-05-10 01:44 . 2005-05-24 22:46 -------- d-----w- c:\program files\Common Files\Real

2009-05-10 01:40 . 2009-01-19 05:17 -------- d-----w- c:\program files\Dyyno

2009-05-10 01:38 . 2005-09-23 08:09 -------- d-----w- c:\program files\DivX

2009-04-22 11:49 . 2005-09-23 23:37 72504 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-04-22 11:47 . 2009-04-22 11:47 -------- d-----w- c:\documents and settings\Owner\Application Data\OpenOffice.org

2009-04-22 11:45 . 2009-04-22 11:45 -------- d-----w- c:\program files\JRE

2009-04-22 11:45 . 2009-04-22 11:45 -------- d-----w- c:\program files\OpenOffice.org 3

2009-04-22 11:43 . 2006-06-30 17:49 -------- d-----w- c:\documents and settings\Owner\Application Data\OpenOffice.org2

2009-04-22 11:42 . 2005-04-13 17:41 -------- d-----w- c:\program files\Java

2009-03-31 23:34 . 2009-03-31 23:34 0 ----a-w- C:\LOG2C.tmp

2009-03-31 07:06 . 2009-03-31 07:06 0 ----a-w- C:\LOG1B2.tmp

2009-03-31 06:00 . 2009-03-31 06:00 0 ----a-w- C:\LOG1AD.tmp

2009-03-14 06:36 . 2009-03-14 06:36 498 ----a-w- c:\windows\eReg.dat

2005-09-16 01:26 . 2005-09-25 05:22 44153 ----a-w- c:\program files\mozilla firefox\components\inspector.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AIM"="c:\aim2\aim.exe" [2006-08-01 67112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-11-15 135168]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2005-05-10 7086080]

"HPHmon03"="c:\windows\system32\hphmon03.exe" [2003-01-31 311296]

"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2003-01-31 196608]

"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]

"DAEMON Tools"="c:\daemon\daemon.exe" [2005-12-10 133016]

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-15 135168]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-15 159744]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-15 131072]

"ShowWnd"="ShowWnd.exe" - c:\windows\ShowWnd.exe [2003-09-19 36864]

"CHotkey"="zHotkey.exe" - c:\windows\zHotkey.exe [2004-05-18 543232]

c:\documents and settings\Owner\Start Menu\Programs\Startup\

Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\superantispyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 19:05 356352 ----a-w- c:\superantispyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Aim2\\aim.exe"=

"c:\\Curse\\CurseClient.exe"=

"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Dyyno Receiver\\DPPM.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"1947:TCP"= 1947:TCP:HASP SRM

"1947:UDP"= 1947:UDP:HASP SRM

"6112:TCP"= 6112:TCP:Battlenet

"6112:UDP"= 6112:UDP:Battlenet

R1 SASDIFSV;SASDIFSV;c:\superantispyware\sasdifsv.sys [1/15/2009 5:17 PM 8944]

R1 SASKUTIL;SASKUTIL;c:\superantispyware\SASKUTIL.SYS [1/15/2009 5:17 PM 55024]

S3 DMSKSSRh;DMSKSSRh;\??\c:\docume~1\Owner\LOCALS~1\Temp\DMSKSSRh.sys --> c:\docume~1\Owner\LOCALS~1\Temp\DMSKSSRh.sys [?]

S3 SASENUM;SASENUM;c:\superantispyware\SASENUM.SYS [1/15/2009 5:17 PM 7408]

.

Contents of the 'Scheduled Tasks' folder

2009-05-14 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 22:57]

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe

SafeBoot-procexp90.Sys

.

------- Supplementary Scan -------

.

uStart Page = about:blank

mStart Page = hxxp://www.gatewaybiz.com

uInternet Connection Wizard,ShellNext = hxxp://cdn.eyewonder.com/100125/750212/852804/popup.html?null=&clickTag1=http%3A//twx.doubleclick.net/click%253Bh%3Dv5%7C32fe%7C3%7C0%7C%252a%7Cp%253B20546504%253B0-0%253B1%253B11588134%253B2-120%7C90%253B12299198%7C12317094%7C1%253B%253B%257Esscs%253D%253fhttp%253a%252f%252fwww.sonypictures.com/movies/zathura/

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

DPF: {4E218431-2F07-40BD-A9D3-035324C1F13F} - hxxp://webserver.dyyno.com/DyynoClient/DyynoCAB.CAB

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\eyoermj5.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - www.google.com

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=

FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\eyoermj5.default\extensions\NPDyyno@dyyno.com\plugins\npDyyno.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npmasque.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-06-05 18:04

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(824)

c:\superantispyware\SASWINLO.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\igfxsrvc.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\windows\ehome\ehRecvr.exe

c:\windows\ehome\ehSched.exe

c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

c:\program files\OpenOffice.org 3\program\soffice.exe

c:\program files\OpenOffice.org 3\program\soffice.bin

c:\windows\ehome\ehmsas.exe

c:\windows\system32\dllhost.exe

.

**************************************************************************

.

Completion time: 2009-06-06 18:07 - machine was rebooted

ComboFix-quarantined-files.txt 2009-06-06 01:07

Pre-Run: 56,129,511,424 bytes free

Post-Run: 67,741,982,720 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

205 --- E O F --- 2009-05-24 07:05

ARK1.txt


It looks like Combofix got everything. How's your PC running now?

Your ARK log was very long as a result of the combination of the UAC rootkit and Daemon Tools which behaves like a rootkit.

Let's reset any policies disrupted by the infection.

Download FixPolicies, a self-extracting ZIP file, and save it to your desktop:

http://downloads.malwareremoval.com/BillCa...FixPolicies.exe

  • Double-click FixPolicies.exe
  • Click the "Install" button on the bottom toolbar of the box that opens.
  • The program will create a new Folder called FixPolicies.
  • Double-click to open the new Folder, and then double-click the file Fix_Policies.cmd located within this folder.
  • A black box (command Window) will briefly appear and then close.

Please perform a scan with the ESET online virus scanner:

http://www.eset.com/onlinescan/index.php

  • ESET recommends disabling your resident antivirus's auto-protection feature before beginning the scan to avoid conflicts and system hangs. Please disable your antivirus's Guard and any antispyware or HIPS programs you are running.
  • Use Internet Explorer to navigate to the scanner website because you must approve installation of an ActiveX add-on to complete the scan.
  • Check the "Yes, I accept the terms of use" box.
  • Click "Start"
  • Check the following two boxes:
    • enable "Remove found threats"
    • Scan unwanted applications
  • Click the Scan button to begin scanning.
  • When the scan is done the log is automatically saved. To retrieve it:
    • Close the ESET scan Window.
    • Now open a run line by clicking Start >> Run...
    • Copy/paste "C:\Program Files\EsetOnlineScanner\log.txt" into the Open box:
    • The Scan results will now display in Notepad
  • Please copy and paste the ESET scan report that can be found in this location C:\Program Files\EsetOnlineScanner\log.txt into your next reply

Note to Vista users and anyone with restrictive IE security settings: Depending on your security settings, you may have to allow cookies and put the ESET website, www.eset.com, into the trusted zone of Internet Explorer if the scan has problems starting (in Vista this is a necessity as IE runs in Protected mode).

To do that, on the Internet Explorer menu click Tools => Internet Options => Security => Trusted Sites => Sites. Then uncheck "Require server verification for all sites in this zone" checkbox at the bottom of the dialog. Add the above www.eset.com url to the list of trusted sites, by inserting it in the blank box and clicking the Add button, then click Close. For cookies, choose the IE7 Privacy tab and add the above eset.com url to the exceptions list for cookie blocking.

Next, run an updated MBAM scan.

Please post back the ESET scan report, the MBAM log, and a new HJT log.


My computer seems to be running better now but what do I know? After using eset+mbam, they appear to have picked up either new or existing trojans so I'm not sure. Okay, here are my eset, mbam, and hijackthis logs.

ESETSmartInstaller@High as downloader log:

all ok

# version=6

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.5863

# api_version=3.0.2

# EOSSerial=411b4a271a931d4d9e88e01f66244d70

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2009-06-06 03:31:52

# local_time=2009-06-05 08:31:52 (-0800, Pacific Daylight Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 2

# scanned=80740

# found=13

# cleaned=13

# scan_time=3220

C:\fantasy.exe multiple threats (deleted - quarantined) 00000000000000000000000000000000

C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\27\62318b5b-14777128 multiple threats (deleted - quarantined) 00000000000000000000000000000000

C:\Program Files\My Love\v1r10 IRC/Flooder.gen trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000

C:\Program Files\My Love\v1r3 probably a variant of IRC/Goodbot trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000

C:\Program Files\My Love\v1r6 IRC/Flooder.gen trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000

C:\Program Files\My Love\v1r8 Win32/Randon worm (cleaned by deleting - quarantined) 00000000000000000000000000000000

C:\Program Files\My Love\v1rg1n IRC/Cloner.BA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000

C:\Program Files\My Love\x IRC/Sliv.A trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000

C:\Qoobox\Quarantine\C\WINDOWS\system32\UACejlcrqqmhtvguft.dll.vir Win32/Olmarik.HZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000

C:\Qoobox\Quarantine\C\WINDOWS\system32\UACvdfrsorsupuuhda.dll.vir a variant of Win32/Kryptik.PS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000

C:\Qoobox\Quarantine\C\WINDOWS\system32\UACywecragefytxadj.dll.vir Win32/Olmarik.IA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000

C:\Qoobox\Quarantine\C\WINDOWS\system32\wglxpama.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\UACoedeeekydryfwul.sys.vir a variant of Win32/Olmarik.ID trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000

====================================================

Malwarebytes' Anti-Malware 1.37

Database version: 2235

Windows 5.1.2600 Service Pack 2

6/5/2009 9:06:08 PM

mbam-log-2009-06-05 (21-06-04).txt

Scan type: Full Scan (C:\|)

Objects scanned: 166184

Time elapsed: 26 minute(s), 24 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 10

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\Qoobox\quarantine\C\WINDOWS\system32\UACjorpvtqtmxjynbv.dll.vir (Trojan.TDSS) -> No action taken.

c:\Qoobox\quarantine\C\WINDOWS\system32\UACqanogtbitmmpxol.dll.vir (Trojan.TDSS) -> No action taken.

c:\Qoobox\quarantine\C\WINDOWS\system32\UACrcvppkfidkqpmxq.dll.vir (Trojan.TDSS) -> No action taken.

c:\system volume information\_restore{4653e8f8-6519-4964-b7bd-828d96fbcc0e}\RP251\A0025309.sys (Trojan.TDSS) -> No action taken.

c:\system volume information\_restore{4653e8f8-6519-4964-b7bd-828d96fbcc0e}\RP251\A0025310.dll (Trojan.TDSS) -> No action taken.

c:\system volume information\_restore{4653e8f8-6519-4964-b7bd-828d96fbcc0e}\RP251\A0025311.dll (Trojan.TDSS) -> No action taken.

c:\system volume information\_restore{4653e8f8-6519-4964-b7bd-828d96fbcc0e}\RP251\A0025312.dll (Trojan.TDSS) -> No action taken.

c:\system volume information\_restore{4653e8f8-6519-4964-b7bd-828d96fbcc0e}\RP251\A0025313.dll (Trojan.TDSS) -> No action taken.

c:\system volume information\_restore{4653e8f8-6519-4964-b7bd-828d96fbcc0e}\RP251\A0025314.dll (Trojan.TDSS) -> No action taken.

c:\system volume information\_restore{4653e8f8-6519-4964-b7bd-828d96fbcc0e}\RP251\A0025315.dll (Trojan.TDSS) -> No action taken.

===============================================================

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:08:16 PM, on 6/5/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Digital Media Reader\shwiconem.exe

C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe

C:\WINDOWS\system32\hphmon03.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe

C:\WINDOWS\ehome\ehtray.exe

C:\DAEMON\daemon.exe

C:\WINDOWS\zHotkey.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Aim2\aim.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

C:\Program Files\OpenOffice.org 3\program\soffice.exe

C:\Program Files\OpenOffice.org 3\program\soffice.bin

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Scanner\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://cdn.eyewonder.com/100125/750212/852...movies/zathura/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O4 - HKLM\..\Run: [sunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe

O4 - HKLM\..\Run: [showWnd] ShowWnd.exe

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [intelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY

O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [DAEMON Tools] "C:\DAEMON\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [CHotkey] zHotkey.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKCU\..\Run: [AIM] C:\Aim2\aim.exe -cnetwait.odl

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Startup: My_AutoWarkey_Script.lnk = C:\Warkeys\AutoWarkey\AutoHotkey\AutoHotkey.exe

O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe

O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Aim2\aim.exe

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: www.eset.com

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab

O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://mc.nacs.uci.edu/mcweb/awswax.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {4E218431-2F07-40BD-A9D3-035324C1F13F} (DyynoX Class) - http://webserver.dyyno.com/DyynoClient/DyynoCAB.CAB

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} (AIM UPF Control) - http://pictures05.aim.com/ygp/aol/plugin/u...AIM.9.5.1.8.cab

O20 - Winlogon Notify: !SASWinLogon - C:\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe

O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--

End of file - 6691 bytes


Those items flagged by MBAM are not new (it was blocked by the rootkit before), and there are really only two new detections by ESET. I expected some detections in Qoobox, which is the Combofix quarantine folder, and in system volume information (system restore data); they are NOT active malware, so don't worry.

Empty Java Cache from within Java Program -

Open Control Panel and click the Java symbol. Under the Temporary Internet Files section, click settings, and delete Temporary Internet Files and Program applets. You'll receive a warning that only expert users should do this, but proceed anyway.

Or follow these directions:

http://support.f-secure.com/enu/home/virus...javacache.shtml

Unless this folder is essential, I would remove the entire contents and the folder itself, because of infected detections within it:

C:\Program Files\My Love\

You should update your version of the Sun Java Platform (JRE) to the newest version which is Java Runtime Environment (JRE) 6 Update 14:

1. Download the latest JRE version from the Sun Microsystems website: http://java.sun.com/javase/downloads/index.jsp

2. Select the option that says: Java SE Runtime Environment (JRE) 6 Update 14 - "This release includes several key security updates, the highly anticipated 64-bit Java Plug-In (for 64-bit browsers only), Windows Server 2008 support, and performance improvements of Java and JavaFX applications", and click Download button.

3. Select your platform: Windows, in the pull down menu.

4. Check the box that says: "I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement."

5. Click Continue.

6. Under the Windows Platform - Java SE Runtime Environment 6 Update 14 section, click on the link to download the Windows Offline Installation and save the installer to your desktop.

7. Close any programs you may have running - especially your web browser.

8. Next, remove all older versions of the Sun Java Platform using the Control Panel's Add/Remove Program feature (as they may contain security vulnerabilities).

9. Reboot your system

10. Then from your desktop double-click on jre-6u14-windows-i586-p.exe to install the newest version of the Sun Java Platform

11. The Yahoo Toolbar is prechecked for installation with this version of Java. Make sure to UNCHECK it, if you do not care to have it, or already have it installed - it is not part of the JRE install and totally unnecessary.

12. You may verify that the current version installed properly by clicking here: http://java.com/en/download/installed.jsp

_________________________________________________________

Let's remove Combofix and all its associated files including those in quarantine:

Click start -> run, then copy and paste the following line into the Open box and click OK.

"%userprofile%\desktop\dork.exe" /u

This will do the following:

  • Uninstall Combofix and all its associated files and folders.
  • It will flush your system restore points and create a new restore point.
  • It will rehide your system files and folders
  • Reset your system clock

If I asked you to download and run an ARK (Antirootkit program), then delete the contents of the C:\ARK folder and then delete the folder itself.

Here are some additional measures you should take to keep your system in good working order and ensure your continued security.

1. Scan your system for outdated versions of commonly used software applications that may also cause your PC to be vulnerable, using the Secunia Online Software Inspector (OSI).

Just click the "Start Scanner" button to get a listing of all outdated and possibly insecure resident programs.

Note: If your firewall prompts you about access, allow it.

2. Keep MBAM as an on demand scanner because I highly recommend it, and the quick scan will find most all active malware in minutes.

3. You can reduce your startups by downloading Malwarebyte's StartUp Lite and saving it to a convenient location. Just double-click StartUpLite.exe. Then, check the options you would like based on the descriptions provided, then select continue. This will free up system resources because nonessential background programs will no longer be running when you start up your computer.

Finally, please follow the suggestions offered by Tony Klein in "How did I get infected in the first place?", so you can maintain a safe and secure computing environment.

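The point made in the reply above, that hits inside the Combofix quarantine (Qoobox) and System Restore data are inert copies while hits on live system paths still need attention, can be automated over an MBAM log. This is an added example, not code from the thread or from Malwarebytes; it assumes the MBAM 1.x detection line format quoted in this thread, and the sample log is constructed from lines quoted here.

```python
import re

# Detection line format in the MBAM 1.37 logs quoted in this thread:
#   <path> (<threat name>) -> <action>
DETECTION_RE = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+)$")

# Folders that only hold copies of files already removed by other tools: the
# Combofix quarantine (Qoobox) and System Restore data. A hit there is inert.
INERT_FOLDERS = (r"\qoobox\quarantine", r"\system volume information\_restore")


def parse_files_infected(log_text):
    """Return the detections (dicts with path/threat/action) listed under 'Files Infected:'."""
    records, in_section = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):  # section header, e.g. "Files Infected:"
            in_section = line.lower() == "files infected:"
            continue
        if in_section and line != "(No malicious items detected)":
            m = DETECTION_RE.match(line)
            if m:
                records.append(m.groupdict())
    return records


def triage(records):
    """Split detections into (inert, live); only 'live' ones need follow-up."""
    inert, live = [], []
    for rec in records:
        path = rec["path"].lower()
        (inert if any(f in path for f in INERT_FOLDERS) else live).append(rec)
    return inert, live


# Constructed sample assembled from detection lines quoted in this thread.
SAMPLE_LOG = r"""
Files Infected: 3

Registry Keys Infected:
(No malicious items detected)

Files Infected:
c:\Qoobox\quarantine\C\WINDOWS\system32\UACjorpvtqtmxjynbv.dll.vir (Trojan.TDSS) -> No action taken.
c:\system volume information\_restore{4653e8f8-6519-4964-b7bd-828d96fbcc0e}\RP251\A0025309.sys (Trojan.TDSS) -> No action taken.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
"""
```

Running `triage(parse_files_infected(SAMPLE_LOG))` yields two inert records and one live record (the `uacinit.dll` hit), which is the item that actually warrants a reboot and a rescan.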

Hm, I have no idea what that mylove folder was, and after opening it, it only had a couple of 1kb files that were .dat files or something like that; I can't remember since I deleted it quickly. I've proceeded to update all my software and Java and will continue to regularly scan my computer using updated Malwarebytes. Thank you very much for the help, I cannot begin to express my appreciation for this wonderful service you provide.


  • Root Admin

Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.
