
need pro help with removal



Curiously, if anyone responding is affiliated with mbam: I know that this malware has been around for quite some time and whatever version is on my machine is not detected by mbam; do you know if they're trying to incorporate removal for this? I have seen recently a huge influx of new infections reported by many people, but I've known this to be around for quite some time. Just wondering... anyway, I'll post my logs, though I don't think they'll be much help; I somewhat know what I am looking at. Additionally, I was wondering if this 'browser redirect/overclick.cn' malware, whatever it is, has a name? And lastly, gmer picked up quite a bit of malicious-looking files/keys/etc. which I am assuming is the problem, but as far as I know it could be a completely different problem. Anyway, if you'd like my gmer log I can post it, but obviously your instructions are ultimately what will help clean my pc up! :D

Malwarebytes' Anti-Malware 1.38

Database version: 2366

Windows 5.1.2600 Service Pack 3

7/3/2009 2:35:21 AM

mbam-log-2009-07-03 (02-35-21).txt

Scan type: Quick Scan

Objects scanned: 85514

Time elapsed: 51 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:42:24 AM, on 7/3/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\JWPEN.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O1 - Hosts: ::1 localhost

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab

O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.1.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1218583869453

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1218330580531

O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.2.1.cab

O23 - Service: ASP.NET State Service aspnet_stateEventSystem (aspnet_stateEventSystem) - Unknown owner - .exe (file missing)

O23 - Service: HWSuperPowerTablet - HanWang - C:\WINDOWS\system32\JWPEN.exe

O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--

End of file - 3367 bytes
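As an added example (not something posted in the thread), here is a small Python triage script for HijackThis O4/O23 lines of the kind shown above: it flags services whose binary is missing or has no publisher, and autorun entries that point at a bare filename instead of an absolute path, which is what a helper reads first in such a log. The sample lines are copied from the HijackThis log above; the flag names and the `Finding` structure are my own.

```python
"""Triage HijackThis O4 (autorun) and O23 (service) lines for the entries a
reviewer should look at first.  Added example, not a tool from the thread."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: a subset of the O4/O23 lines from the log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O23 - Service: ASP.NET State Service aspnet_stateEventSystem (aspnet_stateEventSystem) - Unknown owner - .exe (file missing)
O23 - Service: HWSuperPowerTablet - HanWang - C:\WINDOWS\system32\JWPEN.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<rest>.+)$")
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class Finding:
    kind: str                      # "O4" or "O23"
    name: str                      # autorun value name or service display name
    image: str                     # executable the entry points at (as logged)
    owner: str = ""                # publisher reported by HijackThis (O23 only)
    flags: List[str] = field(default_factory=list)


def _first_token(cmd: str) -> str:
    """Return the executable part of a Run command, honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def parse_line(line: str) -> Optional[Finding]:
    """Turn one O4/O23 line into a Finding; other line types yield None."""
    line = line.strip()
    m = O4_RE.match(line)
    if m:
        return Finding("O4", m.group("name"), _first_token(m.group("cmd")))
    m = O23_RE.match(line)
    if m:
        # Layout is "<display name> - <owner> - <image>[ (file missing)]".
        # The display name may itself contain " - ", so split from the right.
        parts = m.group("rest").rsplit(" - ", 2)
        if len(parts) == 3:
            name, owner, image = parts
            return Finding("O23", name, image, owner)
    return None


def triage(f: Finding) -> Finding:
    """Attach review flags; an empty list means nothing stood out."""
    missing = f.image.endswith("(file missing)")
    image = f.image.replace("(file missing)", "").strip()
    if missing:
        f.flags.append("file_missing")       # orphaned entry or deleted binary
    if f.kind == "O23" and f.owner.lower() == "unknown owner":
        f.flags.append("unknown_owner")      # no publisher information at all
    if not ABS_PATH_RE.match(image):
        f.flags.append("no_absolute_path")   # resolved via the search path; confirm where it lives
    return f


def triage_log(text: str) -> List[Finding]:
    """Parse a whole HijackThis log and return only the flagged entries."""
    found = []
    for line in text.splitlines():
        f = parse_line(line)
        if f is not None and triage(f).flags:
            found.append(f)
    return found


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.kind:>3} {', '.join(f.flags):<45} {f.name}")
```

On the sample above the two "(file missing)" services with an unknown owner are flagged; the HanWang and NVIDIA services are not.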


  • Staff

Hi,

I understand that you need help in order to get rid of the malware that is present on your system, but you need to help us first.

I notice that you never scanned with an Antivirus previously before starting this thread - because you don't even have an Antivirus installed!

This is somewhat suicidal in today's digital world.

That's why I want you to install one first!!

* Please install Avira Antivirus: http://www.free-av.com/

This is a free Antivirus.

Perform a full scan with Avira and let it delete everything it is finding.

Then reboot.

After reboot, open your Avira and select "reports".

There, double-click the report from the full scan you have done. Click the "Report File" button and copy and paste this report in your next reply together with a new HijackThis log.

Then we'll start from there, because it really makes no sense otherwise for us to clean this up manually if no Antivirus scanner is present, which should be able to deal with most of it and prevent further reinfection.


I scan my system routinely with Dr.Web CureIt and mbam; I'm trying to run things as light as possible, and I'm fairly good at avoiding malicious software/web domains. My problem with most antivirus software is that the active protection consumes resources all the time when its protection is needed very rarely. While it may be very effective against KNOWN infections, it provides little help against NEW infections. That being said, I'm not trying to be difficult or defiant for any reason, and I proceeded as directed.

Avira AntiVir Personal

Report file date: Friday, July 03, 2009 22:20

Scanning for 1446709 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus

Serial number : 0000149996-ADJIE-0000001

Platform : Windows XP

Windows version : (Service Pack 3) [5.1.2600]

Boot mode : Normally booted

Username : malfy

Computer name : DANNY

Version information:

BUILD.DAT : 9.0.0.403 17961 Bytes 6/3/2009 17:05:00

AVSCAN.EXE : 9.0.3.6 466689 Bytes 5/11/2009 15:14:47

AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 16:58:24

LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 17:35:49

LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 16:58:52

ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 18:30:36

ANTIVIR1.VDF : 7.1.4.132 5707264 Bytes 6/24/2009 02:46:53

ANTIVIR2.VDF : 7.1.4.173 306688 Bytes 7/2/2009 02:46:54

ANTIVIR3.VDF : 7.1.4.180 29696 Bytes 7/3/2009 02:46:55

Engineversion : 8.2.0.204

AEVDF.DLL : 8.1.1.1 106868 Bytes 4/30/2009 17:52:04

AESCRIPT.DLL : 8.1.2.13 426362 Bytes 7/4/2009 02:46:59

AESCN.DLL : 8.1.2.3 127347 Bytes 5/14/2009 17:02:01

AERDL.DLL : 8.1.2.2 438642 Bytes 7/4/2009 02:46:59

AEPACK.DLL : 8.1.3.18 401783 Bytes 5/27/2009 22:07:20

AEOFFICE.DLL : 8.1.0.38 196987 Bytes 7/4/2009 02:46:58

AEHEUR.DLL : 8.1.0.137 1823095 Bytes 7/4/2009 02:46:58

AEHELP.DLL : 8.1.3.6 205174 Bytes 7/4/2009 02:46:55

AEGEN.DLL : 8.1.1.48 348532 Bytes 7/4/2009 02:46:55

AEEMU.DLL : 8.1.0.9 393588 Bytes 10/9/2008 20:32:40

AECORE.DLL : 8.1.6.12 180599 Bytes 5/27/2009 22:07:20

AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 20:32:40

AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 14:47:59

AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 16:32:15

AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 20:34:28

AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 16:32:09

AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 21:05:41

AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 16:37:08

SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 21:03:49

SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 14:21:33

NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 16:32:10

RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 21:39:58

RCTEXT.DLL : 9.0.37.0 86785 Bytes 4/17/2009 16:19:48

Configuration settings for the scan:

Jobname.............................: Local Drives

Configuration file..................: c:\program files\avira\antivir desktop\alldrives.avp

Logging.............................: low

Primary action......................: interactive

Secondary action....................: ignore

Scan master boot sector.............: on

Scan boot sector....................: on

Boot sectors........................: C:, D:, E:, F:, G:,

Process scan........................: on

Scan registry.......................: on

Search for rootkits.................: off

Integrity checking of system files..: off

Scan all files......................: Intelligent file selection

Scan archives.......................: on

Recursion depth.....................: 20

Smart extensions....................: on

Macro heuristic.....................: on

File heuristic......................: medium

Start of the scan: Friday, July 03, 2009 22:20

The scan of running processes will be started

Scan process 'avscan.exe' - '1' Module(s) have been scanned

Scan process 'avcenter.exe' - '1' Module(s) have been scanned

Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned

Scan process 'wuauclt.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned

Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned

Scan process 'jwpen.exe' - '1' Module(s) have been scanned

Scan process 'avguard.exe' - '1' Module(s) have been scanned

Scan process 'avgnt.exe' - '1' Module(s) have been scanned

Scan process 'RTHDCPL.exe' - '1' Module(s) have been scanned

Scan process 'explorer.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'sched.exe' - '1' Module(s) have been scanned

Scan process 'spoolsv.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'lsass.exe' - '1' Module(s) have been scanned

Scan process 'services.exe' - '1' Module(s) have been scanned

Scan process 'winlogon.exe' - '1' Module(s) have been scanned

Scan process 'csrss.exe' - '1' Module(s) have been scanned

Scan process 'smss.exe' - '1' Module(s) have been scanned

25 processes with 25 modules were scanned

Starting master boot sector scan:

Master boot sector HD0

[INFO] No virus was found!

Start scanning boot sectors:

Boot sector 'C:\'

[INFO] No virus was found!

Starting to scan executable files (registry).

The registry was scanned ( '42' files ).

Starting the file scan:

Begin scan in 'C:\'

C:\pagefile.sys

[WARNING] The file could not be opened!

[NOTE] This file is a Windows system file.

[NOTE] This file cannot be opened for scanning.

Begin scan in 'D:\'

Search path D:\ could not be opened!

System error [21]: The device is not ready.

Begin scan in 'E:\'

Search path E:\ could not be opened!

System error [21]: The device is not ready.

Begin scan in 'F:\'

Search path F:\ could not be opened!

System error [21]: The device is not ready.

Begin scan in 'G:\'

Search path G:\ could not be opened!

System error [21]: The device is not ready.

End of the scan: Friday, July 03, 2009 22:41

Used time: 21:05 Minute(s)

The scan has been done completely.

8549 Scanned directories

264423 Files were scanned

0 Viruses and/or unwanted programs were found

0 Files were classified as suspicious

0 files were deleted

0 Viruses and unwanted programs were repaired

0 Files were moved to quarantine

0 Files were renamed

1 Files cannot be scanned

264422 Files not concerned

3217 Archives were scanned

1 Warnings

1 Notes

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:17:04 PM, on 7/3/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\WINDOWS\system32\JWPEN.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O1 - Hosts: ::1 localhost

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab

O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.1.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1218583869453

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1218330580531

O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.2.1.cab

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: ASP.NET State Service aspnet_stateEventSystem (aspnet_stateEventSystem) - Unknown owner - .exe (file missing)

O23 - Service: HWSuperPowerTablet - HanWang - C:\WINDOWS\system32\JWPEN.exe

O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--

End of file - 3579 bytes


  • Staff

Most Antivirus programs have good heuristic detection.

I am also very careful where I surf and avoid malware, but I still have Avira installed, and I'm glad I installed it and run it as a realtime guard, since it has already blocked a lot of drive-by installs (malware downloaded via legit webpages, for example).

In your case, it should have happened exactly the same, because I suspect you are dealing with the "skynet" rootkit. Once this one gets installed, it can avoid detection by other scanners.

I do know that Avira already blocks its install, but once installed, it won't detect anymore.

Anyway... * Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com, for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.


ComboFix 09-07-03.03 - malfy 07/04/2009 3:14.3 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1709 [GMT -5:00]

Running from: c:\documents and settings\malfy\Desktop\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\malfy\Local Settings\Application Data\{0FE51EEA-1E6F-4F0F-8305-8E012627B986}

c:\documents and settings\malfy\Local Settings\Application Data\{0FE51EEA-1E6F-4F0F-8305-8E012627B986}\chrome.manifest

c:\documents and settings\malfy\Local Settings\Application Data\{0FE51EEA-1E6F-4F0F-8305-8E012627B986}\chrome\content\_cfg.js

c:\documents and settings\malfy\Local Settings\Application Data\{0FE51EEA-1E6F-4F0F-8305-8E012627B986}\chrome\content\overlay.xul

c:\documents and settings\malfy\Local Settings\Application Data\{0FE51EEA-1E6F-4F0F-8305-8E012627B986}\install.rdf

c:\windows\system32\drivers\hjgruilnsrqxti.sys

c:\windows\system32\hjgruigwkdphoo.dat

c:\windows\system32\hjgruikpmpiqjo.dll

c:\windows\system32\hjgruiltnyycrw.dat

c:\windows\system32\hjgruitliqouem.dll

c:\windows\system32\mlfcache.dat

c:\windows\system32\proquota.exe was missing

Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_hjgruidipbfpcb

((((((((((((((((((((((((( Files Created from 2009-06-04 to 2009-07-04 )))))))))))))))))))))))))))))))

.

2009-07-04 02:45 . 2009-03-30 15:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys

2009-07-04 02:45 . 2009-03-24 21:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-07-04 02:45 . 2009-02-13 17:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2009-07-04 02:45 . 2009-02-13 17:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2009-07-04 02:45 . 2009-07-04 02:45 -------- d-----w- c:\program files\Avira

2009-07-04 02:45 . 2009-07-04 02:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2009-06-28 20:30 . 2009-06-28 20:30 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2009-06-24 03:25 . 2009-07-04 04:42 -------- d-----w- c:\program files\Steam

2009-06-19 07:24 . 2009-06-19 07:24 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles

2009-06-10 08:01 . 2009-06-10 08:01 -------- d-----w- c:\windows\ie8updates

2009-06-10 05:59 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2009-06-10 05:59 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-07-04 07:32 . 2007-05-19 19:52 -------- d-----w- c:\program files\PokerStars

2009-07-03 07:52 . 2007-06-01 06:20 -------- d-----w- c:\program files\QuickTime

2009-07-01 06:16 . 2003-03-31 12:00 4224 ----a-w- c:\windows\system32\drivers\beep.sys

2009-06-24 09:48 . 2008-03-12 22:25 -------- d-----w- c:\program files\Warcraft III

2009-06-21 06:23 . 2009-02-19 19:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-06-21 06:23 . 2009-04-09 23:26 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2009-06-20 21:56 . 2009-04-10 08:11 80 ----a-w- c:\windows\system32\HWTablet.bin

2009-06-17 16:27 . 2009-02-19 19:42 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-06-17 16:27 . 2009-02-19 19:42 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-06-15 05:10 . 2009-02-09 23:04 -------- d-----w- c:\program files\Full Tilt Poker

2009-05-29 05:32 . 2007-05-08 21:32 -------- d-----w- c:\program files\mIRC

2009-05-14 00:15 . 2007-05-13 00:40 -------- d-----w- c:\program files\Common Files\Adobe

2009-05-14 00:06 . 2009-05-14 00:06 -------- d-----w- c:\program files\Common Files\Macrovision Shared

2009-05-13 05:15 . 2006-06-23 17:33 915456 ----a-w- c:\windows\system32\wininet.dll

2009-05-07 15:32 . 2003-03-31 12:00 345600 ----a-w- c:\windows\system32\localspl.dll

2009-04-17 12:26 . 2003-03-31 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys

2009-04-15 14:51 . 2004-03-06 02:16 585216 ----a-w- c:\windows\system32\rpcrt4.dll

2009-04-15 02:53 . 2009-04-15 02:53 1078 ----a-r- c:\documents and settings\malfy\Application Data\Microsoft\Installer\{26E30F32-01C0-47EF-930B-D36B676B86A9}\_294823.exe

2009-04-15 02:53 . 2009-04-15 02:53 1078 ----a-r- c:\documents and settings\malfy\Application Data\Microsoft\Installer\{26E30F32-01C0-47EF-930B-D36B676B86A9}\_18be6784.exe

2009-04-14 23:31 . 2008-03-12 22:29 78175 ----a-w- c:\windows\War3Unin.dat

2009-04-10 00:52 . 2009-01-02 21:04 383645136 ----a-w- c:\documents and settings\malfy\Application Data\ijjigame\U_GBOUND_setup.exe

2007-07-26 19:32 . 2007-05-14 03:47 66408 ----a-w- c:\program files\mozilla firefox\components\jar50.dll

2007-07-26 19:32 . 2007-05-14 03:47 54112 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll

2007-07-26 19:32 . 2007-05-14 03:47 34688 ----a-w- c:\program files\mozilla firefox\components\myspell.dll

2007-07-26 19:32 . 2007-05-14 03:47 46456 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll

2007-07-26 19:32 . 2007-05-14 03:47 171880 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-13 8429568]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-04-10 16126464]

"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-04-13 1626112]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\bcmwl5.sys]

@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Monitor Apache Servers.lnk]

backup=c:\windows\pss\Monitor Apache Servers.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NETGEAR WG311v3 Smart Wizard.lnk]

backup=c:\windows\pss\NETGEAR WG311v3 Smart Wizard.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^malfy^Start Menu^Programs^Startup^Adobe Gamma.lnk]

backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"iPod Service"=3 (0x3)

"Apple Mobile Device"=2 (0x2)

"Adobe LM Service"=3 (0x3)

"aawservice"=2 (0x2)

"FLEXnet Licensing Service"=3 (0x3)

"Bonjour Service"=2 (0x2)

"MySQL"=2 (0x2)

"Apache2.2"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5999:UDP"= 5999:UDP:*:Disabled:MaxiVista Server

"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 hypen;Hy Pen;c:\windows\system32\drivers\HYPEN.sys [4/10/2009 3:11 AM 10548]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/3/2009 9:45 PM 108289]

R2 HWSuperPowerTablet;HWSuperPowerTablet;c:\windows\system32\jwpen.exe [4/10/2009 3:11 AM 221184]

S2 aspnet_stateEventSystem;ASP.NET State Service aspnet_stateEventSystem; srv --> srv [?]

S3 maxidemo;Maxi_Vista_Demo_Driver;c:\windows\system32\DRIVERS\maxidemo.sys --> c:\windows\system32\DRIVERS\maxidemo.sys [?]

S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

S4 Apache2.2;Apache2.2;c:\apache2.2\bin\httpd.exe [6/13/2008 4:05 AM 24635]

--- Other Services/Drivers In Memory ---

*Deregistered* - HYCtl

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

2009-05-24 c:\windows\Tasks\shutdown.job

- c:\windows\system32\shutdown.exe [2003-03-31 00:12]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

FF - ProfilePath - c:\documents and settings\malfy\Application Data\Mozilla\Firefox\Profiles\mkp52r85.default\

FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-07-04 03:18

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\aspnet_stateEventSystem]

"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MySQL]

"ImagePath"="c:\mysql\bin\mysqld-nt MySQL"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\npggsvc]

"ImagePath"="c:\windows\system32\GameMon.des -service"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-329068152-1563985344-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C11AF94B-CD15-D6B5-087F-DECB344D0DD3}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"nanhmlnghhidgnkgcjaegkpjbelm"=hex:69,61,67,6d,65,63,68,67,63,6e,69,66,67,68,

66,62,6c,65,00,00

"mahhddllgmncbgnkckpciinekj"=hex:6a,61,6f,6d,63,67,6c,64,6d,66,6a,68,63,6a,66,

70,61,6c,68,6e,00,00

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1004)

c:\windows\system32\MrvGINA.dll

.

Completion time: 2009-07-04 3:19

ComboFix-quarantined-files.txt 2009-07-04 08:19

ComboFix2.txt 2009-02-27 21:35

Pre-Run: 40,518,942,720 bytes free

Post-Run: 40,560,955,392 bytes free

182 --- E O F --- 2009-06-10 08:01


  • Staff

Hi,

This looks OK again.

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Let me know in your next reply how things are now.


  • Staff
I'm curious, what does "je m'en fous" mean?
That means "I don't care" :unsure:

Glad I could help. :)

Please read my Prevention page with lots of info and tips how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!


  • Staff

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
