
Trojan.agent WINDOW\system32\ESQULzcounter



I persistently get this trojan on reboot. It's redirecting Google searches; other than that the computer seems to work fine. I have posted the MBAM log below. Any help is appreciated! Thanks!

Malwarebytes' Anti-Malware 1.39

Database version: 2532

Windows 5.1.2600 Service Pack 3

30/07/2009 6:38:08 PM

mbam-log-2009-07-30 (18-38-05).txt

Scan type: Quick Scan

Objects scanned: 101118

Time elapsed: 6 minute(s), 40 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\ESQULzcounter (Trojan.Agent) -> No action taken.


Here's the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:32:27 PM, on 30/07/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\HPZipm12.exe

C:\Program Files\Symantec AntiVirus\SavRoam.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\USBDeviceService.exe

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\Windows Live\Contacts\wlcomm.exe

C:\Program Files\Windows Live\Messenger\wlcsdk.exe

C:\WINDOWS\system32\msiexec.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Trend Micro\HijackThis\HJTapp.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe

O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q106&bd=pavilion&pf=laptop

O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe

O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

O23 - Service: USBDeviceService - Unknown owner - C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\USBDeviceService.exe

O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--

End of file - 7571 bytes



Hello sansari,

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!


If you are a casual viewer, do NOT try this on your system!

If you are not sansari and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.

=

Close any of your open programs while you run these tools.

1. Go >> Here << and download ERUNT

(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)

2. Install ERUNT by following the prompts

(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)

3. Start ERUNT

(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)

4. Choose a location for the backup

(the default location is C:\WINDOWS\ERDNT which is acceptable).

5. Make sure that at least the first two check boxes are ticked

6. Press OK

7. Press YES to create the folder.

=

1. Set Windows to show all files and all folders.

On your Desktop, double-click My Computer; from the menu options, select Tools, then Folder Options, then the View tab, and look at all of the settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under Hidden files and folders, choose (select) Show hidden files and folders.

Next, un-check Hide extensions for known file types.

Next un-check Hide protected operating system files.

2. Take out the trash (temporary files & temporary internet files)

Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to clean out temporary files and temp areas used by internet browsers.

Start ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

If you use Firefox browser, do this also:

Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:

Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

ATF-Cleaner should be run per the above in every user-login account (User Profile).

=

Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools.

If you have a prior copy of Combofix, delete it now!

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1

Link 2

Link 3


* IMPORTANT!!! SAVE AS Combo-Fix.exe to your Desktop.

If your I.E. browser shows a warning message at the top, right-click on the bar and select Download, saving it to the Desktop.

  • Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools.
  • Double-click on Combo-Fix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot: whatnext.png]

Click on Yes, to continue scanning for malware.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.

IF you should see a message like this:

[screenshot: Rookit_found.gif]

then be sure to write it down fully, copy it into your next reply here, and await my response.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

-------------------------------------------------------

A caution - Do not run Combofix more than once.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.

If this occurs, please reboot to restore the desktop.

Even when ComboFix appears to be doing nothing, look at your Drive light.

If it is flashing, Combofix is still at work.

=

Next, Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

When done, click the Scanner tab.

Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

=

RE-Enable your AntiVirus and AntiSpyware applications.

Reply with a copy of C:\Combofix.txt and the latest MBAM scan log.

There will be much more to do later.

P.S. Always use the ADDReply button when starting a reply, and do not use the other buttons.


Hi there,

I have followed the instructions. While running ComboFix I got a message saying

'ComboFix has detected the presence of rootkit activity ..... We may need it later.'

The names of the files were:

c:\windows\system32\ESQULmtynecwtaqgukhdrsflgwkrdarjurbyy.dll

c:\windows\system32\drivers\ESQULfndsxhldacxktuhyfrmoejbenvttordv.sys

c:\windows\system32\ESQULivtxmqpkfyioiajnvcjtpoivwplydcdp.dll

Combofix log:

ComboFix 09-07-29.04 - Sania Ansari 31/07/2009 1:14.9.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.728 [GMT -4:00]

Running from: c:\documents and settings\Sania Ansari\Desktop\Combo-Fix.exe

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\Install.txt

c:\windows\Installer\3eace.msp

c:\windows\Installer\ee1c62f.msp

c:\windows\run.log

c:\windows\system32\drivers\ESQULfndsxhldacxktuhyfrmoejbenvttordv.sys

c:\windows\system32\drivers\ESQULwqxyiqhrxumeyxwmqpqjpwdvxowbnrbc.sys

c:\windows\system32\ESQULivtxmqpkfyioiajnvcjtpoivwplydcdp.dll

c:\windows\system32\ESQULmtynecwtaqgukhdrsflgwkrdarjurbyy.dll

c:\windows\system32\geyekrgyekxlbq.dll

c:\windows\system32\geyekrisdinawr.dat

c:\windows\system32\geyekrotrkjacp.dll

c:\windows\system32\Install.txt

c:\windows\system32\UACocukqpmapfqpkqude.db

c:\windows\system32\UACqnojuoougiburevnm.dat

c:\windows\system32\uactmp.db

c:\windows\system32\grpconv.exe was missing

Restored copy from - c:\windows\ServicePackFiles\i386\grpconv.exe

c:\windows\system32\proquota.exe was missing

Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_ESQULserv.sys

-------\Service_ESQULserv.sys

((((((((((((((((((((((((( Files Created from 2009-06-28 to 2009-07-31 )))))))))))))))))))))))))))))))

.

2009-07-31 05:23 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe

2009-07-31 05:23 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe

2009-07-31 05:22 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\grpconv.exe

2009-07-31 05:22 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\dllcache\grpconv.exe

2009-07-31 04:45 . 2009-07-31 04:45 -------- d-----w- c:\program files\ERUNT

2009-07-30 21:53 . 2009-07-13 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-07-30 21:53 . 2009-07-30 21:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-07-30 21:53 . 2009-07-13 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-07-30 20:06 . 2009-07-30 20:06 -------- d-----w- c:\documents and settings\Sania Ansari\DoctorWeb

2009-07-30 19:11 . 2009-07-30 19:11 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2009-07-30 19:10 . 2009-07-30 19:10 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE

2009-07-23 01:04 . 2009-07-23 01:04 -------- d-----w- c:\documents and settings\Guest\Application Data\Malwarebytes

2009-07-21 06:10 . 2009-07-21 06:10 -------- d-----w- c:\program files\Common Files\DivX Shared

2009-07-17 04:59 . 2008-04-14 00:12 15360 ----a-w- c:\windows\system32\dllcache\ctfmon.exe

2009-07-17 04:59 . 2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

2009-07-17 04:58 . 2004-08-04 13:00 4224 ----a-w- c:\windows\system32\dllcache\beep.sys

2009-07-17 04:58 . 2009-07-17 20:19 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\16283284

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-07-31 05:06 . 2006-01-03 11:34 -------- d-----w- c:\program files\Common Files\Symantec Shared

2009-07-31 05:06 . 2009-01-22 16:05 -------- d-----w- c:\program files\Symantec AntiVirus

2009-07-31 05:06 . 2006-01-03 11:34 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Symantec

2009-07-31 00:48 . 2009-03-19 16:04 -------- d-----w- c:\program files\Microsoft Silverlight

2009-07-30 03:43 . 2008-09-02 20:25 -------- d---a-w- c:\docume~1\ALLUSE~1\APPLIC~1\TEMP

2009-07-30 03:43 . 2009-05-05 01:27 -------- d-----w- c:\program files\SpywareBlaster

2009-07-21 06:10 . 2007-05-05 22:32 -------- d-----w- c:\program files\DivX

2009-07-17 04:58 . 2009-07-17 04:59 0 ----a-w- c:\windows\system32\drivers\OLD18E.tmp

2009-07-03 17:09 . 2004-08-04 08:00 915456 ----a-w- c:\windows\system32\wininet.dll

2009-06-25 09:34 . 2007-07-30 03:20 -------- d-----w- c:\program files\Veoh

2009-06-20 02:10 . 2009-06-20 02:10 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

2009-06-20 02:10 . 2007-01-15 02:13 -------- d-----w- c:\program files\iTunes

2009-06-20 02:10 . 2009-06-20 02:10 -------- d-----w- c:\program files\iPod

2009-06-20 02:10 . 2008-11-25 01:14 -------- d-----w- c:\program files\Common Files\Apple

2009-06-20 02:08 . 2009-06-20 02:07 -------- d-----w- c:\program files\QuickTime

2009-06-16 14:36 . 2004-08-04 08:00 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-06-16 14:36 . 2004-08-04 08:00 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-03 19:09 . 2004-08-04 08:00 1291264 ----a-w- c:\windows\system32\quartz.dll

2009-05-21 01:22 . 2006-04-25 02:13 59 ----a-w- c:\windows\popcinfo.dat

2009-05-07 15:32 . 2004-08-04 08:00 345600 ----a-w- c:\windows\system32\localspl.dll

2009-05-06 20:32 . 2009-01-20 15:22 410984 ----a-w- c:\windows\system32\deploytk.dll

2009-05-06 20:31 . 2009-05-06 20:31 607640 ----a-w- C:\jre-6u13-windows-i586-p-iftw.exe

2009-05-04 19:03 . 2009-05-04 19:03 59904 ----a-w- c:\windows\system32\zlib1.dll

2009-05-04 18:53 . 2009-05-04 18:53 286720 ----a-w- c:\windows\system32\libcurl.dll

2009-05-04 18:53 . 2009-05-04 18:53 196608 ----a-w- c:\windows\system32\ssleay32.dll

2009-05-04 18:53 . 2009-05-04 18:53 1028096 ----a-w- c:\windows\system32\libeay32.dll

2009-05-04 18:53 . 2009-05-04 18:53 143360 ----a-w- c:\windows\system32\libexpatw.dll

2008-03-18 20:34 . 2008-03-18 20:32 6735008 ----a-w- c:\program files\Thunderbird Setup 2.0.0.12.exe

2007-07-17 22:33 . 2007-07-17 22:30 3753079 ----a-w- c:\program files\MSReaderSetup.exe

2009-07-23 21:30 . 2008-08-27 17:13 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll

2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll

2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll

2006-04-23 12:45 . 2006-04-23 12:45 22 --sha-w- c:\windows\SMINST\HPCD.sys

.

------- Sigcheck -------

[7] 2004-08-04 13:00 4224 DA1F27D85E0D1525F6621372E7B685E9 c:\windows\system32\dllcache\beep.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-05-13 185784]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-06 148888]

"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" - c:\windows\system32\CHDAudPropShortcut.exe [2005-11-22 61952]

"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2005-07-23 28160]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk

backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk

backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk

backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Documents and Settings\\Sania Ansari\\Desktop\\drjava-stable-20060127-2145.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=

"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

"c:\\Program Files\\Veoh\\VeohClient.exe"=

"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\eclipse-java-europa-winter-win32\\eclipse\\eclipse.exe"=

"c:\\Program Files\\Sony Ericsson\\Update Service\\Update Service.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

"c:\\Documents and Settings\\Sania Ansari\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=

"%windir%\\system32\\drivers\\svchost.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"24303:TCP"= 24303:TCP:BitComet 24303 TCP

"24303:UDP"= 24303:UDP:BitComet 24303 UDP

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [19/03/2009 12:03 PM 55152]

R2 ppsio2;PPDevice;c:\windows\system32\drivers\ppsio2.sys [12/08/2007 8:02 PM 23200]

S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [06/02/2009 6:08 PM 533360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

vvdsvc REG_MULTI_SZ vvdsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

- - - - ORPHANS REMOVED - - - -

Notify-NavLogon - (no file)

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm

IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm

IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm

DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab

FF - ProfilePath - c:\docume~1\SANIAA~1\APPLIC~1\Mozilla\Firefox\Profiles\m43pwysh.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search/?fr=ffsp1&p=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search/?fr=ffds1&p=

FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npvlc.dll

FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll

FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll

FF - plugin: c:\program files\Veoh\Plugins\noreg\NPVeohVersion.dll

FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-07-31 01:25

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,40,7c,ac,d7,1c,4a,2e,4a,bb,be,61,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,40,7c,ac,d7,1c,4a,2e,4a,bb,be,61,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2844)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\windows\system32\HPZipm12.exe

c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\program files\Sonic\DigitalMedia Plus v7\MyDVD Plus\USBDeviceService.exe

c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2009-07-31 1:31 - machine was rebooted

ComboFix-quarantined-files.txt 2009-07-31 05:31

Pre-Run: 40,695,238,656 bytes free

Post-Run: 40,608,067,584 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4

233 --- E O F --- 2009-07-31 00:00

_____________________________________

mbam log

Malwarebytes' Anti-Malware 1.39

Database version: 2534

Windows 5.1.2600 Service Pack 3

31/07/2009 1:39:56 AM

mbam-log-2009-07-31 (01-39-56).txt

Scan type: Quick Scan

Objects scanned: 98999

Time elapsed: 4 minute(s), 46 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Hello sansari,

Good progress at this point. The rootkits have been removed by Combofix. There is more to do.

Close any of your open programs. Do no websurfing. Do not start any other programs while these are running.

And please have infinite patience while Sysclean and the Eset online scan run. They may each take an hour or more, depending on your system & how many files it has.

=

Download the Microsoft


hello again!

The logs are posted below. The system seems to be working fine.

mrt.log

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.15, April 2006

Started On Sat Apr 22 19:12:48 2006

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Sat Apr 22 19:13:00 2006

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.16, May 2006

Started On Tue May 09 21:05:06 2006

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Tue May 09 21:13:47 2006

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.17, June 2006

Started On Fri Jun 16 21:01:12 2006

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Fri Jun 16 21:01:29 2006

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.18, July 2006

Started On Thu Jul 13 10:58:03 2006

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Thu Jul 13 10:58:15 2006

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.19, August 2006

Started On Sun Aug 13 19:34:02 2006

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Sun Aug 13 19:34:23 2006

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.20, September 2006

Started On Thu Sep 14 03:01:56 2006

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Thu Sep 14 03:02:13 2006

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.21, October 2006

Started On Thu Oct 12 21:00:20 2006

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Thu Oct 12 21:00:37 2006

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.22, November 2006

Started On Wed Nov 15 21:01:22 2006

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Wed Nov 15 21:01:37 2006

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.23, December 2006

Started On Fri Dec 15 22:33:07 2006

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Fri Dec 15 22:33:29 2006

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.23, December 2006

Started On Sat Dec 23 00:33:15 2006

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Sat Dec 23 00:33:33 2006

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.24, January 2007

Started On Sat Jan 13 03:04:39 2007

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Sat Jan 13 03:05:09 2007

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.25, February 2007

Started On Sun Feb 18 16:31:38 2007

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Sun Feb 18 16:32:17 2007

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.27, March 2007

Started On Sat Mar 31 03:02:38 2007

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Sat Mar 31 03:03:05 2007

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.28, April 2007

Started On Thu May 03 17:16:06 2007

->Sysclean WARNING: MemScanGetImagePathFromPid(2140) (Win32 Error Code: 0x00000057 (87):The parameter is incorrect.) [709]

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Thu May 03 17:16:38 2007

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.29, May 2007

Started On Thu May 24 12:20:03 2007

->Scan ERROR: resource file://C:\Program Files\DivX\DivX Web Player\npdivx32.dll (code 0x0000000B (11))

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Thu May 24 12:21:14 2007

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.30, June 2007

Started On Wed Jun 13 17:05:51 2007

->Scan ERROR: resource file://C:\Program Files\DivX\DivX Web Player\npdivx32.dll (code 0x0000000B (11))

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Wed Jun 13 17:07:10 2007

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.31, July 2007

Started On Wed Jul 11 09:13:55 2007

->Scan ERROR: resource file://C:\Program Files\DivX\DivX Web Player\npdivx32.dll (code 0x0000000B (11))

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Wed Jul 11 09:15:24 2007

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.32, August 2007

Started On Wed Aug 15 17:29:20 2007

->Scan ERROR: resource file://C:\Program Files\DivX\DivX Web Player\npdivx32.dll (code 0x0000000B (11))

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Wed Aug 15 17:30:59 2007

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.33, September 2007

Started On Thu Sep 13 21:02:36 2007

->Scan ERROR: resource file://C:\Program Files\DivX\DivX Web Player\npdivx32.dll (code 0x0000000B (11))

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Thu Sep 13 21:04:05 2007

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.34, October 2007

Started On Wed Oct 10 11:59:16 2007

->Scan ERROR: resource file://C:\Program Files\DivX\DivX Web Player\npdivx32.dll (code 0x0000000D (13))

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Wed Oct 10 12:00:46 2007

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.40, April 2008

Started On Thu Apr 24 01:40:07 2008

->Scan ERROR: resource file://C:\Program Files\DivX\DivX Web Player\npdivx32.dll (code 0x0000000D (13))

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Thu Apr 24 01:41:42 2008

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v2.1, August 2008

Started On Mon Sep 08 23:06:11 2008

->Scan ERROR: resource service://TDSSserv (code 0x0000054F (1359))

->Scan ERROR: resource service://TDSSserv (code 0x0000054F (1359))

->Scan ERROR: resource service://TDSSserv (code 0x0000054F (1359))

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Mon Sep 08 23:08:16 2008

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v2.2, September 2008

Started On Tue Sep 09 23:07:19 2008

->Scan ERROR: resource service://TDSSserv (code 0x0000054F (1359))

->Scan ERROR: resource service://TDSSserv (code 0x0000054F (1359))

->Scan ERROR: resource service://TDSSserv (code 0x0000054F (1359))

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Tue Sep 09 23:09:01 2008

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v2.3, October 2008

Started On Tue Oct 14 21:06:08 2008

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Tue Oct 14 21:08:01 2008

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v2.4, November 2008

Started On Wed Nov 12 20:04:53 2008

->Scan ERROR: resource service://TDSSserv.sys (code 0x0000054F (1359))

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Wed Nov 12 20:06:52 2008

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v2.5, December 2008

Started On Tue Dec 09 20:01:30 2008

->Scan ERROR: resource process://pid:1288 (code 0x00000057 (87))

->Scan ERROR: resource service://TDSSserv.sys (code 0x0000054F (1359))

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Tue Dec 09 20:03:40 2008

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v2.7, February 2009

Started On Mon Feb 16 20:04:09 2009

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Mon Feb 16 20:08:08 2009

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v2.8, March 2009

Started On Fri Mar 20 20:02:34 2009

->Scan ERROR: resource process://pid:5464 (code 0x00000057 (87))

->Scan ERROR: resource process://pid:3764 (code 0x00000005 (5))

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Fri Mar 20 20:05:12 2009

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v2.9, April 2009

Started On Wed Apr 15 20:05:32 2009

Security policy adjusted. Engine requests reboot and try again, ignoring.

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Wed Apr 15 20:07:45 2009

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v2.10, May 2009

Started On Wed May 13 21:27:22 2009

WARNING: Security policy doesn't allow for all actions MSRT may require.

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Wed May 13 21:29:38 2009

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v2.10, May 2009

Started On Mon Jun 08 13:35:23 2009

WARNING: Security policy doesn't allow for all actions MSRT may require.

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Mon Jun 08 13:38:13 2009

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v2.11, June 2009

Started On Thu Jun 11 20:02:20 2009

WARNING: Security policy doesn't allow for all actions MSRT may require.

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Thu Jun 11 20:04:20 2009

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v2.12, July 2009

Started On Wed Jul 15 20:01:38 2009

WARNING: Security policy doesn't allow for all actions MSRT may require.

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Wed Jul 15 20:04:27 2009

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v2.12, July 2009

Started On Fri Jul 31 14:58:06 2009

Results Summary:

----------------

No infection found.

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Fri Jul 31 15:01:22 2009

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v2.12, July 2009

Started On Fri Jul 31 15:01:29 2009

Return code: 0

Microsoft Windows Malicious Software Removal Tool Finished On Fri Jul 31 15:01:47 2009

__________________________________________

GooredFix

GooredFix by jpshortstuff (12.07.09)

Log created at 15:04 on 31/07/2009 (Sania Ansari)

Firefox version 3.0.12 (en-US)

========== GooredScan ==========

C:\Program Files\Mozilla Firefox\extensions\

{972ce4c6-7e08-4474-a285-3208198ce6fd} [04:43 25/04/2006]

{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [20:33 06/05/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]

"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [20:32 06/05/2009]

-=E.O.F=-

___________________________________________

sysclean.log

/--------------------------------------------------------------\

| Trend Micro System Cleaner |

| Copyright 2009-2010, Trend Micro, Inc. |

| http://www.trendmicro.com |

\--------------------------------------------------------------/

2009-07-31, 15:36:16, Auto-clean mode specified.

2009-07-31, 15:36:17, Initialized Rootkit Driver version 2.2.0.1004.

2009-07-31, 15:36:17, Running scanner "C:\DCE\TSC.BIN"...

2009-07-31, 15:36:29, Scanner "C:\DCE\TSC.BIN" has finished running.

2009-07-31, 15:36:29, TSC Log:


Hello Sania,

Sysclean scan and Eset scan mostly found items already in quarantine.

The Combofix has squashed a multi-faceted cluster of rootkits. That is very very good.

BUT your MRT log (the MS Malicious Software Removal Tool) showed you had previous infections of the TDSS-rootkit in several months last year: August, September, November, & December.

You must take steps to harden this pc's defenses.

Unless you have purchased Malwarebytes' Anti Malware {MBAM}, you should un-install it. Go to Control Panel and Add-or-Remove programs.

Look for it and click the line for it. Select Change/Remove to de-install it.

Also de-install Eset Online scan.

OK & Exit out of Control Panel

I see that you are clear of your original issues.

If you have a problem with these steps, or something does not quite work here, do let me know.

The following few steps will remove tools we used; followed by advice on staying safer.

We have to remove Combofix and all its associated folders.

By whichever name you named it (you had named it combo-fix), put that name in the RUN box stated just below.

The "/u" in the Run line below is to start Combofix for its cleanup & removal function.

Note the space after x and before the slash mark.

The utility must be removed to prevent any un-intentional or accidental usage, PLUS, to free up much space on your hard disk.

  • Click Start, then click Run.
    In the command box that opens, type or copy/paste combo-fix /u and then click OK.
  • Please double-click OTL.exe to run it.
  • Click on the CleanUp! button at upper Right corner. When you do this a text file named cleanup.txt will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTL attempting to contact the internet you should allow it to do so. After the list has been downloaded you'll be asked if you want to Begin cleanup process? Select Yes.
  • This step removes the files, folders, and shortcuts created by the tools I had you download and run.

We are finished here. Best regards.

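The reply above reads the mrt.log by eye and picks out the months whose scan errors name the TDSS service. As an added example (not code from this thread, from Microsoft or from Malwarebytes), the following Python parses run records in the mrt.log layout shown on this page and flags runs whose scan errors reference a known rootkit service name. The embedded log excerpt is constructed in that layout from the thread's own lines, and the SUSPICIOUS_SERVICES tuple and the function names are my own choices.

```python
"""Parse mrt.log run records and flag scan errors that name a suspicious service.
Added example for the MRT log posted in this thread (not Microsoft's or the poster's code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed excerpt in the mrt.log layout seen on this page (not the full posted log).
SAMPLE_MRT_LOG = """\
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v1.29, May 2007
Started On Thu May 24 12:20:03 2007
->Scan ERROR: resource file://C:\\Program Files\\DivX\\DivX Web Player\\npdivx32.dll (code 0x0000000B (11))
Results Summary:
----------------
No infection found.
Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Thu May 24 12:21:14 2007
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v2.1, August 2008
Started On Mon Sep 08 23:06:11 2008
->Scan ERROR: resource service://TDSSserv (code 0x0000054F (1359))
->Scan ERROR: resource service://TDSSserv (code 0x0000054F (1359))
Results Summary:
----------------
No infection found.
Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Mon Sep 08 23:08:16 2008
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v2.3, October 2008
Started On Tue Oct 14 21:06:08 2008
Results Summary:
----------------
No infection found.
Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Tue Oct 14 21:08:01 2008
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v2.4, November 2008
Started On Wed Nov 12 20:04:53 2008
->Scan ERROR: resource service://TDSSserv.sys (code 0x0000054F (1359))
Results Summary:
----------------
No infection found.
Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Wed Nov 12 20:06:52 2008
"""

HEADER_RE = re.compile(r"^Microsoft Windows Malicious Software Removal Tool (v[\d.]+), (.+)$")
STARTED_RE = re.compile(r"^Started On (.+)$")
ERROR_RE = re.compile(r"^->Scan ERROR: resource (\w+)://(.+?) \(code (0x[0-9A-Fa-f]+) \((\d+)\)\)$")
RETURN_RE = re.compile(r"^Return code: (\d+)$")

# Service names tied to the TDSS rootkit family, as they appear in the thread's log (my list).
SUSPICIOUS_SERVICES = ("tdssserv",)


@dataclass
class MsrtRun:
    version: str
    release: str                      # e.g. "August 2008"
    started: str = ""
    return_code: Optional[int] = None
    errors: List[Tuple[str, str, int]] = field(default_factory=list)  # (scheme, resource, win32 code)

    def suspicious_resources(self) -> List[str]:
        """Resources from service:// scan errors whose name matches a known rootkit service."""
        return [res for scheme, res, _ in self.errors
                if scheme == "service" and res.lower().startswith(SUSPICIOUS_SERVICES)]


def parse_mrt_log(text: str) -> List[MsrtRun]:
    """Split the log into runs (one per tool header); collect start time, scan errors, return code."""
    runs: List[MsrtRun] = []
    current: Optional[MsrtRun] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = MsrtRun(version=m.group(1), release=m.group(2))
            runs.append(current)
            continue
        if current is None:
            continue
        if (m := STARTED_RE.match(line)):
            current.started = m.group(1)
        elif (m := ERROR_RE.match(line)):
            current.errors.append((m.group(1), m.group(2), int(m.group(4))))
        elif (m := RETURN_RE.match(line)):
            current.return_code = int(m.group(1))
    return runs


def flag_rootkit_indicators(runs: List[MsrtRun]) -> List[Tuple[str, List[str]]]:
    """(release, resources) for every run whose scan errors name a suspicious service.
    Each such run still reports 'No infection found': the repeated scan error against the
    service is the signal worth reading, not the clean verdict."""
    return [(run.release, run.suspicious_resources())
            for run in runs if run.suspicious_resources()]


if __name__ == "__main__":
    for release, resources in flag_rootkit_indicators(parse_mrt_log(SAMPLE_MRT_LOG)):
        print(f"{release}: {', '.join(resources)}")
```

Run against a real mrt.log (C:\WINDOWS\debug\mrt.log on XP) the flagged releases are the months the helper listed; the clean October 2008 run in the sample shows that a run with no service errors produces no hit, and the file:// entry shows that unrelated resource errors are parsed but not flagged.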

Hi there,

I have a few questions.

1) Why do I need to uninstall mbam?

2) I couldn't uninstall Combo-Fix by typing Combo-Fix \u in the run command. Gives me an error saying file is not found. Any other way I can manually uninstall it?

3) What's OTL.exe? I don't believe you instructed me to download it before.


Howdy Sania,

#1. If you have not purchased MBAM, I urge you to de-install it, so for sure the quarantine items are gone as well.

IF in future you need use of MBAM, you can do a new download.

The MBAM is continuously being updated. So a new download gets you a more current one.

On the other hand, the purchase of MBAM is only a one-time fee, good forever on a 1 license/1 pc use. And that would offer the real-time Protection module.

#2. It is very, very important that Combofix is de-installed properly.

I believe you used the wrong kind of "slash" when you typed the command.

Try this, copy the following code box to your clipboard (highlight the line and COPY)

c:\documents and settings\Sania Ansari\Desktop\Combo-Fix.exe /u

Then, press Start button on taskbar, select RUN

In the text box of the Run dialog, place your cursor in the Run text box, and do a Paste (CTRL+V) into it of the codebox

and press OK or Enter to run it.

After Combofix is properly removed:

Download OTL by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTL.exe

and please do all the steps I outlined, including the Cleanup! in OTL


Download OTL by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTL.exe

and please do all the steps I outlined, including the Cleanup! in OTL

and the other steps that followed

And after that, look at your desktop. IF Combo-fix is still there, delete it.

and

in any event, do this also

Run Disk Cleanup with the System Restore Cleanup as outlined here by Bert Kinney, MS MVP

http://bertk.mvps.org/html/diskclean.html
