Still having some problems


Cleo

Hi, I'm sorry about my previous post, I should have read more clearly before posting.

I'm reposting the things still happening after I ran MBAM and HijackThis.

"AntiVir keeps popping up with TR/Dropper.Gen (trojan), found at c:\windows\system32\tldwsp.dll and it can't seem to delete it or quarantine it, just deny it access. My internet SOMETIMES seems to redirect itself but not often? There are some things in the running processes I'm not sure should be there, and at start up there are a couple of errors, one about Outlook Express even though I don't use it."

"My firewall (I use the Windows one) is turned off and can't be turned on again when I try." I can't turn on the entire Windows Security Centre, for that matter.

MBAM log:

Malwarebytes' Anti-Malware 1.41

Database version: 3115

Windows 5.1.2600 Service Pack 3

07/11/2009 15:24:55

mbam-log-2009-11-07 (15-24-55).txt

Scan type: Quick Scan

Objects scanned: 106993

Time elapsed: 20 minute(s), 58 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 9

Registry Values Infected: 1

Registry Data Items Infected: 1

Folders Infected: 1

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\sexvid (Trojan.DNSChanger) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\poprock (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\poprock (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe rundll32.exe pqrs.tmo printer) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Folders Infected:

C:\resycled (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:

C:\resycled\boot.com (Trojan.DNSChanger) -> Quarantined and deleted successfully.

C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 15:55:35, on 07/11/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\ACS.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\WINDOWS\System32\aniServ.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\Program Files\EDIMAX\Common\RalinkRegistryWriter.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\Atheros\ACU.exe

C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\TPSBattM.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\McAfee Security Scan\1.0.150\SSScheduler.exe

C:\Program Files\EDIMAX\Common\RaUI.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe

C:\Program Files\Avira\AntiVir Desktop\update.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [TPSMain] TPSMain.exe

O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [ACU] "C:\Program Files\Atheros\ACU.exe" -nogui

O4 - HKLM\..\Run: [smoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

O4 - HKLM\..\Run: [PadTouch] "C:\Program Files\TOSHIBA\PadTouch\PadExe.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [TkBellExe] "realsched.exe" -osboot

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-21-2419218687-2945963250-3034659895-1006\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe (User '?')

O4 - HKUS\S-1-5-21-2419218687-2945963250-3034659895-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')

O4 - S-1-5-21-2419218687-2945963250-3034659895-1006 Startup: BBC iPlayer Desktop.lnk = C:\Program Files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe (User '?')

O4 - Startup: BBC iPlayer Desktop.lnk = C:\Program Files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe

O4 - Global Startup: McAfee Security Scan.lnk = ?

O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

O4 - Global Startup: Wireless Utility.lnk = C:\Program Files\EDIMAX\Common\RaUI.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe

O23 - Service: Airgo Networks NIC Service (ANISERVICE) - Airgo Networks, Inc. - C:\WINDOWS\System32\aniServ.exe

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Ralink Registry Writer (RalinkRegistryWriter) - Ralink Technology, Corp. - C:\Program Files\EDIMAX\Common\RalinkRegistryWriter.exe

--

End of file - 7921 bytes


  • Staff

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

-screen317


Hi, thank you for your prompt response. :(

I've updated MBAM, here is the log:

Malwarebytes' Anti-Malware 1.41

Database version: 3130

Windows 5.1.2600 Service Pack 3

08/11/2009 23:20:29

mbam-log-2009-11-08 (23-20-29).txt

Scan type: Quick Scan

Objects scanned: 107204

Time elapsed: 20 minute(s), 25 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

I then ran ComboFix, first turning off my virus scanners as instructed. However, partway through, ComboFix restarted my computer as a rootkit (?) was found, and when the computer restarted Avira AntiVir restarted too. Anyway, here is the log for ComboFix:

ComboFix 09-11-08.03 - Cleo 09/11/2009 23:20.1.1 - NTFSx86

Running from: c:\documents and settings\Cleo\Desktop\ComboFix.exe

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\recycler\S-1-5-21-117609710-1500820517-682003330-1003

c:\recycler\S-1-5-21-1192141612-79458676-1314586074-1003

c:\recycler\S-1-5-21-331646997-3410284032-914650695-1003

E:\resycled

e:\resycled\boot.com

Infected copy of c:\windows\System32\DRIVERS\atapi.sys was found and disinfected

Restored copy from - Kitty ate it ;)

.

((((((((((((((((((((((((( Files Created from 2009-10-09 to 2009-11-09 )))))))))))))))))))))))))))))))

.

2009-11-07 17:30 . 2009-11-07 17:27 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-11-07 17:19 . 2009-11-07 17:19 152576 ----a-w- c:\documents and settings\Cleo\Application Data\Sun\Java\jre1.6.0_15\lzma.dll

2009-11-07 17:15 . 2009-11-08 13:21 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2009-11-07 17:14 . 2009-09-23 16:37 34112 ----a-w- c:\documents and settings\Cleo\Application Data\Mozilla\Firefox\Profiles\ghh1kvrd.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg_bootstrap.exe

2009-11-07 17:14 . 2009-09-23 16:37 32448 ----a-w- c:\documents and settings\Cleo\Application Data\Mozilla\Firefox\Profiles\ghh1kvrd.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll

2009-11-07 17:14 . 2009-09-23 16:37 22352 ----a-w- c:\documents and settings\Cleo\Application Data\Mozilla\Firefox\Profiles\ghh1kvrd.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe

2009-11-07 15:52 . 2009-11-07 15:52 -------- d-----w- c:\program files\Trend Micro

2009-11-07 13:07 . 2009-11-07 13:07 -------- d-----w- c:\documents and settings\Cleo\Application Data\Malwarebytes

2009-11-07 13:06 . 2009-09-10 14:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-11-07 13:06 . 2009-11-07 13:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-11-07 13:06 . 2009-09-10 14:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-11-07 13:06 . 2009-11-07 13:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-11-07 12:58 . 2009-11-07 12:58 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2009-11-07 12:26 . 2009-11-07 12:27 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan

2009-11-07 12:24 . 2009-11-07 12:24 -------- d-----w- c:\program files\McAfee Security Scan

2009-10-27 18:44 . 2009-10-27 18:44 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2009-10-26 07:57 . 2009-10-26 07:57 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2009-10-25 21:25 . 2009-10-25 21:25 -------- d-----w- c:\program files\ESET

2009-10-11 12:11 . 2009-08-25 00:30 13312 ----a-w- c:\documents and settings\Cleo\Application Data\Mozilla\Firefox\Profiles\ghh1kvrd.default\extensions\twitternotifier@naan.net\components\nsTwitterFoxSign.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-11-08 16:28 . 2008-10-12 14:20 1 ----a-w- c:\documents and settings\Cleo\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys

2009-11-08 16:28 . 2008-10-12 14:18 -------- d-----w- c:\documents and settings\Cleo\Application Data\OpenOffice.org2

2009-11-07 17:26 . 2004-05-18 07:12 -------- d-----w- c:\program files\Java

2009-11-02 00:42 . 2008-10-17 14:02 -------- d-----w- c:\documents and settings\Cleo\Application Data\uTorrent

2009-09-11 14:18 . 2004-05-18 05:27 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-09-04 21:03 . 2004-05-18 05:27 58880 ----a-w- c:\windows\system32\msasn1.dll

2009-09-01 22:46 . 2009-10-27 18:42 38208 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe

2009-09-01 22:46 . 2009-09-01 22:47 38208 ----a-w- c:\documents and settings\Cleo\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe

2009-08-29 08:08 . 2006-06-23 10:33 916480 ----a-w- c:\windows\system32\wininet.dll

2009-08-28 18:42 . 2009-09-20 23:37 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll

2009-08-28 18:42 . 2008-09-03 02:02 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys

2009-08-26 08:00 . 2004-05-18 05:27 247326 ----a-w- c:\windows\system32\strmdll.dll

.

------- Sigcheck -------

[7] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\eventlog.dll

[7] 2004-08-04 . 82B24CB70E5944E6E34662205A2A5B78 . 55808 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\eventlog.dll

[7] 2004-08-04 . 82B24CB70E5944E6E34662205A2A5B78 . 55808 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\eventlog.dll

c:\windows\system32\eventlog.dll ... is missing !!

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 65536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-03-09 335872]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-01-22 98304]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-01-22 495616]

"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2004-04-30 430080]

"ACU"="c:\program files\Atheros\ACU.exe" [2004-04-16 282624]

"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2004-04-27 118784]

"PadTouch"="c:\program files\TOSHIBA\PadTouch\PadExe.exe" [2004-02-12 1019904]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-07 149280]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2004-04-29 266240]

"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2004-02-20 88363]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

McAfee Security Scan.lnk - c:\program files\McAfee Security Scan\1.0.150\SSScheduler.exe [2009-7-28 199184]

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

Wireless Utility.lnk - c:\program files\EDIMAX\Common\RaUI.exe [2009-7-20 1601536]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\DRIVERS\rt2870.sys [2008-07-29 619136]

S0 atiide;atiide;c:\windows\System32\DRIVERS\atiide.sys [2004-04-14 5632]

S2 ANISERVICE;Airgo Networks NIC Service;c:\windows\System32\aniServ.exe [2004-09-30 143360]

S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]

S2 RalinkRegistryWriter;Ralink Registry Writer;c:\program files\EDIMAX\Common\RalinkRegistryWriter.exe [2008-05-12 69632]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR

*Deregistered* - mbr

*Deregistered* - PROCEXP113

.

Contents of the 'Scheduled Tasks' folder

2009-10-19 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-09-02 c:\windows\Tasks\Registration reminder 3.job

- c:\windows\System32\OOBE\oobebaln.exe [2004-05-18 00:12]

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = *.local

FF - ProfilePath - c:\documents and settings\Cleo\Application Data\Mozilla\Firefox\Profiles\ghh1kvrd.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.livejournal.com/

FF - component: c:\documents and settings\Cleo\Application Data\Mozilla\Firefox\Profiles\ghh1kvrd.default\extensions\twitternotifier@naan.net\components\nsTwitterFoxSign.dll

FF - plugin: c:\documents and settings\Cleo\Application Data\Mozilla\Firefox\Profiles\ghh1kvrd.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-TkBellExe - realsched.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-11-09 23:45

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\}


  • Staff

Hi,

My apologies for the delay.

Next, please open Notepad - don't use any other text editor than Notepad or the script will fail.

Copy/paste the text in the quotebox below into Notepad:

FCOPY::

c:\windows\ServicePackFiles\i386\eventlog.dll | c:\windows\system32\eventlog.dll

RegNull::

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\}


Hi,

No worries.

Here is the new ComboFix log:

ComboFix 09-11-15.01 - Cleo 15/11/2009 1:28.2.1 - FAT32x86

Running from: c:\documents and settings\Cleo\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Cleo\Desktop\CFScript.txt

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\eventlog.dll --> c:\windows\system32\eventlog.dll

.

((((((((((((((((((((((((( Files Created from 2009-10-15 to 2009-11-15 )))))))))))))))))))))))))))))))

.

2009-11-15 01:28 . 2008-04-14 00:11 56320 -c--a-w- c:\windows\system32\dllcache\eventlog.dll

2009-11-15 01:28 . 2008-04-14 00:11 56320 ----a-w- c:\windows\system32\eventlog.dll

2009-11-07 17:30 . 2009-11-07 17:27 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-11-07 17:19 . 2009-11-07 17:19 152576 ----a-w- c:\documents and settings\Cleo\Application Data\Sun\Java\jre1.6.0_15\lzma.dll

2009-11-07 17:15 . 2009-11-08 13:21 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2009-11-07 17:14 . 2009-09-23 16:37 34112 ----a-w- c:\documents and settings\Cleo\Application Data\Mozilla\Firefox\Profiles\ghh1kvrd.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg_bootstrap.exe

2009-11-07 17:14 . 2009-09-23 16:37 32448 ----a-w- c:\documents and settings\Cleo\Application Data\Mozilla\Firefox\Profiles\ghh1kvrd.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll

2009-11-07 17:14 . 2009-09-23 16:37 22352 ----a-w- c:\documents and settings\Cleo\Application Data\Mozilla\Firefox\Profiles\ghh1kvrd.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe

2009-11-07 15:52 . 2009-11-07 15:52 -------- d-----w- c:\program files\Trend Micro

2009-11-07 13:07 . 2009-11-07 13:07 -------- d-----w- c:\documents and settings\Cleo\Application Data\Malwarebytes

2009-11-07 13:06 . 2009-09-10 14:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-11-07 13:06 . 2009-11-07 13:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-11-07 13:06 . 2009-09-10 14:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-11-07 13:06 . 2009-11-07 13:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-11-07 12:58 . 2009-11-07 12:58 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2009-11-07 12:26 . 2009-11-07 12:27 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan

2009-11-07 12:24 . 2009-11-07 12:24 -------- d-----w- c:\program files\McAfee Security Scan

2009-10-27 18:44 . 2009-10-27 18:44 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2009-10-26 07:57 . 2009-10-26 07:57 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2009-10-25 21:25 . 2009-10-25 21:25 -------- d-----w- c:\program files\ESET

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-11-10 18:33 . 2008-10-12 14:20 1 ----a-w- c:\documents and settings\Cleo\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys

2009-11-10 18:33 . 2008-10-12 14:18 -------- d-----w- c:\documents and settings\Cleo\Application Data\OpenOffice.org2

2009-11-07 17:26 . 2004-05-18 07:12 -------- d-----w- c:\program files\Java

2009-11-02 00:42 . 2008-10-17 14:02 -------- d-----w- c:\documents and settings\Cleo\Application Data\uTorrent

2009-09-11 14:18 . 2004-05-18 05:27 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-09-04 21:03 . 2004-05-18 05:27 58880 ----a-w- c:\windows\system32\msasn1.dll

2009-09-01 22:46 . 2009-10-27 18:42 38208 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe

2009-09-01 22:46 . 2009-09-01 22:47 38208 ----a-w- c:\documents and settings\Cleo\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe

2009-08-29 08:08 . 2006-06-23 10:33 916480 ------w- c:\windows\system32\wininet.dll

2009-08-28 18:42 . 2009-09-20 23:37 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll

2009-08-28 18:42 . 2008-09-03 02:02 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys

2009-08-26 08:00 . 2004-05-18 05:27 247326 ----a-w- c:\windows\system32\strmdll.dll

2009-08-25 00:30 . 2009-10-11 12:11 13312 ----a-w- c:\documents and settings\Cleo\Application Data\Mozilla\Firefox\Profiles\ghh1kvrd.default\extensions\twitternotifier@naan.net\components\nsTwitterFoxSign.dll

.

((((((((((((((((((((((((((((( SnapShot@2009-11-09_23.45.45 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-11-14 08:58 . 2009-11-14 08:58 16384 c:\windows\Temp\Perflib_Perfdata_84.dat

+ 2004-05-18 07:31 . 2009-11-12 23:25 166712 c:\windows\system32\FNTCACHE.DAT

- 2004-05-18 07:31 . 2009-07-14 13:29 166712 c:\windows\system32\FNTCACHE.DAT

+ 2004-05-18 05:27 . 2009-08-14 13:21 1850624 c:\windows\system32\win32k.sys

+ 2008-10-16 23:21 . 2009-08-14 13:21 1850624 c:\windows\system32\dllcache\win32k.sys

+ 2008-09-02 23:42 . 2009-11-05 17:36 26768832 c:\windows\system32\MRT.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 65536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-03-09 335872]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-01-22 98304]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-01-22 495616]

"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2004-04-30 430080]

"ACU"="c:\program files\Atheros\ACU.exe" [2004-04-16 282624]

"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2004-04-27 118784]

"PadTouch"="c:\program files\TOSHIBA\PadTouch\PadExe.exe" [2004-02-12 1019904]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-07 149280]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2004-04-29 266240]

"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2004-02-20 88363]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

McAfee Security Scan.lnk - c:\program files\McAfee Security Scan\1.0.150\SSScheduler.exe [2009-7-28 199184]

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

Wireless Utility.lnk - c:\program files\EDIMAX\Common\RaUI.exe [2009-7-20 1601536]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [02/09/2008 19:50 5632]

R2 ANISERVICE;Airgo Networks NIC Service;c:\windows\system32\aniServ.exe [30/09/2004 12:16 143360]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [22/07/2009 22:51 108289]

R2 RalinkRegistryWriter;Ralink Registry Writer;c:\program files\EDIMAX\Common\RalinkRegistryWriter.exe [20/07/2009 10:37 69632]

S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [20/07/2009 10:36 619136]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr

*Deregistered* - PROCEXP113

.

Contents of the 'Scheduled Tasks' folder

2009-10-19 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-09-02 c:\windows\Tasks\Registration reminder 3.job

- c:\windows\System32\OOBE\oobebaln.exe [2004-05-18 00:12]

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = *.local

FF - ProfilePath - c:\documents and settings\Cleo\Application Data\Mozilla\Firefox\Profiles\ghh1kvrd.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.livejournal.com/

FF - component: c:\documents and settings\Cleo\Application Data\Mozilla\Firefox\Profiles\ghh1kvrd.default\extensions\twitternotifier@naan.net\components\nsTwitterFoxSign.dll

FF - plugin: c:\documents and settings\Cleo\Application Data\Mozilla\Firefox\Profiles\ghh1kvrd.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-11-15 01:53

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\}


  • Staff

Hi Cleo,

Just to make sure this is one of your ATI drivers, please do the following:

Please go to VirusTotal, and upload the following file for analysis:

c:\windows\system32\drivers\atiide.sys

Post the results in your reply.

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.

  • Click Start Scanning.
  • You should get a notification bar (on top) to install the ActiveX control.
  • Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished scanning, click the Automatic cleaning (recommended) button
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and Copy/Paste what is present under results in your next reply.

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


Hi Chris,

That site confused me a little but here's a link to the results when I re-ran it just now:

http://www.virustotal.com/analisis/c98adbd...58bf-1258374365

and here's the results as I ATTEMPTED to copy-paste them yesterday:

File atiide.sys received on 2009.11.15 23:54:46 (UTC)

Result: 0/41 (0%)


Antivirus Version Last Update Result

a-squared 4.5.0.41 2009.11.10 -

AhnLab-V3 5.0.0.2 2009.11.06 -

AntiVir 7.9.1.61 2009.11.10 -

Antiy-AVL 2.0.3.7 2009.11.10 -

Authentium 5.2.0.5 2009.11.10 -

Avast 4.8.1351.0 2009.11.10 -

AVG 8.5.0.423 2009.11.10 -

BitDefender 7.2 2009.11.10 -

CAT-QuickHeal 10.00 2009.11.10 -

ClamAV 0.94.1 2009.11.10 -

Comodo 2905 2009.11.10 -

DrWeb 5.0.0.12182 2009.11.10 -

eSafe 7.0.17.0 2009.11.10 -

eTrust-Vet 35.1.7113 2009.11.10 -

F-Prot 4.5.1.85 2009.11.10 -

F-Secure 9.0.15370.0 2009.11.09 -

Fortinet 3.120.0.0 2009.11.10 -

GData 19 2009.11.10 -

Ikarus T3.1.1.74.0 2009.11.10 -

Jiangmin 11.0.800 2009.11.10 -

K7AntiVirus 7.10.892 2009.11.09 -

Kaspersky 7.0.0.125 2009.11.10 -

McAfee 5797 2009.11.09 -

McAfee+Artemis 5797 2009.11.09 -

McAfee-GW-Edition 6.8.5 2009.11.10 -

Microsoft 1.5202 2009.11.10 -

NOD32 4592 2009.11.10 -

Norman 6.03.02 2009.11.09 -

nProtect 2009.1.8.0 2009.11.10 -

Panda 10.0.2.2 2009.11.09 -

PCTools 7.0.3.5 2009.11.10 -

Prevx 3.0 2009.11.16 -

Rising 22.21.01.09 2009.11.10 -

Sophos 4.47.0 2009.11.10 -

Sunbelt 3.2.1858.2 2009.11.10 -

Symantec 1.4.4.12 2009.11.10 -

TheHacker 6.5.0.2.064 2009.11.09 -

TrendMicro 9.0.0.1003 2009.11.10 -

VBA32 3.12.10.11 2009.11.09 -

ViRobot 2009.11.10.2029 2009.11.10 -

VirusBuster 4.6.5.0 2009.11.09 -

Additional information

File size: 5632 bytes

MD5...: 899c9f94ed5ec5eff71aa6e17a084419

SHA1..: d0ee636952be2368e6abbf0392deadedc58bde2b

SHA256: c98adbd906afdbe541bffa05798e04efb0464c4028f8fbeac9c219ef0d0958bf

ssdeep: 96:Nbe9h9T9OxE2Gv9f+73XDWza+XABc3GouPOsqqjbkI30fVI4LRvES9Gj:he9h9T9Hnv9+DH0smifis

PEiD..: -

PEInfo: PE Structure information

( base data )

entrypointaddress.: 0xe58

timedatestamp.....: 0x40609e07 (Tue Mar 23 20:28:55 2004)

machinetype.......: 0x14c (I386)

( 6 sections )

name viradd virsiz rawdsiz ntrpy md5

.text 0x300 0xb84 0xc00 6.31 64a344a5283cb2eb5961a491b6cf1b26

.rdata 0xf00 0xad 0x100 4.09 a7a647fe85110f30e877a767d45b1da6

.data 0x1000 0x2 0x80 0.00 f09f35a5637839458e462e6350ecbce4

INIT 0x1080 0x80 0x80 3.73 bc6d0604d805230d661f7f06079dafac

.rsrc 0x1100 0x468 0x480 3.21 eb54e685b7f8c671a7687c4c2339b402

.reloc 0x1580 0x52 0x80 3.31 46cf3771960da20b71390417cc2cd0f2

( 1 imports )

> PCIIDEX.SYS: PciIdeXSetBusData, PciIdeXInitialize, PciIdeXGetBusData

( 0 exports )

RDS...: NSRL Reference Data Set

-

pdfid.: -

trid..: Generic Win/DOS Executable (49.9%)

DOS Executable Generic (49.8%)

Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)

sigcheck:

publisher....: ATI Technologies Inc.

copyright....: Copyright© ATI Technologies Inc. 2000-2004

product......: ATI IDE BUS Master Controller Driver

description..: ATI IDE BUS Master Controller Driver

original name: Atiide.sys

internal name: Atiide.sys

file version.: 1.00.0000.2 built by: WinDDK

comments.....: n/a

signers......: -

signing date.: -

verified.....: Unsigned

Here is F-Secure's online scanner report:

Scanning Report

Monday, November 16, 2009 00:19:36 - 11:52:16

Computer name: FRED

Scanning type: Scan system for malware, spyware and rootkits

Target: C:\ E:\

13 malware found

TrackingCookie.Questionmarket (spyware)

* System (Disinfected)

TrackingCookie.2o7 (spyware)

* System (Disinfected)

TrackingCookie.Advertising (spyware)

* System (Disinfected)

TrackingCookie.Atdmt (spyware)

* System (Disinfected)

TrackingCookie.Adtech (spyware)

* System (Disinfected)

TrackingCookie.Adform (spyware)

* System (Disinfected)

TrackingCookie.Doubleclick (spyware)

* System (Disinfected)

TrackingCookie.Revsci (spyware)

* System (Disinfected)

TrackingCookie.Adbrite (spyware)

* System (Disinfected)

TrackingCookie.Mediaplex (spyware)

* System (Disinfected)

TrackingCookie.Atwola (spyware)

* System (Disinfected)

TrackingCookie.Yieldmanager (spyware)

* System (Disinfected)

TrackingCookie.Imrworldwide (spyware)

* System (Disinfected)

Statistics

Scanned:

* Files: 176482

* System: 3332

* Not scanned: 100

Actions:

* Disinfected: 13

* Renamed: 0

* Deleted: 0

* Not cleaned: 0

* Submitted: 0

Files not scanned:

* C:\PAGEFILE.SYS

* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

* C:\WINDOWS\SYSTEM32\CONFIG\SAM

* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY

* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE

* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

* C:\WINDOWS\$NTUNINSTALLKB837001$\DAO360.DLL

* C:\WINDOWS\$NTUNINSTALLKB837001$\EXPSRV.DLL

* C:\WINDOWS\$NTUNINSTALLKB837001$\MSEXCL40.DLL

* C:\WINDOWS\$NTUNINSTALLKB837001$\MSEXCH40.DLL

* C:\WINDOWS\$NTUNINSTALLKB837001$\MSJETOL1.DLL

* C:\WINDOWS\$NTUNINSTALLKB837001$\MSJET40.DLL

* C:\WINDOWS\$NTUNINSTALLKB837001$\MSJETOLEDB40.DLL

* C:\WINDOWS\$NTUNINSTALLKB837001$\MSJINT40.DLL

* C:\WINDOWS\$NTUNINSTALLKB837001$\MSJTER40.DLL

* C:\WINDOWS\$NTUNINSTALLKB837001$\MSJTES40.DLL

* C:\WINDOWS\$NTUNINSTALLKB837001$\MSLTUS40.DLL

* C:\WINDOWS\$NTUNINSTALLKB837001$\MSRD2X40.DLL

* C:\WINDOWS\$NTUNINSTALLKB837001$\MSPBDE40.DLL

* C:\WINDOWS\$NTUNINSTALLKB837001$\MSRD3X40.DLL

* C:\WINDOWS\$NTUNINSTALLKB837001$\MSREPL40.DLL

* C:\WINDOWS\$NTUNINSTALLKB837001$\MSWDAT10.DLL

* C:\WINDOWS\$NTUNINSTALLKB837001$\MSTEXT40.DLL

* C:\WINDOWS\$NTUNINSTALLKB837001$\MSWSTR10.DLL

* C:\WINDOWS\$NTUNINSTALLKB837001$\MSXBDE40.DLL

* C:\WINDOWS\$NTUNINSTALLKB837001$\VBAJET32.DLL

* C:\WINDOWS\$NTUNINSTALLKB835732$\GDI32.DLL

* C:\WINDOWS\$NTUNINSTALLKB835732$\CALLCONT.DLL

* C:\WINDOWS\$NTUNINSTALLKB835732$\H323.TSP

* C:\WINDOWS\$NTUNINSTALLKB835732$\HELPCTR.EXE

* C:\WINDOWS\$NTUNINSTALLKB835732$\H323MSP.DLL

* C:\WINDOWS\$NTUNINSTALLKB835732$\IPNATHLP.DLL

* C:\WINDOWS\$NTUNINSTALLKB835732$\LSASRV.DLL

* C:\WINDOWS\$NTUNINSTALLKB835732$\MF3216.DLL

* C:\WINDOWS\$NTUNINSTALLKB835732$\MSASN1.DLL

* C:\WINDOWS\$NTUNINSTALLKB835732$\MST120.DLL

* C:\WINDOWS\$NTUNINSTALLKB835732$\MSGINA.DLL

* C:\WINDOWS\$NTUNINSTALLKB835732$\NMCOM.DLL

* C:\WINDOWS\$NTUNINSTALLKB835732$\NETAPI32.DLL

* C:\WINDOWS\$NTUNINSTALLKB835732$\SCHANNEL.DLL

* C:\WINDOWS\$NTUNINSTALLKB835732$\RTCDLL.DLL

* C:\WINDOWS\$NTUNINSTALLKB830680$\KEYMGR.DLL

* C:\WINDOWS\$NTUNINSTALLKB828741$\CATSRVUT.DLL

* C:\WINDOWS\$NTUNINSTALLKB828741$\CATSRV.DLL

* C:\WINDOWS\$NTUNINSTALLKB828741$\CLBCATEX.DLL

* C:\WINDOWS\$NTUNINSTALLKB828741$\COLBACT.DLL

* C:\WINDOWS\$NTUNINSTALLKB828741$\CLBCATQ.DLL

* C:\WINDOWS\$NTUNINSTALLKB828741$\COMADMIN.DLL

* C:\WINDOWS\$NTUNINSTALLKB828741$\COMREPL.EXE

* C:\WINDOWS\$NTUNINSTALLKB828741$\COMSVCS.DLL

* C:\WINDOWS\$NTUNINSTALLKB828741$\COMUID.DLL

* C:\WINDOWS\$NTUNINSTALLKB828741$\ES.DLL

* C:\WINDOWS\$NTUNINSTALLKB828741$\MIGREGDB.EXE

* C:\WINDOWS\$NTUNINSTALLKB828741$\MSDTCPRX.DLL

* C:\WINDOWS\$NTUNINSTALLKB828741$\MSDTCTM.DLL

* C:\WINDOWS\$NTUNINSTALLKB828741$\MTXCLU.DLL

* C:\WINDOWS\$NTUNINSTALLKB828741$\MSDTCUIU.DLL

* C:\WINDOWS\$NTUNINSTALLKB828741$\MTXOCI.DLL

* C:\WINDOWS\$NTUNINSTALLKB828741$\OLE32.DLL

* C:\WINDOWS\$NTUNINSTALLKB828741$\RPCRT4.DLL

* C:\WINDOWS\$NTUNINSTALLKB828741$\RPCSS.DLL

* C:\WINDOWS\$NTUNINSTALLKB828741$\TXFLOG.DLL

* C:\WINDOWS\$NTUNINSTALLKB828035$\WKSSVC.DLL

* C:\WINDOWS\$NTUNINSTALLKB828035$\MSGSVC.DLL

* C:\WINDOWS\$NTUNINSTALLKB828028$\MSASN1.DLL

* C:\WINDOWS\$NTUNINSTALLKB828012$\NTKRNLPA.EXE

* C:\WINDOWS\$NTUNINSTALLKB828012$\NTKRNLMP.EXE

* C:\WINDOWS\$NTUNINSTALLKB828012$\NTKRPAMP.EXE

* C:\WINDOWS\$NTUNINSTALLKB828012$\NTOSKRNL.EXE

* C:\WINDOWS\$NTUNINSTALLKB826939$\CRYPT32.DLL

* C:\WINDOWS\$NTUNINSTALLKB826939$\ACCWIZ.EXE

* C:\WINDOWS\$NTUNINSTALLKB826939$\CRYPTSVC.DLL

* C:\WINDOWS\$NTUNINSTALLKB826939$\HHCTRL.OCX

* C:\WINDOWS\$NTUNINSTALLKB826939$\HH.EXE

* C:\WINDOWS\$NTUNINSTALLKB826939$\HHSETUP.DLL

* C:\WINDOWS\$NTUNINSTALLKB826939$\ITSS.DLL

* C:\WINDOWS\$NTUNINSTALLKB826939$\HTML32.CNV

* C:\WINDOWS\$NTUNINSTALLKB826939$\MAGNIFY.EXE

* C:\WINDOWS\$NTUNINSTALLKB826939$\LOCATOR.EXE

* C:\WINDOWS\$NTUNINSTALLKB826939$\MIGWIZ.EXE

* C:\WINDOWS\$NTUNINSTALLKB826939$\MSCONV97.DLL

* C:\WINDOWS\$NTUNINSTALLKB826939$\MRXSMB.SYS

* C:\WINDOWS\$NTUNINSTALLKB826939$\NARRATOR.EXE

* C:\WINDOWS\$NTUNINSTALLKB826939$\NEWDEV.DLL

* C:\WINDOWS\$NTUNINSTALLKB826939$\NTDLL.DLL

* C:\WINDOWS\$NTUNINSTALLKB826939$\OLE32.DLL

* C:\WINDOWS\$NTUNINSTALLKB826939$\OSK.EXE

* C:\WINDOWS\$NTUNINSTALLKB826939$\PCHSHELL.DLL

* C:\WINDOWS\$NTUNINSTALLKB826939$\RASPPTP.SYS

* C:\WINDOWS\$NTUNINSTALLKB826939$\RPCRT4.DLL

* C:\WINDOWS\$NTUNINSTALLKB826939$\RPCSS.DLL

* C:\WINDOWS\$NTUNINSTALLKB826939$\SHELL32.DLL

* C:\WINDOWS\$NTUNINSTALLKB826939$\SHMEDIA.DLL

* C:\WINDOWS\$NTUNINSTALLKB826939$\SRRSTR.DLL

* C:\WINDOWS\$NTUNINSTALLKB826939$\SRV.SYS

* C:\WINDOWS\$NTUNINSTALLKB826939$\WINSRV.DLL

* C:\WINDOWS\$NTUNINSTALLKB826939$\ZIPFLDR.DLL

* C:\WINDOWS\$NTUNINSTALLKB824141$\USER32.DLL

* C:\WINDOWS\$NTUNINSTALLKB824141$\WIN32K.SYS

* C:\WINDOWS\$NTUNINSTALLKB822624$\HAL.DLL

Options

Scanning engines:

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR

* Use advanced heuristics

And here is your security check's check up thing:

Results of screen317's Security Check version 0.99.0

Windows XP Service Pack 3

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

Avira AntiVir Personal - Free Antivirus

ESET Online Scanner v3

McAfee Security Scan

Avira updated!

``````````````````````````````

Anti-malware/Other Utilities Check:

HijackThis 2.0.2

Java 6 Update 15

Java 6 Update 3

Java 6 Update 7

Java 2 Runtime Environment, SE v1.4.2_04

Out of date Java installed!

Adobe Flash Player 10

Adobe Reader 6.0.1

Out of date Adobe Reader installed!

``````````````````````````````

Process Check:

objlist.exe by Laurent

Avira Antivir avgnt.exe

Avira Antivir avguard.exe

``````````````````````````````

DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````

As for what issues remain:

It's pretty much all cleared up, thank you! Sort of in dribs and drabs. The second error message on start-up cleared after the first round, I was able to open my windows security centre and firewall after the most recent round except this. It's still slow but it was before so that's nothing new. I think combofix managed to get rid of what was really worrying me, the tr/dropper.gen one because antivir hasn't detected it for ages now.

The only thing still outstanding is on re-start I get a message from outlook express saying it can compact files to save disc space, which fair enough but I don't use outlook express at all so still find that weird.

Thank you again for all your help,

Cleo

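The check screen317 asked for above (confirm the file really is the ATI driver it claims to be) can be reproduced offline against the "Additional information" block VirusTotal returned. The following is an added example, not code from this thread or from VirusTotal: it hashes a PE32 image, reads the timedatestamp, machinetype, entrypoint and per-section entropy that the PEInfo block shows, and compares the hashes with the values posted above, using a constructed two-section sample image in place of atiide.sys.

```python
import hashlib
import math
import struct
from collections import Counter
from datetime import datetime, timezone

# Hashes VirusTotal reported for atiide.sys in this thread (copied from the post above).
REPORTED = {
    "md5": "899c9f94ed5ec5eff71aa6e17a084419",
    "sha1": "d0ee636952be2368e6abbf0392deadedc58bde2b",
    "sha256": "c98adbd906afdbe541bffa05798e04efb0464c4028f8fbeac9c219ef0d0958bf",
}

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: the 'ntrpy' column of the PEInfo section table."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def summarize_pe(image: bytes) -> dict:
    """Hash a PE32 image and read the header fields VirusTotal's PEInfo block shows."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4  # COFF file header follows the 4-byte signature
    machine, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20  # optional header; magic 0x10B marks PE32
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    entry = struct.unpack_from("<I", image, opt + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(nsec):  # 40-byte section headers follow the optional header
        name, virsiz, viradd, rawsiz, rawptr = struct.unpack_from("<8sIIII", image, opt + opt_size + 40 * i)
        raw = image[rawptr:rawptr + rawsiz]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "viradd": viradd,
                         "virsiz": virsiz, "rawdsiz": rawsiz, "ntrpy": round(entropy(raw), 2),
                         "md5": hashlib.md5(raw).hexdigest()})
    return {"md5": hashlib.md5(image).hexdigest(), "sha1": hashlib.sha1(image).hexdigest(),
            "sha256": hashlib.sha256(image).hexdigest(), "entrypoint": entry, "machine": machine,
            "timestamp": stamp, "sections": sections,
            "compiled": datetime.fromtimestamp(stamp, timezone.utc).strftime("%a %b %d %H:%M:%S %Y")}

def hash_mismatches(info: dict, reported: dict = REPORTED) -> list:
    """Hash names that differ from the report; an empty list means it is the same file."""
    return [k for k in ("md5", "sha1", "sha256") if info[k] != reported[k].lower()]

def build_sample_pe() -> bytes:
    """Constructed two-section PE32 image (not atiide.sys) so the example runs offline."""
    dos = bytearray(b"MZ") + bytes(62)
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE signature right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x40609E07, 0, 0, 224, 0x0102)  # I386, 2 sections
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<I", opt, 16, 0xE58)  # AddressOfEntryPoint
    text_raw, data_raw = bytes(range(64)), bytes(16)  # 64 distinct bytes; all zeros
    secs = struct.pack("<8sIIII", b".text", 0xB84, 0x300, len(text_raw), 512) + bytes(16)
    secs += struct.pack("<8sIIII", b".data", 0x2, 0x1000, len(data_raw), 512 + len(text_raw)) + bytes(16)
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs).ljust(512, b"\0") + text_raw + data_raw

SAMPLE_PE = build_sample_pe()
if __name__ == "__main__":
    import sys  # usage: python pe_summary.py <file>; without an argument the constructed sample is used
    print(summarize_pe(open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PE))
```

Run it against the real file and an empty mismatch list means the bytes on disk are the ones VirusTotal scanned; the "verified: Unsigned" line in the report is why the hashes, not a signature, are the identity check here.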

  • Staff

Hi Cleo,

Navigate to Start --> Run, and type Combofix /u in the box that appears. Click OK afterwards. Notice the space between the X and the /u

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following programs (if present):

Java™ 6 Update 15

Java™ 6 Update 3

Java™ 6 Update 7

Java 2 Runtime Environment, SE v1.4.2_04

Adobe Reader 6.0.1

Restart your computer.

Get the latest version of Java and Adobe Reader.

Restart your computer and let me know what issues remain.

Regarding the Outlook issue, take a look at this topic:

http://www.microsoft.com/windows/ie/commun...uption.mspx#top

-screen317


Hi Chris,

Sorry for the delay in response. I typed in 'Combofix /u' as asked and I think it removed itself, it seemed to run again. I've still got the .exe on my desktop, I'm assuming I'm ok to delete that also.

I've deleted checkup and updated Java and Adobe, replacing those old versions you mentioned.

There are no more errors left, except this outlook one.

I've also taken a look at that link you sent me, re outlook. I'm not sure that's my problem because what's confusing me about the outlook error is the fact I don't use outlook on this computer at all? So I'm a little concerned to be receiving error messages from a program I've never used.

This is the exact error, it only pops up on start-up:

"to free up disk space, outlook express can compact messages. This may take up to a few minutes.

OK/Cancel"

Why would this happen if I do not use the program?

Thanks again,

Cleo


  • Staff

Hi Cleo,

My apologies for the delay.

Instead of ComboFix /u, type in ComboFix /uninstall into the box.

Next, download this Registry Search by Bobbi Flekman, save it, and extract regsearch.exe to the Desktop. You will use it in a moment.

Doubleclick regsearch.exe to start it. In the top window, enter MSOE.DLL as the search string on the first line. Make sure all the option boxes are checked, and click "Ok". Notepad will be opened with text in it (the file will be saved to the Desktop as well as RegSearch.txt). Post this text in your next reply.

-screen317


  • 3 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
