Pop Up After Fake Anti Virus



ComboFix 09-11-24.02 - Compaq_Owner 11/24/2009 21:38.7.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.243 [GMT -5:00]

Running from: c:\documents and settings\Compaq_Owner.HOMEPC\Desktop\clean.exe

AV: avast! antivirus 4.8.1356 [VPS 091124-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\AOLDial.dll . . . . failed to delete

Infected copy of c:\windows\system32\Drivers\atapi.sys was found and disinfected

Restored copy from - c:\windows\ERDNT\cache\atapi.sys

.

((((((((((((((((((((((((( Files Created from 2009-10-25 to 2009-11-25 )))))))))))))))))))))))))))))))

.

2009-11-24 23:06 . 2009-11-24 23:29 -------- d-----w- C:\clean26585c

2009-11-24 18:46 . 2009-11-24 18:46 -------- d-----w- c:\program files\Sophos

2009-11-24 14:27 . 2009-11-24 14:27 117760 ----a-w- c:\documents and settings\Compaq_Owner.HOMEPC\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2009-11-24 14:26 . 2009-11-24 14:26 -------- d-----w- c:\documents and settings\Compaq_Owner.HOMEPC\Application Data\SUPERAntiSpyware.com

2009-11-23 19:58 . 2009-11-03 14:08 220520 ----a-w- c:\windows\system32\sigcheck.exe

2009-11-23 19:57 . 2009-11-23 19:57 116918 ----a-w- c:\windows\system32\Sigcheck.exe.zip

2009-11-23 17:52 . 2009-11-23 17:52 -------- d-----w- c:\program files\7-Zip

2009-11-23 13:04 . 2009-11-23 17:53 -------- d-----w- c:\windows\system32\Sigcheck

2009-11-20 16:21 . 2009-11-20 17:17 -------- d-----w- C:\clean

2009-11-18 14:57 . 2009-11-18 14:57 160272 ----a-w- c:\windows\system32\drivers\tmcomm.sys

2009-11-18 14:57 . 2009-11-18 14:57 -------- d-----w- c:\documents and settings\Compaq_Owner.HOMEPC\log

2009-11-18 14:55 . 2009-11-18 14:55 -------- d-sh--w- c:\documents and settings\Compaq_Owner.HOMEPC\PrivacIE

2009-11-16 14:03 . 2009-11-16 14:03 -------- d-----w- c:\documents and settings\Administrator.HOMEPC\Application Data\Malwarebytes

2009-11-16 13:57 . 2009-11-16 13:57 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2009-11-16 13:53 . 2009-11-16 16:18 -------- d-----w- c:\documents and settings\Compaq_Owner.HOMEPC\Local Settings\Application Data\qytpue

2009-11-10 20:25 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-11-10 20:25 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-11-10 20:25 . 2009-11-10 20:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-11-10 17:35 . 2009-11-10 17:35 -------- d-----w- c:\program files\Common Files\McAfee

2009-11-10 17:35 . 2009-11-10 23:06 -------- d-----w- c:\program files\McAfee

2009-11-10 16:11 . 2009-09-15 11:54 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2009-11-10 16:11 . 2009-09-15 11:54 52368 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2009-11-10 16:11 . 2009-09-15 11:53 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2009-11-10 16:11 . 2009-09-15 11:56 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys

2009-11-10 16:11 . 2009-09-15 11:56 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2009-11-10 16:11 . 2009-09-15 11:55 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys

2009-11-10 16:11 . 2009-09-15 11:55 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2009-11-10 16:11 . 2009-09-15 11:53 97480 ----a-w- c:\windows\system32\AvastSS.scr

2009-11-10 16:11 . 2009-09-15 11:59 1279968 ----a-w- c:\windows\system32\aswBoot.exe

2009-11-06 09:36 . 2009-11-06 09:36 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2009-11-06 01:12 . 2009-11-06 01:12 -------- d-sh--w- c:\documents and settings\Compaq_Owner.HOMEPC\IETldCache

2009-11-06 01:04 . 2009-11-06 01:04 -------- d-----w- c:\program files\LSI SoftModem

2009-11-06 01:04 . 2009-10-02 04:44 92160 -c----w- c:\windows\system32\dllcache\iecompat.dll

2009-11-06 01:03 . 2009-11-06 13:49 -------- d-----w- c:\windows\ie8updates

2009-11-06 01:01 . 2009-08-29 08:08 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2009-11-06 01:01 . 2009-08-29 08:08 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll

2009-11-06 01:01 . 2009-08-29 08:08 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll

2009-11-06 01:01 . 2009-08-29 08:08 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll

2009-11-06 01:01 . 2009-08-29 08:08 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll

2009-11-06 01:01 . 2009-08-29 08:08 11069440 -c----w- c:\windows\system32\dllcache\ieframe.dll

2009-11-06 00:59 . 2009-11-06 01:01 -------- dc-h--w- c:\windows\ie8

2009-11-06 00:44 . 2009-11-06 00:44 -------- d-----w- c:\windows\system32\XPSViewer

2009-11-06 00:43 . 2009-11-06 00:43 -------- d-----w- c:\program files\Reference Assemblies

2009-11-06 00:43 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll

2009-11-06 00:43 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll

2009-11-06 00:43 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll

2009-11-06 00:43 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll

2009-11-06 00:43 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2009-11-06 00:43 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll

2009-11-06 00:43 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll

2009-11-06 00:43 . 2009-11-06 00:43 -------- d-----w- C:\b8c5031fb3359c0f2b

2009-11-06 00:23 . 2009-11-06 00:21 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-11-06 00:21 . 2009-11-06 00:21 152576 ----a-w- c:\documents and settings\Compaq_Owner.HOMEPC\Application Data\Sun\Java\jre1.6.0_17\lzma.dll

2009-11-05 22:54 . 2005-06-06 15:29 110592 ----a-w- c:\documents and settings\Compaq_Owner.HOMEPC\Application Data\U3\temp\cleanup.exe

2009-11-05 22:42 . 2009-11-05 22:54 -------- d-----w- c:\documents and settings\Compaq_Owner.HOMEPC\Application Data\U3

2009-11-02 20:18 . 2009-11-02 20:18 -------- d-----w- c:\documents and settings\Compaq_Owner.HOMEPC\Local Settings\Application Data\Fisher-Price

2009-11-02 00:00 . 2009-11-02 00:00 -------- d-----w- c:\documents and settings\Compaq_Owner.HOMEPC\Application Data\InstallShield

2009-11-01 23:56 . 2009-11-01 23:56 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan

2009-10-29 20:30 . 2009-10-29 20:34 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}

2009-10-29 20:19 . 2009-10-29 20:19 -------- d-----w- c:\documents and settings\Compaq_Owner.HOMEPC\Local Settings\Application Data\Apple

2009-10-29 20:17 . 2009-11-06 20:05 -------- dc----w- c:\windows\system32\DRVSTORE

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-11-24 19:54 . 2007-10-17 20:14 -------- d-----w- c:\program files\HOTALBUMMyBOX

2009-11-24 19:21 . 2009-09-04 22:58 158 ----a-w- c:\documents and settings\Compaq_Owner.HOMEPC\Application Data\wklnhst.dat

2009-11-24 14:26 . 2009-04-11 20:08 -------- d-----w- c:\program files\SUPERAntiSpyware

2009-11-24 14:19 . 2009-04-11 18:11 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-11-10 17:35 . 2009-09-02 12:57 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2009-11-07 01:46 . 2009-08-25 22:55 34008 ----a-w- c:\documents and settings\Compaq_Owner.HOMEPC\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-11-06 20:06 . 2004-10-20 14:46 -------- d-----w- c:\program files\iTunes

2009-11-06 20:05 . 2004-10-20 14:46 -------- d-----w- c:\program files\iPod

2009-11-06 00:44 . 2009-04-11 21:54 -------- d-----w- c:\program files\MSBuild

2009-11-06 00:21 . 2004-10-20 13:39 -------- d-----w- c:\program files\Java

2009-11-02 00:00 . 2009-07-16 20:36 -------- d-----w- c:\program files\Fisher-Price

2009-10-30 00:29 . 2007-06-29 17:47 -------- d-----w- c:\program files\Common Files\Apple

2009-10-30 00:17 . 2009-08-25 22:17 -------- d-----w- c:\documents and settings\Compaq_Owner.HOMEPC\Application Data\Apple Computer

2009-10-29 20:26 . 2008-04-04 19:47 -------- d-----w- c:\program files\Bonjour

2009-10-29 20:26 . 2004-10-20 14:46 -------- d-----w- c:\program files\QuickTime

2009-10-29 20:18 . 2007-05-19 18:41 -------- d-----w- c:\program files\Apple Software Update

2009-10-08 19:57 . 2008-07-30 00:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll

2009-10-08 19:57 . 2004-12-02 17:19 220160 ----a-w- c:\windows\system32\oleacc.dll

2009-10-08 19:56 . 2004-12-02 17:19 20480 ----a-w- c:\windows\system32\oleaccrc.dll

2009-09-16 14:22 . 2009-09-02 13:59 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys

2009-09-16 14:22 . 2009-09-02 13:59 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2009-09-16 14:22 . 2009-09-02 13:59 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2009-09-16 14:22 . 2009-07-08 17:44 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys

2009-09-16 14:22 . 2009-09-02 13:57 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys

2009-09-11 14:18 . 2004-12-02 17:18 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-09-04 21:03 . 2004-12-02 17:18 58880 ----a-w- c:\windows\system32\msasn1.dll

2009-09-01 17:36 . 2004-10-20 13:12 82435 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat

2009-09-01 17:34 . 2009-09-01 17:34 69632 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\msxmlwrapper.dll

2009-08-29 08:08 . 2004-12-02 17:20 916480 ------w- c:\windows\system32\wininet.dll

2009-08-27 12:07 . 2009-08-27 12:07 15172 ----a-w- c:\windows\system32\drivers\PzWDM.sys

2008-03-08 20:47 . 2008-03-08 20:47 0 ----a-w- c:\program files\temp01

2005-05-19 18:51 . 2005-05-19 18:51 774144 ----a-w- c:\program files\RngInterstitial.dll

.

((((((((((((((((((((((((((((( SnapShot@2009-11-20_17.05.03 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-11-24 15:51 . 2009-11-24 15:51 16384 c:\windows\Temp\Perflib_Perfdata_640.dat

+ 2009-11-25 03:16 . 2009-11-25 03:16 16384 c:\windows\Temp\Perflib_Perfdata_60c.dat

- 2004-10-20 13:15 . 2009-11-20 16:59 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2004-10-20 13:15 . 2009-11-21 13:10 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2004-10-20 13:15 . 2009-11-21 13:10 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2004-10-20 13:15 . 2009-11-20 16:59 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2009-04-11 20:09 . 2009-11-24 14:26 65024 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe

- 2009-04-11 20:09 . 2009-04-11 20:09 65024 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe

- 2009-04-11 20:09 . 2009-04-11 20:09 18944 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe

+ 2009-04-11 20:09 . 2009-11-24 14:26 18944 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe

+ 2009-11-24 14:26 . 2009-11-24 14:26 5120 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF16.exe

+ 2009-11-03 14:08 . 2009-11-03 14:08 220520 c:\windows\system32\Sigcheck\sigcheck.exe

+ 2009-11-06 09:36 . 2009-11-21 13:10 245760 c:\windows\system32\config\systemprofile\IETldCache\index.dat

- 2009-11-06 09:36 . 2009-11-20 16:59 245760 c:\windows\system32\config\systemprofile\IETldCache\index.dat

+ 2009-11-24 14:26 . 2009-11-24 14:26 1583616 c:\windows\Installer\494e2b.msi

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-11-23 2001648]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"eligmini"="c:\program files\Fisher-Price\Easy-Link internet launch pad\Easy-Link internet launch pad.exe 0" [X]

"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]

"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440]

"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-10-20 180269]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-15 233472]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-21 155648]

"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-15 253952]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-13 69632]

"Reminder"="c:\windows\Creator\Remind_XP.exe" [2003-12-18 118784]

"PS2"="c:\windows\system32\ps2.exe" [2003-09-13 98304]

"MBBalloon"="c:\program files\HOTALBUMMyBOX\MBBalloon.exe" [2006-12-15 787096]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]

"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-09-15 81000]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-04-18 196608]

"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2005-03-08 53248]

"SiSPower"="SiSPower.dll" - c:\windows\system32\SiSPower.dll [2004-09-24 49152]

"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-06-30 88363]

c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\

Compaq Organize.lnk - c:\program files\Hewlett-Packard\Compaq Organize\bin\displayAgent.exe [2004-10-21 36864]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-2-27 809488]

MediaChecker.lnk - c:\program files\HOTALBUMMyBOX\MediaChecker.exe [2006-12-15 913560]

ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2008-2-5 54512]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R0 PzWDM;PzWDM;c:\windows\system32\drivers\PzWDM.sys [8/27/2009 7:07 AM 15172]

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [11/10/2009 11:11 AM 114768]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/23/2009 8:43 AM 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/23/2009 8:43 AM 74480]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/10/2009 11:11 AM 20560]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [11/10/2009 12:35 PM 92296]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/15/2009 3:17 PM 7408]

S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\159.tmp --> c:\windows\system32\159.tmp [?]

.

Contents of the 'Scheduled Tasks' folder

2009-11-23 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 22:50]

2009-11-14 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=desktop

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop

uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Compaq_Owner.HOMEPC\Application Data\Mozilla\Firefox\Profiles\a2xiqs09.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com

FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPcol305.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug2.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-11-24 22:19

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]

"ImagePath"="\??\c:\windows\system32\159.tmp"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(660)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(232)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Alwil Software\Avast4\aswUpdSv.exe

c:\program files\Alwil Software\Avast4\ashServ.exe

c:\program files\LSI SoftModem\agrsmsvc.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\windows\system32\wdfmgr.exe

c:\program files\Alwil Software\Avast4\ashMaiSv.exe

c:\program files\Alwil Software\Avast4\ashWebSv.exe

c:\program files\Fisher-Price\Easy-Link internet launch pad\Easy-Link internet launch pad.exe

.

**************************************************************************

.

Completion time: 2009-11-24 22:30 - machine was rebooted

ComboFix-quarantined-files.txt 2009-11-25 03:30

ComboFix2.txt 2009-11-25 00:11

ComboFix3.txt 2009-11-20 17:17

Pre-Run: 135,827,824,640 bytes free

Post-Run: 135,786,672,128 bytes free

- - End Of File - - B17429FBE5F9C8DD5C1426A690F84090


It looks like the infection is gone now.

Let's confirm that by performing an antirootkit quick scan as well.

Disable the active protection component of your antivirus by following the directions that apply here:

http://www.bleepingcomputer.com/forums/topic114351.html

Next, please perform a rootkit scan:

  • Double-click the randomly named EXE located in the C:\ARK folder that you just downloaded to run the program.
  • When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
  • When this "quick" scan is finished (a few seconds), copy the quick scan report to the Windows clipboard, save it as ARKQ.txt and paste it in a reply back here.


Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

Completed script processing.

*******************

Finished! Terminate.


Sorry about that last post. Here is the GMER. And it just did the quick scan and didn't alert me to do a full scan.

GMER 1.0.15.15252 - http://www.gmer.net

Rootkit quick scan 2009-11-25 09:28:18

Windows 5.1.2600 Service Pack 3

Running: ark.exe; Driver: C:\DOCUME~1\COMPAQ~1.HOM\LOCALS~1\Temp\kxldipow.sys

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- EOF - GMER 1.0.15 ----


Malwarebytes' Anti-Malware 1.41

Database version: 3234

Windows 5.1.2600 Service Pack 3

11/25/2009 6:24:59 PM

mbam-log-2009-11-25 (18-24-59).txt

Scan type: Full Scan (C:\|D:\|G:\|H:\|I:\|J:\|)

Objects scanned: 326325

Time elapsed: 1 hour(s), 46 minute(s), 26 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\System Volume Information\_restore{55AD45FB-8993-4F27-867B-0B74F04FFF84}\RP96\A0034607.exe (Trojan.Banker) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{55AD45FB-8993-4F27-867B-0B74F04FFF84}\RP96\A0034795.exe (Trojan.Banker) -> Quarantined and deleted successfully.


The Combofix log and the ARK scan report confirm your infection is gone.

Upload the following file to the Virus Total Scanner by browsing to its folder. Virus Total Scanner will employ several scanners to test the file for its threat potential. Please post the URL to the scan report in your next reply:

c:\windows\system32\AOLDial.dll


Thank you! I hope you had a very nice Thanksgiving!

Just try to right-click and rename that 0-byte file:

c:\windows\system32\AOLDial.dll

Your computer appears to be clean now. :(

We have a few steps to finish up.

You should update your version of the Sun Java Platform (JRE) to the newest version, which is Java Runtime Environment (JRE) 6 Update 17, if you have not done that already.

You can check your currently installed JRE version here.

If you find you need to update to the Java Runtime Environment (JRE) 6 Update 17, then follow these steps:

1. Download the latest JRE version from Sun Microsystems' website: http://java.sun.com/javase/downloads/index.jsp

2. Select the option that says "JRE 6 Update 17 - This special release provides a few key fixes" and click the Download button.

3. Select your platform (Windows) in the pull-down menu.

4. Check the box that says: "I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement."

5. Click Continue.

6. Under the Windows Platform - Java SE Runtime Environment 6 Update 17 section, click on the link to download the Windows Offline Installation and save the installer to your desktop.

7. Close any programs you may have running - especially your web browser.

8. Next, remove all older versions of the Sun Java Platform using the Control Panel's Add/Remove Program feature (as they may contain security vulnerabilities).

9. Reboot your system.

10. Then, from your desktop, double-click on jre-6u17-windows-i586-p.exe to install the newest version of the Sun Java Platform.

11. If the Yahoo Toolbar is pre-checked for installation, be sure to UNCHECK it if you do not care to have it or already have it installed - it is not part of the JRE install and totally unnecessary.

12. You may verify that the current version installed properly by clicking here: http://java.com/en/download/installed.jsp

If I asked you to download and run an ARK (Antirootkit program), then please uninstall it by doing the following:

  • Delete the contents of the folder C:\ARK
  • Delete the C:\ARK folder

Click Start -> Run, copy/paste the following text into the Open: box and select OK:

"%userprofile%\desktop\Clean.exe" /uninstall

This will do the following:

  • Uninstall Combofix and all its associated files and folders.
  • Flush your system restore points and create a new restore point.
  • Rehide your system files and folders
  • Reset your system clock

---

Here are some additional measures you should take to keep your system in good working order and ensure your continued security.

1. Scan your system for outdated versions of commonly used software applications that may also cause your PC to be vulnerable, using the Secunia Online Software Inspector (OSI). This is very important because recent statistics confirm that an overwhelming majority of infections are acquired through application flaws, not operating system flaws. Commonly used programs like QuickTime, Java, Adobe Acrobat Reader, iTunes, and many others are commonly targeted today. You can make your computer much more secure if you update to the most current versions of these programs and any others that Secunia alerts you to.

Just click the "Start Scanner" button to get a listing of all outdated and possibly insecure resident programs.

Note: If your firewall prompts you about access, allow it.

2. Keep MBAM as an on-demand scanner because I highly recommend it, and the quick scan will find almost all active malware in minutes.

3. You can reduce your startups by downloading Malwarebytes' StartUp Lite and saving it to a convenient location. Just double-click StartUpLite.exe. Then check the options you would like based on the descriptions provided, and select Continue. This will free up system resources because nonessential background programs will no longer be running when you start up your computer.

4. Download and install SpywareBlaster:

http://www.javacoolsoftware.com/spywareblaster.html

Update it and then enable protection for all unprotected items.

You will have to update the free version manually about once a month by clicking the Updates button. You can refer to the Calendar of Updates Website to see when SpywareBlaster and other programs that do not autoupdate have new definitions or program updates available.

You should visit the Windows Update website and obtain the most current operating system updates/patches and Internet Explorer released versions.

The easiest and fastest way to obtain Windows Updates is by clicking Control Panel -> Windows Update.

However, setting your computer to download and install updates automatically will relieve you of the responsibility of doing this on a continual basis. It is important to periodically check that Windows Update is functioning properly, because many threats disable it as part of their strategy to compromise your system. Windows Updates are released on the second Tuesday of every month.

Finally, please follow the suggestions offered by Tony Klein in "How did I get infected in the first place?" so you can maintain a safe and secure computing environment.

Happy Surfing!


Open HijackThis, click "Open the Misc Tools section", then click the "Open Uninstall Manager..." button.

The Add/Remove Programs Manager panel should appear.

In this panel click the Save list button.

Save the uninstall_list.txt file to your desktop and copy and paste the contents back in your next reply.

Re: AOL IM, sometimes programs come preinstalled on your computer from the vendor, and those can be the hardest types of programs to remove. You can see if you have a program folder in C:\Program Files for those programs that Secunia says you still have but you removed. Sometimes a program remnant remains in Application Data, or a browser extension or plugin from an older version may still exist.


7-Zip 4.65

Adobe Flash Player 10 ActiveX

Adobe Flash Player 10 Plugin

Adobe Reader 8.1.1

Agere Systems PCI Soft Modem

Apple Application Support

Apple Mobile Device Support

Apple Software Update

avast! Antivirus

Bonjour

Canon Camera Support Core Library

Canon Camera Window DS for ZoomBrowser EX

Canon Camera Window DVC for ZoomBrowser EX

Canon Camera Window for ZoomBrowser EX

Canon MovieEdit Task for ZoomBrowser EX

Canon PhotoRecord

Canon RAW Image Task for ZoomBrowser EX

Canon RemoteCapture Task for ZoomBrowser EX

Canon Utilities PhotoStitch 3.1

Canon ZoomBrowser EX

Compaq Organize

Easy-Link internet launch pad

Help and Support Additions

High Definition Audio Driver Package - KB835221

HijackThis 2.0.2

HOT ALBUM MYBOX

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB961118)

Hotfix for Windows XP (KB970653-v3)

Hotfix for Windows XP (KB976098-v2)

InterVideo DiscLabel

Java 2 Runtime Environment, SE v1.4.2_03

Java 6 Update 17

LiveReg (Symantec Corporation)

Malwarebytes' Anti-Malware

McAfee SiteAdvisor

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Security Update (KB953297)

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft .NET Framework 3.5 SP1

Microsoft Office Standard Edition 2003

Microsoft Plus! Digital Media Edition Installer

Microsoft Plus! Photo Story 2 LE

Microsoft Works

Mozilla Firefox (3.5.5)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

Norton Personal Firewall

PC-Doctor for Windows

Python 2.2 combined Win32 extensions

Python 2.2.1

QuickTime

RealPlayer

S3 S3Display

S3 S3Gamma2

S3 S3Info2

S3 S3Overlay

Security Update for Step By Step Interactive Training (KB923723)

Security Update for Windows Internet Explorer 8 (KB971961)

Security Update for Windows Internet Explorer 8 (KB974455)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB968816)

Security Update for Windows Media Player (KB973540)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB938464-v2)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961371-v2)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB968537)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB969947)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB971486)

Security Update for Windows XP (KB971557)

Security Update for Windows XP (KB971633)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB971961)

Security Update for Windows XP (KB972260)

Security Update for Windows XP (KB973346)

Security Update for Windows XP (KB973354)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973525)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974455)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Sonic RecordNow!

Sonic Update Manager

SpywareBlaster 4.2

SUPERAntiSpyware Free Edition

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Microsoft Windows (KB971513)

Update for Windows Internet Explorer 8 (KB975364)

Update for Windows Internet Explorer 8 (KB976749)

Update for Windows XP (KB951978)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

Update for Windows XP (KB976749)

VIA Rhine-Family Fast-Ethernet Adapter

VIA/S3G Display Driver

Windows Internet Explorer 8

Windows Media Format Runtime

Windows Media Player 10

Windows XP Service Pack 3


Both of these are up to date, so I don't know why they keep coming up. I deleted the AIM though.

This installation of Adobe Reader 8.x is insecure and potentially exposes your system to security threats!

The detected version installed on your system is 8.1.0.137, however, the latest patched version released by the vendor, fixing one or more vulnerabilities, is 8.1.7.

Update Instructions:

Download

Installed on Your System in:

C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe

Sun Java JRE 1.5.x / 5.x (5.0.30.7)

This installation of Sun Java JRE 1.5.x / 5.x is insecure and potentially exposes your system to security threats!

The detected version installed on your system is 5.0.30.7, however, the latest patched version released by the vendor, fixing one or more vulnerabilities, is 5.0.220.2.

Update Instructions:

Download


Uninstall this older Java version, listed in the HJT uninstall list, from Add/Remove Programs:

Java 2 Runtime Environment, SE v1.4.2_03

You need to go here and update to Adobe Reader 8.1.3 for XP SP3 using the second 0.8 MB option:

http://get.adobe.com/reader/otherversions/

Uncheck the Free McAfee Security scan option.

See what Adobe program versions are present in this folder:

C:\Program Files\Adobe

Remove everything but the current version of Adobe Reader from Add/Remove Programs in the Control Panel, and from the C:\Program Files\Adobe folder. Your HJT uninstall list says you have Adobe Reader 8.1.1 installed, so you need to remove that version.

Go into Firefox -> Tools -> Add-ons -> Plugins and disable all outdated browser plugins (as determined by the displayed version numbers).

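The version audit the two posts above do by hand (the pasted report comparing Adobe Reader 8.1.0.137 against 8.1.7 and Sun JRE 5.0.30.7 against 5.0.220.2, and the reply telling the user to remove Java 1.4.2_03 outright), as an added Python example that is not part of the thread and not code from any tool named in it. It generalises to any installed-programs list: versions are compared field by field as integers rather than as strings, a product branch with no patched baseline at all is reported as "remove", and on Windows the list can be read straight from the Uninstall registry key that Add/Remove Programs is built from. The sample list is constructed from entries visible in the thread; the two baseline figures are the ones the report quotes, the Java 6 baseline and the `read_windows_uninstall_list` helper are assumptions for the example.

```python
"""Audit an installed-programs list for out-of-date or leftover software.

Added example, not code from the thread or from any tool named in it.
SAMPLE_INSTALLED is constructed from entries visible in the thread; the
Adobe Reader 8 and Sun JRE 5 baselines are the figures the pasted report
quotes, the Java 6 baseline is an assumption.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Optional[Version]:
    """Version from a display name or version string as an int tuple.

    Handles '8.1.0.137', 'v1.4.2_03' (underscore = update number) and the
    'Java 6 Update 17' naming, which is Sun's 1.6.0_17.  None if not found.
    """
    m = re.search(r"\bJava (\d+) Update (\d+)\b", text)
    if m:
        return (1, int(m.group(1)), 0, int(m.group(2)))
    m = re.search(r"(\d+(?:[._]\d+)+)", text)
    if not m:
        return None
    return tuple(int(p) for p in re.split(r"[._]", m.group(1)))


def compare_versions(a: str, b: str) -> int:
    """-1 if a < b, 0 if equal, 1 if a > b, comparing fields as integers.

    Text comparison gets this wrong ('8.1.7' > '8.1.10' as strings), a
    classic way for an audit to report an old build as current.  Missing
    trailing fields count as 0, so 8.1.7 == 8.1.7.0.
    """
    va, vb = parse_version(a), parse_version(b)
    if va is None or vb is None:
        raise ValueError(f"no version found in {a!r} / {b!r}")
    n = max(len(va), len(vb))
    va += (0,) * (n - len(va))
    vb += (0,) * (n - len(vb))
    return (va > vb) - (va < vb)


def family_of(name: str, version: Version) -> Optional[str]:
    """Map a display name onto a BASELINES key such as 'java 5'."""
    low = name.lower()
    if "adobe reader" in low:
        return f"adobe reader {version[0]}"
    if "java" in low:
        # Sun numbers releases 1.x.y_z but markets them as 'Java x'.
        major = version[1] if version[0] == 1 and len(version) > 1 else version[0]
        return f"java {major}"
    return None


# Family -> latest patched version.  First two are the report's figures;
# 'java 6' is ASSUMED for illustration.  Refresh from vendor advisories.
BASELINES: Dict[str, str] = {
    "adobe reader 8": "8.1.7",
    "java 5": "5.0.220.2",
    "java 6": "1.6.0.17",
}

# Constructed sample (display name, version string); an empty version string
# means the version has to be pulled out of the display name itself.
SAMPLE_INSTALLED: List[Tuple[str, str]] = [
    ("Adobe Reader 8", "8.1.0.137"),
    ("Java 2 Runtime Environment, SE v1.4.2_03", ""),
    ("Sun Java JRE 1.5.x / 5.x", "5.0.30.7"),
    ("Java 6 Update 17", ""),
    ("Mozilla Firefox (3.5.5)", ""),
]


def audit(installed: List[Tuple[str, str]],
          baselines: Dict[str, str] = BASELINES) -> List[Tuple[str, str]]:
    """(display name, finding) for each entry that needs action.

    'outdated: X < Y' when below the patched version; 'unsupported branch:
    remove' for a family with no baseline (the Java 1.4.2 case: an old JRE
    left beside a newer one is still loadable by the browser plugin).
    Products with no family are skipped rather than guessed at.
    """
    findings = []
    for name, ver in installed:
        version = parse_version(ver or name)
        if version is None:
            continue
        fam = family_of(name, version)
        if fam is None:
            continue
        if fam not in baselines:
            findings.append((name, "unsupported branch: remove"))
            continue
        shown = ver or ".".join(map(str, version))
        if compare_versions(shown, baselines[fam]) < 0:
            findings.append((name, f"outdated: {shown} < {baselines[fam]}"))
    return findings


def read_windows_uninstall_list() -> List[Tuple[str, str]]:
    """Live input on Windows from the key Add/Remove Programs is built from
    (assumed helper); returns [] where winreg is unavailable."""
    try:
        import winreg
    except ImportError:
        return []
    path = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
    out = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            with winreg.OpenKey(root, winreg.EnumKey(root, i)) as sub:
                try:
                    name = winreg.QueryValueEx(sub, "DisplayName")[0]
                except OSError:
                    continue  # entries without DisplayName are not shown
                try:
                    ver = winreg.QueryValueEx(sub, "DisplayVersion")[0]
                except OSError:
                    ver = ""
                out.append((name, ver))
    return out


if __name__ == "__main__":
    for name, finding in audit(read_windows_uninstall_list() or SAMPLE_INSTALLED):
        print(f"{name}: {finding}")
```

On the sample list this reports Adobe Reader 8 and the JRE 5 build as outdated and Java 1.4.2_03 as a branch to remove, while Java 6 Update 17 (equal to its assumed baseline) and Firefox (no tracked family) produce nothing. The point of the family mapping is that a newer Java on the same machine does not make the older one safe, which is why the reply above says to uninstall 1.4.2 rather than just keep the newer install.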
