Trojan.BHO.H


Need some help. Here is the info you asked for, except for the GMER log; my computer reboots before it is done.

DDS (Ver_10-03-17.01) - NTFSx86

Run by Brent at 6:11:14.85 on Thu 03/18/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1527.991 [GMT -6:00]

AV: AntiMalware *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\Symantec\pcAnywhere\awhost32.exe

C:\Program Files\Executive Software\Diskeeper\DkService.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Microsoft SQL Server\MSSQL$PROCLAIM\Binn\sqlservr.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\MAKTray.exe

C:\Program Files\PDF Complete\pdfsty.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\QuickTime\qttask.exe

C:\PROGRA~1\AVG\AVG9\avgtray.exe

C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

C:\Program Files\PDF Complete\pdfsaver.exe

C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\ScanSoft\PaperPort\PPScheduler.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

C:\WINDOWS\MAKHKEY.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Brent\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uSearch Page = hxxp://www.google.com

uDefault_Page_URL = hxxp://www.msn.com

uInternet Settings,ProxyServer = server:8080

uInternet Settings,ProxyOverride = <local>

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

BHO: {06a15d79-082b-471c-a13d-da92203ae071} - c:\windows\system32\appmg.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll

TB: &Ingenix Tools: {51819320-5b57-49fe-beb5-b498cbba1097} - c:\program files\ingenix\toolbar\IngenixBand.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_0_0

uRun: [PPScheduler] c:\program files\scansoft\paperport\PPScheduler.exe

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe

mRun: [MAKTray] MAKTray.exe

mRun: [PDF Complete] "c:\program files\pdf complete\pdfsty.exe"

mRun: [setRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe

mRun: [sSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot

mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"

mRun: [indexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\firewa~1.lnk - c:\program files\microsoft firewall client\ISATRAY.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe

mPolicies-system: EnableLUA = 0 (0x0)

dPolicies-system: DisableTaskMgr = 1 (0x1)

dPolicies-system: DisableRegistryTools = 1 (0x1)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0\bin\npjpi150.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1266959724677

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1266959844867

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-150-windows-i586.cab

DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll

Notify: igfxcui - igfxdev.dll

Notify: PCANotify - PCANotify.dll

AppInit_DLLs: ,

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\brent\applic~1\mozilla\firefox\profiles\qy44kxaq.default\

FF - prefs.js: network.proxy.ftp - SERVER

FF - prefs.js: network.proxy.ftp_port - 8080

FF - prefs.js: network.proxy.gopher - SERVER

FF - prefs.js: network.proxy.gopher_port - 8080

FF - prefs.js: network.proxy.http - SERVER

FF - prefs.js: network.proxy.http_port - 8080

FF - prefs.js: network.proxy.socks - SERVER

FF - prefs.js: network.proxy.socks_port - 8080

FF - prefs.js: network.proxy.ssl - SERVER

FF - prefs.js: network.proxy.ssl_port - 8080

FF - prefs.js: network.proxy.type - 1

FF - plugin: c:\documents and settings\brent\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll

FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll

FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava11.dll

FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava12.dll

FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava13.dll

FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava14.dll

FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava32.dll

FF - plugin: c:\program files\java\jre1.5.0\bin\NPJPI150.dll

FF - plugin: c:\program files\java\jre1.5.0\bin\NPOJI610.dll

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 mchvpiqy;mchvpiqy;c:\windows\system32\drivers\mchvpiqy.sys [2004-8-4 23424]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-2-23 216200]

R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-2-23 29512]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-2-23 242696]

R1 AW_HOST;AW_HOST;c:\windows\system32\drivers\AW_HOST5.sys [2002-2-11 33496]

R1 awlegacy;awlegacy;c:\windows\system32\drivers\AWLEGACY.SYS [2000-9-11 10816]

R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-18 308064]

R2 awhost32;pcAnywhere Host Service;c:\program files\symantec\pcanywhere\AWHOST32.EXE [2002-2-15 114749]

R2 MSSQL$PROCLAIM;MSSQL$PROCLAIM;c:\program files\microsoft sql server\mssql$proclaim\binn\sqlservr.exe -sproclaim --> c:\program files\microsoft sql server\mssql$proclaim\binn\sqlservr.exe -sPROCLAIM [?]

S3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\jimtml.sys --> c:\windows\system32\drivers\jimtml.sys [?]

S3 SQLAgent$PROCLAIM;SQLAgent$PROCLAIM;c:\program files\microsoft sql server\mssql$proclaim\binn\sqlagent.exe -i proclaim --> c:\program files\microsoft sql server\mssql$proclaim\binn\sqlagent.EXE -i PROCLAIM [?]

=============== Created Last 30 ================

==================== Find3M ====================

2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\dllcache\srv.sys

2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll

2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\dllcache\wininet.dll

2009-12-21 19:14:05 1208832 ----a-w- c:\windows\system32\dllcache\urlmon.dll

2009-12-21 19:14:04 5942784 ----a-w- c:\windows\system32\dllcache\mshtml.dll

2009-12-21 19:14:04 206848 ----a-w- c:\windows\system32\dllcache\occache.dll

2009-12-21 19:14:03 25600 ----a-w- c:\windows\system32\dllcache\jsproxy.dll

2009-12-21 19:14:03 184320 ----a-w- c:\windows\system32\dllcache\iepeers.dll

2009-12-21 19:14:01 387584 ----a-w- c:\windows\system32\dllcache\iedkcs32.dll

2009-12-21 13:19:18 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe

============= FINISH: 6:12:08.48 ===============

mbam_log_2010_03_18__05_27_03_.txt

Attach.zip


  • Staff

Hi and welcome to Malwarebytes.

Please go to VirusTotal, and upload the following file for analysis:

c:\windows\system32\drivers\mchvpiqy.sys

Post the results in your reply.

Next, update MBAM, run a Quick Scan, and post its log (don't attach it).

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

-screen317

File mchvpiqy.sys received on 2010.03.20 15:20:47 (UTC)

Result: 3/42 (7.15%)

Antivirus          Version          Last Update  Result
a-squared          4.5.0.50         2010.03.20   -
AhnLab-V3          5.0.0.2          2010.03.20   -
AntiVir            8.2.1.196        2010.03.19   TR/Patched.Gen
Antiy-AVL          2.0.3.7          2010.03.19   -
Authentium         5.2.0.5          2010.03.19   -
Avast              4.8.1351.0       2010.03.20   -
Avast5             5.0.332.0        2010.03.20   -
AVG                9.0.0.787        2010.03.20   -
BitDefender        7.2              2010.03.20   -
CAT-QuickHeal      10.00            2010.03.19   -
ClamAV             0.96.0.0-git     2010.03.20   -
Comodo             4330             2010.03.20   -
DrWeb              5.0.1.12222      2010.03.20   -
eSafe              7.0.17.0         2010.03.18   -
eTrust-Vet         35.2.7376        2010.03.19   -
F-Prot             4.5.1.85         2010.03.19   -
F-Secure           9.0.15370.0      2010.03.20   -
Fortinet           4.0.14.0         2010.03.20   -
GData              19               2010.03.20   -
Ikarus             T3.1.1.80.0      2010.03.20   -
Jiangmin           13.0.900         2010.03.20   -
K7AntiVirus        7.10.1002        2010.03.19   -
Kaspersky          7.0.0.125        2010.03.20   -
McAfee             5926             2010.03.20   -
McAfee+Artemis     5925             2010.03.19   -
McAfee-GW-Edition  6.8.5            2010.03.20   Trojan.Patched.Gen
Microsoft          1.5605           2010.03.20   -
NOD32              4960             2010.03.20   -
Norman             6.04.09          2010.03.20   -
nProtect           2009.1.8.0       2010.03.20   -
Panda              10.0.2.2         2010.03.20   -
PCTools            7.0.3.5          2010.03.20   -
Prevx              3.0              2010.03.20   -
Rising             22.39.05.02      2010.03.20   -
Sophos             4.51.0           2010.03.20   -
Sunbelt            5989             2010.03.20   -
Symantec           20091.2.0.41     2010.03.20   Suspicious.Insight
TheHacker          6.5.2.0.241      2010.03.20   -
TrendMicro         9.120.0.1004     2010.03.20   -
VBA32              3.12.12.2        2010.03.19   -
ViRobot            2010.3.19.2236   2010.03.20   -
VirusBuster        5.0.27.0         2010.03.20   -

Additional information

File size: 23424 bytes

MD5...: 0232c89b2f7fa2ff4794251d32ee2f32

SHA1..: deb633845b4340045c76ed2d5dfe7d16c962332e

SHA256: 4a4c46b31ab9c11ba93e8a46a43fd7fbfdd8991043164ffa68a42c6c6ff7fdbf

ssdeep: 384:Gs9E2b0IlybvP0DWoKWyGdv6nOXV/kJ6fDII42ZL//ET0IMe9PU/WoKW:Gs9revsnvl6nOXVcyDIIdZL/fEPUT

PEiD..: -

PEInfo: PE Structure information

( base data )

entrypointaddress.: 0x15e4

timedatestamp.....: 0x3b7d8361 (Fri Aug 17 20:49:37 2001)

machinetype.......: 0x14c (I386)

( 8 sections )

name    viradd  virsiz  rawdsiz  ntrpy  md5
.text   0x300   0xc     0x80     0.59   a72df68117242c3847b3ca1e15acd483
.rdata  0x380   0xff    0x100    4.04   47ef26b4bba0549947907b8a7e807b52
.data   0x480   0x5c    0x80     1.96   580dd1703833d3b9d3d184d05ac35e7b
PAGE    0x500   0xda8   0xe00    6.27   7be004b2728223723324ced7ad705c6d
INIT    0x1300  0x6b6   0x700    5.38   456d13b3d6ddb006d209ddc8ebdbc7fd
.vuzs   0x1a00  0x3c80  0x3c80   7.87   2cd300685fcfbd56dfad76c0d200b1a7
.rsrc   0x5680  0x3f0   0x400    3.34   af73661277d47f233ab3b8a27827df5c
.reloc  0x5a80  0xf2    0x100    4.80   2f75d6c4c4cac4a925016033e2e4e56b

( 1 imports )

> ntoskrnl.exe: IofCompleteRequest, IoRegisterFileSystem, IoDeleteDevice, IoRegisterShutdownNotification, IoCreateDevice, ZwClose, ZwCreateFile, RtlInitUnicodeString, IoUnregisterFileSystem, ExFreePoolWithTag, KeLeaveCriticalRegion, KeSetEvent, ZwLoadDriver, KeEnterCriticalRegion, KeWaitForSingleObject, RtlExtendedLargeIntegerDivide, IofCallDriver, IoBuildDeviceIoControlRequest, KeInitializeEvent, IoBuildSynchronousFsdRequest, ExAllocatePoolWithTag, MmPageEntireDriver, _allmul, _allshr

( 0 exports )

RDS...: NSRL Reference Data Set

-

pdfid.: -

trid..: Win64 Executable Generic (95.5%)

Generic Win/DOS Executable (2.2%)

DOS Executable Generic (2.2%)

Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)

sigcheck:

publisher....: Microsoft Corporation

copyright....: © Microsoft Corporation. All rights reserved.

product......: Microsoft® Windows® Operating System

description..: File System Recognizer Driver

original name: fs_rec.sys

internal name: fs_rec.sys

file version.: 5.1.2600.0 (xpclient.010817-1148)

comments.....: n/a

signers......: -

signing date.: -

verified.....: Unsigned

  • Staff

Hi,

Your MBAM log shows that you didn't remove anything. Please update MBAM, run a Quick Scan, remove everything found, then post its log.

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.

  • Click Start Scanning.
  • You should get a notification bar (on top) to install the ActiveX control.
  • Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished scanning, click the Automatic cleaning (recommended) button.
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and Copy/Paste what is present under results in your next reply.

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317

Here they are.

Malwarebytes' Anti-Malware 1.44

Database version: 3899

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

3/21/2010 8:48:51 AM

mbam-log-2010-03-21 (08-48-51).txt

Scan type: Quick Scan

Objects scanned: 130007

Time elapsed: 4 minute(s), 6 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Scanning Report

Sunday, March 21, 2010 09:02:57 - 09:52:29

Computer name: HP79322942442

Scanning type: Scan system for malware, spyware and rootkits

Target: C:\

--------------------------------------------------------------------------------

27 malware found

TrackingCookie.Questionmarket (spyware)

System (Disinfected)

TrackingCookie.Adinterax (spyware)

System (Disinfected)

TrackingCookie.2o7 (spyware)

System (Disinfected)

TrackingCookie.Advertising (spyware)

System (Disinfected)

TrackingCookie.Atdmt (spyware)

System (Disinfected)

TrackingCookie.Doubleclick (spyware)

System (Disinfected)

TrackingCookie.Revsci (spyware)

System (Disinfected)

TrackingCookie.Specificclick (spyware)

System (Disinfected)

TrackingCookie.Adrevolver (spyware)

System (Disinfected)

TrackingCookie.Adbrite (spyware)

System (Disinfected)

TrackingCookie.Webtrends (spyware)

System (Disinfected)

TrackingCookie.Mediaplex (spyware)

System (Disinfected)

TrackingCookie.Tradedoubler (spyware)

System (Disinfected)

TrackingCookie.Statcounter (spyware)

System (Disinfected)

TrackingCookie.Atwola (spyware)

System (Disinfected)

TrackingCookie.Yieldmanager (spyware)

System (Disinfected)

TrackingCookie.Imrworldwide (spyware)

System (Disinfected)

Suspicious:W32/Malware!Gemini (virus)

C:\RPMODD\CONNTEST.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\RPMODD\SERVERUPDATER.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\RPMODD\SERVERUPDATER\SERVERUPDATER.EXE\249~SERVERUPDATER.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\RPMEVEN\CONNTEST.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\RPMEVEN\SERVERUPDATER.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

C:\RPMEVEN\SERVERUPDATER\SERVERUPDATER.EXE\249~SERVERUPDATER.EXE (Not cleaned & Submitted)

Trojan.Spy.BZub.NIP (virus)

C:\PROGRAM FILES\TRENDMICRO\HIJACKTHIS\BACKUPS\BACKUP-20100318-045742-581.DLL (Renamed & Submitted)

Trojan.Spy.BZub.NIP (virus)

C:\PROGRAM FILES\TRENDMICRO\HIJACKTHIS\BACKUPS\BACKUP-20100318-052542-384.DLL (Renamed & Submitted)

Trojan.Spy.BZub.NIP (virus)

C:\PROGRAM FILES\TRENDMICRO\HIJACKTHIS\BACKUPS\BACKUP-20100318-053338-419.DLL (Renamed & Submitted)

Gen:Trojan.Heur.dm0@sbMRHDoie (virus)

C:\PROGRAM FILES\APEXWIN\ECP.EXE (Renamed & Submitted)

--------------------------------------------------------------------------------

Statistics

Scanned:

Files: 187268

System: 3330

Not scanned: 8

Actions:

Disinfected: 17

Renamed: 4

Deleted: 0

Not cleaned: 6

Submitted: 10

Files not scanned:

C:\PAGEFILE.SYS

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

C:\WINDOWS\SYSTEM32\CONFIG\SAM

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

C:\DOCUMENTS AND SETTINGS\BRENT\LOCAL SETTINGS\TEMP\HSPERFDATA_BRENT\1580

C:\DOCUMENTS AND SETTINGS\BRENT\LOCAL SETTINGS\TEMP\HSPERFDATA_BRENT\3712

--------------------------------------------------------------------------------

Options

Scanning engines:

Scanning options:

Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR

Use advanced heuristics

Results of screen317's Security Check version 0.99.2

Windows XP Service Pack 3

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!

Windows Firewall Disabled!

AVG Free 9.0

Microsoft Firewall Client

WMI entry may not exist for antivirus; attempting automatic update.

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

Java 6 Update 18

Java 2 Runtime Environment, SE v1.4.2_03

Adobe Flash Player 10

Adobe Reader 9.3.1

````````````````````````````````

Process Check:

objlist.exe by Laurent

AVG avgwdsvc.exe

AVG avgrsx.exe

AVG avgnsx.exe

AVG avgemc.exe

Brent LOCALS~1 Temp OnlineScanner\Anti-Virus\fsgk32.exe

Brent LOCALS~1 Temp OnlineScanner\Anti-Virus\fssm32.exe

Brent LOCALS~1 Temp fsonlinescanner.exe

````````````````````````````````

DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````


  • Staff

Hi,

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall.

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following programs (if present):

Java 2 Runtime Environment, SE v1.4.2_03

Restart your computer.

Let me know what issues remain.

-screen317
