Dougg Posted March 18, 2010 ID:216992

Need some help. Here is the info you asked for, except for the GMER log; my computer reboots before it is done.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Brent at 6:11:14.85 on Thu 03/18/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1527.991 [GMT -6:00]

AV: AntiMalware *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL$PROCLAIM\Binn\sqlservr.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\MAKTray.exe
C:\Program Files\PDF Complete\pdfsty.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\PDF Complete\pdfsaver.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ScanSoft\PaperPort\PPScheduler.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\MAKHKEY.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Brent\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.msn.com
uInternet Settings,ProxyServer = server:8080
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: {06a15d79-082b-471c-a13d-da92203ae071} - c:\windows\system32\appmg.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
TB: &Ingenix Tools: {51819320-5b57-49fe-beb5-b498cbba1097} - c:\program files\ingenix\toolbar\IngenixBand.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_0_0
uRun: [PPScheduler] c:\program files\scansoft\paperport\PPScheduler.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [MAKTray] MAKTray.exe
mRun: [PDF Complete] "c:\program files\pdf complete\pdfsty.exe"
mRun: [setRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [sSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
mRun: [indexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\firewa~1.lnk - c:\program files\microsoft firewall client\ISATRAY.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
mPolicies-system: EnableLUA = 0 (0x0)
dPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0\bin\npjpi150.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1266959724677
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1266959844867
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-150-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: igfxcui - igfxdev.dll
Notify: PCANotify - PCANotify.dll
AppInit_DLLs: ,
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\brent\applic~1\mozilla\firefox\profiles\qy44kxaq.default\
FF - prefs.js: network.proxy.ftp - SERVER
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.gopher - SERVER
FF - prefs.js: network.proxy.gopher_port - 8080
FF - prefs.js: network.proxy.http - SERVER
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - SERVER
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.ssl - SERVER
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\documents and settings\brent\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJPI150.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPOJI610.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 mchvpiqy;mchvpiqy;c:\windows\system32\drivers\mchvpiqy.sys [2004-8-4 23424]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-2-23 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-2-23 29512]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-2-23 242696]
R1 AW_HOST;AW_HOST;c:\windows\system32\drivers\AW_HOST5.sys [2002-2-11 33496]
R1 awlegacy;awlegacy;c:\windows\system32\drivers\AWLEGACY.SYS [2000-9-11 10816]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-18 308064]
R2 awhost32;pcAnywhere Host Service;c:\program files\symantec\pcanywhere\AWHOST32.EXE [2002-2-15 114749]
R2 MSSQL$PROCLAIM;MSSQL$PROCLAIM;c:\program files\microsoft sql server\mssql$proclaim\binn\sqlservr.exe -sproclaim --> c:\program files\microsoft sql server\mssql$proclaim\binn\sqlservr.exe -sPROCLAIM [?]
S3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\jimtml.sys --> c:\windows\system32\drivers\jimtml.sys [?]
S3 SQLAgent$PROCLAIM;SQLAgent$PROCLAIM;c:\program files\microsoft sql server\mssql$proclaim\binn\sqlagent.exe -i proclaim --> c:\program files\microsoft sql server\mssql$proclaim\binn\sqlagent.EXE -i PROCLAIM [?]

=============== Created Last 30 ================

==================== Find3M ====================

2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\dllcache\srv.sys
2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\dllcache\wininet.dll
2009-12-21 19:14:05 1208832 ----a-w- c:\windows\system32\dllcache\urlmon.dll
2009-12-21 19:14:04 5942784 ----a-w- c:\windows\system32\dllcache\mshtml.dll
2009-12-21 19:14:04 206848 ----a-w- c:\windows\system32\dllcache\occache.dll
2009-12-21 19:14:03 25600 ----a-w- c:\windows\system32\dllcache\jsproxy.dll
2009-12-21 19:14:03 184320 ----a-w- c:\windows\system32\dllcache\iepeers.dll
2009-12-21 19:14:01 387584 ----a-w- c:\windows\system32\dllcache\iedkcs32.dll
2009-12-21 13:19:18 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe

============= FINISH: 6:12:08.48 ===============

Attachments: mbam_log_2010_03_18__05_27_03_.txt, Attach.zip
screen317 (Staff) Posted March 20, 2010 ID:217630

Hi and welcome to Malwarebytes.

Please go to VirusTotal, and upload the following file for analysis:
c:\windows\system32\drivers\mchvpiqy.sys
Post the results in your reply.

Next, update MBAM, run a Quick Scan, and post its log (don't attach it).

Next, please visit this webpage for instructions for running ComboFix: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

-screen317
Dougg (Author) Posted March 20, 2010 ID:218021

> Hi and welcome to Malwarebytes.
>
> Please go to VirusTotal, and upload the following file for analysis:
> c:\windows\system32\drivers\mchvpiqy.sys
> Post the results in your reply.
>
> Next, update MBAM, run a Quick Scan, and post its log (don't attach it).
>
> Next, please visit this webpage for instructions for running ComboFix: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
> When the tool is finished, it will produce a report for you.
> Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.
>
> -screen317

File mchvpiqy.sys received on 2010.03.20 15:20:47 (UTC)
Result: 3/42 (7.15%)

Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.03.20 -
AhnLab-V3 5.0.0.2 2010.03.20 -
AntiVir 8.2.1.196 2010.03.19 TR/Patched.Gen
Antiy-AVL 2.0.3.7 2010.03.19 -
Authentium 5.2.0.5 2010.03.19 -
Avast 4.8.1351.0 2010.03.20 -
Avast5 5.0.332.0 2010.03.20 -
AVG 9.0.0.787 2010.03.20 -
BitDefender 7.2 2010.03.20 -
CAT-QuickHeal 10.00 2010.03.19 -
ClamAV 0.96.0.0-git 2010.03.20 -
Comodo 4330 2010.03.20 -
DrWeb 5.0.1.12222 2010.03.20 -
eSafe 7.0.17.0 2010.03.18 -
eTrust-Vet 35.2.7376 2010.03.19 -
F-Prot 4.5.1.85 2010.03.19 -
F-Secure 9.0.15370.0 2010.03.20 -
Fortinet 4.0.14.0 2010.03.20 -
GData 19 2010.03.20 -
Ikarus T3.1.1.80.0 2010.03.20 -
Jiangmin 13.0.900 2010.03.20 -
K7AntiVirus 7.10.1002 2010.03.19 -
Kaspersky 7.0.0.125 2010.03.20 -
McAfee 5926 2010.03.20 -
McAfee+Artemis 5925 2010.03.19 -
McAfee-GW-Edition 6.8.5 2010.03.20 Trojan.Patched.Gen
Microsoft 1.5605 2010.03.20 -
NOD32 4960 2010.03.20 -
Norman 6.04.09 2010.03.20 -
nProtect 2009.1.8.0 2010.03.20 -
Panda 10.0.2.2 2010.03.20 -
PCTools 7.0.3.5 2010.03.20 -
Prevx 3.0 2010.03.20 -
Rising 22.39.05.02 2010.03.20 -
Sophos 4.51.0 2010.03.20 -
Sunbelt 5989 2010.03.20 -
Symantec 20091.2.0.41 2010.03.20 Suspicious.Insight
TheHacker 6.5.2.0.241 2010.03.20 -
TrendMicro 9.120.0.1004 2010.03.20 -
VBA32 3.12.12.2 2010.03.19 -
ViRobot 2010.3.19.2236 2010.03.20 -
VirusBuster 5.0.27.0 2010.03.20 -

Additional information
File size: 23424 bytes
MD5...: 0232c89b2f7fa2ff4794251d32ee2f32
SHA1..: deb633845b4340045c76ed2d5dfe7d16c962332e
SHA256: 4a4c46b31ab9c11ba93e8a46a43fd7fbfdd8991043164ffa68a42c6c6ff7fdbf
ssdeep: 384:Gs9E2b0IlybvP0DWoKWyGdv6nOXV/kJ6fDII42ZL//ET0IMe9PU/WoKW:Gs9revsnvl6nOXVcyDIIdZL/fEPUT
PEiD..: -
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x15e4
timedatestamp.....: 0x3b7d8361 (Fri Aug 17 20:49:37 2001)
machinetype.......: 0x14c (I386)
( 8 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x300 0xc 0x80 0.59 a72df68117242c3847b3ca1e15acd483
.rdata 0x380 0xff 0x100 4.04 47ef26b4bba0549947907b8a7e807b52
.data 0x480 0x5c 0x80 1.96 580dd1703833d3b9d3d184d05ac35e7b
PAGE 0x500 0xda8 0xe00 6.27 7be004b2728223723324ced7ad705c6d
INIT 0x1300 0x6b6 0x700 5.38 456d13b3d6ddb006d209ddc8ebdbc7fd
.vuzs 0x1a00 0x3c80 0x3c80 7.87 2cd300685fcfbd56dfad76c0d200b1a7
.rsrc 0x5680 0x3f0 0x400 3.34 af73661277d47f233ab3b8a27827df5c
.reloc 0x5a80 0xf2 0x100 4.80 2f75d6c4c4cac4a925016033e2e4e56b
( 1 imports )
> ntoskrnl.exe: IofCompleteRequest, IoRegisterFileSystem, IoDeleteDevice, IoRegisterShutdownNotification, IoCreateDevice, ZwClose, ZwCreateFile, RtlInitUnicodeString, IoUnregisterFileSystem, ExFreePoolWithTag, KeLeaveCriticalRegion, KeSetEvent, ZwLoadDriver, KeEnterCriticalRegion, KeWaitForSingleObject, RtlExtendedLargeIntegerDivide, IofCallDriver, IoBuildDeviceIoControlRequest, KeInitializeEvent, IoBuildSynchronousFsdRequest, ExAllocatePoolWithTag, MmPageEntireDriver, _allmul, _allshr
( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win64 Executable Generic (95.5%)
Generic Win/DOS Executable (2.2%)
DOS Executable Generic (2.2%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: © Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: File System Recognizer Driver
original name: fs_rec.sys
internal name: fs_rec.sys
file version.: 5.1.2600.0 (xpclient.010817-1148)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigne
screen317 (Staff) Posted March 22, 2010 ID:218924

Hi,

Your MBAM log shows that you didn't remove anything. Please update MBAM, run a Quick Scan, remove everything found, then post its log.

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.
Click Start Scanning.
You should get a notification bar (on top) to install the ActiveX control. Click on it and select to install the ActiveX.
Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
In case you are having problems with installing the ActiveX/starting the scan, please read here.
Click the Full System Scan button.
It will start to download scanner components and databases. This can take a while.
The main scan will start.
Once the scan has finished scanning, click the Automatic cleaning (recommended) button.
It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
The cleaning can take a while, so please be patient.
Then click the Show report button and Copy/Paste what is present under results in your next reply.

Next, download my Security Check from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317
Dougg (Author) Posted March 22, 2010 ID:219374

> Hi,
>
> Your MBAM log shows that you didn't remove anything. Please update MBAM, run a Quick Scan, remove everything found, then post its log.
>
> Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.
> Click Start Scanning.
> You should get a notification bar (on top) to install the ActiveX control. Click on it and select to install the ActiveX.
> Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
> In case you are having problems with installing the ActiveX/starting the scan, please read here.
> Click the Full System Scan button.
> It will start to download scanner components and databases. This can take a while.
> The main scan will start.
> Once the scan has finished scanning, click the Automatic cleaning (recommended) button.
> It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
> The cleaning can take a while, so please be patient.
> Then click the Show report button and Copy/Paste what is present under results in your next reply.
>
> Next, download my Security Check from here or here.
> Save it to your Desktop.
> Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
> A Notepad document should open automatically called checkup.txt; please post the contents of that document.
>
> Let me know how things are running now and what issues remain.
>
> -screen317

Here they are.

Malwarebytes' Anti-Malware 1.44
Database version: 3899
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/21/2010 8:48:51 AM
mbam-log-2010-03-21 (08-48-51).txt

Scan type: Quick Scan
Objects scanned: 130007
Time elapsed: 4 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Scanning Report
Sunday, March 21, 2010 09:02:57 - 09:52:29
Computer name: HP79322942442
Scanning type: Scan system for malware, spyware and rootkits
Target: C:\
--------------------------------------------------------------------------------
27 malware found
TrackingCookie.Questionmarket (spyware)
  System (Disinfected)
TrackingCookie.Adinterax (spyware)
  System (Disinfected)
TrackingCookie.2o7 (spyware)
  System (Disinfected)
TrackingCookie.Advertising (spyware)
  System (Disinfected)
TrackingCookie.Atdmt (spyware)
  System (Disinfected)
TrackingCookie.Doubleclick (spyware)
  System (Disinfected)
TrackingCookie.Revsci (spyware)
  System (Disinfected)
TrackingCookie.Specificclick (spyware)
  System (Disinfected)
TrackingCookie.Adrevolver (spyware)
  System (Disinfected)
TrackingCookie.Adbrite (spyware)
  System (Disinfected)
TrackingCookie.Webtrends (spyware)
  System (Disinfected)
TrackingCookie.Mediaplex (spyware)
  System (Disinfected)
TrackingCookie.Tradedoubler (spyware)
  System (Disinfected)
TrackingCookie.Statcounter (spyware)
  System (Disinfected)
TrackingCookie.Atwola (spyware)
  System (Disinfected)
TrackingCookie.Yieldmanager (spyware)
  System (Disinfected)
TrackingCookie.Imrworldwide (spyware)
  System (Disinfected)
Suspicious:W32/Malware!Gemini (virus)
  C:\RPMODD\CONNTEST.EXE (Not cleaned & Submitted)
Suspicious:W32/Malware!Gemini (virus)
  C:\RPMODD\SERVERUPDATER.EXE (Not cleaned & Submitted)
Suspicious:W32/Malware!Gemini (virus)
  C:\RPMODD\SERVERUPDATER\SERVERUPDATER.EXE\249~SERVERUPDATER.EXE (Not cleaned & Submitted)
Suspicious:W32/Malware!Gemini (virus)
  C:\RPMEVEN\CONNTEST.EXE (Not cleaned & Submitted)
Suspicious:W32/Malware!Gemini (virus)
  C:\RPMEVEN\SERVERUPDATER.EXE (Not cleaned & Submitted)
Suspicious:W32/Malware!Gemini (virus)
  C:\RPMEVEN\SERVERUPDATER\SERVERUPDATER.EXE\249~SERVERUPDATER.EXE (Not cleaned & Submitted)
Trojan.Spy.BZub.NIP (virus)
  C:\PROGRAM FILES\TRENDMICRO\HIJACKTHIS\BACKUPS\BACKUP-20100318-045742-581.DLL (Renamed & Submitted)
Trojan.Spy.BZub.NIP (virus)
  C:\PROGRAM FILES\TRENDMICRO\HIJACKTHIS\BACKUPS\BACKUP-20100318-052542-384.DLL (Renamed & Submitted)
Trojan.Spy.BZub.NIP (virus)
  C:\PROGRAM FILES\TRENDMICRO\HIJACKTHIS\BACKUPS\BACKUP-20100318-053338-419.DLL (Renamed & Submitted)
Gen:Trojan.Heur.dm0@sbMRHDoie (virus)
  C:\PROGRAM FILES\APEXWIN\ECP.EXE (Renamed & Submitted)
--------------------------------------------------------------------------------
Statistics
Scanned:
  Files: 187268
  System: 3330
  Not scanned: 8
Actions:
  Disinfected: 17
  Renamed: 4
  Deleted: 0
  Not cleaned: 6
  Submitted: 10
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\DOCUMENTS AND SETTINGS\BRENT\LOCAL SETTINGS\TEMP\HSPERFDATA_BRENT\1580
C:\DOCUMENTS AND SETTINGS\BRENT\LOCAL SETTINGS\TEMP\HSPERFDATA_BRENT\3712
--------------------------------------------------------------------------------
Options
Scanning engines:
Scanning options:
  Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
  Use advanced heuristics


Results of screen317's Security Check version 0.99.2
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Disabled!
AVG Free 9.0
Microsoft Firewall Client
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
Java 6 Update 18
Java 2 Runtime Environment, SE v1.4.2_03
Adobe Flash Player 10
Adobe Reader 9.3.1
````````````````````````````````
Process Check: objlist.exe by Laurent
AVG avgwdsvc.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
Brent LOCALS~1 Temp OnlineScanner\Anti-Virus\fsgk32.exe
Brent LOCALS~1 Temp OnlineScanner\Anti-Virus\fssm32.exe
Brent LOCALS~1 Temp fsonlinescanner.exe
````````````````````````````````
DNS Vulnerability Check: GREAT! (Not vulnerable to DNS cache poisoning)
``````````End of Log````````````
screen317 (Staff) Posted March 23, 2010 ID:219793

Hi,

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall.
This uninstalls all of ComboFix's components.

Delete SecurityCheck.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following programs (if present):
Java 2 Runtime Environment, SE v1.4.2_03

Restart your computer.

Let me know what issues remain.

-screen317