Jump to content

Fake AV software preventing Malwarebytes install


Recommended Posts

My parents have managed to get a virus on their computer, and I am having a terrible time trying to remove it. Initial symptoms were trojan alerts from Avast and browser redirects in IE. This later progressed to the the installation of a fake antivirus software called "XP Security".

Initial scans with Avast found a few trojans, but I am no longer able to run the program. I am not able to install Malwarebytes in safe mode, even after changing the name of the install file. Following the guide here produced no results. The only thing I have been able to run is Hijack This.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:27:45 PM, on 4/11/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Administrator\Local Settings\Application Data\ave.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: Watch.lnk = C:\WINDOWS\twain_32\A4S2_600\WATCH.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Watch.lnk = C:\WINDOWS\twain_32\A4S2_600\WATCH.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {21BB8360-F943-447E-98F3-3C22345375A7} (CPlayFirstChocolatierControl Object) - http://webgames.d.tmsrv.com/c=6938673a4cc9aaa50d6f456aaa8f0b47/aff=t_03cm_wg/p/release/playfirst/wg_chocolatier/chocolatier/ChocolatierWeb.1.0.0.13.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.mumbojumbo.com/assets/22/webgame/ReflexiveWebGameLoader.cab
O16 - DPF: {44C1E3A2-B594-401C-B27A-D1B4476E4797} (XTSAC Control) - https://portal.drsclinic.com/XTSAC.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123648936968
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.mumbojumbo.com/assets/mjolauncher.cab
O16 - DPF: {B0FB831D-17F6-4CBD-9B5D-3305881D362E} (LHGLauncherXForm Control) - http://www.mumbojumbo.com/assets/HLGLauncher.CAB
O16 - DPF: {BAC761D3-DFFD-4DB4-A01D-173346E090A7} (CPlayFirstzenerchiControl Object) - http://webgames.d.tmsrv.com/c=1e991847199ced6add9da66556822a7f/aff=t_03cm_wg/p/release/playfirst/wg_zenerchi/zenerchi/ZenerchiWeb.1.0.0.10.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://chill.comcast.net/Gameshell/GameHost/1.0/OberonGameHost.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://webgames.d.tmsrv.com/c=3f323b08e3530152678a2a39c9bfbf66/aff=t_03cm_wg/p/release/popcap/wg_bejeweled2/popcaploader_v6.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6794 bytes

Thanks for the help.

Link to post
Share on other sites

Hello Wooster! Welcome to MalwareBytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something please ask.
  • Do not install any software or hardware, while work on.

Please try this version of malwarebytes: Click the link here

Save it on your desktop. You'll see it will have a random name, and will look similar like this: mbamrandom.gif

Doubleclick on it, so it will extract the files and will start Malwarebytes automatically.

In case the installer (random named file) won't run either, rename it to EXPLORER.EXE and try again.

When Malwarebytes opens, click the "Update" tab FIRST and select to check for updates in order to get the latest

updates.

In case Malwarebytes doesn't open, search for the folder mbam-installer on your desktop, open it and doubleclick

the file winlogon.exe which will be present in there. This should launch Malwarebytes.

Then perform a Quick scan and let it remove what it found. Reboot afterwards (important).

After reboot, post the malwarebytes log.

Link to post
Share on other sites

Hey Borislav, thanks for the help. I think I've already got it fixed, but I'll follow along just to make sure. Prior to your post, I ran Spybot on the advice of a friend and it knocked back the malware enough for me to run Malwarebytes. Here's the log it generated:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3930

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/11/2010 7:09:51 PM
mbam-log-2010-04-11 (19-09-51).txt

Scan type: Quick scan
Objects scanned: 120254
Time elapsed: 20 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\secfile\shell\open\command\(default) (Rogue.MultipleAV) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I can also post the Spybot logs if you want.

Link to post
Share on other sites

Your database verison is 3930 , but the current is 3979 , so please update it. Let's get started:

  • Launch Malwarebytes' Anti-Malware
  • Go to "Update" tab and select "Check for Updates". If an update is found, it will download and install the latest version.
  • Go to "Scanner" tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

In your next reply, please include these log(s):

* MalwareBytes' Anti-Malware log

* SpyBot - S&D log

* a new fresh HJT log

Link to post
Share on other sites

Malwarebytes log:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3979

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/11/2010 11:26:05 PM
mbam-log-2010-04-11 (23-26-05).txt

Scan type: Quick scan
Objects scanned: 113647
Time elapsed: 14 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Digital Protection (Rogue.DigitalProtection) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Temp\asd8.tmp.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\davclnt.exe (Rogue.DigitalProtection) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Favorites\_favdata.dat (Malware.Trace) -> Quarantined and deleted successfully.

I'm not sure which Spybot log to post, but these two should be the most relevant:

11.04.2010 17:11:36 - ##### check started #####
11.04.2010 17:11:36 - ### Version: 1.6.2
11.04.2010 17:11:36 - ### Date: 4/11/2010 5:11:36 PM
11.04.2010 17:11:39 - ##### checking bots #####
11.04.2010 17:20:43 - found: Microsoft.Windows.FileExe Settings
11.04.2010 17:20:52 - found: Microsoft.WindowsSecurityCenter.AntiVirusOverride Settings
11.04.2010 17:20:52 - found: Microsoft.WindowsSecurityCenter.FirewallOverride Settings
11.04.2010 17:20:52 - found: Microsoft.WindowsSecurityCenter.TaskManager Settings
11.04.2010 17:20:52 - found: Microsoft.WindowsSecurityCenter.TaskManager Settings
11.04.2010 17:20:52 - found: Microsoft.WindowsSecurityCenter_disabled Settings
11.04.2010 17:20:57 - found: Microsoft.Windows.System Settings
11.04.2010 17:52:43 - found: DoubleClick Tracking cookie (Firefox: User (default))
11.04.2010 17:52:44 - found: Zedo Tracking cookie (Firefox: User (default))
11.04.2010 17:52:46 - ##### check finished #####

--- Report generated: 2010-04-11 17:54 ---

Microsoft.Windows.FileExe: [SBI $D204F52E] Settings (Registry change, fixed)
HKEY_CLASSES_ROOT\.exe\

Microsoft.WindowsSecurityCenter.AntiVirusOverride: [SBI $3604910C] Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride

Microsoft.WindowsSecurityCenter.FirewallOverride: [SBI $0C94D702] Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride

Microsoft.WindowsSecurityCenter.TaskManager: [SBI $FD4267D3] Settings (Registry change, fixed)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr

Microsoft.WindowsSecurityCenter.TaskManager: [SBI $FD4267D3] Settings (Registry change, fixed)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr

Microsoft.WindowsSecurityCenter_disabled: [SBI $2E20C9A9] Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start

Microsoft.Windows.System: [SBI $CA894808] Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr

DoubleClick: Tracking cookie (Firefox: User (default)) (Cookie, fixed)


Zedo: Tracking cookie (Firefox: User (default)) (Cookie, fixed)



--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-01-26 TeaTimer.exe (1.6.4.26)
2010-04-11 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-01-26 advcheck.dll (1.6.2.15)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2010-02-17 Includes\Adware.sbi (*)
2010-04-06 Includes\AdwareC.sbi (*)
2010-01-25 Includes\Cookies.sbi (*)
2009-11-03 Includes\Dialer.sbi (*)
2010-04-06 Includes\DialerC.sbi (*)
2010-01-25 Includes\HeavyDuty.sbi (*)
2009-05-26 Includes\Hijackers.sbi (*)
2010-04-06 Includes\HijackersC.sbi (*)
2010-01-19 Includes\Keyloggers.sbi (*)
2010-04-06 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2010-03-02 Includes\Malware.sbi (*)
2010-04-07 Includes\MalwareC.sbi (*)
2009-03-25 Includes\PUPS.sbi (*)
2010-03-30 Includes\PUPSC.sbi (*)
2010-01-25 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2010-04-06 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2010-03-02 Includes\Spyware.sbi (*)
2010-04-07 Includes\SpywareC.sbi (*)
2010-03-08 Includes\Tracks.uti
2010-03-03 Includes\Trojans.sbi (*)
2010-04-06 Includes\TrojansC-02.sbi (*)
2010-04-06 Includes\TrojansC-03.sbi (*)
2010-04-06 Includes\TrojansC-04.sbi (*)
2010-04-07 Includes\TrojansC-05.sbi (*)
2010-04-06 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:46:51 PM, on 4/11/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avast\aswUpdSv.exe
C:\Program Files\Avast\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Avast\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\twain_32\A4S2_600\WATCH.EXE
C:\MSCAN\Msoffice\panel.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Avast\ashMaiSv.exe
C:\Program Files\Avast\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: Watch.lnk = C:\WINDOWS\twain_32\A4S2_600\WATCH.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Watch.lnk = C:\WINDOWS\twain_32\A4S2_600\WATCH.EXE (User 'Default user')
O4 - Startup: Watch.lnk = C:\WINDOWS\twain_32\A4S2_600\WATCH.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {21BB8360-F943-447E-98F3-3C22345375A7} (CPlayFirstChocolatierControl Object) - http://webgames.d.tmsrv.com/c=6938673a4cc9aaa50d6f456aaa8f0b47/aff=t_03cm_wg/p/release/playfirst/wg_chocolatier/chocolatier/ChocolatierWeb.1.0.0.13.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.mumbojumbo.com/assets/22/webgame/ReflexiveWebGameLoader.cab
O16 - DPF: {44C1E3A2-B594-401C-B27A-D1B4476E4797} (XTSAC Control) - https://portal.drsclinic.com/XTSAC.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123648936968
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.mumbojumbo.com/assets/mjolauncher.cab
O16 - DPF: {B0FB831D-17F6-4CBD-9B5D-3305881D362E} (LHGLauncherXForm Control) - http://www.mumbojumbo.com/assets/HLGLauncher.CAB
O16 - DPF: {BAC761D3-DFFD-4DB4-A01D-173346E090A7} (CPlayFirstzenerchiControl Object) - http://webgames.d.tmsrv.com/c=1e991847199ced6add9da66556822a7f/aff=t_03cm_wg/p/release/playfirst/wg_zenerchi/zenerchi/ZenerchiWeb.1.0.0.10.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://chill.comcast.net/Gameshell/GameHost/1.0/OberonGameHost.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://webgames.d.tmsrv.com/c=3f323b08e3530152678a2a39c9bfbf66/aff=t_03cm_wg/p/release/popcap/wg_bejeweled2/popcaploader_v6.cab
O18 - Filter hijack: text/html - {274c4f91-ecfc-4224-8e67-4cd65b4f9c87} - C:\WINDOWS\system32\msiebbar.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 8078 bytes

Link to post
Share on other sites

Step 1:

**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer. **

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Please download ComboFix from

Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Open Tools -> Options -> Main tab
    • Set to Always ask me where to Save the files.

[*]During the download, rename Combofix to Combo-Fix as follows:

CF_download_FF.gif

CF_download_rename.gif

[*]It is important you rename Combofix during the download, but not after.

[*]Please do not rename Combofix to other names, but only to the one indicated.

[*]Close any open browsers.

[*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

[*]Double click on combo-Fix.exe & follow the prompts.

[*]When finished, it will produce a report for you.

[*]Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

Step 2:

Also, I would like you to generate a "Add/Remove Software list" log using the HijackThis application. Here is how you can do this:

To get an Uninstall List from HijackThis:

  • Open HijackThis, click Config, click Misc Tools
  • Click "Open Uninstall Manager"
  • Click "Save List" (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.

In your next reply, please include these log(s):

* ComboFix log

* HijackThis Uninstall List

* HijackThis log (new)

Link to post
Share on other sites

ComboFix log:

ComboFix 10-04-11.03 - User 04/12/2010   0:09.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.204 [GMT -7:00]
Running from: c:\documents and settings\User\Desktop\Combo-Fix.exe
AV: avast! antivirus 4.8.1368 [VPS 100411-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\popcaploader.inf

.
((((((((((((((((((((((((( Files Created from 2010-03-12 to 2010-04-12 )))))))))))))))))))))))))))))))
.

2010-04-12 01:41 . 2010-04-12 01:41 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2010-04-11 06:57 . 2010-04-11 18:36 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft
2010-04-11 06:57 . 2010-04-11 06:58 -------- d-----w- c:\documents and settings\Administrator
2010-04-11 06:28 . 2010-04-11 06:29 -------- d-----w- c:\windows\PRAGMAyycvksevpe
2010-04-09 05:13 . 2010-04-11 06:25 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-28 23:08 . 2010-03-28 23:10 -------- d-----w- c:\program files\HRBlock2009

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-12 01:39 . 2010-04-12 00:01 -------- d-----w- c:\program files\Spybot
2010-04-12 00:58 . 2010-04-12 00:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-04-12 00:58 . 2010-04-12 00:58 -------- d-----w- c:\program files\Malwarebytes
2010-04-12 00:58 . 2010-04-12 00:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-12 00:10 . 2005-08-06 22:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-11 21:58 . 2010-04-11 14:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-11 18:21 . 2010-04-11 18:21 279816 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-11 15:03 . 2010-04-11 15:02 -------- d-----w- c:\program files\Scanner
2010-04-07 03:20 . 2007-11-23 06:41 -------- d-----w- c:\program files\Avast
2010-04-05 06:27 . 2006-08-29 03:43 -------- d-----w- c:\documents and settings\User\Application Data\Azureus
2010-03-30 07:46 . 2010-04-12 00:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 07:45 . 2010-04-12 00:58 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-28 23:14 . 2010-03-28 23:13 21195208 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Update\US30026901xupd.exe
2010-03-28 23:12 . 2008-01-29 01:49 -------- d-----w- c:\documents and settings\User\Application Data\TaxCut
2010-03-28 22:59 . 2008-01-29 01:44 -------- d-----w- c:\documents and settings\All Users\Application Data\TaxCut
2010-02-25 06:24 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-13 16:03 . 2010-01-13 16:03 152576 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-01-13 16:03 . 2009-11-09 21:31 79488 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-04 131072]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-07-28 4841472]
"nwiz"="nwiz.exe" [2003-07-28 323584]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-03-05 180269]
"avast!"="c:\progra~1\Avast\ashDisp.exe" [2009-11-24 81000]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

c:\documents and settings\User\Start Menu\Programs\Startup\
Watch.lnk - c:\windows\twain_32\A4S2_600\WATCH.EXE [2005-9-25 184320]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [4/10/2008 5:27 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/10/2008 5:27 PM 20560]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
DPF: {21BB8360-F943-447E-98F3-3C22345375A7} - hxxp://webgames.d.tmsrv.com/c=6938673a4cc9aaa50d6f456aaa8f0b47/aff=t_03cm_wg/p/release/playfirst/wg_chocolatier/chocolatier/ChocolatierWeb.1.0.0.13.cab
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\4bgulz0o.default\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-12 00:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82696AC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf866af28
\Driver\ACPI -> ACPI.sys @ 0xf85adcb8
\Driver\atapi -> atapi.sys @ 0xf8565852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: NVIDIA nForce Networking Controller -> SendCompleteHandler -> NDIS.sys @ 0xf8471bb0
PacketIndicateHandler -> NDIS.sys @ 0xf847ea21
SendHandler -> NDIS.sys @ 0xf845c87b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(664)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(728)
c:\windows\system32\WININET.dll
.
Completion time: 2010-04-12 00:41:13
ComboFix-quarantined-files.txt 2010-04-12 07:41

Pre-Run: 12,144,599,040 bytes free
Post-Run: 12,334,379,008 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
d:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 9D50494A7541A864E75FEA58781F96F4

Uninstall list:

AC3Filter (remove only)
Ad-Aware SE Personal
Adobe Flash Player 10 ActiveX
Adobe Reader 7.0.5 Language Support
Adobe Reader 7.1.0
Amazon MP3 Downloader 1.0.2
AOL Instant Messenger
Apple Mobile Device Support
Apple Software Update
avast! Antivirus
Azureus
Bonjour
Civilization III
Civilization III: Conquests
Compatibility Pack for the 2007 Office system
CoreVorbis Audio Decoder (remove only)
Critical Update for Windows Media Player 11 (KB959772)
Direct Show Ogg Vorbis Filter (remove only)
DivX Codec
DScaler 5 Mpeg Decoders
ffdshow (remove only)
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
H&R Block Deluxe + Efile + State 2009
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Huffyuv AVI lossless video codec (Remove Only)
iPod for Windows 2006-03-23
IrfanView (remove only)
iTunes
Java(TM) 6 Update 17
Java(TM) 6 Update 2
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6
Java(TM) SE Runtime Environment 6 Update 1
JEOPARDY! (remove only)
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Standard for Students and Teachers
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Web Publishing Wizard 1.52
Morgan Stream Switcher
Mozilla Firefox (3.0)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Netflix Movie Viewer
NVIDIA Drivers
NVIDIA Windows 2000/XP Display Drivers
NvMixer
Pdf995 (installed by TaxCut)
PdfEdit995 (installed by TaxCut)
Picture Package Music Transfer
QuickTime
RealPlayer
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
SimCity 3000
Sony Picture Utility
Spybot - Search & Destroy
TaxCut Premium + Efile 2008
TaxCut Premium 2007
The Print Shop 21
The Sims 2
The Sims 2 Nightlife
Update for Windows Internet Explorer 8 (KB968220)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Windows Defender Signatures
Windows Genuine Advantage v1.3.0254.0
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
XviD MPEG-4 Video Codec

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:44:34 AM, on 4/12/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avast\aswUpdSv.exe
C:\Program Files\Avast\ashServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Avast\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\twain_32\A4S2_600\WATCH.EXE
C:\MSCAN\Msoffice\panel.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - S-1-5-18 Startup: Watch.lnk = C:\WINDOWS\twain_32\A4S2_600\WATCH.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Watch.lnk = C:\WINDOWS\twain_32\A4S2_600\WATCH.EXE (User 'Default user')
O4 - Startup: Watch.lnk = C:\WINDOWS\twain_32\A4S2_600\WATCH.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {21BB8360-F943-447E-98F3-3C22345375A7} (CPlayFirstChocolatierControl Object) - http://webgames.d.tmsrv.com/c=6938673a4cc9aaa50d6f456aaa8f0b47/aff=t_03cm_wg/p/release/playfirst/wg_chocolatier/chocolatier/ChocolatierWeb.1.0.0.13.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.mumbojumbo.com/assets/22/webgame/ReflexiveWebGameLoader.cab
O16 - DPF: {44C1E3A2-B594-401C-B27A-D1B4476E4797} (XTSAC Control) - https://portal.drsclinic.com/XTSAC.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123648936968
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.mumbojumbo.com/assets/mjolauncher.cab
O16 - DPF: {B0FB831D-17F6-4CBD-9B5D-3305881D362E} (LHGLauncherXForm Control) - http://www.mumbojumbo.com/assets/HLGLauncher.CAB
O16 - DPF: {BAC761D3-DFFD-4DB4-A01D-173346E090A7} (CPlayFirstzenerchiControl Object) - http://webgames.d.tmsrv.com/c=1e991847199ced6add9da66556822a7f/aff=t_03cm_wg/p/release/playfirst/wg_zenerchi/zenerchi/ZenerchiWeb.1.0.0.10.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://chill.comcast.net/Gameshell/GameHost/1.0/OberonGameHost.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7598 bytes

Link to post
Share on other sites

Step 1:

Please uninstall the following applications:

Adobe Reader 7.0.5 Language Support

Adobe Reader 7.1.0

After finish our work, please download and install the latest version of Adobe Reader from:

http://www.adobe.com

Step 2:

Please go into the Control Panel, Add/Remove and for now remove ALL versions of JAVA

Then run this tool to help cleanup any left over Java

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location and post it back when you reply
    Then look for the following Java folders and if found delete them.
    C:\Program Files\Java
    C:\Program Files\Common Files\Java
    C:\Windows\Sun
    C:\Documents and Settings\All Users\Application Data\Java
    C:\Documents and Settings\All Users\Application Data\Sun\Java
    C:\Documents and Settings\username\Application Data\Java
    C:\Documents and Settings\username\Application Data\Sun\Java

Step 3:

Please go to http://virustotal.com

Next to the "Browse" button, in to the blank field, please paste the following:

C:\WINDOWS\system32\msiebbar.dll

Hit SEND FILE. Please be patient, it will take a while to get it scanned. Once all the scanners are done, post back with the results (copy & paste them here) :)

In your last HJT log, msiebbar.dll is missing, but in your previous log is still there. Have you made any changes?

Step 4:

Please locate to:

c:\windows\PRAGMAyycvksevpe

Tell me if there is anything in it, and if there is, what is it.

Link to post
Share on other sites

JavaRa log:

JavaRa 1.15 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Mon Apr 12 01:25:44 2010

Found and removed: C:\Program Files\Java\jre1.5.0_04

Found and removed: C:\Documents and Settings\User\Application Data\Sun\Java\jre1.6.0_11

Found and removed: C:\Documents and Settings\User\Application Data\Sun\Java\jre1.6.0_15

Found and removed: Software\JavaSoft\Java2D\1.5.0_04

Found and removed: Software\JavaSoft\Java2D\1.5.0_08

Found and removed: SOFTWARE\Classes\JavaPlugin.150_08

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.5.0_04\

------------------------------------

Finished reporting.

msiebbar.dll is no longer in the system32 folder. I am not sure why it disappeared, as I don't recall doing anything other than what was posted here.

C:\windows\PRAGMAyycvksevpe is empty.

Link to post
Share on other sites

I am still occasionally getting unsolicited popups (i.e. not triggered by clicking anything), and Avast just gave me another trojan warning (see below). I am also unable to start the Windows Firewall.

Avast warning:

Sign of "JS:FakeAV-J [Trj]" has been found in "http://goolexxro.com/hh/\{gzip}" file.

Link to post
Share on other sites

  • Launch Malwarebytes' Anti-Malware
  • Go to "Update" tab and select "Check for Updates". If an update is found, it will download and install the latest version.
  • Go to "Scanner" tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Link to post
Share on other sites

Malwarebytes log:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3983

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/12/2010 10:53:57 PM
mbam-log-2010-04-12 (22-53-57).txt

Scan type: Quick scan
Objects scanned: 112096
Time elapsed: 12 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Still having issues though. A randomly named process seemed to be keeping Malwarebytes from scaning until I ended it in the task manager.

Link to post
Share on other sites

Delete your copy of ComboFix. Now:

**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer. **

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Please download ComboFix from

Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Open Tools -> Options -> Main tab
    • Set to Always ask me where to Save the files.

[*]During the download, rename Combofix to Combo-Fix as follows:

CF_download_FF.gif

CF_download_rename.gif

[*]It is important you rename Combofix during the download, but not after.

[*]Please do not rename Combofix to other names, but only to the one indicated.

[*]Close any open browsers.

[*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

[*]Double click on combo-Fix.exe & follow the prompts.

[*]When finished, it will produce a report for you.

[*]Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

Link to post
Share on other sites

ComboFix log:

ComboFix 10-04-12.04 - User 04/12/2010 23:24:01.2.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.224 [GMT -7:00]

Running from: c:\documents and settings\User\Desktop\Combo-Fix.exe

AV: avast! antivirus 4.8.1368 [VPS 100412-2] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

((((((((((((((((((((((((( Files Created from 2010-03-13 to 2010-04-13 )))))))))))))))))))))))))))))))

.

2010-04-12 01:41 . 2010-04-12 01:41 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes

2010-04-11 06:57 . 2010-04-11 18:36 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft

2010-04-11 06:57 . 2010-04-11 06:58 -------- d-----w- c:\documents and settings\Administrator

2010-04-09 05:13 . 2010-04-11 06:25 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-03-28 23:08 . 2010-03-28 23:10 -------- d-----w- c:\program files\HRBlock2009

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-04-13 05:30 . 2010-04-12 21:58 112 ----a-w- c:\documents and settings\All Users\Application Data\7JN6Jyf3W.dat

2010-04-13 05:30 . 2010-04-13 05:30 71170 ----a-w- c:\documents and settings\All Users\Application Data\Kb7M1GA8.exe

2010-04-13 05:30 . 2010-04-13 05:30 71170 ----a-w- c:\documents and settings\All Users\Application Data\Kb7M1GA8.exe

2010-04-13 05:16 . 2005-08-19 03:11 -------- d-----w- c:\program files\QuickTime

2010-04-12 21:55 . 2009-01-22 03:44 -------- d-----w- c:\program files\iTunes

2010-04-12 21:55 . 2010-04-12 21:55 41472 ----a-w- c:\windows\Fonts\On6WEm.com

2010-04-12 08:13 . 2005-08-13 18:50 -------- d-----w- c:\program files\Common Files\Adobe

2010-04-12 01:39 . 2010-04-12 00:01 -------- d-----w- c:\program files\Spybot

2010-04-12 00:58 . 2010-04-12 00:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-04-12 00:58 . 2010-04-12 00:58 -------- d-----w- c:\program files\Malwarebytes

2010-04-12 00:58 . 2010-04-12 00:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-04-12 00:10 . 2005-08-06 22:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-04-11 21:58 . 2010-04-11 14:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-04-11 18:21 . 2010-04-11 18:21 279816 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-04-11 15:03 . 2010-04-11 15:02 -------- d-----w- c:\program files\Scanner

2010-04-07 03:20 . 2007-11-23 06:41 -------- d-----w- c:\program files\Avast

2010-04-05 06:27 . 2006-08-29 03:43 -------- d-----w- c:\documents and settings\User\Application Data\Azureus

2010-03-30 07:46 . 2010-04-12 00:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-30 07:45 . 2010-04-12 00:58 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-28 23:14 . 2010-03-28 23:13 21195208 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Update\US30026901xupd.exe

2010-03-28 23:12 . 2008-01-29 01:49 -------- d-----w- c:\documents and settings\User\Application Data\TaxCut

2010-03-28 22:59 . 2008-01-29 01:44 -------- d-----w- c:\documents and settings\All Users\Application Data\TaxCut

2010-02-25 06:24 . 2004-08-04 12:00 916480 ------w- c:\windows\system32\wininet.dll

.

<pre>
c:\program files\Common Files\Real\Update_OB\realsched .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
</pre>

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]

"NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2010-04-12 41476]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-07-28 4841472]

"nwiz"="nwiz.exe" [2003-07-28 323584]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-04-12 41476]

"avast!"="c:\progra~1\Avast\ashDisp.exe" [2009-11-24 81000]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-12 41476]

c:\documents and settings\User\Start Menu\Programs\Startup\

Watch.lnk - c:\windows\twain_32\A4S2_600\WATCH.EXE [2005-9-25 184320]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [4/10/2008 5:27 PM 114768]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/10/2008 5:27 PM 20560]

.

Contents of the 'Scheduled Tasks' folder

2010-04-12 c:\windows\Tasks\At1.job

- c:\windows\Fonts\On6WEm.com [2010-04-12 21:55]

2010-04-12 c:\windows\Tasks\At10.job

- c:\windows\Fonts\On6WEm.com [2010-04-12 21:55]

2010-04-12 c:\windows\Tasks\At11.job

- c:\windows\Fonts\On6WEm.com [2010-04-12 21:55]

2010-04-12 c:\windows\Tasks\At12.job

- c:\windows\Fonts\On6WEm.com [2010-04-12 21:55]

2010-04-12 c:\windows\Tasks\At13.job

- c:\windows\Fonts\On6WEm.com [2010-04-12 21:55]

2010-04-12 c:\windows\Tasks\At14.job

- c:\windows\Fonts\On6WEm.com [2010-04-12 21:55]

2010-04-12 c:\windows\Tasks\At15.job

- c:\windows\Fonts\On6WEm.com [2010-04-12 21:55]

2010-04-12 c:\windows\Tasks\At16.job

- c:\windows\Fonts\On6WEm.com [2010-04-12 21:55]

2010-04-12 c:\windows\Tasks\At17.job

- c:\windows\Fonts\On6WEm.com [2010-04-12 21:55]

2010-04-13 c:\windows\Tasks\At18.job

- c:\windows\Fonts\On6WEm.com [2010-04-12 21:55]

2010-04-13 c:\windows\Tasks\At19.job

- c:\windows\Fonts\On6WEm.com [2010-04-12 21:55]

2010-04-12 c:\windows\Tasks\At2.job

- c:\windows\Fonts\On6WEm.com [2010-04-12 21:55]

2010-04-13 c:\windows\Tasks\At20.job

- c:\windows\Fonts\On6WEm.com [2010-04-12 21:55]

2010-04-13 c:\windows\Tasks\At21.job

- c:\windows\Fonts\On6WEm.com [2010-04-12 21:55]

2010-04-13 c:\windows\Tasks\At22.job

- c:\windows\Fonts\On6WEm.com [2010-04-12 21:55]

2010-04-13 c:\windows\Tasks\At23.job

- c:\windows\Fonts\On6WEm.com [2010-04-12 21:55]

2010-04-13 c:\windows\Tasks\At24.job

- c:\windows\Fonts\On6WEm.com [2010-04-12 21:55]

2010-04-12 c:\windows\Tasks\At3.job

- c:\windows\Fonts\On6WEm.com [2010-04-12 21:55]

2010-04-12 c:\windows\Tasks\At4.job

- c:\windows\Fonts\On6WEm.com [2010-04-12 21:55]

2010-04-12 c:\windows\Tasks\At5.job

- c:\windows\Fonts\On6WEm.com [2010-04-12 21:55]

2010-04-12 c:\windows\Tasks\At6.job

- c:\windows\Fonts\On6WEm.com [2010-04-12 21:55]

2010-04-12 c:\windows\Tasks\At7.job

- c:\windows\Fonts\On6WEm.com [2010-04-12 21:55]

2010-04-12 c:\windows\Tasks\At8.job

- c:\windows\Fonts\On6WEm.com [2010-04-12 21:55]

2010-04-12 c:\windows\Tasks\At9.job

- c:\windows\Fonts\On6WEm.com [2010-04-12 21:55]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000

DPF: {21BB8360-F943-447E-98F3-3C22345375A7} - hxxp://webgames.d.tmsrv.com/c=6938673a4cc9aaa50d6f456aaa8f0b47/aff=t_03cm_wg/p/release/playfirst/wg_chocolatier/chocolatier/ChocolatierWeb.1.0.0.13.cab

FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\4bgulz0o.default\

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-04-12 23:39

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\windows\TEMP\flaB.tmp 11873910 bytes

scan completed successfully

hidden files: 1

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x826D8AC8]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xf865af28

\Driver\ACPI -> ACPI.sys @ 0xf85adcb8

\Driver\atapi -> atapi.sys @ 0xf8565852

IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598

ParseProcedure -> ntoskrnl.exe @ 0x8056ea15

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598

ParseProcedure -> ntoskrnl.exe @ 0x8056ea15

NDIS: NVIDIA nForce Networking Controller -> SendCompleteHandler -> NDIS.sys @ 0xf8471bb0

PacketIndicateHandler -> NDIS.sys @ 0xf847ea21

SendHandler -> NDIS.sys @ 0xf845c87b

user & kernel MBR OK

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(656)

c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(716)

c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(856)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2010-04-12 23:53:52

ComboFix-quarantined-files.txt 2010-04-13 06:53

ComboFix2.txt 2010-04-12 07:41

Pre-Run: 12,227,772,416 bytes free

Post-Run: 12,685,619,200 bytes free

- - End Of File - - F78102C23AD23CD2FA86BB53103C8E15

Link to post
Share on other sites

This allows more light to the problem. Before I write a script for ComboFix, please do the following:

Please go to http://virustotal.com

Next to the "Browse" button, in to the blank field, please paste the following:

c:\windows\Fonts\On6WEm.com

Hit SEND FILE. Please be patient, it will take a while to get it scanned. Once all the scanners are done, post back with the results (copy & paste them here)

Link to post
Share on other sites

File has already been analysed:

MD5: 1cc9fd3ba73aaa6020eb1a23640a49c6

First received: 2010.04.12 22:36:48 UTC

Date: 2010.04.13 01:37:17 UTC [<1D]

Results: 5/40

Permalink: analisis/609e408839986a721d5039d1a8f5d35954c67bcea16bd171a1ed7f59038dd99a-1271122637

Link to post
Share on other sites

That was fast! I like this way of working. Thanks!

Open Notepad and copy and paste the text in the code box below into it:

http://forums.malwarebytes.org/index.php?showtopic=46618

KillAll::

Collect::[8]
c:\documents and settings\All Users\Application Data\7JN6Jyf3W.dat
c:\documents and settings\All Users\Application Data\Kb7M1GA8.exe
c:\documents and settings\All Users\Application Data\Kb7M1GA8.exe
c:\windows\Fonts\On6WEm.com

RenV::
c:\program files\Common Files\Real\Update_OB\realsched .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe

AtJob::

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

Link to post
Share on other sites

ComboFix log:

ComboFix 10-04-12.04 - User 04/13/2010   0:34.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.314 [GMT -7:00]
Running from: c:\documents and settings\User\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1368 [VPS 100412-2] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

file zipped: c:\documents and settings\All Users\Application Data\7JN6Jyf3W.dat
file zipped: c:\documents and settings\All Users\Application Data\Kb7M1GA8.exe
file zipped: c:\windows\Fonts\On6WEm.com
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\7JN6Jyf3W.dat
c:\documents and settings\All Users\Application Data\Kb7M1GA8.exe
c:\windows\Fonts\On6WEm.com
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

.
((((((((((((((((((((((((( Files Created from 2010-03-13 to 2010-04-13 )))))))))))))))))))))))))))))))
.

2010-04-12 01:41 . 2010-04-12 01:41 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2010-04-11 06:57 . 2010-04-11 18:36 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft
2010-04-11 06:57 . 2010-04-11 06:58 -------- d-----w- c:\documents and settings\Administrator
2010-04-09 05:13 . 2010-04-11 06:25 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-28 23:08 . 2010-03-28 23:10 -------- d-----w- c:\program files\HRBlock2009

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-13 07:33 . 2005-08-19 03:11 -------- d-----w- c:\program files\QuickTime
2010-04-13 07:33 . 2009-01-22 03:44 -------- d-----w- c:\program files\iTunes
2010-04-12 08:13 . 2005-08-13 18:50 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-12 01:39 . 2010-04-12 00:01 -------- d-----w- c:\program files\Spybot
2010-04-12 00:58 . 2010-04-12 00:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-04-12 00:58 . 2010-04-12 00:58 -------- d-----w- c:\program files\Malwarebytes
2010-04-12 00:58 . 2010-04-12 00:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-12 00:10 . 2005-08-06 22:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-11 21:58 . 2010-04-11 14:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-11 18:21 . 2010-04-11 18:21 279816 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-11 15:03 . 2010-04-11 15:02 -------- d-----w- c:\program files\Scanner
2010-04-07 03:20 . 2007-11-23 06:41 -------- d-----w- c:\program files\Avast
2010-04-05 06:27 . 2006-08-29 03:43 -------- d-----w- c:\documents and settings\User\Application Data\Azureus
2010-03-30 07:46 . 2010-04-12 00:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 07:45 . 2010-04-12 00:58 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-28 23:14 . 2010-03-28 23:13 21195208 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Update\US30026901xupd.exe
2010-03-28 23:12 . 2008-01-29 01:49 -------- d-----w- c:\documents and settings\User\Application Data\TaxCut
2010-03-28 22:59 . 2008-01-29 01:44 -------- d-----w- c:\documents and settings\All Users\Application Data\TaxCut
2010-02-25 06:24 . 2004-08-04 12:00 916480 ------w- c:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-04 131072]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-07-28 4841472]
"nwiz"="nwiz.exe" [2003-07-28 323584]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-03-05 180269]
"avast!"="c:\progra~1\Avast\ashDisp.exe" [2009-11-24 81000]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]

c:\documents and settings\User\Start Menu\Programs\Startup\
Watch.lnk - c:\windows\twain_32\A4S2_600\WATCH.EXE [2005-9-25 184320]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [4/10/2008 5:27 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/10/2008 5:27 PM 20560]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
DPF: {21BB8360-F943-447E-98F3-3C22345375A7} - hxxp://webgames.d.tmsrv.com/c=6938673a4cc9aaa50d6f456aaa8f0b47/aff=t_03cm_wg/p/release/playfirst/wg_chocolatier/chocolatier/ChocolatierWeb.1.0.0.13.cab
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\4bgulz0o.default\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-13 00:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x826DEAC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf865af28
\Driver\ACPI -> ACPI.sys @ 0xf85adcb8
\Driver\atapi -> atapi.sys @ 0xf8565852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: NVIDIA nForce Networking Controller -> SendCompleteHandler -> NDIS.sys @ 0xf8471bb0
PacketIndicateHandler -> NDIS.sys @ 0xf847ea21
SendHandler -> NDIS.sys @ 0xf845c87b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(668)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(732)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1268)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avast\aswUpdSv.exe
c:\program files\Avast\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\nvsvc32.exe
c:\mscan\Msoffice\panel.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-04-13 01:07:40 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-13 08:07
ComboFix2.txt 2010-04-13 06:53
ComboFix3.txt 2010-04-12 07:41

Pre-Run: 12,701,638,656 bytes free
Post-Run: 12,670,218,240 bytes free

- - End Of File - - C1013AC9FC1045731FAB51DCA312454A

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:16:08 AM, on 4/13/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avast\aswUpdSv.exe
C:\Program Files\Avast\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Avast\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\twain_32\A4S2_600\WATCH.EXE
C:\MSCAN\Msoffice\panel.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avast\ashMaiSv.exe
C:\Program Files\Avast\ashWebSv.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: Watch.lnk = C:\WINDOWS\twain_32\A4S2_600\WATCH.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Watch.lnk = C:\WINDOWS\twain_32\A4S2_600\WATCH.EXE (User 'Default user')
O4 - Startup: Watch.lnk = C:\WINDOWS\twain_32\A4S2_600\WATCH.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {21BB8360-F943-447E-98F3-3C22345375A7} (CPlayFirstChocolatierControl Object) - http://webgames.d.tmsrv.com/c=6938673a4cc9aaa50d6f456aaa8f0b47/aff=t_03cm_wg/p/release/playfirst/wg_chocolatier/chocolatier/ChocolatierWeb.1.0.0.13.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.mumbojumbo.com/assets/22/webgame/ReflexiveWebGameLoader.cab
O16 - DPF: {44C1E3A2-B594-401C-B27A-D1B4476E4797} (XTSAC Control) - https://portal.drsclinic.com/XTSAC.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123648936968
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.mumbojumbo.com/assets/mjolauncher.cab
O16 - DPF: {B0FB831D-17F6-4CBD-9B5D-3305881D362E} (LHGLauncherXForm Control) - http://www.mumbojumbo.com/assets/HLGLauncher.CAB
O16 - DPF: {BAC761D3-DFFD-4DB4-A01D-173346E090A7} (CPlayFirstzenerchiControl Object) - http://webgames.d.tmsrv.com/c=1e991847199ced6add9da66556822a7f/aff=t_03cm_wg/p/release/playfirst/wg_zenerchi/zenerchi/ZenerchiWeb.1.0.0.10.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://chill.comcast.net/Gameshell/GameHost/1.0/OberonGameHost.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6990 bytes

Link to post
Share on other sites

  1. Please visit this website: Submit Malware Sample
  2. Against the inscription: "Link to topic where this file was requested:", insert links pointing to this topic in our forum.
  3. Against the inscription: "Browse to the file you want to submit:", click on the Choose... button.
  4. Navigate to the following file: C:\Qoobox\Quarantine\[8]-Submit_date_time.zip (date_time will be replaced with the date and time when this file was created)
  5. Against the inscription: "Leave any comments, further information about this file, or contact information:" should be written as follows:
    Sent at the request of Borislav.
  6. Once you're ready, click the Send File button.

Let me know how are things now.

Link to post
Share on other sites

Please read the following through carefully so that you understand what to do.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK. (If Vista, click on the Vista Orb and copy and paste the following into the Search field. (make sure you include the quotation marks) Then press Ctrl+Shift+Enter.)
    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v
  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • It may ask you to reboot the computer to complete the process. Allow it to do so.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.

Link to post
Share on other sites

TDSSKiller log:

12:03:14:187 2508	TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
12:03:14:187 2508 ===========================================================================
=====
12:03:14:187 2508 SystemInfo:

12:03:14:187 2508 OS Version: 5.1.2600 ServicePack: 3.0
12:03:14:187 2508 Product type: Workstation
12:03:14:187 2508 ComputerName: FAMILYCOMPUTER
12:03:14:187 2508 UserName: User
12:03:14:187 2508 Windows directory: C:\WINDOWS
12:03:14:187 2508 Processor architecture: Intel x86
12:03:14:187 2508 Number of processors: 1
12:03:14:187 2508 Page size: 0x1000
12:03:14:234 2508 Boot type: Normal boot
12:03:14:234 2508 ===========================================================================
=====
12:03:14:250 2508 UnloadDriverW: NtUnloadDriver error 2
12:03:14:250 2508 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
12:03:14:359 2508 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
12:03:14:359 2508 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
12:03:14:359 2508 wfopen_ex: Trying to KLMD file open
12:03:14:359 2508 wfopen_ex: File opened ok (Flags 2)
12:03:14:359 2508 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
12:03:14:359 2508 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
12:03:14:359 2508 wfopen_ex: Trying to KLMD file open
12:03:14:359 2508 wfopen_ex: File opened ok (Flags 2)
12:03:14:359 2508 Initialize success
12:03:14:359 2508
12:03:14:359 2508 Scanning Services ...
12:03:16:000 2508 Raw services enum returned 314 services
12:03:16:015 2508
12:03:16:015 2508 Scanning Kernel memory ...
12:03:16:015 2508 Devices to scan: 3
12:03:16:015 2508
12:03:16:015 2508 Driver Name: Disk
12:03:16:015 2508 IRP_MJ_CREATE : F865CBB0
12:03:16:015 2508 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
12:03:16:015 2508 IRP_MJ_CLOSE : F865CBB0
12:03:16:015 2508 IRP_MJ_READ : F8656D1F
12:03:16:015 2508 IRP_MJ_WRITE : F8656D1F
12:03:16:015 2508 IRP_MJ_QUERY_INFORMATION : 804FA88E
12:03:16:015 2508 IRP_MJ_SET_INFORMATION : 804FA88E
12:03:16:015 2508 IRP_MJ_QUERY_EA : 804FA88E
12:03:16:015 2508 IRP_MJ_SET_EA : 804FA88E
12:03:16:015 2508 IRP_MJ_FLUSH_BUFFERS : F86572E2
12:03:16:015 2508 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
12:03:16:015 2508 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
12:03:16:015 2508 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
12:03:16:015 2508 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
12:03:16:015 2508 IRP_MJ_DEVICE_CONTROL : F86573BB
12:03:16:015 2508 IRP_MJ_INTERNAL_DEVICE_CONTROL : F865AF28
12:03:16:015 2508 IRP_MJ_SHUTDOWN : F86572E2
12:03:16:015 2508 IRP_MJ_LOCK_CONTROL : 804FA88E
12:03:16:015 2508 IRP_MJ_CLEANUP : 804FA88E
12:03:16:015 2508 IRP_MJ_CREATE_MAILSLOT : 804FA88E
12:03:16:015 2508 IRP_MJ_QUERY_SECURITY : 804FA88E
12:03:16:015 2508 IRP_MJ_SET_SECURITY : 804FA88E
12:03:16:015 2508 IRP_MJ_POWER : F8658C82
12:03:16:015 2508 IRP_MJ_SYSTEM_CONTROL : F865D99E
12:03:16:015 2508 IRP_MJ_DEVICE_CHANGE : 804FA88E
12:03:16:015 2508 IRP_MJ_QUERY_QUOTA : 804FA88E
12:03:16:015 2508 IRP_MJ_SET_QUOTA : 804FA88E
12:03:16:046 2508 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
12:03:16:046 2508
12:03:16:046 2508 Driver Name: Disk
12:03:16:046 2508 IRP_MJ_CREATE : F865CBB0
12:03:16:046 2508 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
12:03:16:046 2508 IRP_MJ_CLOSE : F865CBB0
12:03:16:046 2508 IRP_MJ_READ : F8656D1F
12:03:16:046 2508 IRP_MJ_WRITE : F8656D1F
12:03:16:046 2508 IRP_MJ_QUERY_INFORMATION : 804FA88E
12:03:16:046 2508 IRP_MJ_SET_INFORMATION : 804FA88E
12:03:16:046 2508 IRP_MJ_QUERY_EA : 804FA88E
12:03:16:046 2508 IRP_MJ_SET_EA : 804FA88E
12:03:16:046 2508 IRP_MJ_FLUSH_BUFFERS : F86572E2
12:03:16:046 2508 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
12:03:16:046 2508 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
12:03:16:046 2508 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
12:03:16:046 2508 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
12:03:16:046 2508 IRP_MJ_DEVICE_CONTROL : F86573BB
12:03:16:046 2508 IRP_MJ_INTERNAL_DEVICE_CONTROL : F865AF28
12:03:16:046 2508 IRP_MJ_SHUTDOWN : F86572E2
12:03:16:046 2508 IRP_MJ_LOCK_CONTROL : 804FA88E
12:03:16:046 2508 IRP_MJ_CLEANUP : 804FA88E
12:03:16:046 2508 IRP_MJ_CREATE_MAILSLOT : 804FA88E
12:03:16:046 2508 IRP_MJ_QUERY_SECURITY : 804FA88E
12:03:16:046 2508 IRP_MJ_SET_SECURITY : 804FA88E
12:03:16:046 2508 IRP_MJ_POWER : F8658C82
12:03:16:046 2508 IRP_MJ_SYSTEM_CONTROL : F865D99E
12:03:16:046 2508 IRP_MJ_DEVICE_CHANGE : 804FA88E
12:03:16:046 2508 IRP_MJ_QUERY_QUOTA : 804FA88E
12:03:16:046 2508 IRP_MJ_SET_QUOTA : 804FA88E
12:03:16:078 2508 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
12:03:16:078 2508
12:03:16:078 2508 Driver Name: atapi
12:03:16:078 2508 IRP_MJ_CREATE : 826DEAC8
12:03:16:078 2508 IRP_MJ_CREATE_NAMED_PIPE : 826DEAC8
12:03:16:078 2508 IRP_MJ_CLOSE : 826DEAC8
12:03:16:078 2508 IRP_MJ_READ : 826DEAC8
12:03:16:078 2508 IRP_MJ_WRITE : 826DEAC8
12:03:16:078 2508 IRP_MJ_QUERY_INFORMATION : 826DEAC8
12:03:16:078 2508 IRP_MJ_SET_INFORMATION : 826DEAC8
12:03:16:078 2508 IRP_MJ_QUERY_EA : 826DEAC8
12:03:16:078 2508 IRP_MJ_SET_EA : 826DEAC8
12:03:16:078 2508 IRP_MJ_FLUSH_BUFFERS : 826DEAC8
12:03:16:078 2508 IRP_MJ_QUERY_VOLUME_INFORMATION : 826DEAC8
12:03:16:078 2508 IRP_MJ_SET_VOLUME_INFORMATION : 826DEAC8
12:03:16:078 2508 IRP_MJ_DIRECTORY_CONTROL : 826DEAC8
12:03:16:078 2508 IRP_MJ_FILE_SYSTEM_CONTROL : 826DEAC8
12:03:16:078 2508 IRP_MJ_DEVICE_CONTROL : 826DEAC8
12:03:16:078 2508 IRP_MJ_INTERNAL_DEVICE_CONTROL : 826DEAC8
12:03:16:078 2508 IRP_MJ_SHUTDOWN : 826DEAC8
12:03:16:078 2508 IRP_MJ_LOCK_CONTROL : 826DEAC8
12:03:16:078 2508 IRP_MJ_CLEANUP : 826DEAC8
12:03:16:078 2508 IRP_MJ_CREATE_MAILSLOT : 826DEAC8
12:03:16:078 2508 IRP_MJ_QUERY_SECURITY : 826DEAC8
12:03:16:078 2508 IRP_MJ_SET_SECURITY : 826DEAC8
12:03:16:078 2508 IRP_MJ_POWER : 826DEAC8
12:03:16:078 2508 IRP_MJ_SYSTEM_CONTROL : 826DEAC8
12:03:16:078 2508 IRP_MJ_DEVICE_CHANGE : 826DEAC8
12:03:16:078 2508 IRP_MJ_QUERY_QUOTA : 826DEAC8
12:03:16:078 2508 IRP_MJ_SET_QUOTA : 826DEAC8
12:03:16:078 2508 Driver "atapi" infected by TDSS rootkit!
12:03:16:140 2508 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
12:03:16:140 2508 File "C:\WINDOWS\system32\DRIVERS\atapi.sys" infected by TDSS rootkit ... 12:03:16:140 2508 Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
12:03:16:140 2508 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
12:03:17:109 2508 vfvi6
12:03:17:890 2508 !dsvbh1
12:03:27:203 2508 dsvbh2
12:03:27:203 2508 fdfb2
12:03:27:203 2508 Backup copy found, using it..
12:03:27:250 2508 will be cured on next reboot
12:03:27:250 2508 Reboot required for cure complete..
12:03:27:250 2508 Cure on reboot scheduled successfully
12:03:27:250 2508
12:03:27:250 2508 Completed
12:03:27:250 2508
12:03:27:250 2508 Results:
12:03:27:250 2508 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
12:03:27:250 2508 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
12:03:27:250 2508 File objects infected / cured / cured on reboot: 1 / 0 / 1
12:03:27:250 2508
12:03:27:250 2508 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
12:03:27:250 2508 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
12:03:27:250 2508 UnloadDriverW: NtUnloadDriver error 1
12:03:27:250 2508 KLMD(ARK) unloaded successfully

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.