Jump to content

Rootkit infection, Need Assistance


TD5
 Share

Recommended Posts

About 10 days ago I started to get constantly redirected on Google search entries. I updated and ran Malwarebytes and several problems were discovered, which I then cleared. The logfile is shown below. That seemed to fix the problem, almost. Now, on occasion, I'll get redirected for the initial page of a Google search result for which all entries on that first page get redirected. I change the Google search item which creates another page of results and its okay, even going back to my original search results page and everything works okay. Then a day or so later I enter a new search and it hits again. I've attached short list of a few addresses that I'm directed to redirect_info.txt, and a couple of "Unable to Connect" to servers that I encountered.

Today I updated Malwarebytes and ran a quickscan. that came up with nothing. I also installed updated and ran Avira. and it came up one item related to my bank which I quarantined. both of these files are shown below.

I would appreciate help to work through getting rid of the rootkit.

--------------------------------------------------

Initial MWAM scan

-------------------------------------------------

Malwarebytes' Anti-Malware 1.45

www.malwarebytes.org

Database version: 3930

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

4/19/2010 7:42:45 PM

mbam-log-2010-04-19 (19-42-45).txt

Scan type: Full scan (C:\|G:\|)

Objects scanned: 208257

Time elapsed: 1 hour(s), 16 minute(s), 38 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 0

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\Software\YVIBBBHA8C (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

----------------------------------------------

2nd MWBM Scan

----------------------------------------------

Malwarebytes' Anti-Malware 1.45

www.malwarebytes.org

Database version: 4029

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

4/23/2010 11:15:23 PM

mbam-log-2010-04-23 (23-15-23).txt

Scan type: Quick scan

Objects scanned: 114112

Time elapsed: 8 minute(s), 9 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

_________________________

Avira log

----------------------------------

Avira AntiVir Personal

Report file date: Friday, April 23, 2010 20:48

Scanning for 2035268 virus strains and unwanted programs.

The program is running as an unrestricted full version.

Online services are available:

Licensee : Avira AntiVir Personal - FREE Antivirus

Serial number : 0000149996-ADJIE-0000001

Platform : Windows XP

Windows version : (Service Pack 3) [5.1.2600]

Boot mode : Normally booted

Username : SYSTEM

Computer name : ACER_PENT

Version information:

BUILD.DAT : 10.0.0.567 32097 Bytes 4/19/2010 15:07:00

AVSCAN.EXE : 10.0.3.0 433832 Bytes 4/1/2010 17:37:38

AVSCAN.DLL : 10.0.3.0 46440 Bytes 4/1/2010 17:57:04

LUKE.DLL : 10.0.2.3 104296 Bytes 3/7/2010 23:33:04

LUKERES.DLL : 10.0.0.1 12648 Bytes 2/11/2010 04:40:49

VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 14:05:36

VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 00:27:49

VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 22:37:42

VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 21:37:42

VBASE004.VDF : 7.10.4.203 1579008 Bytes 3/5/2010 16:29:03

VBASE005.VDF : 7.10.6.82 2494464 Bytes 4/15/2010 15:14:42

VBASE006.VDF : 7.10.6.83 2048 Bytes 4/15/2010 15:14:42

VBASE007.VDF : 7.10.6.84 2048 Bytes 4/15/2010 15:14:42

VBASE008.VDF : 7.10.6.85 2048 Bytes 4/15/2010 15:14:42

VBASE009.VDF : 7.10.6.86 2048 Bytes 4/15/2010 15:14:42

VBASE010.VDF : 7.10.6.87 2048 Bytes 4/15/2010 15:14:44

VBASE011.VDF : 7.10.6.88 2048 Bytes 4/15/2010 15:14:44

VBASE012.VDF : 7.10.6.89 2048 Bytes 4/15/2010 15:14:44

VBASE013.VDF : 7.10.6.90 2048 Bytes 4/15/2010 15:14:44

VBASE014.VDF : 7.10.6.123 126464 Bytes 4/19/2010 15:14:45

VBASE015.VDF : 7.10.6.152 123392 Bytes 4/21/2010 15:14:45

VBASE016.VDF : 7.10.6.178 122880 Bytes 4/22/2010 15:14:46

VBASE017.VDF : 7.10.6.179 2048 Bytes 4/22/2010 15:14:46

VBASE018.VDF : 7.10.6.180 2048 Bytes 4/22/2010 15:14:46

VBASE019.VDF : 7.10.6.181 2048 Bytes 4/22/2010 15:14:46

VBASE020.VDF : 7.10.6.182 2048 Bytes 4/22/2010 15:14:46

VBASE021.VDF : 7.10.6.183 2048 Bytes 4/22/2010 15:14:47

VBASE022.VDF : 7.10.6.184 2048 Bytes 4/22/2010 15:14:47

VBASE023.VDF : 7.10.6.185 2048 Bytes 4/22/2010 15:14:47

VBASE024.VDF : 7.10.6.186 2048 Bytes 4/22/2010 15:14:47

VBASE025.VDF : 7.10.6.187 2048 Bytes 4/22/2010 15:14:47

VBASE026.VDF : 7.10.6.188 2048 Bytes 4/22/2010 15:14:47

VBASE027.VDF : 7.10.6.189 2048 Bytes 4/22/2010 15:14:48

VBASE028.VDF : 7.10.6.190 2048 Bytes 4/22/2010 15:14:48

VBASE029.VDF : 7.10.6.191 2048 Bytes 4/22/2010 15:14:48

VBASE030.VDF : 7.10.6.192 2048 Bytes 4/22/2010 15:14:48

VBASE031.VDF : 7.10.6.196 40960 Bytes 4/23/2010 15:14:48

Engineversion : 8.2.1.224

AEVDF.DLL : 8.1.2.0 106868 Bytes 4/23/2010 15:14:56

AESCRIPT.DLL : 8.1.3.27 1294714 Bytes 4/23/2010 15:14:55

AESCN.DLL : 8.1.5.0 127347 Bytes 2/25/2010 23:38:41

AESBX.DLL : 8.1.3.1 254324 Bytes 4/23/2010 15:14:56

AERDL.DLL : 8.1.4.6 541043 Bytes 4/23/2010 15:14:54

AEPACK.DLL : 8.2.1.1 426358 Bytes 3/19/2010 17:34:51

AEOFFICE.DLL : 8.1.0.41 201083 Bytes 3/17/2010 16:09:46

AEHEUR.DLL : 8.1.1.24 2613623 Bytes 4/23/2010 15:14:53

AEHELP.DLL : 8.1.11.3 242039 Bytes 4/1/2010 21:05:25

AEGEN.DLL : 8.1.3.7 373106 Bytes 4/23/2010 15:14:50

AEEMU.DLL : 8.1.2.0 393588 Bytes 4/23/2010 15:14:50

AECORE.DLL : 8.1.13.1 188790 Bytes 4/1/2010 21:05:25

AEBB.DLL : 8.1.1.0 53618 Bytes 4/23/2010 15:14:49

AVWINLL.DLL : 10.0.0.0 19304 Bytes 1/14/2010 17:03:38

AVPREF.DLL : 10.0.0.0 44904 Bytes 1/14/2010 17:03:35

AVREP.DLL : 10.0.0.8 62209 Bytes 2/18/2010 21:47:40

AVREG.DLL : 10.0.3.0 53096 Bytes 4/1/2010 17:35:46

AVSCPLR.DLL : 10.0.3.0 83816 Bytes 4/1/2010 17:39:51

AVARKT.DLL : 10.0.0.14 227176 Bytes 4/1/2010 17:22:13

AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 1/26/2010 14:53:30

SQLITE3.DLL : 3.6.19.0 355688 Bytes 1/28/2010 17:57:58

AVSMTP.DLL : 10.0.0.17 63848 Bytes 3/16/2010 20:38:56

NETNT.DLL : 10.0.0.0 11624 Bytes 2/19/2010 19:41:00

RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 1/28/2010 18:10:20

RCTEXT.DLL : 10.0.53.0 97128 Bytes 4/9/2010 19:14:29

Configuration settings for the scan:

Jobname.............................: Complete system scan

Configuration file..................: C:\Program Files\Avira\AntiVir Desktop\sysscan.avp

Logging.............................: low

Primary action......................: interactive

Secondary action....................: ignore

Scan master boot sector.............: on

Scan boot sector....................: on

Boot sectors........................: C:, D:, G:,

Process scan........................: on

Extended process scan...............: on

Scan registry.......................: on

Search for rootkits.................: on

Integrity checking of system files..: off

Scan all files......................: All files

Scan archives.......................: on

Recursion depth.....................: 20

Smart extensions....................: on

Macro heuristic.....................: on

File heuristic......................: medium

Start of the scan: Friday, April 23, 2010 20:48

Starting search for hidden objects.

c:\program files\mozilla firefox\firefox.exe

c:\Program Files\Mozilla Firefox\firefox.exe

[NOTE] The process is not visible.

c:\program files\mozilla firefox\firefox.exe

c:\program files\mozilla firefox\firefox.exe

c:\program files\mozilla firefox\firefox.exe

c:\program files\mozilla firefox\firefox.exe

c:\windows\system32\verclsid.exe

c:\WINDOWS\system32\verclsid.exe

[NOTE] The process is not visible.

c:\program files\spybot - search & destroy\spybotsd.exe

c:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

[NOTE] The process is not visible.

c:\program files\spybot - search & destroy\spybotsd.exe

c:\program files\spybot - search & destroy\teatimer.exe

c:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[NOTE] The process is not visible.

c:\program files\spybot - search & destroy\sdupdate.exe

c:\Program Files\Spybot - Search & Destroy\SDUpdate.exe

[NOTE] The process is not visible.

c:\program files\spybot - search & destroy\sdupdate.exe

c:\program files\spybot - search & destroy\sdupdate.exe

c:\program files\spybot - search & destroy\sdupdate.exe

c:\program files\windows defender\mpcmdrun.exe

c:\Program Files\Windows Defender\MpCmdRun.exe

[NOTE] The process is not visible.

c:\program files\windows defender\mpcmdrun.exe

g:\program files\ca\etrust internet security suite\ccupdate\ccupdate.exe

g:\Program Files\CA\eTrust Internet Security Suite\ccupdate\ccupdate.exe

[NOTE] The process is not visible.

c:\program files\acronis\trueimagehome\trueimagemonitor.exe

c:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

[NOTE] The process is not visible.

c:\windows\system32\imapi.exe

c:\WINDOWS\system32\imapi.exe

[NOTE] The process is not visible.

c:\program files\outlook express\msimn.exe

c:\Program Files\Outlook Express\msimn.exe

[NOTE] The process is not visible.

c:\program files\hostsman\hm.exe

c:\Program Files\HostsMan\hm.exe

[NOTE] The process is not visible.

c:\program files\hostsman\hm.exe

c:\program files\hostsman\hm.exe

c:\program files\hostsman\hm.exe

c:\program files\hostsman\hm.exe

c:\program files\hostsman\hm.exe

c:\windows\hh.exe

c:\WINDOWS\hh.exe

[NOTE] The process is not visible.

c:\windows\hh.exe

c:\windows\hh.exe

c:\windows\system32\wbem\wmiprvse.exe

c:\WINDOWS\system32\wbem\wmiprvse.exe

[NOTE] The process is not visible.

c:\program files\google\common\google updater\googleupdaterservice.exe

c:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

[NOTE] The process is not visible.

c:\program files\google\update\googleupdate.exe

c:\Program Files\Google\Update\GoogleUpdate.exe

[NOTE] The process is not visible.

c:\program files\google\update\googleupdate.exe

c:\program files\google\update\googleupdate.exe

c:\windows\system32\notepad.exe

c:\WINDOWS\system32\notepad.exe

[NOTE] The process is not visible.

c:\program files\avira\antivir desktop\avwsc.exe

c:\Program Files\Avira\AntiVir Desktop\avwsc.exe

[NOTE] The process is not visible.

c:\program files\avira\antivir desktop\avwsc.exe

c:\docume~1\tdupre~1\locals~1\temp\7zs15.tmp\hostsman_setup.tmp

c:\Documents and Settings\T Duprex\Local Settings\Temp

[NOTE] The process is not visible.

c:\windows\system32\userinit.exe

c:\WINDOWS\system32\userinit.exe

[NOTE] The process is not visible.

c:\windows\system32\dumprep.exe

c:\WINDOWS\system32\dumprep.exe

[NOTE] The process is not visible.

c:\windows\system32\wgatray.exe

c:\WINDOWS\system32\WgaTray.exe

[NOTE] The process is not visible.

c:\program files\compact wireless-g usb adapter wireless network monitor\wusb54gc.exe

c:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe

[NOTE] The process is not visible.

g:\program files\winkey\winkey.exe

g:\Program Files\Winkey\WinKey.exe

[NOTE] The process is not visible.

c:\program files\compact wireless-g usb adapter wireless network monitor\pcarmdrv.exe

c:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\PCARmDrv.exe

[NOTE] The process is not visible.

c:\windows\system32\taskmgr.exe

c:\WINDOWS\system32\taskmgr.exe

[NOTE] The process is not visible.

c:\windows\system32\taskmgr.exe

g:\program files\ca\etrust internet security suite\cawsc.exe

g:\Program Files\CA\eTrust Internet Security Suite\cawsc.exe

[NOTE] The process is not visible.

c:\windows\system32\dwwin.exe

c:\WINDOWS\system32\dwwin.exe

[NOTE] The process is not visible.

c:\program files\java\jre6\bin\jqsnotify.exe

c:\Program Files\Java\jre6\bin\jqsnotify.exe

[NOTE] The process is not visible.

c:\docume~1\tdupre~1\locals~1\temp\temporary directory 1 for hm_3.2.73_installer.zip\hostsman_setup.exe

c:\Documents and Settings\T Duprex\Local Settings\Temp

[NOTE] The process is not visible.

c:\program files\hostsman\uninstall.exe

c:\Program Files\HostsMan\uninstall.exe

[NOTE] The process is not visible.

c:\program files\microsoft intellipoint\dpupdchk.exe

c:\Program Files\Microsoft IntelliPoint\dpupdchk.exe

[NOTE] The process is not visible.

c:\program files\microsoft intellipoint\ipoint.exe

c:\Program Files\Microsoft IntelliPoint\ipoint.exe

[NOTE] The process is not visible.

c:\progra~1\common~1\micros~1\dw\dwtrig20.exe

c:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE

[NOTE] The process is not visible.

c:\windows\system32\nwiz.exe

c:\WINDOWS\system32\nwiz.exe

[NOTE] The process is not visible.

c:\windows\system32\rundll32.exe

c:\WINDOWS\system32\rundll32.exe

[NOTE] The process is not visible.

c:\program files\avira\antivir desktop\avgnt.exe

c:\Program Files\Avira\AntiVir Desktop\avgnt.exe

[NOTE] The process is not visible.

c:\program files\avira\antivir desktop\avconfig.exe

c:\Program Files\Avira\AntiVir Desktop\avconfig.exe

[NOTE] The process is not visible.

The scan of running processes will be started

Scan process 'rsmsink.exe' - '31' Module(s) have been scanned

Scan process 'msdtc.exe' - '42' Module(s) have been scanned

Scan process 'dllhost.exe' - '63' Module(s) have been scanned

Scan process 'dllhost.exe' - '47' Module(s) have been scanned

Scan process 'vssvc.exe' - '50' Module(s) have been scanned

Scan process 'avscan.exe' - '69' Module(s) have been scanned

Scan process 'avcenter.exe' - '111' Module(s) have been scanned

Scan process 'TeaTimer.exe' - '42' Module(s) have been scanned

Scan process 'WUSB54GC.exe' - '63' Module(s) have been scanned

Scan process 'igfxsrvc.exe' - '32' Module(s) have been scanned

Scan process 'ccprovsp.exe' - '24' Module(s) have been scanned

Scan process 'Explorer.EXE' - '137' Module(s) have been scanned

Scan process 'svchost.exe' - '36' Module(s) have been scanned

Scan process 'alg.exe' - '37' Module(s) have been scanned

Scan process 'PDEngine.exe' - '44' Module(s) have been scanned

Scan process 'WLService.exe' - '15' Module(s) have been scanned

Scan process 'TrueImageTryStartService.exe' - '30' Module(s) have been scanned

Scan process 'svchost.exe' - '41' Module(s) have been scanned

Scan process 'PDAgent.exe' - '46' Module(s) have been scanned

Scan process 'mdm.exe' - '24' Module(s) have been scanned

Scan process 'LockServ.exe' - '47' Module(s) have been scanned

Scan process 'LSSrvc.exe' - '19' Module(s) have been scanned

Scan process 'GoogleUpdate.exe' - '37' Module(s) have been scanned

Scan process 'jqs.exe' - '37' Module(s) have been scanned

Scan process 'ccschedulersvc.exe' - '36' Module(s) have been scanned

Scan process 'isafe.exe' - '42' Module(s) have been scanned

Scan process 'mDNSResponder.exe' - '37' Module(s) have been scanned

Scan process 'avshadow.exe' - '28' Module(s) have been scanned

Scan process 'awServ.exe' - '105' Module(s) have been scanned

Scan process 'AppleMobileDeviceService.exe' - '37' Module(s) have been scanned

Scan process 'avguard.exe' - '57' Module(s) have been scanned

Scan process 'schedul2.exe' - '23' Module(s) have been scanned

Scan process 'MemCheck.exe' - '45' Module(s) have been scanned

Scan process 'a2service.exe' - '30' Module(s) have been scanned

Scan process 'svchost.exe' - '36' Module(s) have been scanned

Scan process 'sched.exe' - '48' Module(s) have been scanned

Scan process 'UmxAgent.exe' - '45' Module(s) have been scanned

Scan process 'UmxPol.exe' - '25' Module(s) have been scanned

Scan process 'UmxCfg.exe' - '38' Module(s) have been scanned

Scan process 'rundll32.exe' - '50' Module(s) have been scanned

Scan process 'spoolsv.exe' - '72' Module(s) have been scanned

Scan process 'svchost.exe' - '48' Module(s) have been scanned

Scan process 'svchost.exe' - '168' Module(s) have been scanned

Scan process 'MsMpEng.exe' - '44' Module(s) have been scanned

Scan process 'svchost.exe' - '44' Module(s) have been scanned

Scan process 'svchost.exe' - '56' Module(s) have been scanned

Scan process 'lsass.exe' - '61' Module(s) have been scanned

Scan process 'services.exe' - '39' Module(s) have been scanned

Scan process 'winlogon.exe' - '87' Module(s) have been scanned

Scan process 'csrss.exe' - '14' Module(s) have been scanned

Scan process 'smss.exe' - '2' Module(s) have been scanned

Starting master boot sector scan:

Master boot sector HD0

[iNFO] No virus was found!

Master boot sector HD1

[iNFO] No virus was found!

Master boot sector HD2

[iNFO] No virus was found!

Start scanning boot sectors:

Boot sector 'C:\'

[iNFO] No virus was found!

Boot sector 'D:\'

[iNFO] No virus was found!

Boot sector 'G:\'

[iNFO] No virus was found!

Starting to scan executable files (registry).

The registry was scanned ( '474' files ).

Starting the file scan:

Begin scan in 'C:\' <Operatiing System>

C:\Documents and Settings\T Duprex\Local Settings\Application Data\Identities\{7772A531-6B12-45EF-9B43-7D99B0E67F95}\Microsoft\Outlook Express\Bank of America.dbx

[DETECTION] Contains recognition pattern of the HTML/Spoofing.Gen HTML script virus

Begin scan in 'D:\' <SCRATCH>

Begin scan in 'G:\' <APPLICATIONS>

Beginning disinfection:

C:\Documents and Settings\T Duprex\Local Settings\Application Data\Identities\{7772A531-6B12-45EF-9B43-7D99B0E67F95}\Microsoft\Outlook Express\Bank of America.dbx

[DETECTION] Contains recognition pattern of the HTML/Spoofing.Gen HTML script virus

[NOTE] The file was moved to the quarantine directory under the name '4f44fc00.qua'.

End of the scan: Friday, April 23, 2010 22:32

Used time: 1:00:43 Hour(s)

The scan has been done completely.

9015 Scanned directories

362777 Files were scanned

1 Viruses and/or unwanted programs were found

0 Files were classified as suspicious

0 files were deleted

0 Viruses and unwanted programs were repaired

1 Files were moved to quarantine

0 Files were renamed

0 Files cannot be scanned

362776 Files not concerned

7776 Archives were scanned

0 Warnings

1 Notes

466793 Objects were scanned with rootkit scan

57 Hidden objects were found

initial_mbam_log_2010_04_19__19_42_45_.txt

Link to post
Share on other sites

  • Staff

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

  • 1.Please do not run any other tool untill instructed to do so!
    2.Please reply to this thread, do not start another!
    3.Please tell me about any problems that have occurred during the fix.
    4.Please tell me of any other symptoms you may be having as these can help also.
    5.Please try as much as possible not to run anything while executing a fix.

If you follow these instructions, everything should go smoothly.

I would like to get a better look at your system, please do the following so I can get some more detailed logs.

DeFogger:

  • Please download
DeFogger to your desktop.
Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine, if it does - click OK

Do not re-enable these drivers until otherwise instructed.

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:
    dds_scr.gif
    Download DDS and save it to your desktop
Link1
Link2
Link3
Please disable any anti-malware program that will block scripts from running before running DDS.
  • Double-Click on dds.scr and a command window will appear. This is normal.
  • Shortly after two logs will appear:
    • DDS.txt
    • Attach.txt

    [*]A window will open instructing you save & post the logs

    [*]Save the logs to a convenient place such as your desktop

    [*]Copy the contents of both logs & post in your next reply

Gmer

Download GMER Rootkit Scanner from here.

  • Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO
    GMER_2.png
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)

    [*]Then click the Scan button & wait for it to finish

    [*]Once done click on the [save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file

    [*]Save it where you can easily find it, such as your desktop, and post it in reply

**Caution**

Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

Note: Do not run any programs while Gmer is running.

information and logs:

  • In your next post I need the following
    • 1.logs from DDS
      2.log from GMER
      3.let me know of any problems you may have had

Gringo

Link to post
Share on other sites

Gringo:

As instructed I have obtained the DDS.txt, Attach.txt, and Gmer,txt files.

Problem encountered:

I had a problem with Gmer, in that when it finished the first time, when I clicked on SAVE and then typed Gmer.txt, then save the system locked up. I manually powered the system down to recover and consequently lost the Gmer log. This was almost four hours of scan I had to redo (I have over 200,000 files on my C drive). The second time through when Gmer finished, the address line went blank and the Save, and Copy buttons never came on, only the Scan button was indicating that it was selectable. I went ahead and clicked on copy based on what happened the first time and was successful in getting it on the clipboard and a file.

Thanks for helping me.

Tom D.

DDS.TXT file:

DDS (Ver_10-03-17.01) - NTFSx86

Run by T Duprex at 6:09:53.04 on Sat 04/24/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_19

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1304 [GMT -4:00]

AV: CA Anti-Virus Plus *On-access scanning disabled* (Updated) {6B98D35F-BB76-41C0-876B-A50645ED099A}

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe

C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe

C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

svchost.exe

C:\Program Files\a-squared Free\a2service.exe

C:\Acer\Empowering Technology\ePerformance\MemCheck.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Acer\LANScope Agent\awServ.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\Program Files\Bonjour\mDNSResponder.exe

G:\Program Files\CA\eTrust Internet Security Suite\CA Anti-Virus Plus\isafe.exe

G:\Program Files\CA\eTrust Internet Security Suite\ccschedulersvc.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Google\Update\GoogleUpdate.exe

c:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Acer\Empowering Technology\eLock\LockServ.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Raxco\PerfectDisk\PDAgent.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe

C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe

C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe

C:\Program Files\Raxco\PerfectDisk\PDEngine.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\system32\rundll32.exe

G:\Program Files\Winkey\WinKey.exe

C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Documents and Settings\T Duprex\Desktop\Defogger.exe

C:\Program Files\Brownie\brstswnd.exe

C:\Program Files\Brownie\Brnipmon.exe

G:\Program Files\CA\eTrust Internet Security Suite\casc.exe

G:\Program Files\CA\eTrust Internet Security Suite\ccprovsp.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Documents and Settings\T Duprex\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

uInternet Connection Wizard,ShellNext = hxxp://en.us.acer.yahoo.com/

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s

mSearchAssistant = hxxp://www.google.com/ie

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -

BHO: AutorunsDisabled - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - No File

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll

TB: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - No File

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -

TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [intelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"

mRun: [nwiz] nwiz.exe /install

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winkey.lnk - g:\program files\winkey\WinKey.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

uPolicies-explorer: NoActiveDesktop = 00000000

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - g:\progra~1\micros~1\office10\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - g:\progra~1\micros~1\office11\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

LSP: c:\windows\system32\VetRedir.dll

DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab

DPF: {070DC617-E3B7-468B-A29C-D4E84FAE938C} - hxxp://utilities.pcpitstop.com/pctuneup2/controls/pctuneup.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/0/5/7/05796dde-b2ba-4eef-8da4-f99c7e0c9b92/LegitCheckControl.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1222599322578

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab

DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {E6BB2089-163F-466B-812A-748096614DFD} - hxxp://cainternetsecurity.net/scanner/cascanner.cab

Notify: !SASWinLogon - g:\program files\superantispyware\SASWINLO.dll

Notify: igfxcui - igfxdev.dll

Notify: PFW - UmxWnp.Dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File

SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

LSA: Authentication Packages = msv1_0 relog_ap

Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\tdupre~1\applic~1\mozilla\firefox\profiles\38bduv9u.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\google updater\2.4.1739.5352\npCIDetect13.dll

FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - truec:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr

ef", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 KmxAMRT;KmxAMRT;c:\windows\system32\drivers\KmxAMRT.sys [2009-12-23 132088]

R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [2009-6-8 108024]

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-4-23 11608]

R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [2009-12-23 78840]

R1 SASDIFSV;SASDIFSV;g:\program files\superantispyware\sasdifsv.sys [2008-12-22 8944]

R1 SASKUTIL;SASKUTIL;g:\program files\superantispyware\SASKUTIL.SYS [2008-12-22 55024]

R2 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2010-4-21 1872320]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-4-23 135336]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-4-23 267432]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-4-23 60936]

R2 AWService;AdminWorks Agent X6;c:\acer\lanscope agent\awServ.exe [2006-4-21 67072]

R2 CAISafe;CAISafe;g:\program files\ca\etrust internet security suite\ca anti-virus plus\isafe.exe [2010-4-19 212992]

R2 ccSchedulerSVC;CA Common Scheduler Service;g:\program files\ca\etrust internet security suite\ccschedulersvc.exe [2010-4-19 206160]

R2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;c:\windows\system32\eLock2BurnerLockDriver.sys [2006-12-7 17536]

R2 eLock2FSCTLDriver;eLock2FSCTLDriver;c:\windows\system32\eLock2FSCTLDriver.sys [2006-12-7 90112]

R2 LockServ;LockServ;c:\acer\empowering technology\elock\lockserv.exe -p --> c:\acer\empowering technology\elock\LockServ.exe -p [?]

R2 UmxAgent;HIPS Event Manager;c:\program files\ca\sharedcomponents\hipsengine\UmxAgent.exe [2009-8-4 887288]

R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\ca\sharedcomponents\hipsengine\UmxCfg.exe [2009-7-13 760664]

R2 UmxPol;HIPS Policy Manager;c:\program files\ca\sharedcomponents\hipsengine\UmxPol.exe [2009-7-27 227832]

R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [2009-9-30 239608]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-6 135664]

S3 Acer ODDSpeedControl;Acer ODDSpeedControl;c:\acer\empowering technology\eacoustics\oddspeedctl\speedcontrol.exe [2006-12-7 81920]

S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\IcdUsb2.sys [2007-8-6 39048]

S3 KmxAMVet;KmxAMVet;c:\windows\system32\drivers\KmxAMVet.sys [2009-3-27 598656]

S3 SASENUM;SASENUM;g:\program files\superantispyware\SASENUM.SYS [2008-12-22 7408]

S3 scsiscan;SCSI Scanner Driver;c:\windows\system32\drivers\scsiscan.sys [2009-9-20 11520]

============== File Associations ===============

regfile=regedit.exe "%1" %*

scrfile="%1" %*

=============== Created Last 30 ================

2010-04-24 10:01:36 0 ----a-w- c:\documents and settings\t duprex\defogger_reenable

2010-04-24 00:48:13 0 d-----w- c:\docume~1\tdupre~1\applic~1\Avira

2010-04-23 23:51:48 0 d-----w- c:\program files\HostsMan

2010-04-23 15:13:32 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2010-04-23 15:13:30 0 d-----w- c:\program files\Avira

2010-04-23 15:13:30 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira

2010-04-22 10:47:04 89360 ----a-w- c:\windows\system32\VB5DB.DLL

2010-04-21 14:23:19 0 d-----w- c:\program files\a-squared Free

2010-04-21 11:03:42 0 d-----w- c:\program files\Spybot - Search & Destroy

2010-04-21 11:03:42 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

2010-04-20 02:22:11 0 d-----w- c:\docume~1\alluse~1\applic~1\PCPitstop

2010-04-20 02:19:03 0 d-----w- c:\program files\CA

2010-04-20 02:18:56 95472 ----a-w- c:\windows\system32\Vetredir.dll

2010-04-20 02:18:56 201968 ----a-w- c:\windows\system32\Isafprod.dll

2010-04-20 02:18:56 128240 ----a-w- c:\windows\system32\Isafeif.dll

2010-04-20 00:02:17 4194372 ----a-w- c:\windows\pfirewall.log.old

2010-04-19 11:26:20 0 d-----w- c:\program files\Bonjour Print Services

2010-04-19 11:26:04 0 d-----w- c:\program files\Bonjour

2010-04-19 11:12:17 3584 ----a-w- c:\windows\VIEWS.DAT

2010-04-15 23:55:27 75776 --sha-r- c:\windows\system32\ir41_32O.dll

2010-04-02 09:53:24 0 d-----w- C:\7d8f10c5cf454becdd1afedc6a37

==================== Find3M ====================

2010-04-19 10:21:31 67960 ----a-w- c:\docume~1\tdupre~1\applic~1\GDIPFONTCACHEV1.DAT

2010-04-15 23:56:43 4704 --sha-w- c:\windows\system32\KGyGaAvL.sys

2010-04-04 21:12:27 411368 ----a-w- c:\windows\system32\deploytk.dll

2010-03-30 04:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-30 04:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-25 00:14:00 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-03-25 00:14:00 197920 ----a-w- c:\windows\system32\dnssdX.dll

2010-03-25 00:14:00 107808 ----a-w- c:\windows\system32\dns-sd.exe

2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll

2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll

2010-02-24 14:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe

2010-02-24 13:11:07 455680 ------w- c:\windows\system32\drivers\mrxsmb.sys

2010-02-19 23:47:50 3604480 ----a-w- c:\windows\system32\GPhotos.scr

2010-02-16 14:08:49 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-02-16 13:25:04 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll

2006-12-25 04:34:36 5 --sha-w- c:\windows\system32\dedea9_g.dll

2008-08-05 06:02:33 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008080520080806\index.dat

============= FINISH: 6:10:24.95 ===============

ATTACH.TXT file:

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume2

Install Date: 12/7/2006 10:31:30 AM

System Uptime: 4/24/2010 5:26:49 AM (1 hours ago)

Motherboard: Acer | | E946GZ

Processor: Intel® Pentium® D CPU 3.00GHz | Socket 775 | 2400/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 137 GiB total, 112.901 GiB free.

D: is FIXED (NTFS) - 12 GiB total, 11.59 GiB free.

E: is CDROM ()

F: is CDROM ()

G: is FIXED (NTFS) - 112 GiB total, 93.66 GiB free.

H: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP2: 4/16/2010 8:26:28 AM - Software Distribution Service 3.0

RP3: 4/18/2010 8:27:29 PM - System Checkpoint

RP4: 4/18/2010 10:14:48 PM - Removed QuickTime

RP5: 4/18/2010 10:33:06 PM - ZJH.exe renamed

RP6: 4/19/2010 7:26:15 AM - Installed Bonjour Print Services

RP7: 4/19/2010 10:40:56 AM - Software Distribution Service 3.0

RP8: 4/19/2010 12:09:04 PM - Windows Defender Checkpoint

RP9: 4/19/2010 7:31:32 PM - Removed PayPal Plug-In

RP10: 4/19/2010 10:17:45 PM - CA Internet Security Suite

RP11: 4/19/2010 10:36:47 PM - CA Internet Security Suite

RP12: 4/20/2010 12:08:30 AM - malware cleaned up

RP13: 4/20/2010 8:26:32 AM - Software Distribution Service 3.0

RP14: 4/20/2010 12:00:23 PM - 4-20-10 after all clean ups and individual images for C and G drives

RP15: 4/21/2010 6:39:06 AM - Malware aborting after 44000 entries

RP16: 4/22/2010 6:46:59 AM - Installed Ainsworth Keypad Trainer (Evaluation Copy)

RP17: 4/22/2010 6:53:27 AM - Removed Ainsworth Keypad Trainer (Evaluation Copy)

RP18: 4/22/2010 7:10:56 AM - Routine looks like redirects are gone

RP19: 4/23/2010 3:38:25 AM - Software Distribution Service 3.0

==== Installed Programs ======================

a-squared Free 4.5

ABC Amber Audio Converter

Acer eAcoustics Management

Acer eDataSecurity Management

Acer eDataSecurity Management 2.0.3077

Acer eLock Management

Acer Empowering Technology

Acer ePerformance Management

Acer eSettings Management

Acer LANScope Agent

Acer WLAN 11g USB Dongle

Acronis

Link to post
Share on other sites

  • Staff

Greetings TD5

:multiple Anti Virus programs:

  • It looks like you are operating your computer with multiple Anti Virus programs running in memory at once:
    AV: CA Anti-Virus Plus
    AV: AntiVir Desktop

    Anti-virus programs take up an enormous amount of your computer's resources when they are actively scanning your computer. Having two anti-virus programs running at the same time can cause your computer to run very slow, become unstable and even, in rare cases, crash.
    Please remove one of them.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

  • Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
It is a simple procedure that will only take a few moments of your time.
Once installed, you should see a blue screen prompt that says:
  • The Recovery Console was successfully installed.

Please continue as follows:

  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the report in your next post:

C:\ComboFix.txt

"information and logs"

  • In your next post I need the following
  1. Log from Combofix
  2. let me know of any problems you may have had
  3. How is the computer doing now?

Gringo

Link to post
Share on other sites

Gringo:

As requested: Combofix Log.

Problem? When I ran combofix the first time. The program ran all 50 stages and was preparing log file, got the the "Almost Done" and the system rebooted. I ran Combofix again it went off uneventfully.

=================================================

ComboFix 10-04-21.01 - T Duprex 04/26/2010 7:16.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1530 [GMT -4:00]

Running from: c:\documents and settings\T Duprex\Desktop\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

---- Previous Run -------

.

c:\windows\system32\_000006_.tmp.dll

c:\windows\system32\_000007_.tmp.dll

c:\windows\system32\_000008_.tmp.dll

c:\windows\system32\_000011_.tmp.dll

c:\windows\system32\_000012_.tmp.dll

c:\windows\system32\drivers\snetcfg.exe

.

((((((((((((((((((((((((( Files Created from 2010-03-26 to 2010-04-26 )))))))))))))))))))))))))))))))

.

2010-04-24 00:48 . 2010-04-24 00:48 -------- d-----w- c:\documents and settings\T Duprex\Application Data\Avira

2010-04-23 23:51 . 2010-04-23 23:51 -------- d-----w- c:\program files\HostsMan

2010-04-23 15:13 . 2010-03-01 14:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys

2010-04-23 15:13 . 2010-02-16 18:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2010-04-23 15:13 . 2009-05-11 16:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2010-04-23 15:13 . 2009-05-11 16:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2010-04-23 15:13 . 2010-04-23 15:13 -------- d-----w- c:\program files\Avira

2010-04-23 15:13 . 2010-04-23 15:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2010-04-22 10:47 . 2004-11-28 12:44 89360 ----a-w- c:\windows\system32\VB5DB.DLL

2010-04-21 14:23 . 2010-04-21 15:55 -------- d-----w- c:\program files\a-squared Free

2010-04-21 11:03 . 2010-04-25 12:19 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-04-21 11:03 . 2010-04-25 12:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-04-20 02:22 . 2010-04-20 11:31 -------- d-----w- c:\documents and settings\All Users\Application Data\PCPitstop

2010-04-20 02:19 . 2010-04-20 11:32 -------- d-----w- c:\program files\CA

2010-04-20 02:18 . 2009-11-20 21:19 201968 ----a-w- c:\windows\system32\Isafprod.dll

2010-04-20 02:18 . 2009-11-20 21:18 95472 ----a-w- c:\windows\system32\Vetredir.dll

2010-04-20 02:18 . 2009-11-20 21:18 128240 ----a-w- c:\windows\system32\Isafeif.dll

2010-04-19 22:24 . 2010-04-19 22:24 5918775 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2010-04-19 22:23 . 2010-04-20 00:01 52224 ----a-w- c:\documents and settings\T Duprex\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2010-04-19 22:22 . 2010-04-20 00:01 117760 ----a-w- c:\documents and settings\T Duprex\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-04-19 11:26 . 2010-04-19 11:26 -------- d-----w- c:\program files\Bonjour Print Services

2010-04-19 11:26 . 2010-04-19 11:26 -------- d-----w- c:\program files\Bonjour

2010-04-19 11:12 . 2010-04-19 11:12 3584 ----a-w- c:\windows\VIEWS.DAT

2010-04-18 16:21 . 2010-04-18 16:22 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp

2010-04-15 23:55 . 2010-04-15 23:55 75776 --sha-r- c:\windows\system32\ir41_32O.dll

2010-04-02 09:53 . 2010-04-02 09:53 -------- d-----w- C:\7d8f10c5cf454becdd1afedc6a37

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-04-25 12:19 . 2006-12-25 03:51 -------- d-----w- c:\documents and settings\All Users\Application Data\CA

2010-04-24 01:02 . 2006-12-26 04:59 766 ----a-r- c:\documents and settings\T Duprex\Application Data\Microsoft\Installer\{A85D8CC4-4DB9-11D6-B038-0000B49CEE91}\_227e16df.exe

2010-04-24 01:02 . 2006-12-26 04:59 1094 ----a-r- c:\documents and settings\T Duprex\Application Data\Microsoft\Installer\{A85D8CC4-4DB9-11D6-B038-0000B49CEE91}\_73fa73b0.exe

2010-04-24 01:02 . 2006-12-26 04:59 1078 ----a-r- c:\documents and settings\T Duprex\Application Data\Microsoft\Installer\{A85D8CC4-4DB9-11D6-B038-0000B49CEE91}\_46153a90.exe

2010-04-24 01:02 . 2006-12-26 04:59 1078 ----a-r- c:\documents and settings\T Duprex\Application Data\Microsoft\Installer\{A85D8CC4-4DB9-11D6-B038-0000B49CEE91}\_39c351af.exe

2010-04-24 01:02 . 2006-12-26 04:59 1078 ----a-r- c:\documents and settings\T Duprex\Application Data\Microsoft\Installer\{A85D8CC4-4DB9-11D6-B038-0000B49CEE91}\_227a6ce3.exe

2010-04-22 10:53 . 2006-07-20 02:09 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-04-21 14:46 . 2009-07-16 01:41 -------- d-----w- c:\program files\AVS4YOU

2010-04-19 18:53 . 2008-09-05 11:02 -------- d-----w- c:\program files\Quicken

2010-04-15 23:56 . 2009-10-18 16:52 4704 --sha-w- c:\windows\system32\KGyGaAvL.sys

2010-04-04 21:13 . 2006-12-07 15:32 -------- d-----w- c:\program files\Common Files\Java

2010-04-04 21:12 . 2008-12-26 21:20 411368 ----a-w- c:\windows\system32\deploytk.dll

2010-04-02 19:25 . 2009-10-19 18:42 -------- d-----w- c:\documents and settings\T Duprex\Application Data\Corel

2010-03-30 04:46 . 2008-08-08 12:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-30 04:45 . 2008-08-08 12:38 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-25 00:14 . 2010-03-25 00:14 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-03-25 00:14 . 2010-03-25 00:14 197920 ----a-w- c:\windows\system32\dnssdX.dll

2010-03-25 00:14 . 2010-03-25 00:14 107808 ----a-w- c:\windows\system32\dns-sd.exe

2010-03-10 06:15 . 2004-08-04 05:00 420352 ----a-w- c:\windows\system32\vbscript.dll

2010-02-25 06:24 . 2006-03-04 03:58 916480 ----a-w- c:\windows\system32\wininet.dll

2010-02-24 14:16 . 2009-10-02 22:31 181632 ------w- c:\windows\system32\MpSigStub.exe

2010-02-24 13:11 . 2005-01-19 04:26 455680 ------w- c:\windows\system32\drivers\mrxsmb.sys

2010-02-19 23:47 . 2010-02-19 23:47 3604480 ----a-w- c:\windows\system32\GPhotos.scr

2010-02-16 14:08 . 2005-09-29 00:02 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-02-16 13:25 . 2005-09-28 23:35 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-02-12 04:33 . 2004-08-04 05:00 100864 ----a-w- c:\windows\system32\6to4svc.dll

2010-02-11 12:02 . 2006-12-09 15:47 226880 ------w- c:\windows\system32\drivers\tcpip6.sys

2010-01-28 04:35 . 2010-01-28 04:35 503808 ----a-w- c:\documents and settings\T Duprex\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-296b9594-n\msvcp71.dll

2010-01-28 04:35 . 2010-01-28 04:35 499712 ----a-w- c:\documents and settings\T Duprex\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-296b9594-n\jmc.dll

2010-01-28 04:35 . 2010-01-28 04:35 348160 ----a-w- c:\documents and settings\T Duprex\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-296b9594-n\msvcr71.dll

2010-01-28 04:35 . 2010-01-28 04:35 61440 ----a-w- c:\documents and settings\T Duprex\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2315cb24-n\decora-sse.dll

2010-01-28 04:35 . 2010-01-28 04:35 12800 ----a-w- c:\documents and settings\T Duprex\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2315cb24-n\decora-d3d.dll

2009-09-03 23:37 . 2009-09-03 23:37 10437264 ----a-w- c:\program files\mozilla firefox\plugins\PDFNetC.dll

2009-09-03 23:58 . 2009-09-03 23:58 107760 ----a-w- c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll

2006-12-25 04:34 . 2006-12-25 04:34 5 --sha-w- c:\windows\system32\dedea9_g.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-04-28 7573504]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]

"nwiz"="nwiz.exe" [2006-04-28 1519616]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

WinKey.lnk - g:\program files\Winkey\WinKey.exe [2007-1-26 99840]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 16:05 356352 ----a-w- g:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck pdboot.exe\0autocheck autochk *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2009-11-12 21:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"PhotoShow Deluxe Media Manager"=c:\progra~1\Nero\data\Xtras\mssysmgr.exe

"SUPERAntiSpyware"=g:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

"swg"=c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"eDataSecurity Loader"=c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe 0

"eLockMonitor"=c:\acer\Empowering Technology\eLock\Monitor\LaunchMonitor.exe

"eRecoveryService"=c:\acer\Empowering Technology\eRecovery\eRAgent.exe

"Acer Empowering Technology Monitor"=c:\windows\system32\SysMonitor.exe

"PHIME2002ASync"=c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

"PHIME2002A"=c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

"HotKeysCmds"=c:\windows\system32\hkcmd.exe

"Persistence"=c:\windows\system32\igfxpers.exe

"SunJavaUpdateSched"=c:\program files\Java\jre1.5.0_06\bin\jusched.exe

"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

"IMEKRMIG6.1"=c:\windows\ime\imkr6_1\IMEKRMIG.EXE

"MSPY2002"=c:\windows\system32\IME\PINTLGNT\ImScInst.exe /SYNC

"LaunchApp"=Alaunch

"NeroFilterCheck"=c:\windows\system32\NeroCheck.exe

"AdminWorks Tray"="c:\acer\LANScope Agent\awtray.exe"

"pdfFactory Pro Dispatcher v2"="c:\windows\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /source=HKLM

"EPSON Stylus Photo 820 Series"=c:\windows\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE /P29 "EPSON Stylus Photo 820 Series" /O6 "USB001" /M "Stylus Photo 820"

"Adobe Photo Downloader"="g:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe"

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"

"AcronisTimounterMonitor"=c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe

"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe"

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot

"TrueImageMonitor.exe"=c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe

"cctray"="g:\program files\ca\etrust internet security suite\casc.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiMalware]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"9999:UDP"= 9999:UDP:AdminWorks UDP Port

"2804:TCP"= 2804:TCP:AdminWorks TCP Port

R1 SASDIFSV;SASDIFSV;g:\program files\SUPERAntiSpyware\sasdifsv.sys [12/22/2008 12:06 PM 8944]

R1 SASKUTIL;SASKUTIL;g:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/22/2008 12:05 PM 55024]

R2 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [4/21/2010 10:23 AM 1872320]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/23/2010 11:13 AM 135336]

R2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;c:\windows\system32\eLock2BurnerLockDriver.sys [12/7/2006 11:38 AM 17536]

R2 eLock2FSCTLDriver;eLock2FSCTLDriver;c:\windows\system32\eLock2FSCTLDriver.sys [12/7/2006 11:38 AM 90112]

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 10:19 PM 13592]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 1:56 PM 135664]

S2 LockServ;LockServ;c:\acer\Empowering Technology\eLock\LockServ.exe -p --> c:\acer\Empowering Technology\eLock\LockServ.exe -p [?]

S3 Acer ODDSpeedControl;Acer ODDSpeedControl;c:\acer\Empowering Technology\eAcoustics\ODDSpeedCtl\speedcontrol.exe [12/7/2006 11:39 AM 81920]

S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\IcdUsb2.sys [8/6/2007 7:24 PM 39048]

S3 SASENUM;SASENUM;g:\program files\SUPERAntiSpyware\SASENUM.SYS [12/22/2008 12:06 PM 7408]

S3 scsiscan;SCSI Scanner Driver;c:\windows\system32\drivers\scsiscan.sys [9/20/2009 7:05 PM 11520]

.

Contents of the 'Scheduled Tasks' folder

2010-04-26 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2006-12-22 11:15]

2010-04-26 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

uInternet Connection Wizard,ShellNext = hxxp://en.us.acer.yahoo.com/

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - g:\progra~1\MICROS~1\Office10\EXCEL.EXE/3000

DPF: {070DC617-E3B7-468B-A29C-D4E84FAE938C} - hxxp://utilities.pcpitstop.com/pctuneup2/controls/pctuneup.cab

DPF: {E6BB2089-163F-466B-812A-748096614DFD} - hxxp://cainternetsecurity.net/scanner/cascanner.cab

FF - ProfilePath - c:\documents and settings\T Duprex\Application Data\Mozilla\Firefox\Profiles\38bduv9u.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\Google\Google Updater\2.4.1739.5352\npCIDetect13.dll

FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll

FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr

ef", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

.

- - - - ORPHANS REMOVED - - - -

BHO-{201f27d4-3704-41d6-89c1-aa35e39143ed} - (no file)

Toolbar-{3041d03e-fd4b-44e0-b742-2d9b88305f98} - (no file)

WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98} - (no file)

ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)

**************************************************************************

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files:

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-133351039-1622961813-2181170887-1005\Software\Local AppWizard-Generated Applications\Launch Tool]

@DACL=(02 0000)

@SACL=

[HKEY_USERS\S-1-5-21-133351039-1622961813-2181170887-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dib\OpenWithProgids]

@DACL=(02 0000)

@SACL=

"Paint.Picture"=hex(0):

"Photoshop.BMPFile"=hex(0):

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{2A9FC36D-364D-4234-8C61-89B815492E9C}\TypeLib]

@DACL=(02 0000)

@SACL=

@="{5084C91D-B702-4EA0-967D-727DF7007782}"

"Version"="7.0.0"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6EE4DCBB-CE99-4994-A12A-242CEBDD691C}\TypeLib]

@DACL=(02 0000)

@SACL=

@="{DB877FF4-E68D-4A4F-8004-9F806CBE755B}"

"Version"="3.0.1"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{877883EB-56B2-4736-815E-1BA97B44D3E5}\TypeLib]

@DACL=(02 0000)

@SACL=

@="{3822BDA0-196A-4728-8C33-9263D243FD96}"

"Version"="4.0.0"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{8C822816-06E7-4b2d-967B-7611B2AC9CC7}\TypeLib]

@DACL=(02 0000)

@SACL=

@="{6ABA073A-5EEF-4CE0-8B42-E4815C4D4F05}"

"Version"="1.0.0"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{A698C8BC-E677-4030-8676-18FF0095C239}\TypeLib]

@DACL=(02 0000)

@SACL=

@="{7F4DC91B-C08D-41E1-9FF3-DBEDE2EF1455}"

"Version"="3.0.8"

[HKEY_LOCAL_MACHINE\software\muvee Technologies\030625]

@DACL=(02 0000)

@SACL=

[HKEY_LOCAL_MACHINE\software\muvee Technologies\muvee SDK - NTI_5]

@DACL=(02 0000)

@SACL=

[HKEY_LOCAL_MACHINE\software\NewTech Infosystems\NTI CD-MakerV7\OEMUrl]

@DACL=(02 0000)

@SACL=

"Home"="http://global.acer.com"

[HKEY_LOCAL_MACHINE\software\Realtek Semiconductor Corp.\Realtek High Definition Audio Driver]

@DACL=(02 0000)

@SACL=

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(976)

c:\windows\system32\GTGina.dll

g:\program files\SUPERAntiSpyware\SASWINLO.dll

c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(1040)

c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(3556)

c:\windows\system32\WININET.dll

c:\windows\system32\nview.dll

c:\progra~1\WINDOW~2\wmpband.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\nvwddi.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2010-04-26 07:22:26

ComboFix-quarantined-files.txt 2010-04-26 11:22

Pre-Run: 122,672,848,896 bytes free

Post-Run: 122,633,785,344 bytes free

- - End Of File - - 6328C1FE7B14B4E70D3306A5D6AC7E22

Link to post
Share on other sites

  • Staff

Greetings

I would like to know how the computer is doing now??

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps..

extra combofix report

I need to see one of the extra reports combofix makes

  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and past the following into the box

C:\Qoobox\ComboFix-quarantined-files.txt

  • click ok
  • copy and paste the report into this topic for me to review

uninstall some programs

  • 1. click on start

2. then go to settings

3. after that you need control panel

4. look for the icon add/remove programs

click on the following programs

J2SE Runtime Environment 5.0 Update 6

Java Auto Updater

Java

Link to post
Share on other sites

Gringo:

I have provided the files you've asked for below but first let me update you on the problem. It has gone away since I purged my HOSTS file.

Today I looked through my HOSTS file page by page. I found ten entries that had been commented out with the # sign which means they were not being screened out and sent to 170.0.0.1 I didn't comment out these entries.

here are the entries. comments

uninstall. bestoofersnetworks.com (disabled to allow unistall)

www.bestoffernetworks.com [TROJ_NAIL.A]{disabled to allow uninstall]

www.mypctuneup.com [disabled to allow uninstall]

ads.viaarena.com

i.i.com

rcm.images.amazon.com

images.viacomlocalnetworks.com

ia.imdb.com

images.chron.com

lads.myspace.com

I deleted all HOSTS entries after the 38.25.63.10 example entry in the beginning and reloaded/updated the HOSTS file from mvps hosts. I have tried over 20 times to reproduce the problem since I cleared the HOSTS file. It had not reappeared and I have not been able to make it happen.

Is it a fair assumption to say that my computer is infected and that is still trying to do something but the HOSTS file is blocking it?

====================================================

COMBOFIX REPORT:

2010-04-26 11:21:32 . 2010-04-26 11:21:32 146 ----a-w- C:\Qoobox\Quarantine\Registry_backups\ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}.reg.dat

2010-04-26 11:21:24 . 2010-04-26 11:21:24 171 ----a-w- C:\Qoobox\Quarantine\Registry_backups\WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98}.reg.dat

2010-04-26 11:21:24 . 2010-04-26 11:21:24 200 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Toolbar-{3041d03e-fd4b-44e0-b742-2d9b88305f98}.reg.dat

2010-04-26 11:21:23 . 2010-04-26 11:21:23 173 ----a-w- C:\Qoobox\Quarantine\Registry_backups\BHO-{201f27d4-3704-41d6-89c1-aa35e39143ed}.reg.dat

2010-04-26 11:11:05 . 2010-04-26 11:19:47 7,534 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg

2010-04-26 11:06:25 . 2010-04-26 11:16:06 102 ----a-w- C:\Qoobox\Quarantine\catchme.log

2006-12-07 15:34:01 . 2004-08-04 05:00:00 983,552 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_000006_.tmp.dll.vir

2005-09-14 01:56:00 . 2005-09-14 01:56:00 14,336 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\snetcfg.exe.vir

2004-10-28 01:21:02 . 2004-10-28 01:21:02 721,920 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_000012_.tmp.dll.vir

2004-08-04 05:00:00 . 2004-08-04 05:00:00 611,328 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_000007_.tmp.dll.vir

2004-08-04 05:00:00 . 2004-08-04 05:00:00 111,104 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_000008_.tmp.dll.vir

2004-08-04 05:00:00 . 2004-08-04 05:00:00 132,096 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_000011_.tmp.dll.vir

=========================================================

I uninstalled J2SE Runtime Environment, Java 6 Update 7, and did not remove Jave 6 Update 19

I updated Java, I had to go to the Java webside. The coffee cup route would not let me update because it complained about not getting to the internet. I spent some time looking into,

disabled the firewall and all options in Firefox and still had the problem so I went directly to the side downloaded installed and everything went okay.

I then Deleted the files via the coffee cup/control panel route and it went okay.

===========================================================

TFC

Ran TFC, no problem

=============================================================

Ran Malwarebytes.

the log is below. However, two of your instructions didn't make sense, or I'm missing something.

In the 5th line down you say, " When the program is complete, click OK (no problem), Then Show Results to view the results (there was no "show results") the results poppep up

automatically.

then in the 6th line you say "Be sure everything is Checked (ticked) except items in the C:|System Volume information folder and click on Removed Selected. ???

could not relate this to anything that malwarebytes was showing.

MALBYTESWARE LOG

Malwarebytes' Anti-Malware 1.45

www.malwarebytes.org

Database version: 4041

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

4/26/2010 8:04:07 PM

mbam-log-2010-04-26 (20-04-07).txt

Scan type: Quick scan

Objects scanned: 113371

Time elapsed: 4 minute(s), 56 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

=================================================================

KASPERSKY SCAN

The Kaspersy website is currently not offering a online scan while they are apparently updating it. So I went ahead and downloaded the trial version, installed, updated and ran it.

It showed 0 for virus, trojan, malicious tools, adware, and riskware. I did a quick scan, and and objects scan.

================================================================

Link to post
Share on other sites

  • Staff

Hello TD5

In the 5th line down you say, " When the program is complete, click OK (no problem), Then Show Results to view the results (there was no "show results") the results poppep up
sometimes it don't popup so I have that in my instructions just in case
then in the 6th line you say "Be sure everything is Checked (ticked) except items in the C:|System Volume information folder and click on Removed Selected. ???
that means it did not find anything in system restore - which is good
The Kaspersy website is currently not offering a online scan while they are apparently updating it. So I went ahead and downloaded the trial version, installed, updated and ran it.
thanks for letting me know and also uninstall the trial as we don.t want two antiviruses running
Is it a fair assumption to say that my computer is infected and that is still trying to do something but the HOSTS file is blocking it?
the malware changed the host file that is what was causing the redirects - we removed the malware so it could not rechange the host file back after you fixed it

The logs look good right now so I am going to give you my all clean - I will leave this open for a few days so if the redirects come back just come back here and let me know or if you have anymore problems let me know.

The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points and create a new restore point.

:Uninstall ComboFix:

  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and past the following into the box ComboFix /Uninstall and click OK.
  • Note the space between the X and the /Uninstall, it needs to be there.
  • CF-Uninstall.png

:DeFogger:

  • To re-enable your Emulation drivers, double click DeFogger to run the tool.
    • The application window will appear
    • Click the Re-enable button to re-enable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.

:Make your Internet Explorer more secure:

  • please visit this page that gives instructions to do this
http://surfthenetsafely.com/ieseczone8.htm

:Turn On Automatic Updates:

  • Turn On Automatic Updates
    1. Click Start, click Run, type sysdm.cpl, and then press ENTER.
    2. Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select the Automatic (recommended) Automatically download recommended updates for my computer and install them
    If you click this setting, click to select the day and time for scheduled updates to occur. You can schedule Automatic Updates for any time of day. Remember, your computer must be on at the scheduled time for updates to be installed. After you set this option, Windows recognizes when you are online and uses your Internet connection to find updates on the Windows Update Web site or on the Microsoft Update Web site that apply to your computer. Updates are downloaded automatically in the background, and you are not notified or interrupted during this process. An icon appears in the notification area of your taskbar when the updates are being downloaded. You can point to the icon to view the download status. To pause or to resume the download, right-click the icon, and then click Pause or Resume. When the download is completed, another message appears in the notification area so that you can review the updates that are scheduled for installation. If you choose not to install at that time, Windows starts the installation on your set schedule.
    or visit
http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

:antispyware programs:

  • you have a couple of good antispyware programs on this computer but you still can try some of these others to see if you like them also
    I would reccomend the download and installation of some or all of the following programs (all free), and the updating of them regularly:
    • WinPatrol As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
    • Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is
      totally free but for real-time protection you will have to pay a small one-time fee.
    • Spyware Blaster - By altering your registry, this program stops harmful sites from installing things like ActiveX Controls on your machines.

please read this great article by miekiemoes How to prevent Malware:

and

this great article by Tony Klein So How Did I Get Infected In First Place

Now you have followed my advice - it's time to lodge a complaint against what you have suffered.........

Malware Complaints

If you were infected .... Stand Up and be Counted.

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here:btn_donate_SM.gif

Gringo

Link to post
Share on other sites

Gringo:

The problem appears to have been resolved. In addition, my computer is booting faster and appears to be fasted on the internet.

I'm still at a loss to understand what malware was found. You say, "we removed the malware so it could not rechange the host file back after you fixed it".

Other than my initial scan with MalwareBytes that found several problems before I went for help on the malware removal forum, did any of the logs, tests, etc show that other problems were identified and corrected? Or did the original MalwareBytes scan/repair I did remove the problem malware but left the HOSTS file corrupted?

In any event, I have followed your instructions and uninstalled Combofix, re-enabled Emulation drivers, Installed WinPatrol and Spyware Blaster. In order to install Kaspersy, I had to remove Windows Firewall, and Avira Anti-virus.

I have no problem with closing the thread. Thank you for you assistance.

Link to post
Share on other sites

  • Staff

Hello TD5

I'm still at a loss to understand what malware was found - in addition to what malwarebyts found before you came here there is also the below from the combofix log. the main one being in bold

2006-12-07 15:34:01 . 2004-08-04 05:00:00 983,552 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_000006_.tmp.dll.vir

2005-09-14 01:56:00 . 2005-09-14 01:56:00 14,336 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\snetcfg.exe.vir

2004-10-28 01:21:02 . 2004-10-28 01:21:02 721,920 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_000012_.tmp.dll.vir

2004-08-04 05:00:00 . 2004-08-04 05:00:00 611,328 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_000007_.tmp.dll.vir

2004-08-04 05:00:00 . 2004-08-04 05:00:00 111,104 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_000008_.tmp.dll.vir

2004-08-04 05:00:00 . 2004-08-04 05:00:00 132,096 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_000011_.tmp.dll.vir

and

Or did the original MalwareBytes scan/repair I did remove the problem malware but left the HOSTS file corrupted? and this is possible also

gringo

Link to post
Share on other sites

Gringo:

One last set of questions. These files from the ComboFix.log that you noticed, are they still in my computer? Should I do anything with them? I see that they are in a quarantine folder somewhare. I tried to find them but couldn't, I looked at hidden and system files, they are not to be found. Have they been deleted by ComboFix?

2006-12-07 15:34:01 . 2004-08-04 05:00:00 983,552 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_000006_.tmp.dll.vir

2005-09-14 01:56:00 . 2005-09-14 01:56:00 14,336 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\snetcfg.exe.vir

2004-10-28 01:21:02 . 2004-10-28 01:21:02 721,920 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_000012_.tmp.dll.vir

2004-08-04 05:00:00 . 2004-08-04 05:00:00 611,328 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_000007_.tmp.dll.vir

2004-08-04 05:00:00 . 2004-08-04 05:00:00 111,104 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_000008_.tmp.dll.vir

2004-08-04 05:00:00 . 2004-08-04 05:00:00 132,096 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_000011_.tmp.dll.vir

Tom D.

Link to post
Share on other sites

Hello TD5

when I had you uninstall combofix it removed these backups so they are no longer on your computer. That is why you could not find them. :)

gringo

Gringo:

Just so I'm clear on this - What is the status of these threats:

1 Have they been removed?

2 Are quarantined somewhere in my system? If so how do I get rid of them?

TD5

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.