
Hi everyone, I'm here so please forgive me if I'm not in the correct forum.

I got infected with Security Essential 2010; using Malwarebytes I was able to remove it. Two days later I started getting redirected when using any search engine. The following are reports for your review.

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4084

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

5/10/2010 11:33:10 AM

mbam-log-2010-05-10 (11-33-10).txt

Scan type: Quick scan

Objects scanned: 144010

Time elapsed: 5 minute(s), 3 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

ComboFix 10-05-10.04 - Julio 05/11/2010 12:30:12.4.2 - x86 NETWORK

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.770 [GMT -4:00]

Running from: c:\documents and settings\Julio\Desktop\ComboFix.exe

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\ialmuARA.dll

c:\windows\system32\ialmuARB.dll

c:\windows\system32\ialmuCHS.dll

c:\windows\system32\ialmuCHT.dll

c:\windows\system32\ialmuCSY.dll

c:\windows\system32\ialmuDAN.dll

c:\windows\system32\ialmuDEU.dll

c:\windows\system32\ialmudlg.exe

c:\windows\system32\ialmuELL.dll

c:\windows\system32\ialmuENG.dll

c:\windows\system32\ialmuESP.dll

c:\windows\system32\ialmuFIN.dll

c:\windows\system32\ialmuFRA.dll

c:\windows\system32\ialmuFRC.dll

c:\windows\system32\ialmuHEB.dll

c:\windows\system32\ialmuHUN.dll

c:\windows\system32\ialmuITA.dll

c:\windows\system32\ialmuJPN.dll

c:\windows\system32\ialmuKOR.dll

c:\windows\system32\ialmuNLD.dll

c:\windows\system32\ialmuNOR.dll

c:\windows\system32\ialmuPLK.dll

c:\windows\system32\ialmuPTB.dll

c:\windows\system32\ialmuPTG.dll

c:\windows\system32\ialmuRUS.dll

c:\windows\system32\ialmuSVE.dll

c:\windows\system32\ialmuTHA.dll

c:\windows\system32\ialmuTRK.dll

c:\windows\system32\igfxrara.lrc

c:\windows\system32\igfxrchs.lrc

c:\windows\system32\igfxrcht.lrc

c:\windows\system32\igfxrcsy.lrc

c:\windows\system32\igfxrdan.lrc

c:\windows\system32\igfxrdeu.lrc

c:\windows\system32\igfxrell.lrc

c:\windows\system32\igfxrenu.lrc

c:\windows\system32\igfxresp.lrc

c:\windows\system32\igfxrfin.lrc

c:\windows\system32\igfxrfra.lrc

c:\windows\system32\igfxrheb.lrc

c:\windows\system32\igfxrhun.lrc

c:\windows\system32\igfxrita.lrc

c:\windows\system32\igfxrjpn.lrc

c:\windows\system32\igfxrkor.lrc

c:\windows\system32\igfxrnld.lrc

c:\windows\system32\igfxrnor.lrc

c:\windows\system32\igfxrplk.lrc

c:\windows\system32\igfxrptb.lrc

c:\windows\system32\igfxrptg.lrc

c:\windows\system32\igfxrrus.lrc

c:\windows\system32\igfxrsve.lrc

c:\windows\system32\igfxrtha.lrc

c:\windows\system32\igfxrtrk.lrc

c:\windows\system32\tmp.reg

.

((((((((((((((((((((((((( Files Created from 2010-04-11 to 2010-05-11 )))))))))))))))))))))))))))))))

.

2010-05-09 15:06 . 2010-05-10 03:09 32544 --sha-w- c:\windows\system32\drivers\fidbox2.dat

2010-05-09 15:06 . 2010-05-10 03:09 1741856 --sha-w- c:\windows\system32\drivers\fidbox.dat

2010-05-09 15:01 . 2010-05-10 02:56 -------- d-----w- c:\program files\Common Files\ParetoLogic

2010-05-09 14:59 . 2010-05-09 14:59 -------- d-----w- c:\documents and settings\Julio\Local Settings\Application Data\Downloaded Installations

2010-05-08 20:42 . 2010-05-11 13:55 -------- d-----w- c:\program files\SpywareBlaster

2010-05-08 16:06 . 2008-04-13 18:39 23040 ----a-w- c:\windows\system32\drivers\mouclass.sys

2010-05-07 16:43 . 2010-05-07 17:42 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\vjxikqrwi

2010-05-07 16:43 . 2010-05-07 16:43 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-05-07 16:43 . 2010-05-07 16:43 552 ----a-w- c:\windows\system32\d3d8caps.dat

2010-05-07 15:03 . 2010-05-08 15:01 -------- d-----w- c:\documents and settings\Julio\Local Settings\Application Data\Deployment

2010-05-07 13:52 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-05-07 13:52 . 2010-05-07 13:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-07 13:52 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-05-06 15:39 . 2009-04-05 03:36 -------- d-----w- c:\documents and settings\Administrator\SmitfraudFix

2010-05-06 14:02 . 2010-05-06 14:02 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-05-06 10:25 . 2010-05-06 15:02 -------- d-----w- c:\program files\scdata

2010-05-06 08:21 . 2010-05-06 08:21 74752 ------w- c:\windows\system32\daec.sys

2010-05-05 15:11 . 2010-05-05 15:11 -------- d-----w- c:\windows\system32\vmm32

2010-05-03 21:35 . 2010-05-03 21:35 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys

2010-04-23 22:11 . 2010-04-23 22:11 -------- d-----w- c:\program files\FREEWI~1

2010-04-23 22:04 . 2010-04-23 22:05 -------- d-----w- c:\documents and settings\Julio\Local Settings\Application Data\V-Safe 100

2010-04-17 11:43 . 2010-04-17 11:43 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2010-04-16 23:56 . 2010-04-16 23:56 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2010-04-16 23:49 . 2010-04-18 20:23 120 ----a-w- c:\windows\Kgesigo.dat

2010-04-16 23:49 . 2010-04-18 17:54 0 ----a-w- c:\windows\Dtemililahaca.bin

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-05-11 16:21 . 2008-11-16 18:39 -------- d-----w- c:\program files\Microsoft Press Readiness Review Suite

2010-05-11 16:21 . 2010-04-07 16:08 -------- d-----w- c:\documents and settings\Julio\Application Data\FreshDiagnose

2010-05-11 16:17 . 2009-12-10 15:06 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

2010-05-11 14:39 . 2007-01-13 23:25 80968 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT

2010-05-11 14:18 . 2008-10-14 01:42 -------- d---a-w- c:\documents and settings\All Users\Application Data\Temp

2010-05-11 13:26 . 2006-11-18 03:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-05-10 03:09 . 2010-05-09 15:06 4124 --sha-w- c:\windows\system32\drivers\fidbox2.idx

2010-05-10 03:09 . 2010-05-09 15:06 24380 --sha-w- c:\windows\system32\drivers\fidbox.idx

2010-05-10 03:06 . 2006-05-20 15:32 -------- d-----w- c:\program files\Java

2010-05-08 07:10 . 2004-08-04 03:58 24576 ----a-w- c:\windows\system32\drivers\kbdclass.sys

2010-05-05 15:11 . 2006-05-20 15:35 -------- d-----w- c:\program files\Dell

2010-04-18 17:56 . 2007-03-30 23:04 -------- d-----w- c:\program files\CCleaner

2010-04-07 16:08 . 2010-04-07 16:08 -------- d-----w- c:\program files\FreshDevices

2010-04-05 19:48 . 2010-04-05 19:48 -------- d-----w- c:\program files\IrfanView

2010-03-18 22:24 . 2010-03-18 22:24 -------- d-----w- c:\documents and settings\Julio\Application Data\GetRightToGo

2010-03-10 06:15 . 2004-08-10 17:51 420352 ----a-w- c:\windows\system32\vbscript.dll

2010-02-25 06:24 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll

2010-02-24 13:11 . 2004-08-10 17:51 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2010-02-16 14:08 . 2004-08-10 17:51 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-02-16 13:25 . 2004-08-04 03:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-02-12 04:33 . 2004-08-10 17:50 100864 ----a-w- c:\windows\system32\6to4svc.dll

2010-02-11 12:02 . 2004-08-10 17:51 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys

2007-08-14 22:18 . 2007-08-14 22:18 774144 ----a-w- c:\program files\RngInterstitial.dll

2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\opera\program\plugins\libdivx.dll

2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\opera\program\plugins\ssldivx.dll

2007-03-11 06:12 . 2006-11-16 02:45 56 --sh--r- c:\windows\system32\40502413E4.sys

2006-07-07 06:19 . 2006-05-25 00:00 88 --sh--r- c:\windows\system32\E413245040.sys

2007-03-11 06:12 . 2006-05-25 00:00 5018 --sha-w- c:\windows\system32\KGyGaAvL.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]

backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]

backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2008-10-15 06:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]

2008-09-26 16:02 2356088 ----a-r- c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-01-05 20:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Shockwave Updater]

2009-03-19 15:55 460216 ----a-w- c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150595.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\WINDOWS\\system32\\mmc.exe"=

R1 daec;daec;c:\windows\system32\daec.sys [5/6/2010 04:21 AM 74752]

S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]

S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]

S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]

.

.

------- Supplementary Scan -------

.

TCP: {69D22147-4723-41B2-8A83-A734942BDD6F} = 8.8.8.8,8.8.8.4

.

**************************************************************************

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files:

**************************************************************************

.

Completion time: 2010-05-11 12:35:38

ComboFix-quarantined-files.txt 2010-05-11 16:35

ComboFix2.txt 2010-05-10 13:58

Pre-Run: 54,860,779,520 bytes free

Post-Run: 54,847,680,512 bytes free

- - End Of File - - C182503CE14FD42585852159DD70A1AB

DDS (Ver_10-03-17.01) - NTFSx86 NETWORK

Run by Julio at 13:26:41.45 on Tue 05/11/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.681 [GMT -4:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\Julio\Desktop\dds.scr

============== Pseudo HJT Report ===============

TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -

TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/3/d/83d1fe15-fe0f-4bdf-b09c-4e3c49808ec7/LegitCheckControl.cab

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab

DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab

TCP: {69D22147-4723-41B2-8A83-A734942BDD6F} = 8.8.8.8,8.8.8.4

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R1 daec;daec;c:\windows\system32\daec.sys [2010-5-6 74752]

S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\tffsmon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]

S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\tfsysmon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]

S2 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2010-1-30 12672]

S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\tfnetmon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]

=============== Created Last 30 ================

2010-05-11 17:26:10 0 ----a-w- c:\documents and settings\julio\defogger_reenable

2010-05-11 16:28:53 0 d-----w- C:\ComboFix

2010-05-10 13:50:35 98816 ----a-w- c:\windows\sed.exe

2010-05-10 13:50:35 77312 ----a-w- c:\windows\MBR.exe

2010-05-10 13:50:35 256512 ----a-w- c:\windows\PEV.exe

2010-05-10 13:50:35 161792 ----a-w- c:\windows\SWREG.exe

2010-05-09 15:06:39 4124 --sha-w- c:\windows\system32\drivers\fidbox2.idx

2010-05-09 15:06:39 32544 --sha-w- c:\windows\system32\drivers\fidbox2.dat

2010-05-09 15:06:39 24380 --sha-w- c:\windows\system32\drivers\fidbox.idx

2010-05-09 15:06:39 1741856 --sha-w- c:\windows\system32\drivers\fidbox.dat

2010-05-09 15:06:28 409 ----a-w- C:\rollback.ini

2010-05-09 15:01:17 0 d-----w- c:\program files\common files\ParetoLogic

2010-05-08 20:42:11 0 d-----w- c:\program files\SpywareBlaster

2010-05-08 16:06:36 23040 ----a-w- c:\windows\system32\drivers\mouclass.sys

2010-05-08 16:04:32 0 d-sha-r- C:\cmdcons

2010-05-07 16:43:05 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-05-07 16:43:05 552 ----a-w- c:\windows\system32\d3d8caps.dat

2010-05-07 13:52:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-05-07 13:52:40 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-05-07 13:52:40 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-06 10:25:20 0 d-----w- c:\program files\scdata

2010-05-06 08:21:40 74752 ------w- c:\windows\system32\daec.sys

2010-05-05 15:11:07 0 d-----w- c:\windows\system32\vmm32

2010-05-03 21:35:36 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys

2010-04-23 22:11:30 0 d-----w- c:\program files\FREEWI~1

2010-04-16 23:49:50 120 ----a-w- c:\windows\Kgesigo.dat

2010-04-16 23:49:50 0 ----a-w- c:\windows\Dtemililahaca.bin

==================== Find3M ====================

2010-05-11 14:39:08 80968 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT

2010-05-08 07:10:50 24576 ----a-w- c:\windows\system32\drivers\kbdclass.sys

2010-05-08 07:10:50 24576 ----a-w- c:\windows\system32\dllcache\kbdclass.sys

2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll

2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\dllcache\vbscript.dll

2010-02-25 15:54:36 11070976 ------w- c:\windows\system32\dllcache\ieframe.dll

2010-02-24 13:11:07 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys

2010-02-24 09:54:25 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe

2010-02-17 13:10:28 2189952 ------w- c:\windows\system32\dllcache\ntoskrnl.exe

2010-02-16 14:08:49 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-02-16 14:08:49 2146304 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe

2010-02-16 13:25:04 2066816 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe

2010-02-16 13:25:04 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-02-16 13:25:04 2024448 ------w- c:\windows\system32\dllcache\ntkrpamp.exe

2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll

2010-02-12 04:33:11 100864 ------w- c:\windows\system32\dllcache\6to4svc.dll

2010-02-11 12:02:15 226880 ------w- c:\windows\system32\dllcache\tcpip6.sys

2007-08-14 22:18:44 774144 ----a-w- c:\program files\RngInterstitial.dll

2007-03-11 06:12:57 56 --sh--r- c:\windows\system32\40502413E4.sys

2006-07-07 06:19:26 88 --sh--r- c:\windows\system32\E413245040.sys

2007-03-11 06:12:57 5018 --sha-w- c:\windows\system32\KGyGaAvL.sys

2008-08-09 01:13:59 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008080820080809\index.dat

============= FINISH: 13:27:00.82 ===============


Hello juliom365

Welcome to Malwarebytes.

=====================

Download the following GMER Rootkit Scanner from Here

  • Download the randomly named EXE file to your Desktop. Remember what its name is since it is randomly named.
  • Double click on the new random named exe file you downloaded and run it. If prompted about the Security Warning and Unknown Publisher go ahead and click on Run
  • It may take a minute to load and become available.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED:
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically only C:\ should be checked)
      • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop
  • **Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
  • Click OK and quit the GMER program.
  • Note: On Firefox you need to go to Tools/Options/Main then under the Downloads section, click on Always ask me where to save files so that you can choose the name and where to save to, in this case your Desktop.
  • Post that log in your next reply.


Sorry for taking so long.

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-05-15 10:52:05

Windows 5.1.2600 Service Pack 3

Running: jchf44u1.exe; Driver: C:\DOCUME~1\Julio\LOCALS~1\Temp\axloapob.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xAA3B6C7A]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xAA3B6B36]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteKey [0xAA3B70EA]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xAA3B7014]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xAA3B670C]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xAA3B6C10]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xAA3B664C]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xAA3B66B0]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xAA3B6D30]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0xAA3B71B8]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xAA3B6CF0]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xAA3B6E70]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0xAA3C3AC6]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0xAA3C38EA]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xAA3C3A24]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2CCC 80504568 4 Bytes JMP 54AA3B70

PAGE ntkrnlpa.exe!ZwLoadDriver 8058413A 7 Bytes JMP AA3C3A28 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)

PAGE ntkrnlpa.exe!NtCreateSection 805AB38E 7 Bytes JMP AA3C38EE \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)

PAGE ntkrnlpa.exe!ObMakeTemporaryObject 805BC502 5 Bytes JMP AA3BF536 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)

PAGE ntkrnlpa.exe!ObInsertObject 805C2F86 5 Bytes JMP AA3C0EC2 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)

PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1134 7 Bytes JMP AA3C3ACA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)

? C:\WINDOWS\system32\daec.sys The process cannot access the file because it is being used by another process.

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- EOF - GMER 1.0.15 ----


Please delete your current copy of ComboFix and redownload it from here:

Please visit this webpage for download links and instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.


ComboFix 10-05-16.06 - Julio 05/16/2010 09:49:14.5.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.569 [GMT -4:00]

Running from: c:\documents and settings\Julio\Desktop\ComboFix.exe

AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\program files\scdata

c:\program files\scdata\images\i1.gif

c:\program files\scdata\images\i2.gif

c:\program files\scdata\images\i3.gif

c:\program files\scdata\images\j1.gif

c:\program files\scdata\images\j2.gif

c:\program files\scdata\images\j3.gif

c:\program files\scdata\images\jj1.gif

c:\program files\scdata\images\jj2.gif

c:\program files\scdata\images\jj3.gif

c:\program files\scdata\images\l1.gif

c:\program files\scdata\images\l2.gif

c:\program files\scdata\images\l3.gif

c:\program files\scdata\images\pix.gif

c:\program files\scdata\images\t1.gif

c:\program files\scdata\images\t2.gif

c:\program files\scdata\images\up1.gif

c:\program files\scdata\images\up2.gif

c:\program files\scdata\images\w1.gif

c:\program files\scdata\images\w11.gif

c:\program files\scdata\images\w2.gif

c:\program files\scdata\images\w3.jpg

c:\program files\scdata\images\word.doc

c:\program files\scdata\images\wt1.gif

c:\program files\scdata\images\wt2.gif

c:\program files\scdata\images\wt3.gif

c:\program files\scdata\wispex.html

.

((((((((((((((((((((((((( Files Created from 2010-04-16 to 2010-05-16 )))))))))))))))))))))))))))))))

.

2010-05-14 19:53 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-05-14 19:52 . 2010-05-14 19:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-14 19:52 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-05-12 22:24 . 2010-05-12 22:58 -------- d-----w- c:\documents and settings\Julio\DoctorWeb

2010-05-12 16:54 . 2010-05-06 20:39 164048 ----a-w- c:\windows\system32\drivers\aswSP.sys

2010-05-12 16:54 . 2010-05-06 20:33 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2010-05-12 16:54 . 2010-05-06 20:34 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2010-05-12 16:54 . 2010-05-06 20:39 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2010-05-12 16:54 . 2010-05-06 20:33 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2010-05-12 16:54 . 2010-05-06 20:33 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys

2010-05-12 16:54 . 2010-05-06 20:33 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2010-05-12 16:54 . 2010-05-06 20:59 38848 ----a-w- c:\windows\system32\avastSS.scr

2010-05-12 16:54 . 2010-05-06 20:59 165032 ----a-w- c:\windows\system32\aswBoot.exe

2010-05-12 16:53 . 2010-05-12 16:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software

2010-05-11 18:13 . 2010-05-11 18:13 -------- d-----w- c:\program files\Belarc

2010-05-11 18:13 . 2008-02-27 16:49 3840 ----a-w- c:\windows\system32\drivers\BANTExt.sys

2010-05-09 15:06 . 2010-05-10 03:09 32544 --sha-w- c:\windows\system32\drivers\fidbox2.dat

2010-05-09 15:06 . 2010-05-10 03:09 1741856 --sha-w- c:\windows\system32\drivers\fidbox.dat

2010-05-09 15:01 . 2010-05-10 02:56 -------- d-----w- c:\program files\Common Files\ParetoLogic

2010-05-09 14:59 . 2010-05-09 14:59 -------- d-----w- c:\documents and settings\Julio\Local Settings\Application Data\Downloaded Installations

2010-05-08 16:06 . 2008-04-13 18:39 23040 ----a-w- c:\windows\system32\drivers\mouclass.sys

2010-05-07 16:43 . 2010-05-07 17:42 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\vjxikqrwi

2010-05-07 16:43 . 2010-05-07 16:43 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-05-07 16:43 . 2010-05-07 16:43 552 ----a-w- c:\windows\system32\d3d8caps.dat

2010-05-07 15:03 . 2010-05-08 15:01 -------- d-----w- c:\documents and settings\Julio\Local Settings\Application Data\Deployment

2010-05-06 15:39 . 2010-05-12 23:09 -------- d-----w- c:\documents and settings\Administrator\SmitfraudFix

2010-05-06 14:02 . 2010-05-06 14:02 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-05-06 08:21 . 2010-05-06 08:21 74752 ------w- c:\windows\system32\daec.sys

2010-05-05 15:11 . 2010-05-05 15:11 -------- d-----w- c:\windows\system32\vmm32

2010-05-03 21:35 . 2010-05-03 21:35 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys

2010-04-23 22:11 . 2010-04-23 22:11 -------- d-----w- c:\program files\FREEWI~1

2010-04-23 22:04 . 2010-04-23 22:05 -------- d-----w- c:\documents and settings\Julio\Local Settings\Application Data\V-Safe 100

2010-04-17 11:43 . 2010-04-17 11:43 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2010-04-16 23:56 . 2010-04-16 23:56 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2010-04-16 23:49 . 2010-04-18 20:23 120 ----a-w- c:\windows\Kgesigo.dat

2010-04-16 23:49 . 2010-04-18 17:54 0 ----a-w- c:\windows\Dtemililahaca.bin

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-05-15 15:25 . 2006-06-12 23:08 -------- d-----w- c:\program files\Common Files\Adobe

2010-05-13 13:30 . 2006-05-20 15:32 -------- d-----w- c:\program files\Java

2010-05-13 13:28 . 2010-05-13 13:28 0 ----a-w- c:\windows\system32\REN4A.tmp

2010-05-13 13:28 . 2010-05-13 13:28 0 ----a-w- c:\windows\system32\REN49.tmp

2010-05-13 13:28 . 2010-05-13 13:28 0 ----a-w- c:\windows\system32\REN48.tmp

2010-05-12 16:53 . 2009-08-01 01:26 -------- d-----w- c:\program files\Alwil Software

2010-05-11 16:21 . 2008-11-16 18:39 -------- d-----w- c:\program files\Microsoft Press Readiness Review Suite

2010-05-11 16:21 . 2010-04-07 16:08 -------- d-----w- c:\documents and settings\Julio\Application Data\FreshDiagnose

2010-05-11 16:17 . 2009-12-10 15:06 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

2010-05-11 14:39 . 2007-01-13 23:25 80968 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT

2010-05-11 14:18 . 2008-10-14 01:42 -------- d---a-w- c:\documents and settings\All Users\Application Data\Temp

2010-05-11 13:26 . 2006-11-18 03:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-05-10 03:09 . 2010-05-09 15:06 4124 --sha-w- c:\windows\system32\drivers\fidbox2.idx

2010-05-10 03:09 . 2010-05-09 15:06 24380 --sha-w- c:\windows\system32\drivers\fidbox.idx

2010-05-08 07:10 . 2004-08-04 03:58 24576 ----a-w- c:\windows\system32\drivers\kbdclass.sys

2010-05-05 15:11 . 2006-05-20 15:35 -------- d-----w- c:\program files\Dell

2010-04-18 17:56 . 2007-03-30 23:04 -------- d-----w- c:\program files\CCleaner

2010-04-05 19:48 . 2010-04-05 19:48 -------- d-----w- c:\program files\IrfanView

2010-03-18 22:24 . 2010-03-18 22:24 -------- d-----w- c:\documents and settings\Julio\Application Data\GetRightToGo

2010-03-10 06:15 . 2004-08-10 17:51 420352 ----a-w- c:\windows\system32\vbscript.dll

2010-02-25 06:24 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll

2010-02-24 13:11 . 2004-08-10 17:51 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2010-02-16 14:08 . 2004-08-10 17:51 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-02-16 13:25 . 2004-08-04 03:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe

2007-08-14 22:18 . 2007-08-14 22:18 774144 ----a-w- c:\program files\RngInterstitial.dll

2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\opera\program\plugins\libdivx.dll

2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\opera\program\plugins\ssldivx.dll

2007-03-11 06:12 . 2006-11-16 02:45 56 --sh--r- c:\windows\system32\40502413E4.sys

2006-07-07 06:19 . 2006-05-25 00:00 88 --sh--r- c:\windows\system32\E413245040.sys

2007-03-11 06:12 . 2006-05-25 00:00 5018 --sha-w- c:\windows\system32\KGyGaAvL.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-05-06 2815192]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]

backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]

backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-01-05 20:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Shockwave Updater]

2009-03-19 15:55 460216 ----a-w- c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150595.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\WINDOWS\\system32\\mmc.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [5/12/2010 12:54 PM 164048]

R1 daec;daec;c:\windows\system32\daec.sys [5/6/2010 04:21 AM 74752]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/12/2010 12:54 PM 19024]

S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]

S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]

S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

TCP: {69D22147-4723-41B2-8A83-A734942BDD6F} = 8.8.8.8,8.8.8.4

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre1.6.0_07\bin\jusched.exe

MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe

MSConfigStartUp-AdobeUpdater - c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-05-15 12:54

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0


You are welcome :)

ComboFix will automatically try to submit some malware files for further review; if this does not happen, please manually upload them with the instructions below:

1. Please open Notepad

  • Click Start , then Run
  • type in notepad in the Run Box then hit ok.

2. Now copy/paste the entire content of the codebox below into the Notepad window:


KILLALL::

Driver::
daec

Folder::
c:\documents and settings\NetworkService\Local Settings\Application Data\vjxikqrwi

Collect::
c:\windows\Dtemililahaca.bin
c:\windows\Kgesigo.dat
c:\windows\system32\daec.sys

File::
c:\windows\system32\REN4A.tmp
c:\windows\system32\REN49.tmp
c:\windows\system32\REN48.tmp

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

5. During this run Combofix will collect and automatically upload some sample files.

You will see it say Combofix needs to upload some samples.

If it fails to do that, do the requested steps at the bottom of this post to manually upload the samples.

6. After reboot (in case it asks to reboot), please post the following report/log into your next reply:

  • Combofix.txt

===========

Note::

If Combofix fails to upload anything please do the following:

Go to Start > My Computer > C:\

Then Navigate to C:\Qoobox\Quarantine\[4]-Submit_Date_Time.zip

Click Here to upload the submit.zip please.

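The CFScript the helper posted above targets a driver (daec) whose image sits in system32 rather than system32\drivers, a randomly named folder, and a few files to collect for analysis. As an added example (not code from this thread, nor from the ComboFix or Malwarebytes projects), the Python below parses ComboFix file-listing and driver/service lines of the shape shown in these logs, applies the two first-pass heuristics a helper reaches for first (hidden+system files under system32, and services whose image is outside system32\drivers or missing), and drafts a CFScript in the same Driver::/Collect:: format. The sample lines are copied from the logs above; the regexes and heuristics are assumptions about the log layout, and every hit is a candidate for a vendor or hash check, not a verdict (the fidbox files and the tiny .sys files it flags here may well be legitimate).

```python
import re
from typing import List, NamedTuple

# Sample lines copied from the ComboFix logs posted above: file-listing
# entries and driver/service entries, trimmed to a handful.
SAMPLE_LOG = r"""
2010-05-10 03:09 . 2010-05-09 15:06 4124 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-05-16 16:07 . 2004-05-04 14:53 1645320 ----a-w- c:\windows\system32\gdiplus.dll
2007-03-11 06:12 . 2006-05-25 00:00 5018 --sha-w- c:\windows\system32\KGyGaAvL.sys
2007-03-11 06:12 . 2006-11-16 02:45 56 --sh--r- c:\windows\system32\40502413E4.sys
2010-05-16 16:07 . 2010-05-16 16:07 -------- d-----w- c:\program files\Software602
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [5/12/2010 12:54 PM 164048]
R1 daec;daec;c:\windows\system32\daec.sys [5/6/2010 04:21 AM 74752]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
"""

# Assumed layout of a file-listing line: "<modified> . <created> <size|--------> <attrs> <path>"
FILE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(\d+|-{8}) ([-a-z]{8}) (.+)$"
)
# Assumed layout of a service line: "<start> <name>;<display>;<image>[ --> <image>] [<stamp>|?]"
DRIVER_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]+);(\S+)(?: --> \S+)? \[(.+)\]$")


class Finding(NamedTuple):
    kind: str    # "file" or "driver"
    name: str    # file path, or service name for drivers
    reason: str


def triage(log_text: str) -> List[Finding]:
    """Apply two first-pass heuristics. Hits are candidates for a vendor or
    hash check, not verdicts: hidden+system files in system32 include
    legitimate licensing and AV cache files."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = FILE_RE.match(line)
        if m:
            size, attrs, path = m.group(3), m.group(4), m.group(5)
            if attrs.startswith("d"):
                continue  # directories carry the same attribute flags; skip them
            if "h" in attrs and "s" in attrs and "\\system32\\" in path.lower():
                findings.append(Finding("file", path, f"hidden+system in system32 ({attrs}, {size} bytes)"))
            continue
        m = DRIVER_RE.match(line)
        if m:
            name, image, stamp = m.group(2), m.group(4), m.group(5)
            if stamp == "?":
                findings.append(Finding("driver", name, f"service image not found: {image}"))
            elif "\\drivers\\" not in image.lower():
                findings.append(Finding("driver", name, f"driver loaded from outside system32\\drivers: {image}"))
    return findings


def render_cfscript(findings: List[Finding]) -> str:
    """Draft a CFScript in the directive format the helper used above
    (Driver:: removes a service, Collect:: zips files for submission).
    A human reviews and prunes this before it goes anywhere near ComboFix."""
    drivers = sorted({f.name for f in findings if f.kind == "driver"})
    files = sorted({f.name for f in findings if f.kind == "file"})
    parts = ["KILLALL::"]
    if drivers:
        parts += ["", "Driver::", *drivers]
    if files:
        parts += ["", "Collect::", *files]
    return "\n".join(parts) + "\n"


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for hit in hits:
        print(f"{hit.kind:6} {hit.name}  <- {hit.reason}")
    print()
    print(render_cfscript(hits))
```

On the sample it flags daec (image outside system32\drivers), TfFsMon (image missing) and the three hidden+system files, and leaves aswSP alone. Collect:: rather than File:: is deliberate for the file hits: submitting a sample costs nothing, while deleting a licensing or AV file on a heuristic match breaks software.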

ComboFix Script

ComboFix 10-05-15.03 - Julio 05/16/2010 12:54:33.7.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.592 [GMT -4:00]

Running from: c:\documents and settings\Julio\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Julio\Desktop\CFScript.txt

AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::

"c:\windows\system32\REN48.tmp"

"c:\windows\system32\REN49.tmp"

"c:\windows\system32\REN4A.tmp"

file zipped: c:\windows\Dtemililahaca.bin

file zipped: c:\windows\Kgesigo.dat

file zipped: c:\windows\system32\daec.sys

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\NetworkService\Local Settings\Application Data\vjxikqrwi

c:\windows\Dtemililahaca.bin

c:\windows\Kgesigo.dat

c:\windows\system32\daec.sys

c:\windows\system32\REN48.tmp

c:\windows\system32\REN49.tmp

c:\windows\system32\REN4A.tmp

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_DAEC

-------\Service_daec

((((((((((((((((((((((((( Files Created from 2010-04-16 to 2010-05-16 )))))))))))))))))))))))))))))))

.

2010-05-16 16:20 . 2010-05-16 16:20 -------- d-----w- c:\documents and settings\Julio\Application Data\Software602

2010-05-16 16:07 . 2004-05-04 14:53 1645320 ----a-w- c:\windows\system32\gdiplus.dll

2010-05-16 16:07 . 2010-05-16 16:07 -------- d-----w- c:\program files\Software602

2010-05-15 21:41 . 2010-05-15 21:41 -------- d-----w- c:\documents and settings\Julio\Local Settings\Application Data\Temp

2010-05-15 17:48 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-05-15 17:48 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-05-15 17:48 . 2010-05-15 17:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-12 22:24 . 2010-05-12 22:58 -------- d-----w- c:\documents and settings\Julio\DoctorWeb

2010-05-12 16:54 . 2010-05-06 20:39 164048 ----a-w- c:\windows\system32\drivers\aswSP.sys

2010-05-12 16:54 . 2010-05-06 20:33 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2010-05-12 16:54 . 2010-05-06 20:34 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2010-05-12 16:54 . 2010-05-06 20:39 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2010-05-12 16:54 . 2010-05-06 20:33 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2010-05-12 16:54 . 2010-05-06 20:33 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys

2010-05-12 16:54 . 2010-05-06 20:33 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2010-05-12 16:54 . 2010-05-06 20:59 38848 ----a-w- c:\windows\system32\avastSS.scr

2010-05-12 16:54 . 2010-05-06 20:59 165032 ----a-w- c:\windows\system32\aswBoot.exe

2010-05-12 16:53 . 2010-05-12 16:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software

2010-05-11 18:13 . 2010-05-11 18:13 -------- d-----w- c:\program files\Belarc

2010-05-11 18:13 . 2008-02-27 16:49 3840 ----a-w- c:\windows\system32\drivers\BANTExt.sys

2010-05-09 15:06 . 2010-05-10 03:09 32544 --sha-w- c:\windows\system32\drivers\fidbox2.dat

2010-05-09 15:06 . 2010-05-10 03:09 1741856 --sha-w- c:\windows\system32\drivers\fidbox.dat

2010-05-09 15:01 . 2010-05-10 02:56 -------- d-----w- c:\program files\Common Files\ParetoLogic

2010-05-09 14:59 . 2010-05-09 14:59 -------- d-----w- c:\documents and settings\Julio\Local Settings\Application Data\Downloaded Installations

2010-05-08 16:06 . 2008-04-13 18:39 23040 ----a-w- c:\windows\system32\drivers\mouclass.sys

2010-05-07 16:43 . 2010-05-07 16:43 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-05-07 16:43 . 2010-05-07 16:43 552 ----a-w- c:\windows\system32\d3d8caps.dat

2010-05-07 15:03 . 2010-05-08 15:01 -------- d-----w- c:\documents and settings\Julio\Local Settings\Application Data\Deployment

2010-05-06 15:39 . 2010-05-12 23:09 -------- d-----w- c:\documents and settings\Administrator\SmitfraudFix

2010-05-06 14:02 . 2010-05-06 14:02 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-05-05 15:11 . 2010-05-05 15:11 -------- d-----w- c:\windows\system32\vmm32

2010-05-03 21:35 . 2010-05-03 21:35 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys

2010-04-23 22:11 . 2010-04-23 22:11 -------- d-----w- c:\program files\FREEWI~1

2010-04-23 22:04 . 2010-04-23 22:05 -------- d-----w- c:\documents and settings\Julio\Local Settings\Application Data\V-Safe 100

2010-04-17 11:43 . 2010-04-17 11:43 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2010-04-16 23:56 . 2010-04-16 23:56 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-05-16 16:21 . 2006-05-20 15:41 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-05-15 15:25 . 2006-06-12 23:08 -------- d-----w- c:\program files\Common Files\Adobe

2010-05-13 13:30 . 2006-05-20 15:32 -------- d-----w- c:\program files\Java

2010-05-12 16:53 . 2009-08-01 01:26 -------- d-----w- c:\program files\Alwil Software

2010-05-11 16:21 . 2008-11-16 18:39 -------- d-----w- c:\program files\Microsoft Press Readiness Review Suite

2010-05-11 16:21 . 2010-04-07 16:08 -------- d-----w- c:\documents and settings\Julio\Application Data\FreshDiagnose

2010-05-11 16:17 . 2009-12-10 15:06 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

2010-05-11 14:39 . 2007-01-13 23:25 80968 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT

2010-05-11 14:18 . 2008-10-14 01:42 -------- d---a-w- c:\documents and settings\All Users\Application Data\Temp

2010-05-11 13:26 . 2006-11-18 03:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-05-10 03:09 . 2010-05-09 15:06 4124 --sha-w- c:\windows\system32\drivers\fidbox2.idx

2010-05-10 03:09 . 2010-05-09 15:06 24380 --sha-w- c:\windows\system32\drivers\fidbox.idx

2010-05-08 07:10 . 2004-08-04 03:58 24576 ----a-w- c:\windows\system32\drivers\kbdclass.sys

2010-05-05 15:11 . 2006-05-20 15:35 -------- d-----w- c:\program files\Dell

2010-04-18 17:56 . 2007-03-30 23:04 -------- d-----w- c:\program files\CCleaner

2010-04-05 19:48 . 2010-04-05 19:48 -------- d-----w- c:\program files\IrfanView

2010-03-18 22:24 . 2010-03-18 22:24 -------- d-----w- c:\documents and settings\Julio\Application Data\GetRightToGo

2010-03-10 06:15 . 2004-08-10 17:51 420352 ----a-w- c:\windows\system32\vbscript.dll

2010-02-25 06:24 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll

2010-02-24 13:11 . 2004-08-10 17:51 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2010-02-16 14:08 . 2004-08-10 17:51 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-02-16 13:25 . 2004-08-04 03:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe

2007-08-14 22:18 . 2007-08-14 22:18 774144 ----a-w- c:\program files\RngInterstitial.dll

2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\opera\program\plugins\libdivx.dll

2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\opera\program\plugins\ssldivx.dll

2007-03-11 06:12 . 2006-11-16 02:45 56 --sh--r- c:\windows\system32\40502413E4.sys

2006-07-07 06:19 . 2006-05-25 00:00 88 --sh--r- c:\windows\system32\E413245040.sys

2007-03-11 06:12 . 2006-05-25 00:00 5018 --sha-w- c:\windows\system32\KGyGaAvL.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-05-06 2815192]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]

backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]

backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-01-05 20:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Shockwave Updater]

2009-03-19 15:55 460216 ----a-w- c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150595.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\WINDOWS\\system32\\mmc.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [5/12/2010 12:54 PM 164048]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/12/2010 12:54 PM 19024]

S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]

S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]

S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

TCP: {69D22147-4723-41B2-8A83-A734942BDD6F} = 8.8.8.8,8.8.8.4

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-05-16 13:00

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2856)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Alwil Software\Avast5\AvastSvc.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2010-05-16 13:06:41 - machine was rebooted

ComboFix-quarantined-files.txt 2010-05-16 17:06

ComboFix2.txt 2010-05-15 17:39

ComboFix3.txt 2010-05-15 16:56

Pre-Run: 53,570,293,760 bytes free

Post-Run: 53,510,369,280 bytes free

- - End Of File - - 1A0873FB3F3E86B8BB4D9B27B14D728C


Excellent, thank you for your help; this will add detection to remove that malware automatically.

Update Run Malwarebytes

Please update and run Malwarebytes' Anti-Malware.

Double Click the Malwarebytes Anti-Malware icon to run the application.

  • Click on the update tab then click on Check for updates.
  • If an update is found, it will download and install the latest version.
  • Once the update has loaded, go to the Scanner tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

=====

* Go here to run an online scanner from ESET.

  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Check the next options: Remove found threats and Scan unwanted applications.
  • Click Scan
  • Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\ESET\ESET Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic


No restarts, should I run the online scan?

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4107

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

5/16/2010 7:22:59 PM

mbam-log-2010-05-16 (19-22-59).txt

Scan type: Quick scan

Objects scanned: 145485

Time elapsed: 6 minute(s), 31 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:34:51 PM, on 5/17/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Unable to get Internet Explorer version!

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (file missing)

O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{69D22147-4723-41B2-8A83-A734942BDD6F}: NameServer = 8.8.8.8,8.8.8.4

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

--

End of file - 2034 bytes

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4109

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

5/17/2010 12:01:33 PM

mbam-log-2010-05-17 (12-01-33).txt

Scan type: Quick scan

Objects scanned: 147212

Time elapsed: 6 minute(s), 48 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

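The search redirects the original poster describes are the classic symptom of a changed resolver, which is why the O17 NameServer line in the HijackThis log above is the first thing to read. As an added example (not code from this thread or from HijackThis), the Python below parses O17, O2 and O16 lines of the shape shown in that log and reports resolvers that are neither private (a home router) nor on an allowlist, BHO CLSIDs whose DLL is marked missing, and the hosts that served ActiveX controls. The allowlist is an assumption for this example (Google Public DNS and OpenDNS). On the log above it flags 8.8.8.4, which is not Google's documented secondary 8.8.4.4; that is a reason to verify the setting against what the ISP or router actually hands out, not proof of tampering.

```python
import ipaddress
import re
from typing import Dict, List

# Lines copied from the HijackThis log posted above, trimmed to the entry
# types this example handles.
SAMPLE_HJT = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (file missing)
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{69D22147-4723-41B2-8A83-A734942BDD6F}: NameServer = 8.8.8.8,8.8.8.4
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
"""

# Assumed allowlist for this example: Google Public DNS and OpenDNS. Add the
# ISP's resolvers for the machine being reviewed before trusting the output.
KNOWN_RESOLVERS = {"8.8.8.8", "8.8.4.4", "208.67.222.222", "208.67.220.220"}

O17_RE = re.compile(r"^O17 - .*NameServer = (.+)$")
O2_RE = re.compile(r"^O2 - BHO: (.+?) - (\{[0-9A-Fa-f-]+\}) - (.+?)( \(file missing\))?$")
O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\}) - (\S+)$")


def check_nameservers(value: str) -> List[str]:
    """Return resolvers from an O17 value that are neither private (a home
    router) nor on the allowlist. With a search-redirect complaint, an unknown
    resolver is treated as a DNS hijack until the owner confirms it."""
    suspects: List[str] = []
    for raw in re.split(r"[,; ]+", value.strip()):
        if not raw:
            continue
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            suspects.append(raw)  # not an IP literal at all; always worth a look
            continue
        if ip.is_private or str(ip) in KNOWN_RESOLVERS:
            continue
        suspects.append(raw)
    return suspects


def triage_hjt(log_text: str) -> Dict[str, List[str]]:
    """Walk a HijackThis log and collect the three things to check first:
    unknown resolvers, BHO CLSIDs whose DLL is gone (dead registry entries to
    clean), and the hosts that served ActiveX controls (O16)."""
    report: Dict[str, List[str]] = {"dns": [], "orphan_bho": [], "activex_hosts": []}
    for line in log_text.splitlines():
        m = O17_RE.match(line)
        if m:
            report["dns"].extend(check_nameservers(m.group(1)))
            continue
        m = O2_RE.match(line)
        if m:
            if m.group(4):  # "(file missing)" suffix present
                report["orphan_bho"].append(m.group(2))
            continue
        m = O16_RE.match(line)
        if m:
            host = re.sub(r"^https?://([^/]+).*$", r"\1", m.group(2))
            report["activex_hosts"].append(host)
    return report


if __name__ == "__main__":
    for key, items in triage_hjt(SAMPLE_HJT).items():
        print(f"{key}: {items}")
```

The orphaned SSVHelper BHO it reports matches the missing Java 6u07 ssv.dll in the log, a leftover from an uninstalled JRE rather than malware, which is exactly the kind of entry that gets cleaned for tidiness and not treated as a finding.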

1. Please open Notepad

  • Click Start , then Run
  • type in notepad in the Run Box then hit ok.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Dequarantine::
C:\Qoobox\Quarantine\c\windows\system32\ialmuARA.dll.vir
C:\Qoobox\Quarantine\c\windows\system32\ialmuARB.dll.vir
C:\Qoobox\Quarantine\c\windows\system32\ialmuCHS.dll.vir
C:\Qoobox\Quarantine\c\windows\system32\ialmuCHT.dll.vir
C:\Qoobox\Quarantine\c\windows\system32\ialmuCSY.dll.vir
C:\Qoobox\Quarantine\c\windows\system32\ialmuDAN.dll.vir
C:\Qoobox\Quarantine\c\windows\system32\ialmuDEU.dll.vir
C:\Qoobox\Quarantine\c\windows\system32\ialmudlg.exe.vir
C:\Qoobox\Quarantine\c\windows\system32\ialmuELL.dll.vir
C:\Qoobox\Quarantine\c\windows\system32\ialmuENG.dll.vir
C:\Qoobox\Quarantine\c\windows\system32\ialmuESP.dll.vir
C:\Qoobox\Quarantine\c\windows\system32\ialmuFIN.dll.vir
C:\Qoobox\Quarantine\c\windows\system32\ialmuFRA.dll.vir
C:\Qoobox\Quarantine\c\windows\system32\ialmuFRC.dll.vir
C:\Qoobox\Quarantine\c\windows\system32\ialmuHEB.dll.vir
C:\Qoobox\Quarantine\c\windows\system32\ialmuHUN.dll.vir
C:\Qoobox\Quarantine\c\windows\system32\ialmuITA.dll.vir
C:\Qoobox\Quarantine\c\windows\system32\ialmuJPN.dll.vir
C:\Qoobox\Quarantine\c\windows\system32\ialmuKOR.dll.vir
C:\Qoobox\Quarantine\c\windows\system32\ialmuNLD.dll.vir
C:\Qoobox\Quarantine\c\windows\system32\ialmuNOR.dll.vir
C:\Qoobox\Quarantine\c\windows\system32\ialmuPLK.dll.vir
C:\Qoobox\Quarantine\c\windows\system32\ialmuPTB.dll.vir
C:\Qoobox\Quarantine\c\windows\system32\ialmuPTG.dll.vir
C:\Qoobox\Quarantine\c\windows\system32\ialmuRUS.dll.vir
C:\Qoobox\Quarantine\c\windows\system32\ialmuSVE.dll.vir
C:\Qoobox\Quarantine\c\windows\system32\ialmuTHA.dll.vir
C:\Qoobox\Quarantine\c\windows\system32\ialmuTRK.dll.vir
C:\Qoobox\Quarantine\c\windows\system32\igfxrara.lrc.vir
C:\Qoobox\Quarantine\c\windows\system32\igfxrara.lrc.vir
C:\Qoobox\Quarantine\c\windows\system32\igfxrcht.lrc.vir
C:\Qoobox\Quarantine\c\windows\system32\igfxrcsy.lrc.vir
C:\Qoobox\Quarantine\c\windows\system32\igfxrdan.lrc.vir
C:\Qoobox\Quarantine\c\windows\system32\igfxrdeu.lrc.vir
C:\Qoobox\Quarantine\c\windows\system32\igfxrell.lrc.vir
C:\Qoobox\Quarantine\c\windows\system32\igfxrenu.lrc.vir
C:\Qoobox\Quarantine\c\windows\system32\igfxresp.lrc.vir
C:\Qoobox\Quarantine\c\windows\system32\igfxrfin.lrc.vir
C:\Qoobox\Quarantine\c\windows\system32\igfxrfra.lrc.vir
C:\Qoobox\Quarantine\c\windows\system32\igfxrheb.lrc.vir
C:\Qoobox\Quarantine\c\windows\system32\igfxrhun.lrc.vir
C:\Qoobox\Quarantine\c\windows\system32\igfxrita.lrc.vir
C:\Qoobox\Quarantine\c\windows\system32\igfxrjpn.lrc.vir
C:\Qoobox\Quarantine\c\windows\system32\igfxrkor.lrc.vir
C:\Qoobox\Quarantine\c\windows\system32\igfxrnld.lrc.vir
C:\Qoobox\Quarantine\c\windows\system32\igfxrnor.lrc.vir
C:\Qoobox\Quarantine\c\windows\system32\igfxrplk.lrc.vir
C:\Qoobox\Quarantine\c\windows\system32\igfxrptb.lrc.vir
C:\Qoobox\Quarantine\c\windows\system32\igfxrptg.lrc.vir
C:\Qoobox\Quarantine\c\windows\system32\igfxrrus.lrc.vir
C:\Qoobox\Quarantine\c\windows\system32\igfxrsve.lrc.vir
C:\Qoobox\Quarantine\c\windows\system32\igfxrtha.lrc.vir
C:\Qoobox\Quarantine\c\windows\system32\igfxrtrk.lrc.vir

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.


5. After reboot, (in case it asks to reboot), please post the following report/log into your next reply:

  • Combofix.txt



Sorry I haven't been back, but I've been out of town. Everything is working fine; here's the log from ComboFix.

ComboFix 10-05-29.05 - Julio 05/30/2010 16:48:42.9.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.603 [GMT -4:00]

Running from: c:\documents and settings\Julio\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Julio\Desktop\CFScript.txt

AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\40502413E4.dll

.

((((((((((((((((((((((((( Files Created from 2010-04-28 to 2010-05-30 )))))))))))))))))))))))))))))))

.

2010-05-26 02:00 . 2010-05-26 02:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Protexis

2010-05-26 01:18 . 2010-05-26 01:18 84028 ----a-w- c:\windows\system32\drivers\AFS2K.SYS

2010-05-26 01:18 . 2010-05-26 01:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Broderbund Software

2010-05-26 01:18 . 2003-06-25 14:18 200704 ----a-w- c:\documents and settings\All Users\Application Data\Broderbund Software\Print\PretzlDn.dll

2010-05-26 01:18 . 2002-06-17 22:14 266240 ----a-w- c:\documents and settings\All Users\Application Data\Broderbund Software\Print\PretzlUp.dll

2010-05-26 01:18 . 2010-05-27 15:39 -------- d-----w- c:\program files\Web Publish

2010-05-22 02:41 . 2010-05-22 02:41 503808 ----a-w- c:\documents and settings\Julio\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-7d02840f-n\msvcp71.dll

2010-05-22 02:41 . 2010-05-22 02:41 499712 ----a-w- c:\documents and settings\Julio\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-7d02840f-n\jmc.dll

2010-05-22 02:41 . 2010-05-22 02:41 348160 ----a-w- c:\documents and settings\Julio\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-7d02840f-n\msvcr71.dll

2010-05-22 02:41 . 2010-05-22 02:41 61440 ----a-w- c:\documents and settings\Julio\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-5ec3e994-n\decora-sse.dll

2010-05-22 02:41 . 2010-05-22 02:41 12800 ----a-w- c:\documents and settings\Julio\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-5ec3e994-n\decora-d3d.dll

2010-05-22 02:41 . 2010-05-22 02:41 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-05-21 22:43 . 2010-02-01 01:45 38784 ----a-w- c:\documents and settings\Julio\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe

2010-05-21 22:43 . 2010-05-21 22:43 -------- d-----w- c:\program files\Common Files\Adobe AIR

2010-05-21 22:43 . 2010-05-21 22:43 -------- d-----w- c:\windows\system32\Macromedia

2010-05-21 22:42 . 2010-05-21 22:42 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe

2010-05-18 22:24 . 2010-05-18 22:24 -------- d-----w- c:\documents and settings\Julio\Application Data\Softland

2010-05-16 16:20 . 2010-05-16 16:20 -------- d-----w- c:\documents and settings\Julio\Application Data\Software602

2010-05-16 16:07 . 2004-05-04 14:53 1645320 ----a-w- c:\windows\system32\gdiplus.dll

2010-05-16 16:07 . 2010-05-16 16:07 -------- d-----w- c:\program files\Software602

2010-05-15 21:41 . 2010-05-15 21:41 -------- d-----w- c:\documents and settings\Julio\Local Settings\Application Data\Temp

2010-05-15 17:48 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-05-15 17:48 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-05-15 17:48 . 2010-05-15 17:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-12 22:24 . 2010-05-12 22:58 -------- d-----w- c:\documents and settings\Julio\DoctorWeb

2010-05-12 16:54 . 2010-05-06 20:39 164048 ----a-w- c:\windows\system32\drivers\aswSP.sys

2010-05-12 16:54 . 2010-05-06 20:33 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2010-05-12 16:54 . 2010-05-06 20:34 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2010-05-12 16:54 . 2010-05-06 20:39 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2010-05-12 16:54 . 2010-05-06 20:33 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2010-05-12 16:54 . 2010-05-06 20:33 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys

2010-05-12 16:54 . 2010-05-06 20:33 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2010-05-12 16:54 . 2010-05-06 20:59 38848 ----a-w- c:\windows\system32\avastSS.scr

2010-05-12 16:54 . 2010-05-06 20:59 165032 ----a-w- c:\windows\system32\aswBoot.exe

2010-05-12 16:53 . 2010-05-12 16:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software

2010-05-11 18:13 . 2010-05-11 18:13 -------- d-----w- c:\program files\Belarc

2010-05-11 18:13 . 2008-02-27 16:49 3840 ----a-w- c:\windows\system32\drivers\BANTExt.sys

2010-05-09 15:06 . 2010-05-10 03:09 32544 --sha-w- c:\windows\system32\drivers\fidbox2.dat

2010-05-09 15:06 . 2010-05-10 03:09 1741856 --sha-w- c:\windows\system32\drivers\fidbox.dat

2010-05-09 15:01 . 2010-05-10 02:56 -------- d-----w- c:\program files\Common Files\ParetoLogic

2010-05-09 14:59 . 2010-05-09 14:59 -------- d-----w- c:\documents and settings\Julio\Local Settings\Application Data\Downloaded Installations

2010-05-08 16:06 . 2008-04-13 18:39 23040 ----a-w- c:\windows\system32\drivers\mouclass.sys

2010-05-07 16:43 . 2010-05-07 16:43 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-05-07 16:43 . 2010-05-07 16:43 552 ----a-w- c:\windows\system32\d3d8caps.dat

2010-05-07 15:03 . 2010-05-08 15:01 -------- d-----w- c:\documents and settings\Julio\Local Settings\Application Data\Deployment

2010-05-06 15:39 . 2010-05-12 23:09 -------- d-----w- c:\documents and settings\Administrator\SmitfraudFix

2010-05-06 14:02 . 2010-05-06 14:02 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-05-05 15:11 . 2010-05-05 15:11 -------- d-----w- c:\windows\system32\vmm32

2010-05-03 21:35 . 2010-05-03 21:35 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-05-23 05:20 . 2004-08-10 18:03 77859 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat

2010-05-22 02:42 . 2006-05-20 15:32 -------- d-----w- c:\program files\Common Files\Java

2010-05-22 02:41 . 2006-05-20 15:32 -------- d-----w- c:\program files\Java

2010-05-22 00:32 . 2006-11-18 03:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-05-21 23:00 . 2007-01-13 23:25 80968 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT

2010-05-21 22:59 . 2010-02-06 21:03 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2010-05-21 22:48 . 2006-06-12 23:08 -------- d-----w- c:\program files\Common Files\Adobe

2010-05-16 16:21 . 2006-05-20 15:41 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-05-12 16:53 . 2009-08-01 01:26 -------- d-----w- c:\program files\Alwil Software

2010-05-11 16:21 . 2008-11-16 18:39 -------- d-----w- c:\program files\Microsoft Press Readiness Review Suite

2010-05-11 16:21 . 2010-04-07 16:08 -------- d-----w- c:\documents and settings\Julio\Application Data\FreshDiagnose

2010-05-11 16:17 . 2009-12-10 15:06 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

2010-05-11 14:18 . 2008-10-14 01:42 -------- d---a-w- c:\documents and settings\All Users\Application Data\Temp

2010-05-10 03:09 . 2010-05-09 15:06 4124 --sha-w- c:\windows\system32\drivers\fidbox2.idx

2010-05-10 03:09 . 2010-05-09 15:06 24380 --sha-w- c:\windows\system32\drivers\fidbox.idx

2010-05-08 07:10 . 2004-08-04 03:58 24576 ----a-w- c:\windows\system32\drivers\kbdclass.sys

2010-05-05 15:11 . 2006-05-20 15:35 -------- d-----w- c:\program files\Dell

2010-04-23 22:11 . 2010-04-23 22:11 -------- d-----w- c:\program files\FREEWI~1

2010-04-18 17:56 . 2007-03-30 23:04 -------- d-----w- c:\program files\CCleaner

2010-03-10 06:15 . 2004-08-10 17:51 420352 ----a-w- c:\windows\system32\vbscript.dll

2007-03-11 06:12 . 2006-11-16 02:45 56 --sh--r- c:\windows\system32\40502413E4.sys

2006-07-07 06:19 . 2006-05-25 00:00 88 --sh--r- c:\windows\system32\E413245040.sys

2007-03-11 06:12 . 2006-05-25 00:00 5018 --sha-w- c:\windows\system32\KGyGaAvL.sys

.

((((((((((((((((((((((((((((( SnapShot_2010-05-23_15.16.18 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-05-29 00:03 . 2010-05-29 00:03 16384 c:\windows\temp\Perflib_Perfdata_4d4.dat

+ 1997-10-23 16:15 . 1997-10-23 16:15 97968 c:\windows\system32\POSTWPP.DLL

+ 1997-10-23 16:15 . 1997-10-23 16:15 50288 c:\windows\system32\PIPARSE.DLL

+ 1997-10-23 16:15 . 1997-10-23 16:15 98432 c:\windows\system32\FTPWPP.DLL

+ 1997-10-22 20:33 . 1997-10-22 20:33 95744 c:\windows\system32\FPWPP.DLL

+ 1997-10-23 16:15 . 1997-10-23 16:15 108976 c:\windows\system32\WPWIZDLL.DLL

+ 1997-10-23 16:15 . 1997-10-23 16:15 143312 c:\windows\system32\WEBPOST.DLL

+ 2010-05-26 01:18 . 2003-07-08 15:45 188072 c:\windows\system32\spool\drivers\w32x86\2\acpdfui210.dll

+ 2010-05-26 01:18 . 2003-07-08 15:45 156477 c:\windows\system32\spool\drivers\w32x86\2\acpdf210.dll

+ 2004-08-10 17:57 . 2010-05-27 15:37 298848 c:\windows\system32\FNTCACHE.DAT

- 2004-08-10 17:57 . 2010-05-12 19:12 298848 c:\windows\system32\FNTCACHE.DAT

+ 1997-10-23 16:15 . 1997-10-23 16:15 120432 c:\windows\system32\CRSWPP.DLL

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-05-06 2815192]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]

backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]

backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-01-05 20:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Shockwave Updater]

2009-03-19 15:55 460216 ----a-w- c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150595.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\WINDOWS\\system32\\mmc.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [5/12/2010 12:54 PM 164048]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/12/2010 12:54 PM 19024]

S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]

S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]

S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

TCP: {69D22147-4723-41B2-8A83-A734942BDD6F} = 8.8.8.8,8.8.4.4

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-05-30 16:53

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2010-05-30 16:56:20

ComboFix-quarantined-files.txt 2010-05-30 20:56

ComboFix2.txt 2010-05-23 15:18

ComboFix3.txt 2010-05-15 17:39

ComboFix4.txt 2010-05-15 16:56

Pre-Run: 54,176,313,344 bytes free

Post-Run: 54,198,358,016 bytes free

- - End Of File - - C5431F9CF86EF30E2398041C5D246D83


=======Cleanup=======

  • Click START then RUN
  • Now type Combofix /uninstall in the runbox and click OK. Note the space between the X and the Uninstall, it needs to be there.

===============Update Java===============

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older versions of Java and update:

  • Download the latest version of Java SE Runtime Environment (JRE) and save it to your desktop.
  • Scroll down to where it says "(JRE)" and then click on it.
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.

Delete/uninstall anything else that we have used that is left over.

=====================================

After that you're all set.

The following are some articles and a Windows Update link that I like to suggest to people for preventing malware and for general PC maintenance.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Prevention article - To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections, please read the Prevention article by Miekiemoes.

If your computer is slow - A tutorial on what you can do if your computer is slow.

File sharing program dangers - Reasons to stay away from file sharing programs, for example BitTorrent, Limewire, Kazaa, eMule, uTorrent, etc.

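One way to check that the Java cleanup above actually left no older runtime behind, as an added PowerShell example that is not part of the helper's post: it reads the Add/Remove Programs entries from the registry and flags any Java entry older than the 6 Update 20 build the post installs. It assumes the standard Uninstall key layout and that Java's DisplayVersion for 6 Update 20 reads as "6.0.200" (both are assumptions, not taken from the post).

```powershell
# Added example (not from the forum post). Lists installed Java runtimes as
# recorded under the Add/Remove Programs registry keys and marks those older
# than a target version. Assumption: DisplayVersion is a dotted version such
# as "6.0.200" for Java 6 Update 20; entries that do not parse are reported
# as "unknown" rather than skipped, so nothing is silently missed.
function Get-InstalledJava {
    param([version]$Target = '6.0.200')   # 6u20, per the post; format assumed

    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'  # absent on 32-bit XP
    )

    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'Java|J2SE|JRE' } |
        ForEach-Object {
            $older = 'unknown'
            try {
                $v = [version]$_.DisplayVersion   # throws if not dotted numeric
                $older = ($v -lt $Target)
            } catch { }

            New-Object PSObject -Property @{
                Name            = $_.DisplayName
                Version         = $_.DisplayVersion
                OlderThanTarget = $older
                UninstallString = $_.UninstallString   # what Add/Remove Programs runs
            }
        }
}

# Anything showing OlderThanTarget = True should still be removed via
# Add/Remove Programs before the new installer is run.
Get-InstalledJava | Sort-Object Name |
    Format-Table Name, Version, OlderThanTarget, UninstallString -AutoSize
```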

Glad we could help. ;)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
