Jump to content

IE redirects, computer slow, computer reboots at startup


Recommended Posts

Some malware has managed to get past my antivirus (Avast) and firewall (Online Armor). I keep them updated every day (also keep Windows security updates current) but did visit a 'song lyrics' site which is where I think I got the infection. I use Firefox or Opera but seem to have acquired an IE problem: adware redirects popping up and multiple instances of iexplore.exe until I blocked it with the firewall (I don't use IE so no loss there). I still have problems with a periodic slowdown or freezing. It takes many attempts to get my broadband connection running whereas I rarely had a problem before. I can't open Help & Support from the Start menu. The computer sometimes boots itself up a few times before it settles down. I have XP Pro OE version so reformatting would be a problem.

I found my way here and discovered it's a known problem. I did a full scan with MBAM and found Adware.KeenValue which it dealt with but my computer is by no means cured. Full scan with Avast found nothing. Running MBAM again just now I found some registry items infected. I would greatly appreciate any help and advice you might give.

I've run DeFogger, DDS and GMER. Without more ado, here are my logs (I've attached attach.txt and ark.txt as a zip files as per instructions):

Malwarebytes' Anti-Malware 1.44

Database version: 3832

Windows 5.1.2600 Service Pack 2

Internet Explorer 6.0.2900.2180

07/03/2010 18:21:07

mbam-log-2010-03-07 (18-21-07).txt

Scan type: Full Scan (C:\|)

Objects scanned: 238360

Time elapsed: 1 hour(s), 29 minute(s), 10 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 4

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_CLASSES_ROOT\.exe\(default) (Hijacked.exeFile) -> Bad: (secfile) Good: (exefile) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\User\Local Settings\Application Data\av.exe (ROGUE.Win7Antispyware2010) -> Quarantined and deleted successfully.

C:\Documents and Settings\User\Desktop\eXplorer.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

DDS.txt:

DDS (Ver_10-03-17.01) - NTFSx86

Run by User at 23:41:41.90 on 25/06/2010

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_14

Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.959.634 [GMT 1:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FW: Online Armor Firewall *disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\Online Armor\OAcat.exe

C:\Program Files\Online Armor\oasrv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Avast5\AvastSvc.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Google\Update\GoogleUpdate.exe

C:\Program Files\CDBurnerXP\NMSAccessU.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\wanmpsvc.exe

C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\Program Files\Avast5\avastUI.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\User\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/

uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com

uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?ei=ISO-8859-1&fr=vmn&type=vmn&q={searchTerms}

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

mWinlogon: UIHost=c:\windows\system32\logonui.exe

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot\SDHelper.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File

TB: {71AAABE5-1F0F-11D7-BD6F-004854603DCE} - No File

TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [<NO NAME>]

mRun: [avast5] "c:\program files\avast5\avastUI.exe" /nogui

mRun: [@OnlineArmor GUI] "c:\program files\online armor\oaui.exe"

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10e.exe

uPolicies-explorer: HideClock = 0 (0x0)

mPolicies-explorer: NoResolveTrack = 1 (0x1)

mPolicies-explorer: NoFileAssociate = 0 (0x0)

mPolicies-system: NoDispSettingsPage = 0 (0x0)

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot\SDHelper.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab

Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: OA Shell Helper: {4f07da45-8170-4859-9b5f-037ef2970034} - c:\progra~1\online armor\oaevent.dll

Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\h63q6oq3.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=

FF - prefs.js: browser.search.selectedEngine - Yahoo

FF - prefs.js: browser.startup.homepage - chrome://speeddial/content/speeddial.xul

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=

FF - component: c:\documents and settings\user\application data\mozilla\firefox\profiles\h63q6oq3.default\extensions\{0b457caa-602d-484a-8fe7-c1d894a011ba}\platform\winnt_x86-msvc\components\SSSLauncher.dll

FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll

FF - plugin: c:\documents and settings\user\application data\facebook\npfbplugin_1_0_3.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\opera\program\plugins\NPMetaStream3.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----

FF - user.js: browser.blink_allowed - true

FF - user.js: network.prefetch-next - true

FF - user.js: nglayout.initialpaint.delay - 250

FF - user.js: layout.spellcheckDefault - 1

FF - user.js: browser.urlbar.autoFill - false

FF - user.js: browser.search.openintab - false

FF - user.js: browser.tabs.closeButtons - 1

FF - user.js: browser.tabs.opentabfor.middleclick - true

FF - user.js: browser.tabs.tabMinWidth - 100

FF - user.js: browser.urlbar.hideGoButton - false

FF - user.js: yahoo.homepage.dontask - truec:\program files\firefox 363\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\firefox 363\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\firefox 363\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\firefox 363\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\firefox 363\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\firefox 363\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\firefox 363\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\firefox 363\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\firefox 363\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\firefox 363\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\firefox 363\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\firefox 363\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\firefox 363\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\firefox 363\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\firefox 363\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\firefox 363\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\firefox 363\greprefs\all.js - pref("html5.enable", false);

c:\program files\firefox 363\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr

ef", true);

c:\program files\firefox 363\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\firefox 363\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\firefox 363\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\firefox 363\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\firefox 363\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\firefox 363\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\firefox 363\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\firefox 363\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\firefox 363\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\firefox 363\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\firefox 363\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\firefox 363\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\firefox 363\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\firefox 363\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\firefox 363\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\firefox 363\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\firefox 363\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\firefox 363\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\firefox 363\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-3-21 164048]

R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2010-6-19 228216]

R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2010-6-19 24440]

R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2010-6-19 29560]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-3-21 19024]

R2 avast! Antivirus;avast! Antivirus;c:\program files\avast5\AvastSvc.exe [2010-3-21 40384]

R2 OAcat;Online Armor Helper Service;c:\program files\online armor\oacat.exe [2010-6-19 1284600]

R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\avast5\AvastSvc.exe [2010-3-21 40384]

R3 avast! Web Scanner;avast! Web Scanner;c:\program files\avast5\AvastSvc.exe [2010-3-21 40384]

R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);c:\windows\system32\drivers\RMSPPPOE.SYS [2008-6-6 31424]

R3 SampleScanner;USB Flatbed Scanner Driver;c:\windows\system32\drivers\ArtecGT.sys [2008-6-22 18120]

S?2 SvcOnlineArmor;Online Armor;c:\program files\online armor\oasrv.exe [2010-6-19 3364856]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-24 135664]

S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]

=============== Created Last 30 ================

2010-06-25 21:29:13 0 ----a-w- c:\documents and settings\user\defogger_reenable

2010-06-24 19:32:58 0 d-----w- c:\docume~1\user\applic~1\Facebook

2010-06-19 13:18:56 0 d-----w- c:\docume~1\user\applic~1\OnlineArmor

2010-06-19 13:18:56 0 d-----w- c:\docume~1\alluse~1\applic~1\OnlineArmor

2010-06-19 13:17:57 24440 ----a-w- c:\windows\system32\drivers\OAmon.sys

2010-06-19 13:17:56 29560 ----a-w- c:\windows\system32\drivers\OAnet.sys

2010-06-19 13:17:56 228216 ----a-w- c:\windows\system32\drivers\OADriver.sys

2010-06-19 13:17:54 0 d-----w- c:\program files\Online Armor

2010-06-19 12:32:04 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-19 12:32:02 0 d-----w- c:\program files\Malwarebytes' Anti-Malware 4

2010-06-19 12:27:07 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-19 08:22:01 0 d-----w- c:\program files\Trend Micro

2010-06-19 08:16:29 0 d-----w- c:\program files\Revo Uninstaller

2010-06-18 19:04:30 0 d-----w- c:\program files\Malwarebytes' Anti-Malware 3

2010-06-15 18:32:18 0 d-----w- c:\windows\network diagnostic

2010-06-15 18:31:17 63488 -c----w- c:\windows\system32\dllcache\icardie.dll

2010-06-15 18:31:17 380928 -c----w- c:\windows\system32\dllcache\ieapfltr.dll

2010-06-15 18:31:17 13824 -c----w- c:\windows\system32\dllcache\ieudinit.exe

2010-06-15 18:31:16 991232 -c----w- c:\windows\system32\dllcache\ieframe.dll.mui

2010-06-15 18:31:16 2452872 -c----w- c:\windows\system32\dllcache\ieapfltr.dat

2010-06-13 11:40:23 0 d-----w- c:\windows\system32\wbem\Repository

2010-06-13 11:39:44 0 d-----w- c:\program files\Sharpe

2010-06-13 11:38:08 0 d-----w- c:\program files\Firefox

2010-06-13 01:59:40 0 d-----w- C:\9ec8395bee5edd2f7bc2ddac458b90

2010-06-12 12:39:33 0 d-----w- c:\program files\Malwarebytes' Anti-Malware 2

2010-06-09 18:32:40 0 d-----w- c:\windows\system32\%USERPROFILE%

2010-06-09 18:02:47 35134 ----a-w- c:\windows\system32\log1.dmp

2010-06-06 14:15:17 0 d-----w- c:\program files\Firefox 363

2010-06-06 12:59:46 0 d-----w- c:\program files\Firefox 3011

2010-06-06 10:47:58 0 d-----w- c:\program files\LimeWire

2010-06-06 10:46:16 0 d-----w- C:\stained glass images

==================== Find3M ====================

2094-01-27 19:15:14 42512 -c--a-r- c:\windows\fonts\AnkeCalligraph.TTF

2010-06-19 14:25:24 90112 ----a-w- c:\windows\DUMP24be.tmp

2010-05-16 12:59:42 109536 ---ha-w- c:\windows\system32\mlfcache.dat

2010-05-09 07:36:59 480 ----a-w- c:\program files\keys.dat

2010-05-09 07:36:57 813939 ----a-w- c:\program files\normal.vs

2010-05-09 07:36:57 61495 ----a-w- c:\program files\ssimages.vs

2010-05-09 07:36:51 102400 ----a-w- c:\program files\HXAudioDeviceHook.dll

2010-05-09 07:36:50 86016 ----a-w- c:\program files\rpplugprot.dll

2010-05-09 07:36:50 63016 ----a-w- c:\program files\rpshell.dll

2010-05-09 07:36:50 112168 ----a-w- c:\program files\rdsf3260.dll

2010-05-09 07:36:49 50 ----a-w- c:\program files\strs23.dat

2010-05-09 07:36:49 13 ----a-w- c:\program files\strs26.dat

2010-05-09 07:36:49 1030 ----a-w- c:\program files\autoplaylist.dat

2010-05-09 07:36:48 7168 ----a-w- c:\program files\realjbox.exe

2010-05-09 07:36:48 14888 ----a-w- c:\program files\rphelperapp.exe

2010-05-09 07:35:58 716 ----a-w- c:\program files\CinemasterVideo.4.3.manifest

2010-05-09 07:35:58 572 ----a-w- c:\program files\CinemasterAudio.4.3.manifest

2010-05-09 07:35:58 488968 ----a-w- c:\program files\realplay.exe

2010-05-09 07:35:58 1559 ----a-w- c:\program files\realplay.exe.manifest

2010-05-09 07:35:57 499712 ----a-w- c:\windows\system32\msvcp71.dll

2010-05-09 07:35:57 348160 ----a-w- c:\windows\system32\msvcr71.dll

2010-05-09 07:35:57 23558 ----a-w- c:\program files\freeoffers.ico

2010-05-09 07:35:57 221 ----a-w- c:\program files\subscription.rnx

2010-05-09 07:35:57 17846 ----a-w- c:\program files\videotest.rm

2010-05-09 07:35:57 177 ----a-w- c:\program files\freeoffers.rnx

2010-05-09 07:35:54 685 ----a-w- c:\program files\RecordingManager.exe.manifest

2010-05-09 07:35:54 407104 ----a-w- c:\program files\RecordingManager.exe

2010-05-04 17:20:39 832512 ----a-w- c:\windows\system32\wininet.dll

2010-05-04 17:20:34 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-05-04 17:20:32 17408 ------w- c:\windows\system32\corpol.dll

2010-05-02 05:56:34 1850880 ----a-w- c:\windows\system32\win32k.sys

2010-04-20 05:51:20 285696 ----a-w- c:\windows\system32\atmfd.dll

============= FINISH: 23:42:41.76 ===============

I have also ran Hijackthis, please let me know if you want the logs from that.

Thank you in advance for any assistance on this!

Attach.zip

Link to post
Share on other sites

Win 7 Antispyware 2010 Removal Guide

http://www.bleepingcomputer.com/virus-remo...irus-vista-2010

Malwarebytes Anti-Malware 1.44 is very old.

Download

Malwarebytes Anti-Malware 1.46

Update/Run Malwarebytes

Double Click the Malwarebytes Anti-Malware icon to run the application.

  • Click on the update tab then click on Check for updates.
  • If an update is found, it will download and install the latest version.
  • Once the update has loaded, go to the Scanner tab and select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Link to post
Share on other sites

Ah, XP Security Tool 2010 rings a bell. I had a version of this a few months ago. I had thought I had eradicated it then as all seemed well for weeks after. Obviously not...

One thing I'm not certain about: the instructions at beepingcomputer.com say to "use a different computer than the infected one." Unfortunately I don't have that option, this is the only computer I can access.

Here's my log:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4244

Windows 5.1.2600 Service Pack 2

Internet Explorer 7.0.5730.13

26/06/2010 21:11:53

mbam-log-2010-06-26 (21-11-53).txt

Scan type: Full scan (C:\|)

Objects scanned: 250775

Time elapsed: 1 hour(s), 46 minute(s), 17 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Link to post
Share on other sites

Thank you for your prompt assistance crysty2k5!

The first time I ran ComboFix I got a blue screen saying !A problem has been detected..." but I rebooted and ran it again, this time without any hitches.

I was pleased that it found 2 registry backups I had recently done (which I guessed would be infected).

It found some things I wasn't expecting. When I download anything I'm careful not to knowingly install adware/spyware too - or so I thought.

c:\program files\freeoffers.ico

c:\program files\subscription.rnx

c:\program files\videotest.rm

c:\program files\freeoffers.rnx

c:\program files\RecordingManager.exe.manifest

c:\program files\RecordingManager.exe

Limewire I do know about but never used and uninstalled a while back. (I hadn't realised the folder was still there)

ComboFix log:

ComboFix 10-06-26.03 - User 27/06/2010 16:43:26.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.959.655 [GMT 1:00]

Running from: c:\documents and settings\User\Desktop\CF.exe

Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt

AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FW: Online Armor Firewall *disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}

FILE ::

"c:\system volume information\Microsoft\services.exe"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\User\My Documents\regbackup 12 june 10.reg

c:\documents and settings\User\My Documents\regbackup 20 june 10.reg

c:\program files\Internet Explorer\SET11F.tmp

c:\program files\Internet Explorer\SET120.tmp

c:\program files\Internet Explorer\SET4.tmp

c:\program files\Internet Explorer\SET5.tmp

c:\program files\Internet Explorer\SET9.tmp

c:\program files\Internet Explorer\SETA.tmp

c:\system volume information\Microsoft\services.exe

.

((((((((((((((((((((((((( Files Created from 2010-05-27 to 2010-06-27 )))))))))))))))))))))))))))))))

.

2010-06-27 14:53 . 2010-06-27 14:53 -------- d-----w- C:\Backup C drive

2010-06-27 14:49 . 2010-06-27 15:06 -------- d-----w- c:\program files\Runtime Software

2010-06-24 19:32 . 2010-06-24 19:33 -------- d-----w- c:\documents and settings\User\Application Data\Facebook

2010-06-19 13:18 . 2010-06-19 14:31 -------- d-----w- c:\documents and settings\All Users\Application Data\OnlineArmor

2010-06-19 13:18 . 2010-06-19 13:19 -------- d-----w- c:\documents and settings\User\Application Data\OnlineArmor

2010-06-19 13:17 . 2010-04-20 03:13 24440 ----a-w- c:\windows\system32\drivers\OAmon.sys

2010-06-19 13:17 . 2010-04-20 03:13 29560 ----a-w- c:\windows\system32\drivers\OAnet.sys

2010-06-19 13:17 . 2010-04-20 03:13 228216 ----a-w- c:\windows\system32\drivers\OADriver.sys

2010-06-19 13:17 . 2010-06-19 22:24 -------- d-----w- c:\program files\Online Armor

2010-06-19 12:32 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-19 12:32 . 2010-06-19 12:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 4

2010-06-19 12:27 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-19 08:22 . 2010-06-19 08:22 -------- d-----w- c:\program files\Trend Micro

2010-06-19 08:16 . 2010-06-19 08:16 -------- d-----w- c:\program files\Revo Uninstaller

2010-06-18 19:04 . 2010-06-19 12:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 3

2010-06-15 18:31 . 2010-05-04 17:20 380928 -c----w- c:\windows\system32\dllcache\ieapfltr.dll

2010-06-15 18:31 . 2010-05-04 17:20 63488 -c----w- c:\windows\system32\dllcache\icardie.dll

2010-06-15 18:31 . 2010-04-16 13:24 13824 -c----w- c:\windows\system32\dllcache\ieudinit.exe

2010-06-15 18:31 . 2010-02-22 22:04 2452872 -c----w- c:\windows\system32\dllcache\ieapfltr.dat

2010-06-13 11:40 . 2010-06-13 11:40 -------- d-----w- c:\windows\system32\wbem\Repository

2010-06-13 11:39 . 2010-06-13 11:39 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Moon Phase

2010-06-06 11:56 . 2010-06-06 11:56 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE

2010-06-06 10:54 . 2010-06-06 10:54 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!

2010-06-06 10:54 . 2010-06-06 10:54 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2010-06-06 10:47 . 2010-06-19 09:45 -------- d-----w- c:\program files\LimeWire

2010-06-06 10:46 . 2010-06-06 10:46 -------- d-----w- C:\stained glass images

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-26 22:31 . 2008-05-28 11:19 90112 ----a-w- c:\windows\DUMP2c11.tmp

2010-06-22 19:08 . 2010-06-06 14:15 -------- d-----w- c:\program files\Firefox 363

2010-06-19 22:29 . 2010-03-10 23:30 -------- d-----w- c:\program files\EasyCleaner

2010-06-19 14:25 . 2008-05-28 11:19 90112 ----a-w- c:\windows\DUMP24be.tmp

2010-06-19 12:27 . 2010-03-07 16:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-19 09:44 . 2010-03-11 09:57 -------- d-----w- c:\documents and settings\User\Application Data\Juniper Networks

2010-06-19 09:42 . 2010-01-02 16:08 -------- d-----w- c:\program files\Jaangle

2010-06-19 09:37 . 2009-05-04 09:21 -------- d-----w- c:\program files\Ashampoo

2010-06-19 08:47 . 2009-01-02 23:05 -------- d-----w- c:\program files\Starry Night Backyard

2010-06-13 11:39 . 2010-06-06 12:59 -------- d-----w- c:\program files\Firefox 3011

2010-06-13 11:39 . 2010-06-13 11:39 -------- d-----w- c:\program files\Sharpe

2010-06-13 11:39 . 2008-06-05 17:26 -------- d-----w- c:\program files\Yahoo!

2010-06-13 11:38 . 2010-06-13 11:38 -------- d-----w- c:\program files\Firefox

2010-06-13 11:38 . 2010-06-12 12:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2

2010-06-13 11:38 . 2008-07-05 16:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-06-12 17:08 . 2010-06-12 17:08 -------- d-----w- c:\documents and settings\Administrator.PRIVATE-79D9A68.002\Application Data\Malwarebytes

2010-06-09 10:45 . 2010-06-09 10:45 5591040 ----a-w- c:\documents and settings\User\Application Data\Facebook\npfbplugin_1_0_3.dll

2010-06-06 17:08 . 2008-05-28 11:35 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-06-06 12:42 . 2010-03-21 14:05 -------- d-----w- c:\program files\Avast5

2010-06-06 10:50 . 2010-05-16 12:54 -------- d-----w- c:\program files\Safari

2010-05-31 11:50 . 2009-11-08 17:45 -------- d-----w- c:\program files\Pattern Wizard

2010-05-30 19:38 . 2008-12-28 15:07 146504 -c--a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-05-24 16:10 . 2010-05-16 12:53 -------- d-----w- c:\program files\QuickTime

2010-05-24 16:10 . 2010-05-16 12:51 -------- d-----w- c:\program files\Apple Software Update

2010-05-24 16:09 . 2010-01-24 21:29 -------- d-----w- c:\program files\Google

2010-05-22 16:08 . 2010-04-05 08:23 -------- d-----w- c:\documents and settings\User\Application Data\Sites

2010-05-16 16:48 . 2010-04-05 08:23 -------- d-----w- c:\documents and settings\User\Application Data\SiteClasses

2010-05-16 12:59 . 2010-05-16 12:59 109536 ---ha-w- c:\windows\system32\mlfcache.dat

2010-05-16 12:55 . 2008-05-28 12:45 -------- d-----w- c:\documents and settings\User\Application Data\Apple Computer

2010-05-16 12:52 . 2008-05-28 12:43 -------- d-----w- c:\program files\Common Files\Apple

2010-05-10 15:06 . 2010-01-02 18:44 -------- d-----w- c:\program files\Dirhtml

2010-05-10 13:37 . 2010-05-10 13:37 -------- d-----w- c:\program files\dirhtml_-_v4-852_BETA

2010-05-09 16:39 . 2008-06-05 19:20 -------- d-----w- c:\program files\Opera

2010-05-09 07:36 . 2010-05-09 07:36 480 ----a-w- c:\program files\keys.dat

2010-05-09 07:35 . 2010-05-09 07:35 716 ----a-w- c:\program files\CinemasterVideo.4.3.manifest

2010-05-09 07:35 . 2010-05-09 07:35 572 ----a-w- c:\program files\CinemasterAudio.4.3.manifest

2010-05-09 07:35 . 2010-05-09 07:35 488968 ----a-w- c:\program files\realplay.exe

2010-05-09 07:35 . 2010-05-09 07:35 1559 ----a-w- c:\program files\realplay.exe.manifest

2010-05-09 07:35 . 2010-05-09 07:35 23558 ----a-w- c:\program files\freeoffers.ico

2010-05-09 07:35 . 2010-05-09 07:35 221 ----a-w- c:\program files\subscription.rnx

2010-05-09 07:35 . 2010-05-09 07:35 17846 ----a-w- c:\program files\videotest.rm

2010-05-09 07:35 . 2010-05-09 07:35 177 ----a-w- c:\program files\freeoffers.rnx

2010-05-09 07:35 . 2004-10-07 18:40 348160 ----a-w- c:\windows\system32\msvcr71.dll

2010-05-09 07:35 . 2003-03-18 20:14 499712 ----a-w- c:\windows\system32\msvcp71.dll

2010-05-09 07:35 . 2010-05-09 07:35 685 ----a-w- c:\program files\RecordingManager.exe.manifest

2010-05-09 07:35 . 2010-05-09 07:35 407104 ----a-w- c:\program files\RecordingManager.exe

2010-05-07 17:43 . 2010-05-06 20:32 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2010-05-06 20:59 . 2010-03-21 14:06 165032 ----a-w- c:\windows\system32\aswBoot.exe

2010-05-06 20:39 . 2010-03-21 14:06 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2010-05-06 20:39 . 2010-03-21 14:06 164048 ----a-w- c:\windows\system32\drivers\aswSP.sys

2010-05-06 20:38 . 2010-05-06 20:38 1956656 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe

2010-05-06 20:34 . 2010-03-21 14:06 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2010-05-06 20:33 . 2010-03-21 14:06 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2010-05-06 20:33 . 2010-03-21 14:06 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys

2010-05-06 20:33 . 2010-03-21 14:06 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2010-05-06 20:33 . 2010-03-21 14:06 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2010-05-06 20:32 . 2010-05-06 20:32 1924976 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe

2010-05-04 17:20 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll

2010-05-04 17:20 . 2010-05-09 08:13 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-05-04 17:20 . 2004-08-04 12:00 17408 ------w- c:\windows\system32\corpol.dll

2010-05-02 05:56 . 2004-08-04 12:00 1850880 ----a-w- c:\windows\system32\win32k.sys

2010-04-20 05:51 . 2004-08-04 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll

2010-04-14 16:47 . 2010-03-21 14:06 38848 ----a-w- c:\windows\system32\avastSS.scr

2010-04-13 19:27 . 2010-04-13 19:27 1024 ----a-w- c:\documents and settings\All Users\Application Data\BVRP Software\Motorola Phone Tools\faxres.cmd

2010-04-11 13:12 . 2009-12-27 22:38 38784 ----a-w- c:\documents and settings\User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avast5"="c:\program files\Avast5\avastUI.exe" [2010-05-06 2815192]

"@OnlineArmor GUI"="c:\program files\Online Armor\oaui.exe" [2010-04-20 6678008]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoResolveTrack"= 1 (0x1)

"NoFileAssociate"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\Online Armor\oaevent.dll" [2010-04-20 925688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"UIHost"="c:\windows\system32\logonui.exe"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk

backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 9.0 Tray Icon.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AOL 9.0 Tray Icon.lnk

backup=c:\windows\pss\AOL 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Find Fast.lnk

backup=c:\windows\pss\Microsoft Find Fast.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Office Startup.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Office Startup.lnk

backup=c:\windows\pss\Office Startup.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ScanPanel.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ScanPanel.lnk

backup=c:\windows\pss\ScanPanel.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Utility Tray.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Utility Tray.lnk

backup=c:\windows\pss\Utility Tray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^BBC iPlayer Desktop.lnk]

path=c:\documents and settings\User\Start Menu\Programs\Startup\BBC iPlayer Desktop.lnk

backup=c:\windows\pss\BBC iPlayer Desktop.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^OpenOffice.org 2.3.lnk]

path=c:\documents and settings\User\Start Menu\Programs\Startup\OpenOffice.org 2.3.lnk

backup=c:\windows\pss\OpenOffice.org 2.3.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]

path=c:\documents and settings\User\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk

backup=c:\windows\pss\OpenOffice.org 2.4.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\%FP%Friendly fts.exe]

2003-05-06 08:28 72192 -c----w- c:\program files\VoyagerTest\fts.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2010-03-24 18:17 952768 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]

2007-12-07 15:30 71008 -c--a-r- c:\program files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2004-08-04 12:00 15360 -c--a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLAGENTEXE]

2003-08-19 11:47 16384 ------w- c:\program files\BT Voyager 105 ADSL Modem\dslagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLSTATEXE]

2003-06-28 14:10 1658965 -c----w- c:\program files\BT Voyager 105 ADSL Modem\dslstat.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]

2006-09-26 00:52 50736 -c--a-w- c:\program files\Common Files\AOL\1212686123\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2008-03-30 09:36 267048 -c--a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-06-04 17:24 1697792 -csh--w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-11-10 22:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSPower]

2005-01-04 16:54 49152 -c--a-w- c:\windows\system32\SiSPower.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSUSBRG]

2002-07-12 18:15 106496 -c--a-w- c:\windows\SiSUSBrg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

2004-11-15 18:20 77824 -c--a-w- c:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]

2009-03-05 16:07 2260480 -c----w- c:\program files\Spybot\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2009-05-21 10:34 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2010-05-09 07:35 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]

2009-07-01 16:37 37888 -c--a-w- c:\program files\Winamp 556\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinMem]

2006-06-19 13:54 505856 -c--a-w- c:\program files\WinCleaner Memory Optimizer\WinMemOpt.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=

"c:\\Program Files\\AOL 9.0\\waol.exe"=

"c:\\Program Files\\Common Files\\AOL\\1212686123\\ee\\aolsoftware.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\ESTsoft\\ALFTP\\ALFTP.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\Program Files\\Opera\\opera.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [21/03/2010 15:06 164048]

R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [19/06/2010 14:17 228216]

R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [19/06/2010 14:17 24440]

R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [19/06/2010 14:17 29560]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [21/03/2010 15:06 19024]

R2 OAcat;Online Armor Helper Service;c:\program files\Online Armor\oacat.exe [19/06/2010 14:17 1284600]

R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);c:\windows\system32\drivers\RMSPPPOE.SYS [06/06/2008 19:41 31424]

R3 SampleScanner;USB Flatbed Scanner Driver;c:\windows\system32\drivers\ArtecGT.sys [22/06/2008 18:37 18120]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [24/01/2010 22:29 135664]

S2 SvcOnlineArmor;Online Armor;c:\program files\Online Armor\oasrv.exe [19/06/2010 14:17 3364856]

S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]

.

Contents of the 'Scheduled Tasks' folder

2010-03-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cac6d31d3536ca.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-24 21:29]

2010-06-27 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-18.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]

2010-06-19 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1005613975-2905802216-136057822-1003.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]

2010-06-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-18.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]

2010-06-19 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1005613975-2905802216-136057822-1003.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.co.uk/

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?ei=ISO-8859-1&fr=vmn&type=vmn&q={searchTerms}

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

TCP: {8A0C53D9-E2B0-439B-B985-7CF83F2B5650} = 92.31.241.20 92.31.241.21

FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\h63q6oq3.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=

FF - prefs.js: browser.search.selectedEngine - Yahoo

FF - prefs.js: browser.startup.homepage - chrome://speeddial/content/speeddial.xul

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=

FF - component: c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\h63q6oq3.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\platform\WINNT_x86-msvc\components\SSSLauncher.dll

FF - plugin: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll

FF - plugin: c:\documents and settings\User\Application Data\Facebook\npfbplugin_1_0_3.dll

FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\Opera\program\plugins\NPMetaStream3.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

FF - user.js: browser.blink_allowed - true

FF - user.js: network.prefetch-next - true

FF - user.js: nglayout.initialpaint.delay - 250

FF - user.js: layout.spellcheckDefault - 1

FF - user.js: browser.urlbar.autoFill - false

FF - user.js: browser.search.openintab - false

FF - user.js: browser.tabs.closeButtons - 1

FF - user.js: browser.tabs.opentabfor.middleclick - true

FF - user.js: browser.tabs.tabMinWidth - 100

FF - user.js: browser.urlbar.hideGoButton - false

FF - user.js: yahoo.homepage.dontask - truec:\program files\Firefox 363\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Firefox 363\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Firefox 363\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Firefox 363\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr

ef", true);

c:\program files\Firefox 363\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Firefox 363\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Firefox 363\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Firefox 363\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Firefox 363\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Firefox 363\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

.

- - - - ORPHANS REMOVED - - - -

HKU-Default-RunOnce-FlashPlayerUpdate - c:\windows\system32\Macromed\Flash\FlashUtil10e.exe

MSConfigStartUp-ConnectionCenter - c:\program files\Citrix\ICA Client\concentr.exe

MSConfigStartUp-Picasa Media Detector - c:\program files\Picasa2\PicasaMediaDetector.exe

MSConfigStartUp-RealTray - c:\program files\Real\RealPlayer\RealPlay.exe

MSConfigStartUp-Search Protection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe

AddRemove-KB923789 - c:\windows\system32\MacroMed\Flash\genuinst.exe

AddRemove-Facebook Plug-In - c:\documents and settings\User\Application Data\Facebook\uninstall.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-27 16:49

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,99,c2,d2,a7,a8,a8,c5,49,a0,61,51,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,99,c2,d2,a7,a8,a8,c5,49,a0,61,51,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

Completion time: 2010-06-27 16:51:43

ComboFix-quarantined-files.txt 2010-06-27 15:51

Pre-Run: 6,058,258,432 bytes free

Post-Run: 6,151,172,096 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 7358121E4D624F9CC890529F6857C3E5

Thanks again for your help! :-)

Link to post
Share on other sites

I see in your logs that you have RealPlayer installed. I thing you installed RealPayer in Program Files without any other folder.

Please pack this folder in an archive, protected with the password infected (with WinZIP, WinRAR, 7-ZIP, etc).

C:\Qoobox

I'll send them to MalwareBytes Lab.

You can pack those files if you didn't installed Real Player on your PC.

KASPERSKY ONLINE SCAN

-----------------------------------

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT

  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:

    • Extended (if available otherwise Standard)

    • Scan Options:

    • Scan Archives
      Scan Mail Bases

    [*]Click OK

    [*]Now under select a target to scan:

    • Select My Computer

    [*]This will program will start and scan your system.

    [*]The scan will take a while so be patient and let it run.

    [*]Once the scan is complete it will display if your system has been infected.

    • Now click on the Save as Text button:

    [*]Save the file to your desktop.

    [*]Copy and paste that information in your next post.

Thank you elise025 for the canneds.

Link to post
Share on other sites

Argh, you're right, Realplayer is there. I regard it as 'foist-ware' and hadn't knowingly installed it. Unfortunately it's listed under 'Add & remove programs' so it looks like it's installed. I'd love to get rid of it - please let me know when it's ok to do that.

I'm having a problem uploading Qoobox.zip. Even with maximum compression it's 13mb. Instructions, please.

KASPERSKY ONLINE SCANNER 7.0: scan report

Tuesday, June 29, 2010

Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Monday, June 28, 2010 16:26:23

Records in database: 4271715

Scan settings

scan using the following database extended

Scan archives yes

Scan e-mail databases yes

Scan area My Computer

A:\

C:\

D:\

Scan statistics

Objects scanned 110132

Threats found 4

Infected objects found 9

Suspicious objects found 0

Scan duration 02:52:44

File name Threat Threats count

C:\System Volume Information\Microsoft\services.exe/C:\System Volume Information\Microsoft\services.exe Infected: Trojan-Clicker.Win32.Cycler.ajsm 1

C:\System Volume Information\Microsoft\smss.exe/C:\System Volume Information\Microsoft\smss.exe Infected: Trojan-Clicker.Win32.Cycler.ajsm 1

C:\Documents and Settings\User\My Documents\My Backups\TestFile.exe Infected: not-a-virus:AdWare.Win32.SearchIt.f 1

C:\Program Files\Opera\mail\store\account0\2008\07\30\399.mbs Infected: Packed.Win32.Katusha.a 1

C:\Qoobox\Quarantine\C\System Volume Information\Microsoft\services.exe.vir Infected: Trojan-Clicker.Win32.Cycler.ajsm 1

C:\System Volume Information\Microsoft\services.exe Infected: Trojan-Clicker.Win32.Cycler.ajsm 1

C:\System Volume Information\Microsoft\smss.exe Infected: Trojan-Clicker.Win32.Cycler.ajsm 1

C:\System Volume Information\_restore{147DC888-EBCE-482D-8920-A3F92445276E}\RP428\A0120701.exe Infected: not-a-virus:PSWTool.Win32.ProductKey.aj 1

C:\System Volume Information\_restore{147DC888-EBCE-482D-8920-A3F92445276E}\RP428\A0120702.exe Infected: not-a-virus:PSWTool.Win32.ProductKey.aj 1

Selected area has been scanned.

Thanks again.

Link to post
Share on other sites

Upload Qoobox.zip here:

http://www.rapidshare.com/

Send me a PM with the link.

http://forums.malwarebytes.org/index.php?a...=4&MID=7603

How to gain access to the System Volume Information folder

http://support.microsoft.com/kb/309531

Delete all the files and folders inside C:\System Volume Information.

After this, turn off System Restore. Restart. Activate System Restore.

* [XP] Control Panel -> System -> System Restore - check Turn off System Restore on all drives, Apply, OK.

Link to post
Share on other sites

Delete all the files and folders inside C:\System Volume Information.

I got stuck at this point. Two folders, Microsoft and _restore{147DC... On trying to delete them I get the error message "Cannot delete services.exe. It is being used by another person or program." Is there anything else I can do?

Thanks again.

Link to post
Share on other sites

Yes. Reboot in Safe Mode . Regain access System Volume Information folder and delete all the files and folders from here:

C:\System Volume Information\

Turn off System Restore.

Reboot in Normal Mode.

Update/Run Malwarebytes

Double Click the Malwarebytes Anti-Malware icon to run the application.

  • Click on the update tab then click on Check for updates.
  • If an update is found, it will download and install the latest version.
  • Once the update has loaded, go to the Scanner tab and select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Link to post
Share on other sites

Right, that's done.

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4261

Windows 5.1.2600 Service Pack 2

Internet Explorer 7.0.5730.13

30/06/2010 20:44:41

mbam-log-2010-06-30 (20-44-41).txt

Scan type: Full scan (C:\|)

Objects scanned: 245828

Time elapsed: 1 hour(s), 42 minute(s), 47 second(s)

Memory Processes Infected: 2

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 3

Memory Processes Infected:

C:\System Volume Information\Microsoft\services.exe (Trojan.Cycler) -> Failed to unload process.

C:\System Volume Information\Microsoft\smss.exe (Trojan.Cycler) -> Failed to unload process.

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\System Volume Information\Microsoft\services.exe (Trojan.Cycler) -> Delete on reboot.

C:\System Volume Information\Microsoft\smss.exe (Trojan.Cycler) -> Delete on reboot.

C:\Qoobox\Quarantine\C\System Volume Information\Microsoft\services.exe.vir (Trojan.Cycler) -> Quarantined and deleted successfully.

I rebooted - computer rebooted 3 times before it settled down but loaded things much more quickly. My broadband connected first time and quickly, for the first time in at least 3 weeks.

However, I decided to run MBAM again: Within 5 seconds it found them again (I only scanned for a few seconds):

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4261

Windows 5.1.2600 Service Pack 2

Internet Explorer 7.0.5730.13

30/06/2010 21:38:57

mbam-log-2010-06-30 (21-38-57).txt

Scan type: Quick scan

Objects scanned: 3889

Time elapsed: 20 second(s)

Memory Processes Infected: 2

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

C:\System Volume Information\Microsoft\smss.exe (Trojan.Cycler) -> Failed to unload process.

C:\System Volume Information\Microsoft\services.exe (Trojan.Cycler) -> Failed to unload process.

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\System Volume Information\Microsoft\smss.exe (Trojan.Cycler) -> Delete on reboot.

C:\System Volume Information\Microsoft\services.exe (Trojan.Cycler) -> Delete on reboot.

Just now Online Armor popped up warnings about smss.exe and Avast about a Trojan in System Volume Information\Microsoft\smss.exe

Your time and offer to make a script is very much appreciated.

Link to post
Share on other sites

Take a look here:

http://helpdeskgeek.com/how-to/fix-mbr-xp-vista/

Print it so you can read it offline. If Combofix doesn't do the trick, you need to fix the MBR.

Download: http://subs.geekstogo.com/ComboFix.exe and save it on your Desktop.

Open Notepad and copy/paste the text in the quotebox below into it:

File::

C:\System Volume Information\Microsoft\smss.exe

C:\System Volume Information\Microsoft\services.exe

Save this as:

CFScript.txt

Drag CFScript.txt into ComboFix.exe

CFScript.gif

Then post the resultant log here.

I got this from shadowwar, MalwareBytes Research Engineer.

http://forums.malwarebytes.org/index.php?showtopic=55448

This is a mbr patcher. We just added defs for it. The mbr has to be fixed to remove it.

Run mbam scan. reboot to recovery console.

run fixmbr.

http://helpdeskgeek.com/how-to/fix-mbr-xp-vista/

Then exit console and let normal boot happen.. files should be gone. If not run scan one more time.

Cheers.

Link to post
Share on other sites

I ran Combofix as instructed. It rebooted then gave the message that it was preparing a log file, but didn't. Combofix seemed to finish, the dialogue box closed and an IE shortcut icon appeared on my desktop. I tried it 3 times altogether with the same result: no log file. Rather puzzling.

I don't have an Windows Xp setup disc but might be able to get one from the shop where my computer was built. That would have to wait until the weekend.

I've heard of Torrent but never used it. Could you please reccomend a trusted site, I don't want to risk going to a possible malware site.

Link to post
Share on other sites

I got the disc and followed instructions. It seemed to go well. The computer rebooted correctly the first time too.

I updated and ran mbam again, and it still found trojans on smss.exe and services.exe:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4277

Windows 5.1.2600 Service Pack 2

Internet Explorer 7.0.5730.13

05/07/2010 15:04:31

mbam-log-2010-07-05 (15-04-31).txt

Scan type: Full scan (C:\|)

Objects scanned: 245155

Time elapsed: 1 hour(s), 37 minute(s), 28 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\Software\Visicom Media (Adware.KeenValue) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\System Volume Information\Microsoft\services.exe (Trojan.Cycler) -> Quarantined and deleted successfully.

C:\System Volume Information\Microsoft\smss.exe (Trojan.Cycler) -> Quarantined and deleted successfully.

Visicom Media is the company behind my html editor (Acehtmlfree) and ftp program (Aceftp3free). I won't use them again.

After the computer rebooted (it took 2 goes to do this) I decided to run Kaspersky's online scanner again. This was the result:

Monday, July 5, 2010

Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Monday, July 05, 2010 10:29:17

Records in database: 4242618

Scan settings

scan using the following database extended

Scan archives yes

Scan e-mail databases yes

Scan area My Computer

A:\

C:\

D:\

Scan statistics

Objects scanned 111579

Threats found 4

Infected objects found 10

Suspicious objects found 0

Scan duration 03:58:44

File name Threat Threats count

C:\Documents and Settings\User\My Documents\My Backups\TestFile.exe Infected: not-a-virus:AdWare.Win32.SearchIt.f 1

C:\Program Files\Opera\mail\store\account0\2008\07\30\399.mbs Infected: Packed.Win32.Katusha.a 1

C:\Qoobox\Quarantine\C\System Volume Information\Microsoft\_services_.exe.zip Infected: Trojan-Clicker.Win32.Cycler.ajsm 3

C:\Qoobox\Quarantine\C\System Volume Information\Microsoft\_smss_.exe.zip Infected: Trojan-Clicker.Win32.Cycler.ajsm 3

C:\System Volume Information\_restore{147DC888-EBCE-482D-8920-A3F92445276E}\RP1\A0000265.exe Infected: not-a-virus:PSWTool.Win32.ProductKey.aj 1

C:\System Volume Information\_restore{147DC888-EBCE-482D-8920-A3F92445276E}\RP1\A0000266.exe Infected: not-a-virus:PSWTool.Win32.ProductKey.aj 1

Selected area has been scanned.

Is it ok for me to get rid of Qoobox now? (Also files from My Backups?)

Link to post
Share on other sites

I've now uninstalled Combofix and Qoobox.

I printed out and followed that tutorial to the letter. However, I did a full scan with mbam (updating each time) afterwards with the result is that smss.exe and services.exe are still infected. It quarantines then deletes the 2 files.

After running Kaspersky again (see my post above) and seeing the results I deleted the infected files:

C:\Documents and Settings\User\My Documents\My Backups\TestFile.exe Infected: not-a-virus:AdWare.Win32.SearchIt.f 1

C:\Program Files\Opera\mail\store\account0\2008\07\30\399.mbs Infected: Packed.Win32.Katusha.a 1

My problem is that after updating and running mbam once more I still get the result that smss.exe and services.exe were found to be infected again.

Link to post
Share on other sites

Well now, this is interesting.

Bootkit Remover version 1.0.0.1

© 2009 eSage Lab

www.esagelab.com

\\.\C: -> \\.\PhysicalDrive0

MD5: 6def5ffcbcdbdb4082f1015625e597bd

Size Device Name MBR Status

--------------------------------------------

37 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)

Press any key to quit...

I've run mbam once more, this time it didn't find anything for smss.exe or services.exe, just one registry key for Visicom Media:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4288

Windows 5.1.2600 Service Pack 2

Internet Explorer 7.0.5730.13

07/07/2010 14:29:42

mbam-log-2010-07-07 (14-29-42).txt

Scan type: Full scan (C:\|)

Objects scanned: 238928

Time elapsed: 1 hour(s), 32 minute(s), 5 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\Software\Visicom Media (Adware.KeenValue) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Dare I hope that's it??

Link to post
Share on other sites

Turn off System Restore.

Restart your PC.

Run a full scan with MalwareBytes. If it doesn't find anything...that's all :D

If it does find something...

Open Notepad. Copy and paste the following text into it:

@ECHO OFF

START remover.exe fix \\.\PhysicalDrive0

EXIT

Note: remover.exe must be on your desktop !!!!!!

Save it as Fix.bat at the desktop. Make sure the Save as type: is All Files (*.*).

Double click on Fix.bat to run it. Allow if prompted by any security software.

Finally, please post your log file in your next reply.

http://forums.malwarebytes.org/index.php?s...st&p=279138

Link to post
Share on other sites

I'm pleased to report that mbam didn't find anything wrong this time:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4291

Windows 5.1.2600 Service Pack 2

Internet Explorer 7.0.5730.13

08/07/2010 09:05:23

mbam-log-2010-07-08 (09-05-23).txt

Scan type: Full scan (C:\|)

Objects scanned: 239529

Time elapsed: 1 hour(s), 28 minute(s), 59 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.