
Browser/System infected - Trojan.Hiloti.Gen, Malware.Packer.Gen, Backdoor.Bot, Spyware.Zbot?



Hello all, hopefully someone can help me out.

I'm infected with something, not sure what or how it happened as I am normally very careful with what I click/install. In any case, the only visible symptom is that occasionally a new tab will open in Firefox while I am browsing, usually with some sort of search. For instance, last night I did a Google search and then this morning a new tab opened with the Google search terms entered in a search at "shopica.com".

There is probably something more nefarious going on behind the scenes but the search thing is the only symptom that is visible to me. The most recent Malwarebytes search classified some of the items as "Stolen.Data" so hopefully no passwords or personal data have been compromised.

I've updated/scanned/removed/quarantined with Malwarebytes, AVG and Ad Aware but still this remains.

I will include all of the MBAM, DDS and GMER logs as inline text or attached. Thanks in advance for any assistance!

========================================================================

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4258

Windows 5.1.2600 Service Pack 2

Internet Explorer 6.0.2900.2180

6/29/2010 12:03:41 PM

mbam-log-2010-06-29 (12-03-41).txt

Scan type: Quick scan

Objects scanned: 134421

Time elapsed: 6 minute(s), 1 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 2

Registry Values Infected: 2

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 8

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\ociorp.dll (Trojan.Hiloti.Gen) -> Delete on reboot.

Registry Keys Infected:

HKEY_CLASSES_ROOT\AppID\{38061edc-40bb-4618-a8da-e56353347e6d} (Adware.EZlife) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vnucaka (Trojan.Hiloti.Gen) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bcydiolh (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\ociorp.dll (Trojan.Hiloti.Gen) -> Delete on reboot.

C:\RECYCLER\S-1-5-21-1757981266-1383384898-725345543-1003\Dc3.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\RECYCLER\S-1-5-21-1757981266-1383384898-725345543-1003\Dc4.exe (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.

C:\RECYCLER\S-1-5-21-1757981266-1383384898-725345543-1003\Dc8.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\net.net (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Justin\Local Settings\Temporary Internet Files\Content.IE5\0HA3W5IR\uiptnmgovj[1].htm (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.

C:\Documents and Settings\Justin\Local Settings\Temporary Internet Files\Content.IE5\MXM309A7\kksahc[1].htm (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Justin\Local Settings\Temporary Internet Files\Content.IE5\WJJF6KXP\070700Setup[1].exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

========================================================================

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4258

Windows 5.1.2600 Service Pack 2

Internet Explorer 6.0.2900.2180

6/29/2010 1:31:29 PM

mbam-log-2010-06-29 (13-31-29).txt

Scan type: Full scan (C:\|D:\|E:\|)

Objects scanned: 222200

Time elapsed: 1 hour(s), 3 minute(s), 37 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 28

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\Justin\Application Data\AE44686EE3C391E9A7BE88708BF334A0\070700Setup.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

C:\Documents and Settings\NetworkService\Application Data\Bitrix Security\ysloiyiy6.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{009115BA-081F-47FE-BFD4-EA3B22D01B23}\RP1260\A0133497.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{009115BA-081F-47FE-BFD4-EA3B22D01B23}\RP1260\A0133498.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{009115BA-081F-47FE-BFD4-EA3B22D01B23}\RP1260\A0133501.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{009115BA-081F-47FE-BFD4-EA3B22D01B23}\RP1260\A0133506.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{009115BA-081F-47FE-BFD4-EA3B22D01B23}\RP1260\A0133642.DLL (Malware.Packer.Gen) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{009115BA-081F-47FE-BFD4-EA3B22D01B23}\RP1260\A0133679.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{009115BA-081F-47FE-BFD4-EA3B22D01B23}\RP1260\A0133683.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{009115BA-081F-47FE-BFD4-EA3B22D01B23}\RP1260\A0133684.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{009115BA-081F-47FE-BFD4-EA3B22D01B23}\RP1260\A0133686.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{009115BA-081F-47FE-BFD4-EA3B22D01B23}\RP1260\A0133687.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{009115BA-081F-47FE-BFD4-EA3B22D01B23}\RP1260\A0133688.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{009115BA-081F-47FE-BFD4-EA3B22D01B23}\RP1260\A0133689.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{009115BA-081F-47FE-BFD4-EA3B22D01B23}\RP1260\A0133690.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{009115BA-081F-47FE-BFD4-EA3B22D01B23}\RP1260\A0133701.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{009115BA-081F-47FE-BFD4-EA3B22D01B23}\RP1260\A0133705.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{009115BA-081F-47FE-BFD4-EA3B22D01B23}\RP1260\A0133706.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{009115BA-081F-47FE-BFD4-EA3B22D01B23}\RP1260\A0133708.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{009115BA-081F-47FE-BFD4-EA3B22D01B23}\RP1260\A0133709.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{009115BA-081F-47FE-BFD4-EA3B22D01B23}\RP1260\A0133711.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{009115BA-081F-47FE-BFD4-EA3B22D01B23}\RP1260\A0133680.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{009115BA-081F-47FE-BFD4-EA3B22D01B23}\RP1260\A0133744.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{009115BA-081F-47FE-BFD4-EA3B22D01B23}\RP1260\A0133745.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{009115BA-081F-47FE-BFD4-EA3B22D01B23}\RP1264\A0136359.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{009115BA-081F-47FE-BFD4-EA3B22D01B23}\RP1264\A0136362.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{009115BA-081F-47FE-BFD4-EA3B22D01B23}\RP1264\A0136363.exe (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{009115BA-081F-47FE-BFD4-EA3B22D01B23}\RP1264\A0136393.dll (Adware.AdShot) -> Quarantined and deleted successfully.

========================================================================

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4258

Windows 5.1.2600 Service Pack 2

Internet Explorer 6.0.2900.2180

6/30/2010 1:08:51 PM

mbam-log-2010-06-30 (13-08-51).txt

Scan type: Quick scan

Objects scanned: 134657

Time elapsed: 5 minute(s), 46 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 4

Registry Values Infected: 1

Registry Data Items Infected: 3

Folders Infected: 1

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: c:\windows\system32\sdra64.exe -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: system32\sdra64.exe -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:

C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot.

Files Infected:

C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot.

C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot.

C:\WINDOWS\system32\sdra64.exe (Spyware.Zbot) -> Delete on reboot.

========================================================================

DDS (Ver_10-03-17.01) - NTFSx86

Run by at 3:16:41.89 on Wed 06/30/2010

Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_11

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.609 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

svchost.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Logitech\iTouch\iTouch.exe

C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe

C:\Program Files\Nero\Nero 7\InCD\InCD.exe

C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe

C:\PROGRA~1\AVG\AVG9\avgtray.exe

C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\Program Files\AVG\AVG9\avgemc.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Documents and Settings\Justin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.ca/

uInternet Connection Wizard,ShellNext = iexplore

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\acrobat\activex\AcroIEHelper.ocx

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ResChanger 2005] c:\program files\reschanger 2005\ResChanger2005.exe

mRun: [soundMan] SOUNDMAN.EXE

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [zBrowser Launcher] c:\program files\logitech\itouch\iTouch.exe

mRun: [EM_EXEC] c:\progra~1\logitech\mousew~1\system\EM_EXEC.EXE

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe

mRun: [securDisc] c:\program files\nero\nero 7\incd\NBHGui.exe

mRun: [inCD] c:\program files\nero\nero 7\incd\InCD.exe

mRun: [samsung PanelMgr] c:\windows\samsung\panelmgr\SSMMgr.exe /autorun

mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe

mRun: [Lrekokilo] rundll32.exe "c:\windows\iyococuwus.dll",Startup

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~2.lnk - c:\program files\adobe\acrobat 5.0\distillr\AcroTray.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 5.0\distillr\AcroTray.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE

IE: Download All Files by HiDownload - c:\program files\hidownload\HDGetAll.htm

IE: Download by HiDownload - c:\program files\hidownload\HDGet.htm

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000

IE: {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - c:\program files\hidownload\hidownload.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} - hxxps://extraweb-americas.ey.com/home/extraweb/iNotes6.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} - hxxps://luckynugget.microgaming.com/luckynugget/FlashAX.cab

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll

Notify: avgrsstarter - avgrsstx.dll

mASetup: {E268A72F-2A5C-4FD0-BD82-94A6E42ACA0E} - rundll32.exe "c:\documents and settings\networkservice\application data\bitrix security\ysloiyiy6.dll", DllUnregister

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\justin\applic~1\mozilla\firefox\profiles\615a0a7p.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/webhp?complete=0

FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll

FF - plugin: c:\documents and settings\justin\application data\facebook\npfbplugin_1_0_1.dll

FF - plugin: c:\documents and settings\justin\application data\facebook\npfbplugin_1_0_3.dll

FF - plugin: c:\program files\veetle\player\npvlc.dll

FF - plugin: c:\program files\veetle\plugins\npVeetle.dll

FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll

FF - HiddenExtension: XULRunner: {C5BA2969-4C4A-454B-B55D-FCF8CED12623} - c:\documents and settings\justin\local settings\application data\{C5BA2969-4C4A-454B-B55D-FCF8CED12623}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-3-2 64288]

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-26 216200]

R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2006-11-24 29584]

R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-26 242896]

R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-3-13 916760]

R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-13 308064]

S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]

S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1352832]

=============== Created Last 30 ================

2010-06-30 02:32:01 0 d-----w- c:\program files\URUSoft

2010-06-29 18:55:06 0 d-----w- c:\docume~1\justin\applic~1\Bitrix Security

2010-06-29 14:41:25 120 ----a-w- c:\windows\Mnato.dat

2010-06-29 14:41:25 0 ----a-w- c:\windows\Xpaqahigusudiho.bin

2010-06-29 12:33:52 0 d-----w- c:\docume~1\justin\applic~1\AE44686EE3C391E9A7BE88708BF334A0

2010-06-02 22:54:27 0 d-----w- c:\docume~1\justin\applic~1\avidemux

==================== Find3M ====================

2010-06-16 05:14:25 15880 ----a-w- c:\windows\system32\lsdelete.exe

2010-06-05 05:15:20 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

2010-06-02 22:18:04 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-05-22 15:16:12 249856 ------w- c:\windows\Setup1.exe

2010-05-22 15:16:08 73216 ----a-w- c:\windows\ST6UNST.EXE

2010-05-07 22:56:11 21616 ----a-w- c:\docume~1\justin\applic~1\GDIPFONTCACHEV1.DAT

2010-05-02 05:56:34 1850880 ----a-w- c:\windows\system32\win32k.sys

2010-04-20 05:51:20 285696 ----a-w- c:\windows\system32\atmfd.dll

2010-04-16 15:36:49 662016 ----a-w- c:\windows\system32\wininet.dll

2010-04-16 15:36:45 81920 ------w- c:\windows\system32\ieencode.dll

============= FINISH: 3:17:19.60 ===============

attach.zip


  • Staff

Hi,

First of all, please update MalwareBytes, because the database version is outdated.

  • Start MalwareBytes and click the Update tab. There, click "Check for updates".
  • Once the updates are downloaded, perform a quick scan again.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply along with a fresh HijackThis log, then we'll proceed from there with new steps.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Hi, thanks for your reply.

I updated the database and did another scan. This time nothing was found but I know I am still infected.

Logs as follows:

========================================================================

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4263

Windows 5.1.2600 Service Pack 2

Internet Explorer 6.0.2900.2180

6/30/2010 11:25:34 PM

mbam-log-2010-06-30 (23-25-34).txt

Scan type: Quick scan

Objects scanned: 133902

Time elapsed: 5 minute(s), 8 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

========================================================================

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 11:27:41 PM, on 6/30/2010

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\AVG\AVG9\avgemc.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Logitech\iTouch\iTouch.exe

C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe

C:\Program Files\Nero\Nero 7\InCD\InCD.exe

C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe

C:\PROGRA~1\AVG\AVG9\avgtray.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Justin\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe

O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [securDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe

O4 - HKLM\..\Run: [inCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe

O4 - HKLM\..\Run: [samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe /autorun

O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe

O4 - HKLM\..\Run: [Lrekokilo] rundll32.exe "C:\WINDOWS\iyococuwus.dll",Startup

O4 - HKCU\..\Run: [ResChanger 2005] C:\Program Files\ResChanger 2005\ResChanger2005.exe

O4 - Global Startup: Acrobat Assistant (2).lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: Download All Files by HiDownload - C:\Program Files\HiDownload\HDGetAll.htm

O8 - Extra context menu item: Download by HiDownload - C:\Program Files\HiDownload\HDGet.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\Program Files\HiDownload\hidownload.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://extraweb-americas.ey.com/home/extraweb/iNotes6.cab

O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} - https://luckynugget.microgaming.com/luckynugget/FlashAX.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll

O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll

O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe

O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)

--

End of file - 6442 bytes


  • Staff

Hi,

Please do the following...

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.


Hi, the combofix log is below.

A few notes:

When it first began scanning, there was a prompt that indicated Combofix detected Rootkit activity and needed to be restarted. I did so, my computer restarted and then the scan started.

Around when Stage 5 of the scan was completed, there was a prompt that said "PEV.exe has encountered a problem and needs to close. If you were in the middle of something, the information you were working on might be lost." I clicked close and it continued to scan.

ComboFix 10-06-30.03 - Justin 06/30/2010 23:55:12.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.637 [GMT -7:00]

Running from: c:\documents and settings\Justin\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Justin\Local Settings\Application Data\{C5BA2969-4C4A-454B-B55D-FCF8CED12623}

c:\documents and settings\Justin\Local Settings\Application Data\{C5BA2969-4C4A-454B-B55D-FCF8CED12623}\chrome.manifest

c:\documents and settings\Justin\Local Settings\Application Data\{C5BA2969-4C4A-454B-B55D-FCF8CED12623}\chrome\content\_cfg.js

c:\documents and settings\Justin\Local Settings\Application Data\{C5BA2969-4C4A-454B-B55D-FCF8CED12623}\chrome\content\overlay.xul

c:\documents and settings\Justin\Local Settings\Application Data\{C5BA2969-4C4A-454B-B55D-FCF8CED12623}\install.rdf

c:\windows\iyococuwus.dll

c:\windows\xpsp1hfm.log

Infected copy of c:\windows\system32\drivers\mouclass.sys was found and disinfected

Restored copy from - Kitty had a snack :D

.

((((((((((((((((((((((((( Files Created from 2010-06-01 to 2010-07-01 )))))))))))))))))))))))))))))))

.

2010-06-30 02:32 . 2010-06-30 02:32 -------- d-----w- c:\program files\URUSoft

2010-06-29 18:55 . 2010-06-29 18:55 -------- d-----w- c:\documents and settings\Justin\Application Data\Bitrix Security

2010-06-29 14:41 . 2010-07-01 06:17 120 ----a-w- c:\windows\Mnato.dat

2010-06-29 14:41 . 2010-06-30 10:15 0 ----a-w- c:\windows\Xpaqahigusudiho.bin

2010-06-29 13:44 . 2010-06-29 13:44 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Bitrix Security

2010-06-29 12:33 . 2010-06-29 20:31 -------- d-----w- c:\documents and settings\Justin\Application Data\AE44686EE3C391E9A7BE88708BF334A0

2010-06-02 22:54 . 2010-06-02 22:55 -------- d-----w- c:\documents and settings\Justin\Application Data\avidemux

2010-06-02 22:18 . 2010-06-02 22:18 29512 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys

2010-06-02 22:18 . 2010-06-02 22:18 242896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-01 06:05 . 2010-05-22 11:58 -------- d-----w- c:\documents and settings\Justin\Application Data\vlc

2010-06-30 22:04 . 2006-09-29 22:17 -------- d-----w- c:\program files\Mozilla Thunderbird

2010-06-30 09:23 . 2006-10-06 05:42 -------- d-----w- c:\documents and settings\Justin\Application Data\uTorrent

2010-06-30 01:21 . 2006-09-29 21:31 22968 ----a-w- c:\documents and settings\Justin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-06-29 18:54 . 2010-03-01 13:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-29 13:43 . 2009-04-19 09:27 1324 ----a-w- c:\windows\system32\d3d9caps.dat

2010-06-24 23:40 . 2007-08-13 03:09 -------- d-----w- c:\program files\foobar2000

2010-06-23 04:52 . 2006-09-29 21:57 -------- d-----w- c:\program files\Microsoft ActiveSync

2010-06-16 05:14 . 2010-03-03 09:39 15880 ----a-w- c:\windows\system32\lsdelete.exe

2010-06-16 05:02 . 2006-09-30 00:30 -------- d--h--r- c:\documents and settings\Justin\Application Data\SendTo

2010-06-05 16:33 . 2008-06-17 05:31 -------- d-----w- c:\program files\Microsoft Silverlight

2010-06-05 05:15 . 2010-03-03 06:13 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

2010-06-02 22:18 . 2008-05-27 03:41 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-06-02 22:18 . 2006-11-25 00:38 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2010-05-28 12:59 . 2006-12-03 02:55 -------- d-----w- c:\program files\PokerStars

2010-05-23 04:03 . 2010-05-23 03:58 -------- d-----w- c:\program files\Icons

2010-05-22 15:16 . 2010-05-22 15:16 249856 ------w- c:\windows\Setup1.exe

2010-05-22 15:16 . 2010-05-22 15:16 73216 ----a-w- c:\windows\ST6UNST.EXE

2010-05-22 14:26 . 2007-04-01 15:07 -------- d-----w- c:\documents and settings\Justin\Application Data\dvdcss

2010-05-22 12:00 . 2010-05-22 11:40 -------- d-----w- c:\program files\Gabest

2010-05-16 21:56 . 2010-05-16 21:56 -------- d-----w- c:\program files\bobyte

2010-05-09 18:56 . 2006-09-29 21:34 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-05-02 05:56 . 2001-08-23 15:00 1850880 ----a-w- c:\windows\system32\win32k.sys

2010-04-29 22:39 . 2010-03-01 13:56 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 22:39 . 2010-03-01 13:56 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-20 05:51 . 2001-08-23 15:00 285696 ----a-w- c:\windows\system32\atmfd.dll

2010-04-16 15:36 . 2006-09-29 20:54 662016 ----a-w- c:\windows\system32\wininet.dll

2010-04-16 15:36 . 2006-09-29 21:25 81920 ------w- c:\windows\system32\ieencode.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMan"="SOUNDMAN.EXE" [2005-10-24 90112]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-17 8491008]

"nwiz"="nwiz.exe" [2007-09-17 1626112]

"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2002-07-22 577602]

"EM_EXEC"="c:\progra~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2002-07-09 28672]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-17 81920]

"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]

"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2007-11-26 1629480]

"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2007-11-26 1057064]

"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\SSMMgr.exe" [2008-09-03 536576]

"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-06-02 2065248]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Acrobat Assistant (2).lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2006-9-29 49254]

Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2006-9-29 49254]

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-9-29 113664]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-03-13 22:06 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\utorrent\\utorrent.exe"=

"c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"18564:TCP"= 18564:TCP:BitComet 18564 TCP

"18564:UDP"= 18564:UDP:BitComet 18564 UDP

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/2/2010 11:13 PM 64288]

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/26/2008 8:41 PM 216200]

R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/26/2008 8:41 PM 242896]

R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [3/13/2010 3:06 PM 916760]

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/13/2010 3:06 PM 308064]

S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]

S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 8:52 AM 1352832]

.

Contents of the 'Scheduled Tasks' folder

2010-07-01 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 05:13]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://google.ca/

uInternet Connection Wizard,ShellNext = iexplore

IE: Download All Files by HiDownload - c:\program files\HiDownload\HDGetAll.htm

IE: Download by HiDownload - c:\program files\HiDownload\HDGet.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Justin\Application Data\Mozilla\Firefox\Profiles\615a0a7p.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/webhp?complete=0

FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll

FF - plugin: c:\documents and settings\Justin\Application Data\Facebook\npfbplugin_1_0_1.dll

FF - plugin: c:\documents and settings\Justin\Application Data\Facebook\npfbplugin_1_0_3.dll

FF - plugin: c:\program files\Veetle\Player\npvlc.dll

FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll

FF - plugin: c:\program files\Veetle\VLCBroadcast\npvbp.dll

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-ResChanger 2005 - c:\program files\ResChanger 2005\ResChanger2005.exe

HKLM-Run-Lrekokilo - c:\windows\iyococuwus.dll

Notify-WgaLogon - (no file)

AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\FlashUtil9b.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-07-01 00:00

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2010-07-01 00:01:30

ComboFix-quarantined-files.txt 2010-07-01 07:01

Pre-Run: 16,676,925,440 bytes free

Post-Run: 16,740,802,560 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - 1152726BA6516B91EAE0106A6EEFFFDB


  • Staff

Hi,

* Open Notepad - don't use any text editor other than Notepad or the script will fail.

Copy/paste the text in the quotebox below into notepad:

File::

c:\windows\Mnato.dat

c:\windows\Xpaqahigusudiho.bin

Dirlook::

c:\documents and settings\Justin\Application Data\AE44686EE3C391E9A7BE88708BF334A0

c:\documents and settings\Justin\Application Data\avidemux

Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScript.gif

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


Hi,

This time I wasn't prompted to reboot and PEV.exe didn't crash.

Here is the latest Combofix log:

ComboFix 10-06-30.03 - Justin 07/01/2010 0:25.2.1 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.491 [GMT -7:00]

Running from: c:\documents and settings\Justin\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Justin\Desktop\CFscript.txt

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::

"c:\windows\Mnato.dat"

"c:\windows\Xpaqahigusudiho.bin"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\Mnato.dat

c:\windows\Xpaqahigusudiho.bin

.

((((((((((((((((((((((((( Files Created from 2010-06-01 to 2010-07-01 )))))))))))))))))))))))))))))))

.

2010-06-30 02:32 . 2010-06-30 02:32 -------- d-----w- c:\program files\URUSoft

2010-06-29 18:55 . 2010-06-29 18:55 -------- d-----w- c:\documents and settings\Justin\Application Data\Bitrix Security

2010-06-29 13:44 . 2010-06-29 13:44 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Bitrix Security

2010-06-29 12:33 . 2010-06-29 20:31 -------- d-----w- c:\documents and settings\Justin\Application Data\AE44686EE3C391E9A7BE88708BF334A0

2010-06-02 22:54 . 2010-06-02 22:55 -------- d-----w- c:\documents and settings\Justin\Application Data\avidemux

2010-06-02 22:18 . 2010-06-02 22:18 29512 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys

2010-06-02 22:18 . 2010-06-02 22:18 242896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-01 06:05 . 2010-05-22 11:58 -------- d-----w- c:\documents and settings\Justin\Application Data\vlc

2010-06-30 22:04 . 2006-09-29 22:17 -------- d-----w- c:\program files\Mozilla Thunderbird

2010-06-30 09:23 . 2006-10-06 05:42 -------- d-----w- c:\documents and settings\Justin\Application Data\uTorrent

2010-06-30 01:21 . 2006-09-29 21:31 22968 ----a-w- c:\documents and settings\Justin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-06-29 18:54 . 2010-03-01 13:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-29 13:43 . 2009-04-19 09:27 1324 ----a-w- c:\windows\system32\d3d9caps.dat

2010-06-24 23:40 . 2007-08-13 03:09 -------- d-----w- c:\program files\foobar2000

2010-06-23 04:52 . 2006-09-29 21:57 -------- d-----w- c:\program files\Microsoft ActiveSync

2010-06-16 05:14 . 2010-03-03 09:39 15880 ----a-w- c:\windows\system32\lsdelete.exe

2010-06-16 05:02 . 2006-09-30 00:30 -------- d--h--r- c:\documents and settings\Justin\Application Data\SendTo

2010-06-05 16:33 . 2008-06-17 05:31 -------- d-----w- c:\program files\Microsoft Silverlight

2010-06-05 05:15 . 2010-03-03 06:13 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

2010-06-02 22:18 . 2008-05-27 03:41 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-06-02 22:18 . 2006-11-25 00:38 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2010-05-28 12:59 . 2006-12-03 02:55 -------- d-----w- c:\program files\PokerStars

2010-05-23 04:03 . 2010-05-23 03:58 -------- d-----w- c:\program files\Icons

2010-05-22 15:16 . 2010-05-22 15:16 249856 ------w- c:\windows\Setup1.exe

2010-05-22 15:16 . 2010-05-22 15:16 73216 ----a-w- c:\windows\ST6UNST.EXE

2010-05-22 14:26 . 2007-04-01 15:07 -------- d-----w- c:\documents and settings\Justin\Application Data\dvdcss

2010-05-22 12:00 . 2010-05-22 11:40 -------- d-----w- c:\program files\Gabest

2010-05-16 21:56 . 2010-05-16 21:56 -------- d-----w- c:\program files\bobyte

2010-05-09 18:56 . 2006-09-29 21:34 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-05-02 05:56 . 2001-08-23 15:00 1850880 ----a-w- c:\windows\system32\win32k.sys

2010-04-29 22:39 . 2010-03-01 13:56 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 22:39 . 2010-03-01 13:56 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-20 05:51 . 2001-08-23 15:00 285696 ----a-w- c:\windows\system32\atmfd.dll

2010-04-16 15:36 . 2006-09-29 20:54 662016 ----a-w- c:\windows\system32\wininet.dll

2010-04-16 15:36 . 2006-09-29 21:25 81920 ------w- c:\windows\system32\ieencode.dll

.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

---- Directory of c:\documents and settings\Justin\Application Data\AE44686EE3C391E9A7BE88708BF334A0 ----

---- Directory of c:\documents and settings\Justin\Application Data\avidemux ----

2010-06-02 22:55 . 2010-06-02 23:29 1074 ----a-w- c:\documents and settings\Justin\Application Data\avidemux\config

2010-06-02 22:54 . 2010-06-02 23:29 27942 ----a-w- c:\documents and settings\Justin\Application Data\avidemux\admlog.txt

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMan"="SOUNDMAN.EXE" [2005-10-24 90112]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-17 8491008]

"nwiz"="nwiz.exe" [2007-09-17 1626112]

"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2002-07-22 577602]

"EM_EXEC"="c:\progra~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2002-07-09 28672]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-17 81920]

"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]

"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2007-11-26 1629480]

"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2007-11-26 1057064]

"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\SSMMgr.exe" [2008-09-03 536576]

"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-06-02 2065248]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Acrobat Assistant (2).lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2006-9-29 49254]

Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2006-9-29 49254]

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-9-29 113664]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-03-13 22:06 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\utorrent\\utorrent.exe"=

"c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"18564:TCP"= 18564:TCP:BitComet 18564 TCP

"18564:UDP"= 18564:UDP:BitComet 18564 UDP

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/2/2010 11:13 PM 64288]

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/26/2008 8:41 PM 216200]

R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/26/2008 8:41 PM 242896]

R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [3/13/2010 3:06 PM 916760]

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/13/2010 3:06 PM 308064]

S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]

S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 8:52 AM 1352832]

.

Contents of the 'Scheduled Tasks' folder

2010-07-01 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 05:13]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://google.ca/

uInternet Connection Wizard,ShellNext = iexplore

IE: Download All Files by HiDownload - c:\program files\HiDownload\HDGetAll.htm

IE: Download by HiDownload - c:\program files\HiDownload\HDGet.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Justin\Application Data\Mozilla\Firefox\Profiles\615a0a7p.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/webhp?complete=0

FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll

FF - plugin: c:\documents and settings\Justin\Application Data\Facebook\npfbplugin_1_0_1.dll

FF - plugin: c:\documents and settings\Justin\Application Data\Facebook\npfbplugin_1_0_3.dll

FF - plugin: c:\program files\Veetle\Player\npvlc.dll

FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll

FF - plugin: c:\program files\Veetle\VLCBroadcast\npvbp.dll

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-07-01 00:28

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2010-07-01 00:29:32

ComboFix-quarantined-files.txt 2010-07-01 07:29

ComboFix2.txt 2010-07-01 07:01

Pre-Run: 16,756,428,800 bytes free

Post-Run: 16,742,805,504 bytes free

- - End Of File - - F810898EFD1DFEADC399621733F9CC57


  • Staff

Hi,

This looks OK again.

* Go to Start > Run and copy and paste the next command into the field:

ComboFix /Uninstall

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.


Hi,

I think it is OK now but I won't know for sure until I have another day or two of regular usage. The Google search symptoms I was experiencing before were kind of random so I don't have a way to definitively test. I'll just wait to see if they re-occur in the next few days.

Thanks again for your quick help - it is much appreciated!


  • Staff

Hi,

Just let me know in a few days :D

Also, please read my Prevention page with lots of info and tips on how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!


This topic is now closed to further replies.