
IE won't launch, Firefox experiencing redirects



Title above says it all. Internet Explorer won't launch. The iexplore.exe process is running, but no UI ever appears. Firefox seems to run fine sometimes and other times all search results redirect to strange places. The user got some obvious malware a few days ago and successfully removed it with anti-malware, but these issues remain. Attached is the ark/attach zip, below are the anti-malware and DDS logs.

Latest Anti-Malware log:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4342

Windows 5.1.2600 Service Pack 2

Internet Explorer 8.0.6001.18702

7/23/2010 2:00:27 PM

mbam-log-2010-07-23 (14-00-27).txt

Scan type: Quick scan

Objects scanned: 151616

Time elapsed: 9 minute(s), 31 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

DDS log file:

DDS (Ver_10-03-17.01) - NTFSx86

Run by sysadmin at 14:01:22.26 on Fri 07/23/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.317 [GMT -6:00]

AV: eTrust ITM *On-access scanning disabled* (Outdated) {33EA71EA-56CF-40B5-A06B-BD3A27397C33}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe

C:\Program Files\CA\eTrustITM\InoRpc.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\CA\eTrustITM\InoRT.exe

C:\Program Files\CA\eTrustITM\InoTask.exe

C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\PDF Complete\pdfsvc.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\Program Files\SysAid\IliAS.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\SMINST\Scheduler.exe

C:\Program Files\CA\eTrustITM\realmon.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Documents and Settings\sysadmin\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=92&bd=all&pf=cmdt

mSearchAssistant = hxxp://www.google.com/ie

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [PDF Complete] c:\program files\pdf complete\pdfsty.exe

mRun: [setRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe

mRun: [Recguard] c:\windows\sminst\Recguard.exe

mRun: [Reminder] c:\windows\creator\Remind_XP.exe

mRun: [scheduler] c:\windows\sminst\Scheduler.exe

mRun: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon

mRun: [Realtime Monitor] "c:\program files\ca\etrustitm\realmon.exe" -s

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [Ohavubiga] rundll32.exe "c:\windows\aceqeziw.dll",Startup

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {A2EBA59E-C601-4AE3-900B-6B61F29500BE} - hxxps://widow1.factualdata.com/ocx/print3.ocx

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100

Notify: igfxcui - igfxdev.dll

============= SERVICES / DRIVERS ===============

R1 FSLX;FSLX;c:\windows\system32\drivers\fslx.sys [2008-7-11 191872]

R1 MpKsle6280fb2;MpKsle6280fb2;c:\windows\system32\mpenginestore\MpKsle6280fb2.sys [2010-7-23 28752]

R1 oxpar;%OXPAR.SVCDESC%;c:\windows\system32\drivers\oxpar.sys [2007-1-24 80128]

R2 pdfcDispatcher;PDF Document Manager;c:\program files\pdf complete\pdfsvc.exe [2009-3-19 576024]

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-2-25 38224]

R3 oxmf;OXPCI Bus enumerator;c:\windows\system32\drivers\oxmf.sys [2007-1-24 21888]

R3 Oxmfuf;Filter driver for OX16PCI95x ports;c:\windows\system32\drivers\oxmfuf.sys [2007-1-24 5888]

R3 oxser;OX16C95x Serial port driver;c:\windows\system32\drivers\oxser.sys [2007-1-24 70784]

S0 fzvmxmqj;fzvmxmqj; [x]

S2 0194961239289649mcinstcleanup;McAfee Application Installer Cleanup (0194961239289649);c:\docume~1\admini~1\locals~1\temp\019496~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\admini~1\locals~1\temp\019496~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-2 135664]

=============== Created Last 30 ================

2010-07-23 20:00:10 0 ----a-w- c:\documents and settings\sysadmin\defogger_reenable

2010-07-23 19:46:02 0 d-----w- c:\windows\system32\MpEngineStore

2010-07-23 14:57:17 172 ----a-w- c:\windows\system32\MRT.INI

2010-07-22 21:42:42 26496 ----a-w- c:\windows\system32\dllcache\usbstor.sys

2010-07-22 21:35:26 0 d-sh--w- c:\documents and settings\sysadmin\IETldCache

2010-07-22 21:28:56 0 dc-h--w- c:\windows\ie8

2010-07-22 21:25:02 294912 ------w- c:\windows\system32\dllcache\msctf.dll

2010-07-22 21:18:01 0 d-----w- c:\windows\system32\wbem\Repository

2010-07-22 21:16:42 0 d-----w- c:\windows\LastGood(2)

2010-07-22 21:09:27 66048 ----a-w- c:\windows\ieResetIcons.exe

2010-07-22 20:17:27 0 d-----w- c:\docume~1\sysadmin\applic~1\Malwarebytes

2010-07-14 14:05:14 743936 ------w- c:\windows\system32\dllcache\helpsvc.exe

2010-07-13 23:07:28 120 ----a-w- c:\windows\Pporagawo.dat

2010-07-13 23:07:28 0 ----a-w- c:\windows\Acoxulaliho.bin

2010-07-13 23:02:39 47616 ---ha-w- c:\windows\system32\fixmjava.dll

2010-07-13 23:02:39 148 ----a-w- c:\windows\system32\fjhdyfhsn.bat

2010-07-02 16:53:36 0 d-----w- c:\program files\SysAid

==================== Find3M ====================

2010-05-04 17:20:33 133120 ------w- c:\windows\system32\dllcache\extmgr.dll

2010-05-04 12:39:27 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe

2010-05-02 07:09:03 1859968 ----a-w- c:\windows\system32\win32k.sys

2010-05-02 07:09:03 1859968 ------w- c:\windows\system32\dllcache\win32k.sys

============= FINISH: 14:02:46.96 ===============

Thanks a bunch for the forthcoming help!


Ok, ran ComboFix. It appears to have fixed a bunch of stuff! Got a warning at the beginning:

[screenshot of the warning]

Here's the log:

ComboFix 10-07-24.06 - sysadmin 07/26/2010 14:41:34.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.668 [GMT -6:00]

Running from: c:\documents and settings\sysadmin\Desktop\ComboFix.exe

AV: eTrust ITM *On-access scanning disabled* (Outdated) {33EA71EA-56CF-40B5-A06B-BD3A27397C33}

* Created a new restore point

.

The following files were disabled during the run:

c:\windows\system32\fixmjava.dll

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\dadams\Local Settings\Application Data\{6CDAF03D-19A0-4361-B902-0B0FDC1BF454}

c:\documents and settings\dadams\Local Settings\Application Data\{6CDAF03D-19A0-4361-B902-0B0FDC1BF454}\chrome.manifest

c:\documents and settings\dadams\Local Settings\Application Data\{6CDAF03D-19A0-4361-B902-0B0FDC1BF454}\chrome\content\_cfg.js

c:\documents and settings\dadams\Local Settings\Application Data\{6CDAF03D-19A0-4361-B902-0B0FDC1BF454}\chrome\content\overlay.xul

c:\documents and settings\dadams\Local Settings\Application Data\{6CDAF03D-19A0-4361-B902-0B0FDC1BF454}\install.rdf

c:\windows\aceqeziw.dll

c:\windows\g32.txt

c:\windows\system32\_000003_.tmp.dll

c:\windows\system32\_000005_.tmp.dll

c:\windows\system32\_000110_.tmp.dll

c:\windows\system32\fjhdyfhsn.bat

D:\Autorun.inf

Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected

Restored copy from - Kitty had a snack :)

.

((((((((((((((((((((((((( Files Created from 2010-06-26 to 2010-07-26 )))))))))))))))))))))))))))))))

.

2010-07-26 20:09 . 2010-07-26 20:33 118784 ----a-w- c:\windows\system32\chg.exe

2010-07-23 22:52 . 2010-07-23 22:52 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe

2010-07-23 22:11 . 2010-07-23 22:11 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2010-07-23 19:46 . 2010-07-26 20:31 -------- d-----w- c:\windows\system32\MpEngineStore

2010-07-22 23:11 . 2010-07-22 23:11 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2010-07-22 23:10 . 2010-07-22 23:10 -------- d-----w- c:\documents and settings\dadams\Local Settings\Application Data\Mozilla

2010-07-22 22:46 . 2010-07-22 22:46 -------- d-sh--w- c:\documents and settings\dadams\IETldCache

2010-07-22 21:42 . 2004-08-04 05:08 26496 ----a-w- c:\windows\system32\dllcache\usbstor.sys

2010-07-22 21:35 . 2010-07-22 21:35 -------- d-sh--w- c:\documents and settings\sysadmin\IETldCache

2010-07-22 21:28 . 2010-07-22 21:30 -------- dc-h--w- c:\windows\ie8

2010-07-22 21:25 . 2008-02-26 11:59 294912 ------w- c:\windows\system32\dllcache\msctf.dll

2010-07-22 21:18 . 2010-07-22 21:18 -------- d-----w- c:\windows\system32\wbem\Repository

2010-07-14 14:05 . 2010-06-14 14:30 743936 ------w- c:\windows\system32\dllcache\helpsvc.exe

2010-07-13 23:07 . 2010-07-26 19:26 0 ----a-w- c:\windows\Acoxulaliho.bin

2010-07-13 23:07 . 2010-07-22 21:21 120 ----a-w- c:\windows\Pporagawo.dat

2010-07-13 23:02 . 2010-07-13 23:02 47616 ----a-w- c:\windows\system32\fixmjava.dll

2010-07-02 16:53 . 2010-07-02 16:53 -------- d-----w- c:\program files\SysAid

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-23 14:55 . 2009-03-19 06:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-07-22 21:44 . 2010-02-25 22:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-07-22 21:03 . 2010-07-22 21:03 0 ----a-w- c:\windows\nsreg.dat

2010-07-22 21:02 . 2010-07-22 21:02 61440 ----a-w- c:\documents and settings\sysadmin\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-1c5e35d4-n\decora-sse.dll

2010-07-22 21:02 . 2010-07-22 21:02 503808 ----a-w- c:\documents and settings\sysadmin\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-395fe467-n\msvcp71.dll

2010-07-22 21:02 . 2010-07-22 21:02 499712 ----a-w- c:\documents and settings\sysadmin\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-395fe467-n\jmc.dll

2010-07-22 21:02 . 2010-07-22 21:02 348160 ----a-w- c:\documents and settings\sysadmin\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-395fe467-n\msvcr71.dll

2010-07-22 21:02 . 2010-07-22 21:02 12800 ----a-w- c:\documents and settings\sysadmin\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-1c5e35d4-n\decora-d3d.dll

2010-07-22 20:17 . 2010-07-22 20:17 -------- d-----w- c:\documents and settings\sysadmin\Application Data\Malwarebytes

2010-06-22 14:08 . 2010-06-22 14:08 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb1B.tmp.exe

2010-06-14 14:30 . 2006-02-28 02:00 743936 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe

2010-06-03 23:33 . 2009-04-09 16:12 -------- d-----w- c:\program files\Encompass

2010-05-24 19:18 . 2010-05-24 19:18 503808 ----a-w- c:\documents and settings\dadams\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6c4a7957-n\msvcp71.dll

2010-05-24 19:18 . 2010-05-24 19:18 499712 ----a-w- c:\documents and settings\dadams\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6c4a7957-n\jmc.dll

2010-05-24 19:18 . 2010-05-24 19:18 348160 ----a-w- c:\documents and settings\dadams\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6c4a7957-n\msvcr71.dll

2010-05-24 19:18 . 2010-05-24 19:18 61440 ----a-w- c:\documents and settings\dadams\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-27c1b66c-n\decora-sse.dll

2010-05-24 19:18 . 2010-05-24 19:18 12800 ----a-w- c:\documents and settings\dadams\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-27c1b66c-n\decora-d3d.dll

2010-05-02 07:09 . 2006-02-28 02:00 1859968 ----a-w- c:\windows\system32\win32k.sys

2010-04-29 21:39 . 2010-02-25 22:11 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 21:39 . 2010-02-25 22:11 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-11-26 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-11-26 166424]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-11-26 137752]

"PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2008-04-07 318488]

"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]

"Recguard"="c:\windows\Sminst\Recguard.exe" [2006-05-12 1138688]

"Reminder"="c:\windows\Creator\Remind_XP.exe" [2006-03-31 761856]

"Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-07-10 872448]

"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2006-02-28 143360]

"Realtime Monitor"="c:\program files\CA\eTrustITM\realmon.exe" [2005-12-10 274432]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1545287438-2170609858-2397693682-1167\Scripts\Logon\0\0]

"Script"=Global.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1545287438-2170609858-2397693682-500\Scripts\Logon\0\0]

"Script"=Global.bat

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\WINDOWS\\SMINST\\Scheduler.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 FSLX;FSLX;c:\windows\system32\drivers\fslx.sys [7/11/2008 4:44 PM 191872]

R1 oxpar;%OXPAR.SVCDESC%;c:\windows\system32\drivers\oxpar.sys [1/24/2007 4:28 AM 80128]

R2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [3/19/2009 12:59 AM 576024]

R3 oxmf;OXPCI Bus enumerator;c:\windows\system32\drivers\oxmf.sys [1/24/2007 4:28 AM 21888]

R3 Oxmfuf;Filter driver for OX16PCI95x ports;c:\windows\system32\drivers\oxmfuf.sys [1/24/2007 4:28 AM 5888]

R3 oxser;OX16C95x Serial port driver;c:\windows\system32\drivers\oxser.sys [1/24/2007 4:28 AM 70784]

S0 fzvmxmqj;fzvmxmqj; [x]

S2 0194961239289649mcinstcleanup;McAfee Application Installer Cleanup (0194961239289649);c:\docume~1\ADMINI~1\LOCALS~1\Temp\019496~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\019496~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/2/2010 1:44 PM 135664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

Contents of the 'Scheduled Tasks' folder

2010-07-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 19:44]

2010-07-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 19:44]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=92&bd=all&pf=cmdt

DPF: {A2EBA59E-C601-4AE3-900B-6B61F29500BE} - hxxps://widow1.factualdata.com/ocx/print3.ocx

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-Ohavubiga - c:\windows\aceqeziw.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-07-26 14:48

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pdfcDispatcher]

"ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"

.

Completion time: 2010-07-26 14:50:33

ComboFix-quarantined-files.txt 2010-07-26 20:50

Pre-Run: 41,948,729,344 bytes free

Post-Run: 43,317,710,848 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 2BCDA259E49FBED15FFE2B484E74E329


nate1234,

Your AV shows that it is out of date. Do you still have a valid subscription?

Open Notepad. Go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before and above KillAll::

KillAll::
File::
c:\windows\Acoxulaliho.bin
c:\windows\Pporagawo.dat
c:\windows\system32\fixmjava.dll
c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service
Driver::
fzvmxmqj
0194961239289649mcinstcleanup

Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot of dragging CFScript onto ComboFix.exe]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Please include the following in your next post:

  • ComboFix log

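As an added example (not from this thread and not part of ComboFix or the helper's toolkit), a small Python triage script that applies the kind of checks behind the CFScript above to DDS/ComboFix-style lines: a Run entry that uses rundll32 to load a DLL straight from the Windows root, a boot-start driver with no file behind it (the "[x]" marker), a service whose image lives in a temp folder, and a vowel-less service name. The sample lines are re-typed from the logs in this thread; the regexes, heuristics and function names are my own and are not how the helper or the tools actually decide.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample input: lines re-typed from the DDS "Pseudo HJT Report" and
# "SERVICES / DRIVERS" sections in this thread, mixing known-good entries with the
# ones the helper's CFScript later removed.
SAMPLE_LOG = r"""
mRun: [igfxTray] c:\windows\system32\igfxtray.exe
mRun: [Realtime Monitor] "c:\program files\ca\etrustitm\realmon.exe" -s
mRun: [Ohavubiga] rundll32.exe "c:\windows\aceqeziw.dll",Startup
R1 FSLX;FSLX;c:\windows\system32\drivers\fslx.sys [2008-7-11 191872]
S0 fzvmxmqj;fzvmxmqj; [x]
S2 0194961239289649mcinstcleanup;McAfee Application Installer Cleanup (0194961239289649);c:\docume~1\admini~1\locals~1\temp\019496~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-2 135664]
"""

# Line shapes as they appear in DDS/ComboFix output (hypothetical regexes written for
# this example, not the tools' own parsers).
RUN_RE = re.compile(r'^(?P<hive>[um]Run): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
SVC_RE = re.compile(
    r'^(?P<start>[RS]\d) (?P<name>[^;]*);(?P<desc>[^;]*);(?P<path>.*?)\s*\[(?P<info>[^\]]*)\]\s*$')
DLL_RE = re.compile(r'"?(?P<dll>[a-z]:\\[^",]+\.dll)"?', re.IGNORECASE)

# Legitimate components are installed into subfolders; a DLL sitting directly in
# c:\windows with a made-up name is the pattern seen with aceqeziw.dll.
WINDOWS_ROOT = PureWindowsPath(r'c:\windows')


def looks_random(name: str) -> bool:
    """Rough heuristic: an alphabetic name of 6+ letters with no vowels at all."""
    return len(name) >= 6 and name.isalpha() and not any(c in 'aeiouy' for c in name.lower())


def check_run_entry(name: str, cmd: str) -> list:
    """Heuristics for HKLM/HKCU ...\\Run values (mRun / uRun lines)."""
    findings = []
    if 'rundll32' in cmd.lower():
        m = DLL_RE.search(cmd)
        if m and PureWindowsPath(m['dll']).parent == WINDOWS_ROOT:
            findings.append(
                f'rundll32 loads {PureWindowsPath(m["dll"]).name} directly from the Windows root')
    return findings


def check_service_entry(name: str, path: str, info: str) -> list:
    """Heuristics for R*/S* service and driver lines."""
    findings = []
    info = info.strip()
    if info == 'x':
        findings.append('registered driver/service with no backing file on disk')
    if info == '?':
        findings.append('image file could not be verified by the scanner')
    if re.search(r'\\temp\\', path, re.IGNORECASE):
        findings.append('service image path sits under a temp directory')
    if looks_random(name):
        findings.append('service name looks randomly generated (no vowels)')
    return findings


def triage(log_text: str) -> list:
    """Return (entry_name, reason) for every Run/service line that trips a heuristic."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            hits.extend((m['name'], r) for r in check_run_entry(m['name'], m['cmd']))
            continue
        m = SVC_RE.match(line)
        if m:
            hits.extend((m['name'], r) for r in check_service_entry(m['name'], m['path'], m['info']))
    return hits


if __name__ == '__main__':
    for entry, reason in triage(SAMPLE_LOG):
        print(f'{entry}: {reason}')
```

Hits are starting points for a human review, not a verdict; the helper still cross-checked each item against the ComboFix output before listing it under File:: and Driver::.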

I hadn't touched this machine before, so I'll have to do a little looking to see what's up with the AV. I can make sure I get everything up to date.

Ran ComboFix with your script, here's the new log file: (thanks again for your help!)

ComboFix 10-07-24.06 - sysadmin 07/27/2010 11:03:51.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.494 [GMT -6:00]

Running from: c:\documents and settings\sysadmin\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\sysadmin\Desktop\CFScript.txt

AV: eTrust ITM *On-access scanning disabled* (Outdated) {33EA71EA-56CF-40B5-A06B-BD3A27397C33}

FILE ::

"c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service"

"c:\windows\Acoxulaliho.bin"

"c:\windows\Pporagawo.dat"

"c:\windows\system32\fixmjava.dll"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\sysadmin\Local Settings\Application Data\{07DCB8FA-829F-448E-A642-21AAA249C1B5}

c:\documents and settings\sysadmin\Local Settings\Application Data\{07DCB8FA-829F-448E-A642-21AAA249C1B5}\chrome\content\_cfg.js

c:\documents and settings\sysadmin\Local Settings\Application Data\{07DCB8FA-829F-448E-A642-21AAA249C1B5}\chrome\content\overlay.xul

c:\documents and settings\sysadmin\Local Settings\Application Data\{07DCB8FA-829F-448E-A642-21AAA249C1B5}\install.rdf

c:\windows\Acoxulaliho.bin

c:\windows\Pporagawo.dat

c:\windows\system32\fixmjava.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_0194961239289649MCINSTCLEANUP

-------\Legacy_FZVMXMQJ

-------\Service_0194961239289649mcinstcleanup

-------\Service_fzvmxmqj

((((((((((((((((((((((((( Files Created from 2010-06-27 to 2010-07-27 )))))))))))))))))))))))))))))))

.

2010-07-27 13:59 . 2010-07-27 13:59 -------- d-sh--w- c:\documents and settings\dadams\PrivacIE

2010-07-26 21:01 . 2010-07-26 21:01 -------- d-----w- c:\documents and settings\sysadmin\Local Settings\Application Data\Google

2010-07-26 20:09 . 2010-07-27 17:08 118784 ----a-w- c:\windows\system32\chg.exe

2010-07-23 22:52 . 2010-07-23 22:52 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe

2010-07-23 22:11 . 2010-07-23 22:11 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2010-07-23 19:46 . 2010-07-26 20:31 -------- d-----w- c:\windows\system32\MpEngineStore

2010-07-22 23:11 . 2010-07-22 23:11 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2010-07-22 23:10 . 2010-07-22 23:10 -------- d-----w- c:\documents and settings\dadams\Local Settings\Application Data\Mozilla

2010-07-22 22:46 . 2010-07-22 22:46 -------- d-sh--w- c:\documents and settings\dadams\IETldCache

2010-07-22 21:42 . 2004-08-04 05:08 26496 ----a-w- c:\windows\system32\dllcache\usbstor.sys

2010-07-22 21:35 . 2010-07-22 21:35 -------- d-sh--w- c:\documents and settings\sysadmin\IETldCache

2010-07-22 21:28 . 2010-07-22 21:30 -------- dc-h--w- c:\windows\ie8

2010-07-22 21:25 . 2008-02-26 11:59 294912 ------w- c:\windows\system32\dllcache\msctf.dll

2010-07-22 21:18 . 2010-07-22 21:18 -------- d-----w- c:\windows\system32\wbem\Repository

2010-07-22 21:16 . 2010-07-22 21:16 -------- d-----w- c:\windows\LastGood(2)

2010-07-22 21:09 . 2007-08-14 00:52 66048 ----a-w- c:\windows\ieResetIcons.exe

2010-07-22 21:03 . 2010-07-22 21:03 0 ----a-w- c:\windows\nsreg.dat

2010-07-22 21:03 . 2010-07-22 21:03 -------- d-----w- c:\documents and settings\sysadmin\Local Settings\Application Data\Mozilla

2010-07-22 21:02 . 2010-07-22 21:02 61440 ----a-w- c:\documents and settings\sysadmin\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-1c5e35d4-n\decora-sse.dll

2010-07-22 21:02 . 2010-07-22 21:02 503808 ----a-w- c:\documents and settings\sysadmin\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-395fe467-n\msvcp71.dll

2010-07-22 21:02 . 2010-07-22 21:02 499712 ----a-w- c:\documents and settings\sysadmin\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-395fe467-n\jmc.dll

2010-07-22 21:02 . 2010-07-22 21:02 348160 ----a-w- c:\documents and settings\sysadmin\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-395fe467-n\msvcr71.dll

2010-07-22 21:02 . 2010-07-22 21:02 12800 ----a-w- c:\documents and settings\sysadmin\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-1c5e35d4-n\decora-d3d.dll

2010-07-22 20:17 . 2010-07-22 20:17 -------- d-----w- c:\documents and settings\sysadmin\Application Data\Malwarebytes

2010-07-14 14:05 . 2010-06-14 14:30 743936 ------w- c:\windows\system32\dllcache\helpsvc.exe

2010-07-02 16:53 . 2010-07-02 16:53 -------- d-----w- c:\program files\SysAid

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-23 14:55 . 2009-03-19 06:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-07-22 21:44 . 2010-02-25 22:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-22 14:08 . 2010-06-22 14:08 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb1B.tmp.exe

2010-06-14 14:30 . 2006-02-28 02:00 743936 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe

2010-06-03 23:33 . 2009-04-09 16:12 -------- d-----w- c:\program files\Encompass

2010-05-24 19:18 . 2010-05-24 19:18 503808 ----a-w- c:\documents and settings\dadams\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6c4a7957-n\msvcp71.dll

2010-05-24 19:18 . 2010-05-24 19:18 499712 ----a-w- c:\documents and settings\dadams\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6c4a7957-n\jmc.dll

2010-05-24 19:18 . 2010-05-24 19:18 348160 ----a-w- c:\documents and settings\dadams\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6c4a7957-n\msvcr71.dll

2010-05-24 19:18 . 2010-05-24 19:18 61440 ----a-w- c:\documents and settings\dadams\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-27c1b66c-n\decora-sse.dll

2010-05-24 19:18 . 2010-05-24 19:18 12800 ----a-w- c:\documents and settings\dadams\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-27c1b66c-n\decora-d3d.dll

2010-05-02 07:09 . 2006-02-28 02:00 1859968 ----a-w- c:\windows\system32\win32k.sys

2010-04-29 21:39 . 2010-02-25 22:11 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 21:39 . 2010-02-25 22:11 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

.

((((((((((((((((((((((((((((( SnapShot@2010-07-26_20.48.25 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-07-27 17:08 . 2010-07-27 17:08 16384 c:\windows\temp\Perflib_Perfdata_b8.dat

+ 2010-07-27 13:57 . 2010-07-27 14:00 3384 c:\windows\SoftwareDistribution\EventCache\{C9091E3E-1530-472A-A667-77E276F19780}.bin

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-11-26 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-11-26 166424]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-11-26 137752]

"PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2008-04-07 318488]

"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]

"Recguard"="c:\windows\Sminst\Recguard.exe" [2006-05-12 1138688]

"Reminder"="c:\windows\Creator\Remind_XP.exe" [2006-03-31 761856]

"Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-07-10 872448]

"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2006-02-28 143360]

"Realtime Monitor"="c:\program files\CA\eTrustITM\realmon.exe" [2005-12-10 274432]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1545287438-2170609858-2397693682-1167\Scripts\Logon\0\0]

"Script"=Global.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1545287438-2170609858-2397693682-500\Scripts\Logon\0\0]

"Script"=Global.bat

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\WINDOWS\\SMINST\\Scheduler.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 FSLX;FSLX;c:\windows\system32\drivers\fslx.sys [7/11/2008 4:44 PM 191872]

R1 oxpar;%OXPAR.SVCDESC%;c:\windows\system32\drivers\oxpar.sys [1/24/2007 4:28 AM 80128]

R2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [3/19/2009 12:59 AM 576024]

R3 oxmf;OXPCI Bus enumerator;c:\windows\system32\drivers\oxmf.sys [1/24/2007 4:28 AM 21888]

R3 Oxmfuf;Filter driver for OX16PCI95x ports;c:\windows\system32\drivers\oxmfuf.sys [1/24/2007 4:28 AM 5888]

R3 oxser;OX16C95x Serial port driver;c:\windows\system32\drivers\oxser.sys [1/24/2007 4:28 AM 70784]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/2/2010 1:44 PM 135664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

Contents of the 'Scheduled Tasks' folder

2010-07-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 19:44]

2010-07-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 19:44]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=92&bd=all&pf=cmdt

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

DPF: {A2EBA59E-C601-4AE3-900B-6B61F29500BE} - hxxps://widow1.factualdata.com/ocx/print3.ocx

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-07-27 11:09

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pdfcDispatcher]

"ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1576)

c:\windows\system32\ieframe.dll

c:\windows\system32\msi.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\CA\SharedComponents\iTechnology\igateway.exe

c:\program files\CA\eTrustITM\InoRpc.exe

c:\program files\CA\eTrustITM\InoRT.exe

c:\program files\CA\eTrustITM\InoTask.exe

c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\SysAid\IliAS.exe

c:\windows\system32\igfxsrvc.exe

.

**************************************************************************

.

Completion time: 2010-07-27 11:11:31 - machine was rebooted

ComboFix-quarantined-files.txt 2010-07-27 17:11

ComboFix2.txt 2010-07-26 20:50

Pre-Run: 43,286,417,408 bytes free

Post-Run: 43,212,218,368 bytes free

- - End Of File - - 5ED79C9B926850545F2A8C870B23F520


nate1234,

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Java 6 Update 20 can be updated from the Java control panel Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now. An update should begin; follow the prompts. If it does not, let me know.

Once the install is complete...

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup)

  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button.
  • There are two options in the window to clear the cache - Leave BOTH Checked:
    • Applications and Applets
    • Trace and Log Files
  • Click OK on the Delete Temporary Files window.

Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

  • Click OK to leave the Temporary Files Window.
  • Click OK to leave the Java Control Panel.

You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM

  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:

  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.

3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.

Please be patient as this can take quite a long time to download.

  • Once the update is complete, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, adware, dialers, and other riskware
    • Archives
    • E-mail databases
  • Click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View report... at the bottom.
  • Click the Save report... button.
  • Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply.

Please include the following in your next post:

  • MBAM log
  • Kaspersky log


On reboot of the machine now, by the way, we get two error messages. The first is

[screenshot of the first error message]

after clicking ok on that one we get

[screenshot of the second error message]

Ok, ran MBAM and Kaspersky. MBAM was clean, but here's the log:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4367

Windows 5.1.2600 Service Pack 2

Internet Explorer 8.0.6001.18702

7/29/2010 2:08:52 PM

mbam-log-2010-07-29 (14-08-52).txt

Scan type: Quick scan

Objects scanned: 151050

Time elapsed: 5 minute(s), 23 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Kaspersky was not clean, but it looks like it mostly found stupid stuff. Here's the log:

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0: scan report

Friday, July 30, 2010

Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Thursday, July 29, 2010 19:05:11

Records in database: 4199205

--------------------------------------------------------------------------------

Scan settings:

scan using the following database: extended

Scan archives: yes

Scan e-mail databases: yes

Scan area - My Computer:

C:\

D:\

E:\

P:\

T:\

Scan statistics:

Objects scanned: 56066

Threats found: 6

Infected objects found: 14

Suspicious objects found: 0

Scan duration: 02:13:45

File name / Threat / Threats count

C:\Program Files\SysAid\VNCHooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.n 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\atapi.sys.vir Infected: Rootkit.Win32.TDSS.ap 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\fixmjava.dll.vir Infected: Trojan-PSW.Win32.Agent.suy 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\fjhdyfhsn.bat.vir Infected: Trojan.BAT.Agent.vf 1

C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP255\A0021354.bat Infected: Trojan.BAT.Agent.vf 1

C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP260\A0025771.bat Infected: Trojan.BAT.Agent.vf 1

C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP260\A0025772.dll Infected: Trojan-PSW.Win32.Agent.svi 1

C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP263\A0027343.dll Infected: Trojan-PSW.Win32.Agent.suy 1

C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP264\A0027382.sys Infected: Rootkit.Win32.TDSS.ap 1

C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP264\A0027427.bat Infected: Trojan.BAT.Agent.vf 1

C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP264\A0027540.dll Infected: Trojan-PSW.Win32.Agent.suy 1

C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP264\snapshot\MFEX-1.DAT Infected: Trojan-PSW.Win32.Agent.suy 1

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\A3G9UZUP\SetupSE2010[1].exe Infected: Packed.Win32.Katusha.o 1

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GHSD6F4R\firewall[1].dll Infected: Packed.Win32.Katusha.o 1

Selected area has been scanned.

Thanks again for your help!


nate1234,

Download TFC to your desktop

  • Close any open windows.
  • Double click the TFC icon to run the program.
  • TFC will close all open programs itself in order to run.
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
  • Once it's finished it should automatically reboot your machine.
  • If it doesn't, manually reboot to ensure a complete clean.

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    ebdepi.dll
    :regfind
    ebdepi.dll


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

Please include the following in your next post:

  • SystemLook log



Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

