
Hello,

History of events:

- ESET NOD32 detected and supposedly cleaned some stuff including "C:\cleansweep.exe\cleansweep.exe - a variant of Win32/Kryptik.GBE" (see eset-nod32.txt).

- ESET NOD32 kept popping messages (once every hour or so) about blocking a particular IP/website

- Downloaded/Purchased Malwarebytes Anti-Malware. It too claims to have removed a trojan (mbam-log-2010-08-30 (16-04-26).txt and mbam-log-2010-08-30 (16-21-13).txt).

- Nevertheless, it still keeps telling me that it is blocking some IP... (IP-BLOCK - 94.96.214.220), so I assume that something is still infecting my system.

I followed all the instructions on the "What to do" page of this forum, HOWEVER, my computer always reboots in the middle of a GMER scan, so that can't complete...

Any help would be much appreciated.

Bill

DDS (Ver_10-03-17.01) - NTFSx86

Run by Bill at 8:31:52.89 on 2010-08-31

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3454.2712 [GMT -4:00]

AV: ESET NOD32 Antivirus 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

C:\WINDOWS\system32\svchost -k rpcss

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Pogoplug\dokanmnt.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe

c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe

c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\system32\vmnat.exe

C:\WINDOWS\system32\vmnetdhcp.exe

C:\Program Files\VMware\VMware Workstation\vmware-authd.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

C:\Program Files\Brownie\BrstsWnd.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\SuperCopier2\SuperCopier2.exe

C:\Program Files\Taskbar Shuffle\taskbarshuffle.exe

C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Brownie\Brnipmon.exe

C:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe

C:\Program Files\Pidgin\pidgin.exe

C:\Program Files\ProcessExplorer\procexp.exe

C:\Program Files\Datacolor\Spyder3Pro\Utility\Spyder3Utility.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Documents and Settings\Bill\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Bill\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\tmp\dl\dds\dds.scr

C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://logidelic.pogoplug.com/view.html

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe

uRun: [superCopier2.exe] c:\program files\supercopier2\SuperCopier2.exe

uRun: [Taskbar Shuffle] c:\program files\taskbar shuffle\taskbarshuffle.exe

uRun: [AnyDVD] c:\program files\slysoft\anydvd\AnyDVDtray.exe

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [Google Update] "c:\documents and settings\bill\local settings\application data\google\update\GoogleUpdate.exe" /c

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Alcmtr] ALCMTR.EXE

mRun: [intelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"

mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice

mRun: [brStsWnd] c:\program files\brownie\BrstsWnd.exe Autorun

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [nwiz] nwiz.exe /installquiet

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\monito~1.lnk - c:\program files\apache software foundation\apache2.2\bin\ApacheMonitor.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pidgin.lnk - c:\program files\pidgin\pidgin.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\proces~1.lnk - c:\program files\processexplorer\procexp.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\spyder~1.lnk - c:\program files\datacolor\spyder3pro\utility\Spyder3Utility.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

LSP: c:\program files\vmware\vmware workstation\vsocklib.dll

DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1224259654703

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

Hosts: 192.168.0.191 logidelic.pogoplug.com

Hosts: 192.168.0.191 bdhome.pogoplug.com

Hosts: 192.168.0.185 logibilling.pogoplug.com

Hosts: 192.168.0.198 plugnix

Hosts: 192.168.0.195 docknix

Note: multiple HOSTS entries found. Please refer to Attach.txt

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\bill\applic~1\mozilla\firefox\profiles\dxuo2sr5.default\

FF - prefs.js: browser.startup.homepage - about:blank

FF - plugin: c:\documents and settings\bill\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);

c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-11-16 108792]

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-2-20 96408]

R2 Apache2.2;Apache2.2;c:\program files\apache software foundation\apache2.2\bin\httpd.exe [2008-12-10 24636]

R2 DokanCEDriver;DokanCEDriver;c:\program files\pogoplug\dokance.sys [2009-10-19 52072]

R2 DokanCEMounter;DokanCEMounter;c:\program files\pogoplug\dokanmnt.exe [2010-2-11 122984]

R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-11-16 735960]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-8-30 304464]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-7-14 24652]

R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [2008-10-29 54960]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-8-30 20952]

S3 Spyder3;Datacolor Spyder3;c:\windows\system32\drivers\Spyder3.sys [2008-3-19 12288]

============== File Associations ===============

.txt=UltraEdit.txt

=============== Created Last 30 ================

2010-08-31 12:25:12 176 ----a-w- c:\documents and settings\bill\defogger_reenable

2010-08-30 16:58:57 0 d-----w- c:\docume~1\bill\applic~1\Malwarebytes

2010-08-30 16:58:52 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-08-30 16:58:51 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-08-30 16:58:51 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-08-30 16:58:50 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-08-13 14:52:25 0 d-----w- c:\program files\PowerArchiver

2010-08-10 09:15:58 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2010-08-10 09:15:58 69632 ----a-w- c:\windows\system32\QuickTime.qts

2010-08-04 17:37:24 0 d-----w- c:\docume~1\bill\applic~1\K-Meleon

2010-08-04 17:37:15 0 d-----w- c:\program files\K-Meleon

2010-08-04 17:32:20 91 ----a-w- c:\windows\ob1.INI

2010-08-04 17:32:15 0 d-----w- c:\program files\HPSW

2010-08-03 19:27:34 0 d-----w- c:\program files\NCH Software

2010-08-03 19:26:58 0 d-----w- c:\program files\NCH Swift Sound

2010-08-03 19:17:53 0 d-----w- c:\program files\Audacity

2010-08-03 16:59:45 0 d-----w- c:\docume~1\bill\applic~1\webex

2010-08-03 12:18:03 0 d-----w- c:\program files\iPhoneBrowser

2010-08-02 23:08:24 0 d-----w- c:\program files\WinSCP

==================== Find3M ====================

2010-07-17 09:00:04 423656 ----a-w- c:\windows\system32\deployJava1.dll

2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll

2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll

2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys

2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll

2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll

============= FINISH: 8:32:56.06 ===============


Hello,

And :) My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.

  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications.

-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.

Use the 'Add Reply' and add the new log to this thread.

Please download Rootkit Unhooker and save it to your Desktop.

  • Double-click on RKUnhookerLE to run it
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth and uncheck the rest
  • Click OK
  • Wait until it's finished and then go to File > Save Report
  • Save the report to your Desktop

Copy the entire contents of the report and paste it in a reply here.

Note - you may get this warning; it is ok, just ignore it: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?"

-------------------------------------------------------------

In the meantime, please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply:

  • A detailed description of your problems

  • RKU log

Thanks and again sorry for the delay.


Here is the report as requested. Thank you so much for your help!

RkU Version: 3.8.388.590, Type LE (SR2)

==============================================

OS Name: Windows XP

Version 5.1.2600 (Service Pack 3)

Number of processors #2

==============================================

>Drivers

==============================================

0xB6914000 C:\WINDOWS\system32\DRIVERS\nv4_mini.sys 10235904 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Miniport Driver, Version 197.45 )

0xBD012000 C:\WINDOWS\System32\nv4_disp.dll 6434816 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Display driver, Version 197.45 )

0xAC3A2000 C:\WINDOWS\system32\drivers\RtkHDAud.sys 5206016 bytes (Realtek Semiconductor Corp., Realtek® High Definition Audio Function Driver)

0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2150400 bytes (Microsoft Corporation, NT Kernel & System)

0x804D7000 PnpManager 2150400 bytes

0x804D7000 RAW 2150400 bytes

0x804D7000 WMIxWDM 2150400 bytes

0xBF800000 Win32k 1855488 bytes

0xBF800000 C:\WINDOWS\System32\win32k.sys 1855488 bytes (Microsoft Corporation, Multi-User Win32 Driver)

0xB74B4000 C:\WINDOWS\system32\DRIVERS\HSF_DP.sys 987136 bytes (Conexant Systems, Inc., HSF_DP driver)

0xB72EF000 C:\WINDOWS\system32\DRIVERS\NVNRM.SYS 958464 bytes (NVIDIA Corporation, NVIDIA Network Resource Manager.)

0xA63BC000 C:\WINDOWS\system32\Drivers\vmx86.sys 851968 bytes (VMware, Inc., VMware kernel driver)

0xA6559000 C:\WINDOWS\system32\DRIVERS\eamon.sys 835584 bytes (ESET, Amon monitor)

0xB7401000 C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys 733184 bytes (Conexant Systems, Inc., HSF_CNXT driver)

0xB7DE5000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)

0xAAA49000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)

0xB685B000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)

0xAABA9000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)

0xA6315000 C:\WINDOWS\system32\DRIVERS\srv.sys 356352 bytes (Microsoft Corporation, Server driver)

0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)

0xB75C8000 C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys 270336 bytes (Conexant Systems, Inc., HSF_HWB2 WDM driver)

0xA5C36000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)

0xB68B9000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)

0xB7F79000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)

0xA648C000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)

0xB7DB8000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)

0xAAAB9000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)

0xB73D9000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows ® Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)

0xAAB6F000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)

0xB7F23000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)

0xAAB49000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)

0xA7206000 C:\WINDOWS\System32\Drivers\dump_nvgts.sys 151552 bytes

0xB7EE6000 nvgts.sys 151552 bytes (NVIDIA Corporation, NVIDIA


Hi, I see some hosts file hijacking in your log and, furthermore, a few entries that need to be taken care of.

COMBOFIX

---------------

Please download ComboFix from one of these locations:

Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

[Image: Query_RC.gif]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[Image: RC_successful.gif]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Hi, I see some hosts file hijacking in your log and, furthermore, a few entries that need to be taken care of.

Hi Elise. Just to be clear, those 192.168.0.* hosts lines are actually ok. I put them there myself.

I will nevertheless proceed with your instructions unless you tell me otherwise.

Thanks!

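The disagreement just above (Hosts: entries flagged as hijacking that the poster says point at his own LAN) is exactly the distinction a hosts-file triage can make mechanically. The script below is an added example, not code from this thread, from DDS or from ComboFix; its sample input is the five Hosts: lines quoted in the DDS log plus two constructed lines, and the made-up hostnames in those two lines and the protected-domain list are assumptions.

```python
"""Triage of HOSTS-file entries as they appear in DDS 'Hosts:' lines.

Added example, not part of the thread or of DDS/ComboFix. The point it
makes is the one argued above: an entry is only a hijack if it sends a
name somewhere it should not go, and an RFC 1918 address on the user's own
LAN is a different finding from a public redirect or a pinned update host.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed sample input: the five Hosts: lines quoted in the DDS log
# above, followed by two lines invented for this example. The first pairs
# the address MBAM reported blocking in the thread with a made-up hostname;
# the second pins a made-up vendor update host to loopback.
SAMPLE_DDS_HOSTS = """\
Hosts: 192.168.0.191 logidelic.pogoplug.com
Hosts: 192.168.0.191 bdhome.pogoplug.com
Hosts: 192.168.0.185 logibilling.pogoplug.com
Hosts: 192.168.0.198 plugnix
Hosts: 192.168.0.195 docknix
Hosts: 94.96.214.220 www.example-bank.invalid
Hosts: 127.0.0.1 update.example-av.invalid
"""

# Domains whose pinning to loopback/0.0.0.0 usually means an infection is
# blocking updates. Assumed list for this example; extend as needed.
PROTECTED_DOMAINS = ("example-av.invalid", "microsoft.com", "eset.com", "malwarebytes.com")


@dataclass
class HostsFinding:
    address: str
    hostname: str
    verdict: str  # loopback | lan_override | public_redirect | update_block
    note: str


def _is_protected(hostname: str) -> bool:
    """True if hostname is, or is under, one of the protected domains."""
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in PROTECTED_DOMAINS)


def classify(address: str, hostname: str) -> HostsFinding:
    """Decide what kind of mapping one hostname -> address pair is."""
    ip = ipaddress.ip_address(address)
    if ip.is_loopback or ip.is_unspecified:
        if _is_protected(hostname):
            return HostsFinding(address, hostname, "update_block",
                                "security/update host sinkholed; classic infection marker")
        return HostsFinding(address, hostname, "loopback",
                            "local sinkhole (ad-block style); confirm it is intended")
    if ip.is_private:
        return HostsFinding(address, hostname, "lan_override",
                            "points into an RFC 1918 LAN; typical of a user-added override")
    return HostsFinding(address, hostname, "public_redirect",
                        "name redirected to a public address; verify who owns it")


def parse_hosts(text: str) -> List[HostsFinding]:
    """Accept raw hosts-file lines or DDS 'Hosts:' lines; one finding per name."""
    findings: List[HostsFinding] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if line.startswith("Hosts:"):
            line = line[len("Hosts:"):].strip()
        tokens = line.split()
        if len(tokens) < 2:
            continue
        address, names = tokens[0], tokens[1:]  # a hosts line may list several names
        try:
            ipaddress.ip_address(address)
        except ValueError:
            continue  # first token is not an IP literal; skip rather than guess
        findings.extend(classify(address, n) for n in names)
    return findings


def needs_attention(findings: List[HostsFinding]) -> List[HostsFinding]:
    """The entries a helper should actually ask the poster about."""
    return [f for f in findings if f.verdict in ("public_redirect", "update_block")]


if __name__ == "__main__":
    for f in parse_hosts(SAMPLE_DDS_HOSTS):
        print(f"{f.verdict:15} {f.address:16} {f.hostname:30} {f.note}")
```

Run against the sample, the five pogoplug/plugnix/docknix lines come out as lan_override and only the two constructed lines land in needs_attention.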

Here's the ComboFix log:

ComboFix 10-08-31.01 - Bill 2010-08-31 14:42:26.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3454.2195 [GMT -4:00]

Running from: c:\tmp\dl\ComboFix.exe

AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

.

The following files were disabled during the run:

c:\program files\SuperCopier2\SC2Hook.dll

ADS - WINDOWS: deleted 24 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Bill\Application Data\ACD Systems\ACDSee\ImageDB.ddf

c:\documents and settings\Bill\g2mdlhlpx.exe

C:\Install.exe

c:\windows\system32\Cache

c:\windows\system32\images

c:\windows\system32\images\toolbar\calendar.gif

c:\windows\system32\images\toolbar\crlogo.gif

c:\windows\system32\images\toolbar\export.gif

c:\windows\system32\images\toolbar\export_over.gif

c:\windows\system32\images\toolbar\exportd.gif

c:\windows\system32\images\toolbar\First.gif

c:\windows\system32\images\toolbar\first_over.gif

c:\windows\system32\images\toolbar\Firstd.gif

c:\windows\system32\images\toolbar\gotopage.gif

c:\windows\system32\images\toolbar\gotopage_over.gif

c:\windows\system32\images\toolbar\gotopaged.gif

c:\windows\system32\images\toolbar\grouptree.gif

c:\windows\system32\images\toolbar\grouptree_over.gif

c:\windows\system32\images\toolbar\grouptreed.gif

c:\windows\system32\images\toolbar\grouptreepressed.gif

c:\windows\system32\images\toolbar\Last.gif

c:\windows\system32\images\toolbar\last_over.gif

c:\windows\system32\images\toolbar\Lastd.gif

c:\windows\system32\images\toolbar\Next.gif

c:\windows\system32\images\toolbar\next_over.gif

c:\windows\system32\images\toolbar\Nextd.gif

c:\windows\system32\images\toolbar\Prev.gif

c:\windows\system32\images\toolbar\prev_over.gif

c:\windows\system32\images\toolbar\Prevd.gif

c:\windows\system32\images\toolbar\print.gif

c:\windows\system32\images\toolbar\print_over.gif

c:\windows\system32\images\toolbar\printd.gif

c:\windows\system32\images\toolbar\Refresh.gif

c:\windows\system32\images\toolbar\refresh_over.gif

c:\windows\system32\images\toolbar\refreshd.gif

c:\windows\system32\images\toolbar\Search.gif

c:\windows\system32\images\toolbar\search_over.gif

c:\windows\system32\images\toolbar\searchd.gif

c:\windows\system32\images\toolbar\up.gif

c:\windows\system32\images\toolbar\up_over.gif

c:\windows\system32\images\toolbar\upd.gif

c:\windows\system32\images\tree\begindots.gif

c:\windows\system32\images\tree\beginminus.gif

c:\windows\system32\images\tree\beginplus.gif

c:\windows\system32\images\tree\blank.gif

c:\windows\system32\images\tree\blankdots.gif

c:\windows\system32\images\tree\dots.gif

c:\windows\system32\images\tree\lastdots.gif

c:\windows\system32\images\tree\lastminus.gif

c:\windows\system32\images\tree\lastplus.gif

c:\windows\system32\images\tree\Magnify.gif

c:\windows\system32\images\tree\minus.gif

c:\windows\system32\images\tree\minusbox.gif

c:\windows\system32\images\tree\plus.gif

c:\windows\system32\images\tree\plusbox.gif

c:\windows\system32\images\tree\singleminus.gif

c:\windows\system32\images\tree\singleplus.gif

.

((((((((((((((((((((((((( Files Created from 2010-07-28 to 2010-08-31 )))))))))))))))))))))))))))))))

.

2010-08-30 16:58 . 2010-08-30 16:58 -------- d-----w- c:\documents and settings\Bill\Application Data\Malwarebytes

2010-08-30 16:58 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-08-30 16:58 . 2010-08-30 16:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-08-30 16:58 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-08-30 16:58 . 2010-08-30 16:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-08-14 00:02 . 2010-08-14 00:02 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2010-08-13 14:52 . 2010-08-31 14:22 -------- d-----w- c:\program files\PowerArchiver

2010-08-13 14:20 . 2010-08-13 14:20 -------- d-----w- c:\program files\Common Files\Java

2010-08-09 04:24 . 2010-08-09 04:24 503808 ----a-w- c:\documents and settings\Bill\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-6561a9dd-n\msvcp71.dll

2010-08-09 04:24 . 2010-08-09 04:24 499712 ----a-w- c:\documents and settings\Bill\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-6561a9dd-n\jmc.dll

2010-08-09 04:24 . 2010-08-09 04:24 348160 ----a-w- c:\documents and settings\Bill\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-6561a9dd-n\msvcr71.dll

2010-08-09 04:24 . 2010-08-09 04:24 61440 ----a-w- c:\documents and settings\Bill\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-7964e978-n\decora-sse.dll

2010-08-09 04:24 . 2010-08-09 04:24 12800 ----a-w- c:\documents and settings\Bill\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-7964e978-n\decora-d3d.dll

2010-08-04 17:37 . 2010-08-04 17:37 -------- d-----w- c:\documents and settings\Bill\Local Settings\Application Data\K-Meleon

2010-08-04 17:37 . 2010-08-04 17:37 -------- d-----w- c:\documents and settings\Bill\Application Data\K-Meleon

2010-08-04 17:37 . 2010-08-04 17:37 -------- d-----w- c:\program files\K-Meleon

2010-08-04 17:32 . 2010-08-04 17:32 -------- d-----w- c:\program files\HPSW

2010-08-03 19:29 . 2010-08-03 19:29 -------- d-----w- c:\documents and settings\Bill\Local Settings\Application Data\Cranium

2010-08-03 19:27 . 2010-08-03 19:27 -------- d-----w- c:\program files\NCH Software

2010-08-03 19:27 . 2010-08-03 19:27 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound

2010-08-03 19:26 . 2010-08-03 19:26 -------- d-----w- c:\program files\NCH Swift Sound

2010-08-03 19:26 . 2010-08-03 19:26 -------- d-----w- c:\documents and settings\Bill\Application Data\NCH Swift Sound

2010-08-03 19:17 . 2010-08-03 19:17 -------- d-----w- c:\program files\Audacity

2010-08-03 16:59 . 2010-08-03 16:59 -------- d-----w- c:\documents and settings\Bill\Application Data\webex

2010-08-03 12:18 . 2010-08-03 12:18 -------- d-----w- c:\documents and settings\Bill\Local Settings\Application Data\Cranium_Consulting_and_Cu

2010-08-03 12:18 . 2010-08-03 12:18 25214 ----a-r- c:\documents and settings\Bill\Application Data\Microsoft\Installer\{C1FCDCA1-2759-4E5E-84EE-3A665BB2F513}\_E38944F26F8D876B004311.exe

2010-08-03 12:18 . 2010-08-03 12:18 10398 ----a-r- c:\documents and settings\Bill\Application Data\Microsoft\Installer\{C1FCDCA1-2759-4E5E-84EE-3A665BB2F513}\_6FA99008F6BBB97A091E2D.exe

2010-08-03 12:18 . 2010-08-03 12:18 -------- d-----w- c:\program files\iPhoneBrowser

2010-08-02 23:08 . 2010-08-02 23:08 -------- d-----w- c:\program files\WinSCP

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-08-31 18:30 . 2008-10-16 22:55 -------- d-----w- c:\program files\SuperCopier2

2010-08-31 18:08 . 2009-07-30 13:40 -------- d-----w- c:\documents and settings\Bill\Application Data\.purple

2010-08-31 17:40 . 2009-10-21 16:05 -------- d-----w- c:\documents and settings\Bill\Application Data\MySQL

2010-08-31 13:44 . 2008-10-17 00:10 -------- d-----w- c:\program files\Taskbar Shuffle

2010-08-31 13:18 . 2009-03-03 19:30 -------- d-----w- c:\documents and settings\NetworkService\Application Data\VMware

2010-08-31 13:18 . 2009-03-03 19:22 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware

2010-08-31 12:25 . 2008-10-17 00:03 -------- d-----w- c:\documents and settings\Bill\Application Data\KeePass

2010-08-30 20:57 . 2009-10-26 16:55 1 ----a-w- c:\documents and settings\Bill\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys

2010-08-30 20:05 . 2009-04-14 02:05 -------- d-----w- c:\documents and settings\Bill\Application Data\Skype

2010-08-30 16:21 . 2008-10-17 02:55 -------- d-----w- c:\documents and settings\Bill\Application Data\uTorrent

2010-08-30 16:21 . 2008-05-14 20:07 -------- d-----w- c:\program files\utorrent

2010-08-30 16:21 . 2010-02-11 16:16 -------- d-----w- c:\documents and settings\Bill\Application Data\vlc

2010-08-30 04:24 . 2009-03-07 18:12 1324 ----a-w- c:\windows\system32\d3d9caps.dat

2010-08-29 00:30 . 2009-01-07 22:50 -------- d-----w- c:\documents and settings\Bill\Application Data\FileZilla

2010-08-25 13:51 . 2009-04-14 02:04 -------- d-----r- c:\program files\Skype

2010-08-25 13:51 . 2009-04-14 02:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype

2010-08-25 12:21 . 2009-03-03 19:50 -------- d-----w- c:\documents and settings\Bill\Application Data\VMware

2010-08-23 20:56 . 2009-11-23 18:24 -------- d-----w- c:\program files\FileZilla FTP Client

2010-08-19 20:52 . 2009-06-23 23:33 -------- d-----w- c:\program files\QuickTime

2010-08-15 16:45 . 2008-10-17 00:12 -------- d-----w- c:\program files\Mozilla Thunderbird

2010-08-13 14:20 . 2009-03-11 14:52 -------- d-----w- c:\program files\Java

2010-08-07 19:28 . 2008-10-17 13:59 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-07-30 16:40 . 2010-02-02 23:51 -------- d-----w- c:\program files\NVIDIA Corporation

2010-07-29 20:59 . 2009-06-22 20:58 -------- d-----w- c:\program files\Safari

2010-07-29 20:55 . 2010-07-29 20:55 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.33.17.8\SetupAdmin.exe

2010-07-24 23:30 . 2010-07-24 23:29 -------- d-----w- c:\program files\iTunes

2010-07-24 23:29 . 2010-07-24 23:29 -------- d-----w- c:\program files\iPod

2010-07-24 23:29 . 2009-12-31 22:07 -------- d-----w- c:\program files\Common Files\Apple

2010-07-24 23:23 . 2010-07-24 23:23 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.1.5\SetupAdmin.exe

2010-07-17 09:00 . 2010-04-15 20:09 423656 ----a-w- c:\windows\system32\deployJava1.dll

2010-07-13 20:32 . 2010-07-13 20:30 -------- d-----w- c:\program files\BookSmart

2010-07-06 17:13 . 2009-12-03 01:22 -------- d-----w- c:\documents and settings\Bill\Application Data\Vidalia

2010-07-06 16:50 . 2009-12-03 01:22 -------- d-----w- c:\documents and settings\Bill\Application Data\Tor

2010-07-06 12:54 . 2010-07-06 12:35 -------- d-----w- c:\program files\android-sdk-windows

2010-06-30 12:31 . 2004-08-04 04:56 149504 ----a-w- c:\windows\system32\schannel.dll

2010-06-24 20:46 . 2010-06-24 20:46 71992 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.33.16.0\SetupAdmin.exe

2010-06-24 12:22 . 2004-08-04 04:56 916480 ----a-w- c:\windows\system32\wininet.dll

2010-06-23 13:44 . 2004-08-04 03:17 1851904 ----a-w- c:\windows\system32\win32k.sys

2010-06-21 15:27 . 2004-08-04 03:14 354304 ----a-w- c:\windows\system32\drivers\srv.sys

2010-06-17 14:03 . 2004-08-04 04:56 80384 ----a-w- c:\windows\system32\iccvid.dll

2010-06-14 14:31 . 2008-10-16 21:44 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe

2010-06-14 07:41 . 2004-08-04 04:56 1172480 ----a-w- c:\windows\system32\msxml3.dll

2008-10-17 01:06 . 2008-10-17 01:06 0 --sha-w- c:\windows\SB211A192.tmp

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]

@="{C5994560-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]

2010-01-18 23:12 86280 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]

@="{C5994561-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]

2010-01-18 23:12 86280 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]

@="{C5994562-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]

2010-01-18 23:12 86280 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]

@="{C5994563-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]

2010-01-18 23:12 86280 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]

@="{C5994564-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]

2010-01-18 23:12 86280 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]

@="{C5994565-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]

2010-01-18 23:12 86280 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]

@="{C5994566-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]

2010-01-18 23:12 86280 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]

@="{C5994567-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]

2010-01-18 23:12 86280 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]

@="{C5994568-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]

2010-01-18 23:12 86280 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SuperCopier2.exe"="c:\program files\SuperCopier2\SuperCopier2.exe" [2006-07-07 1052672]

"Taskbar Shuffle"="c:\program files\Taskbar Shuffle\taskbarshuffle.exe" [2008-04-17 818176]

"AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe" [2009-01-09 2522048]

"Google Update"="c:\documents and settings\Bill\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-03-18 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-06-01 1468296]

"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-11-16 2054360]

"BrStsWnd"="c:\program files\Brownie\BrstsWnd.exe" [2009-05-19 3618104]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-04-03 110696]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-03 13670504]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Monitor Apache Servers.lnk - c:\program files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe [2008-12-10 41042]

Pidgin.lnk - c:\program files\Pidgin\pidgin.exe [2009-10-17 45603]

ProcessExplorer.lnk - c:\program files\ProcessExplorer\procexp.exe [2008-10-16 3522600]

Spyder3Utility.lnk - c:\program files\Datacolor\Spyder3Pro\Utility\Spyder3Utility.exe [2008-3-19 6333954]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\utorrent\\utorrent.exe"=

"c:\\Program Files\\FileZilla FTP Client\\filezilla.exe"=

"c:\\Program Files\\VMware\\VMware Workstation\\vmware-authd.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Pogoplug\\ppfs.exe"=

"c:\\Program Files\\Pogoplug\\ppsync.exe"=

"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\Stanza.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

"19835:TCP"= 19835:TCP:Torrents

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-11-16 108792]

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-02-20 96408]

R2 Apache2.2;Apache2.2;c:\program files\Apache Software Foundation\Apache2.2\bin\httpd.exe [2008-12-10 24636]

R2 DokanCEDriver;DokanCEDriver;c:\program files\Pogoplug\dokance.sys [2009-10-19 52072]

R2 DokanCEMounter;DokanCEMounter;c:\program files\Pogoplug\dokanmnt.exe [2010-02-11 122984]

R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2009-11-16 735960]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2010-08-30 304464]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2009-07-14 24652]

R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [2008-10-29 54960]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-08-30 20952]

S3 Spyder3;Datacolor Spyder3;c:\windows\system32\drivers\Spyder3.sys [2008-03-19 12288]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2009-02-05 691696]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - NORMANDY

*Deregistered* - mchInjDrv

*Deregistered* - Normandy

*Deregistered* - PROCEXP111

.

Contents of the 'Scheduled Tasks' folder

2010-08-26 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]

2010-08-31 c:\windows\Tasks\Backup.job

- c:\documents and settings\Bill\Desktop\Backup.bat [2009-07-01 14:24]

2010-08-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1547161642-1177238915-682003330-1003Core.job

- c:\documents and settings\Bill\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-18 13:23]

2010-08-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1547161642-1177238915-682003330-1003UA.job

- c:\documents and settings\Bill\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-18 13:23]

2010-08-06 c:\windows\Tasks\switchShakeIcon.job

- c:\program files\NCH Swift Sound\Switch\switch.exe [2010-08-03 19:26]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://logidelic.pogoplug.com/view.html

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

LSP: c:\program files\VMware\VMware Workstation\vsocklib.dll

FF - ProfilePath - c:\documents and settings\Bill\Application Data\Mozilla\Firefox\Profiles\dxuo2sr5.default\

FF - prefs.js: browser.startup.homepage - about:blank

FF - plugin: c:\documents and settings\Bill\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

.

------- File Associations -------

.

.txt=UltraEdit.txt

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-nwiz - nwiz.exe

AddRemove-DAEMON Tools Toolbar - c:\program files\DAEMON Tools Toolbar\uninst.exe

AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-08-31 14:48

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mchInjDrv]

"ImagePath"="\??\c:\docume~1\Bill\LOCALS~1\Temp\mc21.tmp"

.

Completion time: 2010-08-31 14:51:25

ComboFix-quarantined-files.txt 2010-08-31 18:51

Pre-Run: 233,569,849,344 bytes free

Post-Run: 235,679,735,808 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - DD4E6E10A4FA7BBCF56BBC2A14DD075C


Unfortunately, no, they are still happening. :)

18:39:44 Bill IP-BLOCK 94.96.57.118

18:39:54 Bill IP-BLOCK 94.96.85.80

Based on the above logs, etc., do you have an idea about what I'm infected with at least? I notice that the IPs are all part of dynamic.saudi.net.sa, but I don't know if that tells us anything.

Thank you so much for your efforts here, it's really appreciated.


I am willing to bet your open http port is causing this. In your case, you need this port open because of your Apache server. However, you will need some extra protection in the form of a software firewall.

First however, let's confirm this. Can you temporarily close port 80 and see if you still get IP blocks? This way we can confirm it is indeed this open port that is causing some unwanted traffic towards your computer.

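As an added illustration of the triage the reply above describes (example code written for this page, not Malwarebytes' or either poster's), the script below parses IP-BLOCK lines in the format Bill quoted, groups repeated hits by source network, and reports whether the pattern is more consistent with inbound probes against exposed ports than with a trojan phoning home. The sample log lines and the EXPOSED_PORTS set are constructed for the example; the port numbers are taken from the Apache service and the GloballyOpenPorts entries in the ComboFix log.

```python
"""Triage Malwarebytes IP-BLOCK lines against a host's exposed ports."""
import ipaddress
import re
from collections import Counter

# Constructed sample: the two lines Bill quoted plus two more in the same
# "<time> <user> IP-BLOCK <ip>" layout (203.0.113.7 is documentation space).
SAMPLE_LOG = """\
18:39:44 Bill IP-BLOCK 94.96.57.118
18:39:54 Bill IP-BLOCK 94.96.85.80
19:12:03 Bill IP-BLOCK 94.96.214.220
19:40:11 Bill IP-BLOCK 203.0.113.7
"""

# Assumed for this example: Apache on 80 plus the two GloballyOpenPorts
# entries (3389 and 19835) shown in the ComboFix log.
EXPOSED_PORTS = {80, 3389, 19835}

LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2})\s+(\S+)\s+IP-BLOCK\s+(\S+)$")


def parse_ip_blocks(text):
    """Return (time, user, ip) tuples for well-formed IP-BLOCK lines.
    Lines that do not match, or carry an unparsable address, are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(3))
        except ValueError:
            continue
        events.append((m.group(1), m.group(2), ip))
    return events


def blocks_by_network(events, prefix=16):
    """Count blocked IPv4 addresses per /prefix network."""
    counts = Counter()
    for _, _, ip in events:
        if ip.version == 4:
            net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
            counts[str(net)] += 1
    return counts


def assess(events, exposed_ports, prefix=16, threshold=2):
    """Return (network, hits, verdict) per source network, busiest first.
    The log line carries no direction, so the verdict is a hypothesis: repeated
    hits while ports are exposed point to inbound probing, and the reply's
    check (close the port, watch whether blocks stop) is what settles it."""
    ports = ",".join(str(p) for p in sorted(exposed_ports))
    findings = []
    for net, n in blocks_by_network(events, prefix).most_common():
        if n >= threshold and exposed_ports:
            verdict = f"likely inbound probes against exposed ports {ports}; confirm by closing them"
        elif n >= threshold:
            verdict = "repeated blocks with nothing exposed; check for outbound beaconing"
        else:
            verdict = "single block; low signal"
        findings.append((net, n, verdict))
    return findings


if __name__ == "__main__":
    for net, n, verdict in assess(parse_ip_blocks(SAMPLE_LOG), EXPOSED_PORTS):
        print(f"{net:>16}  {n:2d}  {verdict}")
```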

Just wanted to say thanks, and you were right. There's actually no problem of course, it's just an attempted intrusion from those IPs. It would be nice if Malwarebytes could specify that these were incoming connection attempts. Would have clarified things a lot. ;)

I just set up my router to block these IPs so that they stop bugging me. Problem solved.

Thanks for all your help!


  • 2 weeks later...

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

