
Blocking Malicious Sites



For the past two days I've been having problems with obvious spam and computer slowdown and locking. Neither MBAM nor any of my other programs has found any viruses or other issues; however, the balloon keeps popping up stating that it is blocking access to a malicious site. There are multiple sites that continually get blocked, but how do I clean the PC so the stuff stops running? I followed the instructions on topic #9573 ? and the log files are attached. What do I do next? I really could use some help.

ark.zip

Attach.zip

DDS.zip

mbam_log_2011_02_04__11_23_28_.txt

protection_log_2011_02_04.txt


Hello Ohwhatnow! Welcome to Malwarebytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Follow my instructions step by step; if there is a problem somewhere, stop and tell me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something please ask.
  • Do not install or uninstall any software or hardware while we work on it.
  • Keep me informed about any changes.

Please post your logs, don't attach them, and use Regular mode.

Step 1

First of all, you should not have more than one anti-virus program installed, as they will conflict and cause problems. You have three, so you need to uninstall two of them. Of the three, I would recommend keeping Avira AntiVir, so please uninstall the following items:

McAfee Security Scan Plus

McAfee SiteAdvisor

Symantec AntiVirus

Step 2

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, choose it.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • Click the Report button and copy/paste the contents of it into your next reply

Note: It will also create a log in the C:\ directory.

In your next reply, please include these logs:

  • TDSSKiller log
  • a new fresh DDS log only



TDSSKiller.2.4.16.0_04.02.2011_15.23.58_log.txt

DDS2.txt


DDS (Ver_10-12-12.02) - NTFSx86

Run by rpeterson at 15:42:04.79 on Fri 02/04/2011

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2022.1229 [GMT -6:00]

AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

svchost.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\Explorer.EXE

c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe

c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\MOVEit\MOVEitEZ.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

E:\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.weather.com/weather/local/55792?lswe=55792&lwsa=WeatherLocalUndeclared&from=whatwhere

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = hxxp://www.compudyne.net/

uInternet Settings,ProxyOverride = 10.73.1.212;10.73.1.34

uInternet Settings,ProxyServer = 10.72.216.51:8080

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

uRun: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon

mRun: [Nikon Transfer Monitor] c:\program files\common files\nikon\monitor\NkMonitor.exe

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mapdri~1.lnk - c:\iti\director\DIRWIN-Generic.bat

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\runmov~1.lnk - c:\program files\moveit\MOVEitEZ.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL

Trusted Zone: fmwrdc.com

Trusted Zone: fmwrdc.com\mwrawdir

DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB

DPF: {03DED275-9DA6-450E-8A34-26684B2DDC78} - hxxps://evaultdsm01.com/COM/MOVEitUploadWizard4.5.0.ocx

DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab

DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab

DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6886.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1173892033390

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1296591954265

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {A00C0AFC-E004-4024-9D25-52952AC99A6A} - hxxp://10.73.1.212/NAV_nav1151/NAV1251.CAB

DPF: {AA299E98-6FB5-409F-99D3-D30D749F4864} - hxxp://edge.compudyne.net/inc/kaxRemote.dll

DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: {A34F4152-B85E-4433-B70A-F68962FF91F2} = 10.72.216.130,137.192.2.4,10.73.18.253,10.72.88.254

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

Hosts: 127.0.0.1 www.spywareinfo.com

Hosts: 65.207.128.140 premier.client.fiservdmdr.net

Hosts: 10.73.1.236 DSMDIR04

Hosts: 10.73.1.236 DIRECTOR

Hosts: 10.73.23.37 DSMDIRECTORA

Note: multiple HOSTS entries found. Please refer to Attach.txt

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-2-4 11608]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-2-4 135336]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-2-4 267944]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-2-4 61960]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-2-1 363344]

R2 MSSQL$HPWJA;SQL Server (HPWJA);c:\program files\microsoft sql server\mssql.2\mssql\binn\sqlservr.exe [2007-2-10 29178224]

R2 MSSQL$WHATSUP;SQL Server (WHATSUP);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2008-11-24 29263712]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-2-1 20952]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-11-13 135664]

S3 Mach3;Mach3 Pulseing Service;c:\windows\system32\drivers\mach3.sys --> c:\windows\system32\drivers\Mach3.sys [?]

S4 MOVEitEZ;MOVEit EZ;c:\program files\moveit\MOVEitEZ.exe [2009-6-30 996760]

=============== Created Last 30 ================

2011-02-04 21:39:42 -------- d-----w- c:\windows\system32\CatRoot_bak

2011-02-04 19:24:26 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-02-04 19:24:22 -------- d-----w- c:\program files\Avira

2011-02-04 19:24:22 -------- d-----w- c:\docume~1\alluse~1\applic~1\Avira

2011-02-04 15:08:03 -------- d-----w- c:\program files\McAfee

2011-02-03 16:38:18 -------- d-----w- c:\windows\pss

2011-02-03 15:41:35 -------- d-----w- c:\program files\Spybot - Search & Destroy

2011-02-03 15:41:35 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

2011-02-02 16:59:05 221184 ----a-w- c:\windows\system32\wmpns.dll

2011-02-02 16:18:59 76800 ------w- c:\windows\system32\qutil.dll

2011-02-02 16:16:46 -------- d-----w- c:\windows\ServicePackFiles

2011-02-02 16:16:29 294912 ------w- c:\program files\windows media player\dlimport.exe

2011-02-02 16:16:25 294912 -c----w- c:\windows\system32\dllcache\dlimport.exe

2011-02-02 16:12:58 19569 ----a-w- c:\windows\003242_.tmp

2011-02-02 15:06:51 -------- d-sh--w- c:\documents and settings\rpeterson\IECompatCache

2011-02-01 20:17:43 -------- d-sh--w- c:\documents and settings\rpeterson\PrivacIE

2011-02-01 20:16:11 -------- d-sh--w- c:\documents and settings\rpeterson\IETldCache

2011-02-01 20:12:06 -------- dc-h--w- c:\windows\ie8

2011-02-01 18:53:36 -------- d-----w- c:\docume~1\rpeter~1\applic~1\Malwarebytes

2011-02-01 18:53:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-02-01 18:53:33 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2011-02-01 18:53:30 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-02-01 18:53:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-02-01 18:30:53 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-02-01 18:30:53 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-01-31 14:32:21 -------- d-----w- c:\docume~1\rpeter~1\locals~1\applic~1\Starfield

2011-01-31 14:32:12 -------- d-----w- c:\program files\Starfield

==================== Find3M ====================

============= FINISH: 15:43:22.25 ===============

2011/02/04 15:23:58.0062 2564 TDSS rootkit removing tool 2.4.16.0 Feb 1 2011 10:34:03

2011/02/04 15:23:58.0406 2564 ================================================================================

2011/02/04 15:23:58.0406 2564 SystemInfo:

2011/02/04 15:23:58.0406 2564

2011/02/04 15:23:58.0406 2564 OS Version: 5.1.2600 ServicePack: 3.0

2011/02/04 15:23:58.0406 2564 Product type: Workstation

2011/02/04 15:23:58.0406 2564 ComputerName: WINXP-10388

2011/02/04 15:23:58.0406 2564 UserName: rpeterson

2011/02/04 15:23:58.0406 2564 Windows directory: C:\WINDOWS

2011/02/04 15:23:58.0406 2564 System windows directory: C:\WINDOWS

2011/02/04 15:23:58.0406 2564 Processor architecture: Intel x86

2011/02/04 15:23:58.0406 2564 Number of processors: 2

2011/02/04 15:23:58.0406 2564 Page size: 0x1000

2011/02/04 15:23:58.0406 2564 Boot type: Normal boot

2011/02/04 15:23:58.0406 2564 ================================================================================

2011/02/04 15:23:58.0578 2564 Initialize success

2011/02/04 15:24:04.0593 4068 ================================================================================

2011/02/04 15:24:04.0593 4068 Scan started

2011/02/04 15:24:04.0593 4068 Mode: Manual;

2011/02/04 15:24:04.0593 4068 ================================================================================

2011/02/04 15:24:06.0328 4068 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2011/02/04 15:24:06.0406 4068 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

2011/02/04 15:24:06.0515 4068 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

2011/02/04 15:24:06.0578 4068 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys

2011/02/04 15:24:06.0750 4068 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys

2011/02/04 15:24:06.0890 4068 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2011/02/04 15:24:06.0921 4068 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

2011/02/04 15:24:07.0046 4068 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2011/02/04 15:24:07.0140 4068 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2011/02/04 15:24:07.0359 4068 avgio (0b497c79824f8e1bf22fa6aacd3de3a0) C:\Program Files\Avira\AntiVir Desktop\avgio.sys

2011/02/04 15:24:07.0421 4068 avgntflt (47b879406246ffdced59e18d331a0e7d) C:\WINDOWS\system32\DRIVERS\avgntflt.sys

2011/02/04 15:24:07.0484 4068 avipbb (da39805e2bad99d37fce9477dd94e7f2) C:\WINDOWS\system32\DRIVERS\avipbb.sys

2011/02/04 15:24:07.0531 4068 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2011/02/04 15:24:07.0578 4068 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2011/02/04 15:24:07.0625 4068 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2011/02/04 15:24:07.0671 4068 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

2011/02/04 15:24:07.0734 4068 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2011/02/04 15:24:07.0937 4068 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

2011/02/04 15:24:08.0031 4068 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

2011/02/04 15:24:08.0078 4068 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

2011/02/04 15:24:08.0140 4068 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2011/02/04 15:24:08.0187 4068 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

2011/02/04 15:24:08.0234 4068 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

2011/02/04 15:24:08.0312 4068 e1express (c477f783ed345ec9d739d58eff63a224) C:\WINDOWS\system32\DRIVERS\e1e5132.sys

2011/02/04 15:24:08.0406 4068 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

2011/02/04 15:24:08.0468 4068 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys

2011/02/04 15:24:08.0500 4068 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

2011/02/04 15:24:08.0562 4068 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys

2011/02/04 15:24:08.0593 4068 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys

2011/02/04 15:24:08.0703 4068 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2011/02/04 15:24:08.0765 4068 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2011/02/04 15:24:08.0828 4068 GEARAspiWDM (ab8a6a87d9d7255c3884d5b9541a6e80) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys

2011/02/04 15:24:08.0890 4068 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2011/02/04 15:24:08.0953 4068 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys

2011/02/04 15:24:09.0031 4068 HECI (d0fc694df051bc65946db616f20d1168) C:\WINDOWS\system32\DRIVERS\HECI.sys

2011/02/04 15:24:09.0109 4068 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

2011/02/04 15:24:09.0250 4068 HTTP (f6aacf5bce2893e0c1754afeb672e5c9) C:\WINDOWS\system32\Drivers\HTTP.sys

2011/02/04 15:24:09.0359 4068 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

2011/02/04 15:24:09.0562 4068 ialm (c1c2d6940d6ec2f247b0f3c11e0a18e0) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys

2011/02/04 15:24:09.0781 4068 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

2011/02/04 15:24:09.0953 4068 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys

2011/02/04 15:24:09.0968 4068 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys

2011/02/04 15:24:10.0046 4068 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2011/02/04 15:24:10.0093 4068 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2011/02/04 15:24:10.0125 4068 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2011/02/04 15:24:10.0171 4068 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2011/02/04 15:24:10.0218 4068 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

2011/02/04 15:24:10.0250 4068 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2011/02/04 15:24:10.0296 4068 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2011/02/04 15:24:10.0328 4068 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys

2011/02/04 15:24:10.0359 4068 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

2011/02/04 15:24:10.0375 4068 KSecDD (1705745d900dabf2d89f90ebaddc7517) C:\WINDOWS\system32\drivers\KSecDD.sys

2011/02/04 15:24:10.0484 4068 MBAMProtector (836e0e09ca9869be7eb39ef2cf3602c7) C:\WINDOWS\system32\drivers\mbam.sys

2011/02/04 15:24:10.0531 4068 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2011/02/04 15:24:10.0593 4068 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

2011/02/04 15:24:10.0671 4068 motmodem (fe80c18ba448ddd76b7bead9eb203d37) C:\WINDOWS\system32\DRIVERS\motmodem.sys

2011/02/04 15:24:10.0718 4068 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2011/02/04 15:24:10.0781 4068 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

2011/02/04 15:24:10.0796 4068 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

2011/02/04 15:24:10.0859 4068 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2011/02/04 15:24:10.0937 4068 MRxSmb (60ae98742484e7ab80c3c1450e708148) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2011/02/04 15:24:11.0015 4068 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

2011/02/04 15:24:11.0203 4068 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2011/02/04 15:24:11.0343 4068 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2011/02/04 15:24:11.0390 4068 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

2011/02/04 15:24:11.0453 4068 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2011/02/04 15:24:11.0515 4068 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys

2011/02/04 15:24:11.0593 4068 NAL (16ea7d22102b952621ef4d4f87e3463b) C:\WINDOWS\system32\Drivers\iqvw32.sys

2011/02/04 15:24:11.0640 4068 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

2011/02/04 15:24:11.0671 4068 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2011/02/04 15:24:11.0687 4068 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2011/02/04 15:24:11.0703 4068 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2011/02/04 15:24:11.0734 4068 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys

2011/02/04 15:24:11.0750 4068 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

2011/02/04 15:24:11.0781 4068 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

2011/02/04 15:24:11.0828 4068 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys

2011/02/04 15:24:11.0859 4068 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

2011/02/04 15:24:11.0875 4068 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

2011/02/04 15:24:11.0984 4068 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2011/02/04 15:24:12.0046 4068 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2011/02/04 15:24:12.0078 4068 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2011/02/04 15:24:12.0140 4068 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys

2011/02/04 15:24:12.0171 4068 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys

2011/02/04 15:24:12.0234 4068 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

2011/02/04 15:24:12.0281 4068 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

2011/02/04 15:24:12.0312 4068 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

2011/02/04 15:24:12.0421 4068 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

2011/02/04 15:24:12.0500 4068 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys

2011/02/04 15:24:12.0828 4068 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2011/02/04 15:24:12.0875 4068 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

2011/02/04 15:24:12.0906 4068 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2011/02/04 15:24:13.0078 4068 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2011/02/04 15:24:13.0109 4068 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2011/02/04 15:24:13.0125 4068 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2011/02/04 15:24:13.0156 4068 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2011/02/04 15:24:13.0187 4068 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2011/02/04 15:24:13.0281 4068 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2011/02/04 15:24:13.0312 4068 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

2011/02/04 15:24:13.0359 4068 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

2011/02/04 15:24:13.0437 4068 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

2011/02/04 15:24:13.0500 4068 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2011/02/04 15:24:13.0562 4068 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

2011/02/04 15:24:13.0593 4068 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys

2011/02/04 15:24:13.0656 4068 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

2011/02/04 15:24:13.0703 4068 sfng32 (5fe18fff6fbcf218290042009eab023d) C:\WINDOWS\system32\drivers\sfng32.sys

2011/02/04 15:24:13.0750 4068 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

2011/02/04 15:24:13.0781 4068 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

2011/02/04 15:24:13.0859 4068 Srv (3bb03f2ba89d2be417206c373d2af17c) C:\WINDOWS\system32\DRIVERS\srv.sys

2011/02/04 15:24:13.0906 4068 ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys

2011/02/04 15:24:14.0015 4068 STHDA (237ccbfc82b4c98435461972597f29d5) C:\WINDOWS\system32\drivers\sthda.sys

2011/02/04 15:24:14.0078 4068 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

2011/02/04 15:24:14.0109 4068 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

2011/02/04 15:24:14.0375 4068 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

2011/02/04 15:24:14.0453 4068 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2011/02/04 15:24:14.0484 4068 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

2011/02/04 15:24:14.0531 4068 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

2011/02/04 15:24:14.0578 4068 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

2011/02/04 15:24:14.0703 4068 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

2011/02/04 15:24:14.0781 4068 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

2011/02/04 15:24:14.0875 4068 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2011/02/04 15:24:14.0921 4068 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2011/02/04 15:24:14.0953 4068 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2011/02/04 15:24:15.0031 4068 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys

2011/02/04 15:24:15.0078 4068 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

2011/02/04 15:24:15.0125 4068 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2011/02/04 15:24:15.0187 4068 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

2011/02/04 15:24:15.0250 4068 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

2011/02/04 15:24:15.0328 4068 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

2011/02/04 15:24:15.0421 4068 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2011/02/04 15:24:15.0484 4068 wceusbsh (46a247f6617526afe38b6f12f5512120) C:\WINDOWS\system32\DRIVERS\wceusbsh.sys

2011/02/04 15:24:15.0546 4068 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys

2011/02/04 15:24:15.0609 4068 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

2011/02/04 15:24:15.0703 4068 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

2011/02/04 15:24:15.0765 4068 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

2011/02/04 15:24:15.0812 4068 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)

2011/02/04 15:24:15.0812 4068 ================================================================================

2011/02/04 15:24:15.0812 4068 Scan finished

2011/02/04 15:24:15.0812 4068 ================================================================================

2011/02/04 15:24:15.0828 0728 Detected object count: 1

2011/02/04 15:24:41.0625 0728 \HardDisk0 - will be cured after reboot

2011/02/04 15:24:41.0625 0728 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure

2011/02/04 15:25:51.0703 0776 Deinitialize success

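As an added example (not TDSSKiller's code and not from this thread), a small Python triage script that parses log lines in the format posted above and pulls out what the helper looked for: the detection, the action chosen, and whether the cure is deferred to a reboot. The sample input reuses lines from the log above plus one constructed driver line (`xyzdrv`, all-zero MD5) to exercise a hypothetical "unexpected driver path" review heuristic.

```python
"""Triage helper for TDSSKiller log output (added example; not TDSSKiller's own code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Line shapes seen in the thread: "<date> <time> <tid> <name> (<md5>) <path>",
# "<obj> - detected <threat> (<n>)", "<threat>(<obj>) - User select action: <act>",
# and "<obj> - will be cured after reboot".
_TS = r"^(?P<ts>\S+ \S+)\s+(?P<tid>[0-9a-fA-F]{4})\s+"
DRIVER_RE = re.compile(_TS + r"(?P<name>\S+)\s+\((?P<md5>[0-9a-fA-F]{32})\)\s+(?P<path>.+)$")
DETECT_RE = re.compile(_TS + r"(?P<obj>\S+) - detected (?P<threat>\S+) \(\d+\)$")
ACTION_RE = re.compile(_TS + r"(?P<threat>\S+)\((?P<obj>[^)]+)\) - User select action: (?P<action>\w+)$")
REBOOT_RE = re.compile(_TS + r"(?P<obj>\S+) - will be cured after reboot$")

# Where boot-time drivers normally live on this XP system. Anything else is only
# a candidate for review, not a verdict (hypothetical heuristic, not from the tool).
EXPECTED_DRIVER_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Sample input: lines copied from the log posted in the thread, plus one
# constructed driver line (xyzdrv, zero MD5) to exercise the path check.
SAMPLE_LOG = r"""
2011/02/04 15:24:15.0250 4068 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/02/04 15:24:15.0328 4068 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/02/04 15:24:15.0400 4068 xyzdrv (00000000000000000000000000000000) C:\WINDOWS\Temp\xyzdrv.sys
2011/02/04 15:24:15.0812 4068 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/02/04 15:24:15.0812 4068 Scan finished
2011/02/04 15:24:15.0828 0728 Detected object count: 1
2011/02/04 15:24:41.0625 0728 \HardDisk0 - will be cured after reboot
2011/02/04 15:24:41.0625 0728 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2011/02/04 15:25:51.0703 0776 Deinitialize success
"""


@dataclass
class Detection:
    obj: str
    threat: str
    action: Optional[str] = None
    pending_reboot: bool = False


def parse_log(text: str) -> Tuple[List[Dict[str, str]], List[Detection]]:
    """Return (driver inventory, detections) parsed from TDSSKiller log text."""
    drivers: List[Dict[str, str]] = []
    found: Dict[str, Detection] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := DRIVER_RE.match(line)):
            drivers.append({"name": m["name"], "md5": m["md5"].lower(), "path": m["path"]})
        elif (m := DETECT_RE.match(line)):
            found[m["obj"]] = Detection(obj=m["obj"], threat=m["threat"])
        elif (m := ACTION_RE.match(line)) and m["obj"] in found:
            found[m["obj"]].action = m["action"]
        elif (m := REBOOT_RE.match(line)) and m["obj"] in found:
            found[m["obj"]].pending_reboot = True
    return drivers, list(found.values())


def unusual_paths(drivers: List[Dict[str, str]]) -> List[str]:
    """Names of drivers loaded from outside the expected system directories."""
    return [d["name"] for d in drivers
            if not d["path"].lower().startswith(EXPECTED_DRIVER_PREFIXES)]


def triage(text: str) -> dict:
    """Summarise a log the way a helper reads it: what was found, what was done,
    and whether the result can only be confirmed by a rescan after reboot."""
    drivers, detections = parse_log(text)
    return {
        "driver_count": len(drivers),
        "detections": [(d.obj, d.threat, d.action) for d in detections],
        # A hit on \HardDiskN is the boot sector itself (TDL4 lives in the MBR),
        # so the cure is applied at reboot and a follow-up scan is needed.
        "mbr_infected": any(d.obj.lower().startswith("\\harddisk") for d in detections),
        "reboot_required": any(d.pending_reboot for d in detections),
        "drivers_to_review": unusual_paths(drivers),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```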

Please remove it! :)

Next:

**Note: If you need more detailed information, please visit the web page of ComboFix on BleepingComputer.**

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Please download ComboFix from

Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Open Tools -> Options -> Main tab
    • Set to Always ask me where to Save the files.
  2. During the download, rename Combofix to Combo-Fix.
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  7. Double click on Combo-Fix.exe & follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

If it is difficult for you with any of the operations with Malwarebytes' Anti-Malware, for your convenience we have a video on YouTube, which shows visually how to do that. Check them out here.


ComboFix 11-01-31.02 - rpeterson 02/04/2011 16:45:55.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2022.1397 [GMT -6:00]

Running from: E:\Combo-Fix.exe

AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Install.exe

c:\windows\system32\drivers\etc\lmhosts

c:\windows\system32\Thumbs.db

.

((((((((((((((((((((((((( Files Created from 2011-01-04 to 2011-02-04 )))))))))))))))))))))))))))))))

.

2011-02-04 22:28 . 2011-02-04 22:28 -------- d-----w- c:\documents and settings\rpeterson\Application Data\Avira

2011-02-04 21:39 . 2011-02-04 21:39 -------- d-----w- c:\windows\system32\CatRoot_bak

2011-02-04 19:24 . 2011-01-10 20:23 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-02-04 19:24 . 2011-01-10 20:23 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys

2011-02-04 19:24 . 2010-06-17 20:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2011-02-04 19:24 . 2010-06-17 20:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2011-02-04 19:24 . 2011-02-04 19:24 -------- d-----w- c:\program files\Avira

2011-02-04 19:24 . 2011-02-04 19:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2011-02-04 15:08 . 2011-02-04 15:08 -------- d-----w- c:\program files\McAfee

2011-02-03 17:59 . 2011-02-03 17:59 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2011-02-03 15:41 . 2011-02-03 16:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2011-02-03 15:41 . 2011-02-03 16:27 -------- d-----w- c:\program files\Spybot - Search & Destroy

2011-02-02 21:40 . 2011-02-02 21:40 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE

2011-02-02 21:36 . 2011-02-02 21:36 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee

2011-02-02 20:59 . 2011-02-02 20:59 -------- d-----w- c:\program files\Common Files\Adobe AIR

2011-02-02 20:57 . 2011-02-02 20:57 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2011-02-02 16:59 . 2008-04-14 11:42 221184 ----a-w- c:\windows\system32\wmpns.dll

2011-02-02 16:18 . 2008-04-14 11:42 73796 ------w- c:\windows\system32\slserv.exe

2011-02-02 16:16 . 2011-02-02 16:19 -------- d-----w- c:\windows\ServicePackFiles

2011-02-02 16:16 . 2008-04-14 11:42 294912 ------w- c:\program files\Windows Media Player\dlimport.exe

2011-02-02 16:16 . 2008-04-14 11:42 294912 -c----w- c:\windows\system32\dllcache\dlimport.exe

2011-02-02 16:12 . 2006-12-29 06:31 19569 ----a-w- c:\windows\003242_.tmp

2011-02-02 15:06 . 2011-02-02 15:06 -------- d-sh--w- c:\documents and settings\rpeterson\IECompatCache

2011-02-01 20:25 . 2011-02-01 20:25 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2011-02-01 20:17 . 2011-02-01 20:17 -------- d-sh--w- c:\documents and settings\rpeterson\PrivacIE

2011-02-01 20:16 . 2011-02-01 20:16 -------- d-sh--w- c:\documents and settings\rpeterson\IETldCache

2011-02-01 20:12 . 2011-02-01 20:13 -------- dc-h--w- c:\windows\ie8

2011-02-01 18:53 . 2011-02-01 18:53 -------- d-----w- c:\documents and settings\rpeterson\Application Data\Malwarebytes

2011-02-01 18:53 . 2011-02-01 18:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-02-01 18:53 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-02-01 18:53 . 2011-02-04 16:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-02-01 18:53 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-02-01 18:31 . 2011-02-01 18:31 -------- d-----w- c:\program files\Common Files\Java

2011-02-01 18:30 . 2011-02-01 18:30 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-02-01 18:30 . 2011-02-01 18:30 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-02-01 18:30 . 2011-02-01 18:30 -------- d-----w- c:\program files\Java

2011-01-31 14:32 . 2011-01-31 14:32 -------- d-----w- c:\documents and settings\rpeterson\Local Settings\Application Data\Starfield

2011-01-31 14:32 . 2011-02-02 14:21 -------- d-----w- c:\program files\Starfield

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-01-16 147456]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-11 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-02-26 131072]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-02-26 155648]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-02-26 131072]

"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]

"Nikon Transfer Monitor"="c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe" [2008-09-30 485208]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-12-21 443728]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-01-10 281768]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"GrpConv"="grpconv -o" [X]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

MAP DRIVE TO DIRECTOR.lnk - c:\iti\DIRECTOR\DIRWIN-Generic.bat [2007-9-25 102]

Run MOVEit EZ Service in Foreground.lnk - c:\program files\MOVEit\MOVEitEZ.exe [2009-6-30 996760]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3816717236-463642699-2401961290-1142\Scripts\Logon\0\0]

"Script"=all.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3816717236-463642699-2401961290-1143\Scripts\Logon\0\0]

"Script"=all.bat

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk

backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2010-11-10 18:49 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2010-11-10 18:49 35736 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2009-01-06 19:06 290088 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

2006-01-12 23:40 155648 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-01-05 22:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]

2004-11-03 04:24 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

2008-04-11 19:03 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\NetMeeting\\conf.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\MOVEit\\MOVEitEZ.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2/4/2011 1:24 PM 135336]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2/1/2011 12:53 PM 363344]

R2 MSSQL$HPWJA;SQL Server (HPWJA);c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2/10/2007 7:29 AM 29178224]

R2 MSSQL$WHATSUP;SQL Server (WHATSUP);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [11/24/2008 9:31 PM 29263712]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2/1/2011 12:53 PM 20952]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/13/2009 8:26 AM 135664]

S3 Mach3;Mach3 Pulseing Service;c:\windows\system32\Drivers\Mach3.sys --> c:\windows\system32\Drivers\Mach3.sys [?]

S4 MOVEitEZ;MOVEit EZ;c:\program files\MOVEit\MOVEitEZ.exe [6/30/2009 12:37 PM 996760]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - SSMDRV

.

Contents of the 'Scheduled Tasks' folder

2011-02-04 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2011-02-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-13 14:26]

2011-02-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-13 14:26]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.weather.com/weather/local/55792?lswe=55792&lwsa=WeatherLocalUndeclared&from=whatwhere

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = hxxp://www.compudyne.net/

uInternet Settings,ProxyOverride = 10.73.1.212;10.73.1.34

uInternet Settings,ProxyServer = 10.72.216.51:8080

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html

Trusted Zone: fmwrdc.com

Trusted Zone: fmwrdc.com\mwrawdir

TCP: {A34F4152-B85E-4433-B70A-F68962FF91F2} = 10.72.216.130,137.192.2.4,10.73.18.253,10.72.88.254

DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB

DPF: {03DED275-9DA6-450E-8A34-26684B2DDC78} - hxxps://evaultdsm01.com/COM/MOVEitUploadWizard4.5.0.ocx

DPF: {A00C0AFC-E004-4024-9D25-52952AC99A6A} - hxxp://10.73.1.212/NAV_nav1151/NAV1251.CAB

.

- - - - ORPHANS REMOVED - - - -

HKLM-RunOnce-<NO NAME> - (no file)

Notify-NavLogon - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-02-04 16:50

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3816717236-463642699-2401961290-1142\


Please visit www.virustotal.com and upload the following files one by one:

c:\windows\003242_.tmp

c:\Program Files\MOVEit\MOVEitEZ.exe

Post the results in your next reply.

File already submitted: The file sent has already been analysed by VirusTotal in the past. This is same basic info regarding the sample itself and its last analysis:

MD5: 8737f6f4c8ec1e2a9ea5516f1b3ae1ad

Date first seen: 2009-01-30 21:58:47 (UTC)

Date last seen: 2011-01-29 12:32:03 (UTC)

Detection ratio: 0/43


0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.

File name: MOVEitEZ.exe

Submission date: 2011-02-04 23:06:48 (UTC)


Result: 0/ 43 (0.0%)



MD5 : 94f712ff9cfba58084a4713fe1e37df1

SHA1 : 6af47aead4389ce73a113c0913c176c1b909c3b0

SHA256: 7f1dc46fa7d1acf1b6d7691ad4c3811dc1bd00595da273befb4ab323400dd242

ssdeep: 24576:QH6/2ES9jFvPJd5oWSOQ8uBx37jZtTg1D1Vu:8zvPJd5orTHfTgU

File size : 996760 bytes

First seen: 2010-03-04 20:26:25

Last seen : 2011-02-04 23:06:48

TrID:

Win32 Executable MS Visual C++ (generic) (65.2%)

Win32 Executable Generic (14.7%)

Win32 Dynamic Link Library (generic) (13.1%)

Generic Win/DOS Executable (3.4%)

DOS Executable Generic (3.4%)

sigcheck:

publisher....: Ipswitch, Inc.

copyright....: Copyright © 2003-2009, Ipswitch, Inc.

product......: MOVEit EZ

description..: MOVEitEZ

original name: MOVEitEZ.exe

internal name: MOVEit EZ

file version.: 6, 5, 0, 0

comments.....: MOVEit Desktop Automation

signers......: Ipswitch, Inc.

VeriSign Class 3 Code Signing 2004 CA

Class 3 Public Primary Certification Authority

signing date.: 9:44 PM 7/24/2009

verified.....: -

PEiD: Armadillo v1.71

PEInfo: PE structure information

[[ basic data ]]

entrypointaddress: 0x6BC9E

timedatestamp....: 0x4A6A1D0E (Fri Jul 24 20:43:58 2009)

machinetype......: 0x14c (I386)

[[ 5 section(s) ]]

name, viradd, virsiz, rawdsiz, ntropy, md5

.text, 0x1000, 0x7B83E, 0x7C000, 6.62, 260015f8bb8dfec02f4e601832888076

.rdata, 0x7D000, 0xC31C, 0xD000, 5.79, 4b9253cd4b5d32ad1b9ffa08b71634c7

.data, 0x8A000, 0x59391, 0x13000, 5.37, bdb11961e88ba911f1c2607398959ff0

.tls, 0xE4000, 0x134, 0x1000, 0.00, 620f0b67a91f7f74151bc5be745b7110

.rsrc, 0xE5000, 0x53598, 0x54000, 3.26, ea60d09b7ed9e50ce021946a29a51d10


ExifTool:

file metadata

CharacterSet: Unicode

CodeSize: 507904

Comments: MOVEit Desktop Automation

CompanyName: Ipswitch, Inc.

EntryPoint: 0x6bc9e

FileDescription: MOVEitEZ

FileFlagsMask: 0x003f

FileOS: Windows NT 32-bit

FileSize: 973 kB

FileSubtype: 0

FileType: Win32 EXE

FileVersion: 6, 5, 0, 0

FileVersionNumber: 6.5.0.0

ImageVersion: 0.0

InitializedDataSize: 770048

InternalName: MOVEit EZ

LanguageCode: English (U.S.)

LegalCopyright: Copyright 2003-2009, Ipswitch, Inc.

LegalTrademarks: MOVEit is a registered trademark of Ipswitch, Inc.

LinkerVersion: 6.0

MIMEType: application/octet-stream

MachineType: Intel 386 or later, and compatibles

OSVersion: 4.0

ObjectFileType: Executable application

OriginalFilename: MOVEitEZ.exe

PEType: PE32

PrivateBuild:

ProductName: MOVEit EZ

ProductVersion: 6, 5, 0, 0

ProductVersionNumber: 6.5.0.0

SpecialBuild:

Subsystem: Windows GUI

SubsystemVersion: 4.0

TimeStamp: 2009:07:24 22:43:58+02:00

UninitializedDataSize: 0


Glad I could help! :)

Last steps:

Step 1

  1. Go to Start => Run... and copy & paste next command in the field:
    ComboFix /uninstall


  2. Then hit Enter button.

This procedure will do the following:

  • Uninstall ComboFix
  • Delete its related folders and files
  • Reset your clock settings
  • Hide file extensions
  • Hide the system/hidden files
  • Reset System Restore again

P.S.: Make sure there's a space between ComboFix and /uninstall

Step 2

Please manually delete DDS, GMER and TDSSKiller.

Step 3

Keep your software up-to-date:

www.bleepingcomputer.com/tutorials/tutorial174.html

Some malware preventions:

http://forums.malwarebytes.org/index.php?showtopic=9365

Safe surfing! :)
