
Hello,

I recently was infected with a "Trojan.FakeMS.MGen" virus. I remove it each time with Malwarebytes, but it comes back upon restart. I think it has an effect on Internet Explorer, which will appear and then instantly disappear when I open the browser. Any advice on removing this virus is appreciated!


Below is the DDS readout and I have attached GMER and ark logs. Help me please.

DDS File

.

DDS (Ver_11-03-05.01) - NTFSx86

Run by Michael at 17:22:06.57 on 08/05/2011

Internet Explorer: 7.0.5730.13

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3071.2416 [GMT 1:00]

.

AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

C:\WINDOWS\system32\svchost -k rpcss

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\ATKKBService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe

C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wbem\unsecapp.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Microsoft IntelliType Pro\itype.exe

C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe

C:\Program Files\HTC\HTC Sync 3.0\htcUPCTLoader.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe

C:\Program Files\DivX\DivX Plus Web Player\DDmService.exe

C:\Program Files\Saitek\SD6\Software\ProfilerU.exe

C:\Program Files\Saitek\SD6\Software\SaiMfd.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Analog Devices\SoundMAX\Smax4.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\System32\M-AudioTaskBarIcon.exe

C:\Program Files\PowerISO\PWRISOVM.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Documents and Settings\Michael\Desktop\dds.scr

C:\WINDOWS\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uSearch Bar = hxxp://www.wanadoo.co.uk/iesearch/default.htm

uSearchMigratedDefaultURL = hxxp://search.orange.co.uk/all?brand=ouk&tab=web&p=_adr&q={searchTerms}

uInternet Settings,ProxyOverride = <local>

mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\program files\kpltalol\svermmbl.exe,

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll

BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Wanadoo: {8b68564d-53fd-4293-b80c-993a9f3988ee} - c:\progra~1\wanadoo\wsbar\WSBar.dll

uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe

uRun: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMBgMonitor.exe"

mRun: [sony Ericsson PC Suite] "c:\program files\sony ericsson\mobile2\application launcher\Application Launcher.exe" /startoptions

mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe

mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"

mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"

mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe

mRun: [DeltTray] DeltTray.exe

mRun: [Lexmark X1100 Series] "c:\program files\lexmark x1100 series\lxbkbmgr.exe"

mRun: [HTC Sync Loader] "c:\program files\htc\htc sync 3.0\htcUPCTLoader.exe" -startup

mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"

mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW

mRun: [DivX Download Manager] "c:\program files\divx\divx plus web player\DDmService.exe" start

mRun: [ProfilerU] c:\program files\saitek\sd6\software\ProfilerU.exe

mRun: [saiMfd] c:\program files\saitek\sd6\software\SaiMfd.exe

mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [soundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet

mRun: [M-Audio Taskbar Icon] c:\windows\system32\M-AudioTaskBarIcon.exe

mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

dRunOnce: [RunNarrator] Narrator.exe

dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe

dPolicies-explorer: DisallowRun = 1 (0x1)

dPolicies-disallowrun: 1 = firefox.exe

dPolicies-disallowrun: 2 = opera.exe

dPolicies-disallowrun: 3 = chrome.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

LSA: Notification Packages = :\WINDOW

Hosts: 66.98.148.65 auto.search.msn.com

Hosts: 66.98.148.65 auto.search.msn.es

============= SERVICES / DRIVERS ===============

.

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-11-30 64288]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-9-23 1355928]

R2 PassThru Service;Internet Pass-Through Service;c:\program files\htc\internet pass-through\PassThruSvr.exe [2010-9-16 80896]

R3 FStarForce;FStarForce;c:\windows\system32\drivers\FStarForce.sys [2009-5-27 7680]

R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-9-23 15008]

R3 xcpip;TCP/IP Protocol Driver;c:\windows\system32\drivers\xcpip.sys --> c:\windows\system32\drivers\xcpip.sys [?]

R3 xpsec;IPSEC driver;c:\windows\system32\drivers\xpsec.sys --> c:\windows\system32\drivers\xpsec.sys [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-11-30 136176]

S3 ADM851X;ADM851X USB To Fast Ethernet Adapter;c:\windows\system32\drivers\ADM851X.SYS [2010-12-6 22144]

S3 DELTAII;Service for M-Audio Delta Driver (WDM);c:\windows\system32\drivers\MAudioDelta.sys [2011-4-3 302472]

S3 EVOLUSB;Evolution MK-361C USB Driver;c:\windows\system32\drivers\evolusb.sys [2011-2-13 28956]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-11-30 136176]

S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2010-12-2 24576]

S3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\drivers\htcnprot.sys [2010-6-22 21248]

S3 jswmidin;jswmidin;c:\docume~1\michael\locals~1\temp\jswmidin.sys [2004-9-23 15872]

S3 Micorsoft Windows Service;Micorsoft Windows Service;\??\c:\docume~1\michael\locals~1\temp\ahfypjwx.sys --> c:\docume~1\michael\locals~1\temp\ahfypjwx.sys [?]

S3 SaiK0836;SaiK0836;c:\windows\system32\drivers\SaiK0836.sys [2010-12-28 107008]

S4 Iprip;RIP Listener;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]

.

=============== Created Last 30 ================

.

2011-05-04 20:26:49 15880 ----a-w- c:\windows\system32\lsdelete.exe

2011-05-04 17:22:42 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{E961CE1B-C3EA-4882-9F67-F859B555D097}

2011-05-04 17:22:24 -------- d-----w- c:\program files\Lavasoft

2011-05-04 16:27:42 1033216 ----a-w- c:\windows\myexplorer.exe

2011-05-03 19:19:35 -------- d--h--w- C:\$AVG8.VAULT$

2011-05-02 14:48:12 -------- d-----w- c:\program files\kpltalol

2011-04-28 17:40:32 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-04-28 17:40:32 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-04-25 10:46:54 22528 ----a-w- c:\windows\system32\deltasio.dll

2011-04-25 10:46:53 46592 ----a-w- c:\windows\system32\deltapnl.dll

2011-04-25 10:46:53 302336 ----a-w- c:\windows\system32\drivers\delta.sys

2011-04-25 10:46:53 19456 ----a-w- c:\windows\system32\DeltaCPL.cpl

2011-04-25 10:46:53 154112 ----a-w- c:\windows\system32\M-AudioTaskBarIcon.exe

2011-04-25 10:46:53 1122304 ----a-w- c:\windows\system32\deltapnl.exe

2011-04-23 12:23:18 -------- d-----w- c:\docume~1\michael\locals~1\applic~1\World in Conflict

2011-04-23 10:51:57 262576 ----a-r- c:\docume~1\michael\applic~1\microsoft\installer\{458c07cb-75d4-4987-b46b-d9cd88583bf4}\New_Shortcut_S5846_D43F473F7E40495F971D19BD4DBED1BD.exe

2011-04-23 10:51:57 262534 ----a-r- c:\docume~1\michael\applic~1\microsoft\installer\{458c07cb-75d4-4987-b46b-d9cd88583bf4}\NewShortcut2_458C07CB75D44987B46BD9CD88583BF4.exe

2011-04-23 10:51:57 262500 ----a-r- c:\docume~1\michael\applic~1\microsoft\installer\{458c07cb-75d4-4987-b46b-d9cd88583bf4}\ARPPRODUCTICON.exe

2011-04-23 10:51:44 -------- d-----w- c:\program files\Rising Software

2011-04-23 01:24:19 -------- d-----w- c:\windows\system32\wbem\repository\FS

2011-04-23 01:24:19 -------- d-----w- c:\windows\system32\wbem\Repository

2011-04-22 15:02:59 749568 ----a-w- c:\program files\common files\installshield\professional\runtime\10\50\intel32\iKernel.dll

2011-04-22 15:02:59 69715 ----a-w- c:\program files\common files\installshield\professional\runtime\10\50\intel32\ctor.dll

2011-04-22 15:02:59 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\10\50\intel32\DotNetInstaller.exe

2011-04-22 15:02:59 274432 ----a-w- c:\program files\common files\installshield\professional\runtime\10\50\intel32\iscript.dll

2011-04-22 15:02:59 180224 ----a-w- c:\program files\common files\installshield\professional\runtime\10\50\intel32\iuser.dll

2011-04-22 15:02:58 323716 ----a-w- c:\program files\common files\installshield\professional\runtime\10\50\intel32\setup.dll

2011-04-22 15:02:58 192644 ----a-w- c:\program files\common files\installshield\professional\runtime\10\50\intel32\iGdi.dll

2011-04-17 02:08:12 -------- d-----w- C:\c1acc805d4b8c5e07c11

.

==================== Find3M ====================

.

2011-05-04 20:59:23 252080 ----a-w- c:\windows\system32\nvdrsdb0.bin

2011-05-04 20:59:23 1 ----a-w- c:\windows\system32\nvdrssel.bin

2011-05-02 17:26:54 1671596 -c--a-w- c:\docume~1\michael\applic~1\oggenc2.exe

2011-05-02 17:26:48 721275 -c--a-w- c:\docume~1\michael\applic~1\lame.exe

.

============= FINISH: 17:23:15.09 ===============

Attach.rar

ark.rar

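The DDS report above already contains the entries the helper acts on later in the thread: a second program appended to the Winlogon Userinit value (c:\program files\kpltalol\svermmbl.exe), a DisallowRun policy that blocks firefox.exe, opera.exe and chrome.exe, hosts-file entries pointing auto.search.msn.com at 66.98.148.65, and drivers registered from the user's Temp folder, one of them under the misspelled name "Micorsoft Windows Service". The Python script below is an added example, not part of this post and not code from the DDS tool; it walks report lines of that shape and pulls those indicators out. The sample lines are constructed from the log above, and the rule set (which prefixes and paths count as suspicious) is an assumption of the example, not something DDS itself reports.

```python
"""Triage of DDS 'Pseudo HJT Report' and service lines (added example, not from the thread)."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: lines of the kind shown in the DDS log above.
SAMPLE_REPORT = r"""
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\program files\kpltalol\svermmbl.exe,
dPolicies-explorer: DisallowRun = 1 (0x1)
dPolicies-disallowrun: 1 = firefox.exe
dPolicies-disallowrun: 2 = opera.exe
Hosts: 66.98.148.65 auto.search.msn.com
Hosts: 127.0.0.1 localhost
R3 xcpip;TCP/IP Protocol Driver;c:\windows\system32\drivers\xcpip.sys --> c:\windows\system32\drivers\xcpip.sys [?]
S3 jswmidin;jswmidin;c:\docume~1\michael\locals~1\temp\jswmidin.sys [2004-9-23 15872]
S3 Micorsoft Windows Service;Micorsoft Windows Service;\??\c:\docume~1\michael\locals~1\temp\ahfypjwx.sys --> c:\docume~1\michael\locals~1\temp\ahfypjwx.sys [?]
S3 SaiK0836;SaiK0836;c:\windows\system32\drivers\SaiK0836.sys [2010-12-28 107008]
"""


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium"
    kind: str
    detail: str


LOCAL_HOST_IPS = {"127.0.0.1", "0.0.0.0", "::1"}
# "R3 name;description;path [date size]" or "... --> path [?]" when DDS cannot find the file
SERVICE_RE = re.compile(r"^[RS]\d\s+([^;]+);[^;]*;(.*)$")
# Kernel drivers have no business living in a user profile or Temp directory (assumed rule)
USER_PATH_RE = re.compile(r"\\(temp|docume~1|documents and settings)\\", re.I)


def triage(report: str) -> List[Finding]:
    """Return the entries a responder would act on first."""
    findings: List[Finding] = []
    for line in (l.strip() for l in report.splitlines()):
        if not line:
            continue
        low = line.lower()
        if low.startswith("mwinlogon: userinit="):
            # Winlogon runs every comma-separated entry at logon; only userinit.exe belongs here.
            value = line.split("=", 1)[1]
            for entry in filter(None, (p.strip() for p in value.split(","))):
                if not entry.lower().endswith(r"\system32\userinit.exe"):
                    findings.append(Finding("high", "userinit-extra", entry))
        elif low.startswith("dpolicies-disallowrun:"):
            # Malware sets DisallowRun to keep the victim from switching to another browser.
            findings.append(Finding("high", "disallowrun", line.split("=", 1)[1].strip()))
        elif low.startswith("hosts:"):
            ip, _, host = line[len("hosts:"):].strip().partition(" ")
            if ip not in LOCAL_HOST_IPS:
                findings.append(Finding("medium", "hosts-redirect", f"{host} -> {ip}"))
        else:
            m = SERVICE_RE.match(line)
            if not m:
                continue
            name, rest = m.groups()
            path = rest.split(" --> ")[0].strip()
            if USER_PATH_RE.search(path):
                findings.append(Finding("high", "driver-in-user-path", f"{name}: {path}"))
            if rest.endswith("[?]"):
                findings.append(Finding("medium", "driver-file-missing", f"{name}: {path}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"[{f.severity:6}] {f.kind:22} {f.detail}")
```

Run it over a saved report with `triage(Path("DDS.txt").read_text())`. The Userinit finding is the one to weight most heavily: an entry there is launched at every logon, which fits the symptom in the first post of the detection returning after each restart. The `[?]` entries are lower priority on their own (a leftover service whose driver file is gone), but a missing file combined with a Temp-folder path, as in the "Micorsoft Windows Service" line, is a dropper that cleaned up after itself.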

Hello and welcome!

COMBOFIX

---------------

Please download ComboFix from one of these locations:


  • Bleepingcomputer
  • ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all-inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

[screenshot: Query_RC.gif]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot: RC_successful.gif]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.


Elise,

Below is the Combofix log. Thanks very much for helping me.

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3071.2574 [GMT 1:00]

Running from: c:\documents and settings\Michael\Desktop\ComboFix.exe

AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\HelpAssistant\WINDOWS

c:\documents and settings\Michael\Application Data\inst.exe

c:\documents and settings\Michael\Application Data\lame.exe

c:\documents and settings\Michael\Application Data\Local

c:\documents and settings\Michael\Application Data\Local\Temp\DDM\Settings\.ddr

c:\documents and settings\Michael\Application Data\Local\Temp\DDM\Settings\0.ddi

c:\documents and settings\Michael\Application Data\Local\Temp\DDM\Settings\1.ddi

c:\documents and settings\Michael\Application Data\Local\Temp\DDM\Settings\Post_Install_RB_HiQ_en.divx.ddr

c:\documents and settings\Michael\Application Data\Local\Temp\DDM\Settings\settings.ddi

c:\documents and settings\Michael\Application Data\Local\Temp\DDM\Settings\Temporary Downloaded Files\.ddp

c:\documents and settings\Michael\Application Data\Local\Temp\DDM\Settings\Temporary Downloaded Files\Post_Install_RB_HiQ_en.divx

c:\documents and settings\Michael\Application Data\oggenc2.exe

c:\documents and settings\Michael\Application Data\Ugleu

c:\documents and settings\Michael\Application Data\Ugleu\eghey.tmp

c:\documents and settings\Michael\Application Data\Xeute

c:\documents and settings\Michael\Application Data\Xeute\valyi.ize

c:\documents and settings\Michael\Local Settings\Temporary Internet Files\00BjE7WD.jpg

c:\documents and settings\Michael\Local Settings\Temporary Internet Files\3vNOJpQd.jpg

c:\documents and settings\Michael\Local Settings\Temporary Internet Files\8bME2Qsj8.jpg

c:\documents and settings\Michael\Local Settings\Temporary Internet Files\qcuY0P.jpg

c:\documents and settings\Michael\WINDOWS

C:\input.txt

.

.

((((((((((((((((((((((((( Files Created from 2011-04-12 to 2011-05-12 )))))))))))))))))))))))))))))))

.

.

2011-05-12 18:11 . 2011-05-12 18:11 0 ---ha-w- c:\documents and settings\Michael\Local Settings\Application Data\BITF.tmp

2011-05-12 18:11 . 2011-05-12 18:11 0 ---ha-w- c:\documents and settings\Michael\Local Settings\Application Data\BITE.tmp

2011-05-08 19:47 . 2011-05-08 19:47 0 ---ha-w- c:\documents and settings\Michael\Local Settings\Application Data\BITA.tmp

2011-05-08 19:47 . 2011-05-08 19:47 0 ---ha-w- c:\documents and settings\Michael\Local Settings\Application Data\BIT9.tmp

2011-05-08 18:36 . 2011-05-08 18:36 195601 ----a-w- c:\program files\Windows Media Player\wmplayermgr.exe

2011-05-04 20:26 . 2010-09-23 07:46 15880 ----a-w- c:\windows\system32\lsdelete.exe

2011-05-04 17:22 . 2011-05-04 17:22 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{E961CE1B-C3EA-4882-9F67-F859B555D097}

2011-05-04 17:22 . 2011-05-04 17:22 -------- d-----w- c:\program files\Lavasoft

2011-05-04 16:27 . 2007-06-13 10:23 1033216 ----a-w- c:\windows\myexplorer.exe

2011-05-03 19:19 . 2011-05-03 19:19 -------- d-----w- C:\$AVG8.VAULT$

2011-05-02 14:48 . 2011-05-12 18:10 -------- d-----w- c:\program files\kpltalol

2011-04-28 17:40 . 2011-04-28 17:40 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-04-28 17:40 . 2011-04-28 17:40 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-04-28 17:40 . 2011-04-28 17:40 -------- d-----w- c:\program files\Java

2011-04-25 10:46 . 2007-01-25 10:12 22528 ----a-w- c:\windows\system32\deltasio.dll

2011-04-25 10:46 . 2007-01-25 10:12 19456 ----a-w- c:\windows\system32\DeltaCPL.cpl

2011-04-25 10:46 . 2007-01-25 10:12 302336 ----a-w- c:\windows\system32\drivers\delta.sys

2011-04-25 10:46 . 2007-01-25 10:11 1122304 ----a-w- c:\windows\system32\deltapnl.exe

2011-04-25 10:46 . 2007-01-25 10:11 46592 ----a-w- c:\windows\system32\deltapnl.dll

2011-04-25 10:46 . 2007-01-25 09:54 154112 ----a-w- c:\windows\system32\M-AudioTaskBarIcon.exe

2011-04-23 12:23 . 2011-04-23 12:23 -------- d-----w- c:\documents and settings\Michael\Local Settings\Application Data\World in Conflict

2011-04-23 10:51 . 2011-05-02 17:26 262576 ----a-r- c:\documents and settings\Michael\Application Data\Microsoft\Installer\{458C07CB-75D4-4987-B46B-D9CD88583BF4}\New_Shortcut_S5846_D43F473F7E40495F971D19BD4DBED1BD.exe

2011-04-23 10:51 . 2011-05-02 17:26 262534 ----a-r- c:\documents and settings\Michael\Application Data\Microsoft\Installer\{458C07CB-75D4-4987-B46B-D9CD88583BF4}\NewShortcut2_458C07CB75D44987B46BD9CD88583BF4.exe

2011-04-23 10:51 . 2011-05-02 17:26 262500 ----a-r- c:\documents and settings\Michael\Application Data\Microsoft\Installer\{458C07CB-75D4-4987-B46B-D9CD88583BF4}\ARPPRODUCTICON.exe

2011-04-23 10:51 . 2011-04-23 10:52 -------- d-----w- c:\program files\Rising Software

2011-04-23 01:24 . 2011-04-23 01:24 -------- d-----w- c:\windows\system32\wbem\Repository

2011-04-22 15:02 . 2004-10-22 01:18 950746 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\50\Intel32\iKernel.dll

2011-04-22 15:02 . 2004-10-22 01:17 69715 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\50\Intel32\ctor.dll

2011-04-22 15:02 . 2004-10-22 01:17 475560 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\50\Intel32\iscript.dll

2011-04-22 15:02 . 2004-10-22 01:16 381378 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\50\Intel32\iuser.dll

2011-04-22 15:02 . 2004-10-22 01:16 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\50\Intel32\DotNetInstaller.exe

2011-04-22 15:02 . 2011-04-22 15:02 323716 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\50\Intel32\setup.dll

2011-04-22 15:02 . 2011-04-22 15:02 192644 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\50\Intel32\iGdi.dll

2011-04-17 02:08 . 2011-04-18 18:55 -------- d-----w- C:\c1acc805d4b8c5e07c11

2011-04-13 20:24 . 2011-04-13 20:24 -------- d-----w- c:\documents and settings\Michael\Application Data\Gearbox Software

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-05-02 17:26 . 2009-11-07 13:03 246227 -c--a-r- c:\documents and settings\Michael\Application Data\Microsoft\Installer\{54A2CFDE-DC70-46E0-92AC-DC88F6303D39}\NewShortcut3_07FB580BF187437F9CBB930D0129A475.exe

2011-05-02 17:26 . 2009-11-07 13:03 246203 -c--a-r- c:\documents and settings\Michael\Application Data\Microsoft\Installer\{54A2CFDE-DC70-46E0-92AC-DC88F6303D39}\NewShortcut31_491CED7A0F134BE6957A59DCA69E8271.exe

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-08-03 202024]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-03-28 795086]

"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]

"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-08-08 1828136]

"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 813912]

"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 61952]

"Lexmark X1100 Series"="c:\program files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 57344]

"HTC Sync Loader"="c:\program files\HTC\HTC Sync 3.0\htcUPCTLoader.exe" [2010-10-28 294912]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]

"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-12-09 1226608]

"DivX Download Manager"="c:\program files\DivX\DivX Plus Web Player\DDmService.exe" [2010-12-08 63360]

"ProfilerU"="c:\program files\Saitek\SD6\Software\ProfilerU.exe" [2008-08-28 237568]

"SaiMfd"="c:\program files\Saitek\SD6\Software\SaiMfd.exe" [2008-08-28 131072]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2011-01-07 111208]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-01-07 13880424]

"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-11-04 1753192]

"M-Audio Taskbar Icon"="c:\windows\System32\M-AudioTaskBarIcon.exe" [2007-01-25 154112]

"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2008-11-02 167936]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" [2006-10-04 53760]

"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

.

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"DisallowRun"= 1 (0x1)

.

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\disallowrun]

"1"= firefox.exe

"2"= opera.exe

"3"= chrome.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\kpltalol\svermmbl.exe"

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"Midi1"=evolusbn.dll

.

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]

@="Driver Group"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]

@="Driver"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]

@="DiskDrive"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]

@="Hdc"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]

@="Keyboard"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]

@="Mouse"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]

@="System"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]

@="Volume"

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\uTorrent\\utorrent.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Sibelius Software\\Sibelius 6\\RegTool.exe"=

"c:\\Program Files\\Activision\\Modern Warfare 2\\iw4sp.exe"=

"c:\\Program Files\\Activision\\Modern Warfare 2\\iw4mp.exe"=

"c:\\Program Files\\Ubisoft\\Ghost Recon Advanced Warfighter 2\\graw2.exe"=

"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Sibelius Software\\Sibelius 6\\Sibelius.exe"=

"c:\\Program Files\\Ubisoft\\World in Conflict\\wic.exe"=

"c:\\Program Files\\Nero\\Nero8\\Nero ShowTime\\ShowTime.exe"=

"c:\\Program Files\\Ubisoft\\World in Conflict\\wic_ds.exe"=

"c:\\Program Files\\Ubisoft\\World in Conflict\\wic_online.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:Remote Desktop

"1820:TCP"= 1820:TCP:*:Disabled:Services

"65533:TCP"= 65533:TCP:Services

"52344:TCP"= 52344:TCP:Services

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundEchoRequest"= 1 (0x1)

.

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [30/11/2010 21:30 64288]

R3 FStarForce;FStarForce;c:\windows\system32\drivers\FStarForce.sys [27/05/2009 18:29 7680]

R3 xcpip;TCP/IP Protocol Driver;c:\windows\system32\drivers\xcpip.sys --> c:\windows\system32\drivers\xcpip.sys [?]

R3 xpsec;IPSEC driver;c:\windows\system32\drivers\xpsec.sys --> c:\windows\system32\drivers\xpsec.sys [?]

S3 ADM851X;ADM851X USB To Fast Ethernet Adapter;c:\windows\system32\drivers\ADM851X.SYS [06/12/2010 21:01 22144]

S3 DELTAII;Service for M-Audio Delta Driver (WDM);c:\windows\system32\drivers\MAudioDelta.sys [03/04/2011 19:53 302472]

S3 EVOLUSB;Evolution MK-361C USB Driver;c:\windows\system32\drivers\evolusb.sys [13/02/2011 13:21 28956]

S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [02/12/2010 18:08 24576]

S3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\drivers\htcnprot.sys [22/06/2010 19:01 21248]

S3 jswmidin;jswmidin;\??\c:\docume~1\Michael\LOCALS~1\Temp\jswmidin.sys --> c:\docume~1\Michael\LOCALS~1\Temp\jswmidin.sys [?]

S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [23/09/2010 08:46 15008]

S3 Micorsoft Windows Service;Micorsoft Windows Service;\??\c:\docume~1\Michael\LOCALS~1\Temp\ahfypjwx.sys --> c:\docume~1\Michael\LOCALS~1\Temp\ahfypjwx.sys [?]

S3 SaiK0836;SaiK0836;c:\windows\system32\drivers\SaiK0836.sys [28/12/2010 17:35 107008]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [29/05/2009 23:21 685816]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

.

Contents of the 'Scheduled Tasks' folder

.

2011-05-12 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-09-23 07:46]

.

2011-05-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-30 17:32]

.

2011-05-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-30 17:32]

.

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://search.orange.co.uk/all?brand=ouk&tab=web&p=_adr&q={searchTerms}

uInternet Settings,ProxyOverride = <local>

.

- - - - ORPHANS REMOVED - - - -

.

HKLM-Run-DeltTray - DeltTray.exe

Notify-dimsntfy - (no file)

AddRemove-Lame MP3 Codec (for the ACM) - c:\windows\IFinst26.exe

AddRemove-NeroBackItUp!UninstallKey - c:\windows\UNNeroBackItUp.exe

AddRemove-NeroMediaHome!UninstallKey - c:\windows\UNNeroMediaHome.exe

AddRemove-NeroRecode!UninstallKey - c:\windows\UNRecode.exe

AddRemove-NeroShowTime!UninstallKey - c:\windows\UNNeroShowTime.exe

AddRemove-NeroVision!UninstallKey - c:\windows\UNNeroVision.exe

AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-05-12 19:12

Windows 5.1.2600 Service Pack 2 NTFS

.

detected NTDLL code modification:

ZwQueryDirectoryFile

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

.

c:\documents and settings\Michael\Start Menu\Programs\Startup\svermmbl.exe 195601 bytes executable

.

scan completed successfully

hidden files: 1

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-2052111302-1935655697-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

[HKEY_USERS\S-1-5-21-2052111302-1935655697-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9BCA50EE-0F2B-F3A9-16E3-18EF1716178B}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"jafbipeigobkhdnjlebg"=hex:6b,61,70,6e,70,6e,66,6e,6a,68,6a,6d,68,6f,6c,6c,6d,

6b,63,6d,66,63,00,00

"ialbcbjlccpicnmjhk"=hex:6b,61,62,6d,65,6d,70,69,6a,6d,6f,6f,66,67,70,6b,68,70,

6a,61,6a,70,00,7c

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(3872)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\nvsvc32.exe

c:\windows\system32\LEXBCES.EXE

c:\windows\system32\LEXPPS.EXE

c:\program files\Lexmark X1100 Series\lxbkbmon.exe

c:\program files\Internet Explorer\iexplore.exe

c:\program files\Internet Explorer\iexplore.exe

c:\program files\Internet Explorer\iexplore.exe

c:\program files\Internet Explorer\iexplore.exe

c:\program files\Internet Explorer\iexplore.exe

c:\windows\ATKKBService.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe

c:\program files\HTC\Internet Pass-Through\PassThruSvr.exe

c:\windows\system32\dllhost.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\dllhost.exe

c:\windows\system32\imapi.exe

.

**************************************************************************

.

Completion time: 2011-05-12 19:26:38 - machine was rebooted

ComboFix-quarantined-files.txt 2011-05-12 18:26

.

Pre-Run: 3,552,956,416 bytes free

Post-Run: 13,768,753,152 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

.

Current=2 Default=2 Failed=0 LastKnownGood=5 Sets=1,2,3,4,5

- - End Of File - - 1DE1736A3CFCCC7C912BB4262EDEB7FF

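Two lines in the catchme section of the ComboFix log above explain each other: "detected NTDLL code modification: ZwQueryDirectoryFile" and the single hidden file svermmbl.exe in the Startup folder. A user-mode rootkit overwrites the first bytes of the ntdll stub for ZwQueryDirectoryFile with a jump to its own routine, which calls the real function and strips its file from the returned directory listing, so Explorer, dir and most scanners never see it. catchme finds the hook by comparing the stub bytes in the live process with the clean copy on disk. The Python below is an added example, not catchme's or ComboFix's code: it performs that comparison on constructed byte buffers. The XP stub layout is real; the syscall numbers, the ntdll load address, the export RVAs and the hook target are all assumptions made up for the demo, and a real detector would read the live bytes with ReadProcessMemory and the clean bytes from the mapped file on disk.

```python
"""Detect inline hooks on ntdll syscall stubs by diffing in-memory bytes against the on-disk
copy, the check behind catchme's 'NTDLL code modification' line (added example, not from the thread)."""
import struct
from typing import Dict, List, Optional, Tuple

# XP-style user-mode syscall stub (layout as in ntdll on XP; the syscall numbers and every
# address used below are assumptions for this demo):
#   mov eax, <syscall no>    B8 xx xx xx xx
#   mov edx, 7FFE0300h       BA 00 03 FE 7F   ; KUSER_SHARED_DATA.SystemCallStub
#   call [edx]               FF 12
#   ret <stack bytes>        C2 xx xx
def make_stub(syscall_no: int, stack_bytes: int) -> bytes:
    return (b"\xB8" + struct.pack("<I", syscall_no) + b"\xBA\x00\x03\xFE\x7F"
            + b"\xFF\x12" + b"\xC2" + struct.pack("<H", stack_bytes))


def make_jmp_hook(stub_addr: int, target: int) -> bytes:
    """What a rootkit writes over the first five bytes: jmp rel32 to its filter routine."""
    return b"\xE9" + struct.pack("<I", (target - (stub_addr + 5)) & 0xFFFFFFFF)


def hook_target(stub_addr: int, code: bytes) -> Optional[int]:
    """Decode the two common trampolines: E9 rel32 (jmp) and 68 imm32 / C3 (push; ret)."""
    if code[0] == 0xE9:
        return (stub_addr + 5 + struct.unpack("<i", code[1:5])[0]) & 0xFFFFFFFF
    if code[0] == 0x68 and len(code) > 5 and code[5] == 0xC3:
        return struct.unpack("<I", code[1:5])[0]
    return None


def find_modified_stubs(on_disk: Dict[str, bytes], in_memory: Dict[str, bytes],
                        base: int, export_rva: Dict[str, int],
                        module_range: Tuple[int, int]) -> List[dict]:
    """One record per export whose live bytes differ from the clean copy."""
    lo, hi = module_range
    hits = []
    for name, clean in on_disk.items():
        live = in_memory.get(name)
        if live is None or live == clean:
            continue
        addr = base + export_rva[name]
        target = hook_target(addr, live)
        hits.append({"export": name, "address": addr, "target": target,
                     "outside_module": target is not None and not (lo <= target < hi)})
    return hits


# Constructed scenario: three stubs; a rootkit has hooked ZwQueryDirectoryFile so that
# directory listings come back with its startup file removed.
NTDLL_BASE, NTDLL_SIZE = 0x7C900000, 0x000B0000         # assumed load address and size
EXPORT_RVA = {"ZwQueryDirectoryFile": 0x1100, "ZwQuerySystemInformation": 0x1200,
              "ZwCreateFile": 0x1300}                    # made-up RVAs
HOOK_TARGET = 0x00A71000                                 # injected code outside ntdll


def demo() -> List[dict]:
    on_disk = {"ZwQueryDirectoryFile": make_stub(0x91, 0x2C),      # 11 args -> ret 2Ch
               "ZwQuerySystemInformation": make_stub(0xAD, 0x10),
               "ZwCreateFile": make_stub(0x25, 0x2C)}
    in_memory = dict(on_disk)
    stub_addr = NTDLL_BASE + EXPORT_RVA["ZwQueryDirectoryFile"]
    in_memory["ZwQueryDirectoryFile"] = (make_jmp_hook(stub_addr, HOOK_TARGET)
                                         + on_disk["ZwQueryDirectoryFile"][5:])
    return find_modified_stubs(on_disk, in_memory, NTDLL_BASE, EXPORT_RVA,
                               (NTDLL_BASE, NTDLL_BASE + NTDLL_SIZE))


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['export']} @ {hit['address']:#010x} -> {hit['target']:#010x} "
              f"(outside ntdll: {hit['outside_module']})")
```

The useful output is not just "modified" but where the jump lands: a target outside the module's address range is the signature of injected code and gives the responder an address to dump. The same comparison catches the push/ret trampoline variant, and it is why a hidden file shows up once the hook is removed or the disk is read from a clean boot environment, which is what the Recovery Console step in the instructions above is for.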

This machine is heavily infected. Besides rootkit evidence and corrupted registry entries, I see different signs of a file infector, which unfortunately is really bad news.

Win32/Ramnit (and related variants) is a dangerous file infector with IRCBot functionality which infects .exe and .HTML/HTM files, and opens a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files. The infected .HTML or .HTM files may be detected as Virus:VBS/Ramnit.A or VBS/Generic. Win32/Ramnit.A!dll is a related file infector often seen with this infection. It too has IRCBot functionality which infects .exe, .dll and .HTML/HTM files and opens a back door that compromises your computer. This component is injected into the default web browser by Worm:Win32/Ramnit.A, which is dropped by a Ramnit-infected executable file.

-- Note: As with most malware infections, the threat name may be different depending on the anti-virus or anti-malware program which detected it. Each security vendor uses their own naming conventions to identify various types of malware.

With this particular infection the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

Why? The malware injects code in legitimate files similar to the Virut virus and in many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit.A remains on a computer, the more files it infects and corrupts so the degree of damage can vary.

Ramnit is commonly spread via a flash drive (usb, pen, thumb, jump) infection where it copies Worm:Win32/Ramnit.A with a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These types of sites are infested with a sm

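The post above is the reason the helper recommends a rebuild rather than cleaning: a parasitic infector rewrites legitimate .exe, .dll and .htm/.html files, so the question becomes which of thousands of files are still clean, and an antivirus that tries to repair them can leave corrupted binaries behind. The Python below is an added example, not the helper's or any vendor's code. It shows the approach that answers that question when a clean baseline exists: hash every infectable file once, store the manifest off the machine, and later report files that changed or appeared. The HTML heuristic (a VBScript block carrying a long hex blob and using FileSystemObject plus WScript.Shell) is an assumption of the example about what an injected dropper looks like, not a detail taken from the thread; the sample files are constructed in a temporary directory.

```python
"""Baseline-and-compare integrity check for the file types a parasitic infector such as
Ramnit modifies (.exe, .dll, .htm, .html). Added example, not from the thread."""
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Dict, List

INFECTABLE = {".exe", ".dll", ".htm", ".html"}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Hash every infectable file under root. Keep the result off the machine (read-only
    media); a manifest stored on an infected disk can itself be tampered with."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix.lower() in INFECTABLE}


# Heuristic for the HTML side of the infection (an assumption of this example): a VBScript
# block that rebuilds a binary from a long hex string, writes it with FileSystemObject and
# launches it through WScript.Shell.
VBS_BLOCK = re.compile(rb"<script[^>]*language\s*=\s*[\"']?vbscript", re.I)
DROPPER_HINTS = (rb"scripting\.filesystemobject", rb"wscript\.shell", rb"[0-9a-f]{200,}")


def looks_like_injected_html(data: bytes) -> bool:
    return bool(VBS_BLOCK.search(data)) and all(re.search(h, data, re.I) for h in DROPPER_HINTS)


def compare(root: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Report files whose hash changed, files not in the baseline, files that vanished,
    and HTML files that match the dropper heuristic."""
    current = build_manifest(root)
    report: Dict[str, List[str]] = {"modified": [], "new": [], "missing": [], "injected_html": []}
    for rel, digest in current.items():
        if rel not in manifest:
            report["new"].append(rel)
        elif manifest[rel] != digest:
            report["modified"].append(rel)
        if rel.lower().endswith((".htm", ".html")) and looks_like_injected_html((root / rel).read_bytes()):
            report["injected_html"].append(rel)
    report["missing"] = sorted(set(manifest) - set(current))
    return report


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a clean tree, then mimic what an infector leaves behind."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app.exe").write_bytes(b"MZ" + b"\x00" * 64)
        (root / "util.dll").write_bytes(b"MZ" + b"\x01" * 64)
        (root / "index.html").write_bytes(b"<html><body>hello</body></html>")
        manifest = build_manifest(root)
        with (root / "app.exe").open("ab") as f:          # parasitic code appended to a PE
            f.write(b"\xCC" * 32)
        injected = b"\n".join([                            # VBScript dropper injected into HTML
            b"<html><body>hello</body></html>",
            b"<SCRIPT Language=VBScript><!--",
            b'DropFileName = "svchost.exe"',
            b'WriteData = "' + b"4D5A90" * 40 + b'"',
            b'Set FSO = CreateObject("Scripting.FileSystemObject")',
            b'Set WSHshell = CreateObject("WScript.Shell")',
            b"WSHshell.Run DropPath",
            b"//--></SCRIPT></html>",
        ])
        (root / "index.html").write_bytes(injected)
        (root / "dropped.exe").write_bytes(b"MZ" + b"\x02" * 64)   # binary the dropper wrote
        return compare(root, manifest)


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category:14} {files}")
```

On a machine like the one in this thread, with no pre-infection manifest, there is nothing to compare against, which is the practical argument for reformatting: a baseline can be taken from a freshly installed system and kept on read-only media, but it cannot be recovered after the fact. The heuristic only flags HTML that already carries a dropper; a hash mismatch on a binary says nothing about whether an antivirus "repair" restored the original code, which is the corruption risk the post describes.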