Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6629

Windows 5.1.2600 Service Pack 3

Internet Explorer 6.0.2900.5512

5/24/2011 2:31:45 PM

mbam-log-2011-05-24 (14-31-45).txt

Scan type: Full scan (C:\|)

Objects scanned: 318481

Time elapsed: 1 hour(s), 43 minute(s), 17 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 7

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\system volume information\_restore{202550a8-7a33-4bca-9586-051d24ddbf8f}\RP179\A0039423.dll (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.

c:\system volume information\_restore{202550a8-7a33-4bca-9586-051d24ddbf8f}\RP179\A0039424.exe (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.

c:\system volume information\_restore{202550a8-7a33-4bca-9586-051d24ddbf8f}\RP179\A0039425.exe (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.

c:\system volume information\_restore{202550a8-7a33-4bca-9586-051d24ddbf8f}\RP179\A0039435.exe (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.

c:\system volume information\_restore{202550a8-7a33-4bca-9586-051d24ddbf8f}\RP179\A0039436.dll (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.

c:\system volume information\_restore{202550a8-7a33-4bca-9586-051d24ddbf8f}\RP179\A0039437.exe (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.

c:\system volume information\_restore{202550a8-7a33-4bca-9586-051d24ddbf8f}\RP180\A0039498.exe (Adware.Agent) -> Quarantined and deleted successfully.

GMER 1.0.15.15627 - http://www.gmer.net

Rootkit scan 2011-05-25 22:54:15

Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e Maxtor_6Y160M0 rev.YAR51HW0

Running: me2sl0be.exe; Driver: C:\DOCUME~1\dw\LOCALS~1\Temp\pxloypob.sys

Shortcut to attach.zip

ark.txt

DDS (Ver_11-05-19.01) - NTFSx86

Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_24

Run by dw at 15:12:03 on 2011-05-24

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1270.679 [GMT -6:00]

.

AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Firewall *Enabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

C:\WINDOWS\system32\svchost.exe -k rpcss

C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\msdtc.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe

C:\Program Files\McAfee Online Backup\MOBKbackup.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\svchost.exe -k netsvcs

C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

C:\Program Files\Trusteer\Rapport\bin\RapportService.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe

c:\PROGRA~1\mcafee\msc\mcupdmgr.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Documents and Settings\dw\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\dw\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\dw\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\dw\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\dw\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\dw\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\dw\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\dw\My Documents\Downloads\dds.scr

C:\WINDOWS\system32\WSCRIPT.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.azulstar.com/

mWindow Title = scraps, jean, richard overfield

uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110513172951.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll

uRun: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMBgMonitor.exe"

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1

uRun: [Google Update] "c:\documents and settings\dw\local settings\application data\google\update\GoogleUpdate.exe" /c

mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe

mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

Trusted Zone: internet

Trusted Zone: intuit.com\ttlc

Trusted Zone: mcafee.com

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab

DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.4.24.0.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Notify: igfxcui - igfxdev.dll

Notify: LMIinit - LMIinit.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

============= SERVICES / DRIVERS ===============

.

R0 McPvDrv;McPvDrv Driver;c:\windows\system32\drivers\McPvDrv.sys [2009-11-17 63080]

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-4-22 387480]

R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2011-4-28 53816]

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-4-22 84200]

R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [2010-4-23 54776]

R1 RapportCerberus_26169;RapportCerberus_26169;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportcerberus\26169\RapportCerberus_26169.sys [2011-5-2 57144]

R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2011-4-28 66360]

R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2011-4-28 158904]

R1 SASDIFSV;SASDIFSV;c:\docume~1\dw\locals~1\temp\sas_selfextract\SASDIFSV.SYS [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;c:\docume~1\dw\locals~1\temp\sas_selfextract\SASKUTIL.SYS [2010-5-10 67656]

R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2011-4-13 47640]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-12-26 88176]

R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-4-22 271480]

R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-4-22 271480]

R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-4-22 271480]

R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-4-22 171168]

R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-4-22 188136]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-4-22 141792]

R2 MOBKbackup;McAfee Online Backup;c:\program files\mcafee online backup\MOBKbackup.exe [2010-2-5 229688]

R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2011-4-28 870200]

R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-4-22 56064]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-4-22 153280]

R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-4-22 52320]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-4-22 314088]

R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2011-5-13 88736]

S2 gupdate1c982565c6b24b6;Google Update Service (gupdate1c982565c6b24b6);c:\program files\google\update\GoogleUpdate.exe [2009-1-29 133104]

S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\logmein\x86\rainfo.sys --> c:\program files\logmein\x86\RaInfo.sys [?]

S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-1-29 133104]

S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2011-5-13 88736]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-4-22 84488]

S4 LMIRfsClientNP;LMIRfsClientNP; [x]

.

=============== Created Last 30 ================

.

2011-05-24 20:46:36 388096 ----a-r- c:\documents and settings\dw\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe

2011-05-24 15:48:49 -------- d-----w- c:\documents and settings\dw\local settings\application data\WeatherBug

2011-05-24 15:48:38 -------- d-----w- c:\documents and settings\dw\application data\WeatherBug

2011-05-24 15:48:31 18944 ----a-r- c:\documents and settings\dw\application data\microsoft\installer\{8f018a9e-56de-4a79-a5ef-25f413f1d538}\IconBB6A16301.exe

2011-05-24 15:47:35 -------- d-----w- c:\program files\kikin

2011-05-24 15:47:35 -------- d-----w- c:\documents and settings\dw\application data\kikin

2011-05-24 15:46:57 -------- d-----w- c:\program files\Ploose

2011-05-18 18:07:02 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-05-13 23:28:16 88736 ----a-w- c:\windows\system32\drivers\mfendisk.sys

2011-05-12 22:18:21 102400 ----a-w- c:\windows\RegBootClean.exe

2011-05-12 14:08:03 189520 ----a-w- c:\windows\system32\drivers\tmcomm.sys

2011-04-28 20:34:50 53816 ----a-w- c:\windows\system32\drivers\RapportKELL.sys

.

==================== Find3M ====================

.

2011-04-14 20:01:38 95824 ----a-w- c:\windows\system32\drivers\mfeapfk.sys

2011-04-14 20:01:38 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys

2011-04-14 20:01:38 84488 ----a-w- c:\windows\system32\drivers\mferkdet.sys

2011-04-14 20:01:38 84200 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys

2011-04-14 20:01:38 56064 ----a-w- c:\windows\system32\drivers\cfwids.sys

2011-04-14 20:01:38 52320 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2011-04-14 20:01:38 387480 ----a-w- c:\windows\system32\drivers\mfehidk.sys

2011-04-14 20:01:38 314088 ----a-w- c:\windows\system32\drivers\mfefirek.sys

2011-04-14 20:01:38 153280 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2011-04-08 15:38:00 0 ----a-w- c:\windows\Ppita.bin

2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-03-04 06:45:07 434176 ----a-w- c:\windows\system32\vbscript.dll

2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys

.

============= FINISH: 15:14:01.92 ===============

  • Staff

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317

  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
