
Redirect/missing desktop icons



So, per the instructions in the "I'm infected - what do I do now" sticky, here's what I've got. Thank you for any assistance!

Malwarebytes' Anti-Malware 1.51.0.1200

www.malwarebytes.org

Database version: 6779

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

6/5/2011 5:39:08 PM

mbam-log-2011-06-05 (17-39-07).txt

Scan type: Quick scan

Objects scanned: 167027

Time elapsed: 14 minute(s), 42 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

DDS scan

.

DDS (Ver_2011-06-03.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_25

Run by Ostrowski's at 17:41:13 on 2011-06-05

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1133 [GMT -5:00]

.

AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

svchost.exe

svchost.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\Explorer.EXE

C:\Program Files\Avira\AntiVir Desktop\sched.exe

svchost.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\WINDOWS\stsystra.exe

C:\WINDOWS\system32\KADxMain.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe

C:\Program Files\Dell\MediaDirect\PCMService.exe

C:\Program Files\Winamp\winampa.exe

C:\WINDOWS\system32\RunDLL32.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

c:\progra~1\common~1\instal~1\update~1\isuspm.exe

C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

.

============== Pseudo HJT Report ===============

.

uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us

uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=3070920

uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us

uInternet Settings,ProxyOverride = *.local

BHO: {03a1143d-3dd4-4180-968d-a8e9ac8cb861} -

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: 5807fbf6: {270cefd5-da75-622d-26df-16faa2dff9ec} -

BHO: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - No File

BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10q_ActiveX.exe -update activex

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe

mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe

mRun: [sigmatelSysTrayApp] stsystra.exe

mRun: [KADxMain] c:\windows\system32\KADxMain.exe

mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [<NO NAME>]

mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"

mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"

mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe

mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"

mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start

mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB

DPF: {2B1AA38D-2D12-11D5-AAD0-00C04FA03D78} - hxxp://www.mymesaba.com/nps/portal/gadgets/com.novell.nps.gadgets.shortcut.ShortcutGadget/LocalExec.CAB

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB

DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 192.168.0.1 205.171.3.25

TCP: Interfaces\{50878460-83B6-46E1-B7DA-D57C1A1E2730} : DhcpNameServer = 192.168.0.1 205.171.3.25

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\ostrowski's\application data\mozilla\firefox\profiles\vqq0z7l7.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - www.google.com

FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=

FF - prefs.js: network.proxy.type - 4

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\veetle\player\npvlc.dll

FF - plugin: c:\program files\veetle\plugins\npVeetle.dll

.

============= SERVICES / DRIVERS ===============

.

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-6-2 11608]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-6-2 136360]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-6-2 269480]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-6-2 61960]

S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-10-9 366640]

S3 MBAMProtector;MBAMProtector;\??\c:\windows\system32\drivers\mbam.sys --> c:\windows\system32\drivers\mbam.sys [?]

S4 Dhcp32;DHCP Client ; [x]

.

=============== Created Last 30 ================

.

2011-06-04 20:26:34 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll

2011-06-04 20:26:34 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll

2011-06-04 20:26:33 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll

2011-06-04 20:26:33 465880 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll

2011-06-04 20:26:33 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll

2011-06-04 20:26:32 1892184 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll

2011-06-04 20:26:31 1974616 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll

2011-06-04 20:26:31 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

2011-06-02 17:02:48 -------- d-----w- c:\documents and settings\ostrowski's\application data\Avira

2011-06-02 16:51:23 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-06-02 16:42:06 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-06-02 16:42:05 -------- dc----w- c:\documents and settings\all users\application data\Avira

2011-06-02 16:42:05 -------- d-----w- c:\program files\Avira

2011-06-02 13:50:01 -------- dc----w- C:\tdsskiller

2011-05-28 03:28:05 -------- d-----w- c:\windows\system32\wbem\repository\FS

2011-05-28 03:28:05 -------- d-----w- c:\windows\system32\wbem\Repository

2011-05-17 13:25:14 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

.

==================== Find3M ====================

.

2011-06-02 16:50:59 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-05-29 14:11:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

.

============= FINISH: 17:43:10.26 ===============

GMER Log

GMER 1.0.15.15640 - http://www.gmer.net

Rootkit scan 2011-06-05 20:48:02

Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e Hitachi_HTS541680J9SA00 rev.SB2OC7KP

Running: us0ts4qu.exe; Driver: C:\DOCUME~1\OSTROW~1\LOCALS~1\Temp\fxryapow.sys

---- System - GMER 1.0.15 ----

SSDT B87596C6 ZwCreateKey

SSDT B87596BC ZwCreateThread

SSDT B87596CB ZwDeleteKey

SSDT B87596D5 ZwDeleteValueKey

SSDT B87596DA ZwLoadKey

SSDT B87596A8 ZwOpenProcess

SSDT B87596AD ZwOpenThread

SSDT B87596E4 ZwReplaceKey

SSDT B87596DF ZwRestoreKey

SSDT B87596D0 ZwSetValueKey

---- Kernel code sections - GMER 1.0.15 ----

INITc VolSnap.sys B80D3BD0 4 Bytes [b0, A5, 53, 80]

INITc VolSnap.sys B80D3BF8 4 Bytes [b8, A1, 4F, 80]

INITc VolSnap.sys B80D3C20 4 Bytes [b6, AE, 4F, 80]

INITc VolSnap.sys B80D3C48 4 Bytes [30, FF, 4F, 80]

INITc VolSnap.sys B80D3C70 4 Bytes [7A, A8, 4F, 80]

INITc ...

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB6A583A0, 0x5C77B9, 0xE8000020]

? System32\Drivers\hiber_WMILIB.SYS The system cannot find the path specified. !

? C:\DOCUME~1\OSTROW~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[2000] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00401410 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

.text C:\Program Files\Mozilla Firefox\firefox.exe[2000] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 0079000A

.text C:\Program Files\Mozilla Firefox\firefox.exe[2000] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 0076000A

.text C:\Program Files\Mozilla Firefox\firefox.exe[2000] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 0075000A

.text C:\Program Files\Mozilla Firefox\firefox.exe[2000] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0077000A

.text C:\Program Files\Mozilla Firefox\firefox.exe[2000] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 0078000A

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2116] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154BD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2116] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9B01 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2116] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD125 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2116] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB5C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2116] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254664 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2116] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5117 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2116] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E5049 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2116] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E50B4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2116] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4F1A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2116] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4F7C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2116] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E517A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2116] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4FDE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2116] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDBB8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2116] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E547F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2116] WININET.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 00B06B70

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2116] WININET.dll!HttpAddRequestHeadersW 3D94FE49 5 Bytes JMP 00B06D70

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2116] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 00D1000A

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2116] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00CE000A

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2116] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00B4000A

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2116] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00CF000A

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2116] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 00D0000A

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2116] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00B2000A

.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2876] USER32.dll!SetWindowLongA 7E42C29D 5 Bytes JMP 10698DD9 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2876] USER32.dll!SetWindowLongW 7E42C2BB 5 Bytes JMP 10698D6B C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2876] USER32.dll!GetWindowInfo 7E42C49C 5 Bytes JMP 104C7187 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2876] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 104C7781 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4044] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154BD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4044] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB5C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4044] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5117 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4044] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E5049 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4044] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E50B4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4044] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4F1A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4044] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4F7C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4044] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E517A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4044] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4FDE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4044] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 00D1000A

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4044] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00CE000A

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4044] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00B4000A

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4044] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00CF000A

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4044] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 00D0000A

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4044] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00B3000A

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4044] WININET.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 00B06B70

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4044] WININET.dll!HttpAddRequestHeadersW 3D94FE49 5 Bytes JMP 00B06D70

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 8A7ED1ED

Device \Driver\atapi \Device\Ide\IdePort1 8A7ED1ED

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e 8A7ED1ED

Device \Driver\atapi \Device\Ide\IdePort0 8A7ED1ED

Device \FileSystem\Fastfat \Fat 9B0CFD20

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)

---- Threads - GMER 1.0.15 ----

Thread System [4:120] 8A7F1E7A

Thread System [4:124] 8A7F4008

---- EOF - GMER 1.0.15 ----

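The logs above are what a helper reads by hand. As an added example that is not part of the original post and is not code from Malwarebytes, DDS, GMER or ComboFix, the Python below parses three of the line shapes in that output (GMER user-mode hooks, DDS "BHO:" entries and DDS service entries) and pulls out the ones that usually get asked about first: hooks whose JMP target GMER could not attribute to a module, BHOs with no DLL path or "No File", and services whose image DDS lists as [x]. The three flagging rules, and reading [x] as "no file on disk", are my assumptions rather than either tool's own logic; the sample lines are copied from the logs in this thread.

```python
"""Triage helpers for the DDS and GMER log lines posted in this thread.

Added example: not part of the original post and not code from Malwarebytes,
DDS, GMER or ComboFix. The regexes are written against the line shapes visible
in the logs above; the three flagging rules are assumptions, not any tool's
own logic.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# GMER "User code sections" entry. The optional tail "<path> (<vendor>)" is
# GMER's attribution of the JMP target to a loaded module; when it is absent
# the hook lands in memory GMER could not map back to a file on disk.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[\w.]+)!(?P<func>\w+)\s+[0-9A-F]+\s+\d+ Bytes JMP "
    r"(?P<target>[0-9A-F]+)"
    r"(?:\s+(?P<target_mod>\S.*?)\s+\((?P<vendor>[^)]*)\))?\s*$"
)

# DDS pseudo-HJT "BHO:" entry: optional display name, CLSID, then DLL path.
BHO_RE = re.compile(
    r"^BHO:\s+(?:(?P<name>.*?):\s+)?\{(?P<clsid>[0-9A-Fa-f-]+)\}\s+-\s*(?P<path>.*)$"
)

# DDS "SERVICES / DRIVERS" entry: state, short name, display name, image.
SVC_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.*)$"
)


@dataclass
class Finding:
    kind: str     # "hook", "bho" or "service"
    subject: str  # "<process>[<pid>] <module>!<function>", CLSID, or service name
    reason: str


def triage(lines: List[str]) -> List[Finding]:
    """Return the entries a helper would ask about first.

    Rules (assumptions, not GMER's or DDS's own logic):
      1. a user-mode hook whose JMP target GMER did not attribute to a module;
      2. a BHO whose path is empty or "No File";
      3. a service whose image DDS prints as [x] (taken here as: no file on disk).
    """
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        m = HOOK_RE.match(line)
        if m:
            if not m.group("target_mod"):
                subject = f"{m.group('proc')}[{m.group('pid')}] {m.group('module')}!{m.group('func')}"
                findings.append(Finding("hook", subject,
                                        f"JMP {m.group('target')} not attributed to any module"))
            continue
        m = BHO_RE.match(line)
        if m:
            path = m.group("path").strip()
            if not path or path.lower() == "no file":
                findings.append(Finding("bho", m.group("clsid").lower(),
                                        "no DLL path recorded for this CLSID"))
            continue
        m = SVC_RE.match(line)
        if m and m.group("image").strip() == "[x]":
            findings.append(Finding("service", m.group("name").strip(),
                                    f"'{m.group('display').strip()}' has no image file on disk"))
    return findings


def counts(findings: List[Finding]) -> Dict[str, int]:
    """Number of findings per kind, for a one-line summary."""
    out: Dict[str, int] = {}
    for f in findings:
        out[f.kind] = out.get(f.kind, 0) + 1
    return out


# Sample input: lines copied from the DDS and GMER logs posted in this thread.
SAMPLE_LOG = [
    r".text C:\Program Files\Mozilla Firefox\firefox.exe[2000] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00401410 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)",
    r".text C:\Program Files\Mozilla Firefox\firefox.exe[2000] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 0075000A",
    r".text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2116] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154BD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)",
    r".text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2116] WININET.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 00B06B70",
    r"BHO: {03a1143d-3dd4-4180-968d-a8e9ac8cb861} -",
    r"BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll",
    r"BHO: 5807fbf6: {270cefd5-da75-622d-26df-16faa2dff9ec} -",
    r"BHO: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - No File",
    r"R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-6-2 269480]",
    r"S3 MBAMProtector;MBAMProtector;\??\c:\windows\system32\drivers\mbam.sys --> c:\windows\system32\drivers\mbam.sys [?]",
    r"S4 Dhcp32;DHCP Client ; [x]",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.subject}: {f.reason}")
```

Flagged entries are leads, not verdicts: a hook target with no module name can be a legitimate in-memory stub as well as an injected one, and an orphaned BHO CLSID can be leftover from an uninstall, so each still needs a look at what actually lives at the target address or under the CLSID before anything is removed.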

  • Staff

Hi and welcome to Malwarebytes.

Please download Unhide.exe by Grinler and save it to your Desktop.

Run it, then restart your computer.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317


Thank you for helping me out! I appreciate it.

Malwarebytes updated log

Malwarebytes' Anti-Malware 1.51.0.1200

www.malwarebytes.org

Database version: 6804

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

6/7/2011 8:16:26 PM

mbam-log-2011-06-07 (20-16-26).txt

Scan type: Quick scan

Objects scanned: 167723

Time elapsed: 9 minute(s), 23 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

ComboFix log

ComboFix 11-06-06.07 - Ostrowski's 06/07/2011 20:27:49.1.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1607 [GMT -5:00]

Running from: c:\documents and settings\Ostrowski's\Desktop\ComboFix.exe

AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Ostrowski's\g2mdlhlpx.exe

c:\documents and settings\Ostrowski's\WINDOWS

c:\tdsskiller\tdsskiller.exe

.

Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected

Restored copy from - Kitty had a snack :P

.

((((((((((((((((((((((((( Files Created from 2011-05-08 to 2011-06-08 )))))))))))))))))))))))))))))))

.

.

2011-06-07 13:30 . 2011-06-07 13:30 -------- d-----w- c:\windows\system32\winrm

2011-06-07 13:30 . 2011-06-07 13:30 -------- d-----w- c:\windows\system32\GroupPolicy

2011-06-07 13:30 . 2011-06-07 13:31 -------- dc----w- c:\windows\$968930Uinstall_KB968930$

2011-06-07 13:08 . 2011-06-07 13:08 -------- d-----w- c:\program files\Microsoft.NET

2011-06-04 20:26 . 2011-06-04 20:26 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll

2011-06-04 20:26 . 2011-06-04 20:26 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll

2011-06-04 20:26 . 2011-06-04 20:26 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll

2011-06-04 20:26 . 2011-06-04 20:26 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll

2011-06-04 20:26 . 2011-06-04 20:26 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll

2011-06-04 20:26 . 2011-06-04 20:26 1892184 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll

2011-06-04 20:26 . 2011-06-04 20:26 1974616 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll

2011-06-04 20:26 . 2011-06-04 20:26 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll

2011-06-02 17:02 . 2011-06-02 17:02 -------- d-----w- c:\documents and settings\Ostrowski's\Application Data\Avira

2011-06-02 16:51 . 2011-06-02 16:50 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-06-02 16:42 . 2011-04-01 22:07 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-06-02 16:42 . 2011-04-01 22:07 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys

2011-06-02 16:42 . 2010-06-17 20:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2011-06-02 16:42 . 2010-06-17 20:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2011-06-02 16:42 . 2011-06-02 16:42 -------- dc----w- c:\documents and settings\All Users\Application Data\Avira

2011-06-02 16:42 . 2011-06-02 16:42 -------- d-----w- c:\program files\Avira

2011-06-02 13:50 . 2011-06-08 01:31 -------- dc----w- C:\tdsskiller

2011-06-01 02:58 . 2011-06-01 02:58 -------- dcsh--w- c:\documents and settings\Administrator\PrivacIE

2011-05-28 03:28 . 2011-05-28 03:28 -------- d-----w- c:\windows\system32\wbem\Repository

2011-05-18 13:14 . 2011-05-18 13:14 -------- dc----w- c:\documents and settings\Administrator\Application Data\MSNInstaller

2011-05-18 13:14 . 2011-05-18 13:45 -------- dc----w- c:\documents and settings\Administrator\Application Data\MSN6

2011-05-17 13:25 . 2011-06-04 20:28 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-05-17 12:43 . 2011-05-17 12:43 -------- dc----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-06-02 16:50 . 2010-05-16 22:13 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-05-29 14:11 . 2010-10-10 00:40 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-03-11 14:10 . 2004-08-10 17:50 471552 ----a-w- c:\windows\apppatch\aclayers.dll

2011-06-04 20:26 . 2011-06-04 20:26 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-03 851968]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-05-09 1392640]

"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-05-14 1191936]

"SigmatelSysTrayApp"="stsystra.exe" [2007-06-06 405504]

"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]

"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]

"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]

"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-09-21 184320]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]

"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 37888]

"NvMediaCenter"="NvMCTray.dll" [2010-10-08 110696]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-10-08 13851752]

"NVHotkey"="nvHotkey.dll" [2010-10-08 178792]

"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-08-26 1753192]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-28 281768]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-5-17 568176]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@=""

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\Roxio Shared\\9.0\\SharedCOM\\RoxWatchTray9.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\blizzard\\World of Warcraft\\BackgroundDownloader.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=

"c:\\Program Files\\blizzard\\World of Warcraft\\Launcher.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\MSN\\MSNCoreFiles\\msn.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\WINDOWS\\system32\\LEXPPS.EXE"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3724:TCP"= 3724:TCP:Blizzard Downloader

"6112:TCP"= 6112:TCP:Blizzard Downloader

"6881:TCP"= 6881:TCP:Blizzard Downloader

"6882:TCP"= 6882:TCP:Blizzard Downloader

"6883:TCP"= 6883:TCP:Blizzard Downloader

"6884:TCP"= 6884:TCP:Blizzard Downloader

"6885:TCP"= 6885:TCP:Blizzard Downloader

"6886:TCP"= 6886:TCP:Blizzard Downloader

"6887:TCP"= 6887:TCP:Blizzard Downloader

"6888:TCP"= 6888:TCP:Blizzard Downloader

"6889:TCP"= 6889:TCP:Blizzard Downloader

"6890:TCP"= 6890:TCP:Blizzard Downloader

"6891:TCP"= 6891:TCP:Blizzard Downloader

"6892:TCP"= 6892:TCP:Blizzard Downloader

"6999:TCP"= 6999:TCP:Blizzard Downloader

"6998:TCP"= 6998:TCP:Blizzard Downloader

"6997:TCP"= 6997:TCP:Blizzard Downloader

"6996:TCP"= 6996:TCP:Blizzard Downloader

"6995:TCP"= 6995:TCP:Blizzard Downloader

"6994:TCP"= 6994:TCP:Blizzard Downloader

"6993:TCP"= 6993:TCP:Blizzard Downloader

"6992:TCP"= 6992:TCP:Blizzard Downloader

"6991:TCP"= 6991:TCP:Blizzard Downloader

"6990:TCP"= 6990:TCP:Blizzard Downloader

"6901:TCP"= 6901:TCP:Blizzard Downloader

"6902:TCP"= 6902:TCP:Blizzard Downloader

"6903:TCP"= 6903:TCP:Blizzard Downloader

"6904:TCP"= 6904:TCP:Blizzard Downloader

"6905:TCP"= 6905:TCP:Blizzard Downloader

"6906:TCP"= 6906:TCP:Blizzard Downloader

"6907:TCP"= 6907:TCP:Blizzard Downloader

"6908:TCP"= 6908:TCP:Blizzard Downloader

"6909:TCP"= 6909:TCP:Blizzard Downloader

"6910:TCP"= 6910:TCP:Blizzard Downloader

"6911:TCP"= 6911:TCP:Blizzard Downloader

"6912:TCP"= 6912:TCP:Blizzard Downloader

"6913:TCP"= 6913:TCP:Blizzard Downloader

"6914:TCP"= 6914:TCP:Blizzard Downloader

"6915:TCP"= 6915:TCP:Blizzard Downloader

"6916:TCP"= 6916:TCP:Blizzard Downloader

"6917:TCP"= 6917:TCP:Blizzard Downloader

"6918:TCP"= 6918:TCP:Blizzard Downloader

"6919:TCP"= 6919:TCP:Blizzard Downloader

"6920:TCP"= 6920:TCP:Blizzard Downloader

"6921:TCP"= 6921:TCP:Blizzard Downloader

"6922:TCP"= 6922:TCP:Blizzard Downloader

"6923:TCP"= 6923:TCP:Blizzard Downloader

"6924:TCP"= 6924:TCP:Blizzard Downloader

"6925:TCP"= 6925:TCP:Blizzard Downloader

"6926:TCP"= 6926:TCP:Blizzard Downloader

"6927:TCP"= 6927:TCP:Blizzard Downloader

"6928:TCP"= 6928:TCP:Blizzard Downloader

"6929:TCP"= 6929:TCP:Blizzard Downloader

"6930:TCP"= 6930:TCP:Blizzard Downloader

"6931:TCP"= 6931:TCP:Blizzard Downloader

"6932:TCP"= 6932:TCP:Blizzard Downloader

"6933:TCP"= 6933:TCP:Blizzard Downloader

"6934:TCP"= 6934:TCP:Blizzard Downloader

"6935:TCP"= 6935:TCP:Blizzard Downloader

"6936:TCP"= 6936:TCP:Blizzard Downloader

"6937:TCP"= 6937:TCP:Blizzard Downloader

"6938:TCP"= 6938:TCP:Blizzard Downloader

"6939:TCP"= 6939:TCP:Blizzard Downloader

"6940:TCP"= 6940:TCP:Blizzard Downloader

"6941:TCP"= 6941:TCP:Blizzard Downloader

"6942:TCP"= 6942:TCP:Blizzard Downloader

"6843:TCP"= 6843:TCP:Blizzard Downloader

"6944:TCP"= 6944:TCP:Blizzard Downloader

"6945:TCP"= 6945:TCP:Blizzard Downloader

"6946:TCP"= 6946:TCP:Blizzard Downloader

"6947:TCP"= 6947:TCP:Blizzard Downloader

"6948:TCP"= 6948:TCP:Blizzard Downloader

"6949:TCP"= 6949:TCP:Blizzard Downloader

"6950:TCP"= 6950:TCP:Blizzard Downloader

"6951:TCP"= 6951:TCP:Blizzard Downloader

"6952:TCP"= 6952:TCP:Blizzard Downloader

"6953:TCP"= 6953:TCP:Blizzard Downloader

"6954:TCP"= 6954:TCP:Blizzard Downloader

"6955:TCP"= 6955:TCP:Blizzard Downloader

"6956:TCP"= 6956:TCP:Blizzard Downloader

"6957:TCP"= 6957:TCP:Blizzard Downloader

"6958:TCP"= 6958:TCP:Blizzard Downloader

"6959:TCP"= 6959:TCP:Blizzard Downloader

"6960:TCP"= 6960:TCP:Blizzard Downloader

"6961:TCP"= 6961:TCP:Blizzard Downloader

"6962:TCP"= 6962:TCP:Blizzard Downloader

"6963:TCP"= 6963:TCP:Blizzard Downloader

"6964:TCP"= 6964:TCP:Blizzard Downloader

"6965:TCP"= 6965:TCP:Blizzard Downloader

"6966:TCP"= 6966:TCP:Blizzard Downloader

"6967:TCP"= 6967:TCP:Blizzard Downloader

"6968:TCP"= 6968:TCP:Blizzard Downloader

"6969:TCP"= 6969:TCP:Blizzard Downloader

"6970:TCP"= 6970:TCP:Blizzard Downloader

"6971:TCP"= 6971:TCP:Blizzard Downloader

"6972:TCP"= 6972:TCP:Blizzard Downloader

"6973:TCP"= 6973:TCP:Blizzard Downloader

"6974:TCP"= 6974:TCP:Blizzard Downloader

"6975:TCP"= 6975:TCP:Blizzard Downloader

"6976:TCP"= 6976:TCP:Blizzard Downloader

"6877:TCP"= 6877:TCP:Blizzard Downloader

"6977:TCP"= 6977:TCP:Blizzard Downloader

"6978:TCP"= 6978:TCP:Blizzard Downloader

"6979:TCP"= 6979:TCP:Blizzard Downloader

"6980:TCP"= 6980:TCP:Blizzard Downloader

"6981:TCP"= 6981:TCP:Blizzard Downloader

"6982:TCP"= 6982:TCP:Blizzard Downloader

"6983:TCP"= 6983:TCP:Blizzard Downloader

"6984:TCP"= 6984:TCP:Blizzard Downloader

"6985:TCP"= 6985:TCP:Blizzard Downloader

"6986:TCP"= 6986:TCP:Blizzard Downloader

"6987:TCP"= 6987:TCP:Blizzard Downloader

"6988:TCP"= 6988:TCP:Blizzard Downloader

"6989:TCP"= 6989:TCP:Blizzard Downloader

"6893:TCP"= 6893:TCP:Blizzard Downloader

"6894:TCP"= 6894:TCP:Blizzard Downloader

"6895:TCP"= 6895:TCP:Blizzard Downloader

"6896:TCP"= 6896:TCP:Blizzard Downloader

"6897:TCP"= 6897:TCP:Blizzard Downloader

"6700:TCP"= 6700:TCP:Blizzard Downloader

"6900:TCP"= 6900:TCP:Blizzard Downloader

"6943:TCP"= 6943:TCP:Blizzard Downloader

"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

.

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/2/2011 11:42 AM 136360]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]

S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [10/9/2010 7:40 PM 366640]

S3 MBAMProtector;MBAMProtector;\??\c:\windows\system32\drivers\mbam.sys --> c:\windows\system32\drivers\mbam.sys [?]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/10/2004 12:51 PM 14336]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]

S4 Dhcp32;DHCP Client ; [x]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

WINRM REG_MULTI_SZ WINRM

.

Contents of the 'Scheduled Tasks' folder

.

2011-05-28 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 17:50]

.

2011-05-20 c:\windows\Tasks\defrag.job

- c:\i386\defrag.exe [2007-09-28 10:00]

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = *.local

IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

TCP: DhcpNameServer = 192.168.0.1 205.171.3.25

DPF: {2B1AA38D-2D12-11D5-AAD0-00C04FA03D78} - hxxp://www.mymesaba.com/nps/portal/gadgets/com.novell.nps.gadgets.shortcut.ShortcutGadget/LocalExec.CAB

FF - ProfilePath - c:\documents and settings\Ostrowski's\Application Data\Mozilla\Firefox\Profiles\vqq0z7l7.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - www.google.com

FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=

FF - prefs.js: network.proxy.type - 4

.

- - - - ORPHANS REMOVED - - - -

.

BHO-{03A1143D-3DD4-4180-968D-A8E9AC8CB861} - (no file)

BHO-{270CEFD5-DA75-622D-26DF-16FAA2DFF9EC} - (no file)

SafeBoot-mcmscsvc

SafeBoot-MCODS

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-06-07 20:33

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Dhcp32]

"ImagePath"=""

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(868)

c:\windows\System32\BCMLogon.dll

.

Completion time: 2011-06-07 20:35:54

ComboFix-quarantined-files.txt 2011-06-08 01:35

.

Pre-Run: 27,449,540,608 bytes free

Post-Run: 28,085,559,296 bytes free

.

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

.

- - End Of File - - 298678F1071DE5BB6EEF6616E6FDEC57

DDS Log

.

DDS (Ver_2011-06-03.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_25

Run by Ostrowski's at 20:39:19 on 2011-06-07

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1269 [GMT -5:00]

.

AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

svchost.exe

svchost.exe

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\Avira\AntiVir Desktop\sched.exe

svchost.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

.

============== Pseudo HJT Report ===============

.

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - No File

BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe

mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe

mRun: [sigmatelSysTrayApp] stsystra.exe

mRun: [KADxMain] c:\windows\system32\KADxMain.exe

mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"

mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"

mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe

mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"

mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start

mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE

IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB

DPF: {2B1AA38D-2D12-11D5-AAD0-00C04FA03D78} - hxxp://www.mymesaba.com/nps/portal/gadgets/com.novell.nps.gadgets.shortcut.ShortcutGadget/LocalExec.CAB

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB

DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 192.168.0.1 205.171.3.25

TCP: Interfaces\{50878460-83B6-46E1-B7DA-D57C1A1E2730} : DhcpNameServer = 192.168.0.1 205.171.3.25

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\ostrowski's\application data\mozilla\firefox\profiles\vqq0z7l7.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - www.google.com

FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=

FF - prefs.js: network.proxy.type - 4

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\veetle\player\npvlc.dll

FF - plugin: c:\program files\veetle\plugins\npVeetle.dll

.

============= SERVICES / DRIVERS ===============

.

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-6-2 11608]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-6-2 136360]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-6-2 269480]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-6-2 61960]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-10-9 366640]

S3 MBAMProtector;MBAMProtector;\??\c:\windows\system32\drivers\mbam.sys --> c:\windows\system32\drivers\mbam.sys [?]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-10 14336]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

S4 Dhcp32;DHCP Client ; [x]

.

=============== Created Last 30 ================

.

2011-06-08 01:24:50 -------- dcsha-r- C:\cmdcons

2011-06-08 01:20:21 208896 ----a-w- c:\windows\MBR.exe

2011-06-08 01:20:20 98816 ----a-w- c:\windows\sed.exe

2011-06-08 01:20:20 518144 ----a-w- c:\windows\SWREG.exe

2011-06-08 01:20:20 256512 ----a-w- c:\windows\PEV.exe

2011-06-07 13:30:56 -------- d-----w- c:\windows\system32\winrm

2011-06-07 13:30:56 -------- d-----w- c:\windows\system32\GroupPolicy

2011-06-07 13:30:51 -------- dc----w- c:\windows\$968930Uinstall_KB968930$

2011-06-04 20:26:34 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll

2011-06-04 20:26:34 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll

2011-06-04 20:26:33 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll

2011-06-04 20:26:33 465880 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll

2011-06-04 20:26:33 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll

2011-06-04 20:26:32 1892184 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll

2011-06-04 20:26:31 1974616 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll

2011-06-04 20:26:31 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

2011-06-02 17:02:48 -------- d-----w- c:\documents and settings\ostrowski's\application data\Avira

2011-06-02 16:51:23 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-06-02 16:42:06 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-06-02 16:42:05 -------- dc----w- c:\documents and settings\all users\application data\Avira

2011-06-02 16:42:05 -------- d-----w- c:\program files\Avira

2011-06-02 13:50:01 -------- dc----w- C:\tdsskiller

2011-05-28 03:28:05 -------- d-----w- c:\windows\system32\wbem\repository\FS

2011-05-28 03:28:05 -------- d-----w- c:\windows\system32\wbem\Repository

2011-05-17 13:25:14 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

.

==================== Find3M ====================

.

2011-06-02 16:50:59 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-05-29 14:11:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-03-11 14:10:38 471552 ----a-w- c:\windows\apppatch\aclayers.dll

.

============= FINISH: 20:39:46.82 ===============


  • Staff

Hi,

Next, please run a free online scan with the ESET Online Scanner.

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and Scan unwanted applications are checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


Here are the Security Scan results

Results of screen317's Security Check version 0.99.13

Windows XP Service Pack 3

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

Avira AntiVir Personal - Free Antivirus

ESET Online Scanner v3

Avira successfully updated!

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

Java 6 Update 25

Out of date Java installed!

Adobe Flash Player 10.3.181.14

Adobe Reader X (10.0.1)

Mozilla Firefox (x86 en-US..)

````````````````````````````````

Process Check:

objlist.exe by Laurent

Avira Antivir avgnt.exe

Avira Antivir avguard.exe

``````````End of Log````````````

The Eset results:

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6526

# api_version=3.0.2

# EOSSerial=f420d4f807cfeb4f83132c0826d0d46d

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-06-11 05:49:02

# local_time=2011-06-11 12:49:02 (-0600, Central Daylight Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=1797 16775125 100 93 0 43400612 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=112094

# found=1

# cleaned=1

# scan_time=3682

C:\Documents and Settings\Ostrowski's\Local Settings\Application Data\Mozilla\Firefox\Profiles\vqq0z7l7.default\Cache\D\E3\F6E8Ad01 JS/Kryptik.AQ.Gen trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

Thanks again for working with me on this. I've not really been using this a whole lot until I know if it's cleaned up. My greyed-out icons on my desktop are back! I've not tried a Google search but will do so.


  • Staff

Hi,

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall.

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following program (if present):

ESET Online Scanner v3

Java


Hello! I've done as indicated. My system seems to be running along just great! One thing I noticed is that my desktop icons got juggled about, e.g. my Recycle Bin is no longer on the top left but rather about 5 down on the left. They all seem to be there and they work, just out of the order they were in.

So after following your instructions I updated and ran both my Avira and Malwarebytes and both came back clean!

Thanks for all your assistance.

Nostrow


  • Staff

You can right-click the Desktop and arrange the icons how you wish.

I highly recommend the PRO version of MBAM; with it, it's likely that this issue would have been prevented in the first place.

Now that your computer seems to be in proper working order, please take the following steps to help prevent reinfection:

1) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

2) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

3) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.

4) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  • Green to go
  • Yellow for caution
  • Red to stop

WOT has an addon available for both Firefox and IE.

5) Be sure to update your Antivirus and Antispyware programs often!

Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?

Safe surfing,

-screen317


  • 2 weeks later...
  • Staff

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
