reoccurring infection alerts - please assist.


Hello,

First sign was a detection/warning regarding 'TrojanDownloader:Win32/Tracur.Y'.

After running various anti-adware/spyware tools that claimed successful cleaning/removal (falsely), the infection continued to rear its ugly head, even after Avira too.

Some infections identified are as follows:

VirTool:Win32/Obfuscator.OG

TrojanDownloader:Win32/Tracur.Y

Is the TR/Gendal.kdv.296714 Trojan

TR/Black.Gen2 Trojan

(should I paste in Avira log file also?)

Thanks

Robert

=======

Here are the pasted Malwarebytes log & DDS log:

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7287

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

7/26/2011 7:39:55 PM

mbam-log-2011-07-26 (19-39-55).txt

Scan type: Full scan (C:\|E:\|)

Objects scanned: 348281

Time elapsed: 1 hour(s), 17 minute(s), 40 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 3

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{0E098DCF-B8C1-4754-86D3-03FCBF94692a} (IPH.GenericBHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0E098DCF-B8C1-4754-86D3-03FCBF94692A} (IPH.GenericBHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\system32\authz32.dll (IPH.GenericBHO) -> Quarantined and deleted successfully.

######################################### DDS:

.

DDS (Ver_2011-06-23.01) - NTFSx86

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_22

Run by RAL at 19:58:00 on 2011-07-26

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1103 [GMT -7:00]

.

AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Creative\Shared Files\CTAudSvc.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

svchost.exe

C:\Program Files\ASUS\Speeding HDD\SteelVine.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\WINDOWS\system32\CTsvcCDA.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\Program Files\Java\jre6\bin\jqs.exe

c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\PSIService.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Analog Devices\SoundMAX\Smax4.exe

C:\Program Files\InstallShield Installation Information\{EC6D5F08-1694-431F-8200-3B0A8A61AC5A}\AMBSPISyncService.exe

C:\Program Files\ASUS\Speeding HDD\DriveXpert.exe

C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe

C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe

C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe

C:\Program Files\Winamp\winampa.exe

C:\Program Files\Creative\SB X-Fi MB\Volume Panel\VolPanlu.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe

C:\DOCUME~1\RAL\LOCALS~1\Temp\Sound_Blaster_X-Fi_MB_Cleanup.0001

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Corel\Corel MediaOne\Corel Photo Downloader.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\MagicDisc\MagicDisc.exe

C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe

C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe

C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe

C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Common Files\Creative Labs Shared\Service\XMBLicensing.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe

C:\WINDOWS\system32\Rundll32.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\Program Files\Outlook Express\msimn.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://startpage.com/

uInternet Settings,ProxyOverride = <local>

uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s

uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: Babylon IE plugin: {9cfaccb6-2f3f-4177-94ea-0d2b72d384c1} - c:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [steam] "c:\program files\steam\Steam.exe" -silent

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [soundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray

mRun: [updReg] c:\windows\UpdReg.EXE

mRun: [CTSyncService] c:\program files\installshield installation information\{ec6d5f08-1694-431f-8200-3b0a8a61ac5a}\AMBSPISyncService.exe /StartRunKey

mRun: [Drive Xpert] c:\program files\asus\speeding hdd\DriveXpert.exe

mRun: [ulead AutoDetector v2] c:\program files\common files\ulead systems\autodetector\monitor.exe

mRun: [Launch LCDMon] "c:\program files\logitech\gamepanel software\lcd manager\LCDMon.exe"

mRun: [Launch LGDCore] "c:\program files\logitech\gamepanel software\g-series software\LGDCore.exe" /SHOWHIDE

mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe

mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"

mRun: [VolPanel] "c:\program files\creative\sb x-fi mb\volume panel\VolPanlu.exe" /r

mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mRun: [Corel Photo Downloader] "c:\program files\corel\corel mediaone\Corel Photo Downloader.exe" -startup

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

StartupFolder: c:\docume~1\ral\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppsc2~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpobnz08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000

IE: Translate this web page with Babylon - c:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll/ActionTU.htm

IE: Translate with Babylon - c:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll/Action.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {F72841F0-4EF1-4df5-BCE5-B3AC8ACF5478} - res://c:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll/ActionTU.htm

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

Hosts: 127.0.0.1 www.spywareinfo.com

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\ral\application data\mozilla\firefox\profiles\0q5jmwr8.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.babylon.com/web/{searchTerms}?babsrc=browsersearch&AF=18776

FF - prefs.js: browser.search.selectedEngine - Search the web (Babylon)

FF - prefs.js: browser.startup.homepage - hxxp://search.babylon.com/home?AF=18776

FF - prefs.js: keyword.URL - hxxp://search.babylon.com/?babsrc=adbartrp&AF=18776&q=

FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll

FF - plugin: c:\documents and settings\ral\application data\move networks\plugins\npqmp071706000001.dll

FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll

.

============= SERVICES / DRIVERS ===============

.

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-10-19 64288]

R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [2008-6-10 150568]

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-7-24 11608]

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 165264]

R1 MpKsl4dc4a0d6;MpKsl4dc4a0d6;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{0a5b644d-db66-41a1-9909-afd78748e9df}\MpKsl4dc4a0d6.sys [2011-7-26 28752]

R2 57xx SteelVine Manager;57xx SteelVine;c:\program files\asus\speeding hdd\SteelVine.exe [2008-5-22 1286144]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-7-24 136360]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-7-24 269480]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-7-24 66616]

R2 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2008-11-9 12672]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-9-23 2151640]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\sitead~1\mcsacore.exe [2010-12-13 88176]

R3 AmbFilt;AmbFilt;c:\windows\system32\drivers\Ambfilt.sys [2009-9-12 1683712]

R3 Sound Blaster X-Fi MB Licensing Service;Sound Blaster X-Fi MB Licensing Service;c:\program files\common files\creative labs shared\service\XMBLicensing.exe [2009-9-12 79360]

S1 MpKsl475090c2;MpKsl475090c2;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{dd583fbe-e8eb-4d2b-a14b-e3b1fda36ba6}\mpksl475090c2.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{dd583fbe-e8eb-4d2b-a14b-e3b1fda36ba6}\MpKsl475090c2.sys [?]

S1 MpKslb1bce2b0;MpKslb1bce2b0;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b1972b72-ea9b-4f3b-94cc-7ab2992aaa33}\mpkslb1bce2b0.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b1972b72-ea9b-4f3b-94cc-7ab2992aaa33}\MpKslb1bce2b0.sys [?]

S1 MpKslbbaa285c;MpKslbbaa285c;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{029fe7af-bcb4-4c50-b3cf-89ff3290fbfd}\mpkslbbaa285c.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{029fe7af-bcb4-4c50-b3cf-89ff3290fbfd}\MpKslbbaa285c.sys [?]

S2 0073141303325209mcinstcleanup;McAfee Application Installer Cleanup (0073141303325209);c:\windows\temp\007314~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\007314~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-9-8 136176]

S2 SysmonLog32;Performance Logs and Alerts ;c:\windows\system32\sccsccp32.exe [2011-7-26 833024]

S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\dragon age\bin_ship\daupdatersvc.service.exe [2008-11-13 25832]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-9-8 136176]

S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-9-23 15232]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-3-31 41272]

S3 RTCore32;RTCore32;c:\program files\evga precision\RTCore32.sys [2005-5-25 4608]

S3 SkLaggProtocol;Marvell Link Aggregation Protocol;c:\windows\system32\drivers\yk51x32l.sys [2007-12-14 57344]

S3 SkVlanProtocol;Marvell VLAN Protocol;c:\windows\system32\drivers\yk51x32v.sys [2007-11-23 20992]

S3 WinRing0_1_2_0;WinRing0_1_2_0;c:\supercog\stress test kit\realtemp\WinRing0.sys [2008-7-26 14416]

.

=============== Created Last 30 ================

.

2011-07-27 02:54:13 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{0a5b644d-db66-41a1-9909-afd78748e9df}\MpKsl4dc4a0d6.sys

2011-07-26 22:16:29 833024 ----a-w- c:\windows\system32\authz32.exe

2011-07-26 22:16:26 833024 ----a-w- c:\windows\system32\sccsccp32.exe

2011-07-25 09:42:18 6881616 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{0a5b644d-db66-41a1-9909-afd78748e9df}\mpengine.dll

2011-07-24 22:34:24 -------- d-----w- c:\documents and settings\ral\application data\Avira

2011-07-24 22:31:42 -------- d-----w- c:\windows\system32\NtmsData

2011-07-24 22:28:27 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-07-24 22:28:27 -------- d-----w- c:\program files\Avira

2011-07-24 22:28:27 -------- d-----w- c:\documents and settings\all users\application data\Avira

2011-07-24 22:16:44 -------- d-----w- c:\documents and settings\ral\application data\Sammsoft

2011-07-21 01:50:35 388096 ----a-r- c:\documents and settings\ral\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe

2011-07-21 01:50:34 -------- d-----w- c:\program files\Trend Micro

2011-07-20 03:11:09 0 ---ha-w- c:\documents and settings\ral\ajczdpqjtg.tmp

2011-07-13 11:33:35 21840 ----atw- c:\windows\system32\SIntfNT.dll

2011-07-13 11:33:35 17212 ----atw- c:\windows\system32\SIntf32.dll

2011-07-13 11:33:35 12067 ----atw- c:\windows\system32\SIntf16.dll

2011-07-13 11:22:47 -------- d-----w- c:\program files\Sierra On-Line

2011-07-13 11:22:45 -------- d-----w- C:\Sierra

2011-07-03 19:56:46 -------- d-----w- c:\documents and settings\ral\application data\HyperLobby

2011-06-30 12:33:20 -------- d-----w- c:\program files\GOG.com

2011-06-30 12:14:40 -------- d-----w- c:\program files\HyperLobby client

2011-06-30 06:17:03 -------- d-----w- c:\documents and settings\ral\local settings\application data\GOGDownloader

.

==================== Find3M ====================

.

2011-07-26 10:56:40 140024 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys

2011-07-26 10:56:33 280768 ----a-w- c:\windows\system32\PnkBstrB.xtr

2011-07-26 10:56:33 280768 ----a-w- c:\windows\system32\PnkBstrB.exe

2011-07-25 04:43:21 280768 ----a-w- c:\windows\system32\PnkBstrB.ex0

2011-07-07 02:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-07 02:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-06-29 04:18:57 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys

2011-05-29 20:08:56 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-05-20 09:50:54 60 ----a-w- c:\windows\wpd99.drv

2011-05-20 09:40:17 51716 ----a-w- c:\windows\system32\pdf995mon.dll

2011-05-20 09:40:17 249856 ----a-w- c:\windows\system32\pdfmona.dll

2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-04-29 17:25:27 151552 ----a-w- c:\windows\system32\schannel.dll

2011-04-29 16:19:43 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

.

============= FINISH: 19:58:57.04 ===============

ark.zip

attach.zip

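Two things in the DDS log above are worth lining up. The "Created Last 30" section shows authz32.exe and sccsccp32.exe written into system32 three seconds apart on 2011-07-26, both exactly 833024 bytes, and the services section shows a new S2 service, SysmonLog32, whose display name is "Performance Logs and Alerts " (note the trailing space) and whose image is that same sccsccp32.exe. The genuine XP service with that display name is SysmonLog and runs from smlogsvc.exe. A service that re-registers the BHO on every boot would be one explanation for the HKCR\.fsharproj key (flagged as Trojan.BHO) coming back after MBAM quarantines it. The Python below is an added example, not part of the thread and not a Malwarebytes tool: it parses lines in the shape DDS prints and applies those two checks plus a cross-reference between them. The sample lines are constructed (the Spooler line is invented to show a genuine built-in passing), and the KNOWN_SERVICES table is a short list written from memory that should be replaced by one taken from a known-clean machine of the same Windows version.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the shape of the DDS "SERVICES / DRIVERS" section.
# The SysmonLog32 line is the one from the log above; the Spooler line is made up
# to show a genuine built-in that passes the check.
SERVICE_LINES = r"""
R2 Spooler;Print Spooler;c:\windows\system32\spoolsv.exe [2008-4-14 57856]
S2 SysmonLog32;Performance Logs and Alerts ;c:\windows\system32\sccsccp32.exe [2011-7-26 833024]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-9-8 136176]
""".strip().splitlines()

# Constructed sample in the shape of the DDS "Created Last 30" section.
CREATED_LINES = r"""
2011-07-26 22:16:29 833024 ----a-w- c:\windows\system32\authz32.exe
2011-07-26 22:16:26 833024 ----a-w- c:\windows\system32\sccsccp32.exe
2011-07-24 22:28:27 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-07-24 22:28:27 -------- d-----w- c:\program files\Avira
""".strip().splitlines()

# Display name -> (real service name, real image basename) on Windows XP.
# Deliberately short and written from memory: rebuild it from a known-clean
# machine (sc query / services.msc) before relying on it.
KNOWN_SERVICES = {
    "performance logs and alerts": ("sysmonlog", "smlogsvc.exe"),
    "print spooler": ("spooler", "spoolsv.exe"),
    "task scheduler": ("schedule", "svchost.exe"),
}

SERVICE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
SIZE_RE = re.compile(r"\[(?P<date>\d{4}-\d{1,2}-\d{1,2})\s+(?P<size>\d+)\]\s*$")
CREATED_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<size>\d+)\s+\S+\s+(?P<path>.+)$")


def basename(path):
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].lower()


def parse_services(lines):
    """Turn DDS service lines into dicts; tolerates the 'x --> x [?]' form DDS
    prints when it cannot stat the image file."""
    services = []
    for line in lines:
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        rest, size = m.group("rest").strip(), None
        sm = SIZE_RE.search(rest)
        if sm:
            size, rest = int(sm.group("size")), rest[:sm.start()].strip()
        path = re.sub(r"\s*\[\?\]$", "", rest.split(" --> ")[-1]).strip()
        services.append({"state": m.group("state"), "name": m.group("name").strip(),
                         "display": m.group("display").strip(), "path": path, "size": size})
    return services


def parse_created(lines):
    """Parse 'Created Last 30' rows; directory rows carry '--------' as size and are skipped."""
    created = []
    for line in lines:
        m = CREATED_RE.match(line.strip())
        if m:
            created.append({"ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
                            "size": int(m.group("size")), "path": m.group("path").strip()})
    return created


def masquerading_services(services):
    """Services whose display name copies a Windows built-in while the short name
    or the image file differs from the genuine one."""
    hits = []
    for s in services:
        expected = KNOWN_SERVICES.get(s["display"].lower())
        if expected and (s["name"].lower(), basename(s["path"])) != expected:
            hits.append((s["name"], s["path"]))
    return hits


def twin_drops(created, window=timedelta(minutes=5), folder="\\system32\\"):
    """Same-size files written under system32 within `window` of each other, oldest
    first; a dropper writing one payload under two names produces exactly this."""
    by_size = defaultdict(list)
    for f in created:
        if folder in f["path"].lower():
            by_size[f["size"]].append(f)
    pairs = []
    for files in by_size.values():
        files.sort(key=lambda f: f["ts"])
        pairs.extend((basename(a["path"]), basename(b["path"]))
                     for a, b in zip(files, files[1:]) if b["ts"] - a["ts"] <= window)
    return pairs


def services_backed_by_new_files(services, created):
    """Names of services whose image file also appears in the recent-creation list."""
    fresh = {f["path"].lower() for f in created}
    return [s["name"] for s in services if s["path"].lower() in fresh]


if __name__ == "__main__":
    svc, new = parse_services(SERVICE_LINES), parse_created(CREATED_LINES)
    print("masquerading:", masquerading_services(svc))
    print("twin drops:  ", twin_drops(new))
    print("new images:  ", services_backed_by_new_files(svc, new))
```

The point of the third check is that neither signal alone is conclusive (a vendor may ship a look-alike display name; Windows Update writes same-size files occasionally), but a service that both copies a built-in's display name and is backed by a file created in the last few days deserves to be pulled with the file hashed and submitted before any further "quarantine" runs.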

Hi and welcome to Malwarebytes.

I notice that you are using more than one antivirus program (Microsoft, Antivir, and Lavasoft). This is very dangerous, as multiple AVs can interfere with one another and actually allow MORE viruses to get through. I strongly suggest you go to Start -> Control Panel -> Add or Remove Programs and uninstall all but one antivirus program.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317


Hi and welcome to Malwarebytes.

I notice that you are using more than one antivirus program (Microsoft, Antivir, and Lavasoft). This is very dangerous, as multiple AVs can interfere with one another and actually allow MORE viruses to get through. I strongly suggest you go to Start -> Control Panel -> Add or Remove Programs and uninstall all but one antivirus program.

Please update MBAM, run a Quick Scan, and post its log.

===

Hello,

Which anti-virus do you recommend I use?

(Also, btw, doesn't Lavasoft merely run on an incidental basis, rather than 'running' constantly / on all the time?)

And/or, if I use any one of those 3 listed, does that mean I should not use MBAM, so as not to use more than one antivirus program?

Just trying to better understand.

Thank you very much

Robert


BTW, while running MBAM, MS Security Essentials popped up with a warning/find: Trojan Tracur.Y.

Anyway, here is the MBAM log, thanks:

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7404

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

8/7/2011 6:28:44 PM

mbam-log-2011-08-07 (18-28-44).txt

Scan type: Quick scan

Objects scanned: 184340

Time elapsed: 6 minute(s), 11 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Here ya go, my savior! ;-) Thanks:

ComboFix log report:

===================================

ComboFix 11-08-07.03 - RAL 08/07/2011 19:52:52.2.4 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1413 [GMT -7:00]

Running from: c:\documents and settings\RAL\Desktop\ComboFix.exe

AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\docume~1\RAL\LOCALS~1\Temp\Sound_Blaster_X-Fi_MB_Cleanup.0001.dir.0044\~de6248.tmp

c:\docume~1\RAL\LOCALS~1\Temp\Sound_Blaster_X-Fi_MB_Cleanup.0001.dir.0044\~df394b.tmp

c:\documents and settings\All Users\Application Data\Tarma Installer

c:\documents and settings\RAL\ajczdpqjtg.tmp

c:\documents and settings\RAL\Application Data\Mozilla\Firefox\Profiles\0q5jmwr8.default\extensions\{08328d6d-01cf-4031-9890-3f71416c761d}

c:\documents and settings\RAL\Application Data\Mozilla\Firefox\Profiles\0q5jmwr8.default\extensions\{08328d6d-01cf-4031-9890-3f71416c761d}\chrome.manifest

c:\documents and settings\RAL\Application Data\Mozilla\Firefox\Profiles\0q5jmwr8.default\extensions\{08328d6d-01cf-4031-9890-3f71416c761d}\chrome\xulcache.jar

c:\documents and settings\RAL\Application Data\Mozilla\Firefox\Profiles\0q5jmwr8.default\extensions\{08328d6d-01cf-4031-9890-3f71416c761d}\defaults\preferences\xulcache.js

c:\documents and settings\RAL\Application Data\Mozilla\Firefox\Profiles\0q5jmwr8.default\extensions\{08328d6d-01cf-4031-9890-3f71416c761d}\install.rdf

c:\documents and settings\RAL\Application Data\Mozilla\Firefox\Profiles\0q5jmwr8.default\extensions\{a2310f74-e79d-49f9-b493-1bab207cef76}

c:\documents and settings\RAL\Application Data\Mozilla\Firefox\Profiles\0q5jmwr8.default\extensions\{a2310f74-e79d-49f9-b493-1bab207cef76}\chrome.manifest

c:\documents and settings\RAL\Application Data\Mozilla\Firefox\Profiles\0q5jmwr8.default\extensions\{a2310f74-e79d-49f9-b493-1bab207cef76}\chrome\xulcache.jar

c:\documents and settings\RAL\Application Data\Mozilla\Firefox\Profiles\0q5jmwr8.default\extensions\{a2310f74-e79d-49f9-b493-1bab207cef76}\defaults\preferences\xulcache.js

c:\documents and settings\RAL\Application Data\Mozilla\Firefox\Profiles\0q5jmwr8.default\extensions\{a2310f74-e79d-49f9-b493-1bab207cef76}\install.rdf

c:\documents and settings\RAL\Application Data\Mozilla\Firefox\Profiles\0q5jmwr8.default\extensions\{cfa42fc2-2761-4ae4-9b73-1f877b06260e}

c:\documents and settings\RAL\Application Data\Mozilla\Firefox\Profiles\0q5jmwr8.default\extensions\{cfa42fc2-2761-4ae4-9b73-1f877b06260e}\chrome.manifest

c:\documents and settings\RAL\Application Data\Mozilla\Firefox\Profiles\0q5jmwr8.default\extensions\{cfa42fc2-2761-4ae4-9b73-1f877b06260e}\chrome\xulcache.jar

c:\documents and settings\RAL\Application Data\Mozilla\Firefox\Profiles\0q5jmwr8.default\extensions\{cfa42fc2-2761-4ae4-9b73-1f877b06260e}\defaults\preferences\xulcache.js

c:\documents and settings\RAL\Application Data\Mozilla\Firefox\Profiles\0q5jmwr8.default\extensions\{cfa42fc2-2761-4ae4-9b73-1f877b06260e}\install.rdf

c:\documents and settings\RAL\Application Data\Mozilla\Firefox\Profiles\0q5jmwr8.default\extensions\{e6cb7f4e-7ff7-449d-a654-34a59c7dd745}

c:\documents and settings\RAL\Application Data\Mozilla\Firefox\Profiles\0q5jmwr8.default\extensions\{e6cb7f4e-7ff7-449d-a654-34a59c7dd745}\chrome.manifest

c:\documents and settings\RAL\Application Data\Mozilla\Firefox\Profiles\0q5jmwr8.default\extensions\{e6cb7f4e-7ff7-449d-a654-34a59c7dd745}\chrome\xulcache.jar

c:\documents and settings\RAL\Application Data\Mozilla\Firefox\Profiles\0q5jmwr8.default\extensions\{e6cb7f4e-7ff7-449d-a654-34a59c7dd745}\defaults\preferences\xulcache.js

c:\documents and settings\RAL\Application Data\Mozilla\Firefox\Profiles\0q5jmwr8.default\extensions\{e6cb7f4e-7ff7-449d-a654-34a59c7dd745}\install.rdf

c:\documents and settings\RAL\Application Data\Mozilla\Firefox\Profiles\0q5jmwr8.default\extensions\{f4911c94-0a6f-4377-829d-bdef9d5e75ed}

c:\documents and settings\RAL\Application Data\Mozilla\Firefox\Profiles\0q5jmwr8.default\extensions\{f4911c94-0a6f-4377-829d-bdef9d5e75ed}\chrome.manifest

c:\documents and settings\RAL\Application Data\Mozilla\Firefox\Profiles\0q5jmwr8.default\extensions\{f4911c94-0a6f-4377-829d-bdef9d5e75ed}\chrome\xulcache.jar

c:\documents and settings\RAL\Application Data\Mozilla\Firefox\Profiles\0q5jmwr8.default\extensions\{f4911c94-0a6f-4377-829d-bdef9d5e75ed}\defaults\preferences\xulcache.js

c:\documents and settings\RAL\Application Data\Mozilla\Firefox\Profiles\0q5jmwr8.default\extensions\{f4911c94-0a6f-4377-829d-bdef9d5e75ed}\install.rdf

c:\documents and settings\RAL\Local Settings\Temp\Sound_Blaster_X-Fi_MB_Cleanup.0001.dir.0044\~de6248.tmp

c:\documents and settings\RAL\Local Settings\Temp\Sound_Blaster_X-Fi_MB_Cleanup.0001.dir.0044\~df394b.tmp

c:\program files\Steam\Steam.exe

c:\windows\system32\system

.

.

((((((((((((((((((((((((( Files Created from 2011-07-08 to 2011-08-08 )))))))))))))))))))))))))))))))

.

.

2011-08-08 02:27 . 2011-07-13 03:39 6881616 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{576AA5CC-29A9-43FE-BDFD-6E42EDD1406E}\mpengine.dll

2011-07-31 08:59 . 2011-07-31 08:59 -------- d-----w- c:\documents and settings\All Users\Application Data\EA Core

2011-07-31 08:17 . 2011-07-31 08:17 -------- d--h--w- c:\program files\Common Files\EAInstaller

2011-07-31 07:40 . 2011-07-31 07:40 -------- d-----w- c:\documents and settings\RAL\Application Data\Origin

2011-07-31 07:40 . 2011-07-31 07:40 -------- d-----w- c:\documents and settings\RAL\Local Settings\Application Data\Origin

2011-07-31 07:39 . 2011-07-31 08:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Origin

2011-07-31 07:39 . 2011-07-31 07:49 -------- d-----w- c:\program files\Origin Games

2011-07-31 07:39 . 2011-07-31 07:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts

2011-07-31 07:39 . 2011-07-31 07:39 -------- d-----w- c:\program files\Origin

2011-07-29 08:57 . 2011-07-13 03:39 6881616 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Updates\mpengine.dll

2011-07-24 22:31 . 2011-08-04 09:34 -------- d-----w- c:\windows\system32\NtmsData

2011-07-24 22:16 . 2011-07-24 22:25 -------- d-----w- c:\documents and settings\RAL\Application Data\Sammsoft

2011-07-21 01:50 . 2011-07-21 01:50 388096 ----a-r- c:\documents and settings\RAL\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2011-07-21 01:50 . 2011-07-21 01:50 -------- d-----w- c:\program files\Trend Micro

2011-07-13 11:33 . 2011-07-14 03:26 21840 ----atw- c:\windows\system32\SIntfNT.dll

2011-07-13 11:33 . 2011-07-14 03:26 17212 ----atw- c:\windows\system32\SIntf32.dll

2011-07-13 11:33 . 2011-07-14 03:26 12067 ----atw- c:\windows\system32\SIntf16.dll

2011-07-13 11:22 . 2011-07-14 03:32 -------- d-----w- c:\program files\Sierra On-Line

2011-07-13 11:22 . 2011-07-14 03:32 -------- d-----w- C:\Sierra

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-08-07 17:14 . 2009-09-13 05:45 140496 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys

2011-08-07 17:14 . 2009-09-13 05:45 280736 ----a-w- c:\windows\system32\PnkBstrB.exe

2011-08-07 17:14 . 2009-09-13 05:44 280736 ----a-w- c:\windows\system32\PnkBstrB.xtr

2011-08-07 16:55 . 2009-09-13 05:45 280736 ----a-w- c:\windows\system32\PnkBstrB.ex0

2011-07-13 03:39 . 2010-06-15 09:11 6881616 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2011-07-07 02:52 . 2010-03-31 10:08 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-07 02:52 . 2010-03-31 10:08 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-06-29 04:18 . 2010-10-23 05:10 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2011-06-02 14:02 . 2006-02-28 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys

2011-05-29 20:08 . 2011-05-29 20:08 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-05-20 09:40 . 2011-05-20 09:40 51716 ----a-w- c:\windows\system32\pdf995mon.dll

2011-05-20 09:40 . 2011-05-20 09:40 249856 ----a-w- c:\windows\system32\pdfmona.dll

2011-06-22 14:58 . 2011-05-07 08:16 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-03-16 1040384]

"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]

"CTSyncService"="c:\program files\InstallShield Installation Information\{EC6D5F08-1694-431F-8200-3B0A8A61AC5A}\AMBSPISyncService.exe" [2008-08-12 1233199]

"Drive Xpert"="c:\program files\ASUS\Speeding HDD\DriveXpert.exe" [2008-05-22 10235904]

"Ulead AutoDetector v2"="c:\program files\Common Files\Ulead Systems\AutoDetector\monitor.exe" [2006-11-29 90112]

"Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2007-07-17 1687824]

"Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2007-07-18 2094352]

"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]

"WinampAgent"="c:\program files\Winamp\winampa.exe" [2010-01-13 37888]

"VolPanel"="c:\program files\Creative\SB X-Fi MB\Volume Panel\VolPanlu.exe" [2009-02-03 237693]

"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-08 1753192]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]

"Corel Photo Downloader"="c:\program files\Corel\Corel MediaOne\Corel Photo Downloader.exe" [2007-08-17 483144]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

.

c:\documents and settings\RAL\Start Menu\Programs\Startup\

MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-9-24 576000]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

hp psc 2000 Series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2003-4-9 323646]

hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-9 28672]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2008-2-12 394856]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"c:\\Program Files\\Dragon Age\\bin_ship\\daorigins.exe"=

"c:\\Program Files\\Dragon Age\\DAOriginsLauncher.exe"=

"c:\\Program Files\\Dragon Age\\bin_ship\\daupdatersvc.service.exe"=

"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=

"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=

"c:\\Program Files\\THQ\\Gas Powered Games\\Supreme Commander - Forged Alliance\\bin\\ForgedAlliance.exe"=

"c:\\Program Files\\THQ\\Gas Powered Games\\GPGNet\\GPG.Multiplayer.Client.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Electronic Arts\\Battlefield Bad Company 2\\BFBC2Updater.exe"=

"c:\\Program Files\\Electronic Arts\\Battlefield Bad Company 2\\BFBC2Game.exe"=

"c:\\Program Files\\StarCraft II\\StarCraft II.exe"=

"c:\\Program Files\\StarCraft II\\Versions\\Base15405\\SC2.exe"=

"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=

"c:\\Program Files\\Ubisoft\\Ubisoft Game Launcher\\UbisoftGameLauncher.exe"=

"c:\\Program Files\\GOG.com\\IL-2 Sturmovik 1946\\il2fb.exe"=

.

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [10/19/2010 9:25 PM 64288]

R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [6/10/2008 3:33 AM 150568]

R2 57xx SteelVine Manager;57xx SteelVine;c:\program files\ASUS\Speeding HDD\SteelVine.exe [5/22/2008 4:32 PM 1286144]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [12/13/2010 6:53 AM 88176]

R3 AmbFilt;AmbFilt;c:\windows\system32\drivers\Ambfilt.sys [9/12/2009 3:17 PM 1683712]

R3 Sound Blaster X-Fi MB Licensing Service;Sound Blaster X-Fi MB Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\XMBLicensing.exe [9/12/2009 3:22 PM 79360]

S1 arqtyznc;arqtyznc;\??\c:\windows\system32\drivers\arqtyznc.sys --> c:\windows\system32\drivers\arqtyznc.sys [?]

S1 cnzpzqxn;cnzpzqxn;\??\c:\windows\system32\drivers\cnzpzqxn.sys --> c:\windows\system32\drivers\cnzpzqxn.sys [?]

S1 dmdsdlbn;dmdsdlbn;\??\c:\windows\system32\drivers\dmdsdlbn.sys --> c:\windows\system32\drivers\dmdsdlbn.sys [?]

S1 ftqehwfe;ftqehwfe;\??\c:\windows\system32\drivers\ftqehwfe.sys --> c:\windows\system32\drivers\ftqehwfe.sys [?]

S1 gemqeoat;gemqeoat;\??\c:\windows\system32\drivers\gemqeoat.sys --> c:\windows\system32\drivers\gemqeoat.sys [?]

S1 jgmzvoxm;jgmzvoxm;\??\c:\windows\system32\drivers\jgmzvoxm.sys --> c:\windows\system32\drivers\jgmzvoxm.sys [?]

S1 kfqyowrt;kfqyowrt;\??\c:\windows\system32\drivers\kfqyowrt.sys --> c:\windows\system32\drivers\kfqyowrt.sys [?]

S1 lfydlhot;lfydlhot;\??\c:\windows\system32\drivers\lfydlhot.sys --> c:\windows\system32\drivers\lfydlhot.sys [?]

S1 mngrtgok;mngrtgok;\??\c:\windows\system32\drivers\mngrtgok.sys --> c:\windows\system32\drivers\mngrtgok.sys [?]

S1 MpKsl475090c2;MpKsl475090c2;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DD583FBE-E8EB-4D2B-A14B-E3B1FDA36BA6}\MpKsl475090c2.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DD583FBE-E8EB-4D2B-A14B-E3B1FDA36BA6}\MpKsl475090c2.sys [?]

S1 MpKslb1bce2b0;MpKslb1bce2b0;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B1972B72-EA9B-4F3B-94CC-7AB2992AAA33}\MpKslb1bce2b0.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B1972B72-EA9B-4F3B-94CC-7AB2992AAA33}\MpKslb1bce2b0.sys [?]

S1 MpKslbbaa285c;MpKslbbaa285c;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{029FE7AF-BCB4-4C50-B3CF-89FF3290FBFD}\MpKslbbaa285c.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{029FE7AF-BCB4-4C50-B3CF-89FF3290FBFD}\MpKslbbaa285c.sys [?]

S1 mxnljkqr;mxnljkqr;\??\c:\windows\system32\drivers\mxnljkqr.sys --> c:\windows\system32\drivers\mxnljkqr.sys [?]

S1 mzmwlnxz;mzmwlnxz;\??\c:\windows\system32\drivers\mzmwlnxz.sys --> c:\windows\system32\drivers\mzmwlnxz.sys [?]

S1 qcrfiofd;qcrfiofd;\??\c:\windows\system32\drivers\qcrfiofd.sys --> c:\windows\system32\drivers\qcrfiofd.sys [?]

S1 shcnknuo;shcnknuo;\??\c:\windows\system32\drivers\shcnknuo.sys --> c:\windows\system32\drivers\shcnknuo.sys [?]

S1 tdnzvczi;tdnzvczi;\??\c:\windows\system32\drivers\tdnzvczi.sys --> c:\windows\system32\drivers\tdnzvczi.sys [?]

S2 0073141303325209mcinstcleanup;McAfee Application Installer Cleanup (0073141303325209);c:\windows\TEMP\007314~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\007314~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/8/2010 4:57 PM 136176]

S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Dragon Age\bin_ship\daupdatersvc.service.exe [11/13/2008 9:25 PM 25832]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [9/8/2010 4:57 PM 136176]

S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [3/31/2010 3:08 AM 41272]

S3 RTCore32;RTCore32;c:\program files\EVGA Precision\RTCore32.sys [5/25/2005 11:39 AM 4608]

S3 SkLaggProtocol;Marvell Link Aggregation Protocol;c:\windows\system32\drivers\yk51x32l.sys [12/14/2007 10:10 AM 57344]

S3 SkVlanProtocol;Marvell VLAN Protocol;c:\windows\system32\drivers\yk51x32v.sys [11/23/2007 10:10 AM 20992]

S3 WinRing0_1_2_0;WinRing0_1_2_0;c:\supercog\Stress Test Kit\RealTemp\WinRing0.sys [7/26/2008 11:30 PM 14416]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [9/23/2009 10:31 PM 691696]

.

Contents of the 'Scheduled Tasks' folder

.

2011-07-01 c:\windows\Tasks\FRU Task 2003-04-10 00:56ewlett-Packard2003-04-10 00:56p psc 2100 series272A572217594EBCF1CEE215E352B92AD073FDE4269467192.job

- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-10 00:56]

.

2011-08-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-08 23:57]

.

2011-08-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-08 23:57]

.

2011-08-08 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 22:39]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://startpage.com/

uInternet Settings,ProxyOverride = <local>

uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

IE: Translate this web page with Babylon - c:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/ActionTU.htm

IE: Translate with Babylon - c:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Action.htm

TCP: DhcpNameServer = 68.87.69.150 68.87.85.102 68.87.69.146

FF - ProfilePath - c:\documents and settings\RAL\Application Data\Mozilla\Firefox\Profiles\0q5jmwr8.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.babylon.com/web/{searchTerms}?babsrc=browsersearch&AF=18776

FF - prefs.js: browser.search.selectedEngine - Search the web (Babylon)

FF - prefs.js: browser.startup.homepage - hxxp://search.babylon.com/home?AF=18776

FF - prefs.js: keyword.URL - hxxp://search.babylon.com/?babsrc=adbartrp&AF=18776&q=

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)

HKCU-Run-Steam - c:\program files\Steam\Steam.exe

AddRemove-DAEMON Tools Toolbar - c:\program files\DAEMON Tools Toolbar\uninst.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-08-07 20:02

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-1659004503-1592454029-839522115-1004\Software\SecuROM\License information*]

"datasecu"=hex:df,11,f0,6e,31,2d,d4,f5,18,ba,35,9a,df,f0,2e,92,05,89,51,4d,22,

d3,ae,3f,14,4a,1d,11,ed,d6,b1,81,1a,ed,2d,de,fa,28,76,cf,d5,e4,e7,c9,22,c1,\

"rkeysecu"=hex:7d,8b,5f,20,96,b4,c7,7c,03,28,80,50,c3,75,2e,c7

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(2168)

c:\windows\system32\WININET.dll

c:\progra~1\mcafee\SITEAD~1\saHook.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\nvsvc32.exe

c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe

c:\program files\Creative\Shared Files\CTAudSvc.exe

c:\windows\system32\CTsvcCDA.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\docume~1\RAL\LOCALS~1\Temp\Sound_Blaster_X-Fi_MB_Cleanup.0001

c:\windows\system32\RUNDLL32.EXE

c:\program files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe

c:\program files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe

c:\windows\system32\PnkBstrA.exe

c:\windows\system32\PSIService.exe

c:\program files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe

c:\windows\system32\rundll32.exe

c:\windows\system32\wscntfy.exe

c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe

c:\windows\system32\Rundll32.exe

.

**************************************************************************

.

Completion time: 2011-08-07 20:05:52 - machine was rebooted

ComboFix-quarantined-files.txt 2011-08-08 03:05

.

Pre-Run: 8,348,897,280 bytes free

Post-Run: 9,974,530,048 bytes free

.

- - End Of File - - 6C580CA5E30E7B57C7121D351F139759


  • Staff

Hello, what about

Spybot - Search & Destroy 1.6.2

Does that present any problems?

----

Also, what about leaving Lavasoft Ad-Aware installed on the computer IF it is not the one that is left running, which I UNinstalled as you requested?

Thanks

You can keep them installed if you're actively updating and using them. If not, they're just taking up space.

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and Scan unwanted applications are checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


ESET log.txt:

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=7.00.6000.17099 (vista_gdr.110617-1500)

# OnlineScanner.ocx=1.0.0.6528

# api_version=3.0.2

# EOSSerial=43c7ff149b4c4547a2909ead2f590d0a

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-08-12 03:20:47

# local_time=2011-08-11 08:20:47 (-0800, Pacific Daylight Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=512 16777215 100 0 977529 977529 0 0

# compatibility_mode=5891 16776533 42 87 0 9867833 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=185714

# found=37

# cleaned=36

# scan_time=7085

C:\Documents and Settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\RAL\Local Settings\Temp\ewcnsamoxr.exe Win32/Adware.LoudMo.D application (deleted - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\RAL\Local Settings\Temp\rhc07151_1.exe multiple threats (deleted - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\RAL\Local Settings\Temp\wmxrcanoes.exe Win32/Adware.LoudMo.D application (deleted - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\RAL\Local Settings\Temp\YontooIEClient.dll a variant of Win32/Adware.Yontoo.A application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\RAL\My Documents\Downloads\registrybooster.exe Win32/RegistryBooster application (deleted - quarantined) 00000000000000000000000000000000 C

C:\downloads\video\Sony Vegas Pro 8.0c (Build 260)\Sony Vegas Pro 8.0c (Build 260).zip a variant of Win32/Keygen.AR application (deleted - quarantined) 00000000000000000000000000000000 C

C:\downloads\WinKit\Nero 7 Premium\Nero-7.10.1.0_eng_trial.exe Win32/Toolbar.AskSBar application (deleted - quarantined) 00000000000000000000000000000000 C

C:\Program Files\Yontoo Layers Runtime\YontooIEClient.dll a variant of Win32/Adware.Yontoo.A application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Program Files\Yontoo Layers Runtime\YontooIEClient_2.dll a variant of Win32/Adware.Yontoo.A application (cleaned by deleting (after the next restart) - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\Documents and Settings\RAL\Application Data\Mozilla\Firefox\Profiles\0q5jmwr8.default\extensions\{08328d6d-01cf-4031-9890-3f71416c761d}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\Documents and Settings\RAL\Application Data\Mozilla\Firefox\Profiles\0q5jmwr8.default\extensions\{08328d6d-01cf-4031-9890-3f71416c761d}\chrome\xulcache.jar.vir JS/Agent.NDJ trojan (deleted - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\Documents and Settings\RAL\Application Data\Mozilla\Firefox\Profiles\0q5jmwr8.default\extensions\{a2310f74-e79d-49f9-b493-1bab207cef76}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\Documents and Settings\RAL\Application Data\Mozilla\Firefox\Profiles\0q5jmwr8.default\extensions\{a2310f74-e79d-49f9-b493-1bab207cef76}\chrome\xulcache.jar.vir JS/Agent.NDJ trojan (deleted - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\Documents and Settings\RAL\Application Data\Mozilla\Firefox\Profiles\0q5jmwr8.default\extensions\{cfa42fc2-2761-4ae4-9b73-1f877b06260e}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\Documents and Settings\RAL\Application Data\Mozilla\Firefox\Profiles\0q5jmwr8.default\extensions\{cfa42fc2-2761-4ae4-9b73-1f877b06260e}\chrome\xulcache.jar.vir JS/Agent.NDJ trojan (deleted - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\Documents and Settings\RAL\Application Data\Mozilla\Firefox\Profiles\0q5jmwr8.default\extensions\{e6cb7f4e-7ff7-449d-a654-34a59c7dd745}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\Documents and Settings\RAL\Application Data\Mozilla\Firefox\Profiles\0q5jmwr8.default\extensions\{e6cb7f4e-7ff7-449d-a654-34a59c7dd745}\chrome\xulcache.jar.vir JS/Agent.NDJ trojan (deleted - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\Documents and Settings\RAL\Application Data\Mozilla\Firefox\Profiles\0q5jmwr8.default\extensions\{f4911c94-0a6f-4377-829d-bdef9d5e75ed}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\Documents and Settings\RAL\Application Data\Mozilla\Firefox\Profiles\0q5jmwr8.default\extensions\{f4911c94-0a6f-4377-829d-bdef9d5e75ed}\chrome\xulcache.jar.vir JS/Agent.NDJ trojan (deleted - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{7E9E1C35-68C7-4F4F-B87E-1377EF9D6A24}\RP887\A0154597.manifest Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{7E9E1C35-68C7-4F4F-B87E-1377EF9D6A24}\RP888\A0154606.manifest Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{7E9E1C35-68C7-4F4F-B87E-1377EF9D6A24}\RP888\A0154628.manifest Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{7E9E1C35-68C7-4F4F-B87E-1377EF9D6A24}\RP892\A0157838.manifest Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{7E9E1C35-68C7-4F4F-B87E-1377EF9D6A24}\RP892\A0158832.manifest Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{7E9E1C35-68C7-4F4F-B87E-1377EF9D6A24}\RP901\A0159661.manifest Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{7E9E1C35-68C7-4F4F-B87E-1377EF9D6A24}\RP922\A0162687.manifest Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{7E9E1C35-68C7-4F4F-B87E-1377EF9D6A24}\RP922\A0162688.manifest Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{7E9E1C35-68C7-4F4F-B87E-1377EF9D6A24}\RP922\A0162689.manifest Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{7E9E1C35-68C7-4F4F-B87E-1377EF9D6A24}\RP922\A0162690.manifest Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{7E9E1C35-68C7-4F4F-B87E-1377EF9D6A24}\RP922\A0162691.manifest Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{7E9E1C35-68C7-4F4F-B87E-1377EF9D6A24}\RP929\A0163532.dll a variant of Win32/Adware.Yontoo.B application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{7E9E1C35-68C7-4F4F-B87E-1377EF9D6A24}\RP929\A0163535.exe Win32/Toolbar.AskSBar application (deleted - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{7E9E1C35-68C7-4F4F-B87E-1377EF9D6A24}\RP929\A0163536.dll a variant of Win32/Adware.Yontoo.A application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\WINDOWS\$XNTUninstall643$\bgjhu.dll a variant of Win32/Adware.Lifze.U application (cleaned by deleting (after the next restart) - quarantined) 00000000000000000000000000000000 C

C:\WINDOWS\$XNTUninstall643$\fbtil.dll a variant of Win32/Adware.Lifze.R application (cleaned by deleting (after the next restart) - quarantined) 00000000000000000000000000000000 C

${Memory} a variant of Win32/Adware.Yontoo.A application 00000000000000000000000000000000 I


Results of screen317's Security Check version 0.99.18

Windows XP Service Pack 3

Internet Explorer 7 Out of date!

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

ESET Online Scanner v3

Microsoft Security Essentials

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

DH Driver Cleaner Professional Edition

Java 6 Update 22

Out of date Java installed!

Adobe Flash Player 10.3.181.14

Mozilla Firefox (x86 en-US..)

````````````````````````````````

Process Check:

objlist.exe by Laurent

Windows Defender MSMpEng.exe

Microsoft Security Essentials msseces.exe

ESET ESET Online Scanner OnlineCmdLineScanner.exe

Microsoft Security Client Antimalware MsMpEng.exe

``````````End of Log````````````


Howdy ;-)

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=7.00.6000.17099 (vista_gdr.110617-1500)

# OnlineScanner.ocx=1.0.0.6528

# api_version=3.0.2

# EOSSerial=43c7ff149b4c4547a2909ead2f590d0a

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-08-19 01:19:14

# local_time=2011-08-18 06:19:14 (-0800, Pacific Daylight Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=512 16777215 100 0 1574766 1574766 0 0

# compatibility_mode=5891 16776533 42 87 0 10465070 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=184665

# found=3

# cleaned=3

# scan_time=7355

C:\System Volume Information\_restore{7E9E1C35-68C7-4F4F-B87E-1377EF9D6A24}\RP929\A0163538.dll a variant of Win32/Adware.Lifze.U application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{7E9E1C35-68C7-4F4F-B87E-1377EF9D6A24}\RP929\A0163539.dll a variant of Win32/Adware.Lifze.R application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{7E9E1C35-68C7-4F4F-B87E-1377EF9D6A24}\RP933\A0163819.dll a variant of Win32/Adware.Yontoo.A application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C


  • Staff

Hi,

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

Delete this folder:

C:\Program Files\Yontoo Layers Runtime

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following program (if present):

ESET Online Scanner v3

Adobe Reader 9.0

Java™ 6 Update 22

Restart your computer.

Get the latest version of Java and Adobe Reader.

Let me know what issues remain.

-screen317

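As an added example, not part of screen317's reply or of any tool used in this thread, here is a PowerShell script that verifies the steps above actually took effect and audits the persistence mechanism behind the IPH.GenericBHO and Yontoo detections earlier in the thread: Internet Explorer Browser Helper Objects. It assumes PowerShell 2.0 or later is installed on the XP SP3 machine and runs in an elevated console; the folder paths and program-name patterns are the ones named in the thread, and C:\Qoobox is assumed to be ComboFix's quarantine folder.

```powershell
# Added example, not from screen317's reply or any tool the thread uses.
# Verifies the cleanup steps on the XP SP3 machine and audits IE Browser Helper
# Objects. Assumes PowerShell 2.0 or later in an elevated console; paths and
# name patterns are taken from the thread.
$ErrorActionPreference = 'SilentlyContinue'

# 1. Items that should be gone after "Combofix /uninstall" and the manual delete.
#    C:\Qoobox is ComboFix's quarantine folder (assumption); the Yontoo path is the
#    one screen317 asked to delete.
$paths = @('C:\Qoobox', 'C:\ComboFix.txt', 'C:\Program Files\Yontoo Layers Runtime')
foreach ($path in $paths) {
    if (Test-Path $path) { Write-Output "STILL PRESENT: $path" }
    else                 { Write-Output "gone:          $path" }
}

# 2. Installed programs that were supposed to be removed or updated. Reads the
#    same Uninstall key that Add or Remove Programs displays, so an entry still
#    listed here means the uninstall did not complete.
$uninstallKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
Get-ChildItem $uninstallKey |
    ForEach-Object { Get-ItemProperty $_.PSPath } |
    Where-Object { $_.DisplayName -match 'Java|Adobe Reader|ESET Online Scanner|Yontoo' } |
    Select-Object DisplayName, DisplayVersion, UninstallString |
    Format-Table -AutoSize

# 3. Every registered Browser Helper Object, resolved through its CLSID to the
#    DLL Internet Explorer will load, with the file's Authenticode status.
#    Compare the list against what you expect to be installed; an unfamiliar DLL
#    here is worth uploading to the scanners used earlier in the thread.
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
Get-ChildItem $bhoKey | ForEach-Object {
    $clsid  = $_.PSChildName
    $name   = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid").'(default)'
    $dll    = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32").'(default)'
    $status = if ($dll -and (Test-Path $dll)) { (Get-AuthenticodeSignature $dll).Status } else { 'DllMissing' }
    New-Object PSObject -Property @{ CLSID = $clsid; Name = $name; Dll = $dll; Signature = $status }
} | Format-Table CLSID, Name, Dll, Signature -AutoSize
```

Two caveats when reading the output. Windows' own DLLs on XP are signed through catalog files, which Get-AuthenticodeSignature in PowerShell 2.0 does not consult, so NotSigned on a Microsoft library is expected rather than suspicious. And a path under C:\WINDOWS\system32 is not reassuring by itself: the Malwarebytes log at the top of this thread shows the malicious BHO living there as authz32.dll, so judge each entry by whether you recognise the name and vendor, not by where it sits. On 32-bit XP the HKLM key above is the only BHO registration point; there is no Wow6432Node to check.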

  • 2 weeks later...

Howdy! A follow-up run of ESET found nothing.

Dear Sentinel, do you have any advice about this?:

Comcast Security Notice

Constant Guard™ Alert

Dear XFINITY Customer, your immediate attention is required. Constant Guard from XFINITY identified that one or more of your computers may be infected with a bot. A bot is a malicious form of software that is used to send spam, host a phishing site, or steal your identity by monitoring your keystrokes without your knowledge. It may be possible you are unaware that your computer is infected with a bot. We strongly recommend you visit XFINITY.com/BotAssistance

http://xfinity.comcast.net/constantguard/botassistance/?CMP=EMC-Email1&utm_source=Notification&utm_medium=Email&utm_campaign=Email1

for important information on how to remove malicious software from your computer(s). We appreciate your prompt attention to this important security notice. Sincerely, Constant Guard from XFINITY

thanks


  • 2 weeks later...

This topic is now closed to further replies.