Google Search links redirecting to zn website (All my google search links keep redirecting to other infected websites)
Shah123 (Members)
post Nov 24 2009, 08:16 PM
Post #16

Hi Myrti,

I tried running ComboFix unsuccessfully. I removed my Norton antivirus as it kept bringing up ComboFix errors. Once I removed it, ComboFix ran and then restarted, but then it got Windows to crash. This happened twice, so I ran ComboFix in Windows Safe Mode with Networking. I got a message saying that rootkit activity was detected, but then again it got Windows to crash.

Not sure what is going on, as no log file was produced and it keeps crashing Windows.

What should I do now?

Kind regards

Amit
myrti (Malware Response Instructor)
post Nov 24 2009, 09:50 PM
Post #17

Hi,

OK, let's try to do this differently then. Do you have your Vista CD close by?

regards myrti


--------------------

Help requests via PM will be ignored, unless I am already helping you. Please use the forums!

If I have helped you, please consider helping me continue the malware fight! Thank you!

I'll be gone from 30th July - 5th August. Sorry for any inconvenience caused.
Shah123 (Members)
post Nov 25 2009, 10:29 AM
Post #18

Hi Myrti,

My Vista came installed with my computer. I didn't get any CD for it.

Is there anywhere I can download it and use my product key, which is stuck on the back of my laptop?

Did you look at the post I sent you of thbytes, as he had a guy who had a similar problem?

Looking forward to hearing from you. Thanks again for your patience in helping me.

Kind regards

Amit

myrti (Malware Response Instructor)
post Nov 25 2009, 06:13 PM
Post #19

Hi,

Yes, I had a look at the link you gave me to thcbytes, and you do indeed have the same infection.

I do not want you to reinstall your system just yet. I only wish to access the repair console, to perform the following steps:

Booting into the Windows Vista WinRE Environment using Windows Vista disk


Please insert your Windows Vista installation media into your CD-ROM/DVD drive and reboot your computer. During the reboot and at boot up you should see "Press any key to boot from CD/DVD...". If you see that, please press any key to continue and follow the next set of instructions on "Using the Vista CD Disk to Access the Vista WinRE Environment". If not, please follow the next set of instructions on "How to Configure the System to Boot from CD/DVD" and then follow the steps in "Using the Vista CD Disk to Access the Vista WinRE Environment".

How to Configure the system to boot from CD/DVD

Some machines will automatically attempt to boot from the CD if a CD is inserted; if that is the case, please skip the instructions below...
  • Please reboot your machine or turn it on (without the CD).
  • As soon as the BIOS is loaded, begin tapping F2 or F12, or perhaps F9, F10 or F11 (try all of them if unsure, starting with F2).
  • Different Machines have different keys.
  • This will bring up the configuration options, please use your arrow keys to go to the Boot Tab.
  • In the Boot tab, there should be instructions on your right-hand side on how to move your CD/DVD as the top or First Priority
  • After you have moved CD/DVD at the top/first priority, please make sure you SAVE AND EXIT <- Important
  • It will now exit with Configuration settings saved.
Using the Vista CD Disk to Access the Vista WinRE Environment
  • Insert the Windows Vista disk in your computer.
  • Restart your computer so you are booting off of the CD.
  • During the reboot and boot up you will get a message saying: "Press any key to boot from CD", press Enter on your keyboard.
  • Select your language options, Time and Keyboard and press Next
  • At the next prompt press
  • Select your Operating System (Windows Vista; the main one) from the list, and then press Next
  • Now press the Command Prompt option.
  • Enter the following code line by line one at a time and pressing enter on your keyboard on each line.
  • Wait for each command to be completed before continuing with the next one.
    CODE
    copy C:\windows\system32\atapi.sys C:\atapi.bad
    copy C:\Windows\System32\DriverStore\FileRepository\iaahci.inf_1cb29a96\iaStor.sys C:\windows\system32\atapi.sys
  • Press the Restart button and remove your Windows Vista disk from the DVD drive. Windows should now begin to load.

Since you do not have your CD handy, please download the Repair Environment here: Link and burn it to CD. If you need help on how to burn a CD, please consult the following tutorial: How to write a CD image from ISO

Please reboot your PC and let me know how it is doing.

regards myrti


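The WinRE step above replaces a storage miniport driver on disk with a copy from the DriverStore. The check a responder wants around that step is a hash comparison of the live driver against each reference copy that is available: before the overwrite, to confirm the live file really differs from the known-good copy, and after it, to confirm the copy landed. The script below is an added example and is not from the original post or from any of the forum's tools. It takes the driver name as a parameter, since the post's copy commands name atapi.sys while the ComboFix log later in this thread records iastor.sys being replaced. The file paths are constructed in a temporary directory, and the "same-size mismatch" reading (identical length, different bytes) is an assumption used to tell an in-place patch apart from a different driver build.

```python
"""Hash a live Windows storage driver against reference copies.

Added example; not code from the original thread. The paths in demo() are
constructed inside a temporary directory to stand in for
System32\\drivers\\iastor.sys, the DriverStore copy and the OEM copy.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class DriverCheck:
    reference: str
    same_size: bool
    same_hash: bool

    @property
    def verdict(self) -> str:
        if self.same_hash:
            return "match"
        if self.same_size:
            # Assumption used for triage: identical length but different bytes is
            # what an in-place patch of the driver image looks like.
            return "same-size mismatch (possible in-place patch)"
        return "size mismatch (different build; compare versions before overwriting)"


def sha256_of(path: str) -> str:
    """Stream the file so large drivers are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_driver(live_path: str, reference_paths: List[str]) -> List[DriverCheck]:
    """Compare the live driver with every reference copy that is available."""
    live_hash = sha256_of(live_path)
    live_size = os.path.getsize(live_path)
    return [
        DriverCheck(
            reference=ref,
            same_size=os.path.getsize(ref) == live_size,
            same_hash=sha256_of(ref) == live_hash,
        )
        for ref in reference_paths
    ]


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: a clean DriverStore copy, an OEM copy of a
    different build, and a live driver that was patched in place."""
    clean = b"MZ" + bytes(range(256)) * 4
    patched = bytearray(clean)
    patched[600:616] = b"\x90" * 16      # 16 bytes overwritten, length unchanged
    other_build = clean + b"\x00" * 64   # different build, different length
    with tempfile.TemporaryDirectory() as workdir:
        live = os.path.join(workdir, "iastor.sys")
        store = os.path.join(workdir, "DriverStore_iaStor.sys")
        oem = os.path.join(workdir, "oem_iastor.sys")
        for path, data in ((live, bytes(patched)), (store, clean), (oem, other_build)):
            with open(path, "wb") as handle:
                handle.write(data)
        before = [check.verdict for check in check_driver(live, [store, oem])]
        # Simulate the WinRE copy step: overwrite the live driver with the store copy.
        with open(store, "rb") as src, open(live, "wb") as dst:
            dst.write(src.read())
        after = [check.verdict for check in check_driver(live, [store, oem])]
    return {"before": before, "after": after}


if __name__ == "__main__":
    for stage, verdicts in demo().items():
        for verdict in verdicts:
            print(f"{stage}: {verdict}")
```

On a real machine the comparison belongs in the same place the thread puts the copy: a clean boot environment with the system disk mounted, pointing live_path at \Windows\System32\drivers\<driver>.sys and the references at the DriverStore and OEM copies. A hash taken from inside the running, infected system is only as trustworthy as the kernel that answers the read, which is exactly what a kernel rootkit controls.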
Shah123 (Members)
post Nov 25 2009, 06:29 PM
Post #20

Hi Myrti,

My system gave me the option to "repair your computer" when Windows crashed. I am just downloading the repair file you have told me about.

Will let you know once that is done. I am afraid it won't be today, as I have left the laptop at work as it seemed useless.

Do I need to leave the laptop off our company network? Basically the question is, can this virus spread, or shouldn't it matter?

Kind regards

Amit
myrti (Malware Response Instructor)
post Nov 25 2009, 07:06 PM
Post #21

Hi,

An infected PC should always be used as little as possible and be connected to the internet or network as little as possible. I am not aware of this infection spreading over networks. However, I'm sure the malware writers won't limit themselves to what I am aware of, and hence I would suggest keeping it offline as much as possible.

regards myrti


Shah123 (Members)
post Nov 26 2009, 06:40 PM
Post #22

Hi Myrti,

I tried doing the CD-ROM fix you suggested but couldn't get the computer to boot from the CD-ROM. I was getting frustrated, so I tried running the script and ComboFix that you had earlier supplied and, guess what, it ran.

I got the log below from ComboFix. The errors seem to have gone, but I am not sure if it is just hiding somewhere. Please see the ComboFix file below:

ComboFix 09-11-24.02 - Amit 26/11/2009 10:11.8.2 - x86
Microsoft® Windows Vista™ Business 6.0.6001.1.1252.44.1033.18.3062.1792 [GMT 0:00]
Running from: c:\users\Amit\Desktop\ComboFix.exe
Command switches used :: c:\users\Amit\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\tosapins\Intel Matrix Storage Manager\Inf setup\iastor.sys --> c:\windows\system32\drivers\iastor.sys
.
((((((((((((((((((((((((( Files Created from 2009-10-26 to 2009-11-26 )))))))))))))))))))))))))))))))
.

2009-11-26 10:20 . 2009-11-26 10:20 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-11-26 10:20 . 2009-11-26 10:20 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-11-26 10:20 . 2009-11-26 10:20 -------- d-----w- c:\users\Amit Shah\AppData\Local\temp
2009-11-26 10:20 . 2009-11-26 10:20 -------- d-----w- c:\users\Amanda\AppData\Local\temp
2009-11-26 10:20 . 2009-11-26 10:20 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2009-11-26 10:20 . 2009-11-26 10:20 -------- d-----w- c:\users\Administrator.JUTE\AppData\Local\temp
2009-11-26 10:20 . 2009-11-26 10:20 -------- d-----w- c:\users\Administrator.AmitPC\AppData\Local\temp
2009-11-26 10:07 . 2009-11-26 10:08 24576 d-----w- C:\32788R22FWJFW
2009-11-25 17:51 . 2009-10-29 09:41 2048 ----a-w- c:\windows\system32\tzres.dll
2009-11-25 17:40 . 2009-11-25 17:40 8192 d-----w- c:\windows\SQL9_KB970892_ENU
2009-11-25 03:01 . 2009-08-14 17:07 897608 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-11-25 03:01 . 2009-08-14 16:29 104960 ----a-w- c:\windows\system32\netiohlp.dll
2009-11-25 03:01 . 2009-08-14 14:16 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-11-25 03:01 . 2009-08-14 14:16 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-11-25 03:01 . 2009-08-14 14:16 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-11-25 03:01 . 2009-08-14 14:16 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-11-25 03:01 . 2009-08-14 14:16 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-11-25 03:01 . 2009-08-14 14:16 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-11-25 03:01 . 2009-08-14 14:16 10240 ----a-w- c:\windows\system32\finger.exe
2009-11-25 03:01 . 2009-08-14 16:29 17920 ----a-w- c:\windows\system32\netevent.dll
2009-11-25 01:43 . 2009-07-11 19:32 293376 ----a-w- c:\windows\system32\wlanmsm.dll
2009-11-25 01:43 . 2009-07-11 19:29 127488 ----a-w- c:\windows\system32\L2SecHC.dll
2009-11-25 01:43 . 2009-07-11 19:32 513024 ----a-w- c:\windows\system32\wlansvc.dll
2009-11-25 01:43 . 2009-07-11 19:32 302592 ----a-w- c:\windows\system32\wlansec.dll
2009-11-25 01:43 . 2009-08-10 11:01 1399296 ----a-w- c:\windows\system32\msxml6.dll
2009-11-25 01:43 . 2009-08-10 11:00 1257472 ----a-w- c:\windows\system32\msxml3.dll
2009-11-25 01:43 . 2009-06-15 15:24 156672 ----a-w- c:\windows\system32\t2embed.dll
2009-11-25 01:43 . 2009-06-15 15:20 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-11-25 01:43 . 2009-06-15 15:20 10240 ----a-w- c:\windows\system32\dciman32.dll
2009-11-25 01:43 . 2009-06-15 12:52 289792 ----a-w- c:\windows\system32\atmfd.dll
2009-11-25 01:41 . 2009-07-17 14:35 71680 ----a-w- c:\windows\system32\atl.dll
2009-11-25 01:40 . 2009-07-14 13:00 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-11-25 01:40 . 2009-07-14 12:59 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-11-25 01:40 . 2009-07-14 12:58 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-11-25 01:40 . 2009-07-14 10:59 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-11-25 01:40 . 2009-09-04 12:24 61440 ----a-w- c:\windows\system32\msasn1.dll
2009-11-25 01:40 . 2009-04-23 12:43 784896 ----a-w- c:\windows\system32\rpcrt4.dll
2009-11-25 01:40 . 2009-09-14 09:44 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-11-25 01:40 . 2009-08-10 13:05 351232 ----a-w- c:\windows\system32\WSDApi.dll
2009-11-25 01:30 . 2009-04-02 12:37 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2009-11-25 01:18 . 2009-11-02 20:42 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-25 01:15 . 2009-08-07 02:24 44768 ----a-w- c:\windows\system32\wups2.dll
2009-11-25 01:15 . 2009-08-07 02:24 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-11-25 01:15 . 2009-08-07 02:23 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-11-25 01:15 . 2009-08-07 01:45 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-11-25 01:15 . 2009-08-07 02:24 35552 ----a-w- c:\windows\system32\wups.dll
2009-11-25 01:15 . 2009-08-07 02:23 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-11-25 01:15 . 2009-08-07 01:44 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-11-25 01:15 . 2009-08-06 19:23 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-11-25 01:15 . 2009-08-06 18:44 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-11-25 01:14 . 2009-11-25 01:14 4096 d-----w- c:\program files\Microsoft Security Essentials
2009-11-24 23:00 . 2009-11-24 23:00 -------- d-----w- c:\program files\VS Revo Group
2009-11-24 22:06 . 2009-11-26 10:21 12288 d-----w- c:\users\Amit\AppData\Local\temp
2009-11-23 10:36 . 2009-09-10 14:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-23 10:36 . 2009-11-23 10:36 4096 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-23 10:36 . 2009-09-10 14:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-20 12:38 . 2009-11-20 13:14 4096 d-----w- c:\users\Amit\AppData\Roaming\FileZilla
2009-11-20 12:20 . 2009-11-20 12:20 4096 d-----w- c:\program files\CA VMN Anti-Spyware
2009-11-20 10:07 . 2009-11-20 10:07 -------- d-----w- c:\users\Amit\AppData\Roaming\Zeon
2009-11-20 10:07 . 2009-11-20 10:07 -------- d-----w- c:\users\Amit\AppData\Roaming\ScanSoft
2009-11-20 09:57 . 2009-11-20 09:57 -------- d-----w- c:\users\Amit\AppData\Local\Scansoft
2009-11-20 09:29 . 2009-11-20 09:29 0 ----a-w- c:\program files\error.dat
2009-11-20 09:22 . 2009-11-20 09:22 -------- d-----w- c:\program files\Nuance
2009-11-20 09:21 . 2009-11-20 09:21 -------- d-----w- c:\programdata\InstallShield
2009-11-20 09:19 . 2009-11-20 09:19 4096 d-----w- c:\program files\Common Files\ScanSoft Shared
2009-11-20 09:19 . 2009-11-20 09:21 -------- d-----w- c:\programdata\ScanSoft
2009-11-20 09:19 . 2009-11-20 09:19 -------- d-----w- c:\program files\ScanSoft
2009-11-20 09:17 . 2009-11-20 09:17 -------- d-----w- c:\programdata\Brother
2009-11-12 09:44 . 2009-11-12 09:44 -------- d-----w- c:\program files\MSSOAP
2009-11-12 09:44 . 2009-11-12 09:44 -------- d-----w- c:\program files\Webroot
2009-11-12 09:37 . 2009-11-12 09:37 164 ----a-w- c:\windows\install.dat
2009-11-12 09:09 . 2009-11-20 10:39 -------- d-----w- c:\program files\Enigma Software Group
2009-11-10 09:12 . 2009-11-10 09:12 4096 d-----w- c:\program files\Microsoft Office Outlook Connector
2009-11-07 18:04 . 2007-03-30 09:03 172032 ----a-w- c:\windows\system32\igfxres.dll
2009-11-03 00:51 . 2009-11-03 00:51 -------- d-----w- C:\!KillBox
2009-11-02 22:49 . 2009-11-02 22:49 -------- d-----w- c:\users\Amit\AppData\Roaming\Malwarebytes
2009-11-02 22:49 . 2009-11-02 22:49 -------- d-----w- c:\programdata\Malwarebytes
2009-11-01 22:42 . 2009-11-01 22:42 -------- d-----w- c:\users\Amit\AppData\Roaming\vlc
2009-11-01 22:39 . 2009-11-01 22:39 -------- d-----w- c:\users\Amit\AppData\Local\Graboid_Inc
2009-11-01 22:38 . 2009-11-01 22:39 -------- d-----w- c:\users\Amit\AppData\Roaming\MozillaControl
2009-11-01 22:38 . 2009-11-24 23:33 -------- d-----w- c:\users\Amit\AppData\Local\Graboid
2009-11-01 22:37 . 2009-11-01 22:37 -------- d-----w- c:\program files\Mozilla ActiveX Control v1.7.12

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-26 09:13 . 2008-06-12 07:50 5648 ----a-w- c:\users\Amit\AppData\Local\d3d9caps.dat
2009-11-25 17:44 . 2008-09-24 22:33 4096 d-----w- c:\program files\Microsoft Silverlight
2009-11-25 17:42 . 2007-07-16 11:31 4096 d-----w- c:\program files\Microsoft SQL Server
2009-11-24 23:24 . 2007-07-16 11:36 4096 d-----w- c:\programdata\Symantec
2009-11-24 23:24 . 2007-07-16 11:35 12288 d-----w- c:\program files\Common Files\Symantec Shared
2009-11-24 17:55 . 2008-02-23 04:23 4096 d-----w- c:\users\Amit\AppData\Roaming\Corel
2009-11-24 10:38 . 2008-02-23 04:23 2984 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-11-20 13:15 . 2008-03-03 02:30 4096 d-----w- c:\users\Amit\AppData\Roaming\Skype
2009-11-20 12:37 . 2008-04-28 11:56 -------- d-----w- c:\users\Amit\AppData\Roaming\SiteClasses
2009-11-20 12:06 . 2008-03-05 11:32 8192 d-----w- c:\users\Amit\AppData\Roaming\skypePM
2009-11-20 09:58 . 2008-02-22 16:52 105312 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-11-20 09:29 . 2009-11-20 09:23 4096 d-----w- c:\program files\Brother
2009-11-20 09:29 . 2007-07-16 10:22 8192 d--h--w- c:\program files\InstallShield Installation Information
2009-11-20 09:24 . 2009-11-20 09:24 50 ----a-w- c:\windows\system32\bridf08a.dat
2009-11-20 09:19 . 2007-07-16 10:29 4096 d-----w- c:\program files\Common Files\InstallShield
2009-11-11 17:52 . 2009-03-26 11:26 4096 d-----w- c:\programdata\inFlow Inventory
2009-11-11 10:54 . 2009-01-24 13:03 4096 d-----w- c:\programdata\Lx_cats
2009-11-11 10:54 . 2009-11-11 10:54 20236344 ----a-w- c:\programdata\SPLCE13.tmp
2009-11-11 08:31 . 2009-06-18 11:27 -------- d-----w- c:\program files\Nokia
2009-11-10 09:11 . 2008-03-02 23:46 4096 d-----w- c:\program files\Windows Live
2009-11-10 09:10 . 2009-03-19 12:07 4096 d-----w- c:\program files\Microsoft
2009-11-07 17:42 . 2008-02-23 00:03 400152 ----a-w- c:\windows\system32\igxpun.exe
2009-11-07 17:42 . 2008-02-23 00:03 319456 ----a-w- c:\windows\system32\difxapi.dll
2009-11-03 00:45 . 2008-02-29 23:10 8192 d-----w- c:\users\Amit\AppData\Roaming\LimeWire
2009-10-29 13:25 . 2009-10-12 08:28 -------- d-----w- c:\users\Amit\AppData\Roaming\Nitro PDF
2009-10-26 22:30 . 2008-03-15 14:52 24576 d-----w- c:\program files\Sage Payroll
2009-10-26 11:55 . 2009-10-26 11:55 -------- d-----w- c:\program files\Trend Micro
2009-10-26 08:43 . 2009-10-26 08:38 691 ----a-w- c:\users\Amit\AppData\Roaming\GetValue.vbs
2009-10-26 08:43 . 2009-10-26 08:38 35 ----a-w- c:\users\Amit\AppData\Roaming\SetValue.bat
2009-10-26 08:43 . 2009-10-26 08:38 35 ----a-w- c:\users\Amit\AppData\Roaming\SetValue.bat
2009-10-12 08:23 . 2009-10-12 08:23 -------- d-----w- c:\programdata\Nitro PDF
2009-10-12 08:11 . 2009-10-12 08:11 -------- d-----w- c:\users\Amit\AppData\Roaming\Downloaded Installations
2009-09-15 09:17 . 2009-09-15 09:17 61760 ----a-w- c:\windows\system32\ASTSRV.EXE
2009-09-15 09:16 . 2009-10-12 08:23 17728 ----a-w- c:\windows\system32\nitrolocalui.dll
2009-09-15 09:15 . 2009-10-12 08:23 26432 ----a-w- c:\windows\system32\nitrolocalmon.dll
2009-09-10 17:30 . 2009-11-25 01:42 213504 ----a-w- c:\windows\system32\msv1_0.dll
2008-04-23 16:31 . 2008-02-23 04:23 88 --sh--r- c:\windows\System32\1DA51FC317.sys
2002-04-16 11:27 . 2002-04-16 11:27 5 --sha-w- c:\windows\System32\CdI5T.drv
1998-03-20 01:00 . 1998-03-20 01:00 1048 --sha-w- c:\windows\System32\flfnlf.sys
1998-03-20 01:00 . 1998-03-20 01:00 1048 --sha-w- c:\windows\System32\rlfnlf.sys
1998-03-20 01:00 . 1998-03-20 01:00 1048 --sha-w- c:\windows\System32\TMail3FL.SYS
1998-03-20 01:00 . 1998-03-20 01:00 1048 --sha-w- c:\windows\System32\TMailRL.sys
.

((((((((((((((((((((((((((((( SnapShot_2009-11-26_09.32.20 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-07-16 10:20 . 2009-11-26 10:04 75568 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-11-26 10:04 95754 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-02-22 17:02 . 2009-11-26 10:04 16332 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3893172770-3419665954-1935258406-1137_UserData.bin
- 2009-11-26 09:12 . 2009-11-26 09:12 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-11-26 10:01 . 2009-11-26 10:01 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-11-26 09:12 . 2009-11-26 09:12 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-11-26 10:01 . 2009-11-26 10:01 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-11-07 17:09 . 2009-11-26 09:59 492696 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2009-11-07 17:09 . 2009-11-26 09:10 492696 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2006-11-02 10:22 . 2009-11-26 09:06 6553600 c:\windows\System32\SMI\Store\Machine\schema.dat
+ 2006-11-02 10:22 . 2009-11-26 10:05 6553600 c:\windows\System32\SMI\Store\Machine\schema.dat
+ 2009-11-26 10:09 . 2009-11-26 10:09 6336512 c:\windows\ERDNT\Hiv-backup\schema.dat
+ 2008-02-23 18:08 . 2009-11-26 10:05 144028672 c:\windows\winsxs\ManifestCache\6.0.6001.18000_001c50b5_blobs.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2006-12-03 16:03 2854912 ----a-w- c:\program files\Protector Suite QL\farchns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2006-12-03 16:03 2854912 ----a-w- c:\program files\Protector Suite QL\farchns.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2006-11-13 413696]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-05-13 39408]
"Google Update"="c:\users\Amit\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-11-13 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ThpSrv"="c:\windows\system32\thpsrv" [X]
"NcpPopup"="c:\program files\WatchGuard\Mobile VPN\ncppopup.exe noerrmsg" [X]
"NcpMonitor"="c:\program files\WatchGuard\Mobile VPN\ncpmon.exe autorun" [X]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe " [X]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"TOSDCR"="c:\program files\TOSHIBA\PasswordUtility\TOSDCR.exe" [2007-01-10 174200]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2007-03-29 411192]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2006-12-07 55416]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-04-26 538744]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-05-11 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-11 8429568]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-05-11 81920]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2006-09-11 180224]
"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2006-12-03 49168]
"TosAutLk"="c:\program files\TOSHIBA\WirelessKeyLogon\TosAutLk.exe" [2007-06-13 116304]
"topi"="c:\program files\TOSHIBA\Toshiba Online Product Information\topi.exe" [2007-04-02 577536]
"Toshiba Registration"="c:\program files\Toshiba\Registration\ToshibaRegistration.exe" [2007-05-04 571024]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"TOSUSBSvr"="c:\program files\TOSHIBA\dynadock Utility\TOSUSBSvr.exe" [2007-12-28 274432]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-05-16 509496]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-04 413696]
"NcpBudget"="c:\program files\WatchGuard\Mobile VPN\ncpbudgt.exe" [2008-01-17 401920]
"NcpRsuGui"="c:\program files\WatchGuard\Mobile VPN\rwsrsu.exe" [2008-02-08 266240]
"WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2007-04-11 26704]
"lxdomon.exe"="c:\program files\Lexmark 9500 Series\lxdomon.exe" [2007-09-06 450560]
"lxdoamon"="c:\program files\Lexmark 9500 Series\lxdoamon.exe" [2007-08-10 20480]
"Lexmark 9500 Series Fax Server"="c:\program files\Lexmark 9500 Series\fm3032.exe" [2007-09-18 307200]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2003-01-27 376912]
"Adobe Acrobat Speed Launcher"="e:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="e:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-11 640376]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-06 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-06 154392]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-06 133912]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2008-07-09 29984]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2008-07-09 46368]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2008-02-19 1089536]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-12-21 86016]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2009-09-13 1048392]
"NDSTray.exe"="NDSTray.exe" [BU]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-05-13 6139904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"DisableCAD"= 1 (0x1)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-12-03 15:50 90112 ----a-w- c:\windows\System32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Service Manager.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Service Manager.lnk
backup=c:\windows\pss\Service Manager.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Amit^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Desktop Manager.lnk]
path=c:\users\Amit\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Desktop Manager.lnk
backup=c:\windows\pss\Desktop Manager.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R0 dlkmdldr;dlkmdldr;c:\windows\System32\drivers\dlkmdldr.sys [13/12/2007 09:08 6656]
R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\System32\drivers\thpdrv.sys [27/04/2007 09:22 21504]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\System32\drivers\Thpevm.sys [07/02/2007 16:29 6528]
R2 DisplayLinkService;DisplayLink Service;c:\program files\DisplayLink Core Software\DisplayLinkService.exe [13/12/2007 09:28 439656]
R2 dlkmd;dlkmd;c:\windows\System32\drivers\dlkmd.sys [13/12/2007 09:08 224768]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\System32\drivers\LMIRfsDriver.sys [21/10/2008 16:30 47640]
R2 lxdo_device;lxdo_device;c:\windows\system32\lxdocoms.exe -service --> c:\windows\system32\lxdocoms.exe -service [?]
R2 lxdoCATSCustConnectService;lxdoCATSCustConnectService;c:\windows\System32\spool\drivers\w32x86\3\lxdoserv.exe [17/07/2007 12:26 94208]
R2 MSSQL$ACT7;SQL Server (ACT7);e:\program files\Microsoft SQL Server\MSSQL.3\MSSQL\Binn\sqlservr.exe [10/02/2007 04:29 29178224]
R2 MSSQL$INFLOWSQL;SQL Server (INFLOWSQL);c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [27/05/2009 03:27 29262680]
R2 ncpclcfg;ncpclcfg;c:\program files\WatchGuard\Mobile VPN\ncpclcfg.exe [18/12/2008 00:43 81920]
R2 ncprwsnt;ncprwsnt;c:\program files\WatchGuard\Mobile VPN\NCPRWSNT.EXE [18/12/2008 00:43 1036296]
R3 CM1063264;C-Media CM106 Like Sound UDAX Interface;c:\windows\System32\drivers\CM106.sys [02/06/2008 09:18 1298944]
R3 DisplayLinkUsbPort;DisplayLink USB Device;c:\windows\System32\drivers\DisplayLinkUsbPort.sys [26/11/2007 10:21 20992]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\System32\drivers\MpNWMon.sys [18/06/2009 18:48 42480]
R3 ncplelhp;WatchGuard Secure Client NDIS6 Driver;c:\windows\System32\drivers\ncplelhp.sys [18/12/2008 00:43 72520]
S1 ncpfilt;WatchGuard Filter;c:\windows\System32\drivers\ncplelhp.sys [18/12/2008 00:43 72520]
S2 NcpSec;NcpSec;c:\program files\WatchGuard\Mobile VPN\NCPSEC.EXE [18/12/2008 00:43 45056]
S2 rwsrsu;RwsRsu;c:\program files\WatchGuard\Mobile VPN\rwsrsu.exe [18/12/2008 00:43 266240]
S2 sugarApache;sugarApache;"e:\progra~1\SUGARC~1.0G\apache2\bin\Apache.exe" -k runservice --> e:\progra~1\SUGARC~1.0G\apache2\bin\Apache.exe [?]
S2 sugarMysql;sugarMysql;e:\progra~1\SUGARC~1.0G\mysql\bin\mysqld.exe --defaults-file=e:\progra~1\SUGARC~1.0G\mysql\my.ini sugarMysql --> e:\progra~1\SUGARC~1.0G\mysql\bin\mysqld.exe --defaults-file=e:\progra~1\SUGARC~1.0G\mysql\my.ini sugarMysql [?]
S3 hwcdcmdm0;HUAWEI Mobile Connect - 3G Modem;c:\windows\System32\drivers\ewusbmdm.sys [10/12/2008 16:08 101376]
S3 hwusbser;HUAWEI Mobile Connect - 3G Application Interface;c:\windows\System32\drivers\ewusbser.sys [07/10/2008 05:18 65152]
S3 MSSQL$CRM;MSSQL$CRM;c:\program files\Microsoft SQL Server\MSSQL$CRM\Binn\sqlservr.exe [04/05/2005 00:04 9150464]
S3 SQLAgent$CRM;SQLAgent$CRM;c:\program files\Microsoft SQL Server\MSSQL$CRM\Binn\sqlagent.EXE [03/05/2005 21:42 323584]
S3 TEUSBMU;Panasonic Analog PBX USB Main Unit driver;c:\windows\System32\drivers\TEUSBMU.sys [24/03/2008 23:59 20992]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
.
Contents of the 'Scheduled Tasks' folder

2009-11-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3893172770-3419665954-1935258406-1137Core.job
- c:\users\Amit\AppData\Local\Google\Update\GoogleUpdate.exe [2009-11-13 15:38]

2009-11-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3893172770-3419665954-1935258406-1137UA.job
- c:\users\Amit\AppData\Local\Google\Update\GoogleUpdate.exe [2009-11-13 15:38]

2009-11-25 c:\windows\Tasks\User_Feed_Synchronization-{04075EE5-038B-4472-98C1-101EED117DEA}.job
- c:\windows\system32\msfeedssync.exe [2008-07-25 07:33]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.co.uk/ig
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: {{76577871-04EC-495E-A12B-91F7C3600AFA} - http://rover.ebay.com/rover/1/710-44557-9400-3/4
IE: {{8A918C1D-E123-4E36-B562-5C1519E434CE} - http://www.amazon.co.uk/exec/obidos/redire...1&site=home
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-26 10:21
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(736)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Protector Suite QL\infra.dll

- - - - - - - > 'Explorer.exe'(5920)
c:\program files\Protector Suite QL\farchns.dll
c:\program files\Protector Suite QL\infra.dll
.
Completion time: 2009-11-26 10:25
ComboFix-quarantined-files.txt 2009-11-26 10:24
ComboFix2.txt 2009-11-26 09:36
ComboFix3.txt 2009-11-24 22:21
ComboFix4.txt 2009-11-24 09:54

Pre-Run: 3,638,931,456 bytes free
Post-Run: 3,641,425,920 bytes free

- - End Of File - - 69C039BFB798777A96338F29597B1771

Awaiting your next instructions.

Kind regards


Amit
myrti
post Nov 27 2009, 08:15 AM
Post #23
bleepin' _temp_
Group: Malware Response Instructor
Posts: 13,121
Joined: 25-January 08
From: At home
Member No.: 186,120

Hi,


this is looking good. How is your PC doing? Still redirecting?

Please provide a new log from gmer:

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

regards myrti


--------------------

Help request via PM will be ignored, unless I am already helping you. Please use the forums!


If I have helped you please consider to help me continue the malware fight! Thank you!


I'll be gone from 30th July - 5th August. Sorry for any inconvenience caused.
myrti
post Dec 1 2009, 10:13 AM
Post #24
bleepin' _temp_
Group: Malware Response Instructor
Posts: 13,121
Joined: 25-January 08
From: At home
Member No.: 186,120

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
myrti


myrti
post Dec 1 2009, 12:07 PM
Post #25
bleepin' _temp_
Group: Malware Response Instructor
Posts: 13,121
Joined: 25-January 08
From: At home
Member No.: 186,120

Hi,

topic reopened.

From the PM:
QUOTE
GMER Log;
GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-11-30 12:39:00
Windows 6.0.6001 Service Pack 1
Running: 3p5eieme.exe; Driver: C:\Users\Amit\AppData\Local\Temp\kfldrpow.sys


---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[4124] USER32.dll!DialogBoxIndirectParamW 7759BD25 5 Bytes JMP 6C060696 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4124] USER32.dll!DialogBoxParamW 775B1FD5 5 Bytes JMP 6C060620 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4124] USER32.dll!DialogBoxParamA 775D80B2 5 Bytes JMP 6C06065B C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4124] USER32.dll!DialogBoxIndirectParamA 775D83DD 5 Bytes JMP 6C0606D1 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4124] USER32.dll!MessageBoxIndirectA 775ED471 5 Bytes JMP 6C0605DC C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4124] USER32.dll!MessageBoxIndirectW 775ED56B 5 Bytes JMP 6C060598 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4124] USER32.dll!MessageBoxExA 775ED5D1 5 Bytes JMP 6C06055E C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4124] USER32.dll!MessageBoxExW 775ED5F5 5 Bytes JMP 6C060524 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4124] ole32.dll!OleLoadFromStream 77B69726 5 Bytes JMP 6C060893 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[3724] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [753988B4] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3724] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [753D98A5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3724] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7539B9D4] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3724] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7538FB47] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3724] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [75397A79] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3724] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [7538EA65] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3724] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [753CB17D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3724] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [7539BC9A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3724] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [7539074E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3724] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [753906B5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3724] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [753871B3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3724] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [7541D848] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3724] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [753B7379] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3724] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [7538E109] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3724] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [7538697E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3724] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [753869A9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3724] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [75392465] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


The log is looking fine.
I would like to see an additional online scan to be sure that nothing is left:
I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push

regards myrti


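For readers who want to triage a GMER hook listing like the one quoted above without reading every line by eye, here is an added Python example (not part of this thread, and not GMER's own code) that parses the "User code sections" and "User IAT/EAT" line formats shown in the log and applies a simple defender-side heuristic: hook targets with no vendor attribution, or living in a user-writable path, are flagged for review, while Microsoft-attributed modules under C:\Windows are reported as expected. The regexes are my reading of the GMER 1.0.15 line format, the triage rules are my own assumption rather than GMER logic, and the sample log mixes two lines taken from the thread with one constructed line (fake addresses, fake unknown.dll).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# A GMER "User code sections" line: .text <process>[pid] <dll!func> <addr> <n> Bytes JMP <addr> <module> (<vendor>)
INLINE_RE = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+(?P<function>\S+)\s+"
    r"[0-9A-F]+\s+\d+\s+Bytes\s+JMP\s+[0-9A-F]+\s+(?P<module>.+?)"
    r"(?:\s+\((?P<vendor>[^)]*)\))?$"
)
# A GMER "User IAT/EAT" line: IAT <process>[pid] @ <image> [dll!func] [addr] <module> (<vendor>)
IAT_RE = re.compile(
    r"^IAT\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+@\s+.+?\s+\[(?P<function>[^\]]+)\]\s+"
    r"\[[0-9A-F]+\]\s+(?P<module>.+?)(?:\s+\((?P<vendor>[^)]*)\))?$"
)


@dataclass
class Hook:
    kind: str          # "inline" (code patch) or "iat" (import-table redirect)
    process: str
    function: str      # e.g. USER32.dll!MessageBoxExW
    module: str        # module the hook jumps into
    vendor: Optional[str]
    verdict: str


def triage(module: str, vendor: Optional[str]) -> str:
    """Heuristic verdict for one hook target (an assumption of this example, not GMER logic)."""
    low = module.lower()
    if vendor is None:
        return "review: hook target carries no vendor attribution"
    if "\\temp\\" in low or "\\appdata\\" in low:
        return "review: hook target lives in a user-writable path"
    if "microsoft corporation" in vendor.lower() and low.startswith("c:\\windows\\"):
        return "expected: Microsoft-attributed module under C:\\Windows"
    return "review: third-party hook, confirm the product is installed on purpose"


def parse_gmer(text: str) -> List[Hook]:
    """Extract inline and IAT hooks from GMER output; unrelated lines are skipped."""
    hooks: List[Hook] = []
    for raw in text.splitlines():
        line = raw.strip()
        for kind, rx in (("inline", INLINE_RE), ("iat", IAT_RE)):
            m = rx.match(line)
            if m:
                hooks.append(Hook(kind, m["process"], m["function"], m["module"],
                                  m["vendor"], triage(m["module"], m["vendor"])))
                break
    return hooks


# Two lines taken from the GMER log quoted in this thread plus one constructed
# line (fake addresses, fake unknown.dll) showing how an unattributed hook is reported.
SAMPLE_LOG = r"""
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Internet Explorer\iexplore.exe[4124] USER32.dll!MessageBoxExW 775ED5F5 5 Bytes JMP 6C060524 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Windows\Explorer.EXE[3724] USER32.dll!MessageBoxW 77000000 5 Bytes JMP 10001000 C:\Users\user\AppData\Local\Temp\unknown.dll
IAT C:\Windows\Explorer.EXE[3724] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [753988B4] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
"""

if __name__ == "__main__":
    for h in parse_gmer(SAMPLE_LOG):
        print(f"{h.kind:6} {h.process} {h.function} -> {h.module}: {h.verdict}")
```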
Shah123
post Dec 1 2009, 03:34 PM
Post #26
New Member
Group: Members
Posts: 13
Joined: 12-November 09
Member No.: 401,933

Hi Myrti,

Another virus seems to have sprung up, but I have done the scan as asked. Please see details below:

C:\Users\Amit\Downloads\vlc.uk02.exe probably a variant of Win32/Adware.DoubleD.AB application deleted - quarantined


Kind regards

Amit
myrti
post Dec 2 2009, 04:02 PM
Post #27
bleepin' _temp_
Group: Malware Response Instructor
Posts: 13,121
Joined: 25-January 08
From: At home
Member No.: 186,120

Hi,

where did you download vlc? It is always the most secure option to download files from the producer. In this case that would be videolan.org.

The file is not part of a current infection and I believe this means that your logs are clean! How is your PC doing?

Please do the following to update your software and make your PC more secure:
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 17.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u17-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

Your Adobe Reader is also out of date. Please uninstall it and download the latest version from Adobe: Download
Please untick all proposed toolbars unless you really want them.

Please let me know if you had any problems with that.

regards myrti


myrti
post Dec 21 2009, 08:32 AM
Post #28
bleepin' _temp_
Group: Malware Response Instructor
Posts: 13,121
Joined: 25-January 08
From: At home
Member No.: 186,120

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
myrti


© 2003-2010 All Rights Reserved Bleeping Computer LLC.