MS Juan (Malware.Trace) / MS Track System (Trojan.Vundo)



#1 BBMN

Posted 22 December 2008 - 05:56 PM

First off, thank you guys so much for helping me out just a short while ago. I'm pretty good at keeping safe online, but somehow got hit with my second virus in just a few weeks. I appreciate what you guys do and do plan on donating to you.

Okay, on with this. I have run Malwarebytes Anti-Malware and ComboFix and attached the logs. It seems that it's two files that just won't go away. They have latched onto Acrobat.

Malwarebytes' Anti-Malware 1.31
Database version: 1528
Windows 5.1.2600 Service Pack 2

12/22/2008 3:56:36 PM
mbam-log-2008-12-22 (15-56-32).txt

Scan type: Full Scan (C:\|)
Objects scanned: 187912
Time elapsed: 41 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
___________________________________________________________________________________________

ComboFix 08-12-21.04 - Kienzle 2008-12-22 17:43:13.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1462 [GMT -5:00]
Running from: c:\downloaded apps\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-11-22 to 2008-12-22 )))))))))))))))))))))))))))))))
.


.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((( snapshot@2008-12-22_16.51.39.87 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-17 8491008]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2004-02-13 155648]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-09 136600]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 c:\windows\stsystra.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Extender Resource Monitor.lnk - c:\windows\ehome\RMSysTry.exe [2005-10-20 18432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-01-27 14:12 10792 c:\program files\Citrix\GoToAssist\480\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=aiwiwr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"Omnipage"=c:\program files\ScanSoft\OmniPageSE\opware32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\VS7DEBUG\\MDM.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\ScanSoft\\OmniPageSE\\EregEng\\NAVBrowser.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience

R3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys [2008-12-01 38496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

*Newly Created Service* - MBAMSWISSARMY
.
Contents of the 'Scheduled Tasks' folder

2008-12-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-12-22 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2008-10-29 17:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Kienzle\Application Data\Mozilla\Firefox\Profiles\jon45giy.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.igoogle.com/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-22 17:44:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(748)
c:\program files\Citrix\GoToAssist\480\G2AWinLogon.dll
.
Completion time: 2008-12-22 17:44:52
ComboFix-quarantined-files.txt 2008-12-22 22:44:38
ComboFix2.txt 2008-12-22 21:52:02
ComboFix3.txt 2008-12-08 19:39:07

Pre-Run: 25,491,140,608 bytes free
Post-Run: 25,476,874,240 bytes free

222 --- E O F --- 2008-12-18 08:00:33
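The logs above are read by hand in this thread. As an added example (not part of the thread, and not Malwarebytes' or ComboFix's own code), the Python below parses the MBAM "Infected" sections and the REGEDIT4-style "Reg Loading Points" block into structured records, then flags the entries a responder checks first: a non-empty AppInit_DLLs value (injected into every process that loads user32.dll) and Security Center notifications that have been switched off. The two sample inputs are constructed from the log lines quoted in this post.

```python
import re
from typing import Dict, List

# Constructed sample in MBAM 1.31 log layout, carrying the two detections quoted in the thread.
MBAM_LOG = r"""
Registry Keys Infected: 2
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> No action taken.

Files Infected:
(No malicious items detected)
"""

# Constructed sample: a trimmed copy of the ComboFix "Reg Loading Points" section from the thread.
REG_LOADING_POINTS = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=aiwiwr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"""

# One MBAM detection line: "<path> (<detection name>) -> <action>."
MBAM_ITEM = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")
# REGEDIT4 key header and "name"=data value lines.
REG_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def parse_mbam_detections(log: str) -> List[Dict[str, str]]:
    """Return one record per detection line, tagged with the MBAM section it appeared in."""
    found: List[Dict[str, str]] = []
    section = None
    for line in log.splitlines():
        line = line.strip()
        if line.endswith("Infected:"):          # section header, e.g. "Registry Keys Infected:"
            section = line[:-1]
            continue
        m = MBAM_ITEM.match(line)
        if section and m:                       # "(No malicious items detected)" never matches
            found.append({"section": section, **m.groupdict()})
    return found


def parse_reg_loading_points(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the REGEDIT4-style dump into {key (lower-cased): {value name: data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        km = REG_KEY.match(line)
        if km:
            current = km.group("key").lower()
            keys.setdefault(current, {})
            continue
        vm = REG_VALUE.match(line)
        if current and vm:
            keys[current][vm.group("name")] = vm.group("data").strip()
    return keys


def review_loading_points(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Flag the load points and settings a responder should look at first."""
    findings: List[str] = []
    for key, values in keys.items():
        if key.endswith(r"\windows nt\currentversion\windows"):
            dlls = values.get("AppInit_DLLs", "").strip('"')
            if dlls:   # any DLL listed here is loaded into every process that loads user32.dll
                findings.append(f"AppInit_DLLs loads {dlls!r} into every user-mode process")
        if key.endswith(r"\security center"):
            for name in ("AntiVirusDisableNotify", "UpdatesDisableNotify"):
                if values.get(name, "").lower().endswith("00000001"):
                    findings.append(f"Security Center {name} is set (user will not be warned)")
    return findings


if __name__ == "__main__":
    for d in parse_mbam_detections(MBAM_LOG):
        print(f"[{d['section']}] {d['name']}: {d['path']} ({d['action']})")
    for f in review_loading_points(parse_reg_loading_points(REG_LOADING_POINTS)):
        print("REVIEW:", f)
```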

#2 Buckeye_Sam (Malware Expert)

Posted 23 December 2008 - 05:26 PM

Hello! :thumbsup:
My name is Sam and I will be helping you.

In order to see what's going on with your computer I may ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


First we want to remove Combofix. It's a powerful program and there is no room for error if you make a mistake.

Follow this process to uninstall Combofix. It will also restore a few settings and remove quarantined items.
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK

Please download DDS and save it to your desktop.
  • Disable any script blocking protection
  • Double-click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • A second report, Attach.txt will open next.
  • Save both reports to your desktop.
Please copy and paste both logs into your next reply.


=============


The next log will show us any hidden files that are present.

Download gmer.zip and save to your desktop.
alternate download site 1
alternate download site 2
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click on "Settings", then check the first five settings:
    *System Protection and Tracing
    *Processes
    *Save created processes to the log
    *Drivers
    *Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.
Run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on the "Scan" and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE.
Important! Please do not select the "Show all" checkbox during the scan.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 BBMN (Topic Starter)

Posted 29 December 2008 - 09:05 PM

Here are my dds logs. Also, I ran the gmer program but somehow failed to copy the text. I tried recreating the log by running it again, but couldn't get the same message. It basically said it found no system modifications... so I assume that means everything is good. I have attached what I could from the second time I ran gmer.

Also I ran Kaspersky and it found nothing on my entire C drive.

For whatever reason I think the issue I had has already been resolved. I am getting no spam and things seem to be normal.


DDS (Version 1.1.0) - NTFSx86
Run by Kienzle at 18:54:10.54 on Sat 12/27/2008
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1396 [GMT -5:00]

FW: Norton Internet Worm Protection *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\ehome\RMSysTry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\ehome\RMSvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrobat.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Kienzle\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
uInternet Settings,ProxyOverride = *.local
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\extend~1.lnk - c:\windows\ehome\RMSysTry.exe
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Notify: GoToAssist - c:\program files\citrix\gotoassist\480\G2AWinLogon.dll
AppInit_DLLs: aiwiwr.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kienzle\applic~1\mozilla\firefox\profiles\jon45giy.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.igoogle.com/
FF - HiddenExtension: XUL Cache: {389EB97F-A830-4335-BD46-C8A6073A932F} - c:\documents and settings\kienzle\local settings\application data\{389eb97f-a830-4335-bd46-c8a6073a932f}\

============= SERVICES / DRIVERS ===============

R2 aawservice;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" [2008-9-10 611664]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-10-20 96256]

=============== Created Last 30 ================


==================== Find3M ====================


============= FINISH: 18:54:19.50 ===============




DDS (Version 1.0)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 1/26/2008 10:10:50 PM
System Uptime: 12/23/2008 3:04:03 PM (99 hours ago)

Motherboard: Dell Inc. | | 0WG864
Processor: Intel® Core™2 CPU 6300 @ 1.86GHz | Microprocessor | 1862/1066mhz
Processor: Intel® Core™2 CPU 6300 @ 1.86GHz | Microprocessor | 1862/1066mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 144 GiB total, 28.426 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

AAA Logo 2008 2.10
Ad-Aware
Add or Remove Adobe Creative Suite 3 Master Collection
Adobe Acrobat 8 Professional
Adobe Acrobat 8.1.2 Professional
Adobe Acrobat 8.1.2 Security Update 1 (KB403742)
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe After Effects CS3
Adobe After Effects CS3 Presets
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe BridgeTalk Plugin CS3
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Contribute CS3
Adobe Creative Suite 3 Master Collection
Adobe Default Language CS3
Adobe Device Central CS3
Adobe Dreamweaver CS3
Adobe Encore CS3
Adobe ExtendScript Toolkit 2
Adobe Extension Manager CS3
Adobe Fireworks CS3
Adobe Flash CS3
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Flash Video Encoder
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Illustrator CS3
Adobe InDesign CS3
Adobe InDesign CS3 Icon Handler
Adobe Linguistics CS3
Adobe MotionPicture Color Files
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Reader 7.0.8
Adobe Setup
Adobe SING CS3
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe Video Profiles
Adobe WAS CS3
Adobe WinSoft Linguistics Plugin
Adobe XMP DVA Panels CS3
Adobe XMP Panels CS3
AHV content for Acrobat and Flash
Apple Mobile Device Support
Apple Software Update
Avi2Dvd 0.4.5 beta
Azureus Vuze
Bonjour
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
Canon CanoScan Toolbox 4.1
Canon G.726 WMP-Decoder
Canon MovieEdit Task for ZoomBrowser EX
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon S820
Canon Utilities EOS Utility
Canon Utilities PhotoStitch
Canon Utilities ZoomBrowser EX
CanoScan LiDE20,30 Manual
CCleaner (remove only)
Conexant D850 56K V.9x DFVc Modem
ConvertXtoDVD 3.0.0.13
Dell Driver Reset Tool
Dell Support 3.2.1
Dell System Restore
Digital Content Portal
Digital Line Detect
Documentation & Support Launcher
DVD Shrink 3.2
ESPNMotion
ExtractNow
Games, Music, & Photos Launcher
Glary Utilities 2.8.0.366
GoToAssist 8.0.0.480
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB888795)
Hotfix for Windows XP (KB891593)
Hotfix for Windows XP (KB895961)
Hotfix for Windows XP (KB896256)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB899337)
Hotfix for Windows XP (KB899510)
Hotfix for Windows XP (KB902841)
Hotfix for Windows XP (KB906569)
Hotfix for Windows XP (KB908673)
Hotfix for Windows XP (KB912024)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB921411)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
Intel® Matrix Storage Manager
Intel® PRO Network Connections
Internet Service Offers Launcher
iTunes
Java™ 6 Update 11
Malwarebytes' Anti-Malware
Media Center Extender
Microsoft .NET Framework 1.0 Hotfix (KB930494)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Plus! Digital Media Edition Installer
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Works
MINITAB 14 Student
Mirar
MobileMe Control Panel
Modem Helper
Mozilla Firefox (2.0.0.20)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6 Service Pack 2 (KB954459)
Nero OEM
NVIDIA Drivers
OmniPage SE
OpenOffice.org 2.4
PDF Settings
QuickTime
Roxio DLA
Roxio MyDVD LE
Roxio RecordNow Audio
Roxio RecordNow Copy
Roxio RecordNow Data
Search Assistant Mysidesearch
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Sonic Activation Module
Sonic Encoders
Sonic Update Manager
The Rosetta Stone
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB912945)
Update for Windows XP (KB916595)
Update for Windows XP (KB920342)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Update Rollup 2 for Windows XP Media Center Edition 2005
VideoLAN VLC media player 0.8.6f
Viewpoint Media Player
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live installer
Windows Media Connect
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows Presentation Foundation
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB889673
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890927
Windows XP Hotfix - KB891781
Windows XP Media Center Edition 2005 KB905589
Windows XP Media Center Edition 2005 KB908246
Windows XP Media Center Edition 2005 KB925766
XML Paper Specification Shared Components Pack 1.0

==== Event Viewer Messages From Past Week ========

12/21/2008 3:06:29 AM, error: Service Control Manager [7023] - The Windows Media Player Network Sharing Service service terminated with the following error: The RPC server is unavailable.
12/21/2008 3:06:29 AM, error: WMPNetworkSvc [14317] - Service 'WMPNetworkSvc' was not initialized because CoInitializeSecurity encountered error 1722. Restart your computer, and then try to restart the service.
12/21/2008 3:05:59 AM, error: Service Control Manager [7031] - The Windows Media Player Network Sharing Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
12/21/2008 3:05:26 AM, error: Service Control Manager [7031] - The Remote Procedure Call (RPC) service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
12/21/2008 3:05:14 AM, error: Service Control Manager [7034] - The Windows Image Acquisition (WIA) service terminated unexpectedly. It has done this 1 time(s).
12/21/2008 3:04:38 AM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
12/21/2008 3:04:34 AM, error: Service Control Manager [7034] - The FLEXnet Licensing Service service terminated unexpectedly. It has done this 1 time(s).
12/21/2008 3:02:31 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
12/21/2008 2:55:23 AM, error: SideBySide [59] - Generate Activation Context failed for C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_39049d00\MFC80U.DLL. Reference error message: The operation completed successfully. .
12/21/2008 2:55:23 AM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC80.MFCLOC. Reference error message: The referenced assembly is not installed on your system. .
12/21/2008 2:55:23 AM, error: SideBySide [32] - Dependent Assembly Microsoft.VC80.MFCLOC could not be found and Last Error was The referenced assembly is not installed on your system.
12/21/2008 3:22:28 AM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
12/21/2008 3:24:06 AM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
12/21/2008 2:48:10 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
12/22/2008 12:04:32 AM, error: Service Control Manager [7034] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 1 time(s).
12/22/2008 12:05:30 AM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
12/22/2008 12:11:56 AM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 3 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
12/22/2008 12:18:17 AM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 4 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
12/22/2008 12:19:30 AM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 5 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
12/22/2008 12:20:35 AM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 6 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
12/22/2008 12:22:34 AM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 7 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
12/22/2008 12:24:16 AM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 8 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
12/22/2008 12:25:27 AM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 9 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
12/22/2008 12:30:34 AM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 10 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
12/22/2008 12:31:35 AM, error: Service Control Manager [7000] - The Apple Mobile Device service failed to start due to the following error: The system cannot find the file specified.
12/22/2008 4:03:42 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the WMPNetworkSvc service.

==== End Of File ===========================



GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-12-29 21:04:06
Windows 5.1.2600 Service Pack 2


---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- EOF - GMER 1.0.14 ----

Edited by BBMN, 29 December 2008 - 09:12 PM.


#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:02:31 PM

Posted 30 December 2008 - 10:43 AM

Looks good to me!


Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and reenable system restore here:

    Windows XP System Restore Guide

    Re-enable system restore with the instructions from the tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has anti-virus software running on it. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with the program on a regular basis, just as you would with antivirus software, in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:thumbsup: :)
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!

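The Internet Explorer hardening steps in the post above are carried out by hand in the Security tab. As an added example (not code from the thread or from BleepingComputer), the PowerShell script below audits the same six Internet-zone settings for the current user and reports which ones differ from the values the post recommends; with `-Fix` it writes the recommended values. The numeric value names (1001, 1004, 1201, 1800, 1804, 1607) and the 0/1/3 encoding are Microsoft's documented zone registry mapping (KB182569), not something taken from the page; the function name `Get-InternetZoneReport` is the example's own.

```powershell
# Added example, not part of the original thread.
# Audits (and optionally sets) the Internet-zone settings the post above
# changes through the IE GUI. Zone 3 is the "Internet" zone; the numeric
# value names follow Microsoft's documented mapping (KB182569).
# Per-user overrides live under HKCU; when a value is absent there, IE falls
# back to the machine-wide default for the zone, so it is reported as "not set"
# rather than guessed.

$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# DWORD meaning for these action values: 0 = Enable, 1 = Prompt, 3 = Disable
$Labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Value name, description, and the setting recommended in the post
$Recommended = @(
    @{ Value = '1001'; Name = 'Download signed ActiveX controls';                          Want = 1 }
    @{ Value = '1004'; Name = 'Download unsigned ActiveX controls';                        Want = 3 }
    @{ Value = '1201'; Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }
    @{ Value = '1800'; Name = 'Installation of desktop items';                             Want = 1 }
    @{ Value = '1804'; Name = 'Launching programs and files in an IFRAME';                 Want = 1 }
    @{ Value = '1607'; Name = 'Navigate sub-frames across different domains';              Want = 1 }
)

function Get-InternetZoneReport {
    [CmdletBinding()]
    param(
        # Apply the recommended value wherever the current one differs or is unset
        [switch]$Fix
    )
    if (-not (Test-Path $ZonePath)) {
        throw "Zone key not found: $ZonePath"
    }
    $props = Get-ItemProperty -Path $ZonePath

    foreach ($entry in $Recommended) {
        $prop    = $props.PSObject.Properties[$entry.Value]
        $current = if ($null -ne $prop) { [int]$prop.Value } else { $null }

        $status = if ($null -eq $current)          { 'not set (machine default applies)' }
                  elseif ($current -eq $entry.Want) { 'OK' }
                  else                              { 'DIFFERS' }

        if ($Fix -and $status -ne 'OK') {
            Set-ItemProperty -Path $ZonePath -Name $entry.Value -Value $entry.Want -Type DWord
            $status = 'FIXED'
        }

        [pscustomobject]@{
            Value       = $entry.Value
            Setting     = $entry.Name
            Current     = if ($null -ne $current) { $Labels[$current] } else { '-' }
            Recommended = $Labels[$entry.Want]
            Status      = $status
        }
    }
}

# Report only; run "Get-InternetZoneReport -Fix" to apply the recommended values
# for the current user (the GUI change in the post has the same effect).
Get-InternetZoneReport | Format-Table -AutoSize
```

The script only touches the current user's zone key; a setting enforced by Group Policy is stored elsewhere and will still show as "not set" here, which is the honest answer rather than a guess at the effective value.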

========================================================

#5 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:02:31 PM

Posted 05 January 2009 - 08:58 AM

Now that your problem appears to be resolved, this thread will be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request.


========================================================



