
VBS:Malware-gen..


This topic is locked
29 replies to this topic

#1 DottieR

  • Members
  • 275 posts

Posted 13 April 2009 - 08:53 PM

Did everything Rigel said, thought it was gone. This was the thread.
http://www.bleepingcomputer.com/forums/top...ml#entry1222234

Ran full scan with Avast today and it is back or still there.
Here is my DDS log.


DDS (Ver_09-03-16.01) - FAT32x86
Run by Me at 18:44:52.26 on Mon 04/13/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.512.112 [GMT -7:00]

AV: avast! antivirus 4.8.1335 [VPS 090306-0] *On-access scanning enabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ChronosXP\ChronosXP.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lunabar\Lunabar.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Me.DOROTHY\Desktop\dds.scr

============== Pseudo HJT Report ===============

uLocal Page = \blank.htm
uStart Page = hxxp://mail.google.com/mail/?ui=1
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Foxit Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {965B54B0-71E0-4611-8DE7-F73FA0B20E26} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ChronosXP] "c:\program files\chronosxp\ChronosXP.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\me67e5~1.dor\startm~1\programs\startup\lunaba~1.lnk - c:\program files\lunabar\Lunabar.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\windows\installer\{9944aa9e-362d-11d3-81ab-00c04fb932ba}\1960F8A9.exe
uPolicies-explorer: NoActiveDesktop = 00000000
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
Trusted Zone: microsoft.com\www.update
DPF: DirectAnimation Java Classes
DPF: Internet Explorer Classes for Java
DPF: Microsoft XML Parser for Java
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://pccheckup.dellfix.com/sdccommon/download/tgctlcm.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1185235554345
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38928.6993981482
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\me67e5~1.dor\nethood\applic~1\mozilla\firefox\profiles\b8u2lef0.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://mail.google.com/mail/?ui=1
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-8-12 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-8-12 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2008-8-12 138680]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2008-8-12 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2008-8-12 352920]
S1 AEC671X;AEC671X;c:\windows\system32\drivers\aec671x.sys [2006-12-18 12128]
S1 DMX3191;DMX3191;c:\windows\system32\drivers\dmx3191.sys [2006-12-18 17700]
S2 PV8630;PV8630 WDM Device Driver;System\PV8630.sys --> System\PV8630.sys [?]
S2 Symantec Core LC;Symantec Core LC; [x]
S2 UDNT;UDNT;c:\windows\system32\drivers\udnt.sys [2006-12-18 76260]
S3 PhoneTrayDriver;PhoneTrayDriver;c:\windows\system32\drivers\ptdrv.sys [2007-12-20 30032]
S3 VQ21FIL;ViewQuest USB Filter Driver (FILTER);c:\windows\system32\drivers\VQ2101XP.SYS [2006-12-14 5593]

=============== Created Last 30 ================

2009-04-13 09:33 <DIR> --d----- C:\fb12aedfd438316c3b439f71
2009-04-11 11:35 <DIR> --d----- c:\windows\system32\IOSUBSYS
2009-04-09 18:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-04-09 18:52 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-04-09 18:52 <DIR> --d----- c:\docume~1\me67e5~1.dor\nethood\applic~1\SUPERAntiSpyware.com
2009-04-08 18:57 <DIR> --d----- c:\documents and settings\me.dorothy\DoctorWeb
2009-04-08 15:57 <DIR> --d----- c:\docume~1\me67e5~1.dor\nethood\applic~1\GetRightToGo
2009-04-06 15:17 <DIR> --d----- c:\docume~1\me67e5~1.dor\nethood\applic~1\GlarySoft
2009-04-06 15:13 <DIR> --d----- c:\program files\Glary Utilities
2009-04-06 14:50 <DIR> --d----- c:\docume~1\me67e5~1.dor\nethood\applic~1\IObit
2009-04-06 14:50 <DIR> --d----- c:\program files\IObit
2009-03-18 19:01 <DIR> --d----- c:\windows\system32\LogFiles
2009-03-18 18:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}

==================== Find3M ====================

2009-04-11 11:35 262,144 a------- C:\ntuser.dat
2009-04-11 11:28 4,014 a------- c:\program files\JkDefrag.log
2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-09 04:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 04:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-01-17 13:55 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-01-16 21:35 3,594,752 a------- c:\windows\system32\dllcache\mshtml.dll
2009-01-13 17:33 7,518,520 a------- c:\program files\Firefox Setup 3.0.5.exe
2008-08-31 21:47 222,208 a------- c:\program files\JkDefrag.exe
2008-08-02 12:40 1,012,800 a------- c:\program files\Google Updater.exe
2008-05-07 09:03 4,098,010 a------- c:\program files\lunabar6.zip
2007-07-31 17:50 23,402,288 a------- c:\program files\AdbeRdr810_en_US.exe
2007-07-31 11:32 20,539,017 a------- c:\program files\AdbeRdr810_en_US.exe.part
2007-07-30 15:14 15,505,200 a------- c:\program files\IE7-WindowsXP-x86-enu.exe
2007-07-06 10:47 422 a------- c:\program files\Shortcut to Internet Explorer.lnk
2006-08-10 21:24 16,706,160 a------- c:\program files\AdbeRdr60_enu_full.exe
2006-07-29 21:10 266 ---sh--- c:\program files\desktop.ini
2006-07-29 21:10 11,079 ----h--- c:\program files\folder.htt
2008-11-03 09:28 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008110320081104\index.dat

============= FINISH: 18:45:53.65 ===============

#2 KoanYorel

    Bleepin' Conundrum

  • Staff Emeritus
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA

Posted 27 April 2009 - 11:29 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 DottieR
  • Topic Starter

  • Members
  • 275 posts

Posted 27 April 2009 - 06:31 PM

I am attaching the DDS file, but I have not seen the problem item on the last couple Avast or MBAM runs.

Dorothy


DDS (Ver_09-03-16.01) - FAT32x86
Run by Me at 16:25:02.48 on Mon 04/27/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.512.130 [GMT -7:00]

AV: avast! antivirus 4.8.1335 [VPS 090306-0] *On-access scanning disabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
SVCHOST.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ChronosXP\ChronosXP.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Lunabar\Lunabar.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Me.DOROTHY\Desktop\dds.scr
C:\Documents and Settings\Me.DOROTHY\Desktop\dds.scr

============== Pseudo HJT Report ===============

uLocal Page = \blank.htm
uStart Page = hxxp://mail.google.com/mail/?ui=1
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Foxit Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {965B54B0-71E0-4611-8DE7-F73FA0B20E26} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ChronosXP] "c:\program files\chronosxp\ChronosXP.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\me67e5~1.dor\startm~1\programs\startup\lunaba~1.lnk - c:\program files\lunabar\Lunabar.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\windows\installer\{9944aa9e-362d-11d3-81ab-00c04fb932ba}\1960F8A9.exe
uPolicies-explorer: NoActiveDesktop = 00000000
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
Trusted Zone: microsoft.com\www.update
DPF: DirectAnimation Java Classes
DPF: Internet Explorer Classes for Java
DPF: Microsoft XML Parser for Java
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://pccheckup.dellfix.com/sdccommon/download/tgctlcm.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1185235554345
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38928.6993981482
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\me67e5~1.dor\nethood\applic~1\mozilla\firefox\profiles\b8u2lef0.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://mail.google.com/mail/?ui=1
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-8-12 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-8-12 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2008-8-12 138680]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S1 AEC671X;AEC671X;c:\windows\system32\drivers\aec671x.sys [2006-12-18 12128]
S1 DMX3191;DMX3191;c:\windows\system32\drivers\dmx3191.sys [2006-12-18 17700]
S2 PV8630;PV8630 WDM Device Driver;System\PV8630.sys --> System\PV8630.sys [?]
S2 Symantec Core LC;Symantec Core LC; [x]
S2 UDNT;UDNT;c:\windows\system32\drivers\udnt.sys [2006-12-18 76260]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2008-8-12 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2008-8-12 352920]
S3 PhoneTrayDriver;PhoneTrayDriver;c:\windows\system32\drivers\ptdrv.sys [2007-12-20 30032]
S3 VQ21FIL;ViewQuest USB Filter Driver (FILTER);c:\windows\system32\drivers\VQ2101XP.SYS [2006-12-14 5593]

=============== Created Last 30 ================

2009-04-15 08:44 401,408 -------- c:\windows\system32\dllcache\rpcss.dll
2009-04-15 08:44 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-04-15 08:44 473,600 -------- c:\windows\system32\dllcache\fastprox.dll
2009-04-15 08:44 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 08:44 110,592 -------- c:\windows\system32\dllcache\services.exe
2009-04-15 08:44 729,088 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 08:44 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 08:44 714,752 -------- c:\windows\system32\dllcache\ntdll.dll
2009-04-15 08:44 617,472 -------- c:\windows\system32\dllcache\advapi32.dll
2009-04-15 08:40 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-15 08:40 1,203,922 -------- c:\windows\system32\dllcache\sysmain.sdb
2009-04-15 08:40 215,552 -------- c:\windows\system32\dllcache\wordpad.exe
2009-04-13 09:33 <DIR> --d----- C:\fb12aedfd438316c3b439f71
2009-04-11 11:35 <DIR> --d----- c:\windows\system32\IOSUBSYS
2009-04-09 18:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-04-09 18:52 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-04-09 18:52 <DIR> --d----- c:\docume~1\me67e5~1.dor\nethood\applic~1\SUPERAntiSpyware.com
2009-04-08 18:57 <DIR> --d----- c:\documents and settings\me.dorothy\DoctorWeb
2009-04-08 15:57 <DIR> --d----- c:\docume~1\me67e5~1.dor\nethood\applic~1\GetRightToGo
2009-04-06 15:17 <DIR> --d----- c:\docume~1\me67e5~1.dor\nethood\applic~1\GlarySoft
2009-04-06 15:13 <DIR> --d----- c:\program files\Glary Utilities
2009-04-06 14:50 <DIR> --d----- c:\docume~1\me67e5~1.dor\nethood\applic~1\IObit
2009-04-06 14:50 <DIR> --d----- c:\program files\IObit

==================== Find3M ====================

2009-04-11 11:35 262,144 a------- C:\ntuser.dat
2009-04-11 11:28 4,014 a------- c:\program files\JkDefrag.log
2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-21 07:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-06 07:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-02 17:18 826,368 a------- c:\windows\system32\wininet.dll
2009-03-02 17:18 826,368 a------- c:\windows\system32\dllcache\wininet.dll
2009-02-27 21:54 636,072 a------- c:\windows\system32\dllcache\iexplore.exe
2009-02-20 03:20 70,656 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 03:20 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-02-19 22:14 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2009-02-09 05:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 05:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 05:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 05:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 04:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 04:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-02-07 19:02 2,066,048 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-07 19:02 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-06 04:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 04:08 2,189,056 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 04:08 2,189,056 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 04:06 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 03:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 03:39 35,328 a------- c:\windows\system32\dllcache\sc.exe
2009-02-06 03:32 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-03 12:59 56,832 a------- c:\windows\system32\secur32.dll
2009-02-03 12:59 56,832 -------- c:\windows\system32\dllcache\secur32.dll
2009-01-13 17:33 7,518,520 a------- c:\program files\Firefox Setup 3.0.5.exe
2008-08-31 21:47 222,208 a------- c:\program files\JkDefrag.exe
2008-08-02 12:40 1,012,800 a------- c:\program files\Google Updater.exe
2008-05-07 09:03 4,098,010 a------- c:\program files\lunabar6.zip
2007-07-31 17:50 23,402,288 a------- c:\program files\AdbeRdr810_en_US.exe
2007-07-31 11:32 20,539,017 a------- c:\program files\AdbeRdr810_en_US.exe.part
2007-07-30 15:14 15,505,200 a------- c:\program files\IE7-WindowsXP-x86-enu.exe
2007-07-06 10:47 422 a------- c:\program files\Shortcut to Internet Explorer.lnk
2006-08-10 21:24 16,706,160 a------- c:\program files\AdbeRdr60_enu_full.exe
2006-07-29 21:10 266 ---sh--- c:\program files\desktop.ini
2006-07-29 21:10 11,079 ----h--- c:\program files\folder.htt
2008-11-03 09:28 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008110320081104\index.dat

============= FINISH: 16:25:46.67 ===============
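As an added example (not code from the thread, from DDS, or from BleepingComputer), here is a small Python comparer for DDS logs like the two posted above: it splits a log into its `=== NAME ===` sections, parses the SERVICES / DRIVERS lines, and reports which services changed between runs, which browser add-on entries point at "No File", and whether the AV summary line reports on-access scanning as enabled. The reading of the service line layout (`R`/`S` as running/stopped, the digit as the start type) and of the `- No File` marker are my assumptions about the format, not something the thread documents; the two sample logs are constructed excerpts patterned on the posted logs, not the full logs.

```python
"""Compare two DDS logs: changed services, orphaned add-ons, AV on-access state.
Added example; the service-line layout below is an assumption about DDS output:
    <R|S><digit> <name>;<display name>;<image path> [<date> <size>]
"""
import re
from typing import Dict, List, NamedTuple

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
SERVICE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*)$")


class Service(NamedTuple):
    running: bool     # 'R' prefix (assumed: R = running, S = stopped)
    start_type: int   # digit after the prefix (assumed: SCM start type)
    display: str
    image: str


def split_sections(log: str) -> Dict[str, List[str]]:
    """Group non-blank lines under the '=== NAME ===' header above them;
    lines before the first header go into the HEADER pseudo-section."""
    sections: Dict[str, List[str]] = {"HEADER": []}
    current = "HEADER"
    for raw in log.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).upper()
            sections.setdefault(current, [])
        else:
            sections.setdefault(current, []).append(line)
    return sections


def parse_services(lines: List[str]) -> Dict[str, Service]:
    """Map service name -> Service for every line in the service layout."""
    services: Dict[str, Service] = {}
    for line in lines:
        m = SERVICE_RE.match(line)
        if m:
            state, start, name, display, image = m.groups()
            services[name.strip()] = Service(state == "R", int(start),
                                             display.strip(), image.strip())
    return services


def diff_services(old: Dict[str, Service], new: Dict[str, Service]) -> Dict[str, List[str]]:
    """Names of services that appeared, disappeared, or changed state/path."""
    result: Dict[str, List[str]] = {"added": [], "removed": [], "changed": []}
    for name in sorted(set(old) | set(new)):
        if name not in old:
            result["added"].append(name)
        elif name not in new:
            result["removed"].append(name)
        elif old[name] != new[name]:
            result["changed"].append(name)
    return result


def orphaned_addons(lines: List[str]) -> List[str]:
    """BHO/TB/EB entries whose target is reported as 'No File' (stale registrations)."""
    return [line for line in lines if line.endswith("- No File")]


def on_access_enabled(log: str) -> bool:
    """True when the AV summary line reports on-access scanning as enabled."""
    return "*On-access scanning enabled*" in log


def compare_logs(old_log: str, new_log: str) -> Dict[str, object]:
    """Summarise what changed from old_log to new_log."""
    old_s, new_s = split_sections(old_log), split_sections(new_log)
    svc = "SERVICES / DRIVERS"
    return {
        "services": diff_services(parse_services(old_s.get(svc, [])),
                                  parse_services(new_s.get(svc, []))),
        "orphaned_addons": orphaned_addons(new_s.get("PSEUDO HJT REPORT", [])),
        "on_access": (on_access_enabled(old_log), on_access_enabled(new_log)),
    }


# Constructed excerpts patterned on the two logs in the thread (not complete logs).
LOG_FIRST = r"""
AV: avast! antivirus 4.8.1335 [VPS 090306-0] *On-access scanning enabled* (Outdated)
============== Pseudo HJT Report ===============
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {965B54B0-71E0-4611-8DE7-F73FA0B20E26} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
============= SERVICES / DRIVERS ===============
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2008-8-12 138680]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2008-8-12 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2008-8-12 352920]
S2 Symantec Core LC;Symantec Core LC; [x]
"""

LOG_SECOND = r"""
AV: avast! antivirus 4.8.1335 [VPS 090306-0] *On-access scanning disabled* (Outdated)
============== Pseudo HJT Report ===============
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {965B54B0-71E0-4611-8DE7-F73FA0B20E26} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
============= SERVICES / DRIVERS ===============
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2008-8-12 138680]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2008-8-12 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2008-8-12 352920]
S2 Symantec Core LC;Symantec Core LC; [x]
"""

if __name__ == "__main__":
    for key, value in compare_logs(LOG_FIRST, LOG_SECOND).items():
        print(key, value)
```

Run on the two excerpts, `compare_logs` reports the avast! Mail Scanner and Web Scanner moving from running (R3) to stopped (S3) and the on-access flag flipping from enabled to disabled, matching the difference visible between the two posted logs; the three "No File" toolbar entries are present in both. Reading a second log next to the first this way makes it easy to tell a change in the machine from a change in what the scanner was allowed to see.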

#4 Starbuck

    'r Brudiwr

  • Malware Response Team
  • 4,149 posts
  • Gender:Male
  • Location:Midlands, UK

Posted 28 April 2009 - 02:44 PM

Hi DottieR

Let's have a look and see if we can uncover anything:

Step 1
Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks



#5 DottieR
  • Topic Starter

  • Members
  • 275 posts

Posted 28 April 2009 - 05:09 PM

Thanks. Here is the ComboFix report.

ComboFix 09-04-28.02 - Me 04/28/2009 15:00.2 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.512.149 [GMT -7:00]
Running from: c:\documents and settings\Me.DOROTHY\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090306-0] *On-access scanning disabled* (Outdated)
* Created a new restore point
.
/wow section - STAGE 1
'PV' is not recognized as an internal or external command


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\windows\start.exe
c:\windows\Web\default.htt

.
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-28 )))))))))))))))))))))))))))))))
.

2009-04-15 15:44 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-15 15:44 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 15:44 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-15 15:44 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 15:44 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 15:44 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 15:44 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 15:44 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 15:44 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 15:40 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 15:40 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-13 16:33 . 2009-04-13 16:33 -------- d-----w C:\fb12aedfd438316c3b439f71
2009-04-11 18:35 . 2009-04-11 18:35 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-04-11 18:35 . 2009-04-11 18:35 -------- d-----w c:\windows\system32\IOSUBSYS
2009-04-10 01:53 . 2009-04-10 01:53 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-10 01:52 . 2009-04-10 01:52 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-10 01:52 . 2009-04-10 01:52 -------- d-----w c:\documents and settings\Me.DOROTHY\NetHood\Application Data\SUPERAntiSpyware.com
2009-04-09 01:57 . 2009-04-09 01:57 -------- d-----w c:\documents and settings\Me.DOROTHY\DoctorWeb
2009-04-08 22:57 . 2009-04-08 22:57 -------- d-----w c:\documents and settings\Me.DOROTHY\NetHood\Application Data\GetRightToGo
2009-04-06 22:17 . 2009-04-06 22:17 -------- d-----w c:\documents and settings\Me.DOROTHY\NetHood\Application Data\GlarySoft
2009-04-06 22:13 . 2009-04-06 22:13 -------- d-----w c:\program files\Glary Utilities
2009-04-06 21:50 . 2009-04-06 21:50 -------- d-----w c:\documents and settings\Me.DOROTHY\NetHood\Application Data\IObit
2009-04-06 21:50 . 2009-04-06 21:50 -------- d-----w c:\program files\IObit

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-11 18:35 . 2009-01-03 22:28 262144 ----a-w C:\ntuser.dat
2009-04-11 18:28 . 2009-04-11 02:37 4014 ----a-w c:\program files\JkDefrag.log
2009-04-06 22:32 . 2008-11-30 22:33 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 22:32 . 2008-11-30 22:33 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-06 23:39 . 2007-07-06 21:13 98168 ----a-w c:\documents and settings\Me.DOROTHY\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-06 14:22 . 2006-02-28 19:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2006-02-28 19:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2006-02-28 19:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2006-02-28 19:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2006-02-28 19:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2006-02-28 19:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2006-02-28 19:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2006-02-28 19:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-08 02:02 . 2004-08-04 05:59 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2006-02-28 19:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2006-02-28 19:00 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2006-02-28 19:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-03 19:59 . 2006-02-28 19:00 56832 ----a-w c:\windows\system32\secur32.dll
2009-01-14 00:33 . 2009-01-14 00:33 7518520 ----a-w c:\program files\Firefox Setup 3.0.5.exe
2008-09-01 04:47 . 2008-09-01 04:47 222208 ----a-w c:\program files\JkDefrag.exe
2008-08-02 19:40 . 2008-08-02 19:32 1012800 ----a-w c:\program files\Google Updater.exe
2008-05-07 16:03 . 2008-05-07 16:03 4098010 ----a-w c:\program files\lunabar6.zip
2007-08-01 00:50 . 2007-07-31 23:49 23402288 ----a-w c:\program files\AdbeRdr810_en_US.exe
2007-07-31 18:32 . 2007-07-31 20:28 20539017 ----a-w c:\program files\AdbeRdr810_en_US.exe.part
2007-07-30 22:14 . 2007-07-30 22:13 15505200 ----a-w c:\program files\IE7-WindowsXP-x86-enu.exe
2007-07-06 17:47 . 2007-07-06 17:47 422 ----a-w c:\program files\Shortcut to Internet Explorer.lnk
2006-08-11 04:24 . 2006-08-11 04:24 16706160 ----a-w c:\program files\AdbeRdr60_enu_full.exe
2006-07-30 04:10 . 2006-07-30 04:10 266 --sh--w c:\program files\desktop.ini
2006-07-30 04:10 . 2006-07-30 04:10 11079 ---h--w c:\program files\folder.htt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-11-18 19:58 333192 ----a-w c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"ChronosXP"="c:\program files\ChronosXP\ChronosXP.exe" [2005-03-26 1208320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2003-07-15 34880]

c:\documents and settings\Me.DOROTHY\Start Menu\Programs\Startup\
Lunabar Taskbar Icon.lnk - c:\program files\Lunabar\Lunabar.exe [2008-5-8 369664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Works Calendar Reminders.lnk - c:\windows\Installer\{9944AA9E-362D-11D3-81AB-00C04FB932BA}\1960F8A9.exe [2006-12-17 29184]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= c:\documents and settings\Me.DOROTHY\My Documents\My Pictures\NASA\globe_west_540.jpg
FriendlyName=

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"aux"= ctwdm32.dll
"wave1"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /k:C *

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax 4.2.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^UMAX VistaAccess.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^Me.DOROTHY^Start Menu^Programs^Startup^UMAX VistaAccess.lnk]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSnD
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"AudioHQ"=c:\program files\Creative\SBLive\AudioHQ\AHQTB.EXE
"CTSysVol"=c:\program files\CREATIVE\SURROUNDMIXER\CTSYSVOL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"NvCplDaemon"=RUNDLL32.EXE c:\windows\SYSTEM32\nvcpl.dll,NvStartup
"nwiz"=nwiz.exe /install
"NvMediaCenter"=RUNDLL32.EXE c:\windows\SYSTEM32\nvmctray.dll,NvTaskbarInit
"KodakCCS"=c:\program files\Common Files\KODAK\KODAK_DR\KodakCCS.exe --pdr: "c:\program files\Common Files\KODAK\KODAK_DR\dcmnter.pdr"
"ADUserMon"=c:\program files\Iomega\AutoDisk\ADUserMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"SchedulingAgent"=mstask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 AEC671X;AEC671X;c:\windows\System32\drivers\AEC671X.SYS [1998-05-05 12128]
R1 DMX3191;DMX3191;c:\windows\System32\drivers\DMX3191.SYS [1999-02-23 17700]
R2 PV8630;PV8630 WDM Device Driver; [x]
R2 UDNT;UDNT; [x]
R3 PhoneTrayDriver;PhoneTrayDriver;c:\windows\system32\Drivers\ptdrv.sys [2007-12-20 30032]
R3 VQ21FIL;ViewQuest USB Filter Driver (FILTER);c:\windows\system32\DRIVERS\VQ2101XP.SYS [2002-07-27 5593]
S1 aswSP;avast! Self Protection; [x]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-04 13592]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
c:\windows\SYSTEM32\updcrl.exe -e -u c:\windows\SYSTEM\verisignpub1.crl
.
Contents of the 'Scheduled Tasks' folder

2009-04-28 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 01:20]

2009-01-11 c:\windows\Tasks\avast! Antivirus.job
- c:\progra~1\ALWILS~1\Avast4\ashAvast.exe [2008-08-13 21:03]

2009-01-11 c:\windows\Tasks\Windows Defender.job
- c:\progra~1\WINDOW~4\MSASCui.exe [2006-11-04 01:20]

2009-04-28 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-03-10 22:13]

2009-04-28 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2009-04-06 18:08]
.
- - - - ORPHANS REMOVED - - - -

ShellIconOverlayIdentifiers-{7D688A77-C613-11D0-999B-00C04FD655E1} - (no file)
Notify-WgaLogon - (no file)


.
------- Supplementary Scan -------
.
uLocal Page = \blank.htm
uStart Page = hxxp://mail.google.com/mail/?ui=1
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
Trusted Zone: microsoft.com\www.update
DPF: DirectAnimation Java Classes
DPF: Internet Explorer Classes for Java
DPF: Microsoft XML Parser for Java
FF - ProfilePath - c:\documents and settings\Me.DOROTHY\NetHood\Application Data\Mozilla\Firefox\Profiles\b8u2lef0.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://mail.google.com/mail/?ui=1
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-28 15:03
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-823518204-1078145449-1202660629-1008\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\.wll\PersistentHandler]
@DACL=(02 0000)
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\software\Microsoft\Advanced INF Setup\IE UserData NT\RegBackup]
@DACL=(02 0000)
.
Completion time: 2009-04-28 15:05
ComboFix-quarantined-files.txt 2009-04-28 22:05

Pre-Run: 8,778,465,280 bytes free
Post-Run: 8,817,393,664 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

222 --- E O F --- 2009-04-27 23:04

#6 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,149 posts
  • Gender:Male
  • Location:Midlands, UK
  • Local time:07:15 PM

Posted 28 April 2009 - 05:57 PM

Hi DottieR

A couple of things to do:

Step 1
The 'ask toolbar' is classed as 'open to debate'.
Please read this and decide if you want to keep it:
http://www.benedelman.org/spyware/ask-toolbars/
If you want to remove it, go to your add/remove and uninstall it from there.
If you have any problems, let me know.

Step 2
Close any open browsers.
Close/disable all anti-virus, firewall and anti-malware programs so they do not interfere with the running of ComboFix:

Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the code box by highlighting all the text and pressing Ctrl+C:

    DirLook::
    C:\fb12aedfd438316c3b439f71

Go to the Notepad window and click Edit >> Paste
Then click File >> Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop

The main ComboFix.exe program should be on your Desktop
Drag the file you just created... CFScript.txt and drop it on the main ComboFix.exe icon
as below.
(screenshot not included)

Now please wait for ComboFix to finish running.

Please Note: Do not mouse click in the combofix window while it is running - this may cause your system to hang/crash

Step 3
Please do an online scan with Kaspersky WebScanner.
Notes:
  • Java must be installed and enabled for the scan to work.
  • Disable your computer's antivirus program as leaving it active will cause conflicts.
  • Close ALL programs and windows except for your browser.

Please go to Online Kaspersky Scan and perform an online antivirus scan.
  • Read through the Requirements and limitations statement and click on the Accept button.
  • You will be prompted to install an application from Kaspersky. Click the Run button. It will start downloading and installing the scanner and virus definitions.
  • When the downloads have finished, the scrolling window will show 'Database is updated. Ready to scan'. Click on the Settings button at the bottom left.
  • Make sure these boxes are checked/ticked. If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan on the left. OK any warnings from your protection programs.
  • Go for a long walk. Please be patient and let the scanner finish. It is better that you do NOT use the computer while the scan is running. Keep all other programs/windows closed.
  • Once the scan is complete (the 'status' will show complete), click on View Scan Report and any infected objects will be shown.
  • Click on Save Report As... and change the Files of type to Text file (.txt)
  • Name the file KAVScan-ddmmyy before clicking on the Save button. Save the report to a convenient place - for example the Desktop.
  • Please post this log in your next reply.
Note - enable your antivirus program before browsing away from the Kaspersky site.

Go to the Desktop and double-click on the Kaspersky report KAVScan-ddmmyy.txt, it will open in Notepad
Click Edit > Select all then Edit > Copy
Reply to this thread and paste (Ctrl+V) the report.

In your next reply, please submit:
new Combofix.txt
and the Kaspersky scan report


Thanks.



#7 DottieR

DottieR
  • Topic Starter

  • Members
  • 275 posts
  • Local time:11:15 AM

Posted 28 April 2009 - 09:30 PM

I think I uninstalled 'ask toolbar'. I did a search on that and found nothing.
Here are the other two reports.

ComboFix 09-04-28.02 - Me 04/28/2009 16:13.3 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.512.88 [GMT -7:00]
Running from: c:\documents and settings\Me.DOROTHY\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Me.DOROTHY\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090306-0] *On-access scanning disabled* (Outdated)
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-28 )))))))))))))))))))))))))))))))
.

2009-04-15 15:44 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-15 15:44 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 15:44 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-15 15:44 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 15:44 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 15:44 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 15:44 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 15:44 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 15:44 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 15:40 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 15:40 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-13 16:33 . 2009-04-13 16:33 -------- d-----w C:\fb12aedfd438316c3b439f71
2009-04-11 18:35 . 2009-04-11 18:35 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-04-11 18:35 . 2009-04-11 18:35 -------- d-----w c:\windows\system32\IOSUBSYS
2009-04-10 01:53 . 2009-04-10 01:53 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-10 01:52 . 2009-04-10 01:52 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-10 01:52 . 2009-04-10 01:52 -------- d-----w c:\documents and settings\Me.DOROTHY\NetHood\Application Data\SUPERAntiSpyware.com
2009-04-09 01:57 . 2009-04-09 01:57 -------- d-----w c:\documents and settings\Me.DOROTHY\DoctorWeb
2009-04-08 22:57 . 2009-04-08 22:57 -------- d-----w c:\documents and settings\Me.DOROTHY\NetHood\Application Data\GetRightToGo
2009-04-06 22:17 . 2009-04-06 22:17 -------- d-----w c:\documents and settings\Me.DOROTHY\NetHood\Application Data\GlarySoft
2009-04-06 22:13 . 2009-04-06 22:13 -------- d-----w c:\program files\Glary Utilities
2009-04-06 21:50 . 2009-04-06 21:50 -------- d-----w c:\documents and settings\Me.DOROTHY\NetHood\Application Data\IObit
2009-04-06 21:50 . 2009-04-06 21:50 -------- d-----w c:\program files\IObit

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-11 18:35 . 2009-01-03 22:28 262144 ----a-w C:\ntuser.dat
2009-04-11 18:28 . 2009-04-11 02:37 4014 ----a-w c:\program files\JkDefrag.log
2009-04-06 22:32 . 2008-11-30 22:33 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 22:32 . 2008-11-30 22:33 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-06 23:39 . 2007-07-06 21:13 98168 ----a-w c:\documents and settings\Me.DOROTHY\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-06 14:22 . 2006-02-28 19:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2006-02-28 19:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2006-02-28 19:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2006-02-28 19:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2006-02-28 19:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2006-02-28 19:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2006-02-28 19:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2006-02-28 19:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-08 02:02 . 2004-08-04 05:59 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2006-02-28 19:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2006-02-28 19:00 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2006-02-28 19:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-03 19:59 . 2006-02-28 19:00 56832 ----a-w c:\windows\system32\secur32.dll
2009-01-14 00:33 . 2009-01-14 00:33 7518520 ----a-w c:\program files\Firefox Setup 3.0.5.exe
2008-09-01 04:47 . 2008-09-01 04:47 222208 ----a-w c:\program files\JkDefrag.exe
2008-08-02 19:40 . 2008-08-02 19:32 1012800 ----a-w c:\program files\Google Updater.exe
2008-05-07 16:03 . 2008-05-07 16:03 4098010 ----a-w c:\program files\lunabar6.zip
2007-08-01 00:50 . 2007-07-31 23:49 23402288 ----a-w c:\program files\AdbeRdr810_en_US.exe
2007-07-31 18:32 . 2007-07-31 20:28 20539017 ----a-w c:\program files\AdbeRdr810_en_US.exe.part
2007-07-30 22:14 . 2007-07-30 22:13 15505200 ----a-w c:\program files\IE7-WindowsXP-x86-enu.exe
2007-07-06 17:47 . 2007-07-06 17:47 422 ----a-w c:\program files\Shortcut to Internet Explorer.lnk
2006-08-11 04:24 . 2006-08-11 04:24 16706160 ----a-w c:\program files\AdbeRdr60_enu_full.exe
2006-07-30 04:10 . 2006-07-30 04:10 266 --sh--w c:\program files\desktop.ini
2006-07-30 04:10 . 2006-07-30 04:10 11079 ---h--w c:\program files\folder.htt
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\fb12aedfd438316c3b439f71 ----

2009-04-13 16:41 . 2009-04-13 16:41 162 ---ha-w c:\fb12aedfd438316c3b439f71\~$eula.1033.rtf


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-11-18 19:58 333192 ----a-w c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"ChronosXP"="c:\program files\ChronosXP\ChronosXP.exe" [2005-03-26 1208320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2003-07-15 34880]

c:\documents and settings\Me.DOROTHY\Start Menu\Programs\Startup\
Lunabar Taskbar Icon.lnk - c:\program files\Lunabar\Lunabar.exe [2008-5-8 369664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Works Calendar Reminders.lnk - c:\windows\Installer\{9944AA9E-362D-11D3-81AB-00C04FB932BA}\1960F8A9.exe [2006-12-17 29184]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= c:\documents and settings\Me.DOROTHY\My Documents\My Pictures\NASA\globe_west_540.jpg
FriendlyName=

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"aux"= ctwdm32.dll
"wave1"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /k:C *

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax 4.2.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^UMAX VistaAccess.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^Me.DOROTHY^Start Menu^Programs^Startup^UMAX VistaAccess.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"AudioHQ"=c:\program files\Creative\SBLive\AudioHQ\AHQTB.EXE
"CTSysVol"=c:\program files\CREATIVE\SURROUNDMIXER\CTSYSVOL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"NvCplDaemon"=RUNDLL32.EXE c:\windows\SYSTEM32\nvcpl.dll,NvStartup
"nwiz"=nwiz.exe /install
"NvMediaCenter"=RUNDLL32.EXE c:\windows\SYSTEM32\nvmctray.dll,NvTaskbarInit
"KodakCCS"=c:\program files\Common Files\KODAK\KODAK_DR\KodakCCS.exe --pdr: "c:\program files\Common Files\KODAK\KODAK_DR\dcmnter.pdr"
"ADUserMon"=c:\program files\Iomega\AutoDisk\ADUserMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"SchedulingAgent"=mstask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 AEC671X;AEC671X;c:\windows\System32\drivers\AEC671X.SYS [1998-05-05 12128]
R1 DMX3191;DMX3191;c:\windows\System32\drivers\DMX3191.SYS [1999-02-23 17700]
R2 PV8630;PV8630 WDM Device Driver; [x]
R2 UDNT;UDNT; [x]
R3 PhoneTrayDriver;PhoneTrayDriver;c:\windows\system32\Drivers\ptdrv.sys [2007-12-20 30032]
R3 VQ21FIL;ViewQuest USB Filter Driver (FILTER);c:\windows\system32\DRIVERS\VQ2101XP.SYS [2002-07-27 5593]
S1 aswSP;avast! Self Protection; [x]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-04 13592]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
c:\windows\SYSTEM32\updcrl.exe -e -u c:\windows\SYSTEM\verisignpub1.crl
.
Contents of the 'Scheduled Tasks' folder

2009-04-28 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 01:20]

2009-01-11 c:\windows\Tasks\avast! Antivirus.job
- c:\progra~1\ALWILS~1\Avast4\ashAvast.exe [2008-08-13 21:03]

2009-01-11 c:\windows\Tasks\Windows Defender.job
- c:\progra~1\WINDOW~4\MSASCui.exe [2006-11-04 01:20]

2009-04-28 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-03-10 22:13]

2009-04-28 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2009-04-06 18:08]
.
.
------- Supplementary Scan -------
.
uLocal Page = \blank.htm
uStart Page = hxxp://mail.google.com/mail/?ui=1
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
Trusted Zone: microsoft.com\www.update
DPF: DirectAnimation Java Classes
DPF: Internet Explorer Classes for Java
DPF: Microsoft XML Parser for Java
FF - ProfilePath - c:\documents and settings\Me.DOROTHY\NetHood\Application Data\Mozilla\Firefox\Profiles\b8u2lef0.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://mail.google.com/mail/?ui=1
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-28 16:17
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-823518204-1078145449-1202660629-1008\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\.wll\PersistentHandler]
@DACL=(02 0000)
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\software\Microsoft\Advanced INF Setup\IE UserData NT\RegBackup]
@DACL=(02 0000)
.
Completion time: 2009-04-28 16:19
ComboFix-quarantined-files.txt 2009-04-28 23:19
ComboFix2.txt 2009-04-28 22:06

Pre-Run: 8,764,162,048 bytes free
Post-Run: 8,755,462,144 bytes free

203 --- E O F --- 2009-04-27 23:04



------

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Tuesday, April 28, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Tuesday, April 28, 2009 23:49:07
Records in database: 2088190
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Files scanned: 54337
Threat name: 2
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 02:05:07


File name / Threat name / Threats count
C:\Documents and Settings\Me.DOROTHY\DoctorWeb\Quarantine\465A6949d01 Infected: Backdoor.IRC.Zapchast.zwrc 1
C:\Documents and Settings\Me.DOROTHY\DoctorWeb\Quarantine\465A6949d01 Infected: not-a-virus:Client-IRC.Win32.mIRC.603 1

The selected area was scanned.
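The ComboFix registry dump posted above shows, next to the leftover Ask toolbar BHO, several settings that weaken the host on their own: the Security Center antivirus override (AntiVirusOverride = 1), the Windows Firewall switched off for the standard profile (EnableFirewall = 0), and TCP port 3389 listed under GloballyOpenPorts. As an added example (not part of the thread, of ComboFix, or of any tool named here), the Python script below parses the "Reg Loading Points" section of such a log and flags those entries. The sample input is an excerpt of the log posted in this thread; the rule set, severity labels and function names are this example's own, and the hardened sample is constructed to show the settings a clean host would carry.

```python
"""Triage helper for the 'Reg Loading Points' section of a ComboFix/DDS log.

Added example for this thread, not code from ComboFix, DDS or BleepingComputer.
It reads [KEY] blocks and their "name"=value lines and flags settings that
weaken the host. Rules, severities and names below are this example's own.
"""
import re
from dataclasses import dataclass

# Excerpt of the ComboFix log posted in the thread (used as sample input).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-11-18 19:58 333192 ----a-w c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"""

# Constructed counterpart: what the same two keys look like on a host where
# the firewall is on and Security Center is allowed to report on the AV.
HARDENED_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 1 (0x1)
"""

KEY_RE = re.compile(r'^\[(.+)\]$')              # [HKEY_...\path]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')  # "name"= value


@dataclass
class Finding:
    severity: str   # 'high', 'medium' or 'info'
    key: str        # registry key the line was found under
    detail: str     # human-readable explanation


def parse_reg_points(text):
    """Return {key: [line, ...]} for every [KEY] block in the dump."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            blocks.setdefault(current, [])
        elif current is not None:
            blocks[current].append(line)
    return blocks


def triage(text):
    """Apply the rule set to a dump and return the list of findings in log order."""
    findings = []
    for key, lines in parse_reg_points(text).items():
        lk = key.lower()
        for line in lines:
            m = VALUE_RE.match(line)
            name, value = (m.group(1), m.group(2).strip()) if m else (None, line)
            if (lk.endswith(r'firewallpolicy\standardprofile')
                    and name == 'EnableFirewall' and value.startswith('0')):
                findings.append(Finding('high', key,
                    'Windows Firewall is disabled for the standard profile'))
            elif ('security center' in lk and name == 'AntiVirusOverride'
                    and value.lower() == 'dword:00000001'):
                findings.append(Finding('medium', key,
                    'Security Center antivirus monitoring is overridden (no AV alerts)'))
            elif 'globallyopenports' in lk and name:
                port, _, proto = name.partition(':')
                label = ' (Remote Desktop)' if port == '3389' else ''
                findings.append(Finding('high', key,
                    f'inbound {proto} port {port}{label} is open to every network'))
            elif 'browser helper objects' in lk:
                # file lines look like: date time size attrs path
                findings.append(Finding('info', key,
                    f'BHO loaded from {line.split(None, 4)[-1]}'))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'[{f.severity:<6}] {f.detail}')
        print(f'         under {f.key}')
```

Run as a script it prints four findings for the posted excerpt and none for the hardened sample; the BHO line is reported as informational because a BHO is a load point to review, not a weakness in itself.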

#8 DottieR

DottieR
  • Topic Starter

  • Members
  • 275 posts
  • Local time:11:15 AM

Posted 28 April 2009 - 09:31 PM

I meant I already uninstalled 'ask toolbar'. Don't know why you found it.

#9 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,149 posts
  • Gender:Male
  • Location:Midlands, UK
  • Local time:07:15 PM

Posted 29 April 2009 - 02:55 AM

Hi DottieR

I meant I already uninstalled 'ask toolbar'. Don't know why you found it.

It obviously didn't remove everything; there are still traces of it lying around.
We can easily sort these out.

Although the results from Kaspersky didn't find anything new, it did throw up what Dr Web had already removed:
http://www.emsisoft.com/en/malware/?Adware...or.IRC.Zapchast

Because backdoor trojans have the capability to steal passwords etc., I have to warn you that your security may well have been compromised.

This is what I normally say:
It is known that these trojans can communicate with remote computers, download and run code, send emails and redirect browser requests. Unfortunately we cannot be sure about what they have done.

If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojans have been identified there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS.

For more information read ....Here
If you choose to format and reinstall read...... Here

Should you decide not to follow that advice, we will of course do our best to clean the computer of any infections that we can see but, as I already stated, we can in no way guarantee it to be trustworthy again.

Let me know what you want to do before we carry on.

Thanks.



#10 DottieR

DottieR
  • Topic Starter

  • Members
  • 275 posts
  • Local time:11:15 AM

Posted 29 April 2009 - 05:46 PM

I am willing to reformat if I can save my documents. Do you mean just the OS needs to be wiped?

#11 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,149 posts
  • Gender:Male
  • Location:Midlands, UK
  • Local time:07:15 PM

Posted 30 April 2009 - 10:49 AM

Hi DottieR

if I can save my documents

Saving your documents isn't a problem.
Just stick to ordinary documents, pics etc.... but best not to save any .exe files.
Save them to a disc or a USB stick.

Do you mean just the OS needs to be wiped?

With this type of infection, it's best to do a reformat and re-install (a clean install); this will remove everything.

If you have any questions before starting the re-install.... just ask.



#12 DottieR

DottieR
  • Topic Starter

  • Members
  • 275 posts
  • Local time:11:15 AM

Posted 30 April 2009 - 10:58 AM

I upgraded to XP from 98. Do I uninstall both, XP first or just 98?

#13 DottieR

DottieR
  • Topic Starter

  • Members
  • 275 posts
  • Local time:11:15 AM

Posted 30 April 2009 - 11:47 AM

So I back up what I need to save. I made another boot floppy. The one that came with the computer says it is not formatted when I try to read it. I could not make the boot disk from Control Panel. I put it in, right-clicked on A: in My Computer and chose "create a MS-DOS start-up disk."

But the instructions stop there. I don't remember how to wipe the C: disk.

#14 DottieR

DottieR
  • Topic Starter

  • Members
  • 275 posts
  • Local time:11:15 AM

Posted 30 April 2009 - 12:29 PM

These are the .exe files I found in "My documents". Some of them are possible problems. Should I just delete them all before I backup? I am not sure how they are linked to any of the documents I would be backing up.

#15 DottieR

DottieR
  • Topic Starter

  • Members
  • 275 posts
  • Local time:11:15 AM

Posted 30 April 2009 - 12:42 PM

Forgot to add the files I found in My Documents. Sorry.
Most seem to be bad news.

ASPCOMP
CONVERT
DT PATCH
PCEDIT
PCINSTAL
PCKEYMAP
PCMAIL
PCPLUS
PCSETUP
GMEM
shortcut to "Beginner needing to fix NHUpdater.exe pop up - Tech Support Guy Forums"
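Starbuck's advice earlier in the thread is to back up ordinary documents and pictures but leave .exe files behind, and DottieR's list above shows that a My Documents folder can hold executables and shortcuts that are not obviously documents. As an added example (not from the thread or from any tool named in it), the Python script below copies a folder tree to backup media while skipping files whose extension marks them as code, including the .vbs type in the thread title, and any file that starts with the 'MZ' header of a Windows executable even when it has been renamed or has no extension. It writes a manifest with SHA-256 digests of everything it skipped so those files can be reviewed later. The extension list, the file names in the demo tree and the manifest name are this example's own choices.

```python
"""Back up a user's documents without carrying executable content to the clean install.

Added example for this thread, not code from BleepingComputer or any tool
named in it. Extension list, demo file names and manifest name are this
example's own choices.
"""
import hashlib
import os
import shutil
import tempfile

# Extensions that can carry code; anything matching stays on the old disk.
CODE_EXTENSIONS = {
    '.exe', '.com', '.scr', '.pif', '.dll', '.sys', '.cpl', '.msi',
    '.bat', '.cmd', '.vbs', '.vbe', '.js', '.jse', '.wsf', '.wsh',
    '.hta', '.lnk', '.reg', '.ps1',
}


def sha256_of(path):
    """Streaming SHA-256 of a file, for the manifest of skipped files."""
    h = hashlib.sha256()
    with open(path, 'rb') as f:
        for chunk in iter(lambda: f.read(65536), b''):
            h.update(chunk)
    return h.hexdigest()


def is_code_file(path):
    """True for a code-type extension or a file carrying the DOS/PE 'MZ' header."""
    if os.path.splitext(path)[1].lower() in CODE_EXTENSIONS:
        return True
    with open(path, 'rb') as f:
        return f.read(2) == b'MZ'


def backup_documents(src, dst):
    """Copy src into dst, skipping code files.

    Returns (copied, skipped): sorted lists of '/'-separated relative paths.
    A SKIPPED-FILES.txt manifest (digest and path per line) is written to dst.
    """
    copied, skipped = [], []
    os.makedirs(dst, exist_ok=True)
    for root, _dirs, files in os.walk(src):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, src).replace(os.sep, '/')
            if is_code_file(full):
                skipped.append((rel, sha256_of(full)))
                continue
            target = os.path.join(dst, *rel.split('/'))
            os.makedirs(os.path.dirname(target), exist_ok=True)
            shutil.copy2(full, target)   # keeps timestamps of the document
            copied.append(rel)
    with open(os.path.join(dst, 'SKIPPED-FILES.txt'), 'w') as manifest:
        for rel, digest in skipped:
            manifest.write(f'{digest}  {rel}\n')
    return sorted(copied), sorted(rel for rel, _ in skipped)


def run_demo():
    """Build a constructed sample 'My Documents' tree in a temp dir and back it up."""
    src = tempfile.mkdtemp(prefix='mydocs-')
    dst = tempfile.mkdtemp(prefix='backup-')
    os.makedirs(os.path.join(src, 'pics'))
    samples = {                                       # constructed contents
        'letter.txt': b'sample text',
        os.path.join('pics', 'photo.jpg'): b'\xff\xd8\xff\xd9',
        'setup.exe': b'MZ\x90\x00',                   # executable by extension
        'script.VBS': b'MsgBox "hi"',                 # script, upper-case extension
        'GMEM': b'MZ\x90\x00',                        # no extension, MZ header
    }
    for rel, data in samples.items():
        with open(os.path.join(src, rel), 'wb') as f:
            f.write(data)
    copied, skipped = backup_documents(src, dst)
    with open(os.path.join(dst, 'SKIPPED-FILES.txt')) as f:
        manifest_lines = f.read().splitlines()
    return copied, skipped, manifest_lines


if __name__ == '__main__':
    copied, skipped, manifest = run_demo()
    print('copied :', copied)
    print('skipped:', skipped)
    print('\n'.join(manifest))
```

In real use the destination would be the USB stick or disc Starbuck mentions; the manifest travels with the backup so that any skipped file someone later decides they need can be checked against its recorded digest before it is ever run on the rebuilt machine.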



