Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Yet another case of the Google redirect - pp10.exe running.


  • This topic is locked This topic is locked
4 replies to this topic

#1 cephron

cephron

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:07:47 AM

Posted 16 June 2009 - 01:23 AM

The problem:

-Virus/Trojan/Spyware/Malware (not certain which is the proper term, I'll just call it malware) which redirects my browser (IE) whenever I click on a Google search result link.
-Redirect seems to always take me to: lo-find (dot) com
-When my computer is connected to the internet, windows will open spontaneously, claiming my hard drive is full of trojans/etc., prompting me to run checks from the security center.
-task manager is frequently disabled. (I am unsure as to whether this is caused by the malware, or my computer's response to it...)

Some context and history:

Ever since my norton subscription ran out, I have been protecting my computer - or attempting to - with Spybot S&D alone. (TeaTimer thing running).
It asks me to manually allow or deny registry changes, which I habitually allow when installing updates and deny when browsing the web.
My computer caught this malware when I was simultaneously installing a microsoft-provided IDE for C++ (Microsoft Visual C++ 2008 Express Edition) and browsing the web. When a bunch of registry change requests came up, I assumed they were involved in the installation and allowed them.

Shortly afterwards, the problems began. So I disabled my internet connection and ran spybot. Spybot found two entries (something about "WindowsSecurityCenter") and claimed that it had fixed them.
I had my task manager back, as well.
But whenever I reconnected my internet, the problems would return and spybot would find the same two entries again.
So I left my computer offline, and have been using the family computer for research and downloads, and shuttling stuff between the two computers on a memory stick.

A friend of mine advised me to download Process Moniter and use it to identify the malicious processes. I found pp10.exe, which seems to fit the bill.
I have not manually deleted any files or terminated any processes in an attempt to weed this out.

Help would be very much appreciated, thank you.

DDS Log:

DDS (Ver_09-05-14.01) - NTFSx86
Run by Chris at 1:30:02.59 on 16/06/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.767.556 [GMT -8:00]

AV: Spy Sweeper with AntiVirus *On-access scanning disabled* (Updated) {B3891867-7230-459B-9987-E7CCFA7A7D1D}
AV: Norton AntiVirus 2006 *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Worm Protection *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\SysMonitor.exe
C:\Program Files\X3watch\x3watch.exe
svchost
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\D-Link\D-Link Xtreme N Dual Band DWA-160\AirNCFG.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\SYSDLL.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
c:\windows\pp10.exe
C:\WINDOWS\system32\svchost.exe -k podmena
C:\Documents and Settings\Chris\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://global.acer.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~2\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton AntiVirus: {c4069e3a-68f1-403e-b40e-20066696354b} - c:\program files\norton antivirus\NavShExt.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [PowerBar]
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [SYSDLL] SYSDLL
mRun: [Acer Empowering Technology Monitor] c:\windows\system32\SysMonitor.exe
mRun: [x3watch] "c:\program files\x3watch\x3watch.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [CatalystRegistration] "c:\program files\ati\catalystregistration\dolce.exe"
mRun: [ImageItEncrypt] c:\windows\system32\ImageItEncrypt.exe
mRun: [c:\windows\system32\kdnjd.exe] c:\windows\system32\kdnjd.exe
mRun: [ANIWZCS2Service] c:\program files\ani\aniwzcs2 service\WZCSLDR2.exe
mRun: [D-Link D-Link Xtreme N Dual Band DWA-160] c:\program files\d-link\d-link xtreme n dual band dwa-160\AirNCFG.exe
mRun: [pp] c:\windows\pp10.exe
mRun: [sysldtray] c:\windows\ld09.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~2\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: WRNotifier - WRLogonNTF.dll

============= SERVICES / DRIVERS ===============

R0 m5287;m5287;c:\windows\system32\drivers\m5287.sys [2004-12-15 76544]
R1 podmenadrv;podmenadrv;c:\program files\podmena\podmena.sys [2009-6-16 9472]
R1 SAVRTPEL;SAVRTPEL;c:\program files\norton antivirus\Savrtpel.sys [2005-12-19 54968]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCEVTMGR.EXE [2006-1-11 192104]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSETMGR.EXE [2006-1-11 169576]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 navapsvc;Norton AntiVirus Auto-Protect Service;c:\program files\norton antivirus\NAVAPSVC.EXE [2006-2-5 139936]
R2 podmena;podmena;c:\windows\system32\svchost.exe -k podmena [2004-8-10 14336]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-8-26 1174152]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\spy sweeper\SpySweeper.exe [2006-8-26 3376704]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2007-7-30 106808]
R3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [2009-5-8 57440]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20070728.005\NAVENG.Sys [2007-7-29 81232]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20070728.005\NavEx15.Sys [2007-7-29 865904]
R3 SAVRT;SAVRT;c:\program files\norton antivirus\savrt.sys [2005-12-19 337592]
S0 Glx60;Glx60; [x]
S3 arusb(Atheros);Atheros Wireless Network Adapter Service(Atheros);c:\windows\system32\drivers\arusb.sys [2009-5-8 434688]
S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\d-link\d-link xtreme n dual band dwa-160\jswutil\jswpsapi.exe [2009-5-8 356434]
S3 SAVScan;Symantec AVScan;c:\program files\norton antivirus\SAVScan.exe [2005-12-19 198416]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2008-7-10 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-7-10 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2008-7-10 369688]

=============== Created Last 30 ================

2009-06-16 00:20 <DIR> --d----- c:\program files\podmena
2009-06-16 00:20 2 ----h--- c:\windows\zaponce53575.dat
2009-06-16 00:20 2 ----h--- c:\windows\zaponce53652.dat
2009-06-16 00:20 15,872 ----h--- c:\windows\ld09.exe
2009-05-30 00:10 50,200 a------- c:\windows\system32\perf-SQLAgent$SQLEXPRESS-sqlagtctr10.0.1600.22.dll
2009-05-30 00:10 79,896 a------- c:\windows\system32\perf-MSSQL$SQLEXPRESS-sqlctr10.0.1600.22.dll
2009-05-30 00:09 <DIR> --d----- c:\windows\system32\RsFx
2009-05-29 23:58 <DIR> --d----- c:\program files\Microsoft SQL Server
2009-05-29 23:53 <DIR> --d----- c:\program files\common files\Merge Modules
2009-05-29 23:50 <DIR> --d----- c:\windows\system32\XPSViewer
2009-05-29 23:49 597,504 -------- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-05-29 23:49 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-05-29 23:49 575,488 -------- c:\windows\system32\dllcache\xpsshhdr.dll
2009-05-29 23:49 117,760 -------- c:\windows\system32\prntvpt.dll
2009-05-29 23:49 89,088 -------- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-05-29 23:49 <DIR> --d----- C:\03c0e6004aa354d24826c5c5
2009-05-29 23:49 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-05-29 23:49 1,676,288 -------- c:\windows\system32\dllcache\xpssvcs.dll
2009-05-29 23:48 <DIR> --d----- c:\windows\SxsCaPendDel
2009-05-29 23:46 1 a------- c:\windows\9g2234wesdf3dfgjf23
2009-05-29 23:46 13,824 ----h--- c:\windows\pp10.exe
2009-05-29 23:46 17,408 a------- c:\windows\system32\SYSDLL.exe
2009-05-29 23:46 2 ----h--- c:\windows\sonce122730.dat
2009-05-29 23:45 <DIR> --d----- c:\windows\system32\sysloc
2009-05-29 23:45 77,698 a------- c:\windows\system32\pmx
2009-05-29 23:45 44,544 a------- c:\windows\system32\inform.dat
2009-05-29 23:45 33,280 a------- c:\windows\system32\xagkf32.dll
2009-05-29 23:41 <DIR> --d----- c:\program files\MSXML 6.0
2009-05-21 20:37 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-21 20:14 <DIR> --d----- c:\documents and settings\chris\workspace
2009-05-20 23:08 7 a------- c:\windows\system32\ANIWZCSUSERNAME

==================== Find3M ====================

2009-03-27 21:05 78,613 a------- c:\windows\War3Unin.dat
2009-03-21 06:18 986,112 a------- c:\windows\system32\dllcache\kernel32.dll
2007-09-25 11:40 251 a------- c:\program files\wt3d.ini
2007-04-28 10:22 1,367,553 a------- c:\program files\mIRC621.exe
2004-10-01 15:00 40,960 a------- c:\program files\Uninstall_CDS.exe

============= FINISH: 1:31:02.17 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:01:47 PM

Posted 16 June 2009 - 08:09 AM

Hi,

* Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • In case you already used MBAM previously, please update it before proceeding with the scan. To do this, click the "Update" tab and click the "Check For updates" button.
  • Once the program has loaded and updates were downloaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

In case you lost internet access after performing above instructions:

In IE: Tools Menu -> Internet Options -> Connections Tab ->Lan Settings > uncheck "use a proxy server" or reconfigure the Proxy server again in case you have set it previously.
In Firefox in Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 cephron

cephron
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:07:47 AM

Posted 18 June 2009 - 10:33 PM

I ran the quicksearch twice: The first time, it found 39 infections and asked me to reboot. The second time, it found one and removed it without reboot.

FIRST LOG:

Malwarebytes' Anti-Malware 1.38
Database version: 2306
Windows 5.1.2600 Service Pack 2

18/06/2009 9:01:56 PM
mbam-log-2009-06-18 (21-01-56).txt

Scan type: Quick Scan
Objects scanned: 102530
Time elapsed: 7 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 9
Registry Values Infected: 2
Registry Data Items Infected: 3
Folders Infected: 2
Files Infected: 22

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\program files\podmena\podmena.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\podmena (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\podmena (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\podmena (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7c7efe99-c71f-48b8-8cc8-ba506ca76a33} (Password.Stealer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7c7efe99-c71f-48b8-8cc8-ba506ca76a33} (Password.Stealer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3f5a62e2-51f2-11d3-a075-cc7364cae42a} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\podmenadrv (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\podmenadrv (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\podmenadrv (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\podmena (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\8085:tcp (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\sysloc (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Program Files\podmena (Trojan.Downloader) -> Delete on reboot.

Files Infected:
c:\program files\podmena\podmena.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\xagkf32.dll (Password.Stealer) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\wpx11.cpx (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\wbem\grpconv.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\wbem\proquota.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Chris\local settings\temporary internet files\Content.IE5\5O10CPIS\nfr[1].exe (Trojan.Proxy) -> Quarantined and deleted successfully.
c:\documents and settings\Chris\local settings\temporary internet files\Content.IE5\6JKC9E01\pdrv[1].exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\documents and settings\Chris\local settings\temporary internet files\Content.IE5\FJALLV8R\6244[1].exe (Worm.Koobface) -> Quarantined and deleted successfully.
c:\documents and settings\Chris\local settings\temporary internet files\Content.IE5\PGLH5F07\pp.10[1].exe (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\sysloc\sysloc.dll (Trojan.BHO) -> Quarantined and deleted successfully.
c:\program files\podmena\podmena.sys (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\msauc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\shell31.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\wpx12.cpx (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\wpx98.cpx (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\temp\wpv011244797190.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lich.dat (Stolen.data) -> Quarantined and deleted successfully.
c:\WINDOWS\9g2234wesdf3dfgjf23 (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\sonce122730.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\documents and settings\Chris\Application Data\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\zaponce53575.dat (Worm.Koobface) -> Quarantined and deleted successfully.
c:\WINDOWS\zaponce53652.dat (Worm.Koobface) -> Quarantined and deleted successfully.



SECOND LOG:

Malwarebytes' Anti-Malware 1.38
Database version: 2306
Windows 5.1.2600 Service Pack 2

18/06/2009 9:16:23 PM
mbam-log-2009-06-18 (21-16-23).txt

Scan type: Quick Scan
Objects scanned: 102402
Time elapsed: 8 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by cephron, 18 June 2009 - 10:34 PM.


#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:01:47 PM

Posted 19 June 2009 - 01:35 AM

Hi,

It looks like your userinit is most probably infected...

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix..This because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and blocks the tool, or even deletes it. Please visit HERE if you don't know how.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:01:47 PM

Posted 07 July 2009 - 07:28 AM

Due to the lack of feedback, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users