
Personal Antivirus


10 replies to this topic

#1 pseudonym

pseudonym

  • Members
  • 27 posts
  • OFFLINE
  • Local time:08:16 AM

Posted 12 August 2009 - 11:50 AM

I have a rogue antivirus called Personal Antivirus (Personal AV) installed on my PC. I tried the steps of removal on this site but whenever I try to run Malwarebytes, it never does. I can see it open in task manager but that is as far as it gets. It will not let me run any other malware removal software either. It is also redirecting searches in my browser. I tried uninstalling the Personal Antivirus through the uninstall command through the program's start menu but to no avail. I am posting the logs so that someone could hopefully help me remove this. Thank you very much for your assistance.

Attached Files

  • Attached File  log.txt   49.16KB   6 downloads
  • Attached File  log.txt   49.16KB   14 downloads



#2 shelf life

shelf life

  • Malware Response Team
  • 2,646 posts
  • OFFLINE
  • Gender:Male
  • Location:@localhost
  • Local time:10:16 AM

Posted 23 August 2009 - 04:06 PM

hi pseudonym,

Sorry for delay, no shortage of posters. Your log is several days old. If you still need some help, reply to my post and give me an update on anything you have tried to do to remove the malware from your machine.

How Can I Reduce My Risk to Malware?


#3 pseudonym

pseudonym
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:08:16 AM

Posted 24 August 2009 - 09:26 AM

Hi shelf life,

I am still having problems. I tried removing the malware using Malwarebytes, but whenever I try running it it never opens. I can see the process running in the task manager but the application itself never runs. This is the same for any other software I try running such as Spybot. I tried uninstalling the Personal Antivirus but that does not work either. The only thing I could get to run was the DDS logs, which I attached. I would appreciate any help you could give me!

#4 shelf life

shelf life

  • Malware Response Team
  • 2,646 posts
  • OFFLINE
  • Gender:Male
  • Location:@localhost
  • Local time:10:16 AM

Posted 24 August 2009 - 04:58 PM

ok try this first: Navigate to C:\Program Files using Explorer (right click on Start > Explore). Find the Malwarebytes Antimalware folder. Find the MBAM.exe icon inside the folder. Right click on it and choose Rename. Change the name to scanner.exe and close the window. Last: double click the icon on your desktop and see if it runs.

If this doesn't work we will use Combofix. There is a guide to read first. If you can read it on another computer, do so. Once you are ready to download you can use the infected computer. Download Combofix to the computer, but before you save it rename it to combofix1.exe, then save it to your desktop. Double click the icon on your desktop and follow the prompts. Post the Combofix log in your reply.

Guide to using Combofix

How Can I Reduce My Risk to Malware?


#5 pseudonym

pseudonym
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:08:16 AM

Posted 24 August 2009 - 09:49 PM

I changed the filename as requested and Malwarebytes ran and detected 14 items. It deleted all of them. I then ran Combofix. It detected and deleted several rootkit files. Everything seems to be working fine now. Here is the Combofix log:



ComboFix 09-08-24.05 - Dr. Lucero 08/24/2009 21:07.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2009.1549 [GMT -5:00]
Running from: c:\documents and settings\Dr. Lucero\Desktop\ComboFix.exe
AV: AVG Internet Security Network Edition *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\ndisrd.sys
c:\windows\system32\drivers\UACmbadsrduxk.sys
c:\windows\system32\ndisapi.dll
c:\windows\system32\UACepbbdgfwnl.dat
c:\windows\system32\uacinit.dll
c:\windows\system32\UACqjhnubbplr.dll
c:\windows\system32\UACrcxailbufd.dll
c:\windows\system32\UACycxsulrmld.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_UACd.sys
-------\Legacy_NDISRD
-------\Legacy_NWCWORKSTATION
-------\Service_NDISRD
-------\Service_NWCWorkstation


((((((((((((((((((((((((( Files Created from 2009-07-25 to 2009-08-25 )))))))))))))))))))))))))))))))
.

2009-08-25 00:39 . 2009-08-25 00:39 -------- d-----w- c:\documents and settings\Dr. Lucero\Application Data\Malwarebytes
2009-08-20 10:53 . 2009-08-20 10:53 69632 ----a-w- c:\windows\system32\drivers\ivpdmcrspmkaftew.sys
2009-08-20 09:49 . 2009-08-20 09:49 28692 ----a-w- c:\windows\system32\DLLSetup2.exe
2009-08-19 21:52 . 2009-08-19 21:52 32276 ----a-w- c:\windows\system32\DLLSetup.exe
2009-08-14 18:00 . 2009-07-31 04:10 2061592 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-08-14 18:00 . 2009-07-31 04:10 2000152 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtray.exe
2009-08-14 18:00 . 2009-07-31 04:10 1213720 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgfrw.exe
2009-08-14 17:59 . 2009-07-31 04:07 1471768 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-08-14 17:59 . 2009-07-31 04:07 1126168 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe
2009-08-14 17:59 . 2009-07-31 04:07 758040 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avginet.dll
2009-08-12 16:40 . 2009-08-12 16:41 -------- d-----w- C:\rsit
2009-08-12 16:40 . 2009-08-12 16:41 -------- d-----w- c:\program files\trend micro
2009-08-12 16:30 . 2009-08-12 16:30 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-12 15:36 . 2009-08-03 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-12 15:36 . 2009-08-25 00:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-12 15:36 . 2009-08-12 15:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-12 15:36 . 2009-08-03 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-12 01:17 . 2009-08-19 01:16 -------- d--h--w- C:\$AVG8.VAULT$
2009-08-07 20:54 . 2009-08-25 00:45 -------- d-----w- c:\program files\Common Files\Uninstall
2009-08-04 22:32 . 2009-07-03 17:09 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-08-04 22:32 . 2009-07-03 17:09 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-08-04 22:30 . 2009-06-16 14:36 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2009-08-04 22:30 . 2009-06-16 14:36 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2009-08-04 22:21 . 2009-08-04 22:24 5621840 ----a-w- c:\temp\office2007-kb971933-fullfile-x86-glb.exe
2009-08-04 22:08 . 2009-08-04 22:17 21272472 ----a-w- c:\temp\office2007-kb963678-fullfile-x86-en-us.exe
2009-08-04 22:07 . 2009-08-04 22:08 2121360 ----a-w- c:\temp\office2007-kb963673-fullfile-x86-en-us.exe
2009-08-04 21:59 . 2009-08-04 22:05 16089240 ----a-w- c:\temp\office2007-kb963669-fullfile-x86-en-us.exe
2009-07-30 19:39 . 2006-02-21 02:27 81987 ----a-w- c:\windows\system32\AUCPLMNT.DLL
2009-07-30 19:38 . 2009-07-30 19:40 -------- d-----w- c:\program files\Canon
2009-07-30 19:37 . 2009-07-30 19:37 -------- d-----w- c:\temp\x32

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-10 21:06 . 2009-08-10 21:06 32276 ----a-w- c:\windows\system32\PSetup.exe.tmp
2009-08-05 09:31 . 2009-06-07 00:57 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-04 22:32 . 2009-06-07 00:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-07-31 04:10 . 2009-06-18 03:06 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-07-31 04:10 . 2009-06-18 03:06 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-31 04:10 . 2009-06-18 03:06 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-07-31 04:10 . 2009-07-07 14:17 3476760 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-07-13 15:22 . 2009-07-13 15:19 103167 ----a-w- c:\windows\hpoins08.dat
2009-07-13 15:22 . 2009-07-13 15:22 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2009-07-13 15:20 . 2009-07-13 15:20 -------- d-----w- c:\program files\HP
2009-07-03 17:09 . 2008-04-25 16:16 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-22 16:41 . 2009-06-07 00:54 68456 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-18 03:06 . 2009-06-18 03:06 12552 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-06-18 03:02 . 2009-06-18 03:02 82432 ----a-w- c:\windows\system32\msxml4r.dll
2009-06-18 03:02 . 2009-06-18 03:02 44544 ----a-w- c:\windows\system32\msxml4a.dll
2009-06-17 16:36 . 2009-06-17 16:36 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-06-17 16:03 . 2009-06-17 16:03 152576 ----a-w- c:\documents and settings\Dr. Lucero\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-06-16 14:36 . 2008-04-25 16:16 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2008-04-25 16:16 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-07 00:59 . 2009-06-17 15:51 68456 ----a-w- c:\documents and settings\Dr. Lucero\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-07 00:50 . 2009-06-07 00:50 75 --sh--r- c:\windows\CT4CET.bin
2009-06-07 00:47 . 2008-04-25 21:28 87263 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-06-03 19:09 . 2008-04-25 16:16 1291264 ----a-w- c:\windows\system32\quartz.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-03-31 217088]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-02-22 483420]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-02-22 729088]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-01-22 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-01-22 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-01-22 150040]
"OEM13Mon.exe"="c:\windows\OEM13Mon.exe" [2009-01-19 36864]
"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-12-12 2220032]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-02-05 128232]
"Kaseya Agent Service Helper"="c:\program files\TeamLogic IT\Agent\KaUsrTsk.exe" [2008-09-04 229376]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"AT&T Communication Manager"="c:\program files\AT&T\Communication Manager\ATTCM.exe" [2008-12-01 33280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-07-31 04:10 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Dell Video Chat\\DellVideoChat.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\AT&T\\Communication Manager\\SwiApiMux.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [6/17/2009 10:06 PM 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/17/2009 10:06 PM 335240]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/17/2009 10:06 PM 297752]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [2/20/2009 9:46 AM 30312]
R2 KaseyaAgent;Kaseya Agent;c:\program files\TeamLogic IT\Agent\AgentMon.exe [6/17/2009 11:01 AM 610304]
R2 KaseyaAVService;Kaseya Security Service;c:\program files\TeamLogic IT\Agent\KasAVSrv.exe [6/17/2009 10:02 PM 200704]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [6/6/2009 10:40 PM 112512]
R3 KAPFA;KAPFA;c:\windows\system32\drivers\KaPFA.sys [6/17/2009 11:01 AM 20792]
R3 O2MDGRDR;O2MDGRDR;c:\windows\system32\drivers\o2mdg.sys [6/6/2009 10:40 PM 51616]
R3 O2SDGRDR;O2SDGRDR;c:\windows\system32\drivers\o2sdg.sys [6/6/2009 10:40 PM 41760]
R3 OEM13Afx;Provides a software interface to control audio effects of OEM013 camera.;c:\windows\system32\drivers\OEM13Afx.sys [6/6/2009 10:40 PM 141376]
R3 OEM13Vfx;Creative Camera OEM013 Video VFX Driver;c:\windows\system32\drivers\OEM13Vfx.sys [6/6/2009 10:40 PM 7424]
R3 OEM13Vid;Creative Camera OEM013 Driver;c:\windows\system32\drivers\OEM13Vid.sys [6/6/2009 10:40 PM 235840]
S2 Norton Internet Security;Norton Internet Security;"c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe" /s "Norton Internet Security" /m "c:\program files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll" /prefetch:1 --> c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe [?]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [11/20/2008 10:07 PM 113152]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [11/24/2008 10:31 PM 29263712]
S3 SWNC8U80;Sierra Wireless MUX NDIS Driver (UMTS80);c:\windows\system32\drivers\swnc8u80.sys [8/20/2008 1:35 PM 168192]
S3 SWUMX80;Sierra Wireless USB MUX Driver (UMTS80);c:\windows\system32\drivers\swumx80.sys [8/20/2008 1:36 PM 142976]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-25 c:\windows\Tasks\User_Feed_Synchronization-{EEA1C1D3-44DE-46D0-8643-8D3C7D93A785}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: bmnet.dll
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-24 21:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\docume~1\DR9412~1.LUC\LOCALS~1\Temp\catchme.dll 53248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(928)
c:\program files\RealVNC\VNC4\wm_hooks.dll

- - - - - - - > 'lsass.exe'(984)
c:\windows\system32\bmnet.dll

- - - - - - - > 'explorer.exe'(3120)
c:\windows\system32\WININET.dll
c:\program files\RealVNC\VNC4\wm_hooks.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\bmnet.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\program files\Common Files\Roxio Shared\9.0\DLLShared\DLAAPI_W.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\drivers\audio\R211990\stacsv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\drivers\o2flash.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\progra~1\AVG\AVG8\avgam.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\RealVNC\VNC4\WinVNC4.exe
c:\windows\system32\searchindexer.exe
c:\temp\KRlyCLis.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\DellTPad\ApntEx.exe
c:\program files\DellTPad\hidfind.exe
.
**************************************************************************
.
Completion time: 2009-08-25 21:34 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-25 02:34

Pre-Run: 236,962,406,400 bytes free
Post-Run: 237,366,083,584 bytes free


#6 shelf life

shelf life

  • Malware Response Team
  • 2,646 posts
  • OFFLINE
  • Gender:Male
  • Location:@localhost
  • Local time:10:16 AM

Posted 26 August 2009 - 05:38 PM

hi,

ok good. sorry for delay. can you post the last malwarebytes log:

The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Post the log in your reply, the one that found the 14 items (08/24/2009)?

How Can I Reduce My Risk to Malware?


#7 pseudonym

pseudonym
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:08:16 AM

Posted 27 August 2009 - 09:36 AM

No problem. I really appreciate your help. Here is the Malwarebytes log:



Malwarebytes' Anti-Malware 1.40
Database version: 2691
Windows 5.1.2600 Service Pack 3

8/24/2009 7:45:46 PM
mbam-log-2009-08-24 (19-45-46).txt

Scan type: Quick Scan
Objects scanned: 103360
Time elapsed: 3 minute(s), 27 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 4
Registry Keys Infected: 6
Registry Values Infected: 3
Registry Data Items Infected: 1
Folders Infected: 3
Files Infected: 13

Memory Processes Infected:
C:\Program Files\PersonalAV\pav.exe (Rogue.PersonalAntiVirus) -> Unloaded process successfully.

Memory Modules Infected:
\\?\globalroot\systemroot\system32\UACrcxailbufd.dll (Rogue.Agent) -> Delete on reboot.
\\?\globalroot\systemroot\system32\UACycxsulrmld.dll (Trojan.TDSS) -> Delete on reboot.
C:\Documents and Settings\Dr. Lucero\Application Data\htopgsnx.dll (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Dr. Lucero\Application Data\sttmfhcb.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{a77d3539-581d-450c-9e44-a84c415a6172} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a77d3539-581d-450c-9e44-a84c415a6172} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a77d3539-581d-450c-9e44-a84c415a6172} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\htopgsnx (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sttmfhcb (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\personalav (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Environment\avapp (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Environment\avuninst (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Common Files\Uninstall\PersonalAV (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.
C:\Program Files\PersonalAV (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\PersonalAV (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.

Files Infected:
\\?\globalroot\systemroot\system32\UACrcxailbufd.dll (Rogue.Agent) -> Quarantined and deleted successfully.
\\?\globalroot\systemroot\system32\UACycxsulrmld.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\1250758520.exe (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dr. Lucero\Local Settings\Temp\horcioriwq.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dr. Lucero\Local Settings\Temporary Internet Files\Content.IE5\7PC0M7L2\setup[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\Uninstall\PersonalAV\Uninstall.lnk (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.
C:\Program Files\PersonalAV\pav.exe (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\PersonalAV\Personal Antivirus.lnk (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\PersonalAV\Uninstall.lnk (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dr. Lucero\Application Data\htopgsnx.dll (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Dr. Lucero\Application Data\sttmfhcb.dll (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Dr. Lucero\Desktop\Personal Antivirus.lnk (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.

#8 shelf life

shelf life

  • Malware Response Team
  • 2,646 posts
  • OFFLINE
  • Gender:Male
  • Location:@localhost
  • Local time:10:16 AM

Posted 27 August 2009 - 07:15 PM

ok we will use combofix:

Click Start, then Run and type Notepad and click OK.
Copy/paste the text in the code box below into notepad:

File::
c:\windows\system32\drivers\ivpdmcrspmkaftew.sys

Driver::
ivpdmcrspmkaftew.sys

Name the Notepad file CFScript.txt and Save it to your desktop.
Now locate the file you just saved and the Combofix icon, both on your desktop.
Using your mouse, drag the CFScript right on top of the Combofix icon and release; Combofix will run and produce a new log.
Please post the new Combofix log.


After Combofix has finished, check Malwarebytes for any updates and post its log:

When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click *Remove Selected.*

*A restart of your computer most likely will be required to remove some items.*

When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Post the log in your reply.

How Can I Reduce My Risk to Malware?
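The CFScript above targets the one driver that the first ComboFix log (post #5) listed as newly created with a machine-generated name. As an added example that is not from this thread or from ComboFix's authors, the Python below parses a constructed excerpt in ComboFix's log layout, flags such drivers with a clearly labelled heuristic, and renders the same File:: / Driver:: directives for a human to review; the section and row formats are assumed from the logs posted in this thread.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed excerpt in ComboFix's log layout, modelled on the thread's first log
# (not the full log): an "Other Deletions" list and a "Files Created" table.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\UACmbadsrduxk.sys
c:\windows\system32\uacinit.dll

.
((((((((((((((((((((((((( Files Created from 2009-07-25 to 2009-08-25 )))))))))))))))))))))))))))))))
.

2009-08-25 00:39 . 2009-08-25 00:39 -------- d-----w- c:\documents and settings\Dr. Lucero\Application Data\Malwarebytes
2009-08-20 10:53 . 2009-08-20 10:53 69632 ----a-w- c:\windows\system32\drivers\ivpdmcrspmkaftew.sys
2009-08-12 15:36 . 2009-08-03 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-12 15:36 . 2009-08-03 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
"""

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")
# "created . modified size attrs path"; size is "--------" for directories
ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\S+) (\S+) (.+)$"
)
PATH_RE = re.compile(r"^[a-zA-Z]:\\")


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]  # None for directories
    attrs: str
    path: str


def parse_log(text: str) -> Dict[str, list]:
    """Split a ComboFix log into its '(((( name ))))' sections. 'Files Created'
    rows become Entry objects; bare paths (e.g. under 'Other Deletions') stay strings."""
    sections: Dict[str, list] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
            continue
        if current is None:
            continue
        m = ENTRY_RE.match(line)
        if m:
            created, modified, size, attrs, path = m.groups()
            size_val = None if size.startswith("-") else int(size)
            sections[current].append(Entry(created, modified, size_val, attrs, path))
        elif PATH_RE.match(line):
            sections[current].append(line)
    return sections


def looks_random(stem: str) -> bool:
    """Heuristic only: a long, purely alphabetic name with few vowels, like the
    ivpdmcrspmkaftew / UACmbadsrduxk driver names in the thread."""
    if len(stem) < 12 or not stem.isalpha():
        return False
    vowels = sum(c in "aeiou" for c in stem.lower())
    return vowels / len(stem) < 0.35


def suspicious_drivers(entries: List[Entry]) -> List[Entry]:
    """Flag .sys files in the drivers directory whose created and modified times are
    identical (written in place, unlike mbam.sys, whose modified time predates its
    install) and whose name looks machine-generated. For review, not auto-deletion."""
    flagged = []
    for e in entries:
        low = e.path.lower()
        if e.size is None or "\\drivers\\" not in low or not low.endswith(".sys"):
            continue
        stem = e.path.rsplit("\\", 1)[-1][:-4]
        if e.created == e.modified and looks_random(stem):
            flagged.append(e)
    return flagged


def build_cfscript(paths: List[str]) -> str:
    """Render File:: / Driver:: directives in the form the helper posted in the thread."""
    names = [p.rsplit("\\", 1)[-1] for p in paths]
    return "File::\n" + "\n".join(paths) + "\n\nDriver::\n" + "\n".join(names) + "\n"


def analyse(text: str) -> dict:
    """Summarise what ComboFix already removed and what a reviewer should look at."""
    sections = parse_log(text)
    key = next((k for k in sections if k.startswith("Files Created")), None)
    flagged = suspicious_drivers(sections[key]) if key else []
    return {
        "already_deleted": sections.get("Other Deletions", []),
        "flagged": [e.path for e in flagged],
        "cfscript": build_cfscript([e.path for e in flagged]),
    }
```

Calling `analyse(SAMPLE_LOG)` returns the two paths ComboFix deleted, the single flagged driver, and a CFScript identical to the one in the post above; mbamswissarmy.sys is not flagged because its modified time predates its creation on disk.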


#9 pseudonym

pseudonym
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:08:16 AM

Posted 27 August 2009 - 09:36 PM

I ran the file in Combofix like you said. I also ran Malwarebytes after, but it did not find anything. Here are both of the logs:



ComboFix 09-08-27.02 - Dr. Lucero 08/27/2009 20:35.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2009.1287 [GMT -5:00]
Running from: c:\documents and settings\Dr. Lucero\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Dr. Lucero\Desktop\CFScript.txt
AV: AVG Internet Security Network Edition *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
"c:\windows\system32\drivers\ivpdmcrspmkaftew.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\ivpdmcrspmkaftew.sys

.
((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-28 )))))))))))))))))))))))))))))))
.

2009-08-25 02:53 . 2009-08-25 02:53 152576 ----a-w- c:\documents and settings\Dr. Lucero\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-25 00:39 . 2009-08-25 00:39 -------- d-----w- c:\documents and settings\Dr. Lucero\Application Data\Malwarebytes
2009-08-14 18:00 . 2009-07-31 04:10 2061592 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-08-14 18:00 . 2009-07-31 04:10 2000152 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtray.exe
2009-08-14 18:00 . 2009-07-31 04:10 1213720 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgfrw.exe
2009-08-14 17:59 . 2009-07-31 04:07 1471768 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-08-14 17:59 . 2009-07-31 04:07 1126168 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe
2009-08-14 17:59 . 2009-07-31 04:07 758040 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avginet.dll
2009-08-12 16:40 . 2009-08-12 16:41 -------- d-----w- C:\rsit
2009-08-12 16:40 . 2009-08-12 16:41 -------- d-----w- c:\program files\trend micro
2009-08-12 16:30 . 2009-08-12 16:30 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-12 15:36 . 2009-08-03 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-12 15:36 . 2009-08-25 00:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-12 15:36 . 2009-08-12 15:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-12 15:36 . 2009-08-03 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-12 01:17 . 2009-08-26 01:11 -------- d--h--w- C:\$AVG8.VAULT$
2009-08-07 20:54 . 2009-08-25 00:45 -------- d-----w- c:\program files\Common Files\Uninstall
2009-08-04 22:32 . 2009-07-03 17:09 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-08-04 22:32 . 2009-07-03 17:09 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-08-04 22:30 . 2009-06-16 14:36 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2009-08-04 22:30 . 2009-06-16 14:36 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2009-08-04 22:21 . 2009-08-04 22:24 5621840 ----a-w- c:\temp\office2007-kb971933-fullfile-x86-glb.exe
2009-08-04 22:08 . 2009-08-04 22:17 21272472 ----a-w- c:\temp\office2007-kb963678-fullfile-x86-en-us.exe
2009-08-04 22:07 . 2009-08-04 22:08 2121360 ----a-w- c:\temp\office2007-kb963673-fullfile-x86-en-us.exe
2009-08-04 21:59 . 2009-08-04 22:05 16089240 ----a-w- c:\temp\office2007-kb963669-fullfile-x86-en-us.exe
2009-07-30 19:39 . 2006-02-21 02:27 81987 ----a-w- c:\windows\system32\AUCPLMNT.DLL
2009-07-30 19:38 . 2009-07-30 19:40 -------- d-----w- c:\program files\Canon
2009-07-30 19:37 . 2009-07-30 19:37 -------- d-----w- c:\temp\x32

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-25 02:53 . 2009-06-07 00:49 -------- d-----w- c:\program files\Java
2009-08-10 21:06 . 2009-08-10 21:06 32276 ----a-w- c:\windows\system32\PSetup.exe.tmp
2009-08-05 09:31 . 2009-06-07 00:57 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-04 22:32 . 2009-06-07 00:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-07-31 04:10 . 2009-06-18 03:06 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-07-31 04:10 . 2009-06-18 03:06 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-31 04:10 . 2009-06-18 03:06 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-07-31 04:10 . 2009-07-07 14:17 3476760 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-07-25 10:23 . 2009-06-07 00:50 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-13 15:22 . 2009-07-13 15:19 103167 ----a-w- c:\windows\hpoins08.dat
2009-07-13 15:22 . 2009-07-13 15:22 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2009-07-13 15:20 . 2009-07-13 15:20 -------- d-----w- c:\program files\HP
2009-07-03 17:09 . 2008-04-25 16:16 915456 ------w- c:\windows\system32\wininet.dll
2009-06-22 16:41 . 2009-06-07 00:54 68456 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-18 03:06 . 2009-06-18 03:06 12552 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-06-18 03:02 . 2009-06-18 03:02 82432 ----a-w- c:\windows\system32\msxml4r.dll
2009-06-18 03:02 . 2009-06-18 03:02 44544 ----a-w- c:\windows\system32\msxml4a.dll
2009-06-17 16:36 . 2009-06-17 16:36 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-06-17 16:03 . 2009-06-17 16:03 152576 ----a-w- c:\documents and settings\Dr. Lucero\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-06-16 14:36 . 2008-04-25 16:16 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2008-04-25 16:16 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-07 00:59 . 2009-06-17 15:51 68456 ----a-w- c:\documents and settings\Dr. Lucero\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-07 00:50 . 2009-06-07 00:50 75 --sh--r- c:\windows\CT4CET.bin
2009-06-07 00:47 . 2008-04-25 21:28 87263 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-06-03 19:09 . 2008-04-25 16:16 1291264 ----a-w- c:\windows\system32\quartz.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-03-31 217088]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-02-22 483420]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-02-22 729088]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-01-22 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-01-22 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-01-22 150040]
"OEM13Mon.exe"="c:\windows\OEM13Mon.exe" [2009-01-19 36864]
"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-12-12 2220032]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-02-05 128232]
"Kaseya Agent Service Helper"="c:\program files\TeamLogic IT\Agent\KaUsrTsk.exe" [2008-09-04 229376]
"AT&T Communication Manager"="c:\program files\AT&T\Communication Manager\ATTCM.exe" [2008-12-01 33280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-07-31 04:10 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Dell Video Chat\\DellVideoChat.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\AT&T\\Communication Manager\\SwiApiMux.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [6/17/2009 10:06 PM 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/17/2009 10:06 PM 335240]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/17/2009 10:06 PM 297752]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [2/20/2009 9:46 AM 30312]
R2 KaseyaAgent;Kaseya Agent;c:\program files\TeamLogic IT\Agent\AgentMon.exe [6/17/2009 11:01 AM 610304]
R2 KaseyaAVService;Kaseya Security Service;c:\program files\TeamLogic IT\Agent\KasAVSrv.exe [6/17/2009 10:02 PM 200704]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [6/6/2009 10:40 PM 112512]
R3 KAPFA;KAPFA;c:\windows\system32\drivers\KaPFA.sys [6/17/2009 11:01 AM 20792]
R3 O2MDGRDR;O2MDGRDR;c:\windows\system32\drivers\o2mdg.sys [6/6/2009 10:40 PM 51616]
R3 O2SDGRDR;O2SDGRDR;c:\windows\system32\drivers\o2sdg.sys [6/6/2009 10:40 PM 41760]
R3 OEM13Afx;Provides a software interface to control audio effects of OEM013 camera.;c:\windows\system32\drivers\OEM13Afx.sys [6/6/2009 10:40 PM 141376]
R3 OEM13Vfx;Creative Camera OEM013 Video VFX Driver;c:\windows\system32\drivers\OEM13Vfx.sys [6/6/2009 10:40 PM 7424]
R3 OEM13Vid;Creative Camera OEM013 Driver;c:\windows\system32\drivers\OEM13Vid.sys [6/6/2009 10:40 PM 235840]
S2 Norton Internet Security;Norton Internet Security;"c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe" /s "Norton Internet Security" /m "c:\program files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll" /prefetch:1 --> c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe [?]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [11/20/2008 10:07 PM 113152]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [11/24/2008 10:31 PM 29263712]
S3 SWNC8U80;Sierra Wireless MUX NDIS Driver (UMTS80);c:\windows\system32\drivers\swnc8u80.sys [8/20/2008 1:35 PM 168192]
S3 SWUMX80;Sierra Wireless USB MUX Driver (UMTS80);c:\windows\system32\drivers\swumx80.sys [8/20/2008 1:36 PM 142976]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - JAVAQUICKSTARTERSERVICE

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-27 c:\windows\Tasks\User_Feed_Synchronization-{EEA1C1D3-44DE-46D0-8643-8D3C7D93A785}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: bmnet.dll
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-27 20:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(984)
c:\windows\system32\bmnet.dll
.
Completion time: 2009-08-28 20:38
ComboFix-quarantined-files.txt 2009-08-28 01:38
ComboFix2.txt 2009-08-25 02:34

Pre-Run: 239,061,954,560 bytes free
Post-Run: 239,059,656,704 bytes free

181







Malwarebytes' Anti-Malware 1.40
Database version: 2708
Windows 5.1.2600 Service Pack 3

8/27/2009 9:01:27 PM
mbam-log-2009-08-27 (21-01-27).txt

Scan type: Quick Scan
Objects scanned: 98386
Time elapsed: 2 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#10 shelf life

shelf life

  • Malware Response Team
  • 2,646 posts
  • OFFLINE
  • Gender:Male
  • Location:@localhost
  • Local time:10:16 AM

Posted 28 August 2009 - 05:46 PM

OK, good. You can remove ComboFix like this:

start>run and type in combofix /u
click ok or enter
Note: there is a space after the x and before the /

Always check Malwarebytes for updates before a scan.

As a last step you can make a new restore point. The how and the why:

One of the features of Windows ME, XP and Vista is the System Restore option; however, if malware infects a computer it is possible that the malware could be backed up in the System Restore archive. Therefore, clearing the restore points is a good idea after malware is removed and your computer appears to be functioning OK.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore. (deletes old, possibly infected restore points)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore. (creates a new restore point on a clean system)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK, then reboot.

If all is good, some tips for you:

10 Tips for Reducing/Preventing Your Risk To Malware:


1) It is essential to keep your OS (Windows), browser (IE, Firefox) and other software up to date to "patch" vulnerabilities that could be exploited. Visit Windows Update frequently or use the auto-update feature. Staying updated is also necessary for web based applications like Java, Adobe Flash/Reader, QuickTime etc. Check their version status here.

2) Know what you are installing to your computer. A lot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. Do not install any files from ads, popups or random links. Do not fall for fake warnings about viruses and trojans being found on your computer where you're then prompted to install software to remedy this. See also the signs that you may have malware on your computer.

3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. Scanning frequency is a function of your computer habits. If you frequently have malware then you should review your computer habits.

4) Refrain from clicking on links or attachments you receive via E-Mail, IM, IRC, Chat Rooms or Social Networking Sites, no matter how tempting or legitimate the message may seem.

5) Don't click on ads/pop-ups or offers from websites telling you that you need to install software, media players or codecs to your computer--for any reason.

6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website?

7) Set up and use limited (non-privileged) accounts for everyday use, rather than administrator accounts. Limited accounts can help prevent *malware from installing.*

8) Install and understand the limitations of a software firewall.

9) Consider using an alternate browser and E-mail client. Internet Explorer and Outlook Express are popular targets for malicious code because they are widely used. All browsers can have vulnerabilities but statistically it is the most commonly used browser that will tend to be targeted the most. See also: Hardening or Securing Internet Explorer.

10) Warez, cracks etc are very popular for carrying malware payloads. Avoid. If you install files via p2p networks then you are much more likely to encounter malicious code. Do you trust the source of the file? Do you really need another potential malware source?

A longer version is in the link below.

Happy Safe Surfing.

How Can I Reduce My Risk to Malware?
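The three System Restore steps above are the GUI route. As an added example, not from the original post, here is the same reset scripted against the SystemRestore WMI class that Windows XP ships in the root\default namespace. It assumes PowerShell 2.0 is installed on the XP machine, that Windows is on C:, and that it runs from an account with full administrator rights; the restore-point description string is this example's own choice.

```powershell
# Added example, not from the original post: the System Restore reset
# scripted against the SystemRestore WMI class in root\default, which
# Windows XP ships with. Assumptions: PowerShell 2.0 is installed, Windows is
# on C:, and the script runs from a full administrator account.

$drive = 'C:\'

# Static methods (Enable, Disable, CreateRestorePoint) hang off the class;
# instances of the same class are the individual restore points.
$sr = [wmiclass]'\\.\root\default:SystemRestore'

function Show-RestorePoints([string]$Title) {
    $Title
    Get-WmiObject -Namespace root\default -Class SystemRestore |
        Sort-Object SequenceNumber |
        ForEach-Object {
            "  {0,4}  {1}  {2}" -f $_.SequenceNumber, $_.ConvertToDateTime($_.CreationTime), $_.Description
        }
}

Show-RestorePoints 'Restore points before reset:'

# Step 1: turn System Restore off. On XP this throws away every existing
# point, exactly as ticking "Turn off System Restore" in the GUI does.
# ReturnValue 0 means success.
$rc = $sr.Disable($drive).ReturnValue
if ($rc -ne 0) { throw "SystemRestore.Disable failed, code $rc" }

# Step 2 in the post is a reboot. The WMI call does not need one, but if you
# want to mirror the post exactly, uncomment the next line and run the rest
# of the script after logging back in:
# Restart-Computer -Force

# Step 3: turn it back on ($true = wait until the service reports ready) and
# lay down a fresh baseline. 0 = APPLICATION_INSTALL, 100 = BEGIN_SYSTEM_CHANGE.
$rc = $sr.Enable($drive, $true).ReturnValue
if ($rc -ne 0) { throw "SystemRestore.Enable failed, code $rc" }
$rc = $sr.CreateRestorePoint('Clean baseline after malware removal', 0, 100).ReturnValue
if ($rc -ne 0) { throw "SystemRestore.CreateRestorePoint failed, code $rc" }

Show-RestorePoints 'Restore points after reset (should be just the new one):'
```

The second listing is the check that matters: if anything other than the new baseline point is still present, System Restore was not actually turned off on the system drive (typically because the account lacks administrator rights, the same symptom as the missing System Restore tab mentioned above).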


#11 pseudonym

pseudonym
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:08:16 AM

Posted 31 August 2009 - 08:53 AM

Uninstalled ComboFix, deleted the old restore points and created a new one. Thank you very much for your help. I really appreciate it!



