
Malware Infection


14 replies to this topic

#1 consigliere

  • Members
  • 32 posts

Posted 03 September 2009 - 08:31 PM

I am new to bleepingcomputer.com forums and appreciate any feedback. I own a Vaio PCV-RZ50CG that uses Windows XP. I've had it for 5 years. Rarely do I have a problem but I've had this problem before and can't remember how I resolved it. Last week I was doing some googling and noticed that when I selected a google result, instead of taking me to the results website address it redirected to ads (*.info, etc.) I also noticed my system performance had degraded and the task manager always showed the CPU at over 50% usage. Normal CPU usage would average 5% when using day-to-day applications. I also noticed a considerable increase in Memory usage for processes in Task Manager. What I have tried so far is to format the drive and start clean but I get an error msg ("Vaio cannot find the recovery partition. Please restart your computer") after repeatedly rebooting with no improvement.

Something else I have noticed is that a new local disk has emerged which I have never seen before. Seems to be related to the Vaio System Recovery Wizard. It has many .exe files and a folder labeled "Createcd". To add insult to injury, my dvd burner has stopped working. It attempts to read a disc but ejects immediately whether a disk is present or not. As a matter of fact, the dvd burner tray remains permanently open--cannot be closed. The drive attempts to read a disc but rejects and prompts to insert a disc when a disc is already inserted.

I have run Malwarebytes Anti-malware. It initially found 105 infected files which it cleaned. Subsequent scans have resulted in no infected files. I also ran CCleaner and fixed whatever it suggested be fixed in the registry editor.

The computer also crashes and reboots abruptly when I run McAfee virusscan or when I attempt to transfer my data to a USB drive. In other words, the computer is not letting me transfer my personal data to an external drive because it keeps crashing with unexpected abrupt restarts. When Windows restarts, a windows msg states the "system has recovered from a serious error" and gives the option to send data to Microsoft.

In MSconfig, I am now running only essential services but the crashes persist when I attempt to recoup my personal data to an external drive.

I am following the Spyware removal preparation guide but as soon as I download DDS.scr, it only opens as a txt file and the default file type for DDS.scr is shown as Adobe Autocad. Usually I would be able to right-click and choose "open with..." but this option is not available on the right-click menu. How can I run DDS.scr successfully?

I renamed DDS.scr to DDS.exe and it did work. The DDS.txt log follows as well as attach.zip attachment...

DDS (Ver_09-07-30.01) - NTFSx86
Run by Juan E de la Fuente at 19:43:19.18 on Thu 09/03/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.632 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Documents and Settings\Juan E de la Fuente\Desktop\dds.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.sony.com/vaiopeople
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mWinlogon: Shell=Explorer.exe
BHO: {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - No File
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: AIM Search: {40d41a8b-d79b-43d7-99a7-9ee0f344c385} - c:\program files\aim toolbar\AIMBar.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
IE: &AIM Search - c:\program files\aim toolbar\AIMBar.dll/aimsearch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: ameritrade.com
Trusted Zone: tdameritrade.com
DPF: Microsoft WFC for Developers - file://c:\progra~1\miaf9d~1\vj98\wfcdev.cab
DPF: Microsoft WFC Forms Designer - file://c:\progra~1\miaf9d~1\vj98\wfcforms.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {2042B57E-6336-459E-B7CE-2A0F6C9E6AF8} - file://e:\win\setup\iaieplay.dll
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8B67B37E-1AE2-4B99-B8CF-55AF4D58DF0D} - file://e:\win\setup\iamce.dll
DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - hxxp://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
DPF: {CAFEEFAC-0014-0002-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\juaned~1\applic~1\mozilla\firefox\profiles\caumpui0.default\
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true

============= SERVICES / DRIVERS ===============

R0 SonyLSM;LED State Service;c:\windows\system32\drivers\SonyLSM.sys [2004-9-13 4736]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2006-10-23 214024]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2006-10-23 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2006-10-23 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2006-10-23 40552]
S0 sqidc69;sqidc69;\SystemRoot\\SystemRoot\System32\drivers\sqidc69.sys --> \SystemRoot\\SystemRoot\System32\drivers\sqidc69.sys [?]
S1 741450c1.sys;741450c1.sys;\??\c:\windows\system32\drivers\741450c1.sys --> c:\windows\system32\drivers\741450c1.sys [?]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2005-8-25 466880]
S3 dalwdmservice;dal service;c:\windows\system32\drivers\dalwdm.sys --> c:\windows\system32\drivers\dalwdm.sys [?]
S3 KS-959;Kingsun KS-959 USB Infrared Adapter;c:\windows\system32\drivers\KS-959.sys [2007-11-18 19034]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2006-10-23 34248]
S3 PIXMCV;JVC Communication PIX-MCV Driver;c:\windows\system32\drivers\pixmcvc.sys [2004-12-21 32000]
S3 PIXMCVA;JVC PIX-MCV Audio Capture;c:\windows\system32\drivers\pixmcva.sys [2004-12-21 28057]
S3 PIXMCVV;JVC PIX-MCV Video Capture;c:\windows\system32\drivers\pixmcvv.sys [2004-12-21 21081]
S3 USB22LDR;M-Audio USB MidiSport 2x2 Loader;c:\windows\system32\drivers\usb22ldr.sys --> c:\windows\system32\drivers\usb22ldr.sys [?]
S3 USR;U.S. Robotics Wireless Access 802.11b Driver;c:\windows\system32\drivers\USRNDS.sys [2002-4-25 51712]

=============== Created Last 30 ================

2009-09-01 21:12 1,322 ac------ C:\cc_20090901_211244.reg
2009-09-01 21:09 19,594 ac------ C:\cc_20090901_210909.reg
2009-09-01 15:47 <DIR> --d----- c:\program files\Western Digital
2009-08-30 11:50 <DIR> -cd----- C:\Inetpub
2009-08-29 17:29 <DIR> --d----- c:\program files\2BrightSparks
2009-08-29 16:25 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-29 16:14 <DIR> --d----- c:\program files\Trend Micro
2009-08-29 12:08 <DIR> --d----- c:\docume~1\juaned~1\applic~1\Malwarebytes
2009-08-29 12:08 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-29 12:08 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-29 12:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-29 12:08 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-29 03:38 <DIR> --d----- c:\program files\AVG
2009-08-29 03:38 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-08-29 03:23 957,676 ac------ C:\cc_20090829_032322.reg
2009-08-29 03:17 <DIR> --d----- c:\program files\CCleaner
2009-08-27 22:45 283,648 -c------ c:\windows\system32\dllcache\pdh.dll
2009-08-27 22:45 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-08-27 22:45 60,416 -c------ c:\windows\system32\dllcache\colbact.dll
2009-08-26 18:25 45,344 a------- c:\windows\system32\drivers\sqidc69.sys

==================== Find3M ====================

2009-08-27 22:33 8,416 ac------ c:\windows\system32\drivers\61883.sys
2009-08-05 05:11 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-29 00:53 119,808 a------- c:\windows\system32\t2embed.dll
2009-07-29 00:53 82,432 a------- c:\windows\system32\fontsub.dll
2009-07-17 14:55 58,880 a------- c:\windows\system32\atl.dll
2009-07-16 12:32 120,136 a------- c:\windows\system32\drivers\Mpfp.sys
2009-07-13 02:18 233,472 a------- c:\windows\system32\wmpdxm.dll
2009-07-08 13:44 214,024 a------- c:\windows\system32\drivers\mfehidk.sys
2009-07-08 13:44 79,816 a------- c:\windows\system32\drivers\mfeavfk.sys
2009-07-08 13:44 40,552 a------- c:\windows\system32\drivers\mfesmfk.sys
2009-07-08 13:44 35,272 a------- c:\windows\system32\drivers\mfebopk.sys
2009-07-08 13:43 34,248 a------- c:\windows\system32\drivers\mferkdk.sys
2009-07-05 10:47 410,984 a------- c:\windows\system32\deploytk.dll
2009-06-29 12:12 827,392 a------- c:\windows\system32\wininet.dll
2009-06-29 12:12 78,336 a------- c:\windows\system32\ieencode.dll
2009-06-29 12:12 17,408 a------- c:\windows\system32\corpol.dll
2009-06-25 14:36 661,504 a------- c:\windows\system32\mqqm.dll
2009-06-25 14:36 517,120 a------- c:\windows\system32\mqsnap.dll
2009-06-25 14:36 471,552 a------- c:\windows\system32\mqutil.dll
2009-06-25 14:36 225,280 a------- c:\windows\system32\mqoa.dll
2009-06-25 14:36 186,880 a------- c:\windows\system32\mqtrig.dll
2009-06-25 14:36 177,152 a------- c:\windows\system32\mqrt.dll
2009-06-25 14:36 138,240 a------- c:\windows\system32\mqad.dll
2009-06-25 14:36 123,392 a------- c:\windows\system32\mqrtdep.dll
2009-06-25 14:36 95,744 a------- c:\windows\system32\mqsec.dll
2009-06-25 14:36 48,640 a------- c:\windows\system32\mqupgrd.dll
2009-06-25 14:36 47,104 a------- c:\windows\system32\mqdscli.dll
2009-06-25 14:36 16,896 a------- c:\windows\system32\mqise.dll
2009-06-22 07:49 117,248 a------- c:\windows\system32\mqtgsvc.exe
2009-06-22 07:49 19,968 a------- c:\windows\system32\mqbkup.exe
2009-06-22 07:49 4,608 a------- c:\windows\system32\mqsvc.exe
2009-06-12 07:50 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 07:50 76,288 a------- c:\windows\system32\telnet.exe
2009-06-10 10:21 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 02:32 132,096 a------- c:\windows\system32\wkssvc.dll
2008-12-14 19:39 83,872 ac------ c:\docume~1\juaned~1\applic~1\GDIPFONTCACHEV1.DAT
2006-09-19 21:00 532 ac--h--- c:\documents and settings\juan e de la fuente\hpothb07.dat
2005-05-08 02:52 56 -c-shr-- c:\windows\system32\A84B1FD262.sys
2008-07-07 13:36 10,856 ac-sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 19:45:53.59 ===============


#2 thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male

Posted 20 September 2009 - 09:02 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
Proud member - Unified Network of Instructors and Trained Eliminators

#3 consigliere

  • Topic Starter
  • Members
  • 32 posts

Posted 23 September 2009 - 12:48 PM

I seem to be infected with Windows Police Pro and kbiwkm rootkit. Since my last post, my computer has been behaving erratically by crashing or locking up. My symptoms were similar to the user in topic http://www.bleepingcomputer.com/forums/t/252033/likely-rootkit-infection-kbiwkmtmp-and-apqtmp-files-cant-load-windows-correctly/ so I downloaded Sophos and GMER but didn't know what else to do so I left it at that and nothing further has been done since.

At some point, however, I did run Rootrepeal as per the Preparation Guide and will post the log to that as well. The DDS log follows and thank you for your assistance.


DDS (Ver_09-07-30.01) - NTFSx86
Run by Juan E de la Fuente at 13:35:04.22 on Wed 09/23/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.536 [GMT -4:00]

AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtblfs.exe
C:\Documents and Settings\Juan E de la Fuente\Desktop\dds.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.sony.com/vaiopeople
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mWinlogon: Shell=Explorer.exe
BHO: {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\ievkbd.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - No File
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: AIM Search: {40d41a8b-d79b-43d7-99a7-9ee0f344c385} - c:\program files\aim toolbar\AIMBar.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2010\avp.exe"
IE: &AIM Search - c:\program files\aim toolbar\AIMBar.dll/aimsearch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
Trusted Zone: ameritrade.com
Trusted Zone: tdameritrade.com
DPF: Microsoft WFC for Developers - file://c:\progra~1\miaf9d~1\vj98\wfcdev.cab
DPF: Microsoft WFC Forms Designer - file://c:\progra~1\miaf9d~1\vj98\wfcforms.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {2042B57E-6336-459E-B7CE-2A0F6C9E6AF8} - file://e:\win\setup\iaieplay.dll
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8B67B37E-1AE2-4B99-B8CF-55AF4D58DF0D} - file://e:\win\setup\iamce.dll
DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - hxxp://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
DPF: {CAFEEFAC-0014-0002-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\juaned~1\applic~1\mozilla\firefox\profiles\caumpui0.default\
FF - component: c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true

============= SERVICES / DRIVERS ===============

R0 SonyLSM;LED State Service;c:\windows\system32\drivers\SonyLSM.sys [2004-9-13 4736]
R2 avp;avp;c:\program files\kaspersky lab\kaspersky anti-virus 2010\avp.exe [2009-7-3 303376]
S0 sqidc69;sqidc69;\SystemRoot\\SystemRoot\System32\drivers\sqidc69.sys --> \SystemRoot\\SystemRoot\System32\drivers\sqidc69.sys [?]
S1 741450c1.sys;741450c1.sys;\??\c:\windows\system32\drivers\741450c1.sys --> c:\windows\system32\drivers\741450c1.sys [?]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2005-8-25 466880]
S3 dalwdmservice;dal service;c:\windows\system32\drivers\dalwdm.sys --> c:\windows\system32\drivers\dalwdm.sys [?]
S3 KS-959;Kingsun KS-959 USB Infrared Adapter;c:\windows\system32\drivers\KS-959.sys [2007-11-18 19034]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\18.tmp --> c:\windows\system32\18.tmp [?]
S3 PIXMCV;JVC Communication PIX-MCV Driver;c:\windows\system32\drivers\pixmcvc.sys [2004-12-21 32000]
S3 PIXMCVA;JVC PIX-MCV Audio Capture;c:\windows\system32\drivers\pixmcva.sys [2004-12-21 28057]
S3 PIXMCVV;JVC PIX-MCV Video Capture;c:\windows\system32\drivers\pixmcvv.sys [2004-12-21 21081]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]
S3 USB22LDR;M-Audio USB MidiSport 2x2 Loader;c:\windows\system32\drivers\usb22ldr.sys --> c:\windows\system32\drivers\usb22ldr.sys [?]
S3 USR;U.S. Robotics Wireless Access 802.11b Driver;c:\windows\system32\drivers\USRNDS.sys [2002-4-25 51712]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-10 24652]

=============== Created Last 30 ================

2009-09-18 23:24 --d----- c:\program files\Sophos
2009-09-17 17:53 19,472 a------- c:\windows\system32\drivers\klmouflt.sys
2009-09-17 17:53 33,808 a------- c:\windows\system32\drivers\klbg.sys
2009-09-17 16:33 107,547 a------- c:\windows\system32\drivers\klin.dat
2009-09-17 16:33 95,259 a------- c:\windows\system32\drivers\klick.dat
2009-09-17 16:32 --d----- c:\program files\Kaspersky Lab
2009-09-17 16:32 --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2009-09-17 16:26 --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2009-09-08 19:38 163,840 a------- c:\windows\svchasts.exe
2009-09-08 19:37 --d----- c:\program files\Windows Police Pro
2009-09-01 21:12 1,322 ac------ C:\cc_20090901_211244.reg
2009-09-01 21:09 19,594 ac------ C:\cc_20090901_210909.reg
2009-09-01 15:47 --d----- c:\program files\Western Digital
2009-08-30 11:50 -cd----- C:\Inetpub
2009-08-29 17:29 --d----- c:\program files\2BrightSparks
2009-08-29 16:25 -cd-h--- c:\docume~1\alluse~1\applic~1\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-29 16:14 --d----- c:\program files\Trend Micro
2009-08-29 12:08 --d----- c:\docume~1\juaned~1\applic~1\Malwarebytes
2009-08-29 12:08 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-29 12:08 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-29 12:08 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-29 12:08 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-29 03:38 --d----- c:\program files\AVG
2009-08-29 03:38 --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-08-29 03:23 957,676 ac------ C:\cc_20090829_032322.reg
2009-08-29 03:17 --d----- c:\program files\CCleaner
2009-08-27 22:45 283,648 -c------ c:\windows\system32\dllcache\pdh.dll
2009-08-27 22:45 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-08-27 22:45 60,416 -c------ c:\windows\system32\dllcache\colbact.dll
2009-08-26 18:25 45,344 a------- c:\windows\system32\drivers\sqidc69.sys

==================== Find3M ====================

2009-09-07 14:52 78,960 ac------ c:\docume~1\juaned~1\applic~1\GDIPFONTCACHEV1.DAT
2009-08-05 05:11 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-29 00:53 119,808 a------- c:\windows\system32\t2embed.dll
2009-07-29 00:53 82,432 a------- c:\windows\system32\fontsub.dll
2009-07-17 14:55 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 02:18 233,472 a------- c:\windows\system32\wmpdxm.dll
2009-07-05 10:47 410,984 a------- c:\windows\system32\deploytk.dll
2009-07-03 15:48 219,664 a------- c:\windows\system32\klogon.dll
2009-06-29 12:12 827,392 a------- c:\windows\system32\wininet.dll
2009-06-29 12:12 78,336 a------- c:\windows\system32\ieencode.dll
2009-06-29 12:12 17,408 a------- c:\windows\system32\corpol.dll
2009-06-25 14:36 661,504 a------- c:\windows\system32\mqqm.dll
2009-06-25 14:36 517,120 a------- c:\windows\system32\mqsnap.dll
2009-06-25 14:36 471,552 a------- c:\windows\system32\mqutil.dll
2009-06-25 14:36 225,280 a------- c:\windows\system32\mqoa.dll
2009-06-25 14:36 186,880 a------- c:\windows\system32\mqtrig.dll
2009-06-25 14:36 177,152 a------- c:\windows\system32\mqrt.dll
2009-06-25 14:36 138,240 a------- c:\windows\system32\mqad.dll
2009-06-25 14:36 123,392 a------- c:\windows\system32\mqrtdep.dll
2009-06-25 14:36 95,744 a------- c:\windows\system32\mqsec.dll
2009-06-25 14:36 48,640 a------- c:\windows\system32\mqupgrd.dll
2009-06-25 14:36 47,104 a------- c:\windows\system32\mqdscli.dll
2009-06-25 14:36 16,896 a------- c:\windows\system32\mqise.dll
2006-09-19 21:00 532 ac--h--- c:\documents and settings\juan e de la fuente\hpothb07.dat
2005-05-08 02:52 56 -c-shr-- c:\windows\system32\A84B1FD262.sys
2008-07-07 13:36 10,856 ac-sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 13:36:30.53 ===============


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/23 14:16
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB10B3000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7D8B000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB0C12000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\kbiwkmblmsftjh.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\kbiwkmjrwakypr.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\kbiwkmlog.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\kbiwkmmnkjkymb.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\kbiwkmpyllrmmv.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\kbiwkmxmvbqqpc.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\kbiwkmxvalklld.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\kbiwkmgowpcwkidx.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\kbiwkmrxevadhhca.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\kbiwkmpyrowkop.sys
Status: Invisible to the Windows API!

Path: c:\documents and settings\all users\application data\kaspersky lab\avp9\bases\cache\kdb$kavbase$124cf9d4$41333346.dat
Status: Allocation size mismatch (API: 3014656, Raw: 0)

Path: c:\documents and settings\all users\application data\kaspersky lab\avp9\bases\cache\kdb$kavbase$124cf9d4$41335446.dat
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\all users\application data\kaspersky lab\avp9\bases\cache\kdb$kavbase$124cf9d4$4f63524149333836.dat
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\all users\application data\kaspersky lab\avp9\bases\cache\kdb$kavbase$124cf9d4$4f63524f49333836.dat
Status: Allocation size mismatch (API: 196608, Raw: 0)

Path: c:\documents and settings\all users\application data\kaspersky lab\avp9\bases\cache\kdb$kavbase$124cf9d4$4f63525449333836.dat
Status: Allocation size mismatch (API: 65536, Raw: 0)

Path: c:\documents and settings\all users\application data\kaspersky lab\avp9\bases\cache\av1e.tmp
Status: Allocation size mismatch (API: 16236544, Raw: 0)

Path: c:\documents and settings\all users\application data\kaspersky lab\avp9\bases\cache\kdb$kavbase$124cf9d4$41333146.dat
Status: Allocation size mismatch (API: 1048576, Raw: 0)

Path: c:\documents and settings\all users\application data\kaspersky lab\avp9\bases\cache\kdb$kavbase$124cf9d4$41333246.dat
Status: Allocation size mismatch (API: 2031616, Raw: 0)

Path: C:\Documents and Settings\Juan E de la Fuente\Local Settings\Apps\2.0\GTBT7MWP.17W\B14JJR2Z.1W8\manifests\DotNetMagic2005.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Juan E de la Fuente\Local Settings\Apps\2.0\GTBT7MWP.17W\B14JJR2Z.1W8\manifests\DotNetMagic2005.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Juan E de la Fuente\Local Settings\Apps\2.0\GTBT7MWP.17W\B14JJR2Z.1W8\manifests\ForexTrader.exe.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Juan E de la Fuente\Local Settings\Apps\2.0\GTBT7MWP.17W\B14JJR2Z.1W8\manifests\ForexTrader.exe.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Juan E de la Fuente\Local Settings\Apps\2.0\GTBT7MWP.17W\B14JJR2Z.1W8\manifests\nsoftware.IPWorks.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Juan E de la Fuente\Local Settings\Apps\2.0\GTBT7MWP.17W\B14JJR2Z.1W8\manifests\nsoftware.IPWorks.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Juan E de la Fuente\Local Settings\Application Data\Microsoft\Messenger\castillomili@hotmail.com\SharingMetadata\id92@hotmail.com\DFSR\Staging\CS{CDFB17F9-39FD-970D-5D6B-C158C51164FC}\45\45-{4C~2.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Juan E de la Fuente\Local Settings\Application Data\Microsoft\Messenger\consigliere1975@hotmail.com\SharingMetadata\id92@hotmail.com\DFSR\Staging\CS{187B922B-A4C9-B37E-38DB-4F764A3DC6A0}\67\67-{4C~2.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Stealth Objects
-------------------
Object: Hidden Module [Name: kbiwkmxmvbqqpc.dll]
Process: svchost.exe (PID: 1012) Address: 0x10000000 Size: 53248

Hidden Services
-------------------
Service Name: kbiwkmtalqbuwc
Image Path: C:\WINDOWS\system32\drivers\kbiwkmpyrowkop.sys

==EOF==

Edited by consigliere, 23 September 2009 - 01:28 PM.


#4 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:04:18 AM

Posted 26 September 2009 - 12:46 PM

Hi consigliere,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

This is indeed the rootkit that you mentioned. There may be more malware that hasn't been found yet.

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

If this doesn't run then let me know what happens. Thanks :(
m0le is a proud member of UNITE

#5 consigliere

  • Topic Starter
  • Members
  • 32 posts
  • Local time:12:18 AM

Posted 26 September 2009 - 05:25 PM

Combolog.txt follows. Thanks for your assistance.

ComboFix 09-09-25.01 - Juan E de la Fuente 09/26/2009 17:47.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.638 [GMT -4:00]
Running from: c:\documents and settings\Juan E de la Fuente\Desktop\ComboFix.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Windows Police Pro
c:\program files\Windows Police Pro\msvcm80.dll
c:\program files\Windows Police Pro\msvcp80.dll
c:\program files\Windows Police Pro\msvcr80.dll
c:\program files\Windows Police Pro\windows Police Pro.exe
c:\windows\Installer\189484.msi
c:\windows\system32\Data
c:\windows\system32\drivers\kbiwkmpyrowkop.sys
c:\windows\system32\kbiwkmblmsftjh.dat
c:\windows\system32\kbiwkmjrwakypr.dat
c:\windows\system32\kbiwkmlog.dat
c:\windows\system32\kbiwkmmnkjkymb.dll
c:\windows\system32\kbiwkmpyllrmmv.dll
c:\windows\system32\kbiwkmxmvbqqpc.dll
c:\windows\system32\kbiwkmxvalklld.dll
E:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_kbiwkmtalqbuwc
-------\Legacy_kbiwkmtalqbuwc


((((((((((((((((((((((((( Files Created from 2009-08-26 to 2009-09-26 )))))))))))))))))))))))))))))))
.

2009-09-19 03:24 . 2009-09-19 03:24 -------- d-----w- c:\program files\Sophos
2009-09-17 21:53 . 2009-05-17 00:59 19472 ----a-w- c:\windows\system32\drivers\klmouflt.sys
2009-09-17 21:53 . 2008-12-16 00:41 33808 ----a-w- c:\windows\system32\drivers\klbg.sys
2009-09-17 20:33 . 2009-09-23 17:33 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2009-09-17 20:33 . 2009-09-23 17:33 107547 ----a-w- c:\windows\system32\drivers\klin.dat
2009-09-17 20:32 . 2009-09-26 20:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-09-17 20:32 . 2009-09-17 20:32 -------- d-----w- c:\program files\Kaspersky Lab
2009-09-17 20:26 . 2009-09-17 20:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-09-08 23:38 . 2009-09-08 23:38 440320 ----a-w- c:\windows\system32\desote.exe
2009-09-08 23:38 . 2009-09-08 23:38 58 ----a-w- c:\windows\ppp4.dat
2009-09-08 23:38 . 2009-09-08 23:38 2 ----a-w- c:\windows\ppp3.dat
2009-09-08 23:38 . 2009-09-08 23:38 487936 ----a-w- c:\windows\system32\dddesot.dll
2009-09-08 23:38 . 2009-09-08 23:38 163840 ----a-w- c:\windows\svchasts.exe
2009-09-02 01:12 . 2009-09-02 01:12 1322 -c--a-w- C:\cc_20090901_211244.reg
2009-09-02 01:09 . 2009-09-02 01:09 19594 -c--a-w- C:\cc_20090901_210909.reg
2009-09-01 19:47 . 2009-09-01 19:47 -------- d-----w- c:\program files\Western Digital
2009-08-30 15:50 . 2009-08-30 15:50 -------- dc----w- C:\Inetpub
2009-08-29 21:29 . 2009-08-29 21:29 -------- d-----w- c:\program files\2BrightSparks
2009-08-29 20:25 . 2009-08-29 20:25 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-29 20:14 . 2009-08-29 20:14 -------- d-----w- c:\program files\Trend Micro
2009-08-29 16:08 . 2009-08-29 16:08 -------- d-----w- c:\documents and settings\Juan E de la Fuente\Application Data\Malwarebytes
2009-08-29 16:08 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-29 16:08 . 2009-08-29 16:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-29 16:08 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-29 16:08 . 2009-08-29 16:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-29 07:38 . 2009-08-30 15:57 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-29 07:38 . 2009-08-29 07:38 -------- d-----w- c:\program files\AVG
2009-08-29 07:23 . 2009-08-29 07:23 957676 -c--a-w- C:\cc_20090829_032322.reg
2009-08-29 07:17 . 2009-08-29 07:17 -------- d-----w- c:\program files\CCleaner
2009-08-28 02:45 . 2009-03-06 14:44 283648 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-08-28 02:45 . 2009-02-06 17:14 110592 -c----w- c:\windows\system32\dllcache\services.exe
2009-08-28 02:45 . 2005-07-26 04:39 60416 -c----w- c:\windows\system32\dllcache\colbact.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-23 22:58 . 2004-09-14 01:53 -------- d-----w- c:\program files\Plaxo
2009-09-19 04:45 . 2009-08-26 22:25 45344 ----a-w- c:\windows\system32\drivers\sqidc69.sys
2009-09-17 20:31 . 2006-10-22 15:41 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-09-03 22:47 . 2004-09-20 07:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-09-03 22:47 . 2003-12-04 19:01 -------- d-----w- c:\program files\Viewpoint
2009-08-31 05:11 . 2003-12-03 18:37 78960 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-31 03:55 . 2005-01-20 07:16 -------- d-----w- c:\program files\stt3
2009-08-31 03:54 . 2005-01-20 07:16 108 -c--a-w- c:\windows\st32sys.sys
2009-08-30 21:42 . 2008-08-10 18:03 -------- d-----w- c:\documents and settings\Juan E de la Fuente\Application Data\ChessBase
2009-08-30 15:52 . 2005-01-20 07:23 -------- d-----w- c:\program files\LimeWire
2009-08-15 04:53 . 2009-02-13 04:20 -------- d-----w- c:\documents and settings\Juan E de la Fuente\Application Data\Skype
2009-08-15 03:37 . 2009-02-13 04:22 -------- d-----w- c:\documents and settings\Juan E de la Fuente\Application Data\skypePM
2009-08-05 09:11 . 2003-12-03 18:37 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-29 04:53 . 2003-12-03 17:23 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-29 04:53 . 2003-12-03 17:23 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-07-17 18:55 . 2003-12-03 17:23 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 06:18 . 2003-12-03 18:38 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-05 14:47 . 2009-07-05 14:47 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-03 19:48 . 2009-07-03 19:48 219664 ----a-w- c:\windows\system32\klogon.dll
2009-07-03 19:45 . 2009-07-03 19:45 27507 ----a-w- c:\windows\system32\drivers\klopp.dat
2009-06-29 16:12 . 2003-12-03 17:23 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2003-12-03 17:23 17408 ----a-w- c:\windows\system32\corpol.dll
2005-05-08 06:52 . 2004-11-10 18:32 56 -csh--r- c:\windows\system32\A84B1FD262.sys
2008-07-07 17:36 . 2004-11-10 18:32 10856 -csha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-02 39408]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 158208]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi1"=usbmn1x1.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk
backup=c:\windows\pss\Bluetooth Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Juan E de la Fuente^Start Menu^Programs^Startup^Logitech . Product Registration.lnk]
path=c:\documents and settings\Juan E de la Fuente\Start Menu\Programs\Startup\Logitech . Product Registration.lnk
backup=c:\windows\pss\Logitech . Product Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"0298781221261082mcinstcleanup"=2 (0x2)
"avg8wd"=2 (0x2)
"Viewpoint Manager Service"=2 (0x2)
"VAIOMediaPlatform-VideoServer-UPnP"=2 (0x2)
"VAIOMediaPlatform-VideoServer-HTTP"=2 (0x2)
"VAIOMediaPlatform-VideoServer-AppServer"=2 (0x2)
"VAIOMediaPlatform-PhotoServer-UPnP"=3 (0x3)
"VAIOMediaPlatform-PhotoServer-HTTP"=3 (0x3)
"VAIOMediaPlatform-PhotoServer-AppServer"=3 (0x3)
"VAIOMediaPlatform-MusicServer-UPnP"=3 (0x3)
"VAIOMediaPlatform-MusicServer-HTTP"=3 (0x3)
"VAIOMediaPlatform-MusicServer-AppServer"=3 (0x3)
"usnjsvc"=3 (0x3)
"TOSHIBA Bluetooth Service"=2 (0x2)
"Sony TVTA Manager"=2 (0x2)
"Sony TV Tuner Manager"=3 (0x3)
"Sony TV Tuner Controller"=3 (0x3)
"SonicStageMonitoring"=2 (0x2)
"Pml Driver HPZ12"=3 (0x3)
"NVSvc"=2 (0x2)
"McSysmon"=3 (0x3)
"McShield"=2 (0x2)
"McProxy"=2 (0x2)
"McODS"=3 (0x3)
"McNASvc"=2 (0x2)
"mcmscsvc"=2 (0x2)
"LVPrcSrv"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"IDriverT"=3 (0x3)
"gusvc"=3 (0x3)
"DigiRefresh"=2 (0x2)
"aspnet_state"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Sony\\VAIO Media 2.6\\Vc.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Sony\\VAIO Media 2.6\\VmpClient.exe"=
"c:\\Program Files\\Sony\\VAIO Media Integrated Server\\Platform\\VMConsole.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\Binaries\\helpctr.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\SopCast\\sopvod.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R0 SonyLSM;LED State Service;c:\windows\system32\drivers\SonyLSM.sys [9/13/2004 4:40 AM 4736]
S0 sqidc69;sqidc69;\SystemRoot\\SystemRoot\System32\drivers\sqidc69.sys --> \SystemRoot\\SystemRoot\System32\drivers\sqidc69.sys [?]
S1 741450c1.sys;741450c1.sys;\??\c:\windows\System32\drivers\741450c1.sys --> c:\windows\System32\drivers\741450c1.sys [?]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [8/25/2005 3:00 PM 466880]
S3 dalwdmservice;dal service;c:\windows\system32\drivers\dalwdm.sys --> c:\windows\system32\drivers\dalwdm.sys [?]
S3 KS-959;Kingsun KS-959 USB Infrared Adapter;c:\windows\system32\drivers\KS-959.sys [11/18/2007 11:47 PM 19034]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\18.tmp --> c:\windows\system32\18.tmp [?]
S3 PIXMCV;JVC Communication PIX-MCV Driver;c:\windows\system32\drivers\pixmcvc.sys [12/21/2004 10:47 PM 32000]
S3 PIXMCVA;JVC PIX-MCV Audio Capture;c:\windows\system32\drivers\pixmcva.sys [12/21/2004 10:48 PM 28057]
S3 PIXMCVV;JVC PIX-MCV Video Capture;c:\windows\system32\drivers\pixmcvv.sys [12/21/2004 10:47 PM 21081]
S3 USB22LDR;M-Audio USB MidiSport 2x2 Loader;c:\windows\system32\drivers\usb22ldr.sys --> c:\windows\system32\drivers\usb22ldr.sys [?]
S3 USR;U.S. Robotics Wireless Access 802.11b Driver;c:\windows\system32\drivers\USRNDS.sys [4/25/2002 10:43 PM 51712]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/10/2007 8:00 PM 24652]
.
Contents of the 'Scheduled Tasks' folder

2009-09-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 18:57]

2004-09-19 c:\windows\Tasks\Registration reminder 1.job
- c:\windows\System32\OOBE\oobebaln.exe [2003-12-03 07:56]

2004-09-24 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\System32\OOBE\oobebaln.exe [2003-12-03 07:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.sony.com/vaiopeople
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: ameritrade.com
Trusted Zone: tdameritrade.com
DPF: Microsoft WFC for Developers - file://c:\progra~1\MIAF9D~1\VJ98\wfcdev.cab
DPF: Microsoft WFC Forms Designer - file://c:\progra~1\MIAF9D~1\VJ98\wfcforms.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {8B67B37E-1AE2-4B99-B8CF-55AF4D58DF0D} - file://e:\win\setup\iamce.dll
FF - ProfilePath - c:\documents and settings\Juan E de la Fuente\Application Data\Mozilla\Firefox\Profiles\caumpui0.default\
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
SafeBoot-mcmscsvc
SafeBoot-MCODS
AddRemove-com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1 - c:\program files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe
AddRemove-Win Police Pro - c:\program files\Windows Police Pro\AntiSpyware_Uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-26 18:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\18.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2794602960-3981694414-2288104126-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3908)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
c:\windows\eHome\ehsched.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-09-26 18:11 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-26 22:11

Pre-Run: 569,704,448 bytes free
Post-Run: 705,941,504 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /fastdetect /NoExecute=OptIn

Current=1 Default=1 Failed=4 LastKnownGood=5 Sets=1,2,3,4,5
280 --- E O F --- 2009-09-26 20:43

#6 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:04:18 AM

Posted 26 September 2009 - 07:16 PM

Now we run Combofix again.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\desote.exe
c:\windows\ppp4.dat
c:\windows\ppp3.dat
c:\windows\system32\dddesot.dll
c:\windows\svchasts.exe
C:\cc_20090901_211244.reg
C:\cc_20090901_210909.reg
C:\cc_20090829_032322.reg
c:\windows\system32\drivers\sqidc69.sys
c:\windows\st32sys.sys
c:\windows\system32\A84B1FD262.sys
c:\windows\System32\drivers\741450c1.sys
c:\windows\system32\18.tmp

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]

Driver::
sqidc69
741450c1
MEMSWEEP2


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Thanks :(
m0le is a proud member of UNITE

#7 consigliere

  • Topic Starter
  • Members
  • 32 posts
  • Local time:12:18 AM

Posted 26 September 2009 - 09:54 PM

New Combofix log.txt follows. Thanks again.

ComboFix 09-09-25.01 - Juan E de la Fuente 09/26/2009 22:06.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.602 [GMT -4:00]
Running from: c:\documents and settings\Juan E de la Fuente\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Juan E de la Fuente\Desktop\cfscript.txt
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

FILE ::
"C:\cc_20090829_032322.reg"
"C:\cc_20090901_210909.reg"
"C:\cc_20090901_211244.reg"
"c:\windows\ppp3.dat"
"c:\windows\ppp4.dat"
"c:\windows\st32sys.sys"
"c:\windows\svchasts.exe"
"c:\windows\system32\18.tmp"
"c:\windows\system32\A84B1FD262.sys"
"c:\windows\system32\dddesot.dll"
"c:\windows\system32\desote.exe"
"c:\windows\System32\drivers\741450c1.sys"
"c:\windows\system32\drivers\sqidc69.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\cc_20090829_032322.reg
C:\cc_20090901_210909.reg
C:\cc_20090901_211244.reg
c:\windows\ppp3.dat
c:\windows\ppp4.dat
c:\windows\st32sys.sys
c:\windows\svchasts.exe
c:\windows\system32\A84B1FD262.sys
c:\windows\system32\bennuar.old
c:\windows\system32\dddesot.dll
c:\windows\system32\desote.exe
c:\windows\system32\drivers\sqidc69.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MEMSWEEP2
-------\Service_sqidc69


((((((((((((((((((((((((( Files Created from 2009-08-27 to 2009-09-27 )))))))))))))))))))))))))))))))
.

2009-09-19 03:24 . 2009-09-19 03:24 -------- d-----w- c:\program files\Sophos
2009-09-17 21:53 . 2009-05-17 00:59 19472 ----a-w- c:\windows\system32\drivers\klmouflt.sys
2009-09-17 21:53 . 2008-12-16 00:41 33808 ----a-w- c:\windows\system32\drivers\klbg.sys
2009-09-17 20:33 . 2009-09-23 17:33 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2009-09-17 20:33 . 2009-09-23 17:33 107547 ----a-w- c:\windows\system32\drivers\klin.dat
2009-09-17 20:32 . 2009-09-26 20:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-09-17 20:32 . 2009-09-17 20:32 -------- d-----w- c:\program files\Kaspersky Lab
2009-09-17 20:26 . 2009-09-17 20:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-09-01 19:47 . 2009-09-01 19:47 -------- d-----w- c:\program files\Western Digital
2009-08-30 15:50 . 2009-08-30 15:50 -------- dc----w- C:\Inetpub
2009-08-29 21:29 . 2009-08-29 21:29 -------- d-----w- c:\program files\2BrightSparks
2009-08-29 20:25 . 2009-08-29 20:25 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-29 20:14 . 2009-08-29 20:14 -------- d-----w- c:\program files\Trend Micro
2009-08-29 16:08 . 2009-08-29 16:08 -------- d-----w- c:\documents and settings\Juan E de la Fuente\Application Data\Malwarebytes
2009-08-29 16:08 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-29 16:08 . 2009-08-29 16:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-29 16:08 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-29 16:08 . 2009-08-29 16:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-29 07:38 . 2009-08-30 15:57 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-29 07:38 . 2009-08-29 07:38 -------- d-----w- c:\program files\AVG
2009-08-29 07:17 . 2009-08-29 07:17 -------- d-----w- c:\program files\CCleaner
2009-08-28 02:45 . 2009-03-06 14:44 283648 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-08-28 02:45 . 2009-02-06 17:14 110592 -c----w- c:\windows\system32\dllcache\services.exe
2009-08-28 02:45 . 2005-07-26 04:39 60416 -c----w- c:\windows\system32\dllcache\colbact.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-23 22:58 . 2004-09-14 01:53 -------- d-----w- c:\program files\Plaxo
2009-09-17 20:31 . 2006-10-22 15:41 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-09-03 22:47 . 2004-09-20 07:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-09-03 22:47 . 2003-12-04 19:01 -------- d-----w- c:\program files\Viewpoint
2009-08-31 05:11 . 2003-12-03 18:37 78960 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-31 03:55 . 2005-01-20 07:16 -------- d-----w- c:\program files\stt3
2009-08-30 21:42 . 2008-08-10 18:03 -------- d-----w- c:\documents and settings\Juan E de la Fuente\Application Data\ChessBase
2009-08-30 15:52 . 2005-01-20 07:23 -------- d-----w- c:\program files\LimeWire
2009-08-15 04:53 . 2009-02-13 04:20 -------- d-----w- c:\documents and settings\Juan E de la Fuente\Application Data\Skype
2009-08-15 03:37 . 2009-02-13 04:22 -------- d-----w- c:\documents and settings\Juan E de la Fuente\Application Data\skypePM
2009-08-05 09:11 . 2003-12-03 18:37 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-29 04:53 . 2003-12-03 17:23 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-29 04:53 . 2003-12-03 17:23 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-07-17 18:55 . 2003-12-03 17:23 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 06:18 . 2003-12-03 18:38 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-05 14:47 . 2009-07-05 14:47 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-03 19:48 . 2009-07-03 19:48 219664 ----a-w- c:\windows\system32\klogon.dll
2009-07-03 19:45 . 2009-07-03 19:45 27507 ----a-w- c:\windows\system32\drivers\klopp.dat
2009-06-29 16:12 . 2003-12-03 17:23 827392 ------w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2003-12-03 17:23 17408 ----a-w- c:\windows\system32\corpol.dll
2008-07-07 17:36 . 2004-11-10 18:32 10856 -csha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-02 39408]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 158208]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi1"=usbmn1x1.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk
backup=c:\windows\pss\Bluetooth Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Juan E de la Fuente^Start Menu^Programs^Startup^Logitech . Product Registration.lnk]
path=c:\documents and settings\Juan E de la Fuente\Start Menu\Programs\Startup\Logitech . Product Registration.lnk
backup=c:\windows\pss\Logitech . Product Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"0298781221261082mcinstcleanup"=2 (0x2)
"avg8wd"=2 (0x2)
"Viewpoint Manager Service"=2 (0x2)
"VAIOMediaPlatform-VideoServer-UPnP"=2 (0x2)
"VAIOMediaPlatform-VideoServer-HTTP"=2 (0x2)
"VAIOMediaPlatform-VideoServer-AppServer"=2 (0x2)
"VAIOMediaPlatform-PhotoServer-UPnP"=3 (0x3)
"VAIOMediaPlatform-PhotoServer-HTTP"=3 (0x3)
"VAIOMediaPlatform-PhotoServer-AppServer"=3 (0x3)
"VAIOMediaPlatform-MusicServer-UPnP"=3 (0x3)
"VAIOMediaPlatform-MusicServer-HTTP"=3 (0x3)
"VAIOMediaPlatform-MusicServer-AppServer"=3 (0x3)
"usnjsvc"=3 (0x3)
"TOSHIBA Bluetooth Service"=2 (0x2)
"Sony TVTA Manager"=2 (0x2)
"Sony TV Tuner Manager"=3 (0x3)
"Sony TV Tuner Controller"=3 (0x3)
"SonicStageMonitoring"=2 (0x2)
"Pml Driver HPZ12"=3 (0x3)
"NVSvc"=2 (0x2)
"McSysmon"=3 (0x3)
"McShield"=2 (0x2)
"McProxy"=2 (0x2)
"McODS"=3 (0x3)
"McNASvc"=2 (0x2)
"mcmscsvc"=2 (0x2)
"LVPrcSrv"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"IDriverT"=3 (0x3)
"gusvc"=3 (0x3)
"DigiRefresh"=2 (0x2)
"aspnet_state"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Sony\\VAIO Media 2.6\\Vc.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Sony\\VAIO Media 2.6\\VmpClient.exe"=
"c:\\Program Files\\Sony\\VAIO Media Integrated Server\\Platform\\VMConsole.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\Binaries\\helpctr.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\SopCast\\sopvod.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R0 SonyLSM;LED State Service;c:\windows\system32\drivers\SonyLSM.sys [9/13/2004 4:40 AM 4736]
S1 741450c1.sys;741450c1.sys;\??\c:\windows\System32\drivers\741450c1.sys --> c:\windows\System32\drivers\741450c1.sys [?]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [8/25/2005 3:00 PM 466880]
S3 dalwdmservice;dal service;c:\windows\system32\drivers\dalwdm.sys --> c:\windows\system32\drivers\dalwdm.sys [?]
S3 KS-959;Kingsun KS-959 USB Infrared Adapter;c:\windows\system32\drivers\KS-959.sys [11/18/2007 11:47 PM 19034]
S3 PIXMCV;JVC Communication PIX-MCV Driver;c:\windows\system32\drivers\pixmcvc.sys [12/21/2004 10:47 PM 32000]
S3 PIXMCVA;JVC PIX-MCV Audio Capture;c:\windows\system32\drivers\pixmcva.sys [12/21/2004 10:48 PM 28057]
S3 PIXMCVV;JVC PIX-MCV Video Capture;c:\windows\system32\drivers\pixmcvv.sys [12/21/2004 10:47 PM 21081]
S3 USB22LDR;M-Audio USB MidiSport 2x2 Loader;c:\windows\system32\drivers\usb22ldr.sys --> c:\windows\system32\drivers\usb22ldr.sys [?]
S3 USR;U.S. Robotics Wireless Access 802.11b Driver;c:\windows\system32\drivers\USRNDS.sys [4/25/2002 10:43 PM 51712]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/10/2007 8:00 PM 24652]
.
Contents of the 'Scheduled Tasks' folder

2009-09-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 18:57]

2004-09-19 c:\windows\Tasks\Registration reminder 1.job
- c:\windows\System32\OOBE\oobebaln.exe [2003-12-03 07:56]

2004-09-24 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\System32\OOBE\oobebaln.exe [2003-12-03 07:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.sony.com/vaiopeople
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: ameritrade.com
Trusted Zone: tdameritrade.com
DPF: Microsoft WFC for Developers - file://c:\progra~1\MIAF9D~1\VJ98\wfcdev.cab
DPF: Microsoft WFC Forms Designer - file://c:\progra~1\MIAF9D~1\VJ98\wfcforms.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {8B67B37E-1AE2-4B99-B8CF-55AF4D58DF0D} - file://e:\win\setup\iamce.dll
FF - ProfilePath - c:\documents and settings\Juan E de la Fuente\Application Data\Mozilla\Firefox\Profiles\caumpui0.default\
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-26 22:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2794602960-3981694414-2288104126-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(952)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
c:\windows\eHome\ehsched.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-09-27 22:27 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-27 02:27
ComboFix2.txt 2009-09-26 22:11

Pre-Run: 620,937,216 bytes free
Post-Run: 670,859,264 bytes free

Current=1 Default=1 Failed=4 LastKnownGood=5 Sets=1,2,3,4,5
262 --- E O F --- 2009-09-26 20:43

#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:04:18 AM

Posted 27 September 2009 - 10:20 AM

One more run should complete the job.

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\System32\drivers\741450c1.sys

Driver::
741450c1.sys


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Next please run MBAM as below.

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

Thanks :(
m0le is a proud member of UNITE

#9 consigliere

consigliere
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:12:18 AM

Posted 27 September 2009 - 01:40 PM

Note: Although MBAM reports that infected files have been deleted successfully, upon review of C:\Qoobox\Quarantine\C\WINDOWS\system32 I still see some files with the kbiwkm prefix but with an additional extension to their original file type, i.e. instead of kbiwkmblmsftjh.dat I see kbiwkmblmsftjh.dat.vir; is this a normal outcome of the malware removal process? What should I do with the C:\Qoobox\Quarantine\ folder? What is Qoobox? The computer did seem to behave normally before your last post so I was surprised MBAM found 12 infected files. After executing your last instructions, the computer continues to behave normally. Thanks.

Combofix and MBAM log follows:

ComboFix 09-09-25.01 - Juan E de la Fuente 09/27/2009 12:25.3.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.460 [GMT -4:00]
Running from: c:\documents and settings\Juan E de la Fuente\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Juan E de la Fuente\Desktop\cfscript.txt
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

FILE ::
"c:\windows\System32\drivers\741450c1.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_741450c1.sys


((((((((((((((((((((((((( Files Created from 2009-08-27 to 2009-09-27 )))))))))))))))))))))))))))))))
.

2009-09-19 03:24 . 2009-09-19 03:24 -------- d-----w- c:\program files\Sophos
2009-09-17 21:53 . 2009-05-17 00:59 19472 ----a-w- c:\windows\system32\drivers\klmouflt.sys
2009-09-17 21:53 . 2008-12-16 00:41 33808 ----a-w- c:\windows\system32\drivers\klbg.sys
2009-09-17 20:33 . 2009-09-23 17:33 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2009-09-17 20:33 . 2009-09-23 17:33 107547 ----a-w- c:\windows\system32\drivers\klin.dat
2009-09-17 20:32 . 2009-09-26 20:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-09-17 20:32 . 2009-09-17 20:32 -------- d-----w- c:\program files\Kaspersky Lab
2009-09-17 20:26 . 2009-09-17 20:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-09-01 19:47 . 2009-09-01 19:47 -------- d-----w- c:\program files\Western Digital
2009-08-30 15:50 . 2009-08-30 15:50 -------- dc----w- C:\Inetpub
2009-08-29 21:29 . 2009-08-29 21:29 -------- d-----w- c:\program files\2BrightSparks
2009-08-29 20:25 . 2009-08-29 20:25 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-29 20:14 . 2009-08-29 20:14 -------- d-----w- c:\program files\Trend Micro
2009-08-29 16:08 . 2009-08-29 16:08 -------- d-----w- c:\documents and settings\Juan E de la Fuente\Application Data\Malwarebytes
2009-08-29 16:08 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-29 16:08 . 2009-08-29 16:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-29 16:08 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-29 16:08 . 2009-08-29 16:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-29 07:38 . 2009-08-30 15:57 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-29 07:38 . 2009-08-29 07:38 -------- d-----w- c:\program files\AVG
2009-08-29 07:17 . 2009-08-29 07:17 -------- d-----w- c:\program files\CCleaner

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-27 16:34 . 2009-02-18 00:59 0 -c--a-w- c:\windows\system32\drivers\lvuvc.hs
2009-09-27 16:34 . 2009-02-18 00:58 0 -c--a-w- c:\windows\system32\drivers\logiflt.iad
2009-09-27 16:20 . 2009-02-13 04:20 -------- d-----w- c:\documents and settings\Juan E de la Fuente\Application Data\Skype
2009-09-27 12:04 . 2009-02-13 04:22 -------- d-----w- c:\documents and settings\Juan E de la Fuente\Application Data\skypePM
2009-09-23 22:58 . 2004-09-14 01:53 -------- d-----w- c:\program files\Plaxo
2009-09-17 20:31 . 2006-10-22 15:41 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-09-03 22:47 . 2004-09-20 07:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-09-03 22:47 . 2003-12-04 19:01 -------- d-----w- c:\program files\Viewpoint
2009-08-31 05:11 . 2003-12-03 18:37 78960 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-31 03:55 . 2005-01-20 07:16 -------- d-----w- c:\program files\stt3
2009-08-30 21:42 . 2008-08-10 18:03 -------- d-----w- c:\documents and settings\Juan E de la Fuente\Application Data\ChessBase
2009-08-30 15:52 . 2005-01-20 07:23 -------- d-----w- c:\program files\LimeWire
2009-08-05 09:11 . 2003-12-03 18:37 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-29 04:53 . 2003-12-03 17:23 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-29 04:53 . 2003-12-03 17:23 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-07-17 18:55 . 2003-12-03 17:23 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 06:18 . 2003-12-03 18:38 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-05 14:47 . 2009-07-05 14:47 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-03 19:48 . 2009-07-03 19:48 219664 ----a-w- c:\windows\system32\klogon.dll
2009-07-03 19:45 . 2009-07-03 19:45 27507 ----a-w- c:\windows\system32\drivers\klopp.dat
2008-07-07 17:36 . 2004-11-10 18:32 10856 -csha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-02 39408]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 158208]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi1"=usbmn1x1.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk
backup=c:\windows\pss\Bluetooth Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Juan E de la Fuente^Start Menu^Programs^Startup^Logitech . Product Registration.lnk]
path=c:\documents and settings\Juan E de la Fuente\Start Menu\Programs\Startup\Logitech . Product Registration.lnk
backup=c:\windows\pss\Logitech . Product Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"0298781221261082mcinstcleanup"=2 (0x2)
"avg8wd"=2 (0x2)
"Viewpoint Manager Service"=2 (0x2)
"VAIOMediaPlatform-VideoServer-UPnP"=2 (0x2)
"VAIOMediaPlatform-VideoServer-HTTP"=2 (0x2)
"VAIOMediaPlatform-VideoServer-AppServer"=2 (0x2)
"VAIOMediaPlatform-PhotoServer-UPnP"=3 (0x3)
"VAIOMediaPlatform-PhotoServer-HTTP"=3 (0x3)
"VAIOMediaPlatform-PhotoServer-AppServer"=3 (0x3)
"VAIOMediaPlatform-MusicServer-UPnP"=3 (0x3)
"VAIOMediaPlatform-MusicServer-HTTP"=3 (0x3)
"VAIOMediaPlatform-MusicServer-AppServer"=3 (0x3)
"usnjsvc"=3 (0x3)
"TOSHIBA Bluetooth Service"=2 (0x2)
"Sony TVTA Manager"=2 (0x2)
"Sony TV Tuner Manager"=3 (0x3)
"Sony TV Tuner Controller"=3 (0x3)
"SonicStageMonitoring"=2 (0x2)
"Pml Driver HPZ12"=3 (0x3)
"NVSvc"=2 (0x2)
"McSysmon"=3 (0x3)
"McShield"=2 (0x2)
"McProxy"=2 (0x2)
"McODS"=3 (0x3)
"McNASvc"=2 (0x2)
"mcmscsvc"=2 (0x2)
"LVPrcSrv"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"IDriverT"=3 (0x3)
"gusvc"=3 (0x3)
"DigiRefresh"=2 (0x2)
"aspnet_state"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Sony\\VAIO Media 2.6\\Vc.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Sony\\VAIO Media 2.6\\VmpClient.exe"=
"c:\\Program Files\\Sony\\VAIO Media Integrated Server\\Platform\\VMConsole.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\Binaries\\helpctr.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\SopCast\\sopvod.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R0 SonyLSM;LED State Service;c:\windows\system32\drivers\SonyLSM.sys [9/13/2004 4:40 AM 4736]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [8/25/2005 3:00 PM 466880]
S3 dalwdmservice;dal service;c:\windows\system32\drivers\dalwdm.sys --> c:\windows\system32\drivers\dalwdm.sys [?]
S3 KS-959;Kingsun KS-959 USB Infrared Adapter;c:\windows\system32\drivers\KS-959.sys [11/18/2007 11:47 PM 19034]
S3 PIXMCV;JVC Communication PIX-MCV Driver;c:\windows\system32\drivers\pixmcvc.sys [12/21/2004 10:47 PM 32000]
S3 PIXMCVA;JVC PIX-MCV Audio Capture;c:\windows\system32\drivers\pixmcva.sys [12/21/2004 10:48 PM 28057]
S3 PIXMCVV;JVC PIX-MCV Video Capture;c:\windows\system32\drivers\pixmcvv.sys [12/21/2004 10:47 PM 21081]
S3 USB22LDR;M-Audio USB MidiSport 2x2 Loader;c:\windows\system32\drivers\usb22ldr.sys --> c:\windows\system32\drivers\usb22ldr.sys [?]
S3 USR;U.S. Robotics Wireless Access 802.11b Driver;c:\windows\system32\drivers\USRNDS.sys [4/25/2002 10:43 PM 51712]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/10/2007 8:00 PM 24652]
.
Contents of the 'Scheduled Tasks' folder

2009-09-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 18:57]

2004-09-19 c:\windows\Tasks\Registration reminder 1.job
- c:\windows\System32\OOBE\oobebaln.exe [2003-12-03 07:56]

2004-09-24 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\System32\OOBE\oobebaln.exe [2003-12-03 07:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.sony.com/vaiopeople
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: ameritrade.com
Trusted Zone: tdameritrade.com
DPF: Microsoft WFC for Developers - file://c:\progra~1\MIAF9D~1\VJ98\wfcdev.cab
DPF: Microsoft WFC Forms Designer - file://c:\progra~1\MIAF9D~1\VJ98\wfcforms.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {8B67B37E-1AE2-4B99-B8CF-55AF4D58DF0D} - file://e:\win\setup\iamce.dll
FF - ProfilePath - c:\documents and settings\Juan E de la Fuente\Application Data\Mozilla\Firefox\Profiles\caumpui0.default\
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-27 12:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2794602960-3981694414-2288104126-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3916)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
c:\windows\eHome\ehsched.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-09-27 12:42 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-27 16:42
ComboFix2.txt 2009-09-27 02:27
ComboFix3.txt 2009-09-26 22:11

Pre-Run: 489,664,512 bytes free
Post-Run: 533,561,344 bytes free

Current=1 Default=1 Failed=4 LastKnownGood=5 Sets=1,2,3,4,5
233 --- E O F --- 2009-09-27 07:00

Malwarebytes' Anti-Malware 1.41
Database version: 2865
Windows 5.1.2600 Service Pack 2

9/27/2009 2:12:54 PM
mbam-log-2009-09-27 (14-12-54).txt

Scan type: Full Scan (C:\|D:\|E:\|I:\|)
Objects scanned: 237609
Time elapsed: 1 hour(s), 24 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\Program Files\Windows Police Pro\windows Police Pro.exe.vir (Antivirus2009) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\kbiwkmmnkjkymb.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\kbiwkmpyllrmmv.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\kbiwkmxmvbqqpc.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\kbiwkmxvalklld.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\kbiwkmpyrowkop.sys.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP0\A0000001.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP0\A0000002.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP0\A0000003.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP0\A0000004.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP1\A0000040.exe (Antivirus2009) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP1\A0000042.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 27 September 2009 - 07:27 PM

MBAM did find some files but most were tucked away in Qoobox (Combofix's quarantine folder).

The rest we will deal with near the end of the fix.

As for the rootkit names, most of them use a set start such as ESQUL and then random characters afterwards. It's quite normal to see lots of these types of files after a clean up.

Anyway, we now need to have a look at possible infected files and other stuff that may still be present.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
If this is clean we can move to the final steps which, particularly in your case, you must carry out to avoid reinfection.
m0le is a proud member of UNITE
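m0le's two observations about the MBAM log above, that most hits sit in Qoobox (ComboFix's quarantine) or in System Restore points rather than on the live system, and that the TDSS files share a fixed prefix followed by random characters, can both be checked mechanically from the log. The script below is an added example by the editor, not something posted in this thread or shipped with MBAM or ComboFix. It embeds the "Files Infected" lines from the post above as sample input, classifies each hit by where it was found, and derives the shared file-name prefix per threat family. The location keywords, the handling of ComboFix's ".vir" suffix and the A0000001-style restore-point file naming are assumptions taken from the paths shown in the log.

```python
import re
from collections import defaultdict
from os.path import commonprefix
from pathlib import PureWindowsPath

# Sample input: the "Files Infected" section of the MBAM log posted in this thread,
# preceded by one empty section to show that only the file list is parsed.
MBAM_LOG = r"""
Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\Program Files\Windows Police Pro\windows Police Pro.exe.vir (Antivirus2009) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\kbiwkmmnkjkymb.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\kbiwkmpyllrmmv.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\kbiwkmxmvbqqpc.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\kbiwkmxvalklld.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\kbiwkmpyrowkop.sys.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP0\A0000001.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP0\A0000002.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP0\A0000003.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP0\A0000004.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP1\A0000040.exe (Antivirus2009) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP1\A0000042.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
"""

# One MBAM file line: "<path> (<threat name>) -> <action>"
LINE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.*?) \((?P<threat>[^()]+)\) -> (?P<action>.+)$")
# System Restore renames copies it keeps to A0000001.sys and the like (assumed from the log).
RESTORE_COPY_RE = re.compile(r"A\d{7}\.\w+", re.IGNORECASE)


def parse_mbam_files(log_text):
    """Return the entries of the 'Files Infected:' section as dicts (path, threat, action)."""
    hits = []
    in_files = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Files Infected:":
            in_files = True
            continue
        if not in_files or not line:
            continue
        m = LINE_RE.match(line)
        if m:
            hits.append(m.groupdict())
    return hits


def classify_location(path):
    """Where the hit lived: already quarantined by ComboFix, a restore-point copy, or the live system."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "combofix-quarantine"
    if "\\system volume information\\_restore" in p:
        return "system-restore-point"
    return "live-system"


def summarize(hits):
    """Count hits per threat family, split by location."""
    by_family = defaultdict(lambda: defaultdict(int))
    for h in hits:
        by_family[h["threat"]][classify_location(h["path"])] += 1
    return {family: dict(locations) for family, locations in by_family.items()}


def live_hits(hits):
    """Paths that were neither quarantined copies nor restore-point copies: these still need attention."""
    return [h["path"] for h in hits if classify_location(h["path"]) == "live-system"]


def original_basename(path):
    """File name with ComboFix's '.vir' quarantine suffix removed."""
    name = PureWindowsPath(path).name
    return name[:-4] if name.lower().endswith(".vir") else name


def family_name_prefix(hits, family):
    """Longest common prefix of the original file names of one family.

    A long shared prefix with random characters after it is the naming style
    m0le describes; restore-point copies are skipped because System Restore
    renamed them and they carry no information about the original names.
    """
    names = [original_basename(h["path"]) for h in hits
             if h["threat"] == family and not RESTORE_COPY_RE.fullmatch(original_basename(h["path"]))]
    return commonprefix(names) if names else ""


if __name__ == "__main__":
    found = parse_mbam_files(MBAM_LOG)
    for family, locations in summarize(found).items():
        print(family, locations, "prefix:", repr(family_name_prefix(found, family)))
    print("live-system hits:", live_hits(found) or "none")
```

Run against the posted log this reports both families entirely in the quarantine and restore-point locations, no live-system hits, and the prefix "kbiwkm" for the Rootkit.TDSS entries, which is the mechanical form of m0le's reading of the log.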

#11 consigliere

consigliere
  • Topic Starter

  • Members
  • 32 posts

Posted 28 September 2009 - 05:59 AM

Hello, ESET scan follows:

C:\Qoobox\Quarantine\[4]-Submit_2009-09-26_22.06.15.zip multiple threats deleted - quarantined
D:\My Downloads\Applications\Install_AIM.exe Win32/Adware.WBug.A application deleted - quarantined

Thank you.

#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 28 September 2009 - 01:05 PM

Hi consigliere,

The ESET scan was what we wanted.

Your PC is clean.

Good stuff!

Let's do some clearing up


Delete ComboFix and Clean Up

Click Start > Run, type combofix /u and click OK (note the space between combofix and /u).
Please advise if this step is missed for any reason as it performs some important actions.


Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click Posted Image icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big Posted Image button.
  • You will get a prompt saying "Being Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
------------------------------------------------------------------------------------------------------------------------

Here's some advice on how you can keep your PC clean


Update your AntiVirus Software

It is imperative that you update your antivirus software at least once a week (more often if you wish). If you do not update your antivirus software, it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program, you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version or the Pro version for a 15 day trial period.

Installing this or another recommended program will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis, just as you would with antivirus software.


Finally, here's a treasure trove of antivirus, antimalware and antispyware resources


That's it consigliere, happy surfing!

Cheers.

m0le
m0le is a proud member of UNITE

#13 consigliere

consigliere
  • Topic Starter

  • Members
  • 32 posts

Posted 29 September 2009 - 06:34 PM

m0le, thank you for your assistance. My computer seems malware free. I have made a small donation to your cause. Thanks again. Peace!

#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 29 September 2009 - 06:58 PM

Thank you

I'm glad that you're enjoying your PC again.

m0le
m0le is a proud member of UNITE

#15 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 02 October 2009 - 08:03 PM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE