browser redirection

This topic is locked
24 replies to this topic

#1 superqaz

Posted 27 October 2009 - 11:52 AM

Hi

Someone on your other forum suggested I post this here, and a pop-up message after running the script said to post a zipped version of log.txt [which I cannot find how to zip].

Any help would be appreciated with my browser redirection problem.

Thanks
Mark


DDS (Ver_09-10-26.01) - NTFSx86
Run by m at 16:32:58.65 on 27/10/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.1024.527 [GMT 0:00]

AV: a-squared Anti-Malware *On-access scanning enabled* (Updated) {0F8591BB-342B-4493-91C3-4E948ED21255}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Comodo\BackUp\CmdBkSvc.exe
C:\Program Files\Norton GoBack\GBPoll.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\SPAMfighter\sfus.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\SPAMfighter\SFAgent.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\Free Download Manager\fdm.exe
C:\Program Files\Copernic Desktop Search - Home\DesktopSearchService.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\PhraseExpress\phraseexpress.exe
C:\Program Files\Shrink Pic\shrink_pic.exe
C:\Program Files\WordWeb\wweb32.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\check 4 virus\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/search?hl=en&source=hp&q=oiiuoiu&meta=cr%3DcountryUK%7CcountryGB&aq=f&oq=
uSearch Bar =
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdm2.dll
BHO: TBSB00982 Class: {da3d342f-ff20-4e31-9e82-22334155730c} - c:\program files\antbar\ant.com toolbar\tbcore3.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Copernic Desktop Search - Home Toolbar: {4a1c6093-14f9-44d7-860e-5d265cfca9d9} - c:\program files\copernic desktop search - home\toolbar\ToolbarContainer101000313.dll
TB: Ant.com Toolbar: {6cd56c02-cb4d-41b5-a0fe-b479061ccb41} - c:\program files\antbar\ant.com toolbar\tbcore3.dll
EB: Copernic Desktop Search - Home Toolbar: {4a1c6093-14f9-44d7-860e-5d265cfca9d9} - c:\program files\copernic desktop search - home\toolbar\ToolbarContainer101000313.dll
EB: Copernic Desktop Search - Home: {9c3fca1f-99e3-48f2-a7f4-dd3931b2f99a} - c:\program files\copernic desktop search - home\DeskbandIntegration302010008.dll
uRun: [Free Download Manager] c:\program files\free download manager\fdm.exe -autorun
uRun: [Copernic Desktop Search - Home] "c:\program files\copernic desktop search - home\DesktopSearchService.exe" /tray
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
mRun: [Ginipic] "c:\program files\ginipic\Ginipic.Bootstrapper.exe" -startup
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [SPAMfighter Agent] "c:\program files\spamfighter\SFAgent.exe" update delay 60
mRun: [ThreatFire] c:\program files\threatfire\TFTray.exe
StartupFolder: c:\docume~1\m\startm~1\programs\startup\shrink~1.lnk - c:\program files\shrink pic\shrink_pic.exe
StartupFolder: c:\docume~1\m\startm~1\programs\startup\wordweb.lnk - c:\program files\wordweb\wweb32.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\dslmon.lnk - c:\program files\sagem\sagem f@st 800-840\dslmon.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\phrase~1.lnk - c:\program files\phraseexpress\phraseexpress.exe
IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1249919318546
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {D2558D33-24AB-4AFB-9FB3-CC40E1ABC66E} = 208.67.222.222 208.67.220.220
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\m\applic~1\mozilla\firefox\profiles\e7c6t0c7.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101761&gct=&gc=1&q=
FF - component: c:\documents and settings\m\application data\mozilla\firefox\profiles\e7c6t0c7.default\extensions\{62760fd6-b943-48c9-ab09-f99c6fe96088}\platform\winnt\components\ebayAccessComponent.dll
FF - component: c:\documents and settings\m\application data\mozilla\firefox\profiles\e7c6t0c7.default\extensions\{62760fd6-b943-48c9-ab09-f99c6fe96088}\platform\winnt\components\ebayShortcutMaker.dll
FF - component: c:\program files\free download manager\firefox\extension\components\vmsfdmff.dll
FF - plugin: c:\program files\java\j2re1.4.1_07\bin\NPJava11.dll
FF - plugin: c:\program files\java\j2re1.4.1_07\bin\NPJava12.dll
FF - plugin: c:\program files\java\j2re1.4.1_07\bin\NPJava13.dll
FF - plugin: c:\program files\java\j2re1.4.1_07\bin\NPJava32.dll
FF - plugin: c:\program files\java\j2re1.4.1_07\bin\NPJPI141_07.dll
FF - plugin: c:\program files\java\j2re1.4.1_07\bin\NPOJI610.dll

============= SERVICES / DRIVERS ===============

R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-9-23 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-9-23 59664]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-10-12 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-10-12 74480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-10-16 108289]
R2 ComodoBackupService;ComodoBackupService;c:\program files\comodo\backup\CmdBkSvc.exe [2009-3-31 1023488]
R2 SPAMfighter Update Service;SPAMfighter Update Service;c:\program files\spamfighter\sfus.exe [2009-8-27 189064]
R2 ThreatFire;ThreatFire;c:\program files\threatfire\tfservice.exe service --> c:\program files\threatfire\TFService.exe service [?]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-9-23 33552]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-10-12 7408]

=============== Created Last 30 ================

2009-10-26 12:29:58 0 d-----w- c:\program files\Antbar
2009-10-21 20:53:25 0 d-----w- c:\program files\SAGEM
2009-10-21 20:32:53 143360 ----a-w- c:\windows\autoclk.exe
2009-10-19 17:10:44 0 d-----w- c:\program files\CamStudio
2009-10-17 19:08:49 0 d-----w- c:\program files\a-squared Anti-Malware
2009-10-17 10:33:18 0 d-----w- c:\program files\SUPERAntiSpyware
2009-10-17 10:32:44 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-10-17 10:29:43 120 ----a-w- c:\windows\CIS_Setup_3.12.111745.560_XP_Vista_x32.INI
2009-10-16 23:50:55 0 d-----w- c:\program files\Avira
2009-10-16 23:50:55 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Avira
2009-10-16 22:45:25 0 d-----w- c:\windows\system32\wbem\Repository
2009-10-16 17:37:41 604140 --sha-w- c:\windows\system32\drivers\ISwift3.dat
2009-10-16 17:21:09 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2009-10-16 17:21:09 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2009-10-16 17:18:35 0 d-----w- c:\program files\Kaspersky Lab
2009-10-16 17:18:35 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Kaspersky Lab
2009-10-16 17:08:01 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Kaspersky Lab Setup Files
2009-10-16 13:04:12 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-10-16 12:50:31 0 d-----w- c:\documents and settings\m\.housecall6.6
2009-10-16 12:08:39 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-10-10 17:01:51 0 d-----w- c:\program files\Replay Music 3
2009-10-09 19:04:38 0 d-----w- c:\docume~1\alluse~1.win\applic~1\FreeDownloadManager.ORG

==================== Find3M ====================

2009-10-21 20:53:49 23 ----a-w- c:\windows\system32\drivers\adidsl.cfg
2009-10-12 17:17:59 0 ---h--w- c:\docume~1\alluse~1.win\applic~1\PKP_DLbx.DAT
2009-09-23 14:07:48 59664 ----a-w- c:\windows\system32\drivers\TfSysMon.sys
2009-09-23 14:07:47 33552 ----a-w- c:\windows\system32\drivers\TfNetMon.sys
2009-09-23 14:07:46 51984 ----a-w- c:\windows\system32\drivers\TfFsMon.sys
2009-09-10 13:54:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 13:53:50 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-04 16:51:27 3074621440 --sha-w- C:\gobackio.bin
2009-07-31 14:23:10 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-02-15 22:01:15 271 --sh--w- c:\program files\desktop.ini
2009-02-15 22:01:15 21952 ---ha-w- c:\program files\folder.htt

============= FINISH: 16:37:55.43 ===============

Pasting in other logs posted in the other topic. ~ OB

Volume in drive C has no label.
Volume Serial Number is 5008-7757

Directory of C:\WINDOWS\system32

04/08/2004 07:56 180,224 scecli.dll

Directory of C:\WINDOWS\system32

04/08/2004 07:56 407,040 netlogon.dll

Directory of C:\WINDOWS\system32

04/08/2004 07:56 55,808 eventlog.dll
3 File(s) 643,072 bytes

Directory of C:\WINDOWS\system32\dllcache

04/08/2004 07:56 180,224 scecli.dll

Directory of C:\WINDOWS\system32\dllcache

04/08/2004 07:56 407,040 netlogon.dll

Directory of C:\WINDOWS\system32\dllcache

04/08/2004 07:56 55,808 eventlog.dll
3 File(s) 643,072 bytes

Total Files Listed:
6 File(s) 1,286,144 bytes
0 Dir(s) 7,664,640,000 bytes free


ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/10/26 11:20
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA9FAA000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7D3E000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA9772000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files

Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\documents and settings\m\application data\spamfighter\logs\tbclient.log.txt
Status: Size mismatch (API: 777220, Raw: 775048)

Path: c:\documents and settings\m\local settings\application data\mozilla\firefox\profiles\e7c6t0c7.default\cache\_cache_001_
Status: Size mismatch (API: 586073, Raw: 585341)

Path: C:\Documents and Settings\m\Local Settings\Application Data\Mozilla\Firefox\Profiles\e7c6t0c7.default\Cache\169D0564d01
Status: Visible to the Windows API, but not on disk.

SSDT

#: 025 Function Name: NtClose
Status: Hooked by "GoBack2K.sys" at address 0xf7717ec0

#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xab3fa10e

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xab3fa104

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xab3fa113

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0xab3fa11d

#: 084 Function Name: NtFsControlFile
Status: Hooked by "GoBack2K.sys" at address 0xf7717f50

#: 098 Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xab3fa122

#: 119 Function Name: NtOpenKey
Status: Hooked by "TfSysMon.sys" at address 0xf770990c

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xab3fa0f0

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xab3fa0f5

#: 193 Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xab3fa12c

#: 204 Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xab3fa127

#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xab3fa118

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xab3fa0ff

Stealth Objects

Object: Hidden Module [Name: tdlcmd.dll]
Process: svchost.exe (PID: 696) Address: 0x10000000 Size: 24576

Object: Hidden Module [Name: tdlwsp.dll]
Process: Explorer.EXE (PID: 1104) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: tdlwsp.dll]
Process: firefox.exe (PID: 1632) Address: 0x01790000 Size: 28672

==EOF==



Running from: C:\Documents and Settings\m\desktop\Win32kDiag(2).exe

Log file at : C:\Documents and Settings\m\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...





Finished!

Edited by Orange Blossom, 27 October 2009 - 06:36 PM.
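The RootRepeal and DDS sections above are the parts of this post a practitioner would triage first: SSDT entries hooked by "<unknown>" (the named hookers GoBack2K.sys and TfSysMon.sys belong to software the Running Processes list accounts for), modules loaded in svchost.exe, Explorer.EXE and firefox.exe that are hidden from the module list, the DNS servers pinned in the TCP: line, and Firefox's keyword.URL pointing at an ask.com redirector. The Python below is an added example written for this page, not a tool from the thread or from BleepingComputer: it parses those four record types out of constructed excerpts laid out like the logs above (the excerpts, the field names and the clustering window are ours) and groups the unknown hooks by handler address, so that many SSDT entries pointing into one small region that no listed driver owns surface as a single finding instead of fourteen lines.

```python
"""Triage helpers for RootRepeal and DDS text logs.
Added example for this page, not a tool from the thread; all sample text is
constructed to mirror the log formats in the post, and the names are ours."""
import re

# Constructed excerpt in RootRepeal's SSDT / Stealth Objects layout.
ROOTREPEAL_SAMPLE = """\
SSDT

#: 025 Function Name: NtClose
Status: Hooked by "GoBack2K.sys" at address 0xf7717ec0

#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xab3fa10e

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xab3fa0f0

#: 119 Function Name: NtOpenKey
Status: Hooked by "TfSysMon.sys" at address 0xf770990c

Stealth Objects

Object: Hidden Module [Name: tdlcmd.dll]
Process: svchost.exe (PID: 696) Address: 0x10000000 Size: 24576

Object: Hidden Module [Name: tdlwsp.dll]
Process: firefox.exe (PID: 1632) Address: 0x01790000 Size: 28672
"""

# Constructed excerpt in DDS "Pseudo HJT Report" / FIREFOX layout.
DDS_SAMPLE = """\
BHO: TBSB00982 Class: {da3d342f-ff20-4e31-9e82-22334155730c} - c:\\program files\\antbar\\ant.com toolbar\\tbcore3.dll
TCP: {D2558D33-24AB-4AFB-9FB3-CC40E1ABC66E} = 208.67.222.222 208.67.220.220
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101761&gct=&gc=1&q=
FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start2.mozilla.com/firefox
"""

HOOK_RE = re.compile(r'#:\s*(\d+)\s+Function Name:\s*(\w+)\s*\n'
                     r'Status:\s*Hooked by "([^"]+)" at address (0x[0-9a-fA-F]+)')
HIDDEN_RE = re.compile(r'Object: Hidden Module \[Name: ([^\]]+)\]\s*\n'
                       r'Process: (\S+) \(PID: (\d+)\) Address: (0x[0-9a-fA-F]+) Size: (\d+)')
DNS_RE = re.compile(r'^TCP: \{[0-9A-Fa-f-]+\} = (.+)$', re.M)
FFPREF_RE = re.compile(r'^FF - prefs\.js: (\S+) - (\S+)$', re.M)


def parse_ssdt_hooks(text):
    """Every 'Hooked by' SSDT entry as a dict; the address is kept as an int."""
    return [{'index': int(i), 'function': f, 'hooker': h, 'address': int(a, 16)}
            for i, f, h, a in HOOK_RE.findall(text)]


def parse_hidden_modules(text):
    """Modules RootRepeal saw mapped in a process but missing from its module list."""
    return [{'name': n, 'process': p, 'pid': int(pid), 'base': int(a, 16), 'size': int(s)}
            for n, p, pid, a, s in HIDDEN_RE.findall(text)]


def cluster_unknown_hooks(hooks, window=0x1000):
    """Group '<unknown>' hooks whose handler addresses lie within `window` bytes
    of the first address in the group. Hooks owned by a named driver are left
    out: on this machine GoBack2K.sys and TfSysMon.sys are expected hookers."""
    unknown = sorted((h for h in hooks if h['hooker'] == '<unknown>'),
                     key=lambda h: h['address'])
    clusters = []
    for h in unknown:
        if clusters and h['address'] - clusters[-1][0]['address'] <= window:
            clusters[-1].append(h)
        else:
            clusters.append([h])
    return clusters


def dds_redirect_findings(text):
    """Settings in a DDS log that redirect a browser without any rootkit:
    DNS servers pinned on an interface and Firefox's keyword.URL override."""
    findings = []
    for m in DNS_RE.finditer(text):
        findings.append(('dns_servers', m.group(1).split()))
    for name, value in FFPREF_RE.findall(text):
        if name == 'keyword.URL':
            findings.append(('keyword_url', value))
    return findings


if __name__ == '__main__':
    hooks = parse_ssdt_hooks(ROOTREPEAL_SAMPLE)
    for c in cluster_unknown_hooks(hooks):
        print('unknown hooks %s at %#x..%#x'
              % ([h['function'] for h in c], c[0]['address'], c[-1]['address']))
    for m in parse_hidden_modules(ROOTREPEAL_SAMPLE):
        print('hidden module %s in %s (pid %d)' % (m['name'], m['process'], m['pid']))
    for kind, value in dds_redirect_findings(DDS_SAMPLE):
        print(kind, value)
```

Run it as a script to print the findings for the constructed excerpts, or pass the full pasted logs to the parse functions. The clustering window is a parameter chosen for the example, not a value taken from the thread; the point of the grouping is that one unlisted driver owning many SSDT entries is a single finding to escalate, whereas a hook from a driver the process list accounts for is not.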


#2 superqaz


Posted 02 November 2009 - 03:29 PM

Hi

I know there is supposed to be a wait before getting help, but I'm new to forums and noticed that Orange Blossom has modified my post. Am I missing something, like noticing an answer from someone? I'd hate to sit here forever waiting.
Thanks

#3 Elise


Posted 03 November 2009 - 04:10 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
Please be patient and I'd be grateful if you would note the following
  • The cleaning process is not instant. DDS logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new DDS log
  • GMER log


Please give me some time to review your logs and take the steps necessary with you to get your machine back in working order clean and free of malware.

Thanks, and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Malware analyst @ Emsisoft


#4 superqaz


Posted 03 November 2009 - 05:42 AM

hi

I don't think I/you need those logs; your post seems to be very general. How do I message you as suggested?

thanx

#5 superqaz


Posted 03 November 2009 - 05:48 AM

Please disregard the above post; it's for another thread.

#6 superqaz


Posted 03 November 2009 - 05:54 AM

I just looked above and one file is DDS.scr and the other may be DDS.pif. Your info/message seems very general, so I don't know which part of it applies to this problem.

#7 superqaz


Posted 03 November 2009 - 06:08 AM

I have decided to run another [both] scan, as some programs have been changed since posting the problem. I can't download one of them [dds.pif]; I get this [sample] when clicking on it. Thanks

MZ ... This program cannot be run in DOS mode.
PE ... .code ... .rsrc ... PECompact2 ...
[the rest of the pasted sample is raw binary data from the executable]

#8 Elise


Posted 03 November 2009 - 06:21 AM

Try to download DDS from here http://download.bleepingcomputer.com/sUBs/dds.com

regards, Elise




#9 superqaz


Posted 04 November 2009 - 01:07 PM

Hi

Here are the 2 new logs [as programs were added/removed to my PC] and one zipped file.

Please let me know if this is incorrect or the zipped file is missing, as I can't see it. OK, I see it; it seems I'm not allowed to upload this zipped file, so I am posting the text.

I am not allowed to post the text... it's too big. Can someone assist me please?
Thanks
-------------------------------------------------------------------

#10 Elise


Posted 04 November 2009 - 01:24 PM

You can attach the files to your post (it's below the box where you type your reply). If you need help with that, please let me know.

regards, Elise




#11 superqaz


Posted 04 November 2009 - 01:25 PM

Sorry for the inability to do this before; this should be everything needed.

thanx

GMER 1.0.15.15163 - http://www.gmer.net
Rootkit quick scan 2009-11-04 18:17:14
Windows 5.1.2600 Service Pack 2
Running: 9p53jz79.exe; Driver: C:\DOCUME~1\m\LOCALS~1\Temp\uxnyrkow.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs TfFsMon.sys (ThreatFire Filesystem Monitor/PC Tools)
AttachedDevice \FileSystem\Fastfat \Fat TfFsMon.sys (ThreatFire Filesystem Monitor/PC Tools)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp TfNetMon.sys (ThreatFire Network Monitor/PC Tools)

---- EOF - GMER 1.0.15 ----
============================


DDS (Ver_09-10-26.01) - NTFSx86
Run by m at 11:01:00.96 on 04/11/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.1024.542 [GMT 0:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Comodo\BackUp\CmdBkSvc.exe
C:\Program Files\Norton GoBack\GBPoll.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\SPAMfighter\sfus.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\SPAMfighter\SFAgent.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\Free Download Manager\fdm.exe
C:\Program Files\Copernic Desktop Search - Home\DesktopSearchService.exe
C:\Program Files\Monitor Calibration Wizard\MCW.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\PhraseExpress\phraseexpress.exe
C:\Program Files\Shrink Pic\shrink_pic.exe
C:\Program Files\WordWeb\wweb32.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Documents and Settings\m\desktop\run these\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/search?hl=en&source=hp&q=oiiuoiu&meta=cr%3DcountryUK%7CcountryGB&aq=f&oq=
uSearch Bar =
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdm2.dll
BHO: TBSB00982 Class: {da3d342f-ff20-4e31-9e82-22334155730c} - c:\program files\antbar\ant.com toolbar\tbcore3.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Copernic Desktop Search - Home Toolbar: {4a1c6093-14f9-44d7-860e-5d265cfca9d9} - c:\program files\copernic desktop search - home\toolbar\ToolbarContainer101000313.dll
TB: Ant.com Toolbar: {6cd56c02-cb4d-41b5-a0fe-b479061ccb41} - c:\program files\antbar\ant.com toolbar\tbcore3.dll
EB: Copernic Desktop Search - Home Toolbar: {4a1c6093-14f9-44d7-860e-5d265cfca9d9} - c:\program files\copernic desktop search - home\toolbar\ToolbarContainer101000313.dll
EB: Copernic Desktop Search - Home: {9c3fca1f-99e3-48f2-a7f4-dd3931b2f99a} - c:\program files\copernic desktop search - home\DeskbandIntegration302010008.dll
uRun: [Free Download Manager] c:\program files\free download manager\fdm.exe -autorun
uRun: [Copernic Desktop Search - Home] "c:\program files\copernic desktop search - home\DesktopSearchService.exe" /tray
uRun: [MCW Startup] "c:\program files\monitor calibration wizard\MCW.exe" /s /p
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
mRun: [Ginipic] "c:\program files\ginipic\Ginipic.Bootstrapper.exe" -startup
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [SPAMfighter Agent] "c:\program files\spamfighter\SFAgent.exe" update delay 60
mRun: [ThreatFire] c:\program files\threatfire\TFTray.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
StartupFolder: c:\docume~1\m\startm~1\programs\startup\shrink~1.lnk - c:\program files\shrink pic\shrink_pic.exe
StartupFolder: c:\docume~1\m\startm~1\programs\startup\wordweb.lnk - c:\program files\wordweb\wweb32.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\dslmon.lnk - c:\program files\sagem\sagem f@st 800-840\dslmon.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\phrase~1.lnk - c:\program files\phraseexpress\phraseexpress.exe
IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm
IE: Download web site with Free Download Manager - file://c:\program files\free download manager\dlpage.htm
IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1249919318546
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\m\applic~1\mozilla\firefox\profiles\e7c6t0c7.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101761&gct=&gc=1&q=
FF - component: c:\documents and settings\m\application data\mozilla\firefox\profiles\e7c6t0c7.default\extensions\{62760fd6-b943-48c9-ab09-f99c6fe96088}\platform\winnt\components\ebayAccessComponent.dll
FF - component: c:\documents and settings\m\application data\mozilla\firefox\profiles\e7c6t0c7.default\extensions\{62760fd6-b943-48c9-ab09-f99c6fe96088}\platform\winnt\components\ebayShortcutMaker.dll
FF - component: c:\program files\free download manager\firefox\extension\components\vmsfdmff.dll
FF - plugin: c:\program files\java\j2re1.4.1_07\bin\NPJava11.dll
FF - plugin: c:\program files\java\j2re1.4.1_07\bin\NPJava12.dll
FF - plugin: c:\program files\java\j2re1.4.1_07\bin\NPJava13.dll
FF - plugin: c:\program files\java\j2re1.4.1_07\bin\NPJava32.dll
FF - plugin: c:\program files\java\j2re1.4.1_07\bin\NPJPI141_07.dll
FF - plugin: c:\program files\java\j2re1.4.1_07\bin\NPOJI610.dll

============= SERVICES / DRIVERS ===============

R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-9-23 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-9-23 59664]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-10-12 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-10-12 74480]
R2 ComodoBackupService;ComodoBackupService;c:\program files\comodo\backup\CmdBkSvc.exe [2009-3-31 1023488]
R2 SPAMfighter Update Service;SPAMfighter Update Service;c:\program files\spamfighter\sfus.exe [2009-8-27 189064]
R2 ThreatFire;ThreatFire;c:\program files\threatfire\tfservice.exe service --> c:\program files\threatfire\TFService.exe service [?]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-9-23 33552]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-10-16 108289]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-10-12 7408]

=============== Created Last 30 ================

2009-11-02 20:17:11 0 d-----w- c:\windows\system32\wbem\Repository
2009-11-02 18:00:48 0 d-----w- c:\program files\XnView
2009-10-27 20:45:33 0 d-----w- c:\program files\Monitor Calibration Wizard
2009-10-27 19:49:35 7 ----a-w- c:\windows\INI2=No
2009-10-27 19:49:35 7 ----a-w- c:\windows\INI1=No
2009-10-26 12:29:58 0 d-----w- c:\program files\Antbar
2009-10-21 20:53:25 0 d-----w- c:\program files\SAGEM
2009-10-21 20:32:53 143360 ----a-w- c:\windows\autoclk.exe
2009-10-17 10:33:18 0 d-----w- c:\program files\SUPERAntiSpyware
2009-10-17 10:32:44 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-10-17 10:29:43 120 ----a-w- c:\windows\CIS_Setup_3.12.111745.560_XP_Vista_x32.INI
2009-10-16 23:50:55 0 d-----w- c:\program files\Avira
2009-10-16 23:50:55 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Avira
2009-10-16 17:37:41 604140 --sha-w- c:\windows\system32\drivers\ISwift3.dat
2009-10-16 17:21:09 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2009-10-16 17:21:09 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2009-10-16 17:18:35 0 d-----w- c:\program files\Kaspersky Lab
2009-10-16 17:18:35 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Kaspersky Lab
2009-10-16 17:08:01 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Kaspersky Lab Setup Files
2009-10-16 13:04:12 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-10-16 12:50:31 0 d-----w- c:\documents and settings\m\.housecall6.6
2009-10-16 12:08:39 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-10-10 17:01:51 0 d-----w- c:\program files\Replay Music 3
2009-10-09 19:04:38 0 d-----w- c:\docume~1\alluse~1.win\applic~1\FreeDownloadManager.ORG

==================== Find3M ====================

2009-10-21 20:53:49 23 ----a-w- c:\windows\system32\drivers\adidsl.cfg
2009-10-12 17:17:59 0 ---h--w- c:\docume~1\alluse~1.win\applic~1\PKP_DLbx.DAT
2009-09-23 14:07:48 59664 ----a-w- c:\windows\system32\drivers\TfSysMon.sys
2009-09-23 14:07:47 33552 ----a-w- c:\windows\system32\drivers\TfNetMon.sys
2009-09-23 14:07:46 51984 ----a-w- c:\windows\system32\drivers\TfFsMon.sys
2009-09-10 13:54:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 13:53:50 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-02-15 22:01:15 271 --sh--w- c:\program files\desktop.ini
2009-02-15 22:01:15 21952 ---ha-w- c:\program files\folder.htt

============= FINISH: 11:04:27.32 ===============

#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,114 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:04:24 PM

Posted 04 November 2009 - 01:38 PM

Hello superqaz,

I see evidence of a new rootkit variant in your logs, we should be able to take that out with Combofix.

COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Bleepingcomputer
  • ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

In your next reply, please include the following:
  • Combofix.txt

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft


#13 superqaz

superqaz
  • Topic Starter

  • Members
  • 284 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:24 PM

Posted 05 November 2009 - 04:44 PM

here's the log

thanx

ComboFix 09-11-05.01 - m 05/11/2009 19:23.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.1024.721 [GMT 0:00]
Running from: c:\documents and settings\Administrator\Desktop\check 4 virus\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\m\Application Data\.#
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At25.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At27.job
c:\windows\Tasks\At28.job
c:\windows\Tasks\At29.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At30.job
c:\windows\Tasks\At31.job
c:\windows\Tasks\At32.job
c:\windows\Tasks\At33.job
c:\windows\Tasks\At34.job
c:\windows\Tasks\At35.job
c:\windows\Tasks\At36.job
c:\windows\Tasks\At37.job
c:\windows\Tasks\At38.job
c:\windows\Tasks\At39.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At40.job
c:\windows\Tasks\At41.job
c:\windows\Tasks\At42.job
c:\windows\Tasks\At43.job
c:\windows\Tasks\At44.job
c:\windows\Tasks\At45.job
c:\windows\Tasks\At46.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :(
.
((((((((((((((((((((((((( Files Created from 2009-10-05 to 2009-11-05 )))))))))))))))))))))))))))))))
.

2009-11-02 20:17 . 2009-11-02 20:17 -------- d-----w- c:\windows\system32\wbem\Repository
2009-11-02 18:00 . 2009-11-02 20:16 -------- d-----w- c:\program files\XnView
2009-10-27 20:45 . 2009-10-27 20:56 -------- d-----w- c:\program files\Monitor Calibration Wizard
2009-10-26 12:39 . 2009-11-01 17:22 -------- d-----w- c:\documents and settings\m\Local Settings\Application Data\ant.com
2009-10-26 12:29 . 2009-10-26 12:29 -------- d-----w- c:\program files\Antbar
2009-10-23 19:34 . 2009-10-23 19:48 -------- d-----w- c:\documents and settings\Administrator.M-34F56A33A4BC4.000\Application Data\Free Download Manager
2009-10-21 20:53 . 2005-03-03 12:42 1531904 ----a-w- c:\windows\adiras.exe
2009-10-21 20:53 . 2002-05-09 14:12 155648 ----a-w- c:\windows\system32\adadix32.dll
2009-10-21 20:53 . 2004-03-02 07:24 127065 ----a-w- c:\windows\system32\drivers\adiusbaw.sys
2009-10-21 20:53 . 2001-07-27 12:25 127456 ----a-w- c:\windows\system32\ipdetect.exe
2009-10-21 20:53 . 2004-09-21 07:46 106496 ----a-w- c:\windows\system32\coclassfast.dll
2009-10-21 20:53 . 2004-06-28 09:59 114688 ----a-w- c:\windows\system32\unaddrv.exe
2009-10-21 20:53 . 2004-03-02 07:26 50007 ----a-w- c:\windows\system32\drivers\adildr.sys
2009-10-21 20:53 . 2001-02-09 06:43 4981 ----a-w- c:\windows\system32\adadix2k.dll
2009-10-21 20:53 . 2001-02-08 07:05 46892 ----a-w- c:\windows\system32\adadix16.dll
2009-10-21 20:53 . 2001-05-24 15:24 22395 ----a-w- c:\windows\system32\drivers\fpga.bin
2009-10-21 20:53 . 2009-10-21 20:53 -------- d-----w- c:\program files\SAGEM
2009-10-21 20:32 . 2003-01-30 04:48 143360 ----a-w- c:\windows\autoclk.exe
2009-10-17 10:36 . 2009-10-17 10:36 117760 ----a-w- c:\documents and settings\m\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-10-17 10:33 . 2009-10-17 10:33 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-17 10:32 . 2009-10-17 10:32 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-16 23:51 . 2009-03-30 09:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-10-16 23:51 . 2009-02-13 11:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-10-16 23:51 . 2009-02-13 11:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-10-16 23:50 . 2009-10-16 23:50 -------- d-----w- c:\program files\Avira
2009-10-16 23:50 . 2009-10-16 23:50 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Avira
2009-10-16 17:37 . 2009-10-16 17:37 604140 --sha-w- c:\windows\system32\drivers\ISwift3.dat
2009-10-16 17:21 . 2009-10-16 17:26 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2009-10-16 17:21 . 2009-10-16 17:26 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2009-10-16 17:18 . 2009-10-16 22:45 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Kaspersky Lab
2009-10-16 17:18 . 2009-10-16 17:18 -------- d-----w- c:\program files\Kaspersky Lab
2009-10-16 17:08 . 2009-10-16 17:08 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Kaspersky Lab Setup Files
2009-10-16 14:17 . 2009-10-16 16:31 -------- d-----w- c:\documents and settings\Administrator.M-34F56A33A4BC4.000\Local Settings\Application Data\Microsoft
2009-10-16 14:17 . 2009-11-02 20:17 -------- d-----w- c:\documents and settings\Administrator.M-34F56A33A4BC4.000
2009-10-16 13:27 . 2009-10-16 16:31 -------- d-----w- c:\documents and settings\Administrator.M-34F56A33A4BC4
2009-10-16 13:04 . 2009-10-16 12:50 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-10-16 12:50 . 2009-10-18 16:26 -------- d-----w- c:\documents and settings\m\.housecall6.6
2009-10-16 12:36 . 2009-10-16 12:36 152576 ----a-w- c:\documents and settings\m\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
2009-10-16 12:08 . 2009-10-16 16:31 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-10 17:01 . 2009-10-16 16:33 -------- d-----w- c:\program files\Replay Music 3
2009-10-10 09:24 . 2009-10-09 06:33 57856 ----a-w- c:\documents and settings\m\Application Data\Mozilla\Firefox\Profiles\e7c6t0c7.default\extensions\{eecba28f-b68b-4b3a-b501-6ce12e6b8696}\platform\WINNT_x86-msvc\components\winprocess.dll
2009-10-09 19:04 . 2009-10-09 19:04 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\FreeDownloadManager.ORG

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-05 19:07 . 2009-02-16 12:02 -------- d-----w- c:\documents and settings\m\Application Data\Free Download Manager
2009-11-05 18:33 . 2009-02-16 19:31 -------- d-----w- c:\documents and settings\m\Application Data\shrink_pic
2009-11-05 17:43 . 2009-02-15 18:29 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-11-04 22:21 . 2009-02-16 11:56 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2009-11-04 16:27 . 2009-09-27 15:38 -------- d-----w- c:\program files\SPAMfighter
2009-10-31 20:24 . 2009-07-19 19:37 -------- d-----w- c:\program files\Shareaza
2009-10-24 20:31 . 2009-07-29 21:19 -------- d-----w- c:\documents and settings\m\Application Data\OpenWith.org Cache
2009-10-21 20:53 . 2009-10-21 20:53 23 ----a-w- c:\windows\system32\drivers\adidsl.cfg
2009-10-21 20:32 . 2009-02-15 16:43 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-17 12:22 . 2009-03-31 19:54 -------- d-----w- c:\program files\Comodo
2009-10-17 10:33 . 2009-02-16 12:03 -------- d-----w- c:\documents and settings\m\Application Data\SUPERAntiSpyware.com
2009-10-16 16:33 . 2009-08-17 09:56 -------- d-----w- c:\program files\Nikon
2009-10-16 14:34 . 2009-10-16 14:34 -------- d-----w- c:\documents and settings\Administrator.M-34F56A33A4BC4.000\Application Data\Malwarebytes
2009-10-16 12:38 . 2009-07-04 12:42 -------- d-----w- c:\program files\Java
2009-10-15 18:20 . 2009-08-17 09:56 -------- d-----w- c:\program files\Common Files\Nikon
2009-10-12 17:17 . 2009-08-17 09:54 0 ---h--w- c:\documents and settings\All Users.WINDOWS\Application Data\PKP_DLbx.DAT
2009-10-11 17:40 . 2009-08-17 09:56 -------- d-----w- c:\documents and settings\m\Application Data\Nikon
2009-10-09 19:04 . 2009-02-16 12:02 -------- d-----w- c:\program files\Free Download Manager
2009-10-09 15:45 . 2009-03-30 04:27 -------- d-----w- c:\documents and settings\m\Application Data\Spotify
2009-10-09 15:26 . 2009-02-16 11:57 -------- d-----w- c:\program files\ThreatFire
2009-10-09 09:28 . 2009-02-16 11:57 -------- d---a-w- c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
2009-10-05 10:13 . 2009-10-05 10:13 -------- d-----w- c:\program files\QuickTime
2009-09-27 15:39 . 2009-09-27 15:39 -------- d-----w- c:\program files\Common Files\Application
2009-09-27 15:37 . 2009-06-12 10:47 -------- d-----w- c:\documents and settings\m\Application Data\SPAMfighter
2009-09-23 14:07 . 2009-09-23 13:44 59664 ----a-w- c:\windows\system32\drivers\TfSysMon.sys
2009-09-23 14:07 . 2009-09-23 13:44 33552 ----a-w- c:\windows\system32\drivers\TfNetMon.sys
2009-09-23 14:07 . 2009-09-23 13:44 51984 ----a-w- c:\windows\system32\drivers\TfFsMon.sys
2009-09-22 17:04 . 2009-02-24 12:22 -------- d-----w- c:\program files\Glary Utilities
2009-09-19 08:39 . 2009-04-12 17:04 -------- d-----w- c:\documents and settings\m\Application Data\XnView
2009-09-13 16:14 . 2009-04-19 16:31 -------- d-----w- c:\program files\Process Lasso
2009-09-13 13:07 . 2009-09-13 13:07 -------- d-----w- c:\program files\PhraseExpress
2009-09-12 17:44 . 2009-04-16 09:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-12 17:43 . 2009-05-28 09:50 4045528 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-09-11 16:11 . 2009-09-18 09:36 94208 ----a-w- c:\documents and settings\m\Application Data\Mozilla\Firefox\Profiles\e7c6t0c7.default\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}\platform\WINNT\components\ebayAccessComponent.dll
2009-09-11 16:11 . 2009-09-18 09:36 50176 ----a-w- c:\documents and settings\m\Application Data\Mozilla\Firefox\Profiles\e7c6t0c7.default\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}\platform\WINNT\components\ebayShortcutMaker.dll
2009-09-10 13:54 . 2009-04-16 09:00 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 13:53 . 2009-04-16 09:00 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-17 09:58 . 2009-08-17 09:58 57344 ----a-r- c:\documents and settings\m\Application Data\Microsoft\Installer\{87441A59-5E64-4096-A170-14EFE67200C3}\ARPPRODUCTICON.exe
2009-08-17 09:35 . 2009-08-17 09:35 152576 ----a-w- c:\documents and settings\m\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-02-15 22:01 . 2009-02-15 22:01 21952 ---ha-w- c:\program files\folder.htt
.

------- Sigcheck -------

[-] 2009-02-17 . 8D8949936913B041C6A0E184FBF1030B . 359808 . . [5.1.2600.2892] . . c:\windows\system32\drivers\TCPIP.SYS
[-] 2009-02-17 . 8D8949936913B041C6A0E184FBF1030B . 359808 . . [5.1.2600.2892] . . c:\windows\system32\dllcache\TCPIP.SYS
[7] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DA3D342F-FF20-4E31-9E82-22334155730C}]
2009-06-02 14:51 2695168 ----a-w- c:\program files\Antbar\Ant.com Toolbar\tbcore3.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{6CD56C02-CB4D-41B5-A0FE-B479061CCB41}"= "c:\program files\Antbar\Ant.com Toolbar\tbcore3.dll" [2009-06-02 2695168]

[HKEY_CLASSES_ROOT\clsid\{6cd56c02-cb4d-41b5-a0fe-b479061ccb41}]
[HKEY_CLASSES_ROOT\TBSB00982.TBSB00982.3]
[HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
[HKEY_CLASSES_ROOT\TBSB00982.TBSB00982]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{6CD56C02-CB4D-41B5-A0FE-B479061CCB41}"= "c:\program files\Antbar\Ant.com Toolbar\tbcore3.dll" [2009-06-02 2695168]

[HKEY_CLASSES_ROOT\clsid\{6cd56c02-cb4d-41b5-a0fe-b479061ccb41}]
[HKEY_CLASSES_ROOT\TBSB00982.TBSB00982.3]
[HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
[HKEY_CLASSES_ROOT\TBSB00982.TBSB00982]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Bootvis.lnk]
backup=c:\windows\pss\Bootvis.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^DSLMON.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\DSLMON.lnk
backup=c:\windows\pss\DSLMON.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^PhraseExpress.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\PhraseExpress.lnk
backup=c:\windows\pss\PhraseExpress.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^m^Start Menu^Programs^Startup^Shrink Pic.lnk]
path=c:\documents and settings\m\Start Menu\Programs\Startup\Shrink Pic.lnk
backup=c:\windows\pss\Shrink Pic.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^m^Start Menu^Programs^Startup^WordWeb.lnk]
path=c:\documents and settings\m\Start Menu\Programs\Startup\WordWeb.lnk
backup=c:\windows\pss\WordWeb.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\a-squared

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"ProcessSupervisorGUI"=c:\program files\Process Lasso\processlasso.exe
"ProcessGovernor"=c:\program files\Process Lasso\processgovernor.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Deluge\\Deluge-Python\\deluged.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\7-Zip\\7zFM.exe"=
"c:\\Program Files\\Copernic Desktop Search - Home\\DesktopSearch.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\m\\desktop\\UTILITES\\pathload2-client.exe"=
"c:\\Program Files\\PhraseExpress\\phraseexpress.exe"=
"c:\\Program Files\\Avira\\AntiVir Desktop\\avcenter.exe"=
"c:\\Program Files\\Avira\\AntiVir Desktop\\update.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [23/09/2009 13:44 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [23/09/2009 13:44 59664]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [12/10/2009 20:24 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/10/2009 20:24 74480]
R2 ComodoBackupService;ComodoBackupService;c:\program files\Comodo\BackUp\CmdBkSvc.exe [31/03/2009 19:54 1023488]
R2 SPAMfighter Update Service;SPAMfighter Update Service;c:\program files\SPAMfighter\sfus.exe [27/08/2009 08:24 189064]
R2 ThreatFire;ThreatFire;c:\program files\ThreatFire\TFService.exe service --> c:\program files\ThreatFire\TFService.exe service [?]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [23/09/2009 13:44 33552]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [16/10/2009 23:51 108289]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/10/2009 20:24 7408]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
Contents of the 'Scheduled Tasks' folder

2009-11-05 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2009-02-24 18:27]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/search?hl=en&source=hp&q=oiiuoiu&meta=cr%3DcountryUK%7CcountryGB&aq=f&oq=
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download web site with Free Download Manager - file://c:\program files\Free Download Manager\dlpage.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
FF - ProfilePath - c:\documents and settings\m\Application Data\Mozilla\Firefox\Profiles\e7c6t0c7.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101761&gct=&gc=1&q=
FF - component: c:\documents and settings\m\Application Data\Mozilla\Firefox\Profiles\e7c6t0c7.default\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}\platform\WINNT\components\ebayAccessComponent.dll
FF - component: c:\documents and settings\m\Application Data\Mozilla\Firefox\Profiles\e7c6t0c7.default\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}\platform\WINNT\components\ebayShortcutMaker.dll
FF - component: c:\program files\Free Download Manager\Firefox\Extension\components\vmsfdmff.dll
FF - plugin: c:\program files\Java\j2re1.4.1_07\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.1_07\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.1_07\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.1_07\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.1_07\bin\NPJPI141_07.dll
FF - plugin: c:\program files\Java\j2re1.4.1_07\bin\NPOJI610.dll
.
- - - - ORPHANS REMOVED - - - -

AddRemove-{B52F8C4B-FE88-4B59-9B80-1C93669D7DEB}_is1 - c:\program files\OpenWith.org



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-05 19:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-515967899-1383384898-839522115-1003\RemoteAccess\Profile\^*`*(Η|]
"EnableAutodisconnect"=dword:00000001
"EnableExitDisconnect"=dword:00000001
"DisconnectIdleTime"=dword:00000014

[HKEY_USERS\S-1-5-21-515967899-1383384898-839522115-1003\RemoteAccess\Profile\x *]
"EnableAutodisconnect"=dword:00000001
"EnableExitDisconnect"=dword:00000001
"DisconnectIdleTime"=dword:00000014

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32]
@DACL=(02 0000)
@="c:\\PROGRA~1\\PHRASE~1\\PHRASE~1.EXE"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID]
@DACL=(02 0000)
@="phraseexpress.DocHostUIHandler"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(472)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\ThreatFire\TFWAH.dll
c:\program files\ThreatFire\TFNI.dll
c:\program files\ThreatFire\TFMon.dll
c:\program files\ThreatFire\TFRK.dll

- - - - - - - > 'lsass.exe'(528)
c:\program files\ThreatFire\TFWAH.dll
.
Completion time: 2009-11-05 19:46
ComboFix-quarantined-files.txt 2009-11-05 19:46

Pre-Run: 8,467,083,264 bytes free
Post-Run: 8,443,813,888 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 4B11D14F6330C5625941F04417320C3A

#14 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,114 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:04:24 PM

Posted 06 November 2009 - 04:11 AM

Hello superqaz,

That looks better already :(

MALWAREBYTES ANTIMALWARE
-------------------------------------------
Please launch MBAM, click on the Update tab and then on the Check for updates now button.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


In your next reply, please include the following:
  • MBAM log
  • A new DDS log
  • A description of any remaining problems.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft


#15 superqaz

superqaz
  • Topic Starter

  • Members
  • 284 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:24 PM

Posted 06 November 2009 - 04:00 PM

hi

I'm not allowed to upload the zipped DDS log???

thanx

Malwarebytes' Anti-Malware 1.41
Database version: 3111
Windows 5.1.2600 Service Pack 2

06/11/2009 20:19:55
mbam-log-2009-11-06 (20-19-34).txt

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 205534
Time elapsed: 1 hour(s), 30 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe (Trojan.Buzus) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Administrator\Desktop\check 4 virus\setup.exe (Trojan.Buzus) -> No action taken.
C:\Documents and Settings\m\Favorites\Free Porn Videos - XVIDEOS.COM.url (Rogue.Link) -> No action taken.

