
unknown virus


This topic is locked. 25 replies to this topic.

#1 Bwanap (Members, 14 posts)

Posted 26 December 2009 - 12:46 PM

I recently got a virus that caused another tab to open in Mozilla with nothing in it and some long URL. Now and then my McAfee would note it blocked a trojan. I ran McAfee and it removed one thing, ran Spybot and removed lots of things, ran Ad-Aware and removed a couple more, ran ClamWin and found nothing. However, it is still happening in the browser. Plus my internet connection seems to be sending and receiving non-stop. HijackThis log below - please help, I'm really concerned about the constant data exchange.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:31:31 AM, on 12/26/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\system32\SearchIndexer.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Paul\Application Data\SystemProc\lsass.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\rundll32.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {06217B14-2AA1-4120-9D0B-5AF65C511B37} - C:\WINDOWS\System32\DiskIO32.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: XBTB00788 - {6D0E8A51-31CD-4f91-A38F-6A5639E766FB} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [McAfee Backup] "C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [agent.exe] C:\Documents and Settings\Paul\Application Data\PC\agent.exe
O4 - HKLM\..\Policies\Explorer\Run: [RTHDBPL] C:\Documents and Settings\Paul\Application Data\SystemProc\lsass.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1208899520093
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1208899511546
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - https://www.communicationsmgr.com/xupload/XUpload.ocx
O20 - AppInit_DLLs: C:\WINDOWS\System32\FDE32.dll,C:\WINDOWS\System32\dpl10032.dll
O20 - Winlogon Notify: 28080de8517 - C:\WINDOWS\System32\FDE32.dll (file missing)
O20 - Winlogon Notify: 28080de8720 - C:\WINDOWS\System32\dpl10032.dll
O20 - Winlogon Notify: __c006BB64 - C:\WINDOWS\system32\__c006BB64.dat (file missing)
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: Google Update Service (gupdate1c98ebc95ab88d4) (gupdate1c98ebc95ab88d4) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 9437 bytes
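The log above carries several of the indicators a responder looks for first: an lsass.exe running from Application Data (the real one lives only in system32), an unnamed BHO, a populated AppInit_DLLs value, a Policies\Explorer\Run autostart, and Winlogon Notify entries whose files are already gone. The script below is an added example, not part of the original post and not HijackThis code; it applies those heuristics to O2/O4/O20/O23 lines. The sample lines are copied from the posted log, and the suspicion rules (the SYSTEM_BINARIES set, the path patterns) are the editor's own. A hit is a reason to look at the file, not a verdict.

```python
"""Triage heuristics for HijackThis O2/O4/O20/O23 lines.

Added example; not HijackThis output and not from the original post.
The rules below are the editor's heuristics, not a signature database.
"""
import re

# Constructed sample: eight lines copied from the HijackThis log in the post.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {06217B14-2AA1-4120-9D0B-5AF65C511B37} - C:\WINDOWS\System32\DiskIO32.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKCU\..\Run: [agent.exe] C:\Documents and Settings\Paul\Application Data\PC\agent.exe
O4 - HKLM\..\Policies\Explorer\Run: [RTHDBPL] C:\Documents and Settings\Paul\Application Data\SystemProc\lsass.exe
O20 - AppInit_DLLs: C:\WINDOWS\System32\FDE32.dll,C:\WINDOWS\System32\dpl10032.dll
O20 - Winlogon Notify: __c006BB64 - C:\WINDOWS\system32\__c006BB64.dat (file missing)
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
"""

# Names Windows ships in %SystemRoot%\system32; the same name anywhere else
# is a classic masquerade (the posted log has lsass.exe under Application Data).
SYSTEM_BINARIES = {"lsass.exe", "smss.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "svchost.exe", "explorer.exe"}

# A Windows path: drive letter, then the shortest run up to a known extension.
PATH_RE = re.compile(r'([A-Za-z]:\\[^,"]*?\.(?:exe|dll|dat|sys|vbs|bat|ocx))',
                     re.IGNORECASE)
# User-writable profile locations on XP; autostarts there deserve a look.
PROFILE_RE = re.compile(
    r"\\Documents and Settings\\[^\\]+\\(?:Application Data|Local Settings)\\",
    re.IGNORECASE)
SYSTEM32_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\system32\\[^\\]+$", re.IGNORECASE)


def extract_paths(line):
    """Return every Windows file path in one line (AppInit_DLLs may carry several)."""
    return PATH_RE.findall(line)


def assess(line):
    """Return the reasons a single HijackThis line deserves a closer look (empty if none)."""
    reasons = []
    section = line.split(" - ", 1)[0].strip()
    if "(file missing)" in line or "(no file)" in line:
        reasons.append("orphaned entry: registry points at a file that no longer exists")
    if section == "O20" and "AppInit_DLLs" in line:
        reasons.append("AppInit_DLLs set: each listed DLL is loaded into every process that loads user32")
    if section == "O4" and r"\Policies\Explorer\Run" in line:
        reasons.append("Policies\\Explorer\\Run autostart: rarely used by legitimate software")
    if section == "O2" and "(no name)" in line:
        reasons.append("BHO registered with no name")
    for path in extract_paths(line):
        name = path.rsplit("\\", 1)[-1].lower()
        if PROFILE_RE.search(path):
            reasons.append(f"autostart from user-writable profile path: {path}")
        if name in SYSTEM_BINARIES and not SYSTEM32_RE.match(path):
            reasons.append(f"system binary name outside system32: {path}")
    return reasons


def triage(log_text):
    """Return [(line, reasons)] for every suspicious entry, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not re.match(r"^[OR]\d+ - ", line):
            continue  # header, process list and blank lines carry no entries
        reasons = assess(line)
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(entry)
        for r in why:
            print("   ->", r)
```

Run against the sample, five of the eight lines are reported; the lsass.exe line collects three separate reasons (policy run key, profile path, masqueraded system name), which is the kind of stacking that separates malware from an oddly installed utility. The Adobe BHO, the Intel graphics autostart and the Folder Size service pass without comment.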


#2 fenzodahl512 (Members, 6,738 posts)

Posted 26 December 2009 - 07:19 PM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them after performing all the steps given..

Please download ComboFix by sUBs from HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix as follows:

[two screenshots of the save dialog omitted]


It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".

After that, double-click and run Combo-Fix. Let it finish its job and post the log here.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 Bwanap (Topic Starter, Members, 14 posts)

Posted 28 December 2009 - 06:59 PM

I can't download ComboFix on this PC; it keeps giving an error. McAfee is finding a trojan whenever I try to download. You said to turn it off before running, not before downloading, so I'm not sure what is up with that trojan it's finding. I suppose the name change is to get around the virus limiting the tool or something?

#4 fenzodahl512 (Members, 6,738 posts)

Posted 29 December 2009 - 07:08 AM

Turn off your McAfee for the whole process, beginning from the download until I give an all clear.. Please continue with the ComboFix step :(



#5 Bwanap (Topic Starter, Members, 14 posts)

Posted 29 December 2009 - 09:59 AM

I've downloaded it at work (changing the name) and will save it on my USB drive. Should I copy it over, or can I just run it from the USB drive back on my affected home computer? Or is there any reason I should download it directly as you say above?

#6 fenzodahl512 (Members, 6,738 posts)

Posted 29 December 2009 - 10:50 AM

You can copy it via USB drive, but it's better if you run the programs from your computer rather than the USB drive.. That means, please copy all downloaded programs from your USB drive to the Desktop (easier for you and me).



#7 Bwanap (Topic Starter, Members, 14 posts)

Posted 29 December 2009 - 09:13 PM

ComboFix 09-12-28.06 - Paul 12/29/2009 19:57:44.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.623 [GMT -6:00]
Running from: c:\documents and settings\Paul\Desktop\Combo-Fix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Paul\Application Data\02000000bbf1b79b720C.manifest
c:\documents and settings\Paul\Application Data\02000000bbf1b79b720O.manifest
c:\documents and settings\Paul\Application Data\02000000bbf1b79b720P.manifest
c:\documents and settings\Paul\Application Data\02000000bbf1b79b720S.manifest
c:\documents and settings\Paul\Application Data\SystemProc
c:\documents and settings\Paul\Application Data\SystemProc\lsass.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\windows\GnuHashes.ini
c:\windows\system32\440035983
c:\windows\system32\BSTIeprintctl1.dll
c:\windows\system32\drivers\fad.sys
c:\windows\system32\R8kLpeEiehkku.vbs
c:\windows\system32\unrar.exe
C:\xcrashdump.dat

.
((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-30 )))))))))))))))))))))))))))))))
.

2009-12-26 17:29 . 2009-12-26 17:29 -------- d-----w- c:\program files\Trend Micro
2009-12-26 04:29 . 2009-12-26 04:33 -------- d-----w- c:\documents and settings\Paul\Application Data\.clamwin
2009-12-26 04:29 . 2009-12-26 04:29 -------- d-----w- c:\program files\ClamWin
2009-12-26 04:29 . 2009-12-26 04:29 -------- d-----w- c:\documents and settings\All Users\.clamwin
2009-12-26 04:27 . 2009-12-24 23:46 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-12-25 02:43 . 2009-12-25 02:43 193024 ----a-w- c:\windows\system32\DiskIO32.dll
2009-12-24 23:46 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-12-24 23:46 . 2009-12-24 23:46 -------- dc----w- c:\windows\system32\DRVSTORE
2009-12-24 23:46 . 2009-12-24 23:46 314712 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-12-24 23:46 . 2009-12-24 23:46 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
2009-12-24 23:46 . 2009-12-24 23:46 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-12-24 23:46 . 2009-12-24 23:46 168800 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-12-24 23:46 . 2009-12-24 23:46 349008 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-12-24 23:46 . 2009-12-24 23:46 17632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\WSCUpdate.dll
2009-12-24 23:46 . 2009-12-24 23:46 298336 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-12-24 23:46 . 2009-12-24 23:46 84320 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-12-24 23:30 . 2009-12-24 23:30 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-12-24 23:30 . 2009-07-08 17:28 2920112 -c--a-w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe
2009-12-24 23:30 . 2009-12-24 23:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-12-24 23:30 . 2009-12-24 23:30 -------- d-----w- c:\program files\Lavasoft
2009-12-24 00:15 . 2009-12-24 23:52 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-24 00:15 . 2009-12-24 00:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-23 23:50 . 2009-12-23 23:50 10 ----a-w- C:\confin.sys
2009-12-23 23:47 . 2009-12-23 23:47 193024 ----a-w- c:\windows\system32\HPBMINI32.dll
2009-12-23 23:11 . 2009-12-23 23:11 -------- d-----w- c:\program files\Common Files\Apple
2009-12-23 23:11 . 2009-12-23 23:11 -------- d-----w- c:\documents and settings\Paul\Local Settings\Application Data\Apple
2009-12-23 23:11 . 2009-12-23 23:11 -------- d-----w- c:\program files\Apple Software Update
2009-12-23 23:11 . 2009-12-23 23:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-12-23 04:47 . 2009-12-25 00:06 -------- d-sh--w- c:\windows\system32\SysWoW32
2009-12-23 04:45 . 2009-12-23 04:45 188416 ----a-w- c:\windows\system32\fxsext3232.dll
2009-12-23 04:45 . 2009-12-23 04:45 188416 ----a-w- c:\windows\system32\DPNMODEM32.dll
2009-12-23 04:45 . 2009-12-23 04:45 120832 ----a-w- c:\windows\system32\dpl10032.dll
2009-12-23 04:23 . 2009-12-23 04:24 18030130 ----a-w- c:\documents and settings\All Users\Application Data\vlc-1.0.3-win32.exe
2009-12-09 22:03 . 2009-12-09 22:03 -------- d-----w- c:\program files\Common Files\xing shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-30 01:13 . 2009-01-28 02:07 -------- d-----w- c:\documents and settings\Paul\Application Data\U3
2009-12-30 00:56 . 2007-01-19 18:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-12-28 23:38 . 2009-12-28 23:38 0 ----a-w- c:\windows\system32\248.tmp
2009-12-25 22:40 . 2009-12-25 22:40 0 ----a-w- c:\windows\system32\10C.tmp
2009-12-24 23:46 . 2009-12-24 23:45 1630560 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-12-24 23:28 . 2004-10-07 02:25 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-24 21:50 . 2009-12-24 21:50 0 ----a-w- c:\windows\system32\494.tmp
2009-12-24 00:45 . 2009-12-24 00:45 0 ----a-w- c:\windows\system32\46E.tmp
2009-12-23 23:16 . 2005-12-05 14:52 -------- d-----w- c:\program files\QuickTime
2009-12-23 23:15 . 2005-02-25 17:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-12-23 23:14 . 2009-01-29 03:02 -------- d-----w- c:\documents and settings\Paul\Application Data\LimeWire
2009-12-23 04:45 . 2009-07-02 21:05 -------- d-----w- c:\documents and settings\Paul\Application Data\Apple Computer
2009-12-23 04:45 . 2009-12-23 04:45 741888 --sha-w- c:\windows\system32\337.tmp
2009-12-13 17:14 . 2005-04-07 16:03 -------- d-----w- c:\program files\Google
2009-12-09 22:03 . 2005-04-07 16:02 -------- d-----w- c:\program files\Common Files\Real
2009-12-09 22:02 . 2003-03-19 01:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-12-09 22:02 . 2003-02-21 10:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-12-09 22:02 . 2005-04-07 16:02 -------- d-----w- c:\program files\Real
2009-11-25 22:56 . 2009-01-28 04:12 -------- d-----w- c:\program files\McAfee
2009-11-25 22:15 . 2009-11-25 22:15 -------- d-----w- c:\program files\MSXML 4.0
2009-11-18 03:06 . 2009-10-07 01:33 127325 ----a-w- c:\documents and settings\Paul\Application Data\Move Networks\uninstall.exe
2009-11-18 03:06 . 2009-10-07 01:33 -------- d-----w- c:\documents and settings\Paul\Application Data\Move Networks
2009-11-18 03:06 . 2009-08-13 19:21 4187512 ----a-w- c:\documents and settings\Paul\Application Data\Move Networks\plugins\npqmp071505000011.dll
2009-11-18 03:06 . 2009-11-18 03:06 1408376 ----a-w- c:\documents and settings\Paul\Application Data\Move Networks\MoveMediaPlayerWinSilent_071505000011.exe
2009-11-04 00:08 . 2004-10-07 02:25 -------- d-----w- c:\program files\Java
2009-11-04 00:07 . 2009-11-04 00:07 152576 ----a-w- c:\documents and settings\Paul\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-04 00:06 . 2009-11-04 00:06 79488 ----a-w- c:\documents and settings\Paul\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-03 01:55 . 2009-11-03 01:55 127 ----a-w- c:\documents and settings\Paul\Local Settings\Application Data\fusioncache.dat
2009-10-29 07:45 . 2004-08-04 10:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-04 10:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 10:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 10:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2004-08-04 10:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-08-04 10:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-04 10:00 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-11 10:17 . 2009-01-29 02:56 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-07 01:33 . 2009-01-28 02:17 78056 ----a-w- c:\documents and settings\Paul\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-07 01:33 . 2009-08-03 21:48 4187512 ----a-w- c:\documents and settings\Paul\Application Data\Move Networks\plugins\npqmp071505000010.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06217B14-2AA1-4120-9D0B-5AF65C511B37}]
2009-12-25 02:43 193024 ----a-w- c:\windows\SYSTEM32\DiskIO32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-2-5 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\28080de8720]
2009-12-23 04:45 120832 ----a-w- c:\windows\SYSTEM32\dpl10032.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1957994488-1078145449-725345543-1136\Scripts\Logoff\0\0]
"Script"=LOGOFF_SCRIPT.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1957994488-1078145449-725345543-1136\Scripts\Logon\0\0]
"Script"=LOGIN_SCRIPT.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1957994488-1078145449-725345543-1239\Scripts\Logoff\0\0]
"Script"=LOGOFF_SCRIPT.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1957994488-1078145449-725345543-1239\Scripts\Logon\0\0]
"Script"=LOGIN_SCRIPT.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1957994488-1078145449-725345543-1284\Scripts\Logoff\0\0]
"Script"=LOGOFF_SCRIPT.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1957994488-1078145449-725345543-1284\Scripts\Logon\0\0]
"Script"=LOGIN_SCRIPT.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1957994488-1078145449-725345543-1293\Scripts\Logoff\0\0]
"Script"=LOGOFF_SCRIPT.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1957994488-1078145449-725345543-1293\Scripts\Logon\0\0]
"Script"=LOGIN_SCRIPT.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1957994488-1078145449-725345543-1295\Scripts\Logoff\0\0]
"Script"=SBS_LOGIN_SCRIPT.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1957994488-1078145449-725345543-1295\Scripts\Logon\0\0]
"Script"=SBS_LOGIN_SCRIPT.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1957994488-1078145449-725345543-1298\Scripts\Logoff\0\0]
"Script"=LOGOFF_SCRIPT.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1957994488-1078145449-725345543-1298\Scripts\Logon\0\0]
"Script"=LOGIN_SCRIPT.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1957994488-1078145449-725345543-1307\Scripts\Logoff\0\0]
"Script"=SBS_LOGIN_SCRIPT.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1957994488-1078145449-725345543-1307\Scripts\Logon\0\0]
"Script"=SBS_LOGIN_SCRIPT.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1957994488-1078145449-725345543-1638\Scripts\Logoff\0\0]
"Script"=LOGOFF_SCRIPT.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1957994488-1078145449-725345543-1638\Scripts\Logon\0\0]
"Script"=LOGIN_SCRIPT.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Paul^Start Menu^Programs^Startup^Hotmail Popper.lnk]
path=c:\documents and settings\Paul\Start Menu\Programs\Startup\Hotmail Popper.lnk
backup=c:\windows\pss\Hotmail Popper.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 07:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ClamWin]
2009-06-12 04:32 86016 ----a-w- c:\program files\ClamWin\bin\ClamTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 22:24 54840 ----a-w- c:\program files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 05:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
2002-04-17 16:42 69632 ----a-w- c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 22:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-11 10:17 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-12-09 22:02 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2009-11-13 11:31 247144 ----a-w- c:\program files\TomTom HOME 2\TomTomHOMERunner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Lavasoft Ad-Aware Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [12/24/2009 5:46 PM 64160]
R0 sonyhcb;Sony Digital Imaging Base;c:\windows\SYSTEM32\DRIVERS\sonyhcb.sys [10/20/2009 6:11 PM 6097]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [11/13/2009 5:31 AM 92008]
S2 gupdate1c98ebc95ab88d4;Google Update Service (gupdate1c98ebc95ab88d4);c:\program files\Google\Update\GoogleUpdate.exe [2/14/2009 9:54 AM 133104]
S3 Bulk503;Chameleon Mega Digital Camera;c:\windows\system32\Drivers\Bulk503.sys --> c:\windows\system32\Drivers\Bulk503.sys [?]
S3 ISO503;Chameleon Mega Video Camera;c:\windows\system32\Drivers\ISO503.SYS --> c:\windows\system32\Drivers\ISO503.SYS [?]
S3 sonyhcs;Sony Digital Imaging Video;c:\windows\SYSTEM32\DRIVERS\sonyhcs.sys [10/20/2009 6:11 PM 299923]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 8:49 AM 1028432]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Paul\Application Data\Mozilla\Firefox\Profiles\iq4zc96x.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\Paul\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\Paul\Application Data\Move Networks\plugins\npqmp071505000011.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPcol305.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -

BHO-{6D0E8A51-31CD-4f91-A38F-6A5639E766FB} - (no file)
HKCU-Run-agent.exe - c:\documents and settings\Paul\Application Data\PC\agent.exe
HKLM-Explorer_Run-RTHDBPL - c:\documents and settings\Paul\Application Data\SystemProc\lsass.exe
Notify-28080de8517 - c:\windows\System32\FDE32.dll
Notify-__c006BB64 - c:\windows\system32\__c006BB64.dat
AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\UninstFl.exe
AddRemove-UBCD4Win_is1 - c:\ubcd4win\unins000.exe
AddRemove-Visual MODFLOW 3.1.0 [ WinPEST, 3D-Explorer ] - c:\vmodnt\UNWISE.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-29 20:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
RTHDBPL = c:\documents and settings\Paul\Application Data\SystemProc\lsass.exe??#????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(552)
c:\windows\System32\dpl10032.dll
.
Completion time: 2009-12-29 20:05:24
ComboFix-quarantined-files.txt 2009-12-30 02:05

Pre-Run: 9,534,496,768 bytes free
Post-Run: 10,113,015,808 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - FD65513CCF9A7242FC2D9EC03916C117
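As an added illustration that is not part of the thread (not ComboFix or catchme code): a small Python check that applies the pattern the log's ORPHANS REMOVED and catchme sections expose, a core system binary name such as lsass.exe launching from outside system32, a Winlogon notify package that is not a DLL, or an autostart from a user profile folder, to constructed lines in the same shape. The SYSTEM_BINARIES set and the three heuristics are assumptions of this example, not something the thread states.

```python
import re
from collections import namedtuple

# Constructed sample lines in the shape of the ComboFix "ORPHANS REMOVED" and
# catchme "hidden autostart entries" sections of the log above.
SAMPLE_LINES = [
    "HKCU-Run-agent.exe - c:\\documents and settings\\Paul\\Application Data\\PC\\agent.exe",
    "HKLM-Explorer_Run-RTHDBPL - c:\\documents and settings\\Paul\\Application Data\\SystemProc\\lsass.exe",
    "Notify-28080de8517 - c:\\windows\\System32\\FDE32.dll",
    "Notify-__c006BB64 - c:\\windows\\system32\\__c006BB64.dat",
    "AddRemove-ShockwaveFlash - c:\\windows\\system32\\Macromed\\Flash\\UninstFl.exe",
    "RTHDBPL = c:\\documents and settings\\Paul\\Application Data\\SystemProc\\lsass.exe??#????",
]

# Assumption: core XP binaries that legitimately run only from %SystemRoot%\system32.
SYSTEM_BINARIES = {"lsass.exe", "csrss.exe", "smss.exe", "winlogon.exe",
                   "services.exe", "svchost.exe", "spoolsv.exe"}
SYSTEM32 = "c:\\windows\\system32"
PROFILES = "c:\\documents and settings\\"
Finding = namedtuple("Finding", "tag path reason")

def parse_entry(line):
    """Split '<tag> - <path>' or '<name> = <path>' into (tag, path) and drop
    the non-printable debris catchme prints after a hidden value."""
    parts = re.split(r"\s+[-=]\s+", line.strip(), maxsplit=1)
    if len(parts) != 2 or not re.match(r"[a-z]:\\", parts[1], re.I):
        return None
    return parts[0], parts[1].rstrip("?#")

def check_entry(tag, path):
    """Three heuristics (assumptions of this example), checked in priority order."""
    low = path.lower()
    folder, _, name = low.rpartition("\\")
    if name in SYSTEM_BINARIES and folder != SYSTEM32:
        return Finding(tag, path, "system binary name outside system32")
    if tag.lower().startswith("notify-") and not name.endswith(".dll"):
        return Finding(tag, path, "Winlogon notify package is not a DLL")
    if "run" in tag.lower() and low.startswith(PROFILES):
        return Finding(tag, path, "autostart from a user profile folder")
    return None

def scan(lines):
    # One Finding per autostart line that trips a heuristic; other lines are skipped.
    entries = filter(None, map(parse_entry, lines))
    return [f for f in (check_entry(*e) for e in entries) if f is not None]

if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print(f"{f.reason}: {f.tag} -> {f.path}")
```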

#8 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts

Posted 30 December 2009 - 06:46 AM

1. Please open Notepad
  • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
c:\windows\system32\fxsext3232.dll
c:\windows\system32\DPNMODEM32.dll
c:\windows\system32\dpl10032.dll
c:\windows\system32\248.tmp
c:\windows\system32\10C.tmp
c:\windows\system32\494.tmp
c:\windows\system32\46E.tmp
c:\windows\system32\337.tmp
c:\windows\SYSTEM32\DiskIO32.dll

Folder::
c:\windows\system32\SysWoW32

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06217B14-2AA1-4120-9D0B-5AF65C511B37}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\28080de8720]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe/KittyFix.exe as depicted in the animation below. This will start ComboFix/KittyFix again.

Posted Image


5. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#9 Bwanap

Bwanap
  • Topic Starter

  • Members
  • 14 posts

Posted 30 December 2009 - 10:26 PM

Okay, hope this has worked. With McAfee back on it is finding an Artemis trojan in ComboFix.exe; I assume this is normal and means nothing, since the program has already run with McAfee off.

Attached Files



#10 Bwanap

Bwanap
  • Topic Starter

  • Members
  • 14 posts

Posted 30 December 2009 - 10:38 PM

Whatever it is is still there: clicking on a Google search result, it comes up with the phony popup saying my PC has viruses and a page showing some crap.

#11 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts

Posted 31 December 2009 - 05:32 AM

1. Please open Notepad
  • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
c:\windows\system32\68.tmp
c:\windows\system32\HPBMINI32.dll
C:\confin.sys

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\28080de8517]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c006BB64]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe/KittyFix.exe as depicted in the animation below. This will start ComboFix/KittyFix again.

Posted Image


5. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.




Please download OTL by OldTimer and save it to your desktop.

Under the Custom Scans/Fixes box paste this in

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles

Don't change any settings. Just click on the Run Scan button and let it scan till it finishes.

Then a log will pop up on your Desktop. Post the content of the log here.



NEXT


We need to scan for Rootkits with GMER
  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Close any and all open programs, as this process may crash your computer.
  • Double click the downloaded GMER file on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see this window. If you do, click No.
  • Click on Scan and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Save... and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.



#12 Bwanap

Bwanap
  • Topic Starter

  • Members
  • 14 posts

Posted 31 December 2009 - 10:55 AM

Okay, will give these a try. At least I don't have the continuous network activity, so it did help some. BTW, after each ComboFix run it completely disappears from my PC; is that normal, is it deleting itself?

#13 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts

Posted 31 December 2009 - 11:02 AM

BTW after each ComboFix run it completely disappears from my PC, is that normal, is it deleting itself?


First of all, Happy New Year (it's already 12am in Malaysia).

About your question, the only way I can be sure is to look at the logs :(



#14 Bwanap

Bwanap
  • Topic Starter

  • Members
  • 14 posts

Posted 31 December 2009 - 01:53 PM

Happy New Year to you, we still have 11 hours to go!

How do these look?

This is what McAfee is giving me BTW:
McAfee has automatically blocked and removed a Trojan.

About this Trojan
Detected: Artemis!F0ACC6F4D279 (Trojan), Artemis!F0ACC6F4D279 (Trojan)
Location: C:\Documents and Settings\Paul\Desktop\Combo-Fix.exe

Attached Files



#15 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts

Posted 31 December 2009 - 09:58 PM

Stupid McAfee :(


Go HERE and download Dr.Web CureIt to the Desktop. It will be downloaded with a random filename.
  • Run Dr.Web CureIt and let it run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, please do a re-scan. This time, choose Complete Scan
  • Click the green arrow button at the right, and the scan will start.
  • After the scan has finished, click Select all
  • Click on Cure and choose Move incurable
  • When the scan has finished, in the menu, click File and choose Save report list
  • Save the report to your Desktop. The report will be called DrWeb.csv
  • Close Dr.Web CureIt. Reboot your PC in Normal Mode, and post DrWeb.csv in your next reply (open it with Notepad)

How's the computer now? :(





