
Credit card number phished


This topic is locked
9 replies to this topic

#1 mariska

  • Members
  • 86 posts
  • Location:Turku

Posted 20 January 2010 - 05:41 AM

Hi there,
I got a call from the bank and it appears my credit card has been used for gambling on a poker site. It was very quickly established that it was fraudulently used, to my relief, but as you can imagine, my faith in my PC's security has been somewhat undermined.
I have, I thought, been very careful in always emptying TIF after any bank or CC transaction, but I would still like to establish whether my PC has been penetrated. There is also a possibility that the CC details have been stolen by more traditional methods (financially challenged waiter),
but as I don't know this for sure, I think it's more than worthwhile if it could be checked out by experts, for which I would be very grateful.
I have scanned with MB and F-Secure online plus Spybot, which do not find any problems.

Thanking you in advance.
Sincerely, mariska


DDS log and RootRepeal logs follow.



DDS (Ver_09-12-01.01) - NTFSx86
Run by Christian at 12:20:20,04 on ke 20.01.2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.358.1035.18.1015.500 [GMT 2:00]

AV: avast! antivirus 4.8.1368 [VPS 100120-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\vVX1000.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Christian\Työpöytä\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.fi/
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~1.EXE -Update -1103471 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB6; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www.bbc.co.uk/schools/numbertime/games/test.shtml"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [VX1000] c:\windows\vVX1000.exe
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\kynnis~1\ohjelmat\kynnis~1\hppsc1~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpohmr08.exe
StartupFolder: c:\docume~1\alluse~1\kynnis~1\ohjelmat\kynnis~1\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: Vie Microsoft E&xceliin - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {22492231-AEF0-49FC-9180-CE8969AB1273} - hxxp://download.sp.f-secure.com/ols/f-secure-rtm/resources/fslauncher.cab
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://www.pandasecurity.com/activescan/cabs/as2stubie.cab
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1231075840671
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1231075829703
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {C237A80A-4C55-4C68-BAA9-CBE4408D12B2} - hxxp://download.sp.f-secure.com/ols/f-secure-rtm/resources/fslauncher.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-1-5 28544]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-1-4 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-22 55024]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-1-4 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-1-4 138680]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-1-4 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-1-4 352920]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-1-28 38224]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-22 7408]







ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/01/20 12:23
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: 1394BUS.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\1394BUS.SYS
Address: 0xF75F6000 Size: 57344 File Visible: - Signed: -
Status: -

Name: Aavmker4.SYS
Image Path: C:\WINDOWS\System32\Drivers\Aavmker4.SYS
Address: 0xF797E000 Size: 19520 File Visible: - Signed: -
Status: -

Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xF7587000 Size: 187904 File Visible: - Signed: -
Status: -

Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x804D7000 Size: 2191488 File Visible: - Signed: -
Status: -

Name: afd.sys
Image Path: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xEE976000 Size: 138496 File Visible: - Signed: -
Status: -

Name: AFS2K.SYS
Image Path: C:\WINDOWS\System32\Drivers\AFS2K.SYS
Address: 0xF7836000 Size: 54336 File Visible: - Signed: -
Status: -

Name: AGRSM.sys
Image Path: C:\WINDOWS\system32\DRIVERS\AGRSM.sys
Address: 0xF6D5E000 Size: 1204128 File Visible: - Signed: -
Status: -

Name: ALCXSENS.SYS
Image Path: C:\WINDOWS\system32\drivers\ALCXSENS.SYS
Address: 0xF6C31000 Size: 404736 File Visible: - Signed: -
Status: -

Name: ALCXWDM.SYS
Image Path: C:\WINDOWS\system32\drivers\ALCXWDM.SYS
Address: 0xF6CB8000 Size: 453760 File Visible: - Signed: -
Status: -

Name: arp1394.sys
Image Path: C:\WINDOWS\System32\DRIVERS\arp1394.sys
Address: 0xF76D6000 Size: 60800 File Visible: - Signed: -
Status: -

Name: aswFsBlk.sys
Image Path: C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys
Address: 0xF79AE000 Size: 32768 File Visible: - Signed: -
Status: -

Name: aswMon2.SYS
Image Path: C:\WINDOWS\System32\Drivers\aswMon2.SYS
Address: 0xEE345000 Size: 87424 File Visible: - Signed: -
Status: -

Name: aswRdr.SYS
Image Path: C:\WINDOWS\System32\Drivers\aswRdr.SYS
Address: 0xED834000 Size: 15104 File Visible: - Signed: -
Status: -

Name: aswSP.SYS
Image Path: C:\WINDOWS\System32\Drivers\aswSP.SYS
Address: 0xEE7F9000 Size: 135168 File Visible: - Signed: -
Status: -

Name: aswTdi.SYS
Image Path: C:\WINDOWS\System32\Drivers\aswTdi.SYS
Address: 0xF7696000 Size: 39104 File Visible: - Signed: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0xF753F000 Size: 96512 File Visible: - Signed: -
Status: -

Name: ATMFD.DLL
Image Path: C:\WINDOWS\System32\ATMFD.DLL
Address: 0xBFFA0000 Size: 286720 File Visible: - Signed: -
Status: -

Name: audstub.sys
Image Path: C:\WINDOWS\System32\DRIVERS\audstub.sys
Address: 0xF7BC2000 Size: 3072 File Visible: - Signed: -
Status: -

Name: Beep.SYS
Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xF7AFC000 Size: 4224 File Visible: - Signed: -
Status: -

Name: BOOTVID.dll
Image Path: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xF79E6000 Size: 12288 File Visible: - Signed: -
Status: -

Name: Cdfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Address: 0xF7726000 Size: 63744 File Visible: - Signed: -
Status: -

Name: cdrom.sys
Image Path: C:\WINDOWS\System32\DRIVERS\cdrom.sys
Address: 0xF7846000 Size: 62976 File Visible: - Signed: -
Status: -

Name: CLASSPNP.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS
Address: 0xF7636000 Size: 53248 File Visible: - Signed: -
Status: -

Name: disk.sys
Image Path: disk.sys
Address: 0xF7626000 Size: 36352 File Visible: - Signed: -
Status: -

Name: drmk.sys
Image Path: C:\WINDOWS\system32\drivers\drmk.sys
Address: 0xF6F64000 Size: 61440 File Visible: - Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEE5DB000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B0C000 Size: 8192 File Visible: No Signed: -
Status: -

Name: Dxapi.sys
Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xF6B65000 Size: 12288 File Visible: - Signed: -
Status: -

Name: dxg.sys
Image Path: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBF9C4000 Size: 73728 File Visible: - Signed: -
Status: -

Name: dxgthk.sys
Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xF7BF1000 Size: 4096 File Visible: - Signed: -
Status: -

Name: fdc.sys
Image Path: C:\WINDOWS\System32\DRIVERS\fdc.sys
Address: 0xF7916000 Size: 27392 File Visible: - Signed: -
Status: -

Name: Fips.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fips.SYS
Address: 0xF76E6000 Size: 44544 File Visible: - Signed: -
Status: -

Name: fltmgr.sys
Image Path: fltmgr.sys
Address: 0xF751F000 Size: 129792 File Visible: - Signed: -
Status: -

Name: Fs_Rec.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xF7AFA000 Size: 7936 File Visible: - Signed: -
Status: -

Name: ftdisk.sys
Image Path: ftdisk.sys
Address: 0xF7557000 Size: 125056 File Visible: - Signed: -
Status: -

Name: hal.dll
Image Path: C:\WINDOWS\system32\hal.dll
Address: 0x806EF000 Size: 131840 File Visible: - Signed: -
Status: -

Name: HIDCLASS.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\HIDCLASS.SYS
Address: 0xF7736000 Size: 36864 File Visible: - Signed: -
Status: -

Name: HIDPARSE.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\HIDPARSE.SYS
Address: 0xF798E000 Size: 28672 File Visible: - Signed: -
Status: -

Name: hidusb.sys
Image Path: C:\WINDOWS\System32\DRIVERS\hidusb.sys
Address: 0xF7A62000 Size: 10368 File Visible: - Signed: -
Status: -

Name: HTTP.sys
Image Path: C:\WINDOWS\System32\Drivers\HTTP.sys
Address: 0xED797000 Size: 265728 File Visible: - Signed: -
Status: -

Name: i8042prt.sys
Image Path: C:\WINDOWS\System32\DRIVERS\i8042prt.sys
Address: 0xF7816000 Size: 52096 File Visible: - Signed: -
Status: -

Name: ialmdd5.DLL
Image Path: C:\WINDOWS\System32\ialmdd5.DLL
Address: 0xBFA37000 Size: 507904 File Visible: - Signed: -
Status: -

Name: ialmdev5.DLL
Image Path: C:\WINDOWS\System32\ialmdev5.DLL
Address: 0xBFA06000 Size: 200704 File Visible: - Signed: -
Status: -

Name: ialmdnt5.dll
Image Path: C:\WINDOWS\System32\ialmdnt5.dll
Address: 0xBF9E4000 Size: 139264 File Visible: - Signed: -
Status: -

Name: ialmkchw.sys
Image Path: C:\WINDOWS\system32\drivers\ialmkchw.sys
Address: 0xEEAB8000 Size: 98944 File Visible: - Signed: -
Status: -

Name: ialmnt5.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
Address: 0xF6EBC000 Size: 95520 File Visible: - Signed: -
Status: -

Name: ialmrnt5.dll
Image Path: C:\WINDOWS\System32\ialmrnt5.dll
Address: 0xBF9D6000 Size: 57344 File Visible: - Signed: -
Status: -

Name: ialmsbw.sys
Image Path: C:\WINDOWS\system32\drivers\ialmsbw.sys
Address: 0xEEA9A000 Size: 122048 File Visible: - Signed: -
Status: -

Name: imapi.sys
Image Path: C:\WINDOWS\System32\DRIVERS\imapi.sys
Address: 0xF7826000 Size: 42112 File Visible: - Signed: -
Status: -

Name: intelide.sys
Image Path: intelide.sys
Address: 0xF7ADA000 Size: 5504 File Visible: - Signed: -
Status: -

Name: intelppm.sys
Image Path: C:\WINDOWS\System32\DRIVERS\intelppm.sys
Address: 0xF77F6000 Size: 40320 File Visible: - Signed: -
Status: -

Name: ipnat.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ipnat.sys
Address: 0xEE9C0000 Size: 152832 File Visible: - Signed: -
Status: -

Name: ipsec.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ipsec.sys
Address: 0xEEA67000 Size: 75264 File Visible: - Signed: -
Status: -

Name: isapnp.sys
Image Path: isapnp.sys
Address: 0xF75D6000 Size: 37120 File Visible: - Signed: -
Status: -

Name: kbdclass.sys
Image Path: C:\WINDOWS\System32\DRIVERS\kbdclass.sys
Address: 0xF791E000 Size: 24576 File Visible: - Signed: -
Status: -

Name: KDCOM.DLL
Image Path: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xF7AD6000 Size: 8192 File Visible: - Signed: -
Status: -

Name: kmixer.sys
Image Path: C:\WINDOWS\system32\drivers\kmixer.sys
Address: 0xED53C000 Size: 172416 File Visible: - Signed: -
Status: -

Name: ks.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ks.sys
Address: 0xF6D27000 Size: 143360 File Visible: - Signed: -
Status: -

Name: KSecDD.sys
Image Path: KSecDD.sys
Address: 0xF74F6000 Size: 92928 File Visible: - Signed: -
Status: -

Name: mbamswissarmy.sys
Image Path: C:\WINDOWS\system32\drivers\mbamswissarmy.sys
Address: 0xF7896000 Size: 32768 File Visible: - Signed: -
Status: -

Name: mnmdd.SYS
Image Path: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Address: 0xF7AFE000 Size: 4224 File Visible: - Signed: -
Status: -

Name: Modem.SYS
Image Path: C:\WINDOWS\System32\Drivers\Modem.SYS
Address: 0xF790E000 Size: 30080 File Visible: - Signed: -
Status: -

Name: mouclass.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mouclass.sys
Address: 0xF793E000 Size: 23040 File Visible: - Signed: -
Status: -

Name: mouhid.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mouhid.sys
Address: 0xF7A72000 Size: 12160 File Visible: - Signed: -
Status: -

Name: MountMgr.sys
Image Path: MountMgr.sys
Address: 0xF7606000 Size: 42368 File Visible: - Signed: -
Status: -

Name: mrxdav.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mrxdav.sys
Address: 0xEDDDB000 Size: 180608 File Visible: - Signed: -
Status: -

Name: mrxsmb.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mrxsmb.sys
Address: 0xEE81A000 Size: 455296 File Visible: - Signed: -
Status: -

Name: Msfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xF795E000 Size: 19072 File Visible: - Signed: -
Status: -

Name: msgpc.sys
Image Path: C:\WINDOWS\System32\DRIVERS\msgpc.sys
Address: 0xF6F24000 Size: 35072 File Visible: - Signed: -
Status: -

Name: mssmbios.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mssmbios.sys
Address: 0xF7AAA000 Size: 15488 File Visible: - Signed: -
Status: -

Name: Mup.sys
Image Path: Mup.sys
Address: 0xF7422000 Size: 105344 File Visible: - Signed: -
Status: -

Name: NDIS.sys
Image Path: NDIS.sys
Address: 0xF743C000 Size: 182656 File Visible: - Signed: -
Status: -

Name: ndistapi.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ndistapi.sys
Address: 0xF7A9A000 Size: 10112 File Visible: - Signed: -
Status: -

Name: ndisuio.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ndisuio.sys
Address: 0xEE4EF000 Size: 14592 File Visible: - Signed: -
Status: -

Name: ndiswan.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ndiswan.sys
Address: 0xF6C1A000 Size: 91520 File Visible: - Signed: -
Status: -

Name: NDProxy.SYS
Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Address: 0xF6F04000 Size: 40576 File Visible: - Signed: -
Status: -

Name: netbios.sys
Image Path: C:\WINDOWS\System32\DRIVERS\netbios.sys
Address: 0xF76B6000 Size: 34688 File Visible: - Signed: -
Status: -

Name: netbt.sys
Image Path: C:\WINDOWS\System32\DRIVERS\netbt.sys
Address: 0xEE998000 Size: 162816 File Visible: - Signed: -
Status: -

Name: nic1394.sys
Image Path: C:\WINDOWS\System32\DRIVERS\nic1394.sys
Address: 0xF7666000 Size: 61824 File Visible: - Signed: -
Status: -

Name: Npfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xF7966000 Size: 30848 File Visible: - Signed: -
Status: -

Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xF7469000 Size: 574976 File Visible: - Signed: -
Status: -

Name: ntoskrnl.exe
Image Path: C:\WINDOWS\system32\ntoskrnl.exe
Address: 0x804D7000 Size: 2191488 File Visible: - Signed: -
Status: -

Name: Null.SYS
Image Path: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xF7C89000 Size: 2944 File Visible: - Signed: -
Status: -

Name: ohci1394.sys
Image Path: ohci1394.sys
Address: 0xF75E6000 Size: 61696 File Visible: - Signed: -
Status: -

Name: parport.sys
Image Path: C:\WINDOWS\System32\DRIVERS\parport.sys
Address: 0xF6D4A000 Size: 80256 File Visible: - Signed: -
Status: -

Name: PartMgr.sys
Image Path: PartMgr.sys
Address: 0xF785E000 Size: 19712 File Visible: - Signed: -
Status: -

Name: ParVdm.SYS
Image Path: C:\WINDOWS\System32\Drivers\ParVdm.SYS
Address: 0xF7AEA000 Size: 6912 File Visible: - Signed: -
Status: -

Name: pavboot.sys
Image Path: pavboot.sys
Address: 0xF7866000 Size: 21888 File Visible: - Signed: -
Status: -

Name: pci.sys
Image Path: pci.sys
Address: 0xF7576000 Size: 68096 File Visible: - Signed: -
Status: -

Name: pciide.sys
Image Path: pciide.sys
Address: 0xF7B9E000 Size: 3328 File Visible: - Signed: -
Status: -

Name: PCIIDEX.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Address: 0xF7856000 Size: 28672 File Visible: - Signed: -
Status: -

Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x804D7000 Size: 2191488 File Visible: - Signed: -
Status: -

Name: portcls.sys
Image Path: C:\WINDOWS\system32\drivers\portcls.sys
Address: 0xF6C94000 Size: 147456 File Visible: - Signed: -
Status: -

Name: psched.sys
Image Path: C:\WINDOWS\System32\DRIVERS\psched.sys
Address: 0xF6C09000 Size: 69120 File Visible: - Signed: -
Status: -

Name: ptilink.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ptilink.sys
Address: 0xF792E000 Size: 17792 File Visible: - Signed: -
Status: -

Name: rasacd.sys
Image Path: C:\WINDOWS\System32\DRIVERS\rasacd.sys
Address: 0xF7AD2000 Size: 8832 File Visible: - Signed: -
Status: -

Name: rasl2tp.sys
Image Path: C:\WINDOWS\System32\DRIVERS\rasl2tp.sys
Address: 0xF6F54000 Size: 51328 File Visible: - Signed: -
Status: -

Name: raspppoe.sys
Image Path: C:\WINDOWS\System32\DRIVERS\raspppoe.sys
Address: 0xF6F44000 Size: 41472 File Visible: - Signed: -
Status: -

Name: raspptp.sys
Image Path: C:\WINDOWS\System32\DRIVERS\raspptp.sys
Address: 0xF6F34000 Size: 48384 File Visible: - Signed: -
Status: -

Name: raspti.sys
Image Path: C:\WINDOWS\System32\DRIVERS\raspti.sys
Address: 0xF7936000 Size: 16512 File Visible: - Signed: -
Status: -

Name: RAW
Image Path: \FileSystem\RAW
Address: 0x804D7000 Size: 2191488 File Visible: - Signed: -
Status: -

Name: rdbss.sys
Image Path: C:\WINDOWS\System32\DRIVERS\rdbss.sys
Address: 0xEE88A000 Size: 175744 File Visible: - Signed: -
Status: -

Name: RDPCDD.sys
Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xF7B00000 Size: 4224 File Visible: - Signed: -
Status: -

Name: redbook.sys
Image Path: C:\WINDOWS\System32\DRIVERS\redbook.sys
Address: 0xF7676000 Size: 57472 File Visible: - Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xED4CC000 Size: 49152 File Visible: No Signed: -
Status: -

Name: RTL8139.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\RTL8139.SYS
Address: 0xF7906000 Size: 20992 File Visible: - Signed: -
Status: -

Name: SASDIFSV.SYS
Image Path: C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
Address: 0xF7976000 Size: 28672 File Visible: - Signed: -
Status: -

Name: SASKUTIL.sys
Image Path: C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
Address: 0xEE8B5000 Size: 135168 File Visible: - Signed: -
Status: -

Name: serenum.sys
Image Path: C:\WINDOWS\System32\DRIVERS\serenum.sys
Address: 0xF7A8E000 Size: 15744 File Visible: - Signed: -
Status: -

Name: serial.sys
Image Path: C:\WINDOWS\System32\DRIVERS\serial.sys
Address: 0xF7806000 Size: 64512 File Visible: - Signed: -
Status: -

Name: sr.sys
Image Path: sr.sys
Address: 0xF750D000 Size: 73344 File Visible: - Signed: -
Status: -

Name: srv.sys
Image Path: C:\WINDOWS\System32\DRIVERS\srv.sys
Address: 0xEDBC0000 Size: 333952 File Visible: - Signed: -
Status: -

Name: STREAM.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\STREAM.SYS
Address: 0xF76F6000 Size: 53248 File Visible: - Signed: -
Status: -

Name: swenum.sys
Image Path: C:\WINDOWS\System32\DRIVERS\swenum.sys
Address: 0xF7AF8000 Size: 4352 File Visible: - Signed: -
Status: -

Name: sysaudio.sys
Image Path: C:\WINDOWS\system32\drivers\sysaudio.sys
Address: 0xF77C6000 Size: 60800 File Visible: - Signed: -
Status: -

Name: tcpip.sys
Image Path: C:\WINDOWS\System32\DRIVERS\tcpip.sys
Address: 0xEEA0E000 Size: 361600 File Visible: - Signed: -
Status: -

Name: TDI.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\TDI.SYS
Address: 0xF7926000 Size: 20480 File Visible: - Signed: -
Status: -

Name: termdd.sys
Image Path: C:\WINDOWS\System32\DRIVERS\termdd.sys
Address: 0xF6F14000 Size: 40704 File Visible: - Signed: -
Status: -

Name: update.sys
Image Path: C:\WINDOWS\System32\DRIVERS\update.sys
Address: 0xF6B79000 Size: 384768 File Visible: - Signed: -
Status: -

Name: usbaudio.sys
Image Path: C:\WINDOWS\system32\drivers\usbaudio.sys
Address: 0xF7716000 Size: 60032 File Visible: - Signed: -
Status: -

Name: usbccgp.sys
Image Path: C:\WINDOWS\System32\DRIVERS\usbccgp.sys
Address: 0xF796E000 Size: 32128 File Visible: - Signed: -
Status: -

Name: USBD.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Address: 0xF7AF6000 Size: 8192 File Visible: - Signed: -
Status: -

Name: usbehci.sys
Image Path: C:\WINDOWS\System32\DRIVERS\usbehci.sys
Address: 0xF78FE000 Size: 30208 File Visible: - Signed: -
Status: -

Name: usbhub.sys
Image Path: C:\WINDOWS\System32\DRIVERS\usbhub.sys
Address: 0xF6EE4000 Size: 59520 File Visible: - Signed: -
Status: -

Name: USBPORT.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\USBPORT.SYS
Address: 0xF6E84000 Size: 147456 File Visible: - Signed: -
Status: -

Name: USBSTOR.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS
Address: 0xF7986000 Size: 26368 File Visible: - Signed: -
Status: -

Name: usbuhci.sys
Image Path: C:\WINDOWS\System32\DRIVERS\usbuhci.sys
Address: 0xF78F6000 Size: 20608 File Visible: - Signed: -
Status: -

Name: vga.sys
Image Path: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xF7956000 Size: 20992 File Visible: - Signed: -
Status: -

Name: VIDEOPRT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Address: 0xF6EA8000 Size: 81920 File Visible: - Signed: -
Status: -

Name: VolSnap.sys
Image Path: VolSnap.sys
Address: 0xF7616000 Size: 51840 File Visible: - Signed: -
Status: -

Name: VX1000.sys
Image Path: C:\WINDOWS\system32\DRIVERS\VX1000.sys
Address: 0xEE61B000 Size: 1956736 File Visible: - Signed: -
Status: -

Name: wanarp.sys
Image Path: C:\WINDOWS\System32\DRIVERS\wanarp.sys
Address: 0xF76A6000 Size: 34560 File Visible: - Signed: -
Status: -

Name: watchdog.sys
Image Path: C:\WINDOWS\System32\watchdog.sys
Address: 0xF799E000 Size: 20480 File Visible: - Signed: -
Status: -

Name: wdmaud.sys
Image Path: C:\WINDOWS\system32\drivers\wdmaud.sys
Address: 0xEE038000 Size: 83072 File Visible: - Signed: -
Status: -

Name: Win32k
Image Path: \Driver\Win32k
Address: 0xBF800000 Size: 1851392 File Visible: - Signed: -
Status: -

Name: win32k.sys
Image Path: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000 Size: 1851392 File Visible: - Signed: -
Status: -

Name: WMILIB.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\WMILIB.SYS
Address: 0xF7AD8000 Size: 8192 File Visible: - Signed: -
Status: -

Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x804D7000 Size: 2191488 File Visible: - Signed: -
Status: -






#2 Farbar

    Just Curious

  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 20 January 2010 - 02:41 PM

Hi mariska,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

I don't see any apparent malware/spyware on the logs. But to make sure we need to dig in for any possible (rootkit) hidden malware.
  1. Download the GMER Rootkit Scanner exe file from here and save it to your desktop.
    • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
    • Click on this link to see a list of programs that should be disabled.
    • Disconnect from the Internet and close all running programs.
    • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
    • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
    • In the right panel, you will see several boxes that have been checked. Make sure the following are unchecked:
      • Sections
      • IAT/EAT
      • Drives/Partition other than C:\ drive (C:\ drive should remain checked)
      • Show All (this one also should be unchecked)
    • Then click the Scan button & wait for it to begin. (Please be patient as it can take some time to complete).
    • When the scan is finished, you will see the scan button appears again. Click Save to save the scan results to your Desktop.
    • Save the file as gmer.log and copy/paste the contents in your next reply.


  2. Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (Information on A/V control HERE)
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.


#3 mariska

  • Topic Starter
  • Members
  • 86 posts
  • Location:Turku

Posted 21 January 2010 - 02:37 AM

Thank you Farbar for replying so promptly, it's very much appreciated.

I followed your instructions and disabled Avast's on-access protection, and here are the logs:


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-21 09:06:27
Windows 5.1.2600 Service Pack 3
Running: r1cc7yvf.exe; Driver: C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\kfrdypod.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xEE56C6B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xEE56C574]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xEE56CA52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xEE56C14C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xEE56C64E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xEE56C08C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xEE56C0F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xEE56C76E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xEE56C72E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xEE56C8AE]

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + B0 804E270C 2 Bytes [B8, C6]
.text ntoskrnl.exe!_abnormal_termination + B3 804E270F 1 Byte [EE]
.text ntoskrnl.exe!_abnormal_termination + 228 804E2884 2 Bytes [4E, C6]
.text ntoskrnl.exe!_abnormal_termination + 22B 804E2887 1 Byte [EE]
.text ntoskrnl.exe!_abnormal_termination + 310 804E296C 2 Bytes [6E, C7]
.text ...
init C:\WINDOWS\system32\drivers\ALCXSENS.SYS entry point in "init" section [0xF6BD4870]
? C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\kfrdypog.sys Määritettyä tiedostoa ei löydy. !

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[580] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003D0002
IAT C:\WINDOWS\system32\services.exe[580] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003D0000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- EOF - GMER 1.0.15 ----






ComboFix log:


ComboFix 10-01-20.05 - Christian 21.01.2010 9:15.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.358.1035.18.1015.654 [GMT 2:00]
Sijainti: c:\documents and settings\Christian\Työpöytä\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100120-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

(((((((((((((((((((((((((((((((((((((( Muut poistot ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Java\jre6\bin\jucheck.exe
c:\windows\system32\404Fix.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe

.
((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2009-12-21 to 2010-01-21 )))))))))))))))))
.

2010-01-20 09:41 . 2010-01-20 09:41 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-01-20 09:40 . 2010-01-20 09:40 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2010-01-20 09:26 . 2010-01-20 09:26 -------- d-----w- c:\documents and settings\Christian\Application Data\Foxit
2010-01-20 09:25 . 2010-01-20 09:25 -------- d-----w- c:\program files\Foxit Software
2010-01-20 09:24 . 2010-01-20 09:24 5359048 ----a-w- c:\program files\FoxitReader31_enu_Setup_091125.exe
2010-01-15 17:07 . 2009-11-21 15:58 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

.
(((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-20 18:18 . 2009-01-11 19:33 -------- d-----w- c:\documents and settings\Christian\Application Data\Skype
2010-01-20 14:00 . 2009-01-11 19:36 -------- d-----w- c:\documents and settings\Christian\Application Data\skypePM
2010-01-20 09:52 . 2009-01-28 17:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-20 09:52 . 2009-05-31 18:56 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-20 09:20 . 2009-01-16 16:37 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-07 14:07 . 2009-01-28 17:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 14:07 . 2009-01-28 17:38 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-11 06:45 . 2003-04-25 12:00 86178 ----a-w- c:\windows\system32\perfc00B.dat
2009-12-11 06:45 . 2003-04-25 12:00 419252 ----a-w- c:\windows\system32\perfh00B.dat
2009-11-24 23:54 . 2009-01-04 13:15 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2009-11-24 23:51 . 2009-01-04 13:15 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-11-24 23:50 . 2009-01-04 13:15 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-11-24 23:50 . 2009-01-04 13:15 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-11-24 23:50 . 2009-01-04 14:25 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-11-24 23:49 . 2009-01-04 13:15 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-24 23:48 . 2009-01-04 13:15 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-24 23:47 . 2009-01-04 13:15 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-11-24 23:47 . 2009-01-04 13:15 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-11-24 16:06 . 2009-01-06 12:42 44728 ----a-w- c:\documents and settings\Lea\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-21 15:58 . 2003-04-25 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-14 08:51 . 2009-05-11 17:58 117760 ----a-w- c:\documents and settings\Christian\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-04 16:37 . 2009-11-04 16:37 152576 ----a-w- c:\documents and settings\Christian\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-10-29 07:45 . 2003-04-25 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:45 . 2009-05-29 14:30 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:45 . 2003-04-25 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-01-11 19:32 . 2009-01-11 19:32 22260008 ----a-w- c:\program files\SkypeSetup.exe
2009-01-11 17:47 . 2009-01-11 17:43 406903544 ----a-w- c:\program files\Nero-7.11.10.0_all_update.exe
2009-01-09 13:51 . 2009-01-09 13:51 3165824 ----a-w- c:\program files\ccsetup215.exe
2009-01-06 17:17 . 2009-01-06 17:17 16320472 ----a-w- c:\program files\vlc-0.9.8a-win32.exe
2009-01-06 17:05 . 2009-01-06 17:05 6560523 ----a-w- c:\program files\realalt190.exe
2009-01-06 11:10 . 2009-01-06 11:06 160691584 ----a-w- c:\program files\rw2_021_w02_sve.exe
2009-01-05 18:56 . 2009-01-05 18:56 5824544 ----a-w- c:\program files\SUPERAntiSpyware.exe
.

(((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-04 39408]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2008-01-22 152872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 88363]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-04-22 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-04-22 118784]
"SoundMan"="SOUNDMAN.EXE" [2004-04-22 57344]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-05-28 570664]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-01-13 275800]
"VX1000"="c:\windows\vVX1000.exe" [2006-12-05 707360]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-04-30 68592]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Käynnistä-valikko\Ohjelmat\Käynnistys\
hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-4-6 147456]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 09:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\DC++\\DCPlusPlus.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Outlook Express\\msimn.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [5.1.2009 20:49 28544]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [4.1.2009 15:15 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [22.12.2008 11:06 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [22.12.2008 11:05 55024]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4.1.2009 16:25 20560]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [28.1.2009 19:38 38224]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [22.12.2008 11:06 7408]

--- Muut muistissa olevat ajurit/palvelut ---

*NewlyCreated* - KFRDYPOD
*NewlyCreated* - KFRDYPOG
*Deregistered* - kfrdypod
*Deregistered* - kfrdypog
.
'Ajoitetut tehtävät'-kansion sisältö

2009-04-17 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 1200 series5E771253C1676EBED677BF361FDFC537825E15B8231238619.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-05 22:52]
.
.
------- Täydentävä tarkistus -------
.
uStart Page = hxxp://www.google.fi/
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: Vie Microsoft E&xceliin - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
- - - - POISTETUT JÄMÄRIVIT - - - -

HKCU-RunOnce-Shockwave Updater - c:\windows\system32\Adobe\SHOCKW~1\SWHELP~1.EXE
AddRemove-Agere Systems Soft Modem - c:\windows\agrsmdel
AddRemove-KB923789 - c:\windows\system32\MacroMed\Flash\genuinst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-21 09:25
Windows 5.1.2600 Service Pack 3 NTFS

tarkistaa piilotettuja prosesseja ...

tarkistaa piilotettuja käynnistysarvoja ...

tarkistaa piilotettuja tiedostoja ...

tarkistus on valmis
piilotetut tiedostot: 0

**************************************************************************
.
--------------------- LUKITUT REKISTERIAVAIMET ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\ÿcÓw*]
"b049C053C7D38EE4AB9A00CB3B5D2472"="C?\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\PUBPLACE.HTT"
.
--------------------- Prosesseihin ladatut DLLt ---------------------

- - - - - - - > 'winlogon.exe'(532)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Valmistumisajankohta: 2010-01-21 09:30:29
ComboFix-quarantined-files.txt 2010-01-21 07:30

Ennen ajoa: 25 020 047 360 tavua vapaana
Ajon jälkeen: 25 445 462 016 tavua vapaana

WindowsXP-KB310994-SP2-Home-BootDisk-FIN.EXE
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 2150C00B68E1AF0A4FA4CC31AE277770


#4 Farbar
  • Just Curious
  • Security Developer
  • 21,688 posts
  • Location:The Netherlands

Posted 21 January 2010 - 09:17 AM

Well done.

One of the files removed by ComboFix is a possible worm with backdoor capacity and another one is a possible password stealer and banking/info stealer.

To make sure of that, please do the following:

Go to Start => Run, copy and paste the following in the run box and click OK:

C:\Qoobox\ComboFix-quarantined-files.txt

A log file opens. Please copy and paste the content to your reply.

#5 mariska
  • Topic Starter
  • Members
  • 86 posts
  • Location:Turku

Posted 21 January 2010 - 11:32 AM

Aha... O.K. Thanks a lot... here's the quarantine list:

2010-01-21 07:28:33 . 2010-01-21 07:28:33 1,194 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-KB923789.reg.dat
2010-01-21 07:28:33 . 2010-01-21 07:28:33 772 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-Agere Systems Soft Modem.reg.dat
2010-01-21 07:27:41 . 2010-01-21 07:27:41 395 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKCU-RunOnce-Shockwave Updater.reg.dat
2010-01-21 07:22:18 . 2010-01-21 15:52:36 6,994 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2010-01-21 07:12:14 . 2010-01-21 15:44:42 153 ----a-w- C:\Qoobox\Quarantine\catchme.log
2009-05-01 11:53:46 . 2009-10-11 02:17:45 386,872 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Java\jre6\bin\jucheck.exe.vir
2009-01-04 17:26:23 . 2009-01-04 17:30:15 380 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\tmp.reg.vir
2009-01-04 17:26:04 . 2008-09-20 09:45:23 80,384 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\o4Patch.exe.vir
2009-01-04 17:26:04 . 2008-11-29 15:58:21 82,944 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\IEDFix.C.exe.vir
2009-01-04 17:26:04 . 2008-08-18 09:19:03 82,432 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\404Fix.exe.vir
2009-01-04 17:26:04 . 2008-10-01 12:51:40 87,552 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\VACFix.exe.vir
2009-01-04 17:26:04 . 2008-05-18 18:40:35 82,944 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\IEDFix.exe.vir
2009-01-04 17:26:04 . 2007-10-03 21:36:46 25,600 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\WS2Fix.exe.vir
2009-01-04 17:26:03 . 2007-09-05 21:22:23 289,144 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\VCCLSID.exe.vir
2009-01-04 17:26:03 . 2004-07-31 15:50:36 51,200 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\dumphive.exe.vir
2009-01-04 17:26:03 . 2006-04-27 14:49:30 288,417 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SrchSTS.exe.vir
2009-01-04 17:26:03 . 2003-06-05 18:13:00 53,248 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\Process.exe.vir


#6 Farbar
  • Just Curious
  • Security Developer
  • 21,688 posts
  • Location:The Netherlands

Posted 21 January 2010 - 12:44 PM

Let's see what we get.

Click on this link--> virustotal

Click the browse button. Copy and paste the lines in bold in the open box, then click Send File after pasting one line. You will only be able to have one file scanned at a time.

C:\Qoobox\Quarantine\C\WINDOWS\system32\Process.exe.vir
C:\Qoobox\Quarantine\C\Program Files\Java\jre6\bin\jucheck.exe.vir


If the file has been analyzed before, click the Reanalyse File Now button.
Please copy and paste the results of the scan in your next post.

#7 mariska
  • Topic Starter
  • Members
  • 86 posts
  • Location:Turku

Posted 21 January 2010 - 01:04 PM

Thanks very much. Here are the results:

File Process.exe.vir received on 2010.01.21 17:54:27 (UTC)

Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.01.21 -
AhnLab-V3 5.0.0.2 2010.01.21 -
AntiVir 7.9.1.146 2010.01.21 -
Antiy-AVL 2.0.3.7 2010.01.21 -
Authentium 5.2.0.5 2010.01.21 -
Avast 4.8.1351.0 2010.01.21 -
AVG 9.0.0.730 2010.01.21 -
BitDefender 7.2 2010.01.21 -
CAT-QuickHeal 10.00 2010.01.21 -
ClamAV 0.94.1 2010.01.21 -
Comodo 3659 2010.01.21 -
DrWeb 5.0.1.12222 2010.01.21 Tool.Prockill
eSafe 7.0.17.0 2010.01.20 -
eTrust-Vet 35.2.7250 2010.01.21 -
F-Prot 4.5.1.85 2010.01.20 -
F-Secure 9.0.15370.0 2010.01.21 -
Fortinet 4.0.14.0 2010.01.21 -
GData 19 2010.01.21 -
Ikarus T3.1.1.80.0 2010.01.21 -
Jiangmin 13.0.900 2010.01.21 -
K7AntiVirus 7.10.951 2010.01.20 -
Kaspersky 7.0.0.125 2010.01.21 -
McAfee 5867 2010.01.20 potentially unwanted program PrcViewer
McAfee+Artemis 5867 2010.01.20 potentially unwanted program PrcViewer
McAfee-GW-Edition 6.8.5 2010.01.21 Heuristic.BehavesLike.Win32.Dropper.L
Microsoft 1.5302 2010.01.21 -
NOD32 4791 2010.01.20 Win32/PrcView
Norman 6.04.03 2010.01.20 -
nProtect 2009.1.8.0 2010.01.21 -
Panda 10.0.2.2 2010.01.21 -
PCTools 7.0.3.5 2010.01.21 -
Prevx 3.0 2010.01.21 -
Rising 22.31.03.04 2010.01.21 -
Sophos 4.50.0 2010.01.21 -
Sunbelt 3.2.1858.2 2010.01.21 -
Symantec 20091.2.0.41 2010.01.21 -
TheHacker 6.5.0.8.157 2010.01.21 Aplicacion/Processor.20
TrendMicro 9.120.0.1004 2010.01.21 -
VBA32 3.12.12.1 2010.01.20 -
ViRobot 2010.1.21.2148 2010.01.21 -
VirusBuster 5.0.21.0 2010.01.20 -

Additional information
File size: 53248 bytes
MD5...: 7397f6ee4a9601a123b645c0cd428017
SHA1..: 890368473ecbc404dcd42ff0c6c38397102f59c0
SHA256: 5aaf73ef89f0efab963abb170bc9b7cd7d4d5bd7a691cd83137b4cc39cd120de
ssdeep: 768:ORWMA68kDGXcK1JP9COApZsLUFDeLHAwu0aB0wWYS/a/x9GYDM0+0O:OkMKH9fApDFPgiKMM0I
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x2b42
timedatestamp.....: 0x3edf2cf1 (Thu Jun 05 11:43:45 2003)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x7bea 0x8000 6.52 c01fadec01aae81015745dad0ecda107
.rdata 0x9000 0x1dfc 0x2000 5.10 e5217bccc8786d801b7a78bb7cce029c
.data 0xb000 0x1fc8 0x1000 2.67 5ba738a705a45c4209cbffe7469d458a
.rsrc 0xd000 0x3c0 0x1000 0.99 0967ff97890b79a40016a44e82666655

( 3 imports )
> KERNEL32.dll: GetLastError, GetProcessAffinityMask, OpenProcess, Sleep, TerminateProcess, WaitForSingleObject, SetPriorityClass, lstrcmpiA, HeapFree, ResumeThread, SuspendThread, GetVersionExA, WideCharToMultiByte, HeapAlloc, CloseHandle, GlobalFree, GlobalAlloc, FileTimeToSystemTime, SystemTimeToFileTime, GetSystemTime, LocalFree, FormatMessageA, HeapSize, RtlUnwind, LCMapStringW, LCMapStringA, VirtualQuery, GetSystemInfo, SetProcessAffinityMask, LoadLibraryA, GetProcAddress, FreeLibrary, GetProcessHeap, GetCurrentProcess, ExitProcess, GetModuleHandleA, GetCommandLineA, QueryPerformanceCounter, GetTickCount, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, GetModuleFileNameA, HeapDestroy, HeapCreate, VirtualFree, VirtualAlloc, HeapReAlloc, WriteFile, GetStdHandle, UnhandledExceptionFilter, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, GetFileType, GetStartupInfoA, GetStringTypeA, MultiByteToWideChar, GetStringTypeW, GetACP, GetOEMCP, GetCPInfo, FlushFileBuffers, SetFilePointer, GetLocaleInfoA, VirtualProtect, SetStdHandle
> USER32.dll: CloseDesktop, EnumDesktopWindows, GetWindowThreadProcessId, PostMessageA, OpenDesktopA
> ADVAPI32.dll: LookupAccountSidA, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, GetTokenInformation

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win64 Executable Generic (59.6%)
Win32 Executable MS Visual C++ (generic) (26.2%)
Win32 Executable Generic (5.9%)
Win32 Dynamic Link Library (generic) (5.2%)
Generic Win/DOS Executable (1.3%)
sigcheck:
publisher....: http://www.beyondlogic.org
copyright....: Copyright 2003 Craig.Peacock@beyondlogic.org
product......: Command Line Process Utility
description..: Command Line Process Utility
original name: Process.exe
internal name: Process.exe
file version.: 2, 0, 0, 0
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned


File jucheck.exe.vir received on 2010.01.21 17:59:22 (UTC)

Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.01.21 -
AhnLab-V3 5.0.0.2 2010.01.21 -
AntiVir 7.9.1.146 2010.01.21 -
Antiy-AVL 2.0.3.7 2010.01.21 -
Authentium 5.2.0.5 2010.01.21 -
Avast 4.8.1351.0 2010.01.21 -
AVG 9.0.0.730 2010.01.21 -
BitDefender 7.2 2010.01.21 -
CAT-QuickHeal 10.00 2010.01.21 -
ClamAV 0.94.1 2010.01.21 -
Comodo 3659 2010.01.21 -
DrWeb 5.0.1.12222 2010.01.21 -
eSafe 7.0.17.0 2010.01.20 -
eTrust-Vet 35.2.7250 2010.01.21 -
F-Prot 4.5.1.85 2010.01.20 -
F-Secure 9.0.15370.0 2010.01.21 -
Fortinet 4.0.14.0 2010.01.21 -
GData 19 2010.01.21 -
Ikarus T3.1.1.80.0 2010.01.21 -
Jiangmin 13.0.900 2010.01.21 -
K7AntiVirus 7.10.951 2010.01.20 -
Kaspersky 7.0.0.125 2010.01.21 -
McAfee 5867 2010.01.20 -
McAfee+Artemis 5867 2010.01.20 -
McAfee-GW-Edition 6.8.5 2010.01.21 -
Microsoft 1.5302 2010.01.21 -
NOD32 4791 2010.01.20 -
Norman 6.04.03 2010.01.20 -
nProtect 2009.1.8.0 2010.01.21 -
Panda 10.0.2.2 2010.01.21 -
PCTools 7.0.3.5 2010.01.21 -
Prevx 3.0 2010.01.21 -
Rising 22.31.03.04 2010.01.21 -
Sophos 4.50.0 2010.01.21 -
Sunbelt 3.2.1858.2 2010.01.21 -
Symantec 20091.2.0.41 2010.01.21 -
TheHacker 6.5.0.8.157 2010.01.21 -
TrendMicro 9.120.0.1004 2010.01.21 -
VBA32 3.12.12.1 2010.01.20 -
ViRobot 2010.1.21.2148 2010.01.21 -
VirusBuster 5.0.21.0 2010.01.20 -

Additional information
File size: 386872 bytes
MD5...: 6dfdf0a116e92646b883af52ae5a2b15
SHA1..: a9fa8496669d64dc958e1fae3b4d8d39103f290f
SHA256: b8c4c25ffa97d58481080f76e5a6068cc5a0920d383fd4e8d04252774b040660
ssdeep: 3072:pThPyI+3323/KT7khkrk87t1ftayD78yRFMFlnhwz0YlezPawSP7MSpLfxvCmVlI:Z3K3/B1fr7jMF9hPzywSY8aQo
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x14af9
timedatestamp.....: 0x4ad1aecd (Sun Oct 11 10:09:17 2009)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x1e485 0x1f000 6.47 dd4c74bb7d0e95f6a032ee0e79aaa004
.rdata 0x20000 0x7b6c 0x8000 5.27 173ef584472f625a0d81a18d6e4faae0
.data 0x28000 0x31d8 0x2000 2.75 03eb65c744db87fc862947ea0818bc79
.rsrc 0x2c000 0x32e48 0x33000 6.30 5858b850e2ea3d73f0f2f1b847b054fd

( 13 imports )
> ADVAPI32.dll: RegDeleteKeyA, RegCreateKeyExA, RegDeleteValueA, RegCloseKey, RegOpenKeyExA, RegQueryInfoKeyA, RegEnumKeyExA, RegSetValueExA, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, RegQueryValueExA, RegEnumKeyA, CryptDestroyHash, CryptGetHashParam, CryptHashData, CryptReleaseContext, CryptCreateHash, CryptAcquireContextA
> CRYPT32.dll: CertGetNameStringW, CertFindCertificateInStore, CryptMsgGetParam, CryptQueryObject, CryptMsgClose, CertCloseStore
> VERSION.dll: VerQueryValueA, GetFileVersionInfoA
> USER32.dll: IsWindowUnicode, ReleaseCapture, SetCapture, FillRect, GetClientRect, MapDialogRect, SetWindowContextHelpId, GetWindowRect, PtInRect, SetCursor, GetDlgCtrlID, LoadBitmapA, EnableWindow, EndDialog, RegisterClassA, ShowWindow, PostQuitMessage, CreatePopupMenu, AppendMenuA, GetCursorPos, SetForegroundWindow, TrackPopupMenu, PostMessageA, GetSystemMetrics, LoadImageA, DialogBoxIndirectParamA, RegisterWindowMessageA, GetWindowTextLengthA, GetWindowTextA, SetWindowTextA, RegisterClassExA, GetDC, UnregisterClassA, MessageBoxA, LoadStringA, CharNextA, wsprintfA, GetDesktopWindow, PeekMessageA, DispatchMessageA, DispatchMessageW, TranslateMessage, GetMessageA, GetMessageW, GetSysColor, MsgWaitForMultipleObjects, ReleaseDC, SetWindowLongA, InvalidateRect, InvalidateRgn, CallWindowProcA, EndPaint, BeginPaint, SetFocus, GetWindow, IsChild, GetFocus, DestroyAcceleratorTable, GetWindowLongA, DefWindowProcA, GetClassInfoExA, LoadCursorA, CreateWindowExA, CreateAcceleratorTableA, GetParent, GetClassNameA, SetWindowPos, DestroyWindow, RedrawWindow, GetDlgItem, IsWindow, SendMessageA
> GDI32.dll: StretchBlt, SetTextColor, SaveDC, SetGraphicsMode, ModifyWorldTransform, SetViewportOrgEx, SetWindowOrgEx, DPtoLP, CreateFontIndirectA, RestoreDC, CreateSolidBrush, GetStockObject, GetObjectA, GetDeviceCaps, BitBlt, CreateCompatibleDC, CreateCompatibleBitmap, DeleteDC, SelectObject, DeleteObject, SetBkMode
> COMCTL32.dll: -
> WINTRUST.dll: WinVerifyTrust
> WININET.dll: InternetErrorDlg, InternetTimeToSystemTime, InternetReadFile, HttpAddRequestHeadersA, InternetOpenA, InternetCrackUrlA, InternetConnectA, HttpOpenRequestA, InternetTimeFromSystemTime, InternetGetConnectedState, InternetCloseHandle, HttpQueryInfoA, HttpSendRequestA
> urlmon.dll: URLDownloadToFileA
> SHELL32.dll: ShellExecuteA, Shell_NotifyIconA
> KERNEL32.dll: FreeEnvironmentStringsA, UnhandledExceptionFilter, GetStdHandle, GetCPInfo, GetOEMCP, GetTimeZoneInformation, SetUnhandledExceptionFilter, TlsGetValue, TlsSetValue, TlsFree, TlsAlloc, HeapSize, CompareStringW, IsBadWritePtr, HeapCreate, HeapDestroy, ExitProcess, GetStartupInfoA, GetSystemTimeAsFileTime, HeapReAlloc, VirtualQuery, SetEnvironmentVariableA, RtlUnwind, GetEnvironmentStrings, VirtualAlloc, VirtualFree, IsProcessorFeaturePresent, HeapAlloc, GetProcessHeap, HeapFree, InterlockedCompareExchange, CreatePipe, SetHandleInformation, ReadFile, GetCurrentProcessId, GetTickCount, SystemTimeToTzSpecificLocalTime, LocalFree, GetEnvironmentVariableA, GetTempPathA, GetSystemInfo, LoadLibraryA, OpenEventA, GetProcAddress, GetSystemTime, CreateEventA, CreateThread, ResetEvent, WaitForMultipleObjects, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, GetFileType, QueryPerformanceCounter, IsBadReadPtr, IsBadCodePtr, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, SetStdHandle, FlushFileBuffers, CompareStringA, VirtualProtect, TerminateProcess, SetEvent, LockResource, GlobalHandle, GlobalFree, SetLastError, GlobalLock, GlobalUnlock, MulDiv, GetCurrentThreadId, FormatMessageA, DeleteFileA, CreateProcessA, GetExitCodeProcess, GlobalAlloc, GetCurrentProcess, FlushInstructionCache, LeaveCriticalSection, EnterCriticalSection, lstrcpyA, lstrcatA, CreateFileA, InterlockedExchange, GetACP, GetLocaleInfoA, GetThreadLocale, GetVersionExA, RaiseException, InitializeCriticalSection, DeleteCriticalSection, CloseHandle, GetLastError, CreateMutexA, lstrcmpiA, GetCommandLineA, InterlockedIncrement, InterlockedDecrement, lstrlenW, GetModuleHandleA, MultiByteToWideChar, lstrlenA, GetModuleFileNameA, WideCharToMultiByte, FreeLibrary, SizeofResource, LoadResource, FindResourceA, LoadLibraryExA, lstrcpynA, IsDBCSLeadByte, lstrcmpA, WriteFile, WaitForSingleObject, SetEndOfFile, SetFilePointer, CompareFileTime, SystemTimeToFileTime, Sleep, FileTimeToSystemTime, GetFileTime, GetFileSize
> ole32.dll: OleUninitialize, OleInitialize, CLSIDFromString, CLSIDFromProgID, CoGetClassObject, CreateStreamOnHGlobal, OleLockRunning, StringFromCLSID, CoInitializeSecurity, CoTaskMemRealloc, CoTaskMemAlloc, CoTaskMemFree, CoCreateInstance, CoInitialize, CoUninitialize, StringFromGUID2
> OLEAUT32.dll: -, -, -, -, -, -, -, -, -, -, -

( 0 exports )
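The two listings above are the multi-engine verdict tables that a triage step reads: not just how many engines flag a file, but what class of detection they report. A few engines naming a process-killing utility or a "potentially unwanted program" on an unsigned command-line tool is a very different signal from a consensus malware family name. The following Python script is an added example, not part of this thread and not VirusTotal's own tooling; it parses rows in the pasted "Antivirus Version Last Update Result" format, separates clean verdicts ("-") from detections, and buckets the detections. The keyword list used for bucketing and the sample rows (a constructed subset of the Process.exe.vir table above) are assumptions made for illustration.

```python
"""Triage a pasted VirusTotal engine listing (added example, not from the thread)."""
import re
from collections import Counter
from dataclasses import dataclass

# One row per engine: engine name, engine version, signature date, result text.
# Header lines such as "Antivirus Version Last Update Result" fail the date match.
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.*?)\s*$")

# Result substrings that usually denote a dual-use tool or PUP rather than a
# malware family. This list is an assumption for illustration, not VirusTotal's.
PUP_KEYWORDS = ("tool", "potentially unwanted", "pup", "riskware",
                "not-a-virus", "aplicacion", "application", "unwanted")


@dataclass
class Verdict:
    engine: str
    version: str
    updated: str
    result: str  # "-" means the engine reported the file clean

    @property
    def detected(self) -> bool:
        return self.result != "-"

    @property
    def category(self) -> str:
        """clean / heuristic / pup / named, judged from the result text only."""
        if not self.detected:
            return "clean"
        r = self.result.lower()
        if r.startswith("heuristic") or "behaveslike" in r:
            return "heuristic"
        if any(k in r for k in PUP_KEYWORDS):
            return "pup"
        return "named"


def parse_listing(text: str) -> list:
    """Parse engine rows from a pasted listing; non-row lines are skipped."""
    verdicts = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            verdicts.append(Verdict(*m.groups()))
    return verdicts


def summarize(verdicts: list) -> dict:
    """Detection ratio, per-category counts and the names each engine assigned."""
    detected = [v for v in verdicts if v.detected]
    return {
        "engines": len(verdicts),
        "detections": len(detected),
        "ratio": f"{len(detected)}/{len(verdicts)}",
        "by_category": dict(Counter(v.category for v in verdicts)),
        "names": {v.engine: v.result for v in detected},
    }


# Constructed subset of the Process.exe.vir rows pasted above.
SAMPLE = """\
Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.01.21 -
DrWeb 5.0.1.12222 2010.01.21 Tool.Prockill
Kaspersky 7.0.0.125 2010.01.21 -
McAfee 5867 2010.01.20 potentially unwanted program PrcViewer
McAfee-GW-Edition 6.8.5 2010.01.21 Heuristic.BehavesLike.Win32.Dropper.L
NOD32 4791 2010.01.20 Win32/PrcView
TheHacker 6.5.0.8.157 2010.01.21 Aplicacion/Processor.20
"""

if __name__ == "__main__":
    print(summarize(parse_listing(SAMPLE)))
```

The "named" bucket is deliberately conservative: anything that is not obviously heuristic or tool-class keeps its family name and should be read by a human. On the sample rows the script reports 5 detections out of 7 engines, three of them tool/PUP-class, which is the pattern of a legitimate but dual-use utility rather than an info stealer.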



#8 Farbar
  • Just Curious
  • Security Developer
  • 21,688 posts
  • Location:The Netherlands

Posted 21 January 2010 - 02:27 PM

You are welcome.

You probably have used the SmitfraudFix tool, haven't you?

Anyway, they are much less harmful than they looked. Besides Malwarebytes we used some top scanners and there seems to be nothing on your computer to support the idea of a serious infection or a password or info stealer.

Go to Start => Run => copy and paste the next command in the field, then hit Enter:

ComboFix /Uninstall

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

It makes a clean Restore Point and clears all the old restore points in order to prevent possible reinfection from an old one through System Restore.

Do you have any questions before we close?




#9 mariska
  • Topic Starter
  • Members
  • 86 posts
  • Location:Turku

Posted 21 January 2010 - 02:54 PM

Hi Farbar, thanks again for all your help, you guys and gals are doing a great job!!
Yes, I have used SFF once a long time ago... relief to hear that I'm not infected... so it appears it must have been the "financially challenged waiter with a gambling problem"... well, people like that get what's coming to them.
I don't think I've got anything to add to that apart from keep up the good work.

Case closed.
Mariska.

#10 Farbar
  • Just Curious
  • Security Developer
  • 21,688 posts
  • Location:The Netherlands

Posted 21 January 2010 - 04:25 PM

You are most welcome and thanks for your kind words, Mariska.

This thread will now be closed since the issue seems to be resolved.

If you should have a new issue, please start a new topic.



