
combofix log


  • This topic is locked
22 replies to this topic

#1 iamnovice

iamnovice

  • Members
  • 16 posts
  • OFFLINE
  • Local time:05:43 PM

Posted 21 February 2010 - 08:28 PM

hi, good day to all. well, i think a virus disabled my antivirus because when i tried installing a new antivirus, it's not working. i mean, the exe file loads but closes after. i've been having this problem for at least a week now.

i tried searching the net and found out that many are going through with the same problem as i am, and also, have seen recommendations to download combofix then post the log report, thus, i searched for combofix program. however, I saw that it must not be run unless told by an expert.

well, no one told me to run it,but knowing i have the same problem like the others and the recommendations i saw were to run the combofix, in my initiative, i did it.

here's the log report, pls help me... tnx



ComboFix 10-02-21.02 - OWNER 02/22/2010 20:13:43.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.707 [GMT -8:00]
Running from: c:\documents and settings\OWNER\Desktop\ComboFix.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\AutoRun.inf
c:\windows\system32\stacsv.exe

.
((((((((((((((((((((((((( Files Created from 2010-01-23 to 2010-02-23 )))))))))))))))))))))))))))))))
.

2010-02-22 11:12 . 2010-02-22 11:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Trymedia
2010-02-22 11:11 . 2010-02-22 11:12 -------- d-----w- c:\program files\Google
2010-02-22 11:00 . 2010-02-22 11:00 -------- d-----w- c:\program files\RealArcade
2010-02-22 06:21 . 2010-02-22 06:21 -------- d-----w- c:\program files\Yahoo!
2010-02-21 18:02 . 2010-02-21 18:03 -------- d-----w- c:\program files\Plants vs Zombies
2010-02-21 18:02 . 2010-02-21 18:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Reflexive
2010-02-21 18:02 . 2010-02-21 18:02 -------- d-----w- c:\program files\ReflexiveArcade
2010-02-16 18:19 . 2010-02-16 18:19 -------- d-----w- c:\documents and settings\All Users\Application Data\MSScanAppDataDir
2010-02-16 17:55 . 2001-08-18 06:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2010-02-16 17:55 . 2004-08-04 08:56 159232 ----a-w- c:\windows\system32\ptpusd.dll
2010-02-16 10:16 . 2010-02-19 10:56 1901 ----a-w- c:\windows\panose.bin
2010-02-16 06:07 . 2010-02-16 06:07 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2010-02-16 06:07 . 2010-02-16 06:07 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2010-02-16 06:06 . 2010-02-16 06:06 -------- d-----w- c:\program files\Kaspersky Lab
2010-02-16 06:06 . 2010-02-16 06:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-01-29 00:21 . 2010-01-29 00:21 -------- d-----w- C:\lj1010seriesprintsys
2010-01-27 13:04 . 2010-01-27 13:18 -------- d-----w- C:\UniScan
2010-01-27 13:04 . 2007-01-17 09:21 622592 ----a-r- c:\windows\system32\hpxp2436.dll
2010-01-27 13:04 . 2007-01-17 09:19 438272 ----a-r- c:\windows\system32\hp2436co.dll
2010-01-27 13:04 . 2007-01-17 09:18 413696 ----a-r- c:\windows\system32\hpgt2436.dll
2010-01-27 13:04 . 2004-08-04 06:58 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2010-01-27 13:04 . 2004-08-04 06:58 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2010-01-27 12:47 . 2010-01-27 12:47 -------- d-----w- c:\program files\DIFX
2010-01-27 07:44 . 2010-01-27 07:44 -------- d-----w- c:\program files\RocketDock
2010-01-27 07:39 . 2010-01-27 17:38 -------- d-----w- c:\program files\Webshots
2010-01-27 07:39 . 2000-09-13 18:52 106496 ----a-w- c:\windows\WebshotsUninstall.exe
2010-01-27 07:39 . 2000-09-13 18:51 684032 ----a-w- c:\windows\Webshots.scr
2010-01-26 02:48 . 2004-08-04 07:08 26496 -c--a-w- c:\windows\system32\dllcache\usbstor.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-16 10:05 . 2010-02-16 10:05 -------- d-----w- c:\program files\Common Files\Vbox
2010-02-16 10:05 . 2010-01-18 00:42 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-27 07:44 . 2010-01-18 00:36 63200 ----a-w- c:\documents and settings\OWNER\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-26 18:38 . 2010-01-18 00:15 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-01-18 00:49 . 2010-01-18 00:49 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink
2010-01-18 00:48 . 2010-01-18 00:48 -------- d-----w- c:\documents and settings\OWNER\Application Data\CyberLink
2010-01-18 00:45 . 2010-01-18 00:31 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-18 00:44 . 2010-01-18 00:40 -------- d-----w- c:\program files\CyberLink DVD Solution
2010-01-18 00:42 . 2010-01-18 00:42 -------- d-----w- c:\documents and settings\OWNER\Application Data\InterTrust
2010-01-18 00:41 . 2010-01-18 00:41 -------- d-----w- c:\program files\Ahead
2010-01-18 00:41 . 2010-01-18 00:41 -------- d-----w- c:\program files\Common Files\Ahead
2010-01-18 00:40 . 2010-01-18 00:40 -------- d-----w- c:\program files\CyberLink
2010-01-18 00:39 . 2010-01-18 00:24 -------- d-----w- c:\program files\Common Files\InstallShield
2010-01-18 00:37 . 2010-01-18 00:37 -------- d-----w- c:\program files\Common Files\L&H
2010-01-18 00:37 . 2010-01-18 00:37 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-01-18 00:37 . 2010-01-18 00:37 -------- d-----w- c:\program files\Microsoft Works
2010-01-18 00:36 . 2010-01-18 00:36 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA
2010-01-18 00:32 . 2010-01-18 00:31 -------- d-----w- c:\program files\IDT
2010-01-18 00:30 . 2010-01-18 00:30 -------- d-----w- c:\program files\Intel
2010-01-18 00:16 . 2010-01-18 00:16 -------- d-----w- c:\program files\microsoft frontpage
2010-01-18 00:13 . 2010-01-18 00:13 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2004-10-01 23:00 . 2010-01-18 00:40 110592 ----a-w- c:\program files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-19 7700480]
"nwiz"="nwiz.exe" [2007-04-19 1699840]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-19 86016]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2007-12-14 495616]
"RemoteControl"="c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-03 102400]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 237568]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 208896]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 229376]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 208896]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 126976]

c:\documents and settings\OWNER\Start Menu\Programs\Startup\
Webshots.lnk - c:\program files\Webshots\WebshotsTray.exe [2010-1-26 266240]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 288344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\NeroCheck.exe"=
"c:\\WINDOWS\\system32\\nwiz.exe"=
"c:\\Program Files\\IDT\\WDM\\sttray.exe"=
"c:\\Program Files\\Webshots\\WebshotsTray.exe"=
"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqSTE08.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"=
"c:\\Program Files\\CyberLink DVD Solution\\PowerDVD\\PDVDServ.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\WINDOWS\\system32\\netsh.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [10/14/2009 9:18 PM 36880]
R2 TeamViewer4;TeamViewer 4;c:\program files\TeamViewer\Version4\TeamViewer_Service.exe [8/24/2009 6:51 AM 185640]
R3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\fqnlet.sys --> c:\windows\system32\drivers\fqnlet.sys [?]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [9/14/2009 2:42 PM 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [10/2/2009 7:39 PM 19472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2004-04-22 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClick.exe [2007-12-21 22:17]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\OWNER\Application Data\Mozilla\Firefox\Profiles\ofvznqpf.default\
FF - component: c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-PowerBar - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-22 20:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3256)
c:\program files\RocketDock\RocketDock.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\igfxsrvc.exe
c:\program files\idt\ecsxpv_5762_010208\wdm\STacSV.exe
c:\windows\system32\wscntfy.exe
c:\program files\TeamViewer\Version4\TeamViewer.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
.
**************************************************************************
.
Completion time: 2010-02-22 20:19:32 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-23 04:19

Pre-Run: 12,078,182,400 bytes free
Post-Run: 12,160,319,488 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 532B578508EE8A307F1C6816FD07EDD3





---------------------

i also downloaded malwarebytes and tried to scan my computer and i found out that there are 5 infected... i removed the files through malwarebytes and tried again to install a free antivirus but it did not load.. here's the log report

Malwarebytes' Anti-Malware 1.44
Database version: 3772
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

2/22/2010 9:11:06 PM
mbam-log-2010-02-22 (21-10-57).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 145679
Time elapsed: 18 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
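The two logs above point at the same thing: the ComboFix "Reg Loading Points" section lists policy and Security Center values that turn off Task Manager, regedit, the firewall and the antivirus/firewall warnings, and Malwarebytes flags those same values (Disabled.SecurityCenter, Hijack.Regedit, Hijack.TaskManager) without touching the driver entry `abp470n5` that ComboFix shows with a `\??\` path and `[?]` in place of a date and size. As an added example (not code from the forum post, from ComboFix or from Malwarebytes), here is a small Python parser that reads a ComboFix excerpt and flags exactly those indicators. The sample excerpt is constructed from the entries quoted in the thread; the reading of `[?]` as "ComboFix could not find the file on disk" is an assumption about the tool's output format, not something the thread states.

```python
"""Flag security-tampering indicators in a ComboFix log excerpt.

Added example; not code from ComboFix, Malwarebytes or the forum post.
The sample excerpt below is constructed from the entries quoted in the
thread, and treating '[?]' as "file not found on disk" is an assumption
about ComboFix's output format.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: a few lines of the 'Reg Loading Points' section plus two
# driver entries, laid out the way ComboFix prints them.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [10/14/2009 9:18 PM 36880]
R3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\fqnlet.sys --> c:\windows\system32\drivers\fqnlet.sys [?]
"""

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]\s*$')
# "Name"= 1 (0x1)   or   "Name"=dword:00000001
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?:dword:(?P<hex>[0-9A-Fa-f]{8})|(?P<dec>\d+))')
# R3 name;display name;image path [date time size]
SERVICE_RE = re.compile(r'^(?P<start>[RS][0-4]) (?P<name>[^;]+);(?P<desc>[^;]*);(?P<image>.+)$')

# (key fragment, value name, value that indicates tampering, explanation)
TAMPER_RULES: List[Tuple[str, str, int, str]] = [
    ("policies\\system", "DisableTaskMgr", 1, "Task Manager disabled by policy"),
    ("policies\\system", "DisableRegistryTools", 1, "Registry Editor disabled by policy"),
    ("security center", "AntiVirusOverride", 1, "Security Center told to ignore antivirus state"),
    ("security center", "FirewallOverride", 1, "Security Center told to ignore firewall state"),
    ("security center", "AntiVirusDisableNotify", 1, "antivirus warnings suppressed"),
    ("security center", "FirewallDisableNotify", 1, "firewall warnings suppressed"),
    ("security center", "UpdatesDisableNotify", 1, "Windows Update warnings suppressed"),
    ("firewallpolicy\\standardprofile", "EnableFirewall", 0, "Windows Firewall switched off"),
]
# "EnableLUA"= 0 is the normal state on Windows XP (there is no UAC), so it is
# deliberately not a rule here.


def parse_registry_values(text: str) -> List[Tuple[str, str, int]]:
    """Return (key, value_name, numeric_value) for every numeric value line."""
    out: List[Tuple[str, str, int]] = []
    current_key = ""
    for line in text.splitlines():
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group("key")
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current_key:
            hex_part = value_match.group("hex")
            value = int(hex_part, 16) if hex_part is not None else int(value_match.group("dec"))
            out.append((current_key, value_match.group("name"), value))
    return out


def parse_services(text: str) -> List[Dict[str, str]]:
    """Return the driver/service lines (R0..R4, S0..S4) as dicts."""
    return [m.groupdict() for m in map(SERVICE_RE.match, text.splitlines()) if m]


def scan_combofix(text: str) -> List[Dict[str, object]]:
    """Apply the tamper rules and the driver heuristics; return one dict per finding."""
    findings: List[Dict[str, object]] = []
    for key, name, value in parse_registry_values(text):
        for fragment, rule_name, bad_value, why in TAMPER_RULES:
            if fragment in key.lower() and name.lower() == rule_name.lower() and value == bad_value:
                findings.append({"type": "registry", "where": f"{key}\\{name}", "value": value, "why": why})
    for svc in parse_services(text):
        image = svc["image"]
        reasons = []
        if image.endswith("[?]"):
            reasons.append("no file found on disk for this driver (ComboFix prints [?] instead of date and size)")
        if image.startswith("\\??\\"):
            # Some legitimate third-party drivers register this way too, so this
            # alone is a prompt to look, not a verdict.
            reasons.append("image path uses the NT object prefix (\\??\\) rather than a plain drive path")
        if reasons:
            findings.append({"type": "service", "where": svc["name"], "start": svc["start"], "why": "; ".join(reasons)})
    return findings


if __name__ == "__main__":
    for finding in scan_combofix(SAMPLE_LOG):
        print(f"[{finding['type']}] {finding['where']}: {finding['why']}")
```

Run against the sample it reports the five policy and Security Center values and the `abp470n5` driver; the Kaspersky boot-guard driver on the line above it, which has a real path, date and size, passes. The rule table is deliberately narrow: it only names values the thread itself shows, and a reader would extend it with whatever their own logs contain.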



#2 maranatha

maranatha

    Whats That !


  • Malware Response Team
  • 1,229 posts
  • OFFLINE
  • Gender:Male
  • Location:Seattle Washington
  • Local time:03:43 PM

Posted 24 February 2010 - 12:53 AM

Hi iamnovice

I'm afraid I have some bad news.

A file comes back as the Sality Virus

abp470n5
http://www.ca.com/us/securityadvisor/virus...s.aspx?id=74007
Sality is a file infector in the same line as Virut.

Lets verify this to make sure.

Please do this.

Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box at the top of the page:
  • c:\windows\system32\drivers\fqnlet.sys
  • Click on the submit button
  • Please post the results in your next reply.
Please visit Virustotal
  • Click the Browse... button
  • Navigate to the file c:\windows\system32\drivers\fqnlet.sys
  • Click the Open button
  • Click the Send button
  • Copy and paste the results back here please.
Now this one.

you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)
you will need to read the below information.

Virut, a polymorphic file infector with IRCBot functionality which infects .exe, .scr files, downloads more malicious files to your system, and opens a back door that compromises your computer.

With this particular infection, the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

Some variants can infect the HOSTS file and block access to security related web sites. Other variants of virut can even penetrate and infect .exe files within compressed files (.zip, .cab, rar). The Virux and Win32/Virut.17408 variants are an even more complex file infectors which can embed an iframe into the body of web-related files and infect script files (.php, .asp, .htm, .html, .xml). When Virut creates infected files, it also creates non-functional files that are corrupted beyond repair and in some instances can disable Windows File Protection. In many cases the infected files cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files become corrupted and the system may become irreparable. The longer virut remains on a computer, the more critical system files will become infected and corrupt so the degree of infection can vary.

QUOTE
The virus disables Windows File Protection by injecting code into the "winlogon.exe" process that patches system code in memory.
CA Virus detail of W32/Virut

QUOTE
The virus has a number of bugs in its code, and as a result it may misinfect a proportion of executable files....some W32/Virut.h infections are corrupted beyond repair.
McAfee Risk Assessment and Overview of W32/Virut

QUOTE
There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus...Due to the damaged caused to files by virut it's possible to find repaired but corrupted files. They became corrupted by the incorrect writing of the viral code during the process of infection. undetected, corrupted files (possibly still containing part of the viral code) can also be found. this is caused by incorrectly written and non-function viral code present in these files.
AVG Overview of W32/Virut

This kind of infection is often contracted and spread by visiting remote, crack and keygen sites. These type of sites are infested with a smörgåsbord of malware and a major source of system infection.

QUOTE
...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...
Keygen and Crack Sites Distribute VIRUX and FakeAV

However, the CA Security Advisor Research Blog have found MySpace user pages carrying the malicious Virut URL. Either way you can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the OS.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:

Since virut is not effectively disinfectable, your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. In many cases the infected files cannot be deleted and anti-malware scanners cannot disinfect them properly. Many experts in the security community believe that once infected with this type of malware, the best course of action is to reformat and reinstall the OS. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Please read:

Please post the results.

Thanks
maranatha

Edited by maranatha, 24 February 2010 - 12:56 AM.

Windows7 Professional 64 Bit

 

I'm going in the wrong direction to be in a hurry!




My help is always free, But I do accept donations.
Donate Here


#3 iamnovice

iamnovice
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:05:43 PM

Posted 24 February 2010 - 09:56 PM

tnx very much for your reply.

sighhh...

i think, this virus has infected most of my system...

i cannot open the sites you've provided, i think the virus is preventing them from opening.

this is a total mess....

can this virus infect my files?

-----

i think, this is really a sality virus from one of the flash drive of those who used my pc.

ill try to download dr web cure it from other comp and copy it here.

Edited by iamnovice, 24 February 2010 - 10:24 PM.


#4 maranatha

maranatha

    Whats That !


  • Malware Response Team
  • 1,229 posts
  • OFFLINE
  • Gender:Male
  • Location:Seattle Washington
  • Local time:03:43 PM

Posted 24 February 2010 - 10:33 PM

Hi
QUOTE
can this virus infect my files?

I'm afraid so, Sality and Virut are some bad infections

QUOTE
from one of the flash drive of those who used my pc.

If you know this person you need to let them know so they don't infect someone else.

QUOTE
ill try to download dr web cure it from other comp and copy it here.

OK let me know what happens.

maranatha



#5 iamnovice

iamnovice
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:05:43 PM

Posted 25 February 2010 - 12:08 AM

ive downloaded the file from a different website successfully..

however, when i tried going to safemode, i cannot enter.

i mean, when i pressed enter to enter to 'safemode', my pc reboots and then i return to the same page again (the black page with different options like, safemode, safemode with command prompt, normal, etc).

i tried going to 'normal' then pressed enter, and i successfully entered to the normal window. but whenever i try entering to safemode, i cannot enter.

what shall i do?

tnx again

#6 maranatha

maranatha

    Whats That !


  • Malware Response Team
  • 1,229 posts
  • OFFLINE
  • Gender:Male
  • Location:Seattle Washington
  • Local time:03:43 PM

Posted 25 February 2010 - 12:11 AM

Hi
See if it will run in normal mode.

maranatha



#7 iamnovice

iamnovice
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:05:43 PM

Posted 25 February 2010 - 12:15 AM

hello,

you mean the program?

here's a detail on what happened:

so after i pressed f8, i was at a blank window, with different options... i have chosen safemode. then it loads and i'm presented with 2 options again:

windows recovery console
windows xp...

i chose windows xp and i returned to the earlier page where there are many options to choose from

#8 maranatha

maranatha

    Whats That !


  • Malware Response Team
  • 1,229 posts
  • OFFLINE
  • Gender:Male
  • Location:Seattle Washington
  • Local time:03:43 PM

Posted 25 February 2010 - 12:20 AM

Hi
Yes I mean the program, Dr Web CureIt. See if it will run in normal mode.



#9 iamnovice

iamnovice
  • Topic Starter

  • Members
  • 16 posts
  •  
  • Local time:05:43 PM

Posted 25 February 2010 - 12:22 AM

a message appears saying an error is encountered...

lemme try to download another one.. it wont take long

thnx again for your time and for sharing your expertise

#10 iamnovice

iamnovice
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:05:43 PM

Posted 25 February 2010 - 12:37 AM

hi again,

well, i downloaded another one, and tried to run it... it doesn't run.

Edited by iamnovice, 25 February 2010 - 12:38 AM.


#11 maranatha

maranatha

    Whats That !


  • Malware Response Team
  • 1,229 posts
  • OFFLINE
  • Gender:Male
  • Location:Seattle Washington
  • Local time:03:43 PM

Posted 25 February 2010 - 01:08 AM

Hi
OK lets see if you can do this,

Download ComboFix from Here

Before saving it rename it to Mobofcix.exe then download it to your Desktop.

Please run it this way.

It's best to disable realtime protection applications as they sometimes interfere with the tool.
Check this link for any applicable programs you may have.
  • Close all open programs and windows
  • Double click Mobofcix.exe and follow the prompts.
  • Vista users right click Mobofcix.exe and select Run As Administrator.
  • When finished, it shall produce a log for you. Post the Combofix log
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

If you are prompted to install the Recovery Console, Please do so.

Thanks
maranatha



#12 iamnovice

iamnovice
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:05:43 PM

Posted 25 February 2010 - 01:25 AM

hi maranatha,

As instructed... here's the report:

ComboFix 10-02-24.01 - OWNER 02/26/2010 2:21.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.710 [GMT -8:00]
Running from: c:\documents and settings\OWNER\Desktop\Mobofcix.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ABP470N5
-------\Service_abp470n5


((((((((((((((((((((((((( Files Created from 2010-01-26 to 2010-02-26 )))))))))))))))))))))))))))))))
.

2010-02-23 08:45 . 2010-02-23 08:45 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-02-23 05:15 . 2010-02-23 05:15 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-02-23 05:13 . 2010-02-23 05:13 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-02-23 05:09 . 2010-02-26 10:16 -------- d-----w- c:\documents and settings\OWNER\Local Settings\Application Data\Google
2010-02-23 04:48 . 2010-02-23 04:48 -------- d-----w- c:\documents and settings\OWNER\Application Data\Malwarebytes
2010-02-23 04:48 . 2010-01-08 00:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-23 04:48 . 2010-02-23 04:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-23 04:48 . 2010-02-23 04:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-23 04:48 . 2010-01-08 00:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-22 11:12 . 2010-02-22 11:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Trymedia
2010-02-22 11:11 . 2010-02-23 05:13 -------- d-----w- c:\program files\Google
2010-02-22 11:00 . 2010-02-22 11:00 -------- d-----w- c:\program files\RealArcade
2010-02-22 06:21 . 2010-02-22 06:21 -------- d-----w- c:\program files\Yahoo!
2010-02-21 18:02 . 2010-02-21 18:03 -------- d-----w- c:\program files\Plants vs Zombies
2010-02-21 18:02 . 2010-02-21 18:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Reflexive
2010-02-21 18:02 . 2010-02-21 18:02 -------- d-----w- c:\program files\ReflexiveArcade
2010-02-16 18:19 . 2010-02-16 18:19 -------- d-----w- c:\documents and settings\All Users\Application Data\MSScanAppDataDir
2010-02-16 17:55 . 2001-08-18 06:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2010-02-16 17:55 . 2004-08-04 08:56 159232 ----a-w- c:\windows\system32\ptpusd.dll
2010-02-16 10:16 . 2010-02-26 09:49 1901 ----a-w- c:\windows\panose.bin
2010-02-16 06:07 . 2010-02-16 06:07 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2010-02-16 06:07 . 2010-02-16 06:07 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2010-02-16 06:06 . 2010-02-16 06:06 -------- d-----w- c:\program files\Kaspersky Lab
2010-02-16 06:06 . 2010-02-16 06:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-01-29 00:21 . 2010-01-29 00:21 -------- d-----w- C:\lj1010seriesprintsys
2010-01-27 13:04 . 2010-01-27 13:18 -------- d-----w- C:\UniScan
2010-01-27 13:04 . 2007-01-17 09:21 622592 ----a-r- c:\windows\system32\hpxp2436.dll
2010-01-27 13:04 . 2007-01-17 09:19 438272 ----a-r- c:\windows\system32\hp2436co.dll
2010-01-27 13:04 . 2007-01-17 09:18 413696 ----a-r- c:\windows\system32\hpgt2436.dll
2010-01-27 13:04 . 2004-08-04 06:58 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2010-01-27 13:04 . 2004-08-04 06:58 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2010-01-27 12:47 . 2010-01-27 12:47 -------- d-----w- c:\program files\DIFX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-16 10:05 . 2010-02-16 10:05 -------- d-----w- c:\program files\Common Files\Vbox
2010-02-16 10:05 . 2010-01-18 00:42 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-27 17:38 . 2010-01-27 07:39 -------- d-----w- c:\program files\Webshots
2010-01-27 07:44 . 2010-01-18 00:36 63200 ----a-w- c:\documents and settings\OWNER\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-27 07:44 . 2010-01-27 07:44 -------- d-----w- c:\program files\RocketDock
2010-01-26 18:38 . 2010-01-18 00:15 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-01-18 00:49 . 2010-01-18 00:49 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink
2010-01-18 00:48 . 2010-01-18 00:48 -------- d-----w- c:\documents and settings\OWNER\Application Data\CyberLink
2010-01-18 00:45 . 2010-01-18 00:31 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-18 00:44 . 2010-01-18 00:40 -------- d-----w- c:\program files\CyberLink DVD Solution
2010-01-18 00:42 . 2010-01-18 00:42 -------- d-----w- c:\documents and settings\OWNER\Application Data\InterTrust
2010-01-18 00:41 . 2010-01-18 00:41 -------- d-----w- c:\program files\Ahead
2010-01-18 00:41 . 2010-01-18 00:41 -------- d-----w- c:\program files\Common Files\Ahead
2010-01-18 00:40 . 2010-01-18 00:40 -------- d-----w- c:\program files\CyberLink
2010-01-18 00:39 . 2010-01-18 00:24 -------- d-----w- c:\program files\Common Files\InstallShield
2010-01-18 00:37 . 2010-01-18 00:37 -------- d-----w- c:\program files\Common Files\L&H
2010-01-18 00:37 . 2010-01-18 00:37 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-01-18 00:37 . 2010-01-18 00:37 -------- d-----w- c:\program files\Microsoft Works
2010-01-18 00:36 . 2010-01-18 00:36 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA
2010-01-18 00:32 . 2010-01-18 00:31 -------- d-----w- c:\program files\IDT
2010-01-18 00:30 . 2010-01-18 00:30 -------- d-----w- c:\program files\Intel
2010-01-18 00:16 . 2010-01-18 00:16 -------- d-----w- c:\program files\microsoft frontpage
2010-01-18 00:13 . 2010-01-18 00:13 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2004-10-01 23:00 . 2010-01-18 00:40 110592 ----a-w- c:\program files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-02-23_04.17.02 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-26 10:24 . 2010-02-26 10:24 16384 c:\windows\temp\Perflib_Perfdata_f10.dat
- 2010-01-18 00:22 . 2010-02-23 04:17 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2010-01-18 00:22 . 2010-02-26 10:24 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2010-01-18 00:22 . 2010-02-23 04:17 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-01-18 00:22 . 2010-02-26 10:24 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-01-18 00:22 . 2010-02-26 10:24 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2010-01-18 00:22 . 2010-02-23 04:17 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2010-02-23 05:13 . 2010-02-23 05:13 22528 c:\windows\Installer\3408b6.msi
+ 2010-02-23 05:13 . 2010-02-23 05:13 24064 c:\windows\Installer\3408b1.msi
+ 2010-02-16 06:06 . 2009-10-14 19:12 315408 c:\windows\system32\drivers\klif.sys
- 2010-02-16 06:06 . 2010-02-16 06:06 315408 c:\windows\system32\drivers\klif.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 569344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-19 7700480]
"nwiz"="nwiz.exe" [2007-04-19 1699840]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-19 86016]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2007-12-14 495616]
"RemoteControl"="c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-03 102400]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 237568]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 208896]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 229376]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 208896]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 126976]

c:\documents and settings\OWNER\Start Menu\Programs\Startup\
Webshots.lnk - c:\program files\Webshots\WebshotsTray.exe [2010-1-26 266240]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 288344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\NeroCheck.exe"=
"c:\\WINDOWS\\system32\\nwiz.exe"=
"c:\\Program Files\\IDT\\WDM\\sttray.exe"=
"c:\\Program Files\\Webshots\\WebshotsTray.exe"=
"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqSTE08.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"=
"c:\\Program Files\\CyberLink DVD Solution\\PowerDVD\\PDVDServ.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\WINDOWS\\system32\\netsh.exe"=
"c:\\WINDOWS\\system32\\igfxpers.exe"=
"c:\\Program Files\\Google\\Update\\GoogleUpdate.exe"=
"c:\\WINDOWS\\system32\\igfxtray.exe"=
"c:\\WINDOWS\\system32\\hkcmd.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 2010\\klwtblfs.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [10/14/2009 9:18 PM 36880]
R2 TeamViewer4;TeamViewer 4;c:\program files\TeamViewer\Version4\TeamViewer_Service.exe [8/24/2009 6:51 AM 185640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [9/14/2009 2:42 PM 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [10/2/2009 7:39 PM 19472]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/22/2010 9:13 PM 205296]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2004-04-22 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClick.exe [2007-12-21 22:17]

2010-02-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-23 05:13]

2010-02-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-23 05:13]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\OWNER\Application Data\Mozilla\Firefox\Profiles\ofvznqpf.default\
FF - component: c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-26 02:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\idt\ecsxpv_5762_010208\wdm\STacSV.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\dwwin.exe
c:\windows\system32\wscntfy.exe
c:\program files\TeamViewer\Version4\TeamViewer.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
.
**************************************************************************
.
Completion time: 2010-02-26 02:27:06 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-26 10:27
ComboFix2.txt 2010-02-23 04:19

Pre-Run: 11,974,234,112 bytes free
Post-Run: 11,945,811,968 bytes free

- - End Of File - - F06DFF7D95BFED8A06EE8D719826E877




#13 maranatha

maranatha

    Whats That !


  • Malware Response Team
  • 1,229 posts
  • OFFLINE
  • Gender:Male
  • Location:Seattle Washington
  • Local time:03:43 PM

Posted 25 February 2010 - 08:00 AM

Hi
This is the log from the 2nd run of ComboFix; I need to see the first log.

Please go to C:\qoobox, open the folder, and post the contents of the ComboFix2.txt log file.

maranatha



#14 iamnovice

iamnovice
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:05:43 PM

Posted 25 February 2010 - 06:48 PM

hi maranatha,

here's the first one:

ComboFix 10-02-21.02 - OWNER 02/22/2010 20:13:43.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.707 [GMT -8:00]
Running from: c:\documents and settings\OWNER\Desktop\ComboFix.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\AutoRun.inf
c:\windows\system32\stacsv.exe

.
((((((((((((((((((((((((( Files Created from 2010-01-23 to 2010-02-23 )))))))))))))))))))))))))))))))
.

2010-02-22 11:12 . 2010-02-22 11:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Trymedia
2010-02-22 11:11 . 2010-02-22 11:12 -------- d-----w- c:\program files\Google
2010-02-22 11:00 . 2010-02-22 11:00 -------- d-----w- c:\program files\RealArcade
2010-02-22 06:21 . 2010-02-22 06:21 -------- d-----w- c:\program files\Yahoo!
2010-02-21 18:02 . 2010-02-21 18:03 -------- d-----w- c:\program files\Plants vs Zombies
2010-02-21 18:02 . 2010-02-21 18:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Reflexive
2010-02-21 18:02 . 2010-02-21 18:02 -------- d-----w- c:\program files\ReflexiveArcade
2010-02-16 18:19 . 2010-02-16 18:19 -------- d-----w- c:\documents and settings\All Users\Application Data\MSScanAppDataDir
2010-02-16 17:55 . 2001-08-18 06:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2010-02-16 17:55 . 2004-08-04 08:56 159232 ----a-w- c:\windows\system32\ptpusd.dll
2010-02-16 10:16 . 2010-02-19 10:56 1901 ----a-w- c:\windows\panose.bin
2010-02-16 06:07 . 2010-02-16 06:07 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2010-02-16 06:07 . 2010-02-16 06:07 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2010-02-16 06:06 . 2010-02-16 06:06 -------- d-----w- c:\program files\Kaspersky Lab
2010-02-16 06:06 . 2010-02-16 06:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-01-29 00:21 . 2010-01-29 00:21 -------- d-----w- C:\lj1010seriesprintsys
2010-01-27 13:04 . 2010-01-27 13:18 -------- d-----w- C:\UniScan
2010-01-27 13:04 . 2007-01-17 09:21 622592 ----a-r- c:\windows\system32\hpxp2436.dll
2010-01-27 13:04 . 2007-01-17 09:19 438272 ----a-r- c:\windows\system32\hp2436co.dll
2010-01-27 13:04 . 2007-01-17 09:18 413696 ----a-r- c:\windows\system32\hpgt2436.dll
2010-01-27 13:04 . 2004-08-04 06:58 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2010-01-27 13:04 . 2004-08-04 06:58 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2010-01-27 12:47 . 2010-01-27 12:47 -------- d-----w- c:\program files\DIFX
2010-01-27 07:44 . 2010-01-27 07:44 -------- d-----w- c:\program files\RocketDock
2010-01-27 07:39 . 2010-01-27 17:38 -------- d-----w- c:\program files\Webshots
2010-01-27 07:39 . 2000-09-13 18:52 106496 ----a-w- c:\windows\WebshotsUninstall.exe
2010-01-27 07:39 . 2000-09-13 18:51 684032 ----a-w- c:\windows\Webshots.scr
2010-01-26 02:48 . 2004-08-04 07:08 26496 -c--a-w- c:\windows\system32\dllcache\usbstor.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-16 10:05 . 2010-02-16 10:05 -------- d-----w- c:\program files\Common Files\Vbox
2010-02-16 10:05 . 2010-01-18 00:42 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-27 07:44 . 2010-01-18 00:36 63200 ----a-w- c:\documents and settings\OWNER\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-26 18:38 . 2010-01-18 00:15 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-01-18 00:49 . 2010-01-18 00:49 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink
2010-01-18 00:48 . 2010-01-18 00:48 -------- d-----w- c:\documents and settings\OWNER\Application Data\CyberLink
2010-01-18 00:45 . 2010-01-18 00:31 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-18 00:44 . 2010-01-18 00:40 -------- d-----w- c:\program files\CyberLink DVD Solution
2010-01-18 00:42 . 2010-01-18 00:42 -------- d-----w- c:\documents and settings\OWNER\Application Data\InterTrust
2010-01-18 00:41 . 2010-01-18 00:41 -------- d-----w- c:\program files\Ahead
2010-01-18 00:41 . 2010-01-18 00:41 -------- d-----w- c:\program files\Common Files\Ahead
2010-01-18 00:40 . 2010-01-18 00:40 -------- d-----w- c:\program files\CyberLink
2010-01-18 00:39 . 2010-01-18 00:24 -------- d-----w- c:\program files\Common Files\InstallShield
2010-01-18 00:37 . 2010-01-18 00:37 -------- d-----w- c:\program files\Common Files\L&H
2010-01-18 00:37 . 2010-01-18 00:37 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-01-18 00:37 . 2010-01-18 00:37 -------- d-----w- c:\program files\Microsoft Works
2010-01-18 00:36 . 2010-01-18 00:36 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA
2010-01-18 00:32 . 2010-01-18 00:31 -------- d-----w- c:\program files\IDT
2010-01-18 00:30 . 2010-01-18 00:30 -------- d-----w- c:\program files\Intel
2010-01-18 00:16 . 2010-01-18 00:16 -------- d-----w- c:\program files\microsoft frontpage
2010-01-18 00:13 . 2010-01-18 00:13 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2004-10-01 23:00 . 2010-01-18 00:40 110592 ----a-w- c:\program files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-19 7700480]
"nwiz"="nwiz.exe" [2007-04-19 1699840]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-19 86016]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2007-12-14 495616]
"RemoteControl"="c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-03 102400]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 237568]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 208896]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 229376]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 208896]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 126976]

c:\documents and settings\OWNER\Start Menu\Programs\Startup\
Webshots.lnk - c:\program files\Webshots\WebshotsTray.exe [2010-1-26 266240]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 288344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\NeroCheck.exe"=
"c:\\WINDOWS\\system32\\nwiz.exe"=
"c:\\Program Files\\IDT\\WDM\\sttray.exe"=
"c:\\Program Files\\Webshots\\WebshotsTray.exe"=
"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqSTE08.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"=
"c:\\Program Files\\CyberLink DVD Solution\\PowerDVD\\PDVDServ.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\WINDOWS\\system32\\netsh.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [10/14/2009 9:18 PM 36880]
R2 TeamViewer4;TeamViewer 4;c:\program files\TeamViewer\Version4\TeamViewer_Service.exe [8/24/2009 6:51 AM 185640]
R3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\fqnlet.sys --> c:\windows\system32\drivers\fqnlet.sys [?]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [9/14/2009 2:42 PM 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [10/2/2009 7:39 PM 19472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2004-04-22 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClick.exe [2007-12-21 22:17]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\OWNER\Application Data\Mozilla\Firefox\Profiles\ofvznqpf.default\
FF - component: c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-PowerBar - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-22 20:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3256)
c:\program files\RocketDock\RocketDock.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\igfxsrvc.exe
c:\program files\idt\ecsxpv_5762_010208\wdm\STacSV.exe
c:\windows\system32\wscntfy.exe
c:\program files\TeamViewer\Version4\TeamViewer.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
.
**************************************************************************
.
Completion time: 2010-02-22 20:19:32 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-23 04:19

Pre-Run: 12,078,182,400 bytes free
Post-Run: 12,160,319,488 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 532B578508EE8A307F1C6816FD07EDD3


#15 maranatha (Malware Response Team, 1,229 posts, Seattle Washington)

Posted 25 February 2010 - 09:01 PM

Hi
OK, let's do this, then see if you can run Dr Web CureIt.

First.

Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

Filename: CFScript.txt
Save As Type: All Files (*.*)

Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.

Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

**NOTE - Allow ComboFix to update if prompted.

CODE
KillAll::
File::
c:\windows\system32\drivers\fqnlet.sys

Driver::
abp470n5


Now try to run Dr Web CureIt in safe mode.

Post the ComboFix log and the Dr. Web log.

Thanks
maranatha.


Windows 7 Professional 64 Bit

 

I'm going in the wrong direction to be in a hurry!




My help is always free, but I do accept donations.
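The script in the reply above is a ComboFix CFScript: each line ending in `::` is a directive, and the lines under it are that directive's targets, so here `File::` names a driver file to delete and `Driver::` names a driver service to remove, after `KillAll::` has stopped running processes. The Python below is an added example, not code from the post, from maranatha, or from ComboFix: it parses a CFScript of that shape and lists the cmd.exe commands an analyst would run after the reboot to confirm the file and service are actually gone. The sample script is the one from the reply; the `Folder::` and `Registry::` branches, and the reading of `Driver::` entries as service names under `HKLM\SYSTEM\CurrentControlSet\Services`, are assumptions based on common CFScript usage and do not come from this page.

```python
"""Parse a ComboFix CFScript into directive sections and emit the cmd.exe
checks that show whether each target still exists after the script ran.

Added example, not ComboFix's own code.  Assumption: directive semantics
follow commonly documented CFScript usage (KillAll::, File::, Driver::,
Folder::, Registry::); only the first three appear in the forum reply.
"""
import re

# Constructed input: the CFScript from the helper's reply above.
SAMPLE_CFSCRIPT = r"""
KillAll::
File::
c:\windows\system32\drivers\fqnlet.sys

Driver::
abp470n5
"""

# A directive is a bare word followed by '::' and nothing else on the line.
SECTION_RE = re.compile(r"^([A-Za-z]+)::$")


def parse_cfscript(text):
    """Return an ordered list of (directive, [entries]) pairs.

    Lines following a directive belong to it until the next directive;
    blank lines are ignored.  KillAll:: takes no entries, so it is kept
    with an empty list.  A target line before any directive is an error,
    because ComboFix would have nothing to apply it to.
    """
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = SECTION_RE.match(line)
        if match:
            current = (match.group(1), [])
            sections.append(current)
            continue
        if current is None:
            raise ValueError(f"entry before any directive: {line!r}")
        current[1].append(line)
    return sections


def verification_commands(sections):
    """Map each target to the cmd.exe command that reveals whether it is
    still present (all of these exist on Windows XP).

    Assumption: File:: and Folder:: entries are full paths, Driver::
    entries are service names, Registry:: entries are full key paths.
    """
    commands = []
    for directive, entries in sections:
        for entry in entries:
            if directive in ("File", "Folder"):
                # /a also lists hidden and system files, which malware favours.
                commands.append(f'dir /a "{entry}"')
            elif directive == "Driver":
                # Both the SCM view and the registry key should be gone.
                commands.append(f"sc query {entry}")
                commands.append(
                    f'reg query "HKLM\\SYSTEM\\CurrentControlSet\\Services\\{entry}"'
                )
            elif directive == "Registry":
                commands.append(f'reg query "{entry}"')
    return commands


if __name__ == "__main__":
    parsed = parse_cfscript(SAMPLE_CFSCRIPT)
    for directive, entries in parsed:
        print(f"{directive}:: {entries}")
    print("Post-run checks:")
    for cmd in verification_commands(parsed):
        print("  " + cmd)
```

Run the printed commands in a cmd.exe window after ComboFix has rebooted the machine: `dir` reporting "File Not Found", `sc query` reporting that the service does not exist, and `reg query` finding no key are the results you want before moving on to the Dr. Web scan.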




