Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

'w32/Rustock.gen.c', 'New Malware.j', 'Patched-SYSFile.a'


  • This topic is locked This topic is locked
21 replies to this topic

#1 NCKitkat63

NCKitkat63

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:09:31 PM

Posted 24 February 2010 - 11:40 PM

Hi to everyone! I'm not new to the forum as I've been reading things here often. Great site here guys and gals! thumbup.gif I am new to posting for help though. (Grrr!) Let me apologize for the length of this post in advance. I want to make sure I describe as much as I can and include detailed information. Plus, I didn't think I would run into problems trying to run a program to get the logs y'all need to assist me. 'DDS did great, but 'GMER' is really struggling. I'm on my 4th or 5th attempt now. Here we go ...

Currently I'm using another computer to post here and running all newly downloaded programs via a USB Flash drive on the problem child. This is because anytime I get online I get alerts from McAfee constantly about 'New Malware.j' and the Temporary folder gets slammed with new folders. There is new *.tmp folders/files added if I'm not online, too. However, this happens a lot more when online and the names do change for every new *.tmp folder/file) McAfee did quarantine 'zaqbutwx.sys' driver, ''w32/Rustock.gen.c'right before the really troublesome one started on 2-16 around 8:37 am, and I can see where the name has been changed in the registry. (I guess that is how they quarantined it?) I have made a document of all McAfee has found since, when, what was open and what I had been doing when this started. I know exactly what had been downloaded and what web pages I had just copied and pasted into 'MS Word' documents. I have run Malwarebytes (quick and full) and Spybot S&D and they came up clean.
I have had instances where IE-7 would crash and go poof, too. (I'm trying to laugh) and sometimes making the computer re-boot due to an error. I have seen info in some logs that sometimes it was related to 'Flash.ocx' So I'll let y'all tell me what you think after some major house cleaning. :-)

Another one mentioned in my 'Topic Title', 'Patched-SYSFile.a', , ( C:\WINDOWS\system32\drivers\atapi.sys) this one seems to happen every 4-7 days or so. I've been trying to find information on that one by myself, as I know y'all stay pretty busy. For some reason I feel this might have started back when I installed a new Seagate EHD a few months ago. It seems at that time the 'icon' that had been used for my 'C:' drive changed, too. And my 'C:' drive quit being seen in 'Computer Management.' Of course, I could be wrong there.

'GMER' is doomed. I've attempted to run it 5 times now with my computer just shutting down or giving me a BSOD and I've typed out the exact messages for both BSODs on a 'notepad'. I lost the first post I had completed when I selected to post it. (grrr!) I am going to attach the notepad (hope that is ok!) and it will also have the McAfee findings since this started with details. McAfee found 4 or 5 different things once this started.

Thank you in advance for your time and help! :-)

DDS (Ver_09-12-01.01) - NTFSx86
Run by ******** ******* at 17:05:24.09 on Wed 02/24/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.261 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\WDC\SetIcon.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee\msc\mcshell.exe
E:\Bleeping Computer\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://www.comcast.net/
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: YahooTaggedBM Class: {65d886a2-7ca7-479b-bb95-14d1efb7946a} - c:\program files\yahoo!\common\YIeTagBm.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\progra~1\yahoo!\common\yhexbmesus.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [Creative Detector] c:\program files\creative\mediasource\detector\CTDetect.exe /R
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRunOnce: [DelayShred] "c:\program files\mcafee.com\shredder\shred32.exe" /q c:\windows\temp\mc9010~1.sh! c:\windows\temp\mc1593~1.sh! c:\docume~1\kathle~1\locals~1\temp\mpc9f.sh! c:\docume~1\kathle~1\locals~1\temp\~df3ada.sh! c:\docume~1\kathle~1\locals~1\temp\~df3acd.sh! c:\windows\temp\pea8d4~1.sh! c:\docume~1\networ~1\locals~1\tempor~1\content.ie5\i86902np.sh! c:\docume~1\networ~1\locals~1\tempor~1\content.ie5\dakzw2nq.sh! c:\docume~1\networ~1\locals~1\tempor~1\content.ie5\hqko6ep9.sh! c:\docume~1\kathle~1\locals~1\temp\mc5fae~1.sh! c:\docume~1\kathle~1\locals~1\temp\mc5136~1.sh! c:\docume~1\kathle~1\locals~1\temp\mcmsc_~4.sh! c:\docume~1\kathle~1\locals~1\temp\mcmsc_~3.sh! c:\docume~1\networ~1\locals~1\tempor~1\content.ie5\index.sh! c:\docume~1\billsw~1\locals~1\tempor~1\content.ie5\index.sh! c:\docume~1\networ~1\cookies\index.sh! c:\docume~1\networ~1\locals~1\history\history.ie5\index.sh! c:\docume~1\kathle~1\locals~1\history.sh! c:\docume~1\kathle~1\cookies\index.sh! c:\docume~1\kathle~1\locals~1\history\history.ie5\index.sh! c:\docume~1\kathle~1\locals~1\applic~1\micros~1\windows\usrclass.sh! c:\docume~1\networ~1\locals~1\tempor~1\content.ie5\rrv6e8y6.sh! c:\docume~1\networ~1\locals~1\tempor~1\content.ie5\w5bhvofx.sh! c:\docume~1\networ~1\locals~1\tempor~1\content.ie5\rrv6e8y6\search~1.sh! c:\docume~1\networ~1\locals~1\tempor~1\content.ie5\w5bhvofx\huufca~1.sh! c:\docume~1\networ~1\locals~1\tempor~1\content.ie5\w5bhvofx\j7huca~1.sh! c:\docume~1\networ~1\locals~1\tempor~1\content.ie5\w5bhvofx\ind474~1.sh! c:\docume~1\networ~1\locals~1\tempor~1\content.ie5\w5bhvofx\ind074~1.sh! c:\docume~1\networ~1\locals~1\tempor~1\content.ie5\w5bhvofx\indc64~1.sh! c:\docume~1\locals~1\locals~1\tempor~1\content.ie5\index.sh! c:\docume~1\locals~1\locals~1\history.sh! c:\docume~1\locals~1\locals~1\tempor~1.sh! c:\docume~1\locals~1\locals~1\history\history.ie5\index.sh! c:\docume~1\kathle~1\locals~1\tempor~1.sh! c:\windows\temp\mc319d~1.sh! c:\windows\temp\peb1a7~1.sh! c:\windows\temp\mc8992~1.sh! c:\windows\temp\mc5f90~1.sh! c:\windows\temp\MC7FA4~1.SH!
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [CTSysVol] c:\program files\creative\sound blaster live! 24-bit\surround mixer\CTSysVol.exe /r
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [SetIcon] \Program Files\WDC\SetIcon.exe
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: &Download by Orbit
IE: &Grab video by Orbit
IE: &Yahoo! Search
IE: Do&wnload selected by Orbit
IE: Down&load all by Orbit
IE: E&xport to Microsoft Excel
IE: Yahoo! &Dictionary
IE: Yahoo! &Maps
IE: Yahoo! &SMS
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {5727FF4C-EF4E-4d96-A96C-03AD91910448}
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1260307005781
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1108575655843
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1134741178453
DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} - hxxp://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} - hxxp://hoylegames.igl.net/cab/WONWebLauncherControl.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5824/mcfscan.cab
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-9-28 64160]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-6-10 214664]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-6-10 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-6-10 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-6-10 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-6-10 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-6-10 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-6-10 40552]
S2 zswqjaf;zswqjaf;\??\c:\windows\system32\drivers\zaqbutwx.sys --> c:\windows\system32\drivers\zaqbutwx.sys [?]
S3 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2008-6-23 42376]
S3 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2008-6-23 66952]
S3 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2008-6-23 81288]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1028432]
S3 mbr;mbr;\??\c:\docume~1\kathle~1\locals~1\temp\mbr.sys --> c:\docume~1\kathle~1\locals~1\temp\mbr.sys [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-6-10 34248]
S4 sdAuxService;PC Tools Auxiliary Service;f:\program files\spyware doctor\pctsauxs.exe --> f:\program files\spyware doctor\pctsAuxs.exe [?]
S4 sdCoreService;PC Tools Security Service;f:\program files\spyware doctor\pctssvc.exe --> f:\program files\spyware doctor\pctsSvc.exe [?]

=============== Created Last 30 ================

2010-02-24 21:59:20 0 ----a-w- c:\documents and settings\kathleen swinney\defogger_reenable
2010-02-21 18:44:57 34890 ----a-w- c:\windows\system32\dllcache\wlandrv2.sys
2010-02-21 18:43:56 397502 ----a-w- c:\windows\system32\dllcache\vpctcom.sys
2010-02-21 18:42:54 94720 ----a-w- c:\windows\system32\dllcache\umaxud32.dll
2010-02-21 18:41:59 440576 ----a-w- c:\windows\system32\dllcache\tridkb.dll
2010-02-21 18:40:56 7040 ----a-w- c:\windows\system32\dllcache\tandqic.sys
2010-02-21 18:39:57 99328 ----a-w- c:\windows\system32\dllcache\srusd.dll
2010-02-21 18:38:58 35913 ----a-w- c:\windows\system32\dllcache\smcirda.sys
2010-02-21 18:37:58 68608 ----a-w- c:\windows\system32\dllcache\sis6306p.sys
2010-02-21 18:36:57 23936 ----a-w- c:\windows\system32\dllcache\sccmn50m.sys
2010-02-21 18:35:57 19017 ----a-w- c:\windows\system32\dllcache\rtl8029.sys
2010-02-21 18:34:59 112574 ----a-w- c:\windows\system32\dllcache\ptserlp.sys
2010-02-21 18:33:58 86016 ----a-w- c:\windows\system32\dllcache\pctspk.exe
2010-02-21 18:32:58 43689 ----a-w- c:\windows\system32\dllcache\otceth5.sys
2010-02-21 18:31:58 15872 ----a-w- c:\windows\system32\dllcache\ne2000.sys
2010-02-21 18:30:53 2944 ----a-w- c:\windows\system32\dllcache\msmpu401.sys
2010-02-21 18:29:56 7424 ----a-w- c:\windows\system32\dllcache\mammoth.sys
2010-02-21 18:28:58 48640 ----a-w- c:\windows\system32\dllcache\kdsui.dll
2010-02-21 18:27:57 20480 ----a-w- c:\windows\system32\dllcache\icam5ext.dll
2010-02-21 18:26:58 488383 ----a-w- c:\windows\system32\dllcache\hsf_v124.sys
2010-02-21 18:25:58 93696 ----a-w- c:\windows\system32\dllcache\hpgt42.dll
2010-02-21 18:24:49 92160 ----a-w- c:\windows\system32\dllcache\fuusd.dll
2010-02-21 18:23:58 57856 ----a-w- c:\windows\system32\dllcache\esuimgd.dll
2010-02-21 18:22:59 69194 ----a-w- c:\windows\system32\dllcache\el656cd5.sys
2010-02-21 18:21:59 131156 ----a-w- c:\windows\system32\dllcache\digidbp.dll
2010-02-21 18:20:57 39936 ----a-w- c:\windows\system32\dllcache\cnxt1803.sys
2010-02-21 18:19:59 66082 ----a-w- c:\windows\system32\dllcache\c_20833.nls
2010-02-21 18:18:59 87552 ----a-w- c:\windows\system32\dllcache\avmcoxp.dll
2010-02-21 18:17:59 84480 ----a-w- c:\windows\system32\dllcache\ac97via.sys
2010-02-21 18:17:58 96256 ----a-w- c:\windows\system32\dllcache\ac97intc.sys
2010-02-21 18:17:58 297728 ----a-w- c:\windows\system32\dllcache\ac97sis.sys
2010-02-21 18:17:57 231552 ----a-w- c:\windows\system32\dllcache\ac97ali.sys
2010-02-21 18:17:56 462848 ----a-w- c:\windows\system32\dllcache\a3dapi.dll
2010-02-21 18:17:55 48128 ----a-w- c:\windows\system32\dllcache\61883.sys
2010-02-21 18:17:55 38400 ----a-w- c:\windows\system32\dllcache\8514a.dll
2010-02-21 18:17:54 148352 ----a-w- c:\windows\system32\dllcache\3dfxvsm.sys
2010-02-21 18:17:54 12288 ----a-w- c:\windows\system32\dllcache\4mmdat.sys
2010-02-21 18:17:53 689216 ----a-w- c:\windows\system32\dllcache\3dfxvs.dll
2010-02-21 18:17:52 762780 ----a-w- c:\windows\system32\dllcache\3cwmcru.sys
2010-02-21 18:17:51 53376 ----a-w- c:\windows\system32\dllcache\1394bus.sys
2010-02-21 18:17:51 11264 ----a-w- c:\windows\system32\dllcache\1394vdbg.sys
2010-02-21 18:16:48 66048 ----a-w- c:\windows\system32\dllcache\s3legacy.dll
2010-02-17 18:22:29 3566 ----a-w- c:\windows\system32\iecavp
2010-02-17 18:22:27 43008 ----a-w- c:\windows\system32\akquyl.dll
2010-02-16 03:55:42 54156 ---ha-w- c:\windows\QTFont.qfn
2010-02-16 03:55:42 1409 ----a-w- c:\windows\QTFont.for
2010-02-13 18:15:26 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-02-13 11:51:59 2284 ----a-w- C:\autorun.PNF
2010-02-10 12:03:44 2066048 ----a-w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-10 12:03:43 2189184 ----a-w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-02-10 12:03:43 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-10 12:03:43 2145280 ----a-w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-10 12:03:43 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-10 12:03:43 2023936 ----a-w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-02-06 00:40:59 0 d-sh--r- C:\cmdcons
2010-02-06 00:40:56 0 d-----w- c:\windows\setup.pss
2010-02-06 00:40:39 0 d-----w- c:\windows\setupupd
2010-02-05 16:37:48 0 d-----w- c:\program files\WildTangent
2010-01-28 10:28:02 0 d-----w- c:\docume~1\kathle~1\applic~1\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2010-01-27 12:20:25 0 d-----w- c:\windows\system32\Adobe

==================== Find3M ====================

2010-02-24 21:52:19 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-02-24 21:52:19 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys
2010-02-18 18:00:49 100720 ----a-w- c:\docume~1\kathle~1\applic~1\GDIPFONTCACHEV1.DAT
2010-01-07 21:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\dllcache\srv.sys
2009-12-31 15:33:06 70656 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-18 13:05:43 634648 --s-a-w- c:\windows\system32\dllcache\iexplore.exe
2009-12-18 13:04:09 161792 ----a-w- c:\windows\system32\dllcache\ieakui.dll
2009-12-17 22:14:00 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\dllcache\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\dllcache\csrsrv.dll
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 09:23:28 474112 ----a-w- c:\windows\system32\dllcache\shlwapi.dll
2009-12-04 18:22:22 455424 ----a-w- c:\windows\system32\dllcache\mrxsmb.sys
2009-11-27 17:11:44 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 17:11:44 17920 ----a-w- c:\windows\system32\dllcache\msyuv.dll
2009-11-27 17:11:44 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:11:44 1291776 ----a-w- c:\windows\system32\dllcache\quartz.dll
2009-11-27 16:07:35 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07:35 8704 ----a-w- c:\windows\system32\dllcache\tsbyuv.dll
2009-11-27 16:07:35 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07:35 28672 ----a-w- c:\windows\system32\dllcache\msvidc32.dll
2009-11-27 16:07:34 84992 ----a-w- c:\windows\system32\dllcache\avifil32.dll
2009-11-27 16:07:34 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07:34 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:07:34 48128 ----a-w- c:\windows\system32\dllcache\iyuv_32.dll
2009-11-27 16:07:34 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:07:34 11264 ----a-w- c:\windows\system32\dllcache\msrle32.dll
2009-09-16 09:31:53 16544 ----a-w- c:\program files\common files\iqikocobum.dat
2007-03-25 16:58:40 82090337 ----a-w- c:\program files\rn73dlx_16lang.exe
2007-03-25 16:21:40 270 ----a-w- c:\program files\Read Me First!!!.txt
2007-03-25 16:21:38 1312845 ----a-w- c:\program files\PatchGdiPlus.EXE
2005-10-14 04:55:43 774144 -c--a-w- c:\program files\RngInterstitial.dll
2009-06-09 15:46:05 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009060920090610\index.dat

============= FINISH: 17:06:36.14 ===============
Thanks again,

Kat :-)

Attached Files



BC AdBot (Login to Remove)

 


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:02:31 AM

Posted 26 February 2010 - 10:40 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks thumbup2.gif
Posted Image
m0le is a proud member of UNITE

#3 NCKitkat63

NCKitkat63
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:09:31 PM

Posted 27 February 2010 - 06:32 PM

Hi m0le,

Thank you for for your reply to my post and I look forward to your assistance. I'm here and will be checkin' off and on to see what my instructions are from you. Also, I will now try not to touch anything without your instructions. Just an update from my original post: I have tried to run Gmer several more times and even in safe mode, with no success. Is there a time that's better than another to catch you online? My time on this other computer is more limited now because my Mom wanted her computer back. But I will try to check as often as I can!

Hope you're havin' a nice weekend!

Thanks again,

Kat smile.gif



#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:02:31 AM

Posted 27 February 2010 - 06:53 PM

Hi Kat,

I'm in the UK so your last post shows 11.32pm. If you're in the US it is likely to show 4pm-ish, depending on where in the US you are.

From what you have told me and the scans are showing we have a TDSS rootkit here which is hard to remove. TDSS can be removed with TDSSKiller.

  • Download TDSSKiller and save it to your Desktop.

  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to leave the file alone
    .
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here (or attach it).

Posted Image
m0le is a proud member of UNITE

#5 NCKitkat63

NCKitkat63
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:09:31 PM

Posted 27 February 2010 - 08:12 PM

You must be a nightowl too. (I am) My time now would be 8:08pm :-)

Looks like this got some of the problem, m0le. I'm attachin' the *.txt file generated.

Thank you (I'll not be able to say it enough)

Kat

Attached Files



#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:02:31 AM

Posted 27 February 2010 - 09:02 PM

Yep, I'm a night owl. smile.gif

That's a start then. atapi.sys is a system file which TDSS infects and takes over.

TDSSKiller has replaced it with a clean one so we should now be able to see what else TDSS brought with it. Please run Combofix next.

Please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Posted Image
m0le is a proud member of UNITE

#7 NCKitkat63

NCKitkat63
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:09:31 PM

Posted 27 February 2010 - 10:09 PM

Hi m0le,

I sent this via a PM but then thought this might be good information to put here, too.

I was just checkin' the link for the instructions to disable Anti Virus and Spy/Malware removal processes running before running Combofix. However, when it comes to getting 'ResetTeaTimer.zip' the link does not work. Any suggestions?

Thanks,

Kat

#8 NCKitkat63

NCKitkat63
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:09:31 PM

Posted 28 February 2010 - 12:43 AM

Hi and good mornin', m0le.

I kinda figured you'd called it a night, so in ref to the 'Resetteatimer' link I searched a bit and found another post here that commented on the same issue. Nothing was mentioned in the response about it really being needed and they went ahead with the 'ComboFix" scan. So that is what I did. Also, this is the first time I've come online with my 'problem child' since, so here's hoping it's not causing more problems. (it has enough already.)

Okay .. I'll catch up with you later this afternoon (night for you) and see what else we can cure. ComboFix log to follow.

Thank you again for your time and assistance! smile.gif

Kat

PS .. Don't say it too loud McAfee has not gone off. Shhhh!

QUOTE
ComboFix 10-02-27.04 - Kat***** ******* 02/27/2010 23:14:53.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.222 [GMT -5:00]
Running from: c:\documents and settings\Kat***** *******\Desktop\ComFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
c:\program files\Error Repair Professional
c:\windows\system32\iniasd.txt
c:\windows\system32\Thumbs.db
c:\windows\xobglu16.dll

.
((((((((((((((((((((((((( Files Created from 2010-01-28 to 2010-02-28 )))))))))))))))))))))))))))))))
.

2010-02-27 12:52 . 2010-02-27 16:52 -------- d-----w- C:\Temp for SYSClean
2010-02-25 09:13 . 2010-02-25 09:13 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-21 18:44 . 2001-08-17 17:12 34890 ----a-w- c:\windows\system32\dllcache\wlandrv2.sys
2010-02-21 18:43 . 2001-08-17 18:28 397502 ----a-w- c:\windows\system32\dllcache\vpctcom.sys
2010-02-21 18:42 . 2001-08-18 03:36 94720 ----a-w- c:\windows\system32\dllcache\umaxud32.dll
2010-02-21 18:41 . 2001-08-17 19:56 440576 ----a-w- c:\windows\system32\dllcache\tridkb.dll
2010-02-21 18:40 . 2001-08-17 18:52 7040 ----a-w- c:\windows\system32\dllcache\tandqic.sys
2010-02-21 18:39 . 2004-08-04 11:00 101376 ----a-w- c:\windows\system32\dllcache\srusbusd.dll
2010-02-21 18:38 . 2001-08-17 17:10 35913 ----a-w- c:\windows\system32\dllcache\smcirda.sys
2010-02-21 18:37 . 2001-08-17 17:50 68608 ----a-w- c:\windows\system32\dllcache\sis6306p.sys
2010-02-21 18:36 . 2001-08-17 18:51 23936 ----a-w- c:\windows\system32\dllcache\sccmn50m.sys
2010-02-21 18:35 . 2001-08-17 17:12 19017 ----a-w- c:\windows\system32\dllcache\rtl8029.sys
2010-02-21 18:34 . 2001-08-17 18:28 112574 ----a-w- c:\windows\system32\dllcache\ptserlp.sys
2010-02-21 18:33 . 2001-08-18 03:36 86016 ----a-w- c:\windows\system32\dllcache\pctspk.exe
2010-02-21 18:32 . 2001-08-17 17:12 43689 ----a-w- c:\windows\system32\dllcache\otceth5.sys
2010-02-21 18:31 . 2001-08-17 18:49 15872 ----a-w- c:\windows\system32\dllcache\ne2000.sys
2010-02-21 18:30 . 2001-08-17 19:00 2944 ----a-w- c:\windows\system32\dllcache\msmpu401.sys
2010-02-21 18:29 . 2001-08-17 18:52 7424 ----a-w- c:\windows\system32\dllcache\mammoth.sys
2010-02-21 18:28 . 2008-04-14 01:11 48640 ----a-w- c:\windows\system32\dllcache\kdsui.dll
2010-02-21 18:27 . 2001-08-18 03:36 20480 ----a-w- c:\windows\system32\dllcache\icam5ext.dll
2010-02-21 18:26 . 2001-08-17 18:28 488383 ----a-w- c:\windows\system32\dllcache\hsf_v124.sys
2010-02-21 18:25 . 2001-08-18 03:36 93696 ----a-w- c:\windows\system32\dllcache\hpgt42.dll
2010-02-21 18:24 . 2001-08-18 03:36 92160 ----a-w- c:\windows\system32\dllcache\fuusd.dll
2010-02-21 18:23 . 2004-08-04 11:00 57856 ----a-w- c:\windows\system32\dllcache\esuimgd.dll
2010-02-21 18:22 . 2001-08-17 17:11 69194 ----a-w- c:\windows\system32\dllcache\el656cd5.sys
2010-02-21 18:21 . 2001-08-18 03:36 131156 ----a-w- c:\windows\system32\dllcache\digidbp.dll
2010-02-21 18:20 . 2001-08-17 17:11 39936 ----a-w- c:\windows\system32\dllcache\cnxt1803.sys
2010-02-21 18:19 . 2001-08-17 18:51 13824 ----a-w- c:\windows\system32\dllcache\bulltlp3.sys
2010-02-21 18:18 . 2001-08-18 03:36 87552 ----a-w- c:\windows\system32\dllcache\avmcoxp.dll
2010-02-21 18:17 . 2004-08-04 03:32 84480 ----a-w- c:\windows\system32\dllcache\ac97via.sys
2010-02-21 18:17 . 2001-08-17 17:20 297728 ----a-w- c:\windows\system32\dllcache\ac97sis.sys
2010-02-21 18:17 . 2001-08-17 17:20 96256 ----a-w- c:\windows\system32\dllcache\ac97intc.sys
2010-02-21 18:17 . 2004-08-04 03:32 231552 ----a-w- c:\windows\system32\dllcache\ac97ali.sys
2010-02-21 18:17 . 2001-08-18 03:36 462848 ----a-w- c:\windows\system32\dllcache\a3dapi.dll
2010-02-21 18:17 . 2008-04-13 19:46 48128 ----a-w- c:\windows\system32\dllcache\61883.sys
2010-02-21 18:17 . 2001-08-17 19:55 38400 ----a-w- c:\windows\system32\dllcache\8514a.dll
2010-02-21 18:17 . 2008-04-13 19:40 12288 ----a-w- c:\windows\system32\dllcache\4mmdat.sys
2010-02-21 18:17 . 2001-08-17 17:48 148352 ----a-w- c:\windows\system32\dllcache\3dfxvsm.sys
2010-02-21 18:17 . 2001-08-17 19:55 689216 ----a-w- c:\windows\system32\dllcache\3dfxvs.dll
2010-02-21 18:17 . 2001-08-17 18:28 762780 ----a-w- c:\windows\system32\dllcache\3cwmcru.sys
2010-02-21 18:17 . 2008-04-13 19:46 53376 ----a-w- c:\windows\system32\dllcache\1394bus.sys
2010-02-21 18:17 . 2001-08-17 19:06 11264 ----a-w- c:\windows\system32\dllcache\1394vdbg.sys
2010-02-21 18:16 . 2001-08-17 19:56 66048 ----a-w- c:\windows\system32\dllcache\s3legacy.dll
2010-02-20 07:26 . 2010-02-20 07:26 101112 ----a-w- c:\documents and settings\Kat***** *******\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-17 18:22 . 2010-02-17 18:22 43008 ----a-w- c:\windows\system32\akquyl.dll
2010-02-16 16:04 . 2010-02-16 16:04 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-02-13 18:15 . 2010-02-13 18:15 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-02-10 12:03 . 2009-08-04 14:20 2066048 ----a-w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-10 12:03 . 2009-08-05 00:44 2189184 ----a-w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-02-10 12:03 . 2009-08-04 15:13 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-10 12:03 . 2009-08-04 15:13 2145280 ----a-w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-10 12:03 . 2009-08-04 14:20 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-10 12:03 . 2009-08-04 14:20 2023936 ----a-w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-02-05 16:37 . 2010-02-05 16:38 -------- d-----w- c:\program files\WildTangent

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-28 00:57 . 2008-04-13 19:40 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-02-27 17:12 . 2004-12-29 08:26 -------- d-----w- c:\program files\Viewpoint
2010-02-27 11:59 . 2004-12-29 08:26 -------- d-----w- c:\program files\QuickTime
2010-02-27 11:43 . 2004-12-29 08:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-02-15 20:32 . 2009-12-18 03:02 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-02-15 17:48 . 2005-05-07 14:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Retrospect
2010-02-04 17:21 . 2009-12-02 06:22 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-01-28 23:00 . 2005-03-01 13:30 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-28 22:52 . 2010-01-28 22:52 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-01-28 21:23 . 2010-01-28 21:23 1956528 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2010-01-28 10:28 . 2010-01-28 10:28 -------- d-----w- c:\documents and settings\Kat***** *******\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2010-01-27 10:46 . 2009-12-02 06:23 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-01-24 16:44 . 2007-10-24 23:50 -------- d-----w- c:\documents and settings\Kat***** *******\Application Data\Yammy
2010-01-24 16:32 . 2009-09-16 08:25 -------- d-----w- c:\program files\Super Yahoo Messenger Archive Decoder
2010-01-24 14:15 . 2010-01-24 14:15 1406 ----a-r- c:\documents and settings\Kat***** *******\Application Data\Microsoft\Installer\{AEF5105C-B29A-4D58-BF09-C5522CE93FFE}\_43f8711.exe
2010-01-24 14:15 . 2010-01-24 14:15 -------- d-----w- c:\program files\YArchiveViewerWB
2010-01-23 07:09 . 2004-12-29 08:15 -------- d-----w- c:\program files\Common Files\Java
2010-01-23 07:09 . 2010-01-23 07:09 348160 ----a-w- c:\documents and settings\Kat***** *******\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-19c41024-n\msvcr71.dll
2010-01-23 07:09 . 2010-01-23 07:09 503808 ----a-w- c:\documents and settings\Kat***** *******\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-19c41024-n\msvcp71.dll
2010-01-23 07:09 . 2010-01-23 07:09 61440 ----a-w- c:\documents and settings\Kat***** *******\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-60983f70-n\decora-sse.dll
2010-01-23 07:09 . 2010-01-23 07:09 499712 ----a-w- c:\documents and settings\Kat***** *******\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-19c41024-n\jmc.dll
2010-01-23 07:09 . 2010-01-23 07:09 12800 ----a-w- c:\documents and settings\Kat***** *******\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-60983f70-n\decora-d3d.dll
2010-01-23 07:09 . 2004-12-29 08:15 -------- d-----w- c:\program files\Java
2010-01-23 03:24 . 2009-12-02 04:30 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-16 06:53 . 2009-10-03 10:44 -------- d-----w- c:\program files\Nailwarebytes' Anti-Malware
2010-01-16 06:53 . 2009-12-06 05:38 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-12 06:17 . 2009-12-29 01:41 -------- d-----w- c:\documents and settings\Kat***** *******\Application Data\Move Networks
2010-01-12 06:16 . 2009-12-29 01:41 144160 ----a-w- c:\documents and settings\Kat***** *******\Application Data\Move Networks\uninstall.exe
2010-01-12 06:16 . 2009-12-10 19:26 4187512 ----a-w- c:\documents and settings\Kat***** *******\Application Data\Move Networks\plugins\npqmp071505000011.dll
2010-01-10 04:39 . 2004-12-29 08:16 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-10 04:29 . 2010-01-10 04:29 -------- d-----w- c:\program files\Microsoft Reader
2010-01-10 03:12 . 2008-01-13 12:50 -------- d-----w- c:\documents and settings\Kat***** *******\Application Data\uTorrent
2010-01-10 00:06 . 2008-01-13 12:50 -------- d-----w- c:\program files\uTorrent
2010-01-08 09:34 . 2010-01-08 09:34 -------- d-----w- c:\documents and settings\Kat***** *******\Application Data\New Folder
2010-01-07 21:07 . 2009-09-28 06:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2009-09-28 06:37 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-05 10:00 . 2004-08-04 11:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-04 11:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-04 11:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2004-08-04 11:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-17 22:14 . 2009-09-03 10:15 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-16 18:43 . 2006-11-15 10:41 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-04 11:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-10 19:27 . 2009-12-10 19:27 97144 ----a-w- c:\documents and settings\Kat***** *******\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-12-04 18:22 . 2004-08-04 11:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-30 13:39 . 2009-09-28 08:29 3695616 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2009-11-30 13:39 . 2009-09-28 08:29 2353992 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-09-16 09:31 . 2009-09-16 09:31 16544 ----a-w- c:\program files\Common Files\iqikocobum.dat
2007-03-25 16:58 . 2009-04-25 07:45 82090337 ----a-w- c:\program files\rn73dlx_16lang.exe
2007-03-25 16:21 . 2009-04-25 07:45 270 ----a-w- c:\program files\Read Me First!!!.txt
2005-10-14 04:55 . 2005-10-14 04:55 774144 -c--a-w- c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2003-10-02 98304]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"DelayShred"="c:\program files\mcafee.com\shredder\SHRED32.EXE" [2005-07-15 57344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-11-16 127035]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"P17Helper"="P17.dll" [2005-05-03 64512]
"SetIcon"="\Program Files\WDC\SetIcon.exe" [2004-04-28 42496]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\SYSTEM32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2004-09-15 07:01 86016 ----a-w- c:\program files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2004-10-12 22:54 57344 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
2003-09-04 02:12 221184 -c--a-w- c:\program files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-07-27 20:50 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-01-11 20:21 246504 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 07:00 90112 -c----w- c:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2007-08-30 21:43 4670704 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" /background
"GetModule18"="c:\program files\GetModule\GetModule18.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"WD Button Manager"=WDBtnMgr.exe
"RealTray"=c:\program files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\WinRAR\\WinRAR.exe"=
"c:\\Program Files\\Creative\\Sound Blaster Live! 24-bit\\Diagnostics\\diagnos3.exe"=
"c:\\Program Files\\Creative\\Sound Blaster Live! 24-bit\\Equalizer\\CTEQ.exe"=
"c:\\Program Files\\Creative\\Sound Blaster Live! 24-bit\\MiniDisc\\CTMDCen.exe"=
"c:\\Program Files\\Creative\\Sound Blaster Live! 24-bit\\Program\\Restore.exe"=
"c:\\Program Files\\Creative\\Sound Blaster Live! 24-bit\\Speaker Settings\\SpkSet.exe"=
"c:\\Program Files\\Creative\\Sound Blaster Live! 24-bit\\Surround Mixer\\SurMixer.exe"=
"c:\\Program Files\\Creative\\Sound Blaster Live! 24-bit\\WaveStudio\\CtWave32.exe"=
"c:\\Program Files\\McAfee\\MSC\\mcshell.exe"=
"c:\\Program Files\\McAfee.com\\Shredder\\Shred32.exe"=
"c:\\Program Files\\Outlook Express\\MSIMN.EXE"=
"c:\\Program Files\\Windows NT\\Pinball\\PINBALL.EXE"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\Sienna\\Starry Night Bundle Edition\\starrynight.exe"=
"c:\\Program Files\\Spybot - Search & Destroy\\SpybotSD.exe"=
"c:\\Program Files\\Spybot - Search & Destroy\\SDUpdate.exe"=
"c:\\WINDOWS\\SYSTEM32\\SPIDER.EXE"=
"c:\\Program Files\\deepinvent\\MailStore Home\\MailStoreLocal.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [9/28/2009 3:30 AM 64160]
S2 zswqjaf;zswqjaf;\??\c:\windows\system32\drivers\zaqbutwx.sys --> c:\windows\system32\drivers\zaqbutwx.sys [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 9:49 AM 1028432]
S4 sdAuxService;PC Tools Auxiliary Service;f:\program files\Spyware Doctor\pctsAuxs.exe --> f:\program files\Spyware Doctor\pctsAuxs.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2010-02-16 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-06-10 16:22]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://www.comcast.net/
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
IE: &Download by Orbit
IE: &Grab video by Orbit
IE: &Yahoo! Search
IE: Do&wnload selected by Orbit
IE: Down&load all by Orbit
IE: E&xport to Microsoft Excel
IE: Yahoo! &Dictionary
IE: Yahoo! &Maps
IE: Yahoo! &SMS
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys
MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\qttask.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-27 23:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1684424257-2583858332-3864400153-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2010-02-27 23:25:29
ComboFix-quarantined-files.txt 2010-02-28 04:25

Pre-Run: 33,417,125,888 bytes free
Post-Run: 33,389,051,904 bytes free

- - End Of File - - C63B2E3753C96FE1AD4D5CDFE5DD7319



#9 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:02:31 AM

Posted 28 February 2010 - 05:14 AM

Yes, that link is dead on the guide.


We need to disable Spybot S&D's "TeaTimer"
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can reenable it when we're done if you like.
  1. Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  2. If prompted with a legal dialog, accept the warning.
  3. Click and then on "Advanced Mode"
  4. You may be presented with a warning dialog. If so, press
  5. Click on
  6. Click on
  7. Uncheck this checkbox:
  8. Close/Exit Spybot Search and Destroy


Now let's remove this malicious driver using Combofix

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
File::
c:\windows\system32\drivers\zaqbutwx.sys

Driver::
zaqbutwx


Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Then please run ESET

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push

Posted Image
m0le is a proud member of UNITE

#10 NCKitkat63

NCKitkat63
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:09:31 PM

Posted 28 February 2010 - 10:34 AM

Hi m9le,

I managed to get 'Teatimer' disabled on the previous scan and I did the same for the current one I'm fixin' to post.
So two logs will be included in this response.

Thank you again!

Hope you're havin' a great weekend!

Kar smile.gif

QUOTE
ComboFix Scan:

ComboFix 10-02-27.04 - Kat***** ******* 02/28/2010 7:32.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.333 [GMT -5:00]
Running from: c:\documents and settings\Kat***** *******\Desktop\ComFix.exe
Command switches used :: c:\documents and settings\Kat***** *******\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\windows\system32\drivers\zaqbutwx.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\Temp\0202661267335923mcinst.exe

----- BITS: Possible infected sites -----

hxxp://armmf.adobe.com
.
((((((((((((((((((((((((( Files Created from 2010-01-28 to 2010-02-28 )))))))))))))))))))))))))))))))
.

2010-02-27 12:52 . 2010-02-27 16:52 -------- d-----w- C:\Temp for SYSClean
2010-02-25 09:13 . 2010-02-25 09:13 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-21 18:44 . 2001-08-17 17:12 34890 ----a-w- c:\windows\system32\dllcache\wlandrv2.sys
2010-02-21 18:43 . 2001-08-17 18:28 397502 ----a-w- c:\windows\system32\dllcache\vpctcom.sys
2010-02-21 18:42 . 2001-08-18 03:36 94720 ----a-w- c:\windows\system32\dllcache\umaxud32.dll
2010-02-21 18:41 . 2001-08-17 19:56 440576 ----a-w- c:\windows\system32\dllcache\tridkb.dll
2010-02-21 18:40 . 2001-08-17 18:52 7040 ----a-w- c:\windows\system32\dllcache\tandqic.sys
2010-02-21 18:39 . 2004-08-04 11:00 101376 ----a-w- c:\windows\system32\dllcache\srusbusd.dll
2010-02-21 18:38 . 2001-08-17 17:10 35913 ----a-w- c:\windows\system32\dllcache\smcirda.sys
2010-02-21 18:37 . 2001-08-17 17:50 68608 ----a-w- c:\windows\system32\dllcache\sis6306p.sys
2010-02-21 18:36 . 2001-08-17 18:51 23936 ----a-w- c:\windows\system32\dllcache\sccmn50m.sys
2010-02-21 18:35 . 2001-08-17 17:12 19017 ----a-w- c:\windows\system32\dllcache\rtl8029.sys
2010-02-21 18:34 . 2001-08-17 18:28 112574 ----a-w- c:\windows\system32\dllcache\ptserlp.sys
2010-02-21 18:33 . 2001-08-18 03:36 86016 ----a-w- c:\windows\system32\dllcache\pctspk.exe
2010-02-21 18:32 . 2001-08-17 17:12 43689 ----a-w- c:\windows\system32\dllcache\otceth5.sys
2010-02-21 18:31 . 2001-08-17 18:49 15872 ----a-w- c:\windows\system32\dllcache\ne2000.sys
2010-02-21 18:30 . 2001-08-17 19:00 2944 ----a-w- c:\windows\system32\dllcache\msmpu401.sys
2010-02-21 18:29 . 2001-08-17 18:52 7424 ----a-w- c:\windows\system32\dllcache\mammoth.sys
2010-02-21 18:28 . 2008-04-14 01:11 48640 ----a-w- c:\windows\system32\dllcache\kdsui.dll
2010-02-21 18:27 . 2001-08-18 03:36 20480 ----a-w- c:\windows\system32\dllcache\icam5ext.dll
2010-02-21 18:26 . 2001-08-17 18:28 488383 ----a-w- c:\windows\system32\dllcache\hsf_v124.sys
2010-02-21 18:25 . 2001-08-18 03:36 93696 ----a-w- c:\windows\system32\dllcache\hpgt42.dll
2010-02-21 18:24 . 2001-08-18 03:36 92160 ----a-w- c:\windows\system32\dllcache\fuusd.dll
2010-02-21 18:23 . 2004-08-04 11:00 57856 ----a-w- c:\windows\system32\dllcache\esuimgd.dll
2010-02-21 18:22 . 2001-08-17 17:11 69194 ----a-w- c:\windows\system32\dllcache\el656cd5.sys
2010-02-21 18:21 . 2001-08-18 03:36 131156 ----a-w- c:\windows\system32\dllcache\digidbp.dll
2010-02-21 18:20 . 2001-08-17 17:11 39936 ----a-w- c:\windows\system32\dllcache\cnxt1803.sys
2010-02-21 18:19 . 2001-08-17 18:51 13824 ----a-w- c:\windows\system32\dllcache\bulltlp3.sys
2010-02-21 18:18 . 2001-08-18 03:36 87552 ----a-w- c:\windows\system32\dllcache\avmcoxp.dll
2010-02-21 18:17 . 2004-08-04 03:32 84480 ----a-w- c:\windows\system32\dllcache\ac97via.sys
2010-02-21 18:17 . 2001-08-17 17:20 297728 ----a-w- c:\windows\system32\dllcache\ac97sis.sys
2010-02-21 18:17 . 2001-08-17 17:20 96256 ----a-w- c:\windows\system32\dllcache\ac97intc.sys
2010-02-21 18:17 . 2004-08-04 03:32 231552 ----a-w- c:\windows\system32\dllcache\ac97ali.sys
2010-02-21 18:17 . 2001-08-18 03:36 462848 ----a-w- c:\windows\system32\dllcache\a3dapi.dll
2010-02-21 18:17 . 2008-04-13 19:46 48128 ----a-w- c:\windows\system32\dllcache\61883.sys
2010-02-21 18:17 . 2001-08-17 19:55 38400 ----a-w- c:\windows\system32\dllcache\8514a.dll
2010-02-21 18:17 . 2008-04-13 19:40 12288 ----a-w- c:\windows\system32\dllcache\4mmdat.sys
2010-02-21 18:17 . 2001-08-17 17:48 148352 ----a-w- c:\windows\system32\dllcache\3dfxvsm.sys
2010-02-21 18:17 . 2001-08-17 19:55 689216 ----a-w- c:\windows\system32\dllcache\3dfxvs.dll
2010-02-21 18:17 . 2001-08-17 18:28 762780 ----a-w- c:\windows\system32\dllcache\3cwmcru.sys
2010-02-21 18:17 . 2008-04-13 19:46 53376 ----a-w- c:\windows\system32\dllcache\1394bus.sys
2010-02-21 18:17 . 2001-08-17 19:06 11264 ----a-w- c:\windows\system32\dllcache\1394vdbg.sys
2010-02-21 18:16 . 2001-08-17 19:56 66048 ----a-w- c:\windows\system32\dllcache\s3legacy.dll
2010-02-20 07:26 . 2010-02-20 07:26 101112 ----a-w- c:\documents and settings\Kat***** *******\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-17 18:22 . 2010-02-17 18:22 43008 ----a-w- c:\windows\system32\akquyl.dll
2010-02-16 16:04 . 2010-02-16 16:04 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-02-13 18:15 . 2010-02-13 18:15 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-02-10 12:03 . 2009-08-04 14:20 2066048 ----a-w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-10 12:03 . 2009-08-05 00:44 2189184 ----a-w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-02-10 12:03 . 2009-08-04 15:13 2145280 ----a-w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-10 12:03 . 2009-08-04 15:13 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2010-02-10 12:03 . 2009-08-04 14:20 2023936 ----a-w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-02-10 12:03 . 2009-08-04 14:20 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2010-02-05 16:37 . 2010-02-05 16:38 -------- d-----w- c:\program files\WildTangent

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-28 06:18 . 2005-01-15 07:15 -------- d-----w- c:\program files\McAfee
2010-02-28 00:57 . 2008-04-13 19:40 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-02-27 17:12 . 2004-12-29 08:26 -------- d-----w- c:\program files\Viewpoint
2010-02-27 11:59 . 2004-12-29 08:26 -------- d-----w- c:\program files\QuickTime
2010-02-27 11:43 . 2004-12-29 08:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-02-15 20:32 . 2009-12-18 03:02 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-02-15 17:48 . 2005-05-07 14:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Retrospect
2010-02-04 17:21 . 2009-12-02 06:22 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-01-28 23:00 . 2005-03-01 13:30 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-28 22:52 . 2010-01-28 22:52 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-01-28 21:23 . 2010-01-28 21:23 1956528 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2010-01-28 10:28 . 2010-01-28 10:28 -------- d-----w- c:\documents and settings\Kat***** *******\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2010-01-27 10:46 . 2009-12-02 06:23 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-01-24 16:44 . 2007-10-24 23:50 -------- d-----w- c:\documents and settings\Kat***** *******\Application Data\Yammy
2010-01-24 16:32 . 2009-09-16 08:25 -------- d-----w- c:\program files\Super Yahoo Messenger Archive Decoder
2010-01-24 14:15 . 2010-01-24 14:15 1406 ----a-r- c:\documents and settings\Kat***** *******\Application Data\Microsoft\Installer\{AEF5105C-B29A-4D58-BF09-C5522CE93FFE}\_43f8711.exe
2010-01-24 14:15 . 2010-01-24 14:15 -------- d-----w- c:\program files\YArchiveViewerWB
2010-01-23 07:09 . 2004-12-29 08:15 -------- d-----w- c:\program files\Common Files\Java
2010-01-23 07:09 . 2010-01-23 07:09 348160 ----a-w- c:\documents and settings\Kat***** *******\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-19c41024-n\msvcr71.dll
2010-01-23 07:09 . 2010-01-23 07:09 503808 ----a-w- c:\documents and settings\Kat***** *******\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-19c41024-n\msvcp71.dll
2010-01-23 07:09 . 2010-01-23 07:09 61440 ----a-w- c:\documents and settings\Kat***** *******\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-60983f70-n\decora-sse.dll
2010-01-23 07:09 . 2010-01-23 07:09 499712 ----a-w- c:\documents and settings\Kat***** *******\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-19c41024-n\jmc.dll
2010-01-23 07:09 . 2010-01-23 07:09 12800 ----a-w- c:\documents and settings\Kat***** *******\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-60983f70-n\decora-d3d.dll
2010-01-23 07:09 . 2004-12-29 08:15 -------- d-----w- c:\program files\Java
2010-01-23 03:24 . 2009-12-02 04:30 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-16 06:53 . 2009-10-03 10:44 -------- d-----w- c:\program files\Nailwarebytes' Anti-Malware
2010-01-16 06:53 . 2009-12-06 05:38 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-12 06:17 . 2009-12-29 01:41 -------- d-----w- c:\documents and settings\Kat***** *******\Application Data\Move Networks
2010-01-12 06:16 . 2009-12-29 01:41 144160 ----a-w- c:\documents and settings\Kat***** *******\Application Data\Move Networks\uninstall.exe
2010-01-12 06:16 . 2009-12-10 19:26 4187512 ----a-w- c:\documents and settings\Kat***** *******\Application Data\Move Networks\plugins\npqmp071505000011.dll
2010-01-10 04:39 . 2004-12-29 08:16 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-10 04:29 . 2010-01-10 04:29 -------- d-----w- c:\program files\Microsoft Reader
2010-01-10 03:12 . 2008-01-13 12:50 -------- d-----w- c:\documents and settings\Kat***** *******\Application Data\uTorrent
2010-01-10 00:06 . 2008-01-13 12:50 -------- d-----w- c:\program files\uTorrent
2010-01-08 09:34 . 2010-01-08 09:34 -------- d-----w- c:\documents and settings\Kat***** *******\Application Data\New Folder
2010-01-07 21:07 . 2009-09-28 06:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2009-09-28 06:37 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-05 10:00 . 2004-08-04 11:00 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-04 11:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-04 11:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2004-08-04 11:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-17 22:14 . 2009-09-03 10:15 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-16 18:43 . 2006-11-15 10:41 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-04 11:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-10 19:27 . 2009-12-10 19:27 97144 ----a-w- c:\documents and settings\Kat***** *******\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-12-04 18:22 . 2004-08-04 11:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-30 13:39 . 2009-09-28 08:29 3695616 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2009-11-30 13:39 . 2009-09-28 08:29 2353992 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-09-16 09:31 . 2009-09-16 09:31 16544 ----a-w- c:\program files\Common Files\iqikocobum.dat
2007-03-25 16:58 . 2009-04-25 07:45 82090337 ----a-w- c:\program files\rn73dlx_16lang.exe
2007-03-25 16:21 . 2009-04-25 07:45 270 ----a-w- c:\program files\Read Me First!!!.txt
2005-10-14 04:55 . 2005-10-14 04:55 774144 -c--a-w- c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-02-28_04.22.11 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-28 06:18 . 2010-02-28 06:18 16384 c:\windows\Temp\Perflib_Perfdata_764.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2003-10-02 98304]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"DelayShred"="c:\program files\mcafee.com\shredder\SHRED32.EXE" [2005-07-15 57344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-11-16 127035]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"P17Helper"="P17.dll" [2005-05-03 64512]
"SetIcon"="\Program Files\WDC\SetIcon.exe" [2004-04-28 42496]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\SYSTEM32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2004-09-15 07:01 86016 ----a-w- c:\program files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2004-10-12 22:54 57344 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
2003-09-04 02:12 221184 -c--a-w- c:\program files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-07-27 20:50 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-01-11 20:21 246504 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 07:00 90112 -c----w- c:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2007-08-30 21:43 4670704 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" /background
"GetModule18"="c:\program files\GetModule\GetModule18.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"WD Button Manager"=WDBtnMgr.exe
"RealTray"=c:\program files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\WinRAR\\WinRAR.exe"=
"c:\\Program Files\\Creative\\Sound Blaster Live! 24-bit\\Diagnostics\\diagnos3.exe"=
"c:\\Program Files\\Creative\\Sound Blaster Live! 24-bit\\Equalizer\\CTEQ.exe"=
"c:\\Program Files\\Creative\\Sound Blaster Live! 24-bit\\MiniDisc\\CTMDCen.exe"=
"c:\\Program Files\\Creative\\Sound Blaster Live! 24-bit\\Program\\Restore.exe"=
"c:\\Program Files\\Creative\\Sound Blaster Live! 24-bit\\Speaker Settings\\SpkSet.exe"=
"c:\\Program Files\\Creative\\Sound Blaster Live! 24-bit\\Surround Mixer\\SurMixer.exe"=
"c:\\Program Files\\Creative\\Sound Blaster Live! 24-bit\\WaveStudio\\CtWave32.exe"=
"c:\\Program Files\\McAfee\\MSC\\mcshell.exe"=
"c:\\Program Files\\McAfee.com\\Shredder\\Shred32.exe"=
"c:\\Program Files\\Outlook Express\\MSIMN.EXE"=
"c:\\Program Files\\Windows NT\\Pinball\\PINBALL.EXE"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\Sienna\\Starry Night Bundle Edition\\starrynight.exe"=
"c:\\Program Files\\Spybot - Search & Destroy\\SpybotSD.exe"=
"c:\\Program Files\\Spybot - Search & Destroy\\SDUpdate.exe"=
"c:\\WINDOWS\\SYSTEM32\\SPIDER.EXE"=
"c:\\Program Files\\deepinvent\\MailStore Home\\MailStoreLocal.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [9/28/2009 3:30 AM 64160]
S2 0202661267335923mcinstcleanup;McAfee Application Installer Cleanup (0202661267335923);c:\windows\TEMP\020266~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\020266~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S2 zswqjaf;zswqjaf;\??\c:\windows\system32\drivers\zaqbutwx.sys --> c:\windows\system32\drivers\zaqbutwx.sys [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 9:49 AM 1028432]
S4 sdAuxService;PC Tools Auxiliary Service;f:\program files\Spyware Doctor\pctsAuxs.exe --> f:\program files\Spyware Doctor\pctsAuxs.exe [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - 0202661267335923MCINSTCLEANUP
.
Contents of the 'Scheduled Tasks' folder

2010-02-16 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-06-10 16:22]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://www.comcast.net/
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
IE: &Download by Orbit
IE: &Grab video by Orbit
IE: &Yahoo! Search
IE: Do&wnload selected by Orbit
IE: Down&load all by Orbit
IE: E&xport to Microsoft Excel
IE: Yahoo! &Dictionary
IE: Yahoo! &Maps
IE: Yahoo! &SMS
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-28 07:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1684424257-2583858332-3864400153-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2010-02-28 07:42:16
ComboFix-quarantined-files.txt 2010-02-28 12:42
ComboFix2.txt 2010-02-28 04:25

Pre-Run: 33,358,372,864 bytes free
Post-Run: 33,321,881,600 bytes free

- - End Of File - - C0D37369F9C478696614D00424FC4BF8


Now for the 'ESET' Scan results ... (wait are you smilin' and havin' a good day? .. if so we can continue) smile.gif

QUOTE

ESET Scan Results:

C:\Documents and Settings\Kat***** *******\My Documents\exe's-BURNED\testmh-repair.exe Win32/Adware.ErrorRepairPro application deleted - quarantined
C:\Documents and Settings\Kat***** *******\My Documents\exe's-BURNED\NEW\Trend_Micro_Internet_Security_Pro_2010_v17.50.0.1366.rar probably a variant of Win32/Agent trojan deleted - quarantined


Looking forward to the next instructions you have .. (this is fun .. seeing and learnin'!)

Kat smile.gif



#11 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:02:31 AM

Posted 28 February 2010 - 03:53 PM

ESET's results show where the infection probably began.

There's still a dat file to delete

Use Windows Explorer to find and delete this file:

c:\program files\Common Files\iqikocobum.dat

As an example:
To delete C:\WINDOWS\badfile.dll
Double click the My Computer icon on your Desktop. Or click on the Windows KEY + E.
Double click on Local Disc (C:\)
Double click on the Windows folder,
Right click on badfile.dll and then from the menu that appears, click on Delete



Finally run MBAM


Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

Thanks, nearly there smile.gif
Posted Image
m0le is a proud member of UNITE

#12 NCKitkat63

NCKitkat63
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:09:31 PM

Posted 01 March 2010 - 11:44 PM

Hi m0le,

Sorry I didn't get a chance to get back with you and do your instructions yesterday. I didn't have internet service access. Anyway, I've deleted the *.dat file you mentioned and am now scanning with Mbam.exe. Will post the report as soon as it finishes.

Thank you again for your time and assistance,

Kat smile.gif

#13 NCKitkat63

NCKitkat63
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:09:31 PM

Posted 02 March 2010 - 12:10 AM

Howdy again, m0le,

Here is the mbam log.
------------------------------------------------------------------------------------------------------------------------------------------------------
Malwarebytes' Anti-Malware 1.44
Database version: 3811
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

3/1/2010 11:54:17 PM
mbam-log-2010-03-01 (23-54-17).txt

Scan type: Full Scan (C:\|)
Objects scanned: 203729
Time elapsed: 34 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{532d5848-2e87-4af0-a4cd-4f9857ac0b6d} (Password.Stealer) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\akquyl.dll (Password.Stealer) -> Quarantined and deleted successfully.
----------------------------------------------------------------------------------------------------------------------------------------------------

Thanks,

Kat smile.gif

#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:02:31 AM

Posted 02 March 2010 - 07:42 AM

That's looking good.

How is the machine running?
Posted Image
m0le is a proud member of UNITE

#15 NCKitkat63

NCKitkat63
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:09:31 PM

Posted 03 March 2010 - 02:58 AM

Hi m0le,

My machine is running much better! Thank you!! However I have several questions for you now.

1. I have folders/files that still exist that I'm pretty sure I can delete. Yet I didn't want to do that until I asked you about them. Main reason being, even though they're not detected as issues I know they were associated with the infection in some way and I hope that they do not have others files associated with them somewhere, too.

These folders exist with new names because they were ones that appeared in the folder name form after I attempted to delete the 'original' folders. The 'normal' ones being 'Temp Internet Files' and 'History' and they would multiply continously if I was online and I would get McAfee alerts like crazy. The 'original' folders do exist still, too.

Folders under
C:\ D&S\Kat\Local Settings\TEMPOR~1.SH!
C:\ D&S\Kat\Local Settings\History.SH!
**They both contain a 'index.dat' file**

So is it safe to delete the others and *still* feel as though my system is clean?

2. Maybe I'm paranoid but there is a long file name (with letter and numbers) that to me seems to be a new *.ini file (even though the dates do not reflect it) @ C:\ D&S\Kat\Local Settings\App.. Data .. that's an *.ini file. I could be wrong about this one, but I would like to know how I can/could research it to know.

3. Also, when I was trying to find and delete the files that kept multiplying (prior to posting for help here) I requested
that numerous files be sent to 'McAfee Shredder.' Several of the folders/files required that I re-boot to complete the shreddin'. In McAfee terms they call it 'delay shred' in the start-up. Anyway, I feel as though part of the infection I had disabled that command
in some way and I'd like to know how to correct it. It shows the command still exist in 'start-up' and reads as follows in my
registry:

Located: HK_CU:RunOnce, DelayShred
where: S-1-5-21-1684424257-2583858332-3864400153-1006...
command: "c:\program files\mcafee.com\shredder\SHRED32.EXE" /q C:\WINDOWS\Temp\MC9010~1.SH! C:\WINDOWS\Temp\MC1593~1.SH! C:\DOCUME~1\KATHLE~1\LOCALS~1\temp\MPC9F.SH! C:\DOCUME~1\KATHLE~1\LOCALS~1\temp\~DF3ADA.SH! C:\DOCUME~1\KATHLE~1\LOCALS~1\temp\~DF3ACD.SH! C:\WINDOWS\Temp\PEA8D4~1.SH! C:\DOCUME~1\NETWOR~1\LOCALS~1\TEMPOR~1\Content.IE5\I86902NP.SH! C:\DOCUME~1\NETWOR~1\LOCALS~1\TEMPOR~1\Content.IE5\DAKZW2NQ.SH! C:\DOCUME~1\NETWOR~1\LOCALS~1\TEMPOR~1\Content.IE5\HQKO6EP9.SH! C:\DOCUME~1\KATHLE~1\LOCALS~1\temp\MC5FAE~1.SH! C:\DOCUME~1\KATHLE~1\LOCALS~1\temp\MC5136~1.SH! C:\DOCUME~1\KATHLE~1\LOCALS~1\temp\MCMSC_~4.SH! C:\DOCUME~1\KATHLE~1\LOCALS~1\temp\MCMSC_~3.SH! C:\DOCUME~1\NETWOR~1\LOCALS~1\TEMPOR~1\Content.IE5\index.SH! C:\DOCUME~1\BILLSW~1\LOCALS~1\TEMPOR~1\Content.IE5\index.SH! C:\DOCUME~1\NETWOR~1\Cookies\index.SH! C:\DOCUME~1\NETWOR~1\LOCALS~1\History\History.IE5\index.SH! C:\DOCUME~1\KATHLE~1\LOCALS~1\History.SH! C:\DOCUME~1\KATHLE~1\Cookies\INDEX.SH! C:\DOCUME~1\KATHLE~1\LOCALS~1\History\History.IE5\index.SH! C:\DOCUME~1\KATHLE~1\LOCALS~1\APPLIC~1\MICROS~1\Windows\UsrClass.SH! C:\DOCUME~1\NETWOR~1\LOCALS~1\TEMPOR~1\Content.IE5\RRV6E8Y6.SH! C:\DOCUME~1\NETWOR~1\LOCALS~1\TEMPOR~1\Content.IE5\W5BHVOFX.SH! C:\DOCUME~1\NETWOR~1\LOCALS~1\TEMPOR~1\Content.IE5\RRV6E8Y6\SEARCH~1.SH! C:\DOCUME~1\NETWOR~1\LOCALS~1\TEMPOR~1\Content.IE5\W5BHVOFX\HUUFCA~1.SH! C:\DOCUME~1\NETWOR~1\LOCALS~1\TEMPOR~1\Content.IE5\W5BHVOFX\J7HUCA~1.SH! C:\DOCUME~1\NETWOR~1\LOCALS~1\TEMPOR~1\Content.IE5\W5BHVOFX\IND474~1.SH! C:\DOCUME~1\NETWOR~1\LOCALS~1\TEMPOR~1\Content.IE5\W5BHVOFX\IND074~1.SH! C:\DOCUME~1\NETWOR~1\LOCALS~1\TEMPOR~1\Content.IE5\W5BHVOFX\INDC64~1.SH! C:\DOCUME~1\LOCALS~1\LOCALS~1\TEMPOR~1\Content.IE5\index.SH! C:\DOCUME~1\LOCALS~1\LOCALS~1\History.SH! C:\DOCUME~1\LOCALS~1\LOCALS~1\TEMPOR~1.SH! C:\DOCUME~1\LOCALS~1\LOCALS~1\History\History.IE5\INDEX.SH! C:\DOCUME~1\KATHLE~1\LOCALS~1\TEMPOR~1.SH! C:\WINDOWS\Temp\MC319D~1.SH! C:\WINDOWS\Temp\PEB1A7~1.SH! C:\WINDOWS\Temp\MC8992~1.SH! C:\WINDOWS\Temp\MC5F90~1.SH! C:\WINDOWS\Temp\MC7FA4~1.SH!
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

4. Last but not least, the most important question is .. Since we seem to have fixed my machine and I know I've backed up the stuff I have on this 'C:' drive numerous times, and on numerous external hard drives, what should I know/do before booting them up, (knowing they are infected probably) and what procedures should I follow once I do boot them up to remove the infections?

I would like to thank you again for your time and assistance, m0le!! This forum is great and the people here that assist others are awesome. (There are great and helpful people in the world!) thumbup.gif I sure hope that many of the ones that come here for assistance appreciate you/y'all as much as I do!! clapping.gif

Have a wonderful day and smile,
Kat smile.gif






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users