
Help, I apparently have an olmarik trojan in my win 32 file


This topic is locked
8 replies to this topic

#1 puckhead


Posted 01 April 2010 - 04:46 PM

My NOD32 AV detects an Olmarik trojan in my win 32 file but it can't remove it. I have already run ATF, SDFix, SAS, and SmitfraudFix but it's still there. What should I do? Included are the DDS report and the GMER log.

thanks in advance

ken



DDS (Ver_10-03-17.01) - NTFSx86
Run by ken at 21:06:33.46 on Tue 03/30/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1592 [GMT -6:00]

AV: ESET NOD32 Antivirus 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Turbine\Turbine Download Manager - Bullroarer\TurbineDownloadManagerIcon.exe
C:\WINDOWS\system32\PROMon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
svchost.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Turbine\Turbine Download Manager - Bullroarer\TurbineMessageService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Turbine\Turbine Download Manager - Bullroarer\TurbineNetworkService.exe
C:\Documents and Settings\ken\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.comcast.net?cid=103109
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
uURLSearchHooks: H - No File
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - No File
TB: {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - No File
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Turbine Download Manager Tray Icon] "c:\program files\turbine\turbine download manager - bullroarer\TurbineDownloadManagerIcon.exe"
mRun: [PROMon.exe] PROMon.exe
mRun: [nwiz] nwiz.exe /install
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
mRun: [EPSON Stylus CX3200] c:\windows\system32\spool\drivers\w32x86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [CTHelper] CTHELPER.EXE
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
mPolicies-explorer: <NO NAME> =
mPolicies-system: EnableLUA = 0 (0x0)
dPolicies-explorer: DisallowRun = 1 (0x1)
dPolicies-disallowrun: 1 = opera.exe
dPolicies-disallowrun: 2 = firefox.exe
dPolicies-disallowrun: 3 = chrome.exe
IE: &Search
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} - hxxp://www.worldwinner.com/games/v46/scrabblecubes/scrabblecubes.cab
DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} - hxxp://housecall60.trendmicro.com/housecall/xscan60.cab
DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - hxxp://www.creative.com/su/ocx/15031/CTSUEng.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {1D082E71-DF20-4AAF-863B-596428C49874} - hxxp://www.worldwinner.com/games/v50/tpir/tpir.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} - hxxps://support.microsoft.com/OAS/ActiveX/odc.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120676994187
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143777018421
DPF: {7CCAD6DD-DD0B-440B-91FF-7670F5AADC21} - hxxp://playgames.comcast.net/online2/mystery_solitaire/SpinTopGamesLauncher.cab
DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://comcast.oberon-media.com/online2/luxor_amun_rising/mjolauncher.cab
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {93CEA8A4-6059-4E0B-ADDD-73848153DD5E} - hxxp://support.gateway.com/eSupport/static/weblaunch/weblaunch.cab
DPF: {94299420-321F-4FF9-A247-62A23EBB640B} - hxxp://www.worldwinner.com/games/v46/wordmojo/wordmojo.cab
DPF: {97438FE9-D361-4279-BA82-98CC0877A717} - hxxp://www.worldwinner.com/games/v57/cubis/cubis.cab
DPF: {A219C6A1-B503-42A9-95DC-A84B2CC1231F} - hxxp://playgames.comcast.net/online2/asianata/asianata.cab
DPF: {A91FB93D-7561-4524-8484-5C27C8FA8D42} - hxxp://www.worldwinner.com/games/v49/luxor/luxor.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://aolsvc.aol.com/onlinegames/trytwoofakind/zylomgamesplayer.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} - hxxp://www.live365.com/players/play365.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} - hxxp://playgames.comcast.net/online2/gold_fever/goldfever.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E5ABEB00-B357-4884-9949-77B2C71A7EE3} - hxxp://www.intel.com/design/motherbd/boardid/BoardID.cab
DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - hxxp://fdl.msn.com/zone/datafiles/heartbeat.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://connect.jpmorganchase.com/dana-cached/setup/JuniperSetupSP1.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/su/ocx/15034/CTPID.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-4-9 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-4-9 94360]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-4-9 731840]
R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2010-3-14 665008]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2010-3-14 665008]
R2 PublicPreviewTurbineMessageService;Turbine Message Service - PublicPreview;c:\program files\turbine\turbine download manager - bullroarer\TurbineMessageService.exe [2009-12-9 271856]
R3 PublicPreviewTurbineNetworkService;Turbine Network Service - PublicPreview;c:\program files\turbine\turbine download manager - bullroarer\TurbineNetworkService.exe [2009-12-9 218608]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S2 gupdate1ca10b0796a5742;Google Update Service (gupdate1ca10b0796a5742);c:\program files\google\update\GoogleUpdate.exe [2009-7-29 133104]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]

============== File Associations ===============

JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1

=============== Created Last 30 ================

2010-03-31 03:03:06 0 ----a-w- c:\documents and settings\ken\defogger_reenable
2010-03-31 02:22:47 2502 ----a-w- c:\windows\system32\tmp.reg
2010-03-31 00:15:03 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-03-31 00:14:50 0 d-----w- c:\program files\SUPERAntiSpyware
2010-03-31 00:14:50 0 d-----w- c:\docume~1\ken\applic~1\SUPERAntiSpyware.com
2010-03-31 00:14:35 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-03-30 23:47:09 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2010-03-30 23:42:18 0 d-----w- c:\windows\ERUNT
2010-03-30 23:38:49 0 d-----w- C:\SDFix
2010-03-29 17:24:00 0 d-----w- c:\docume~1\ken\applic~1\Malwarebytes
2010-03-29 17:23:56 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 17:23:54 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-29 17:23:54 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-03-29 17:23:53 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-22 01:21:05 0 d-----w- c:\program files\ESET
2010-03-21 23:50:35 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-03-21 22:17:16 0 d-----w- c:\program files\Lavasoft
2010-03-14 21:55:15 93096 ----a-w- c:\windows\system32\IncContxMenu.dll
2010-03-14 21:55:15 2164648 ----a-w- c:\windows\system32\Incinerator.dll
2010-03-14 21:53:28 30208 ----a-w- c:\windows\system32\iolobtdfg.exe
2010-03-14 21:53:28 12288 ----a-w- c:\windows\system32\smrgdf.exe
2010-03-14 21:53:02 0 d-----w- c:\program files\iolo
2010-03-11 20:48:59 0 d-sh--w- c:\windows\system32\winsys
2010-03-10 01:25:25 0 d-----w- c:\docume~1\ken\applic~1\.BitTornado
2010-03-10 01:21:18 0 d-----w- c:\program files\BitTornado

==================== Find3M ====================

2010-03-23 21:09:44 39938 -c--a-w- c:\windows\DIIUnin.dat
2010-01-05 10:00:29 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00:20 17408 ----a-w- c:\windows\system32\corpol.dll
2008-10-07 13:07:25 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008100720081008\index.dat

============= FINISH: 21:07:29.78 ===============
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-31 20:12:19
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\ken\LOCALS~1\Temp\ugnyipog.sys


---- System - GMER 1.0.15 ----

SSDT 890EBA20 ZwAssignProcessToJobObject
SSDT 890EC5A0 ZwDebugActiveProcess
SSDT 890EBFD0 ZwDuplicateObject
SSDT 890EB160 ZwOpenProcess
SSDT 890EB460 ZwOpenThread
SSDT 890EBE60 ZwProtectVirtualMemory
SSDT 890EBD00 ZwSetContextThread
SSDT 890EBB80 ZwSetInformationThread
SSDT 890E8A50 ZwSetSecurityObject
SSDT 890EB8C0 ZwSuspendProcess
SSDT 890EB760 ZwSuspendThread
SSDT 890EB2F0 ZwTerminateProcess
SSDT 890EB5F0 ZwTerminateThread
SSDT 890EC3F0 ZwWriteVirtualMemory

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F74C9B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdePort0 [F74C9B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdePort1 [F74C9B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e [F74C9B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}

AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Edited by puckhead, 01 April 2010 - 04:59 PM.
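A small triage script, added here as an example (it is not part of this thread or any BleepingComputer tool), that scans DDS and GMER lines of the kind posted above and flags the entries a helper would check first: the DisallowRun policies against opera.exe, firefox.exe and chrome.exe, the orphaned "No File" entries, the unverifiable Lbd driver entry, and GMER's atapi.sys device-dispatch and "suspicious modification" lines. The sample lines are copied from the logs above; the severity labels are the example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class Finding:
    source: str    # "dds" or "gmer"
    severity: str  # "info", "warn" or "high"
    line: str
    reason: str


# Constructed sample input: a handful of lines copied from the logs posted in
# this thread, with a few ordinary entries kept for contrast.
SAMPLE_DDS = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - No File
mPolicies-system: EnableLUA = 0 (0x0)
dPolicies-explorer: DisallowRun = 1 (0x1)
dPolicies-disallowrun: 1 = opera.exe
dPolicies-disallowrun: 2 = firefox.exe
dPolicies-disallowrun: 3 = chrome.exe
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-4-9 107256]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
"""

SAMPLE_GMER = r"""
AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
Device \Driver\atapi \Device\Ide\IdePort0 [F74C9B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
"""

DISALLOW_RE = re.compile(r"^dPolicies-disallowrun:\s*\d+\s*=\s*(\S+)", re.I)
DISALLOW_ON_RE = re.compile(r"^dPolicies-explorer:\s*DisallowRun\s*=\s*1\b", re.I)
LUA_RE = re.compile(r"^mPolicies-system:\s*EnableLUA\s*=\s*0\b", re.I)
SERVICE_RE = re.compile(r"^[RS]\d\s+([^;]+);([^;]*);(.*)$")
GMER_DEVICE_RE = re.compile(
    r"^Device\s+(\S+)\s+(\S+)\s+\[([0-9A-Fa-f]+)\]\s+(\S+?)\[unknown section\]\s*(\{.*\})?")
GMER_FILE_RE = re.compile(r"^File\s+(.+?)\s+suspicious modification$", re.I)
GMER_ATTACH_RE = re.compile(r"^AttachedDevice\s+\S+\s+\S+\s+(\S+)\s*(\(.*\))?")


def triage_dds(text: str) -> list[Finding]:
    """Scan DDS Pseudo-HJT and service lines for entries worth a closer look."""
    out = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if m := DISALLOW_RE.match(line):
            # Group Policy blocking a specific browser: confirm the user set it.
            out.append(Finding("dds", "high", line,
                               f"DisallowRun policy blocks {m.group(1)}"))
        elif DISALLOW_ON_RE.match(line):
            out.append(Finding("dds", "warn", line,
                               "DisallowRun enabled in the default user policy"))
        elif LUA_RE.match(line):
            out.append(Finding("dds", "info", line,
                               "UAC disabled (no effect on XP, relevant on Vista and later)"))
        elif line.endswith("- No File"):
            out.append(Finding("dds", "info", line,
                               "orphaned registry entry; its file no longer exists"))
        elif (m := SERVICE_RE.match(line)) and m.group(3).endswith("[?]"):
            out.append(Finding("dds", "warn", line,
                               f"driver/service {m.group(1)} whose file DDS could not verify"))
    return out


def triage_gmer(text: str) -> list[Finding]:
    """Scan GMER device/file lines; redirected dispatch pointers rank highest."""
    out = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if m := GMER_DEVICE_RE.match(line):
            drv, dev, addr, image, stub = m.groups()
            # The dispatch pointer for this device resolves to an address that
            # GMER cannot map to a named section of the driver image.
            out.append(Finding("gmer", "high", line,
                               f"{dev} ({drv}) dispatch at {addr}, unmapped section of "
                               f"{image}; disassembly: {stub or 'none'}"))
        elif m := GMER_FILE_RE.match(line):
            out.append(Finding("gmer", "high", line,
                               f"GMER reports {m.group(1)} modified on disk"))
        elif m := GMER_ATTACH_RE.match(line):
            out.append(Finding("gmer", "info", line,
                               f"filter driver {m.group(1)} {m.group(2) or ''} attached"))
    return out


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, e.g. {'high': 5, 'warn': 2, 'info': 3}."""
    return dict(Counter(f.severity for f in findings))


def triage(dds_text: str, gmer_text: str) -> list[Finding]:
    return triage_dds(dds_text) + triage_gmer(gmer_text)


if __name__ == "__main__":
    results = triage(SAMPLE_DDS, SAMPLE_GMER)
    for f in results:
        print(f"[{f.severity:4}] {f.source}: {f.reason}")
    print(summarize(results))
```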



#2 Casey_boy

Malware Response Team

Posted 05 April 2010 - 12:13 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Casey

If I have been helping you and I do not reply within 48 hours, feel free to send me a PM.




#3 puckhead

Topic Starter

Posted 05 April 2010 - 11:33 PM

Thanks for your help. The only 2 things happening are that my browser redirects occasionally and I get a warning on my AV, NOD32:

alert: threat found
object: operating memory
threat: win32/olmarik trojan

DDS (Ver_10-03-17.01) - NTFSx86
Run by ken at 19:25:01.51 on Mon 04/05/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1378 [GMT -6:00]

AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Turbine\Turbine Download Manager - Bullroarer\TurbineDownloadManagerIcon.exe
C:\WINDOWS\system32\PROMon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Turbine\Turbine Download Manager - Bullroarer\TurbineMessageService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\iolo\System Mechanic\SMSystemAnalyzer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\ken\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.comcast.net?cid=103109
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
uURLSearchHooks: H - No File
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - No File
TB: {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - No File
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Turbine Download Manager Tray Icon] "c:\program files\turbine\turbine download manager - bullroarer\TurbineDownloadManagerIcon.exe"
mRun: [PROMon.exe] PROMon.exe
mRun: [nwiz] nwiz.exe /install
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
mRun: [EPSON Stylus CX3200] c:\windows\system32\spool\drivers\w32x86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [CTHelper] CTHELPER.EXE
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
mPolicies-explorer: <NO NAME> =
mPolicies-system: EnableLUA = 0 (0x0)
dPolicies-explorer: DisallowRun = 1 (0x1)
dPolicies-disallowrun: 1 = opera.exe
dPolicies-disallowrun: 2 = firefox.exe
dPolicies-disallowrun: 3 = chrome.exe
IE: &Search
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} - hxxp://www.worldwinner.com/games/v46/scrabblecubes/scrabblecubes.cab
DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} - hxxp://housecall60.trendmicro.com/housecall/xscan60.cab
DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - hxxp://www.creative.com/su/ocx/15031/CTSUEng.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {1D082E71-DF20-4AAF-863B-596428C49874} - hxxp://www.worldwinner.com/games/v50/tpir/tpir.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} - hxxps://support.microsoft.com/OAS/ActiveX/odc.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120676994187
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143777018421
DPF: {7CCAD6DD-DD0B-440B-91FF-7670F5AADC21} - hxxp://playgames.comcast.net/online2/mystery_solitaire/SpinTopGamesLauncher.cab
DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://comcast.oberon-media.com/online2/luxor_amun_rising/mjolauncher.cab
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {93CEA8A4-6059-4E0B-ADDD-73848153DD5E} - hxxp://support.gateway.com/eSupport/static/weblaunch/weblaunch.cab
DPF: {94299420-321F-4FF9-A247-62A23EBB640B} - hxxp://www.worldwinner.com/games/v46/wordmojo/wordmojo.cab
DPF: {97438FE9-D361-4279-BA82-98CC0877A717} - hxxp://www.worldwinner.com/games/v57/cubis/cubis.cab
DPF: {A219C6A1-B503-42A9-95DC-A84B2CC1231F} - hxxp://playgames.comcast.net/online2/asianata/asianata.cab
DPF: {A91FB93D-7561-4524-8484-5C27C8FA8D42} - hxxp://www.worldwinner.com/games/v49/luxor/luxor.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://aolsvc.aol.com/onlinegames/trytwoofakind/zylomgamesplayer.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} - hxxp://www.live365.com/players/play365.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} - hxxp://playgames.comcast.net/online2/gold_fever/goldfever.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E5ABEB00-B357-4884-9949-77B2C71A7EE3} - hxxp://www.intel.com/design/motherbd/boardid/BoardID.cab
DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - hxxp://fdl.msn.com/zone/datafiles/heartbeat.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://connect.jpmorganchase.com/dana-cached/setup/JuniperSetupSP1.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/su/ocx/15034/CTPID.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-4-9 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-4-9 94360]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-4-9 731840]
R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2010-3-14 665008]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2010-3-14 665008]
R2 PublicPreviewTurbineMessageService;Turbine Message Service - PublicPreview;c:\program files\turbine\turbine download manager - bullroarer\TurbineMessageService.exe [2009-12-9 271856]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S2 gupdate1ca10b0796a5742;Google Update Service (gupdate1ca10b0796a5742);c:\program files\google\update\GoogleUpdate.exe [2009-7-29 133104]
S3 PublicPreviewTurbineNetworkService;Turbine Network Service - PublicPreview;c:\program files\turbine\turbine download manager - bullroarer\TurbineNetworkService.exe [2009-12-9 218608]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]

============== File Associations ===============

JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1

=============== Created Last 30 ================

2010-03-31 03:03:06 0 ----a-w- c:\documents and settings\ken\defogger_reenable
2010-03-31 02:22:47 2502 ----a-w- c:\windows\system32\tmp.reg
2010-03-31 00:15:03 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-03-31 00:14:50 0 d-----w- c:\program files\SUPERAntiSpyware
2010-03-31 00:14:50 0 d-----w- c:\docume~1\ken\applic~1\SUPERAntiSpyware.com
2010-03-31 00:14:35 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-03-30 23:47:09 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2010-03-30 23:42:18 0 d-----w- c:\windows\ERUNT
2010-03-30 23:38:49 0 d-----w- C:\SDFix
2010-03-29 17:24:00 0 d-----w- c:\docume~1\ken\applic~1\Malwarebytes
2010-03-29 17:23:56 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 17:23:54 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-29 17:23:54 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-03-29 17:23:53 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-22 01:21:05 0 d-----w- c:\program files\ESET
2010-03-21 23:50:35 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-03-21 22:17:16 0 d-----w- c:\program files\Lavasoft
2010-03-14 21:55:15 93096 ----a-w- c:\windows\system32\IncContxMenu.dll
2010-03-14 21:55:15 2164648 ----a-w- c:\windows\system32\Incinerator.dll
2010-03-14 21:53:28 30208 ----a-w- c:\windows\system32\iolobtdfg.exe
2010-03-14 21:53:28 12288 ----a-w- c:\windows\system32\smrgdf.exe
2010-03-14 21:53:02 0 d-----w- c:\program files\iolo
2010-03-11 20:48:59 0 d-sh--w- c:\windows\system32\winsys
2010-03-10 01:25:25 0 d-----w- c:\docume~1\ken\applic~1\.BitTornado
2010-03-10 01:21:18 0 d-----w- c:\program files\BitTornado

==================== Find3M ====================

2010-03-23 21:09:44 39938 -c--a-w- c:\windows\DIIUnin.dat
2010-03-11 12:38:54 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38:51 17408 ----a-w- c:\windows\system32\corpol.dll
2008-10-07 13:07:25 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008100720081008\index.dat

============= FINISH: 19:25:24.78 ===============

Edited by puckhead, 05 April 2010 - 11:36 PM.


#4 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • Gender:Not Telling

Posted 07 April 2010 - 03:58 AM

Hi puckhead,



Welcome to the BleepingComputer Virus, Trojan, Spyware, and Malware Removal Logs Forum.
My name is sundavis, and I will be helping you to deal with your malware problems today.

Step1
  1. Go to this thread and Download TDSSKiller.zip to your Desktop.
  2. Extract its contents to your desktop and drag TDSSKiller.exe on the desktop, not in the folder.
  3. Start > Run, copy/paste the following bolded command into the Run box and hit Enter.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  4. If TDSSKiller alerts you that the system needs to reboot, please consent.
  5. When done, a log file named "TDSSKiller.txt" should be created on your C: drive; please copy and paste its contents in your next reply.

Step2
  1. If you already have Combofix, please delete that copy and download it again as it's being updated regularly.
  2. Please visit this webpage for download links, and instructions for running the tool:
    http://www.bleepingcomputer.com/combofix/how-to-use-combofix
  3. Note: ComboFix has recently been updated to include the option for installing the Recovery Console automatically. The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
    This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  4. Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.
  5. Click Yes to allow Combofix to continue scanning for malware.
  6. When done, a log will be produced (or locate it in C:\ComboFix.txt). Please post that log in your next reply.
  7. Do not mouse click on Combofix while it is running. That may cause it to stall.

In your next reply, please post back:

1. TDSSKiller.txt
2. ComboFix log

Tell me if you have any remaining issues on your pc.

#5 puckhead

puckhead
  • Topic Starter

  • Members
  • 49 posts

Posted 07 April 2010 - 09:17 AM

Thanks for your help. It appears to be fixed now. Here are the reports you requested. Is there anything else you see that I need to address?

07:34:25:140 3492 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
07:34:25:140 3492 ================================================================================
07:34:25:140 3492 SystemInfo:

07:34:25:140 3492 OS Version: 5.1.2600 ServicePack: 3.0
07:34:25:140 3492 Product type: Workstation
07:34:25:140 3492 ComputerName: HOME-E67EOFTXD1
07:34:25:140 3492 UserName: ken
07:34:25:140 3492 Windows directory: C:\WINDOWS
07:34:25:140 3492 Processor architecture: Intel x86
07:34:25:140 3492 Number of processors: 1
07:34:25:140 3492 Page size: 0x1000
07:34:25:140 3492 Boot type: Normal boot
07:34:25:140 3492 ================================================================================
07:34:25:140 3492 UnloadDriverW: NtUnloadDriver error 2
07:34:25:140 3492 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
07:34:25:375 3492 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
07:34:25:375 3492 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
07:34:25:390 3492 wfopen_ex: Trying to KLMD file open
07:34:25:390 3492 wfopen_ex: File opened ok (Flags 2)
07:34:25:390 3492 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
07:34:25:390 3492 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
07:34:25:390 3492 wfopen_ex: Trying to KLMD file open
07:34:25:390 3492 wfopen_ex: File opened ok (Flags 2)
07:34:25:390 3492 Initialize success
07:34:25:390 3492
07:34:25:390 3492 Scanning Services ...
07:34:25:765 3492 Raw services enum returned 349 services
07:34:25:781 3492
07:34:25:781 3492 Scanning Kernel memory ...
07:34:25:781 3492 Devices to scan: 2
07:34:25:781 3492
07:34:25:781 3492 Driver Name: Disk
07:34:25:781 3492 IRP_MJ_CREATE : F765DBB0
07:34:25:781 3492 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
07:34:25:781 3492 IRP_MJ_CLOSE : F765DBB0
07:34:25:781 3492 IRP_MJ_READ : F7657D1F
07:34:25:781 3492 IRP_MJ_WRITE : F7657D1F
07:34:25:781 3492 IRP_MJ_QUERY_INFORMATION : 804FA88E
07:34:25:781 3492 IRP_MJ_SET_INFORMATION : 804FA88E
07:34:25:781 3492 IRP_MJ_QUERY_EA : 804FA88E
07:34:25:781 3492 IRP_MJ_SET_EA : 804FA88E
07:34:25:781 3492 IRP_MJ_FLUSH_BUFFERS : F76582E2
07:34:25:781 3492 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
07:34:25:781 3492 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
07:34:25:781 3492 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
07:34:25:781 3492 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
07:34:25:781 3492 IRP_MJ_DEVICE_CONTROL : F76583BB
07:34:25:781 3492 IRP_MJ_INTERNAL_DEVICE_CONTROL : F765BF28
07:34:25:781 3492 IRP_MJ_SHUTDOWN : F76582E2
07:34:25:781 3492 IRP_MJ_LOCK_CONTROL : 804FA88E
07:34:25:781 3492 IRP_MJ_CLEANUP : 804FA88E
07:34:25:781 3492 IRP_MJ_CREATE_MAILSLOT : 804FA88E
07:34:25:781 3492 IRP_MJ_QUERY_SECURITY : 804FA88E
07:34:25:781 3492 IRP_MJ_SET_SECURITY : 804FA88E
07:34:25:781 3492 IRP_MJ_POWER : F7659C82
07:34:25:781 3492 IRP_MJ_SYSTEM_CONTROL : F765E99E
07:34:25:781 3492 IRP_MJ_DEVICE_CHANGE : 804FA88E
07:34:25:781 3492 IRP_MJ_QUERY_QUOTA : 804FA88E
07:34:25:781 3492 IRP_MJ_SET_QUOTA : 804FA88E
07:34:25:796 3492 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
07:34:25:796 3492
07:34:25:796 3492 Driver Name: atapi
07:34:25:796 3492 IRP_MJ_CREATE : F74C9B3A
07:34:25:796 3492 IRP_MJ_CREATE_NAMED_PIPE : F74C9B3A
07:34:25:796 3492 IRP_MJ_CLOSE : F74C9B3A
07:34:25:796 3492 IRP_MJ_READ : F74C9B3A
07:34:25:796 3492 IRP_MJ_WRITE : F74C9B3A
07:34:25:796 3492 IRP_MJ_QUERY_INFORMATION : F74C9B3A
07:34:25:796 3492 IRP_MJ_SET_INFORMATION : F74C9B3A
07:34:25:796 3492 IRP_MJ_QUERY_EA : F74C9B3A
07:34:25:796 3492 IRP_MJ_SET_EA : F74C9B3A
07:34:25:796 3492 IRP_MJ_FLUSH_BUFFERS : F74C9B3A
07:34:25:796 3492 IRP_MJ_QUERY_VOLUME_INFORMATION : F74C9B3A
07:34:25:796 3492 IRP_MJ_SET_VOLUME_INFORMATION : F74C9B3A
07:34:25:796 3492 IRP_MJ_DIRECTORY_CONTROL : F74C9B3A
07:34:25:796 3492 IRP_MJ_FILE_SYSTEM_CONTROL : F74C9B3A
07:34:25:796 3492 IRP_MJ_DEVICE_CONTROL : F74C9B3A
07:34:25:796 3492 IRP_MJ_INTERNAL_DEVICE_CONTROL : F74C9B3A
07:34:25:796 3492 IRP_MJ_SHUTDOWN : F74C9B3A
07:34:25:796 3492 IRP_MJ_LOCK_CONTROL : F74C9B3A
07:34:25:796 3492 IRP_MJ_CLEANUP : F74C9B3A
07:34:25:796 3492 IRP_MJ_CREATE_MAILSLOT : F74C9B3A
07:34:25:796 3492 IRP_MJ_QUERY_SECURITY : F74C9B3A
07:34:25:796 3492 IRP_MJ_SET_SECURITY : F74C9B3A
07:34:25:796 3492 IRP_MJ_POWER : F74C9B3A
07:34:25:796 3492 IRP_MJ_SYSTEM_CONTROL : F74C9B3A
07:34:25:796 3492 IRP_MJ_DEVICE_CHANGE : F74C9B3A
07:34:25:796 3492 IRP_MJ_QUERY_QUOTA : F74C9B3A
07:34:25:796 3492 IRP_MJ_SET_QUOTA : F74C9B3A
07:34:25:796 3492 Driver "atapi" infected by TDSS rootkit!
07:34:25:812 3492 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
07:34:25:812 3492 File "C:\WINDOWS\system32\DRIVERS\atapi.sys" infected by TDSS rootkit ...
07:34:25:812 3492 Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
07:34:25:812 3492 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
07:34:26:046 3492 vfvi6
07:34:26:140 3492 !dsvbh1
07:34:28:484 3492 dsvbh2
07:34:28:484 3492 fdfb2
07:34:28:484 3492 Backup copy found, using it..
07:34:28:718 3492 will be cured on next reboot
07:34:28:718 3492 Reboot required for cure complete..
07:34:28:921 3492 Cure on reboot scheduled successfully
07:34:28:921 3492
07:34:28:921 3492 Completed
07:34:28:921 3492
07:34:28:921 3492 Results:
07:34:28:921 3492 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
07:34:28:921 3492 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
07:34:28:921 3492 File objects infected / cured / cured on reboot: 1 / 0 / 1
07:34:28:921 3492
07:34:28:921 3492 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
07:34:28:921 3492 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
07:34:28:921 3492 UnloadDriverW: NtUnloadDriver error 1
07:34:28:921 3492 KLMD(ARK) unloaded successfully


ComboFix 10-04-06.04 - ken 04/07/2010 7:51.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1595 [GMT -6:00]
Running from: c:\documents and settings\ken\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\ken\Local Settings\Temporary Internet Files\search.html
c:\documents and settings\ken\Local Settings\Temporary Internet Files\temp.cab
c:\program files\Common Files\Uninstall
c:\program files\QUAD Utilities
c:\program files\QUAD Utilities\QUAD Registry Cleaner\Vista Scheduler.dll
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\patch.exe
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\drivers\ndisrd.sys
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\ndisapi.dll
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\winsys
c:\windows\system32\WS2Fix.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NDISRD
-------\Service_NDISRD


((((((((((((((((((((((((( Files Created from 2010-03-07 to 2010-04-07 )))))))))))))))))))))))))))))))
.

2010-03-31 00:22 . 2010-03-31 00:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-03-31 00:15 . 2010-03-31 00:15 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-03-31 00:14 . 2010-03-31 00:14 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-03-31 00:14 . 2010-03-31 00:14 -------- d-----w- c:\documents and settings\ken\Application Data\SUPERAntiSpyware.com
2010-03-31 00:14 . 2010-03-31 00:14 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-03-30 23:47 . 2010-03-30 23:47 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2010-03-30 23:42 . 2010-03-30 23:42 -------- d-----w- c:\windows\ERUNT
2010-03-30 23:38 . 2010-03-31 00:10 -------- d-----w- C:\SDFix
2010-03-29 22:02 . 2010-03-29 22:02 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2010-03-29 17:24 . 2010-03-29 17:24 -------- d-----w- c:\documents and settings\ken\Application Data\Malwarebytes
2010-03-29 17:23 . 2010-03-30 06:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 17:23 . 2010-03-30 06:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-29 17:23 . 2010-03-29 17:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-29 17:23 . 2010-03-31 02:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-22 01:21 . 2010-03-29 22:02 -------- d-----w- c:\program files\ESET
2010-03-22 00:25 . 2010-03-22 00:25 -------- d-----w- c:\documents and settings\ken\Local Settings\Application Data\Deployment
2010-03-21 23:50 . 2010-03-21 23:50 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-03-21 22:17 . 2010-03-29 22:08 -------- d-----w- c:\program files\Lavasoft
2010-03-18 00:13 . 2010-03-24 19:19 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2010-03-14 22:06 . 2010-03-14 22:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\iolo
2010-03-14 21:55 . 2010-02-09 23:02 93096 ----a-w- c:\windows\system32\IncContxMenu.dll
2010-03-14 21:55 . 2010-02-09 23:01 2164648 ----a-w- c:\windows\system32\Incinerator.dll
2010-03-14 21:53 . 2010-01-28 23:13 30208 ----a-w- c:\windows\system32\iolobtdfg.exe
2010-03-14 21:53 . 2010-01-28 23:13 12288 ----a-w- c:\windows\system32\smrgdf.exe
2010-03-14 21:53 . 2010-03-14 21:53 -------- d-----w- c:\program files\iolo
2010-03-10 01:25 . 2010-03-10 01:25 -------- d-----w- c:\documents and settings\ken\Application Data\.BitTornado
2010-03-10 01:21 . 2010-03-10 01:21 -------- d-----w- c:\program files\BitTornado

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-07 13:35 . 2002-09-03 13:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-07 04:03 . 2005-01-15 02:28 -------- d-----w- c:\program files\Diablo II
2010-03-31 02:25 . 2010-03-31 02:25 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-31 00:23 . 2010-03-31 00:23 52224 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-03-31 00:23 . 2010-03-31 00:23 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-03-31 00:15 . 2010-03-31 00:15 52224 ----a-w- c:\documents and settings\ken\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-03-31 00:15 . 2010-03-31 00:15 117760 ----a-w- c:\documents and settings\ken\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-03-29 22:11 . 2007-05-26 01:14 -------- d-----w- c:\program files\MySpace
2010-03-29 22:08 . 2009-02-17 05:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-03-23 21:09 . 2005-01-15 02:34 39938 -c--a-w- c:\windows\DIIUnin.dat
2010-03-14 22:16 . 2009-07-25 21:18 -------- d-----w- c:\documents and settings\All Users\Application Data\iolo
2010-03-14 22:13 . 2009-07-25 21:29 1511 ----a-w- c:\documents and settings\ken\Application Data\iolo\restore.bat
2010-03-11 12:38 . 2004-08-24 03:32 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2009-12-23 17:45 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2002-09-03 13:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-02-21 05:43 . 2007-09-18 03:10 -------- d-----w- c:\documents and settings\ken\Application Data\FrostWire
2010-02-21 05:38 . 2007-09-18 03:09 -------- d-----w- c:\program files\FrostWire
2010-02-18 00:55 . 2006-03-28 05:00 -------- d-----w- c:\program files\Turbine
2010-02-14 02:12 . 2005-01-18 05:49 61432 -c--a-w- c:\documents and settings\ken\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-13 00:42 . 2010-02-13 00:42 -------- d-----w- c:\program files\MSECache
2010-01-22 17:28 . 2010-01-22 17:28 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-01-07 20:21 . 2010-01-07 20:21 683 ----a-w- c:\windows\eReg.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Turbine Download Manager Tray Icon"="c:\program files\Turbine\Turbine Download Manager - Bullroarer\TurbineDownloadManagerIcon.exe" [2010-01-05 472568]
"PROMon.exe"="PROMon.exe" [2002-04-19 73728]
"nwiz"="nwiz.exe" [2007-12-05 1626112]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-09 28672]
"EPSON Stylus CX3200"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE" [2002-07-01 74752]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 18944]
"CTHelper"="CTHELPER.EXE" [2006-08-11 17920]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-04-09 2029640]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"DisallowRun"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
"1"= opera.exe
"2"= firefox.exe
"3"= chrome.exe

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 21:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Turbine\\The Lord of the Rings Online\\lotroclient.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Turbine\\The Lord of the Rings Online - Bullroarer\\lotroclient.exe"=
"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"c:\\Program Files\\Turbine\\Turbine Download Manager - Bullroarer\\TurbineMessageService.exe"=
"c:\\Program Files\\Turbine\\Turbine Download Manager - Bullroarer\\TurbineNetworkService.exe"=

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [4/9/2009 3:18 PM 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [4/9/2009 3:21 PM 94360]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [4/9/2009 3:19 PM 731840]
R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [3/14/2010 3:55 PM 665008]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [3/14/2010 3:55 PM 665008]
R2 PublicPreviewTurbineMessageService;Turbine Message Service - PublicPreview;c:\program files\Turbine\Turbine Download Manager - Bullroarer\TurbineMessageService.exe [12/9/2009 9:40 PM 271856]
R3 PublicPreviewTurbineNetworkService;Turbine Network Service - PublicPreview;c:\program files\Turbine\Turbine Download Manager - Bullroarer\TurbineNetworkService.exe [12/9/2009 9:40 PM 218608]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 gupdate1ca10b0796a5742;Google Update Service (gupdate1ca10b0796a5742);c:\program files\Google\Update\GoogleUpdate.exe [7/29/2009 6:55 PM 133104]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - NMSCFG
.
Contents of the 'Scheduled Tasks' folder

2010-04-07 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 18:20]

2010-04-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-30 00:55]

2010-04-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-30 00:55]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net?cid=103109
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {93CEA8A4-6059-4E0B-ADDD-73848153DD5E} - hxxp://support.gateway.com/eSupport/static/weblaunch/weblaunch.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://aolsvc.aol.com/onlinegames/trytwoofakind/zylomgamesplayer.cab
DPF: {E5ABEB00-B357-4884-9949-77B2C71A7EE3} - hxxp://www.intel.com/design/motherbd/boardid/BoardID.cab
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - (no file)
BHO-{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - (no file)
BHO-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
SafeBoot-klmdb.sys
AddRemove-RealArcade 1.2 - c:\program files\Real\RealArcade\Update\rnuninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-07 08:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-725345543-682003330-99065831-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(672)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2284)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\EPSON\EBAPI\eEBSVC.exe
c:\program files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\System32\NMSSvc.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PROMon.exe
c:\windows\System32\MsPMSPSv.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-04-07 08:09:58 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-07 14:09

Pre-Run: 13,486,735,360 bytes free
Post-Run: 14,057,697,280 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 71951A28B5E19B510BBD79CE2D2B8CA8
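
As an added example (not part of this thread, and not code from Kaspersky or from either poster), a small Python triage script for the TDSSKiller log format posted above: it pulls the tool's own verdict lines and also flags any driver whose IRP_MJ dispatch entries all resolve to one address, the pattern the infected atapi shows while the clean disk.sys has several distinct handlers plus the kernel's default stub. The line format it assumes ("HH:MM:SS:mmm <pid> <message>") is taken from the log above, and the embedded log is a constructed, abridged excerpt of that post.

```python
"""Triage helper for TDSSKiller 2.x text logs (added example, not the tool's code).

Two signals are read from the "Scanning Kernel memory" section:
  * the tool's own verdict line, e.g.  Driver "atapi" infected by TDSS rootkit!
  * a driver whose IRP_MJ_* dispatch entries all point at one address, which is
    how the infected atapi appears above, while the clean disk.sys shows its own
    handlers plus the kernel's default stub (804FA88E) for unsupported requests.
"""
import re

# Assumed log layout (from the posted log): "HH:MM:SS:mmm <pid> <message>", message may be empty.
LINE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s*(.*)$")
DRIVER_RE = re.compile(r"^Driver Name:\s*(\S+)$")
IRP_RE = re.compile(r"^(IRP_MJ_[A-Z_]+)\s*:\s*([0-9A-Fa-f]{8})$")
VERDICT_RE = re.compile(r'^Driver "([^"]+)" infected by (.+?)!$')

# Constructed, abridged excerpt of the log posted above (six IRP entries per driver).
SAMPLE_LOG = r"""07:34:25:781 3492 Scanning Kernel memory ...
07:34:25:781 3492 Devices to scan: 2
07:34:25:781 3492
07:34:25:781 3492 Driver Name: Disk
07:34:25:781 3492 IRP_MJ_CREATE : F765DBB0
07:34:25:781 3492 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
07:34:25:781 3492 IRP_MJ_CLOSE : F765DBB0
07:34:25:781 3492 IRP_MJ_READ : F7657D1F
07:34:25:781 3492 IRP_MJ_WRITE : F7657D1F
07:34:25:781 3492 IRP_MJ_FLUSH_BUFFERS : F76582E2
07:34:25:796 3492 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
07:34:25:796 3492
07:34:25:796 3492 Driver Name: atapi
07:34:25:796 3492 IRP_MJ_CREATE : F74C9B3A
07:34:25:796 3492 IRP_MJ_CREATE_NAMED_PIPE : F74C9B3A
07:34:25:796 3492 IRP_MJ_CLOSE : F74C9B3A
07:34:25:796 3492 IRP_MJ_READ : F74C9B3A
07:34:25:796 3492 IRP_MJ_WRITE : F74C9B3A
07:34:25:796 3492 IRP_MJ_FLUSH_BUFFERS : F74C9B3A
07:34:25:796 3492 Driver "atapi" infected by TDSS rootkit!
07:34:25:812 3492 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
"""


def parse_tdsskiller(text):
    """Return (tables, verdicts): {driver: {irp_name: addr}} and {driver: verdict text}."""
    tables, verdicts, current = {}, {}, None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a TDSSKiller log line
        msg = m.group(1).strip()
        d = DRIVER_RE.match(msg)
        if d:
            current = d.group(1)
            tables[current] = {}
            continue
        i = IRP_RE.match(msg)
        if i and current is not None:
            tables[current][i.group(1)] = i.group(2).upper()
            continue
        v = VERDICT_RE.match(msg)
        if v:
            verdicts[v.group(1)] = v.group(2)
    return tables, verdicts


def uniform_dispatch(table, min_entries=6):
    """True when every recorded IRP_MJ handler of a driver resolves to one address.

    A clean driver routes unsupported major functions to the kernel's default stub
    and the rest to its own code, so a fully uniform table deserves a closer look
    even when the tool prints no verdict for that driver.
    """
    return len(table) >= min_entries and len(set(table.values())) == 1


def triage(text):
    """Return [(driver, [reason, ...])] for every driver that raises a flag."""
    tables, verdicts = parse_tdsskiller(text)
    findings = []
    for driver, table in tables.items():
        reasons = []
        if driver in verdicts:
            reasons.append("tool verdict: " + verdicts[driver])
        if uniform_dispatch(table):
            addr = next(iter(table.values()))
            reasons.append("all %d IRP_MJ handlers resolve to %s" % (len(table), addr))
        if reasons:
            findings.append((driver, reasons))
    return findings


if __name__ == "__main__":
    for driver, reasons in triage(SAMPLE_LOG):
        print(driver)
        for reason in reasons:
            print("  - " + reason)
```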

#6 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • Gender:Not Telling

Posted 07 April 2010 - 09:50 AM

Hi puckhead,



Since the culprit is gone, we need to scan the remnants with Kas Online Scanner. It will take some time to run the full course. Please be patient and do the following:

Step1
  1. Close any open browsers
  2. Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix. Go to Here for your reference.
  3. Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text inside the code box below:
CODE
Driver::
Lbd
DDS::
uInternet Connection Wizard,ShellNext = iexplore
uURLSearchHooks: H - No File
BHO: {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - No File
BHO: 1 (0x1) - No File
BHO: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
BHO: {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - No File
TB: {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

Registry::
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"DisallowRun"=-
[-HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"


Save this as CFScript.txt, change the "Save as type" to "All Files", and place it on your desktop.



Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


Step2

Older versions of Java have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older Java components and update:
  1. Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  2. Look for "JDK 6 Update 19 (JDK or JRE)".
  3. Click the "Download JRE" button to the right.
  4. Select your Platform: "Windows".
  5. Select your Language: "Multi-language".
  6. Read the License Agreement, and then check the box that says: "Accept License Agreement".
  7. Click Continue and the page will refresh.
  8. Click on the link to download Windows Offline Installation and save the file to your desktop.
  9. Close any programs you may have running - especially your web browser.
  10. Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  11. Check (highlight) any entry with Java Runtime Environment (JRE or J2SE) in the name, including the following updates:

    J2SE Runtime Environment 5.0 Update 11
    Java™ 6 Update 17
    Java™ 6 Update 2
    Java™ 6 Update 7
    Java™ SE Runtime Environment 6 Update 1


  12. Click the Remove or Change/Remove button.
  13. Repeat as many times as necessary to remove each Java version.
  14. Reboot your computer once all Java components are removed.
  15. Then from your desktop double-click on jre-6u19-windows-i586.exe to install the newest version.
  16. After that, please clear your Java cache as instructed in this thread.


Step3

Let's clean some temp files. Please do the following:

Please download ATF Cleaner by Atribune.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.


If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.


Step4

Please perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner.
  1. Please go to Kaspersky Online Scanner and perform an online antivirus scan.
  2. Click Accept button on the "Requirements and limitations".
  3. When the Java warning "The application digital signature has been verified. Do you want to run the application" appears, click on the "Run" button.
  4. It will download and install the program and update the database.
  5. When the database update has finished, click on Settings.
  6. Make sure all boxes are checked, then click on the Save button.
  7. Click on My Computer under Scan menu. It will start scanning, so be patient and let it run.
  8. Once the scan is completed, Click on View Scan Report.
  9. You may see a list of infected items over there. Click on Save Report As.
  10. Click "Desktop", name the file "KAS", change the Files of type to Text file (.txt) and click on the Save button.
  11. Please post the contents in your next reply.
  12. You can refer to this animation

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.



Please post back the logs in your next reply.


1. ComboFix log
2. Kas Online Scan Report

Let me know if you have any remaining issues on your pc.


#7 puckhead

puckhead
  • Topic Starter

  • Members
  • 49 posts

Posted 07 April 2010 - 07:40 PM

Ok, I got that for you. It seems to be running fine, with no issues I have seen.

ComboFix 10-04-06.05 - ken 04/07/2010 11:00:19.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1594 [GMT -6:00]
Running from: c:\documents and settings\ken\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\ken\Desktop\cfscript.txt
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_LBD
-------\Service_Lbd


((((((((((((((((((((((((( Files Created from 2010-03-07 to 2010-04-07 )))))))))))))))))))))))))))))))
.

2010-03-31 00:22 . 2010-03-31 00:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-03-31 00:15 . 2010-03-31 00:15 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-03-31 00:14 . 2010-03-31 00:14 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-03-31 00:14 . 2010-03-31 00:14 -------- d-----w- c:\documents and settings\ken\Application Data\SUPERAntiSpyware.com
2010-03-31 00:14 . 2010-03-31 00:14 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-03-30 23:47 . 2010-03-30 23:47 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2010-03-30 23:42 . 2010-03-30 23:42 -------- d-----w- c:\windows\ERUNT
2010-03-30 23:38 . 2010-03-31 00:10 -------- d-----w- C:\SDFix
2010-03-29 22:02 . 2010-03-29 22:02 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2010-03-29 17:24 . 2010-03-29 17:24 -------- d-----w- c:\documents and settings\ken\Application Data\Malwarebytes
2010-03-29 17:23 . 2010-03-30 06:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 17:23 . 2010-03-30 06:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-29 17:23 . 2010-03-29 17:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-29 17:23 . 2010-03-31 02:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-22 01:21 . 2010-03-29 22:02 -------- d-----w- c:\program files\ESET
2010-03-22 00:25 . 2010-03-22 00:25 -------- d-----w- c:\documents and settings\ken\Local Settings\Application Data\Deployment
2010-03-21 23:50 . 2010-03-21 23:50 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-03-21 22:17 . 2010-03-29 22:08 -------- d-----w- c:\program files\Lavasoft
2010-03-18 00:13 . 2010-03-24 19:19 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2010-03-14 22:06 . 2010-03-14 22:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\iolo
2010-03-10 01:25 . 2010-03-10 01:25 -------- d-----w- c:\documents and settings\ken\Application Data\.BitTornado
2010-03-10 01:21 . 2010-03-10 01:21 -------- d-----w- c:\program files\BitTornado

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-07 14:42 . 2005-01-15 02:28 -------- d-----w- c:\program files\Diablo II
2010-04-07 14:26 . 2009-07-25 21:18 -------- d-----w- c:\documents and settings\All Users\Application Data\iolo
2010-04-07 13:35 . 2002-09-03 13:00 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-03-31 02:25 . 2010-03-31 02:25 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-31 00:23 . 2010-03-31 00:23 52224 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-03-31 00:23 . 2010-03-31 00:23 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-03-31 00:15 . 2010-03-31 00:15 52224 ----a-w- c:\documents and settings\ken\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-03-31 00:15 . 2010-03-31 00:15 117760 ----a-w- c:\documents and settings\ken\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-03-29 22:11 . 2007-05-26 01:14 -------- d-----w- c:\program files\MySpace
2010-03-29 22:08 . 2009-02-17 05:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-03-23 21:09 . 2005-01-15 02:34 39938 -c--a-w- c:\windows\DIIUnin.dat
2010-03-14 22:13 . 2009-07-25 21:29 1511 ----a-w- c:\documents and settings\ken\Application Data\iolo\restore.bat
2010-03-11 12:38 . 2004-08-24 03:32 832512 ------w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2009-12-23 17:45 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2002-09-03 13:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-02-21 05:43 . 2007-09-18 03:10 -------- d-----w- c:\documents and settings\ken\Application Data\FrostWire
2010-02-21 05:38 . 2007-09-18 03:09 -------- d-----w- c:\program files\FrostWire
2010-02-18 00:55 . 2006-03-28 05:00 -------- d-----w- c:\program files\Turbine
2010-02-14 02:12 . 2005-01-18 05:49 61432 -c--a-w- c:\documents and settings\ken\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-13 00:42 . 2010-02-13 00:42 -------- d-----w- c:\program files\MSECache
2010-01-22 17:28 . 2010-01-22 17:28 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-01-07 20:21 . 2010-01-07 20:21 683 ----a-w- c:\windows\eReg.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Turbine Download Manager Tray Icon"="c:\program files\Turbine\Turbine Download Manager - Bullroarer\TurbineDownloadManagerIcon.exe" [2010-01-05 472568]
"PROMon.exe"="PROMon.exe" [2002-04-19 73728]
"nwiz"="nwiz.exe" [2007-12-05 1626112]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-09 28672]
"EPSON Stylus CX3200"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE" [2002-07-01 74752]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 18944]
"CTHelper"="CTHELPER.EXE" [2006-08-11 17920]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-04-09 2029640]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 21:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Turbine\\The Lord of the Rings Online\\lotroclient.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Turbine\\The Lord of the Rings Online - Bullroarer\\lotroclient.exe"=
"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"c:\\Program Files\\Turbine\\Turbine Download Manager - Bullroarer\\TurbineMessageService.exe"=
"c:\\Program Files\\Turbine\\Turbine Download Manager - Bullroarer\\TurbineNetworkService.exe"=

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [4/9/2009 3:18 PM 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [4/9/2009 3:21 PM 94360]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [4/9/2009 3:19 PM 731840]
R2 PublicPreviewTurbineMessageService;Turbine Message Service - PublicPreview;c:\program files\Turbine\Turbine Download Manager - Bullroarer\TurbineMessageService.exe [12/9/2009 9:40 PM 271856]
R3 PublicPreviewTurbineNetworkService;Turbine Network Service - PublicPreview;c:\program files\Turbine\Turbine Download Manager - Bullroarer\TurbineNetworkService.exe [12/9/2009 9:40 PM 218608]
S2 gupdate1ca10b0796a5742;Google Update Service (gupdate1ca10b0796a5742);c:\program files\Google\Update\GoogleUpdate.exe [7/29/2009 6:55 PM 133104]
S2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe --> c:\program files\iolo\common\lib\ioloServiceManager.exe [?]
S2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe --> c:\program files\iolo\common\lib\ioloServiceManager.exe [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - NMSCFG
.
Contents of the 'Scheduled Tasks' folder

2010-04-07 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 18:20]

2010-04-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-30 00:55]

2010-04-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-30 00:55]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net?cid=103109
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {93CEA8A4-6059-4E0B-ADDD-73848153DD5E} - hxxp://support.gateway.com/eSupport/static/weblaunch/weblaunch.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://aolsvc.aol.com/onlinegames/trytwoofakind/zylomgamesplayer.cab
DPF: {E5ABEB00-B357-4884-9949-77B2C71A7EE3} - hxxp://www.intel.com/design/motherbd/boardid/BoardID.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-07 11:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-725345543-682003330-99065831-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(676)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2852)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\EPSON\EBAPI\eEBSVC.exe
c:\program files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\System32\NMSSvc.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PROMon.exe
c:\windows\System32\MsPMSPSv.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-04-07 11:19:45 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-07 17:19
ComboFix2.txt 2010-04-07 14:09

Pre-Run: 14,152,761,344 bytes free
Post-Run: 14,135,836,672 bytes free

- - End Of File - - DC3A780ACDA93F1BDEE3657A68490EB4


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, April 7, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, April 07, 2010 20:02:47
Records in database: 3918834
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Objects scanned: 76227
Threats found: 1
Infected objects found: 1
Suspicious objects found: 0
Scan duration: 01:39:32


File name / Threat / Threats count
C:\Documents and Settings\ken\Shared\Slick Rick - Rub you the right way.wma Infected: Trojan-Downloader.WMA.Wimad.y 1

Selected area has been scanned.


#8 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • Gender:Not Telling
  • Local time:10:57 PM

Posted 07 April 2010 - 09:15 PM

Hi puckhead,


QUOTE
it seems to be running fine with no issues I have seen

That sounds good. Please navigate to the following file path and delete the bolded file manually.
C:\Documents and Settings\ken\Shared\Slick Rick - Rub you the right way.wma

Other than that, your system appears clean now. If you have no remaining issues on your pc, let's do some tidying up and we can send you on your way.

Step1

Click START then RUN
Now copy/paste ComboFix /Uninstall in the runbox and click OK.
Note the space between the x and the /Uninstall, it needs to be there.



This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.


Step2

Download OTC by OldTimer and save it to your desktop.
  1. Double click OTC and let it run
  2. Then Click the Cleanup button.
  3. You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  4. Restart your computer when prompted.

Please remove all the logs and tools we have used. Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:

  1. Update your antivirus programs

    Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system. You can use one of these sites to check if any updates are needed for your pc.
    Secunia Software Inspector
    F-secure Health Check

  2. Update all programs regularly - Make sure you update all the programs regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

  3. Backup your valid registry - ERUNT (Emergency Recovery Utility NT) allows you to store a complete backup of your registry and restore it if needed. Due to malware effects, a corrupt registry can prevent a system from booting. You're well advised to back up your valid registry while the system is clean now. For more info: Here and Here.


Please check out Tony Klein's article "How did I get infected in the first place?"
Read some information Here how to prevent Malware.


Glad to be of help. Safe surfing!!


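Added example, not part of the thread and not code from ComboFix, Kaspersky or any other tool used above: a small ASF/WMA header walker that shows what a Wimad-class detection on a .wma file is usually about. The Kaspersky report flagged a media file, and a media file cannot run code by itself; the Trojan-Downloader.WMA.Wimad family works through the ASF header, where a DRM Content Encryption Object carries a license-acquisition URL (Windows Media Player opens it in a browser when the track is played) or a Script Command Object carries a command such as URLANDEXIT. The script below parses those header objects and reports them, which is a quick way to see why a "song" was flagged before deleting it as advised. The object GUIDs and field layouts are quoted from the ASF specification as I recall it (verify against the spec before relying on them), the sample files are constructed inline, and the URLs in them are placeholders.

```python
"""Triage a WMA/ASF header for DRM license URLs and script commands (added example)."""
import struct
import sys
import uuid

# Object GUIDs from the ASF specification (assumption: transcribed from the spec).
ASF_HEADER_OBJECT = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C")
ASF_FILE_PROPERTIES = uuid.UUID("8CABDCA1-A947-11CF-8EE4-00C00C205365")
ASF_CONTENT_ENCRYPTION = uuid.UUID("2211B3FB-BD23-11D2-B4B7-00A0C955FC6E")
ASF_EXT_CONTENT_ENCRYPTION = uuid.UUID("298AE614-2622-4C17-B935-DAE07EE9289C")
ASF_SCRIPT_COMMAND = uuid.UUID("1EFB1A30-0B62-11D0-A39B-00A0C90348F6")


def parse_asf_header(data: bytes):
    """Yield (guid, payload) for each object inside the top-level Header Object.
    Every size is bounds-checked so a crafted object cannot read past the buffer."""
    if len(data) < 30 or uuid.UUID(bytes_le=data[:16]) != ASF_HEADER_OBJECT:
        raise ValueError("not an ASF/WMA file")
    header_size, count = struct.unpack_from("<QI", data, 16)
    end = min(header_size, len(data))
    off = 30  # 16 GUID + 8 size + 4 object count + 2 reserved bytes
    for _ in range(count):
        if off + 24 > end:
            raise ValueError("truncated header object")
        guid = uuid.UUID(bytes_le=data[off:off + 16])
        size, = struct.unpack_from("<Q", data, off + 16)
        if size < 24 or off + size > end:
            raise ValueError("object size out of bounds")
        yield guid, data[off + 24:off + size]
        off += size


def _read_lv(buf: bytes, off: int):
    """Read a 32-bit length-prefixed field; return (bytes, next offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated field")
    n, = struct.unpack_from("<I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("field length out of bounds")
    return buf[off:off + n], off + n


def parse_content_encryption(payload: bytes) -> dict:
    """Content Encryption Object: secret data, protection type, key ID, license URL."""
    _secret, off = _read_lv(payload, 0)
    ptype, off = _read_lv(payload, off)
    key_id, off = _read_lv(payload, off)
    url, _ = _read_lv(payload, off)
    text = lambda b: b.rstrip(b"\0").decode("ascii", "replace")
    return {"protection_type": text(ptype), "key_id": text(key_id), "license_url": text(url)}


def parse_script_commands(payload: bytes) -> list:
    """Script Command Object: return (command type, argument) pairs; struct.error on truncation."""
    off = 16  # reserved GUID
    n_cmds, n_types = struct.unpack_from("<HH", payload, off)
    off += 4
    types = []
    for _ in range(n_types):
        ln, = struct.unpack_from("<H", payload, off)  # length in WCHARs
        off += 2
        types.append(payload[off:off + 2 * ln].decode("utf-16-le").rstrip("\0"))
        off += 2 * ln
    cmds = []
    for _ in range(n_cmds):
        _pres, tidx, ln = struct.unpack_from("<IHH", payload, off)
        off += 8
        name = payload[off:off + 2 * ln].decode("utf-16-le").rstrip("\0")
        off += 2 * ln
        cmds.append((types[tidx] if tidx < len(types) else "?", name))
    return cmds


def triage_wma(data: bytes) -> list:
    """Return (what, value) pairs for the header objects a Wimad-class file relies on."""
    findings = []
    for guid, payload in parse_asf_header(data):
        if guid == ASF_CONTENT_ENCRYPTION:
            findings.append(("DRM license URL", parse_content_encryption(payload)["license_url"]))
        elif guid == ASF_EXT_CONTENT_ENCRYPTION:
            findings.append(("extended DRM object", "%d bytes" % len(payload)))
        elif guid == ASF_SCRIPT_COMMAND:
            for ctype, arg in parse_script_commands(payload):
                findings.append(("script command " + ctype, arg))
    return findings


# --- constructed sample files (no real media, header only) ---------------------
def _obj(guid, payload):
    return guid.bytes_le + struct.pack("<Q", 24 + len(payload)) + payload

def _lv(b):
    return struct.pack("<I", len(b)) + b

def _wstr(s):
    b = (s + "\0").encode("utf-16-le")
    return struct.pack("<H", len(b) // 2) + b

def _header(*objects):
    body = b"".join(objects)
    return ASF_HEADER_OBJECT.bytes_le + struct.pack("<QIBB", 30 + len(body), len(objects), 1, 2) + body

def build_benign_sample() -> bytes:
    """Constructed: a header holding only a zeroed File Properties Object."""
    return _header(_obj(ASF_FILE_PROPERTIES, b"\0" * 80))

def build_wimad_style_sample(license_url: str, exit_url: str) -> bytes:
    """Constructed: DRM object pointing at license_url plus a URLANDEXIT script command."""
    ce = _lv(b"\0" * 4) + _lv(b"DRM\0") + _lv(b"KID-0001\0") + _lv(license_url.encode() + b"\0")
    sc = (b"\0" * 16 + struct.pack("<HH", 1, 1) + _wstr("URLANDEXIT")
          + struct.pack("<IH", 0, 0) + _wstr(exit_url))
    return _header(_obj(ASF_FILE_PROPERTIES, b"\0" * 80),
                   _obj(ASF_CONTENT_ENCRYPTION, ce), _obj(ASF_SCRIPT_COMMAND, sc))


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else \
        build_wimad_style_sample("http://drm.example.invalid/license.asp", "http://example.invalid/codec.exe")
    for what, value in triage_wma(data) or [("nothing suspicious in header", "")]:
        print(what, value)
```

Run it with a path to a .wma file to print any license URL or script command the header carries; with no argument it runs on the constructed sample. A DRM license URL is not malicious by itself (legitimately purchased tracks have one too), so the value to look at is where it points; a URL that is not the store you bought from, or any URLANDEXIT command in an audio file, is the signature the scanner reacted to. This only inspects the header and does not replace the antivirus verdict.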

#9 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • Gender:Not Telling
  • Local time:10:57 PM

Posted 13 April 2010 - 06:35 PM

Since this issue appears resolved ... this Topic is closed.

Glad to have helped.

Everyone else please begin a New Topic.



