TDSS: Still infected


8 replies to this topic

#1 jesop

jesop

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:08:10 AM

Posted 27 April 2010 - 11:35 AM

Sorry I didn't follow instructions properly before. Here's the current status of my situation: I ran TDSSKiller which reported that atapi.sys was infected. I replaced it a number of times from the recovery console, but TDSSKiller kept reporting that it was infected after reboot. I ran MBAM a number of times, each time it found something new and claimed to deal with it. I also ran Norton Security Suite a few times and it also removed some stuff. None of these seemed to do the trick, I got desperate, and I ran ComboFix.exe (I know I broke the rules...). The infection does seem to be gone, the redirects have stopped, I'm not seeing anything strange when I run netstat ("netstat -r 5"), but I still want to be 100% sure.

TDSSKiller no longer reports any problems, and I've run a full scan with MBAM (updated at midnight last night) and it found nothing as well.

GMER has been running for literally hours, but here's what it says so far:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-27 09:32:13
Windows 5.1.2600 Service Pack 3
Running: u78819fr.exe; Driver: C:\DOCUME~1\seth\LOCALS~1\Temp\fxtdqpoc.sys


---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB92AB360, 0x36E81D, 0xE8000020]

---- Devices - GMER 1.0.15 ----

Device \Driver\BTHUSB \Device\0000009e bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device \Driver\BTHUSB \Device\0000009e bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device \Driver\BTHUSB \Device\000000a0 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device \Driver\BTHUSB \Device\000000a0 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\001c26f55465 (not active ControlSet)
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001c26f55465
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001c26f55465 (not active ControlSet)

And here's the DDS report:


DDS (Ver_10-03-17.01) - NTFSx86
Run by seth at 8:20:55.00 on Tue 04/27/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_10
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1501 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
c:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\SigmaTel\C-Major Audio\DellXPM_5515v131\WDM\STacSV.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Citrix\ICA Client\concentr.exe
C:\PROGRAM FILES\DNA\BTDNA.EXE
C:\Program Files\Citrix\ICA Client\wfcrun32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Launchy\Launchy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\seth\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
mWinlogon: Userinit=c:\windows\system32\Userinit.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Aptana Debugger: {b8add4ea-ade3-4deb-a957-9bbd17d6d0c8} - c:\documents and settings\seth\my documents\work\teaching\bcc - cityofseattle javascript class\aptana\.metadata\.plugins\com.aptana.ide.debug.core\.dll\AptanaDebugger.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Aptana Debugger: {f348e1b0-cbfe-47c3-81b4-9f44b3b5a618} - c:\documents and settings\seth\my documents\work\teaching\bcc - cityofseattle javascript class\aptana\.metadata\.plugins\com.aptana.ide.debug.core\.dll\AptanaDebugger.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
EB: Google Side Bar: {32004b8a-44a9-43e7-84e9-808838809519} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MoeMonitor.exe] "c:\documents and settings\seth\local settings\application data\microsoft\live mesh\bin\servicing\0.9.4014.7\MoeMonitor.exe"
uRun: [BitTorrent DNA] "c:\program files\dna\BTDNA.EXE"
uRun: [Google Update] "c:\documents and settings\seth\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\launchy.lnk - c:\program files\launchy\Launchy.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
Trusted Zone: aol.com\free
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1214597209500
DPF: {74F4F118-91E6-4AFC-B8D2-04066781F239} - hxxps://webdeposit.ensenta.com/eztwainx.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\intuit\quickbooks 2010\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: wlcrdplauncher - c:\program files\live mesh\remote desktop\wlcrdplauncher.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\seth\applic~1\mozilla\firefox\profiles\wl7bbodm.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - component: c:\documents and settings\seth\application data\mozilla\firefox\profiles\wl7bbodm.default\extensions\{3b56bcc7-54e5-44a2-9b44-66c3ef58c13e}\components\nstidy.dll
FF - component: c:\program files\google\google gears\firefox\lib\ff35\gears.dll
FF - plugin: c:\documents and settings\seth\application data\move networks\plugins\npqmp071505000011.dll
FF - plugin: c:\documents and settings\seth\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\seth\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa2.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - plugin: c:\windows\system32\npmirage.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2009-9-8 65584]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [2009-8-27 115856]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [2009-8-27 41424]
R2 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2009-9-20 12672]
R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2009-12-8 37296]
R3 RDPDISPM;RDPDISPM;c:\windows\system32\drivers\rdpdispm.sys [2008-10-30 9040]
R3 RDPVDD;RDPVDD;c:\windows\system32\drivers\rdpvmp.sys [2008-10-30 19408]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [2009-8-27 91472]
R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [2009-8-5 99472]
S0 dxheufun;dxheufun;c:\windows\system32\drivers\nqututsi.sys --> c:\windows\system32\drivers\nqututsi.sys [?]
S0 fboopctu;fboopctu; [x]
S1 aswSP;avast! Self Protection; [x]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswfsblk.sys --> c:\windows\system32\drivers\aswFsBlk.sys [?]
S2 gupdate1c908e5c3f3e4e6;Google Update Service (gupdate1c908e5c3f3e4e6);c:\program files\google\update\GoogleUpdate.exe [2008-8-28 133104]
S3 Apache2.2;Apache2.2;c:\apache\bin\httpd.exe [2008-1-18 24635]
S3 diskchk;diskchk;\??\c:\windows\system32\diskchk.sys --> c:\windows\system32\diskchk.sys [?]
S3 tap0801co;TAP-Win32 Adapter V8 (coLinux);c:\windows\system32\drivers\tap0801co.sys [2009-8-27 25856]
S3 VBoxUSB;VirtualBox USB;c:\windows\system32\drivers\VBoxUSB.sys [2009-8-27 32016]
S3 wlcrasvc;Live Mesh Remote Desktop;c:\program files\live mesh\remote desktop\wlcrasvc.exe [2009-10-21 44880]

=============== Created Last 30 ================

2010-04-27 15:20:01 0 ----a-w- c:\documents and settings\seth\defogger_reenable
2010-04-27 02:01:34 0 d-----w- c:\docume~1\seth\applic~1\Tific
2010-04-27 01:42:32 0 d-sha-r- C:\cmdcons
2010-04-27 01:39:05 98816 ----a-w- c:\windows\sed.exe
2010-04-27 01:39:05 77312 ----a-w- c:\windows\MBR.exe
2010-04-27 01:39:05 261632 ----a-w- c:\windows\PEV.exe
2010-04-27 01:39:05 161792 ----a-w- c:\windows\SWREG.exe
2010-04-27 01:12:18 362 ----a-w- c:\windows\Shortcut to WINDOWS.lnk
2010-04-26 20:19:43 0 d-----w- C:\flooper
2010-04-26 17:56:36 86912 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-26 17:55:47 86912 ----a-w- c:\windows\system32\drivers\atapi.oldbleep
2010-04-26 16:34:47 328752 ----a-r- c:\windows\system32\drivers\symds.sys
2010-04-26 16:34:47 172592 ----a-r- c:\windows\system32\drivers\symefa.sys
2010-04-26 16:22:14 0 d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller
2010-04-26 16:19:36 0 d-----w- c:\docume~1\alluse~1\applic~1\Norton
2010-04-26 07:58:10 0 d-----w- c:\docume~1\seth\applic~1\Panda Security
2010-04-26 07:57:36 0 d-----w- c:\program files\Panda Security
2010-04-26 03:44:19 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-04-26 00:37:10 36 ----a-w- c:\program files\skynet.dat
2010-04-26 00:36:46 93184 --sha-r- c:\windows\system32\xmirage9.dll
2010-04-22 21:18:19 0 d-----w- c:\docume~1\seth\applic~1\Dropbox
2010-04-21 11:55:32 299008 ----a-w- c:\windows\system32\xbaqsloy.dll
2010-04-09 18:25:11 10726 ----a-w- c:\documents and settings\seth\.recently-used.xbel
2010-04-09 18:24:40 0 d-----w- c:\documents and settings\seth\.camel_certs
2010-04-09 18:05:17 0 d-----w- c:\documents and settings\seth\.evolution
2010-04-09 18:05:15 0 d-----w- c:\documents and settings\seth\.gconfd
2010-04-09 18:05:15 0 d-----w- c:\documents and settings\seth\.gconf
2010-04-09 18:05:14 0 d-----w- c:\documents and settings\seth\.gnome2_private
2010-04-09 18:05:14 0 d-----w- c:\documents and settings\seth\.gnome2
2010-04-01 23:58:43 7804 ----a-w- c:\windows\system32\d3d9caps.dat

==================== Find3M ====================

2010-04-27 02:49:26 222352 ----a-w- c:\windows\system32\nvModes.dat
2010-03-31 17:27:10 89 ----a-w- c:\program files\putty.log
2010-03-30 07:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 07:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-19 00:46:36 224 ----a-w- c:\docume~1\seth\applic~1\MapReverseConverter.dat
2010-03-18 17:46:49 67252 ---ha-w- c:\windows\system32\mlfcache.dat
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-19 23:47:50 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2009-07-01 19:19:40 172032 ----a-w- c:\program files\puttygen.exe
2009-05-28 03:04:54 282624 ----a-w- c:\program files\plink.exe
2008-04-15 18:48:45 454656 ----a-w- c:\program files\putty.exe
2007-02-18 21:14:40 101716 ----a-w- c:\program files\md5.exe
2008-05-18 19:25:22 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051820080519\index.dat

============= FINISH: 8:21:26.67 ===============



And finally the Attach.txt:

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 4/12/2008 5:13:07 PM
System Uptime: 4/27/2010 8:11:35 AM (0 hours ago)

Motherboard: Dell Inc. | | 0JX269
Processor: Intel® Core™2 Duo CPU T7300 @ 2.00GHz | Microprocessor | 1994/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 90 GiB total, 30.492 GiB free.
D: is CDROM ()
E: is FIXED (NTFS) - 51 GiB total, 4.964 GiB free.

==== Disabled Device Manager Items =============

Class GUID:
Description: Modem Device on High Definition Audio Bus
Device ID: HDAUDIO\FUNC_02&VEN_14F1&DEV_2C06&SUBSYS_14F1000F&REV_1000\4&220DA15F&0&0102
Manufacturer:
Name: Modem Device on High Definition Audio Bus
PNP Device ID: HDAUDIO\FUNC_02&VEN_14F1&DEV_2C06&SUBSYS_14F1000F&REV_1000\4&220DA15F&0&0102
Service:

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Broadcom NetLink ™ Fast Ethernet
Device ID: PCI\VEN_14E4&DEV_1713&SUBSYS_01F31028&REV_02\4&1E93A591&0&00E5
Manufacturer: Broadcom
Name: Broadcom NetLink ™ Fast Ethernet
PNP Device ID: PCI\VEN_14E4&DEV_1713&SUBSYS_01F31028&REV_02\4&1E93A591&0&00E5
Service: b57w2k

==== System Restore Points ===================

RP1: 4/26/2010 6:50:20 PM - System Checkpoint

==== Installed Programs ======================

µTorrent
32 Bit HP CIO Components Installer
7-Zip 4.57
AAC Decoder
ABBYY FineReader 6.0 Sprint
AC3Filter (remove only)
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Audition 3.0
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Default Language CS3
Adobe Device Central CS3
Adobe Dreamweaver CS3
Adobe ExtendScript Toolkit 2
Adobe Extension Manager CS3
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Help Viewer CS3
Adobe PDF Library Files
Adobe Reader 9.3.2
Adobe Setup
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Advertising Center
AFPL Ghostscript 8.53
AFPL Ghostscript Fonts
AIO_Scan
AllNetic Working Time Tracker
Any Video Converter 3.0.1
Apache HTTP Server 2.2.8
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Aptana Studio 1.5
Aptana Studio 2.0
Ashampoo Burning Studio 6 FREE
Aspell English Dictionary-0.50-2
AutoUpdate
Bitvise Tunnelier 4.29 (remove only)
Bonjour
Bonjour Core for Windows
Broadcom Gigabit Integrated Controller
BufferChm
C4200
C4200_doccd
c4200_Help
Catan (remove only)
CDDRV_Installer
Citrix online plug-in - web
Citrix online plug-in (DV)
Citrix online plug-in (HDX)
Citrix online plug-in (USB)
Citrix online plug-in (Web)
Compatibility Pack for the 2007 Office system
Copy
CPUID CPU-Z 1.53.1
Critical Update for Windows Media Player 11 (KB959772)
Dead Space™
Destination Component
DeviceDiscovery
DeviceManagementQFolder
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Version Checker
DivX Web Player
DNA
DocProc
DocProcQFolder
DolbyFiles
Dropbox
EPSON Printer Software
EPSON Scan
eSupportQFolder
FeedDemon
Firewall Builder 3.0
Free SMTP Server
Garmin Communicator Plugin
Garmin USB Drivers
GIMP 2.4.5
GmoteServer
GNU Aspell 0.50-3
Google Gears
Google Talk Plugin
Google Toolbar for Internet Explorer
Google Update Helper
Google Updater
Goombah Partner COM Server
GTK+ Runtime 2.14.7 rev a (remove only)
H.264 Decoder
High Definition Audio Driver Package - KB835221
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB942288-v3)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
HP Imaging Device Functions 9.0
HP OCR Software 9.0
HP Photosmart All-In-One Software 9.0
HP Photosmart Essential 2.01
HP Photosmart Essential2.01
HP Solution Center 9.0
HP USB Disk Storage Format Tool
HPProductAssistant
ImagXpress
Inkscape 0.46
iTunes
J2SE Runtime Environment 5.0 Update 2
Java DB 10.3.1.4
Java™ 6 Update 10
Java™ 6 Update 4
Java™ 6 Update 5
Java™ 6 Update 7
Java™ SE Development Kit 6 Update 7
jEdit 4.3pre16
KhalInstallWrapper
Launchy 2.1.2
Live Mesh
Logitech Registration
Logitech SetPoint
Malwarebytes' Anti-Malware
Menu Templates - Starter Kit
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Device Emulator version 1.0 - ENU
Microsoft Document Explorer 2005
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office 2003 Primary Interop Assemblies
Microsoft Office Professional Edition 2003
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Visual Web Developer 2007
Microsoft Office Visual Web Developer MUI (English) 2007
Microsoft Silverlight
Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
Microsoft SQL Server 2005 Tools Express Edition
Microsoft User-Mode Driver Framework Feature Pack 1.7
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual Studio 2005 Tools for Office Runtime
MKV Splitter
MobilePre
Move Media Player
Movie Templates - Starter Kit
MozBackup 1.4.9
Mozilla Firefox (3.5.9)
Mozilla Thunderbird (2.0.0.24)
Mp3tag v2.43
MPEG2 Codec(libmpeg2/mad)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser (KB933579)
MySQL Server 5.0
Nero BurnRights
Nero ControlCenter
Nero CoverDesigner
Nero DiscSpeed
Nero DriveSpeed
Nero InfoTool
Nero Installer
Nero Live
Nero PhotoSnap
Nero Recode
Nero Rescue Agent
Nero ShowTime
Nero StartSmart
Nero Vision
Nero WaveEditor
NeroExpress
NeroLiveGadget
neroxml
Notepad++
NVIDIA Drivers
OGA Notifier 2.0.0048.0
OpenOffice.org 3.1
Opera 9.62
PartitionMagic
Password Safe
Pawn 3
Picasa 3
Pidgin
Pod to PC 2.6
PowerISO
PowerQuest PartitionMagic 8.0
PrimoPDF
Project64 1.6
PS_AIO_ProductContext
PS_AIO_Software
PS_AIO_Software_min
PSSWCORE
QuickBooks
QuickBooks Pro 2010
QuickTime
Revo Uninstaller 1.87
Safari
Scan
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980232)
SigmaTel Audio
Skype™ 3.8
SolutionCenter
SoulSeek 157 NS 13
SoundTrax
SQL Server System CLR Types
Status
Sun xVM VirtualBox
SyncBack
TBS WMP Plug-in
Toolbox
TortoiseSVN 1.6.3.16613 (32 bit)
TrayApp
UnloadSupport
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB968220)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VC80CRTRedist - 8.0.50727.4053
VideoToolkit01
WebFldrs XP
WebReg
Windows Driver Package - Garmin (grmnusb) GARMIN Devices (06/03/2009 2.3.0.0)
Windows Driver Package - Ricoh Company (rimsptsk) hdc (11/14/2006 6.00.01.04)
Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows XP Service Pack 3
WinSCP 4.1.6
Xvid 1.1.3 final uninstall

==== Event Viewer Messages From Past Week ========

4/26/2010 7:32:56 PM, error: Service Control Manager [7034] - The Norton Security Suite service terminated unexpectedly. It has done this 3 time(s).
4/26/2010 7:30:41 PM, error: Service Control Manager [7031] - The Norton Security Suite service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
4/26/2010 7:13:54 PM, error: Service Control Manager [7031] - The Norton Security Suite service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
4/26/2010 6:51:17 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 aswSP aswTdi BHDrvx86 ccHP SymDS SymEFA SymIRON
4/26/2010 6:39:03 PM, error: SRService [104] - The System Restore initialization process failed.
4/26/2010 6:39:03 PM, error: Service Control Manager [7023] - The System Restore Service service terminated with the following error: The system cannot find the file specified.
4/26/2010 6:37:59 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
4/26/2010 6:24:36 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 aswSP aswTdi BHDrvx86 ccHP ctxusbm eeCtrl Fips intelppm SCDEmu SRTSPX StarOpen SymIRON SYMTDI VBoxDrv VBoxUSBMon
4/25/2010 8:29:34 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 AFD aswSP aswTdi ctxusbm Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SCDEmu StarOpen Tcpip VBoxDrv VBoxUSBMon
4/25/2010 8:29:34 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
4/25/2010 8:29:34 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
4/25/2010 8:29:34 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
4/25/2010 8:14:14 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 aswSP aswTdi
4/25/2010 8:05:23 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 aswSP aswTdi ctxusbm Fips iaStor intelppm ohci1394 SCDEmu StarOpen VBoxDrv VBoxUSBMon
4/25/2010 8:04:29 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
4/25/2010 7:53:28 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 aswSP aswTdi iaStor
4/25/2010 7:53:28 PM, error: Service Control Manager [7000] - The avast! Standard Shield Support service failed to start due to the following error: The system cannot find the file specified.
4/25/2010 7:53:28 PM, error: Service Control Manager [7000] - The aswFsBlk service failed to start due to the following error: The system cannot find the file specified.
4/25/2010 7:52:08 PM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
4/25/2010 7:52:08 PM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
4/25/2010 5:53:12 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
4/25/2010 5:42:34 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 aswSP aswTdi ctxusbm Fips intelppm SCDEmu StarOpen VBoxDrv VBoxUSBMon
4/25/2010 5:36:57 PM, error: Service Control Manager [7000] - The avast! Asynchronous Virus Monitor service failed to start due to the following error: A device attached to the system is not functioning.
4/25/2010 11:56:39 AM, error: BTHUSB [17] - The local Bluetooth radio has failed in an undetermined manner and will be unloaded.
4/24/2010 4:00:55 PM, error: Dhcp [1002] - The IP address lease 192.168.2.100 for the Network Card with network address 0013E88D7B89 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
4/24/2010 11:08:08 AM, error: Dhcp [1002] - The IP address lease 192.168.1.101 for the Network Card with network address 0013E88D7B89 has been denied by the DHCP server 192.168.2.254 (The DHCP Server sent a DHCPNACK message).

==== End Of File ===========================




#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:03:10 PM

Posted 01 May 2010 - 07:24 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 jesop

jesop
  • Topic Starter

  • Members
  • 7 posts
  • Local time:08:10 AM

Posted 02 May 2010 - 12:50 PM

I am here.

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:03:10 PM

Posted 02 May 2010 - 12:59 PM

If you haven't uninstalled Combofix, can you fetch me the log?

Please go to Start >Run > and copy/paste the following, then press Enter

C:\QooBox\ComboFix-quarantined-files.txt

A log file should open. Please post that in your next reply.

#5 jesop

jesop
  • Topic Starter

  • Members
  • 7 posts
  • Local time:08:10 AM

Posted 02 May 2010 - 01:27 PM

2010-04-27 02:13:59 . 2010-04-27 02:13:59 249 ----a-w- C:\Qoobox\Quarantine\Registry_backups\ActiveSetup-{278356AC-8907-43AC-B9AE-F9544F1CAAFA}.reg.dat
2010-04-27 02:13:53 . 2010-04-27 02:13:53 546 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SafeBoot-klmdb.sys.reg.dat
2010-04-27 02:13:32 . 2010-04-27 02:13:32 173 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Toolbar-Locked.reg.dat
2010-04-27 02:01:12 . 2010-04-27 02:01:12 812 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_IAS.reg.dat
2010-04-27 02:01:12 . 2010-04-27 02:01:12 774 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_6TO4.reg.dat
2010-04-27 02:00:49 . 2010-04-27 02:00:49 14,029 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2010-04-27 01:50:13 . 2010-04-27 01:50:13 208,896 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\LocalService\Local Settings\Application Data\ave.exe.vir
2010-04-27 01:38:51 . 2010-04-27 01:50:25 102 ----a-w- C:\Qoobox\Quarantine\catchme.log
2010-04-26 00:36:53 . 2010-04-26 00:36:53 28,842 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\seth\Application Data\EF21FCF0C29E0DF266F2CDD96BE579AD\enemies-names.txt.vir
2010-04-21 11:55:04 . 2010-04-21 11:55:04 319,488 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\zugmxbpu.dll.vir
2010-04-15 10:58:44 . 2010-04-15 10:58:44 384,512 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\tcrdmwlvrblfkg.dll.vir
2010-01-03 19:23:11 . 2010-01-03 19:23:11 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\tevenos.dll.vir
2002-08-29 12:00:00 . 2008-04-14 07:10:48 36,352 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\disk.sys.vir
1999-12-10 03:19:48 . 1999-12-10 03:19:48 147,456 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\Zip32.dll.vir


#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:03:10 PM

Posted 02 May 2010 - 02:49 PM

The second to last entry was the TDSS rootkit-infected file.

Let's take a quick look at an online scanner result

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
NOTE: If no malware is found there will be no option to export the text file as no log will be produced. Let me know if this is the case.
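The ComboFix quarantine listing above has one fixed shape per line. The following is an added example, not code from ComboFix or from anyone in this thread: it parses that format and flags entries whose original location was the kernel driver directory, which is how the infected disk.sys stands out in the list. The sample lines are constructed from the format shown.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed sample in the ComboFix quarantine listing format:
# "<created> . <modified> <size> <attrs> <quarantine path>"
SAMPLE_LISTING = r"""
2010-04-27 02:00:49 . 2010-04-27 02:00:49 14,029 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2010-04-27 01:50:13 . 2010-04-27 01:50:13 208,896 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\LocalService\Local Settings\Application Data\ave.exe.vir
2010-04-21 11:55:04 . 2010-04-21 11:55:04 319,488 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\zugmxbpu.dll.vir
2002-08-29 12:00:00 . 2008-04-14 07:10:48 36,352 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\disk.sys.vir
"""

QUARANTINE_ROOT = "C:\\Qoobox\\Quarantine\\C\\"   # prefix for files taken from drive C:
TIME_FMT = "%Y-%m-%d %H:%M:%S"
LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \. "   # creation time
    r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "        # last-write time
    r"([\d,]+) (\S+) (.+)$"                     # size, attribute flags, path (may contain spaces)
)

@dataclass
class Entry:
    created: datetime
    modified: datetime
    size: int
    attrs: str
    original_path: Optional[str]   # where the file lived before quarantine; None if not a .vir file
    kind: str                      # "driver", "file", "registry" or "other"

def parse_listing(text: str) -> List[Entry]:
    """Parse a ComboFix-quarantined-files listing into Entry records, skipping non-entry lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        created, modified, size, attrs, qpath = m.groups()
        original, kind = None, "other"
        if qpath.lower().startswith(QUARANTINE_ROOT.lower()) and qpath.lower().endswith(".vir"):
            # Drop the quarantine prefix and the .vir suffix to recover the original path.
            original = "C:\\" + qpath[len(QUARANTINE_ROOT):-len(".vir")]
            kind = "driver" if "\\system32\\drivers\\" in original.lower() else "file"
        elif qpath.lower().endswith((".reg", ".reg.dat")):
            kind = "registry"
        entries.append(Entry(datetime.strptime(created, TIME_FMT), datetime.strptime(modified, TIME_FMT),
                             int(size.replace(",", "")), attrs, original, kind))
    return entries

def quarantined_drivers(text: str) -> List[str]:
    """Original paths of quarantined kernel-mode drivers, the files a TDSS-style infection patches in place."""
    return [e.original_path for e in parse_listing(text) if e.kind == "driver"]
```

Note that the quarantined disk.sys keeps a 2008-04-14 last-write time, the same date as the other XP SP3 system files, so the timestamps in the listing do not single it out; only its location and the scanner's verdict do.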

#7 jesop

jesop
  • Topic Starter

  • Members
  • 7 posts
  • Local time:08:10 AM

Posted 02 May 2010 - 11:40 PM

C:\Qoobox\Quarantine\C\WINDOWS\system32\zugmxbpu.dll.vir Win32/Lifze.D trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{8BD81EB2-21F3-43E2-8106-C88727393654}\RP1\A0000065.dll Win32/Lifze.D trojan cleaned by deleting - quarantined


#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:03:10 PM

Posted 03 May 2010 - 04:05 AM

That's the last scan. Good news, jesop...


You're clean. Good stuff!

Let's do some clearing up


Old versions of Java are big doors to malware. JavaRa removes them and updates your version to the most current.

Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

    Please make sure you turn on the Java Automatic Update Feature

    Then you will not have to remember to update it when Java introduces a new version.
    Java is updated very frequently, and the old versions are malware magnets.

    Note: This feature is available only on Windows XP, 2003, 2000 (SP2 or higher) and set by default for these operating systems.

Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
    (For Vista/Windows 7 please click Start -> All Programs -> Accessories -> Run)
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between "Combofix" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything associated with it.


Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big button.
  • You will get a prompt saying "Being Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
------------------------------------------------------------------------------------------------------------------------

Here's some advice on how you can keep your PC clean


Update your AntiVirus Software

It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version or the Pro version for a 15 day trial period.

Installing this or another recommended program will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would with antivirus software.


Finally, here's a treasure trove of antivirus, antimalware and antispyware resources


That's it, happy surfing!

Cheers.

m0le

#9 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:03:10 PM

Posted 07 May 2010 - 06:19 PM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.