Mkolea.exe Virus/Trojan on Computer


This topic is locked
27 replies to this topic

#1 AzuraFrost

Posted 30 April 2010 - 12:04 PM

Hello! So I've got a nasty little bug on my computer. Comodo Security scans this program called Mkolea.exe on my computer. Avira comes up clean, so I'm not sure what to do or if it really is a virus.

Here is my DDS:


DDS (Ver_10-03-17.01) - NTFSx86 MINIMAL
Run by Sakunade at 16:53:03.25 on Fri 04/30/2010
Internet Explorer: 8.0.6001.18904 BrowserJavaVersion: 1.6.0_17
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3002.2567 [GMT -4:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\Explorer.EXE
C:\Users\Sakunade\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0541.0\msneshellx.dll
TB: Microsoft Live Search Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0541.0\msneshellx.dll
TB: HopSurf toolbar: {e9fab13d-4600-49e1-90d1-ee961c859d39} - c:\program files\comodo\hopsurftoolbar\HopSurfToolbar_IE.dll
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [UpdatePSTShortCut] "c:\program files\cyberlink\dvd suite\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\dvd suite" updatewithcreateonce "software\cyberlink\PowerStarter"
mRun: [UCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" updatewithcreateonce "software\cyberlink\youcam\2.0"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [UpdateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"
mRun: [UpdatePDIRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\7.0"
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [combofix] "c:\combofix\cf7380.cfxxe" /c "c:\combofix\C.bat"
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {ED98F8D1-09AC-4107-B2FF-91DBE011B0C5} - {6BBCFF8E-D837-4DA4-9141-1F645B34A179} - c:\program files\comodo\hopsurftoolbar\HopSurfToolbar_IE.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Notify: igfxcui - igfxdev.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\users\sakunade\appdata\roaming\mozilla\firefox\profiles\r8ad6qd4.default\
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - component: c:\program files\comodo\hopsurftoolbar\hopsurfext_ff3_5\components\hopsurf.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - plugin: c:\users\sakunade\appdata\roaming\mozilla\firefox\profiles\r8ad6qd4.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\drivers\cmderd.sys [2010-4-9 16744]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [2009-11-3 27632]
S1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-6-11 11608]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2010-4-9 218560]
S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2010-4-9 30112]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-6-11 108289]
S2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-6-11 185089]
S2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-6-11 56816]
S2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\sminst\BLService.exe [2008-10-23 365952]
S3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2008-10-23 193840]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2009-4-6 13224]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-6-29 112128]
S3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\drivers\s0016bus.sys [2009-11-3 89256]
S3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\drivers\s0016mdfl.sys [2009-11-3 15016]
S3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\drivers\s0016mdm.sys [2009-11-3 120744]
S3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0016mgmt.sys [2009-11-3 114216]
S3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\system32\drivers\s0016nd5.sys [2009-11-3 25512]
S3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\system32\drivers\s0016obex.sys [2009-11-3 110632]
S3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\system32\drivers\s0016unic.sys [2009-11-3 115752]

=============== Created Last 30 ================

2010-04-30 19:28:20 41000 ----a-w- c:\users\sakunade\2470797.jpg
2010-04-30 19:27:32 38137 ----a-w- c:\users\sakunade\2483089.jpg
2010-04-30 19:27:04 69093 ----a-w- c:\users\sakunade\2483115.jpg
2010-04-30 19:26:19 97415 ----a-w- c:\users\sakunade\2483085.jpg
2010-04-30 19:26:03 45147 ----a-w- c:\users\sakunade\2483086.jpg
2010-04-30 19:25:35 52817 ----a-w- c:\users\sakunade\2483088.jpg
2010-04-30 19:24:57 95523 ----a-w- c:\users\sakunade\2483087.jpg
2010-04-30 19:24:15 114698 ----a-w- c:\users\sakunade\2512451.jpg
2010-04-30 16:16:25 0 d-s---w- C:\ComboFix
2010-04-30 04:02:34 0 d--h--w- C:\VritualRoot
2010-04-30 04:01:30 1474832 ----a-w- c:\windows\system32\drivers\sfi.dat
2010-04-30 03:46:43 0 d-----w- c:\programdata\Comodo
2010-04-30 03:02:33 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2010-04-30 02:27:07 467747 ----a-w- c:\users\sakunade\whitequeen4.jpg
2010-04-30 02:25:20 1249657 ----a-w- c:\users\sakunade\whitequeennew3b.jpg
2010-04-30 02:24:31 374945 ----a-w- c:\users\sakunade\poster.jpg
2010-04-30 00:05:15 0 d-----w- c:\users\sakunade\appdata\roaming\Comodo
2010-04-30 00:05:15 0 d-----w- c:\program files\Comodo
2010-04-30 00:03:42 0 d-----w- c:\programdata\Comodo Downloader
2010-04-29 23:34:49 0 d-----w- c:\users\sakunade\appdata\roaming\Malwarebytes
2010-04-29 23:34:11 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 23:34:09 0 d-----w- c:\programdata\Malwarebytes
2010-04-29 23:34:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-29 23:34:08 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-29 23:25:47 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-04-29 19:32:18 0 d-----w- C:\$RECYCLE.BIN
2010-04-29 16:05:36 0 d-----w- c:\program files\Trend Micro
2010-04-29 08:36:48 261867574 ----a-w- c:\windows\MEMORY.DMP
2010-04-29 08:30:49 77312 ----a-w- c:\windows\MBR.exe
2010-04-29 08:30:48 98816 ----a-w- c:\windows\sed.exe
2010-04-29 08:30:48 256512 ----a-w- c:\windows\PEV.exe
2010-04-29 08:30:48 161792 ----a-w- c:\windows\SWREG.exe
2010-04-29 07:54:13 0 d-----w- c:\program files\SpywareBlaster
2010-04-29 03:02:07 0 --shatr- c:\windows\wininit.ini
2010-04-25 05:00:03 225474 ----a-w- c:\users\sakunade\bwing11.jpg
2010-04-25 04:58:28 31774 ----a-w- c:\users\sakunade\photo_lrg.jpg
2010-04-23 23:32:55 3236878 ----a-w- c:\users\sakunade\Tutorial__Cosplay_Jewel_Making_by_vintage_aerith.jpg
2010-04-23 21:34:37 238562 ----a-w- c:\users\sakunade\1272053888944.jpg
2010-04-14 03:33:39 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-14 03:33:39 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-14 03:33:39 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-14 03:33:36 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-14 03:33:36 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-14 03:33:26 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-04-14 03:27:29 62464 ----a-w- c:\windows\system32\l3codeca.acm
2010-04-14 03:27:29 220672 ----a-w- c:\windows\system32\l3codecp.acm
2010-04-14 03:27:26 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-14 03:27:26 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-14 03:27:26 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-14 03:20:46 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-14 03:20:44 98304 ----a-w- c:\windows\system32\cabview.dll
2010-04-09 05:26:12 277240 ----a-w- c:\windows\system32\guard32.dll
2010-04-09 05:25:30 30112 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2010-04-09 05:25:28 218560 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2010-04-09 05:25:28 16744 ----a-w- c:\windows\system32\drivers\cmderd.sys
2010-04-06 14:23:35 65536 ----a-w- c:\windows\IFinst27.exe

==================== Find3M ====================

2010-04-30 03:01:10 51200 ----a-w- c:\windows\inf\infpub.dat
2010-04-30 03:01:10 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-04-30 03:01:06 143360 ----a-w- c:\windows\inf\infstor.dat
2010-04-28 17:29:13 3162 ----a-w- c:\users\sakunade\appdata\roaming\wklnhst.dat
2010-02-24 14:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-23 06:39:13 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33:45 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33:45 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55:36 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-20 23:06:41 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05:14 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-04 23:27:22 572 ----a-w- c:\program files\Blaze Media Pro - Shortcut.lnk
2009-11-18 02:05:29 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-10-15 08:06:59 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-07-01 04:29:37 16384 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\feeds cache\index.dat
2009-06-11 04:20:32 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009061120090612\index.dat
2009-07-01 04:29:37 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009070120090702\index.dat
2009-07-08 04:47:47 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009070820090709\index.dat
2009-07-29 18:00:35 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009072920090730\index.dat
2009-09-25 18:22:57 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009092520090926\index.dat
2010-01-30 04:46:41 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012010012920100130\index.dat
2008-10-23 10:05:14 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 16:55:06.94 ===============

Going back, there were some problems getting those files in normal Windows.

When I run DDS, an alert comes up from Comodo saying that it is an executable file evp.exe and it's listed as TrojWare.Win32.Agent~JJG@91800696.

That takes me into Gmer. It stops working on a section called \Devices\HardDiskVolumeShadowCopy 1. When I try to restart the program, it blue screens and gives this error code:

Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.0.6002.2.2.0.768.3
Locale ID: 1033

Additional information about the problem:
BCCode: 1000008e
BCP1: C0000005
BCP2: 8225DD95
BCP3: B04B1A54
BCP4: 00000000
OS Version: 6_0_6002
Service Pack: 2_0
Product: 768_1

Files that help describe the problem:
C:\Windows\Minidump\Mini043010-02.dmp
C:\Users\Sakunade\AppData\Local\temp\WER-48875-0.sysdata.xml
C:\Users\Sakunade\AppData\Local\temp\WERCDD9.tmp.version.txt

I was able to get the log by going into Safe Mode; I've attached the log.

Other programs I have on my computer are: Avira, MalwareBytes, SpywareBlaster and Spybot. Any help would be appreciated. The system for the most part is running fine. Just want to fight this before it gets worse.

Edit: I also included logs for Hijack This and MalwareBytes.


Edited by AzuraFrost, 30 April 2010 - 05:23 PM.



#2 K27

Posted 02 May 2010 - 10:03 AM

Hi

Welcome to Bleeping Computer,

I'm K27 and I will be reviewing your log for you.

Please DO NOT run any scans/tools/fixes on your own as this will conflict with the tools we are going to use.

Please Print or Save to Notepad all instructions and please follow them carefully and if there's something you don't understand or that will not work please let me know and we will go through it together.

I will post back as soon as I have decided on the best course of action to take with your malware issues.

Thank you for your patience,
K27.

The Internet is the New Age Battle of the Old Age Clash Between Good and Evil


My Help and Advice is always FREE, but if you would like to consider making a small donation towards my fight against Malware please click the
Posted Image button, all donations, however small are gratefully received.

#3 K27

Posted 02 May 2010 - 01:54 PM

AzuraFrost,

Your system is infected with a rootkit called TDL3, this can be removed but we have some work to do before we can start.

Your logs show you have P2P programs installed and these need to be removed, as it is not only illegal but P2P file sharing is a breeding ground for Malware, and it will be next to impossible to clean your system all the time it is installed. Also, your logs show three (3) Anti-Virus programs installed; this is never a good idea as they will conflict with each other and leave you with nothing but an unsecure and unstable machine. Please remove Norton as it is not fully active, and then please remove either Avira or Comodo; the choice is yours, but you must only run one Anti-Virus at a time.

The reason that DDS was flagged as a Trojan is because you need to disable your anti-virus before running the tool.

Your logs also show that you have downloaded and run Combo-Fix.

The below is as posted at the very top of where you would have downloaded Combo-Fix from:

You should not run ComboFix unless you are specifically asked to by a helper. Also, due to the power of this tool it is strongly advised that you do not attempt to act upon any of the information displayed by ComboFix without supervision from someone who has been properly trained. If you do so, it may lead to problems with the normal functionality of your computer.

Right, all that aside, let's get started.

First I need you to go to:
  • Start (windows icon bottom left corner of screen)
  • Control panel
  • Add/Remove programs
µTorrent
Java™ 6 Update 7
Norton Internet Security
And either COMODO or AVIRA

  • Uninstall
  • Reboot PC


Next, please post the log from the first time you ran Combo-Fix, which should be located at C:\Combofix.txt, and then please delete your version of Combo-Fix and download a fresh version from HERE.

NOTE: please be sure to save Combo-Fix to your desktop and run it from there, and please make sure you disable the Anti-Virus program you decided to keep before running Combo-Fix.
Thanks
K27.



#4 AzuraFrost

Posted 02 May 2010 - 10:01 PM

Thanks for helping me!

I attached the log from ComboFix for you. That program was recommended by a friend who works with computers but he didn't have access to the logs and he suggested this site to me. I uninstalled it after use, so I redownloaded from the link you sent.

As for the programs - Norton wasn't listed under Add/Remove and it's not listed under my Program Files or Start Menu. However, there is a folder that reads ProgramData and it contains the Norton files as well, but I don't see a way to uninstall the files. There are also some odd folders listed there that I have no idea what they are.


#5 K27

Posted 04 May 2010 - 01:29 AM

AzuraFrost,

You're welcome.

The log you posted was from 04/29/2010 (MM/DD/YYYY) and was the log from the second time you ran Combo-Fix; please copy/paste the log from the Combo-Fix you downloaded and ran from my last instructions.

Thanks
K27.


#6 AzuraFrost

Posted 04 May 2010 - 09:53 AM

Hmm, that is the only log I have. I checked the recycle bin and there wasn't anything else in there. I know I tried to start the program in regular mode but had to switch to safe mode to get it to run. What else do you need me to do? I have not run ComboFix since we started working together but I did download a fresh copy.

#7 K27

Posted 05 May 2010 - 12:41 AM

AzuraFrost,

Let's take this from the top. Please delete the copy of Combo-Fix you have saved by right clicking the Combo-Fix file and then clicking Delete, and then please follow these next instructions for downloading and RUNNING Combo-Fix.

PLEASE BE SURE TO DISABLE ALL PROTECTIVE SOFTWARE THAT IS RUNNING ON YOUR MACHINE BEFORE RUNNING COMBO-FIX, SO THAT COMBO-FIX IS NOT HINDERED IN ITS REMOVAL PROCESS

Please download ComboFix.exe. Please visit THIS webpage for download links, and instructions for running the tool:

Combo-Fix MUST be saved to your desktop before running the tool.

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Instructions for disabling your active protection can be found HERE

When prompted to install the Recovery Console please make sure to do so, as this is a VERY IMPORTANT backup for Combo-Fix (XP only).

You will need to be connected to the net to install the Recovery Console; if you can not install it DO NOT run Combo-Fix.
Post back and we will install it manually.

DO NOT mouse click when Combo-Fix is running, as this will cause Combo-Fix to stall and it will not work as it should.

Please include the C:\ComboFix.txt in your next reply for further review.

Thanks
K27



#8 AzuraFrost

Posted 05 May 2010 - 10:34 AM

Alright, I deleted my copy of ComboFix then redownloaded it.

I have Vista so it went straight into the scan after the registry part (which I'll assume means I have the Recovery Console since no prompt came up).

When I ran it the first time, it didn't scan and said that the path could not be specified. I verified that it was on the desktop, then tried to run again. It said that it found rootkit activity and had to restart the system. It restarted the system and upon rebooting, it began to run again and somewhere during the process, it blue screened.

Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.0.6002.2.2.0.768.3
Locale ID: 1033

Additional information about the problem:
BCCode: a
BCP1: 00000016
BCP2: 0000001B
BCP3: 00000000
BCP4: 822B57DB
OS Version: 6_0_6002
Service Pack: 2_0
Product: 768_1

Files that help describe the problem:
C:\Windows\Minidump\Mini050510-01.dmp
C:\Users\Sakunade\AppData\Local\temp\WER-785059-0.sysdata.xml
C:\Users\Sakunade\AppData\Local\temp\WER3967.tmp.version.txt

Not sure what stage it got to because I went in the other room to get food. This is the problem I had before, and I had to run in Safe Mode to get it to work. Would you like me to do that this time?

#9 K27

Posted 05 May 2010 - 03:48 PM

AzuraFrost,

Combo-Fix is being blocked by the infection, and that is why you are getting the blue screen; we are going to have to do this another way.

Open notepad and copy/paste the text in the codebox below into it:

CODE
@echo off
cls
echo ...............Searching for File..............
echo ...............Please be patient................
rem List every copy of atapi.sys on the system drive (/a includes hidden and system files, /s recurses)
dir /a /s "%systemdrive%\atapi.sys" > log.txt
rem Show the result, then delete this batch file itself
notepad log.txt
del %0


Save this as search.bat
Choose to "Save type as - All Files"
Save it on your desktop.

It should look like this:
Please right click on search.bat & then click "Run as Administrator" and allow it to run.

Once the search has finished there will be a notepad file saved to your desktop; please copy/paste the contents of the notepad file back to me, and also please let me know if you have your Windows installation disk.

Thanks
K27



#10 AzuraFrost

Posted 05 May 2010 - 11:19 PM

I looked for the packet that had all of my computer stuff in it from when I got it. I have an HP laptop and apparently this system was designed to not have disks or CDs, and it says that I can load them from the hard drive.

Here is the log file contents.

Volume in drive C has no label.
Volume Serial Number is 2228-7488

Directory of C:\Windows\ERDNT\cache

04/11/2009 02:32 AM 19,944 atapi.sys
1 File(s) 19,944 bytes

Directory of C:\Windows\System32\drivers

04/11/2009 02:32 AM 19,944 atapi.sys
1 File(s) 19,944 bytes

Directory of C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_7f3e4ed9

10/23/2008 06:05 AM 21,560 atapi.sys
1 File(s) 21,560 bytes

Directory of C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84

04/11/2009 02:32 AM 19,944 atapi.sys
1 File(s) 19,944 bytes

Directory of C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b7393fc6

10/23/2008 06:05 AM 21,560 atapi.sys
1 File(s) 21,560 bytes

Directory of C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699

11/02/2006 05:49 AM 19,048 atapi.sys
1 File(s) 19,048 bytes

Directory of C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d

01/20/2008 10:23 PM 21,560 atapi.sys
1 File(s) 21,560 bytes

Directory of C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20847_none_dbb74a7b3d9afbc1

10/23/2008 06:05 AM 21,560 atapi.sys
1 File(s) 21,560 bytes

Directory of C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c

01/20/2008 10:23 PM 21,560 atapi.sys
1 File(s) 21,560 bytes

Directory of C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.22193_none_dd6376773aedb5e4

10/23/2008 06:05 AM 21,560 atapi.sys
1 File(s) 21,560 bytes

Directory of C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8

04/11/2009 02:32 AM 19,944 atapi.sys
1 File(s) 19,944 bytes

Total Files Listed:
11 File(s) 228,184 bytes
0 Dir(s) 48,419,057,664 bytes free



#11 K27

Posted 07 May 2010 - 07:36 AM

AzuraFrost,

Please go to Start > Run then type in cmd then hit the ok button.
In the black box that comes up please copy/paste the text in bold below into the command prompt window and hit enter.

copy /y "C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys" C:\

If it works correctly you will see a 1 file(s) copied message.


Next:
  • Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text below between the dotted lines to the clipboard by highlighting it and then pressing Ctrl+C.
    ------------------------------------------------------------------------------------

    Files to move:
    c:\atapi.sys | C:\WINDOWS\system32\drivers\atapi.sys


    ------------------------------------------------------------------------------------
  • In the Avenger window, click the Paste Script from Clipboard button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log, along with a new combo-fix log in your next reply.

Thanks
K27.

The Internet is the New Age Battle of the Old Age Clash Between Good and Evil


My Help and Advice is always FREE, but if you would like to consider making a small donation towards my fight against Malware please click the
Posted Image button, all donations, however small are gratefully received.

#12 AzuraFrost

AzuraFrost
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:04:26 AM

Posted 07 May 2010 - 12:29 PM

Here are the files you requested.

It did blue screen when I first tried to run ComboFix after running Avenger, but the second time it worked. This was the info from the blue screen, not sure if it will make a difference or not.

Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.0.6002.2.2.0.768.3
Locale ID: 1033

Additional information about the problem:
BCCode: 1000007e
BCP1: C0000005
BCP2: 82244B2D
BCP3: B38035B8
BCP4: B38032B4
OS Version: 6_0_6002
Service Pack: 2_0
Product: 768_1

Files that help describe the problem:
C:\Windows\Minidump\Mini050710-01.dmp
C:\Users\Sakunade\AppData\Local\temp\WER-35958-0.sysdata.xml
C:\Users\Sakunade\AppData\Local\temp\WER70AC.tmp.version.txt

Attached Files



#13 K27

K27

    Malware Fighter


  • Members
  • 92 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:26 AM

Posted 08 May 2010 - 12:44 PM

AzuraFrost,

Avenger got the infected driver for us. Are you still being redirected?

This next fix is going to remove the folder from uTorrent, a few parts of Avira left on the machine, a malicious file and we are also going to take a look at a suspicious looking folder, please proceed as follows:

PLEASE BE SURE TO DISABLE ALL PROTECTIVE SOFTWARE THAT IS RUNNING ON YOUR MACHINE BEFORE RUNNING COMBO-FIX, SO THAT COMBO-FIX IS NOT HINDERED IN ITS REMOVAL PROCESS

Please:
  • Disable all Anti-virus/Anti-Spyware/FireWall on your machine(instructions via links below)
    Anti Virus
    Anti Spyware
  • If you have trouble disabling your firewall please post back before continuing which one you use and I will give you the instructions.
    (If it's a third-party Firewall there should be an Icon on your task bar by the clock, right click that and choose Disable/Stop. If it's the Windows built-in firewall you should be able to disable it via Control Panel.)


Next we are going to run Combo-Fix in a slightly different way

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quote box below into it:

QUOTE
KillAll::

Driver::
AntiVirSchedulerService

File::
c:\users\Sakunade\AppData\Roaming\uTorrent
c:\windows\IFinst27.exe

Folder::
c:\program files\Avira

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"=-

DirLook::
c:\users\Sakunade\AppData\Local\gqxhnfygu


Save this as CFScript.txt, in the same location as ComboFix.exe





Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Thanks
K27.



#14 AzuraFrost

AzuraFrost
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:04:26 AM

Posted 08 May 2010 - 05:47 PM

Erm, before we continue - I want to point out that Avira was the anti-virus I decided to keep (unless you think I should have kept Comodo). So I don't want to proceed since it looks like I'll be removing some stuff I need for the program.

#15 K27

K27

    Malware Fighter


  • Members
  • 92 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:26 AM

Posted 09 May 2010 - 03:18 PM

AzuraFrost,

Sorry about that, please run these next instructions:



PLEASE BE SURE TO DISABLE ALL PROTECTIVE SOFTWARE THAT IS RUNNING ON YOUR MACHINE BEFORE RUNNING COMBO-FIX, SO THAT COMBO-FIX IS NOT HINDERED IN ITS REMOVAL PROCESS

Please:
  • Disable all Anti-virus/Anti-Spyware/FireWall on your machine(instructions via links below)
    Anti Virus
    Anti Spyware
  • If you have trouble disabling your firewall please post back before continuing which one you use and I will give you the instructions.
    (If it's a third-party Firewall there should be an Icon on your task bar by the clock, right click that and choose Disable/Stop. If it's the Windows built-in firewall you should be able to disable it via Control Panel.)


Next we are going to run Combo-Fix in a slightly different way

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quote box below into it:

QUOTE
KillAll::

File::
c:\users\Sakunade\AppData\Roaming\uTorrent
c:\windows\IFinst27.exe

Folder::
c:\users\Sakunade\AppData\Local\Comodo
c:\users\Sakunade\AppData\Roaming\Comodo

DirLook::
c:\users\Sakunade\AppData\Local\gqxhnfygu


Save this as CFScript.txt, in the same location as ComboFix.exe





Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Thanks
K27.


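The CFScript format used in replies #13 and #15 (a section header ending in `::`, then one entry per line) is simple enough to parse, and reply #14 shows why a reader would want to: a script can quietly remove the security product the user meant to keep. Below is an added example, not code from the thread and not ComboFix's own, that reads a CFScript, lists what each section would touch, and flags destructive entries that mention software the user wants to keep. The sample script is the one quoted in reply #13; the keep-terms `avira`, `antivir` and `avgnt` are assumed to identify Avira components, which is what reply #13 itself implies. Only the section headers that appear on this page are handled.

```python
"""Summarise what a ComboFix CFScript would do before it is dragged onto ComboFix.exe.

Added example (not ComboFix's own code, not from the thread). Only the section
headers that appear in the thread are handled: KillAll::, Driver::, File::,
Folder::, Registry::, DirLook::.
"""
import re

# Constructed sample: the script quoted in reply #13 of the thread.
SAMPLE_SCRIPT = r"""KillAll::

Driver::
AntiVirSchedulerService

File::
c:\users\Sakunade\AppData\Roaming\uTorrent
c:\windows\IFinst27.exe

Folder::
c:\program files\Avira

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"=-

DirLook::
c:\users\Sakunade\AppData\Local\gqxhnfygu
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")
REG_KEY_RE = re.compile(r"^\[(.+)\]$")
REG_DELETE_RE = re.compile(r'^"([^"]+)"=-$')   # "name"=- means delete that value

# Sections that change the machine; DirLook only reports, KillAll only ends processes.
DESTRUCTIVE = ("Driver", "File", "Folder", "Registry")


def parse_cfscript(text):
    """Return {section_name: [entry, ...]} keeping entries in file order."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError("entry appears before any section header: %r" % line)
        sections[current].append(line)
    return sections


def registry_deletions(sections):
    """Return [(key, value_name), ...] for every "name"=- line under Registry::."""
    deletions = []
    key = None
    for line in sections.get("Registry", []):
        m = REG_KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = REG_DELETE_RE.match(line)
        if m and key is not None:
            deletions.append((key, m.group(1)))
    return deletions


def review(sections, keep=()):
    """Flag destructive entries that mention any keep-term (case-insensitive).

    Returns [(section, entry, matched_term), ...]. The caller supplies terms
    for software it intends to keep; in the thread that would be Avira.
    """
    findings = []
    terms = [t.lower() for t in keep]
    for section in DESTRUCTIVE:
        entries = sections.get(section, [])
        if section == "Registry":
            entries = ["%s\\%s" % kv for kv in registry_deletions(sections)]
        for entry in entries:
            low = entry.lower()
            for term in terms:
                if term in low:
                    findings.append((section, entry, term))
                    break
    return findings


if __name__ == "__main__":
    parsed = parse_cfscript(SAMPLE_SCRIPT)
    for name, entries in parsed.items():
        print("%s: %d entr%s" % (name, len(entries), "y" if len(entries) == 1 else "ies"))
    for section, entry, term in review(parsed, keep=("avira", "antivir", "avgnt")):
        print("WARNING %s:: %s (matches %r)" % (section, entry, term))
```

Run against the reply #13 script with the Avira keep-terms, the review flags the Driver::, Folder:: and Registry:: entries, which is the removal the user objected to in reply #14; run against the reply #15 script it flags nothing for Avira, since that version only removes Comodo leftovers.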



