

Please HELP win32:Zbot-MPQ(Trj) on my pc!!


  • This topic is locked
46 replies to this topic

#1 littlelady_bird

  • Members
  • 24 posts

Posted 04 May 2010 - 03:36 AM

Hi, my name is Viv and I am having trouble with my computer. I recently had a trojan virus on my PC which I thought I had fixed.

I have now got another one called win32:Zbot-MPQ(Trj) and win32:unruy-E(Trj)

I am now getting stressed and worried as I cannot fix it. Could someone please help me, as the kids cannot do their homework and I am afraid to work on it.

All help greatly appreciated

#2 sempai

  • Malware Response Team
  • 5,288 posts

Posted 04 May 2010 - 12:14 PM

Hello and welcome to Bleeping Computer.

*Please Subscribe to this Thread to get immediate notification of replies. See HERE

*It is important not to make any further changes or run any other tools/updates unless instructed to. This may hinder the cleaning process of your machine.

*Please be patient, all Bleeping Computer helpers are volunteers and have lives outside this forum.

*You must reply within 5 days otherwise this topic will be closed.


Please read the preparation guide here => http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
Then post the required logs when you reply and we will begin from there. Thanks.


~Semp

You can help me continue the fight against malware by making a donation. Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#3 littlelady_bird

  • Topic Starter

  • Members
  • 24 posts

Posted 04 May 2010 - 02:27 PM

Thank you, I have now subscribed to this post and I await a reply. Thank you again.

#4 sempai

  • Malware Response Team
  • 5,288 posts

Posted 04 May 2010 - 08:15 PM

Please read the preparation guide here => http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

Then post the required logs when you reply and we will begin from there. Thanks.


~Semp



#5 littlelady_bird

  • Topic Starter

  • Members
  • 24 posts

Posted 06 May 2010 - 10:42 AM

Hi, I have run the first two logs and have been trying to run the GMER log for the past 24 hours!! I have used both sites to download it from, but it keeps freezing after about an hour.

Could you advise me what to do now? Sorry to be so dumb.

Attached Files



#6 sempai

  • Malware Response Team
  • 5,288 posts

Posted 06 May 2010 - 11:02 AM

Hi,

Please do not attach logs unless instructed.


+++++++++++++++++++++++++


P2P Warning:
Your log(s) show that you are using so-called peer-to-peer or file-sharing programmes (in your case BitComet 1.20).

These programmes allow files to be shared between users, as the name suggests. In today's world cyber crime has reached an enormous scale, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further readings on this subject, along with the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes copyright laws in many countries around the world, and you are putting yourself at risk of being indicted by organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or by the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."



++++++++++++++++++++


1. We need to disable Spybot S&D's "TeaTimer"
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half-finished fix, we need to disable TeaTimer. We can re-enable it when we're done if you like.
  1. Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  2. If prompted with a legal dialog, accept the warning.
  3. Click and then on "Advanced Mode"
  4. You may be presented with a warning dialog. If so, press
  5. Click on
  6. Click on
  7. Uncheck this checkbox:
  8. Close/Exit Spybot Search and Destroy




2. Download Combofix (by Subs) from any of the links below, make sure that you save it to your desktop.
Link 1
Link 2

  • It's important to temporarily disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. See HERE
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
*It's strongly recommended to have this pre-installed on your machine before doing any malware removal.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
*This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures. If you did not have it installed, you will see the prompt below. Choose YES.


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Important notes:
  1. Leave your computer alone while ComboFix is running.
  2. ComboFix will restart your computer if malware is found; allow it to do so.
  3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  4. Please do not mouse-click ComboFix's window while it is running because it may cause it to stall.
  5. ComboFix SHOULD NOT be used unless requested by a forum helper. See HERE.



~Semp



#7 littlelady_bird

  • Topic Starter

  • Members
  • 24 posts

Posted 07 May 2010 - 08:56 AM

I have now run ComboFix. How would you like me to proceed?

I have also removed BitComet from my PC using the remove programs tool and disabled my Avast.

#8 sempai

  • Malware Response Team
  • 5,288 posts

Posted 07 May 2010 - 10:59 AM

Hi,

You can re-enable Avast after running Combofix.

Please post the Combofix report when ready. Thanks.

~Semp



#9 littlelady_bird

  • Topic Starter

  • Members
  • 24 posts

Posted 08 May 2010 - 05:15 AM

I really appreciate your help on this.

Attached Files



#10 sempai

  • Malware Response Team
  • 5,288 posts

Posted 08 May 2010 - 05:26 AM

Hi,

Please do not attach logs unless instructed.


+++++++++++++++++++


1. We need to execute a ComboFix script. (Tutorials on how to disable your anti virus and anti malware programs can be found HERE.)
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the code box below into it:

CODE
DDS::
mSearchAssistant =
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {BC4FFE41-DE9F-46FA-B455-AAD49B9F9938} - No File
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: &Search - ?p=ZKxdm021YYGB


4. Save this as CFScript.txt, in the same location as ComboFix.exe




5. Referring to the picture above, drag CFScript into ComboFix.exe

6. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.




2. Double click GMER.exe and if you are asked if you want to allow gmer.sys driver to load, please allow it to do so.
  • If it gives you a warning about rootkit activity and asks if you want to run scan, please click on NO.
  • In the right panel you will see several boxes that have been checked. Uncheck the following checkboxes:
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Now click on the Scan button and wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in ark.txt and save it to your desktop.
  • Post the contents of that report when you reply.


~Semp



#11 littlelady_bird

  • Topic Starter

  • Members
  • 24 posts

Posted 09 May 2010 - 04:45 AM

Hello, the GMER program ran for almost 24 hours!!!

Here are my reports:

ComboFix 10-05-08.02 - viv 09/05/2010 10:31:06.3.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.167 [GMT 1:00]
Running from: c:\documents and settings\viv\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\viv\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1368 [VPS 100508-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((( Files Created from 2010-04-09 to 2010-05-09 )))))))))))))))))))))))))))))))
.

2010-05-04 08:15 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-04 08:15 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-02 17:54 . 2009-11-24 22:48 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-05-02 17:54 . 2009-11-24 22:49 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-05-02 17:54 . 2009-11-24 22:47 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-05-02 17:54 . 2009-11-24 22:47 97480 ----a-w- c:\windows\system32\AvastSS.scr
2010-05-02 17:54 . 2009-11-24 22:51 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-05-02 17:54 . 2009-11-24 22:51 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-05-02 17:54 . 2009-11-24 22:50 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-05-02 17:54 . 2009-11-24 22:50 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-05-02 17:53 . 2009-11-24 22:54 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2010-04-29 17:05 . 2010-04-29 17:05 -------- d-----w- c:\program files\Free YouTube Downloader Converter

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-02 17:06 . 2010-04-02 17:06 -------- d-----w- c:\program files\iPod
2010-04-02 17:06 . 2010-04-02 17:06 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-02 16:58 . 2010-04-02 16:58 -------- d-----w- c:\program files\Bonjour
2010-04-02 16:54 . 2010-04-02 16:54 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-03-13 17:18 . 2010-03-13 17:18 -------- d-----w- c:\documents and settings\viv\Application Data\InterTrust
2010-03-13 17:14 . 2010-03-13 17:14 -------- d-----w- c:\program files\EPSON
2010-03-10 06:15 . 2004-08-04 04:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2005-07-02 18:11 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2005-01-18 20:26 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08 . 2005-03-01 16:57 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2005-03-01 16:34 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 10:46 . 2010-02-12 10:46 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 10:46 . 2010-02-12 10:46 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-02-12 09:03 . 2010-03-08 17:11 293376 ------w- c:\windows\system32\browserchoice.exe
2010-02-12 04:33 . 2004-08-04 04:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-04 04:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
.
CODE
c:\program files\Common Files\Apple\Mobile Device Support\bin\applesyncnotifier .exe
c:\program files\CyberLink\PowerDVD\pdvdserv .exe
c:\program files\Windows Live\Messenger\msnmsgr .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
c:\program files\Spybot - Search & Destroy\teatimer .exe
c:\program files\QuickTime\qttask   .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\PC Tools AntiVirus\pctav .exe
c:\program files\Microsoft Office\Office12\groovemonitor .exe
c:\windows\system32\ctfmon .exe
c:\windows\system32\rundll32 .exe
c:\windows\system32\IME\PINTLGNT\imscinst .exe
c:\windows\system32\IME\TINTLGNT\tintsetp .exe
c:\windows\ime\imjp8_1\imjpmig .exe


((((((((((((((((((((((((((((( SnapShot@2010-05-07_08.33.39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-09 09:25 . 2010-05-09 09:25 16384 c:\windows\temp\Perflib_Perfdata_b4.dat
+ 2010-05-09 09:25 . 2010-05-09 09:25 16384 c:\windows\temp\Perflib_Perfdata_554.dat
- 2010-05-07 08:00 . 2010-05-07 08:00 16384 c:\windows\temp\Perflib_Perfdata_554.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr .exe" [2009-07-26 3883856]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-05-02 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [N/A]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"SiSPower"="SiSPower.dll" [2005-07-13 49152]
"SoundMan"="SOUNDMAN.EXE" [2005-08-17 90112]
"SMSERIAL"="sm56hlpr.exe" [2005-06-06 544768]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\Monitor.exe" [N/A]
"Workflow"="E:\Workflow.exe" [N/A]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [N/A]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-16 47392]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [N/A]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-17 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Utility Tray.lnk - c:\windows\system32\sistray.exe [2006-12-26 262144]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\groove.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr .exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"27017:TCP"= 27017:TCP:BitComet 27017 TCP
"27017:UDP"= 27017:UDP:BitComet 27017 UDP

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [02/05/2010 18:54 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [02/05/2010 18:54 20560]
R3 PAC207;Trust WB-1400T Webcam;c:\windows\system32\drivers\PFC027.sys [24/02/2005 12:29 162176]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [26/12/2009 18:32 135664]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [10/01/2010 20:03 36608]
.
Contents of the 'Scheduled Tasks' folder

2010-05-09 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-27 17:13]

2010-05-08 c:\windows\Tasks\User_Feed_Synchronization-{36E89C61-68E9-4D1C-A0CA-FFFBECE2D6A8}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 03:31]

2010-05-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-26 17:31]

2010-05-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-26 17:31]

2010-04-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.blueyonder.co.uk/
uInternet Settings,ProxyOverride = <local>;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-09 10:37
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3980)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-05-09 10:40:29
ComboFix-quarantined-files.txt 2010-05-09 09:40
ComboFix2.txt 2010-05-09 09:12
ComboFix3.txt 2010-05-07 08:36

Pre-Run: 3,531,866,112 bytes free
Post-Run: 3,485,106,176 bytes free

- - End Of File - - 997DC11FA9999EF1C340F9956C919227
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-09 09:39:21
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\viv\LOCALS~1\Temp\uxdyipow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB5E086B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xB5E08574]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xB5E08A52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xB5E0814C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xB5E0864E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB5E0808C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xB5E080F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xB5E0876E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xB5E0872E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xB5E088AE]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

---- EOF - GMER 1.0.15 ----


I hope this is right now and this is how you wanted the logs posted. I get so confused with all this stuff.

#12 sempai

  • Malware Response Team
  • 5,288 posts

Posted 09 May 2010 - 04:58 AM

Hi,

Yes, you did it right.


++++++++++++++++++++++++


1. Did you install Fast Browser Search (My Web Tattoo) by yourself?

If not please go to Control Panel > Add Remove Programs > locate and remove Fast Browser Search (My Web Tattoo).

Then go to C: > Program Files > Delete the Fast Browser Search (My Web Tattoo) folder if present.



2. We need to execute a ComboFix script. (Tutorials on how to disable your anti virus and anti malware programs can be found HERE.)
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the code box below into it:

CODE
RenV::
c:\program files\Common Files\Apple\Mobile Device Support\bin\applesyncnotifier .exe
c:\program files\CyberLink\PowerDVD\pdvdserv .exe
c:\program files\Windows Live\Messenger\msnmsgr .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
c:\program files\Spybot - Search & Destroy\teatimer .exe
c:\program files\QuickTime\qttask   .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\PC Tools AntiVirus\pctav .exe
c:\program files\Microsoft Office\Office12\groovemonitor .exe
c:\windows\system32\ctfmon .exe
c:\windows\system32\rundll32 .exe
c:\windows\system32\IME\PINTLGNT\imscinst .exe
c:\windows\system32\IME\TINTLGNT\tintsetp .exe
c:\windows\ime\imjp8_1\imjpmig .exe


4. Save this as CFScript.txt, in the same location as ComboFix.exe




5. Referring to the picture above, drag CFScript into ComboFix.exe

6. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Edited by sempai, 09 May 2010 - 05:02 AM.

~Semp

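As an added example (not code from this thread, and not ComboFix's or GMER's own tooling), the Python script below does the triage a helper performs by eye on the ComboFix report posted above. It flags executable paths that carry whitespace before ".exe" (the same "msnmsgr .exe"-style names the RenV:: script lists), notes when the correctly spelled name is also present beside the spaced copy (as with the GoogleToolbarNotifier pair in the report), picks out BHO/TB entries reported as "No File", and reads the DisableRegistryTools policy line. The sample log is constructed from lines of the same shape as those in the thread; the function names, regular expressions and report layout are the example's own assumptions.

```python
"""Triage helper for ComboFix-style log excerpts.

Added example, not part of the original thread and not ComboFix or GMER code.
It scans report text for three things the thread's logs show:

  * executable paths with whitespace before ".exe" (e.g. "msnmsgr .exe"),
    the same paths the helper's RenV:: script lists for renaming;
  * BHO:/TB: browser add-on entries whose file is reported as "No File";
  * a DisableRegistryTools = 1 policy, which blocks the Registry Editor.

SAMPLE_LOG is constructed here from lines of the shape seen in the thread.
"""
import re

# "c:\path\name .exe" -> capture everything before the stray whitespace
SPACED_EXT = re.compile(r"^(?P<stem>[A-Za-z]:\\.*?\S)\s+\.exe$", re.IGNORECASE)
# Run-key value as ComboFix prints it: "Name"="path" [date size]
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"')
# Browser helper object / toolbar with a dangling CLSID
ADDON_NOFILE = re.compile(r"^(?P<kind>BHO|TB): (?P<clsid>\{[0-9A-Fa-f-]+\}) - No File$")
# Policy line as shown in the thread's DDS:: script section
REG_TOOLS = re.compile(r"^dPolicies-system: DisableRegistryTools = (?P<val>\d+)")

# Constructed sample: same line shapes as the thread's report, not a real log.
SAMPLE_LOG = r"""
c:\program files\Windows Live\Messenger\msnmsgr .exe
c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
c:\program files\QuickTime\qttask   .exe
c:\windows\system32\rundll32 .exe
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr .exe" [2009-07-26 3883856]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-05-02 39408]
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
dPolicies-system: DisableRegistryTools = 1 (0x1)
"""


def spaced_extension(path):
    """Return (observed, canonical) when `path` has whitespace before '.exe'."""
    m = SPACED_EXT.match(path.strip())
    if not m:
        return None
    return path.strip(), m.group("stem") + ".exe"


def triage(log_text):
    """Walk the log once and collect the indicators described above."""
    report = {
        "spaced_ext": [],          # (observed path, canonical name, shadowed?)
        "autorun_spaced": [],      # Run values that launch a spaced-name file
        "addons_no_file": [],      # (BHO|TB, CLSID)
        "registry_tools_disabled": False,
    }
    all_paths = set()
    candidates = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        run = RUN_VALUE.match(line)
        if run:
            all_paths.add(run.group("path").strip().lower())
            hit = spaced_extension(run.group("path"))
            if hit:
                report["autorun_spaced"].append((run.group("name"), hit[0]))
            continue
        addon = ADDON_NOFILE.match(line)
        if addon:
            report["addons_no_file"].append((addon.group("kind"), addon.group("clsid")))
            continue
        pol = REG_TOOLS.match(line)
        if pol:
            report["registry_tools_disabled"] = pol.group("val") != "0"
            continue
        hit = spaced_extension(line)
        if hit:
            all_paths.add(hit[0].lower())
            if hit[0].lower() not in {c[0].lower() for c in candidates}:
                candidates.append(hit)
    # A spaced copy whose canonical name is also present is "shadowing" it.
    for observed, canonical in candidates:
        shadowed = canonical.lower() in all_paths
        report["spaced_ext"].append((observed, canonical, shadowed))
    return report


def rename_plan(report):
    """Map each spaced path to the canonical name, in the style of a RenV:: list."""
    return {obs: canon for obs, canon, _ in report["spaced_ext"]}


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    for obs, canon, shadowed in r["spaced_ext"]:
        note = " (legit name also present)" if shadowed else ""
        print(f"{obs!r} -> {canon!r}{note}")
    print("autorun entries using spaced names:", r["autorun_spaced"])
    print("add-ons with no file:", r["addons_no_file"])
    print("registry tools disabled:", r["registry_tools_disabled"])
```

Run it directly to print the findings; `rename_plan` pairs each spaced name with its canonical counterpart so a reviewer can check the list against the report before any file is renamed. The "shadowed" flag matters because a renamed copy sitting next to a legitimately named file means the Run entry has to be checked to see which of the two it actually launches.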


#13 littlelady_bird

  • Topic Starter

  • Members
  • 24 posts

Posted 09 May 2010 - 05:23 AM

Phew!! No, I didn't install Web Tattoo myself. Do you want me to run ComboFix again after?

#14 sempai

  • Malware Response Team
  • 5,288 posts

Posted 09 May 2010 - 05:26 AM

Yes, run ComboFix again and make sure to follow the new instructions on how to run it. Thanks.

~Semp



#15 littlelady_bird

  • Topic Starter

  • Members
  • 24 posts

Posted 09 May 2010 - 05:28 AM

I have looked in my Add or Remove Programs and it is not listed there, and it is not listed in the other C: folder???



