Google work slow, redirects me to unknown websites (possibly Virtumonde)


16 replies to this topic

#1 Zaftwave

Zaftwave

  • Members
  • 11 posts

Posted 15 May 2010 - 03:56 AM

Referred from here: http://www.bleepingcomputer.com/forums/t/316443/infected-and-not-sure-anymore-what-to-do/ ~ OB

Whenever I enter Google and search for websites that I frequently visit and click on them, most of the time I get redirected to other websites with really long URLs (probably websites that infect or do something else)...however there's not even any content on these strange websites..I just get blank space all over the browser window. Malwarebytes Anti-Malware keeps saying that it is blocking access to a potentially malicious website with some unknown IP following afterwards.

Sometimes I do manage to enter my websites through Google but very rarely; also, from what I've noticed, this only seems to happen when I try to enter websites through Google search. If I just write the websites I want to visit directly in the URL bar it works fine. I've noticed that around the time I most likely got infected (that was when I opened an obvious fake mail by mistake) my computer has been working really slowly as well.

I've followed the Preparation Guide Steps 6-9 and have created a DDS and Attach log. I tried to run GMER and while it did scan it would take forever to scan, but that's not the problem; the problem is that GMER basically freezes my whole computer, I can't do anything, not even run a simple application..I can't even save the results from the scanning done in GMER because if I do click on the save button my computer will just show this loading icon and nothing will ever happen..and I can't do anything outside it either (such as trying to terminate the process). I tried this three times and I would get the same result every time. I was told to skip it if it didn't run.

Here's the DDS log along with the Attach file:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 9:43:28,20 on 2010-05-13
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.46.1033.18.2047.1008 [GMT 2:00]

AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning disabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\WINDOWS\System32\snmp.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
svchost.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\SysMonitor.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\MagicTune Premium\MagicTune.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Personal\bin\Personal.exe
C:\Program Files\MagicTune Premium\GammaTray.exe
C:\Program Files\SEC\Natural Color Pro\NCProTray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
uInternet Connection Wizard,ShellNext = hxxp://global.acer.com/
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: : {3e02f6b0-d2b4-4861-9ccc-928a1d315186} - c:\windows\system32\eqiicxk.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Servicecenter Plugin: {db87cde1-ef9c-44eb-a42f-6d0b3c72c516} - c:\program files\bredbandsbolaget\servicecenter\IEFixItNowPlugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\l


Edited by Orange Blossom, 15 May 2010 - 02:08 PM.


#2 Zaftwave

Zaftwave
  • Topic Starter

  • Members
  • 11 posts

Posted 15 May 2010 - 09:10 AM

It seems that every time I try to post a new post with my whole DDS log more than half of it disappears; every time I try to modify the post by putting in the whole log it gives me an error. I can't even attach the file. What's wrong?

Edited by Zaftwave, 15 May 2010 - 12:38 PM.


#3 mpascal

mpascal

    Math Nerd


  • Members
  • 1,653 posts
  • Gender:Male
  • Location:Canada

Posted 15 May 2010 - 03:39 PM

Hi Zaftwave,

Welcome to Bleeping Computer.

My name is mpascal, and I will be helping you fix your problem.

Before we begin, I would like to make a few things clear so that we can fix your problem as efficiently as possible:
  • Be sure to follow all my instructions carefully! If there is anything you don't understand, don't hesitate to ask.
  • Please do not do anything or perform other steps unless I have asked you to do so.
  • Please make sure you post all logs I ask you to, and make sure that the entire log gets posted.
  • Don't attach any logs unless asked. Posting them in the forums will make them easier to analyze.
  • If you are unsure of how to reply, or need help with anything regarding the website, please look here.

QUOTE
It seems that every time I try to post a new post with my whole DDS log more than half of it disappears; every time I try to modify the post by putting in the whole log it gives me an error. I can't even attach the file. What's wrong?

That's a sign of one of the newer infections, I don't think it's a problem with the forums.

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.

Stay with your topic! Topics that go 4 days without a reply will be closed. PM me to reopen.

Please don't PM asking for support. Post on the forums instead.

My help is free, but if you wish to donate and help continue my fight against malware, click here.


#4 Zaftwave

Zaftwave
  • Topic Starter

  • Members
  • 11 posts

Posted 16 May 2010 - 03:24 PM

Just to make sure before I start to do anything...in the following thread I created: http://www.bleepingcomputer.com/forums/t/316443/infected-and-not-sure-anymore-what-to-do/

I was told to not make any kind of changes to my computer, however since the time I posted the log I've installed and uninstalled a few programs and deleted common files (images, documents, program files etc.). Should I still proceed as told in your post?

#5 mpascal

mpascal

    Math Nerd


  • Members
  • 1,653 posts
  • Gender:Male
  • Location:Canada

Posted 16 May 2010 - 05:15 PM

If all you did was uninstall a few things and delete a few files then you should be fine. Proceed with the GMER instructions.



#6 Zaftwave

Zaftwave
  • Topic Starter

  • Members
  • 11 posts

Posted 17 May 2010 - 01:04 PM

Here's the gmer log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-17 19:14:09
Windows 5.1.2600 Service Pack 3
Running: n30ch4b2.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\awldapod.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF766787E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF7667BFE]

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\DRIVERS\imapi.sys entry point in ".rsrc" section [0xF76B0314]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[600] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0075000A
.text C:\WINDOWS\system32\svchost.exe[600] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00A3000A
.text C:\WINDOWS\system32\svchost.exe[600] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0074000C
.text C:\WINDOWS\system32\svchost.exe[600] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00A7000A
.text C:\WINDOWS\Explorer.EXE[1104] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00CC000A
.text C:\WINDOWS\Explorer.EXE[1104] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D2000A
.text C:\WINDOWS\Explorer.EXE[1104] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00CB000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs B805B400
Device -> \Driver\atapi \Device\Harddisk0\DR0 8A5FEAC8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xA2 0x04 0x47 0x89 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv@imagepath \systemroot\system32\drivers\TDSSserv.sys
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xA2 0x04 0x47 0x89 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv@imagepath \systemroot\system32\drivers\TDSSpxoe.sys
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv\modules@TDSSserv \systemroot\system32\drivers\TDSSpxoe.sys
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv\modules@TDSSl \systemroot\system32\TDSSotpa.dll
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv\modules@tdssservers \systemroot\system32\TDSSmupe.dat
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv\modules@tdssmain \systemroot\system32\TDSSirxy.dll
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv\modules@tdsslog \systemroot\system32\TDSSyavu.dll
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv\modules@tdssadw \systemroot\system32\TDSSncur.dll
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv\modules@tdssinit \systemroot\system32\TDSSqxnr.dll
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv\modules@tdssurls \systemroot\system32\TDSSnmxh.log
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv\modules@tdsspanels \systemroot\system32\TDSSsahc.dll
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv\modules@tdssserf \systemroot\system32\TDSSehys.dll
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv\modules@tdsserrors \systemroot\system32\TDSSwghd.log
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv\modules@TDSSproc \systemroot\system32\TDSSlubs.log
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys)@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys)@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys)@imagepath \systemroot\system32\drivers\TDSSpqxt.sys
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys)\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys)\modules@TDSSserv \systemroot\system32\drivers\TDSSpqxt.sys
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv.sys)\modules@TDSSl \systemroot\system32\TDSSoiqh.dll
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xA2 0x04 0x47 0x89 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv@imagepath \systemroot\system32\drivers\TDSSserv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xA2 0x04 0x47 0x89 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xA2 0x04 0x47 0x89 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xA2 0x04 0x47 0x89 ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Administrator\Cookies\desktop.ini 67 bytes
File C:\Documents and Settings\Administrator\Cookies\administrator@zune[2].txt 236 bytes
File C:\Documents and Settings\Administrator\Cookies\administrator@zune[3].txt 238 bytes
File C:\Documents and Settings\Administrator\Cookies\administrator@zune[4].txt 239 bytes
File C:\Documents and Settings\Administrator\Cookies\administrator@zune[6].txt 235 bytes
File C:\Documents and Settings\Administrator\Cookies\administrator@zune[7].txt 235 bytes
File C:\Documents and Settings\Administrator\Cookies\system@ad.yieldmanager[2].txt 0 bytes
File C:\Documents and Settings\Administrator\Cookies\system@snap[2].txt 137 bytes
File C:\Documents and Settings\Administrator\Cookies\index.dat 32768 bytes
File C:\WINDOWS\system32\DRIVERS\imapi.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

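A triage script for the GMER log format quoted above, as an added example that is not part of the thread or of GMER: it parses the user-mode hook, registry-service and file lines and reports the entries a helper looks at first (JMPs out of system DLLs into low, non-image addresses, driver services that carry a modules list or TDSS naming, and files GMER marked as modified). The sample log, the address threshold and the flagging rules are assumptions built from lines in this thread, not GMER's own logic.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from the GMER post above.
SAMPLE_LOG = r"""
---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[600] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0075000A
.text C:\WINDOWS\system32\svchost.exe[600] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00A7000A
.text C:\WINDOWS\Explorer.EXE[1104] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D2000A

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv@imagepath \systemroot\system32\drivers\TDSSserv.sys
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv@imagepath \systemroot\system32\drivers\TDSSpxoe.sys
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv\modules@TDSSl \systemroot\system32\TDSSotpa.dll
Reg HKLM\SYSTEM\ControlSet002\Services\TDSSserv\modules@tdssservers \systemroot\system32\TDSSmupe.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\DRIVERS\imapi.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
File C:\Documents and Settings\Administrator\Cookies\index.dat 32768 bytes
"""

HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?\[\d+\])\s+(?P<func>\S+)\s+(?P<addr>[0-9A-F]+)"
    r"\s+(?P<size>\d+) Bytes\s+JMP\s+(?P<target>[0-9A-F]+)$")
REG_RE = re.compile(
    r"^Reg\s+HKLM\\SYSTEM\\(?P<cset>[^\\]+)\\Services\\(?P<svc>[^\\@\s]+)"
    r"(?P<sub>[^@\s]*)(?:@(?P<name>\S+))?(?:\s+(?P<value>.*))?$")
FILE_RE = re.compile(r"^File\s+(?P<path>.+?)\s+suspicious modification$")

# Assumed heuristic: on 32-bit XP the system DLLs GMER reports (ntdll, ole32)
# load high in user space, so a 5-byte JMP from one of them into a low,
# non-image address is an inline hook worth a closer look.
LOW_TARGET_LIMIT = 0x10000000


def parse_hooks(log):
    """Return every inline hook line with its decoded JMP target."""
    hooks = []
    for line in log.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            target = int(m["target"], 16)
            hooks.append({"process": m["proc"], "function": m["func"],
                          "target": target,
                          "suspicious": target < LOW_TARGET_LIMIT})
    return hooks


def parse_services(log):
    """Group registry lines by (control set, service); keep values and modules."""
    services = defaultdict(lambda: {"values": {}, "modules": {}})
    for line in log.splitlines():
        m = REG_RE.match(line.strip())
        if not m or m["name"] is None:
            continue
        entry = services[(m["cset"], m["svc"])]
        value = m["value"] or ""
        if m["sub"].lower().endswith("\\modules"):
            entry["modules"][m["name"]] = value
        elif m["sub"] == "":
            entry["values"][m["name"].lower()] = value
    return services


def flag_services(services):
    """Assumed rules: a .sys service with a modules list, or TDSS naming."""
    findings = []
    for (cset, svc), entry in services.items():
        image = entry["values"].get("imagepath", "")
        reasons = []
        if image.lower().endswith(".sys") and entry["modules"]:
            reasons.append("driver service carries a modules list")
        if svc.lower().startswith("tdss") or "\\tdss" in image.lower():
            reasons.append("TDSS naming pattern")
        if reasons:
            findings.append({"control_set": cset, "service": svc,
                             "imagepath": image, "reasons": reasons})
    return findings


def parse_suspicious_files(log):
    """Paths GMER itself marked as 'suspicious modification'."""
    matches = (FILE_RE.match(l.strip()) for l in log.splitlines())
    return [m["path"] for m in matches if m]


def triage(log):
    return {
        "hooks": [h for h in parse_hooks(log) if h["suspicious"]],
        "services": flag_services(parse_services(log)),
        "modified_files": parse_suspicious_files(log),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for h in result["hooks"]:
        print(f"hook  {h['process']} {h['function']} -> {h['target']:08X}")
    for s in result["services"]:
        print(f"svc   {s['control_set']}\\{s['service']}: {', '.join(s['reasons'])}")
    for p in result["modified_files"]:
        print(f"file  {p}")
```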

#7 mpascal

mpascal

    Math Nerd


  • Members
  • 1,653 posts
  • Gender:Male
  • Location:Canada

Posted 17 May 2010 - 01:05 PM

Hi there,

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.



#8 Zaftwave

Zaftwave
  • Topic Starter

  • Members
  • 11 posts

Posted 17 May 2010 - 01:23 PM

Should I disconnect myself from the network before disabling all anti virus/malware programs when following the instructions?

#9 mpascal

mpascal

    Math Nerd


  • Members
  • 1,653 posts
  • Gender:Male
  • Location:Canada

Posted 17 May 2010 - 04:03 PM

QUOTE
Should I disconnect myself from the network

I don't think that will be necessary.



#10 Zaftwave

Zaftwave
  • Topic Starter

  • Members
  • 11 posts

Posted 18 May 2010 - 01:47 PM

When I ran ComboFix it said I was infected and told me it had to reboot the PC; once I did that and waited for it to finish its operations the PC rebooted again...and once I logged in on my PC ComboFix continued where it left off with preparing the log etc. However, when it did this other programs were running (Nod32, Malwarebytes Anti-Malware etc.) due to the PC rebooting (twice). I don't know if that changes anything though.

Here's the ComboFix log:

ComboFix 10-05-16.06 - Administrator 2010-05-18 20:14:23.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.46.1033.18.2047.1524 [GMT 2:00]
Körs från: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning disabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Andra raderingar ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\.COMMgr
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\rvi8l1ym.default\extensions\{42be1cbd-2a7f-47cc-8d38-cd4701ea0433}
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\rvi8l1ym.default\extensions\{42be1cbd-2a7f-47cc-8d38-cd4701ea0433}\chrome.manifest
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\rvi8l1ym.default\extensions\{42be1cbd-2a7f-47cc-8d38-cd4701ea0433}\chrome\xulcache.jar
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\rvi8l1ym.default\extensions\{42be1cbd-2a7f-47cc-8d38-cd4701ea0433}\defaults\preferences\xulcache.js
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\rvi8l1ym.default\extensions\{42be1cbd-2a7f-47cc-8d38-cd4701ea0433}\install.rdf
c:\documents and settings\All Users.\documents\settings
c:\documents and settings\LocalService\Application Data\Mozilla\Firefox\Profiles\w9ybh3ke.default\extensions\{42be1cbd-2a7f-47cc-8d38-cd4701ea0433}
c:\documents and settings\LocalService\Application Data\Mozilla\Firefox\Profiles\w9ybh3ke.default\extensions\{42be1cbd-2a7f-47cc-8d38-cd4701ea0433}\chrome.manifest
c:\documents and settings\LocalService\Application Data\Mozilla\Firefox\Profiles\w9ybh3ke.default\extensions\{42be1cbd-2a7f-47cc-8d38-cd4701ea0433}\chrome\xulcache.jar
c:\documents and settings\LocalService\Application Data\Mozilla\Firefox\Profiles\w9ybh3ke.default\extensions\{42be1cbd-2a7f-47cc-8d38-cd4701ea0433}\defaults\preferences\xulcache.js
c:\documents and settings\LocalService\Application Data\Mozilla\Firefox\Profiles\w9ybh3ke.default\extensions\{42be1cbd-2a7f-47cc-8d38-cd4701ea0433}\install.rdf
c:\documents and settings\LOLOMG1\Application Data\Mozilla\Firefox\Profiles\w7a0sozy.default\extensions\{42be1cbd-2a7f-47cc-8d38-cd4701ea0433}
c:\documents and settings\LOLOMG1\Application Data\Mozilla\Firefox\Profiles\w7a0sozy.default\extensions\{42be1cbd-2a7f-47cc-8d38-cd4701ea0433}\chrome.manifest
c:\documents and settings\LOLOMG1\Application Data\Mozilla\Firefox\Profiles\w7a0sozy.default\extensions\{42be1cbd-2a7f-47cc-8d38-cd4701ea0433}\chrome\xulcache.jar
c:\documents and settings\LOLOMG1\Application Data\Mozilla\Firefox\Profiles\w7a0sozy.default\extensions\{42be1cbd-2a7f-47cc-8d38-cd4701ea0433}\defaults\preferences\xulcache.js
c:\documents and settings\LOLOMG1\Application Data\Mozilla\Firefox\Profiles\w7a0sozy.default\extensions\{42be1cbd-2a7f-47cc-8d38-cd4701ea0433}\install.rdf
c:\program files\Internet Explorer\SETBA.tmp
c:\program files\Internet Explorer\SETBB.tmp
c:\program files\Internet Explorer\SETBD.tmp
c:\program files\WinPCap
c:\program files\WinPCap\rpcapd.exe
c:\windows\Downloaded Program Files\Install.inf
c:\windows\system32\_000002_.tmp.dll
c:\windows\system32\_000003_.tmp.dll
c:\windows\system32\_000004_.tmp.dll
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\_000007_.tmp.dll
c:\windows\system32\_000008_.tmp.dll
c:\windows\system32\_000009_.tmp.dll
c:\windows\system32\_000010_.tmp.dll
c:\windows\system32\_000011_.tmp.dll
c:\windows\system32\_000012_.tmp.dll
c:\windows\system32\Cache
c:\windows\system32\disk.dll
c:\windows\system32\drivers\npf.sys
c:\windows\system32\dumphive.exe
c:\windows\system32\Packet.dll
c:\windows\system32\Process.exe
c:\windows\system32\pthreadVC.dll
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\WanPacket.dll
c:\windows\system32\VB6KO.DLL
c:\windows\system32\VCCLSID.exe
c:\windows\system32\wpcap.dll
c:\windows\system32\WS2Fix.exe
C:\xcrashdump.dat

Infekterad kopia av c:\windows\system32\drivers\imapi.sys hittades och desinficerades.
Återställd kopia från - Kitty had a snack :p
.
((((((((((((((((((((((((((((((((((((((( Drivrutiner/Tjänster )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_npf


(((((((((((((((((((((((( Filer Skapade från 2010-04-18 till 2010-05-18 ))))))))))))))))))))))))))))))
.

2010-05-15 20:09 . 2010-05-15 20:09 -------- d-----w- c:\program files\Hijack
2010-05-15 20:03 . 2010-05-15 20:04 -------- d-----w- c:\program files\ImgBurn
2010-05-15 19:53 . 2010-05-15 19:53 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2010-05-14 12:30 . 2010-05-14 12:30 -------- d-----w- c:\program files\Common Files\DirectX
2010-05-14 12:26 . 2005-01-03 15:43 4682 ----a-w- c:\windows\system32\npptNT2.sys
2010-05-14 12:26 . 2010-05-14 12:26 -------- d-----w- c:\program files\Common Files\INCA Shared
2010-05-14 00:43 . 2010-05-14 00:43 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-05-14 00:41 . 2010-05-14 00:41 -------- d-----w- c:\windows\system32\config\systemprofile\Tracing
2010-05-13 17:42 . 2010-04-27 16:14 294912 ----a-w- c:\windows\system32\glew32.dll
2010-05-12 23:46 . 2010-05-12 23:46 -------- d-----w- c:\program files\Common Files\Java
2010-05-12 23:46 . 2010-05-12 23:46 -------- d-----w- c:\program files\Java
2010-05-12 22:53 . 2010-05-12 23:46 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-12 21:49 . 2010-05-12 22:26 -------- d-----w- C:\VundoFix Backups
2010-05-12 20:31 . 2010-05-12 20:53 -------- d-----w- c:\temp\ListDlls
2010-05-12 20:22 . 2010-01-27 11:58 212992 ----a-w- c:\windows\system32\PuranDefrag.dll
2010-05-12 20:22 . 2010-02-05 09:45 221184 ----a-w- c:\windows\system32\PuranDC.exe
2010-05-12 20:22 . 2010-02-05 09:45 107008 ----a-w- c:\windows\system32\PuranDefragBT.exe
2010-05-12 20:22 . 2010-02-05 09:45 229376 ----a-w- c:\windows\system32\PuranDefragS.exe
2010-05-12 20:22 . 2010-02-05 09:45 1110016 ----a-w- c:\windows\system32\PuranFD.exe
2010-05-12 20:21 . 2010-05-12 20:22 -------- d-----w- c:\program files\Puran Defrag
2010-05-12 20:20 . 2010-05-12 20:20 -------- d-----w- c:\program files\Defraggler
2010-05-12 20:18 . 2010-05-16 23:03 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-05-12 20:18 . 2010-05-12 20:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-05-12 20:18 . 2010-05-12 20:18 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-05-12 20:18 . 2010-05-12 20:18 -------- d-----w- c:\program files\CCleaner
2010-05-12 08:13 . 2010-05-11 19:22 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-05-11 21:03 . 2010-05-11 21:03 2 --shatr- c:\windows\winstart.bat
2010-05-11 19:54 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-11 19:53 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-11 19:53 . 2010-05-11 19:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-11 19:22 . 2009-09-23 12:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-05-11 19:19 . 2010-05-11 19:19 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-16 19:43 . 2009-07-01 14:45 -------- d-----w- c:\program files\Windows Grep
2010-05-15 20:37 . 2007-06-23 14:43 -------- d-----w- c:\documents and settings\Administrator\Application Data\ImgBurn
2010-05-15 20:09 . 2010-05-15 20:09 388096 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-05-15 15:14 . 2007-04-02 02:32 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2010-05-15 15:14 . 2010-01-01 13:39 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM
2010-05-12 22:54 . 2010-05-12 22:54 503808 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-177d06d3-n\msvcp71.dll
2010-05-12 22:54 . 2010-05-12 22:54 499712 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-177d06d3-n\jmc.dll
2010-05-12 22:54 . 2010-05-12 22:54 348160 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-177d06d3-n\msvcr71.dll
2010-05-12 22:54 . 2010-05-12 22:54 61440 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-195ffd3c-n\decora-sse.dll
2010-05-12 22:54 . 2010-05-12 22:54 12800 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-195ffd3c-n\decora-d3d.dll
2010-05-12 22:51 . 2006-12-31 19:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-05-12 22:51 . 2006-12-31 19:10 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-05-12 22:45 . 2008-07-19 17:35 -------- d-----w- c:\program files\Sun
2010-05-12 20:36 . 2010-04-07 19:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-12 18:46 . 2010-04-07 19:35 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-05-12 13:23 . 2010-04-16 15:52 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-11 22:48 . 2007-01-01 01:18 -------- d-----w- c:\program files\MSN Messenger
2010-05-11 19:41 . 2010-04-16 21:10 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-11 19:38 . 2010-05-11 19:38 63488 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-05-11 19:38 . 2010-05-11 19:38 52224 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-05-11 19:38 . 2010-05-11 19:38 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-11 19:37 . 2010-04-16 21:10 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-05-11 19:36 . 2007-10-12 21:34 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-05-11 19:19 . 2010-04-07 20:40 -------- d-----w- c:\program files\Lavasoft
2010-05-11 19:19 . 2010-04-07 20:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-05-09 13:01 . 2009-10-04 18:43 -------- d-----w- c:\program files\MSECache
2010-05-09 13:00 . 2010-03-18 22:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-05-04 20:53 . 2007-04-02 01:09 63496 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-04 19:02 . 2006-12-31 19:06 -------- d-----w- c:\program files\Microsoft Works
2010-04-16 21:10 . 2010-04-16 21:10 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-04-16 15:51 . 2010-04-07 21:26 54 ----a-w- c:\windows\system32\rp_stats.dat
2010-04-16 15:51 . 2010-04-07 21:26 44 ----a-w- c:\windows\system32\statistics.dat
2010-04-16 15:51 . 2010-04-07 21:26 39 ----a-w- c:\windows\system32\rp_rules.dat
2010-04-08 06:28 . 2010-04-08 06:28 -------- d-----w- c:\documents and settings\Administrator\Application Data\EmailNotifier
2010-04-08 06:28 . 2010-04-08 06:28 -------- d-----w- c:\program files\Hamachi
2010-04-08 05:21 . 2009-09-01 13:26 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-08 05:20 . 2010-04-08 05:20 -------- d-----w- c:\program files\GetData
2010-04-08 00:01 . 2010-04-08 00:01 -------- d-----w- c:\documents and settings\Administrator\Application Data\nCleaner
2010-04-08 00:01 . 2010-04-08 00:01 -------- d-----w- c:\program files\NKProds
2010-04-06 11:55 . 2008-07-19 21:40 -------- d-----w- c:\program files\Enigma Software Group
2010-03-31 16:38 . 2007-01-03 21:52 -------- d-----w- c:\program files\ffdshow
2010-03-30 13:30 . 2010-03-30 13:30 -------- d-----w- c:\program files\Common Files\Skype
2010-03-21 02:04 . 2010-03-18 23:05 -------- d-----w- c:\program files\Microsoft SQL Server
2010-03-20 15:08 . 2010-03-20 15:08 -------- d-----w- c:\documents and settings\Administrator\Application Data\GrabPro
2010-03-20 14:59 . 2008-05-31 11:34 -------- d-----w- c:\documents and settings\Administrator\Application Data\Orbit
2010-03-20 02:16 . 2010-03-18 22:59 1680064 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VisualStudio\9.0\1033\ResourceCache.dll
2010-03-20 02:10 . 2010-03-18 22:59 18368 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VSA\9.0\1033\ResourceCache.dll
2010-03-20 02:07 . 2010-03-18 22:45 -------- d-----w- c:\program files\Common Files\Merge Modules
2010-03-19 00:26 . 2010-03-19 00:26 290816 ----a-w- c:\documents and settings\Administrator\Application Data\SystemRequirementsLab\SRLProxy_nvd_4.dll
2010-03-19 00:26 . 2010-03-19 00:26 290816 ----a-w- c:\documents and settings\Administrator\Application Data\SystemRequirementsLab\SRLProxy_nvd_3.dll
2010-03-19 00:26 . 2010-03-19 00:26 290816 ----a-w- c:\documents and settings\Administrator\Application Data\SystemRequirementsLab\SRLProxy_nvd_2.dll
2010-03-19 00:26 . 2010-03-19 00:26 290816 ----a-w- c:\documents and settings\Administrator\Application Data\SystemRequirementsLab\SRLProxy_nvd_1.dll
2010-03-18 22:42 . 2010-03-18 22:42 416 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\MSDN\9.0\1033\ResourceCache.dll
2010-03-10 06:15 . 2004-08-10 20:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-02 23:06 . 2010-03-02 23:06 1024 ----a-w- c:\windows\system32\PDF2IMG.dat
2010-02-25 06:24 . 2006-03-04 03:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2005-01-19 04:26 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-19 18:07 . 2009-08-15 17:45 85504 ----a-w- c:\windows\system32\ff_vfw.dll
.

(((((((((((((((((((((((((((((((((( Startpunkter i registret )))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Not* Tomma poster & legitima standardposter visas inte.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-05-16 153136]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-05-11 2017280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"ntiMUI"="c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2005-05-11 45056]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-10 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"Acer Empowering Technology Monitor"="c:\windows\system32\SysMonitor.exe" [2006-04-18 49152]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 56080]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 56080]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-12-21 1443072]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-01 16208384]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2006-03-17 345088]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]
"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2010-05-12 5937984]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-11 13666408]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-25 437160]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-27 4670968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BankID säkerhetsprogram.lnk - c:\program files\Personal\bin\Personal.exe [2010-2-4 939920]
GammaTray.lnk - c:\program files\MagicTune Premium\GammaTray.exe [2007-12-28 36864]
NCProTray.lnk - c:\program files\SEC\Natural Color Pro\NCProTray.exe [2007-12-28 49220]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 13:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ 'autocheck autochk *'

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acer Empowering Technology.lnk]
backup=c:\windows\pss\Acer Empowering Technology.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\asc32
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AUTORUN_VAL
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bredbandsbolaget Servicecenter]
2007-04-16 15:58 184320 ----a-w- c:\program files\Bredbandsbolaget\Servicecenter\Bredbandsbolaget.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
2005-06-08 14:14 217088 ----a-w- c:\program files\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 13:57 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-05-11 64288]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2007-12-21 33800]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2010-02-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-06 68168]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2010-04-16 93360]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2007-12-21 468224]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2010-05-11 304464]
R3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2010-05-12 15944]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-05-11 20952]
S2 EraserSvc10823;Symantec Eraser Service;"c:\program files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon --> c:\program files\Common Files\Symantec Shared\ccSvcHst.exe [?]
S2 gzkwyohw;PCI Bus Helper;c:\windows\System32\svchost.exe -k netsvcs [2004-08-10 14336]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-09-24 1181328]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 scrcap;scrcap;c:\windows\system32\DRIVERS\scrcap.sys --> c:\windows\system32\DRIVERS\scrcap.sys [?]
S4 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [2007-01-12 155136]
S4 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [2007-01-12 5248]
S4 msvsmon90;Visual Studio 2008 Remote Debugger;c:\program files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2007-11-07 3004416]
S4 PuranDefrag;PuranDefrag;c:\windows\system32\PuranDefragS.exe [2010-05-12 229376]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2007-01-12 716272]

--- Övriga tjänster/drivrutiner i minnet ---

*NewlyCreated* - HITMANPRO35

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
gzkwyohw
.
Innehållet i mappen 'Schemalagda aktiviteter':

2010-05-18 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 19:22]

2010-05-18 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 19:22]

2010-05-18 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 19:22]

2010-05-18 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 19:22]

2010-05-18 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 19:22]
.
.
------- Extra genomsökning -------
.
uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
uInternet Connection Wizard,ShellNext = hxxp://global.acer.com/
DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} - hxxp://125.206.34.119/SysCamInst.cab
DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} - hxxp://125.206.34.118/kxhcm10.ocx
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\rvi8l1ym.default\
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Personal\bin\np_prsnl.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICY ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".se");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
.
------- Filassociationer -------
.
inifile=%SystemRoot%\System32\NOTEPAD.EXE %1"
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-18 20:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LÅSTA REGISTERNYCKLAR ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,fd,fe,d5,71,76,e7,84,4a,89,25,be,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,fd,fe,d5,71,76,e7,84,4a,89,25,be,\

[HKEY_USERS\S-1-5-21-3044564749-1752736757-1070352177-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,7b,32,8e,88,04,65,17,46,85,e4,e3,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,7b,32,8e,88,04,65,17,46,85,e4,e3,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€–€|ÿÿÿÿÀ•€|ù•A~*]
"D140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- DLLer som "laddats" under processer som körs ---------------------

- - - - - - - > 'winlogon.exe'(772)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll

- - - - - - - > 'explorer.exe'(3744)
c:\windows\system32\WININET.dll
c:\windows\system32\MSNCHATHOOK.DLL
c:\windows\system32\sysenv.dll
c:\windows\system32\CryptoAPI.dll
c:\windows\system32\MFC71U.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Andra processer som körs ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\acer\Empowering Technology\ePerformance\MemCheck.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\MagicTune Premium\MagicTuneEngine.exe
c:\program files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\windows\System32\SCardSvr.exe
c:\windows\System32\snmp.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\windows\system32\wdfmgr.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\dllhost.exe
c:\windows\eHome\ehmsas.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
.
**************************************************************************
.
Sluttid: 2010-05-18 20:32:13 - datorn startades om.
ComboFix-quarantined-files.txt 2010-05-18 18:32

Före genomsökningen: 13 846 028 288 bytes free
Efter genomsökningen: 14 714 818 560 byte ledigt

WindowsXP-KB310994-SP2-Pro-BootDisk-SVE.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect /usepmtimer

Current=4 Default=4 Failed=2 LastKnownGood=6 Sets=1,2,3,4,5,6
- - End Of File - - D1858B6796F7EAA8140589F9F083A6E7

Edited by Zaftwave, 18 May 2010 - 01:48 PM.


#11 mpascal (Math Nerd, Members, 1,653 posts, Location: Canada)

Posted 19 May 2010 - 12:16 AM

Hi there,

STEP 1 - TFC

Download TFC to your desktop.
  • Open the file and close any other windows.
  • It will close all programs itself when run, so make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

STEP 2 - MBAM

Open Malwarebytes' Anti-Malware.
  • Under the Updates tab, click Check for Updates. Let the updates install (if any).
  • After that, under the Scanner tab, click Perform Quick Scan and then Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

STEP 3 - Kaspersky

Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.
3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.
Please be patient as this can take quite a long time to download.
  • Once the update is complete, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, adware, dialers, and other riskware
    • Archives
    • E-mail databases
  • Click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View report... at the bottom.
  • Click the Save report... button.
  • Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply.

STEP 4 - Reply

Please reply with the following logs:
  • MBAM Log
  • Kaspersky Log


Stay with your topic! Topics that go 4 days without a reply will be closed. PM me to reopen.

Please don't PM asking for support. Post on the forums instead.

My help is free, but if you wish to donate and help continue my fight against malware, click here.


#12 Zaftwave (Topic Starter, Members, 11 posts)

Posted 20 May 2010 - 03:20 PM

MBAM log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4090

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2010-05-19 23:43:53
mbam-log-2010-05-19 (23-43-53).txt

Scan type: Quick scan
Objects scanned: 146903
Time elapsed: 17 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Kaspersky log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Thursday, May 20, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, May 19, 2010 20:42:01
Records in database: 4138457
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
J:\
K:\
L:\
M:\

Scan statistics:
Objects scanned: 141978
Threats found: 3
Infected objects found: 3
Suspicious objects found: 0
Scan duration: 21:19:15


File name / Threat / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\imapi.sys.vir Infected: Rootkit.Win32.TDSS.ap 1
C:\VundoFix Backups\bfebqkts.dll.bad Infected: Trojan-Downloader.Win32.Agent.dfhk 1
D:\LOLOL\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.612 1

Selected area has been scanned.

#13 mpascal (Math Nerd, Members, 1,653 posts, Location: Canada)

Posted 20 May 2010 - 03:47 PM

Looks good. Still having any problems?


#14 Zaftwave (Topic Starter, Members, 11 posts)

Posted 20 May 2010 - 06:16 PM

I've noticed that the attacks are not as frequent anymore. Also, since I did the scan with Kaspersky (there did appear one attack from some IP address after I finished running Malwarebytes Anti-Malware but before the Kaspersky scan) no problem has been encountered yet, but I haven't tried using Google. I'll use my PC some more tomorrow and report back to you if it works fine. Thanks so far for the help.

#15 mpascal (Math Nerd, Members, 1,653 posts, Location: Canada)

Posted 21 May 2010 - 11:19 PM

Sure, let me know if you have any problems.
