Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Multiple malware (i think)


  • This topic is locked This topic is locked
23 replies to this topic

#1 sara_ramsey

sara_ramsey

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:05:03 AM

Posted 20 May 2010 - 02:56 PM

Hi everybody. I've read the instructions carefully and I think I know what I'm doing but apologies if its a bit non-techie. Or wrong.http://www.bleepingcomputer.com/forums/style_emoticons/default/whistling.gif
I'm running Windows XP on my Samsung laptop. I never never never use internet explorer after discovering firefox. I have what used to be a free Kerio personal firewall, it now appears to be a Sunbelt personal fire wall after more recent updating. I haven't braved Service pack 3 upgrade yet. I run Avast antivirus. I have no partitions set up as I don't really understand where\what\ how and am a KISS girl (Keep it simple stupid).
I have been getting multiple trogan and malware alerts via Avast and a bit of slow running. I initially ignored them, (I hear the sound of face-palm across the IT world sorry) then realised i was getting up to 20 alerts when the laptop was turned on. The major errors were "malicious URL attack denied" Rootkit32/Win-32RTK and many others. If I'd been a bit brighter I'd have noted them all down but thought I could clean it up. Following this, odd things have started happening - internet explorer keeps playing bits of an annoying home fragrance advert, and IE is always running on Task Manager.
I have reinstalled Avast to the most modern free edition, turned off System restore, ran a full boot scan and then Panda antirootkit. Nothing showed, all clean. About ten minutes of pride followed by more virus messages from Avast - Win32:Unruy-G(Tri) along with the odd malicious URL. The only things that are running on Task Manager I don't recognise are kpf4gui.exe, kpf4ss.exe (which I think are Kerio fire wall related according to a brief chat with Dr Google) and hpqtra08.exe and hpqste08.exe. (I do have an HP printer and need to reinstall the software apparently but haven't got round to it.
I have had a brief blue screen episode message IRQL_NOT_LESS_OR_EQUAL but might have had some processing issues tonight and all rebooted fine after a physical memory dump.
Hope this is enough detail.
Here is the DDS
DDS (Ver_10-03-17.01) - NTFSx86
Run by Me at 18:51:50.56 on 20/05/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.72 [GMT 1:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Sunbelt Personal Firewall *enabled* {BFD080F6-3BF0-40E1-9507-9CA969C35870}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Me\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.ntlworld.com/
mWinlogon: Userinit=c:\windows\system32\userinit.exe
uWinlogon: Shell=c:\documents and settings\me\application data\nisgw.exe,explorer.exe,c:\documents and settings\me\csrss.exe
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [syncman] c:\documents and settings\me\wuaucldt.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [Adobe_Reader] c:\program files\internet explorer\wmpscfgs.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/1.3.1/jinstall-131-win.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.3.1/jinstall-131-win.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\me\applic~1\mozilla\firefox\profiles\hlg5kvuc.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2008-12-28 164048]
R1 fwdrv;Firewall Driver;c:\windows\system32\drivers\fwdrv.sys [2007-4-26 302000]
R1 khips;Kerio HIPS Driver;c:\windows\system32\drivers\khips.sys [2007-4-26 72624]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-12-28 19024]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-22 40384]
R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [2004-8-27 4300]
R2 SPF4;Sunbelt Personal Firewall 4;c:\program files\sunbelt software\personal firewall\kpf4ss.exe [2007-4-26 1234480]
R2 VMCService;Vodafone Mobile Connect Service;c:\program files\vodafone\vodafone mobile connect\bin\VMCService.exe [2008-10-9 14336]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-22 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-22 40384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-10-31 133104]
S2 qmbbqnzkalu;\??\c:\docu;\??\c:\docume~1\me\locals~1\temp\syjhn.sys --> c:\docume~1\me\locals~1\temp\syjhn.sys [?]
S2 sldroewsdvi;\??\c:\docu;\??\c:\docume~1\me\locals~1\temp\xzctnmyftosltjd.sys --> c:\docume~1\me\locals~1\temp\xzctnmyftosltjd.sys [?]
S2 uotufbbkpp;\??\c:\doc;\??\c:\docume~1\me\locals~1\temp\gloawyqovz.sys --> c:\docume~1\me\locals~1\temp\gloawyqovz.sys [?]
S3 aswArKrn;aswArKrn;\??\c:\docume~1\me\locals~1\temp\aswarkrn.sys --> c:\docume~1\me\locals~1\temp\aswArKrn.sys [?]
S3 cqfdvkpk;cqfdvkpk;\??\c:\windows\system32\drivers\cqfdvkpk.sys --> c:\windows\system32\drivers\cqfdvkpk.sys [?]
S3 eckhitxh;eckhitxh;\??\c:\windows\system32\drivers\eckhitxh.sys --> c:\windows\system32\drivers\eckhitxh.sys [?]

=============== Created Last 30 ================

2010-05-11 20:13:49 1 ----a-w- c:\documents and settings\me\oashdihasidhasuidhiasdhiashdiuasdhasd
2010-04-28 20:43:22 293376 ------w- c:\windows\system32\browserchoice.exe
2010-04-22 19:30:33 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software

==================== Find3M ====================

2010-05-04 05:13:25 778 ----a-w- c:\windows\system32\drivers\fwdrv.err
2010-04-14 19:09:03 44544 ---h--w- c:\windows\system32\secupdat.dat
2010-04-14 19:09:03 44544 ---h--w- c:\documents and settings\me\secupdat.dat
2010-03-10 08:02:04 417792 ----a-w- c:\windows\system32\vbscript.dll
2010-02-26 06:12:23 662016 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 06:12:17 81920 ----a-w- c:\windows\system32\ieencode.dll
2003-08-27 13:19:18 36963 ----a-r- c:\program files\common files\SM1updtr.dll

============= FINISH: 18:53:44.51 ===============
And the Ark file is attached.
By the way, I'm fairly innocent (stupid) about computers so only know how to remove programmes via the Windows Add or remove thingy. I may need very clear AND LOUD instructions
Thanks for any help.
PS: My Ark file seems to large to attach. I'm embarrassed to say I don't know how to zip it up to send it if that is the term!

Attached Files



BC AdBot (Login to Remove)

 


#2 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:06:03 PM

Posted 21 May 2010 - 07:05 AM

Hello and welcome to Bleeping Computer. smile.gif

*Please Subscribe to this Thread to get immediate notification of replies. See HERE

*It is important not to make any further changes or run any other tools/updates unless instructed to. This may hinder the cleaning process of your machine.

*Please be patient, all Bleeping Computer helpers are volunteers and have lives outside this forum.

*You must reply within 5 days otherwise this topic will be closed.



====================================


One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterward. Let me know what you decide to do.


====================================


Please follow the next instruction only if you do not wish to reformat.



Download Combofix (by Subs) from any of the links below, make sure that you save it to your desktop.
Link 1
Link 2

  • It's important to temporary disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. See HERE
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
*It's strongly recommended to have this pre-installed on your machine before doing any malware removal.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
*This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures. If you did not have it installed, you will see the prompt below. Choose YES.


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Important notes:
  1. Leave your computer alone while ComboFix is running.
  2. ComboFix will restart your computer if malware is found; allow it to do so.
  3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  4. Please do not mouseclick combofix's window while its running because it may call it to stall.
  5. ComboFix SHOULD NOT be used unless requested by a forum helper. See HERE.






~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#3 sara_ramsey

sara_ramsey
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:05:03 AM

Posted 23 May 2010 - 03:32 PM

Thanks Sempai, Didn't expect a reply so quickly.
I suspect I will end up reformatting but thought Id give Combofix a go. Its not the end of the world to reformat but I don't have another active version of the stats programme I used for research and it'd be a pain to be without it.
Here is the Combofix log
ComboFix 10-05-23.01 - Me 23/05/2010 21:06:20.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.180 [GMT 1:00]
Running from: c:\documents and settings\Me\My Documents\Downloads\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Sunbelt Personal Firewall *enabled* {BFD080F6-3BF0-40E1-9507-9CA969C35870}
.
ADS - explorer.exe: deleted 55808 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Me\Application Data\Microsoft\HTML Help\hh.dat
c:\documents and settings\Me\Application Data\wiaservg.log
c:\documents and settings\Me\oashdihasidhasuidhiasdhiashdiuasdhasd
c:\documents and settings\Me\secupdat.dat
c:\windows\system32\lsprst7.dll
c:\windows\system32\secupdat.dat
c:\windows\system32\userini.exe
c:\windows\system32\vb40032.dll
c:\windows\system32\wbem\grpconv.exe

c:\windows\system32\grpconv.exe . . . is missing!!

c:\windows\system32\drivers\cdrom.sys . . . is missing!!

.
((((((((((((((((((((((((( Files Created from 2010-04-23 to 2010-05-23 )))))))))))))))))))))))))))))))
.

2010-04-28 20:43 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-23 20:00 . 2004-08-27 16:05 1033216 ----a-w- c:\windows\explorer.exe
2010-05-23 19:32 . 2009-12-08 21:39 -------- d-----w- c:\documents and settings\Me\Application Data\Skype
2010-05-06 20:59 . 2007-03-06 21:17 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-05-06 20:39 . 2007-03-06 21:18 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-05-06 20:39 . 2008-12-28 18:43 164048 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-05-06 20:34 . 2007-03-06 21:18 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-05-06 20:33 . 2007-03-06 21:18 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-05-06 20:33 . 2007-03-06 21:18 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-05-06 20:33 . 2008-12-28 18:43 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-05-06 20:33 . 2007-03-06 21:18 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-05-04 05:13 . 2009-12-21 22:08 778 ----a-w- c:\windows\system32\drivers\fwdrv.err
2010-04-22 19:33 . 2007-03-06 21:17 -------- d-----w- c:\program files\Alwil Software
2010-04-22 19:30 . 2010-04-22 19:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-04-22 18:57 . 2009-01-23 19:28 -------- d-----w- c:\program files\Microsoft LifeCam
2010-04-22 18:56 . 2004-08-27 16:34 -------- d-----w- c:\program files\ltmoh
2010-04-14 16:47 . 2007-03-06 21:17 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-03-10 08:02 . 2004-08-27 16:06 417792 ----a-w- c:\windows\system32\vbscript.dll
2010-02-26 06:12 . 2004-08-27 16:06 662016 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 06:12 . 2004-08-27 16:05 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-02-24 12:31 . 2004-08-27 16:05 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2003-08-27 13:19 . 2006-09-13 12:28 36963 ----a-r- c:\program files\Common Files\SM1updtr.dll
.
CODE
<pre>
c:\program files\BroadJump\Client Foundation\cfd .exe
c:\program files\HP\HP Software Update\hpwuschd2 .exe
c:\program files\Java\j2re1.4.2_03\bin\jusched .exe
c:\program files\ltmoh\ltmoh .exe
c:\program files\Microsoft LifeCam\lifeexp .exe
c:\program files\Samsung\SENS Keyboard V1 Launcher\senskbd .exe
c:\program files\Sony\SonicStage\ssaad .exe
c:\program files\Vodafone\Vodafone Mobile Connect\Bin\mobileconnect .exe
c:\windows\sm1bg .exe
c:\windows\vvx1000 .exe
c:\windows\system32\hkcmd .exe
c:\windows\system32\igfxtray .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]
"syncman"="c:\documents and settings\me\wuaucldt.exe" [N/A]
"userini"="c:\windows\explorer.exe:userini.exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG"="AGRSMMSG.exe" [2002-11-21 87751]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-05-06 2815192]
"Adobe_Reader"="c:\program files\internet explorer\wmpscfgs.exe" [N/A]
"userini"="c:\windows\explorer.exe:userini.exe" [N/A]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"userini"="c:\windows\explorer.exe:userini.exe" [N/A]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [28/12/2008 19:43 164048]
R1 fwdrv;Firewall Driver;c:\windows\system32\drivers\fwdrv.sys [26/04/2007 11:21 302000]
R1 khips;Kerio HIPS Driver;c:\windows\system32\drivers\khips.sys [26/04/2007 11:21 72624]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [28/12/2008 19:43 19024]
R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [27/08/2004 17:34 4300]
R2 SPF4;Sunbelt Personal Firewall 4;c:\program files\Sunbelt Software\Personal Firewall\kpf4ss.exe [26/04/2007 11:21 1234480]
R2 VMCService;Vodafone Mobile Connect Service;c:\program files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe [09/10/2008 16:32 14336]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [31/10/2009 22:58 133104]
S2 qmbbqnzkalu;\??\c:\docu;\??\c:\docume~1\Me\LOCALS~1\Temp\syjhn.sys --> c:\docume~1\Me\LOCALS~1\Temp\syjhn.sys [?]
S2 sldroewsdvi;\??\c:\docu;\??\c:\docume~1\Me\LOCALS~1\Temp\xzctnmyftosltjd.sys --> c:\docume~1\Me\LOCALS~1\Temp\xzctnmyftosltjd.sys [?]
S2 uotufbbkpp;\??\c:\doc;\??\c:\docume~1\Me\LOCALS~1\Temp\gloawyqovz.sys --> c:\docume~1\Me\LOCALS~1\Temp\gloawyqovz.sys [?]
S3 aswArKrn;aswArKrn;\??\c:\docume~1\Me\LOCALS~1\Temp\aswArKrn.sys --> c:\docume~1\Me\LOCALS~1\Temp\aswArKrn.sys [?]
S3 cqfdvkpk;cqfdvkpk;\??\c:\windows\System32\Drivers\cqfdvkpk.sys --> c:\windows\System32\Drivers\cqfdvkpk.sys [?]
S3 eckhitxh;eckhitxh;\??\c:\windows\System32\Drivers\eckhitxh.sys --> c:\windows\System32\Drivers\eckhitxh.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-05-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-31 21:57]

2010-05-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-31 21:57]

2010-05-23 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-08-27 16:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ntlworld.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Me\Application Data\Mozilla\Firefox\Profiles\hlg5kvuc.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-23 21:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-05-23 21:24:36
ComboFix-quarantined-files.txt 2010-05-23 20:24

Pre-Run: 66,019,581,952 bytes free
Post-Run: 67,941,662,720 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 89FB90CEE1A1C792C0244AE3EB925780
Let me know what's next.... clapping.gif

#4 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:06:03 PM

Posted 24 May 2010 - 09:10 AM

Hi,

There's a lot of infections on your log, let's get rid of them.


1. Backup Your Registry with ERUNT
  • Please download ERUNT.
  • Follow the detailed instructions HERE on how to install and run ERUNT.
  • Make sure that you have successfully installed and ran ERUNT before proceeding with the next instruction.



2. Please download SystemLook from jpshortstuff and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Double-click the SystemLook and copy/paste the following into the box
    CODE
    :filefind
    grpconv.exe
    cdrom.sys
  • Hit the Look button. Let it finish the scan
  • A log will then pop-up to your Desktop.. Post the content of the log here in your next reply



3. We need to execute a ComboFix script. (Tutorials on how to disable your anti virus and anti malware programs can be found HERE.)
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the code box below into it:

CODE
http://www.bleepingcomputer.com/forums/t/318005/multiple-malware-i-think/

Collect::
c:\windows\system32\drivers\eckhitxh.sys
c:\windows\system32\drivers\cqfdvkpk.sys
c:\docume~1\me\locals~1\temp\aswArKrn.sys
c:\docume~1\me\locals~1\temp\gloawyqovz.sys
c:\docume~1\me\locals~1\temp\xzctnmyftosltjd.sys
c:\docume~1\me\locals~1\temp\syjhn.sys
c:\documents and settings\me\wuaucldt.exe
c:\program files\internet explorer\wmpscfgs.exe

DDS::
uWinlogon: Shell=c:\documents and settings\me\application data\nisgw.exe,explorer.exe,c:\documents and settings\me\csrss.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"syncman"=-
"userini"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe_Reader"=-
"userini"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"userini"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-

Driver::
qmbbqnzkalu
sldroewsdvi
uotufbbkpp
aswArKrn
cqfdvkpk
eckhitxh

RenV::
c:\program files\BroadJump\Client Foundation\cfd .exe
c:\program files\HP\HP Software Update\hpwuschd2 .exe
c:\program files\Java\j2re1.4.2_03\bin\jusched .exe
c:\program files\ltmoh\ltmoh .exe
c:\program files\Microsoft LifeCam\lifeexp .exe
c:\program files\Samsung\SENS Keyboard V1 Launcher\senskbd .exe
c:\program files\Sony\SonicStage\ssaad .exe
c:\program files\Vodafone\Vodafone Mobile Connect\Bin\mobileconnect .exe
c:\windows\sm1bg .exe
c:\windows\vvx1000 .exe
c:\windows\system32\hkcmd .exe
c:\windows\system32\igfxtray .exe


4. Save this as CFScript.txt, in the same location as ComboFix.exe




5. Refering to the picture above, drag CFScript into ComboFix.exe

6. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed.  With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

Edited by sempai, 24 May 2010 - 09:14 AM.

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#5 sara_ramsey

sara_ramsey
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:05:03 AM

Posted 24 May 2010 - 04:06 PM

Cheers Sempai,
Here is the Systemlook log
SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 21:11 on 24/05/2010 by Me (Administrator - Elevation successful)

========== filefind ==========

Searching for "grpconv.exe"
C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\grpconv.exe --a--- 39424 bytes [00:12 14/04/2008] [00:12 14/04/2008] 6DD28A6D99CF7B14B2D1786D143624E0

Searching for "cdrom.sys"
C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\cdrom.sys --a--- 62976 bytes [18:40 13/04/2008] [18:40 13/04/2008] 1F4260CC5B42272D71F79E570A27A4FE

-=End Of File=-
And I've attached the Combofix log (as log 2) - copied it and pasted it as a notepad doc just in case I couldn't find the log on the c-drive- Hope it all worked as it should have - don't think I got a box at the end to click ok on is the only thing
Let me know what's next.....

Attached Files



#6 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:06:03 PM

Posted 24 May 2010 - 05:43 PM

Hi,

Can you please run another DDS scan and post the latest DDS report. Also please do not attach logs, paste them directly on your reply. Thanks.



~Semp

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#7 sara_ramsey

sara_ramsey
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:05:03 AM

Posted 25 May 2010 - 12:59 AM

Hi Sempai,
DDS run again as requested. Here is the log (sorry about the attachments)

DDS (Ver_10-03-17.01) - NTFSx86
Run by Me at 6:52:57.86 on 25/05/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.131 [GMT 1:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Sunbelt Personal Firewall *enabled* {BFD080F6-3BF0-40E1-9507-9CA969C35870}

============== Running Processes ===============

Executable.exe 4
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Samsung\Samsung Update Plus\SLUBackgroundService.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Me\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.ntlworld.com/
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/1.3.1/jinstall-131-win.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.3.1/jinstall-131-win.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\me\applic~1\mozilla\firefox\profiles\hlg5kvuc.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2008-12-28 164048]
R1 fwdrv;Firewall Driver;c:\windows\system32\drivers\fwdrv.sys [2007-4-26 302000]
R1 khips;Kerio HIPS Driver;c:\windows\system32\drivers\khips.sys [2007-4-26 72624]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-12-28 19024]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-22 40384]
R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [2004-8-27 4300]
R2 SPF4;Sunbelt Personal Firewall 4;c:\program files\sunbelt software\personal firewall\kpf4ss.exe [2007-4-26 1234480]
R2 VMCService;Vodafone Mobile Connect Service;c:\program files\vodafone\vodafone mobile connect\bin\VMCService.exe [2008-10-9 14336]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-22 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-22 40384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-10-31 133104]

=============== Created Last 30 ================

2010-05-23 20:04:40 0 d-sha-r- C:\cmdcons
2010-05-23 20:00:40 98816 ----a-w- c:\windows\sed.exe
2010-05-23 20:00:40 77312 ----a-w- c:\windows\MBR.exe
2010-05-23 20:00:40 256512 ----a-w- c:\windows\PEV.exe
2010-05-23 20:00:40 161792 ----a-w- c:\windows\SWREG.exe
2010-04-28 20:43:22 293376 ------w- c:\windows\system32\browserchoice.exe

==================== Find3M ====================

2010-05-23 20:00:39 1033216 ----a-w- c:\windows\explorer.exe
2010-05-04 05:13:25 778 ----a-w- c:\windows\system32\drivers\fwdrv.err
2010-03-10 08:02:04 417792 ----a-w- c:\windows\system32\vbscript.dll
2010-02-26 06:12:23 662016 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 06:12:17 81920 ----a-w- c:\windows\system32\ieencode.dll
2003-08-27 13:19:18 36963 ----a-r- c:\program files\common files\SM1updtr.dll

============= FINISH: 6:54:42.96 ===============

What's next? Avast has stopped alarming when I boot up which must be progress. DDS (Ver_10-03-17.01) - NTFSx86
Run by Me at 6:52:57.86 on 25/05/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.131 [GMT 1:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Sunbelt Personal Firewall *enabled* {BFD080F6-3BF0-40E1-9507-9CA969C35870}

============== Running Processes ===============

Executable.exe 4
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Samsung\Samsung Update Plus\SLUBackgroundService.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Me\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.ntlworld.com/
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/1.3.1/jinstall-131-win.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.3.1/jinstall-131-win.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\me\applic~1\mozilla\firefox\profiles\hlg5kvuc.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2008-12-28 164048]
R1 fwdrv;Firewall Driver;c:\windows\system32\drivers\fwdrv.sys [2007-4-26 302000]
R1 khips;Kerio HIPS Driver;c:\windows\system32\drivers\khips.sys [2007-4-26 72624]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-12-28 19024]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-22 40384]
R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [2004-8-27 4300]
R2 SPF4;Sunbelt Personal Firewall 4;c:\program files\sunbelt software\personal firewall\kpf4ss.exe [2007-4-26 1234480]
R2 VMCService;Vodafone Mobile Connect Service;c:\program files\vodafone\vodafone mobile connect\bin\VMCService.exe [2008-10-9 14336]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-22 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-22 40384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-10-31 133104]

=============== Created Last 30 ================

2010-05-23 20:04:40 0 d-sha-r- C:\cmdcons
2010-05-23 20:00:40 98816 ----a-w- c:\windows\sed.exe
2010-05-23 20:00:40 77312 ----a-w- c:\windows\MBR.exe
2010-05-23 20:00:40 256512 ----a-w- c:\windows\PEV.exe
2010-05-23 20:00:40 161792 ----a-w- c:\windows\SWREG.exe
2010-04-28 20:43:22 293376 ------w- c:\windows\system32\browserchoice.exe

==================== Find3M ====================

2010-05-23 20:00:39 1033216 ----a-w- c:\windows\explorer.exe
2010-05-04 05:13:25 778 ----a-w- c:\windows\system32\drivers\fwdrv.err
2010-03-10 08:02:04 417792 ----a-w- c:\windows\system32\vbscript.dll
2010-02-26 06:12:23 662016 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 06:12:17 81920 ----a-w- c:\windows\system32\ieencode.dll
2003-08-27 13:19:18 36963 ----a-r- c:\program files\common files\SM1updtr.dll

============= FINISH: 6:54:42.96 ===============

What's next?

#8 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:06:03 PM

Posted 25 May 2010 - 09:45 AM

Hi,

1. Please go to http://virscan.org/
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
    c:\windows\system32\MEMIO.SYS
  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.



2. Please go to Control Panel > Add Remove programs and uninstall the following:
  1. LiveReg (Symantec Corporation)
  2. LiveUpdate 1.80 (Symantec Corporation)

Then run the Norton Removal tool here => http://service1.symantec.com/SUPPORT/tsgen...v=&osv_lvl=
Choose the appropriate Norton removal tool for the Norton product that you've previously used.



3. We need to execute a ComboFix script. (Tutorials on how to disable your anti virus and anti malware programs can be found HERE.)
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the code box below into it:

CODE
FCopy::
C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\grpconv.exe | c:\windows\system32\grpconv.exe
C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\cdrom.sys | c:\windows\system32\drivers\cdrom.sys


4. Save this as CFScript.txt, in the same location as ComboFix.exe




5. Refering to the picture above, drag CFScript into ComboFix.exe

6. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.




~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#9 sara_ramsey

sara_ramsey
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:05:03 AM

Posted 25 May 2010 - 02:54 PM

I'm impressed at how much work this has required. Thanks Sempai!
Here is the virscan log
VirSCAN.org Scanned Report :
Scanned time : 2010/05/25 20:03:33 (BST)
Scanner results: Scanners did not find malware!
File Name : MEMIO.SYS
File Size : 4300 byte
File Type : PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5 : 8a4cb9438571814b128b6dc30d698064
SHA1 : d62d435a5d9b799e36d05fc32237397602b3dd8c
Online report : http://virscan.org/report/40c2228bccf46077...a19596cbe4.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.0.0.8 20100525000639 2010-05-25 3.46 -
AhnLab V3 2010.05.26.00 2010.05.26 2010-05-26 1.15 -
AntiVir 8.2.1.242 7.10.7.170 2010-05-25 0.31 -
Antiy 2.0.18 20100525.4450001 2010-05-25 0.02 -
Arcavir 2009 201005251410 2010-05-25 0.01 -
Authentium 5.1.1 201005242129 2010-05-24 1.96 -
AVAST! 4.7.4 100525-1 2010-05-25 0.00 -
AVG 8.5.793 271.1.1/2895 2010-05-25 0.34 -
BitDefender 7.90123.6079728 7.31830 2010-05-26 4.49 -
ClamAV 0.96.1 11078 2010-05-25 0.01 -
Comodo 3.13.579 4941 2010-05-25 0.86 -
CP Secure 1.3.0.5 2010.05.26 2010-05-26 0.03 -
Dr.Web 5.0.2.3300 2010.05.25 2010-05-25 9.24 -
F-Prot 4.4.4.56 20100524 2010-05-24 2.06 -
F-Secure 7.02.73807 2010.05.25.05 2010-05-25 0.26 -
Fortinet 4.1.133 11.979 2010-05-25 0.19 -
GData 21.229/21.76 20100525 2010-05-25 7.18 -
ViRobot 20100525 2010.05.25 2010-05-25 0.38 -
Ikarus T3.1.01.84 2010.05.25.75931 2010-05-25 7.13 -
JiangMin 13.0.900 2010.05.24 2010-05-24 1.20 -
Kaspersky 5.5.10 2010.05.25 2010-05-25 0.08 -
KingSoft 2009.2.5.15 2010.5.25.18 2010-05-25 0.65 -
McAfee 5400.1158 5993 2010-05-25 17.34 -
Microsoft 1.5802 2010.05.25 2010-05-25 6.37 -
Norman 6.04.12 6.04.00 2010-05-24 10.05 -
Panda 9.05.01 2010.05.25 2010-05-25 2.01 -
Trend Micro 9.120-1004 7.194.13 2010-05-25 0.00 -
Quick Heal 10.00 2010.05.25 2010-05-25 1.52 -
Rising 20.0 22.49.01.04 2010-05-25 1.23 -
Sophos 3.07.1 4.53 2010-05-26 4.21 -
Sunbelt 3.9.2421.2 6353 2010-05-25 6.55 -
Symantec 1.3.0.24 20100525.003 2010-05-25 0.05 -
nProtect 20100525.01 8480774 2010-05-25 7.61 -
The Hacker 6.5.2.0 v00287 2010-05-25 0.35 -
VBA32 3.12.12.5 20100524.2028 2010-05-24 3.80 -

and the repeat Combofix scan
ComboFix 10-05-24.03 - Me 25/05/2010 20:30:37.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.121 [GMT 1:00]
Running from: c:\documents and settings\Me\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Me\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Sunbelt Personal Firewall *enabled* {BFD080F6-3BF0-40E1-9507-9CA969C35870}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\system volume information\_restore{d5fffa500b1b}
c:\system volume information\_restore{d5fffa500b1b}\smss.exe
c:\system volume information\_restore{d5fffa500b1b}\svchost.exe

.
--------------- FCopy ---------------

c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\grpconv.exe --> c:\windows\system32\grpconv.exe
c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\cdrom.sys --> c:\windows\system32\drivers\cdrom.sys
.
((((((((((((((((((((((((( Files Created from 2010-04-25 to 2010-05-25 )))))))))))))))))))))))))))))))
.

2010-05-25 19:30 . 2010-05-25 19:30 -------- d-----w- c:\windows\LastGood
2010-05-25 19:30 . 2004-08-03 21:59 49536 -c--a-w- c:\windows\system32\dllcache\cdrom.sys
2010-05-25 19:30 . 2004-08-03 21:59 49536 ----a-w- c:\windows\system32\drivers\cdrom.sys
2010-05-25 19:30 . 2004-08-04 12:00 39424 -c--a-w- c:\windows\system32\dllcache\grpconv.exe
2010-05-25 19:30 . 2004-08-04 12:00 39424 ----a-w- c:\windows\system32\grpconv.exe
2010-05-24 20:09 . 2010-05-24 20:09 -------- d-----w- c:\program files\ERUNT
2010-04-28 20:43 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-25 06:01 . 2009-12-08 21:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-05-24 20:37 . 2009-01-23 19:28 -------- d-----w- c:\program files\Microsoft LifeCam
2010-05-24 20:37 . 2004-08-27 16:34 -------- d-----w- c:\program files\ltmoh
2010-05-23 20:00 . 2004-08-27 16:05 1033216 ----a-w- c:\windows\explorer.exe
2010-05-06 20:59 . 2007-03-06 21:17 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-05-06 20:39 . 2007-03-06 21:18 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-05-06 20:39 . 2008-12-28 18:43 164048 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-05-06 20:34 . 2007-03-06 21:18 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-05-06 20:33 . 2007-03-06 21:18 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-05-06 20:33 . 2007-03-06 21:18 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-05-06 20:33 . 2008-12-28 18:43 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-05-06 20:33 . 2007-03-06 21:18 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-05-04 05:13 . 2009-12-21 22:08 778 ----a-w- c:\windows\system32\drivers\fwdrv.err
2010-04-22 19:33 . 2007-03-06 21:17 -------- d-----w- c:\program files\Alwil Software
2010-04-22 19:30 . 2010-04-22 19:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-04-14 16:47 . 2007-03-06 21:17 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-03-10 08:02 . 2004-08-27 16:06 417792 ----a-w- c:\windows\system32\vbscript.dll
2010-02-26 06:12 . 2004-08-27 16:06 662016 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 06:12 . 2004-08-27 16:05 81920 ----a-w- c:\windows\system32\ieencode.dll
2003-08-27 13:19 . 2006-09-13 12:28 36963 ----a-r- c:\program files\Common Files\SM1updtr.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-05-23_20.18.49 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-27 16:28 . 2010-05-25 19:29 65536 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2004-08-27 16:28 . 2010-05-25 19:29 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2004-08-27 16:28 . 2010-05-23 20:13 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2006-09-13 12:28 . 2003-08-27 13:20 94208 c:\windows\sm1bg.exe
+ 2010-05-25 19:30 . 2008-04-14 00:12 39424 c:\windows\LastGood\system32\grpconv.exe
+ 2010-05-25 19:30 . 2008-04-13 18:40 62976 c:\windows\LastGood\system32\drivers\cdrom.sys
+ 2010-05-24 20:22 . 2010-05-24 20:22 25214 c:\windows\Installer\{F7B0939E-58DF-11DF-B3A6-005056806466}\UNINST_Uninstall_G_F6A848FB884248E6A4CDCBDCF41F6A74_1.exe
+ 2010-05-24 20:22 . 2010-05-24 20:22 25214 c:\windows\Installer\{F7B0939E-58DF-11DF-B3A6-005056806466}\UNINST_Uninstall_G_F6A848FB884248E6A4CDCBDCF41F6A74.exe
+ 2010-05-24 20:22 . 2010-05-24 20:22 25214 c:\windows\Installer\{F7B0939E-58DF-11DF-B3A6-005056806466}\ShortcutOGL_EB071909B9884F8CBF3D6115D4ADEE5E.exe
+ 2010-05-24 20:22 . 2010-05-24 20:22 25214 c:\windows\Installer\{F7B0939E-58DF-11DF-B3A6-005056806466}\ShortcutDX_EB071909B9884F8CBF3D6115D4ADEE5E.exe
+ 2010-05-24 20:22 . 2010-05-24 20:22 25214 c:\windows\Installer\{F7B0939E-58DF-11DF-B3A6-005056806466}\googleearth.exe1_F6A848FB884248E6A4CDCBDCF41F6A74.exe
+ 2010-05-24 20:22 . 2010-05-24 20:22 25214 c:\windows\Installer\{F7B0939E-58DF-11DF-B3A6-005056806466}\googleearth.exe_F6A848FB884248E6A4CDCBDCF41F6A74.exe
+ 2010-05-24 20:22 . 2010-05-24 20:22 25214 c:\windows\Installer\{F7B0939E-58DF-11DF-B3A6-005056806466}\ARPPRODUCTICON.exe
+ 2010-05-24 20:10 . 2010-05-24 20:10 90112 c:\windows\ERDNT\24-05-2010\Users\00000002\UsrClass.dat
+ 2009-01-23 19:30 . 2007-04-10 21:46 709992 c:\windows\vvx1000.exe
+ 2004-08-27 16:31 . 2003-07-09 19:25 155648 c:\windows\system32\igfxtray.exe
+ 2004-08-27 16:31 . 2003-07-09 19:13 114688 c:\windows\system32\hkcmd.exe
+ 2010-05-24 20:10 . 2005-10-20 11:02 163328 c:\windows\ERDNT\24-05-2010\ERDNT.EXE
+ 2010-05-24 20:22 . 2010-05-24 20:22 1235968 c:\windows\Installer\113cea.msi
+ 2010-05-24 20:10 . 2010-05-24 20:10 4042752 c:\windows\ERDNT\24-05-2010\Users\00000001\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG"="AGRSMMSG.exe" [2002-11-21 87751]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-05-06 2815192]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [28/12/2008 19:43 164048]
R1 fwdrv;Firewall Driver;c:\windows\system32\drivers\fwdrv.sys [26/04/2007 11:21 302000]
R1 khips;Kerio HIPS Driver;c:\windows\system32\drivers\khips.sys [26/04/2007 11:21 72624]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [28/12/2008 19:43 19024]
R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [27/08/2004 17:34 4300]
R2 SPF4;Sunbelt Personal Firewall 4;c:\program files\Sunbelt Software\Personal Firewall\kpf4ss.exe [26/04/2007 11:21 1234480]
R2 VMCService;Vodafone Mobile Connect Service;c:\program files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe [09/10/2008 16:32 14336]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [31/10/2009 22:58 133104]
.
Contents of the 'Scheduled Tasks' folder

2010-05-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-31 21:57]

2010-05-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-31 21:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ntlworld.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Me\Application Data\Mozilla\Firefox\Profiles\hlg5kvuc.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-25 20:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-05-25 20:44:45
ComboFix-quarantined-files.txt 2010-05-25 19:44
ComboFix2.txt 2010-05-24 21:00
ComboFix3.txt 2010-05-23 20:24

Pre-Run: 67,654,631,424 bytes free
Post-Run: 67,624,546,304 bytes free

- - End Of File - - 38901A43F178F83FA7FBAD4A92F4F459
Have removed the files as requested but the Norton removal tool didn't do anything. Double clicked etc but nothing ran, tried to run it but got a message to say it was already running. Was listed on task manager, but listed as 00 processes

What's next?

#10 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:06:03 PM

Posted 25 May 2010 - 05:43 PM

Hi,

We need to make sure that you're PC is clean. Though logs are healthy now, let's look for possible remnants.


1. I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push



2. Please run another DDS scan and post the latest DDS.txt and attach the attach.txt for my final review.



3. Download GMER Rootkit Scanner from here.
  • Extract the contents of the zipped file to the desktop.
  • Double click GMER.exe and if you are asked if you want to allow gmer.sys driver to load, please allow it to do so.
  • If it gives you a warning about rootkit activity and asks if you want to run scan, please click on NO.
  • In the right panel you will see several boxes that have been checked. Uncheck the following checkboxes:
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Now click on the Scan button and wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in ark.txt and save it to your desktop.
  • Post the contents of that report when you reply.




If the above scans are all clean, we can start the housekeeping. smile.gif


Thanks for your patience,
~Semp

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#11 sara_ramsey

sara_ramsey
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:05:03 AM

Posted 27 May 2010 - 02:58 PM

Oh no! Win32:ruy is back according to Avast and some others on the Eset scan.
Eset
C:\Qoobox\Quarantine\C\System Volume Information\_restore{d5fffa500b1b}\smss.exe.vir a variant of Win32/TrojanDownloader.Unruy.BR trojan
C:\Qoobox\Quarantine\C\System Volume Information\_restore{d5fffa500b1b}\svchost.exe.vir a variant of Win32/TrojanDownloader.Unruy.BR trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\userini.exe.vir Win32/SpamTool.Tedroo.AF trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\wbem\grpconv.exe.vir a variant of Win32/Kryptik.EKV trojan
C:\System Volume Information\_restore{d5fffa500b1b}\smss.exe a variant of Win32/TrojanDownloader.Unruy.BR trojan
C:\System Volume Information\_restore{d5fffa500b1b}\svchost.exe a variant of Win32/TrojanDownloader.Unruy.BR trojan
C:\System Volume Information\_restore{E5F6064A-676D-4C62-8D5D-213AE57ED007}\RP1\A0000858.exe a variant of Win32/Kryptik.EKV trojan
Operating memory a variant of Win32/TrojanDownloader.Unruy.BR trojan

DDS
DDS (Ver_10-03-17.01) - NTFSx86
Run by Me at 20:09:10.61 on 27/05/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.152 [GMT 1:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Sunbelt Personal Firewall *enabled* {BFD080F6-3BF0-40E1-9507-9CA969C35870}

============== Running Processes ===============

Executable.exe 4
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Me\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.ntlworld.com/
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/1.3.1/jinstall-131-win.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.3.1/jinstall-131-win.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\me\applic~1\mozilla\firefox\profiles\hlg5kvuc.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2008-12-28 164048]
R1 fwdrv;Firewall Driver;c:\windows\system32\drivers\fwdrv.sys [2007-4-26 302000]
R1 khips;Kerio HIPS Driver;c:\windows\system32\drivers\khips.sys [2007-4-26 72624]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-12-28 19024]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-22 40384]
R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [2004-8-27 4300]
R2 SPF4;Sunbelt Personal Firewall 4;c:\program files\sunbelt software\personal firewall\kpf4ss.exe [2007-4-26 1234480]
R2 VMCService;Vodafone Mobile Connect Service;c:\program files\vodafone\vodafone mobile connect\bin\VMCService.exe [2008-10-9 14336]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-22 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-22 40384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-10-31 133104]

=============== Created Last 30 ================

2010-05-27 16:42:57 0 d-----w- c:\program files\ESET
2010-05-25 19:30:31 49536 -c--a-w- c:\windows\system32\dllcache\cdrom.sys
2010-05-25 19:30:31 49536 ----a-w- c:\windows\system32\drivers\cdrom.sys
2010-05-25 19:30:30 39424 -c--a-w- c:\windows\system32\dllcache\grpconv.exe
2010-05-25 19:30:30 39424 ----a-w- c:\windows\system32\grpconv.exe
2010-05-23 20:04:40 0 d-sha-r- C:\cmdcons
2010-05-23 20:00:40 98816 ----a-w- c:\windows\sed.exe
2010-05-23 20:00:40 77312 ----a-w- c:\windows\MBR.exe
2010-05-23 20:00:40 256512 ----a-w- c:\windows\PEV.exe
2010-05-23 20:00:40 161792 ----a-w- c:\windows\SWREG.exe
2010-04-28 20:43:22 293376 ------w- c:\windows\system32\browserchoice.exe

==================== Find3M ====================

2010-05-23 20:00:39 1033216 ----a-w- c:\windows\explorer.exe
2010-05-04 05:13:25 778 ----a-w- c:\windows\system32\drivers\fwdrv.err
2010-03-10 08:02:04 417792 ----a-w- c:\windows\system32\vbscript.dll
2003-08-27 13:19:18 36963 ----a-r- c:\program files\common files\SM1updtr.dll

============= FINISH: 20:10:48.80 ===============

And the Ark file attached as its huge...Hop[e this is ok
I'm feeling really daft that some things are back. Firewall is on and haven't been using this lapop for anything other than fixing work - hope I've not undone all your hard work....

#12 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:06:03 PM

Posted 27 May 2010 - 05:42 PM

Hi,


1. Now we need to use the Recovery Console. Please print or make a copy of the next steps so you will not make any mistakes.
  1. Please restart your computer.
  2. During restart, you will see an option on which operating system to use.
  3. Please use arrow key and choose Microsoft Windows Recovery Console and hit enter.
  4. The Recovery Console will start and ask you which Windows installation you would like to log onto.
    Note: If you have multiple Windows installations, it will list each one, and you would enter the number associated with the installation you would like to work on and press enter. If you have just one Windows installation, type 1 and press enter.
  5. It will then prompt you for the Administrator's password. If there is no password, simply press enter.
  6. You will now be presented with a C:\Windows> prompt
  7. Please type the bolded text below and hit enter key:
    fixmbr
  8. type exit to exit the command prompt and restart your computer normally.



2. Please run another DDS scan and post the latest report.

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#13 sara_ramsey

sara_ramsey
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:05:03 AM

Posted 29 May 2010 - 10:12 AM

Here is the DDS following the restart with the recovery console

DDS (Ver_10-03-17.01) - NTFSx86
Run by Me at 16:02:15.46 on 29/05/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.220 [GMT 1:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Sunbelt Personal Firewall *enabled* {BFD080F6-3BF0-40E1-9507-9CA969C35870}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast5\setup\avast.setup
svchost.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Samsung\Samsung Update Plus\SLUBackgroundService.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Me\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.ntlworld.com/
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/1.3.1/jinstall-131-win.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.3.1/jinstall-131-win.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\me\applic~1\mozilla\firefox\profiles\hlg5kvuc.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2008-12-28 164048]
R1 fwdrv;Firewall Driver;c:\windows\system32\drivers\fwdrv.sys [2007-4-26 302000]
R1 khips;Kerio HIPS Driver;c:\windows\system32\drivers\khips.sys [2007-4-26 72624]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-12-28 19024]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-22 40384]
R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [2004-8-27 4300]
R2 SPF4;Sunbelt Personal Firewall 4;c:\program files\sunbelt software\personal firewall\kpf4ss.exe [2007-4-26 1234480]
R2 VMCService;Vodafone Mobile Connect Service;c:\program files\vodafone\vodafone mobile connect\bin\VMCService.exe [2008-10-9 14336]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-22 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-22 40384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-10-31 133104]

=============== Created Last 30 ================

2010-05-27 16:42:57 0 d-----w- c:\program files\ESET
2010-05-25 19:30:31 49536 -c--a-w- c:\windows\system32\dllcache\cdrom.sys
2010-05-25 19:30:31 49536 ----a-w- c:\windows\system32\drivers\cdrom.sys
2010-05-25 19:30:30 39424 -c--a-w- c:\windows\system32\dllcache\grpconv.exe
2010-05-25 19:30:30 39424 ----a-w- c:\windows\system32\grpconv.exe
2010-05-23 20:04:40 0 d-sha-r- C:\cmdcons
2010-05-23 20:00:40 98816 ----a-w- c:\windows\sed.exe
2010-05-23 20:00:40 77312 ----a-w- c:\windows\MBR.exe
2010-05-23 20:00:40 256512 ----a-w- c:\windows\PEV.exe
2010-05-23 20:00:40 161792 ----a-w- c:\windows\SWREG.exe

==================== Find3M ====================

2010-05-23 20:00:39 1033216 ----a-w- c:\windows\explorer.exe
2010-05-04 05:13:25 778 ----a-w- c:\windows\system32\drivers\fwdrv.err
2010-03-10 08:02:04 417792 ----a-w- c:\windows\system32\vbscript.dll
2003-08-27 13:19:18 36963 ----a-r- c:\program files\common files\SM1updtr.dll

============= FINISH: 16:04:04.16 ===============

Glad you mentioned housekeeping - will be quite keen to prevent this happening again!
Sara

#14 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:06:03 PM

Posted 29 May 2010 - 12:27 PM

Hi,

Your DDS log is so much better now, but we still need to do some more scans just to be sure that your PC is indeed clean. Please be patient we are almost done. smile.gif


==================================


1. Please delete your copy of ComboFix (Do not uninstall) then run a new copy.

Download Combofix (by Subs) from any of the links below, make sure that you save it to your desktop.
Link 1
Link 2

  • It's important to temporary disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. See HERE
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
*It's strongly recommended to have this pre-installed on your machine before doing any malware removal.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
*This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures. If you did not have it installed, you will see the prompt below. Choose YES.


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Important notes:
  1. Leave your computer alone while ComboFix is running.
  2. ComboFix will restart your computer if malware is found; allow it to do so.
  3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  4. Please do not mouseclick combofix's window while its running because it may call it to stall.
  5. ComboFix SHOULD NOT be used unless requested by a forum helper. See HERE.




2. Double click GMER.exe and if you are asked if you want to allow gmer.sys driver to load, please allow it to do so.
  • If it gives you a warning about rootkit activity and asks if you want to run scan, please click on NO.
  • In the right panel you will see several boxes that have been checked. Uncheck the following checkboxes:
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Now click on the Scan button and wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in ark.txt and save it to your desktop.
  • Post the contents of that report when you reply.

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#15 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:06:03 PM

Posted 07 June 2010 - 09:26 AM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users