
Help with Win32.Trojan.Sasfis


  • This topic is locked
14 replies to this topic

#1 ahammad

ahammad

  • Members
  • 8 posts
  • OFFLINE
  • Local time:03:59 PM

Posted 21 May 2010 - 08:29 PM

Hello,

I tried several programs to remove this, but they all resulted in failure. The programs (Ad-Aware and Malwarebytes Anti-Malware) detect it and remove it, but it pops up when I restart. Ad-Aware's Live Watch picks it up and I get an "Ad-Aware has stopped a malicious process from running" or something along those lines. When I scan again, the trojan appears and is removed. This cycle just keeps on repeating.

Below is the DDS log

QUOTE
DDS (Ver_10-03-17.01) - NTFSx86
Run by PC-Vista at 18:11:49.35 on 21/05/2010
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_20
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.2.1033.18.1918.1216 [GMT -4:00]

AV: Norton Internet Security *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
SP: Lavasoft Ad-Watch Live! *enabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: Norton Internet Security *enabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\System32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\system32\taskeng.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\WINDOWS\RtHDVCpl.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\schtasks.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Windows\system32\conime.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\hp\kbd\kbd.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\taskeng.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\PC-Vista\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ca&c=81&bd=Pavilion&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ca&c=81&bd=Pavilion&pf=desktop
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.0\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.0\CoIEPlg.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [HPAdvisor] c:\program files\hewlett-packard\hp advisor\HPAdvisor.exe autoRun
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [igkcomka] c:\users\pc-vista\igkcomka.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [KBD] c:\hp\kbd\KbdStub.EXE
mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SunJavaUpdateReg] "c:\windows\system32\jureg.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [isCfgWiz] "c:\program files\common files\symantec shared\opc\{c86ea115-facd-4aa8-bfa2-398c677d0936}\SYMCUW.exe" -G:{77CCBE0B-A541-49a9-883E-14F8337EC861} -T:Config -REBOOT
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\snapfi~1.lnk - c:\program files\snapfish picture mover\SnapfishMediaDetector.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

================= FIREFOX ===================

FF - ProfilePath - c:\users\pc-vista\appdata\roaming\mozilla\firefox\profiles\vg804mij.default\
FF - component: c:\program files\mozilla firefox\components\coFFPlgn.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-5-19 64288]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1314704]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\ccSvcHst.exe [2007-8-24 149864]
R3 netr73;USB Wireless 802.11 b/g Adaptor Driver for Vista;c:\windows\system32\drivers\netr73.sys [2008-2-26 493568]
R3 Symantec Core LC;Symantec Core LC;c:\progra~1\common~1\symant~1\ccpd-lc\symlcsvc.exe [2008-2-19 1245064]
S3 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\symantec\defini~1\symcdata\ipsdefs\20070823.002\IDSvix86.sys [2008-2-19 180272]

=============== Created Last 30 ================

2010-05-21 22:10:04 0 ----a-w- c:\users\pc-vista\defogger_reenable
2010-05-20 12:36:13 738304 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-20 12:35:45 72192 ----a-w- c:\windows\system32\drivers\pacer.sys
2010-05-20 12:35:45 15360 ----a-w- c:\windows\system32\pacerprf.dll
2010-05-20 12:35:43 147456 ----a-w- c:\windows\system32\Faultrep.dll
2010-05-20 12:35:43 125952 ----a-w- c:\windows\system32\wersvc.dll
2010-05-20 12:34:51 565248 ----a-w- c:\windows\system32\emdmgmt.dll
2010-05-20 12:34:50 625152 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2010-05-20 12:34:50 45056 ----a-w- c:\windows\system32\dataclen.dll
2010-05-20 12:34:50 36864 ----a-w- c:\windows\system32\cdd.dll
2010-05-20 12:34:50 148480 ----a-w- c:\windows\system32\drivers\nwifi.sys
2010-05-20 12:34:38 90112 ----a-w- c:\windows\system32\wshext.dll
2010-05-20 12:34:38 180224 ----a-w- c:\windows\system32\scrobj.dll
2010-05-20 12:34:38 172032 ----a-w- c:\windows\system32\scrrun.dll
2010-05-20 12:34:38 155648 ----a-w- c:\windows\system32\wscript.exe
2010-05-20 12:34:38 135168 ----a-w- c:\windows\system32\wshom.ocx
2010-05-20 12:34:38 135168 ----a-w- c:\windows\system32\cscript.exe
2010-05-20 07:34:08 0 d-----w- C:\PerfLogs
2010-05-20 04:30:43 0 d-----w- c:\programdata\Sun
2010-05-20 04:30:00 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-20 00:19:51 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-05-20 00:19:49 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-20 00:13:35 0 dc-h--w- c:\programdata\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-05-19 23:58:26 0 d-sh--w- C:\$RECYCLE.BIN
2010-05-19 23:48:52 0 d-----w- C:\ComboFix
2010-05-19 04:01:20 39424 ----a-w- c:\users\pc-vista\igkcomka.exe
2010-04-24 23:26:58 98816 ----a-w- c:\windows\sed.exe
2010-04-24 23:26:58 77312 ----a-w- c:\windows\MBR.exe
2010-04-24 23:26:58 256512 ----a-w- c:\windows\PEV.exe
2010-04-24 23:26:58 161792 ----a-w- c:\windows\SWREG.exe
2010-04-24 00:38:16 0 d-----w- c:\users\pc-vista\appdata\roaming\Malwarebytes
2010-04-24 00:37:44 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-24 00:37:42 0 d-----w- c:\programdata\Malwarebytes
2010-04-24 00:37:41 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-24 00:37:41 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-24 00:16:18 0 d-----w- C:\!KillBox

==================== Find3M ====================

2010-05-20 07:46:46 174 --sha-w- c:\program files\desktop.ini
2010-05-20 07:44:10 86016 ----a-w- c:\windows\inf\infstor.dat
2010-05-20 07:44:10 51200 ----a-w- c:\windows\inf\infpub.dat
2010-05-20 07:44:10 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-05-20 07:34:02 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-05-20 04:50:52 101888 ----a-w- c:\windows\system32\ifxcardm.dll
2010-05-20 04:50:46 82432 ----a-w- c:\windows\system32\axaltocm.dll
2010-05-20 00:19:41 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-05-12 15:21:16 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-03-09 16:28:40 833024 ----a-w- c:\windows\system32\wininet.dll
2010-03-09 16:25:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-09 14:01:47 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2010-03-04 18:54:51 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-20 23:39:35 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:37:20 31232 ----a-w- c:\windows\system32\httpapi.dll
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2008-02-19 20:41:46 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 18:13:42.48 ===============





I attempted to get the gmer thing going. After a 2-3 hour scan, I stepped away from the computer to do something. When I came back, the computer had restarted by itself, so I don't have the logs. I can attempt to run it again if required. I also ran ComboFix (I know I'm not supposed to, but I had nothing to lose). Below is the log for that.

QUOTE
ComboFix 10-05-19.02 - PC-Vista 19/05/2010 19:50:43.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.2.1033.18.1918.971 [GMT -4:00]
Running from: c:\users\PC-Vista\Downloads\ComboFix.exe
AV: Norton Internet Security *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Norton Internet Security *enabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\PC-Vista\AppData\Roaming\00C58238AC8200EDEAA5FAE4800D2815
c:\users\PC-Vista\AppData\Roaming\00C58238AC8200EDEAA5FAE4800D2815\gotnewupdate000.exe
c:\windows\system32\AbaleZip.dll
c:\windows\system32\drivers\wawxvku.sys

.
((((((((((((((((((((((((( Files Created from 2010-04-19 to 2010-05-19 )))))))))))))))))))))))))))))))
.

2010-05-19 23:56 . 2010-05-19 23:56 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-05-19 23:56 . 2010-05-19 23:56 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-19 04:01 . 2010-05-19 04:12 -------- d-----w- c:\users\PC-Vista\AppData\Local\hldtqbjym
2010-05-19 04:01 . 2010-05-19 04:01 39424 ----a-w- c:\users\PC-Vista\igkcomka.exe
2010-05-10 23:10 . 2010-05-10 23:28 -------- d-----w- c:\users\PC-Vista\AppData\Local\ejesaobaq
2010-04-25 04:34 . 2010-05-19 23:56 -------- d-----w- c:\users\PC-Vista\AppData\Local\temp
2010-04-24 00:38 . 2010-04-24 00:38 -------- d-----w- c:\users\PC-Vista\AppData\Roaming\Malwarebytes
2010-04-24 00:37 . 2010-03-30 04:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-24 00:37 . 2010-04-24 00:37 -------- d-----w- c:\programdata\Malwarebytes
2010-04-24 00:37 . 2010-04-24 00:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-24 00:37 . 2010-03-30 04:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-24 00:16 . 2010-04-24 00:16 -------- d-----w- C:\!KillBox

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-19 23:31 . 2010-03-03 13:42 439816 ----a-w- c:\users\PC-Vista\AppData\Roaming\Real\Update\setup3.10\setup.exe
2010-05-06 14:36 . 2009-10-02 15:52 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-04-15 07:22 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-03-27 14:42 . 2008-02-19 21:16 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-27 14:42 . 2009-07-10 17:45 2485883 ----a-w- c:\programdata\ArcSoft\Global Deploy\CheckUpdate\ArcConnect.exe
2010-03-22 01:21 . 2009-01-26 12:43 15688 ----a-w- c:\windows\system32\lsdelete.exe
2010-03-09 16:54 . 2010-03-31 02:49 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-09 16:50 . 2010-03-31 02:49 56320 ----a-w- c:\windows\system32\iesetup.dll
2010-03-09 16:50 . 2010-03-31 02:49 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-09 16:50 . 2010-03-31 02:49 52736 ----a-w- c:\windows\AppPatch\iebrshim.dll
2010-03-09 16:48 . 2010-03-31 02:49 72704 ----a-w- c:\windows\system32\admparse.dll
2010-03-09 14:17 . 2010-03-31 02:49 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2010-03-09 12:43 . 2010-03-31 02:49 48128 ----a-w- c:\windows\system32\mshtmler.dll
2010-03-04 19:24 . 2010-04-14 12:40 434176 ----a-w- c:\windows\system32\vbscript.dll
2010-02-24 13:38 . 2008-05-13 04:39 109200 ----a-w- c:\users\PC-Vista\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-23 13:14 . 2010-04-14 12:41 211968 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-02-23 13:14 . 2010-04-14 12:41 58368 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-02-23 13:14 . 2010-04-14 12:41 102400 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-20 23:54 . 2010-03-11 08:01 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:51 . 2010-03-11 08:01 31232 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 21:30 . 2010-03-11 08:01 396800 ----a-w- c:\windows\system32\drivers\http.sys
2007-08-24 13:52 . 2008-05-17 03:00 300400 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
2008-02-19 20:41 . 2008-02-19 20:36 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-05-17 1232896]
"WindowsWelcomeCenter"="oobefldr.dll" [2006-11-02 2159104]
"HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2007-10-04 1783136]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
"igkcomka"="c:\users\PC-Vista\igkcomka.exe" [2010-05-19 39424]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-02-19 1006264]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"RtHDVCpl"="RtHDVCpl.exe" [2007-10-25 4702208]
"SunJavaUpdateReg"="c:\windows\system32\jureg.exe" [2007-04-07 54936]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-09 54840]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-08-24 51048]
"isCfgWiz"="c:\program files\Common Files\Symantec Shared\OPC\{C86EA115-FACD-4aa8-BFA2-398C677D0936}\SYMCUW.exe" [2007-08-23 607624]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-08-04 185896]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-03-22 524632]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-23 13539872]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-23 92704]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-03-30 1086856]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Snapfish Media Detector.lnk - c:\program files\Snapfish Picture Mover\SnapfishMediaDetector.exe [2007-5-7 1273856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-03-22 1029456]
R3 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\ipsdefs\20070823.002\IDSvix86.sys [2007-08-15 180272]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-04-27 64160]
S2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\ccSvcHst.exe [2007-08-24 149864]
S3 netr73;USB Wireless 802.11 b/g Adaptor Driver for Vista;c:\windows\system32\DRIVERS\netr73.sys [2008-02-26 493568]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2010-05-17 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 01:20]

2010-05-19 c:\windows\Tasks\User_Feed_Synchronization-{8C24C26F-3546-4597-948A-D37B27E689A5}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ca&c=81&bd=Pavilion&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ca&c=81&bd=Pavilion&pf=desktop
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\users\PC-Vista\AppData\Roaming\Mozilla\Firefox\Profiles\vg804mij.default\
FF - component: c:\program files\Mozilla Firefox\components\coFFPlgn.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-19 19:56
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-05-19 19:58:22
ComboFix-quarantined-files.txt 2010-05-19 23:58
ComboFix2.txt 2010-04-25 04:34
ComboFix3.txt 2010-04-24 23:51

Pre-Run: 82,564,255,744 bytes free
Post-Run: 82,537,922,560 bytes free

- - End Of File - - 0838296D115C56C148BA72B300410A12



I hope I have everything. I read the instructions on what I needed to do. Let me know if I missed something.

Thank you very much for the help.
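The Pseudo HJT section of the DDS log above is what a helper reads first to pick fix targets. As an added example (not part of this thread, and not DDS, ComboFix or BleepingComputer code), the Python script below runs three defender-side checks over lines copied from that log: an autorun image started directly from a user profile root, a ProxyServer value pointing at the loopback address, and an orphaned BHO registration. The heuristics and severity labels are the example author's own assumptions.

```python
"""Triage the 'Pseudo HJT Report' section of a DDS log.

Added example for this thread; it is not DDS, ComboFix or BleepingComputer
code. The three heuristics and the severity labels are assumptions.
"""
import re
from dataclasses import dataclass

# Lines copied from the DDS log quoted in the first post (abridged to the
# entries a helper would look at first).
SAMPLE_LINES = r"""
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [igkcomka] c:\users\pc-vista\igkcomka.exe
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
""".strip().splitlines()

# In DDS notation uRun is HKCU\...\Run and mRun is HKLM\...\Run.
RUN_RE = re.compile(r'^(?P<hive>[um])Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
PROXY_RE = re.compile(r'^uInternet Settings,ProxyServer = (?P<value>.*)$')
BHO_RE = re.compile(r'^BHO: [^{]*(?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$')
# An executable sitting directly in a profile root, e.g. c:\users\name\x.exe;
# installed software does not normally start from there.
PROFILE_ROOT_RE = re.compile(r'^[a-z]:\\users\\[^\\]+\\[^\\]+\.exe$', re.I)
LOOPBACK_RE = re.compile(r'\b(?:127\.0\.0\.1|localhost)\b', re.I)


@dataclass
class Finding:
    severity: str   # 'high', 'medium' or 'info' (assumed scale)
    line: str       # the DDS line that triggered the finding
    reason: str


def image_path(cmd: str) -> str:
    """Extract the executable path from a Run value, dropping quotes and arguments."""
    cmd = cmd.strip().lstrip('"')
    m = re.match(r'(.*?\.(?:exe|scr|dll|com))', cmd, re.I)
    return m.group(1) if m else cmd.split('"')[0].strip()


def triage(lines):
    """Return the Findings for Pseudo HJT Report lines, in log order."""
    findings = []
    for raw in lines:
        line = raw.rstrip()
        m = RUN_RE.match(line)
        if m:
            path = image_path(m.group('cmd'))
            if PROFILE_ROOT_RE.match(path):
                findings.append(Finding('high', line,
                    f'autorun image {path} lives directly in a user profile root'))
            continue
        m = PROXY_RE.match(line)
        if m and LOOPBACK_RE.search(m.group('value')):
            findings.append(Finding('medium', line,
                'browser traffic is sent through a loopback proxy; legitimate only '
                'if the user knowingly runs a local filtering proxy on that port'))
            continue
        m = BHO_RE.match(line)
        if m and m.group('path').strip() == 'No File':
            findings.append(Finding('info', line,
                'orphaned BHO registration: the DLL is gone, nothing runs, safe to remove'))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LINES):
        print(f'[{f.severity:6}] {f.line}\n         {f.reason}')
```

Feed it the whole Pseudo HJT section of a DDS log; lines it does not recognise are ignored, so it can be pointed at the raw pasted text.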



#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:59 PM

Posted 23 May 2010 - 04:30 PM

Hi ahammad,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.
  1. Open notepad and copy/paste the text in the code box below into it:

    CODE
    http://www.bleepingcomputer.com/forums/t/318284/help-with-win32trojansasfis/

    Collect::[4]
    c:\users\PC-Vista\igkcomka.exe

    Folder::
    c:\users\PC-Vista\AppData\Local\hldtqbjym
    c:\users\PC-Vista\AppData\Local\ejesaobaq

    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "igkcomka"=-

    RegLock::
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]


    Save this as CFScript.txt

    Referring to the picture above, drag CFScript.txt into ComboFix.exe

    When finished, it shall produce a log for you. Please copy and paste that log in your next reply.

    **Important Note**

    When CF finishes running, the ComboFix log will open along with a message box; do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.


#3 ahammad

ahammad
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:03:59 PM

Posted 23 May 2010 - 05:03 PM

Thank you for your response.

I ran ComboFix as instructed. Please note that at about step 5 of the process, I got a message from Windows saying that "PEV.exe has stopped working". Not sure if this is relevant.

Running ComboFix did upload some information to the servers. I tried posting the log but the message board complained about how it was too long. I will be posting the log in chunks.

I have a quick question about ComboFix. I know that it says "use at your own risk" in the disclaimer. My question is how secure is it? Especially when sending files to a server for analysis.

BTW, I will not make any changes to the system.

Thanks once again.

#4 ahammad

ahammad
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:03:59 PM

Posted 23 May 2010 - 05:09 PM

Part 1 attached




#5 ahammad

ahammad
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:03:59 PM

Posted 23 May 2010 - 05:13 PM

I apologize, but the post cannot take more than 512k of attachments. I attached the full log using Megaupload.

If you would like me to use a different location to upload please let me know.

Link to log:
http://www.megaupload.com/?d=5LI4W5R1

P.S. Disregard my last post, this file has the whole log.

#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:59 PM

Posted 23 May 2010 - 05:15 PM

Thanks for the feedback and for letting the upload take place.

ComboFix is a great but powerful tool. It should be run under the supervision of a trained helper to avoid unwanted problems.

The upload is to the BC server. It is a file we are pretty sure is malware, and instead of just removing it we upload it to add it to the database for future detection. If we don't, we have to remove each malware file manually.

I see your latest post, I'll get back to you ASAP.

#7 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:59 PM

Posted 23 May 2010 - 05:21 PM

This is the shortened log:

ComboFix 10-05-23.04 - PC-Vista 23/05/2010 17:46:19.4.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.2.1033.18.1918.878 [GMT -4:00]
Running from: c:\users\PC-Vista\Desktop\bleepincomputer\ComboFix.exe
Command switches used :: c:\users\PC-Vista\Desktop\bleepincomputer\CFScript.txt
AV: Norton Internet Security *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
SP: Lavasoft Ad-Watch Live! *enabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Norton Internet Security *enabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

file zipped: c:\users\PC-Vista\igkcomka.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\PC-Vista\AppData\Local\ejesaobaq
c:\users\PC-Vista\AppData\Local\hldtqbjym
c:\users\PC-Vista\igkcomka.exe

.
((((((((((((((((((((((((( Files Created from 2010-04-23 to 2010-05-23 )))))))))))))))))))))))))))))))
.

2010-05-23 21:52 . 2010-05-23 21:52 -------- d-----w- c:\users\PC-Vista\AppData\Local\temp
2010-05-23 21:52 . 2010-05-23 21:52 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-05-23 21:52 . 2010-05-23 21:52 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-21 22:48 . 2010-05-21 22:48 -------- d-----w- c:\programdata\WindowsSearch
2010-05-20 12:36 . 2010-01-29 16:21 738304 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-20 12:35 . 2008-04-05 03:34 15360 ----a-w- c:\windows\system32\pacerprf.dll
2010-05-20 12:35 . 2008-04-05 01:21 72192 ----a-w- c:\windows\system32\drivers\pacer.sys
2010-05-20 12:35 . 2008-09-18 04:56 125952 ----a-w- c:\windows\system32\wersvc.dll
2010-05-20 12:35 . 2008-09-18 04:56 147456 ----a-w- c:\windows\system32\Faultrep.dll
2010-05-20 12:34 . 2008-06-26 03:29 565248 ----a-w- c:\windows\system32\emdmgmt.dll
2010-05-20 12:34 . 2008-08-02 03:26 36864 ----a-w- c:\windows\system32\cdd.dll
2010-05-20 12:34 . 2008-08-02 01:01 625152 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2010-05-20 12:34 . 2008-06-26 03:29 45056 ----a-w- c:\windows\system32\dataclen.dll
2010-05-20 12:34 . 2008-05-20 02:07 148480 ----a-w- c:\windows\system32\drivers\nwifi.sys
2010-05-20 12:34 . 2008-05-08 21:59 90112 ----a-w- c:\windows\system32\wshext.dll
2010-05-20 12:34 . 2008-05-08 21:59 180224 ----a-w- c:\windows\system32\scrobj.dll
2010-05-20 12:34 . 2008-05-08 21:59 172032 ----a-w- c:\windows\system32\scrrun.dll
2010-05-20 12:34 . 2008-05-08 21:59 155648 ----a-w- c:\windows\system32\wscript.exe
2010-05-20 12:34 . 2008-05-08 21:58 135168 ----a-w- c:\windows\system32\cscript.exe
2010-05-20 07:34 . 2010-05-20 07:34 -------- d-----w- C:\PerfLogs
2010-05-20 04:30 . 2010-05-20 04:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-20 00:19 . 2010-02-04 15:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-05-20 00:19 . 2010-05-20 00:19 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-20 00:13 . 2010-05-20 00:13 -------- dc-h--w- c:\programdata\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-05-20 00:13 . 2010-02-04 15:53 2954656 -c--a-w- c:\programdata\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-04-24 00:38 . 2010-04-24 00:38 -------- d-----w- c:\users\PC-Vista\AppData\Roaming\Malwarebytes
2010-04-24 00:37 . 2010-03-30 04:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-24 00:37 . 2010-04-24 00:37 -------- d-----w- c:\programdata\Malwarebytes
2010-04-24 00:37 . 2010-04-24 00:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-24 00:37 . 2010-03-30 04:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-24 00:16 . 2010-04-24 00:16 -------- d-----w- C:\!KillBox

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-20 22:32 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-05-20 11:27 . 2008-02-19 21:18 -------- d-----w- c:\programdata\NVIDIA
2010-05-20 07:36 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2010-05-20 07:36 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2010-05-20 07:36 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2010-05-20 07:36 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2010-05-20 07:36 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2010-05-20 07:36 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2010-05-20 07:34 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-05-20 04:50 . 2006-11-02 10:32 101888 ----a-w- c:\windows\system32\ifxcardm.dll
2010-05-20 04:50 . 2006-11-02 10:32 82432 ----a-w- c:\windows\system32\axaltocm.dll
2010-05-20 04:30 . 2008-02-19 21:26 -------- d-----w- c:\program files\Common Files\Java
2010-05-20 04:29 . 2008-02-19 21:26 -------- d-----w- c:\program files\Java
2010-05-20 00:19 . 2009-01-26 12:43 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-05-20 00:13 . 2009-01-26 02:18 -------- d-----w- c:\program files\Lavasoft
2010-05-19 23:31 . 2010-03-03 13:42 439816 ----a-w- c:\users\PC-Vista\AppData\Roaming\Real\Update\setup3.10\setup.exe
2010-05-12 15:21 . 2009-10-02 15:52 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-03-27 14:42 . 2008-02-19 21:16 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-27 14:42 . 2009-07-10 17:45 2485883 ----a-w- c:\programdata\ArcSoft\Global Deploy\CheckUpdate\ArcConnect.exe
2010-03-09 16:28 . 2010-03-31 02:49 833024 ----a-w- c:\windows\system32\wininet.dll
2010-03-09 16:25 . 2010-03-31 02:49 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-09 14:01 . 2010-03-31 02:49 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2010-03-04 18:54 . 2010-04-14 12:40 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-24 13:38 . 2008-05-13 04:39 109200 ----a-w- c:\users\PC-Vista\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-23 11:32 . 2010-04-14 12:41 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-02-23 11:32 . 2010-04-14 12:41 78848 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-02-23 11:32 . 2010-04-14 12:41 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2007-08-24 13:52 . 2008-05-17 03:00 300400 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
2008-02-19 20:41 . 2008-02-19 20:36 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((( SnapShot@2010-05-19_23.56.30 )))))))))))))))))))))))))))))))))))))))))
.
The section is cut to fit it to reply.
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2007-10-04 1783136]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"RtHDVCpl"="RtHDVCpl.exe" [2007-10-25 4702208]
"SunJavaUpdateReg"="c:\windows\system32\jureg.exe" [2007-04-07 54936]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-09 54840]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-08-24 51048]
"isCfgWiz"="c:\program files\Common Files\Symantec Shared\OPC\{C86EA115-FACD-4aa8-BFA2-398C677D0936}\SYMCUW.exe" [2007-08-23 607624]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-08-04 185896]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-05-20 840416]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-23 13539872]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-23 92704]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-03-30 1086856]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Snapfish Media Detector.lnk - c:\program files\Snapfish Picture Mover\SnapfishMediaDetector.exe [2007-5-7 1273856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-05-20 1314704]
R3 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\ipsdefs\20070823.002\IDSvix86.sys [2007-08-15 180272]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-02-04 64288]
S2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\ccSvcHst.exe [2007-08-24 149864]
S3 netr73;USB Wireless 802.11 b/g Adaptor Driver for Vista;c:\windows\system32\DRIVERS\netr73.sys [2008-02-26 493568]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2010-05-23 c:\windows\Tasks\User_Feed_Synchronization-{8C24C26F-3546-4597-948A-D37B27E689A5}.job
- c:\windows\system32\msfeedssync.exe [2008-06-10 07:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ca&c=81&bd=Pavilion&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ca&c=81&bd=Pavilion&pf=desktop
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\users\PC-Vista\AppData\Roaming\Mozilla\Firefox\Profiles\vg804mij.default\
FF - component: c:\program files\Mozilla Firefox\components\coFFPlgn.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-23 17:52
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-05-23 17:54:56
ComboFix-quarantined-files.txt 2010-05-23 21:54
ComboFix2.txt 2010-05-19 23:58
ComboFix3.txt 2010-04-25 04:34
ComboFix4.txt 2010-04-24 23:51

Pre-Run: 140,078,116,864 bytes free
Post-Run: 140,073,717,760 bytes free

- - End Of File - - 72A8D25B7F1EB035C714965C8281DFFF
Upload was successful


#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:59 PM

Posted 23 May 2010 - 05:25 PM

  1. Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box (without the word CODE) into a new file:


    CODE
    @ECHO OFF
    Reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /f
    Reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /f
    proxycfg -d

    • Go to the File menu at the top of the Notepad and select Save as.
    • Select Save in: desktop
    • Fill in File name: look.bat
    • Save as type: All file types (*.*)
    • Click save.
    • Close the Notepad.
    • Locate look.bat on the desktop. It should look like this:
    • Double-click to run it.
    • A window flashes, it is normal.

  2. Open your Malwarebytes' Anti-Malware.
    • First update it, to do that under the Update tab press "Check for Updates".
    • Under Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


  3. Please go to start => Run => Copy and paste the bold line in the run-box and click OK:

    "C:\Qoobox\Add-Remove Programs.txt"

    A text file opens up, copy and paste the content to your reply.


#9 ahammad

ahammad
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:03:59 PM

Posted 24 May 2010 - 11:20 AM

Hello farbar,

I followed your instructions, and the MBAM logs came back clean:

QUOTE
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4138

Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

24/05/2010 12:18:24 PM
mbam-log-2010-05-24 (12-18-24).txt

Scan type: Quick scan
Objects scanned: 122269
Time elapsed: 5 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


The contents of the text file:
QUOTE
Ad-Aware
Ad-Aware Email Scanner for Outlook
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 8.1.5
Age of Empires III Trial
AppCore
ArcSoft Panorama Maker 4
ArcSoft Scan-n-Stitch Deluxe
µTorrent
AutoUpdate
Cards_Calendar_OrderGift_DoMorePlugout
ccCommon
Compatibility Pack for the 2007 Office system
Component Framework
CyberLink DVD Suite Deluxe
DivX Codec
DivX Converter
DivX Player
DivX Web Player
Enhanced Multimedia Keyboard Solution
GIMP 2.6.4
Hardware Diagnostic Tools
Hewlett-Packard Active Check
Hewlett-Packard Asset Agent for Health Check
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Active Support Library
HP Customer Experience Enhancements
HP Customer Feedback
HP Easy Setup - Frontend
HP On-Screen Cap/Num/Scroll Lock Indicator
HP Photosmart Essential 2.5
HP Picasso Media Center Add-In
HP Total Care Advisor
HP Update
HPPhotoSmartPhotobookWebPack1
Java Auto Updater
Java™ 6 Update 20
Java™ SE Runtime Environment 6 Update 1
KB408682
LabelPrint
LightScribe System Software 1.10.16.1
LightScribe Template Labeler
LiveUpdate (Symantec Corporation)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 3.5 SP1
Microsoft Age of Empires II
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Flight Simulator 2004 A Century of Flight
Microsoft Office Home and Student 60 day trial
Microsoft Office Live Add-in 1.3
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Mozilla Firefox (3.5.9)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
muvee autoProducer 6.1
My HP Games
Norton AntiVirus
Norton AntiVirus Help
Norton Confidential Core
Norton Internet Security
Norton Internet Security (Symantec Corporation)
Norton Protection Center
Notepad++
NVIDIA Drivers
Picasa 3
Power2Go
PowerDirector
PSSWCORE
Python 2.5
RealPlayer
Realtek High Definition Audio Driver
Snapfish Picture Mover
Soft Data Fax Modem with SmartCP
SolSuite 2009 v9.6
SPBBC 32bit
Symantec Real Time Storage Protection Component
SymNet
TortoiseSVN 1.6.1.16129 (32 bit)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Ventrilo Client
VGA USB Camera
VideoLAN VLC media player 0.8.6h
VideoToolkit01
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WeatherBug Gadget
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Player Firefox Plugin
WinRAR archiver
World of Warcraft
Yahoo! Toolbar


Just wondering what the batch file does. Is it something that I would need to reverse later on?

Thanks again :)

#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:59 PM

Posted 24 May 2010 - 12:10 PM

QUOTE
Just wondering what the batch file does. Is it something that I would need to reverse later on?

You don't need to reverse it, as it removes the following proxy settings in IE, which were added by the malware:
QUOTE
uInternet Settings,ProxyServer = http=127.0.0.1:5555


Your log(s) show that you are using so-called peer-to-peer or file-sharing programs. These programs allow users to share files, as the name suggests. In today's world, cyber crime has reached an enormous scale, and any means is used to infect personal computers in order to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further readings on this subject, along with the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

  1. You have the latest version of Java (Java 6 Update 20), which is good. Older versions have vulnerabilities that malicious sites can exploit to infect your system.
    Please follow these steps to remove older Java components:
    Click "start" and then the "Control Panel" icon.
    Double-click the "Add or Remove Programs" icon.
    A list of installed programs will be "populated"; this may take a bit of time.
    Uninstall the following by clicking on the following entries and selecting "remove":

    Java™ SE Runtime Environment 6 Update 1

  2. Tell me also how your computer is running.
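The CFScript in post #2 removes a Run loading point and collects its executable from the profile root, and the batch file in post #8 removes the loopback proxy setting quoted just above. The following script is an added example, not ComboFix's, BleepingComputer's or Farbar's code: it scans ComboFix-style log text for both indicators (a Run value whose target is an .exe sitting directly in a user profile root, and an IE ProxyServer value pointing at 127.0.0.1 or localhost) and maps each finding to the action this thread used for it. The embedded log lines are constructed to mirror the format in this thread; the "igkcomka" Run entry, its date and size are assumptions for illustration, not taken from the posted log.

```python
"""Triage a ComboFix-style log for two indicators seen in this thread.

Added example, not ComboFix's or BleepingComputer's code. It flags
(1) Run-key loading points whose target is an executable placed directly
in a user profile root, and (2) an IE ProxyServer that points at loopback.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample, modelled on the log format quoted in this thread.
# The "igkcomka" Run entry, its date and size are assumptions, not log data.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"igkcomka"="c:\users\PC-Vista\igkcomka.exe" [2010-05-19 45056]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]

uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
"""

# A Run key header under HKCU or HKLM, as ComboFix prints it.
RUN_KEY_RE = re.compile(
    r"^\[(HKEY_CURRENT_USER|HKEY_LOCAL_MACHINE)\\.*\\CurrentVersion\\Run\]$", re.I)
# A value line inside that key: "name"="path" [date size]
RUN_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"')
# Per-user (u) or per-machine (m) IE proxy line from the Supplementary Scan.
PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(?P<value>.+)$")
# An .exe sitting directly in a profile root, e.g. c:\users\<name>\x.exe
PROFILE_ROOT_EXE_RE = re.compile(r"^c:\\users\\[^\\]+\\[^\\]+\.exe$", re.I)
# 127.0.0.1 or localhost with optional port, as the whole value or after "scheme=".
LOOPBACK_RE = re.compile(r"(?:^|=)(?:127\.0\.0\.1|localhost)(?::\d+)?(?:;|$)", re.I)


@dataclass
class Finding:
    kind: str    # "run-key-profile-exe" or "loopback-proxy"
    detail: str  # the offending value, for the report


def triage(log_text: str) -> List[Finding]:
    """Return findings in the order the indicators appear in the log."""
    findings: List[Finding] = []
    in_run_key = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            # A registry key header: remember whether it is a Run key.
            in_run_key = bool(RUN_KEY_RE.match(line))
            continue
        if in_run_key and line.startswith('"'):
            m = RUN_VALUE_RE.match(line)
            if m and PROFILE_ROOT_EXE_RE.match(m.group("path")):
                findings.append(Finding("run-key-profile-exe",
                                        f"{m.group('name')} -> {m.group('path')}"))
            continue
        in_run_key = False  # a blank line or other text ends the key block
        m = PROXY_RE.match(line)
        if m and LOOPBACK_RE.search(m.group("value")):
            findings.append(Finding("loopback-proxy", m.group("value")))
    return findings


def remediation(finding: Finding) -> List[str]:
    """Map a finding to the action this thread used for it."""
    if finding.kind == "loopback-proxy":
        # The three commands from look.bat in post #8.
        return [
            'Reg delete "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" /v ProxyEnable /f',
            'Reg delete "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" /v ProxyServer /f',
            "proxycfg -d",
        ]
    if finding.kind == "run-key-profile-exe":
        # Post #2 collected the file for analysis and removed the Run value.
        return ["Collect:: the executable for analysis, then remove the Run value"]
    return []


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.kind, f.detail)
        for cmd in remediation(f):
            print("   ", cmd)
```

Run it on the sample and it reports the profile-root loading point first and the loopback proxy second; a ProxyServer that names a real corporate proxy host is not flagged, which is the distinction the batch file in post #8 relies on a helper to make by eye.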



#11 ahammad

ahammad
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:03:59 PM

Posted 25 May 2010 - 05:50 PM

Hello,

I uninstalled the old version of Java.

I am aware of the dangers of P2P, but I haven't used one in years. Maybe it's still installed, but it hasn't been used.

My computer is now running normally. I don't see any funny processes running. I will restart the computer and run another MBAM scan, just to see if the trojan reappears (that's what used to happen). If something appears, I will update this thread with the appropriate logs. Either way, I will update the thread to let you know what happened.

Thank you very much for your insight. Out of curiosity, which part of the disinfecting process got rid of the trojan? Something tells me that it was ComboFix...

#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:59 PM

Posted 25 May 2010 - 06:01 PM

Looks good; I'll wait for your update. We will round off with properly removing the tools then.

ComboFix of course did the job. When you ran it, it deleted some of them, but there was one left which was not known and had a loading point. That is the one we uploaded and at the same time deleted, along with its loading point.



#13 ahammad

ahammad
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:03:59 PM

Posted 26 May 2010 - 06:44 PM

Hello farbar,

I ran the scan one more time, and it came back clean :) I suppose we can proceed now.

Cheers

#14 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:59 PM

Posted 26 May 2010 - 06:56 PM

Hi ahammad,

Looks good.
  1. It is important to uninstall ComboFix.

    Go to Start => Run => copy and paste next command in the field then hit enter:

    ComboFix /Uninstall

    This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

    It makes a clean Restore Point and clears all the old restore points in order to prevent possible reinfection from an old one through system restore.

  2. Also remove any tool or log we used from your computer.


Happy Surfing. :)

#15 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:59 PM

Posted 30 May 2010 - 06:00 AM



This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.



