
Green shield with white check mark trojan


  • This topic is locked
15 replies to this topic

#1 ben77

ben77

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:21 PM

Posted 14 July 2010 - 11:03 AM

Hello,
Before I go on I just want to say that I am a complete novice when it comes to computers and these sorts of things, so please keep that in mind when reading my description. A few days ago I had what I thought was a nasty virus on my computer that was characterised by a green shield with a white check mark in the task bar, which started up a fake antivirus program that wanted me to buy it to get rid of the problem. Also sites like viagra.com and others were popping up randomly. I was not able to open any programs such as Malwarebytes or Avira AntiVir, so it was impossible for me to get rid of it. Anyway, after reading information on this site I used Rkill to close any background programs and then used Malwarebytes and Avira to scan my system, and luckily they were able to find the problem and get rid of it. After that the symptoms went away (e.g. no more green shield as mentioned above) and I haven't had any problems. This being said, however, the trojan seemed that bad that I thought I must get a second opinion from the people who helped me get rid of the thing (you guys!), so I have followed the instructions and included some information from my system, e.g. the DDS logs, Malwarebytes logs (that found the infection) and Avira antivirus logs (that found the infection). I wasn't able to obtain the GMER logs because my system rebooted when I ran the program (not sure of the cause of this). I would really appreciate it if you could have a look and let me know if I should be worried about anything reoccurring and if it is safe to use my system for online requirements where I enter secure passwords etc. Thank you in advance for your help.

DDS (Ver_10-03-17.01) - NTFSx86
Run by me at 1:26:59.04 on Thu 15/07/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\me\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com.au/
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {051D0E35-F4E3-4C8D-B411-AB0875F4C683} - hxxp://install.anark.com/client/version4/windows-ie/en/AMClient.cab
DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} - hxxp://support.asus.com/common/asusTek_sys_ctrl.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229682349656
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229682170953
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: routew - routew.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-12-25 11608]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-12-25 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-12-25 267432]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-12-25 60936]

=============== Created Last 30 ================

2010-07-14 15:25:05 0 ----a-w- c:\documents and settings\me\defogger_reenable
2010-07-12 14:12:40 0 d-----w- c:\windows\system32\NtmsData
2010-07-12 13:02:17 0 d-----w- c:\docume~1\me\applic~1\Avira

==================== Find3M ====================

2009-06-24 22:48:33 46460752 ----a-w- c:\program files\mpnexwin106ea23-2.exe
2009-06-19 15:09:59 3006976 ----a-w- c:\program files\TvantsSetup.exe
2006-06-23 04:48:54 32768 ----a-w- c:\windows\inf\UpdateUSB.exe
2008-05-14 15:10:58 16384 --sha-w- c:\windows\system32\config\systemprofile\cookies\index.dat
2008-05-14 15:10:58 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\index.dat
2008-05-11 14:31:22 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051220080513\index.dat
2008-05-14 15:10:56 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051520080516\index.dat
2008-05-14 15:10:58 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat

============= FINISH: 1:27:13.70 ===============




Avira AntiVir Personal
Report file date: Tuesday, 13 July 2010 20:13

Scanning for 2336583 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : HOME

Version information:
BUILD.DAT : 10.0.0.567 32097 Bytes 19/04/2010 15:07:00
AVSCAN.EXE : 10.0.3.0 433832 Bytes 22/04/2010 00:19:15
AVSCAN.DLL : 10.0.3.0 46440 Bytes 22/04/2010 00:19:15
LUKE.DLL : 10.0.2.3 104296 Bytes 7/03/2010 07:33:04
LUKERES.DLL : 10.0.0.1 12648 Bytes 10/02/2010 12:40:49
VBASE000.VDF : 7.10.0.0 19875328 Bytes 6/11/2009 20:35:52
VBASE001.VDF : 7.10.1.0 1372672 Bytes 19/11/2009 16:57:40
VBASE002.VDF : 7.10.3.1 3143680 Bytes 20/01/2010 11:46:57
VBASE003.VDF : 7.10.3.75 996864 Bytes 26/01/2010 05:11:56
VBASE004.VDF : 7.10.4.203 1579008 Bytes 5/03/2010 02:20:35
VBASE005.VDF : 7.10.6.82 2494464 Bytes 15/04/2010 04:36:20
VBASE006.VDF : 7.10.7.218 2294784 Bytes 2/06/2010 06:20:04
VBASE007.VDF : 7.10.7.219 2048 Bytes 2/06/2010 06:20:05
VBASE008.VDF : 7.10.7.220 2048 Bytes 2/06/2010 06:20:05
VBASE009.VDF : 7.10.7.221 2048 Bytes 2/06/2010 06:20:06
VBASE010.VDF : 7.10.7.222 2048 Bytes 2/06/2010 06:20:06
VBASE011.VDF : 7.10.7.223 2048 Bytes 2/06/2010 06:20:06
VBASE012.VDF : 7.10.7.224 2048 Bytes 2/06/2010 06:20:07
VBASE013.VDF : 7.10.8.37 270336 Bytes 10/06/2010 05:36:58
VBASE014.VDF : 7.10.8.69 138752 Bytes 14/06/2010 07:10:59
VBASE015.VDF : 7.10.8.102 130560 Bytes 16/06/2010 07:11:00
VBASE016.VDF : 7.10.8.135 152064 Bytes 21/06/2010 07:19:43
VBASE017.VDF : 7.10.8.163 432128 Bytes 23/06/2010 07:19:46
VBASE018.VDF : 7.10.8.194 133632 Bytes 27/06/2010 11:01:23
VBASE019.VDF : 7.10.8.220 134656 Bytes 29/06/2010 11:01:29
VBASE020.VDF : 7.10.8.252 171520 Bytes 4/07/2010 02:39:55
VBASE021.VDF : 7.10.9.19 131072 Bytes 6/07/2010 11:25:57
VBASE022.VDF : 7.10.9.36 297472 Bytes 7/07/2010 06:55:45
VBASE023.VDF : 7.10.9.60 150016 Bytes 11/07/2010 09:44:57
VBASE024.VDF : 7.10.9.61 2048 Bytes 11/07/2010 09:44:58
VBASE025.VDF : 7.10.9.62 2048 Bytes 11/07/2010 09:44:58
VBASE026.VDF : 7.10.9.63 2048 Bytes 11/07/2010 09:44:58
VBASE027.VDF : 7.10.9.64 2048 Bytes 11/07/2010 09:44:59
VBASE028.VDF : 7.10.9.65 2048 Bytes 11/07/2010 09:44:59
VBASE029.VDF : 7.10.9.66 2048 Bytes 11/07/2010 09:45:00
VBASE030.VDF : 7.10.9.67 2048 Bytes 11/07/2010 09:45:00
VBASE031.VDF : 7.10.9.73 67072 Bytes 13/07/2010 09:45:01
Engineversion : 8.2.4.10
AEVDF.DLL : 8.1.2.0 106868 Bytes 25/04/2010 07:23:36
AESCRIPT.DLL : 8.1.3.39 1335674 Bytes 7/07/2010 11:26:12
AESCN.DLL : 8.1.6.1 127347 Bytes 17/05/2010 06:27:25
AESBX.DLL : 8.1.3.1 254324 Bytes 25/04/2010 07:23:37
AERDL.DLL : 8.1.4.6 541043 Bytes 16/04/2010 04:36:43
AEPACK.DLL : 8.2.2.5 430453 Bytes 25/06/2010 07:20:07
AEOFFICE.DLL : 8.1.1.6 201081 Bytes 7/07/2010 11:26:05
AEHEUR.DLL : 8.1.1.38 2724214 Bytes 25/06/2010 07:20:05
AEHELP.DLL : 8.1.11.6 242038 Bytes 25/06/2010 07:19:57
AEGEN.DLL : 8.1.3.13 381300 Bytes 7/07/2010 11:26:04
AEEMU.DLL : 8.1.2.0 393588 Bytes 25/04/2010 07:23:32
AECORE.DLL : 8.1.15.3 192886 Bytes 17/05/2010 06:27:22
AEBB.DLL : 8.1.1.0 53618 Bytes 25/04/2010 07:23:31
AVWINLL.DLL : 10.0.0.0 19304 Bytes 14/01/2010 01:03:38
AVPREF.DLL : 10.0.0.0 44904 Bytes 14/01/2010 01:03:35
AVREP.DLL : 10.0.0.8 62209 Bytes 18/02/2010 05:47:40
AVREG.DLL : 10.0.3.0 53096 Bytes 22/04/2010 00:19:15
AVSCPLR.DLL : 10.0.3.0 83816 Bytes 22/04/2010 00:19:15
AVARKT.DLL : 10.0.0.14 227176 Bytes 22/04/2010 00:19:15
AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 25/01/2010 22:53:30
SQLITE3.DLL : 3.6.19.0 355688 Bytes 28/01/2010 01:57:58
AVSMTP.DLL : 10.0.0.17 63848 Bytes 16/03/2010 04:38:56
NETNT.DLL : 10.0.0.0 11624 Bytes 19/02/2010 03:41:00
RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 28/01/2010 02:10:20
RCTEXT.DLL : 10.0.53.0 97128 Bytes 22/04/2010 00:19:15

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Extended process scan...............: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium
Deviating risk categories...........: +APPL,+PCK,+PFS,+SPR,

Start of the scan: Tuesday, 13 July 2010 20:13

Starting search for hidden objects.
HKEY_USERS\S-1-5-21-1177238915-1960408961-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.jpg\8
[NOTE] The registry entry is invisible.
HKEY_USERS\S-1-5-21-1177238915-1960408961-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\Folder\mrulistex
[NOTE] The registry entry is invisible.
HKEY_USERS\S-1-5-21-1177238915-1960408961-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\nodeslots
[NOTE] The registry entry is invisible.
HKEY_USERS\S-1-5-21-1177238915-1960408961-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\mrulistex
[NOTE] The registry entry is invisible.
HKEY_USERS\S-1-5-21-1177238915-1960408961-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\2\mrulistex
[NOTE] The registry entry is invisible.
HKEY_USERS\S-1-5-21-1177238915-1960408961-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\2\3\mrulistex
[NOTE] The registry entry is invisible.
HKEY_USERS\S-1-5-21-1177238915-1960408961-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\mrulistex
[NOTE] The registry entry is invisible.
HKEY_USERS\S-1-5-21-1177238915-1960408961-839522115-1003\Software\SecuROM\License information\datasecu
[NOTE] The registry entry is invisible.
HKEY_USERS\S-1-5-21-1177238915-1960408961-839522115-1003\Software\SecuROM\License information\rkeysecu
[NOTE] The registry entry is invisible.

The scan of running processes will be started
Scan process 'PhotoSnapViewer.exe' - '40' Module(s) have been scanned
Scan process 'msdtc.exe' - '40' Module(s) have been scanned
Scan process 'dllhost.exe' - '59' Module(s) have been scanned
Scan process 'dllhost.exe' - '45' Module(s) have been scanned
Scan process 'vssvc.exe' - '48' Module(s) have been scanned
Scan process 'avscan.exe' - '66' Module(s) have been scanned
Scan process 'avcenter.exe' - '61' Module(s) have been scanned
Scan process 'IEXPLORE.EXE' - '130' Module(s) have been scanned
Scan process 'alg.exe' - '33' Module(s) have been scanned
Scan process 'wscntfy.exe' - '18' Module(s) have been scanned
Scan process 'NMIndexingService.exe' - '37' Module(s) have been scanned
Scan process 'svchost.exe' - '41' Module(s) have been scanned
Scan process 'NMIndexStoreSvr.exe' - '50' Module(s) have been scanned
Scan process 'TeaTimer.exe' - '36' Module(s) have been scanned
Scan process 'NMBgMonitor.exe' - '42' Module(s) have been scanned
Scan process 'ctfmon.exe' - '25' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '38' Module(s) have been scanned
Scan process 'avshadow.exe' - '26' Module(s) have been scanned
Scan process 'LSSrvc.exe' - '19' Module(s) have been scanned
Scan process 'avgnt.exe' - '50' Module(s) have been scanned
Scan process 'jusched.exe' - '20' Module(s) have been scanned
Scan process 'GrooveMonitor.exe' - '43' Module(s) have been scanned
Scan process 'jqs.exe' - '33' Module(s) have been scanned
Scan process 'RUNDLL32.EXE' - '29' Module(s) have been scanned
Scan process 'avguard.exe' - '53' Module(s) have been scanned
Scan process 'RTHDCPL.EXE' - '36' Module(s) have been scanned
Scan process 'Explorer.EXE' - '152' Module(s) have been scanned
Scan process 'WgaTray.exe' - '51' Module(s) have been scanned
Scan process 'sched.exe' - '45' Module(s) have been scanned
Scan process 'spoolsv.exe' - '57' Module(s) have been scanned
Scan process 'aawservice.exe' - '29' Module(s) have been scanned
Scan process 'svchost.exe' - '42' Module(s) have been scanned
Scan process 'svchost.exe' - '32' Module(s) have been scanned
Scan process 'svchost.exe' - '30' Module(s) have been scanned
Scan process 'svchost.exe' - '160' Module(s) have been scanned
Scan process 'svchost.exe' - '38' Module(s) have been scanned
Scan process 'svchost.exe' - '50' Module(s) have been scanned
Scan process 'lsass.exe' - '58' Module(s) have been scanned
Scan process 'services.exe' - '27' Module(s) have been scanned
Scan process 'winlogon.exe' - '67' Module(s) have been scanned
Scan process 'csrss.exe' - '12' Module(s) have been scanned
Scan process 'smss.exe' - '2' Module(s) have been scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
Master boot sector HD2
[INFO] No virus was found!
Master boot sector HD3
[INFO] No virus was found!
Master boot sector HD4
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '448' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\Documents and Settings\me\Local Settings\Temp\48.tmp
[DETECTION] Is the TR/Agent.aaqo.92672 Trojan
C:\Documents and Settings\me\Local Settings\Temp\74590e65.exe
[DETECTION] Is the TR/Fake.SecSui.O Trojan
C:\System Volume Information\_restore{68215F6B-43BC-4B18-BA44-39FA256EC901}\RP372\A0092218.sys
[DETECTION] Is the TR/Patched.Gen Trojan

Beginning disinfection:
C:\System Volume Information\_restore{68215F6B-43BC-4B18-BA44-39FA256EC901}\RP372\A0092218.sys
[DETECTION] Is the TR/Patched.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '4e0ce7e1.qua'.
C:\Documents and Settings\me\Local Settings\Temp\74590e65.exe
[DETECTION] Is the TR/Fake.SecSui.O Trojan
[NOTE] The file was moved to the quarantine directory under the name '5686c84a.qua'.
C:\Documents and Settings\me\Local Settings\Temp\48.tmp
[DETECTION] Is the TR/Agent.aaqo.92672 Trojan
[NOTE] The file was moved to the quarantine directory under the name '04c292a6.qua'.


End of the scan: Tuesday, 13 July 2010 20:43
Used time: 29:43 Minute(s)

The scan has been done completely.

5004 Scanned directories
273761 Files were scanned
3 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
3 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
273758 Files not concerned
2091 Archives were scanned
0 Warnings
3 Notes
302878 Objects were scanned with rootkit scan
9 Hidden objects were found





Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

13/07/2010 7:58:41 PM
mbam-log-2010-07-13 (19-58-41).txt

Scan type: Quick scan
Objects scanned: 126930
Time elapsed: 14 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vrmohrcb (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vrmohrcb (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\me\Local Settings\Application Data\pbjfaoabr\uslusymtssd.exe (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\sysReserve.ini (Malware.Trace) -> Quarantined and deleted successfully.
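A defender's triage pass over the DDS "Pseudo HJT Report" section of the log above, added here as an example; it is not code from the thread, from DDS or from any of the tools mentioned. It flags three entries an analyst would check first: the browser proxy pointed at 127.0.0.1:5577 (a loopback proxy setting is a common footprint of rogue antivirus infections, which use it to intercept browsing), the BHO entry that ends in "No File", and the Winlogon Notify entry that names routew.dll without a path. The sample lines are copied from ben77's log; the rule names, the Finding type and the wording of the advice are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample: these lines are copied from the DDS "Pseudo HJT Report"
# posted in this thread (hxxp is DDS's own defanging of http).
SAMPLE_DDS_LINES = [
    r"uStart Page = hxxp://www.google.com.au/",
    r"uInternet Settings,ProxyServer = http=127.0.0.1:5577",
    r"uInternet Settings,ProxyOverride = <local>",
    r"BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll",
    r"BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File",
    r'mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min',
    r"Notify: routew - routew.dll",
    r"SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll",
]


@dataclass
class Finding:
    kind: str    # short tag for the rule that fired (names chosen for this example)
    line: str    # the log line that triggered it
    reason: str  # what an analyst should verify before acting


# ProxyServer values look like "http=127.0.0.1:5577" or "127.0.0.1:8080";
# capture a loopback host and its port.
LOOPBACK_PROXY = re.compile(
    r"ProxyServer\s*=\s*(?:[A-Za-z]+=)?(127\.\d{1,3}\.\d{1,3}\.\d{1,3}|localhost):(\d+)",
    re.IGNORECASE,
)


def triage_hjt(lines: Iterable[str]) -> List[Finding]:
    """Return findings for the DDS/HJT-style entries that merit a second look."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()

        # Rule 1: browser proxy on the loopback interface.
        m = LOOPBACK_PROXY.search(line)
        if m:
            findings.append(Finding(
                "loopback_proxy", line,
                f"browser traffic is routed through {m.group(1)}:{m.group(2)}; "
                "confirm a program on this host legitimately listens there, "
                "otherwise clear the ProxyServer value",
            ))

        # Rule 2: Browser Helper Object whose DLL no longer exists.
        if line.startswith("BHO:") and line.endswith("No File"):
            findings.append(Finding(
                "orphan_bho", line,
                "Browser Helper Object registered but its DLL is missing; "
                "usually a leftover of a removed component and safe to clean",
            ))

        # Rule 3: Winlogon notification package given as a bare DLL name.
        if line.startswith("Notify:"):
            target = line.split(" - ", 1)[-1]
            if "\\" not in target:
                findings.append(Finding(
                    "winlogon_notify", line,
                    f"Winlogon notification package '{target}' is given without a path; "
                    "locate the DLL in system32 and verify its publisher and hash",
                ))
    return findings


def proxy_port(findings: List[Finding]) -> Optional[int]:
    """The port of the first loopback-proxy finding, or None if there is none."""
    for f in findings:
        if f.kind == "loopback_proxy":
            return int(LOOPBACK_PROXY.search(f.line).group(2))
    return None


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_DDS_LINES):
        print(f"[{f.kind}] {f.line}\n    -> {f.reason}")
```

Run against the sample, the script reports the proxy, the orphaned BHO and the Notify entry and stays silent on the Start Page, the Avira Run entry and the Windows SSODL line; feeding it the "Supplementary Scan" section of a ComboFix log works the same way, since ComboFix prints the proxy setting in the same `uInternet Settings,ProxyServer = ...` form.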




#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:04:51 AM

Posted 19 July 2010 - 07:20 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks

m0le is a proud member of UNITE

#3 ben77

ben77
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:21 PM

Posted 19 July 2010 - 10:34 PM

Hi Mole,
I was eagerly awaiting your reply; thanks for looking into this stuff for me. One thing I want to add: a day after I added my post on here, while I was waiting for you to get back to me, I ran an Avira scan which found another trojan that was once again deleted, but it makes me think there may still be something that needs to be addressed here.

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:04:51 AM

Posted 20 July 2010 - 06:44 PM

I think the rogue AntivirusSuite (found on the MBAM scan) may still be present in some form.


Please run Combofix

Please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#5 ben77

ben77
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:21 PM

Posted 20 July 2010 - 11:52 PM

Hi,
Thank you so much for letting me know what to do; I'm so grateful. I just ran the ComboFix check and have included the log. My computer seems a lot faster just in the last few minutes anyway, which is great, but hopefully everything is now clear. I just had a quick question for you regarding ComboFix. I had installed ComboFix a few days ago to my desktop but later moved it to a folder in My Documents, but then I read where you said it is important that it was saved to the desktop. I installed it again onto my desktop, so now I have two ComboFixes on my computer, one on the desktop and one in My Documents. Is anything going to happen because of this? Can I delete them or should I leave them for future reference? Please let me know.



ComboFix 10-07-20.01 - me 21/07/2010 15:10:20.1.2 - x86
Microsoft Windows XP Professional [GMT 10:00]
Running from: c:\documents and settings\me\Desktop\comfix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\rhs.bin

.
((((((((((((((((((((((((( Files Created from 2010-06-21 to 2010-07-21 )))))))))))))))))))))))))))))))
.

2010-07-13 02:43 . 2010-07-13 02:43 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-07-12 14:12 . 2010-07-15 06:00 -------- d-----w- c:\windows\system32\NtmsData
2010-07-12 13:02 . 2010-07-12 13:02 -------- d-----w- c:\documents and settings\me\Application Data\Avira
2010-07-12 12:28 . 2010-07-13 09:58 -------- d-----w- c:\documents and settings\me\Local Settings\Application Data\pbjfaoabr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-15 00:39 . 2008-07-07 03:24 -------- d-----w- c:\program files\EA Sports
2010-07-13 10:29 . 2009-01-10 00:54 -------- d-----w- c:\program files\LimeWire
2010-07-13 09:37 . 2009-12-25 09:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-13 23:14 . 2010-06-13 23:14 -------- d-----w- c:\program files\Eureka
2010-06-13 23:14 . 2008-05-11 14:35 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-29 05:39 . 2009-12-25 09:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 05:39 . 2009-12-25 09:46 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-24 22:48 . 2009-06-24 22:48 46460752 ----a-w- c:\program files\mpnexwin106ea23-2.exe
2009-06-19 15:09 . 2009-06-19 15:09 3006976 ----a-w- c:\program files\TvantsSetup.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 143360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-10 16126464]
"SkyTel"="SkyTel.EXE" [2007-04-04 1822720]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-16 8491008]
"nwiz"="nwiz.exe" [2007-09-16 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-16 81920]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-23 33648]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-26 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-14 39792]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-01 282792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\sopvod.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [25/12/2009 8:37 PM 135336]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {051D0E35-F4E3-4C8D-B411-AB0875F4C683} - hxxp://install.anark.com/client/version4/windows-ie/en/AMClient.cab
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-EA Core - c:\program files\Electronic Arts\EADM\Core.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-21 15:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1177238915-1960408961-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:57,e2,a1,f9,0c,0b,cb,b5,8a,ca,b2,6e,db,37,cb,48,93,7e,8b,b6,10,5e,e4,
b8,85,2d,34,e8,03,3c,76,6c,86,93,a3,ef,6c,2d,5c,50,6b,ec,49,fc,e4,db,b6,dc,\
"??"=hex:e9,1a,bd,64,2d,44,9b,ef,5a,98,4f,07,b5,d7,e1,a1

[HKEY_USERS\S-1-5-21-1177238915-1960408961-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:bf,f0,3b,d2,2c,93,81,cd,8f,5f,43,3d,8a,09,1e,3d,58,d4,80,c0,04,
fa,4c,1a,43,e5,56,39,8d,3c,d0,b4,aa,d3,af,50,32,fd,81,c0,12,e5,54,de,0d,74,\
"rkeysecu"=hex:26,aa,95,22,7f,89,7b,27,8f,3f,e5,84,e7,2b,88,ab
.
Completion time: 2010-07-21 15:13:50
ComboFix-quarantined-files.txt 2010-07-21 05:13

Pre-Run: 305,422,913,536 bytes free
Post-Run: 305,506,361,344 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 95A86B2EC030190CC8771AFDFA066A7E


#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:04:51 AM

Posted 21 July 2010 - 05:29 PM

Let's rerun Combofix as below.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

QUOTE
Folder::
c:\documents and settings\me\Local Settings\Application Data\pbjfaoabr


Save this as CFScript.txt, in the same location as Comfix.exe (called ComboFix.exe in the below graphic)




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Next

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.
m0le is a proud member of UNITE

#7 ben77

ben77
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:03:21 PM

Posted 22 July 2010 - 03:53 AM

Hey Mole,
I just performed the tasks you required and have included the combofix log and malwarebytes (which I already had but needed updating) log below. I was just wondering if the reason you needed me to run the combofix scan again meant that something was wrong or you had found something that just wasn't right?

ComboFix 10-07-21.02 - me 22/07/2010 18:13:07.2.2 - x86
Microsoft Windows XP Professional [GMT 10:00]
Running from: c:\documents and settings\me\Desktop\comfix.exe.exe
Command switches used :: c:\documents and settings\me\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((( Files Created from 2010-06-22 to 2010-07-22 )))))))))))))))))))))))))))))))
.

2010-07-13 02:43 . 2010-07-13 02:43 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-07-12 14:12 . 2010-07-15 06:00 -------- d-----w- c:\windows\system32\NtmsData
2010-07-12 13:02 . 2010-07-12 13:02 -------- d-----w- c:\documents and settings\me\Application Data\Avira
2010-07-12 12:28 . 2010-07-13 09:58 -------- d-----w- c:\documents and settings\me\Local Settings\Application Data\pbjfaoabr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-15 00:39 . 2008-07-07 03:24 -------- d-----w- c:\program files\EA Sports
2010-07-13 10:29 . 2009-01-10 00:54 -------- d-----w- c:\program files\LimeWire
2010-07-13 09:37 . 2009-12-25 09:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-13 23:14 . 2010-06-13 23:14 -------- d-----w- c:\program files\Eureka
2010-06-13 23:14 . 2008-05-11 14:35 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-29 05:39 . 2009-12-25 09:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 05:39 . 2009-12-25 09:46 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-24 22:48 . 2009-06-24 22:48 46460752 ----a-w- c:\program files\mpnexwin106ea23-2.exe
2009-06-19 15:09 . 2009-06-19 15:09 3006976 ----a-w- c:\program files\TvantsSetup.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-07-21_05.12.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-21 19:02 . 2010-07-21 19:02 16384 c:\windows\Temp\Perflib_Perfdata_290.dat
+ 2001-08-23 12:00 . 2010-07-21 19:06 40952 c:\windows\system32\perfc009.dat
- 2001-08-23 12:00 . 2010-07-18 04:37 40952 c:\windows\system32\perfc009.dat
+ 2001-08-23 12:00 . 2010-07-21 19:06 314816 c:\windows\system32\perfh009.dat
- 2001-08-23 12:00 . 2010-07-18 04:37 314816 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 143360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-10 16126464]
"SkyTel"="SkyTel.EXE" [2007-04-04 1822720]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-16 8491008]
"nwiz"="nwiz.exe" [2007-09-16 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-16 81920]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-23 33648]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-26 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-14 39792]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-01 282792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\sopvod.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [25/12/2009 8:37 PM 135336]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {051D0E35-F4E3-4C8D-B411-AB0875F4C683} - hxxp://install.anark.com/client/version4/windows-ie/en/AMClient.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-22 18:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1177238915-1960408961-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:57,e2,a1,f9,0c,0b,cb,b5,8a,ca,b2,6e,db,37,cb,48,93,7e,8b,b6,10,5e,e4,
b8,85,2d,34,e8,03,3c,76,6c,86,93,a3,ef,6c,2d,5c,50,6b,ec,49,fc,e4,db,b6,dc,\
"??"=hex:e9,1a,bd,64,2d,44,9b,ef,5a,98,4f,07,b5,d7,e1,a1

[HKEY_USERS\S-1-5-21-1177238915-1960408961-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:bf,f0,3b,d2,2c,93,81,cd,8f,5f,43,3d,8a,09,1e,3d,58,d4,80,c0,04,
fa,4c,1a,43,e5,56,39,8d,3c,d0,b4,aa,d3,af,50,32,fd,81,c0,12,e5,54,de,0d,74,\
"rkeysecu"=hex:26,aa,95,22,7f,89,7b,27,8f,3f,e5,84,e7,2b,88,ab
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3708)
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
Completion time: 2010-07-22 18:17:08
ComboFix-quarantined-files.txt 2010-07-22 08:17
ComboFix2.txt 2010-07-21 05:13

Pre-Run: 305,454,497,792 bytes free
Post-Run: 305,494,474,752 bytes free

- - End Of File - - A7E4019754E8344902CC2C1FFAE57771




Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4337

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

22/07/2010 7:10:34 PM
mbam-log-2010-07-22 (19-10-34).txt

Scan type: Full scan (C:\|)
Objects scanned: 170651
Time elapsed: 22 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

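A defender-side triage helper for the ComboFix log pasted above, added here as an example; it is not part of this thread, of ComboFix, or of any tool the thread mentions. It reads the "Files Created" and "Supplementary Scan" sections and flags two things a responder reviews by hand: a random-looking folder under a user's Local Settings\Application Data (the thread's pbjfaoabr, which m0le's CFScript in post #6 targets with the Folder:: directive) and an Internet Explorer ProxyServer value pointing at the loopback address (the log's 127.0.0.1:5577 entry), which a home PC rarely needs and which is worth checking after a cleanup. The sample log lines are copied from the log above as constructed input; the "random-looking" heuristic, the finding labels and every function name are my own assumptions, not ComboFix rules.

```python
"""Triage helper for a ComboFix-style log (added example, not part of the thread
or of ComboFix itself).

It reads two sections of the pasted log and flags items a responder normally
reviews by hand:
  * "Files Created" entries whose directory sits under a user's
    Local Settings\\Application Data and has a random-looking name, the kind
    of path the thread's CFScript 'Folder::' directive was written for;
  * the Internet Explorer ProxyServer setting when it points at loopback,
    which a home PC rarely needs and which is worth checking after a cleanup.
It only reports; nothing here touches the system.
"""
from __future__ import annotations

import re

# "Files Created" line: two timestamps, size (or dashes), attribute flags, path.
FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+"
    r"(?P<size>\S+)\s+(?P<attr>\S+)\s+(?P<path>.+)$"
)
# IE proxy line from the "Supplementary Scan" section (leading u = per-user hive).
PROXY_LINE = re.compile(r"^u?Internet Settings,ProxyServer\s*=\s*(?P<value>.+)$", re.I)
# Per-user local application data folder as ComboFix prints it on Windows XP.
LOCAL_APPDATA = re.compile(
    r"\\documents and settings\\[^\\]+\\local settings\\application data\\(?P<name>[^\\]+)$",
    re.I,
)

# Constructed sample input: lines copied from the log pasted in this thread.
SAMPLE_LOG = r"""
2010-07-13 02:43 . 2010-07-13 02:43 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-07-12 13:02 . 2010-07-12 13:02 -------- d-----w- c:\documents and settings\me\Application Data\Avira
2010-07-12 12:28 . 2010-07-13 09:58 -------- d-----w- c:\documents and settings\me\Local Settings\Application Data\pbjfaoabr
uStart Page = hxxp://www.google.com.au/
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>
"""

VOWELS = set("aeiou")


def longest_consonant_run(name: str) -> int:
    """Length of the longest run of consecutive consonants in a lowercase name."""
    best = run = 0
    for ch in name:
        run = 0 if ch in VOWELS else run + 1
        best = max(best, run)
    return best


def looks_random(name: str) -> bool:
    """Heuristic (my assumption, not a ComboFix rule) for generated folder names:
    all lowercase letters, at least 7 long, and either a 4+ consonant run or
    fewer than a quarter vowels. 'pbjfaoabr' trips it; 'malwarebytes' does not."""
    if not re.fullmatch(r"[a-z]{7,}", name):
        return False
    vowel_ratio = sum(ch in VOWELS for ch in name) / len(name)
    return longest_consonant_run(name) >= 4 or vowel_ratio < 0.25


def triage(log_text: str) -> list[tuple[str, str]]:
    """Return (finding_kind, detail) pairs for log lines worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        file_match = FILE_LINE.match(line)
        if file_match:
            path = file_match.group("path")
            appdata = LOCAL_APPDATA.search(path)
            if appdata and looks_random(appdata.group("name")):
                findings.append(("random-named-localappdata-folder", path))
            continue
        proxy_match = PROXY_LINE.match(line)
        if proxy_match:
            value = proxy_match.group("value")
            if "127.0.0.1" in value or "localhost" in value.lower():
                findings.append(("loopback-proxy", value))
    return findings


def cfscript_folder_block(paths: list[str]) -> str:
    """Render the 'Folder::' section of a CFScript (the format shown in post #6)
    listing the flagged directories, ready to paste into Notepad for review."""
    return "Folder::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for kind, detail in found:
        print(f"{kind}: {detail}")
    folders = [d for k, d in found if k == "random-named-localappdata-folder"]
    print(cfscript_folder_block(folders))
```

Run it against a saved C:\ComboFix.txt by passing the file's contents to triage(). The heuristic is deliberately narrow (lowercase-only names with consonant clusters) so that vendor folders such as Malwarebytes or Avira are not flagged; a hit is a prompt for a human to look, not a verdict.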

#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:04:51 AM

Posted 22 July 2010 - 04:50 PM

The reason we needed to rerun Combofix was because there was a malware folder which Combofix didn't recognise and we needed to manually add it in. MBAM was run to make sure nothing had returned through other means.


Please run ESET next, this is to see if there are any stray files left.

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Leave the top box checked and then check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.

m0le is a proud member of UNITE

#9 ben77

ben77
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:03:21 PM

Posted 24 July 2010 - 04:24 AM

Hey Mole,
I just ran the ESET scan and it found no threats so therefore did not construct a report. Where do we go from here?

#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:04:51 AM

Posted 24 July 2010 - 04:39 PM

From here we head for the exit...

Are there any symptoms remaining from the attack?
m0le is a proud member of UNITE

#11 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:04:51 AM

Posted 26 July 2010 - 07:29 PM

Hi,

I have not had a reply from you for 3 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC making it more difficult to help you.

If you like you can PM me.

Thanks,


m0le
m0le is a proud member of UNITE

#12 ben77

ben77
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:03:21 PM

Posted 27 July 2010 - 03:58 AM

Hi Mole,
I am still very interested in your help. Please forgive me for not replying as I have been unable to access my computer for the last few days. I have had no symptoms with the computer since performing the combofix scan. Please let me know what to do from here and if there are any further scans you would like me to run. Thank you so much for all your help once again.

#13 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:04:51 AM

Posted 27 July 2010 - 04:35 PM

You're not getting any symptoms because...

You're clean. Good stuff!

Let's do some clearing up

Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
    (For Vista/Windows 7 please click Start -> All Programs -> Accessories -> Run)
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between "Combofix" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything associated with it.


Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
------------------------------------------------------------------------------------------------------------------------

Here's some advice on how you can keep your PC clean


Use and update your AntiVirus Software

You must have a good antivirus. There are plenty to choose from but I personally recommend the free options of Avast and Avira Antivir. If you want to purchase a security program then I recommend any of the following: AVG, Norton, McAfee, Kaspersky and ESET Nod32.

It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the programs virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version or the Pro version for a 15 day trial period.

Installing this or another recommended program will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would an antivirus software.


Finally, here's a treasure trove of antivirus, antimalware and antispyware resources


That's it ben77, happy surfing!

Cheers.

m0le
m0le is a proud member of UNITE

#14 ben77

ben77
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:03:21 PM

Posted 28 July 2010 - 01:00 AM

Hi Mole,
I can't believe it's all done- you've saved me a lot of stresses and fluffing around by not knowing what I was doing exactly- thanks so much once again for all your help. Before you close this topic off I just want to ask one more thing- I mentioned in an earlier post that I had initially installed combofix to my desktop but then mistakenly moved it from my desktop to a folder in My Documents. When you asked me to run combofix I installed it again and saved it onto my desktop but I still had the combofix saved in My Documents as well as on my desktop (so I had two versions). So now after you asked me to uninstall combofix the one from my desktop has been removed but it still remains in My Documents. What can I do about this- simply deleting it won't do will it? Please let me know the steps I need to perform to remove it from My Documents as well. Thanks, look forward to hearing from you!

#15 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:04:51 AM

Posted 28 July 2010 - 05:58 PM

Hi Ben,

Actually you can simply delete the program from your My Documents.
m0le is a proud member of UNITE
