
help | Infected and cannot remove the virus (Used: ComboFix, Malwarebytes' Anti-Malware and more)


2 replies to this topic

#1 shai.m


  • Members
  • 2 posts

Posted 23 July 2010 - 08:33 PM

Hi,

My computer is infected, and no matter what I did (I've been working on it for 2 days already), the problem still occurs.

Problem description:
1. An error message pops up after Windows finishes loading. This is the message: "RUNDLL | Error loading augry.vko. The specified module could not be found"

2. When I open a folder, for example "c:\my folder's\mymusic", the folder/window gets closed and the desktop disappears and appears again,
which means that I can't use the files in this folder.

I tried to "clean" this infection by doing many, many things:
1. Used Hiren's CD and ran different tests like: Malwarebytes' Anti-Malware, Spybot - Search & Destroy. Also Microsoft Security Essentials, AVG scan, NOD32 online scan etc.
2. I also did the scans above in SAFE MODE and in XP mini OS (available on Hiren's CD).

These scans did find many infections, and I think they also cleaned all of them (sort of).

3. I also ran ComboFix, but the problem still occurs.
ComboFix showed me these 2 messages:

System file is infected !! Attempting to restore
"X:\i386\system32\lpk.dll"

System file is infected !! Attempting to restore
"X:\i386\system32\imm32.dll"

But in the second scan I did with ComboFix, it didn't show them anymore.

4. I also restored the computer via the Microsoft "Restore point" method.

But the problem/VIRUS still occurs!

These are the ComboFix logs:

Log number 1:

ComboFix 10-07-23.01 - Shai.m 07/24/2010 3:21.2.2 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1255.972.1033.18.958.746 [GMT 3:00]
Running from: c:\documents and settings\Shai.m\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\program files\Shared

.
((((((((((((((((((((((((( Files Created from 2010-06-24 to 2010-07-24 )))))))))))))))))))))))))))))))
.

2010-07-24 01:35 . 2010-07-24 01:38 -------- d-----w- C:\Hiren cd
2010-07-23 23:28 . 2010-07-23 23:28 -------- d-----w- c:\windows\system32\wbem\Repository
2010-07-22 18:24 . 2010-07-22 18:24 54016 ----a-w- c:\windows\system32\drivers\vvptwoik.sys
2010-07-22 17:42 . 2010-07-22 17:42 -------- d-----w- c:\program files\Trend Micro
2010-07-22 17:34 . 2010-07-22 17:36 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-07-22 17:32 . 2010-06-01 17:37 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-07-22 13:25 . 2010-07-22 17:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-22 13:25 . 2010-07-22 13:31 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-07-21 11:16 . 2010-07-21 11:16 4368224 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2010-07-21 11:16 . 2010-07-21 11:16 1107296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgxpl.dll
2010-07-20 22:49 . 2010-07-20 22:49 22662 ----a-w- c:\windows\msyuv.dll
2010-07-15 18:45 . 2010-07-15 18:45 242896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-07-15 18:45 . 2010-07-15 18:45 216200 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys
2010-07-15 18:45 . 2010-07-15 18:45 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-15 18:43 . 2010-07-15 18:43 813336 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avginet.dll
2010-07-15 18:43 . 2010-07-15 18:43 624920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2010-07-15 18:43 . 2010-07-15 18:43 1690464 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-07-15 18:43 . 2010-07-15 18:43 1038688 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2010-07-13 20:32 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-09 19:23 . 2010-07-09 19:23 -------- d-----w- c:\windows\system32\winrm
2010-07-09 19:23 . 2010-07-09 19:24 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-23 23:37 . 2008-12-10 17:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Babylon
2010-07-23 23:17 . 2008-11-27 22:21 -------- d-----w- c:\program files\palmOne
2010-07-23 23:12 . 2009-01-29 16:53 -------- d-----w- c:\program files\LogMeIn
2010-07-23 17:38 . 2010-01-08 20:41 -------- d-----w- c:\documents and settings\Shai.m\Application Data\Malwarebytes
2010-07-23 17:38 . 2010-01-08 20:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-22 18:54 . 2008-11-27 22:47 -------- d-----w- c:\documents and settings\Shai.m\Application Data\vlc
2010-07-21 11:12 . 2008-11-28 17:06 -------- d-----w- c:\documents and settings\Shai.m\Application Data\Skype
2010-07-16 20:41 . 2008-11-28 00:34 -------- d-----w- c:\documents and settings\Shai.m\Application Data\dvdcss
2010-07-15 18:45 . 2010-02-05 20:48 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-15 18:44 . 2010-02-05 20:48 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-07-14 13:42 . 2010-02-05 20:48 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-07-09 19:28 . 2008-11-27 22:52 -------- d-----w- c:\program files\Microsoft.NET
2010-06-19 04:28 . 2010-06-19 04:13 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-14 14:31 . 2008-11-27 21:13 744448 ----a-w- c:\windows\PCHEALTH\HELPCTR\Binaries\helpsvc.exe
2010-06-09 12:35 . 2008-07-24 16:45 13408 ----a-w- c:\windows\system32\drivers\radpms.sys
2010-06-09 12:35 . 2009-01-29 16:53 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2010-06-09 12:35 . 2009-01-29 16:53 29568 ----a-w- c:\windows\system32\LMIport.dll
2010-06-09 12:35 . 2009-01-29 16:53 87424 ----a-w- c:\windows\system32\LMIinit.dll
2010-06-04 18:53 . 2009-11-06 15:35 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-03 06:02 . 2010-02-05 20:48 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-05-29 16:52 . 2008-12-09 15:24 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-29 12:33 . 2008-12-09 15:23 -------- d-----w- c:\program files\Google
2010-05-14 13:26 . 2003-02-21 04:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-05-14 13:26 . 2003-03-18 20:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-05-06 20:12 . 2010-05-06 20:12 366 ----a-w- c:\windows\MMD.MSP
2010-05-04 17:20 . 2001-08-18 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20 . 2009-07-18 10:28 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20 . 2001-08-18 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-05-02 08:14 . 2008-11-28 00:57 89240 ----a-w- c:\documents and settings\Shai.m\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-02 05:22 . 2001-08-18 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2006-09-21 53248]
"S3Trayp"="S3trayp.exe" [2006-10-09 176128]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 61952]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]
"NPSStartup"="" [BU]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-15 2065760]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-10 417792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-15 18:45 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
2008-06-18 11:47 24692 ----a-w- c:\windows\system32\ckpNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-06-09 12:35 87424 ----a-w- c:\windows\system32\LMIinit.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Push Client.LNK]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Push Client.LNK
backup=c:\windows\pss\Push Client.LNKCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Shai.m^Start Menu^Programs^Startup^ESET NOD32 Antivirus.lnk]
path=c:\documents and settings\Shai.m\Start Menu\Programs\Startup\ESET NOD32 Antivirus.lnk
backup=c:\windows\pss\ESET NOD32 Antivirus.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Shai.m^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\Shai.m\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoStartNPSAgent]
2009-05-18 09:10 102400 ----a-w- c:\program files\Samsung\Samsung New PC Studio\NPSAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Babylon Client]
2008-12-10 17:46 2841824 ----a-w- c:\program files\Babylon\Babylon-Pro\Babylon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
2008-04-14 03:42 110592 ------w- c:\windows\system32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DriverMax]
c:\program files\Innovative Solutions\DriverMax\devices.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 14:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
c:\program files\Messenger\msmsgs.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
2009-11-11 08:57 1451520 ----a-w- c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-10 21:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-26 22:16 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
c:\program files\Common Files\Real\Update_OB\realsched.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"aswUpdSv"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\OpenVPN\\bin\\openvpn.exe"=
"d:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\Nero\\Nero 7\\ODD Toolkit\\ODDUpdate.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"c:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpctr.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Service.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\scc.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SDS.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Diagnostics.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\wamp\\bin\\apache\\Apache2.2.11\\bin\\httpd.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsasvr.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsvsvr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5900:TCP"= 5900:TCP:vnc 1
"5800:TCP"= 5800:TCP:vnc 2
"5662:TCP"= 5662:TCP:Emule TCP Port
"5672:UDP"= 5672:UDP:Emule UDP Port
"5672:TCP"= 5672:TCP:Emule tcp Port-5672
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.1;c:\windows\system32\drivers\libusb0.sys [14/09/2009 02:11 28672]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [05/02/2010 23:48 216400]
S1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [05/02/2010 23:48 243024]
S1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [18/08/2008 14:27 34312]
S1 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [18/06/2008 14:46 2235760]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [15/07/2010 21:45 308136]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 13:16 130384]
S2 CP_OMDRV;Check Point Office Mode Module;c:\windows\system32\drivers\omdrv.sys [18/06/2008 14:46 47504]
S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [13/11/2009 17:20 233472]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [24/07/2008 19:46 12856]
S2 VNASC;Check Point Virtual Network Adapter - SecureClient;c:\windows\system32\drivers\vnasc.sys [18/06/2008 14:46 121136]
S2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [18/06/2008 14:46 673872]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [13/11/2009 17:20 36608]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 NmPar;PCI Parallel Port;c:\windows\system32\drivers\NmPar.sys [09/04/2008 10:28 80256]
S3 nmserial;PCI Serial Port;c:\windows\system32\drivers\NmSerial.sys [04/04/2008 08:30 70016]
S3 radpms;Driver for RADPMS Device;c:\windows\system32\drivers\radpms.sys [24/07/2008 19:45 13408]
S3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [01/10/2006 15:37 26624]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [18/08/2001 15:00 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 13:16 753504]
S4 gupdate;שירות Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [26/04/2010 13:57 135664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder

2010-06-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-26 10:57]

2010-06-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-26 10:57]

2010-07-23 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-25 18:40]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Translate with &Babylon - c:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
TCP: {6494B30A-7D47-4DD9-9B7F-A8DBBCD331F3} = 192.115.106.35,62.219.186.7
DPF: {3BF72F68-72D8-461D-A884-329D936C5581} - hxxp://www.mekusharim.co.il/ImageUploader5.cab
FF - ProfilePath - c:\documents and settings\Shai.m\Application Data\Mozilla\Firefox\Profiles\Shai_Profile\
FF - prefs.js: browser.startup.homepage - hxxp://search.speedbit.com/
FF - prefs.js: keyword.URL - hxxp://www.google.co.il/search?q=
FF - component: c:\documents and settings\Shai.m\Application Data\Mozilla\Firefox\Profiles\Shai_Profile\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1708537768-179605362-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{FEBC97D3-1007-547F-1E1D-A6B1BE24AEE6}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(240)
c:\windows\system32\LMIinit.dll

- - - - - - - > 'explorer.exe'(1008)
c:\windows\system32\WININET.dll
.
Completion time: 2010-07-24 03:33:55
ComboFix-quarantined-files.txt 2010-07-24 00:33

Pre-Run: 9,946,996,736 bytes free
Post-Run: 9,912,045,568 bytes free

- - End Of File - - 10AD2FE20DD9CEB2D6EE7572C8E76529

Screenshots of the viruses which have been found by several anti-virus/anti-malware programs:

1. The error message:


2. Malwarebytes' Anti-Malware - Result from one of the tests I ran:


3. Spybot - Search & Destroy - Results:


4. Microsoft Security Essentials - Results:


I uploaded a RAR archive which contains the log files and screenshots of some of my experience over the last 3 days.
http://www.multiupload.com/6LJ6PMTAMK

I attached the HijackThis log file.


Thanks for helping me!
Shai

Edited by shai.m, 23 July 2010 - 08:52 PM.


#2 shai.m

  • Topic Starter

  • Members
  • 2 posts

Posted 24 July 2010 - 09:38 AM

Can anyone help me please?

EDIT: Please be patient. There are over 480 unanswered topics in this forum at present and the current average wait time to receive help is 6 days. ~BP

Edited by Budapest, 24 July 2010 - 07:36 PM.


#3 kahdah


  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 31 July 2010 - 10:13 AM

Hello shai.m

Welcome to BleepingComputer :)
It is not a good idea to use ComboFix unless given the OK by a trusted helper.

==========================
  • Download OTL to your desktop.
  • Double click on OTL to run it.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Under the Custom Scans and Fixes section, paste in the text below:

    netsvcs
    %SYSTEMDRIVE%\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll

  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
====================
Download the following GMER Rootkit Scanner from Here
  • Download the randomly named EXE file to your Desktop. Remember what its name is since it is randomly named.
  • Double click on the new random named exe file you downloaded and run it. If prompted about the Security Warning and Unknown Publisher go ahead and click on Run
  • It may take a minute to load and become available.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan, click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED
  • IAT/EAT
  • Drives/Partition other than Systemdrive (typically only C:\ should be checked)
  • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop
  • **Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries
  • Click OK and quit the GMER program.
  • Note: On Firefox you need to go to Tools/Options/Main then under the Downloads section, click on Always ask me where to save files so that you can choose the name and where to save to, in this case your Desktop.
  • Post that log in your next reply.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.
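The ComboFix "Files Created" block in the first post and the OTL scan item `%systemroot%\system32\drivers\*.sys /90` above ask the same triage question: which executable files appeared on the machine recently, and where? The script below is an added example, not code from either poster nor from ComboFix or OTL. It parses the entry format ComboFix prints in that block (a constructed sample in the same shape, using a few of the lines from the log above, is embedded) and flags two things a helper would look at first: kernel drivers created under system32\drivers within a time window, and executable files dropped directly in the Windows directory root. The heuristics, function names, extension list and the 90-day default are this example's own assumptions; a hit means "inspect this", not "malicious".

```python
"""Triage helper for the "Files Created" block of a ComboFix log.

Added example; not ComboFix's or OTL's own code. Entry lines look like
    <created> . <modified> <size|--------> <attrs> <path>
where directories carry eight dashes instead of a size and a leading 'd' attribute.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample in the same shape as the log posted above (a subset of its lines).
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2010-06-24 to 2010-07-24 )))))))))))))))))))))))))))))))
.

2010-07-24 01:35 . 2010-07-24 01:38 -------- d-----w- C:\Hiren cd
2010-07-22 18:24 . 2010-07-22 18:24 54016 ----a-w- c:\windows\system32\drivers\vvptwoik.sys
2010-07-22 17:32 . 2010-06-01 17:37 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-07-20 22:49 . 2010-07-20 22:49 22662 ----a-w- c:\windows\msyuv.dll
2010-07-15 18:45 . 2010-07-15 18:45 242896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys

.
((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
"""

SECTION_RE = re.compile(r"^\(+ (?P<name>.+?) \)+$")
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
# Assumed set of "executable" extensions for the windir-root heuristic.
BINARY_EXTS = (".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl")


@dataclass
class Entry:
    created: datetime
    modified: datetime
    size: Optional[int]  # None for directories
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")


def parse_files_created(log_text: str) -> list[Entry]:
    """Return the entries of the 'Files Created' section, in log order."""
    entries: list[Entry] = []
    in_section = False
    for line in log_text.splitlines():
        header = SECTION_RE.match(line)
        if header:  # a '((((( ... )))))' banner starts another section
            in_section = header["name"].startswith("Files Created")
            continue
        m = ENTRY_RE.match(line) if in_section else None
        if not m:
            continue  # '.' separators, blank lines, other sections
        entries.append(Entry(
            created=datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
            modified=datetime.strptime(m["modified"], "%Y-%m-%d %H:%M"),
            size=None if m["size"].startswith("-") else int(m["size"]),
            attrs=m["attrs"],
            path=m["path"],
        ))
    return entries


def flag_new_drivers(entries: list[Entry], scan_time: datetime, window_days: int = 90) -> list[Entry]:
    """Kernel drivers (*.sys) under the live drivers directory created within
    `window_days` of the scan, the question OTL's '*.sys /90' item asks.
    A hit means 'inspect this', not 'malicious'."""
    cutoff = scan_time - timedelta(days=window_days)
    return [
        e for e in entries
        if not e.is_dir
        and e.path.lower().endswith(".sys")
        and "\\system32\\drivers\\" in e.path.lower()
        and e.created >= cutoff
    ]


def flag_windir_root_binaries(entries: list[Entry], windir: str = r"c:\windows") -> list[Entry]:
    """Executable files created directly in the Windows directory root rather
    than in system32 or a product folder, which a normal install seldom does."""
    return [
        e for e in entries
        if not e.is_dir
        and e.path.lower().endswith(BINARY_EXTS)
        and ntpath.dirname(e.path).lower() == windir.lower()
    ]


def triage(log_text: str, scan_time: str) -> dict[str, list[str]]:
    """Run both heuristics and return flagged paths keyed by heuristic name."""
    entries = parse_files_created(log_text)
    when = datetime.strptime(scan_time, "%Y-%m-%d %H:%M")
    return {
        "new_drivers": [e.path for e in flag_new_drivers(entries, when)],
        "windir_root_binaries": [e.path for e in flag_windir_root_binaries(entries)],
    }


if __name__ == "__main__":
    # The scan time is taken from the log header ("07/24/2010 3:21").
    for heuristic, paths in triage(SAMPLE_LOG, "2010-07-24 03:21").items():
        print(f"{heuristic}: {paths}")
```

Run against the sample it reports the driver created two days before the scan and the DLL sitting directly in c:\windows; the AVG update backup copy of a .sys file is ignored because it is not under the live drivers directory. Feeding the full log from the first post to `triage()` works the same way, since only the "Files Created" banner and the entry line format are relied on.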



