Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Register a free account to unlock additional features at BleepingComputer.com

Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Latest News: Hide and Seek Botnet Adds Infection Vector for Android Devices

Featured Deal: Get 92% off The Complete Cisco Network Certification Training Bundle

Win32/Olmarik Trojan

Started by pedroski , Aug 11 2010 02:01 PM

This topic is locked

2 replies to this topic

#1 pedroski

Members
1 posts
OFFLINE

Local time:06:10 AM

Posted 11 August 2010 - 02:01 PM

Pls LMK if I have the all clear... Thnx Pedro

ComboFix 10-08-10.07 - pete 08/11/2010 11:31:37.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3454.3067 [GMT -7:00]
Running from: c:\documents and settings\pete\Desktop\Desk Top\Spyware - Smitfraud removal tools\3 Combofix\ComboFix.exe
AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\pete\Application Data\.#

Infected copy of c:\windows\system32\drivers\ipsec.sys was found and disinfected
Restored copy from - Kitty had a snack

.
((((((((((((((((((((((((( Files Created from 2010-07-11 to 2010-08-11 )))))))))))))))))))))))))))))))
.

2010-08-04 15:26 . 2010-06-18 23:48 535176 ----a-w- c:\documents and settings\pete\Application Data\Mozilla\Firefox\Profiles\ijnhqixd.default\extensions\optout@dubfire.net\lib\WINNT\ff3\AbineComponent.dll
2010-08-04 15:10 . 2010-08-11 18:21 -------- d-----w- c:\documents and settings\pete\Application Data\Abine
2010-08-04 15:10 . 2010-06-18 23:48 535176 ----a-w- c:\documents and settings\pete\Application Data\Mozilla\Firefox\Profiles\2um2a2tu.Pedro\extensions\optout@dubfire.net\lib\WINNT\ff3\AbineComponent.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-11 17:52 . 2004-08-12 13:17 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-08-11 16:17 . 2010-06-13 01:09 63488 ----a-w- c:\documents and settings\pete\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-08-11 16:17 . 2010-06-13 01:09 117760 ----a-w- c:\documents and settings\pete\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-08-11 15:58 . 2004-08-12 13:17 96512 ----a-w- c:\windows\system32\drivers\atapi.sys.copy
2010-08-11 06:06 . 2009-07-26 19:23 -------- d-----w- c:\documents and settings\pete\Application Data\R-Wipe&Clean
2010-08-11 06:06 . 2009-07-27 05:20 -------- d-----w- c:\documents and settings\All Users\Application Data\R-Wipe&Clean
2010-08-09 19:16 . 2009-05-14 08:32 -------- d-----w- c:\documents and settings\pete\Application Data\WIPE
2010-08-09 17:08 . 2009-05-29 08:33 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-08-07 20:05 . 2009-07-26 19:23 -------- d-----w- c:\program files\R-Wipe&Clean
2010-07-24 22:28 . 2009-12-24 23:45 -------- d-----w- c:\program files\Dl_cats
2010-07-24 01:49 . 2009-05-14 06:04 -------- d-----w- c:\program files\Common Files\Adobe
2010-07-09 05:45 . 2009-05-14 08:32 -------- d-----w- c:\program files\Wipe
2010-07-08 19:12 . 2009-06-13 18:55 -------- d-----w- c:\program files\CCleaner
2010-06-21 18:52 . 2010-06-21 18:52 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-06-21 18:52 . 2010-06-03 16:31 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-06-13 01:09 . 2010-06-13 01:09 52224 ----a-w- c:\documents and settings\pete\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-06-13 01:09 . 2010-06-13 01:09 -------- d-----w- c:\documents and settings\pete\Application Data\SUPERAntiSpyware.com
.

((((((((((((((((((((((((((((( SnapShot@2010-01-12_04.55.51 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-01-12 05:39 . 2008-04-14 00:12 57344 c:\windows\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.5512_x-ww_3fd60d63\msvcirt.dll
+ 2010-01-12 05:39 . 2008-04-14 00:12 74802 c:\windows\WinSxS\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.9792.0_x-ww_08a6620a\atl.dll
- 2009-05-17 05:18 . 2007-01-19 20:15 74802 c:\windows\WinSxS\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.9792.0_x-ww_08a6620a\atl.dll
- 2004-08-12 13:31 . 2004-08-12 13:31 50688 c:\windows\twain_32.dll
+ 2004-08-12 13:31 . 2008-04-14 00:12 50688 c:\windows\twain_32.dll
+ 2010-08-11 18:29 . 2010-08-11 18:29 16384 c:\windows\Temp\Perflib_Perfdata_6f8.dat
- 2009-05-14 02:07 . 2004-08-12 13:35 11776 c:\windows\system32\xolehlp.dll
+ 2009-05-14 02:07 . 2008-04-14 00:12 11776 c:\windows\system32\xolehlp.dll
- 2004-08-12 13:35 . 2004-08-12 13:35 50176 c:\windows\system32\xmlprovi.dll
+ 2004-08-12 13:35 . 2008-04-14 00:12 50176 c:\windows\system32\xmlprovi.dll
+ 2004-08-12 13:34 . 2008-04-14 00:12 30720 c:\windows\system32\xcopy.exe

Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-26 335872]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-26 53248]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-11-16 2054360]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-16 141608]
"dlbxmon.exe"="c:\program files\Dell Photo AIO Printer 962\dlbxmon.exe" [2005-01-18 425984]
"DLBXCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLBXtime.dll" [2004-12-07 69632]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 07:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [11/16/2009 10:03 AM 108792]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67656]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [11/16/2009 10:04 AM 735960]
S2 0148731258584309mcinstcleanup;McAfee Application Installer Cleanup (0148731258584309);c:\windows\TEMP\014873~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\014873~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
.
Contents of the 'Scheduled Tasks' folder

2010-08-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyServer = http=1234:1234
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
FF - ProfilePath - c:\documents and settings\pete\Application Data\Mozilla\Firefox\Profiles\2um2a2tu.Pedro\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\documents and settings\pete\Application Data\Mozilla\Firefox\Profiles\2um2a2tu.Pedro\extensions\optout@dubfire.net\lib\WINNT\ff3\AbineComponent.dll
FF - plugin: c:\documents and settings\pete\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dlla

Back to top

BC AdBot (Login to Remove)

BleepingComputer.com
Register to remove ads

#2 suebaby41

W.A.M. (Women Against Malware)

Malware Response Team
6,248 posts
OFFLINE

Gender:Female
Location:South Carolina, USA
Local time:09:10 AM

Posted 19 August 2010 - 06:22 AM

Welcome to the BleepingComputer Forums.

Since it has been a few days since you scanned your computer with HijackThis, we will need a new HijackThis log. If you have not already downloaded Random's System Information Tool (RSIT), please download Random's System Information Tool (RSIT) by random/random which includes a HijackThis log and save it to your desktop. If you have RSIT already on your computer, please run it again.

Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Please post the contents of log.txt.

Thank you for your patience.

Please see Preparation Guide for use before posting about your potential Malware problem.

If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped.

Please post your HijackThis log as a reply to this thread and not as an attachment. I am always leery of opening attachments so I always request that HijackThis logs are to be posted as a reply to the thread. I do not think that you are attaching anything scary but others may do so.

While we are working on your HijackThis log, please:

Reply to this thread; do not start another!
Do not make any changes on your computer during the cleaning process or download/add programs on your computer unless instructed to do so.
Do not run any other tool until instructed to do so!
Let me know if any of the links do not work or if any of the tools do not work.
Tell me about problems or symptoms that occur during the fix.
Do not run any other programs or open any other windows while doing a fix.
Ask any questions that you have regarding the fix(es), the infection(s), the performance of your computer, etc.

Thanks.

You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate
Posted Image

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

Back to top

#3 suebaby41

W.A.M. (Women Against Malware)

Malware Response Team
6,248 posts
OFFLINE

Gender:Female
Location:South Carolina, USA
Local time:09:10 AM

Posted 31 August 2010 - 02:00 PM

This subject is now closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.

You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate
Posted Image

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.