Worm.P2P (Bot.exe) gets redetected again in the IXP000.TMP Folder during every Full Scan By MBAM even after system reboot.


#1 pm2397


  • Members
  • 2 posts
  • Local time:05:23 PM

Posted 13 November 2010 - 08:52 PM

I use an HP Pavilion DV6516TX Notebook with standard configuration. The OS is Windows Vista Home Premium with Service Pack installed. I am using fully updated Microsoft Security Essentials as the Anti-Virus and Anti-Malware engine thereon. I almost always use Mozilla Firefox (latest version) as my Internet browser and only rarely use IE8.

I am facing the subject issue with details mentioned below:

MBAM full scan (with fully updated latest definitions) of the C: (OS installed) drive with Default Scanner Settings in normal boot (Administrator) mode detects Worm P2P (Bot.exe) in the C:\Users\Prashant Mujumdar\AppData\Local\Temp\IXP000.tmp folder. MBAM detects the Worm.P2P 'always' at the fag end of the scan while MBAM is 'scanning additional objects'. On deleting it by selecting the Worm.P2P and pressing 'Remove selected', the MBAM Full Scan log is displayed and saved and a message comes up to the effect that some objects could not be deleted. Next a window comes up directing to reboot the system. I respond 'Yes' to that. After rebooting in normal boot mode and another full MBAM scan (again with fully updated latest definitions) again redetects the same Worm.P2P (Bot.exe) in the same location while MBAM is 'scanning additional objects' at the fag end of the MBAM full scan. This happens on every reboot and every MBAM Full rescan with Default Scanner Settings.

When the above malware was first detected on my system by MBAM I immediately uninstalled the only P2P client uTorrent on my system and uninstalled almost all the applications downloaded through it on my system together with the deletion of the Setup files of those applications and the related torrent files from my system.

Some intriguing points that I have of late noticed in reference to the MBAM full scan on my system:

1. When I do it in normal boot mode, the bot.exe in the above IXP000.TMP folder is always detected at the fag end of the MBAM scan while MBAM is 'scanning additional items on your system' as mentioned in the MBAM window, but no malware is at all detected while MBAM is scanning the 'as displayed during the scan' all the various different folder paths of the system or while scanning Memory objects or even while scanning of Registry objects.

2. The funny thing is that there is no IXP000.TMP folder in the so referred detected location on my system or for that matter in any other location on my system. The only similar folder in that detected path is IXP499.TMP but that is completely empty.

3. When I do the full MBAM scan in 'safe mode' using 'exactly the same settings in MBAM' as used for the normal boot mode scan, surprisingly, the full scan completes without MBAM detecting absolutely any malware whatsoever anywhere on my system including that bot.exe in the same folder path in which the bot.exe was detected in the IXP000.TMP folder during the normal boot mode scan.

4. When I could not find any IXP000.TMP folder anywhere on my system, I used the find option in regedit.exe (opened in elevated mode) to check for 'IXP000.TMP'. Therein I could find references to IXP000.TMP in the MBAM detected folder path in the right pane in at least two different subkeys. But of course no reference there of bot.exe.

Request please help to resolve the issue to permanently remove the above Worm P2P from my system.

Please find below the outputs in sequence.

1. MBAM Latest Full Scan Log: Copied and pasted below

Malwarebytes' Anti-Malware 1.46

Database version: 5088

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18975

11/11/2010 01:56:15
mbam-log-2010-11-11 (01-56-15).txt

Scan type: Full scan (C:\|)
Objects scanned: 426145
Time elapsed: 5 hour(s), 10 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Prashant Mujumdar\AppData\Local\Temp\IXP000.TMP\bot.exe (Worm.P2P) -> Delete on reboot.

Used Defogger and disabled CD Drive Emulation Software.

2. DDS.txt: Copied and pasted below.

DDS (Ver_10-11-10.01) - NTFSx86
Run by Prashant Mujumdar at 13:21:18.81 on Sat 11/13/2010
Internet Explorer: 8.0.6001.18975 BrowserJavaVersion: 1.6.0_22
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.91.1033.18.2046.840 [GMT 5.5:30]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: AntispywareBot *disabled* (Updated) {FC32BC04-9055-4E1E-A2E3-8BDD5295340F}

============== Running Processes ===============

C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\Emsisoft Anti-Malware\a2service.exe
C:\Windows\System32\svchost.exe -k Cognizance
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
C:\Program Files\Bioscrypt\VeriSoft\Bin\AsGHost.exe
C:\Program Files\UnHackMe\hackmon.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\ThreatFire\TFService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Secunia\PSI\psi.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
C:\Program Files\Panda USB Vaccine\USBVaccine.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files\CyberLink\Shared files\brs.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Conceptworld\PikySuite\PikyAgent.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Real\RealPlayer\Update\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\Program Files\KC Softwares\SUMo\SUMo.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Aerofoil\Aerofoil.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Users\Prashant Mujumdar\Desktop\Defogger.exe
C:\Users\Prashant Mujumdar\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.in/
mStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage/
mDefault_Page_URL = hxxp://securityresponse.symantec.com/avcenter/fix_homepage/
mDefault_Search_URL = hxxp://securityresponse.symantec.com/avcenter/fix_homepage/
mSearch Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage/
uInternet Settings,ProxyOverride =;*.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - No File
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - c:\program files\windows live\companion\companioncore.dll
BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - No File
BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\6.3.2322.0\npwinext.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: VeriSoft Access Manager: {df21f1db-80c6-11d3-9483-b03d0ec10000} - c:\program files\bioscrypt\verisoft\bin\ItIEAddIn.dll
TB: {147D6308-0614-4112-89B1-31402F9B82C4} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
TB: {D6F180CB-E683-41A3-8CD2-C53DBAA0530D} - No File
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [VistaBatterySaver] "c:\program files\sharpsoft\vista battery saver\VistaBatterySaver.exe"
uRun: [VeohPlugin] "c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe"
uRun: [SUMo] "c:\program files\kc softwares\sumo\SUMo.exe" /minimized
uRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -startup
uRun: [Skype] c:\program files\skype\\phone\Skype.exe /nosplash /minimized
uRun: [PC Suite Tray] "c:\program files\nokia\nokia pc suite 7\PCSuite.exe" -onlytray
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [UnHackMe Monitor] c:\program files\unhackme\hackmon.exe
mRun: [Windows Defender] "%ProgramFiles%\Windows Defender\MSASCui.exe" -hide
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [CognizanceTS] "rundll32.exe" c:\progra~1\bioscr~1\verisoft\bin\ASTSVCC.dll,RegisterModule
mRun: [ThreatFire] "c:\program files\threatfire\TFTray.exe"
mRun: [hpWirelessAssistant] "c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe"
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [RtHDVCpl] "c:\program files\realtek\audio\hda\RtHDVCpl.exe"
mRun: [hpqSRMon] "c:\program files\hp\digital imaging\bin\hpqSRMon.exe"
mRun: [Yahoo Messenger]
mRun: [SynTPEnh] "%ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe"
mRun: [<NO NAME>]
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [NoAutorun] "c:\users\prashant mujumdar\downloads\noautorun-win32-bin-\NoAutorun.exe"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [BDRegion] c:\program files\cyberlink\shared files\brs.exe
mRun: [DivXUpdate] c:\program files\divx\divx update\DivXUpdate.exe /CHECKNOW
mRun: [GrooveMonitor] c:\program files\microsoft office\office12\GrooveMonitor.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\IAAnotif.exe
mRun: [LanguageShortcut] c:\program files\cyberlink\powerdvd\language\Language.exe
mRun: [PDVD9LanguageShortcut] c:\program files\cyberlink\powerdvd9\language\Language.exe
mRun: [PikyAgent] c:\program files\conceptworld\pikysuite\PikyAgent.exe /Startup
mRun: [QuickTime Task] c:\program files\quicktime\QTTask.exe -atboottime
mRun: [RemoteControl] c:\program files\cyberlink\powerdvd\PDVDServ.exe
mRun: [RemoteControl9] c:\program files\cyberlink\powerdvd9\PDVD9Serv.exe
mRun: [SMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [OnScreenDisplay] c:\program files\hewlett-packard\hp quicktouch\HPKBDAPP.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -startup
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
dRunOnce: [<NO NAME>]
mExplorerRun: [<NO NAME>] 1 (0x1)
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\aerofoil.lnk - c:\program files\aerofoil\Aerofoil.exe
uPolicies-explorer: HideClock = 0 (0x0)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
Trusted Zone: live.com\onecare
Trusted Zone: microsoft.com\sftus.one
Trusted Zone: symantec.com\security
DPF: Microsoft XML Parser for Java - file:///C:/Windows/Java/classes/xmldso.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {44990B00-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlcm.cab
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {A3256902-51FA-45A0-8A97-FC1143C169D9} - hxxp://support.microsoft.com/mats/DiagWebControl.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {7A0756D7-96FB-4353-970F-57DCA7FF8C33} =
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
AppInit_DLLs: APSHook.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Notification Packages = scecli ASWLNPkg
Hosts: www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\users\prasha~1\appdata\roaming\mozilla\firefox\profiles\m9ii0iwu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.in/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=
FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\users\prashant mujumdar\appdata\roaming\mozilla\firefox\profiles\m9ii0iwu.default\extensions\{1bc9ba34-1eed-42ca-a505-6d2f1a935bbb}\plugins\npietab2.dll

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

R0 pah4wydq;Vba32 Armour Driver;c:\windows\system32\drivers\pah4wydq.sys [2010-11-2 35904]
R0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2010-11-7 35816]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2010-1-15 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2010-1-15 59664]
R1 a2injectiondriver;a2injectiondriver;c:\program files\emsisoft anti-malware\a2dix86.sys [2010-7-25 41928]
R1 a2util;a-squared Malware-IDS utility driver;c:\program files\emsisoft anti-malware\a2util32.sys [2010-7-25 11776]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-11 67656]
R2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2009/11/22 09:15:05];c:\program files\cyberlink\powerdvd9\000.fcl [2009-2-28 87536]
R2 a2AntiMalware;Emsisoft Anti-Malware 5.0 - Service;c:\program files\emsisoft anti-malware\a2service.exe [2010-7-25 2806000]
R2 ASBroker;Logon Session Broker;c:\windows\system32\svchost.exe -k Cognizance [2008-5-18 21504]
R2 ASChannel;Local Communication Channel;c:\windows\system32\svchost.exe -k Cognizance [2008-5-18 21504]
R3 a2acc;a2acc;c:\program files\emsisoft anti-malware\a2accx86.sys [2010-7-25 72808]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-11-17 3668480]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-7-7 14904]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2010-1-15 33552]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [2008-9-9 498432]
S3 DfSdkS;Defragmentation-Service;c:\program files\ashampoo\ashampoo winoptimizer 6\DfSdkS.exe [2010-9-22 406016]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2010-10-22 39272]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-3-25 42368]
S3 Normandy;Normandy SR2;c:\windows\system32\drivers\Normandy.sys [2010-11-2 34560]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [2010-11-9 24416]
S3 rspSanity;rspSanity;c:\windows\system32\drivers\rspSanity32.sys [2010-9-9 27192]
S3 zteusbser;ZTE USB Device for Legacy Serial Communication;c:\windows\system32\drivers\zteusbser.sys [2007-10-30 98432]

=============== Created Last 30 ================

2010-11-12 20:58:28 6146896 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{5e5b91a7-03ed-433f-ab65-afd6a9de1d0c}\mpengine.dll
2010-11-12 20:36:40 -------- d-----w- c:\users\prasha~1\appdata\roaming\EurekaLog
2010-11-12 10:24:57 -------- d-----w- c:\program files\Spiceworks
2010-11-10 14:08:43 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2010-11-10 08:48:06 -------- d-----w- c:\progra~2\SafeReturner
2010-11-09 04:30:02 -------- d-----w- c:\progra~2\NoVirusThanks
2010-11-09 04:05:09 -------- d-----w- c:\program files\Bonjour
2010-11-09 03:17:44 -------- d-----w- c:\program files\NoVirusThanks Anti-Rootkit
2010-11-09 00:07:33 -------- d-----w- c:\program files\SystemRequirementsLab
2010-11-08 19:41:37 24416 ----a-w- c:\windows\system32\drivers\regguard.sys
2010-11-08 14:18:04 -------- d-----w- c:\program files\VirusTotalUploader2
2010-11-08 12:16:42 -------- d-----w- c:\windows\RestoreSafeDeleted
2010-11-08 04:31:24 -------- d-----w- c:\program files\iPod
2010-11-08 04:31:17 -------- d-----w- c:\program files\iTunes
2010-11-08 04:31:17 -------- d-----w- c:\progra~2\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-11-08 04:25:42 -------- d-----w- c:\program files\Bonjour(0)
2010-11-06 21:49:10 -------- d-----w- C:\Backreg
2010-11-06 21:24:13 35816 ----a-w- c:\windows\system32\drivers\Partizan.sys
2010-11-06 21:24:12 37600 ----a-w- c:\windows\system32\Partizan.exe
2010-11-06 21:23:46 2 --shatr- c:\windows\winstart.bat
2010-11-06 21:22:02 12808 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys
2010-11-06 21:20:45 -------- d-----w- c:\program files\UnHackMe
2010-11-05 05:18:44 8704 ----a-w- c:\windows\system32\ctfmon.exe.backup
2010-11-05 05:12:53 -------- d-----w- c:\users\prasha~1\appdata\roaming\SuperAdBlocker.com
2010-11-05 05:09:24 -------- d-----w- c:\windows\system32\URTTemp
2010-11-05 05:09:03 -------- d-----w- c:\program files\SuperAdBlocker.com
2010-11-05 00:12:14 -------- d-----w- c:\program files\CCleaner
2010-11-02 21:08:24 -------- d-----w- C:\PrevxCSI
2010-11-02 14:07:03 -------- d-----w- c:\program files\NoVirusThanks
2010-11-02 07:02:56 35904 ----a-w- c:\windows\system32\drivers\pah4wydq.sys
2010-11-02 05:55:23 34560 ----a-w- c:\windows\system32\drivers\Normandy.sys
2010-11-01 18:48:51 -------- d-----w- c:\windows\system32\Adobe
2010-11-01 14:52:17 11776 ----a-w- c:\program files\mozilla firefox\plugins\nprjplug.dll
2010-11-01 14:50:24 -------- d-----w- c:\program files\common files\xing shared
2010-11-01 14:49:06 151776 ----a-w- c:\program files\mozilla firefox\plugins\nppl3260.dll
2010-11-01 14:47:46 100352 ----a-w- c:\program files\mozilla firefox\plugins\nprpjplug.dll
2010-11-01 11:56:52 -------- d-----w- c:\users\prasha~1\appdata\local\Mozilla
2010-11-01 11:54:59 98304 ----a-w- c:\program files\mozilla firefox\nssdbm3.dll
2010-11-01 11:54:59 89048 ----a-w- c:\program files\mozilla firefox\nssutil3.dll
2010-11-01 11:54:58 646104 ----a-w- c:\program files\mozilla firefox\nss3.dll
2010-11-01 11:54:58 343000 ----a-w- c:\program files\mozilla firefox\nssckbi.dll
2010-11-01 11:54:57 203736 ----a-w- c:\program files\mozilla firefox\nspr4.dll
2010-11-01 11:54:56 719832 ----a-w- c:\program files\mozilla firefox\mozcrt19.dll
2010-11-01 11:54:47 719832 ----a-w- c:\program files\mozilla firefox\mozcpp19.dll
2010-11-01 11:54:44 1018840 ----a-w- c:\program files\mozilla firefox\js3250.dll
2010-11-01 11:54:43 912344 ----a-w- c:\program files\mozilla firefox\firefox.exe
2010-11-01 11:54:43 249856 ----a-w- c:\program files\mozilla firefox\freebl3.dll
2010-11-01 11:54:43 107480 ----a-w- c:\program files\mozilla firefox\crashreporter.exe
2010-11-01 11:54:42 19416 ----a-w- c:\program files\mozilla firefox\AccessibleMarshal.dll
2010-10-30 15:14:33 -------- d-----w- c:\users\prasha~1\appdata\roaming\SUPERAntiSpyware.com
2010-10-30 15:13:50 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-10-29 14:40:16 -------- d-----w- c:\users\prasha~1\appdata\local\Deployment
2010-10-27 02:45:01 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-10-27 02:44:49 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-10-27 02:44:40 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-10-26 05:00:58 -------- d-----w- c:\users\prasha~1\appdata\local\Sophos
2010-10-26 01:19:41 6146896 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2010-10-25 17:10:34 -------- d-----w- c:\progra~2\Sophos
2010-10-25 06:33:26 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-10-25 06:01:40 -------- d-----w- c:\progra~2\MFAData
2010-10-25 03:14:44 -------- d-----w- c:\program files\Sun
2010-10-23 13:28:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-23 13:28:33 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-23 13:28:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-23 05:53:44 -------- d-----w- c:\progra~2\InstallMate
2010-10-23 04:29:13 -------- d-----w- c:\progra~2\SUPERAntiSpyware.com
2010-10-23 01:05:59 -------- d-----w- c:\progra~2\{8D274659-3D84-4410-A197-C170D180BC76}
2010-10-23 00:02:33 1419232 ----a-w- c:\windows\system32\drivers\wdfcoinstaller01005.dll
2010-10-23 00:02:32 16768 ----a-w- c:\windows\system32\drivers\HpqKbFiltr.sys
2010-10-22 23:11:39 53248 ----a-w- c:\windows\system32\CSVer.dll
2010-10-22 19:18:07 6146896 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{15492e9f-6117-4e59-9116-1c37e2a66d87}\mpengine.dll
2010-10-22 00:45:38 -------- d-----w- c:\windows\en
2010-10-22 00:41:17 39272 ----a-w- c:\windows\system32\drivers\fssfltr.sys
2010-10-22 00:33:20 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-10-22 00:01:57 -------- d-----w- c:\program files\MSN Toolbar
2010-10-22 00:00:50 -------- d-----w- c:\program files\Bing Bar Installer
2010-10-22 00:00:22 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2010-10-22 00:00:22 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2010-10-22 00:00:21 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2010-10-21 23:58:26 469256 ----a-w- c:\program files\common files\windows live\.cache\d56595ad1cb717b06\InstallManager_WLE_WLE.exe
2010-10-21 23:57:59 15712 ----a-w- c:\program files\common files\windows live\.cache\c8f70f1d1cb717b05\MeshBetaRemover.exe
2010-10-21 23:57:54 94040 ----a-w- c:\program files\common files\windows live\.cache\c55f1b4d1cb717b04\DSETUP.dll
2010-10-21 23:57:54 525656 ----a-w- c:\program files\common files\windows live\.cache\c55f1b4d1cb717b04\DXSETUP.exe
2010-10-21 23:57:54 1691480 ----a-w- c:\program files\common files\windows live\.cache\c55f1b4d1cb717b04\dsetup32.dll
2010-10-21 23:57:48 94040 ----a-w- c:\program files\common files\windows live\.cache\c0748fcd1cb717b03\DSETUP.dll
2010-10-21 23:57:48 525656 ----a-w- c:\program files\common files\windows live\.cache\c0748fcd1cb717b03\DXSETUP.exe
2010-10-21 23:57:48 1691480 ----a-w- c:\program files\common files\windows live\.cache\c0748fcd1cb717b03\dsetup32.dll
2010-10-21 23:57:02 -------- d-----w- c:\users\prasha~1\appdata\local\Windows Live
2010-10-21 23:53:29 754688 ----a-w- c:\windows\system32\webservices.dll
2010-10-21 11:34:32 -------- d-----w- c:\users\prasha~1\appdata\roaming\Softplicity
2010-10-21 11:13:10 -------- d-----w- c:\users\prasha~1\appdata\roaming\NCH Software
2010-10-21 11:08:14 -------- d-----w- c:\program files\NCH Swift Sound
2010-10-21 02:28:49 -------- d-----w- c:\program files\ESET
2010-10-18 01:31:34 -------- d-----w- c:\users\prasha~1\appdata\local\WindowsUpdate
2010-10-17 03:52:02 -------- d-----w- c:\windows\RegBak
2010-10-14 09:09:58 -------- d-----w- c:\users\prasha~1\appdata\roaming\KillProcess

==================== Find3M ====================

2010-11-06 00:46:15 319456 ----a-w- c:\windows\DIFxAPI.dll
2010-11-01 14:46:51 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-10-19 20:51:33 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-15 07:07:13 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-22 19:17:28 49016 ----a-w- c:\windows\system32\sirenacm.dll
2010-09-22 19:02:56 301936 ----a-w- c:\windows\WLXPGSS.SCR
2010-09-20 11:11:16 200704 ----a-w- c:\windows\bcmC215.tmp
2010-09-20 11:11:16 135168 ----a-w- c:\windows\bcmC1E5.tmp
2010-09-13 13:56:41 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-09-08 06:01:28 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-08 05:57:18 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-08 05:57:05 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-08 05:56:53 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-09-08 05:56:53 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-09-08 05:47:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 05:47:46 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-08 05:04:36 385024 ----a-w- c:\windows\system32\html.iec
2010-09-08 04:26:46 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-09-08 04:25:15 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-09-06 16:20:29 125952 ----a-w- c:\windows\system32\srvsvc.dll
2010-09-06 16:19:06 17920 ----a-w- c:\windows\system32\netevent.dll
2010-08-31 15:46:37 954752 ----a-w- c:\windows\system32\mfc40.dll
2010-08-31 15:46:37 954288 ----a-w- c:\windows\system32\mfc40u.dll
2010-08-31 15:44:31 531968 ----a-w- c:\windows\system32\comctl32.dll
2010-08-31 13:27:38 2038272 ----a-w- c:\windows\system32\win32k.sys
2010-08-26 16:37:45 157184 ----a-w- c:\windows\system32\t2embed.dll
2010-08-26 16:33:06 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
2010-08-26 16:33:04 542720 ----a-w- c:\windows\apppatch\AcLayers.dll
2010-08-26 16:33:04 458752 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2010-08-26 16:33:04 2159616 ----a-w- c:\windows\apppatch\AcGenral.dll
2010-08-20 16:05:07 867328 ----a-w- c:\windows\system32\wmpmde.dll
2010-08-17 14:11:37 128000 ----a-w- c:\windows\system32\spoolsv.exe

============= FINISH: 13:36:02.55 ===============

3. Attached herewith please find Attach.zip (81 KB) that consists of Attach.txt from the DDS Output and GMER Output in the form of ARK.txt (with IAT/EAT unticked, Show All unticked, and only C: drive (OS installed Drive) ticked in the GMER Window and having then pressed the Scan button therein).




#2 Elise


    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,308 posts
  • Gender:Female
  • Location:Romania
  • Local time:02:53 PM

Posted 22 November 2010 - 07:38 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Quick Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download Rootkit Unhooker. Save it to your desktop.
  • Extract RKUnhooker to your desktop.
    Note** it is zipped up in a .rar file. If you do not have a program to unzip this type of file,
    you can get a free one from here - http://www.7-zip.org/
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning; it is OK, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

Just click on Cancel, then Accept.

In the meantime, please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply:
  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • RKU log

Thanks and again sorry for the delay.

regards, Elise

"Now faith is the substance of things hoped for, the evidence of things not seen."




Malware analyst @ Emsisoft

#3 Elise



Posted 02 December 2010 - 07:07 AM

Due to lack of feedback, this topic is now closed.

If you are the original topic starter and you need this topic reopened, please send me a PM.

Everyone else, please start a new topic.

regards, Elise
