
Problems with IE after malware removal


  • This topic is locked
18 replies to this topic

#1 kenia84

kenia84

  • Members
  • 8 posts
  • OFFLINE
  • Local time:11:28 AM

Posted 17 January 2011 - 02:07 AM

Hi there,

I had a malware infection, some nasty program disguised as AV, whose name I forgot to note.
It resembled one I was dealing with earlier, which was called Personal Protector and was deleted by MBAM.
This new malware was killing every process trying to run (Task Manager, for instance), popping up warnings about infection, and changed the desktop to some kind of security warning (similar to PP).

I removed system access to its startup folder by removing read/write permissions, and afterwards removed it with MBAM from Safe Mode.

I thought that should be enough, but my real problem started afterwards.

After cleaning this malware I logged into my account, just to find out that after the initial startup of all programs, IE6 starts to open new windows with an address not known to me, because it was instantly blocked by the proxy.

Closing those windows didn't help; after 2-3 seconds another 5-10 windows popped up, virtually disabling the computer - they have the "always on top" option and every new window instantly becomes active.

This goes on as long as my computer is connected to the network; I found out that disconnecting the cable stops this process (IE doesn't behave this way in Safe Mode).

I tried to find out what is going on by using many different programs, but I ran out of ideas.

Unfortunately, I have already used ComboFix, and some others like:
TFC, DDS, GMER, HJT, RootRepeal, Dr. Web CureIt, TDSSKiller, and of course MBAM

I know it wasn't too wise, but I was in need of my laptop, and as they say, haste isn't a good advisor.

Each of those found some threats, but none of them was the one responsible for the irrational IE behaviour.
I have reports for most of those programs if necessary.

DDS (Ver_10-12-12.02) - NTFSx86 NETWORK
Run by Administrator at 15:45:45,07 on 2011-01-14
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.5.0_12
Microsoft Windows XP Professional 5.1.2600.2.1250.48.1033.18.3318.2950 [GMT 1:00]

AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
mDefault_Page_URL = hxxp://portal.e.corpintra.net
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [DataCardMonitor] c:\program files\blueconnect\DataCardMonitor.exe
mRun: [WinVNC] "c:\program files\ultravnc\winvnc.exe" -servicehelper
mRun: [vptray] c:\progra~1\sav\VPTray.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [ROVATray] c:\program files\quintech\rova\rovatray.exe
mRun: [PSUtility] c:\addon\fujitsu\psutility\TrayManager.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [LoadFujitsuQuickTouch] c:\program files\fujitsu\application panel\QuickTouch.exe
mRun: [LoadFUJ02E3] c:\program files\fujitsu\fuj02e3\FUJ02E3.exe
mRun: [LoadBtnHnd] c:\program files\fujitsu\btnhnd\BtnHnd.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [TvOutSwitch] c:\addon\fujitsu\dispswitch\DispSwitchLauncher.exe
mRun: [CTCheck] c:\program files\creative\creative zen\zen media explorer\CTCheck.exe
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hardcopy.lnk - c:\program files\hardcopy\hardcopy.exe
uPolicies-explorer: NoAutoUpdate = 1 (0x1)
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
mPolicies-explorer: NoSimpleNetIDList = 1 (0x1)
mPolicies-explorer: NoPublishingWizard = 1 (0x1)
mPolicies-explorer: NoWebServices = 1 (0x1)
mPolicies-explorer: NoOnlinePrintsWizard = 1 (0x1)
mPolicies-system: LogonType = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: covisint.com
Trusted Zone: ehrportal.eu
Trusted Zone: covisint.com
Trusted Zone: dctss.com
Trusted Zone: dctss.de
Trusted Zone: ehrportal.eu
Trusted Zone: mercedes-benz.t-online.de
Trusted Zone: unimog-extranet.com
Trusted Zone: unimog-extranet.de
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://mobile.emea.corpinter.net/dana-cached/sc/JuniperSetupClient.cab
Handler: saphtmlp - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\sapgui\SAPHTMLP.DLL
Handler: sapr3 - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\sapgui\SAPHTMLP.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: FJWSEL - FJWSWNP.dll
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: PSUTY - PSUWNP.dll
Notify: rovalogn - c:\windows\system32\rovalogn.dll
AppInit_DLLs: c:\progra~1\netinst\NiAMH.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {400B22EA-2CC5-4E85-ADD3-F9B1F4AA2ED9} - c:\windows\system32\reg.exe import "c:\program files\internet explorer\EMEAIE.reg"
mASetup: {6760850E-2185-4843-88D0-1E39A98CADAF} - c:\program files\daimlerchrysler\pcinfo\User_Icon.EXE
mASetup: {9D3FE31C-4115-4047-A034-63174522646D} - c:\windows\CorporateDesktop.exe
mASetup: {AC76BA86-7AD7-1033-7B44-A81200000003} - c:\program files\adobe\reader 8.0\Adobe_AcrobatReader_812_ENU_404.EXE

============= SERVICES / DRIVERS ===============

R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2008-7-23 36640]
R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2008-7-23 35456]
R3 FUJ02E3;Fujitsu FUJ02E3 Device Driver;c:\windows\system32\drivers\fuj02e3.sys [2008-10-22 4864]
S1 SAVRT;SAVRT;c:\program files\sav\savrt.sys [2011-1-11 337592]
S1 SAVRTPEL;SAVRTPEL;c:\program files\sav\Savrtpel.sys [2011-1-11 54968]
S2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2007-5-30 192104]
S2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2007-5-30 169576]
S2 JuniperAccessService;Juniper Unified Network Service;c:\program files\common files\juniper networks\juns\dsAccessService.exe [2007-7-27 87416]
S2 NiExServ;NetInstall Executive;c:\program files\netinst\NiExServ.exe [2008-7-23 198136]
S2 ROVA_Srvc;ROVA Service;c:\program files\quintech\rovaupdate\rovasrvc.exe [2008-2-3 128328]
S2 SavRoam;SAVRoam;c:\program files\sav\SavRoam.exe [2011-1-11 116928]
S2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\sav\Rtvscan.exe [2011-1-11 1821376]
S2 WNTHW;WNTHW;c:\windows\system32\drivers\WNTHW.SYS [2008-7-23 9176]
S3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\drivers\motfilt.sys [2010-12-27 6016]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-9-13 102448]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys --> c:\windows\system32\drivers\ewusbdev.sys [?]
S3 kvnet;Kerio Virtual Network Adapter;c:\windows\system32\drivers\kvnet.sys [2009-3-23 29696]
S3 kwflower;Kerio WinRoute Firewall Driver - Lower Layer;c:\windows\system32\drivers\kwflower.sys --> c:\windows\system32\drivers\kwflower.sys [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2010-12-27 19712]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2010-12-27 8320]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2010-12-27 42752]
S3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\drivers\Motousbnet.sys [2010-12-27 23424]
S3 motusbdevice;Motorola USB Dev Driver;c:\windows\system32\drivers\motusbdevice.sys [2010-12-27 9472]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110113.002\naveng.sys [2011-1-14 86008]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110113.002\navex15.sys [2011-1-14 1360760]
S3 NIAIServ;NetInstall Service;c:\program files\netinst\NiAiServ.exe [2008-7-23 198136]
S3 ServiceOMC;ServiceOMC;c:\windows\system32\ServiceOMC.exe [2008-8-20 73728]
S3 TF1D091010;TF1D091010;c:\windows\system32\drivers\TF1D091010.sys [2008-2-1 99968]
S4 gupdate;Usługa Google Update (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-23 136176]

=============== Created Last 30 ================

2011-01-14 11:44:17 -------- d-----w- c:\documents and settings\administrator\DoctorWeb
2011-01-14 09:58:47 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Toshiba
2011-01-14 09:39:23 98816 ----a-w- c:\windows\sed.exe
2011-01-14 09:39:23 89088 ----a-w- c:\windows\MBR.exe
2011-01-14 09:39:23 256512 ----a-w- c:\windows\PEV.exe
2011-01-14 09:39:23 161792 ----a-w- c:\windows\SWREG.exe
2011-01-14 09:16:27 -------- d-----w- c:\program files\Trend Micro
2011-01-11 11:10:10 1409 ----a-w- c:\windows\QTFont.for
2011-01-11 09:42:09 -------- d-----w- c:\program files\SAV
2011-01-11 08:34:33 -------- d-----w- c:\program files\Emsisoft Anti-Malware
2011-01-07 22:25:16 621056 ----a-w- c:\windows\system32\drivers\mod7700.sys
2011-01-07 22:25:16 24448 ----a-w- c:\windows\system32\drivers\ewdcsc.sys
2011-01-07 22:25:16 113664 ----a-w- c:\windows\system32\drivers\ewusbnet.sys
2011-01-07 22:25:16 101376 ----a-w- c:\windows\system32\drivers\ewusbmdm.sys
2010-12-30 13:00:57 -------- d-----w- c:\docume~1\alluse~1\applic~1\motorola
2010-12-28 13:02:35 -------- d-----w- c:\program files\Motorola Media Link
2010-12-28 11:16:28 -------- d-----w- C:\3cd4a2ca6470ebc33d536173e9
2010-12-27 13:47:18 -------- d-----w- c:\program files\Motorola
2010-12-27 13:45:32 9472 ----a-w- c:\windows\system32\drivers\motusbdevice.sys
2010-12-27 13:45:32 6016 ----a-w- c:\windows\system32\drivers\motfilt.sys
2010-12-27 13:45:32 23424 ----a-w- c:\windows\system32\drivers\Motousbnet.sys
2010-12-27 13:45:31 23936 ----a-w- c:\windows\system32\drivers\motmodem.sys
2010-12-27 13:45:30 8320 ----a-w- c:\windows\system32\drivers\motccgpfl.sys
2010-12-27 13:45:30 6400 ----a-w- c:\windows\system32\drivers\motswch.sys
2010-12-27 13:45:30 42752 ----a-w- c:\windows\system32\drivers\motodrv.sys
2010-12-27 13:45:30 19712 ----a-w- c:\windows\system32\drivers\motccgp.sys
2010-12-27 13:45:30 15616 ----a-w- c:\windows\system32\mot_ci.dll
2010-12-27 13:45:13 -------- d-----w- c:\program files\common files\Motorola Shared
2010-12-27 07:32:46 -------- d-----w- c:\docume~1\alluse~1\applic~1\TomTom
2010-12-27 07:30:20 -------- d-----w- c:\program files\TomTom HOME 2
2010-12-27 07:21:55 -------- d-----w- c:\program files\TomTom DesktopSuite

==================== Find3M ====================


============= FINISH: 15:46:55,71 ===============



Thanks in advance for any help

Attached Files





#2 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:10:28 AM

Posted 23 January 2011 - 08:25 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Casey

If I have been helping you and I do not reply within 48 hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *


#3 kenia84

kenia84
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:11:28 AM

Posted 24 January 2011 - 05:03 AM

Hi

I haven't done anything further to solve my problems, yet below I attach current scans from DDS and GMER


DDS (Ver_10-12-12.02) - NTFSx86 NETWORK
Run by Administrator at 15:45:45,07 on 2011-01-14
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.5.0_12
Microsoft Windows XP Professional 5.1.2600.2.1250.48.1033.18.3318.2950 [GMT 1:00]

AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
mDefault_Page_URL = hxxp://portal.e.corpintra.net
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [DataCardMonitor] c:\program files\blueconnect\DataCardMonitor.exe
mRun: [WinVNC] "c:\program files\ultravnc\winvnc.exe" -servicehelper
mRun: [vptray] c:\progra~1\sav\VPTray.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [ROVATray] c:\program files\quintech\rova\rovatray.exe
mRun: [PSUtility] c:\addon\fujitsu\psutility\TrayManager.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [LoadFujitsuQuickTouch] c:\program files\fujitsu\application panel\QuickTouch.exe
mRun: [LoadFUJ02E3] c:\program files\fujitsu\fuj02e3\FUJ02E3.exe
mRun: [LoadBtnHnd] c:\program files\fujitsu\btnhnd\BtnHnd.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [TvOutSwitch] c:\addon\fujitsu\dispswitch\DispSwitchLauncher.exe
mRun: [CTCheck] c:\program files\creative\creative zen\zen media explorer\CTCheck.exe
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hardcopy.lnk - c:\program files\hardcopy\hardcopy.exe
uPolicies-explorer: NoAutoUpdate = 1 (0x1)
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
mPolicies-explorer: NoSimpleNetIDList = 1 (0x1)
mPolicies-explorer: NoPublishingWizard = 1 (0x1)
mPolicies-explorer: NoWebServices = 1 (0x1)
mPolicies-explorer: NoOnlinePrintsWizard = 1 (0x1)
mPolicies-system: LogonType = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: covisint.com
Trusted Zone: ehrportal.eu
Trusted Zone: covisint.com
Trusted Zone: dctss.com
Trusted Zone: dctss.de
Trusted Zone: ehrportal.eu
Trusted Zone: mercedes-benz.t-online.de
Trusted Zone: unimog-extranet.com
Trusted Zone: unimog-extranet.de
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://mobile.emea.corpinter.net/dana-cached/sc/JuniperSetupClient.cab
Handler: saphtmlp - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\sapgui\SAPHTMLP.DLL
Handler: sapr3 - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\sapgui\SAPHTMLP.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: FJWSEL - FJWSWNP.dll
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: PSUTY - PSUWNP.dll
Notify: rovalogn - c:\windows\system32\rovalogn.dll
AppInit_DLLs: c:\progra~1\netinst\NiAMH.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {400B22EA-2CC5-4E85-ADD3-F9B1F4AA2ED9} - c:\windows\system32\reg.exe import "c:\program files\internet explorer\EMEAIE.reg"
mASetup: {6760850E-2185-4843-88D0-1E39A98CADAF} - c:\program files\daimlerchrysler\pcinfo\User_Icon.EXE
mASetup: {9D3FE31C-4115-4047-A034-63174522646D} - c:\windows\CorporateDesktop.exe
mASetup: {AC76BA86-7AD7-1033-7B44-A81200000003} - c:\program files\adobe\reader 8.0\Adobe_AcrobatReader_812_ENU_404.EXE

============= SERVICES / DRIVERS ===============

R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2008-7-23 36640]
R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2008-7-23 35456]
R3 FUJ02E3;Fujitsu FUJ02E3 Device Driver;c:\windows\system32\drivers\fuj02e3.sys [2008-10-22 4864]
S1 SAVRT;SAVRT;c:\program files\sav\savrt.sys [2011-1-11 337592]
S1 SAVRTPEL;SAVRTPEL;c:\program files\sav\Savrtpel.sys [2011-1-11 54968]
S2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2007-5-30 192104]
S2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2007-5-30 169576]
S2 JuniperAccessService;Juniper Unified Network Service;c:\program files\common files\juniper networks\juns\dsAccessService.exe [2007-7-27 87416]
S2 NiExServ;NetInstall Executive;c:\program files\netinst\NiExServ.exe [2008-7-23 198136]
S2 ROVA_Srvc;ROVA Service;c:\program files\quintech\rovaupdate\rovasrvc.exe [2008-2-3 128328]
S2 SavRoam;SAVRoam;c:\program files\sav\SavRoam.exe [2011-1-11 116928]
S2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\sav\Rtvscan.exe [2011-1-11 1821376]
S2 WNTHW;WNTHW;c:\windows\system32\drivers\WNTHW.SYS [2008-7-23 9176]
S3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\drivers\motfilt.sys [2010-12-27 6016]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-9-13 102448]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys --> c:\windows\system32\drivers\ewusbdev.sys [?]
S3 kvnet;Kerio Virtual Network Adapter;c:\windows\system32\drivers\kvnet.sys [2009-3-23 29696]
S3 kwflower;Kerio WinRoute Firewall Driver - Lower Layer;c:\windows\system32\drivers\kwflower.sys --> c:\windows\system32\drivers\kwflower.sys [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2010-12-27 19712]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2010-12-27 8320]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2010-12-27 42752]
S3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\drivers\Motousbnet.sys [2010-12-27 23424]
S3 motusbdevice;Motorola USB Dev Driver;c:\windows\system32\drivers\motusbdevice.sys [2010-12-27 9472]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110113.002\naveng.sys [2011-1-14 86008]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110113.002\navex15.sys [2011-1-14 1360760]
S3 NIAIServ;NetInstall Service;c:\program files\netinst\NiAiServ.exe [2008-7-23 198136]
S3 ServiceOMC;ServiceOMC;c:\windows\system32\ServiceOMC.exe [2008-8-20 73728]
S3 TF1D091010;TF1D091010;c:\windows\system32\drivers\TF1D091010.sys [2008-2-1 99968]
S4 gupdate;Usługa Google Update (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-23 136176]

=============== Created Last 30 ================

2011-01-14 11:44:17 -------- d-----w- c:\documents and settings\administrator\DoctorWeb
2011-01-14 09:58:47 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Toshiba
2011-01-14 09:39:23 98816 ----a-w- c:\windows\sed.exe
2011-01-14 09:39:23 89088 ----a-w- c:\windows\MBR.exe
2011-01-14 09:39:23 256512 ----a-w- c:\windows\PEV.exe
2011-01-14 09:39:23 161792 ----a-w- c:\windows\SWREG.exe
2011-01-14 09:16:27 -------- d-----w- c:\program files\Trend Micro
2011-01-11 11:10:10 1409 ----a-w- c:\windows\QTFont.for
2011-01-11 09:42:09 -------- d-----w- c:\program files\SAV
2011-01-11 08:34:33 -------- d-----w- c:\program files\Emsisoft Anti-Malware
2011-01-07 22:25:16 621056 ----a-w- c:\windows\system32\drivers\mod7700.sys
2011-01-07 22:25:16 24448 ----a-w- c:\windows\system32\drivers\ewdcsc.sys
2011-01-07 22:25:16 113664 ----a-w- c:\windows\system32\drivers\ewusbnet.sys
2011-01-07 22:25:16 101376 ----a-w- c:\windows\system32\drivers\ewusbmdm.sys
2010-12-30 13:00:57 -------- d-----w- c:\docume~1\alluse~1\applic~1\motorola
2010-12-28 13:02:35 -------- d-----w- c:\program files\Motorola Media Link
2010-12-28 11:16:28 -------- d-----w- C:\3cd4a2ca6470ebc33d536173e9
2010-12-27 13:47:18 -------- d-----w- c:\program files\Motorola
2010-12-27 13:45:32 9472 ----a-w- c:\windows\system32\drivers\motusbdevice.sys
2010-12-27 13:45:32 6016 ----a-w- c:\windows\system32\drivers\motfilt.sys
2010-12-27 13:45:32 23424 ----a-w- c:\windows\system32\drivers\Motousbnet.sys
2010-12-27 13:45:31 23936 ----a-w- c:\windows\system32\drivers\motmodem.sys
2010-12-27 13:45:30 8320 ----a-w- c:\windows\system32\drivers\motccgpfl.sys
2010-12-27 13:45:30 6400 ----a-w- c:\windows\system32\drivers\motswch.sys
2010-12-27 13:45:30 42752 ----a-w- c:\windows\system32\drivers\motodrv.sys
2010-12-27 13:45:30 19712 ----a-w- c:\windows\system32\drivers\motccgp.sys
2010-12-27 13:45:30 15616 ----a-w- c:\windows\system32\mot_ci.dll
2010-12-27 13:45:13 -------- d-----w- c:\program files\common files\Motorola Shared
2010-12-27 07:32:46 -------- d-----w- c:\docume~1\alluse~1\applic~1\TomTom
2010-12-27 07:30:20 -------- d-----w- c:\program files\TomTom HOME 2
2010-12-27 07:21:55 -------- d-----w- c:\program files\TomTom DesktopSuite

==================== Find3M ====================


============= FINISH: 15:46:55,71 ===============

Scans were done from Safe Mode; I'm not using normal mode since my problems started.

Attached Files

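The DDS logs kenia84 posted list the autostart locations a responder reads first (uRun/mRun/dRun values, BHOs, Notify and AppInit_DLLs entries) and the files created in the last 30 days. The script below is an added example, not part of this thread, of DDS, or of BleepingComputer's tooling: it parses those two sections and lists the entries worth verifying by hand, using a few triage heuristics of my own (an executable launched from a user profile or Temp directory, whitespace before the extension, a bare file name resolved via the search path, and any AppInit_DLLs entry). The legitimate sample lines are modelled on the posted log; the AdobeUpdate and Temp entries in the sample are constructed so the heuristics have something to flag. A hit means "look at this file's vendor and signature", not "this is malware".

```python
"""Triage helper for DDS-style logs (added example; not part of the thread or of DDS)."""
import re
from dataclasses import dataclass, field

# Constructed sample log. Legitimate lines are modelled on the DDS log in the
# thread; the AdobeUpdate and Temp entries are constructed for the demo.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============

uStart Page = about:blank
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [WinVNC] "c:\program files\ultravnc\winvnc.exe" -servicehelper
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [RTHDCPL] RTHDCPL.EXE
uRun: [AdobeUpdate] c:\docume~1\user\applic~1\adobe\AdobeUpdate .exe
AppInit_DLLs: c:\progra~1\netinst\NiAMH.dll
Notify: rovalogn - c:\windows\system32\rovalogn.dll

=============== Created Last 30 ================

2011-01-14 09:39:23 89088 ----a-w- c:\windows\MBR.exe
2011-01-14 09:16:27 -------- d-----w- c:\program files\Trend Micro
2011-01-13 20:01:02 45056 ----a-w- c:\docume~1\user\applic~1\adobe\AdobeUpdate .exe
2011-01-13 20:01:02 12288 ----a-w- c:\docume~1\user\locals~1\temp\setup.exe
"""

EXT = r"\.(?:exe|dll|sys|scr|com|bat|cmd|pif)"
# Program path inside a command line: a quoted path, or an unquoted one that
# ends at the first executable extension (unquoted paths may contain spaces).
PATH_IN_CMD = re.compile(r'^(?:"(?P<q>[^"]+)"|(?P<u>.*?' + EXT + r'))(?:\s|$)', re.IGNORECASE)
RUN_LINE = re.compile(r"^(?P<key>[umd]Run): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
BHO_LINE = re.compile(r"^BHO: (?P<name>.+?): \{[0-9a-f-]+\} - (?P<cmd>.+)$", re.IGNORECASE)
NOTIFY_LINE = re.compile(r"^Notify: (?P<name>\S+) - (?P<cmd>.+)$")
APPINIT_LINE = re.compile(r"^AppInit_DLLs: (?P<cmd>.+)$")
CREATED_LINE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<size>\d+|-+) (?P<attr>\S+) (?P<path>.+)$")

EXECUTABLE = re.compile(EXT + r"$", re.IGNORECASE)
SPACE_BEFORE_EXT = re.compile(r"\s" + EXT + r"$", re.IGNORECASE)
PROFILE_DIR = re.compile(r"^c:\\(?:docume~1|documents and settings)\\", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)


@dataclass
class Finding:
    section: str            # "autostart" or "created"
    label: str              # value name, BHO name, or creation timestamp
    path: str
    reasons: list = field(default_factory=list)


def program_path(cmd):
    """Extract the program path from a Run-style command line, or None."""
    m = PATH_IN_CMD.match(cmd.strip())
    return (m.group("q") or m.group("u")) if m else None


def parse_autostart(line):
    """Return (key, label, command) for a Pseudo HJT autostart line, else None."""
    m = RUN_LINE.match(line)
    if m:
        return m.group("key"), m.group("name"), m.group("cmd")
    m = BHO_LINE.match(line)
    if m:
        return "BHO", m.group("name"), m.group("cmd")
    m = NOTIFY_LINE.match(line)
    if m:
        return "Notify", m.group("name"), m.group("cmd")
    m = APPINIT_LINE.match(line)
    if m:
        return "AppInit_DLLs", "AppInit_DLLs", m.group("cmd")
    return None


def path_reasons(path, key=None):
    """Triage heuristics (assumptions of this example, not DDS rules)."""
    reasons = []
    if key == "AppInit_DLLs":
        reasons.append("AppInit_DLLs entry is loaded into every user32 process; confirm the vendor")
    if "\\" not in path:
        reasons.append("bare file name resolved via the search path; confirm it lives in system32")
    if SPACE_BEFORE_EXT.search(path):
        reasons.append("whitespace before the extension, a name styled after a legitimate updater")
    if PROFILE_DIR.match(path):
        reasons.append("executable under a user profile rather than Program Files or Windows")
    if TEMP_DIR.search(path):
        reasons.append("executable in a Temp directory")
    return reasons


def triage(log_text):
    """Walk the two DDS sections and return the entries that need a closer look."""
    findings, section = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if "Pseudo HJT Report" in line:
            section = "autostart"
            continue
        if "Created Last 30" in line:
            section = "created"
            continue
        if line.startswith("===="):        # any other banner ends the section
            section = None
            continue
        if not line or section is None:
            continue
        if section == "autostart":
            entry = parse_autostart(line)
            if entry is None:
                continue
            key, label, cmd = entry
            path = program_path(cmd)
            if path is None:
                continue
            reasons = path_reasons(path, key)
        else:
            m = CREATED_LINE.match(line)
            if not m or not EXECUTABLE.search(m.group("path")):
                continue
            label, path = m.group("ts"), m.group("path")
            reasons = path_reasons(path)
        if reasons:
            findings.append(Finding(section, label, path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.label}: {f.path}")
        for r in f.reasons:
            print("    -", r)
```

Run against a real DDS log the script reads the whole file and ignores everything outside the two sections; its output is a worklist, so a flagged line such as the bare `RTHDCPL.EXE` (a common sound-driver tray applet) is expected to be cleared after a look at the file in system32.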


#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:06:28 AM

Posted 25 January 2011 - 01:39 AM

Hello

My name is gringo and I will be helping you from this point forward.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes unless I tell you to.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.

If you have not done so please Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Some questions
1. why are you still at SP3 - Microsoft does not support SP2 anymore
2. why are you still using IE6? It is very outdated and very insecure


Here is the first thing I would like you to do.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

I would like to get a new Combofix scan

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run ComboFix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

ComboFix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#5 kenia84

kenia84
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:11:28 AM

Posted 25 January 2011 - 03:42 AM

Hey Gringo

I did what you asked me for, and here's the log from CF

ComboFix 11-01-24.02 - Administrator 2011-01-25 8:53.2.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1250.48.1033.18.3318.2908 [GMT 1:00]
Uruchomiony z: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\nkiepur\Application Data\Adobe\AdobeUpdate .exe
c:\documents and settings\nkiepur\Application Data\Adobe\plugs
E:\Autorun.inf

----- BITS: Możliwe zainfekowane strony -----

hxxp://SEDCS200:8899
.
((((((((((((((((((((((((( Pliki utworzone od 2010-12-25 do 2011-01-25 )))))))))))))))))))))))))))))))
.

2011-01-24 12:11 . 2011-01-24 12:11 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Sun
2011-01-21 10:19 . 2011-01-21 10:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2011-01-20 08:03 . 2011-01-20 08:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo
2011-01-18 12:13 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-18 12:13 . 2011-01-18 12:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-18 12:13 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-18 07:12 . 2011-01-18 07:12 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Lotus
2011-01-14 11:44 . 2011-01-14 11:44 -------- d-----w- c:\documents and settings\Administrator\DoctorWeb
2011-01-14 09:58 . 2011-01-14 09:58 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Toshiba
2011-01-14 09:16 . 2011-01-14 09:16 -------- d-----w- c:\program files\Trend Micro
2011-01-11 11:10 . 2011-01-11 11:10 1409 ----a-w- c:\windows\QTFont.for
2011-01-11 09:42 . 2011-01-14 12:46 -------- d-----w- c:\program files\SAV
2011-01-11 08:34 . 2011-01-11 10:33 -------- d-----w- c:\program files\Emsisoft Anti-Malware
2011-01-07 22:25 . 2008-09-26 17:01 621056 ----a-w- c:\windows\system32\drivers\mod7700.sys
2011-01-07 22:25 . 2008-09-26 17:01 113664 ----a-w- c:\windows\system32\drivers\ewusbnet.sys
2011-01-07 22:25 . 2008-09-26 17:01 101376 ----a-w- c:\windows\system32\drivers\ewusbmdm.sys
2011-01-07 22:25 . 2008-09-26 17:00 24448 ----a-w- c:\windows\system32\drivers\ewdcsc.sys
2010-12-30 13:00 . 2010-12-30 13:00 -------- d-----w- c:\documents and settings\nkiepur\Application Data\motorola
2010-12-30 13:00 . 2010-12-30 13:00 -------- d-----w- c:\documents and settings\All Users\Application Data\motorola
2010-12-28 13:02 . 2011-01-11 11:01 -------- d-----w- c:\program files\Motorola Media Link
2010-12-28 13:02 . 2010-12-28 13:02 -------- d-----w- c:\documents and settings\nkiepur\Local Settings\Application Data\Motorola
2010-12-28 11:16 . 2010-12-28 11:16 -------- d-----w- C:\3cd4a2ca6470ebc33d536173e9
2010-12-27 13:47 . 2010-12-27 13:47 -------- d-----w- c:\program files\Motorola
2010-12-27 13:45 . 2010-04-01 13:31 23424 ----a-w- c:\windows\system32\drivers\Motousbnet.sys
2010-12-27 13:45 . 2010-01-25 18:56 9472 ----a-w- c:\windows\system32\drivers\motusbdevice.sys
2010-12-27 13:45 . 2009-01-29 16:11 6016 ----a-w- c:\windows\system32\drivers\motfilt.sys
2010-12-27 13:45 . 2009-10-27 11:02 23936 ----a-w- c:\windows\system32\drivers\motmodem.sys
2010-12-27 13:45 . 2009-12-21 13:42 15616 ----a-w- c:\windows\system32\mot_ci.dll
2010-12-27 13:45 . 2009-06-19 15:59 19712 ----a-w- c:\windows\system32\drivers\motccgp.sys
2010-12-27 13:45 . 2009-05-08 10:56 42752 ----a-w- c:\windows\system32\drivers\motodrv.sys
2010-12-27 13:45 . 2009-01-29 16:18 8320 ----a-w- c:\windows\system32\drivers\motccgpfl.sys
2010-12-27 13:45 . 2007-11-02 14:51 6400 ----a-w- c:\windows\system32\drivers\motswch.sys
2010-12-27 13:45 . 2010-12-27 13:45 -------- d-----w- c:\program files\Common Files\Motorola Shared
2010-12-27 07:32 . 2010-12-27 07:32 -------- d-----w- c:\documents and settings\All Users\Application Data\TomTom
2010-12-27 07:30 . 2010-12-27 09:56 -------- d-----w- c:\program files\TomTom HOME 2
2010-12-27 07:21 . 2010-12-27 07:21 -------- d-----w- c:\program files\TomTom DesktopSuite

.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DataCardMonitor"="c:\program files\blueconnect\DataCardMonitor.exe" [2009-08-07 249856]
"WinVNC"="c:\program files\UltraVNC\winvnc.exe" [2006-06-18 712704]
"vptray"="c:\progra~1\Sav\VPTray.exe" [2011-01-11 125632]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-09 794713]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]
"RTHDCPL"="RTHDCPL.EXE" [2008-01-08 16377344]
"ROVATray"="c:\program files\Quintech\ROVA\rovatray.exe" [2009-02-03 148808]
"PSUtility"="c:\addon\Fujitsu\PSUtility\TrayManager.exe" [2006-07-05 118784]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-01-08 131072]
"LoadFujitsuQuickTouch"="c:\program files\Fujitsu\Application Panel\QuickTouch.exe" [2005-11-01 353792]
"LoadFUJ02E3"="c:\program files\Fujitsu\FUJ02E3\FUJ02E3.exe" [2006-11-17 80688]
"LoadBtnHnd"="c:\program files\Fujitsu\BtnHnd\BtnHnd.exe" [2005-11-01 61440]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-01-08 155648]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-05-29 52840]
"AGRSMMSG"="AGRSMMSG.exe" [2008-01-08 89541]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"TvOutSwitch"="c:\addon\Fujitsu\DispSwitch\DispSwitchLauncher.exe" [2006-08-02 81920]
"CTCheck"="c:\program files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe" [2007-10-25 380928]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

c:\documents and settings\nkiepur\Start Menu\Programs\Startup\
Lotus Notes Archive Init.lnk - c:\windows\system32\KIX32.EXE [1980-1-1 253952]

c:\documents and settings\cbeyer\Start Menu\Programs\Startup\
Lotus Notes Archive Init.lnk - c:\windows\system32\KIX32.EXE [1980-1-1 253952]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-8-2 2760704]
Hardcopy.lnk - c:\program files\Hardcopy\hardcopy.exe [2008-7-23 790528]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"LogonType"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
"NoSimpleNetIDList"= 1 (0x1)
"NoPublishingWizard"= 1 (0x1)
"NoWebServices"= 1 (0x1)
"NoOnlinePrintsWizard"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoAutoUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\FJWSEL]
2006-06-29 13:45 32768 ----a-w- c:\windows\system32\FJWSWNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PSUTY]
2006-06-02 15:04 32768 ----a-w- c:\windows\system32\PSUWNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rovalogn]
2009-02-03 07:00 247112 ----a-w- c:\windows\system32\rovalogn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\NetInst\NiAMH.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSyncU.exe]
2007-07-17 10:03 868352 ------w- c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
2009-06-25 13:12 1414144 ----a-w- c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-03-09 03:19 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2008-04-01 18:49 36352 ----a-w- c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"rpcapd"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"gupdate"=2 (0x2)
"Creative Service for CDROM Access"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"<Firewall Prog ADD>"=
"c:\\Program Files\\UltraVNC\\winvnc.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"<Firewall Port ADD>"=
"5900:TCP"= 5900:TCP:UVNCServer
"2004:TCP"= 2004:TCP:Remedy Benachrichtigungsport

R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2008-07-23 36640]
R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2008-07-23 35456]
R3 FUJ02E3;Fujitsu FUJ02E3 Device Driver;c:\windows\system32\drivers\fuj02e3.sys [2008-10-22 4864]
S2 JuniperAccessService;Juniper Unified Network Service;c:\program files\Common Files\Juniper Networks\JUNS\dsAccessService.exe [2007-07-27 87416]
S2 NiExServ;NetInstall Executive;c:\program files\NetInst\NiExServ.exe [2008-07-23 198136]
S2 ROVA_Srvc;ROVA Service;c:\program files\Quintech\ROVAUpdate\rovasrvc.exe [2008-02-03 128328]
S2 SavRoam;SAVRoam;c:\program files\SAV\SavRoam.exe [2011-01-11 116928]
S2 WNTHW;WNTHW;c:\windows\system32\drivers\WNTHW.SYS [2008-07-23 9176]
S3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\drivers\motfilt.sys [2010-12-27 6016]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-09-13 102448]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\DRIVERS\ewusbdev.sys --> c:\windows\system32\DRIVERS\ewusbdev.sys [?]
S3 kvnet;Kerio Virtual Network Adapter;c:\windows\system32\drivers\kvnet.sys [2009-03-23 29696]
S3 kwflower;Kerio WinRoute Firewall Driver - Lower Layer;c:\windows\system32\DRIVERS\kwflower.sys --> c:\windows\system32\DRIVERS\kwflower.sys [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2010-12-27 19712]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2010-12-27 8320]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2010-12-27 42752]
S3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\drivers\Motousbnet.sys [2010-12-27 23424]
S3 motusbdevice;Motorola USB Dev Driver;c:\windows\system32\drivers\motusbdevice.sys [2010-12-27 9472]
S3 NIAIServ;NetInstall Service;c:\program files\NetInst\NiAiServ.exe [2008-07-23 198136]
S3 ServiceOMC;ServiceOMC;c:\windows\system32\ServiceOMC.exe [2008-08-20 73728]
S3 TF1D091010;TF1D091010;c:\windows\system32\drivers\TF1D091010.sys [2008-02-01 99968]
S4 gupdate;Usługa Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-03-23 136176]

--- Inne Usługi/Sterowniki w Pamięci ---

*Deregistered* - fwdirfog

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{400B22EA-2CC5-4E85-ADD3-F9B1F4AA2ED9}]
2004-08-04 14:00 50176 ----a-w- c:\windows\system32\reg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6760850E-2185-4843-88D0-1E39A98CADAF}]
2007-06-06 07:40 121534 ---ha-w- c:\program files\DaimlerChrysler\PCInfo\User_Icon.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9D3FE31C-4115-4047-A034-63174522646D}]
2007-12-19 09:28 121048 ----a-w- c:\windows\CorporateDesktop.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{AC76BA86-7AD7-1033-7B44-A81200000003}]
2008-04-16 05:54 120724 ----a-w- c:\program files\Adobe\Reader 8.0\Adobe_AcrobatReader_812_ENU_404.EXE
.
Zawartość folderu 'Zaplanowane zadania'

2010-05-26 c:\windows\Tasks\classicftpSevenDaysInit.job
- c:\program files\NCH Software\ClassicFTP\classicftp.exe [2010-05-26 05:33]

2010-10-27 c:\windows\Tasks\classicftpShakeIcon.job
- c:\program files\NCH Software\ClassicFTP\classicftp.exe [2010-05-26 05:33]

2011-01-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-23 09:06]

2011-01-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-23 09:06]
.
.
------- Skan uzupełniający -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: covisint.com
Trusted Zone: ehrportal.eu
Trusted Zone: covisint.com
Trusted Zone: dctss.com
Trusted Zone: dctss.de
Trusted Zone: ehrportal.eu
Trusted Zone: mercedes-benz.t-online.de
Trusted Zone: unimog-extranet.com
Trusted Zone: unimog-extranet.de
.
- - - - USUNIĘTO PUSTE WPISY - - - -

SafeBoot-klmdb.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-25 08:57
Windows 5.1.2600 Service Pack 2 NTFS

skanowanie ukrytych procesów ...

skanowanie ukrytych wpisów autostartu ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DataCardMonitor = c:\program files\blueconnect\DataCardMonitor.exe?p?:\program files\Java\?? ?????0???????????????????????!???????????x???\jre1.5.0_12\?KSWFILE=c:\documents and settings\Administrator\Application Data\SapWorkDir\KSW_Muster.doc?KSWPATH=C:\Documents and Settin

skanowanie ukrytych plików ...

skanowanie pomyślnie ukończone
ukryte pliki: 0

**************************************************************************
.
--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------

- - - - - - - > 'winlogon.exe'(572)
c:\windows\system32\FJWSWNP.dll
c:\windows\system32\PSUWNP.dll
c:\windows\system32\rovalogn.dll
c:\windows\system32\igfxdev.dll
c:\windows\system32\hnetcfg.dll
.
Czas ukończenia: 2011-01-25 08:58:40
ComboFix-quarantined-files.txt 2011-01-25 07:58
ComboFix2.txt 2011-01-14 10:02

Przed: 20 727 185 408 bytes free
Po: 20 755 759 104 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-PLK.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 4898970F9ADDCCF9E7D61E1F60A4B184


I have installed the recovery console.

I have both SP2 and IE6 because of a corporate pre-installed package - even though I have the necessary rights to upgrade them, I have to avoid doing so.
Normally I use Opera, because most pages don't display correctly under IE6 anymore.

I had one problem during the scan. CF said that Symantec AV is running, but I was using safe mode and I'm sure SAV does not run in safe mode.
I double-checked whether it was running and then continued.
An error message popped up but with no text at all; then CF did the scan without any further problems.

After the restart I tried using normal mode, but after boot-up (which took ca. 10 minutes, much longer than usual) 10 IE6 windows popped up instantly - so nothing has changed.
Because I have to use a proxy, all those connections were dropped on it - I don't know where they were going to connect and I prefer not to try to find out.
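
The ComboFix log above lists the machine's autostart locations (the Run keys, the Winlogon Notify packages loaded into winlogon.exe, and AppInit_DLLs). As an added example, not part of this thread and not ComboFix's own code, here is a read-only PowerShell script that re-lists those same locations with built-in cmdlets and marks entries whose image file is missing or unsigned, so a cleaned machine can be re-checked later without a third-party tool. It assumes PowerShell 2.0 or newer and read access to the registry; the function names Get-AutostartEntries and Get-ImagePath are this example's own.

```powershell
# Added example (not from the thread or from ComboFix): re-list the autostart
# locations that the ComboFix log reports, using only built-in cmdlets.
# Read-only; it changes nothing. Assumes PowerShell 2.0+ and registry read access.
# Function names (Get-AutostartEntries, Get-ImagePath) are this example's own.

function Get-AutostartEntries {
    $entries = @()
    # Provider metadata that Get-ItemProperty adds to every result; not registry values.
    $meta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

    # 1. Run keys, the "[...\CurrentVersion\Run]" sections of the log
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($meta -contains $p.Name) { continue }
            $entries += New-Object PSObject -Property @{
                Location = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }

    # 2. Winlogon Notify packages: DLLs loaded into winlogon.exe
    #    (the "[...\winlogon\notify\...]" sections of the log)
    $notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (Test-Path $notify) {
        foreach ($sub in Get-ChildItem -Path $notify) {
            $dll = (Get-ItemProperty -Path $sub.PSPath).DllName
            $entries += New-Object PSObject -Property @{
                Location = $notify; Name = $sub.PSChildName; Command = [string]$dll }
        }
    }

    # 3. AppInit_DLLs: injected into every process that loads user32.dll
    #    (a single path here; the value may also hold a space- or comma-separated list)
    $win = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    $appinit = (Get-ItemProperty -Path $win -ErrorAction SilentlyContinue).AppInit_DLLs
    if ($appinit) {
        $entries += New-Object PSObject -Property @{
            Location = $win; Name = 'AppInit_DLLs'; Command = [string]$appinit }
    }
    return $entries
}

# Extract the image path from a command line such as  "c:\x\y.exe" /arg  or  c:\x\y.exe /arg.
# Bare names (e.g. RTHDCPL.EXE) are resolved via PATH, then system32, as the loader would.
function Get-ImagePath([string]$cmd) {
    $cmd = [Environment]::ExpandEnvironmentVariables($cmd.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        $path = if ($end -gt 1) { $cmd.Substring(1, $end - 1) } else { $cmd.Trim('"') }
    } else {
        $m = [regex]::Match($cmd, '^(.+?\.(exe|dll|sys))(\s|$)', 'IgnoreCase')
        $path = if ($m.Success) { $m.Groups[1].Value } else { $cmd }
    }
    if ($path -and $path -notmatch '[\\/]') {
        $resolved = Get-Command $path -ErrorAction SilentlyContinue
        if ($resolved) {
            $path = $resolved.Definition
        } else {
            $candidate = Join-Path (Join-Path $env:SystemRoot 'system32') $path
            if (Test-Path -LiteralPath $candidate) { $path = $candidate }
        }
    }
    return $path
}

foreach ($e in Get-AutostartEntries) {
    $path = Get-ImagePath $e.Command
    $status = if (-not $path) { 'EMPTY' }
              elseif (-not (Test-Path -LiteralPath $path)) { 'MISSING FILE' }
              else { (Get-AuthenticodeSignature -FilePath $path).Status }   # Valid, NotSigned, ...
    '{0,-12} {1,-24} {2}' -f $status, $e.Name, $path
}
```

A "MISSING FILE" entry is the leftover of something that was deleted but still referenced (worth removing from the key); a "NotSigned" entry is not necessarily bad on a machine with vendor utilities like the ones in this log, but it is the short list to look at first after a cleanup.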

#6 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 25 January 2011 - 03:55 AM

hello

try this for now

Method 2: Microsoft Internet Explorer 6.x Repair for Windows XP

•From the Start menu, select Search, select All Files and Folders.
•Select More Advanced Options and place a checkmark beside Search Hidden Files and Folders option.
•Ensure that Search System Folders and Search Subfolders are also checked.
•In the All or Part of the File Name box, type ie.inf
•In the Look In drop-down menu, select C: or the letter of the hard drive that contains the Windows folder.
•Click the Search button.
•In the search results pane, find the ie.inf file located in Windows\Inf folder.
•Right click the ie.inf file and click Install on the context menu.
•Reboot the computer when the file copy process is complete.


gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 kenia84
  • Topic Starter
  • Members
  • 8 posts

Posted 25 January 2011 - 06:15 AM

I ran ie.inf, copied most of the files from the WinXP CD except one (iedw.exe, I took it from Program Files on the HDD).
Didn't help, still sluggish boot and multiple IE windows popping up at once.

#8 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 25 January 2011 - 11:38 AM

hello

ok now go to this page and follow all the instructions there

http://www.malwarehelp.org/how-to-reset-internet-explorer-6-to.html


gringo

#9 kenia84
  • Topic Starter
  • Members
  • 8 posts

Posted 26 January 2011 - 02:53 AM

Hi Gringo

I did everything as described in the reset manual but nothing changed.
There is one thing which is not exactly as written in the manual: some functions might be greyed out because they're locked by registry settings, not because they're set to default.

I know how it works because I've once tried to lock "proxy settings" in IE and I did it; I even have a script to do so.

I'm almost sure that the "security" tab in my version of IE is locked, so I wasn't able to apply all settings.
Yesterday a new IE8 package was approved - maybe I can try installing it?
Still, I'm not sure if it overrides all previous IE6 settings, so it might not really help.

EDIT: This problem might be connected with Skype; I did a little research and found out that this problem occurs when Skype connects to its server.

Edited by kenia84, 26 January 2011 - 03:35 AM.
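
Post #9 suspects that Internet Options pages are greyed out because a registry policy locks them, not because they are at defaults. As an added example (not kenia84's script and not from the thread), this read-only PowerShell snippet lists the Internet Explorer Control Panel restrictions set under the machine and user Policies keys. The value names are the ones the Internet Explorer policy templates write (Proxy, SecurityTab and the other page switches); the function name Get-IEPolicyLocks is this example's own. A non-zero value means that page or control is disabled by policy, and since Group Policy writes these same values, a lock pushed from the domain shows up here too.

```powershell
# Added example (not the thread's or kenia84's script): list Internet Explorer
# "Internet Options" pages and controls that are disabled by policy, which is why
# they appear greyed out even after a reset. Read-only. Assumes PowerShell 2.0+.
# Function name Get-IEPolicyLocks is this example's own.

function Get-IEPolicyLocks {
    # Machine policy takes precedence over user policy; both are checked.
    $policyKeys = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel',
        'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'
    )
    # Registry value name -> the policy template setting it corresponds to.
    # A non-zero DWORD means the page or control is locked.
    $restrictions = @{
        'Proxy'               = 'Disable changing proxy settings'
        'Connection Settings' = 'Disable changing connection settings'
        'HomePage'            = 'Disable changing home page settings'
        'GeneralTab'          = 'Disable the General page'
        'SecurityTab'         = 'Disable the Security page'
        'PrivacyTab'          = 'Disable the Privacy page'
        'ContentTab'          = 'Disable the Content page'
        'ConnectionsTab'      = 'Disable the Connections page'
        'ProgramsTab'         = 'Disable the Programs page'
        'AdvancedTab'         = 'Disable the Advanced page'
    }

    $locks = @()
    foreach ($key in $policyKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $restrictions.Keys) {
            $value = $props.$name          # dynamic member access works for names with spaces
            if ($value -ne $null -and [int]$value -ne 0) {
                $locks += New-Object PSObject -Property @{
                    Scope  = $(if ($key -like 'HKLM:*') { 'Machine' } else { 'User' })
                    Value  = $name
                    Policy = $restrictions[$name]
                }
            }
        }
    }
    return $locks
}

# @() keeps a single result as an array so .Count is reliable on PowerShell 2.0.
$locks = @(Get-IEPolicyLocks)
if ($locks.Count -eq 0) {
    'No Internet Options restrictions are set by policy.'
} else {
    $locks | Format-Table Scope, Value, Policy -AutoSize
}
```

If the Security page shows up here with Scope = Machine, the reset procedure cannot apply zone settings through the UI on that account; the lock is administrative, not a symptom of the infection, and the setting has to be changed by whoever owns the policy.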


#10 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 26 January 2011 - 08:49 AM

Hello

Yesterday new IE8 package was approved - maybe i can try installing it?
Yes, even if it is not the problem, it is very much needed for the security of the computer.


What about SP3, has it been approved?


Gringo

#11 kenia84
  • Topic Starter
  • Members
  • 8 posts

Posted 26 January 2011 - 10:40 AM

Hello

As far as I know, my company does not plan to implement SP3 for XP - they'll switch to Win7 instead.
I can try to upgrade IE, but I'm not sure if I can run NetInstall in safe mode - if not, I'll run the pure MS version.

#12 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 26 January 2011 - 12:05 PM

Ok upgrade IE and see what we get


Gringo

#13 kenia84
  • Topic Starter
  • Members
  • 8 posts

Posted 27 January 2011 - 03:15 AM

Hey Gringo

It seems that the upgrade did work out, no more overwhelming popups from IE.
Thanks for your help

#14 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 27 January 2011 - 09:15 AM

I understand you have restrictions, so do what you can below and send me the reports when you can.



Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

1. click on start
2. then go to settings
3. after that you need control panel
4. look for the icon add/remove programs
click on the following programs

Adobe Reader 8.1.2
Java 2 Runtime Environment, SE v1.4.2_15
Java™ 6 Update 7


and click on remove

Update Adobe Reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader(7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing FoxitReader, be careful not to install anything to do with AskBar.
Your Java is out of date.

It can be updated by the Java control panel
  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup) -> Update Tab -> Update Now.
  • An update should begin;
  • follow the prompts

Clear your Java Cache

  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo


#15 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 30 January 2011 - 02:55 AM

Hello

three day bump

It has been three days since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo



