
Trojan\TDL3Mem-B infection on ntdll.dll


  • This topic is locked
9 replies to this topic

#1 putnik

putnik

  • Members
  • 5 posts

Posted 21 February 2011 - 08:55 AM

Hello and thank you in advance for your assistance,

1) I scanned my computer with the Sophos 9.5 package. It detected 3 Troj/TDL3Mem-B viruses:

C:\Windows\System32\ntdll.dll:pid:00000d74 infected with Troj/TDL3Mem-B
C:\Windows\System32\ntdll.dll:pid:000001c4 infected with Troj/TDL3Mem-B
C:\Windows\System32\ntdll.dll:pid:000006c0 infected with Troj/TDL3Mem-B

2) Scanning only gets to 2% and then hangs there. I tried to do a full scan (for viruses and spyware) and it hung at 2% for a whole night at "scaning drive, physicaldrive0". Then I unticked all spyware/PUA and now it is hanging again at 2% at "registry scanning". It finds Troj/TDL3Mem-B before it starts hanging.

3) When I start my computer, I get the message (which may not be part of the problem): "Title has encountered a problem and needs to close"


4) I prepared DDS and GMER logs according to the instructions in this forum, and am sending/attaching them as advised:

DDS.txt:


DDS (Ver_10-12-12.02) - NTFSx86
Run by user at 13:16:39.00 on 21/02/2011
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.3.1252.353.1033.18.1790.929 [GMT 0:00]

AV: Sophos Anti-Virus *Enabled/Updated* {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Samsung\Samsung EDS\EDSAgent.exe
C:\Program Files\NETGEAR\Stora Desktop Applications\HipServAgent\HipServAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAME.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAME.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Sophos\Remote Management System\RouterNT.exe
C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Mozilla Firefox\firefox.exe
E:\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://flvdirect.iamwired.net/
uSearch Page = hxxp://search.live.com
uSearch Bar = hxxp://search.live.com/sphome.aspx
mDefault_Page_URL = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
mSearchAssistant = hxxp://search.live.com/sphome.aspx
uURLSearchHooks: Softonic-Eng7 Toolbar: {414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3} -
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
BHO: Sophos Web Content Scanner: {39ea7695-b3f2-4c44-a4bc-297ada8fd235} - c:\program files\sophos\sophos anti-virus\SophosBHO.dll
BHO: {414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3} - Softonic-Eng7 Toolbar
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Softonic-Eng7 Toolbar: {414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3} -
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [EPSON Stylus Photo RX640 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatiame.exe /fu "c:\windows\temp\E_S65.tmp" /EF "HKCU"
uRun: [SystemStartup] c:\documents and settings\user\local settings\temp\krapapa.exe
uRun: [\\192.168.1.50\Stora] c:\windows\system32\spool\drivers\w32x86\3\e_fatiame.exe /fu "c:\windows\temp\E_S21.tmp" /EF "HKCU"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [DMHotKey] c:\program files\samsung\easy display manager\DMLoader.exe
mRun: [EDS] c:\program files\samsung\samsung eds\EDSAgent.exe
mRun: [EPSON Stylus Photo RX640 Series (Copy 1)] c:\windows\system32\spool\drivers\w32x86\3\E_FATIAME.EXE /P40 "EPSON Stylus Photo RX640 Series (Copy 1)" /O6 "USB001" /M "Stylus Photo RX640"
mRun: [HipServ Agent] c:\program files\netgear\stora desktop applications\hipservagent\HipServAgent.exe
mRun: [Sophos AutoUpdate Monitor] c:\program files\sophos\autoupdate\almon.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\colorv~1.lnk - c:\program files\colorvision\utility\ColorVisionStartup.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} - hxxp://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/PhtPkMSN.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/Optimize3/pcpitstop2.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\progra~1\sophos\sophos~1\SOPHOS~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\ngtks8rm.default\
FF - prefs.js: browser.search.defaulturl - hxxp://flvdirect.iamwired.net/websearch.php?src=tops&search=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.ucd.ie/geophysics/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - component: c:\documents and settings\user\application data\mozilla\firefox\profiles\ngtks8rm.default\extensions\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\user\application data\mozilla\firefox\profiles\ngtks8rm.default\extensions\{e7f7b7dc-7dec-4e84-9a87-ece02e8a160a}\components\RadioWMPCoreGecko19.dll
FF - component: c:\documents and settings\user\application data\mozilla\firefox\profiles\ngtks8rm.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll
FF - component: c:\program files\nokia\nokia pc suite 7\bkmrksync\components\BkMrkExt.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npcosmop211.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - plugin: c:\program files\sony\media go\npmediago.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: PC Sync 2 Synchronisation Extension: bkmrksync@nokia.com - c:\program files\nokia\nokia pc suite 7\bkmrksync
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Softonic-Eng7 Toolbar: {414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3} - %profile%\extensions\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}
FF - Ext: vShare Plugin: vshare@toolbar - %profile%\extensions\vshare@toolbar
FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
FF - Ext: TranslatorBar 3.3 Community Toolbar: {e7f7b7dc-7dec-4e84-9a87-ece02e8a160a} - %profile%\extensions\{e7f7b7dc-7dec-4e84-9a87-ece02e8a160a}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: uTorrentBar Community Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - %profile%\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-12-24 64288]
R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [2011-2-20 153344]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [2011-2-20 24064]
R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [2008-11-24 4300]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\sophos\sophos anti-virus\SAVAdminService.exe [2011-2-21 163056]
R2 SAVService;Sophos Anti-Virus;c:\program files\sophos\sophos anti-virus\SavService.exe [2011-2-21 97520]
R2 Sophos Agent;Sophos Agent;c:\program files\sophos\remote management system\ManagementAgentNT.exe [2011-2-21 282624]
R2 Sophos AutoUpdate Service;Sophos AutoUpdate Service;c:\program files\sophos\autoupdate\ALsvc.exe [2010-9-30 230640]
R2 Sophos Message Router;Sophos Message Router;c:\program files\sophos\remote management system\RouterNT.exe [2011-2-21 806912]
R2 swi_service;Sophos Web Intelligence Service;c:\program files\sophos\sophos anti-virus\web intelligence\swi_service.exe [2011-2-21 1541360]
R2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32mpcoinst,serviceStartProc --> RUNDLL32.EXE ykx32mpcoinst,serviceStartProc [?]
S2 BitKinex;BitKinex File Transfer Service; [x]
S2 SSHNAS;SSHNAS;c:\windows\system32\svchost.exe -k netsvcs [2002-9-3 14336]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-8-10 1684736]
S3 DNSeFilter;DNSeFilter;c:\windows\system32\drivers\SamsungEDS.SYS [2008-1-14 30208]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2010-2-13 36608]
S3 Lavasoft Kernexplorer;Lavasoft helper driver; [x]
S3 s0017bus;Sony Ericsson Device 0017 driver (WDM);c:\windows\system32\drivers\s0017bus.sys [2010-2-24 86824]
S3 s0017mdfl;Sony Ericsson Device 0017 USB WMC Modem Filter;c:\windows\system32\drivers\s0017mdfl.sys [2010-2-24 15016]
S3 s0017mdm;Sony Ericsson Device 0017 USB WMC Modem Driver;c:\windows\system32\drivers\s0017mdm.sys [2010-2-24 114600]
S3 s0017mgmt;Sony Ericsson Device 0017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0017mgmt.sys [2010-2-24 108328]
S3 s0017nd5;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (NDIS);c:\windows\system32\drivers\s0017nd5.sys [2010-2-24 26024]
S3 s0017obex;Sony Ericsson Device 0017 USB WMC OBEX Interface;c:\windows\system32\drivers\s0017obex.sys [2010-2-24 104616]
S3 s0017unic;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (WDM);c:\windows\system32\drivers\s0017unic.sys [2010-2-24 109736]
S3 sdcfilter;sdcfilter;c:\windows\system32\drivers\sdcfilter.sys [2011-2-21 23928]
S4 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2010-2-13 233472]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-10-28 136176]
S4 OMSI download service;Sony Ericsson OMSI download service;c:\program files\sony ericsson\sony ericsson pc suite\SupServ.exe [2010-2-24 90112]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2011-2-21 14976]

=============== Created Last 30 ================

2011-02-21 11:34:42 131824 ----a-w- c:\windows\system32\sdccoinstaller.dll
2011-02-21 11:34:32 -------- d-----w- c:\docume~1\alluse~1\applic~1\Sophos Web Intelligence
2011-02-21 11:33:54 -------- d-----w- c:\program files\common files\Cisco Systems
2011-02-21 11:33:48 28912 ----a-w- c:\windows\system32\SophosBootTasks.exe
2011-02-21 11:32:21 14976 ----a-w- c:\windows\system32\drivers\SophosBootDriver.sys
2011-02-21 11:32:15 23928 ----a-w- c:\windows\system32\drivers\sdcfilter.sys
2011-02-21 11:31:11 -------- d-----w- c:\program files\Sophos
2011-02-21 11:30:53 -------- d-----w- C:\SAVSCFXP
2011-02-20 19:58:13 24064 ----a-w- c:\windows\system32\drivers\savonaccessfilter.sys
2011-02-20 19:57:54 153344 ----a-w- c:\windows\system32\drivers\savonaccesscontrol.sys
2011-02-18 15:13:41 -------- d-----w- c:\program files\TuneUpMedia
2011-02-18 15:13:24 -------- d-----w- c:\docume~1\user\applic~1\TuneUpMedia
2011-02-18 15:13:10 -------- d-----w- c:\docume~1\alluse~1\applic~1\TuneUpMedia
2011-02-15 10:24:24 30016 ----a-w- c:\windows\system32\uxt5.tmp
2011-02-15 10:24:01 -------- d-----w- c:\program files\TuneUp Utilities 2010
2011-02-15 10:23:19 -------- d-sh--w- c:\docume~1\alluse~1\applic~1\{D3742F82-1C1A-4DCC-ABBD-0E7C3C0185CC}
2011-02-14 23:19:08 -------- d-----w- c:\program files\BitKinex
2011-02-14 14:59:17 -------- d-----w- c:\program files\uTorrent
2011-02-13 21:30:20 -------- d-----w- c:\docume~1\user\applic~1\TuneUp Software
2011-02-13 21:30:13 -------- d-----w- c:\program files\TuneUp Utilities 2011
2011-02-13 21:29:24 -------- d-----w- c:\docume~1\alluse~1\applic~1\TuneUp Software
2011-02-13 21:29:06 -------- d-sh--w- c:\docume~1\alluse~1\applic~1\{24036256-BFDB-4CD3-BE8A-A3D6160F2E16}
2011-02-13 21:17:03 -------- d-----w- c:\docume~1\user\applic~1\tidysongs16
2011-02-12 00:53:57 -------- d-----w- c:\docume~1\user\applic~1\Mp3tag
2011-02-12 00:53:28 -------- d-----w- c:\program files\Mp3tag
2011-02-11 23:56:27 -------- d-----w- c:\program files\iTunes
2011-02-11 23:42:28 -------- d-----w- c:\program files\GoodSync
2011-02-11 21:41:55 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-02-11 21:22:50 -------- d-----w- c:\docume~1\user\applic~1\AVG10
2011-02-11 21:19:11 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
2011-02-11 21:18:12 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
2011-02-11 21:17:45 -------- d-----w- c:\program files\AVG
2011-02-11 21:15:31 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2011-02-11 12:47:15 -------- d-----w- c:\program files\MSECache
2011-02-09 23:15:29 -------- d-----w- c:\docume~1\user\applic~1\CloneSpy
2011-02-09 23:15:17 -------- d-----w- c:\program files\CloneSpy
2011-02-09 23:12:33 -------- d-----w- c:\docume~1\user\locals~1\applic~1\DuplicateCleaner
2011-02-09 23:12:19 -------- d-----w- c:\program files\Duplicate Cleaner
2011-02-09 14:20:19 -------- d-----w- c:\docume~1\user\locals~1\applic~1\SmartSync Software
2011-02-09 13:40:22 -------- d-----w- c:\program files\SmartSync Software
2011-02-09 13:39:50 -------- d-----w- c:\program files\Allway Sync
2011-02-09 12:46:54 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-02-09 12:46:54 -------- d-----w- c:\windows\system32\wbem\Repository
2011-02-09 12:45:34 -------- d-----w- c:\program files\MagicDVDCopier
2011-02-09 12:38:44 -------- d-----w- c:\program files\PC Connectivity Solution
2011-02-09 12:38:39 -------- d-----w- c:\program files\ConduitEngine
2011-02-09 12:38:39 -------- d-----w- c:\docume~1\user\locals~1\applic~1\ConduitEngine
2011-02-09 12:38:37 -------- d-----w- c:\docume~1\user\locals~1\applic~1\Softonic-Eng7
2011-02-09 12:38:35 -------- d-----w- c:\program files\RealVNC
2011-02-09 12:38:02 -------- d-----w- c:\program files\Conduit
2011-02-09 01:33:11 -------- d-----w- c:\program files\ConduitEngine(2)
2011-02-08 22:19:37 -------- d-----w- c:\docume~1\alluse~1\applic~1\GoodSync
2011-02-08 22:19:29 -------- d-----w- c:\docume~1\user\applic~1\GoodSync
2011-02-08 22:19:17 -------- d-----w- c:\program files\Siber Systems
2011-02-08 02:33:33 -------- d-----w- c:\docume~1\alluse~1\applic~1\SmartSync Software
2011-02-08 01:09:31 -------- d-sh--w- C:\RECYCLER(2)
2011-02-07 20:49:23 -------- d-----w- c:\docume~1\alluse~1\applic~1\Sync App Settings
2011-02-06 10:20:24 -------- d-----w- c:\program files\MagicDVDCopier(2)
2011-02-05 14:06:02 -------- d-----w- c:\docume~1\user\applic~1\DesktopMirror
2011-02-04 22:48:27 -------- d-----w- c:\program files\NETGEAR
2011-02-04 22:47:23 -------- d-----w- c:\docume~1\user\locals~1\applic~1\{E3979175-E95F-4825-8578-0FDE82F0F253}
2011-02-02 01:41:48 -------- d-----w- c:\program files\common files\PCSuite
2011-02-02 01:41:45 -------- d-----w- c:\program files\common files\Nokia
2011-02-02 01:40:02 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys

==================== Find3M ====================

2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 22:15:52 667136 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 22:15:52 61952 ----a-w- c:\windows\system32\tdc.ocx
2010-12-20 22:15:51 81920 ------w- c:\windows\system32\ieencode.dll
2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 15:30:29 369664 ------w- c:\windows\system32\html.iec
2010-12-09 15:15:09 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30:22 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:42:26 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07:07 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-11-29 17:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 17:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-28 17:43:15 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
2008-04-15 09:58:44 188918 ----a-w- c:\program files\common files\IssProc.dll

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: FUJITSU_MHZ2320BH_G2 rev.00000009 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskFUJITSU_MHZ2320BH_G2____________________00000009#5&20d99448&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A9D057B
user & kernel MBR OK

============= FINISH: 13:22:36.90 ===============




I would really appreciate it if you could help me with removing TDL3 from my computer, as I use it for online banking, paying etc.
Thank you in advance and best regards

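A small triage script over the kind of lines in the logs above, added here as an example and not part of the original post or of DDS, Sophos or GMER. It assumes that the eight hex digits after `:pid:` in a Sophos memory detection are the process ID (so the detection points at ntdll.dll as loaded in that process rather than at the file on disk, which the Find3M section lists with a normal date and size), flags autostart entries that launch from user-writable Temp/Application Data folders (the `krapapa.exe` entry in the log), and lists services hosted under `svchost.exe -k netsvcs` (such as `SSHNAS`) for manual review of their ServiceDll. The lines in `SAMPLE_LOG` are copied from the post; the regular expressions are my own approximation of the DDS line formats and will need adjusting for other report layouts.

```python
"""Heuristic triage of DDS / Sophos scan output (added example, not DDS or Sophos code)."""
import re
from dataclasses import dataclass

# Sample taken from the log lines pasted in the post above (constructed subset).
SAMPLE_LOG = """\
C:\\Windows\\System32\\ntdll.dll:pid:00000d74 infected with Troj/TDL3Mem-B
C:\\Windows\\System32\\ntdll.dll:pid:000001c4 infected with Troj/TDL3Mem-B
uRun: [CTFMON.EXE] c:\\windows\\system32\\ctfmon.exe
uRun: [SystemStartup] c:\\documents and settings\\user\\local settings\\temp\\krapapa.exe
mRun: [SynTPEnh] c:\\program files\\synaptics\\syntp\\SynTPEnh.exe
S2 SSHNAS;SSHNAS;c:\\windows\\system32\\svchost.exe -k netsvcs [2002-9-3 14336]
R2 SAVService;Sophos Anti-Virus;c:\\program files\\sophos\\sophos anti-virus\\SavService.exe [2011-2-21 97520]
"""

# Sophos memory detection: "<path>:pid:<8 hex digits> infected with <name>"
# (assumption: the hex field is the process ID of the process whose memory was flagged)
MEM_DETECT = re.compile(r"^(?P<path>.+?):pid:(?P<pid>[0-9a-fA-F]{8}) infected with (?P<name>\S+)$")
# DDS autostart entry: "uRun: [label] command"  (u = current user, m = machine, d = default user)
RUN_ENTRY = re.compile(r"^(?P<hive>[umd])Run: \[(?P<label>[^\]]*)\] (?P<cmd>.+)$")
# DDS service/driver line: "R2 Name;Display name;binary [date size]"
SERVICE = re.compile(r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<bin>.+?)(?: \[(?P<meta>[^\]]*)\])?$")

# Locations a legitimate autostart entry rarely runs from; all user-writable.
USER_WRITABLE_DIRS = ("\\local settings\\temp\\", "\\application data\\", "\\temp\\")


@dataclass
class Finding:
    kind: str
    detail: str


def hex_pid(text):
    """Convert the zero-padded hex PID from a Sophos detection line to an int."""
    return int(text, 16)


def triage(log_text):
    """Walk the log once and return the findings a helper would want to look at first."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = MEM_DETECT.match(line)
        if m:
            findings.append(Finding("memory_detection",
                                    f"{m['name']} in pid {hex_pid(m['pid'])} ({m['path']})"))
            continue
        m = RUN_ENTRY.match(line)
        if m:
            cmd = m["cmd"].lower()
            if any(d in cmd for d in USER_WRITABLE_DIRS):
                findings.append(Finding("autostart_from_user_dir", f"[{m['label']}] {m['cmd']}"))
            continue
        m = SERVICE.match(line)
        if m and "svchost.exe -k netsvcs" in m["bin"].lower():
            # The real code lives in the ServiceDll registry value, not in svchost.exe,
            # so the entry cannot be judged from this line alone; list it for review.
            findings.append(Finding("svchost_hosted_service", f"{m['name']} ({m['display']})"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:26} {f.detail}")
```

Running it on the sample prints the two memory detections with decimal PIDs, the Temp-folder autostart, and the netsvcs-hosted SSHNAS service; the last two are exactly the items ComboFix later removed in this thread.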




#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 21 February 2011 - 03:52 PM

Good evening. :)

Take a trip to this webpage for download links and instructions for running Combofix by sUBs: http://www.bleepingcomputer.com/combofix/how-to-use-combofix *

  • When prompted to save Combofix, change the filename BEFORE saving it - any name will do, as long as it has .exe at the end.
  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste
  • Let me know how the PC is behaving.
* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of its removal tasks without the installation of the Console, so you are free to choose whether you want to complete this step, but it is in your interests to do so.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for!

So long, and thanks for all the fish.



#3 putnik

putnik
  • Topic Starter

  • Members
  • 5 posts

Posted 21 February 2011 - 07:03 PM

Hi Noviciate,

Thanks for your quick reply. I followed your instructions and Combofix apparently removed a rootkit it found. My computer behaves fine so far.
The log is attached below. Thanks a million for the help.

ComboFix 11-02-20.03 - user 21/02/2011 23:40:45.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.353.1033.18.1790.1315 [GMT 0:00]
Running from: c:\documents and settings\user\Desktop\game.exe
AV: Sophos Anti-Virus *Disabled/Updated* {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\hpe5F.dll
c:\documents and settings\All Users\Application Data\Zwunzi
c:\documents and settings\All Users\Start Menu\Programs\RelevantKnowledge
c:\documents and settings\All Users\Start Menu\Programs\RelevantKnowledge\About RelevantKnowledge.lnk
c:\documents and settings\All Users\Start Menu\Programs\RelevantKnowledge\Privacy Policy and User License Agreement.lnk
c:\documents and settings\All Users\Start Menu\Programs\RelevantKnowledge\Support.lnk
c:\documents and settings\user\Application Data\data.dat
c:\documents and settings\user\Application Data\inst.exe
c:\documents and settings\user\Application Data\local.exe
c:\documents and settings\user\Application Data\PriceGong
c:\documents and settings\user\Application Data\PriceGong\Data\1.xml
c:\documents and settings\user\Application Data\PriceGong\Data\a.xml
c:\documents and settings\user\Application Data\PriceGong\Data\b.xml
c:\documents and settings\user\Application Data\PriceGong\Data\c.xml
c:\documents and settings\user\Application Data\PriceGong\Data\d.xml
c:\documents and settings\user\Application Data\PriceGong\Data\e.xml
c:\documents and settings\user\Application Data\PriceGong\Data\f.xml
c:\documents and settings\user\Application Data\PriceGong\Data\g.xml
c:\documents and settings\user\Application Data\PriceGong\Data\h.xml
c:\documents and settings\user\Application Data\PriceGong\Data\i.xml
c:\documents and settings\user\Application Data\PriceGong\Data\J.xml
c:\documents and settings\user\Application Data\PriceGong\Data\k.xml
c:\documents and settings\user\Application Data\PriceGong\Data\l.xml
c:\documents and settings\user\Application Data\PriceGong\Data\m.xml
c:\documents and settings\user\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\user\Application Data\PriceGong\Data\n.xml
c:\documents and settings\user\Application Data\PriceGong\Data\o.xml
c:\documents and settings\user\Application Data\PriceGong\Data\p.xml
c:\documents and settings\user\Application Data\PriceGong\Data\q.xml
c:\documents and settings\user\Application Data\PriceGong\Data\r.xml
c:\documents and settings\user\Application Data\PriceGong\Data\s.xml
c:\documents and settings\user\Application Data\PriceGong\Data\t.xml
c:\documents and settings\user\Application Data\PriceGong\Data\u.xml
c:\documents and settings\user\Application Data\PriceGong\Data\v.xml
c:\documents and settings\user\Application Data\PriceGong\Data\w.xml
c:\documents and settings\user\Application Data\PriceGong\Data\x.xml
c:\documents and settings\user\Application Data\PriceGong\Data\y.xml
c:\documents and settings\user\Application Data\PriceGong\Data\z.xml
c:\documents and settings\user\Application Data\PrivacyControl
c:\documents and settings\user\Application Data\PrivacyControl\Log\2009 Dec 14 - 01_49_53 AM_062.log
c:\documents and settings\user\Application Data\PrivacyControl\Log\2009 Dec 14 - 01_49_54 AM_890.log
c:\documents and settings\user\Application Data\PrivacyControl\Log\2009 Dec 14 - 01_49_55 AM_359.log
c:\documents and settings\user\Application Data\PrivacyControl\Log\2009 Dec 14 - 01_50_12 AM_156.log
c:\documents and settings\user\Application Data\PrivacyControl\Log\2009 Dec 14 - 01_50_12 AM_421.log
c:\documents and settings\user\Application Data\PrivacyControl\Log\2009 Dec 14 - 02_05_48 AM_171.log
c:\documents and settings\user\Application Data\PrivacyControl\Settings\CustomScan.stg
c:\documents and settings\user\Application Data\PrivacyControl\Settings\IgnoreList.stg
c:\documents and settings\user\Application Data\PrivacyControl\Settings\ScanInfo.stg
c:\documents and settings\user\Application Data\PrivacyControl\Settings\SelectedFolders.stg
c:\documents and settings\user\Application Data\PrivacyControl\Settings\Settings.stg
c:\documents and settings\user\Application Data\upgrader.exe
c:\documents and settings\user\g2mdlhlpx.exe
c:\program files\PrivacyControl
c:\program files\PrivacyControl\File_ID.Diz
c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAME.exe
c:\windows\system32\twunk_32.exe

.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SSHNAS
-------\Legacy_ZWUNZI_SERVICE
-------\Service_SSHNAS


((((((((((((((((((((((((( Files Created from 2011-01-21 to 2011-02-21 )))))))))))))))))))))))))))))))
.

2011-02-21 23:26 . 2011-02-21 23:26 -------- d-----w- C:\32788R22FWJFW
2011-02-21 11:34 . 2011-02-21 11:32 131824 ----a-w- c:\windows\system32\sdccoinstaller.dll
2011-02-21 11:34 . 2011-02-21 11:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Sophos Web Intelligence
2011-02-21 11:33 . 2011-02-21 11:33 -------- d-----w- c:\program files\Common Files\Cisco Systems
2011-02-21 11:33 . 2011-02-21 11:32 28912 ----a-w- c:\windows\system32\SophosBootTasks.exe
2011-02-21 11:32 . 2011-02-21 11:32 14976 ----a-w- c:\windows\system32\drivers\SophosBootDriver.sys
2011-02-21 11:32 . 2011-02-21 11:32 23928 ----a-w- c:\windows\system32\drivers\sdcfilter.sys
2011-02-21 11:31 . 2011-02-21 11:31 -------- d-----w- c:\program files\Sophos
2011-02-21 11:30 . 2011-02-02 12:42 -------- d-----w- C:\SAVSCFXP
2011-02-20 19:58 . 2011-02-21 11:32 24064 ----a-w- c:\windows\system32\drivers\savonaccessfilter.sys
2011-02-20 19:57 . 2011-02-21 11:32 153344 ----a-w- c:\windows\system32\drivers\savonaccesscontrol.sys
2011-02-18 15:13 . 2011-02-18 15:14 -------- d-----w- c:\program files\TuneUpMedia
2011-02-18 15:13 . 2011-02-19 13:14 -------- d-----w- c:\documents and settings\user\Application Data\TuneUpMedia
2011-02-18 15:13 . 2011-02-21 12:15 -------- d-----w- c:\documents and settings\All Users\Application Data\TuneUpMedia
2011-02-15 12:00 . 2011-02-15 12:00 -------- d-----w- c:\documents and settings\LocalService\Application Data\TuneUp Software
2011-02-15 10:24 . 2010-09-30 15:09 30016 ----a-w- c:\windows\system32\uxt5.tmp
2011-02-15 10:24 . 2011-02-17 21:11 -------- d-----w- c:\program files\TuneUp Utilities 2010
2011-02-15 10:23 . 2011-02-15 10:23 -------- d-sh--w- c:\documents and settings\All Users\Application Data\{D3742F82-1C1A-4DCC-ABBD-0E7C3C0185CC}
2011-02-14 23:19 . 2011-02-14 23:28 -------- d-----w- c:\program files\BitKinex
2011-02-14 14:59 . 2011-02-14 14:59 -------- d-----w- c:\program files\uTorrent
2011-02-13 21:30 . 2011-02-13 21:30 -------- d-----w- c:\documents and settings\user\Application Data\TuneUp Software
2011-02-13 21:30 . 2011-02-14 21:40 -------- d-----w- c:\program files\TuneUp Utilities 2011
2011-02-13 21:29 . 2011-02-15 10:23 -------- d-----w- c:\documents and settings\All Users\Application Data\TuneUp Software
2011-02-13 21:29 . 2011-02-13 21:29 -------- d-sh--w- c:\documents and settings\All Users\Application Data\{24036256-BFDB-4CD3-BE8A-A3D6160F2E16}
2011-02-13 21:17 . 2011-02-13 21:17 -------- d-----w- c:\documents and settings\user\Application Data\tidysongs16
2011-02-12 00:53 . 2011-02-12 00:58 -------- d-----w- c:\documents and settings\user\Application Data\Mp3tag
2011-02-12 00:53 . 2011-02-12 00:53 -------- d-----w- c:\program files\Mp3tag
2011-02-11 23:56 . 2011-02-14 22:58 -------- d-----w- c:\program files\iTunes
2011-02-11 23:42 . 2011-02-11 23:42 -------- d-----w- c:\program files\GoodSync
2011-02-11 21:41 . 2011-02-11 21:41 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-02-11 21:22 . 2011-02-11 21:22 -------- d-----w- c:\documents and settings\user\Application Data\AVG10
2011-02-11 21:19 . 2011-02-11 21:19 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-02-11 21:18 . 2011-02-11 21:50 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2011-02-11 21:17 . 2011-02-11 21:17 -------- d-----w- c:\program files\AVG
2011-02-11 21:15 . 2011-02-11 21:17 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-02-11 12:47 . 2011-02-11 12:47 -------- d-----w- c:\program files\MSECache
2011-02-09 23:15 . 2011-02-09 23:26 -------- d-----w- c:\documents and settings\user\Application Data\CloneSpy
2011-02-09 23:15 . 2011-02-09 23:15 -------- d-----w- c:\program files\CloneSpy
2011-02-09 23:12 . 2011-02-09 23:58 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\DuplicateCleaner
2011-02-09 23:12 . 2011-02-09 23:12 -------- d-----w- c:\program files\Duplicate Cleaner
2011-02-09 14:20 . 2011-02-09 14:20 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\SmartSync Software
2011-02-09 13:40 . 2011-02-15 11:55 -------- d-----w- c:\program files\SmartSync Software
2011-02-09 13:39 . 2011-02-15 11:39 -------- d-----w- c:\program files\Allway Sync
2011-02-09 12:46 . 2011-02-09 12:46 -------- d-----w- c:\windows\system32\wbem\Repository
2011-02-09 12:45 . 2011-02-09 12:45 -------- d-----w- c:\program files\MagicDVDCopier
2011-02-09 12:38 . 2011-02-09 12:38 -------- d-----w- c:\program files\Microsoft Silverlight
2011-02-09 12:38 . 2011-02-09 12:38 -------- d-----w- c:\program files\PC Connectivity Solution
2011-02-09 12:38 . 2011-02-09 12:38 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\ConduitEngine
2011-02-09 12:38 . 2011-02-09 12:38 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\Softonic-Eng7
2011-02-09 12:38 . 2011-02-09 12:38 -------- d-----w- c:\program files\RealVNC
2011-02-09 12:38 . 2011-02-09 12:38 -------- d-----w- c:\program files\Conduit
2011-02-08 22:19 . 2011-02-08 22:19 -------- d-----w- c:\documents and settings\All Users\Application Data\GoodSync
2011-02-08 22:19 . 2011-02-20 19:23 -------- d-----w- c:\documents and settings\user\Application Data\GoodSync
2011-02-08 22:19 . 2011-02-08 22:19 -------- d-----w- c:\program files\Siber Systems
2011-02-08 02:33 . 2011-02-08 02:33 -------- d-----w- c:\documents and settings\All Users\Application Data\SmartSync Software
2011-02-08 01:09 . 2011-02-09 12:41 -------- d-----w- C:\RECYCLER(2)
2011-02-07 23:54 . 2011-02-07 23:54 -------- d-----w- c:\program files\Microsoft Sync Framework
2011-02-07 20:49 . 2011-02-07 20:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Sync App Settings
2011-02-05 14:06 . 2011-02-05 14:06 -------- d-----w- c:\documents and settings\user\Application Data\DesktopMirror
2011-02-04 22:48 . 2011-02-04 22:48 -------- d-----w- c:\program files\NETGEAR
2011-02-04 22:47 . 2011-02-04 22:47 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\{E3979175-E95F-4825-8578-0FDE82F0F253}
2011-02-02 01:41 . 2011-02-02 01:41 -------- d-----w- c:\program files\Common Files\PCSuite
2011-02-02 01:41 . 2011-02-02 01:41 -------- d-----w- c:\program files\Common Files\Nokia
2011-02-02 01:40 . 2008-08-26 09:26 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-21 14:44 . 2002-09-03 19:55 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2002-09-03 19:33 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2002-09-03 20:03 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2002-09-03 19:41 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 22:15 . 2002-09-03 20:03 667136 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 22:15 . 2002-09-03 19:58 61952 ----a-w- c:\windows\system32\tdc.ocx
2010-12-20 22:15 . 2008-11-13 18:42 81920 ------w- c:\windows\system32\ieencode.dll
2010-12-20 17:26 . 2002-09-03 19:42 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 15:30 . 2008-11-13 18:42 369664 ------w- c:\windows\system32\html.iec
2010-12-09 15:15 . 2002-09-03 19:50 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30 . 2002-09-03 19:35 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:42 . 2002-09-03 19:50 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07 . 2002-08-29 01:04 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-11-29 17:38 . 2010-11-29 17:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 17:38 . 2010-11-29 17:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-28 17:43 . 2010-11-28 17:43 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
2008-04-15 09:58 . 2008-11-14 13:23 188918 ----a-w- c:\program files\Common Files\IssProc.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2010-10-18 10:26 3908192 ----a-w- c:\program files\ConduitEngine\ConduitEngine.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-07 761947]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-15 148888]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"RTHDCPL"="RTHDCPL.EXE" [2009-04-17 17880576]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"DMHotKey"="c:\program files\Samsung\Easy Display Manager\DMLoader.exe" [2006-12-27 466944]
"EDS"="c:\program files\Samsung\Samsung EDS\EDSAgent.exe" [2007-12-20 659456]
"HipServ Agent"="c:\program files\NETGEAR\Stora Desktop Applications\HipServAgent\HipServAgent.exe" [2009-12-11 2437376]
"Sophos AutoUpdate Monitor"="c:\program files\Sophos\AutoUpdate\almon.exe" [2010-09-30 439536]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
ColorVisionStartup.lnk - c:\program files\ColorVision\Utility\ColorVisionStartup.exe [2006-1-31 385024]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^user^Start Menu^Programs^Startup^OnlineMeter.lnk]
backup=c:\windows\pss\OnlineMeter.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryBooster

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2008-03-06 14:56 61440 ----a-r- c:\program files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 16:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoStartNPSAgent]
2009-01-22 09:36 98304 ----a-w- c:\program files\Samsung\Samsung New PC Studio\NPSAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-01-25 15:08 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 05:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nikon Transfer Monitor]
2009-09-15 17:47 479232 ----a-w- c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 17:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WinVNC4"=2 (0x2)
"OMSI download service"=2 (0x2)
"Nero BackItUp Scheduler 4.0"=2 (0x2)
"IDriverT"=3 (0x3)
"gusvc"=3 (0x3)
"gupdate"=2 (0x2)
"FsUsbExService"=2 (0x2)
"Bonjour Service"=2 (0x2)
"AgereModemAudio"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\cygwin\\bin\\XWin.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\MATLAB7\\bin\\win32\\MATLAB.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\SSH Communications Security\\SSH Secure Shell\\SshClient.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsasvr.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsvsvr.exe"=
"c:\\Program Files\\Microsoft Office\\Office10\\POWERPNT.EXE"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\RealVNC\\VNC4\\vncviewer.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\EasyChat\\EasyChat.exe"=
"c:\\bin\\rsync.exe"=
"c:\\Program Files\\NETGEAR\\Stora Desktop Applications\\DesktopMirror\\rsync.exe"=
"c:\\Program Files\\NETGEAR\\Stora Desktop Applications\\DesktopMirror\\ssh.exe"=
"c:\\Program Files\\NETGEAR\\Stora Desktop Applications\\QuickConnect\\AxentraPicturesWizard.exe"=
"c:\\Program Files\\NETGEAR\\Stora Desktop Applications\\QuickConnect\\AxentraSmartShortcut.exe"=
"c:\\Program Files\\NETGEAR\\Stora Desktop Applications\\HipServAgent\\HipServAgent.exe"=
"c:\\Program Files\\FileZilla FTP Client\\filezilla.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"55731:TCP"= 55731:TCP:Incoming TCP listen port
"63000:UDP"= 63000:UDP:UDP listen port
"5900:TCP"= 5900:TCP:VNC

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [24/12/2009 01:52 64288]
R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [20/02/2011 19:57 153344]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [20/02/2011 19:58 24064]
R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [24/11/2008 03:41 4300]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [21/02/2011 11:31 163056]
R2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [21/02/2011 11:32 97520]
R2 swi_service;Sophos Web Intelligence Service;c:\program files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe [21/02/2011 11:32 1541360]
R2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32mpcoinst,serviceStartProc --> RUNDLL32.EXE ykx32mpcoinst,serviceStartProc [?]
S2 BitKinex;BitKinex File Transfer Service; [x]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [10/08/2009 20:24 1684736]
S3 DNSeFilter;DNSeFilter;c:\windows\system32\drivers\SamsungEDS.SYS [14/01/2008 19:01 30208]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [13/02/2010 11:53 36608]
S3 Lavasoft Kernexplorer;Lavasoft helper driver; [x]
S3 s0017bus;Sony Ericsson Device 0017 driver (WDM);c:\windows\system32\drivers\s0017bus.sys [24/02/2010 16:00 86824]
S3 s0017mdfl;Sony Ericsson Device 0017 USB WMC Modem Filter;c:\windows\system32\drivers\s0017mdfl.sys [24/02/2010 16:00 15016]
S3 s0017mdm;Sony Ericsson Device 0017 USB WMC Modem Driver;c:\windows\system32\drivers\s0017mdm.sys [24/02/2010 16:00 114600]
S3 s0017mgmt;Sony Ericsson Device 0017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0017mgmt.sys [24/02/2010 16:00 108328]
S3 s0017nd5;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (NDIS);c:\windows\system32\drivers\s0017nd5.sys [24/02/2010 16:00 26024]
S3 s0017obex;Sony Ericsson Device 0017 USB WMC OBEX Interface;c:\windows\system32\drivers\s0017obex.sys [24/02/2010 16:00 104616]
S3 s0017unic;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (WDM);c:\windows\system32\drivers\s0017unic.sys [24/02/2010 16:00 109736]
S3 sdcfilter;sdcfilter;c:\windows\system32\drivers\sdcfilter.sys [21/02/2011 11:32 23928]
S4 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [13/02/2010 11:53 233472]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [28/10/2010 14:46 136176]
S4 OMSI download service;Sony Ericsson OMSI download service;c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe [24/02/2010 16:00 90112]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [21/02/2011 11:32 14976]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2011-02-21 c:\windows\Tasks\UCD IT Services Recommended Weekly Scan.job
- c:\program files\Sophos\Sophos Anti-Virus\BackgroundScanClient.exe [2011-02-21 11:32]

2009-05-05 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-21 21:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://flvdirect.iamwired.net/
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\ngtks8rm.default\
FF - prefs.js: browser.search.defaulturl - hxxp://flvdirect.iamwired.net/websearch.php?src=tops&search=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.ucd.ie/geophysics/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: PC Sync 2 Synchronisation Extension: bkmrksync@nokia.com - c:\program files\Nokia\Nokia PC Suite 7\bkmrksync
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Softonic-Eng7 Toolbar: {414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3} - %profile%\extensions\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}
FF - Ext: vShare Plugin: vshare@toolbar - %profile%\extensions\vshare@toolbar
FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
FF - Ext: TranslatorBar 3.3 Community Toolbar: {e7f7b7dc-7dec-4e84-9a87-ece02e8a160a} - %profile%\extensions\{e7f7b7dc-7dec-4e84-9a87-ece02e8a160a}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: uTorrentBar Community Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - %profile%\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3} - (no file)
BHO-{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3} - (no file)
Toolbar-{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3} - (no file)
WebBrowser-{414B6D9D-4A95-4E8D-B5B1-149DD2D93BB3} - (no file)
HKCU-Run-\\192.168.1.50\Stora - c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAME.EXE
HKLM-Run-EPSON Stylus Photo RX640 Series (Copy 1) - c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAME.EXE
SafeBoot-WudfPf
SafeBoot-WudfRd



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-21 23:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Sophos Message Router]
"ImagePath"="\"c:\program files\Sophos\Remote Management System\RouterNT.exe\" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:86,94,9e,46,c9,2d,4d,bc,25,77,70,7e,71,52,a1,5d,f5,00,70,a0,44,
e8,ba,eb,26,e7,f5,7a,0e,7b,fb,cf,f7,48,57,fe,60,a4,71,25,79,42,10,ab,14,c7,\

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:86,94,9e,46,c9,2d,4d,bc,25,77,70,7e,71,52,a1,5d,f5,00,70,a0,44,
e8,ba,eb,26,e7,f5,7a,0e,7b,fb,cf,f7,48,57,fe,60,a4,71,25,79,42,10,ab,14,c7,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1140)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3380)
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Sophos\Remote Management System\ManagementAgentNT.exe
c:\program files\Sophos\AutoUpdate\ALsvc.exe
c:\program files\Sophos\Remote Management System\RouterNT.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\wscntfy.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\rundll32.exe
c:\program files\Samsung\Easy Display Manager\dmhkcore.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
.
**************************************************************************
.
Completion time: 2011-02-21 23:54:15 - machine was rebooted
ComboFix-quarantined-files.txt 2011-02-21 23:54

Pre-Run: 12,768,714,752 bytes free
Post-Run: 12,971,040,768 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - D0EAB1FB8F2E903A75F823BD5355B2D8

#4 Noviciate


  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 22 February 2011 - 03:04 PM

Good evening. :)

A little online scan to double-check for any leftovers and then a tidy-up and you're done.

Pay a visit to the ESET Online Scanner.

  • Click the ESET Online Scanner button, read the info in the new window, check the appropriate box and click Start.
  • Accept the ActiveX download, and allow it to install.
  • Once this has been completed, you will see the Computer Scan settings page - ensure that you UNCHECK the "Remove found threats" box and then click Start.
  • The virus signature database will now need to be downloaded, so don't forget to instruct your firewall to permit it if it asks.
  • The above will take a little time, so now is a good time to fire up the kettle and open the biccies.
  • Once the scan has completed you will be shown the results - assuming that the scanner has found anything.
  • Click List of found threats and then Export to text file... and save the log somewhere convenient.
  • You can then close out the scanner - don't bother uninstalling it as you may need to use it again.
  • Please post the contents of this file in your next reply, or let me know that nothing was identified.
Will you throw in a fresh DDS log as well?

So long, and thanks for all the fish.
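The ESET export that Noviciate asks for here, and the services-and-drivers block in the ComboFix log posted earlier in the thread, are both plain text that helpers end up reading by eye. The Python below is an added example for this page, not a BleepingComputer, ESET or DDS/ComboFix tool: it parses both formats (the sample lines are copied from the logs in this thread so it runs offline), separates malware-class hits from ESET's "application" (potentially unwanted) hits, marks hits that sit inside a System Restore snapshot, and lists services whose image file is missing or could not be verified. The format rules it relies on (R/S for running/stopped, the start-type digit, `[x]` for a missing file and `[?]` for an unverified image) are the conventions as they appear in these logs, not taken from a published specification, and are assumptions of the example.

```python
"""Parse and triage two log formats posted in this thread: the ESET Online Scanner
export (one finding per line) and the DDS/ComboFix services-and-drivers block.
Added example for this page; not a BleepingComputer, ESET or DDS/ComboFix tool."""
import re
from dataclasses import dataclass

# Constructed sample input: lines copied from the ESET export and the ComboFix
# services block in this thread, so everything runs offline.
ESET_LOG = r"""
C:\Documents and Settings\user\Application Data\EA35CA161951D52F56A5506DD7B11CD7\local.ini Win32/Adware.AntimalwareDoctor.AE.Gen application
C:\Program Files\Sony\Vegas Pro 8.0\Keygen.exe a variant of Win32/Keygen.AR application
C:\System Volume Information\_restore{34F125EF-A645-48AF-BD79-3C4C08C1DC3B}\RP724\A0686395.exe a variant of MSIL/Injector.DR trojan
"""
SERVICE_LOG = r"""
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [24/12/2009 01:52 64288]
R2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32mpcoinst,serviceStartProc --> RUNDLL32.EXE ykx32mpcoinst,serviceStartProc [?]
S2 BitKinex;BitKinex File Transfer Service; [x]
S3 Lavasoft Kernexplorer;Lavasoft helper driver; [x]
"""

# ESET line: <path, may contain spaces> [a variant of ]<Platform/Name> <kind>.
# The detection name carries a slash (Win32/..., MSIL/...) that Windows paths never
# do, so the first slash-bearing token is where the path ends.
ESET_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<detection>(?:(?:probably )?a variant of )?[A-Za-z0-9]+/\S+)\s+(?P<kind>\w+)$")
# DDS/ComboFix line: <R|S><start digit> <name>;<display>;<image> [<meta>]
# Assumed conventions as read in these logs: R running / S stopped; digit = Windows
# service start type; meta is "dd/mm/yyyy hh:mm size", "x" (file missing) or "?" (unverified).
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+(?P<name>[^;]*);(?P<display>[^;]*);(?P<image>.*?)\s*\[(?P<meta>[^\]]*)\]$")
START_TYPES = {"0": "boot", "1": "system", "2": "automatic", "3": "manual", "4": "disabled"}
HIGH_SEVERITY_KINDS = {"trojan", "virus", "worm", "backdoor", "rootkit"}
RESTORE_POINT_MARKER = r"\system volume information\_restore"  # System Restore snapshot


@dataclass
class Finding:
    path: str
    detection: str
    kind: str               # ESET's last token; "application" = potentially unwanted/unsafe app
    severity: str           # "high" for malware classes, "low" for "application"
    in_restore_point: bool  # hit lives in a restore point: a cleaned system can restore it


@dataclass
class Service:
    name: str
    display: str
    image: str
    meta: str
    running: bool
    start_type: str


def parse_eset_log(text: str) -> list[Finding]:
    findings = []
    for line in text.splitlines():
        m = ESET_RE.match(line.strip())
        if not m:
            continue  # skip blanks and any header text rather than guess
        kind = m["kind"].lower()
        findings.append(Finding(m["path"], m["detection"], kind,
                                "high" if kind in HIGH_SEVERITY_KINDS else "low",
                                RESTORE_POINT_MARKER in m["path"].lower()))
    return findings


def parse_service_log(text: str) -> list[Service]:
    services = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            services.append(Service(m["name"], m["display"], m["image"], m["meta"],
                                    m["state"] == "R", START_TYPES[m["start"]]))
    return services


def triage_services(services: list[Service]) -> list[tuple[Service, str]]:
    """Entries to look at first: image file missing ([x]) or not verifiable ([?])."""
    reasons = {"x": "image file missing on disk: leftover or deleted component",
               "?": "image not verified (e.g. started through rundll32): confirm the DLL's publisher"}
    return [(s, reasons[s.meta]) for s in services if s.meta in reasons]


if __name__ == "__main__":
    for f in parse_eset_log(ESET_LOG):
        note = "  <- inside a System Restore point; purge restore points after cleanup" if f.in_restore_point else ""
        print(f"[{f.severity}] {f.detection} -> {f.path}{note}")
    for s, why in triage_services(parse_service_log(SERVICE_LOG)):
        print(f"[{s.start_type}, {'running' if s.running else 'stopped'}] {s.name}: {why}")
```

Run it as a script to print the triage, or import `parse_eset_log` and `triage_services` against a saved export. ESET's "application" classification is its label for potentially unwanted or unsafe software (toolbars, registry cleaners, keygens), which is why the Keygen and RegistryBooster hits rank below the MSIL/Injector trojan; the restore-point marker matters because a restore performed after cleanup can bring an archived copy back, so helpers routinely ask the user to purge restore points once the live system is clean.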

#5 putnik

  • Topic Starter

  • Members
  • 5 posts

Posted 23 February 2011 - 11:11 AM

Hi there,

Good day:)

I turned off my Sophos on-access scanning and ran the ESET scanner. Unfortunately, it found 6 threats. I'm sending you the log below. Below the ESET log, I copied the DDS log. I also attached the DDS attach file.

I am looking forward to hearing from you with further instructions.
Thanks,

1) ESET log:
C:\Documents and Settings\user\Application Data\EA35CA161951D52F56A5506DD7B11CD7\enemies-names.txt Win32/Adware.AntimalwareDoctor.AE.Gen application
C:\Documents and Settings\user\Application Data\EA35CA161951D52F56A5506DD7B11CD7\local.ini Win32/Adware.AntimalwareDoctor.AE.Gen application
C:\Documents and Settings\user\Application Data\OpenCandy\OpenCandy_8A10F46135694D27B32B14F2CFB7E9FE\registrybooster31.exe a variant of Win32/RegistryBooster application
C:\Program Files\RegistryFix\RegistryFix.exe a variant of Win32/Adware.ErrorClean application
C:\Program Files\Sony\Vegas Pro 8.0\Keygen.exe a variant of Win32/Keygen.AR application
C:\System Volume Information\_restore{34F125EF-A645-48AF-BD79-3C4C08C1DC3B}\RP724\A0686395.exe a variant of MSIL/Injector.DR trojan



2)DDS.txt:

DDS (Ver_10-12-12.02) - NTFSx86
Run by user at 16:03:42.93 on 23/02/2011
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.3.1252.353.1033.18.1790.841 [GMT 0:00]

AV: Sophos Anti-Virus *Disabled/Updated* {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Sophos\Remote Management System\RouterNT.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Samsung\Samsung EDS\EDSAgent.exe
C:\Program Files\NETGEAR\Stora Desktop Applications\HipServAgent\HipServAgent.exe
C:\Program Files\Sophos\AutoUpdate\almon.exe
C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Winamp\winamp.exe
E:\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ie/
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
BHO: Sophos Web Content Scanner: {39ea7695-b3f2-4c44-a4bc-297ada8fd235} - c:\program files\sophos\sophos anti-virus\SophosBHO.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [DMHotKey] c:\program files\samsung\easy display manager\DMLoader.exe
mRun: [EDS] c:\program files\samsung\samsung eds\EDSAgent.exe
mRun: [HipServ Agent] c:\program files\netgear\stora desktop applications\hipservagent\HipServAgent.exe
mRun: [Sophos AutoUpdate Monitor] c:\program files\sophos\autoupdate\almon.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\colorv~1.lnk - c:\program files\colorvision\utility\ColorVisionStartup.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} - hxxp://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/PhtPkMSN.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/Optimize3/pcpitstop2.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\ngtks8rm.default\
FF - prefs.js: browser.search.defaulturl - hxxp://flvdirect.iamwired.net/websearch.php?src=tops&search=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.ucd.ie/geophysics/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - component: c:\documents and settings\user\application data\mozilla\firefox\profiles\ngtks8rm.default\extensions\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\user\application data\mozilla\firefox\profiles\ngtks8rm.default\extensions\{e7f7b7dc-7dec-4e84-9a87-ece02e8a160a}\components\RadioWMPCoreGecko19.dll
FF - component: c:\documents and settings\user\application data\mozilla\firefox\profiles\ngtks8rm.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll
FF - component: c:\program files\nokia\nokia pc suite 7\bkmrksync\components\BkMrkExt.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npcosmop211.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - plugin: c:\program files\sony\media go\npmediago.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: PC Sync 2 Synchronisation Extension: bkmrksync@nokia.com - c:\program files\nokia\nokia pc suite 7\bkmrksync
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Softonic-Eng7 Toolbar: {414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3} - %profile%\extensions\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}
FF - Ext: vShare Plugin: vshare@toolbar - %profile%\extensions\vshare@toolbar
FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
FF - Ext: TranslatorBar 3.3 Community Toolbar: {e7f7b7dc-7dec-4e84-9a87-ece02e8a160a} - %profile%\extensions\{e7f7b7dc-7dec-4e84-9a87-ece02e8a160a}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: uTorrentBar Community Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - %profile%\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-12-24 64288]
R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [2011-2-20 153344]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [2011-2-20 24064]
R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [2008-11-24 4300]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\sophos\sophos anti-virus\SAVAdminService.exe [2011-2-21 163056]
R2 SAVService;Sophos Anti-Virus;c:\program files\sophos\sophos anti-virus\SavService.exe [2011-2-21 97520]
R2 Sophos Agent;Sophos Agent;c:\program files\sophos\remote management system\ManagementAgentNT.exe [2011-2-21 282624]
R2 Sophos AutoUpdate Service;Sophos AutoUpdate Service;c:\program files\sophos\autoupdate\ALsvc.exe [2010-9-30 230640]
R2 Sophos Message Router;Sophos Message Router;c:\program files\sophos\remote management system\RouterNT.exe [2011-2-21 806912]
R2 swi_service;Sophos Web Intelligence Service;c:\program files\sophos\sophos anti-virus\web intelligence\swi_service.exe [2011-2-21 1541360]
R2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32mpcoinst,serviceStartProc --> RUNDLL32.EXE ykx32mpcoinst,serviceStartProc [?]
S2 BitKinex;BitKinex File Transfer Service; [x]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-8-10 1684736]
S3 DNSeFilter;DNSeFilter;c:\windows\system32\drivers\SamsungEDS.SYS [2008-1-14 30208]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2010-2-13 36608]
S3 Lavasoft Kernexplorer;Lavasoft helper driver; [x]
S3 s0017bus;Sony Ericsson Device 0017 driver (WDM);c:\windows\system32\drivers\s0017bus.sys [2010-2-24 86824]
S3 s0017mdfl;Sony Ericsson Device 0017 USB WMC Modem Filter;c:\windows\system32\drivers\s0017mdfl.sys [2010-2-24 15016]
S3 s0017mdm;Sony Ericsson Device 0017 USB WMC Modem Driver;c:\windows\system32\drivers\s0017mdm.sys [2010-2-24 114600]
S3 s0017mgmt;Sony Ericsson Device 0017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0017mgmt.sys [2010-2-24 108328]
S3 s0017nd5;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (NDIS);c:\windows\system32\drivers\s0017nd5.sys [2010-2-24 26024]
S3 s0017obex;Sony Ericsson Device 0017 USB WMC OBEX Interface;c:\windows\system32\drivers\s0017obex.sys [2010-2-24 104616]
S3 s0017unic;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (WDM);c:\windows\system32\drivers\s0017unic.sys [2010-2-24 109736]
S3 sdcfilter;sdcfilter;c:\windows\system32\drivers\sdcfilter.sys [2011-2-21 23928]
S4 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2010-2-13 233472]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-10-28 136176]
S4 OMSI download service;Sony Ericsson OMSI download service;c:\program files\sony ericsson\sony ericsson pc suite\SupServ.exe [2010-2-24 90112]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2011-2-21 14976]

=============== Created Last 30 ================

2011-02-23 14:19:16 -------- d-----w- c:\program files\ESET
2011-02-21 23:30:09 -------- d-sha-r- C:\cmdcons
2011-02-21 23:27:02 98816 ----a-w- c:\windows\sed.exe
2011-02-21 23:27:02 89088 ----a-w- c:\windows\MBR.exe
2011-02-21 23:27:02 256512 ----a-w- c:\windows\PEV.exe
2011-02-21 23:27:02 161792 ----a-w- c:\windows\SWREG.exe
2011-02-21 23:26:52 -------- d-----w- C:\game
2011-02-21 11:34:42 131824 ----a-w- c:\windows\system32\sdccoinstaller.dll
2011-02-21 11:34:32 -------- d-----w- c:\docume~1\alluse~1\applic~1\Sophos Web Intelligence
2011-02-21 11:33:54 -------- d-----w- c:\program files\common files\Cisco Systems
2011-02-21 11:33:48 28912 ----a-w- c:\windows\system32\SophosBootTasks.exe
2011-02-21 11:32:21 14976 ----a-w- c:\windows\system32\drivers\SophosBootDriver.sys
2011-02-21 11:32:15 23928 ----a-w- c:\windows\system32\drivers\sdcfilter.sys
2011-02-21 11:31:11 -------- d-----w- c:\program files\Sophos
2011-02-21 11:30:53 -------- d-----w- C:\SAVSCFXP
2011-02-20 19:58:13 24064 ----a-w- c:\windows\system32\drivers\savonaccessfilter.sys
2011-02-20 19:57:54 153344 ----a-w- c:\windows\system32\drivers\savonaccesscontrol.sys
2011-02-18 15:13:41 -------- d-----w- c:\program files\TuneUpMedia
2011-02-18 15:13:24 -------- d-----w- c:\docume~1\user\applic~1\TuneUpMedia
2011-02-18 15:13:10 -------- d-----w- c:\docume~1\alluse~1\applic~1\TuneUpMedia
2011-02-15 10:24:24 30016 ----a-w- c:\windows\system32\uxt5.tmp
2011-02-15 10:24:01 -------- d-----w- c:\program files\TuneUp Utilities 2010
2011-02-15 10:23:19 -------- d-sh--w- c:\docume~1\alluse~1\applic~1\{D3742F82-1C1A-4DCC-ABBD-0E7C3C0185CC}
2011-02-14 23:19:08 -------- d-----w- c:\program files\BitKinex
2011-02-14 14:59:17 -------- d-----w- c:\program files\uTorrent
2011-02-13 21:30:20 -------- d-----w- c:\docume~1\user\applic~1\TuneUp Software
2011-02-13 21:30:13 -------- d-----w- c:\program files\TuneUp Utilities 2011
2011-02-13 21:29:24 -------- d-----w- c:\docume~1\alluse~1\applic~1\TuneUp Software
2011-02-13 21:29:06 -------- d-sh--w- c:\docume~1\alluse~1\applic~1\{24036256-BFDB-4CD3-BE8A-A3D6160F2E16}
2011-02-13 21:17:03 -------- d-----w- c:\docume~1\user\applic~1\tidysongs16
2011-02-12 00:53:57 -------- d-----w- c:\docume~1\user\applic~1\Mp3tag
2011-02-12 00:53:28 -------- d-----w- c:\program files\Mp3tag
2011-02-11 23:56:27 -------- d-----w- c:\program files\iTunes
2011-02-11 23:42:28 -------- d-----w- c:\program files\GoodSync
2011-02-11 21:41:55 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-02-11 21:22:50 -------- d-----w- c:\docume~1\user\applic~1\AVG10
2011-02-11 21:19:11 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
2011-02-11 21:18:12 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
2011-02-11 21:17:45 -------- d-----w- c:\program files\AVG
2011-02-11 21:15:31 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2011-02-11 12:47:15 -------- d-----w- c:\program files\MSECache
2011-02-09 23:15:29 -------- d-----w- c:\docume~1\user\applic~1\CloneSpy
2011-02-09 23:15:17 -------- d-----w- c:\program files\CloneSpy
2011-02-09 23:12:33 -------- d-----w- c:\docume~1\user\locals~1\applic~1\DuplicateCleaner
2011-02-09 23:12:19 -------- d-----w- c:\program files\Duplicate Cleaner
2011-02-09 14:20:19 -------- d-----w- c:\docume~1\user\locals~1\applic~1\SmartSync Software
2011-02-09 13:40:22 -------- d-----w- c:\program files\SmartSync Software
2011-02-09 13:39:50 -------- d-----w- c:\program files\Allway Sync
2011-02-09 12:46:54 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-02-09 12:46:54 -------- d-----w- c:\windows\system32\wbem\Repository
2011-02-09 12:45:34 -------- d-----w- c:\program files\MagicDVDCopier
2011-02-09 12:38:44 -------- d-----w- c:\program files\PC Connectivity Solution
2011-02-09 12:38:39 -------- d-----w- c:\program files\ConduitEngine
2011-02-09 12:38:39 -------- d-----w- c:\docume~1\user\locals~1\applic~1\ConduitEngine
2011-02-09 12:38:37 -------- d-----w- c:\docume~1\user\locals~1\applic~1\Softonic-Eng7
2011-02-09 12:38:35 -------- d-----w- c:\program files\RealVNC
2011-02-09 12:38:02 -------- d-----w- c:\program files\Conduit
2011-02-09 01:33:11 -------- d-----w- c:\program files\ConduitEngine(2)
2011-02-08 22:19:37 -------- d-----w- c:\docume~1\alluse~1\applic~1\GoodSync
2011-02-08 22:19:29 -------- d-----w- c:\docume~1\user\applic~1\GoodSync
2011-02-08 22:19:17 -------- d-----w- c:\program files\Siber Systems
2011-02-08 02:33:33 -------- d-----w- c:\docume~1\alluse~1\applic~1\SmartSync Software
2011-02-08 01:09:31 -------- d-----w- C:\RECYCLER(2)
2011-02-07 20:49:23 -------- d-----w- c:\docume~1\alluse~1\applic~1\Sync App Settings
2011-02-06 10:20:24 -------- d-----w- c:\program files\MagicDVDCopier(2)
2011-02-05 14:06:02 -------- d-----w- c:\docume~1\user\applic~1\DesktopMirror
2011-02-04 22:48:27 -------- d-----w- c:\program files\NETGEAR
2011-02-04 22:47:23 -------- d-----w- c:\docume~1\user\locals~1\applic~1\{E3979175-E95F-4825-8578-0FDE82F0F253}
2011-02-02 01:41:48 -------- d-----w- c:\program files\common files\PCSuite
2011-02-02 01:41:45 -------- d-----w- c:\program files\common files\Nokia
2011-02-02 01:40:02 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys

==================== Find3M ====================

2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 22:15:52 667136 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 22:15:52 61952 ----a-w- c:\windows\system32\tdc.ocx
2010-12-20 22:15:51 81920 ------w- c:\windows\system32\ieencode.dll
2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 15:30:29 369664 ------w- c:\windows\system32\html.iec
2010-12-09 15:15:09 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30:22 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:42:26 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07:07 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-11-29 17:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 17:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-28 17:43:15 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
2008-04-15 09:58:44 188918 ----a-w- c:\program files\common files\IssProc.dll

============= FINISH: 16:04:32.23 ===============


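Working through the SERVICES / DRIVERS section by eye is what the helpers do with a log like the one above; as an added example (not part of this thread and not DDS's own code) here is a small Python parser for those lines with the three checks a responder makes first: entries whose binary DDS could not find, boot/system-start drivers, and image files written shortly before the scan. The reading of the first field as R/S (running/stopped) plus the Windows start type, and the scan date, are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional
# One DDS "SERVICES / DRIVERS" line (both shapes occur in the log above):
#   R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\...\savonaccessfilter.sys [2011-2-20 24064]
#   S2 BitKinex;BitKinex File Transfer Service; [x]
LINE_RE = re.compile(r"^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]*);[^;]*;"
                     r"(?P<image>.*?)\s*\[(?P<tail>[^\]]*)\]$")

@dataclass
class ServiceEntry:
    state: str                 # assumed DDS convention: R = running, S = stopped
    start_type: int            # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
    name: str
    image: str                 # path DDS recorded; empty when it printed [x]
    file_date: Optional[date]  # None when DDS printed [x] or [?] instead of date/size
    size: Optional[int]
    status: str                # "ok", "missing" ([x]: file not found) or "unknown" ([?])

def parse_line(line: str) -> Optional[ServiceEntry]:
    """Parse one service/driver line; return None for any other log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    tail = m.group("tail").strip()
    status = {"x": "missing", "?": "unknown"}.get(tail, "ok")
    file_date = size = None
    if status == "ok":                      # tail looks like "2011-2-20 24064"
        stamp, size_text = tail.split()
        file_date = date(*(int(p) for p in stamp.split("-")))
        size = int(size_text)
    return ServiceEntry(m.group("state"), int(m.group("start")), m.group("name"),
                        m.group("image"), file_date, size, status)

def triage(log_text: str, scan_date: date, recent_days: int = 30) -> dict:
    """Binary gone (orphaned or hidden), boot/system-start drivers (loaded before
    the on-access scanner, where a kernel rootkit sits), and recently written files."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    return {
        "missing_image": [e.name for e in entries if e.status != "ok"],
        "early_start": [e.name for e in entries if e.start_type <= 1],
        "recent_files": [e.name for e in entries if e.file_date
                         and (scan_date - e.file_date).days <= recent_days],
    }

# Constructed sample: five lines copied from the log above; the scan date is assumed.
SAMPLE_LOG = r"""
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-12-24 64288]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [2011-2-20 24064]
R2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32mpcoinst,serviceStartProc --> RUNDLL32.EXE ykx32mpcoinst,serviceStartProc [?]
S2 BitKinex;BitKinex File Transfer Service; [x]
S3 sdcfilter;sdcfilter;c:\windows\system32\drivers\sdcfilter.sys [2011-2-21 23928]
"""
SCAN_DATE = date(2011, 2, 23)
```

Run `triage(SAMPLE_LOG, SCAN_DATE)` on the sample and the two entries with no file on disk, the two drivers loaded at boot/system start and the two files touched in the days before the scan come back in separate lists.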
#6 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 23 February 2011 - 03:43 PM

Good evening. :)

You can delete this folder for starters:

C:\Documents and Settings\user\Application Data\EA35CA161951D52F56A5506DD7B11CD7

ESET doesn't seem to like RegistryFix v6.2, so I'd be inclined to uninstall it, but you are free to keep it if you wish - it's not a program I am familiar with.

It also doesn't like the file C:\Documents and Settings\user\Application Data\OpenCandy\OpenCandy_8A10F46135694D27B32B14F2CFB7E9FE\registrybooster31.exe, so I'd be inclined to delete that too, but again, as I'm unfamiliar with the file, it is up to you.

Finally, C:\Program Files\Sony\Vegas Pro 8.0\Keygen.exe. Keygens are an ideal way to infect systems as well as breach copyright - delete it.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Your log doesn't appear to show a third-party software firewall installed - if you have one, and I've missed it, please ignore this.
If you are relying on the firewall that comes with Service Pack 2, then you need to install one. While the SP2 firewall is better than nothing, it doesn't monitor outgoing traffic, so anything malicious on your computer can 'phone home' at will.
If you are using a wireless router that comes with a NAT hardware firewall, this also doesn't monitor outgoing connections.

There are a few free firewalls available, of which the following are just three (all of which I've used at one time or another):

Comodo Firewall Pro, available here.
PC Tools Firewall Plus, available here.
Online Armor Free, available here.

It is important to note that you should only have one firewall installed at a time, but you can download them all to your Desktop and install each in turn to see which one you prefer.

Understanding and Using Firewalls: http://www.bleepingcomputer.com/tutorials/understanding-and-using-firewalls/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I want you to run your PC as normal for a few days and when you are happy that everything is fine, do the following:

Go to Start > Run, enter the following into the textbox and click OK: ComboFix /Uninstall
This will uninstall Combofix and do a little housework besides.

Create a new Restore Point with a memorable name - this will give a clean one should you need it in the future. If you use a Restore Point from before this point you may reinstall any infection that was present at the time, so only do so if using this latest one doesn't solve any issues.
A tutorial for System Restore is available here.

Some bedtime reading: This is a very good tutorial about keeping your computer safe and secure on the internet. It's a little old, but still contains some good ideas.

So long, and thanks for all the fish.


#7 putnik

  • Topic Starter
  • Members
  • 5 posts

Posted 23 February 2011 - 04:41 PM

Hi,

Thanks a lot for lots of valuable information. I did what you said.
Could you just answer please my two questions:

1) As regards the RegistryFix program, I bought it a long time ago. I can uninstall it if you suggest so, but would you have any suggestion what program to run from time to time when the registry becomes messed up because of installing/uninstalling programs? I'm trying not to do it anymore, but sometimes I have to, as we all do :)

2) I'm running up-to-date Sophos 9.5 on my computer. This new package can identify rootkits and PUA along with viruses, but I am not sure how efficient it is. Would you recommend installing SpyBot or something like that to run besides Sophos?

Thanks a lot man, I owe you a few beers. As I don't even know where you are, at least I can say Cheers, for long life and good health :)

#8 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 23 February 2011 - 05:45 PM

As regards the RegistryFix program, I bought it a long time ago. I can uninstall it if you suggest so, but would you have any suggestion what program to run from time to time when the registry becomes messed up because of installing/uninstalling programs? I'm trying not to do it anymore, but sometimes I have to, as we all do :)

The use of registry cleaning tools causes excited debate in certain circles - I guess geeks need exercise like normal people!
Along with a sizeable number of people, I think that there is very little justification for running a registry cleaner, as it has the potential to create far more problems than it solves, and in the worst of cases you bork Windows.
I wouldn't run a registry tool on my system unless I was on the point of reinstalling Windows and had nothing to lose, and in that case I'd reinstall Windows anyway and skip the registry tool.

2) I'm running up-to-date Sophos 9.5 on my computer. This new package can identify rootkits and PUA along with viruses, but I am not sure how efficient it is. Would you recommend installing SpyBot or something like that to run besides Sophos?

I can't recall ever playing with Sophos, so I can't comment on it as an anti-virus tool - I run NOD32 on one machine and Microsoft Security Essentials on the rest.
If you want a stand-alone scanner to act as a second opinion, I recommend MalwareBytes Anti Malware. There's a handy tutorial here. It may be a little old, but you'll get the idea. The free version has no active protection, so you would need to pay for that if you wanted it. You can ask any questions about it on their forum here.
Spybot is a good choice for some active protection, or if you'd like an alternative, try WinPatrol available here.

If you have any further questions about the above, ask.

So long, and thanks for all the fish.


#9 putnik

  • Topic Starter
  • Members
  • 5 posts

Posted 28 February 2011 - 11:28 AM

Hi there,

Everything seems to be fine, so we can close this topic.

Thanks a mill

#10 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 28 February 2011 - 02:44 PM

Always a pleasure, or thereabouts. As this issue appears to have been resolved, this thread is now closed.

So long, and thanks for all the fish.
