
Diagnosis of further infection please (poss RK?)


16 replies to this topic

#1 joolz_red


Posted 25 February 2011 - 06:51 PM

Hi folks, boopme got me through initial treatment for malware infection that was preventing Avira AV from updating and has asked me to post here to try to get my PC as clean as possible. Many thanks in advance for your help.

For about a week I had been receiving the occasional A-AV alert about D: autoruns being blocked and TR viruses (trash.gen & kazy (??)) but I always quarantined, deleted and regularly updated & scanned.

I also regularly update & scan with MBAM.

Yesterday I couldn't update A-AV from a net connection and so the saga unfolded. With the help of HijackThis I id'd a proxy server hijack in my internet options and host redirects. Fixed/deleted those and I could update again. Possible vil.nai(?)

Edit to add: just remembered a couple of odd occurrences whilst using Chrome - clicking on Facebook links to photos/friends etc (not ads) occasionally redirects to google or gmail!

Boopme says I have further infection and should post here for help!

I can also provide HJT, MBAM & A-AV logs if required.

previous thread here: http://www.bleepingcomputer.com/forums/topic381297.html

Please bear in mind I am only averagely tech-minded.

I've done all the steps detailed in Preparation Guide which took me a while but I think I've done it as I should.



DDS txt:

DDS (Ver_10-12-12.02) - NTFSx86
Run by Compaq_Owner at 22:47:04.04 on 25/02/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.447.98 [GMT 0:00]

AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Google\Update\1.2.183.39\GoogleCrashHandler.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Dell V105\dldnMsdMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dllhost.exe
C:\program files\real\realplayer\update\realsched.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Compaq_Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: {47FB5317-7420-7527-CA76-FD6A1E87CF7B} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [<NO NAME>]
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [dldnmon.exe] "c:\program files\dell v105\dldnmon.exe"
mRun: [dldnamon] "c:\program files\dell v105\dldnamon.exe"
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229591667968
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229591657000
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2010-10-3 59240]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-12-18 11608]
R1 RapportCerberus_23945;RapportCerberus_23945;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportcerberus\23945\RapportCerberus_23945.sys [2011-2-24 55224]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2010-10-3 169320]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-12-18 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-12-18 267944]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-12-18 61960]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2010-10-3 767208]
R3 FNETTHJM;Freecom Turbo USB 2.0;c:\windows\system32\drivers\fnetthjm.sys [2010-8-16 24448]
R3 RapportIaso;RapportIaso;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportms\21923\RapportIaso.sys [2010-12-15 12928]
R3 SDTHelper;Helper driver for SDT-Tool;\??\c:\documents and settings\compaq_owner\desktop\sdthlpr.sys --> c:\documents and settings\compaq_owner\desktop\sdthlpr.sys [?]
S2 Ca50xav;Philips ThumbCam Video Device;c:\windows\system32\drivers\ca50xav.sys [2008-10-17 515803]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate1c9b7043a5dd570;Google Update Service (gupdate1c9b7043a5dd570);c:\program files\google\update\GoogleUpdate.exe [2009-4-6 133104]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 dldn_device;dldn_device;c:\windows\system32\dldncoms.exe -service --> c:\windows\system32\dldncoms.exe -service [?]
S4 dldnCATSCustConnectService;dldnCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\dldnserv.exe [2010-11-26 98984]

=============== File Associations ===============

JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1

=============== Created Last 30 ================

2011-02-24 21:07:35 388096 ----a-r- c:\docume~1\compaq~1\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-02-24 13:04:17 -------- d-----w- c:\program files\Trend Micro
2011-02-22 11:04:58 -------- d-----w- c:\docume~1\compaq~1\applic~1\Friday's games
2011-02-17 22:34:47 -------- d-----w- c:\docume~1\compaq~1\applic~1\Phantasmat_bf_ce1
2011-02-14 19:24:11 -------- d-----w- c:\docume~1\compaq~1\locals~1\applic~1\Sophos
2011-02-14 18:21:50 -------- d-----w- C:\stdtsa
2011-02-04 05:47:51 -------- d-----w- c:\program files\Mystery Case Files - 13th Skull Collector's Edition
2011-01-30 14:57:00 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll

==================== Find3M ====================

2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-11 12:49:52 292240 ----a-r- c:\windows\system32\cpnprtuk.cid
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59:19 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59:19 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55:26 385024 ----a-w- c:\windows\system32\html.iec
2010-12-09 15:15:09 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30:22 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:38:47 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07:05 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: SAMSUNG_SP0802N/R rev.TK200-04 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP4T1L0-1f

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x85173030]
3 CLASSPNP[0xF76A5FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\00000062[0x85193318]
5 ACPI[0xF750C620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Ide\IdeDeviceP4T0L0-17[0x85193030]
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
user != kernel MBR !!!
sectors 156368014 (+255): user != kernel

============= FINISH: 22:48:12.18 ===============


GMER log:

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-02-25 23:51:59
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP4T0L0-17 SAMSUNG_SP0802N/R rev.TK200-04
Running: gmer.exe; Driver: C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\kwpyqaow.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwAssignProcessToJobObject [0xF2034FE4]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwCreateFile [0xF2035996]
SSDT F7C47BC6 ZwCreateKey
SSDT F7C47BBC ZwCreateThread
SSDT \??\C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\23945\RapportCerberus_23945.sys (RapportCerberus/Trusteer Ltd.) ZwDeleteFile [0xF78A89F8]
SSDT F7C47BCB ZwDeleteKey
SSDT F7C47BD5 ZwDeleteValueKey
SSDT F7C47BDA ZwLoadKey
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwOpenFile [0xF2035A5A]
SSDT F7C47BA8 ZwOpenProcess
SSDT F7C47BAD ZwOpenThread
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwProtectVirtualMemory [0xF203544C]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwQueryValueKey [0xF2039476]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwRenameKey [0xF20393E0]
SSDT F7C47BE4 ZwReplaceKey
SSDT F7C47BDF ZwRestoreKey
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSetContextThread [0xF2034F8A]
SSDT \??\C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\23945\RapportCerberus_23945.sys (RapportCerberus/Trusteer Ltd.) ZwSetInformationFile [0xF78A8A6C]
SSDT F7C47BD0 ZwSetValueKey
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSuspendThread [0xF2034F26]
SSDT \??\C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\23945\RapportCerberus_23945.sys (RapportCerberus/Trusteer Ltd.) ZwTerminateProcess [0xF78A897E]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwTerminateThread [0xF2034EC2]

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntkrnlpa.exe!ZwQueryValueKey + 34C 8061925C 4 Bytes [62, 77, EB, F9] {BOUND ESI, [EDI-0x15]; STC }
? gcevswqa.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !
? C:\Documents and Settings\Compaq_Owner\Desktop\sdthlpr.sys The system cannot find the file specified. !
? C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1380] ntdll.dll!KiUserApcDispatcher 7C90E450 5 Bytes JMP 00414C10 C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe (RapportMgmtService/Trusteer Ltd.)
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1380] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 716B0022
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1380] USER32.dll!GetGUIThreadInfo + FB 7E428023 6 Bytes JMP 716E001E
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1380] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 71650022
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1380] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 71680022
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2208] ntdll.dll!KiUserApcDispatcher 7C90E450 5 Bytes JMP 014F7420 c:\program files\trusteer\rapport\bin\rooksdol.dll (Rooks/Dolomite/Trusteer Ltd.)
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2208] ntdll.dll!LdrLoadDll + 1 7C91632E 5 Bytes [22, 00, 68, 71, C3]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2208] kernel32.dll!ReadFile 7C801812 6 Bytes JMP 7139000A
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2208] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 716B0022
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2208] kernel32.dll!CloseHandle 7C809BE7 6 Bytes JMP 7148000A
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2208] kernel32.dll!GetQueuedCompletionStatus 7C80A7BD 6 Bytes JMP 714B000A
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2208] kernel32.dll!WriteFile 7C810E27 6 Bytes JMP 7142000A
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2208] kernel32.dll!CreateNamedPipeW 7C82F0DD 6 Bytes JMP 713F000A
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2208] kernel32.dll!CancelIo 7C8300E2 6 Bytes JMP 7145000A
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2208] kernel32.dll!CreateIoCompletionPort 7C83138D 6 Bytes JMP 713C000A
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2208] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 6 Bytes PUSH 71590022; RET
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2208] USER32.dll!TranslateMessage 7E418BF6 6 Bytes PUSH 71500022; RET
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2208] USER32.dll!RegisterClassExW 7E41AF7F 6 Bytes PUSH 716E0022; RET
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2208] USER32.dll!SetWindowLongW 7E42C2BB 6 Bytes PUSH 71530022; RET
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2208] USER32.dll!GetClipboardData 7E430DBA 6 Bytes PUSH 71560022; RET
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2208] GDI32.dll!BitBlt 77F16F79 6 Bytes PUSH 715F0022; RET
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2208] GDI32.dll!StretchDIBits 77F1B0AE 6 Bytes PUSH 715C0022; RET
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2208] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 6 Bytes PUSH 71650022; RET
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2208] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 714D0022
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2208] CRYPT32.dll!CertVerifyCertificateChainPolicy 77A9B76F 6 Bytes PUSH 71620022; RET
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2276] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2276] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2276] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2276] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2276] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2276] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2276] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2276] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2276] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2276] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EC1A
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2276] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2276] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2276] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2276] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2276] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2276] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2276] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2276] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90EC8B
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2276] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2276] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2276] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2276] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EDB9
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2276] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2276] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2276] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2276] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2276] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2276] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2276] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2276] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[3704] ntdll.dll!KiUserApcDispatcher 7C90E450 5 Bytes JMP 004397C0 C:\Program Files\Trusteer\Rapport\bin\RapportService.exe (RapportService/Trusteer Ltd.)
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[3704] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 716B0022
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[3704] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 71680022
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[3704] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 716E0022
.text C:\program files\real\realplayer\update\realsched.exe[10084] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


Edited by joolz_red, 26 February 2011 - 08:00 AM.




#2 m0le


Posted 04 March 2011 - 08:29 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 joolz_red


Posted 04 March 2011 - 10:11 PM

Hi, and thanks for replying m0le :)

I'm here, and appreciate your help!

There might be a delay in replies from my end but I'm subscribed to this thread and will always get back ASAP.

Edited by joolz_red, 04 March 2011 - 10:11 PM.


#4 m0le


Posted 06 March 2011 - 05:32 AM

Please run Combofix

Please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#5 joolz_red


Posted 06 March 2011 - 04:03 PM

Combofix log:


ComboFix 11-03-05.02 - Compaq_Owner 06/03/2011 20:48:40.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.447.192 [GMT 0:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\comfix.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\ps2.bat
D:\Autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2011-02-06 to 2011-03-06 )))))))))))))))))))))))))))))))
.
.
2011-03-05 05:50 . 2011-03-05 05:50 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\ElevatedDiagnostics
2011-03-05 05:42 . 2011-03-05 05:43 -------- d-----w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Deployment
2011-03-05 05:20 . 2011-03-05 05:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Dell V105
2011-03-04 14:46 . 2011-03-04 14:46 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\QB9
2011-03-04 00:52 . 2011-03-04 00:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Big Fish Games
2011-03-04 00:52 . 2011-03-04 00:52 -------- d-----w- c:\program files\bfgclient
2011-03-04 00:50 . 2011-03-04 01:15 -------- d-----w- c:\documents and settings\All Users\Application Data\BigFishGamesCache
2011-02-26 22:56 . 2011-02-26 22:56 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\ERS Game Studios
2011-02-24 21:07 . 2011-02-24 21:07 388096 ----a-r- c:\documents and settings\Compaq_Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-02-24 13:04 . 2011-02-24 13:04 -------- d-----w- c:\program files\Trend Micro
2011-02-22 11:04 . 2011-02-22 11:04 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Friday's games
2011-02-17 22:34 . 2011-02-17 22:45 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Phantasmat_bf_ce1
2011-02-14 19:24 . 2011-02-14 19:24 -------- d-----w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Sophos
2011-02-14 18:21 . 2011-02-14 19:08 -------- d-----w- C:\stdtsa
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-02 21:40 . 2010-05-02 12:53 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-02 19:19 . 2008-11-16 13:46 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-01-21 14:44 . 2004-08-04 05:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-11 12:49 . 2008-10-23 23:30 292240 ----a-r- c:\windows\system32\cpnprtuk.cid
2011-01-07 14:09 . 2004-08-04 05:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2004-08-04 05:00 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2004-08-04 05:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59 . 2004-08-04 04:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59 . 2004-08-04 05:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59 . 2004-08-04 05:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 18:09 . 2008-11-13 23:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 18:08 . 2008-11-13 23:46 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-20 17:26 . 2004-08-04 04:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2004-08-04 05:00 385024 ----a-w- c:\windows\system32\html.iec
2010-12-13 08:40 . 2009-12-18 15:17 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-12-13 08:40 . 2009-12-18 15:17 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-12-09 15:15 . 2004-08-04 11:00 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30 . 2004-08-04 05:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:38 . 2004-08-04 05:00 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07 . 2004-08-04 11:00 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-13 344064]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-12-13 281768]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2010-12-18 274608]
"RTHDCPL"="RTHDCPL.EXE" [2005-10-14 14864384]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"dldnmon.exe"="c:\program files\Dell V105\dldnmon.exe" [2009-07-30 668328]
"dldnamon"="c:\program files\Dell V105\dldnamon.exe" [2009-07-30 16040]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"swg"=c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Documents and Settings\\Compaq_Owner\\My Documents\\BitTornado\\btdownloadgui.exe"=
"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\WINDOWS\\system32\\dldncoms.exe"=
"c:\\Program Files\\Dell V105\\dldnmon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldnpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldntime.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldnjswx.exe"=
"c:\\Program Files\\Dell V105\\frun.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Dell V105\\Diagnostics\\DLDNdiag.exe"=
.
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [03/10/2010 22:43 59240]
R1 RapportCerberus_23945;RapportCerberus_23945;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\23945\RapportCerberus_23945.sys [24/02/2011 16:53 55224]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [03/10/2010 22:43 169320]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [18/12/2009 15:17 135336]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [03/10/2010 22:43 767208]
R3 FNETTHJM;Freecom Turbo USB 2.0;c:\windows\system32\drivers\fnetthjm.sys [16/08/2010 13:21 24448]
S2 Ca50xav;Philips ThumbCam Video Device;c:\windows\system32\drivers\ca50xav.sys [17/10/2008 12:04 515803]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 12:16 130384]
S2 gupdate1c9b7043a5dd570;Google Update Service (gupdate1c9b7043a5dd570);c:\program files\Google\Update\GoogleUpdate.exe [06/04/2009 22:08 133104]
S3 SDTHelper;Helper driver for SDT-Tool;\??\c:\documents and settings\Compaq_Owner\Desktop\sdthlpr.sys --> c:\documents and settings\Compaq_Owner\Desktop\sdthlpr.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 12:16 753504]
S4 dldn_device;dldn_device;c:\windows\system32\dldncoms.exe -service --> c:\windows\system32\dldncoms.exe -service [?]
S4 dldnCATSCustConnectService;dldnCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\dldnserv.exe [26/11/2010 17:20 98984]
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-06 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-04-06 21:54]
.
2011-03-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-06 22:07]
.
2011-03-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-06 22:07]
.
2011-03-06 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3464621081-1059318467-2196694608-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 11:33]
.
2011-03-04 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3464621081-1059318467-2196694608-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 11:33]
.
2011-03-04 c:\windows\Tasks\User_Feed_Synchronization-{30660315-55E5-4EF3-A3DF-3B8A04F91570}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 03:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
Trusted Zone: internet
Trusted Zone: mcafee.com
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-mcmscsvc
SafeBoot-MCODS
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-06 20:56
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: SAMSUNG_SP0802N/R rev.TK200-04 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP4T1L0-1f
.
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user != kernel MBR !!!
sectors 156368014 (+255): user != kernel
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(924)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2011-03-06 21:00:20
ComboFix-quarantined-files.txt 2011-03-06 21:00
.
Pre-Run: 57,382,027,264 bytes free
Post-Run: 57,392,738,304 bytes free
.
- - End Of File - - FEA2550BF83A034AC9093E69E2DF69EA

#6 m0le


    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 06 March 2011 - 05:41 PM

Can you run MBRCheck next?

Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.
m0le is a proud member of UNITE

#7 joolz_red

  • Topic Starter

  • Members
  • 14 posts

Posted 06 March 2011 - 07:47 PM

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x000007fc

Kernel Drivers (total 130):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806D1000 \WINDOWS\system32\hal.dll
0xF7B35000 \WINDOWS\system32\KDCOM.DLL
0xF7A45000 \WINDOWS\system32\BOOTVID.dll
0xF7506000 ACPI.sys
0xF7B37000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF74F5000 pci.sys
0xF7635000 isapnp.sys
0xF7645000 ohci1394.sys
0xF7655000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xF7BFD000 pciide.sys
0xF78B5000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF7B39000 viaide.sys
0xF7B3B000 intelide.sys
0xF7665000 MountMgr.sys
0xF74D6000 ftdisk.sys
0xF78BD000 PartMgr.sys
0xF7675000 VolSnap.sys
0xF74BE000 atapi.sys
0xF7685000 disk.sys
0xF7695000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF749E000 fltmgr.sys
0xF748C000 sr.sys
0xF76A5000 PxHelp20.sys
0xF7475000 KSecDD.sys
0xF7462000 WudfPf.sys
0xF73D5000 Ntfs.sys
0xF73A8000 NDIS.sys
0xF76B5000 RapportKELL.sys
0xF7B3D000 \WINDOWS\System32\Drivers\USBD.SYS
0xF738E000 Mup.sys
0xF7725000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xF7745000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF68A0000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xF688C000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF797D000 \SystemRoot\system32\DRIVERS\usbohci.sys
0xF6868000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF7985000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF7755000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF7765000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF7775000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF6845000 \SystemRoot\system32\DRIVERS\ks.sys
0xF7AF1000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0xF681D000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xF798D000 \SystemRoot\system32\DRIVERS\fdc.sys
0xF6809000 \SystemRoot\system32\DRIVERS\parport.sys
0xF7785000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF7995000 \SystemRoot\system32\DRIVERS\PS2.sys
0xF799D000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF67EB000 \SystemRoot\system32\DRIVERS\Rtnicxp.sys
0xF7D34000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF7795000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF7AFD000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF67D4000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF77A5000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF77B5000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF79A5000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF67C3000 \SystemRoot\system32\DRIVERS\psched.sys
0xF77C5000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF79AD000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF79B5000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF77D5000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF79BD000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF7B6D000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF6716000 \SystemRoot\system32\DRIVERS\update.sys
0xF7B09000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF77E5000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF7815000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF21D7000 \SystemRoot\system32\drivers\RtkHDAud.sys
0xF2113000 \SystemRoot\system32\drivers\portcls.sys
0xF7835000 \SystemRoot\system32\drivers\drmk.sys
0xF7B81000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7C4A000 \SystemRoot\System32\Drivers\Null.SYS
0xF7B83000 \SystemRoot\System32\Drivers\Beep.SYS
0xF79FD000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF7A05000 \SystemRoot\System32\drivers\vga.sys
0xF7B85000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7B87000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF7A0D000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF7A15000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF7AE9000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xF20B8000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xF205F000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xF2037000 \SystemRoot\system32\DRIVERS\netbt.sys
0xF2015000 \SystemRoot\System32\drivers\afd.sys
0xF7865000 \SystemRoot\system32\DRIVERS\netbios.sys
0xF7A1D000 \SystemRoot\system32\DRIVERS\ssmdrv.sys
0xF1FEA000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xF1F99000 \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys
0xF7885000 \??\C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\23945\RapportCerberus_23945.sys
0xF1F29000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF7895000 \SystemRoot\System32\Drivers\Fips.SYS
0xF1F03000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF78A5000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xF1EDD000 \SystemRoot\system32\DRIVERS\avipbb.sys
0xF7735000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xF7B8F000 \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys
0xF1E91000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xF7A25000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xF7A2D000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xF7A35000 \SystemRoot\system32\drivers\fnetthjm.sys
0xF6A0A000 \SystemRoot\system32\DRIVERS\usbscan.sys
0xF7A3D000 \SystemRoot\system32\DRIVERS\usbprint.sys
0xF210F000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xF6BBA000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xF2103000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xF20FB000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xF1E79000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF7BA5000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF7AD9000 \SystemRoot\System32\drivers\Dxapi.sys
0xF791D000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7C0D000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF051000 \SystemRoot\System32\ati2cqag.dll
0xBF08A000 \SystemRoot\System32\atikvmag.dll
0xBF0BF000 \SystemRoot\System32\ati3duag.dll
0xBF30C000 \SystemRoot\System32\ativvaxx.dll
0xBF39F000 \SystemRoot\System32\ATMFD.DLL
0xEFCA4000 \SystemRoot\system32\DRIVERS\avgntflt.sys
0xEFCE1000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xEF8A7000 \SystemRoot\system32\drivers\wdmaud.sys
0xEFA54000 \SystemRoot\system32\drivers\sysaudio.sys
0xEF8E4000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xEF8BC000 \??\C:\WINDOWS\system32\drivers\CDAC15BA.SYS
0xEF351000 \SystemRoot\system32\DRIVERS\srv.sys
0xEF018000 \SystemRoot\System32\Drivers\HTTP.sys
0xBA7D5000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 51):
0 System Idle Process
4 System
600 C:\WINDOWS\system32\smss.exe
812 csrss.exe
844 C:\WINDOWS\system32\winlogon.exe
920 C:\WINDOWS\system32\services.exe
932 C:\WINDOWS\system32\lsass.exe
1148 C:\WINDOWS\system32\ati2evxx.exe
1168 C:\WINDOWS\system32\svchost.exe
1484 svchost.exe
1596 C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
1728 C:\WINDOWS\system32\svchost.exe
1776 C:\WINDOWS\system32\svchost.exe
1940 svchost.exe
2000 svchost.exe
456 C:\WINDOWS\system32\ati2evxx.exe
532 C:\WINDOWS\explorer.exe
632 C:\WINDOWS\system32\spoolsv.exe
716 C:\Program Files\Avira\AntiVir Desktop\sched.exe
1740 C:\Program Files\Google\Update\1.2.183.39\GoogleCrashHandler.exe
1876 C:\WINDOWS\system\hpsysdrv.exe
1896 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
2020 C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
2044 C:\Program Files\Real\RealPlayer\Update\realsched.exe
172 C:\WINDOWS\RTHDCPL.EXE
200 C:\hp\KBD\kbd.exe
512 C:\Program Files\Common Files\Java\Java Update\jusched.exe
108 C:\Program Files\Avira\AntiVir Desktop\avguard.exe
816 C:\Program Files\Dell V105\dldnmsdmon.exe
1712 C:\Program Files\Java\jre6\bin\jqs.exe
1864 C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
292 C:\Program Files\Common Files\LightScribe\LSSrvc.exe
1584 C:\WINDOWS\system32\svchost.exe
1468 C:\WINDOWS\system32\svchost.exe
1688 C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
3196 alg.exe
3764 C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
3284 C:\Documents and Settings\Compaq_Owner\Desktop\MBRCheck.exe
2824 <unknown>
3568 <unknown>
3552 <unknown>
3576 <unknown>
3336 <unknown>
3796 <unknown>
3208 <unknown>
1824 <unknown>
2872 <unknown>
4016 <unknown>
2848 <unknown>
3784 <unknown>
2052 <unknown>

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000001`7fe09e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (FAT32)
\\.\F: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)
\\.\K: --> \\.\PhysicalDrive6 at offset 0x00000000`00007e00 (FAT32)

PhysicalDrive0 Model Number: SAMSUNGSP0802N/R, Rev: TK200-04
PhysicalDrive1 Model Number: Maxtor6Y080L0, Rev: YAR41BW0
PhysicalDrive6 Model Number: SAMSUNGHM250HI, Rev:

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: 1C9AC180E7F9DF3A77948109B434CFCF0B4BF97E
76 GB \\.\PhysicalDrive1 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
232 GB \\.\PhysicalDrive6 RE: Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!

#8 m0le


    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 06 March 2011 - 08:16 PM

Please do the following:

Run MBRCheck again

When prompted, Enter 'Y' and hit ENTER for more options
When you see: "Enter your choice: Enter the physical disk number to dump (0-99, -1 to exit):"

Enter 0 to dump the MBR to the physical disk.

Name the dumped file as dump0.dat

Enter -1 to exit.

Please then locate the files and visit this site and follow the instructions for uploading the file.
m0le is a proud member of UNITE
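For readers following along, here is what a dump like the requested dump0.dat contains and how the "MBR Status" column and the Gmer "user != kernel MBR" line can be reproduced on a defender's own baseline. This is an added example written for this thread; it is not code from the thread, from MBRCheck or from Gmer's tools. It assumes a raw 512-byte sector image, hashes the boot-code bytes 0..439 (an assumption: the page does not state which byte range MBRCheck's SHA1 covers), uses the Windows XP boot-code SHA1 reported in the MBRCheck log above as the single baseline entry, and builds its own sample sector (zero-filled boot code, one NTFS partition sized from the Gmer sector count above) rather than reading a real disk.

```python
"""Parse and hash a 512-byte MBR dump (like dump0.dat) and compare a user-mode
read with a kernel-mode read of the same sector. Added example, not the
thread's or MBRCheck's own code."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_END = 440      # assumption: hash bytes 0..439 (boot code before the disk signature)
PART_TABLE_OFFSET = 446  # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"

# Baseline of boot-code hashes the operator trusts. The one entry is the SHA1
# MBRCheck reported as "Windows XP MBR code" for PhysicalDrive1 in the log above;
# it is an ASSUMPTION that MBRCheck hashes the same byte range this script does.
KNOWN_BOOT_CODE_SHA1 = {
    "DA38B874B7713D1B51CBC449F4EF809B0DEC644A": "Windows XP MBR code (from the thread's MBRCheck log)",
}


def build_sample_mbr():
    """Constructed sample standing in for dump0.dat: zero-filled boot code
    (deliberately NOT real boot code), one bootable NTFS partition, valid signature."""
    mbr = bytearray(SECTOR_SIZE)
    # status 0x80 = bootable, CHS fields are placeholders, type 0x07 = NTFS,
    # LBA start 63, length taken from the sector count in the Gmer output above
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 156368014)
    mbr[PART_TABLE_OFFSET:PART_TABLE_OFFSET + 16] = entry
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


def parse_mbr(sector):
    """Return hashes, the boot-signature check and the non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR dump must be exactly 512 bytes, got %d" % len(sector))
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, _chs1, ptype, _chs2, lba_start, n_sectors = struct.unpack("<B3sB3sII", sector[off:off + 16])
        if ptype == 0:
            continue  # empty slot
        partitions.append({
            "slot": i, "bootable": status == 0x80, "type": ptype,
            "lba_start": lba_start, "sectors": n_sectors,
        })
    boot_sha1 = hashlib.sha1(sector[:BOOT_CODE_END]).hexdigest().upper()
    return {
        "sector_sha1": hashlib.sha1(sector).hexdigest().upper(),
        "boot_code_sha1": boot_sha1,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "partitions": partitions,
        "boot_code": KNOWN_BOOT_CODE_SHA1.get(boot_sha1, "Unknown MBR code"),
    }


def compare_reads(user_read, kernel_read):
    """Byte offsets where a user-mode and a kernel-mode read of one sector differ.
    A non-empty list is the condition Gmer prints as 'user != kernel MBR'."""
    return [i for i, (a, b) in enumerate(zip(user_read, kernel_read)) if a != b]


def triage(user_read, kernel_read):
    """Collect the checks a responder wants before deciding whether to rewrite the MBR."""
    info = parse_mbr(user_read)
    diff = compare_reads(user_read, kernel_read)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code"] == "Unknown MBR code":
        findings.append("boot code hash not in baseline")
    if diff:
        findings.append("user/kernel reads differ at %d byte(s), first at offset %d" % (len(diff), diff[0]))
    return {"info": info, "diff_offsets": diff, "findings": findings}


if __name__ == "__main__":
    user = build_sample_mbr()
    # Simulate the mismatch a sector-filtering rootkit produces: the kernel-level
    # read returns different boot-code bytes than the user-level read.
    kernel = bytearray(user)
    kernel[0:3] = b"\xeb\x3c\x90"
    result = triage(user, bytes(kernel))
    for f in result["findings"]:
        print("FINDING:", f)
    for p in result["info"]["partitions"]:
        print("slot %d: type 0x%02x, start LBA %d, %d sectors" % (p["slot"], p["type"], p["lba_start"], p["sectors"]))
```

The point of keeping a hash baseline is that "Unknown MBR code" on its own only means the boot code is not one the tool recognises (OEM recovery loaders and boot managers also trigger it); it is the combination with a user/kernel read mismatch, as in the Gmer output above, that points at something filtering disk reads, which is why the helper asks for a raw dump rather than acting on the status column alone.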

#9 joolz_red

  • Topic Starter

  • Members
  • 14 posts

Posted 07 March 2011 - 06:55 AM

Mysterious! Does this mean I'm the proud(!) owner of some new wild malware?

Thanks so much for the walkthrough of the tech stuff so far, m0le :)

I think I uploaded the file successfully though it looks like it was saved as a media file? (the icon was the same as an mp3 file)

Edited by joolz_red, 07 March 2011 - 07:01 AM.


#10 m0le


    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 07 March 2011 - 11:17 AM

No, don't panic. Can you please run BitDefender now?

Please run a BitDefender QuickScan
  • Click Start Scanner
  • Click Start Scan

    If you are running Firefox you should accept the installation of the Plug-in and restart Firefox
    If you are running Internet Explorer then allow the ActiveX control to install when prompted.


  • Click Start Scan
  • Check the I ACCEPT box on the EULA and click OK
When the scan has finished (it should take about a minute), click View Log and copy and paste the log into your next reply.
m0le is a proud member of UNITE

#11 joolz_red

  • Topic Starter

  • Members
  • 14 posts

Posted 07 March 2011 - 11:30 AM

Thanks m0le :)

BD log:



QuickScan Beta 32-bit v0.9.9.77
-------------------------------
Scan date: Mon Mar 07 16:27:00 2011
Machine ID: 94A5318C



No infection found.
-------------------



Processes
---------
(unsigned) ATI Desktop Component 1460 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
(unsigned) Hewlett-Packard Company KBD EXE 1776 C:\hp\KBD\kbd.exe
(unsigned) hpsysdrv 1436 C:\WINDOWS\system\hpsysdrv.exe
(unsigned) LightScribe 1440 C:\Program Files\Common Files\LightScribe\LSSrvc.exe

(verified) AntiVir Desktop 1576 C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
(verified) AntiVir Desktop 1860 C:\Program Files\Avira\AntiVir Desktop\avguard.exe
(verified) AntiVir Desktop 1344 C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
(verified) AntiVir Desktop 764 C:\Program Files\Avira\AntiVir Desktop\sched.exe
(verified) ATI External Event Utility for WindowsN 456 C:\WINDOWS\system32\ati2evxx.exe
(verified) ATI External Event Utility for WindowsN 1144 C:\WINDOWS\system32\ati2evxx.exe
(verified) Google Chrome 212 C:\Program Files\Google\Chrome\Application\chrome.exe
(verified) Google Chrome 5896 C:\Program Files\Google\Chrome\Application\chrome.exe
(verified) Google Chrome 4440 C:\Program Files\Google\Chrome\Application\chrome.exe
(verified) Google Chrome 4372 C:\Program Files\Google\Chrome\Application\chrome.exe
(verified) Google Chrome 2772 C:\Program Files\Google\Chrome\Application\chrome.exe
(verified) Google Chrome 2476 C:\Program Files\Google\Chrome\Application\chrome.exe
(verified) Google Update 1532 C:\Program Files\Google\Update\1.2.183.39\GoogleCrashHandler.exe
(verified) Java™ Platform SE 6 U24 760 C:\Program Files\Java\jre6\bin\jqs.exe
(verified) Java™ Platform SE Auto Updater 2 0 612 C:\Program Files\Common Files\Java\Java Update\jusched.exe
(verified) Microsoft® Windows Media Player 3208 C:\Program Files\Windows Media Player\wmplayer.exe
(verified) Microsoft® Windows® Operating System 528 C:\WINDOWS\explorer.exe
(verified) Microsoft® Windows® Operating System 2780 C:\WINDOWS\system32\alg.exe
(verified) Microsoft® Windows® Operating System 804 C:\WINDOWS\system32\csrss.exe
(verified) Microsoft® Windows® Operating System 3500 C:\WINDOWS\system32\ctfmon.exe
(verified) Microsoft® Windows® Operating System 944 C:\WINDOWS\system32\lsass.exe
(verified) Microsoft® Windows® Operating System 932 C:\WINDOWS\system32\services.exe
(verified) Microsoft® Windows® Operating System 596 C:\WINDOWS\system32\smss.exe
(verified) Microsoft® Windows® Operating System 672 C:\WINDOWS\system32\spoolsv.exe
(verified) Microsoft® Windows® Operating System 1496 C:\WINDOWS\system32\svchost.exe
(verified) Microsoft® Windows® Operating System 1320 C:\WINDOWS\system32\svchost.exe
(verified) Microsoft® Windows® Operating System 1172 C:\WINDOWS\system32\svchost.exe
(verified) Microsoft® Windows® Operating System 1744 C:\WINDOWS\system32\svchost.exe
(verified) Microsoft® Windows® Operating System 1784 C:\WINDOWS\system32\svchost.exe
(verified) Microsoft® Windows® Operating System 1924 C:\WINDOWS\system32\svchost.exe
(verified) Microsoft® Windows® Operating System 2012 C:\WINDOWS\system32\svchost.exe
(verified) Microsoft® Windows® Operating System 1256 C:\WINDOWS\system32\svchost.exe
(verified) Microsoft® Windows® Operating System 840 C:\WINDOWS\system32\winlogon.exe
(verified) Printer Card Transfer Monitor 424 C:\Program Files\Dell V105\dldnmsdmon.exe
(verified) Rapport 1588 C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
(verified) Rapport 1008 C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
(verified) RealPlayer (32-bit) 1664 C:\Program Files\Real\RealPlayer\Update\realsched.exe
(verified) Realtek HD Audio Sound Effect Manager 1672 C:\WINDOWS\RTHDCPL.EXE
(verified) Yahoo! AutoUpdater 1352 C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe


Network activity
----------------
Process chrome.exe (2476) connected on port 443 (HTTP over SSL) --> 209.85.229.83
Process chrome.exe (2476) connected on port 80 (HTTP) --> 209.85.143.148
Process chrome.exe (2476) connected on port 80 (HTTP) --> 64.233.183.101
Process chrome.exe (2476) connected on port 80 (HTTP) --> 66.102.13.138
Process chrome.exe (2476) connected on port 443 (HTTP over SSL) --> 74.125.230.124
Process chrome.exe (2476) connected on port 80 (HTTP) --> 88.221.84.10
Process chrome.exe (2476) connected on port 80 (HTTP) --> 66.102.13.101
Process chrome.exe (2476) connected on port 80 (HTTP) --> 88.221.84.56
Process chrome.exe (2476) connected on port 80 (HTTP) --> 74.125.230.155
Process chrome.exe (2476) connected on port 80 (HTTP) --> 74.125.230.155
Process chrome.exe (2476) connected on port 80 (HTTP) --> 74.125.230.155
Process chrome.exe (2476) connected on port 80 (HTTP) --> 74.125.230.155
Process chrome.exe (2476) connected on port 80 (HTTP) --> 88.221.84.11
Process chrome.exe (2476) connected on port 80 (HTTP) --> 88.221.84.56
Process chrome.exe (2476) connected on port 80 (HTTP) --> 88.221.84.56
Process chrome.exe (2476) connected on port 80 (HTTP) --> 88.221.84.56
Process chrome.exe (2476) connected on port 80 (HTTP) --> 88.221.84.56
Process chrome.exe (2476) connected on port 80 (HTTP) --> 88.221.84.56
Process chrome.exe (2476) connected on port 80 (HTTP) --> 88.221.84.56
Process chrome.exe (2476) connected on port 80 (HTTP) --> 88.221.84.73
Process chrome.exe (2476) connected on port 443 (HTTP over SSL) --> 74.125.79.101
Process chrome.exe (2476) connected on port 443 (HTTP over SSL) --> 74.125.77.132
Process chrome.exe (2476) connected on port 80 (HTTP) --> 74.125.77.101
Process chrome.exe (2476) connected on port 443 (HTTP over SSL) --> 66.102.13.101
Process chrome.exe (2476) connected on port 80 (HTTP) --> 69.63.190.10
Process chrome.exe (2476) connected on port 80 (HTTP) --> 74.125.43.139
Process chrome.exe (4440) connected on port 80 (HTTP) --> 199.7.52.190
Process chrome.exe (4440) connected on port 80 (HTTP) --> 199.7.48.190
Process chrome.exe (4440) connected on port 80 (HTTP) --> 88.221.84.73
Process chrome.exe (4440) connected on port 80 (HTTP) --> 199.7.51.190

Process svchost.exe (1496) listens on ports: 135 (RPC)


Autoruns and critical files
---------------------------
(unsigned) ATI Desktop Component C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
(unsigned) Hewlett-Packard Company KBD EXE C:\hp\KBD\kbd.exe
(unsigned) hpsysdrv C:\WINDOWS\system\hpsysdrv.exe
(unsigned) Recguard Application C:\WINDOWS\SMINST\RECGUARD.EXE

(verified) Adobe Acrobat C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
(verified) Adobe Reader and Acrobat Manager C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(verified) AntiVir Desktop C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
(verified) ATI External Event Utility for NT, W2K C:\WINDOWS\system32\ati2evxx.dll
(verified) dldnamon.exe C:\Program Files\Dell V105\dldnamon.exe
(verified) Flash® Player Installer/Uninstaller C:\WINDOWS\system32\Macromed\Flash\FlashUtil10m_ActiveX.exe
(verified) Google Update C:\Program Files\Google\Update\GoogleUpdate.exe
(verified) Google Updater C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
(verified) Java™ Platform SE Auto Updater 2 0 C:\Program Files\Common Files\Java\Java Update\jusched.exe
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\browseui.dll
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\crypt32.dll
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\cryptnet.dll
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\cscdll.dll
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\ctfmon.exe
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\dimsntfy.dll
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\logon.scr
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\logonui.exe
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\sclgntfy.dll
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\shell32.dll
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\stobject.dll
(verified) Microsoft® Windows® Operating System c:\windows\system32\userinit.exe
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\wlnotify.dll
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\WPDShServiceObj.dll
(verified) Printer Device Monitor C:\Program Files\Dell V105\dldnmon.exe
(verified) RealPlayer (32-bit) C:\Program Files\Real\RealPlayer\Update\realsched.exe
(verified) Realtek HD Audio Sound Effect Manager C:\WINDOWS\RTHDCPL.EXE
(verified) RealUpgrade C:\Program Files\Real\RealUpgrade\realupgrade.exe
(verified) Windows® Internet Explorer C:\WINDOWS\system32\msfeedssync.exe
(verified) Windows® Internet Explorer C:\WINDOWS\system32\webcheck.dll


Browser plugins
---------------
(unsigned) Google Earth Plugin C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll
(unsigned) Java™ Platform SE 6 U24 C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
(unsigned) QuickTime Plug-in 7.6.8 C:\Program Files\Internet Explorer\plugins\npqtplugin.dll
(unsigned) QuickTime Plug-in 7.6.8 C:\Program Files\Internet Explorer\plugins\npqtplugin2.dll
(unsigned) QuickTime Plug-in 7.6.8 C:\Program Files\Internet Explorer\plugins\npqtplugin3.dll
(unsigned) QuickTime Plug-in 7.6.8 C:\Program Files\Internet Explorer\plugins\npqtplugin4.dll
(unsigned) QuickTime Plug-in 7.6.8 C:\Program Files\Internet Explorer\plugins\npqtplugin5.dll
(unsigned) QuickTime Plug-in 7.6.8 C:\Program Files\Internet Explorer\plugins\npqtplugin6.dll
(unsigned) QuickTime Plug-in 7.6.8 C:\Program Files\Internet Explorer\plugins\npqtplugin7.dll
(unsigned) RealJukebox NS Plugin c:\program files\real\realplayer\Netscape6\nprjplug.dll
(unsigned) RealPlayer Version Plugin c:\program files\real\realplayer\Netscape6\nprpjplug.dll
(unsigned) RealPlayer™ HTML5VideoShim Plug-In ( C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll

(verified) AcroIEHelperShim Library c:\program files\common files\adobe\acrobat\activex\acroiehelpershim.dll
(verified) Adobe Acrobat C:\Program Files\Internet Explorer\plugins\nppdf32.dll
(verified) Adobe® Flash® Player ActiveX C:\WINDOWS\Downloaded Program Files\FP_AX_CAB_INSTALLER.exe
(verified) BitDefender QuickScan C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pdnkcidphdcakpkheohlhocaicfamjie\0.9.9.77_0\npqscan.dll
(verified) DivX Player Netscape Plugin C:\Program Files\DivX\DivX Player\npDivxPlayerPlugin.dll
(verified) DivX Web Player C:\Program Files\DivX\DivX Web Player\npdivx32.dll
(verified) Google Update C:\Program Files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
(verified) Google Updater C:\Program Files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
(verified) HPDEXAXO C:\WINDOWS\Downloaded Program Files\HPDEXAXO.dll
(verified) Java™ Platform SE 6 U24 c:\program files\java\jre6\bin\jp2ssv.dll
(verified) Java™ Platform SE 6 U24 c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
(verified) Microsoft Support Diagnostic Tool C:\WINDOWS\Downloaded Program Files\MSDCode.DLL
(verified) Microsoft® Windows® Operating System C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\mswsock.dll
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\rsvpsp.dll
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\winrnr.dll
(verified) MSN Photo Upload Control C:\WINDOWS\Downloaded Program Files\PURen-gb.dll
(verified) NPSWF32.dll C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
(verified) RealPlayer™ G2 LiveConnect-Enabled P c:\program files\real\realplayer\Netscape6\nppl3260.dll
(verified) Windows Presentation Foundation C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
(verified) Windows® Internet Explorer C:\WINDOWS\system32\ieframe.dll
(verified) Yahoo Application State Plugin C:\Program Files\Yahoo!\Shared\npYState.dll


Missing files
-------------
File not found: C:\WINDOWS\System32\appmgmts.dll
--> HKLM\System\ControlSet001\services\AppMgmt\Parameters\"ServiceDll"


Scan
----


No file uploaded.

Scan finished - communication took 8 sec
Total traffic - 0.05 MB sent, 1.29 KB recvd
Scanned 1140 files and modules - 170 seconds

==============================================================================
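As an added example (not part of the thread and not the scanner's own code), this PowerShell reproduces the "Missing files" check shown in the log above: it walks every service's ServiceDll value and reports those that point at a file no longer on disk, which is how the appmgmts.dll entry was flagged. It assumes the live CurrentControlSet rather than the ControlSet001 key named in the log, and PowerShell 2.0 or later.

```powershell
# Added example: find services whose ServiceDll registry value names a file
# that does not exist. A stale value is common residue after malware removal;
# an existing but unexpected DLL here is a separate thing to check by hand.
# Assumption: the live CurrentControlSet (the log used ControlSet001).
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-MissingServiceDll {
    param([string]$ServicesKey = $servicesKey)

    Get-ChildItem -Path $ServicesKey -ErrorAction SilentlyContinue | ForEach-Object {
        $paramsKey = Join-Path $_.PSPath 'Parameters'
        if (-not (Test-Path -LiteralPath $paramsKey)) { return }

        # Read the value unexpanded so a REG_EXPAND_SZ such as
        # %SystemRoot%\System32\foo.dll is reported as the registry stores it.
        $item = Get-Item -LiteralPath $paramsKey
        $raw  = $item.GetValue('ServiceDll', $null,
                    [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
        if (-not $raw) { return }

        $expanded = [Environment]::ExpandEnvironmentVariables($raw)
        # On 64-bit Windows run this from 64-bit PowerShell, or WoW64 file
        # redirection can make a present System32 DLL look missing.
        if (-not (Test-Path -LiteralPath $expanded -PathType Leaf)) {
            New-Object PSObject -Property @{
                Service     = $_.PSChildName
                ServiceDll  = $raw
                Expanded    = $expanded
                RegistryKey = "$($item.Name)\ServiceDll"
            }
        }
    }
}

# Print in the same shape as the log's "Missing files" section.
Get-MissingServiceDll | ForEach-Object {
    "File not found: $($_.Expanded)"
    "--> $($_.RegistryKey)"
}
```

A hit here is a lead, not a verdict: confirm with the service's description and the file's expected origin before deleting or recreating anything.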

#12 m0le
Malware Response Team, London, UK

Posted 07 March 2011 - 11:40 AM

Looking good, joolz_red :thumbup2:

How has the machine been running during these scans?
m0le is a proud member of UNITE

#13 joolz_red (Topic Starter)

Posted 07 March 2011 - 12:16 PM

It's been fine - a bit slow but that's normal for my OAP PC!

Only thing that's cropped up is that my Dell v105 printer has gone AWOL as far as the PC is concerned :( think I might have to reinstall it.

#14 m0le
Malware Response Team, London, UK

Posted 07 March 2011 - 01:13 PM

Reinstalling it should solve the communication difficulties :thumbup2:

In that case...

You're clean. Good stuff! :thumbup2:

Let's do some clearing up

Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
    (For Vista/Windows 7 please click Start -> All Programs -> Accessories -> Run)
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between "Combofix" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything associated with it.


We Need to Clean Up our Mess
Download and Run OTC

We will now remove the tools we used during this fix using OTC.

  • Download OTC by OldTimer and save it to your desktop.
  • Double click the OTC icon to start the program. If you are using Vista, please right-click and choose Run as administrator.
  • Then click the big CleanUp! button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.
------------------------------------------------------------------------------------------------------------------------

Here's some advice on how you can keep your PC clean


Use and update your AntiVirus Software

You must have a good antivirus. There are plenty to choose from but I personally recommend the free options of Avast and Avira Antivir. If you want to purchase a security program then I recommend any of the following: AVG, Norton, McAfee, Kaspersky and ESET Nod32.

It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

Use this next program to check for updates for programs already on your system. Download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically; make sure that updates for any programs that are flagged are carried out as soon as possible.

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version or the Pro version for a 15 day trial period.

Installing this or another recommended program will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis, just as you would with antivirus software.


Finally, here's a treasure trove of antivirus, antimalware and antispyware resources


That's it joolz_red, happy surfing!

Cheers.

m0le
m0le is a proud member of UNITE

#15 joolz_red (Topic Starter)

Posted 07 March 2011 - 06:08 PM

You're clean. Good stuff! :thumbup2:


:thumbsup: ace! Thanks for the confirmation - it's the first time in 13 years I've been caught on the hop by nasties and hopefully not again for a good long time.

Really appreciated your help m0le.

The moral of my story - learn how to create guest accounts on my PC so other users don't let the blue meanies in on my admin acct!

(I've sent a little something to molefix, just wish it could be much more but I live with disabilities and everything is tight - am so glad the computer is well again as it's my conduit for practicalities like shopping so thanks Mr M0le!)

Edited by joolz_red, 07 March 2011 - 06:17 PM.