
Maybe infected with Win32:Hupigon-ONX [Trj]


This topic is locked
14 replies to this topic

#1 English Teacher

English Teacher

  • Members
  • 198 posts
  • OFFLINE
  • Gender:Male
  • Location:Salerno, Italy
  • Local time:05:54 AM

Posted 24 March 2011 - 08:52 AM

Hi,

I have been told to come here by cryptodan in the following thread.

www.bleepingcomputer.com/forums/topic386369.html

As you can see I had a problem with AVAST detecting Win32:Hupigon-ONX[Trj] in 3 MP3s. These were sent to Avira where only one was detected, but they said this about it: "The file has been determined to be 'DAMAGED FILE (MALWARE)'. In particular this means that this file is damaged and not working properly. Nevertheless we were able to determine that it contains malicious code fragments."
As for the third file, that also came back clean.
I have run the following scans: MBAM = CLEAN, SuperantiSpyware = 2 cookies from a trusted website, AVAST = CLEAN and also Windows Defender = CLEAN. The scans were run as FULL scans with everything being scanned.

I have run CCLEANER (I'm sorry to say, it deleted all my web browsing and yes I had unchecked the History tab. No chance of getting that back again I suppose.)

I have deactivated my virtual drive and disconnected my external drive.

As for the Firewall, it has blocked these strange IPs 239.255.255.250 and 255.255.255.255 caused by "svchost.exe"

Is there anything else I can do to check the security?

Below is the DDS.txt (it was too big to attach.) and attached is the "Attach" log. NB The "ARK" log was too big to attach. Shall I post it?

Thanks a lot.

Windows XP Pro SP3, Pent 4, 3 Ghz, 512MB RAM (Yes I know not a lot!!)
Firewall: Comodo 5.3.181415.1237
Anti-Virus: AVAST 6.0.1000
Other Security: MBAM 1.50.1.1100 , SUPERAntiSpyware 4.49.1000 , SpywareBlaster 4.4 and recently added Windows Defender Windows Defender Version: 1.1.1593.0 Engine Version: 1.1.6603.0 Definition Version: 1.99.1684.0.

DDS LOG

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Andy at 12:01:31.31 on 24/03/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.511.154 [GMT 1:00]
.
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: COMODO Firewall *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Programmi\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Programmi\Windows Defender\MsMpEng.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programmi\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Programmi\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Programmi\File comuni\Acronis\Schedule2\schedhlp.exe
C:\Programmi\Windows Defender\MSASCui.exe
C:\Programmi\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Programmi\COMODO\COMODO Internet Security\cfp.exe
C:\Programmi\Alwil Software\Avast5\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Secunia\PSI\psi_tray.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\File comuni\Acronis\Schedule2\schedul2.exe
C:\Programmi\File comuni\Acronis\CDP\afcdpsrv.exe
C:\Programmi\Java\jre6\bin\jqs.exe
C:\Programmi\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Programmi\Secunia\PSI\PSIA.exe
C:\Programmi\Secunia\PSI\sua.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Programmi\TuneUp Utilities 2011\TuneUpUtilitiesService32.exe
C:\Programmi\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Programmi\TuneUp Utilities 2011\TuneUpUtilitiesApp32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Andy\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uWindow Title = Microsoft Internet Explorer
mDefault_Page_URL = hxxp://uk.yahoo.com
mStart Page = hxxp://uk.yahoo.com
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - c:\programmi\canon\easy-webprint\EWPBrowseLoader.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\programmi\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\programmi\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\programmi\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\programmi\canon\easy-webprint\Toolband.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SpeedTouch USB Diagnostics] "c:\programmi\thomson\speedtouch usb\Dragdiag.exe" /icon
mRun: [TrueImageMonitor.exe] c:\programmi\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\programmi\file comuni\acronis\schedule2\schedhlp.exe"
mRun: [Windows Defender] "c:\programmi\windows defender\MSASCui.exe" -hide
mRun: [Malwarebytes' Anti-Malware] "c:\programmi\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [COMODO Internet Security] "c:\programmi\comodo\comodo internet security\cfp.exe" -h
mRun: [avast5] "c:\programmi\alwil software\avast5\avastUI.exe" /nogui
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\menuav~1\progra~1\esecuz~1\secuni~1.lnk - c:\programmi\secunia\psi\psi_tray.exe
IE: Aggiungi all'elenco di stampa Easy-WebPrint - c:\programmi\canon\easy-webprint\Toolband.dll/RC_AddToList.html
IE: Anteprima Easy-WebPrint - c:\programmi\canon\easy-webprint\Toolband.dll/RC_Preview.html
IE: E&sporta in Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Stampa ad alta velocità Easy-WebPrint - c:\programmi\canon\easy-webprint\Toolband.dll/RC_HSPrint.html
IE: Stampa Easy-WebPrint - c:\programmi\canon\easy-webprint\Toolband.dll/RC_Print.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\programmi\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: secunia.com
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/betapit/PCPitStop.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game.zylom.com/activex/zylomgamesplayer.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\programmi\belarc\advisor\system\BAVoilaX.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\programmi\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\fileco~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\programmi\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\windows\system32\guard32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\programmi\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\andy\datiap~1\mozilla\firefox\profiles\usili4s2.default\
FF - prefs.js: browser.search.defaulturl - hxxp://uk.search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.startup.homepage - hxxp://uk.yahoo.com
FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?ourmark=1&ei=utf-8&fr=chr-nectar&slv8-&type=61465&p=
FF - component: c:\documents and settings\andy\dati applicazioni\mozilla\firefox\profiles\usili4s2.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\andy\dati applicazioni\mozilla\firefox\profiles\usili4s2.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
FF - component: c:\documents and settings\andy\dati applicazioni\mozilla\firefox\profiles\usili4s2.default\extensions\dttoolbar@toolbarnet.com\components\DTToolbarFF.dll
FF - component: c:\programmi\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - plugin: c:\documents and settings\andy\dati applicazioni\mozilla\firefox\profiles\usili4s2.default\extensions\ietab@ip.cn\plugins\npCoralIETab.dll
FF - plugin: c:\programmi\foxit software\foxit reader\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\programmi\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\programmi\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\programmi\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\programmi\mozilla firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\programmi\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: DAEMON Tools Toolbar: DTToolbar@toolbarnet.com - %profile%\extensions\DTToolbar@toolbarnet.com
FF - Ext: FoxyProxy Standard: foxyproxy-basic@eric.h.jung - %profile%\extensions\foxyproxy-basic@eric.h.jung
FF - Ext: FoxyProxy Basic: foxyproxy-basic@eric.h.jung - %profile%\extensions\foxyproxy-basic@eric.h.jung
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Nectar Search Toolbar: {841468a1-d7f4-4bd3-84e6-bb0f13a06c64} - %profile%\extensions\{841468a1-d7f4-4bd3-84e6-bb0f13a06c64}
FF - Ext: SearchPreview: {EF522540-89F5-46b9-B6FE-1829E2B572C6} - %profile%\extensions\{EF522540-89F5-46b9-B6FE-1829E2B572C6}
FF - Ext: VTzilla: vtzilla@virustotal.com - %profile%\extensions\vtzilla@virustotal.com
FF - Ext: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - %profile%\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\programmi\java\jre6\lib\deploy\jqs\ff
.
---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.notify.interval - 600000
FF - user.js: content.switch.threshold - 600000
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: yahoo.homepage.dontask - true
.
============= SERVICES / DRIVERS ===============
.
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2011-2-9 28552]
R0 tdrpman258;Acronis Try&Decide and Restore Points filter (build 258);c:\windows\system32\drivers\tdrpm258.sys [2010-11-16 911680]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-2-13 371544]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-2-12 301528]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2010-9-10 239368]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2010-9-10 27576]
R1 SASDIFSV;SASDIFSV;c:\programmi\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\programmi\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 afcdpsrv;Acronis Nonstop Backup service;c:\programmi\file comuni\acronis\cdp\afcdpsrv.exe [2010-11-16 2480048]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-2-12 19544]
R2 avast! Antivirus;avast! Antivirus;c:\programmi\alwil software\avast5\AvastSvc.exe [2011-2-12 42184]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\programmi\comodo\comodo internet security\cmdagent.exe [2010-9-10 1803224]
R2 MBAMService;MBAMService;c:\programmi\malwarebytes' anti-malware\mbamservice.exe [2010-12-12 363344]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\programmi\secunia\psi\psia.exe --start-service --> c:\programmi\secunia\psi\PSIA.exe --start-service [?]
R2 Secunia Update Agent;Secunia Update Agent;c:\programmi\secunia\psi\sua.exe --start-service --> c:\programmi\secunia\psi\sua.exe --start-service [?]
R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\programmi\tuneup utilities 2011\TuneUpUtilitiesService32.exe [2011-2-18 1517376]
R2 WinDefend;Windows Defender;c:\programmi\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 afcdp;afcdp;c:\windows\system32\drivers\afcdp.sys [2010-11-16 160704]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-12-12 20952]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\programmi\tuneup utilities 2011\TuneUpUtilitiesDriver32.sys [2010-11-29 10064]
S2 gupdate;Google Update Service (gupdate);c:\programmi\google\update\GoogleUpdate.exe [2010-12-24 136176]
S3 MobileAdapter;Mobile Adapter USB Modem and USB Serial;c:\windows\system32\drivers\qscvusb.sys [2011-1-22 103552]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
.
=============== Created Last 30 ================
.
2011-03-24 10:01:58 -------- d-----w- c:\programmi\CCleaner
2011-03-23 08:49:08 5943120 ----a-w- c:\docume~1\alluse~1\datiap~1\microsoft\windows defender\definition updates\{023fd866-f18d-4608-9093-7715eed5e1b5}\mpengine.dll
2011-03-19 16:42:41 -------- d-----w- c:\docume~1\andy\datiap~1\f-secure
2011-03-19 16:39:58 -------- d-----w- c:\docume~1\alluse~1\datiap~1\F-Secure
2011-03-19 13:06:52 29504 ----a-w- c:\windows\system32\uxtuneup.dll
2011-03-07 16:11:44 -------- d-----w- c:\programmi\DAEMON Tools Lite
2011-03-01 22:13:15 -------- d-----w- c:\docume~1\andy\datiap~1\PrimoPDF
2011-03-01 22:08:17 176235 ----a-w- c:\windows\system32\Primomonnt.dll
2011-03-01 22:07:44 -------- d-----w- c:\programmi\Nitro PDF
2011-02-27 09:33:46 3840 ----a-w- c:\windows\system32\drivers\BANTExt.sys
2011-02-27 09:33:46 -------- d-----w- c:\programmi\Belarc
2011-02-26 16:00:13 -------- d-----w- c:\programmi\SUPERAntiSpyware
2011-02-26 15:11:58 -------- d-----w- c:\docume~1\andy\impost~1\datiap~1\Identities
2011-02-24 10:20:53 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-23 17:18:23 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-02-23 17:18:23 -------- d-----w- c:\windows\system32\wbem\Repository
.
==================== Find3M ====================
.
2011-02-24 10:18:00 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-23 15:04:21 40648 ----a-w- c:\windows\avastSS.scr
2011-02-18 12:20:04 31552 ----a-w- c:\windows\system32\TURegOpt.exe
2011-02-09 13:54:04 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:54:04 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 16:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-02-02 07:58:58 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:08 440832 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-20 22:05:20 0 ----a-w- c:\windows\VDM1AE.tmp
2011-01-20 22:02:50 0 ----a-w- c:\windows\VDM1AC.tmp
2011-01-20 22:01:17 0 ----a-w- c:\windows\VDM1AB.tmp
2011-01-20 22:01:17 0 ----a-w- c:\windows\VDM1AA.tmp
2011-01-20 22:00:38 0 ----a-w- c:\windows\VDM1A9.tmp
2011-01-20 21:56:44 0 ----a-w- c:\windows\VDM1A8.tmp
2011-01-20 21:56:44 0 ----a-w- c:\windows\VDM1A7.tmp
2011-01-20 21:56:38 0 ----a-w- c:\windows\VDM1A5.tmp
2011-01-20 21:55:56 0 ----a-w- c:\windows\VDM1A3.tmp
2011-01-12 08:15:07 285480 ----a-w- c:\windows\system32\guard32.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 14:04:16 1854976 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 12:04:31.17 ===============

Edited by English Teacher, 24 March 2011 - 08:53 AM.

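The DDS log and the firewall question in the post above are normally read by hand. As an added example (not code from the post, from BleepingComputer or from the DDS tool), the Python script below parses the section structure of a DDS log, flags the entries a malware-response reviewer checks first (a process listed without a full path, "No File" orphan registry entries, anything in AppInit_DLLs, and service files DDS could not verify, marked "[?]"), and classifies destination addresses of the kind Comodo reported as blocked. The log excerpt is copied from the log above; the heuristics, function names and category labels are my own choices.

```python
"""Triage helpers for a DDS log and for firewall-blocked destination addresses."""
import ipaddress
import re

# Short excerpt copied from the DDS log posted in this thread (not the full log).
DDS_EXCERPT = r"""
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\Programmi\COMODO\COMODO Internet Security\cmdagent.exe
.
============== Pseudo HJT Report ===============
.
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\programmi\skype\toolbars\internet explorer\skypeieplugin.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
AppInit_DLLs: c:\windows\system32\guard32.dll
.
============= SERVICES / DRIVERS ===============
.
R2 Secunia PSI Agent;Secunia PSI Agent;c:\programmi\secunia\psi\psia.exe --start-service --> c:\programmi\secunia\psi\PSIA.exe --start-service [?]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-12-12 20952]
"""

# DDS separates sections with lines such as "===== Running Processes =====".
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")


def parse_sections(text):
    """Split a DDS log into {section name: [entry lines]}, dropping the '.' spacer lines."""
    sections = {}
    current = None
    for line in text.splitlines():
        match = SECTION_RE.match(line.strip())
        if match:
            current = match.group(1)
            sections[current] = []
        elif current is not None and line.strip() not in ("", "."):
            sections[current].append(line.rstrip())
    return sections


def triage_dds(text):
    """Return (category, entry) pairs a reviewer should look at. These are review
    prompts, not verdicts: every hit still needs the file checked against what is
    known to be installed on the machine."""
    findings = []
    sections = parse_sections(text)
    for proc in sections.get("Running Processes", []):
        # A bare name with no drive path (DDS prints some system processes this way)
        # cannot be tied to a file on disk, so it is worth a manual check.
        if not re.match(r"^[A-Za-z]:\\", proc):
            findings.append(("process-without-path", proc))
    for entry in sections.get("Pseudo HJT Report", []):
        # "No File" means a registry entry points at a file that no longer exists.
        if entry.endswith("- No File"):
            findings.append(("orphan-registry-entry", entry))
        # AppInit_DLLs are loaded into every process that uses user32.dll, so the
        # listed DLL must be accounted for (security suites legitimately use it too).
        if entry.startswith("AppInit_DLLs:"):
            findings.append(("appinit-dll", entry))
    for svc in sections.get("SERVICES / DRIVERS", []):
        # DDS writes "[?]" when it could not stat the service binary.
        if svc.endswith("[?]"):
            findings.append(("unverified-service-file", svc))
    return findings


def classify_destination(ip_text):
    """Explain what kind of address a firewall block entry refers to."""
    ip = ipaddress.ip_address(ip_text)
    if ip == ipaddress.ip_address("255.255.255.255"):
        return "limited-broadcast (used by the DHCP client to find a DHCP server)"
    if ip.is_multicast:
        if ip == ipaddress.ip_address("239.255.255.250"):
            return "SSDP/UPnP discovery multicast (SSDP Discovery service, hosted in svchost.exe)"
        return "multicast group address"
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:
        return "private LAN address"
    return "public internet address: identify the owning process and the remote host"


if __name__ == "__main__":
    for category, entry in triage_dds(DDS_EXCERPT):
        print(f"{category:26} {entry}")
    for blocked in ("239.255.255.250", "255.255.255.255"):
        print(blocked, "->", classify_destination(blocked))
```

On the excerpt this reports one process without a path (svchost.exe), two orphan entries, one AppInit_DLLs entry and one unverified service file. The two blocked addresses from the post are local-network discovery traffic: 239.255.255.250 is the SSDP multicast address used for UPnP device discovery and 255.255.255.255 is the limited-broadcast address DHCP uses, and both are sent by Windows services that run inside svchost.exe, so a firewall logging them is routine noise rather than evidence of infection. Likewise, guard32.dll in AppInit_DLLs is a component of the installed COMODO suite; the heuristic flags it only so that the reviewer confirms that.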


#2 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  • Gender:Female
  • Local time:07:54 AM

Posted 30 March 2011 - 01:43 PM

Hello and welcome to Bleeping Computer :welcome:

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log




Elle

If I haven't replied in 48 hours, please feel free to send me a PM.


#3 English Teacher

English Teacher
  • Topic Starter

  • Members
  • 198 posts
  • OFFLINE
  • Gender:Male
  • Location:Salerno, Italy
  • Local time:05:54 AM

Posted 30 March 2011 - 04:50 PM

Hi,
First of all let me please say Don't Worry about the delay. I'm very thankful for your help here.

For your information, I had a problem with AVAST yesterday and today and had to do a re-install. Sometimes some components of it didn't turn on properly after the computer start-up. I have also noticed that the computer is slightly slower than normal.
NB. I ran the GMER program as told but this time it wouldn't run at all and crashed the computer three times.

Here is the log for DDS. If there are any signs of anything, could you show me which part of the log they are. I'm interested in learning this. Thanks.

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Andy at 22:09:40.45 on 30/03/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.511.161 [GMT 2:00]
.
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: COMODO Firewall *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Programmi\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Programmi\Windows Defender\MsMpEng.exe
svchost.exe
svchost.exe
C:\Programmi\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Programmi\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Programmi\File comuni\Acronis\Schedule2\schedhlp.exe
C:\Programmi\Windows Defender\MSASCui.exe
C:\Programmi\COMODO\COMODO Internet Security\cfp.exe
C:\Programmi\AVAST Software\Avast\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Secunia\PSI\psi_tray.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\File comuni\Acronis\Schedule2\schedul2.exe
C:\Programmi\File comuni\Acronis\CDP\afcdpsrv.exe
C:\Programmi\Java\jre6\bin\jqs.exe
C:\Programmi\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Programmi\Secunia\PSI\PSIA.exe
C:\Programmi\Secunia\PSI\sua.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Programmi\TuneUp Utilities 2011\TuneUpUtilitiesService32.exe
C:\Programmi\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Programmi\TuneUp Utilities 2011\TuneUpUtilitiesApp32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Andy\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uWindow Title = Microsoft Internet Explorer
mDefault_Page_URL = hxxp://uk.yahoo.com
mStart Page = hxxp://uk.yahoo.com
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - c:\programmi\canon\easy-webprint\EWPBrowseLoader.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\programmi\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\programmi\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\programmi\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\programmi\canon\easy-webprint\Toolband.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SpeedTouch USB Diagnostics] "c:\programmi\thomson\speedtouch usb\Dragdiag.exe" /icon
mRun: [TrueImageMonitor.exe] c:\programmi\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\programmi\file comuni\acronis\schedule2\schedhlp.exe"
mRun: [Windows Defender] "c:\programmi\windows defender\MSASCui.exe" -hide
mRun: [Malwarebytes' Anti-Malware] "c:\programmi\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [COMODO Internet Security] "c:\programmi\comodo\comodo internet security\cfp.exe" -h
mRun: [avast] "c:\programmi\avast software\avast\avastUI.exe" /nogui
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\menuav~1\progra~1\esecuz~1\secuni~1.lnk - c:\programmi\secunia\psi\psi_tray.exe
IE: Aggiungi all'elenco di stampa Easy-WebPrint - c:\programmi\canon\easy-webprint\Toolband.dll/RC_AddToList.html
IE: Anteprima Easy-WebPrint - c:\programmi\canon\easy-webprint\Toolband.dll/RC_Preview.html
IE: E&sporta in Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Stampa ad alta velocità Easy-WebPrint - c:\programmi\canon\easy-webprint\Toolband.dll/RC_HSPrint.html
IE: Stampa Easy-WebPrint - c:\programmi\canon\easy-webprint\Toolband.dll/RC_Print.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\programmi\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: secunia.com
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/betapit/PCPitStop.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game.zylom.com/activex/zylomgamesplayer.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\programmi\belarc\advisor\system\BAVoilaX.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\programmi\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\fileco~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\programmi\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\windows\system32\guard32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\programmi\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\andy\datiap~1\mozilla\firefox\profiles\usili4s2.default\
FF - prefs.js: browser.search.defaulturl - hxxp://uk.search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.startup.homepage - hxxp://uk.yahoo.com
FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?ourmark=1&ei=utf-8&fr=chr-nectar&slv8-&type=61465&p=
FF - component: c:\documents and settings\andy\dati applicazioni\mozilla\firefox\profiles\usili4s2.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\andy\dati applicazioni\mozilla\firefox\profiles\usili4s2.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
FF - component: c:\documents and settings\andy\dati applicazioni\mozilla\firefox\profiles\usili4s2.default\extensions\dttoolbar@toolbarnet.com\components\DTToolbarFF.dll
FF - component: c:\programmi\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - plugin: c:\documents and settings\andy\dati applicazioni\mozilla\firefox\profiles\usili4s2.default\extensions\ietab@ip.cn\plugins\npCoralIETab.dll
FF - plugin: c:\programmi\foxit software\foxit reader\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\programmi\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\programmi\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\programmi\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\programmi\mozilla firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\programmi\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: DAEMON Tools Toolbar: DTToolbar@toolbarnet.com - %profile%\extensions\DTToolbar@toolbarnet.com
FF - Ext: FoxyProxy Standard: foxyproxy-basic@eric.h.jung - %profile%\extensions\foxyproxy-basic@eric.h.jung
FF - Ext: FoxyProxy Basic: foxyproxy-basic@eric.h.jung - %profile%\extensions\foxyproxy-basic@eric.h.jung
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Nectar Search Toolbar: {841468a1-d7f4-4bd3-84e6-bb0f13a06c64} - %profile%\extensions\{841468a1-d7f4-4bd3-84e6-bb0f13a06c64}
FF - Ext: SearchPreview: {EF522540-89F5-46b9-B6FE-1829E2B572C6} - %profile%\extensions\{EF522540-89F5-46b9-B6FE-1829E2B572C6}
FF - Ext: VTzilla: vtzilla@virustotal.com - %profile%\extensions\vtzilla@virustotal.com
FF - Ext: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - %profile%\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\programmi\java\jre6\lib\deploy\jqs\ff
.
---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.notify.interval - 600000
FF - user.js: content.switch.threshold - 600000
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: yahoo.homepage.dontask - true
.
============= SERVICES / DRIVERS ===============
.
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2011-2-9 28552]
R0 tdrpman258;Acronis Try&Decide and Restore Points filter (build 258);c:\windows\system32\drivers\tdrpm258.sys [2010-11-16 911680]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-3-30 371544]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-3-30 301528]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2010-9-11 239368]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2010-9-11 27576]
R1 SASDIFSV;SASDIFSV;c:\programmi\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\programmi\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 afcdpsrv;Acronis Nonstop Backup service;c:\programmi\file comuni\acronis\cdp\afcdpsrv.exe [2010-11-16 2480048]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-3-30 19544]
R2 avast! Antivirus;avast! Antivirus;c:\programmi\avast software\avast\AvastSvc.exe [2011-3-30 42184]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\programmi\comodo\comodo internet security\cmdagent.exe [2010-9-11 1803224]
R2 MBAMService;MBAMService;c:\programmi\malwarebytes' anti-malware\mbamservice.exe [2010-12-13 363344]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\programmi\secunia\psi\psia.exe --start-service --> c:\programmi\secunia\psi\PSIA.exe --start-service [?]
R2 Secunia Update Agent;Secunia Update Agent;c:\programmi\secunia\psi\sua.exe --start-service --> c:\programmi\secunia\psi\sua.exe --start-service [?]
R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\programmi\tuneup utilities 2011\TuneUpUtilitiesService32.exe [2011-3-4 1523008]
R2 WinDefend;Windows Defender;c:\programmi\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 afcdp;afcdp;c:\windows\system32\drivers\afcdp.sys [2010-11-16 160704]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-12-13 20952]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\programmi\tuneup utilities 2011\TuneUpUtilitiesDriver32.sys [2010-11-29 10064]
S2 gupdate;Google Update Service (gupdate);c:\programmi\google\update\GoogleUpdate.exe [2010-12-24 136176]
S3 MobileAdapter;Mobile Adapter USB Modem and USB Serial;c:\windows\system32\drivers\qscvusb.sys [2011-1-22 103552]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
.
=============== Created Last 30 ================
.
2011-03-30 15:20:33 371544 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-03-30 15:13:48 40648 ----a-w- c:\windows\avastSS.scr
2011-03-30 15:09:01 -------- d-----w- c:\programmi\AVAST Software
2011-03-30 15:09:01 -------- d-----w- c:\docume~1\alluse~1\datiap~1\AVAST Software
2011-03-30 10:49:57 29504 ----a-w- c:\windows\system32\uxtuneup.dll
2011-03-29 16:31:34 6792528 ----a-w- c:\docume~1\alluse~1\datiap~1\microsoft\windows defender\definition updates\{7e858857-0580-474e-84cd-27f9ea8053b2}\mpengine.dll
2011-03-27 19:35:56 -------- d-----w- C:\Family
2011-03-26 20:12:59 -------- d-----w- c:\docume~1\andy\impost~1\datiap~1\IsolatedStorage
2011-03-26 17:38:51 -------- d-----w- c:\programmi\Microsoft WSE
2011-03-26 16:45:59 -------- d-----w- c:\docume~1\andy\impost~1\datiap~1\Ancestry.com
2011-03-26 16:41:59 -------- d-----w- c:\windows\system32\windows media
2011-03-26 16:40:23 -------- d--h--w- c:\windows\msdownld.tmp
2011-03-26 16:39:54 -------- d-----w- c:\programmi\Windows Media Components
2011-03-26 15:53:04 -------- d-----w- c:\programmi\BCL Technologies
2011-03-26 15:53:03 -------- d-----w- c:\programmi\Family Tree Maker 2010
2011-03-26 11:49:34 -------- d-----w- C:\Mimma
2011-03-24 10:01:58 -------- d-----w- c:\programmi\CCleaner
2011-03-19 16:42:41 -------- d-----w- c:\docume~1\andy\datiap~1\f-secure
2011-03-19 16:39:58 -------- d-----w- c:\docume~1\alluse~1\datiap~1\F-Secure
2011-03-07 16:11:44 -------- d-----w- c:\programmi\DAEMON Tools Lite
2011-03-01 22:13:15 -------- d-----w- c:\docume~1\andy\datiap~1\PrimoPDF
2011-03-01 22:08:17 176235 ----a-w- c:\windows\system32\Primomonnt.dll
2011-03-01 22:07:44 -------- d-----w- c:\programmi\Nitro PDF
.
==================== Find3M ====================
.
2011-03-24 20:28:53 90112 ----a-w- c:\windows\DUMP6e7f.tmp
2011-03-04 15:44:46 31552 ----a-w- c:\windows\system32\TURegOpt.exe
2011-02-24 10:18:02 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-24 10:18:00 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-09 13:54:04 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:54:04 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 17:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-02-02 07:58:58 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:08 440832 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-20 22:05:20 0 ----a-w- c:\windows\VDM1AE.tmp
2011-01-20 22:02:50 0 ----a-w- c:\windows\VDM1AC.tmp
2011-01-20 22:01:17 0 ----a-w- c:\windows\VDM1AB.tmp
2011-01-20 22:01:17 0 ----a-w- c:\windows\VDM1AA.tmp
2011-01-20 22:00:38 0 ----a-w- c:\windows\VDM1A9.tmp
2011-01-20 21:56:44 0 ----a-w- c:\windows\VDM1A8.tmp
2011-01-20 21:56:44 0 ----a-w- c:\windows\VDM1A7.tmp
2011-01-20 21:56:38 0 ----a-w- c:\windows\VDM1A5.tmp
2011-01-20 21:55:56 0 ----a-w- c:\windows\VDM1A3.tmp
2011-01-12 08:15:07 285480 ----a-w- c:\windows\system32\guard32.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 14:04:16 1854976 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 22:12:02.04 ===============

It is better to remain silent and be thought a fool than to speak and remove all doubt.
Never argue with stupid people, they'll just bring you down to their level and beat you with experience.
If at first you do succeed, try not to look surprised.

#4 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:11:54 PM

Posted 01 April 2011 - 10:30 PM

Hello English Teacher,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • Finally, please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.

1.
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan.
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


2.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick ComboFix's window while it's running because it may cause it to stall.


3.
Download aswMBR.exe (511KB) to your desktop.

Double click the aswMBR.exe to run it.

Click the "Scan" button to start the scan.

On completion of the scan, click "save log", save it to your desktop and post it in your next reply.



Things to include in your next reply:
TDSSKILLER log
Combofix.txt
aswMBR log
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware!


#5 English Teacher

English Teacher
  • Topic Starter

  • Members
  • 198 posts
  • Gender:Male
  • Location:Salerno, Italy
  • Local time:05:54 AM

Posted 02 April 2011 - 06:05 AM

Hi fireman4it,
Firstly, let me say thanks for your reply and help.
The computer is still running a little slower than normal. I think this could be because it only has 512MB RAM.
Anyway, apart from that, I have two programs which try to contact or accept connections from other computers.
The first: this morning the attempts to accept a connection were exaggerated, Isass.exe with different IP addresses but all UDP and on port 500.
The second is svchost which tries to make outgoing connections.

Anyway, here are the logs requested, with the exception of TDSSKiller as it didn't find anything.

ComboFix 11-04-01.01 - Andy 02/04/2011 11:36:34.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.511.230 [GMT 2:00]
Eseguito da: c:\documents and settings\Andy\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: COMODO Firewall *Disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.
.
((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Andy\Documenti\DPE.DUS
.
.
((((((((((((((((((((((((((((((((((((((( Driver/Servizi )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NPF
.
.
((((((((((((((((((((((((( Files Creati Da 2011-03-02 al 2011-04-02 )))))))))))))))))))))))))))))))))))
.
.
2011-04-01 07:29 . 2011-03-23 09:11 6792528 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Microsoft\Windows Defender\Definition Updates\{C79B5ADA-32E3-4A79-9D12-A8299DDB364A}\mpengine.dll
2011-03-30 15:20 . 2011-02-23 13:54 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-03-30 15:20 . 2011-02-23 13:56 301528 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-03-30 15:20 . 2011-02-23 13:55 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-03-30 15:20 . 2011-02-23 13:55 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-03-30 15:20 . 2011-02-23 13:56 371544 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-03-30 15:20 . 2011-02-23 13:55 102232 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-03-30 15:20 . 2011-02-23 13:55 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-03-30 15:20 . 2011-02-23 13:54 30680 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-03-30 15:13 . 2011-02-23 14:04 40648 ----a-w- c:\windows\avastSS.scr
2011-03-30 15:13 . 2011-02-23 14:04 190016 ----a-w- c:\windows\system32\aswBoot.exe
2011-03-30 15:09 . 2011-03-30 15:09 -------- d-----w- c:\programmi\AVAST Software
2011-03-30 15:09 . 2011-03-30 15:09 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\AVAST Software
2011-03-30 10:49 . 2011-03-04 15:40 29504 ----a-w- c:\windows\system32\uxtuneup.dll
2011-03-28 15:55 . 2011-03-28 15:55 -------- d-----w- c:\documents and settings\Andy\Dati applicazioni\dvdcss
2011-03-27 19:35 . 2011-03-27 20:20 -------- d-----w- C:\Family
2011-03-26 20:12 . 2011-03-26 20:12 -------- d-----w- c:\documents and settings\Andy\Impostazioni locali\Dati applicazioni\IsolatedStorage
2011-03-26 17:38 . 2011-03-26 17:38 -------- d-----w- c:\programmi\Microsoft WSE
2011-03-26 16:45 . 2011-03-26 16:46 -------- d-----w- c:\documents and settings\Andy\Impostazioni locali\Dati applicazioni\Ancestry.com
2011-03-26 16:41 . 2011-03-26 16:41 -------- d-----w- c:\windows\system32\windows media
2011-03-26 16:40 . 2011-03-26 19:57 -------- d--h--w- c:\windows\msdownld.tmp
2011-03-26 16:39 . 2011-03-26 16:39 -------- d-----w- c:\programmi\Windows Media Components
2011-03-26 15:53 . 2011-03-26 16:15 -------- d-----w- c:\programmi\BCL Technologies
2011-03-26 15:53 . 2011-03-26 19:51 -------- d-----w- c:\programmi\Family Tree Maker 2010
2011-03-26 11:49 . 2011-03-26 18:41 -------- d-----w- C:\Mimma
2011-03-24 10:01 . 2011-03-24 10:02 -------- d-----w- c:\programmi\CCleaner
2011-03-19 16:42 . 2011-03-19 16:42 -------- d-----w- c:\documents and settings\Andy\Dati applicazioni\f-secure
2011-03-19 16:39 . 2011-03-19 16:39 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\F-Secure
2011-03-07 16:11 . 2011-03-07 16:11 -------- d-----w- c:\programmi\DAEMON Tools Lite
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-24 20:28 . 2010-11-15 21:57 90112 ----a-w- c:\windows\DUMP6e7f.tmp
2011-03-23 09:11 . 2010-12-07 22:30 6792528 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2011-03-07 16:12 . 2010-12-23 15:18 431672 ----a-w- c:\windows\system32\drivers\sptd.sys
2011-03-04 15:44 . 2011-02-14 17:34 31552 ----a-w- c:\windows\system32\TURegOpt.exe
2011-02-24 10:18 . 2011-02-24 10:20 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-24 10:18 . 2010-11-16 15:49 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-22 10:00 . 2011-02-22 10:00 18816 ----a-w- c:\windows\system32\drivers\dvd43llh.sys
2011-02-12 21:29 . 2002-08-28 23:58 361600 ----a-w- c:\windows\system32\drivers\TCPIP.SYS
2011-02-12 21:29 . 2011-02-12 21:29 361600 ----a-w- c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2011-02-09 13:54 . 2002-09-09 11:51 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:54 . 2002-09-09 11:50 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 17:11 . 2010-12-07 22:30 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-02-02 07:58 . 2010-11-15 21:16 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2010-11-15 21:16 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-25 19:56 . 2011-01-25 19:57 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-01-21 14:44 . 2002-09-09 11:51 440832 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-20 22:05 . 2011-01-20 22:05 0 ----a-w- c:\windows\VDM1AE.tmp
2011-01-20 22:02 . 2011-01-20 22:02 0 ----a-w- c:\windows\VDM1AC.tmp
2011-01-20 22:01 . 2011-01-20 22:01 0 ----a-w- c:\windows\VDM1AB.tmp
2011-01-20 22:01 . 2011-01-20 22:01 0 ----a-w- c:\windows\VDM1AA.tmp
2011-01-20 22:00 . 2011-01-20 22:00 0 ----a-w- c:\windows\VDM1A9.tmp
2011-01-20 21:56 . 2011-01-20 21:56 0 ----a-w- c:\windows\VDM1A8.tmp
2011-01-20 21:56 . 2011-01-20 21:56 0 ----a-w- c:\windows\VDM1A7.tmp
2011-01-20 21:56 . 2011-01-20 21:56 0 ----a-w- c:\windows\VDM1A5.tmp
2011-01-20 21:55 . 2011-01-20 21:55 0 ----a-w- c:\windows\VDM1A3.tmp
2011-01-12 08:15 . 2010-09-10 22:41 285480 ----a-w- c:\windows\system32\guard32.dll
2011-01-12 08:15 . 2010-09-10 22:40 94784 ----a-w- c:\windows\system32\drivers\inspect.sys
2011-01-12 08:15 . 2010-09-10 22:40 27576 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2011-01-12 08:15 . 2010-09-10 22:40 239368 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2011-01-12 08:15 . 2010-09-10 22:40 15592 ----a-w- c:\windows\system32\drivers\cmderd.sys
2011-01-07 14:09 . 2001-08-31 10:00 290048 ----a-w- c:\windows\system32\atmfd.dll
.
.
------- Sigcheck -------
.
[-] 2011-02-12 . CBEEBEB899E31EF52B962CB31FC8CA5C . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\TCPIP.SYS
[-] 2011-02-12 . CBEEBEB899E31EF52B962CB31FC8CA5C . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\TCPIP.SYS
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\TCPIP.SYS
[7] 2004-08-03 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-02-23 14:04 122512 ----a-w- c:\programmi\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpeedTouch USB Diagnostics"="c:\programmi\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 866816]
"TrueImageMonitor.exe"="c:\programmi\Acronis\TrueImageHome\TrueImageMonitor.exe" [2010-03-27 5107232]
"Acronis Scheduler2 Service"="c:\programmi\File comuni\Acronis\Schedule2\schedhlp.exe" [2010-03-27 362232]
"Malwarebytes' Anti-Malware"="c:\programmi\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-12-20 443728]
"COMODO Internet Security"="c:\programmi\COMODO\COMODO Internet Security\cfp.exe" [2011-01-20 2548552]
"avast"="c:\programmi\AVAST Software\Avast\avastUI.exe" [2011-02-23 3451496]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-13 15360]
.
c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Secunia PSI Tray.lnk - c:\programmi\Secunia\PSI\psi_tray.exe [2011-1-10 291896]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\programmi\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\programmi\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Search Protection"=c:\programmi\Yahoo!\Search Protection\SearchProtection.exe
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" -quiet
"SUPERAntiSpyware"=c:\programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="c:\programmi\File comuni\Java\Java Update\jusched.exe"
"Easy-PrintToolBox"=c:\programmi\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
"Share-to-Web Namespace Daemon"=c:\programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
"YSearchProtection"="c:\programmi\Yahoo!\Search Protection\SearchProtection.exe"
"SNPSTD2"=c:\windows\vsnpstd2.exe
"NeroFilterCheck"=c:\windows\system32\NeroCheck.exe
"ATICCC"="c:\programmi\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
"dvd43"=c:\programmi\dvd43\dvd43_tray.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Programmi\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
.
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [09/02/2011 19:21 28552]
R0 tdrpman258;Acronis Try&Decide and Restore Points filter (build 258);c:\windows\system32\drivers\tdrpm258.sys [16/11/2010 14:01 911680]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [30/03/2011 17:20 371544]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [30/03/2011 17:20 301528]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [11/09/2010 00:40 239368]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [11/09/2010 00:40 27576]
R1 SASDIFSV;SASDIFSV;c:\programmi\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 20:25 12872]
R1 SASKUTIL;SASKUTIL;c:\programmi\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 20:41 67656]
R2 afcdpsrv;Acronis Nonstop Backup service;c:\programmi\File comuni\Acronis\CDP\afcdpsrv.exe [16/11/2010 14:01 2480048]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [30/03/2011 17:20 19544]
R2 MBAMService;MBAMService;c:\programmi\Malwarebytes' Anti-Malware\mbamservice.exe [13/12/2010 00:24 363344]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\programmi\Secunia\PSI\PSIA.exe --start-service --> c:\programmi\Secunia\PSI\PSIA.exe --start-service [?]
R2 Secunia Update Agent;Secunia Update Agent;c:\programmi\Secunia\PSI\sua.exe --start-service --> c:\programmi\Secunia\PSI\sua.exe --start-service [?]
R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\programmi\TuneUp Utilities 2011\TuneUpUtilitiesService32.exe [04/03/2011 17:42 1523008]
R2 WinDefend;Windows Defender;c:\programmi\Windows Defender\MsMpEng.exe [03/11/2006 20:19 13592]
R3 afcdp;afcdp;c:\windows\system32\drivers\afcdp.sys [16/11/2010 14:01 160704]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [13/12/2010 00:24 20952]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\programmi\TuneUp Utilities 2011\TuneUpUtilitiesDriver32.sys [29/11/2010 20:27 10064]
S2 gupdate;Google Update Service (gupdate);c:\programmi\Google\Update\GoogleUpdate.exe [24/12/2010 10:30 136176]
S3 MobileAdapter;Mobile Adapter USB Modem and USB Serial;c:\windows\system32\drivers\qscvusb.sys [22/01/2011 17:32 103552]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [01/09/2010 10:30 15544]
S4 sptd;sptd;\SystemRoot\\SystemRoot\System32\Drivers\sptd.sys --> \SystemRoot\\SystemRoot\System32\Drivers\sptd.sys [?]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contenuto della cartella 'Scheduled Tasks'
.
2011-04-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2010-12-24 08:29]
.
2011-04-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2010-12-24 08:29]
.
2011-04-02 c:\windows\Tasks\MP Scheduled Scan.job
- c:\programmi\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
.
------- Scansione supplementare -------
.
uStart Page = about:blank
mStart Page = hxxp://uk.yahoo.com
IE: Aggiungi all'elenco di stampa Easy-WebPrint - c:\programmi\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Anteprima Easy-WebPrint - c:\programmi\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Stampa ad alta velocità Easy-WebPrint - c:\programmi\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Stampa Easy-WebPrint - c:\programmi\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
Trusted Zone: secunia.com
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game.zylom.com/activex/zylomgamesplayer.cab
FF - ProfilePath - c:\documents and settings\Andy\Dati applicazioni\Mozilla\Firefox\Profiles\usili4s2.default\
FF - prefs.js: browser.search.defaulturl - hxxp://uk.search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.startup.homepage - hxxp://uk.yahoo.com
FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?ourmark=1&ei=utf-8&fr=chr-nectar&slv8-&type=61465&p=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\programmi\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\programmi\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\programmi\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: DAEMON Tools Toolbar: DTToolbar@toolbarnet.com - %profile%\extensions\DTToolbar@toolbarnet.com
FF - Ext: FoxyProxy Standard: foxyproxy-basic@eric.h.jung - %profile%\extensions\foxyproxy-basic@eric.h.jung
FF - Ext: FoxyProxy Basic: foxyproxy-basic@eric.h.jung - %profile%\extensions\foxyproxy-basic@eric.h.jung
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Nectar Search Toolbar: {841468a1-d7f4-4bd3-84e6-bb0f13a06c64} - %profile%\extensions\{841468a1-d7f4-4bd3-84e6-bb0f13a06c64}
FF - Ext: SearchPreview: {EF522540-89F5-46b9-B6FE-1829E2B572C6} - %profile%\extensions\{EF522540-89F5-46b9-B6FE-1829E2B572C6}
FF - Ext: VTzilla: vtzilla@virustotal.com - %profile%\extensions\vtzilla@virustotal.com
FF - Ext: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - %profile%\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\programmi\Java\jre6\lib\deploy\jqs\ff
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.notify.interval - 600000
FF - user.js: content.switch.threshold - 600000
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: yahoo.homepage.dontask - true
.
- - - - CHIAVI ORFANE RIMOSSE - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-02 12:12
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwClose, ZwOpenFile
.
scansione processi nascosti ...
.
scansione entrate autostart nascoste ...
.
Scansione files nascosti ...
.
Scansione completata con successo
Files nascosti: 0
.
**************************************************************************
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h||9~*]
"0140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\||9~*]
"0140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------
.
- - - - - - - > 'winlogon.exe'(1876)
c:\programmi\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'lsass.exe'(1980)
c:\windows\system32\guard32.dll
.
- - - - - - - > 'explorer.exe'(2692)
c:\windows\system32\WININET.dll
c:\windows\system32\guard32.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\programmi\COMODO\COMODO Internet Security\cmdagent.exe
c:\programmi\AVAST Software\Avast\AvastSvc.exe
c:\windows\system32\Ati2evxx.exe
c:\programmi\File comuni\Acronis\Schedule2\schedul2.exe
c:\programmi\Java\jre6\bin\jqs.exe
c:\programmi\Secunia\PSI\PSIA.exe
c:\programmi\Secunia\PSI\sua.exe
c:\programmi\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\wscntfy.exe
c:\programmi\TuneUp Utilities 2011\TuneUpUtilitiesApp32.exe
.
**************************************************************************
.
Ora fine scansione: 2011-04-02 12:29:30 - Il pc è stato riavviato
ComboFix-quarantined-files.txt 2011-04-02 10:29
.
Pre-Run: 7,054,778,368 byte disponibili
Post-Run: 7,002,820,608 byte disponibili
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ITA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
.
- - End Of File - - 439E6403B5E95AD838F9FACFE7531DCC


aswMBR version 0.9.4 Copyright© 2011 AVAST Software
Run date: 2011-04-02 12:37:17
-----------------------------
12:37:17.843 OS Version: Windows 5.1.2600 Service Pack 3
12:37:17.843 Number of processors: 2 586 0x304
12:37:17.843 ComputerName: ANDREW UserName: Andy
12:37:21.546 Initialize success
12:37:25.843 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
12:37:25.843 Disk 0 Vendor: Maxtor_6Y080L0 YAR41BW0 Size: 78167MB BusType: 3
12:37:25.875 Disk 0 MBR read successfully
12:37:25.875 Disk 0 MBR scan
12:37:25.890 Disk 0 scanning sectors +160055595
12:37:25.984 Disk 0 scanning C:\WINDOWS\system32\drivers
12:37:42.250 Service scanning
12:37:46.500 Disk 0 trace - called modules:
12:37:46.515 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys viaide.sys
12:37:46.515 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x82b44ab8]
12:37:46.515 3 CLASSPNP.SYS[f88bafd7] -> nt!IofCallDriver -> \Device\00000074[0x82b574a0]
12:37:46.515 5 ACPI.sys[f8811620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x82b60940]
12:37:46.515 Scan finished successfully
It is better to remain silent and be thought a fool than to speak and remove all doubt.
Never argue with stupid people, they'll just bring you down to their level and beat you with experience.
If at first you do succeed, try not to look surprised.

#6 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:11:54 PM

Posted 02 April 2011 - 11:40 AM

Hello,

There are some signs of an old infection. We will clean those up. Here is also some information on those two IP addresses.

1.
255.255.255.255 >http://support.microsoft.com/kb/140859
239.255.255.250 >http://support.microsoft.com/kb/317843/en-us

2.
We need to run a CFScript.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

File::
c:\windows\VDM1AE.tmp
c:\windows\VDM1AC.tmp
c:\windows\VDM1AB.tmp
c:\windows\VDM1AA.tmp
c:\windows\VDM1A9.tmp
c:\windows\VDM1A8.tmp
c:\windows\VDM1A7.tmp
c:\windows\VDM1A5.tmp
c:\windows\VDM1A3.tmp

Domains::

Fcopy::
c:\windows\ServicePackFiles\i386\TCPIP.SYS | c:\windows\system32\dllcache\TCPIP.SYS
c:\windows\ServicePackFiles\i386\TCPIP.SYS | c:\windows\system32\drivers\TCPIP.SYS

Driver::
Secunia PSI Agent
Secunia Update Agent
sptd

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"=-

Reglockdel::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


3.
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

4.
ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will, however, need to disable your currently installed Anti-Virus; how to do so can be read here.

Vista users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here then click on: Posted Image

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use then click on: Posted Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Posted Image
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed, select Uninstall application on close if you so wish, but make sure you copy the logfile first!
  • Now click on: Posted Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!


Things to include in your next reply::
Combofix.txt
Gmer log
Eset log
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#7 English Teacher

English Teacher
  • Topic Starter

  • Members
  • 198 posts
  • Gender:Male
  • Location:Salerno, Italy
  • Local time:05:54 AM

Posted 02 April 2011 - 03:00 PM

Hi,

Before I do the CFScript with ComboFix, I'd like to ask a question.
I saw in the part to copy in notepad that there is an entry under "Driver" Secunia PSI Agent and Secunia Update Agent

Why are these listed? I ask because these belong to a legit program called Secunia PSI. This is a "security" program, in some ways, as it checks that the programs on the computer are up to date against vulnerabilities. Here is their website: secunia.com

In the meantime let me say that the firewall has blocked many more attempts for lsass.exe to accept incoming UDP connections from another computer. All these were blocked, but all are UDP and for port 500.

On another note, I'm interested to know where you can see the old infections in the logs and the new one (if any)? This is quite interesting. I know maybe I shouldn't be but....!!

Thanks again.

#8 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:11:54 PM

Posted 02 April 2011 - 03:47 PM

Hello,

Why are these listed? I ask because these belong to a legit program called Secunia PSI. This is a "security" program, in some ways, as it checks that the programs on the computer are up to date against vulnerabilities. Here is their website: secunia.com

Yes, I know it's a legit program, as I use it myself. In the log it shows that the drivers have no files associated with them, therefore they can go. I would suggest an uninstall and reinstall of Secunia to fix this situation.

On another note, I'm interested to know where you can see the old infections in the logs and the new one (if any)? This is quite interesting. I know maybe I shouldn't be but....!!

c:\windows\VDM1AE.tmp
c:\windows\VDM1AC.tmp
c:\windows\VDM1AB.tmp
c:\windows\VDM1AA.tmp
c:\windows\VDM1A9.tmp
c:\windows\VDM1A8.tmp
c:\windows\VDM1A7.tmp
c:\windows\VDM1A5.tmp
c:\windows\VDM1A3.tmp
These are leftovers of an infection.
You will have to have this page translated, but it is part of this infection: http://www.mcafee.com/japan/security/virT2009.asp?v=TangLinko!f9d8da71c813

In the meantime let me say that the firewall has blocked many more attempts for lsass.exe to accept incoming UDP connections from another computer. All these were blocked, but all are UDP and for port 500.

This could be a router or firewall configuration problem. We need to run these other scanners and Combofix to see if there is something hiding. As of this point I don't see any active Malware so please run the tools I suggested in my previous post.

Edited by fireman4it, 03 April 2011 - 12:15 PM.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#9 English Teacher

English Teacher
  • Topic Starter

  • Members
  • 198 posts
  • Gender:Male
  • Location:Salerno, Italy
  • Local time:05:54 AM

Posted 05 April 2011 - 03:58 AM

Hi,
As requested, here are the ComboFix log and ESET logs. I have to say that the ESET Online Scanner took such a long time, just over TEN hours. Is that normal?

ComboFix 11-04-01.01 - Andy 03/04/2011 23:06:37.2.2 - x86
Eseguito da: c:\documents and settings\Andy\Desktop\ComboFix.exe
Opzioni usate :: c:\documents and settings\Andy\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: COMODO Firewall *Disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.
FILE ::
"c:\windows\VDM1A3.tmp"
"c:\windows\VDM1A5.tmp"
"c:\windows\VDM1A7.tmp"
"c:\windows\VDM1A8.tmp"
"c:\windows\VDM1A9.tmp"
"c:\windows\VDM1AA.tmp"
"c:\windows\VDM1AB.tmp"
"c:\windows\VDM1AC.tmp"
"c:\windows\VDM1AE.tmp"
.
.
((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\VDM1A3.tmp
c:\windows\VDM1A5.tmp
c:\windows\VDM1A7.tmp
c:\windows\VDM1A8.tmp
c:\windows\VDM1A9.tmp
c:\windows\VDM1AA.tmp
c:\windows\VDM1AB.tmp
c:\windows\VDM1AC.tmp
c:\windows\VDM1AE.tmp
.
.
--------------- FCopy ---------------
.
c:\windows\ServicePackFiles\i386\TCPIP.SYS --> c:\windows\system32\dllcache\TCPIP.SYS
c:\windows\ServicePackFiles\i386\TCPIP.SYS --> c:\windows\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((((((((((((( Driver/Servizi )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_SECUNIA_PSI_AGENT
-------\Legacy_SECUNIA_UPDATE_AGENT
-------\Legacy_SPTD
-------\Service_Secunia PSI Agent
-------\Service_Secunia Update Agent
-------\Service_sptd
.
.
((((((((((((((((((((((((( Files Creati Da 2011-03-03 al 2011-04-03 )))))))))))))))))))))))))))))))))))
.
.
2011-04-02 14:27 . 2011-04-02 14:27 781272 ----a-w- c:\programmi\Mozilla Firefox\mozsqlite3.dll
2011-04-02 14:27 . 2011-04-02 14:27 1874904 ----a-w- c:\programmi\Mozilla Firefox\mozjs.dll
2011-04-02 14:27 . 2011-04-02 14:27 15832 ----a-w- c:\programmi\Mozilla Firefox\mozalloc.dll
2011-04-02 14:27 . 2011-04-02 14:27 728024 ----a-w- c:\programmi\Mozilla Firefox\libGLESv2.dll
2011-04-02 14:27 . 2011-04-02 14:27 142296 ----a-w- c:\programmi\Mozilla Firefox\libEGL.dll
2011-04-02 14:27 . 2011-04-02 14:27 1893336 ----a-w- c:\programmi\Mozilla Firefox\d3dx9_42.dll
2011-04-02 14:27 . 2011-04-02 14:27 142296 ----a-w- c:\programmi\Mozilla Firefox\components\browsercomps.dll
2011-04-02 14:27 . 2011-04-02 14:27 1975768 ----a-w- c:\programmi\Mozilla Firefox\D3DCompiler_42.dll
2011-04-01 07:29 . 2011-03-23 09:11 6792528 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Microsoft\Windows Defender\Definition Updates\{C79B5ADA-32E3-4A79-9D12-A8299DDB364A}\mpengine.dll
2011-03-30 15:20 . 2011-02-23 13:54 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-03-30 15:20 . 2011-02-23 13:56 301528 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-03-30 15:20 . 2011-02-23 13:55 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-03-30 15:20 . 2011-02-23 13:55 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-03-30 15:20 . 2011-02-23 13:56 371544 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-03-30 15:20 . 2011-02-23 13:55 102232 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-03-30 15:20 . 2011-02-23 13:55 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-03-30 15:20 . 2011-02-23 13:54 30680 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-03-30 15:13 . 2011-02-23 14:04 40648 ----a-w- c:\windows\avastSS.scr
2011-03-30 15:13 . 2011-02-23 14:04 190016 ----a-w- c:\windows\system32\aswBoot.exe
2011-03-30 15:09 . 2011-03-30 15:09 -------- d-----w- c:\programmi\AVAST Software
2011-03-30 15:09 . 2011-03-30 15:09 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\AVAST Software
2011-03-30 10:49 . 2011-03-04 15:40 29504 ----a-w- c:\windows\system32\uxtuneup.dll
2011-03-28 15:55 . 2011-03-28 15:55 -------- d-----w- c:\documents and settings\Andy\Dati applicazioni\dvdcss
2011-03-27 19:35 . 2011-03-27 20:20 -------- d-----w- C:\Family
2011-03-26 20:12 . 2011-03-26 20:12 -------- d-----w- c:\documents and settings\Andy\Impostazioni locali\Dati applicazioni\IsolatedStorage
2011-03-26 17:38 . 2011-03-26 17:38 -------- d-----w- c:\programmi\Microsoft WSE
2011-03-26 16:45 . 2011-03-26 16:46 -------- d-----w- c:\documents and settings\Andy\Impostazioni locali\Dati applicazioni\Ancestry.com
2011-03-26 16:41 . 2011-03-26 16:41 -------- d-----w- c:\windows\system32\windows media
2011-03-26 16:40 . 2011-03-26 19:57 -------- d--h--w- c:\windows\msdownld.tmp
2011-03-26 16:39 . 2011-03-26 16:39 -------- d-----w- c:\programmi\Windows Media Components
2011-03-26 15:53 . 2011-03-26 16:15 -------- d-----w- c:\programmi\BCL Technologies
2011-03-26 15:53 . 2011-03-26 19:51 -------- d-----w- c:\programmi\Family Tree Maker 2010
2011-03-26 11:49 . 2011-03-26 18:41 -------- d-----w- C:\Mimma
2011-03-24 10:01 . 2011-03-24 10:02 -------- d-----w- c:\programmi\CCleaner
2011-03-19 16:42 . 2011-03-19 16:42 -------- d-----w- c:\documents and settings\Andy\Dati applicazioni\f-secure
2011-03-19 16:39 . 2011-03-19 16:39 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\F-Secure
2011-03-07 16:11 . 2011-03-07 16:11 -------- d-----w- c:\programmi\DAEMON Tools Lite
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-24 20:28 . 2010-11-15 21:57 90112 ----a-w- c:\windows\DUMP6e7f.tmp
2011-03-23 09:11 . 2010-12-07 22:30 6792528 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2011-03-07 16:12 . 2010-12-23 15:18 431672 ----a-w- c:\windows\system32\drivers\sptd.sys
2011-03-04 15:44 . 2011-02-14 17:34 31552 ----a-w- c:\windows\system32\TURegOpt.exe
2011-02-24 10:18 . 2011-02-24 10:20 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-24 10:18 . 2010-11-16 15:49 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-22 10:00 . 2011-02-22 10:00 18816 ----a-w- c:\windows\system32\drivers\dvd43llh.sys
2011-02-12 21:29 . 2011-02-12 21:29 361600 ----a-w- c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2011-02-09 13:54 . 2002-09-09 11:51 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:54 . 2002-09-09 11:50 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 17:11 . 2010-12-07 22:30 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-02-02 07:58 . 2010-11-15 21:16 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2010-11-15 21:16 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-25 19:56 . 2011-01-25 19:57 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-01-21 14:44 . 2002-09-09 11:51 440832 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-12 08:15 . 2010-09-10 22:41 285480 ----a-w- c:\windows\system32\guard32.dll
2011-01-12 08:15 . 2010-09-10 22:40 94784 ----a-w- c:\windows\system32\drivers\inspect.sys
2011-01-12 08:15 . 2010-09-10 22:40 27576 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2011-01-12 08:15 . 2010-09-10 22:40 239368 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2011-01-12 08:15 . 2010-09-10 22:40 15592 ----a-w- c:\windows\system32\drivers\cmderd.sys
2011-01-07 14:09 . 2001-08-31 10:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2011-04-02 14:27 . 2011-04-02 14:27 142296 ----a-w- c:\programmi\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-02-23 14:04 122512 ----a-w- c:\programmi\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpeedTouch USB Diagnostics"="c:\programmi\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 866816]
"TrueImageMonitor.exe"="c:\programmi\Acronis\TrueImageHome\TrueImageMonitor.exe" [2010-03-27 5107232]
"Acronis Scheduler2 Service"="c:\programmi\File comuni\Acronis\Schedule2\schedhlp.exe" [2010-03-27 362232]
"Malwarebytes' Anti-Malware"="c:\programmi\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-12-20 443728]
"COMODO Internet Security"="c:\programmi\COMODO\COMODO Internet Security\cfp.exe" [2011-01-20 2548552]
"avast"="c:\programmi\AVAST Software\Avast\avastUI.exe" [2011-02-23 3451496]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-13 15360]
.
c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Secunia PSI Tray.lnk - c:\programmi\Secunia\PSI\psi_tray.exe [2011-1-10 291896]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\programmi\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\programmi\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Search Protection"=c:\programmi\Yahoo!\Search Protection\SearchProtection.exe
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" -quiet
"SUPERAntiSpyware"=c:\programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="c:\programmi\File comuni\Java\Java Update\jusched.exe"
"Easy-PrintToolBox"=c:\programmi\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
"Share-to-Web Namespace Daemon"=c:\programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
"YSearchProtection"="c:\programmi\Yahoo!\Search Protection\SearchProtection.exe"
"SNPSTD2"=c:\windows\vsnpstd2.exe
"NeroFilterCheck"=c:\windows\system32\NeroCheck.exe
"ATICCC"="c:\programmi\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
"dvd43"=c:\programmi\dvd43\dvd43_tray.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Programmi\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
.
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [09/02/2011 19:21 28552]
R0 tdrpman258;Acronis Try&Decide and Restore Points filter (build 258);c:\windows\system32\drivers\tdrpm258.sys [16/11/2010 14:01 911680]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [30/03/2011 17:20 371544]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [30/03/2011 17:20 301528]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [11/09/2010 00:40 239368]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [11/09/2010 00:40 27576]
R1 SASDIFSV;SASDIFSV;c:\programmi\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 20:25 12872]
R1 SASKUTIL;SASKUTIL;c:\programmi\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 20:41 67656]
R2 afcdpsrv;Acronis Nonstop Backup service;c:\programmi\File comuni\Acronis\CDP\afcdpsrv.exe [16/11/2010 14:01 2480048]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [30/03/2011 17:20 19544]
R2 MBAMService;MBAMService;c:\programmi\Malwarebytes' Anti-Malware\mbamservice.exe [13/12/2010 00:24 363344]
R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\programmi\TuneUp Utilities 2011\TuneUpUtilitiesService32.exe [04/03/2011 17:42 1523008]
R2 WinDefend;Windows Defender;c:\programmi\Windows Defender\MsMpEng.exe [03/11/2006 20:19 13592]
R3 afcdp;afcdp;c:\windows\system32\drivers\afcdp.sys [16/11/2010 14:01 160704]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [13/12/2010 00:24 20952]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\programmi\TuneUp Utilities 2011\TuneUpUtilitiesDriver32.sys [29/11/2010 20:27 10064]
S2 gupdate;Google Update Service (gupdate);c:\programmi\Google\Update\GoogleUpdate.exe [24/12/2010 10:30 136176]
S3 MobileAdapter;Mobile Adapter USB Modem and USB Serial;c:\windows\system32\drivers\qscvusb.sys [22/01/2011 17:32 103552]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [01/09/2010 10:30 15544]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contenuto della cartella 'Scheduled Tasks'
.
2011-04-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2010-12-24 08:29]
.
2011-04-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2010-12-24 08:29]
.
2011-04-03 c:\windows\Tasks\MP Scheduled Scan.job
- c:\programmi\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
.
------- Scansione supplementare -------
.
uStart Page = about:blank
mStart Page = hxxp://uk.yahoo.com
IE: Aggiungi all'elenco di stampa Easy-WebPrint - c:\programmi\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Anteprima Easy-WebPrint - c:\programmi\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Stampa ad alta velocità Easy-WebPrint - c:\programmi\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Stampa Easy-WebPrint - c:\programmi\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game.zylom.com/activex/zylomgamesplayer.cab
FF - ProfilePath - c:\documents and settings\Andy\Dati applicazioni\Mozilla\Firefox\Profiles\usili4s2.default\
FF - prefs.js: browser.search.defaulturl - hxxp://uk.search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.startup.homepage - hxxp://uk.yahoo.com
FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?ourmark=1&ei=utf-8&fr=chr-nectar&slv8-&type=61465&p=
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.notify.interval - 600000
FF - user.js: content.switch.threshold - 600000
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: yahoo.homepage.dontask - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-04 00:19
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwClose, ZwOpenFile
.
scansione processi nascosti ...
.
scansione entrate autostart nascoste ...
.
Scansione files nascosti ...
.
Scansione completata con successo
Files nascosti: 0
.
**************************************************************************
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h||9~*]
"0140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\||9~*]
"0140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------
.
- - - - - - - > 'winlogon.exe'(1416)
c:\programmi\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'lsass.exe'(1516)
c:\windows\system32\guard32.dll
.
- - - - - - - > 'explorer.exe'(4076)
c:\windows\system32\WININET.dll
c:\windows\system32\guard32.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\programmi\COMODO\COMODO Internet Security\cmdagent.exe
c:\programmi\AVAST Software\Avast\AvastSvc.exe
c:\windows\system32\Ati2evxx.exe
c:\programmi\File comuni\Acronis\Schedule2\schedul2.exe
c:\programmi\Java\jre6\bin\jqs.exe
c:\programmi\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\wscntfy.exe
c:\programmi\TuneUp Utilities 2011\TuneUpUtilitiesApp32.exe
c:\programmi\COMODO\COMODO Internet Security\cfpupdat.exe
.
**************************************************************************
.
Ora fine scansione: 2011-04-04 00:32:34 - Il pc è stato riavviato
ComboFix-quarantined-files.txt 2011-04-03 22:32
ComboFix2.txt 2011-04-02 10:29
.
Pre-Run: 6,669,508,608 byte disponibili
Post-Run: 6,657,941,504 byte disponibili
.
- - End Of File - - 1702D4AF5111AC17AFDE0D8A11E63245





ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6425
# api_version=3.0.2
# EOSSerial=0d2ca5f5d598e1429ff4dba6a5abc860
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-04-04 10:17:39
# local_time=2011-04-05 12:17:39 (+0100, ora legale Europa occidentale)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=768 16777215 100 0 0 0 0 0
# compatibility_mode=3073 16777213 80 75 2953267 18920143 0 0
# compatibility_mode=6143 16777215 0 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 598 598 0 0
# scanned=85622
# found=0
# cleaned=0
# scan_time=36136

#10 English Teacher

English Teacher
  • Topic Starter

  • Members
  • 198 posts
  • Gender:Male
  • Location:Salerno, Italy
  • Local time:05:54 AM

Posted 05 April 2011 - 04:02 AM

Here is the GMER log attached as it is too long to post.

Attached Files

  • Attached File  Gmer.log   430.78KB   1 downloads


#11 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:11:54 PM

Posted 05 April 2011 - 08:39 PM

Hello, English Teacher.

Scanning time with ESET varies depending on how much stuff you have on your machine, and since you only have 512MB it will run slower than normal. I have had cases with longer scan times, believe it or not. It's a good scanner, which is why we use it, not for the time it takes.

Congratulations! You now appear clean! :cool:


Uninstall Combofix
  • Make sure that the Combofix.exe that you downloaded is on your Desktop but Do not run it!
    o *If it is not on your Desktop, the below will not work.
  • Click on Start, then Run....
  • Now copy & paste the green bolded text in the run-box and click OK.

    ComboFix /Uninstall

    <Notice the space between the "x" and "/".> <--- It needs to be there
    Windows Vista users: Press the Windows Key + R to bring up the Run... command and then from there you can add in the Combofix /Uninstall

  • Please advise if this step is missed for any reason as it performs some important actions:
    "This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.
    It also makes a clean Restore Point and flushes all the old restore points in order to prevent possible reinfection from an old one through system restore".


Are things running okay? Do you have any more questions?

System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware.

We Need to Clean Up Our Mess
  • Download OTC by OldTimer and save it to your desktop.
  • Double click the OTC icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big CleanUp! button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.


Recommendations
Below are some recommendations to lower your chances of (re)infection.
  • Install and maintain an outbound firewall
  • Install Spyware Blaster and update it regularly
    If you wish, the commercial version provides automatic updating.
  • Install the MVPs hosts file, and update it regularly
    You can use the HostMan host file manager to do this automatically if you wish.
    For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file
  • Install an Anti-Spyware program, and update it regularly
    Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
    SUPERAntiSpyware is another good scanner with high detection and removal rates.
    Both programs are free for non commercial home use but provide a resident scanner and do not nag if you purchase the paid versions.
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

    If you are using Windows XP or earlier
    Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

    If you are using Windows Vista
    • Click the "Start Menu" (or Windows Orb)
    • Click "All Programs"
    • Click "Windows Update"
    • On the left, choose "Change Settings"
    • Ensure that the checkbox "Use Microsoft Update" at the bottom of the window is checked.
    • Press OK and accept the UAC prompt.
      Note: You shouldn't need to check this checkbox every single time you update, only the first time.
    • Click "Check for Updates" in the upper left corner.
    • Follow the instructions to install the latest updates.
    • Reboot and repeat the "Check for Updates" until there are no more critical updates to install
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software Inspector occasionally to help you check for out of date software on your machine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :(.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-




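The recommendations above lean on the MVPs hosts file, which works by pointing unwanted names at 0.0.0.0 or 127.0.0.1 so they never resolve. The same file is also a favourite hijack target: malware adds lines that send update or vendor domains to an attacker-chosen address. The script below is an added example for this thread, not code from the original post or from the MVPs project. It parses hosts-file text, separates blocklist-style sinkhole entries from redirects, and flags redirects that touch a watched domain. The sample hosts content and the watch list of suffixes are constructed for illustration.

```python
"""Sanity-check a Windows hosts file.

Added example for this thread, not code from the original post or from the
MVPs hosts project. It parses hosts-file text, separates blocklist entries
(names pointed at 0.0.0.0 or loopback, as the MVPs list does) from entries
that redirect a name to some other address, and flags redirects that touch
a watched domain, which is how a hijacked hosts file keeps a machine from
reaching update or vendor servers.
"""
import ipaddress

# Constructed sample, not from the thread: a stock localhost line, two
# blocklist-style entries, a comment, and one redirect of an update domain.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ad.doubleclick.net
0.0.0.0         tracking.example    # blocked by list
93.184.216.34   update.microsoft.com
10.0.0.5        intranet.local
"""

# Illustrative watch list (an assumption): domains a user-level hosts file
# should never redirect to a routable address.
WATCH_SUFFIXES = (
    "microsoft.com",
    "windowsupdate.com",
    "avast.com",
    "malwarebytes.org",
)


def parse_hosts(text):
    """Return [(ip_address, [hostnames], lineno)] for every usable line.

    Comments (after '#') and blank lines are skipped; a line whose first
    field is not an IP address is skipped, as the resolver ignores it too.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        names = [name.lower() for name in fields[1:]]
        if names:
            entries.append((ip, names, lineno))
    return entries


def classify(entries, watch_suffixes=WATCH_SUFFIXES):
    """Split entries into blocklist names and suspicious redirects.

    An entry is a sinkhole (blocklist style) when its address is 0.0.0.0 or
    a loopback address. Any other address is a redirect; it is reported when
    the hostname is, or is under, one of the watched suffixes.
    """
    blocked = []
    suspicious = []
    for ip, names, lineno in entries:
        sinkhole = ip.is_unspecified or ip.is_loopback
        for name in names:
            if name == "localhost":
                continue  # the stock entry, never interesting
            if sinkhole:
                blocked.append(name)
            elif any(name == s or name.endswith("." + s) for s in watch_suffixes):
                suspicious.append((lineno, name, str(ip)))
    return blocked, suspicious


def report(text):
    """Run the check over hosts-file text and return (blocked, suspicious)."""
    blocked, suspicious = classify(parse_hosts(text))
    for lineno, name, ip in suspicious:
        print(f"line {lineno}: {name} redirected to {ip}")
    return blocked, suspicious


if __name__ == "__main__":
    report(SAMPLE_HOSTS)
```

On a real machine, feed it the contents of %SystemRoot%\System32\drivers\etc\hosts. A long list of sinkhole names is what an installed MVPs hosts file looks like and is expected; a redirect of a vendor or update domain to a routable address is the line worth investigating.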
#12 English Teacher (Topic Starter)
  • Members, 198 posts
  • Location: Salerno, Italy

Posted 07 April 2011 - 02:02 PM

Hi fireman4it,

The computer seems to be OK. It's still a little slow though and seems a little more so after Firefox's update to version 4.

I believe that this is due to the fact that more and more programs now require higher specs than mine. I only have 512MB RAM and now many programs need more than this.

Apart from this everything else seems to be OK.
Can I ask where you learnt to read the Malware logs from GMER, ComboFix etc, etc.? I would be very interested in studying these when I have some free time!! ;-)
Thanks a lot.

Edited by English Teacher, 07 April 2011 - 02:03 PM.


#13 fireman4it (Bleepin' Fireman)
  • Malware Response Team, 13,505 posts
  • Location: Greenup, Ill USA

Posted 07 April 2011 - 05:00 PM

Hello,

I learned from right here at Bleeping Computer. They have a nice program that lets you study at your own pace. It was great for me as I work 24 hrs on, 48 off, and have 3 children and all the sporting events and extra stuff that goes along with raising them.

Here is the link to that program.
http://www.bleepingcomputer.com/forums/topic86678.html



#14 English Teacher (Topic Starter)
  • Members, 198 posts
  • Location: Salerno, Italy

Posted 08 April 2011 - 05:38 AM

Hi,
I'm surprised you have any time to be so often on this forum. Anyway, thanks for the help and good luck. I'm taking a look now at the link you gave. Just had a look, but at the moment no available slots :-( Thanks once again!!

English Teacher

Edited by English Teacher, 08 April 2011 - 05:41 AM.


#15 fireman4it (Bleepin' Fireman)
  • Malware Response Team, 13,505 posts
  • Location: Greenup, Ill USA

Posted 08 April 2011 - 08:05 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
