
Infected - Google redirects and IE script errors.


  • This topic is locked
8 replies to this topic

#1 retravoh

retravoh

  • Members
  • 4 posts

Posted 25 April 2011 - 07:22 AM

Hello. My computer became infected on 4.22.11. I have tried all methods of purging the infection that I know of and nothing has worked.

The first day of getting infected I got the Windows Recovery infection that gave the "Hard drive is about to crash" error and hid various files on my PC, including most of my Start menu programs. I ran the unhide program and I ran MBAM and MSE consecutively, and they seemed to clean this infection up. I did not have either program running when I got infected. Both of these programs return clean results currently; however, I'm still getting the Google redirects and IE script errors.

I learned this is probably a rootkit infection and I tried TDSSkiller, but it will not run. Other rootkit software like Sophos, GMER, Rootrepeal, and vba32arkit all apparently found nothing. I need some professional help. Here is my DDS log and attached is the GMER log.

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by retravoh at 20:05:30.21 on Sun 04/24/2011
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.924 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ps2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\PeerBlock\peerblock.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\program files\mozilla firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uDefault_Page_URL = hxxp://us9.hpwis.com/
uDefault_Search_URL = hxxp://srch-us9.hpwis.com/
uStart Page = https://citrix.noritsu.com/vpn/index.html
mSearch Bar = hxxp://srch-us9.hpwis.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer =
uInternet Settings,ProxyOverride = *.local
uCustomizeSearch =
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {243b17de-77c7-46bf-b94b-0b5f309a0e64} - c:\program files\microsoft money\system\mnyside.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
TB: {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - No File
EB: hp view: {8f4902b6-6c04-4ade-8052-aa58578a21bd} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [PeerBlock] c:\program files\peerblock\peerblock.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\stardo~1.lnk - c:\program files\stardock\objectdock\ObjectDock.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {F47C1DB5-ED21-4dc1-853E-D1495792D4C5}
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll
Trusted Zone: turbotax.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {BAC761D3-DFFD-4DB4-A01D-173346E090A7} - hxxp://pogo.oberon-media.com/online2/pogo/zenerchi/ZenerchiWeb.1.0.0.10.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxsrvc.dll
Notify: LMIinit - LMIinit.dll
Notify: MCPClient - c:\progra~1\common~1\stardock\mcpstub.dll
SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - c:\progra~1\common~1\stardock\MCPCore.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: IconPackager Repair - {1799460C-0BC8-4865-B9DF-4A36CD703FF0} - c:\program files\stardock\object desktop\iconpackager\iprepair.dll
SSODL: rihodugiy - {863b3077-2420-4540-9db6-646825d56e5e} - No File
SSODL: rupewojaj - {7347cbbc-b4db-47b4-b356-bccee46c09f9} - No File
STS: {863b3077-2420-4540-9db6-646825d56e5e}: gahurihor
STS: {7347cbbc-b4db-47b4-b356-bccee46c09f9}: kupuhivus
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
LSA: Notification Packages = sceclikiyenule.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\1dhpqgrp.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\documents and settings\owner\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\owner\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\1dhpqgrp.default\extensions\{195a3098-0bd5-4e90-ae22-ba1c540afd1e}\plugins\npGarmin.dll
FF - plugin: c:\program files\citrix\secure access client\npagee.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Garmin Communicator: {195A3098-0BD5-4e90-AE22-BA1C540AFD1E} - %profile%\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R0 waqzob40;Vba32 Armour Driver;c:\windows\system32\drivers\waqzob40.sys [2011-4-23 35904]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R1 MpKsl6d18e4cb;MpKsl6d18e4cb;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{a90ea19a-d8d2-478a-9a19-dbb5fe471c30}\MpKsl6d18e4cb.sys [2011-4-24 28752]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-8-11 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-1-17 47640]
R3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2010-2-3 19056]
S2 ecure;FireDaemon Service: ecure; [x]
S2 svchost1;FireDaemon Service: svchost1; [x]
S3 ctxva51;Citrix Virtual Adapter;c:\windows\system32\drivers\ctxva51.sys [2010-11-9 41624]
S3 Mestrsimiwm;Mestrsimiwm; [x]
S3 sxuptp;SXUPTP Driver;c:\windows\system32\drivers\sxuptp.sys --> c:\windows\system32\drivers\sxuptp.sys [?]
S3 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\western digital\wd drive manager\WDBtnMgrSvc.exe [2008-7-24 102400]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S4 gupdate1c9f19a1b80b64c;Google Update Service (gupdate1c9f19a1b80b64c);c:\program files\google\update\GoogleUpdate.exe [2009-6-20 133104]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\5.tmp --> c:\windows\system32\5.tmp [?]
S4 mrtRate;mrtRate; [x]
S4 nsService;NovaStor NovaBACKUP Backup/Copy Engine;c:\program files\novastor\novastor novabackup\nsService.exe [2010-3-4 261256]
S4 PS3 Media Server;PS3 Media Server;c:\program files\ps3 media server\win32\service\wrapper.exe [2008-8-17 217088]
S4 SGUARD;SGUARD;\??\c:\windows\system32\drivers\sguard.sys --> c:\windows\system32\drivers\SGuard.sys [?]
.
=============== Created Last 30 ================
.
2011-04-25 00:46:08 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{a90ea19a-d8d2-478a-9a19-dbb5fe471c30}\MpKsl6d18e4cb.sys
2011-04-25 00:44:03 -------- d-----w- c:\program files\Sophos
2011-04-25 00:23:48 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{a90ea19a-d8d2-478a-9a19-dbb5fe471c30}\MpKslf8ef0c86.sys
2011-04-24 19:02:04 -------- d-----w- c:\program files\Runtime Software
2011-04-24 18:01:14 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{a90ea19a-d8d2-478a-9a19-dbb5fe471c30}\MpKslb6b6549e.sys
2011-04-24 06:09:21 7071056 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{a90ea19a-d8d2-478a-9a19-dbb5fe471c30}\mpengine.dll
2011-04-24 04:36:25 35904 ----a-w- c:\windows\system32\drivers\waqzob40.sys
2011-04-22 23:14:56 6144 ------w- c:\windows\system32\4.tmp
2011-04-22 23:14:43 6144 ------w- c:\windows\system32\3.tmp
2011-04-22 17:08:22 7071056 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2011-04-22 01:23:33 215920 ----a-w- c:\windows\system32\muweb.dll
2011-04-22 01:23:33 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2011-04-22 01:23:32 274288 ----a-w- c:\windows\system32\mucltui.dll
2011-04-21 14:31:20 -------- d-----w- c:\program files\Microsoft Security Client
2011-04-19 00:54:17 -------- d-----w- c:\program files\Bonjour
2011-04-19 00:36:26 -------- d--h--w- c:\docume~1\owner\applic~1\Dropbox
2011-04-19 00:26:14 249872 ----a-w- c:\windows\system32\prgiso.dll
2011-04-06 21:20:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 21:20:16 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2011-04-06 21:20:16 197920 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 21:20:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
.
==================== Find3M ====================
.
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45:07 434176 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-18 21:36:58 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-02-17 13:51:57 81920 ----a-w- c:\windows\system32\ieencode.dll
2011-02-17 13:51:57 667136 ----a-w- c:\windows\system32\wininet.dll
2011-02-17 13:51:57 61952 ----a-w- c:\windows\system32\tdc.ocx
2011-02-17 12:37:38 369664 ----a-w- c:\windows\system32\html.iec
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
.
============= FINISH: 20:07:18.78 ===============
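Added example, not part of this thread and not code from the DDS tool: a small Python triage pass over DDS-format log lines such as the ones in the post above. It flags the SSODL entries whose DLL is "No File" and the STS (SharedTaskScheduler) entries that share their GUIDs, a Lsa Notification Packages value other than the Windows XP default (scecli), and services whose binary is missing (`[x]`), could not be verified (`[?]`), or points at a numbered .tmp file. The regexes, tags and the KNOWN_LSA_NOTIFY set are my own; the sample lines are constructed from entries that appear in the log.

```python
"""Triage helper for DDS-format log lines (added example, not part of DDS)."""
import re

# Default value of HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
# on Windows XP is scecli alone. Any extra DLL named there is loaded into lsass.exe
# at boot and has to be verified.
KNOWN_LSA_NOTIFY = {"scecli"}

SSODL_RE = re.compile(
    r"^SSODL:\s*(?P<name>.+?)\s+-\s+(?P<guid>\{[0-9a-fA-F-]+\})\s+-\s+(?P<target>.*)$")
STS_RE = re.compile(r"^STS:\s*(?P<guid>\{[0-9a-fA-F-]+\}):\s*(?P<name>.*)$")
# DDS service line: "<state> <name>;<description>;<image path> [size or status]"
SERVICE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<image>.*)$")
TEMP_IMAGE_RE = re.compile(r"\\\d+\.tmp\b", re.IGNORECASE)

# Constructed sample: lines in DDS format, modelled on entries shown in the log above.
SAMPLE_LOG = r"""
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: rihodugiy - {863b3077-2420-4540-9db6-646825d56e5e} - No File
SSODL: rupewojaj - {7347cbbc-b4db-47b4-b356-bccee46c09f9} - No File
STS: {863b3077-2420-4540-9db6-646825d56e5e}: gahurihor
STS: {7347cbbc-b4db-47b4-b356-bccee46c09f9}: kupuhivus
LSA: Notification Packages = sceclikiyenule.dll
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
S2 svchost1;FireDaemon Service: svchost1; [x]
S3 sxuptp;SXUPTP Driver;c:\windows\system32\drivers\sxuptp.sys --> c:\windows\system32\drivers\sxuptp.sys [?]
S4 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\5.tmp --> c:\windows\system32\5.tmp [?]
"""


def triage(log_text):
    """Return a list of (tag, detail) findings for the given DDS log text.

    Pass one handles SSODL, LSA and service lines and records the GUIDs of
    orphaned SSODL entries; pass two ties STS entries to those GUIDs.
    """
    findings = []
    orphan_guids = {}
    lines = [ln.rstrip() for ln in log_text.splitlines()]

    for line in lines:
        m = SSODL_RE.match(line)
        if m and m.group("target") == "No File":
            # Shell service object registered but its DLL is gone: orphaned autostart.
            orphan_guids[m.group("guid").lower()] = m.group("name")
            findings.append(("orphan-autostart", line))
            continue
        if line.startswith("LSA: Notification Packages"):
            pkgs = line.split("=", 1)[1].split(",")
            unknown = [p.strip() for p in pkgs
                       if re.sub(r"\.dll$", "", p.strip().lower()) not in KNOWN_LSA_NOTIFY]
            if unknown:
                findings.append(("lsa-notify-unknown", ", ".join(unknown)))
            continue
        m = SERVICE_RE.match(line)
        if m:
            image = m.group("image").strip()
            if image == "[x]":                  # service registered, binary missing
                findings.append(("service-file-missing", m.group("name")))
            elif TEMP_IMAGE_RE.search(image):   # image path is a numbered .tmp file
                findings.append(("service-temp-image", f"{m.group('name')} -> {image}"))
            elif image.endswith("[?]"):         # DDS could not stat the file
                findings.append(("service-unverified", f"{m.group('name')} -> {image}"))

    for line in lines:
        m = STS_RE.match(line)
        if m and m.group("guid").lower() in orphan_guids:
            findings.append(("sts-orphan-ref", f"{m.group('name')} ({m.group('guid')})"))
    return findings


if __name__ == "__main__":
    for tag, detail in triage(SAMPLE_LOG):
        print(f"{tag:22s} {detail}")
```

Run against the sample it reports the two SSODL orphans and their two STS twins, the unexpected Notification Packages DLL, the FireDaemon service with no binary, the MEMSWEEP2 service pointing at 5.tmp, and sxuptp as unverified; the MpFilter and WPDShServiceObj lines produce nothing. The two-pass design matters because an STS line on its own carries only a GUID and a name, so it can only be judged by matching it to the SSODL entry that registered it.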


#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 25 April 2011 - 02:02 PM

Good evening. :)

Take a trip to this webpage for download links and instructions for running Combofix by sUBs: http://www.bleepingcomputer.com/combofix/how-to-use-combofix *

  • When prompted to save Combofix, change the filename BEFORE saving it to svchost.exe.
  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste
  • Let me know how the PC is behaving.
* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of its removal tasks without the installation of the Console, so you are free to choose whether you want to complete this step, but it is in your interests to do so.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for!

So long, and thanks for all the fish.

 

 


#3 retravoh

retravoh
  • Topic Starter

  • Members
  • 4 posts

Posted 25 April 2011 - 04:12 PM

Thank you very much for the quick reply.

Google is not redirecting now. I have not seen any IE script errors yet either (they sometimes don't appear for a few minutes). Here is the log.

ComboFix 11-04-25.01 - retravoh 04/25/2011 15:13:40.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.1059 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\Macromedia\SwUpdate
c:\documents and settings\All Users\Application Data\Macromedia\SwUpdate\Flags.dtd
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\LogMeInRemoteUser\WINDOWS
c:\documents and settings\Owner\Application Data\inst.exe
c:\documents and settings\Owner\Local Settings\Application Data\{3E315B7B-DE36-48D3-8799-98E9FBF632A2}
c:\documents and settings\Owner\Local Settings\Application Data\{3E315B7B-DE36-48D3-8799-98E9FBF632A2}\chrome.manifest
c:\documents and settings\Owner\Local Settings\Application Data\{3E315B7B-DE36-48D3-8799-98E9FBF632A2}\chrome\content\_cfg.js
c:\documents and settings\Owner\Local Settings\Application Data\{3E315B7B-DE36-48D3-8799-98E9FBF632A2}\chrome\content\overlay.xul
c:\documents and settings\Owner\Local Settings\Application Data\{3E315B7B-DE36-48D3-8799-98E9FBF632A2}\install.rdf
c:\documents and settings\Owner\WINDOWS
c:\ps3themecreator\PS3ThemeCreator.exe
c:\windows\system32\11478.exe
c:\windows\system32\11942.exe
c:\windows\system32\15724.exe
c:\windows\system32\16827.exe
c:\windows\system32\18467.exe
c:\windows\system32\19169.exe
c:\windows\system32\23281.exe
c:\windows\system32\24464.exe
c:\windows\system32\26500.exe
c:\windows\system32\26962.exe
c:\windows\system32\28145.exe
c:\windows\system32\29358.exe
c:\windows\system32\2995.exe
c:\windows\system32\4827.exe
c:\windows\system32\491.exe
c:\windows\system32\5436.exe
c:\windows\system32\5705.exe
c:\windows\system32\6334.exe
c:\windows\system32\9961.exe
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\Thumbs.db
D:\Autorun.inf
X:\autorun.inf
.
Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected
Restored copy from - Kitty had a snack :P
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_SYS
-------\Legacy_SYSDRV
-------\Legacy_WKSPATCH
.
.
((((((((((((((((((((((((( Files Created from 2011-03-25 to 2011-04-25 )))))))))))))))))))))))))))))))
.
.
2011-04-25 00:44 . 2011-04-25 00:44 -------- d-----w- c:\program files\Sophos
2011-04-25 00:23 . 2011-04-25 00:23 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A90EA19A-D8D2-478A-9A19-DBB5FE471C30}\MpKslf8ef0c86.sys
2011-04-24 19:02 . 2011-04-24 19:02 -------- d-----w- c:\program files\Runtime Software
2011-04-24 18:01 . 2011-04-24 18:01 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A90EA19A-D8D2-478A-9A19-DBB5FE471C30}\MpKslb6b6549e.sys
2011-04-24 06:09 . 2011-04-11 05:04 7071056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A90EA19A-D8D2-478A-9A19-DBB5FE471C30}\mpengine.dll
2011-04-24 04:36 . 2011-04-24 04:36 35904 ----a-w- c:\windows\system32\drivers\waqzob40.sys
2011-04-22 23:14 . 2010-05-26 15:39 6144 ------w- c:\windows\system32\4.tmp
2011-04-22 23:14 . 2010-05-26 15:39 6144 ------w- c:\windows\system32\3.tmp
2011-04-22 17:08 . 2011-04-11 05:04 7071056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-04-22 01:23 . 2009-08-07 00:23 215920 ----a-w- c:\windows\system32\muweb.dll
2011-04-22 01:23 . 2009-08-07 00:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2011-04-21 14:31 . 2011-04-21 14:31 -------- d-----w- c:\program files\Microsoft Security Client
2011-04-19 00:54 . 2011-04-19 00:54 -------- d-----w- c:\program files\Bonjour
2011-04-19 00:36 . 2011-04-24 18:04 -------- d-----w- c:\documents and settings\Owner\Application Data\Dropbox
2011-04-19 00:26 . 2009-10-20 08:39 249872 ----a-w- c:\windows\system32\prgiso.dll
2011-04-06 21:20 . 2011-04-06 21:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 21:20 . 2011-04-06 21:20 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2011-04-06 21:20 . 2011-04-06 21:20 197920 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 21:20 . 2011-04-06 21:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-07 05:33 . 2004-09-23 10:13 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45 . 2004-08-12 14:08 434176 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-08-12 14:09 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-18 21:36 . 2010-06-30 13:00 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-02-18 21:36 . 2008-10-16 18:41 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-02-17 13:51 . 2004-08-12 14:09 667136 ----a-w- c:\windows\system32\wininet.dll
2011-02-17 13:51 . 2004-08-12 14:07 61952 ----a-w- c:\windows\system32\tdc.ocx
2011-02-17 13:51 . 2004-08-12 13:58 81920 ----a-w- c:\windows\system32\ieencode.dll
2011-02-17 13:18 . 2004-08-12 14:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2004-08-12 14:06 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:37 . 2004-08-12 13:57 369664 ----a-w- c:\windows\system32\html.iec
2011-02-17 12:32 . 2009-05-15 04:26 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2004-08-12 13:55 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53 . 2004-08-12 14:04 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-12 13:57 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33 . 2004-08-12 13:59 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2004-08-12 13:59 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 07:58 . 2004-09-23 10:13 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2004-09-23 10:13 677888 ----a-w- c:\windows\system32\mstsc.exe
2010-04-17 23:44 . 2010-04-17 23:44 28472 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2010-04-17 23:44 . 2010-04-17 23:44 185224 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2010-04-17 23:44 . 2010-04-17 23:44 99208 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Owner\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Owner\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Owner\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Owner\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PeerBlock"="c:\program files\PeerBlock\peerblock.exe" [2010-11-07 1867888]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"nwiz"="nwiz.exe" [2008-05-16 1630208]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-14 421160]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
.
c:\documents and settings\Owner\Start Menu\Programs\Startup\
Stardock ObjectDock.lnk - c:\program files\Stardock\ObjectDock\ObjectDock.exe [2008-7-25 3450608]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-09-29 01:34 87352 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
2005-01-31 20:13 49152 ----a-w- c:\progra~1\COMMON~1\Stardock\MCPStub.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0smrgdf c:\program files\iolo\System Mechanic 5\\0OODBS\0sprestrt
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\Java\\jre1.6.0_07\\bin\\javaw.exe"=
"c:\\Documents and Settings\\Owner\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R0 waqzob40;Vba32 Armour Driver;c:\windows\system32\drivers\waqzob40.sys [4/23/2011 11:36 PM 35904]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/11/2008 1:41 PM 12856]
R3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [2/3/2010 8:42 PM 19056]
S2 ecure;FireDaemon Service: ecure; [x]
S2 svchost1;FireDaemon Service: svchost1; [x]
S3 ctxva51;Citrix Virtual Adapter;c:\windows\system32\drivers\ctxva51.sys [11/9/2010 9:46 AM 41624]
S3 Mestrsimiwm;Mestrsimiwm; [x]
S3 sxuptp;SXUPTP Driver;c:\windows\system32\DRIVERS\sxuptp.sys --> c:\windows\system32\DRIVERS\sxuptp.sys [?]
S3 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [7/24/2008 4:22 PM 102400]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 5:06 PM 11520]
S4 gupdate1c9f19a1b80b64c;Google Update Service (gupdate1c9f19a1b80b64c);c:\program files\Google\Update\GoogleUpdate.exe [6/20/2009 6:27 AM 133104]
S4 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\5.tmp --> c:\windows\system32\5.tmp [?]
S4 mrtRate;mrtRate; [x]
S4 nsService;NovaStor NovaBACKUP Backup/Copy Engine;c:\program files\NovaStor\NovaStor NovaBACKUP\nsService.exe [3/4/2010 3:50 PM 261256]
S4 PS3 Media Server;PS3 Media Server;c:\program files\PS3 Media Server\win32\service\wrapper.exe [8/17/2008 3:40 AM 217088]
S4 SGUARD;SGUARD;\??\c:\windows\system32\drivers\SGuard.sys --> c:\windows\system32\drivers\SGuard.sys [?]
S4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys --> c:\windows\system32\Drivers\sptd.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - PBFILTER
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]
.
2011-04-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-20 11:27]
.
2011-04-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-20 11:27]
.
2011-04-25 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 17:26]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://srch-us9.hpwis.com/
uStart Page = https://citrix.noritsu.com/vpn/index.html
mSearch Bar = hxxp://srch-us9.hpwis.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer =
uInternet Settings,ProxyOverride = *.local
uCustomizeSearch =
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: turbotax.com
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\1dhpqgrp.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Garmin Communicator: {195A3098-0BD5-4e90-AE22-BA1C540AFD1E} - %profile%\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
SharedTaskScheduler-{863b3077-2420-4540-9db6-646825d56e5e} - (no file)
SharedTaskScheduler-{7347cbbc-b4db-47b4-b356-bccee46c09f9} - (no file)
SSODL-rihodugiy-{863b3077-2420-4540-9db6-646825d56e5e} - (no file)
SSODL-rupewojaj-{7347cbbc-b4db-47b4-b356-bccee46c09f9} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-25 15:38
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\5.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2171190695-3010563622-2017339152-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
@SACL=
.
[HKEY_USERS\S-1-5-21-2171190695-3010563622-2017339152-1003\Software\SecuROM\License information*]
"datasecu"=hex:21,ea,54,33,74,41,80,4e,63,4b,14,bc,9b,a8,59,2c,cc,ed,7c,d6,87,
4a,aa,f0,da,de,12,37,e2,86,1e,c5,10,2d,7f,2e,8f,ca,1f,a3,45,4b,d5,cb,bf,2d,\
"rkeysecu"=hex:3e,80,9e,c4,40,b4,90,83,87,8e,33,49,64,ac,f8,d9
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG08.00.00.01WORKSTATION"="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"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(764)
c:\windows\system32\LMIinit.dll
c:\progra~1\COMMON~1\Stardock\mcpstub.dll
.
- - - - - - - > 'explorer.exe'(2564)
c:\program files\Stardock\ObjectDock\DockShellHook.dll
c:\documents and settings\Owner\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\windows\system32\ieframe.dll
c:\progra~1\COMMON~1\Stardock\MCPCore.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Stardock\Object Desktop\IconPackager\iprepair.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\LMIRfsClientNP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\oodag.exe
c:\progra~1\COMMON~1\Stardock\SDMCP.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-04-25 15:51:17 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-25 20:50
.
Pre-Run: 52,107,857,920 bytes free
Post-Run: 52,890,640,384 bytes free
.
Current=3 Default=3 Failed=0 LastKnownGood=6 Sets=,1,2,3,4,5,6
- - End Of File - - DC7736B108DAAB55E81A85F338F7128D

Edited by retravoh, 25 April 2011 - 04:14 PM.


#4 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:09:42 AM

Posted 25 April 2011 - 05:21 PM

Pay a visit to the ESET Online Scanner.

  • Click the ESET Online Scanner button and a new window will open - you may need to maximise it.
  • Click the Run ESET Online Scanner button in the new window.
  • If you are using any other browser than IE, you will be prompted to download and run esetsmartinstaller_enu.exe and the scan will run from within the window that the executable opens.
  • Regardless of which browser you are using, you will be shown some terms and conditions and you will need to accept these to continue.
  • If you are running IE for this scan you will then be prompted to allow an ActiveX component to be downloaded, unless you already have it installed, and the scan will run inside IE.
  • When you see the Computer Scan Settings window, you will need to make the following changes:

    • UNCHECK Remove found threats - this is important.
    • Check Scan archives
    • Click on Advanced settings
    • Check Scan for potentially unsafe applications
  • Once ready, click Start to begin - not a surprise really!
  • The anti-virus definitions will now be downloaded, so don't forget to allow them through your firewall if prompted.
  • The above will take a little time, so now is a good time to fire up the kettle and open the biccies.
  • Once the scan has completed you will be shown the results - assuming that the scanner has found anything.
  • Click List of found threats and then Export to text file... and save the log somewhere convenient.
  • You can then close out the scanner - don't bother uninstalling it as you may need to use it again.
  • Please post the contents of this file in your next reply, or let me know that nothing was identified.

Will you also throw in a fresh DDS log and let me know how the PC is behaving.

So long, and thanks for all the fish.


#5 retravoh

retravoh
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:04:42 AM

Posted 25 April 2011 - 10:11 PM

Again, thanks for the help. The PC is behaving normally now (normal speed and no strange popups or redirects when surfing). Here are the logs.

ESET
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\14\6fe35c0e-7dd9ae71 a variant of Java/TrojanDownloader.OpenStream.NAT trojan
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\40\3da0e5a8-436da28a multiple threats
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\9\f338d49-50bde325 multiple threats
C:\Program Files\321Studios\Keymaker1.exe a variant of Win32/Keygen.AF application
C:\Program Files\321Studios\Keymaker2.exe a variant of Win32/Keygen.AF application
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe probably a variant of Win32/Agent.CBFNBEO trojan
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP97\A0018663.sys Win32/Olmasco.E trojan


DDS
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by retravoh at 22:06:31.06 on Mon 04/25/2011
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.748 [GMT -5:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ps2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\PeerBlock\peerblock.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\program files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre1.6.0_07\bin\javaw.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uDefault_Search_URL = hxxp://srch-us9.hpwis.com/
uStart Page = https://citrix.noritsu.com/vpn/index.html
mSearch Bar = hxxp://srch-us9.hpwis.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer =
uInternet Settings,ProxyOverride = *.local
uCustomizeSearch =
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {243b17de-77c7-46bf-b94b-0b5f309a0e64} - c:\program files\microsoft money\system\mnyside.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
TB: {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [PeerBlock] c:\program files\peerblock\peerblock.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\stardo~1.lnk - c:\program files\stardock\objectdock\ObjectDock.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {F47C1DB5-ED21-4dc1-853E-D1495792D4C5}
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll
Trusted Zone: turbotax.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {BAC761D3-DFFD-4DB4-A01D-173346E090A7} - hxxp://pogo.oberon-media.com/online2/pogo/zenerchi/ZenerchiWeb.1.0.0.10.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxsrvc.dll
Notify: LMIinit - LMIinit.dll
Notify: MCPClient - c:\progra~1\common~1\stardock\mcpstub.dll
SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - c:\progra~1\common~1\stardock\MCPCore.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: IconPackager Repair - {1799460C-0BC8-4865-B9DF-4A36CD703FF0} - c:\program files\stardock\object desktop\iconpackager\iprepair.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\1dhpqgrp.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\documents and settings\owner\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\1dhpqgrp.default\extensions\{195a3098-0bd5-4e90-ae22-ba1c540afd1e}\plugins\npGarmin.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Garmin Communicator: {195A3098-0BD5-4e90-AE22-BA1C540AFD1E} - %profile%\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R0 waqzob40;Vba32 Armour Driver;c:\windows\system32\drivers\waqzob40.sys [2011-4-23 35904]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-8-11 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-1-17 47640]
R3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2010-2-3 19056]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S2 ecure;FireDaemon Service: ecure; [x]
S2 svchost1;FireDaemon Service: svchost1; [x]
S3 ctxva51;Citrix Virtual Adapter;c:\windows\system32\drivers\ctxva51.sys [2010-11-9 41624]
S3 Mestrsimiwm;Mestrsimiwm; [x]
S3 sxuptp;SXUPTP Driver;c:\windows\system32\drivers\sxuptp.sys --> c:\windows\system32\drivers\sxuptp.sys [?]
S3 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\western digital\wd drive manager\WDBtnMgrSvc.exe [2008-7-24 102400]
S4 gupdate1c9f19a1b80b64c;Google Update Service (gupdate1c9f19a1b80b64c);c:\program files\google\update\GoogleUpdate.exe [2009-6-20 133104]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\5.tmp --> c:\windows\system32\5.tmp [?]
S4 mrtRate;mrtRate; [x]
S4 nsService;NovaStor NovaBACKUP Backup/Copy Engine;c:\program files\novastor\novastor novabackup\nsService.exe [2010-3-4 261256]
S4 PS3 Media Server;PS3 Media Server;c:\program files\ps3 media server\win32\service\wrapper.exe [2008-8-17 217088]
S4 SGUARD;SGUARD;\??\c:\windows\system32\drivers\sguard.sys --> c:\windows\system32\drivers\SGuard.sys [?]
.
=============== Created Last 30 ================
.
2011-04-25 23:15:40 -------- d-----w- c:\program files\ESET
2011-04-25 20:09:56 98816 ----a-w- c:\windows\sed.exe
2011-04-25 20:09:56 89088 ----a-w- c:\windows\MBR.exe
2011-04-25 20:09:56 256512 ----a-w- c:\windows\PEV.exe
2011-04-25 20:09:56 161792 ----a-w- c:\windows\SWREG.exe
2011-04-25 00:44:03 -------- d-----w- c:\program files\Sophos
2011-04-25 00:23:48 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{a90ea19a-d8d2-478a-9a19-dbb5fe471c30}\MpKslf8ef0c86.sys
2011-04-24 19:02:04 -------- d-----w- c:\program files\Runtime Software
2011-04-24 18:01:14 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{a90ea19a-d8d2-478a-9a19-dbb5fe471c30}\MpKslb6b6549e.sys
2011-04-24 06:09:21 7071056 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{a90ea19a-d8d2-478a-9a19-dbb5fe471c30}\mpengine.dll
2011-04-24 04:36:25 35904 ----a-w- c:\windows\system32\drivers\waqzob40.sys
2011-04-22 23:14:56 6144 ------w- c:\windows\system32\4.tmp
2011-04-22 23:14:43 6144 ------w- c:\windows\system32\3.tmp
2011-04-22 17:08:22 7071056 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2011-04-22 01:23:33 215920 ----a-w- c:\windows\system32\muweb.dll
2011-04-22 01:23:33 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2011-04-22 01:23:32 274288 ----a-w- c:\windows\system32\mucltui.dll
2011-04-21 14:31:20 -------- d-----w- c:\program files\Microsoft Security Client
2011-04-19 00:54:17 -------- d-----w- c:\program files\Bonjour
2011-04-19 00:36:26 -------- d-----w- c:\docume~1\owner\applic~1\Dropbox
2011-04-19 00:26:14 249872 ----a-w- c:\windows\system32\prgiso.dll
2011-04-06 21:20:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 21:20:16 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2011-04-06 21:20:16 197920 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 21:20:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
.
==================== Find3M ====================
.
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45:07 434176 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-18 21:36:58 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-02-17 13:51:57 81920 ----a-w- c:\windows\system32\ieencode.dll
2011-02-17 13:51:57 667136 ----a-w- c:\windows\system32\wininet.dll
2011-02-17 13:51:57 61952 ----a-w- c:\windows\system32\tdc.ocx
2011-02-17 12:37:38 369664 ----a-w- c:\windows\system32\html.iec
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
.
============= FINISH: 22:07:53.90 ===============




#6 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:09:42 AM

Posted 26 April 2011 - 01:30 PM

Good evening. :)

Assuming that all is still well, I'd say you were done.


C:\Program Files\321Studios\Keymaker1.exe a variant of Win32/Keygen.AF application
C:\Program Files\321Studios\Keymaker2.exe a variant of Win32/Keygen.AF application

I'll leave you to decide the legitimacy of these files as you know what you are putting on your hard drive - at least I hope you do!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

c:\windows\system32\4.tmp
c:\windows\system32\3.tmp


If you can find the above on your system, delete them.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Your log doesn't appear to show a third-party software firewall installed - if you have one, and I've missed it, please ignore this.
If you are relying on the firewall that comes with Service Pack 2, then you need to install one. While the SP2 firewall is better than nothing, it doesn't monitor outgoing traffic, so anything malicious on your computer can 'phone home' at will.
If you are using a wireless router that comes with a NAT hardware firewall, this also doesn't monitor outgoing connections.

There are a few free firewalls available, of which the following are just three (all of which I've used at one time or another):

Comodo Firewall Pro, available here.
PC Tools Firewall Plus, available here.
Online Armor Free, available here.

It is important to note that you should only have one firewall installed at a time, but you can download them all to your Desktop and install each in turn to see which one you prefer.

Understanding and Using Firewalls: http://www.bleepingcomputer.com/tutorials/understanding-and-using-firewalls/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Your copy of Adobe Reader is out of date. You can get the latest version here, feel free to uncheck the McAfee download first, or you can update from within the program itself: Help > Check for Updates...

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Your version of Sun Java needs updating:

1) Go here and click on the Windows XP/Vista/2000/2003/2008 Offline link in the Windows section near the top and save it to your Desktop.

2) Download JavaRa from here and save it to your Desktop.
You will need to extract the file(s):

Right click on the zipped folder and from the menu that appears, click on Extract All...
In the 'Extraction Wizard' window that opens, click on Next> and in the next window that appears, click on Next> again.
In the final window, click on Finish


***Please close any instances of Internet Explorer before continuing!***

  • Double-click JavaRa.exe to begin.
  • Pick your preferred language from the drop-down menu and click Select.
  • Click on Remove Older Versions to remove older versions of Java - obvious really, isn't it!
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location, just in case you have any problems with Java afterwards.
3) Run the installer that you downloaded earlier.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I want you to run your PC as normal for a few days and when you are happy that everything is fine, do the following:

Go to Start > Run, enter the following into the textbox and click OK: ComboFix /Uninstall
This will uninstall Combofix and do a little housework besides.

Create a new Restore Point with a memorable name - this will give a clean one should you need it in the future. If you use a Restore Point from before this point you may reinstall any infection that was present at the time, so only do so if using this latest one doesn't solve any issues.
A tutorial for System Restore is available here.

Some bedtime reading: This is a very good tutorial about keeping your computer safe and secure on the internet. It's a little old, but still contains some good ideas.

So long, and thanks for all the fish.
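Noviciate's reply above singles out the two numbered .tmp files from the "Created Last 30" section of the DDS log, and the "SERVICES / DRIVERS" section of the same log carries entries marked [x] (no image path recorded) and [?] (image path set, but the file is not on disk). The Python script below is an added example, not part of this thread and not a DDS or BleepingComputer tool, that pulls those review candidates out of a DDS log mechanically. The section headers and line layouts it expects are copied from the log posted above and are assumed to be stable; the sample text is constructed from lines of that log. What it returns is a worklist for a human to check, not a diagnosis: a driver loaded from a numbered .tmp file can just as well be a scanner's own leftover as something hostile.

```python
"""Triage helper for DDS-style log sections (added example, not a DDS or BleepingComputer tool)."""
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the DDS log posted above,
# wrapped in the section headers DDS uses. Backslashes are doubled only
# because this is a Python string literal.
SAMPLE_LOG = """\
============= SERVICES / DRIVERS ===============
.
R0 waqzob40;Vba32 Armour Driver;c:\\windows\\system32\\drivers\\waqzob40.sys [2011-4-23 35904]
R1 MpFilter;Microsoft Malware Protection Driver;c:\\windows\\system32\\drivers\\MpFilter.sys [2010-10-24 165264]
S2 ecure;FireDaemon Service: ecure; [x]
S3 sxuptp;SXUPTP Driver;c:\\windows\\system32\\drivers\\sxuptp.sys --> c:\\windows\\system32\\drivers\\sxuptp.sys [?]
S4 MEMSWEEP2;MEMSWEEP2;\\??\\c:\\windows\\system32\\5.tmp --> c:\\windows\\system32\\5.tmp [?]
S4 PS3 Media Server;PS3 Media Server;c:\\program files\\ps3 media server\\win32\\service\\wrapper.exe [2008-8-17 217088]
.
=============== Created Last 30 ================
.
2011-04-25 20:09:56 98816 ----a-w- c:\\windows\\sed.exe
2011-04-22 23:14:56 6144 ------w- c:\\windows\\system32\\4.tmp
2011-04-22 23:14:43 6144 ------w- c:\\windows\\system32\\3.tmp
2011-04-22 01:23:33 215920 ----a-w- c:\\windows\\system32\\muweb.dll
.
"""

# "=== Section Name ===" header lines that DDS prints between sections.
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# <state> <service name>;<display name>;<image path [date size] | [x] | path --> path [?]>
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")
# <date> <time> <size or dashes> <attribute flags> <path>
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)\s+(\S+)\s+(.+)$")
# A bare numbered temp file such as "\5.tmp" at the very end of a path.
TMP_NAME_RE = re.compile(r"\\(\d+\.tmp)$", re.IGNORECASE)


@dataclass
class Finding:
    section: str
    subject: str   # service name or file path
    reason: str


def triage(text: str) -> list:
    """Return review candidates from the SERVICES / DRIVERS and Created Last 30 sections."""
    findings = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        if not line or line == ".":
            continue
        if section == "SERVICES / DRIVERS":
            m = SERVICE_RE.match(line)
            if not m:
                continue
            _state, name, _display, target = m.groups()
            target = target.strip()
            if target == "[x]":
                findings.append(Finding(section, name, "no image path recorded"))
            elif target.endswith("[?]"):
                findings.append(Finding(section, name, "image path set but file not found on disk"))
            # Look only at the path as registered, before any "--> resolved path" suffix.
            if TMP_NAME_RE.search(target.split(" -->")[0]):
                findings.append(Finding(section, name, "runs from a numbered .tmp file"))
        elif section == "Created Last 30":
            m = CREATED_RE.match(line)
            if not m:
                continue
            _ts, _size, _attrs, path = m.groups()
            if "\\system32\\" in path.lower() and TMP_NAME_RE.search(path):
                findings.append(Finding(section, path, "numbered .tmp file created in system32"))
    return findings


def flagged_services(text: str) -> set:
    """Service names with at least one finding (handy for a summary line)."""
    return {f.subject for f in triage(text) if f.section == "SERVICES / DRIVERS"}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.subject}: {f.reason}")
```

Run as a script it prints the worklist for the constructed sample; for a real DDS log, read the file and pass its contents to triage(). Entries that pass cleanly (a dated, sized image path under a normal program directory) are deliberately not reported, so a long log reduces to the handful of lines a helper would ask about.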



#7 retravoh

retravoh
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:04:42 AM

Posted 30 April 2011 - 10:17 AM

I have deleted the files you mentioned above. I have downloaded, but not yet installed, a third-party firewall. I have updated Reader and Java.

I did the ESET scan again and it only found one entry -

C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe probably a variant of Win32/Agent.CBFNBEO trojan

Should I do anything about it?


The only problem I'm having is that Internet Explorer does not start. I use Firefox 99% of the time, but I do know Internet Explorer worked before the infection. I get this message when I start IE:

"Internet Explorer had encountered a problem and needs to close." When I "click here" to see the error report, I get:

"Error signature AppName: iexplore.exe AppVer: 6.0.2900.5512 ModName: urlmon.dll ModVer:6.0.2900.6082 Offset: 0003e59f"

#8 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:09:42 AM

Posted 30 April 2011 - 02:50 PM

Good evening. :)

I did the ESET scan again and it only found one entry -

C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe probably a variant of Win32/Agent.CBFNBEO trojan

Should I do anything about it?

Sorry, should have said. This looks to me like a legitimate file that has been incorrectly flagged as malicious - Updates from HP points to a Hewlett-Packard file and Google seems to confirm it.

As to the IE problem, I'd post about it here as it's where the Techies hang out and they are better equipped to deal with this one.

So long, and thanks for all the fish.


#9 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:09:42 AM

Posted 03 May 2011 - 01:58 PM

As this issue appears to have been resolved, this thread is now closed.

So long, and thanks for all the fish.




