
Can't access Windows Update nor AV sites


This topic is locked
18 replies to this topic

#1 rbsilva

Posted 30 January 2012 - 12:37 PM

Hello

Not being able to update Windows, I suspected a virus or malware was on the computer. Found out that the anti-virus websites aren't available.
Turned to BleepingComputer for help - ran Security Check, FSS, MiniToolBox, aswMBR. Cleaned the hosts file. Ran GMER. Posted the log and was asked to follow the guide.
Here are the final relevant posts and logs attached as requested.

««««
DDS Post
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_30
Run by Utilizador at 15:51:20 on 2012-01-30
Microsoft Windows XP Home Edition 5.1.2600.2.1252.351.2070.18.447.166 [GMT 0:00]
.
AV: Avira AntiVir PersonalEdition *Enabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Programas\CyberLink\PowerDVD\PDVDServ.exe
C:\Programas\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Programas\Browser MOUSE\mouse32a.exe
C:\Programas\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programas\Ficheiros comuns\Java\Java Update\jusched.exe
C:\Programas\Messenger\msmsgs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIFBE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\OpenOffice.org 2.2\program\soffice.exe
C:\Programas\OpenOffice.org 2.2\program\soffice.BIN
svchost.exe
C:\Programas\AntiVir PersonalEdition Classic\sched.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Programas\Java\jre6\bin\jqs.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Programas\Mozilla Firefox\firefox.exe
.
============== Pseudo HJT Report ===============
.
uInternet Connection Wizard,ShellNext = iexplore
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\programas\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\programas\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\programas\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\programas\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [MSMSGS] "c:\programas\messenger\msmsgs.exe" /background
uRun: [EPSON SX110 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatifbe.exe /fu "c:\windows\temp\E_S398.tmp" /EF "HKCU"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
mRun: [VTTimer] VTTimer.exe
mRun: [VTTrayp] VTtrayp.exe
mRun: [RemoteControl] c:\programas\cyberlink\powerdvd\PDVDServ.exe
mRun: [RoxioEngineUtility] "c:\programas\ficheiros comuns\roxio shared\system\EngUtil.exe"
mRun: [RoxioDragToDisc] "c:\programas\roxio\easy cd creator 6\dragtodisc\DrgToDsc.exe"
mRun: [FLMOFFICE4DMOUSE] c:\programas\browser mouse\mouse32a.exe
mRun: [avgnt] "c:\programas\antivir personaledition classic\avgnt.exe" /min
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [SunJavaUpdateSched] "c:\programas\ficheiros comuns\java\java update\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\utiliz~1\menuin~1\progra~1\arranque\openof~1.lnk - c:\programas\openoffice.org 2.2\program\quickstart.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.254 192.168.1.254
TCP: Interfaces\{82E0A45C-4F3E-4EBA-AE04-163BCA76A531} : DhcpNameServer = 192.168.1.254 192.168.1.254
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\utilizador\application data\mozilla\firefox\profiles\j3w0g97q.default\
FF - plugin: c:\programas\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\programas\mozilla firefox\plugins\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R1 avgio;avgio;c:\programas\antivir personaledition classic\avgio.sys [2007-9-13 11840]
R2 AntiVirScheduler;AntiVir PersonalEdition Classic Scheduler;c:\programas\antivir personaledition classic\sched.exe [2007-9-13 57896]
R2 AntiVirService;AntiVir PersonalEdition Classic Guard;c:\programas\antivir personaledition classic\avguard.exe [2007-9-13 204840]
R3 avgntflt;avgntflt;c:\programas\antivir personaledition classic\avgntflt.sys [2007-9-13 48704]
S2 drqrjr;Security Microsoft;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S2 ifigmcl;Time Boot;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S3 cpuz134;cpuz134;c:\programas\cpuid\pc wizard 2010\pcwiz_x32.sys [2011-12-30 20328]
S3 Slnt7554;USB Soft Modem Driver;c:\windows\system32\drivers\slnt7554.sys [2005-8-24 129535]
.
=============== Created Last 30 ================
.
2012-01-24 15:47:27 -------- d-----w- C:\gmer
2012-01-11 14:49:03 626688 ----a-w- c:\programas\mozilla firefox\msvcr80.dll
2012-01-11 14:49:03 548864 ----a-w- c:\programas\mozilla firefox\msvcp80.dll
2012-01-11 14:49:03 479232 ----a-w- c:\programas\mozilla firefox\msvcm80.dll
2012-01-11 14:49:03 43992 ----a-w- c:\programas\mozilla firefox\mozutils.dll
.
==================== Find3M ====================
.
2011-12-29 15:47:30 249856 ------w- c:\windows\Setup1.exe
2011-12-29 15:47:25 73216 ----a-w- c:\windows\ST6UNST.EXE
2011-12-10 15:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-10 05:54:13 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-11-10 03:27:10 73728 ----a-w- c:\windows\system32\javacpl.cpl
.
============= FINISH: 15:52:05,04 ===============


»»»»

Thanks in advance for the help.
rbsilva


#2 Blind Faith (Malware Response Team)

Posted 01 February 2012 - 04:54 PM

Hello and welcome to BleepingComputer! :)



I am Blind Faith and I will be helping you out with your problem. Firstly, you should know that we are working with specific tools which are designed to identify the possible threats present on your system, so I will analyze the results they produce.


As a start we need to have some more up-to-date logs than the ones you have already provided. The current state of the files on your system might have changed, so we need to get a clear look at that step. DO NOT make any changes to the system except the ones I tell you to, as that may cause more damage than help.

If you encounter a delay of over 2 days from me, please don't hesitate to private message me.
Do not forget to check your topic periodically and subscribe to the topic so that you can receive notifications regarding my replies.



Please generate another DDS log (download it from here if you haven't already) and post it in your next reply along with other changes that may have occurred since you last posted.
Also download and run GMER from this link: GMER download link.



Thank you very much for your patience.




Regards,

Elle
Can you hear it? It's all around!

Tomar ki manè acchè?
Yadi thakè, tahalè
Ki kshama kartè paro
?



If I haven't replied in 48 hours, please feel free to send me a PM.




#3 rbsilva (Topic Starter)

Posted 02 February 2012 - 11:41 AM

Hello Elle and thank you for the assistance.

The only change I've made in the PC since the last logs was the installation of a Brother printer.
Nonetheless I've run DDS and GMER (without the IAT option). Here are the most recent logs (I've attached the attach.txt file from DDS and the GMER log).

DDS log »»»»»»»»
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_30
Run by Utilizador at 12:39:06 on 2012-02-02
Microsoft Windows XP Home Edition 5.1.2600.2.1252.351.2070.18.447.129 [GMT 0:00]
.
AV: Avira AntiVir PersonalEdition *Enabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Programas\CyberLink\PowerDVD\PDVDServ.exe
C:\Programas\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Programas\Browser MOUSE\mouse32a.exe
C:\Programas\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programas\Ficheiros comuns\Java\Java Update\jusched.exe
C:\Programas\Browny02\Brother\BrStMonW.exe
C:\Programas\Messenger\msmsgs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIFBE.EXE
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Programas\Brother\ControlCenter3\brccMCtl.exe
C:\Programas\OpenOffice.org 2.2\program\soffice.exe
C:\Programas\OpenOffice.org 2.2\program\soffice.BIN
C:\Programas\AntiVir PersonalEdition Classic\sched.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Programas\Java\jre6\bin\jqs.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Programas\Browny02\BrYNSvc.exe
C:\Programas\Mozilla Firefox\firefox.exe
C:\Programas\Mozilla Firefox\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
uInternet Connection Wizard,ShellNext = iexplore
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\programas\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\programas\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\programas\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\programas\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [MSMSGS] "c:\programas\messenger\msmsgs.exe" /background
uRun: [EPSON SX110 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatifbe.exe /fu "c:\windows\temp\E_S398.tmp" /EF "HKCU"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
mRun: [VTTimer] VTTimer.exe
mRun: [VTTrayp] VTtrayp.exe
mRun: [RemoteControl] c:\programas\cyberlink\powerdvd\PDVDServ.exe
mRun: [RoxioEngineUtility] "c:\programas\ficheiros comuns\roxio shared\system\EngUtil.exe"
mRun: [RoxioDragToDisc] "c:\programas\roxio\easy cd creator 6\dragtodisc\DrgToDsc.exe"
mRun: [FLMOFFICE4DMOUSE] c:\programas\browser mouse\mouse32a.exe
mRun: [avgnt] "c:\programas\antivir personaledition classic\avgnt.exe" /min
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [SunJavaUpdateSched] "c:\programas\ficheiros comuns\java\java update\jusched.exe"
mRun: [ControlCenter3] c:\programas\brother\controlcenter3\brctrcen.exe /autorun
mRun: [BrStsMon00] c:\programas\browny02\brother\BrStMonW.exe /AUTORUN
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\utiliz~1\menuin~1\progra~1\arranque\openof~1.lnk - c:\programas\openoffice.org 2.2\program\quickstart.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.254 192.168.1.254
TCP: Interfaces\{82E0A45C-4F3E-4EBA-AE04-163BCA76A531} : DhcpNameServer = 192.168.1.254 192.168.1.254
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\utilizador\application data\mozilla\firefox\profiles\j3w0g97q.default\
FF - plugin: c:\programas\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\programas\mozilla firefox\plugins\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R1 avgio;avgio;c:\programas\antivir personaledition classic\avgio.sys [2007-9-13 11840]
R2 AntiVirScheduler;AntiVir PersonalEdition Classic Scheduler;c:\programas\antivir personaledition classic\sched.exe [2007-9-13 57896]
R2 AntiVirService;AntiVir PersonalEdition Classic Guard;c:\programas\antivir personaledition classic\avguard.exe [2007-9-13 204840]
R3 avgntflt;avgntflt;c:\programas\antivir personaledition classic\avgntflt.sys [2007-9-13 48704]
R3 BrYNSvc;BrYNSvc;c:\programas\browny02\BrYNSvc.exe [2012-1-31 245760]
S2 drqrjr;Security Microsoft;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S2 ifigmcl;Time Boot;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S3 cpuz134;cpuz134;c:\programas\cpuid\pc wizard 2010\pcwiz_x32.sys [2011-12-30 20328]
S3 Slnt7554;USB Soft Modem Driver;c:\windows\system32\drivers\slnt7554.sys [2005-8-24 129535]
.
=============== Created Last 30 ================
.
2012-01-31 16:45:02 -------- d-----r- c:\documents and settings\utilizador\application data\Brother
2012-01-31 16:38:06 61440 ----a-w- c:\windows\system32\brprtink.dll
2012-01-31 16:37:54 55808 ----a-w- c:\windows\system32\BrUsi09c.dll
2012-01-31 16:37:53 1535488 ----a-w- c:\windows\system32\BrWia09c.dll
2012-01-31 16:37:53 15295 ----a-w- c:\windows\system32\drivers\BrScnUsb.sys
2012-01-31 16:37:40 -------- d-----w- c:\programas\Browny02
2012-01-31 16:37:18 73728 ------w- c:\windows\system32\BrDctF2.dll
2012-01-31 16:37:18 5632 ------w- c:\windows\system32\BrDctF2L.dll
2012-01-31 16:37:18 3072 ------w- c:\windows\system32\BrDctF2S.dll
2012-01-31 16:37:18 217088 ------w- c:\windows\system32\NSSearch.dll
2012-01-31 16:37:18 -------- d-----w- c:\programas\Brother
2012-01-31 16:37:16 180224 ------w- c:\windows\system32\BroSNMP.dll
2012-01-31 16:36:42 -------- d-----w- c:\documents and settings\all users\application data\Brother
2012-01-24 15:47:27 -------- d-----w- C:\gmer
2012-01-11 14:49:03 626688 ----a-w- c:\programas\mozilla firefox\msvcr80.dll
2012-01-11 14:49:03 548864 ----a-w- c:\programas\mozilla firefox\msvcp80.dll
2012-01-11 14:49:03 479232 ----a-w- c:\programas\mozilla firefox\msvcm80.dll
2012-01-11 14:49:03 43992 ----a-w- c:\programas\mozilla firefox\mozutils.dll
.
==================== Find3M ====================
.
2011-12-29 15:47:30 249856 ------w- c:\windows\Setup1.exe
2011-12-29 15:47:25 73216 ----a-w- c:\windows\ST6UNST.EXE
2011-12-10 15:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-10 05:54:13 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-11-10 03:27:10 73728 ----a-w- c:\windows\system32\javacpl.cpl
.
============= FINISH: 12:39:57,67 ===============

««««««««

Thanks again for your time and help
Best regards

rbsilva


#4 Blind Faith (Malware Response Team)

Posted 04 February 2012 - 11:53 AM

Hi there,




Please download ComboFix from one of these locations:
Bleepingcomputer
ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you; please post it in English as I cannot understand Spanish.






Elle

Edited by Blind Faith, 04 February 2012 - 11:53 AM.


#5 rbsilva (Topic Starter)

Posted 06 February 2012 - 08:05 AM

Hello Elle

Thanks for the reply.
Ran ComboFix. Here's the log:

P.S.: My OS isn't in Spanish but Portuguese. I've manually translated the log.


ComboFix 12-02-06.01 - Utilizador 06-02-2012 12:36:34.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.351.2070.18.447.156 [GMT 0:00]
Running from: c:\documents and settings\Utilizador\Ambiente de trabalho\ComboFix.exe
AV: Avira AntiVir PersonalEdition *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\DragToDiscUserNameD.txt
c:\documents and settings\Utilizador\WINDOWS
c:\windows\edms4690.dll
.
.
(((((((((((((((( Files Created from 2012-01-06 to 2012-02-06 ))))))))))))))))))))))))))))
.
.
2012-01-31 16:45 . 2012-01-31 16:45 -------- d-----r- c:\documents and settings\Utilizador\Application Data\Brother
2012-01-31 16:38 . 2010-01-22 07:52 61440 ----a-w- c:\windows\system32\brprtink.dll
2012-01-31 16:37 . 2009-08-18 10:36 55808 ----a-w- c:\windows\system32\BrUsi09c.dll
2012-01-31 16:37 . 2009-08-18 10:40 1535488 ----a-w- c:\windows\system32\BrWia09c.dll
2012-01-31 16:37 . 2004-10-15 03:50 15295 ----a-w- c:\windows\system32\drivers\BrScnUsb.sys
2012-01-31 16:37 . 2012-01-31 16:37 -------- d-----w- c:\programas\Browny02
2012-01-31 16:37 . 2012-01-31 16:37 -------- d-----w- c:\programas\Brother
2012-01-31 16:37 . 2010-02-09 17:11 217088 ------w- c:\windows\system32\NSSearch.dll
2012-01-31 16:37 . 2010-01-22 15:34 3072 ------w- c:\windows\system32\BrDctF2S.dll
2012-01-31 16:37 . 2007-12-13 22:16 73728 ------w- c:\windows\system32\BrDctF2.dll
2012-01-31 16:37 . 2007-12-13 22:16 5632 ------w- c:\windows\system32\BrDctF2L.dll
2012-01-31 16:37 . 2010-02-05 11:42 180224 ------w- c:\windows\system32\BroSNMP.dll
2012-01-31 16:36 . 2012-01-31 16:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Brother
2012-01-24 15:47 . 2012-01-24 15:47 -------- d-----w- C:\gmer
2012-01-17 11:59 . 2012-01-17 11:59 -------- d-sh--w- c:\documents and settings\Administrador\PrivacIE
2012-01-11 14:49 . 2012-01-11 14:49 626688 ----a-w- c:\programas\Mozilla Firefox\msvcr80.dll
2012-01-11 14:49 . 2012-01-11 14:49 548864 ----a-w- c:\programas\Mozilla Firefox\msvcp80.dll
2012-01-11 14:49 . 2012-01-11 14:49 479232 ----a-w- c:\programas\Mozilla Firefox\msvcm80.dll
2012-01-11 14:49 . 2012-01-11 14:49 43992 ----a-w- c:\programas\Mozilla Firefox\mozutils.dll
.
.
.
((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-29 15:47 . 2011-12-29 15:47 249856 ------w- c:\windows\Setup1.exe
2011-12-29 15:47 . 2011-12-29 15:31 73216 ----a-w- c:\windows\ST6UNST.EXE
2011-12-10 15:24 . 2011-12-29 17:52 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-10 05:54 . 2010-11-04 12:44 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-11-10 03:27 . 2007-09-13 13:39 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-01-11 14:49 . 2011-06-07 08:27 121816 ----a-w- c:\programas\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2006-09-21 53248]
"VTTrayp"="VTtrayp.exe" [2006-09-28 176128]
"RemoteControl"="c:\programas\CyberLink\PowerDVD\PDVDServ.exe" [2003-12-08 32768]
"RoxioEngineUtility"="c:\programas\Ficheiros comuns\Roxio Shared\System\EngUtil.exe" [2003-05-01 65536]
"RoxioDragToDisc"="c:\programas\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2005-08-23 868352]
"FLMOFFICE4DMOUSE"="c:\programas\Browser MOUSE\mouse32a.exe" [2006-02-14 360448]
"avgnt"="c:\programas\AntiVir PersonalEdition Classic\avgnt.exe" [2007-04-02 327720]
"SunJavaUpdateSched"="c:\programas\Ficheiros comuns\Java\Java Update\jusched.exe" [2011-06-09 254696]
"ControlCenter3"="c:\programas\Brother\ControlCenter3\brctrcen.exe" [2008-12-24 114688]
"BrStsMon00"="c:\programas\Browny02\Brother\BrStMonW.exe" [2010-02-09 2621440]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
.
c:\documents and settings\Utilizador\Menu Iniciar\Programas\Arranque\
OpenOffice.org 2.2.lnk - c:\programas\OpenOffice.org 2.2\program\quickstart.exe [2007-2-2 393216]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programas\\Messenger\\msmsgs.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4329:TCP"= 4329:TCP:oyoca
.
R3 BrYNSvc;BrYNSvc;c:\programas\Browny02\BrYNSvc.exe [31-01-2012 16:37 245760]
S2 drqrjr;Security Microsoft;c:\windows\system32\svchost.exe -k netsvcs [04-08-2004 12:00 14336]
S2 ifigmcl;Time Boot;c:\windows\system32\svchost.exe -k netsvcs [04-08-2004 12:00 14336]
S3 cpuz134;cpuz134;c:\programas\CPUID\PC Wizard 2010\pcwiz_x32.sys [30-12-2011 18:56 20328]
S3 Slnt7554;USB Soft Modem Driver;c:\windows\system32\drivers\slnt7554.sys [24-08-2005 9:25 129535]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
drqrjr
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254 192.168.1.254
FF - ProfilePath - c:\documents and settings\Utilizador\Application Data\Mozilla\Firefox\Profiles\j3w0g97q.default\
.
- - - - REMOVED ORPHANS - - - -
.
HKLM-Run-Cmaudio - cmicnfg.cpl
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-06 12:45
Windows 5.1.2600 Service Pack 2 NTFS
.
Searching for hidden processes...
.
Searching for hidden auto-start entries...
.
Searching for hidden files/archives...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\drqrjr]
"ServiceDll"="c:\windows\system32\pmosyzll.dll"
--
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ifigmcl]
"ServiceDll"="c:\windows\system32\pmosyzll.dll"
.
Completion time: 2012-02-06 12:48:27
ComboFix-quarantined-files.txt 2012-02-06 12:48
.
Pre-Run: 74,316,148,736 bytes free
Post-Run: 74,668,290,048 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-PTG.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 19892FA0F1D94A1161B921DB00D45D1F

Best regards
Rbsilva

#6 Blind Faith (Malware Response Team)

Posted 07 February 2012 - 05:18 PM

Hi there,




We suspect a variant of Conficker might be present on your system. Whether it is so or not, I would still like you to get tested through this site: Conficker Eye Chart.

Please tell me which of the images are displayed and which are not. The images situated on the first row are connected to several security sites so if you are infected, some of the images may not be displayed.


====================================================================================



1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

http://www.bleepingcomputer.com/forums/topic440609.html

Collect::[89]
c:\windows\system32\pmosyzll.dll

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4329:TCP"=-
[-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\drqrjr]
[-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ifigmcl]

Driver::
drqrjr
ifigmcl

NetSvc::
drqrjr
ifigmcl

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.




Elle

Edited by Blind Faith, 07 February 2012 - 05:19 PM.

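The ComboFix log in post #5 and the CFScript in post #6 together show the pattern the helper acted on: two services with random names and plausible display names ("Security Microsoft", "Time Boot") hosted by svchost.exe -k netsvcs, both pointing their ServiceDll at the same system+hidden DLL in system32, plus a GloballyOpenPorts firewall entry with a random label. The script below is an added example (editor's code, not BleepingComputer's, the helper's or ComboFix's) that parses a constructed excerpt modelled on those log lines, scores each netsvcs-hosted service against those indicators, and renders the same Collect::/Registry::/Driver::/NetSvc:: directives the helper wrote by hand. The netsvcs baseline list, the wuauserv and 3389:TCP control lines, and the random-label heuristic are assumptions made for the example.

```python
"""Triage a ComboFix-style log for svchost-hosted rogue services and render the
matching CFScript. Added example, not ComboFix's or BleepingComputer's code."""
import re

# Constructed excerpt modelled on the log lines quoted in the thread; the
# wuauserv and 3389:TCP lines are legitimate-looking controls added here.
SAMPLE_LOG = r"""
S2 drqrjr;Security Microsoft;c:\windows\system32\svchost.exe -k netsvcs [04-08-2004 12:00 14336]
S2 ifigmcl;Time Boot;c:\windows\system32\svchost.exe -k netsvcs [04-08-2004 12:00 14336]
S2 wuauserv;Automatic Updates;c:\windows\system32\svchost.exe -k netsvcs [04-08-2004 12:00 14336]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4329:TCP"= 4329:TCP:oyoca
"3389:TCP"= 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\drqrjr]
"ServiceDll"="c:\windows\system32\pmosyzll.dll"
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ifigmcl]
"ServiceDll"="c:\windows\system32\pmosyzll.dll"
2009-03-21 14:20 159590 --sha-r- c:\windows\system32\pmosyzll.dll
"""
# Partial, constructed allowlist of services that belong in XP's netsvcs group (assumption).
NETSVCS_BASELINE = {"bits", "browser", "cryptsvc", "dhcp", "helpsvc", "lanmanserver", "netman",
                    "schedule", "seclogon", "sens", "themes", "w32time", "winmgmt", "wuauserv"}

SERVICE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+?)\s+\[")
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
FILE_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d\s+\d+\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+)$")  # Find3M line

def parse_log(text):
    """Collect services, ServiceDll keys, firewall openings and Find3M file attributes."""
    found = {"services": {}, "service_dll": {}, "open_ports": [], "files": {}}
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := SERVICE_RE.match(line)):
            found["services"][m["name"]] = {"display": m["display"], "image": m["image"]}
        elif (m := KEY_RE.match(line)):
            current_key = m["key"]
        elif (m := FILE_RE.match(line)):
            found["files"][m["path"].lower()] = m["attrs"]
        elif (m := VALUE_RE.match(line)) and current_key:
            name, value = m["name"], m["value"].strip().strip('"')
            svc = re.search(r"\\services\\([^\\]+)$", current_key, re.I)
            if svc and name.lower() == "servicedll":
                found["service_dll"][svc.group(1)] = (current_key, value.lower())
            elif current_key.lower().endswith("globallyopenports\\list"):
                found["open_ports"].append((current_key, name, value))
    return found

def triage(found):
    """Return ({rogue service: evidence}, [rogue firewall openings], [items to review by hand])."""
    dll_users = {}
    for name, (_, dll) in found["service_dll"].items():
        dll_users.setdefault(dll, []).append(name)
    rogue, review = {}, []
    for name, svc in found["services"].items():
        if "svchost.exe -k netsvcs" not in svc["image"].lower() or name.lower() in NETSVCS_BASELINE:
            continue
        evidence = [f"{svc['display']!r} is not in the netsvcs baseline"]
        if name in found["service_dll"]:
            dll = found["service_dll"][name][1]
            if len(dll_users[dll]) > 1:      # one DLL behind several unknown services
                evidence.append(f"ServiceDll {dll} shared by {dll_users[dll]}")
            attrs = found["files"].get(dll, "")
            if "s" in attrs and "h" in attrs:  # system+hidden, as the thread's --sha-r- entry
                evidence.append(f"{dll} is marked system+hidden ({attrs})")
        if len(evidence) > 1:
            rogue[name] = evidence
        else:
            review.append(f"service {name}: {evidence[0]}")
    ports = []
    for key, name, value in found["open_ports"]:
        label = value.split(":")[-1]
        if label.startswith("@"):                 # resource-string label: XP's own opening
            continue
        if re.fullmatch(r"[a-z]{4,10}", label):   # bare random token, like the 'oyoca' entry
            ports.append((key, name, value))
        else:
            review.append(f"firewall opening {name} labelled {label!r}")
    return rogue, ports, review

def build_cfscript(found, rogue, ports):
    """Render the Collect::/Registry::/Driver::/NetSvc:: directives used in the thread."""
    names = list(rogue)
    dlls = sorted({found["service_dll"][n][1] for n in names if n in found["service_dll"]})
    lines = ["Collect::", *dlls, "", "Registry::"]
    for key, name, _ in ports:
        lines += [f"[{key}]", f'"{name}"=-']
    lines += [f"[-{found['service_dll'][n][0]}]" for n in names if n in found["service_dll"]]
    lines += ["", "Driver::", *names, "", "NetSvc::", *names]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    rogue, ports, review = triage(found)
    print("\n".join(f"ROGUE {n}: " + "; ".join(w) for n, w in rogue.items()))
    print("\n".join(f"REVIEW: {r}" for r in review))
    print(build_cfscript(found, rogue, ports))
```

Run it as-is to see both services flagged and the CFScript printed. A service that fails only the baseline check lands in the review list rather than in the script, because a partial baseline alone is not enough evidence to delete a service key; the shared-DLL and system+hidden indicators are what justify the Registry:: deletions here.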

#7 rbsilva (Topic Starter)

Posted 09 February 2012 - 10:32 AM

Hello again

I've performed the requested actions.
Regarding the Conficker, the 1st and 3rd images aren't shown (a possible A/B variant according to the results table in the site).
Following is the Combofix log.
When finished it displayed a message indicating that some malicious files were sent somewhere for additional tests (?).

(translated from Portuguese)
ComboFix 12-02-06.01 - Utilizador 09-02-2012 15:06:07.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.351.2070.18.447.225 [GMT 0:00]
Running from: c:\documents and settings\Utilizador\Ambiente de trabalho\ComboFix.exe
Command switches used :: c:\documents and settings\Utilizador\Ambiente de trabalho\CFScript.txt
AV: Avira AntiVir PersonalEdition *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
file zipped: c:\windows\system32\pmosyzll.dll
.
.
((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_DRQRJR
-------\Legacy_IFIGMCL
-------\Service_drqrjr
-------\Service_ifigmcl
.
.
(((((((((((((((( Files Created from 2012-01-09 to 2012-02-09 ))))))))))))))))))))))))))))
.
.
2012-01-31 16:45 . 2012-01-31 16:45 -------- d-----r- c:\documents and settings\Utilizador\Application Data\Brother
2012-01-31 16:38 . 2010-01-22 07:52 61440 ----a-w- c:\windows\system32\brprtink.dll
2012-01-31 16:37 . 2009-08-18 10:36 55808 ----a-w- c:\windows\system32\BrUsi09c.dll
2012-01-31 16:37 . 2009-08-18 10:40 1535488 ----a-w- c:\windows\system32\BrWia09c.dll
2012-01-31 16:37 . 2004-10-15 03:50 15295 ----a-w- c:\windows\system32\drivers\BrScnUsb.sys
2012-01-31 16:37 . 2012-01-31 16:37 -------- d-----w- c:\programas\Browny02
2012-01-31 16:37 . 2012-01-31 16:37 -------- d-----w- c:\programas\Brother
2012-01-31 16:37 . 2010-02-09 17:11 217088 ------w- c:\windows\system32\NSSearch.dll
2012-01-31 16:37 . 2010-01-22 15:34 3072 ------w- c:\windows\system32\BrDctF2S.dll
2012-01-31 16:37 . 2007-12-13 22:16 73728 ------w- c:\windows\system32\BrDctF2.dll
2012-01-31 16:37 . 2007-12-13 22:16 5632 ------w- c:\windows\system32\BrDctF2L.dll
2012-01-31 16:37 . 2010-02-05 11:42 180224 ------w- c:\windows\system32\BroSNMP.dll
2012-01-31 16:36 . 2012-01-31 16:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Brother
2012-01-24 15:47 . 2012-01-24 15:47 -------- d-----w- C:\gmer
2012-01-17 11:59 . 2012-01-17 11:59 -------- d-sh--w- c:\documents and settings\Administrador\PrivacIE
2012-01-11 14:49 . 2012-02-07 09:49 45016 ----a-w- c:\programas\Mozilla Firefox\mozutils.dll
2012-01-11 14:49 . 2012-01-11 14:49 626688 ----a-w- c:\programas\Mozilla Firefox\msvcr80.dll
2012-01-11 14:49 . 2012-01-11 14:49 548864 ----a-w- c:\programas\Mozilla Firefox\msvcp80.dll
2012-01-11 14:49 . 2012-01-11 14:49 479232 ----a-w- c:\programas\Mozilla Firefox\msvcm80.dll
.
.
.
((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-29 15:47 . 2011-12-29 15:47 249856 ------w- c:\windows\Setup1.exe
2011-12-29 15:47 . 2011-12-29 15:31 73216 ----a-w- c:\windows\ST6UNST.EXE
2011-12-10 15:24 . 2011-12-29 17:52 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-07 09:49 . 2011-06-07 08:27 134104 ----a-w- c:\programas\mozilla firefox\components\browsercomps.dll
2009-03-21 14:20 159590 --sha-r- c:\windows\system32\pmosyzll.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-02-06_12.45.41 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-02-09 15:16 . 2012-02-09 15:16 16384 c:\windows\Temp\Perflib_Perfdata_1e0.dat
.
(((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2006-09-21 53248]
"VTTrayp"="VTtrayp.exe" [2006-09-28 176128]
"RemoteControl"="c:\programas\CyberLink\PowerDVD\PDVDServ.exe" [2003-12-08 32768]
"RoxioEngineUtility"="c:\programas\Ficheiros comuns\Roxio Shared\System\EngUtil.exe" [2003-05-01 65536]
"RoxioDragToDisc"="c:\programas\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2005-08-23 868352]
"FLMOFFICE4DMOUSE"="c:\programas\Browser MOUSE\mouse32a.exe" [2006-02-14 360448]
"avgnt"="c:\programas\AntiVir PersonalEdition Classic\avgnt.exe" [2007-04-02 327720]
"SunJavaUpdateSched"="c:\programas\Ficheiros comuns\Java\Java Update\jusched.exe" [2011-06-09 254696]
"ControlCenter3"="c:\programas\Brother\ControlCenter3\brctrcen.exe" [2008-12-24 114688]
"BrStsMon00"="c:\programas\Browny02\Brother\BrStMonW.exe" [2010-02-09 2621440]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
.
c:\documents and settings\Utilizador\Menu Iniciar\Programas\Arranque\
OpenOffice.org 2.2.lnk - c:\programas\OpenOffice.org 2.2\program\quickstart.exe [2007-2-2 393216]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programas\\Messenger\\msmsgs.exe"=
.
R3 BrYNSvc;BrYNSvc;c:\programas\Browny02\BrYNSvc.exe [31-01-2012 16:37 245760]
S3 cpuz134;cpuz134;c:\programas\CPUID\PC Wizard 2010\pcwiz_x32.sys [30-12-2011 18:56 20328]
S3 Slnt7554;USB Soft Modem Driver;c:\windows\system32\drivers\slnt7554.sys [24-08-2005 9:25 129535]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254 192.168.1.254
FF - ProfilePath - c:\documents and settings\Utilizador\Application Data\Mozilla\Firefox\Profiles\j3w0g97q.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-09 15:16
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- Dll Loading Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2776)
c:\windows\system32\webcheck.dll
c:\programas\Browser MOUSE\MOUDL32A.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\programas\AntiVir PersonalEdition Classic\avguard.exe
c:\programas\AntiVir PersonalEdition Classic\sched.exe
c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
c:\programas\Java\jre6\bin\jqs.exe
c:\programas\Ficheiros comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\VTTimer.exe
c:\windows\system32\VTtrayp.exe
c:\programas\OpenOffice.org 2.2\program\soffice.exe
c:\programas\OpenOffice.org 2.2\program\soffice.BIN
c:\programas\Brother\ControlCenter3\brccMCtl.exe
.
**************************************************************************
.
Completion time: 2012-02-09 15:21:48 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-09 15:21
ComboFix2.txt 2012-02-06 12:48
.
Pre-Run: 74,654,593,024 bytes free
Post-Run: 74,571,288,576 bytes free
.
- - End Of File - - 48C9327A2A107B142BE5CAD55D894CF4


I believe the updates are now available. May I update Windows and the AV, or should we wait?
Best regards
Rbsilva
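
The Find3M line for c:\windows\system32\pmosyzll.dll in the log above is the only plain-file entry carrying the system and hidden attributes together (the one directory that does, PrivacIE, is a normal Internet Explorer folder), and that attribute pair on an oddly named DLL in system32 is what a responder reading these sections looks for. The following Python script is an added example, not part of the original thread and not a ComboFix component: it parses the "Files Created" and "Find3M" line layout and applies that triage rule to a few lines copied from the log. The reading of the attribute field (d = directory, s = system, h = hidden, a = archive, w/r = writable/read-only) is an assumption inferred from the lines on the page, and the triage rule is this example's own heuristic.

```python
"""Triage helper for ComboFix 'Files Created' / 'Find3M' log lines.

Added example; it is not part of the original thread and not a ComboFix
component. The line layout is inferred from the log posted above, and the
sample lines in SAMPLE are copied from that log. The triage rule (a file,
not a directory, under system32 carrying both the system and hidden
attributes) is this example's own heuristic, not a ComboFix rule.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Layout:  created [ . modified] size attrs path
#   size   = byte count, or a run of dashes for directories
#   attrs  = 8-char attribute field, e.g. ----a-w- / d-sh--w- / --sha-r-
#            (assumed: d=directory s=system h=hidden a=archive w/r=writable/read-only)
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r"(?: \. (?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}))?"
    r"\s+(?P<size>\d+|-+)"
    r"\s+(?P<attrs>[-a-z]{8})"
    r"\s+(?P<path>.+?)\s*$"
)


@dataclass(frozen=True)
class Entry:
    created: str
    modified: Optional[str]
    size: Optional[int]          # None for directories
    flags: FrozenSet[str]        # letters present in the attrs field
    path: str                    # lower-cased for comparison

    @property
    def is_dir(self) -> bool:
        return "d" in self.flags


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a file/dir line, or None for headers and blanks."""
    m = LINE_RE.match(line)
    if not m:
        return None
    size = None if m["size"].startswith("-") else int(m["size"])
    flags = frozenset(c for c in m["attrs"] if c != "-")
    return Entry(m["created"], m["modified"], size, flags, m["path"].lower())


def suspicious(e: Entry) -> bool:
    """Hidden + system attributes on a *file* under system32.

    Legitimate directories (e.g. IE's PrivacIE) use d-sh--w-, so directories
    are excluded; a plain file hiding that way in system32 deserves a look.
    """
    return (not e.is_dir
            and {"s", "h"} <= e.flags
            and "\\system32\\" in e.path)


def triage(log_text: str) -> List[str]:
    """Paths of every suspicious entry, in log order."""
    return [e.path for e in map(parse_line, log_text.splitlines())
            if e is not None and suspicious(e)]


# Lines copied from the ComboFix log in this thread (section headers omitted).
SAMPLE = """\
2012-01-31 16:37 . 2010-01-22 15:34 3072 ------w- c:\\windows\\system32\\BrDctF2S.dll
2012-01-17 11:59 . 2012-01-17 11:59 -------- d-sh--w- c:\\documents and settings\\Administrador\\PrivacIE
2011-12-10 15:24 . 2011-12-29 17:52 20464 ----a-w- c:\\windows\\system32\\drivers\\mbam.sys
2009-03-21 14:20 159590 --sha-r- c:\\windows\\system32\\pmosyzll.dll
"""

if __name__ == "__main__":
    for path in triage(SAMPLE):
        print("review:", path)
```

An attribute-hidden file is not the same as a rootkit-hidden one: ComboFix listed pmosyzll.dll precisely because the file system still reports it, whereas the catchme section of the same log (the rootkit scan reporting zero hidden files) is the check for objects concealed from the file system API. Run both views before deciding a file is benign.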

#8 Blind Faith
  • Malware Response Team
  • 4,101 posts

Posted 10 February 2012 - 05:59 PM

Hi there,



When finished it displayed a message indicating that some malicious files were sent somewhere for additional tests (?).


We were not sure about the nature of a file, so we thought it would be better to send it for further analysis.
Now, Conficker is malicious software known to infect other system files. Therefore, we would like to test some of them.



1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Rootkit::
c:\windows\system32\pmosyzll.dll


Save this as CFScript.txt, in the same location as ComboFix.exe


[image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


============================================================================================================

Hi

Please visit the online Jotti Virus Scanner.
  • Browse to the following filepath:

    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\smss.exe

  • Click on the submit button.
    The scanner will check the file with various AV companies.
  • Copy and paste the results box into a reply to this thread.


Do this for each file individually :)


Elle
Can you hear it? It's all around!

Tomar ki manè acchè?
Yadi thakè, tahalè
Ki kshama kartè paro
?



If I haven't replied in 48 hours, please feel free to send me a PM.



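Jotti checks the three binaries against many AV engines, which means uploading the files. As an added example of a local check you can run first, not part of the original thread and not what Jotti does: on Windows XP, Windows File Protection keeps reference copies of protected system files in %windir%\system32\dllcache, and comparing the SHA-256 of the live file with its cached copy shows at once whether the on-disk binary differs from that reference. The directory layout and file contents built by demo() below are constructed for illustration; nothing in them comes from the machine in this thread.

```python
"""Offline cross-check of core XP binaries against the Windows File Protection cache.

Added example; it is not part of the original thread and is not what Jotti does.
On Windows XP, Windows File Protection keeps reference copies of protected
system files in %windir%\\system32\\dllcache. Hashing the live file and its
cached copy is a quick local sanity check to run before (or alongside) an
upload to a multi-engine scanner. demo() builds a constructed, XP-like
directory layout in a temporary folder with fake file contents; nothing in
it comes from the machine discussed in the thread.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Iterable

CORE_FILES = ("svchost.exe", "spoolsv.exe", "smss.exe")


def sha256_of(path: Path) -> str:
    """Streamed SHA-256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_with_cache(windir: Path, names: Iterable[str] = CORE_FILES) -> Dict[str, str]:
    """Compare each name in system32 against its dllcache copy.

    Status per file:
      match          - live file and cached copy are byte-identical
      MISMATCH       - differ: a hotfix updated one copy, or tampering
      no-cache-copy  - WFP has no reference; inconclusive, check another way
      missing        - the live file is absent from system32
    """
    system32 = windir / "system32"
    dllcache = system32 / "dllcache"
    result: Dict[str, str] = {}
    for name in names:
        live, cached = system32 / name, dllcache / name
        if not live.is_file():
            result[name] = "missing"
        elif not cached.is_file():
            result[name] = "no-cache-copy"
        elif sha256_of(live) == sha256_of(cached):
            result[name] = "match"
        else:
            result[name] = "MISMATCH"
    return result


def demo() -> Dict[str, str]:
    """Constructed layout: one clean match, one altered binary, one missing cache copy."""
    windir = Path(tempfile.mkdtemp(prefix="fake-windir-"))
    system32 = windir / "system32"
    dllcache = system32 / "dllcache"
    dllcache.mkdir(parents=True)
    (system32 / "svchost.exe").write_bytes(b"MZ fake svchost")       # identical copies
    (dllcache / "svchost.exe").write_bytes(b"MZ fake svchost")
    (system32 / "spoolsv.exe").write_bytes(b"MZ fake spoolsv v2")    # live copy differs
    (dllcache / "spoolsv.exe").write_bytes(b"MZ fake spoolsv")
    (system32 / "smss.exe").write_bytes(b"MZ fake smss")             # no cached reference
    return compare_with_cache(windir)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:12} {status}")
```

A mismatch is not proof of infection: service packs and hotfixes replace both copies, and a failed or partial update can leave them out of step, which is one reason the analyst sends the files to a multi-engine scanner rather than trusting a single local signal. A match is only as good as the read path: a kernel-mode rootkit that filters file reads returns the same bytes for both copies, so the catchme/GMER hidden-file scans in the ComboFix logs are the complement to this check. Conficker itself runs as a service DLL loaded into a svchost.exe host process rather than replacing svchost.exe on disk, so clean results for these three files are expected and do not on their own show that the infection is gone.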

#9 rbsilva
  • Topic Starter
  • Members
  • 13 posts

Posted 14 February 2012 - 08:00 AM

Hello again

I ran the script through ComboFix and got the following log:
Note: when started, ComboFix showed a message indicating that the version was expired (or something similar) and asked if I wanted to delete it before downloading it again. I clicked YES but nothing changed and the program started running as usual.

ComboFix 12-02-06.01 - Utilizador 14-02-2012 12:39:43.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.351.2070.18.447.198 [GMT 0:00]
Running from: c:\documents and settings\Utilizador\Ambiente de trabalho\ComboFix.exe
Command switches used :: c:\documents and settings\Utilizador\Ambiente de trabalho\CFScript.txt
AV: Avira AntiVir PersonalEdition *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
- REDUCED FUNCTIONALITY MODE -
.
.
((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\ST6UNST.000
c:\windows\system32\AutoRun.inf
.
.
(((((((((((((((( Files Created from 2012-01-14 to 2012-02-14 ))))))))))))))))))))))))))))
.
.
2012-01-31 16:45 . 2012-01-31 16:45 -------- d-----r- c:\documents and settings\Utilizador\Application Data\Brother
2012-01-31 16:38 . 2010-01-22 07:52 61440 ----a-w- c:\windows\system32\brprtink.dll
2012-01-31 16:37 . 2009-08-18 10:36 55808 ----a-w- c:\windows\system32\BrUsi09c.dll
2012-01-31 16:37 . 2009-08-18 10:40 1535488 ----a-w- c:\windows\system32\BrWia09c.dll
2012-01-31 16:37 . 2004-10-15 03:50 15295 ----a-w- c:\windows\system32\drivers\BrScnUsb.sys
2012-01-31 16:37 . 2012-01-31 16:37 -------- d-----w- c:\programas\Browny02
2012-01-31 16:37 . 2012-01-31 16:37 -------- d-----w- c:\programas\Brother
2012-01-31 16:37 . 2010-02-09 17:11 217088 ------w- c:\windows\system32\NSSearch.dll
2012-01-31 16:37 . 2010-01-22 15:34 3072 ------w- c:\windows\system32\BrDctF2S.dll
2012-01-31 16:37 . 2007-12-13 22:16 73728 ------w- c:\windows\system32\BrDctF2.dll
2012-01-31 16:37 . 2007-12-13 22:16 5632 ------w- c:\windows\system32\BrDctF2L.dll
2012-01-31 16:37 . 2010-02-05 11:42 180224 ------w- c:\windows\system32\BroSNMP.dll
2012-01-31 16:36 . 2012-01-31 16:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Brother
2012-01-24 15:47 . 2012-01-24 15:47 -------- d-----w- C:\gmer
2012-01-17 11:59 . 2012-01-17 11:59 -------- d-sh--w- c:\documents and settings\Administrador\PrivacIE
.
.
.
((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-29 15:47 . 2011-12-29 15:47 249856 ------w- c:\windows\Setup1.exe
2011-12-29 15:47 . 2011-12-29 15:31 73216 ----a-w- c:\windows\ST6UNST.EXE
2011-12-10 15:24 . 2011-12-29 17:52 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-13 12:04 . 2011-06-07 08:27 134104 ----a-w- c:\programas\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-02-06_12.45.41 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-02-14 12:43 . 2012-02-14 12:43 16384 c:\windows\Temp\Perflib_Perfdata_3b8.dat
+ 2010-11-04 12:34 . 2012-01-04 17:15 52128560 c:\windows\system32\MRT.exe
.
(((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2006-09-21 53248]
"VTTrayp"="VTtrayp.exe" [2006-09-28 176128]
"RemoteControl"="c:\programas\CyberLink\PowerDVD\PDVDServ.exe" [2003-12-08 32768]
"RoxioEngineUtility"="c:\programas\Ficheiros comuns\Roxio Shared\System\EngUtil.exe" [2003-05-01 65536]
"RoxioDragToDisc"="c:\programas\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2005-08-23 868352]
"FLMOFFICE4DMOUSE"="c:\programas\Browser MOUSE\mouse32a.exe" [2006-02-14 360448]
"avgnt"="c:\programas\AntiVir PersonalEdition Classic\avgnt.exe" [2007-04-02 327720]
"SunJavaUpdateSched"="c:\programas\Ficheiros comuns\Java\Java Update\jusched.exe" [2011-06-09 254696]
"ControlCenter3"="c:\programas\Brother\ControlCenter3\brctrcen.exe" [2008-12-24 114688]
"BrStsMon00"="c:\programas\Browny02\Brother\BrStMonW.exe" [2010-02-09 2621440]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
.
c:\documents and settings\Utilizador\Menu Iniciar\Programas\Arranque\
OpenOffice.org 2.2.lnk - c:\programas\OpenOffice.org 2.2\program\quickstart.exe [2007-2-2 393216]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programas\\Messenger\\msmsgs.exe"=
.
R3 BrYNSvc;BrYNSvc;c:\programas\Browny02\BrYNSvc.exe [31-01-2012 16:37 245760]
S3 cpuz134;cpuz134;c:\programas\CPUID\PC Wizard 2010\pcwiz_x32.sys [30-12-2011 18:56 20328]
S3 Slnt7554;USB Soft Modem Driver;c:\windows\system32\drivers\slnt7554.sys [24-08-2005 9:25 129535]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254 192.168.1.254
FF - ProfilePath - c:\documents and settings\Utilizador\Application Data\Mozilla\Firefox\Profiles\j3w0g97q.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-14 12:43
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- Dll Loading Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1168)
c:\windows\system32\webcheck.dll
c:\programas\Browser MOUSE\MOUDL32A.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\programas\AntiVir PersonalEdition Classic\avguard.exe
c:\programas\AntiVir PersonalEdition Classic\sched.exe
c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
c:\windows\system32\VTTimer.exe
c:\windows\system32\VTtrayp.exe
c:\programas\Java\jre6\bin\jqs.exe
c:\programas\Ficheiros comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\programas\OpenOffice.org 2.2\program\soffice.exe
c:\programas\OpenOffice.org 2.2\program\soffice.BIN
c:\programas\Brother\ControlCenter3\brccMCtl.exe
c:\windows\system32\MsPMSPSv.exe
.
**************************************************************************
.
Completion time: 2012-02-14 12:48:48 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-14 12:48
ComboFix2.txt 2012-02-09 15:23
ComboFix3.txt 2012-02-06 12:48
.
Pre-Run: 74,507,145,216 bytes free
Post-Run: 74,497,105,920 bytes free
.
- - End Of File - - 540FD48E5CACB53259A96D8C444C5526

Regarding the Jotti Virus Scanner, none of the files reported malware on the 20 scanners:
"Scan finished. 0 out of 20 scanners reported malware."

Do you have an idea of what is/was infecting the machine, and when I will be able to perform Windows updates and AV updates in order to avoid similar problems?
Thanks again for the help provided.
Best regards
Rbsilva

#10 Blind Faith
  • Malware Response Team
  • 4,101 posts

Posted 16 February 2012 - 08:27 AM

Hi there,



I am very sorry for the delay. I am waiting for my post to be approved, and I came a bit late with the proposed fix. I will come back today as soon as possible with further instructions.



Elle

#11 Blind Faith
  • Malware Response Team
  • 4,101 posts

Posted 16 February 2012 - 11:02 AM

Hi,
We are currently running several additional scans to make sure that an update will be possible.
Your system was indeed infected with Conficker but, as we can see from your log, we succeeded in cleaning it.


I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetsmartinstaller_enu.exe icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

Elle

#12 Blind Faith
  • Malware Response Team
  • 4,101 posts

Posted 20 February 2012 - 02:14 PM

Hi there,


Do you still need help? If you don't reply during the next 24 hours we will need to close your topic due to lack of feedback.

Please let us know. :)



Elle

#13 rbsilva
  • Topic Starter
  • Members
  • 13 posts

Posted 20 February 2012 - 09:12 PM

Sorry for the lack of feedback.
I have been away for the last few days and wasn't able to perform the scan required.

Since you believe Conficker is out, can I run Windows updates (and AV updates)? Or should I wait for the ESET Online Scan?
Nevertheless, between next Wednesday and Thursday I should have it posted here.
If you can "hold" the topic, I would appreciate it.

Best regards,
Rbsilva

#14 rbsilva
  • Topic Starter
  • Members
  • 13 posts

Posted 22 February 2012 - 01:58 PM

Hello again and sorry for the delay.

I've run the ESET Online Scanner. It found and "fixed" 3 threats.

Here's the requested report

C:\Qoobox\Quarantine\[89]-Submit_2012-02-09_15.06.01.zip Win32/Conficker.AA worm deleted - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\edms4690.dll.vir a variant of Win32/Spy.Bancos.OHK trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{EEB2E717-4EB0-4C43-80DE-EF8F9B076486}\RP163\A0015258.dll a variant of Win32/Spy.Bancos.OHK trojan cleaned by deleting - quarantined

May I proceed with windows updates?
Again, thanks for your help.
Best regards
Rbsilva

#15 Blind Faith
  • Malware Response Team
  • 4,101 posts

Posted 23 February 2012 - 05:09 PM

Hi there,


One last scan and you are free to update your system. We want to be sure everything is clean by now. :)

Please open Malwarebytes' Anti-Malware and update it from the Update tab.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.
Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.



Elle



