Moderator says several rootkits infecting


  • This topic is locked
16 replies to this topic

#1 taffin

taffin

  • Members
  • 14 posts
  • OFFLINE
  • Local time:01:40 PM

Posted 23 November 2012 - 01:21 PM

After posting my MBAR log in the "am i infected?" forum, I am apparently very much the affirmative.
I am well out of my limited league in dealing with this and am posting the MBAM and DDS logs as the Mod Boopme instructed.
I look forward to any help as it is offered.
Thank you.

DDS and MBAR logs are as follows, with the attach.txt file attached as per the Preparation Guide instructions.

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_37
Run by Admin at 13:03:25 on 2012-11-23
.
============== Running Processes ================
.
c:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\VM303_STI.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Documents and Settings\ron carter\Application Data\Smilebox\SmileboxTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
c:\Program Files\STOPzilla!\STOPzilla.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\VM303_STI.EXE
C:\program files\real\realplayer\update\realsched.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = www.google.ca
uWindow Title = Windows Internet Explorer provided by Yahoo!
uSearch Page = hxxp://ca.rd.yahoo.com/customize/ycomp/defaults/sp/*http://ca.yahoo.com
uDefault_Page_URL = hxxp://www.yahoo.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&fr=yie7c
uURLSearchHooks: {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - <orphaned>
BHO: rsion - <orphaned>
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - <orphaned>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - <orphaned>
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Foyhmai] "c:\documents and settings\admin\application data\moazn\daun.exe"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [BigDog303] c:\windows\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
uPolicies-Explorer: NoDriveTypeAutoRun = dword:149
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:149
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: Enqueue current page with Bulk Image Downloader - c:\program files\bulk image downloader\iemenu\iebidqueue.htm
IE: Enqueue link target with Bulk Image Downloader - c:\program files\bulk image downloader\iemenu\iebidlinkqueue.htm
IE: Open current page with Bulk Image Downloader - c:\program files\bulk image downloader\iemenu\iebid.htm
IE: Open link target with Bulk Image Downloader - c:\program files\bulk image downloader\iemenu\iebidlink.htm
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: mswsock.dll
DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} - hxxps://www.windowsonecare.com/install/cli/1.1.1067.14/WinSSWebAgent.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {48DF87EE-F2DE-11D8-BE7F-302050C10801} - hxxp://www.flysuite.com/flyword/loaderword_win.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} - hxxp://www.trendsecure.com/easy_install/_activex/en-US/TSEasyInstallX.CAB
DPF: {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E856B973-45FD-4559-8F82-EAB539144667} - hxxp://pccheckup.dellfix.com/en/10/install/gtdownde.cab
TCP: NameServer = 64.71.255.198
TCP: Interfaces\{7C6F430D-F11A-49E9-A147-2F0149DD172B} : DHCPNameServer = 64.71.255.198
Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - c:\program files\quicktax 2007\ic2007pp.dll
Handler: intu-tt2010 - {97A0575E-2309-4e75-8509-B1F9390C4DE7} - c:\program files\turbotax 2010\ic2010pp.dll
Notify: igfxcui - igfxdev.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\admin\application data\mozilla\firefox\profiles\os2f5i3m.default-1351706994328\
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nprpplugin.dll
FF - plugin: c:\program files\real\realplayer\netscape6\nprpplugin.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_4_402_287.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
FF - ExtSQL: 2012-10-27 08:56; {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}; c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}
.
============= SERVICES / DRIVERS ===============
.
.
=============== File Associations ===============
.
FileExt: .txt: txtfile=
.
=============== Created Last 30 ================
.
2012-11-22 20:16:12 262112 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2012-10-31 17:46:24 96224 ----a-w- c:\program files\mozilla firefox\webapprt-stub.exe
2012-10-31 17:46:24 770384 ----a-w- c:\program files\mozilla firefox\msvcr100.dll
2012-10-31 17:46:24 73696 ----a-w- c:\program files\mozilla firefox\breakpadinjector.dll
2012-10-31 17:46:24 421200 ----a-w- c:\program files\mozilla firefox\msvcp100.dll
2012-10-31 17:46:24 157272 ----a-w- c:\program files\mozilla firefox\webapp-uninstaller.exe
.
==================== Find3M ====================
.
2012-10-09 13:35:10 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-10-09 13:35:09 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-09-24 19:32:24 477168 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-09-24 19:32:20 473072 ----a-w- c:\windows\system32\deployJava1.dll
2012-09-24 17:51:47 73728 ----a-w- c:\windows\system32\javacpl.cpl
.
============= FINISH: 13:05:48.67 ===============


Malwarebytes Anti-Rootkit 1.1.0.1009
www.malwarebytes.org

Database version: v2012.11.22.09

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Admin :: MOLEHOLE [administrator]

11/22/2012 2:39:25 PM
mbar-log-2012-11-22 (14-39-25).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: PUP | PUM | P2P
Objects scanned: 27657
Time elapsed: 51 minute(s), 40 second(s)

Memory Processes Detected: 2
C:\Program Files\Common Files\HPAiODevEvent\HPAiODevEvent.exe (Spyware.Zbot.DG) -> 292 -> Delete on reboot. [96ebdadfd4890c2abbd4764003fdce32]
C:\Documents and Settings\Admin\sudbyzquxqus.exe (Trojan.Cutwail) -> 1616 -> Delete on reboot. [770a2c8d2637a492f55ba779b351817f]

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 2
HKCR\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} (Trojan.0Access) -> Delete on reboot. [89f8e7d2fa63f442f4f8e8deb64ad729]
HKCU\Software\Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} (Hijack.Trojan.Siredef.C) -> Delete on reboot. [d7aa576283da1c1a278e1ce4b7495da3]

Registry Values Detected: 4
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|HPAiODevEvent (Spyware.Zbot.DG) -> Data: "C:\Program Files\Common Files\HPAiODevEvent\HPAiODevEvent.exe" /n -> Delete on reboot. [96ebdadfd4890c2abbd4764003fdce32]
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|sudbyzquxqus (Trojan.Cutwail) -> Data: C:\Documents and Settings\Admin\sudbyzquxqus.exe -> Delete on reboot. [770a2c8d2637a492f55ba779b351817f]
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Suganyak (Trojan.LameShield) -> Data: "C:\Documents and Settings\Admin\Application Data\Ysry\avhi.exe" -> Delete on reboot. [136e4475bf9e8babe7e2efdf27d9c739]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Regedit32 (Trojan.Agent) -> Data: C:\WINDOWS\system32\regedit.exe -> Delete on reboot. [3b463980f766043213ef19eda1629f61]

Registry Data Items Detected: 3
HKCR\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32| (Trojan.0Access) -> Bad: (C:\RECYCLER\S-1-5-18\$49bc8f3f0df7591b47488db127cdb61b\n.) Good: (fastprox.dll) -> Delete on reboot. [344d39801b423ff76c9394969d67ac54]
HKCR\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32| (Hijack.Trojan.Siredef.C) -> Bad: (C:\RECYCLER\S-1-5-18\$49bc8f3f0df7591b47488db127cdb61b\n.) Good: (%systemroot%\system32\wbem\fastprox.dll) -> Delete on reboot. [7011546568f546f0516e41bfbf4152ae]
HKCR\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\InProcServer32| (Trojan.0Access) -> Bad: (C:\RECYCLER\S-1-5-21-3351435203-520130090-611744288-1018\$49bc8f3f0df7591b47488db127cdb61b\n.) Good: (shell32.dll) -> Delete on reboot. [f9887544e27b082e47e28e9d43c1d828]

Folders Detected: 10
C:\WINDOWS\Installer\{49bc8f3f-0df7-591b-4748-8db127cdb61b}\L (Backdoor.0Access) -> Delete on reboot. [a5dc4673f865c472fe8351af4cb45fa1]
C:\WINDOWS\Installer\{49bc8f3f-0df7-591b-4748-8db127cdb61b}\U (Backdoor.0Access) -> Delete on reboot. [4e337247fd60989e483a60a03dc3936d]
C:\Documents and Settings\Admin\Local Settings\Application Data\{49bc8f3f-0df7-591b-4748-8db127cdb61b}\U (Backdoor.0Access) -> Delete on reboot. [1b6690293a23191dbdc8b14f4bb5946c]
C:\Documents and Settings\Admin\Local Settings\Application Data\{49bc8f3f-0df7-591b-4748-8db127cdb61b}\L (Backdoor.0Access) -> Delete on reboot. [b1d0ffba82db92a46f171fe143bd8e72]
C:\RECYCLER\S-1-5-18\$49bc8f3f0df7591b47488db127cdb61b\U (Trojan.Siredef.C) -> Delete on reboot. [621fc5f489d4c472b5e451afe020c739]
C:\RECYCLER\S-1-5-21-3351435203-520130090-611744288-1018\$49bc8f3f0df7591b47488db127cdb61b\U (Trojan.Siredef.C) -> Delete on reboot. [136ec8f1203d3df9debbea16827e44bc]
C:\RECYCLER\S-1-5-18\$49bc8f3f0df7591b47488db127cdb61b\L (Trojan.Siredef.C) -> Delete on reboot. [dea3ccedd88596a01289b14f54ac1fe1]
C:\RECYCLER\S-1-5-21-3351435203-520130090-611744288-1018\$49bc8f3f0df7591b47488db127cdb61b\L (Trojan.Siredef.C) -> Delete on reboot. [3d4401b89bc2f541a7f4f70959a7916f]
C:\RECYCLER\S-1-5-18\$49bc8f3f0df7591b47488db127cdb61b (Trojan.Siredef.C) -> Delete on reboot. [7c0519a0b8a551e534683ac62bd58e72]
C:\RECYCLER\S-1-5-21-3351435203-520130090-611744288-1018\$49bc8f3f0df7591b47488db127cdb61b (Trojan.Siredef.C) -> Delete on reboot. [3e4300b9550847ef4a5297696f9146ba]

Files Detected: 22
C:\Program Files\Common Files\HPAiODevEvent\HPAiODevEvent.exe (Spyware.Zbot.DG) -> Delete on reboot. [96ebdadfd4890c2abbd4764003fdce32]
C:\Documents and Settings\Admin\sudbyzquxqus.exe (Trojan.Cutwail) -> Delete on reboot. [770a2c8d2637a492f55ba779b351817f]
C:\Documents and Settings\Admin\Application Data\Ysry\avhi.exe (Trojan.LameShield) -> Delete on reboot. [136e4475bf9e8babe7e2efdf27d9c739]
C:\RECYCLER\S-1-5-18\$49bc8f3f0df7591b47488db127cdb61b\@ (Trojan.Siredef.C) -> Delete on reboot. [a4dd9e1bdc81a492cacc9f61f80817e9]
C:\RECYCLER\S-1-5-18\$49bc8f3f0df7591b47488db127cdb61b\n (Trojan.0Access) -> Delete on reboot. [2e53358492cb3600a34913b3eb1544bc]
C:\RECYCLER\S-1-5-21-3351435203-520130090-611744288-1018\$49bc8f3f0df7591b47488db127cdb61b\@ (Trojan.Siredef.C) -> Delete on reboot. [acd55762d48934023c5aeb1516eaee12]
C:\RECYCLER\S-1-5-21-3351435203-520130090-611744288-1018\$49bc8f3f0df7591b47488db127cdb61b\n (Trojan.0Access) -> Delete on reboot. [89f8e7d2fa63f442f4f8e8deb64ad729]
C:\Documents and Settings\Admin\Local Settings\Temp\19291265.exe (Trojan.Cutwail) -> Delete on reboot. [6a1717a26eefed493f11c35d42c212ee]
C:\Documents and Settings\Admin\Local Settings\Temp\~!#1C4.tmp (Trojan.Agent.TRGen) -> Delete on reboot. [8df4f0c999c4c076f7963e6fd72902fe]
C:\Documents and Settings\Admin\Local Settings\Temp\~!#1C6.tmp (Spyware.Zbot.DG) -> Delete on reboot. [5031b603b8a53ef8d1be11a550b056aa]
C:\Documents and Settings\Admin\Local Settings\Temp\~!#1C8.tmp (Trojan.Medfos) -> Delete on reboot. [cbb6f9c015482a0c467b28850ff1f010]
C:\Documents and Settings\Admin\Local Settings\Temp\glom0_og.exe (Trojan.Agent.SZ) -> Delete on reboot. [027f6b4efe5fec4a9d5dbcb2ae56857b]
C:\Documents and Settings\Admin\Local Settings\Temp\rundll32.dll (Trojan.Phex.THAGen2) -> Delete on reboot. [31509b1ef5682a0ccc7315a8d32d7789]
C:\Documents and Settings\Admin\Local Settings\Temp\glom0_ogc.exe (Trojan.Happili) -> Delete on reboot. [057cab0e77e65ed89c236e371be541bf]
C:\Documents and Settings\ron carter\Local Settings\Temp\6D.tmp (Trojan.Agent) -> Delete on reboot. [9ae73c7dd7867db95a89c06a47b945bb]
C:\WINDOWS\Installer\{49bc8f3f-0df7-591b-4748-8db127cdb61b}\@ (Backdoor.0Access) -> Delete on reboot. [4e337b3e9fbee155b9a118e8da26c53b]
C:\Documents and Settings\Admin\Local Settings\Application Data\{49bc8f3f-0df7-591b-4748-8db127cdb61b}\@ (Backdoor.0Access) -> Delete on reboot. [b8c968516cf135014fbf48b8a25e46ba]
C:\RECYCLER\S-1-5-18\$49bc8f3f0df7591b47488db127cdb61b\L\00000004.@ (Trojan.Siredef.C) -> Delete on reboot. [acd56257ef6e3600464ece32689854ac]
C:\RECYCLER\S-1-5-18\$49bc8f3f0df7591b47488db127cdb61b\L\201d3dde (Trojan.Siredef.C) -> Delete on reboot. [c3be05b4302d56e0088cfb059e62bb45]
C:\RECYCLER\S-1-5-18\$49bc8f3f0df7591b47488db127cdb61b\U\00000001.@ (Trojan.0Access) -> Delete on reboot. [d0b1b5049ac35adc5298a323867ae21e]
C:\RECYCLER\S-1-5-18\$49bc8f3f0df7591b47488db127cdb61b\U\80000000.@ (Trojan.0Access) -> Delete on reboot. [344d2594ea7353e345a55571926eec14]
C:\RECYCLER\S-1-5-18\$49bc8f3f0df7591b47488db127cdb61b\U\800000cb.@ (Trojan.0Access) -> Delete on reboot. [cab7fabf0d501125e2089e2827d96a96]

(end)
Hopefully this is enough to start :)

Attached Files
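The MBAR detections above all use one line format (object, family in parentheses, one or more "->" steps ending in the action, MD5 in brackets), and the Registry Data Items carry a Bad/Good pair showing which COM server path was swapped. As an added example, not part of this thread or of Malwarebytes' own tooling, here is a small Python triage script that parses that format from a constructed excerpt of the log posted above, separates the InProcServer32 hijacks and Run-key persistence from the rest, and compares each section's declared count with the lines found so a truncated paste is noticed:

```python
import re
from collections import Counter

# Constructed excerpt of a Malwarebytes Anti-Rootkit log: the detection lines
# are copied from the scan posted above; section counts are trimmed to match
# the excerpt rather than the full log.
SAMPLE_MBAR_LOG = r"""
Memory Processes Detected: 2
C:\Program Files\Common Files\HPAiODevEvent\HPAiODevEvent.exe (Spyware.Zbot.DG) -> 292 -> Delete on reboot. [96ebdadfd4890c2abbd4764003fdce32]
C:\Documents and Settings\Admin\sudbyzquxqus.exe (Trojan.Cutwail) -> 1616 -> Delete on reboot. [770a2c8d2637a492f55ba779b351817f]

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCR\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} (Trojan.0Access) -> Delete on reboot. [89f8e7d2fa63f442f4f8e8deb64ad729]

Registry Values Detected: 2
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|HPAiODevEvent (Spyware.Zbot.DG) -> Data: "C:\Program Files\Common Files\HPAiODevEvent\HPAiODevEvent.exe" /n -> Delete on reboot. [96ebdadfd4890c2abbd4764003fdce32]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Regedit32 (Trojan.Agent) -> Data: C:\WINDOWS\system32\regedit.exe -> Delete on reboot. [3b463980f766043213ef19eda1629f61]

Registry Data Items Detected: 2
HKCR\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32| (Trojan.0Access) -> Bad: (C:\RECYCLER\S-1-5-18\$49bc8f3f0df7591b47488db127cdb61b\n.) Good: (fastprox.dll) -> Delete on reboot. [344d39801b423ff76c9394969d67ac54]
HKCR\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\InProcServer32| (Trojan.0Access) -> Bad: (C:\RECYCLER\S-1-5-21-3351435203-520130090-611744288-1018\$49bc8f3f0df7591b47488db127cdb61b\n.) Good: (shell32.dll) -> Delete on reboot. [f9887544e27b082e47e28e9d43c1d828]

Files Detected: 2
C:\RECYCLER\S-1-5-18\$49bc8f3f0df7591b47488db127cdb61b\@ (Trojan.Siredef.C) -> Delete on reboot. [a4dd9e1bdc81a492cacc9f61f80817e9]
C:\Documents and Settings\Admin\Local Settings\Temp\rundll32.dll (Trojan.Phex.THAGen2) -> Delete on reboot. [31509b1ef5682a0ccc7315a8d32d7789]

(end)
"""

SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Detected: (?P<count>\d+)$")
# object (family) -> step [-> step ...]. [32 hex md5]
DETECTION_RE = re.compile(
    r"^(?P<obj>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+?)\. \[(?P<md5>[0-9a-f]{32})\]$"
)
BADGOOD_RE = re.compile(r"Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\)")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def parse_mbar_log(text):
    """Return (detections, mismatches). A mismatch is (section, declared, found)
    and usually means the pasted log was cut short."""
    detections, mismatches = [], []
    section, declared, found = None, 0, 0
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            if section is not None and found != declared:
                mismatches.append((section, declared, found))
            section, declared, found = m["section"], int(m["count"]), 0
            continue
        m = DETECTION_RE.match(line)
        if not m:
            continue  # "(No malicious items detected)", "(end)", blank lines
        found += 1
        steps = [s.strip() for s in m["rest"].split(" -> ")]
        d = {"section": section, "object": m["obj"], "family": m["family"],
             "action": steps[-1], "md5": m["md5"], "pid": None,
             "bad": None, "good": None}
        if section == "Memory Processes" and steps[0].isdigit():
            d["pid"] = int(steps[0])  # process was live at scan time
        bg = BADGOOD_RE.search(m["rest"])
        if bg:
            d["bad"], d["good"] = bg["bad"], bg["good"]
        detections.append(d)
    if section is not None and found != declared:
        mismatches.append((section, declared, found))
    return detections, mismatches


def triage(detections):
    """Pull out what a helper needs before deciding on reboot and re-scan."""
    com_hijacks = []
    for d in detections:
        if "InProcServer32" in d["object"] and d["bad"]:
            clsid = CLSID_RE.search(d["object"])
            com_hijacks.append((clsid.group(0).upper() if clsid else d["object"],
                                d["bad"], d["good"]))
    run_keys = [d["object"].rsplit("|", 1)[-1] for d in detections
                if "\\CurrentVersion\\Run|" in d["object"]]
    return {
        "families": Counter(d["family"] for d in detections),
        "com_hijacks": com_hijacks,           # CLSIDs whose server was redirected
        "run_keys": run_keys,                 # autostart value names to re-check
        "live_pids": [d["pid"] for d in detections if d["pid"] is not None],
        "pending_reboot": sum(d["action"] == "Delete on reboot" for d in detections),
    }


if __name__ == "__main__":
    dets, mism = parse_mbar_log(SAMPLE_MBAR_LOG)
    summary = triage(dets)
    for fam, n in summary["families"].most_common():
        print(f"{n:3d}  {fam}")
    for clsid, bad, good in summary["com_hijacks"]:
        print(f"COM hijack {clsid}: {bad}  (expected {good})")
    print(f"{summary['pending_reboot']} items wait for reboot; re-scan afterwards")
    if mism:
        print("section counts do not match the lines found; log may be truncated:", mism)
```

The "pending_reboot" figure is why a second scan after rebooting matters: nothing in the first log proves the deferred deletions actually happened.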




#2 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • OFFLINE
  • Gender:Male
  • Location:New York
  • Local time:02:40 PM

Posted 23 November 2012 - 07:34 PM

Hello taffin, and welcome to the MRT forums! :thumbsup:

My name is bloopie and I'll be helping you with your problems as best I can! :thumbup2:

A few things to keep in mind while we are working together:

  • If you have since resolved the original problem you were having, I would appreciate it if you let me know.
  • If you are unsure about any of the steps just post what you can and I will guide you!
  • Please tell me if you have your original Windows CD/DVD available.
  • Please copy and paste all logs here unless otherwise instructed!
  • Upon completing the steps below I will review your topic and do my best to resolve your issues.

==========

First, please be advised that the MBAR (MalwareBytes Anti-Rootkit) program is still beta and using it could have some bugs. Beta means that the creators/developers have deemed the product functional, but not foolproof as of yet. Use it at your own risk...in a way!

==========

Step 1: Warning!

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. If you would still like to continue with the cleaning process, then follow the next step.

==========

Step 2

Now that you've already run the MBAR tool, I'd like you to run it again just as you did before and post the new log.

==========

Step 3

Next, please run the 'fixdamage' tool in the Malwarebytes Anti-Rootkit folder and reboot.

==========

Step 4

Run RogueKiller

  • Download RogueKiller from here, and save it to your desktop.
  • Close all open programs.
  • Double click the file on your desktop. Once the automatic check completes, hit the Scan button.
  • Once the full scan has finished, click on the Delete button. Once it's done removing things, open the newest log on your desktop (should be called RKreport[X].txt (where the X will be a number)) and copy and paste it into your reply.

==========

In your next reply, please include the following:

  • The new MBAR log
  • The RogueKiller log

After the above, please tell me how the computer is running now!

bloopie

Edited by bloopie, 23 November 2012 - 07:37 PM.
Fixed typo


#3 taffin

taffin
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:01:40 PM

Posted 24 November 2012 - 08:58 AM

Followed instructions and the MBAR said no infections this time. Hopefully then it's getting a bit killed off :)

The following are the two logs you asked for.

Malwarebytes Anti-Rootkit 1.1.0.1009
www.malwarebytes.org

Database version: v2012.11.24.03

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Admin :: MOLEHOLE [administrator]

11/24/2012 12:24:28 AM
mbar-log-2012-11-24 (00-24-28).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: PUP | PUM | P2P
Objects scanned: 27664
Time elapsed: 50 minute(s), 15 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)




RogueKiller V8.3.1 [Nov 23 2012] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Admin [Admin rights]
Mode : Scan -- Date : 11/24/2012 08:46:23

¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] VM303_STI.EXE -- C:\WINDOWS\VM303_STI.EXE -> KILLED [TermProc]

¤¤¤ Registry Entries : 4 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : Foyhmai ("C:\Documents and Settings\Admin\Application Data\Moazn\daun.exe") -> FOUND
[RUN][SUSP PATH] HKLM\[...]\Run : BigDog303 (C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-3351435203-520130090-611744288-1018[...]\Run : Foyhmai ("C:\Documents and Settings\Admin\Application Data\Moazn\daun.exe") -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[257] : NtTerminateProcess @ 0x805D29E2 -> HOOKED (szkgfs.sys @ 0xF749A9E0)
_INLINE_ : NtSetSecurityObject -> HOOKED (szkgfs.sys @ 0xF7499E28)

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost
::1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: +++++
--- User ---
[MBR] b9fcffd5371610654f5bc283a179175c
[BSP] 26fe7d691f9edb5d824e85e8f49dc627 : MBR Code unknown
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 80325 | Size: 72770 Mo
2 - [XXXXXX] UNKNOWN (0xdb) [VISIBLE] Offset (sectors): 149115330 | Size: 3474 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1]_S_11242012_02d0846.txt >>
RKreport[1]_S_11242012_02d0846.txt

Thanks for the help so far!

#4 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • OFFLINE
  • Gender:Male
  • Location:New York
  • Local time:02:40 PM

Posted 24 November 2012 - 03:15 PM

Hi again,

You haven't yet responded to this:

Please tell me if you have your original Windows CD/DVD available.


Did you use the 'fix damage' tool found in the Malwarebytes Anti-Rootkit folder as described in my previous post? If not, please do now!

Also, in Step 4 above, I asked you to run RogueKiller with the "delete" function after the scan. It appears you only posted the scan log. Be sure to use the delete button and post that log for me. :)

And, you also still haven't told me how the computer is running now! Any problems you can see that need to be addressed?

==============================

Run Combofix

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job...this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
  • Close any open browsers or any other programs that are open.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you C:\Combofix.txt. Please include that in your next reply.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

==========

In your next reply, please include the following:

  • A response to my queries at the top of this post!
  • The C:\Combofix.txt log

bloopie

#5 taffin

taffin
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:01:40 PM

Posted 24 November 2012 - 07:26 PM

Apologies, I thought I had but must have missed that.

No, there is no disk available for the computer.

I did use the fix damage tool when you said to, and the delete option with RogueKiller after, but sent the first report, not number 2. The second is as follows:

RogueKiller V8.3.1 [Nov 23 2012] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Admin [Admin rights]
Mode : Remove -- Date : 11/24/2012 08:47:54

¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] VM303_STI.EXE -- C:\WINDOWS\VM303_STI.EXE -> KILLED [TermProc]

¤¤¤ Registry Entries : 3 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : Foyhmai ("C:\Documents and Settings\Admin\Application Data\Moazn\daun.exe") -> DELETED
[RUN][SUSP PATH] HKLM\[...]\Run : BigDog303 (C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)) -> DELETED
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[257] : NtTerminateProcess @ 0x805D29E2 -> HOOKED (szkgfs.sys @ 0xF749A9E0)
_INLINE_ : NtSetSecurityObject -> HOOKED (szkgfs.sys @ 0xF7499E28)

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost
::1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: +++++
--- User ---
[MBR] b9fcffd5371610654f5bc283a179175c
[BSP] 26fe7d691f9edb5d824e85e8f49dc627 : MBR Code unknown
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 80325 | Size: 72770 Mo
2 - [XXXXXX] UNKNOWN (0xdb) [VISIBLE] Offset (sectors): 149115330 | Size: 3474 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2]_D_11242012_02d0847.txt >>
RKreport[1]_S_11242012_02d0846.txt ; RKreport[2]_D_11242012_02d0847.txt


ComboFix log is as follows:


ComboFix 12-11-24.02 - Admin 11/24/2012 18:35:35.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.481 [GMT -5:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
AV: Norton Internet Security *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Admin\Recent\DBOLE.sys
c:\documents and settings\Admin\Recent\dudl.exe
c:\documents and settings\Admin\Recent\eb.drv
c:\documents and settings\Admin\Recent\eb.exe
c:\documents and settings\Admin\Recent\grid.exe
c:\documents and settings\Admin\Recent\hymt.tmp
c:\documents and settings\Admin\Recent\kernel32.drv
c:\documents and settings\Admin\Recent\tempdoc.exe
c:\documents and settings\Admin\Recent\tempdoc.sys
c:\documents and settings\Admin\Recent\tjd.drv
c:\documents and settings\All Users\Application Data\shs_setup_4059-354328.exe
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\TEMP\8927A071.TMP
c:\documents and settings\ron carter\Application Data\alot
c:\documents and settings\ron carter\GoToAssistDownloadHelper.exe
c:\windows\Downloaded Program Files\f3initialsetup1.0.1.0.inf
c:\windows\system32\SET28B.tmp
c:\windows\system32\SET46.tmp
c:\windows\system32\SET48.tmp
c:\windows\system32\SET54.tmp
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr71.dll
c:\windows\system32\URTTemp\regtlib.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-10-25 to 2012-11-25 )))))))))))))))))))))))))))))))
.
.
2012-11-24 23:03 . 2012-11-24 23:33 12568 ----a-w- c:\windows\system32\drivers\PROCEXP113.SYS
2012-11-24 04:33 . 2012-11-24 04:33 35144 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2012-11-22 20:16 . 2012-11-20 06:17 262112 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2012-10-31 17:46 . 2012-11-20 06:17 96224 ----a-w- c:\program files\Mozilla Firefox\webapprt-stub.exe
2012-10-31 17:46 . 2012-11-20 06:17 157272 ----a-w- c:\program files\Mozilla Firefox\webapp-uninstaller.exe
2012-10-31 17:46 . 2012-11-20 06:17 73696 ----a-w- c:\program files\Mozilla Firefox\breakpadinjector.dll
2012-10-31 17:46 . 2012-11-20 06:17 770384 ----a-w- c:\program files\Mozilla Firefox\msvcr100.dll
2012-10-31 17:46 . 2012-11-20 06:17 421200 ----a-w- c:\program files\Mozilla Firefox\msvcp100.dll
2012-10-27 12:56 . 2012-10-27 12:56 -------- d-----w- c:\program files\Common Files\Java
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-09 13:35 . 2012-03-31 12:24 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-10-09 13:35 . 2011-07-14 22:33 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-09-24 19:32 . 2012-07-15 01:16 477168 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-09-24 19:32 . 2011-07-28 01:34 473072 ----a-w- c:\windows\system32\deployJava1.dll
2012-09-24 17:51 . 2012-07-15 01:16 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-11-20 06:17 . 2012-11-22 20:16 262112 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-20 114688]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2012-08-06 296096]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-09-17 254896]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2007-10-02 20:51 75064 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R0 szkg5;szkg5;c:\windows\system32\drivers\SZKG.sys [2/24/2012 2:28 PM 99728]
R0 szkgfs;szkgfs;c:\windows\system32\drivers\SZKGFS.sys [4/11/2012 1:56 PM 73104]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [4/18/2012 7:45 AM 101112]
S0 atintex;atintex;c:\windows\system32\drivers\atintex.sys --> c:\windows\system32\drivers\atintex.sys [?]
S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [2/24/2012 2:28 PM 99728]
S1 hsfnt;hsfnt;c:\windows\system32\drivers\hsfnt.sys --> c:\windows\system32\drivers\hsfnt.sys [?]
S1 ras2k;ras2k;c:\windows\system32\drivers\ras2k.sys --> c:\windows\system32\drivers\ras2k.sys [?]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [11/23/2012 11:33 PM 35144]
.
Contents of the 'Scheduled Tasks' folder
.
2012-11-24 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-31 13:35]
.
2012-11-24 c:\windows\Tasks\HP Photo Creations Messager.job
- c:\documents and settings\All Users\Application Data\HP Photo Creations\MessageCheck.exe [2010-12-20 21:29]
.
2012-11-25 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3351435203-520130090-611744288-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-07-27 18:27]
.
2012-11-25 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3351435203-520130090-611744288-1016.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-07-27 18:27]
.
2012-11-25 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3351435203-520130090-611744288-1018.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-07-27 18:27]
.
2012-11-23 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3351435203-520130090-611744288-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-07-27 18:27]
.
2012-11-22 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3351435203-520130090-611744288-1016.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-07-27 18:27]
.
2012-11-25 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3351435203-520130090-611744288-1018.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-07-27 18:27]
.
2012-11-24 c:\windows\Tasks\User_Feed_Synchronization-{AE8B93C2-C9A8-4464-BAE5-F8638881E384}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.ca
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&fr=yie7c
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Enqueue current page with Bulk Image Downloader - file://c:\program files\Bulk Image Downloader\iemenu\iebidqueue.htm
IE: Enqueue link target with Bulk Image Downloader - file://c:\program files\Bulk Image Downloader\iemenu\iebidlinkqueue.htm
IE: Open current page with Bulk Image Downloader - file://c:\program files\Bulk Image Downloader\iemenu\iebid.htm
IE: Open link target with Bulk Image Downloader - file://c:\program files\Bulk Image Downloader\iemenu\iebidlink.htm
TCP: DhcpNameServer = 64.71.255.198
Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - c:\program files\QuickTax 2007\ic2007pp.dll
DPF: {48DF87EE-F2DE-11D8-BE7F-302050C10801} - hxxp://www.flysuite.com/flyword/loaderword_win.cab
FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\os2f5i3m.default-1351706994328\
FF - ExtSQL: 2012-10-27 08:56; {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}; c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}
.
.
------- File Associations -------
.
txtfile=
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe
Notify-TPSvc - TPSvc.dll
SafeBoot-50790734.sys
SafeBoot-52111486.sys
SafeBoot-sglfb.sys
SafeBoot-tga.sys
SafeBoot-wd.sys
SafeBoot-sacsvr
AddRemove-Bulk Image Downloader_is1 - c:\program files\Bulk Image Downloader\unins000.exe
AddRemove-Dell Digital Jukebox Driver - c:\program files\Dell\Digital Jukebox Drivers\DrvUnins.exe
AddRemove-{6cf646c1-641c-4061-9dff-97a0f119340d} - c:\program files\Common Files\Nero\Nero ProductInstaller 4\SetupX.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-11-24 19:13
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(612)
c:\windows\system32\LMIinit.dll
.
- - - - - - - > 'explorer.exe'(3940)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\LMIRfsClientNP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\iS3\Anti-Spyware\SZServer.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
.
**************************************************************************
.
Completion time: 2012-11-24 19:20:09 - machine was rebooted
ComboFix-quarantined-files.txt 2012-11-25 00:19
.
Pre-Run: 30,874,750,976 bytes free
Post-Run: 32,444,571,648 bytes free
.
- - End Of File - - B028712B324343D32A3B99B9071B724D



Computer seems to be running considerably quicker at the moment thanks. However, I am still running 2 iexplorer.exe

Thanks for all the help so far.

#6 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • OFFLINE
  • Gender:Male
  • Location:New York
  • Local time:02:40 PM

Posted 24 November 2012 - 07:56 PM

Hi again,

Okay, good!

Now I'd like you to run a full scan with MBAM as instructed below, then a scan with ESET to check for remnants!

==========

Step :step1:

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Important!! When you save the mbam-setup file, rename it to something random (such as 123abc.exe) before beginning the download.
  • Double-click on the renamed file to install, then follow these instructions for doing a Quick Scan in normal mode.
  • Don't forget to check for database definition updates through the program's interface (preferable method) before scanning.
  • If you cannot update Malwarebytes or use the Internet to download any files to the infected computer, manually update the database by following the instructions in FAQ Section A: 4. Issues.
Malwarebytes may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • After completing the scan, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab .
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.
Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.

-- Some types of malware will target Malwarebytes and other security tools to keep them from running properly. If that's the case, use Malwarebytes Chameleon and follow the onscreen instructions. The Chameleon folder can be accessed by opening the program folder for Malwarebytes Anti-Malware (normally C:\Program Files\Malwarebytes' Anti-Malware or C:\Program Files (x86)\Malwarebytes' Anti-Malware).

==========

Step :step2:

ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will, however, need to disable your currently installed Anti-Virus; how to do so can be read here.

Vista/Windows 7 users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here to run the scan.

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use then click on: Posted Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Posted Image
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: Posted Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

==========

In your next reply, please include the following:

  • The MBAM log
  • The ESET log

bloopie

#7 taffin

taffin
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:01:40 PM

Posted 24 November 2012 - 08:39 PM

will do. thanks.

#8 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • OFFLINE
  • Gender:Male
  • Location:New York
  • Local time:02:40 PM

Posted 24 November 2012 - 08:45 PM

:thumbup2: let me know the results!

#9 taffin

taffin
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:01:40 PM

Posted 25 November 2012 - 09:40 AM

MBAM scan took ages but it is as follows; will post Eset after it.

Malwarebytes Anti-Malware (PRO) 1.65.1.1000
www.malwarebytes.org

Database version: v2012.11.24.11

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Admin :: MOLEHOLE [administrator]

Protection: Disabled

11/24/2012 8:43:45 PM
mbam-log-2012-11-25 (01-11-43).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 375536
Time elapsed: 1 hour(s), 48 minute(s), 8 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2622\A0507168.exe (Trojan.Downloader) -> No action taken.
C:\TDSSKiller_Quarantine\19.03.2012_16.37.30\rtkt0000\svc0000\tsk0000.dta (Virus.RLoader) -> No action taken.

(end)


ESET



ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=27a5ff505de4854baf1eda832174ebdb
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-11-25 07:57:02
# local_time=2012-11-25 02:57:02 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=105391
# found=11
# cleaned=0
# scan_time=5815
C:\Documents and Settings\update.exe a variant of Win32/Kryptik.UZS trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\6.0\19\6b527313-6c79e50f a variant of Java/TrojanDownloader.Agent.NDJ trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\6.0\20\39995914-7f8dc0f9 Java/Exploit.Agent.NBS trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\6.0\37\52577ba5-1fb233d1 Java/Exploit.Agent.NBS trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\6.0\5\410f8205-5db80ec6 Java/Exploit.CVE-2012-0507.H trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\6.0\57\7cea6c39-4ec133ee a variant of Java/TrojanDownloader.Agent.NDJ trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Admin\Local Settings\Application Data\{6287F004-954B-11E1-826D-B8AC6F996F26}\chrome\content\browser.xul JS/Redirector.NIQ trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Admin\My Documents\Downloads\frostwire-4.21.4.windows.exe Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Admin\My Documents\Downloads\Nero-9.4.12.3d_free.exe Win32/Toolbar.AskSBar application (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\ron carter\Local Settings\Application Data\CatDBUserdll32\d3dHelplog.dll probably a variant of Win32/Sefnit.CD trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\ron carter\Local Settings\Application Data\{B195B836-9706-11E1-826D-B8AC6F996F26}\chrome\content\browser.xul JS/Redirector.NIQ trojan (unable to clean) 00000000000000000000000000000000 I

Had to let it run overnight. I did the uninstall after closing. I will restart the computer after sending this and then tell how it seems.
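The ESET log above lists eleven detections but leaves the triage to the reader: which entries are exploit payloads sitting in the Java plugin cache, which are merely potentially unwanted applications, and whether the report-only settings (remove_checked=false, cleaned=0) are consistent with what was listed. The following Python parser is an added example for this thread, not ESET's own tooling and not something posted by either participant; its sample input is constructed from the header keys and detection lines quoted above, and the three triage buckets ("java-cache", "pua", "trojan") are this example's own choice, not ESET categories.

```python
"""Parse an ESET Online Scanner log and summarise what it found (added example)."""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample input: header keys and detection lines copied from the ESET log
# posted in this thread, trimmed to the header keys the summary actually uses.
SAMPLE_LOG = r"""
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# remove_checked=false
# archives_checked=true
# scanned=105391
# found=11
# cleaned=0
C:\Documents and Settings\update.exe a variant of Win32/Kryptik.UZS trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\6.0\19\6b527313-6c79e50f a variant of Java/TrojanDownloader.Agent.NDJ trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\6.0\20\39995914-7f8dc0f9 Java/Exploit.Agent.NBS trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\6.0\37\52577ba5-1fb233d1 Java/Exploit.Agent.NBS trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\6.0\5\410f8205-5db80ec6 Java/Exploit.CVE-2012-0507.H trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\6.0\57\7cea6c39-4ec133ee a variant of Java/TrojanDownloader.Agent.NDJ trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Admin\Local Settings\Application Data\{6287F004-954B-11E1-826D-B8AC6F996F26}\chrome\content\browser.xul JS/Redirector.NIQ trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Admin\My Documents\Downloads\frostwire-4.21.4.windows.exe Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Admin\My Documents\Downloads\Nero-9.4.12.3d_free.exe Win32/Toolbar.AskSBar application (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\ron carter\Local Settings\Application Data\CatDBUserdll32\d3dHelplog.dll probably a variant of Win32/Sefnit.CD trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\ron carter\Local Settings\Application Data\{B195B836-9706-11E1-826D-B8AC6F996F26}\chrome\content\browser.xul JS/Redirector.NIQ trojan (unable to clean) 00000000000000000000000000000000 I
"""

META_RE = re.compile(r"^# (?P<key>\w+)=(?P<value>.*)$")
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) "                  # Windows path; may contain spaces
    r"(?P<name>(?:probably )?(?:a variant of )?"   # ESET's confidence prefixes
    r"[A-Za-z0-9]+/\S+)"                           # family/variant, e.g. Win32/Kryptik.UZS
    r" (?P<kind>\w+)"                              # ESET's class word: trojan, application, ...
    r" \((?P<status>[^)]+)\)"                      # e.g. (unable to clean)
    r" (?P<hash>[0-9a-fA-F]+) (?P<flag>\S+)$"
)

# Location of the Java browser-plugin cache under a Windows XP profile.
JAVA_CACHE = "\\Sun\\Java\\Deployment\\cache\\"


class Detection(NamedTuple):
    path: str
    name: str
    kind: str
    status: str
    category: str


def categorize(path: str, kind: str) -> str:
    """Coarse triage bucket (this example's own scheme, not an ESET category)."""
    if JAVA_CACHE.lower() in path.lower():
        return "java-cache"      # payloads dropped via the Java plugin; clearing the cache removes them
    if kind == "application":
        return "pua"             # ESET's label for potentially unwanted software
    return "trojan"


def parse_eset_log(text: str) -> Tuple[Dict[str, str], List[Detection]]:
    """Split the log into '# key=value' metadata and parsed detection lines."""
    meta: Dict[str, str] = {}
    detections: List[Detection] = []
    for line in text.strip().splitlines():
        m = META_RE.match(line)
        if m:
            meta[m["key"]] = m["value"]
            continue
        d = DETECTION_RE.match(line)
        if d:
            detections.append(Detection(d["path"], d["name"], d["kind"], d["status"],
                                        categorize(d["path"], d["kind"])))
    return meta, detections


def summarize(text: str) -> Dict[str, object]:
    """Counts per bucket plus two consistency checks a reviewer would make by hand."""
    meta, detections = parse_eset_log(text)
    found = int(meta.get("found", "0"))
    cleaned = int(meta.get("cleaned", "0"))
    return {
        "found": found,
        "parsed": len(detections),
        "consistent": found == len(detections),          # every reported hit was parsed
        "by_category": dict(Counter(d.category for d in detections)),
        # remove_checked=false means a report-only scan, so nothing should have been cleaned
        "report_only": meta.get("remove_checked") == "false" and cleaned == 0,
        "uncleaned_paths": [d.path for d in detections if d.status != "cleaned"],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The "consistent" flag catches a truncated or mangled paste (a "found=" count that does not match the number of detection lines), and "report_only" confirms the scan ran with "Remove found threats" unchecked as instructed, which is why every listed item still needs a separate removal step.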

#10 taffin

taffin
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:01:40 PM

Posted 25 November 2012 - 10:04 AM

Morning Bloopie,
Restarted computer. It's definitely running smoother, but I checked in the Task Manager and still have multiple iexplorer.exe running. Three at the moment, and all in the top 5 of the list when sorted by memory usage.

#11 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • OFFLINE
  • Gender:Male
  • Location:New York
  • Local time:02:40 PM

Posted 25 November 2012 - 01:32 PM

Hi again, good afternoon! :)

Glad to hear your system is running smoother, but I need to issue you a warning on P2P programs:

Step :step1: Warning!

Going over your logs I noticed that you have µTorrent installed.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall µTorrent; however, that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.

==========

Next, we'll remove what ESET found with a batch script, and then we'll upload a file for further diagnosis.

Malwarebytes only found leftovers that are already in quarantine and in system restore, so they are harmless. Just bear in mind that you did not remove them which should be done in the future. Since the detections are harmless, we'll leave them to spare you another scan with removal.

Anyway, back to the next steps! :)

==========

Step :step2:

  • Hold the "Windows" key and press "R" to open the run box, type in notepad and click Ok.
  • Copy the text in the code box below then paste it into the blank Notepad and save it to your Desktop as DelFile.bat
@echo off
del /f /s /q "C:\Documents and Settings\update.exe"
del /f /s /q "C:\Documents and Settings\Admin\Local Settings\Application Data\{6287F004-954B-11E1-826D-B8AC6F996F26}\chrome\content\browser.xul"
del /f /s /q "C:\Documents and Settings\Admin\My Documents\Downloads\frostwire-4.21.4.windows.exe"
del /f /s /q "C:\Documents and Settings\Admin\My Documents\Downloads\Nero-9.4.12.3d_free.exe"
del /f /s /q "C:\Documents and Settings\ron carter\Local Settings\Application Data\CatDBUserdll32\d3dHelplog.dll"
del /f /s /q "C:\Documents and Settings\ron carter\Local Settings\Application Data\{B195B836-9706-11E1-826D-B8AC6F996F26}\chrome\content\browser.xul"
rd /s /q "C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\6.0\19\6b527313-6c79e50f"
rd /s /q "C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\6.0\20\39995914-7f8dc0f9"
rd /s /q "C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\6.0\37\52577ba5-1fb233d1"
rd /s /q "C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\6.0\5\410f8205-5db80ec6"
rd /s /q "C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\6.0\57\7cea6c39-4ec133ee"
del %0
  • ---->>The batch file should now look like this: Posted Image<--in Windows Vista/7 and this:Posted Image<--in Windows XP
  • Now double click on the DelFile.bat on your Desktop and the batch will quickly run and delete itself for you.
  • Now reboot the machine.

==========

Step :step3:

Show hidden files and folders. If you are unsure of how to do this, see this guide.

==========

Step :step4:

Next, I'd like you to upload a file for me:

  • Go to VirusTotal.com
  • Click the "Choose File" button.
  • Navigate to the file c:\windows\system32\drivers\hsfnt.sys and click Open.
  • Click the "Scan It" button (***Note: If it says this file has already been scanned, please click "Reanalyze").
  • When it is finished scanning please provide a link to the results page in your next reply.

==========

In addition to the link with the Virustotal results, please let me know if you had any trouble with the above steps!

bloopie

Edited by bloopie, 25 November 2012 - 01:33 PM.
Fixed typo
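The DelFile.bat above deletes the flagged files outright, which is the right call for a home cleanup but leaves nothing behind to analyse, and the thread's next message shows the other failure mode: a listed file (hsfnt.sys) that does not exist on disk. The following Python script is an added example of a quarantine-first alternative; it is not bloopie's script and not part of this thread. It moves each listed path into a quarantine folder, records a SHA-256 per file in a manifest (so the hash can later be looked up on VirusTotal, as step 4 asks, without uploading the file), and reports missing paths instead of silently skipping them. The demo() function builds constructed sample files in a temporary directory; the names it uses (update.exe, a Java cache entry, hsfnt.sys) are borrowed from the thread purely as labels.

```python
"""Quarantine scanner-flagged paths with a hash manifest (added example)."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone
from typing import Dict, List


def sha256_of(path: str) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def quarantine(paths: List[str], quarantine_dir: str) -> Dict[str, object]:
    """Move each listed file or directory into quarantine_dir and write manifest.json.

    Missing paths are recorded rather than treated as errors: a scanner entry that
    no longer exists (like hsfnt.sys in this thread) is itself useful information.
    """
    os.makedirs(quarantine_dir, exist_ok=True)
    manifest: Dict[str, object] = {
        "created": datetime.now(timezone.utc).isoformat(),
        "items": [],
        "missing": [],
    }
    for n, src in enumerate(paths):
        if not os.path.exists(src):
            manifest["missing"].append(src)
            continue
        # Number the entries so two files with the same basename cannot collide.
        dest = os.path.join(quarantine_dir, f"{n:03d}_{os.path.basename(src)}")
        entry: Dict[str, object] = {"origin": src, "stored_as": dest,
                                    "is_dir": os.path.isdir(src)}
        if entry["is_dir"]:
            # Hash every file inside a flagged directory (e.g. a Java cache entry).
            entry["contents"] = {
                os.path.relpath(os.path.join(dp, fn), src): sha256_of(os.path.join(dp, fn))
                for dp, _, fns in os.walk(src) for fn in fns
            }
        else:
            entry["sha256"] = sha256_of(src)
        shutil.move(src, dest)
        entry["moved"] = (not os.path.exists(src)) and os.path.exists(dest)
        manifest["items"].append(entry)
    with open(os.path.join(quarantine_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def demo() -> Dict[str, object]:
    """Run quarantine() against constructed sample files in a fresh temp directory."""
    root = tempfile.mkdtemp(prefix="quarantine_demo_")
    flagged_file = os.path.join(root, "update.exe")          # constructed, not a real binary
    flagged_dir = os.path.join(root, "6b527313-6c79e50f")    # stands in for a Java cache entry
    missing = os.path.join(root, "hsfnt.sys")                # deliberately never created
    with open(flagged_file, "wb") as f:
        f.write(b"MZ constructed sample content")
    os.makedirs(flagged_dir)
    with open(os.path.join(flagged_dir, "payload.jar"), "wb") as f:
        f.write(b"PK constructed sample content")
    return quarantine([flagged_file, flagged_dir, missing],
                      os.path.join(root, "quarantine"))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Nothing is deleted until the manifest has been reviewed; once the hashes have been checked and the machine confirmed stable after a reboot, the quarantine folder can be removed in one step, which is the same end state the batch file reaches in a single move.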


#12 taffin

taffin
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:01:40 PM

Posted 25 November 2012 - 02:05 PM

Ran batch file and rebooted. I attempted to follow the directions but there is no hsfnt.sys in that folder. I do have 3 similar files- hsfbs2s2.sys, hsfcxts2.sys and hsfdpsp2.sys.

#13 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • OFFLINE
  • Gender:Male
  • Location:New York
  • Local time:02:40 PM

Posted 25 November 2012 - 02:25 PM

Hi again,

By the last file names you gave me, they're probably part of some modem software... may not even still be active. They're okay.

Knowing that, then I have good news! All we need to do is update a couple of programs, and then uninstall our tools (which is important)!

==========

Step :step1:

Your version of Adobe Reader is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older-version Adobe components and update:
  • Download the latest version of Adobe Reader Version X. and save it to your desktop.
  • Uncheck the "Free McAfee Security plan Plus" option or any other Toolbar you are offered
  • Click the download button at the bottom.
  • If you use Internet Explorer and do not wish to install the ActiveX element, simply click on the click here to download link on the next page.
  • Remove all older versions of Adobe Reader: Go to Add/Remove and uninstall all versions of Adobe Reader, Acrobat Reader and Adobe Acrobat.
    If you are unsure of how to use Add or Remove Programs, then please see this tutorial: How To Remove An Installed Program From Your Computer
  • Then from your desktop double-click on Adobe Reader to install the newest version.
    If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the "Adobe Setup - Welcome" window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
Your Adobe Reader is now up to date!

==========

Step :step2:

Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older-version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 7 and save it to your desktop.
  • Look for "Java Platform, Standard Edition".
  • Click the "Download JRE" button to the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • From the list, select your OS and Platform (32-bit or 64-bit).
    64-bit OS users, should read: Which Java download should I choose for my 64-bit Windows operating system?
  • If a download for an Offline Installation is available, it is recommended to choose that and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Posted Image > Control Panel, double-click on Add/Remove Programs or Programs and Features in Vista/Windows 7 and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-7u9-windows-i586.exe (or jre-7u9-windows-x64.exe for 64-bit) to install the newest version.
  • If using Windows 7 or Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered any unwanted software or toolbars during installation, just uncheck the box before continuing unless you want it.
  • The McAfee Security Scan Plus tool is installed by default unless you uncheck the McAfee installation box when updating Java.
Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications but it's not necessary.
To disable the JQS service if you don't want to use it:
  • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
  • Click Ok and reboot your computer.

==============================

Your machine appears to be clean! :thumbsup:

Let's do some housekeeping now:



The following steps will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points and create a new restore point. It will also remove all the backups our tools may have made.


Step :step3:

DeFogger:

Note** This only needs to be run if it was run before - If not then skip it.

  • To re-enable your Emulation drivers, double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
Your Emulation drivers are now re-enabled.


Step :step4:

Uninstall ComboFix:

  • turn off all active protection software
  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box ComboFix /Uninstall and click OK.
  • Note the space between the X and the /Uninstall, it needs to be there.


Step :step5:

Download and Run OTC

We will now remove the tools we used during this fix using OTC.

  • Download OTC by OldTimer and save it to your desktop.
  • Double click Posted Image icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big Posted Image button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.

Any programs and logs that are left over you can just delete from the desktop.


Are you having any additional problems at this point? If so, please let me know. Otherwise feel free to enjoy use of your repaired machine :thumbup2:



The most common cause of an infected machine is the Trojan Horse, or programs which appear to be legitimate but which contain malicious payloads, or which are simply malicious in and of themselves. No antivirus, firewall, host-based intrusion prevention system (HIPS), or other security software can fully protect you against this kind of attack. The best way to protect yourself is not to run email attachments from untrusted sources, and to avoid software downloaded from the internet wherever possible. Remember, when you run an application, you are giving that application permission to do to your machine anything you can do to the machine, including create, modify, or destroy files or other data. In the Windows (and most other systems', such as Unix) security model, applications don't have privileges, users do.

The second most common cause of infection is out-of-date software. Leaving your system unpatched leaves holes through which attackers can execute code on your behalf without your consent. This goes for far more than common targets such as Windows and Internet Explorer. Most recent threats target other third-party software, such as Adobe's Adobe Reader, Shockwave Player, or Flash Player, or Oracle's Java browser plugins. You can check your system for out-of-date software manually, or by using automated tools such as Secunia's Personal Software Inspector. This goes doubly for security applications such as antivirus and other antimalware products based on definition lists, where out-of-date lists mean no detection of newer malware.

Finally, occasionally you will be forced to run some potentially infected binary, or attackers will use a hole which is unpatched by software vendors, so a last line of defense is needed. That means turning on a firewall (Windows Firewall included with Windows XP SP2 or later is fine) and leaving it on, and using and keeping up to date an antivirus solution such as Norton AntiVirus. Antiviral solutions don't even have to cost money; for instance Microsoft Security Essentials provides perfectly acceptable protection for free. If for some reason you don't like MSE, there are other free products available as well:
  • Avast (home use only)
  • Avira (shows nag screen to purchase full product when updating, home use only)

That should be fine for the majority of users. However, if you absolutely want additional protection, consider one or more of the following products:
If you want more information on methods malware use to infect your computer, consider browsing our How did I get infected? topic.

Please respond to this post so I can close the thread unless you have any other questions.


Best of regards, and happy surfing!! :wink:

bloopie

#14 taffin

taffin
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:01:40 PM

Posted 26 November 2012 - 08:54 AM

Morning Bloopie,
I've followed all steps and computer seems to be running nice and smooth thanks.
Only thing weird is that still have multiple copies of iexplorer.exe running. Is that normal?
Thanks again for all your help

#15 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  •  
  • Gender:Male
  • Location:New York
  • Local time:02:40 PM

Posted 26 November 2012 - 05:35 PM

Good evening, :)

Only thing weird is that still have multiple copies of iexplorer.exe running. Is that normal?

There could be a number of reasons, but is Internet Explorer your default browser? I would recommend a switch to another browser as IE is constantly targeted, but that's just a suggestion.

See if you could try ending the processes via the Task Manager, and let me know if they come back up and how many of them are listed...

bloopie



