possible malware remaining


Post by viruskill on Thu Dec 31, 2009 9:19 pm

A quick history of my XP virus experience - I got the Internet Security 2010 virus, bought Norton 360 and it didn't do anything for it. I then downloaded Malwarebytes Anti-Malware and it seemed to fix it (at least it allowed me to access Task Manager and End Process/delete the .exe that way).

Now i cannot run my computer in safe mode, browser searches are re-directed to ad-sites, some links that should work won't open period, etc.

Anytime I run the MBAM program the following 2 files always appear:

Files Infected:
C:\WINDOWS\system32\flags.ini (Malware.Trace) -> Delete on reboot.
C:\WINDOWS\system32\uses32.dat (Malware.Trace) -> Quarantined and delete

What can I do to remove the possible remaining malware?


As seen in a previous post, here is a log file from HijackThis:

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 4:11:43 PM, on 31/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton 360 Premier Edition\Engine\3.5.2.11\ccSvcHst.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Norton 360 Premier Edition\Engine\3.5.2.11\ccSvcHst.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360 Premier Edition\Engine\3.5.2.11\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360 Premier Edition\Engine\3.5.2.11\IPSBHO.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360 Premier Edition\Engine\3.5.2.11\coIEPlg.dll
O4 - HKLM\..\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Internet Security 2010] C:\Program Files\InternetSecurity2010\IS2010.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: kill.bat
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: Google Sidewiki... - [You must be registered and logged in to see this link.] Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - [You must be registered and logged in to see this link.]
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton 360 Premier Edition\Engine\3.5.2.11\coIEPlg.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360 Premier Edition\Engine\3.5.2.11\ccSvcHst.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe

--
End of file - 7482 bytes

viruskill (Novice): Posts 13, Joined 2009-12-31, OS XP SP3, Points 25508, Likes 0

Re: possible malware remaining

Post by Belahzur on Thu Dec 31, 2009 9:26 pm

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    O4 - HKCU\..\Run: [Internet Security 2010] C:\Program Files\InternetSecurity2010\IS2010.exe
    O4 - Startup: kill.bat


  • Press "Fix Checked"
  • Close HijackThis.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur (Administrator): Posts 34916, Joined 2008-08-03, Gender Male, OS XP SP3 Media Centre, Points 245069, Likes 1
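The four entries Belahzur picks out above are the classic things a helper looks for in a HijackThis log: O2/O3 entries that are registered but have no backing file, an autostart entry for the rogue "Internet Security 2010", and a batch file sitting in the Startup folder. The script below is an added example, not HijackThis code and not something either participant posted; it encodes those three checks as rules and runs them over a constructed subset of the O-lines from the first post. The rule set and the `ROGUE_NAMES` list are the editor's assumptions, seeded only with the product named in this thread.

```python
"""Rule-based triage of HijackThis 'O' entries.

Added example for this thread; not HijackThis code and not posted by
either participant.  The rules and ROGUE_NAMES are assumptions drawn
from the entries the helper asked to have fixed.
"""
import re

# Constructed subset of the O-lines from the first post in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360 Premier Edition\Engine\3.5.2.11\coIEPlg.dll
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Internet Security 2010] C:\Program Files\InternetSecurity2010\IS2010.exe
O4 - Startup: kill.bat
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
"""

HJT_LINE = re.compile(r"^(O\d+|R\d) - (.*)$")
# Script/shortcut-like extensions that rarely belong in an autostart location.
SCRIPT_EXTS = {"bat", "cmd", "vbs", "js", "pif", "scr"}
# Display names of rogue security products (assumption: only the one named here).
ROGUE_NAMES = {"internet security 2010"}


def parse_entry(line):
    """Split 'O4 - HKCU\\..\\Run: [x] y' into (section, body, raw); None if not an entry."""
    m = HJT_LINE.match(line.strip())
    return (m.group(1), m.group(2), line.strip()) if m else None


def o4_target(body):
    """Return (display name, launch target) for an O4 autostart body."""
    m = re.search(r"\[(.*?)\]\s*(.*)", body)
    if m:                                    # registry Run entry: [Name] target args
        return m.group(1), m.group(2).strip()
    target = body.split(":", 1)[1].strip()   # 'Startup: kill.bat' / 'Global Startup: x.lnk = path'
    if " = " in target:
        target = target.split(" = ", 1)[1]
    return target, target.strip()


def last_extension(target):
    """Extension of the launched file, ignoring dots inside directory names."""
    exts = re.findall(r"\.([a-z0-9]{2,4})\b", target, re.I)
    return exts[-1].lower() if exts else ""


def triage(log_text):
    """Return [(raw_line, reason)] for entries a helper would normally fix."""
    findings = []
    for line in log_text.strip().splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        section, body, raw = entry
        if body.endswith("(no file)"):
            findings.append((raw, "orphaned entry: registered component has no backing file"))
            continue
        if section == "O4":
            name, target = o4_target(body)
            ext = last_extension(target)
            if name.lower() in ROGUE_NAMES:
                findings.append((raw, f"autostart for rogue security product '{name}'"))
            elif ext in SCRIPT_EXTS:
                findings.append((raw, f"script (.{ext}) in an autostart location"))
    return findings


if __name__ == "__main__":
    for raw, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {raw}")
```

Run against the sample it flags exactly the four lines Belahzur listed; legitimate entries such as the Norton toolbar or the Winamp agent pass through untouched, which is the property a triage rule needs before it is trusted on a full log.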

Re: possible malware remaining

Post by viruskill on Thu Dec 31, 2009 9:48 pm

Malwarebytes' Anti-Malware 1.43
Database version: 3465
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

31/12/2009 4:43:31 PM
mbam-log-2009-12-31 (16-43-31).txt

Scan type: Quick Scan
Objects scanned: 105227
Time elapsed: 4 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\kbdsock.dll (Spyware.Passwords) -> Delete on reboot.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\IS2010 (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\kbdsock.dll (Spyware.Passwords) -> Delete on reboot.
C:\WINDOWS\system32\k1tesp2ul.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xy10k.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qrla6jea94.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\r0hgf.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\ppi2.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\flags.ini (Malware.Trace) -> Delete on reboot.
C:\WINDOWS\system32\uses32.dat (Malware.Trace) -> Quarantined and deleted successfully.

viruskill (Novice): Posts 13, Joined 2009-12-31, OS XP SP3, Points 25508, Likes 0

Re: possible malware remaining

Post by Belahzur on Thu Dec 31, 2009 9:55 pm

Hello.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both of the reports to your Desktop.
  • Copy and paste BOTH LOGS back here; use more than one post if needed.




Belahzur (Administrator): Posts 34916, Joined 2008-08-03, Gender Male, OS XP SP3 Media Centre, Points 245069, Likes 1

Re: possible malware remaining

Post by viruskill on Thu Dec 31, 2009 10:01 pm

DDS (Ver_09-12-01.01) - NTFSx86
Run by Chris at 16:58:55.89 on 31/12/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1485 [GMT -5:00]

AV: Norton 360 Premier Edition *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 Premier Edition *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton 360 Premier Edition\Engine\3.5.2.11\ccSvcHst.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Norton 360 Premier Edition\Engine\3.5.2.11\ccSvcHst.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Chris\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360 premier edition\engine\3.5.2.11\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360 premier edition\engine\3.5.2.11\IPSBHO.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360 premier edition\engine\3.5.2.11\coIEPlg.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SysTrayApp] c:\program files\idt\wdm\sttray.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0014-0002-0019-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - [You must be registered and logged in to see this link.]
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton 360 premier edition\engine\3.5.2.11\CoIEPlg.dll
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\windows\system32\kbdsock.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0305020.00b\SymEFA.sys [2009-12-27 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0305020.00b\BHDrvx86.sys [2009-12-27 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0305020.00b\cchpx86.sys [2009-12-27 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20091217.002\IDSXpx86.sys [2009-12-27 329592]
R2 N360;Norton 360;c:\program files\norton 360 premier edition\engine\3.5.2.11\ccSvcHst.exe [2009-12-27 117640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-12-27 102448]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20091230.055\NAVENG.SYS [2009-12-31 84912]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20091230.055\NAVEX15.SYS [2009-12-31 1323568]
R3 TASCAM_US122144;TASCAM USB 2.0 Audio Device driver;c:\windows\system32\drivers\tascusb2.sys [2009-10-10 367616]
R3 TASCAM_US122L_MIDI;TASCAM US-122L WDM MIDI Device;c:\windows\system32\drivers\tscusb2m.sys [2009-10-10 18944]
R3 TASCAM_US122L_WDM;TASCAM US-122L WDM;c:\windows\system32\drivers\tscusb2a.sys [2009-10-10 33792]

=============== Created Last 30 ================

2009-12-31 21:10:52 0 d-----w- c:\program files\TrendMicro
2009-12-28 17:37:21 0 d-----w- c:\docume~1\alluse~1\applic~1\Symantec
2009-12-28 01:24:19 0 d-----w- c:\docume~1\chris\applic~1\Malwarebytes
2009-12-28 01:24:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-28 01:24:03 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-28 01:24:02 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-28 01:24:01 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-28 01:14:14 0 ----a-w- c:\windows\system32\29358.exe
2009-12-28 00:54:13 0 ----a-w- c:\windows\system32\11478.exe
2009-12-28 00:34:13 0 ----a-w- c:\windows\system32\15724.exe
2009-12-28 00:32:24 0 d-----r- c:\program files\Norton Support
2009-12-28 00:14:13 0 ----a-w- c:\windows\system32\19169.exe
2009-12-27 23:54:11 0 ----a-w- c:\windows\system32\26500.exe
2009-12-27 23:34:11 0 ----a-w- c:\windows\system32\6334.exe
2009-12-27 23:14:09 0 ----a-w- c:\windows\system32\18467.exe
2009-12-27 23:02:38 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-12-27 23:02:38 107368 ----a-r- c:\windows\system32\GEARAspi.dll
2009-12-27 23:02:28 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys
2009-12-27 23:02:24 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-12-27 23:02:24 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-12-27 23:02:24 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-12-27 23:02:24 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-12-27 23:02:24 0 d-----w- c:\program files\Symantec
2009-12-27 23:02:24 0 d-----w- c:\program files\common files\Symantec Shared
2009-12-27 23:01:53 0 d-----w- c:\windows\system32\drivers\N360
2009-12-27 23:01:51 0 d-----w- c:\program files\Norton 360 Premier Edition
2009-12-27 23:01:51 0 d-----w- c:\docume~1\alluse~1\applic~1\Norton
2009-12-27 23:00:32 0 d-----w- c:\program files\NortonInstaller
2009-12-27 23:00:32 0 d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-12-27 04:35:53 0 d-----w- c:\docume~1\chris\applic~1\AVG8
2009-12-27 04:18:34 1 ----a-w- C:\s
2009-12-27 04:18:14 7020 --sha-w- c:\windows\E88D4.exe
2009-12-27 03:55:09 0 d-----w- c:\docume~1\chris\applic~1\Applied Acoustics Systems
2009-12-27 03:24:44 0 d-----w- c:\program files\setupdir
2009-12-27 03:05:05 86016 ----a-w- c:\windows\unvise32.exe
2009-12-27 02:10:07 0 d-----w- c:\program files\WGINST.000
2009-12-27 01:47:52 701 ----a-w- c:\windows\VWAVES22.INI
2009-12-27 01:45:15 0 d-----w- c:\program files\SOUNDS
2009-12-27 01:45:12 0 d-----w- c:\program files\SYNTHS
2009-12-27 01:45:12 0 d-----w- c:\program files\PRESETS
2009-12-27 01:23:54 0 d-----w- c:\docume~1\chris\applic~1\Anvil Studio
2009-12-27 01:08:06 299520 ----a-w- c:\windows\uninst.exe
2009-12-27 01:08:05 0 d-----w- c:\documents and settings\chris\WINDOWS
2009-12-16 12:47:33 77349 ----a-w- c:\windows\hpqins05.dat
2009-12-16 12:43:00 0 d-----w- c:\docume~1\chris\applic~1\HpUpdate
2009-12-16 12:42:58 0 d-----w- c:\windows\Hewlett-Packard
2009-12-16 12:40:37 73728 ----a-w- c:\windows\system32\javacpl.cpl
2009-12-16 12:40:37 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-14 23:31:07 0 ----a-w- c:\documents and settings\chris\񀿉
2009-12-13 16:16:55 49920 ----a-r- c:\windows\system32\drivers\HPZid412.sys
2009-12-13 16:16:55 16496 ----a-r- c:\windows\system32\drivers\HPZipr12.sys
2009-12-13 16:16:32 271704 ----a-r- c:\windows\system32\hpzids01.dll
2009-12-13 16:16:32 118272 ----a-w- c:\windows\system32\hpz3l5mu.dll
2009-12-13 16:16:26 21568 ----a-r- c:\windows\system32\drivers\HPZius12.sys
2009-12-13 16:15:57 729088 ----a-r- c:\windows\system32\hpwwiax4.dll
2009-12-13 16:15:57 593920 ----a-r- c:\windows\system32\hpwtscl3.dll
2009-12-13 16:15:57 364544 ----a-r- c:\windows\system32\hppldcoi.dll
2009-12-13 16:15:57 309760 ----a-r- c:\windows\system32\difxapi.dll
2009-12-13 16:15:57 294912 ----a-r- c:\windows\system32\hpovst11.dll
2009-12-13 16:04:29 0 d-----w- c:\program files\common files\HP
2009-12-13 16:04:28 0 d-----w- c:\program files\common files\Hewlett-Packard
2009-12-13 16:03:31 1373528 ----a-r- c:\windows\hpzshl01.exe
2009-12-13 16:03:31 1140056 ----a-r- c:\windows\hpzmsi01.exe
2009-12-13 16:03:31 10563 ----a-r- c:\windows\hpwscr19.dat
2009-12-13 16:03:30 0 d-----w- c:\windows\yellowtail
2009-12-13 16:03:06 0 d-----w- c:\program files\HP
2009-12-13 16:01:04 997 ----a-r- c:\windows\hpwmdl19.dat
2009-12-13 16:01:04 176399 ----a-w- c:\windows\hpwins19.dat

==================== Find3M ====================

2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-15 01:58:25 90112 ----a-w- c:\windows\system32\agsaami.dll
2009-10-15 01:58:25 610304 ----a-w- c:\windows\system32\agsaamg.dll
2009-10-15 01:58:25 372736 ----a-w- c:\windows\system32\agsaamc.dll
2009-10-15 01:58:25 2535424 ----a-w- c:\windows\system32\agsaamj.dll
2009-10-15 01:12:50 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-10-15 01:12:50 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-10 22:48:59 21640 ----a-w- c:\windows\system32\emptyregdb.dat

============= FINISH: 17:00:02.90 ===============

viruskill (Novice): Posts 13, Joined 2009-12-31, OS XP SP3, Points 25508, Likes 0
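Read together, the MBAM log and the DDS report above tell a defender which detections are actually finished. MBAM could only mark kbdsock.dll and flags.ini "Delete on reboot", and the DDS report still lists kbdsock.dll under AppInit_DLLs, which is why the restart matters. The "Created Last 30" section also shows a run of zero-byte, digit-named .exe files in system32 created twenty minutes apart, plus E88D4.exe with hidden and system attributes. The script below is an added example, not MBAM, DDS or forum code; it parses constructed subsets of both logs and cross-checks them. The heuristics (pending-reboot items, AppInit_DLLs, zero-byte digit-named executables, hidden+system executables) are the editor's assumptions.

```python
"""Cross-check an MBAM removal log against a DDS report.

Added example for this thread; not MBAM, DDS or forum code.  The
heuristics below are the editor's assumptions, not tool behaviour.
"""
import re
from collections import Counter

# Constructed subset of the MBAM log posted above.
MBAM_LOG = r"""
Files Infected: 8

Memory Modules Infected:
C:\WINDOWS\system32\kbdsock.dll (Spyware.Passwords) -> Delete on reboot.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\IS2010 (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\kbdsock.dll (Spyware.Passwords) -> Delete on reboot.
C:\WINDOWS\system32\k1tesp2ul.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xy10k.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qrla6jea94.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\r0hgf.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\ppi2.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\flags.ini (Malware.Trace) -> Delete on reboot.
C:\WINDOWS\system32\uses32.dat (Malware.Trace) -> Quarantined and deleted successfully.
"""

# Constructed subset of the DDS report posted above.
DDS_LOG = r"""
============== Pseudo HJT Report ===============

AppInit_DLLs: c:\windows\system32\kbdsock.dll

=============== Created Last 30 ================

2009-12-28 01:24:02 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-28 01:14:14 0 ----a-w- c:\windows\system32\29358.exe
2009-12-28 00:54:13 0 ----a-w- c:\windows\system32\11478.exe
2009-12-28 00:34:13 0 ----a-w- c:\windows\system32\15724.exe
2009-12-27 04:18:14 7020 --sha-w- c:\windows\E88D4.exe

==================== Find3M ====================

2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll
"""

MBAM_ITEM = re.compile(r"^(?P<path>.+?) \((?P<family>[^)]+)\) -> (?P<action>.+)$")
DDS_FILE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\d+) (\S+) (.+)$")


def parse_mbam(text):
    """Return one dict per detection: section, path, family, action."""
    items, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("Infected:"):       # 'Files Infected:' etc. open a section
            section = line[:-1]
            continue
        m = MBAM_ITEM.match(line)
        if m and section:
            items.append({"section": section, **m.groupdict()})
    return items


def pending_reboot(items):
    """Detections MBAM could not remove immediately (file still in use)."""
    return [i for i in items if i["action"].lower().startswith("delete on reboot")]


def dds_section(text, title):
    """Yield the stripped lines of one '==== title ====' section of a DDS report."""
    inside = False
    for line in text.splitlines():
        if line.startswith("="):
            if inside:
                return                       # next header ends the section
            inside = title in line
        elif inside:
            yield line.strip()


def cross_check(mbam_text, dds_text):
    items = parse_mbam(mbam_text)
    pending = {i["path"].lower() for i in pending_reboot(items)}
    findings = []
    for line in dds_section(dds_text, "Pseudo HJT Report"):
        if line.startswith("AppInit_DLLs:"):  # DLLs injected into every GUI process
            for dll in line.split(":", 1)[1].split(","):
                dll = dll.strip()
                why = ("still loaded via AppInit_DLLs; MBAM deferred its deletion to reboot"
                       if dll.lower() in pending else "AppInit_DLLs entry; confirm it belongs to an installed product")
                findings.append((dll, why))
    for line in dds_section(dds_text, "Created Last 30"):
        m = DDS_FILE.match(line)
        if not m:
            continue
        created, size, attrs, path = m.group(1), int(m.group(2)), m.group(3), m.group(4)
        if size == 0 and re.search(r"\\\d+\.exe$", path, re.I):
            findings.append((path, f"zero-byte digit-named executable created {created}"))
        elif "s" in attrs and "h" in attrs and path.lower().endswith(".exe"):
            findings.append((path, "executable with hidden+system attributes"))
    return {"items": items, "families": Counter(i["family"] for i in items),
            "pending_reboot": pending_reboot(items), "findings": findings}


if __name__ == "__main__":
    result = cross_check(MBAM_LOG, DDS_LOG)
    print(dict(result["families"]))
    for path, why in result["findings"]:
        print(f"{why}\n    {path}")
```

The AppInit_DLLs cross-reference is the check that matters most here: a module MBAM could only schedule for deletion is still being injected into processes until the machine restarts, so "Delete on reboot" without an actual reboot leaves the password stealer running.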

Re: possible malware remaining

Post by viruskill on Thu Dec 31, 2009 10:01 pm

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 10/10/2009 6:53:43 PM
System Uptime: 31/12/2009 4:44:32 PM (1 hours ago)

Motherboard: Intel Corporation | | D946GZIS
Processor: Intel(R) Core(TM)2 CPU 6400 @ 2.13GHz | LGA 775 | 2131/266mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 76 GiB total, 37.176 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================


"Nero SoundTrax Help
礣orrent
32 Bit HP CIO Components Installer
4500_Help
Acoustica Beatcraft
Acoustica Effects Pack
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop 7.0
Adobe Reader 9.2
Advertising Center
ASIO4ALL
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
ATI Parental Control & Encoder
Audacity 1.2.6
BPD_HPSU
bpd_scan
BPDSoftware
BPDSoftware_Ini
BufferChm
Canon MP Drivers
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center HydraVision Full
ccc-core-preinstall
ccc-core-static
ccc-utility
CCC Help English
Collab
CustomerResearchQFolder
Destination Component
DeviceDiscovery
DeviceManagementQFolder
DocMgr
DocProc
DocProcQFolder
DolbyFiles
eSupportQFolder
Fax
FL Studio 8
GPBaseService
GPBaseService2
Guitar Pro 5.2
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
HP Customer Participation Program 10.0
HP Document Manager 1.0
HP Imaging Device Functions 10.0
HP Officejet J4500 Series
HP Photosmart Essential 2.5
HP Smart Web Printing
HP Solution Center 13.0
HP Update
HPProductAssistant
HPSSupply
IL Download Manager
ImagXpress
Intel(R) Network Connections 14.5.1.0
iZotope Ozone 4
J4500
Java 2 Runtime Environment, SE v1.4.2_19
Java(TM) 6 Update 17
Magic M4A to MP3 Converter 3.1
Malwarebytes' Anti-Malware
MarketResearch
Menu Templates - Starter Kit
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office XP Professional
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
MIDInight Express II
Movie Templates - Starter Kit
MSVCRT
MSVCSetup
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
Nero 9
Nero BurningROM
Nero BurnRights
Nero ControlCenter
Nero CoverDesigner
Nero CoverDesigner Help
Nero Disc Copy Gadget
Nero Disc Copy Gadget Help
Nero DiscSpeed
Nero DriveSpeed
Nero Express
Nero InfoTool
Nero Installer
Nero PhotoSnap
Nero PhotoSnap Help
Nero Recode
Nero Recode Help
Nero Rescue Agent
Nero RescueAgent Help
Nero ShowTime
Nero StartSmart
Nero StartSmart Help
Nero Vision
Nero WaveEditor
Nero WaveEditor Help
NeroBurningROM
NeroExpress
neroxml
Norton 360 Premier Edition
OCR Software by I.R.I.S. 10.0
Opera 10.10
PoiZone
Power AMR MP3 WAV WMA M4A AC3 Audio Converter 1.6
Power Tab Editor 1.7
ProductContext
PSSWCORE
RealPlayer
Scan
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Segoe UI
Shop for HP Supplies
SigmaTel Audio
SmartWebPrintingOC
SolutionCenter
Soundforum Synth
SoundTrax
Status
Toolbox
Toxic Biohazard
TrayApp
Uniblue DriverScanner 2009
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB973874)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows XP (KB898461)
Update for Windows XP (KB943729)
Update for Windows XP (KB951978)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
US-122L / US-144 driver
VideoToolkit01
VLC media player 1.0.3
WebFldrs XP
WebReg
Winamp
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Player 11
Windows Search 4.0
WinRAR archiver

==== Event Viewer Messages From Past Week ========

30/12/2009 4:50:27 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Windows CardSpace service to connect.
30/12/2009 4:50:27 PM, error: Service Control Manager [7000] - The Windows CardSpace service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
27/12/2009 9:07:25 PM, error: Service Control Manager [7022] - The HP CUE DeviceDiscovery Service service hung on starting.
27/12/2009 9:05:54 PM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
27/12/2009 9:05:54 PM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
27/12/2009 9:05:50 PM, error: Service Control Manager [7023] - The System Restore Service service terminated with the following error: The system cannot find the file specified.
27/12/2009 9:05:46 PM, error: SRService [104] - The System Restore initialization process failed.
27/12/2009 8:41:41 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.
27/12/2009 8:41:41 PM, error: Service Control Manager [7000] - The Application Layer Gateway Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
27/12/2009 7:11:18 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
27/12/2009 7:11:14 PM, error: Dhcp [1002] - The IP address lease 99.239.205.193 for the Network Card with network address 0019D19C409E has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
27/12/2009 11:28:30 PM, warning: Windows File Protection [64008] - The protected system file c:\windows\system32\drivers\atapi.sys could not be verified as valid because Windows File Protection is terminating. Use the SFC utility to verify the integrity of the file at a later time.
27/12/2009 11:28:10 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\system32\drivers\atapi.sys. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5512.
26/12/2009 11:37:46 PM, error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
26/12/2009 11:20:19 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Print Spooler service to connect.
26/12/2009 11:20:19 PM, error: Service Control Manager [7000] - The Print Spooler service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

==== End Of File ===========================

viruskill
Novice

Posts : 13
Joined : 2009-12-31
OS : XP SP3
Points : 25508
# Likes : 0
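The Event Viewer extract above carries the most telling indicator in the whole log: Windows File Protection event 64002 (a replacement of the protected driver atapi.sys was attempted and WFP put the stock 5.1.2600.5512 copy back), followed by 64008 (WFP could not verify the file because it was shutting down), alongside System Restore failing to initialise. Event 64002 also fires during legitimate updates, so on its own it is only a lead; later in the thread ComboFix reports an infected copy of atapi.sys, which is where the lead pointed. The script below is an added example, not something posted in this thread and not part of any tool it mentions: it parses lines in the exact format of the extract above and flags the event IDs worth chasing. The sample lines are copied from the post; the rule table and the `triage` / `replaced_system_files` names are the example's own.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Line shape used by the extract above:
# "30/12/2009 4:50:27 PM, error: Service Control Manager [7009] - message"
EVENT_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<eid>\d+)\] - (?P<msg>.*)$"
)
# A system32 path ending in a binary extension, pulled out of the message text.
SYSTEM_FILE_RE = re.compile(r"[a-z]:\\windows\\system32\\\S+\.(?:sys|dll|exe)", re.I)


@dataclass
class Event:
    when: datetime
    level: str
    source: str
    event_id: int
    message: str


def parse_event(line):
    """Turn one extract line into an Event, or None if it is not an event line."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    when = datetime.strptime(m["ts"], "%d/%m/%Y %I:%M:%S %p")
    return Event(when, m["level"], m["source"], int(m["eid"]), m["msg"])


# (source, event id) pairs that matter when hunting for tampering.
# 64002 also fires on legitimate updates; corroborate before acting on it.
RULES = {
    ("Windows File Protection", 64002): "protected file replaced; WFP restored the original",
    ("Windows File Protection", 64008): "WFP could not verify a protected file",
    ("SRService", 104): "System Restore initialisation failed",
}


def triage(lines):
    """Return the noteworthy events, oldest first, with any system file named."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        note = RULES.get((ev.source, ev.event_id))
        if note is None and ev.source == "Service Control Manager" \
                and "System Restore" in ev.message:
            note = "System Restore service failed to start"
        if note is None:
            continue
        m = SYSTEM_FILE_RE.search(ev.message)
        findings.append({
            "when": ev.when,
            "source": ev.source,
            "event_id": ev.event_id,
            "file": m.group(0).lower() if m else None,
            "note": note,
        })
    return sorted(findings, key=lambda f: f["when"])


def replaced_system_files(lines):
    """Protected files that WFP reported as replaced or unverifiable."""
    return sorted({f["file"] for f in triage(lines)
                   if f["source"] == "Windows File Protection" and f["file"]})


# Sample input: lines copied from the extract in the post above.
SAMPLE_EVENTS = [
    r"27/12/2009 9:05:50 PM, error: Service Control Manager [7023] - The System Restore Service service terminated with the following error: The system cannot find the file specified.",
    r"27/12/2009 9:05:46 PM, error: SRService [104] - The System Restore initialization process failed.",
    r"27/12/2009 11:28:30 PM, warning: Windows File Protection [64008] - The protected system file c:\windows\system32\drivers\atapi.sys could not be verified as valid because Windows File Protection is terminating. Use the SFC utility to verify the integrity of the file at a later time.",
    r"27/12/2009 11:28:10 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\system32\drivers\atapi.sys. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5512.",
    r"26/12/2009 11:20:19 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Print Spooler service to connect.",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["when"], f["event_id"], f["file"] or "-", f["note"])
    print("replaced:", replaced_system_files(SAMPLE_EVENTS))
```

The parser only understands the pasted extract format; a log saved from Event Viewer itself has a different layout. When a driver shows up in `replaced_system_files`, the next checks are the file's version and digital signature, whether any update or driver install ran at that time, and, as in this thread, a scanner that verifies the on-disk copy rather than trusting the running kernel.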

Re: possible malware remaining

Post by Belahzur on Thu Dec 31, 2009 10:08 pm

Hello.

Do you know what this file/folder is?
C:\s

I see that you are running uTorrent.
P2P (peer-to-peer) applications are designed to help you easily share and distribute files between you and a group of people. But they can also be used to distribute malware, and thus are not considered safe.
The removal of these programs is optional, but highly recommended.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    µTorrent
    Java 2 Runtime Environment, SE v1.4.2_19

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTM.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy).


    :files
    c:\windows\system32\29358.exe
    c:\windows\system32\11478.exe
    c:\windows\system32\15724.exe
    c:\windows\system32\19169.exe
    c:\windows\system32\26500.exe
    c:\windows\system32\6334.exe
    c:\windows\system32\18467.exe
    c:\windows\E88D4.exe

    :reg
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=-
    "AppInit_DLLs"=""

    :commands
    [resethosts]
    [reboot]


  • Return to OTMoveIt, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245069
# Likes : 1
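The OTM script above hits three persistence and hijack points at once: dropper executables with random numeric names in system32 and the Windows directory, the AppInit_DLLs value (any DLL listed there is mapped into every process that loads user32.dll, so one entry gives malware a foothold in the browser and everything else), and the hosts file (rewriting it is the cheapest way to redirect searches and block security vendors' update sites). The script below is an added example, not part of this thread or of OTM, that checks those three indicators. The pure functions run anywhere against the constructed sample input at the bottom; `collect_live()` reads the real registry value, hosts file and system32 listing on a Windows host. The sample AppInit value `hook_example.dll`, the hosts entries and the directory listing are constructed for illustration (the numeric file names are the ones from the OTM script), and the function names are the example's own.

```python
import os
import re
import sys

# Loader persistence point: every DLL listed here is mapped into each process
# that loads user32.dll. On a stock XP install the value is an empty string.
APPINIT_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
HOSTS_PATH = r"C:\WINDOWS\system32\drivers\etc\hosts"
SYSTEM32 = r"C:\WINDOWS\system32"

# A clean XP hosts file maps only localhost; anything else deserves a look.
DEFAULT_HOSTS = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Dropper-style names as in the OTM script: all-digit or short-hex .exe files
# planted directly in system32 or the Windows directory. Short hex names can
# collide with a legitimate file (e.g. "cafe.exe"), so treat hits as leads.
DROPPER_NAME_RE = re.compile(r"^(\d+|[0-9a-f]{4,8})\.exe$", re.IGNORECASE)


def appinit_entries(value):
    """Split an AppInit_DLLs string into the DLLs it would load (empty = clean)."""
    if not value:
        return []
    return [p for p in re.split(r"[ ,;]+", value.strip()) if p]


def hosts_hijacks(text):
    """Return (ip, hostname) pairs that are not the stock localhost entries."""
    found = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            if (ip, name.lower()) not in DEFAULT_HOSTS:
                found.append((ip, name.lower()))
    return found


def dropper_named_executables(names):
    """File names in a directory listing that match the dropper naming pattern."""
    return sorted(n for n in names if DROPPER_NAME_RE.match(n))


def triage(appinit_value, hosts_text, system32_names):
    return {
        "appinit_dlls": appinit_entries(appinit_value),
        "hosts_hijacks": hosts_hijacks(hosts_text),
        "dropper_exes": dropper_named_executables(system32_names),
    }


def collect_live():
    """Read the real values on a Windows host (winreg is Windows-only)."""
    import winreg  # imported here so the pure functions stay portable
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, APPINIT_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "AppInit_DLLs")
    with open(HOSTS_PATH, encoding="latin-1") as fh:
        hosts_text = fh.read()
    return triage(value, hosts_text, os.listdir(SYSTEM32))


# Constructed sample input for running the checks off a Windows box.
SAMPLE_APPINIT = r"C:\WINDOWS\system32\hook_example.dll"   # hypothetical DLL
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.malwarebytes.org      # constructed: blocks a cleaner's site
203.0.113.7     www.google.com            # constructed: search redirect
"""
SAMPLE_SYSTEM32 = ["kernel32.dll", "29358.exe", "11478.exe", "calc.exe", "notepad.exe"]

if __name__ == "__main__":
    result = collect_live() if sys.platform == "win32" else triage(
        SAMPLE_APPINIT, SAMPLE_HOSTS, SAMPLE_SYSTEM32)
    for key, hits in result.items():
        print(f"{key}: {hits}")
```

The script reports and removes nothing. A non-empty AppInit_DLLs is not automatically malicious (some legitimate products use it), so check the DLL's signature and vendor before clearing it; the thread's `=-` followed by `=""` deletes the value and recreates it empty, which is the stock XP state. Note also that in this thread the redirects survived the hosts reset, which is why the helper moved on to a deeper scan: a clean hosts file rules out only one redirect mechanism.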

Re: possible malware remaining

Post by viruskill on Thu Dec 31, 2009 10:13 pm

hi,

not sure what "c:/S" is...looks like the file was created a few days ago, around the time all the virus stuff started...should i just delete it?

in the meantime i will follow the previously posted instructions.

thanks.


Re: possible malware remaining

Post by Belahzur on Thu Dec 31, 2009 10:15 pm

Yes, delete it too, standing by for OTM log.


Re: possible malware remaining

Post by viruskill on Thu Dec 31, 2009 10:25 pm

i had to reboot and was not able to copy the log...should i just run the program again?

the "s" file deleted with no problems.


Re: possible malware remaining

Post by Belahzur on Thu Dec 31, 2009 10:26 pm

The log should be automatically saved here:

C:\OTM\logfile-time-and-date.log


Re: possible malware remaining

Post by viruskill on Thu Dec 31, 2009 10:27 pm

sorry, should have thought of that.

========== FILES ==========
c:\windows\system32\29358.exe moved successfully.
c:\windows\system32\11478.exe moved successfully.
c:\windows\system32\15724.exe moved successfully.
c:\windows\system32\19169.exe moved successfully.
c:\windows\system32\26500.exe moved successfully.
c:\windows\system32\6334.exe moved successfully.
c:\windows\system32\18467.exe moved successfully.
c:\windows\E88D4.exe moved successfully.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\\"AppInit_DLLs"|"" /E : value set successfully!
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTM by OldTimer - Version 3.1.4.0 log created on 12312009_171728


Re: possible malware remaining

Post by Belahzur on Thu Dec 31, 2009 10:31 pm

We can remove OTMoveIt now.

  • Please double-click OTM.exe to run it again.
  • Press the green CleanUp! button.
  • Press Yes at the cleanup process prompt, and do the same for the reboot prompt.
How is the machine running now?


Re: possible malware remaining

Post by viruskill on Thu Dec 31, 2009 10:40 pm

i noticed OT "failed to delete" certain files when it was in the process of the cleanup...is that normal?

my internet is still directing me to ad sites however.

eg: searching then clicking a link for nhl.com directed me to ask.com


Re: possible malware remaining

Post by Belahzur on Thu Dec 31, 2009 10:41 pm

Ugh, patched files are annoying.

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:
    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


Re: possible malware remaining

Post by viruskill on Thu Dec 31, 2009 11:18 pm

hey Bel, hopefully you're still lurking:

ComboFix 09-12-31.06 - Chris 31/12/2009 18:02:01.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1618 [GMT -5:00]
Running from: c:\documents and settings\Chris\Desktop\Combo-Fix.exe
AV: Norton 360 Premier Edition *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 Premier Edition *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\winitn.dll

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-31 )))))))))))))))))))))))))))))))
.

2009-12-31 21:10 . 2009-12-31 21:10 -------- d-----w- c:\program files\TrendMicro
2009-12-31 03:58 . 2009-12-31 03:58 -------- d-----w- c:\documents and settings\Chris\Local Settings\Application Data\Opera
2009-12-31 03:58 . 2009-12-31 03:58 -------- d-----w- c:\program files\Opera
2009-12-28 17:37 . 2009-12-28 17:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-12-28 01:24 . 2009-12-28 01:24 -------- d-----w- c:\documents and settings\Chris\Application Data\Malwarebytes
2009-12-28 01:24 . 2009-12-30 19:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-28 01:24 . 2009-12-28 01:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-28 01:24 . 2009-12-30 19:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-28 01:24 . 2009-12-31 21:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-28 00:32 . 2009-12-28 00:32 -------- d-----r- c:\program files\Norton Support
2009-12-27 23:02 . 2009-12-27 23:02 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-12-27 23:02 . 2009-12-27 23:02 107368 ----a-r- c:\windows\system32\GEARAspi.dll
2009-12-27 23:02 . 2009-12-27 23:02 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys
2009-12-27 23:02 . 2009-12-27 23:04 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-12-27 23:02 . 2009-12-27 23:02 -------- d-----w- c:\program files\Symantec
2009-12-27 23:02 . 2009-12-27 23:02 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-12-27 23:02 . 2009-12-27 23:02 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-12-27 23:01 . 2009-12-27 23:01 -------- d-----w- c:\windows\system32\drivers\N360
2009-12-27 23:01 . 2009-12-27 23:02 -------- d-----w- c:\program files\Norton 360 Premier Edition
2009-12-27 23:01 . 2009-12-27 23:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-12-27 23:00 . 2009-12-27 23:01 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-12-27 23:00 . 2009-12-27 23:00 -------- d-----w- c:\program files\NortonInstaller
2009-12-27 04:35 . 2009-12-27 04:35 -------- d-----w- c:\documents and settings\Chris\Application Data\AVG8
2009-12-27 04:27 . 2009-12-27 04:27 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-12-27 03:55 . 2009-12-27 03:55 -------- d-----w- c:\documents and settings\Chris\Application Data\Applied Acoustics Systems
2009-12-27 03:24 . 2009-12-27 03:24 -------- d-----w- c:\program files\setupdir
2009-12-27 03:05 . 1999-12-17 15:13 86016 ----a-w- c:\windows\unvise32.exe
2009-12-27 02:10 . 2009-12-27 02:10 -------- d-----w- c:\program files\WGINST.000
2009-12-27 01:45 . 2009-12-27 01:45 -------- d-----w- c:\program files\SOUNDS
2009-12-27 01:45 . 2009-12-27 01:45 -------- d-----w- c:\program files\SYNTHS
2009-12-27 01:45 . 2009-12-27 01:45 -------- d-----w- c:\program files\PRESETS
2009-12-27 01:23 . 2009-12-27 01:24 -------- d-----w- c:\documents and settings\Chris\Application Data\Anvil Studio
2009-12-27 01:08 . 1998-02-07 02:37 299520 ----a-w- c:\windows\uninst.exe
2009-12-27 01:08 . 2009-12-27 01:08 -------- d-----w- c:\documents and settings\Chris\WINDOWS
2009-12-24 00:27 . 2009-12-28 18:36 -------- d-----w- c:\program files\Google
2009-12-16 12:50 . 2009-12-16 12:50 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2009-12-16 12:47 . 2009-12-16 12:51 77349 ----a-w- c:\windows\hpqins05.dat
2009-12-16 12:43 . 2009-12-23 13:29 -------- d-----w- c:\documents and settings\Chris\Application Data\HpUpdate
2009-12-16 12:42 . 2009-12-16 12:42 -------- d-----w- c:\windows\Hewlett-Packard
2009-12-16 12:40 . 2009-12-16 12:39 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-13 16:27 . 2009-12-13 16:27 -------- d-----w- c:\documents and settings\Chris\Application Data\HP
2009-12-13 16:17 . 2009-12-13 16:17 -------- d-----w- c:\documents and settings\Chris\Local Settings\Application Data\HP
2009-12-13 16:16 . 2007-01-17 16:37 16496 ----a-r- c:\windows\system32\drivers\HPZipr12.sys
2009-12-13 16:16 . 2007-01-17 16:37 49920 ----a-r- c:\windows\system32\drivers\HPZid412.sys
2009-12-13 16:16 . 2009-12-13 16:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2009-12-13 16:16 . 2007-11-06 00:06 278016 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpzpp5mu.dll
2009-12-13 16:16 . 2007-11-07 02:10 271704 ----a-r- c:\windows\system32\hpzids01.dll
2009-12-13 16:16 . 2007-11-06 00:07 118272 ----a-w- c:\windows\system32\hpz3l5mu.dll
2009-12-13 16:16 . 2007-01-17 16:37 21568 ----a-r- c:\windows\system32\drivers\HPZius12.sys
2009-12-13 16:15 . 2007-10-31 10:35 729088 ----a-r- c:\windows\system32\hpwwiax4.dll
2009-12-13 16:15 . 2007-10-31 10:35 593920 ----a-r- c:\windows\system32\hpwtscl3.dll
2009-12-13 16:15 . 2007-01-17 16:37 364544 ----a-r- c:\windows\system32\hppldcoi.dll
2009-12-13 16:15 . 2007-01-17 16:37 309760 ----a-r- c:\windows\system32\difxapi.dll
2009-12-13 16:15 . 2007-01-17 16:31 294912 ----a-r- c:\windows\system32\hpovst11.dll
2009-12-13 16:05 . 2009-12-17 20:49 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2009-12-13 16:04 . 2009-12-13 16:04 -------- d-----w- c:\program files\Common Files\HP
2009-12-13 16:04 . 2009-12-13 16:04 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2009-12-13 16:04 . 2009-12-13 16:04 -------- d-----w- c:\program files\Hewlett-Packard
2009-12-13 16:03 . 2008-01-07 14:10 10563 ----a-r- c:\windows\hpwscr19.dat
2009-12-13 16:03 . 2007-11-07 02:15 1140056 ----a-r- c:\windows\hpzmsi01.exe
2009-12-13 16:03 . 2007-11-07 02:04 1373528 ----a-r- c:\windows\hpzshl01.exe
2009-12-13 16:03 . 2009-12-13 16:03 -------- d-----w- c:\windows\yellowtail
2009-12-13 16:03 . 2009-12-13 16:06 -------- d-----w- c:\program files\HP
2009-12-13 16:01 . 2009-12-13 16:17 176399 ----a-w- c:\windows\hpwins19.dat
2009-12-13 16:01 . 2008-01-07 14:08 997 ----a-r- c:\windows\hpwmdl19.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-31 23:09 . 2009-10-10 22:56 18064 ----a-w- c:\documents and settings\Chris\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-31 22:14 . 2009-11-16 21:00 -------- d-----w- c:\program files\Java
2009-12-31 21:10 . 2009-12-31 21:10 388096 ----a-r- c:\documents and settings\Chris\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2009-12-28 18:50 . 2009-11-27 14:05 -------- d-----w- c:\documents and settings\Chris\Application Data\vlc
2009-12-28 18:10 . 2009-10-24 02:11 -------- d-----w- c:\program files\VstPlugins
2009-12-27 23:02 . 2009-12-27 23:02 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-12-27 23:02 . 2009-12-27 23:02 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-12-27 23:02 . 2009-12-27 23:02 1291104 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\SyKnAppS.dll
2009-12-27 23:02 . 2009-12-27 23:02 136840 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\patch25.dll
2009-12-27 23:02 . 2009-12-27 23:02 771440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\CLT\cltLMSx.dll
2009-12-27 08:51 . 2009-12-31 18:06 84912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20091230.055\NAVENG.SYS
2009-12-27 08:51 . 2009-12-31 18:06 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20091230.055\EECTRL.SYS
2009-12-27 08:51 . 2009-12-31 18:06 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20091230.055\CCERASER.DLL
2009-12-27 08:51 . 2009-12-31 18:06 259440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20091230.055\ECMSVR32.DLL
2009-12-27 08:51 . 2009-12-31 18:06 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20091230.055\NAVENG32.DLL
2009-12-27 08:51 . 2009-12-31 18:06 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20091230.055\NAVEX32A.DLL
2009-12-27 08:51 . 2009-12-31 18:06 1323568 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20091230.055\NAVEX15.SYS
2009-12-27 08:51 . 2009-12-31 18:06 102448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20091230.055\ERASER.SYS
2009-12-27 04:22 . 2009-10-10 23:41 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-26 13:49 . 2009-11-17 00:05 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-12-26 13:42 . 2009-10-15 22:42 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-12-24 00:27 . 2009-12-24 00:26 1956528 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2009-12-24 00:26 . 2009-12-24 00:26 1975408 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\GoogleToolbarInstaller_en32_signed.exe
2009-12-16 12:38 . 2009-12-16 12:38 152576 ----a-w- c:\documents and settings\Chris\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-16 12:37 . 2009-12-16 12:37 79488 ----a-w- c:\documents and settings\Chris\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-04 14:27 . 2009-12-04 14:27 305944 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgaspmx.dll
2009-11-26 16:08 . 2009-10-31 14:11 -------- d-----w- c:\program files\VLC
2009-11-26 04:40 . 2009-10-24 16:20 -------- d-----w- c:\program files\DOSBox
2009-11-25 23:30 . 2009-10-20 00:59 -------- d-----w- c:\documents and settings\Chris\Application Data\Nero
2009-11-20 14:16 . 2009-11-20 14:16 3963160 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2009-11-20 14:16 . 2009-11-20 14:16 844056 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2009-11-17 00:06 . 2009-12-10 23:22 1074456 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcmgr.exe
2009-11-17 00:06 . 2009-12-10 23:22 2352920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgresf.dll
2009-11-17 00:06 . 2009-12-10 23:22 3293976 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgdiagex.exe
2009-11-17 00:06 . 2009-12-10 23:22 1946392 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgapix.dll
2009-11-17 00:06 . 2009-12-10 23:21 798488 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avginet.dll
2009-11-17 00:06 . 2009-11-17 13:32 610072 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2009-11-17 00:06 . 2009-12-10 23:22 502040 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgrsx.exe
2009-11-17 00:06 . 2009-11-17 13:33 360584 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2009-11-17 00:06 . 2009-12-10 23:22 1494088 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgwd.dll
2009-11-17 00:06 . 2009-12-10 23:22 744728 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgscanx.exe
2009-11-17 00:06 . 2009-12-10 23:22 562456 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgsrmx.dll
2009-11-17 00:06 . 2009-12-10 23:22 361752 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgsrmax.exe
2009-11-17 00:05 . 2009-11-17 00:05 -------- d-----w- c:\program files\AVG
2009-11-04 01:35 . 2009-11-04 01:33 -------- d-----w- c:\program files\Acoustica Beatcraft
2009-11-04 01:33 . 2009-11-04 01:33 -------- d-----w- c:\program files\Acoustica Shared Effects
2009-10-29 07:45 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-28 22:37 . 2009-12-28 00:58 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091217.002\IDSvix86.sys
2009-10-28 22:37 . 2009-12-28 00:58 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091217.002\IDSXpx86.sys
2009-10-28 22:37 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSvix86.sys
2009-10-28 22:37 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSXpx86.sys
2009-10-28 22:37 . 2009-12-28 00:58 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091217.002\Scxpx86.dll
2009-10-28 22:37 . 2009-12-28 00:58 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091217.002\IDSxpx86.dll
2009-10-28 22:37 . 2009-12-28 00:58 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091217.002\IDSviA64.sys
2009-10-28 22:37 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\Scxpx86.dll
2009-10-28 22:37 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSxpx86.dll
2009-10-28 22:37 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSviA64.sys
2009-10-21 05:38 . 2008-04-14 12:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2008-04-14 12:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2008-04-14 12:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-15 22:42 . 2009-10-15 22:43 38208 ----a-w- c:\documents and settings\Chris\Application Data\Macromedia\Flash Player\[You must be registered and logged in to see this link.]
2009-10-15 22:42 . 2009-10-15 22:42 38208 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\[You must be registered and logged in to see this link.]
2009-10-15 22:42 . 2009-10-15 22:42 15840168 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\selfextractor_air_1.5.2.exe
2009-10-15 22:42 . 2009-10-15 22:42 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-10-15 01:58 . 2009-10-15 01:57 90112 ----a-w- c:\windows\system32\agsaami.dll
2009-10-15 01:58 . 2009-10-15 01:57 610304 ----a-w- c:\windows\system32\agsaamg.dll
2009-10-15 01:58 . 2009-10-15 01:57 372736 ----a-w- c:\windows\system32\agsaamc.dll
2009-10-15 01:58 . 2009-10-15 01:57 2535424 ----a-w- c:\windows\system32\agsaamj.dll
2009-10-15 01:12 . 2009-10-15 01:12 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-10-15 01:12 . 2009-10-15 01:12 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-10-13 10:30 . 2008-04-14 12:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 15:09 . 2009-10-10 22:51 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-10-12 13:38 . 2008-04-14 12:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2008-04-14 12:00 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-11 00:48 . 2009-10-11 00:48 0 ----a-w- c:\windows\ativpsrm.bin
2009-10-10 22:48 . 2009-10-10 22:48 21640 ----a-w- c:\windows\system32\emptyregdb.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-08-14 98304]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 37888]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-10-15 198160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-16 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-10-14 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2004-6-23 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Opera\\opera.exe"=

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0305020.00B\SymEFA.sys [27/12/2009 6:02 PM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\N360\0305020.00B\BHDrvx86.sys [27/12/2009 6:02 PM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0305020.00B\cchpx86.sys [27/12/2009 6:02 PM 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091217.002\IDSXpx86.sys [27/12/2009 7:58 PM 329592]
R2 N360;Norton 360;c:\program files\Norton 360 Premier Edition\Engine\3.5.2.11\ccSvcHst.exe [27/12/2009 6:02 PM 117640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [27/12/2009 3:51 AM 102448]
R3 TASCAM_US122144;TASCAM USB 2.0 Audio Device driver;c:\windows\system32\drivers\tascusb2.sys [10/10/2009 7:52 PM 367616]
R3 TASCAM_US122L_MIDI;TASCAM US-122L WDM MIDI Device;c:\windows\system32\drivers\tscusb2m.sys [10/10/2009 7:52 PM 18944]
R3 TASCAM_US122L_WDM;TASCAM US-122L WDM;c:\windows\system32\drivers\tscusb2a.sys [10/10/2009 7:52 PM 33792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Run-SysTrayApp - c:\program files\IDT\WDM\sttray.exe
MSConfigStartUp-uTorrent - c:\program files\uTorrent\uTorrent.exe
AddRemove-MIDInight Express II - c:\program files\MIDInight Express II\DeIsL1.isu



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-12-31 18:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360 Premier Edition\Engine\3.5.2.11\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360 Premier Edition\Engine\3.5.2.11\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(988)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(848)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
.
**************************************************************************
.
Completion time: 2009-12-31 18:15:34 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-31 23:15

Pre-Run: 39,895,220,224 bytes free
Post-Run: 39,912,689,664 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 03E230C924CDE37E0F42C30165C864E3


Re: possible malware remaining

Post by viruskill on Thu Dec 31, 2009 11:32 pm

So things SEEM to be working now... is there anything else you would like me to do???


Re: possible malware remaining

Post by Belahzur on Thu Dec 31, 2009 11:36 pm

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

How is the machine running now?





Re: possible malware remaining

Post by viruskill on Thu Dec 31, 2009 11:40 pm

Everything seems OK at the moment... any advice/recs for me to keep things running smoothly???


Re: possible malware remaining

Post by Belahzur on Thu Dec 31, 2009 11:41 pm

We need to make a new restore point.

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to turn off System Restore.

Now we need to make a new restore point.
To turn on System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (To turn on System Restore), and then click OK.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]
I also recommend the following add-ons for Firefox; they will help keep you safe from malicious scripts or ActiveX exploits.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please consider using this free program that will check for program updates.
[You must be registered and logged in to see this link.]

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or
[You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found [You must be registered and logged in to see this link.].

Hopefully this should take care of your problems! Good luck.




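The System Restore reset described in the post above, scripted as an added example (this is not part of Belahzur's post or of any tool mentioned in the thread). It assumes PowerShell 2.0 is installed on the XP SP3 machine, that it is run from an administrator account, and that Windows lives on C:.

```powershell
# Added example: discard the old restore points (any of them may carry the
# infection) and create one clean checkpoint, mirroring the GUI steps above.
# Assumptions: PowerShell 2.0 on XP SP3, administrator account, Windows on C:.
$drive = "C:\"

# Turning System Restore off deletes every existing restore point.
Disable-ComputerRestore -Drive $drive

# Turning it back on starts with an empty set of restore points.
Enable-ComputerRestore -Drive $drive

# Create the known-good checkpoint now that the cleanup is finished.
Checkpoint-Computer -Description "Clean after malware removal" `
                    -RestorePointType "MODIFY_SETTINGS"

# Verify: only the checkpoint just created should be listed.
Get-ComputerRestorePoint |
    Format-Table SequenceNumber, CreationTime, Description -AutoSize
```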

Re: possible malware remaining

Post by viruskill on Thu Dec 31, 2009 11:46 pm

Thanks man, I'll link the GeekPolice from all my metal band sites!!
