Malware.Trace

View previous topic View next topic Go down

Malware.Trace

Post by bellyboy on Tue 17 Aug 2010, 5:28 am

I use Malwarebytes Anti-Malware. It shows an infection ("Malware.trace") in the Registry Key. I clicke REMOVE, and it says it was removed. But, subsequent scans show the same infected file.

bellyboy

Newbie Surfer
Newbie Surfer

Posts : 13
Joined : 2010-08-17
Operating System : Windows XP Pro Version 2002 Service Pack 3

View user profile

Back to top Go down

Re: Malware.Trace

Post by Belahzur on Tue 17 Aug 2010, 10:48 am

Hello.

Download OTL by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe
  • Click Run Scan and let the program run uninterrupted
  • It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
  • You may need to use two posts to get it all.


@RealBelahzur - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur

Manager | Tech Officer
Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre

View user profile

Back to top Go down

[OTL.txt] Log from Pop-up

Post by bellyboy on Wed 18 Aug 2010, 2:09 am

Here is pop-up window log:
=======================================
OTL logfile created on: 8/17/2010 9:42:58 AM - Run 1
OTL by OldTimer - Version 3.2.10.0 Folder = C:\Documents and Settings\pray\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 459.00 Mb Available Physical Memory | 45.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 91.00% Paging File free
Paging file location(s): C:\pagefile.sys 3072 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.21 Gb Total Space | 20.54 Gb Free Space | 55.20% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: IRVPN1
Current User Name: pray
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/08/17 09:42:15 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\pray\Desktop\OTL.exe
PRC - [2009/03/05 16:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2008/10/15 01:04:34 | 000,039,792 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
PRC - [2008/09/30 17:41:14 | 000,125,368 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\VPTray.exe
PRC - [2008/09/30 17:41:04 | 001,956,792 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe
PRC - [2008/09/30 17:40:56 | 000,031,160 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe
PRC - [2008/06/24 18:17:38 | 000,169,320 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
PRC - [2008/06/24 18:17:36 | 000,191,848 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
PRC - [2008/06/24 18:17:34 | 000,053,096 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/07/26 19:25:20 | 001,181,016 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
PRC - [2007/04/25 10:12:00 | 000,759,408 | ---- | M] (Shavlik Technologies) -- C:\WINDOWS\ProPatches\Scheduler\stSchedEx.exe
PRC - [2006/07/21 05:00:00 | 000,098,304 | R--- | M] (Hewlett-Packard) -- C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
PRC - [2006/04/04 11:45:22 | 000,689,776 | ---- | M] () -- C:\WINDOWS\ProPatches\Scheduler\stAgent.exe
PRC - [2004/12/17 10:00:00 | 000,118,784 | ---- | M] (WinZip Computing, Inc.) -- C:\Program Files\WinZip\WZQKPICK.EXE
PRC - [2003/06/27 01:21:22 | 000,868,352 | ---- | M] (Roxio) -- C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe


========== Modules (SafeList) ==========

MOD - [2010/08/17 09:42:15 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\pray\Desktop\OTL.exe
MOD - [2008/04/14 05:40:22 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2008/09/30 17:41:08 | 000,116,664 | ---- | M] (symantec) [On_Demand | Stopped] -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam)
SRV - [2008/09/30 17:41:04 | 001,956,792 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2008/09/30 17:40:56 | 000,031,160 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch)
SRV - [2008/08/20 15:50:30 | 000,214,408 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc)
SRV - [2008/06/24 18:17:38 | 000,169,320 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)
SRV - [2008/06/24 18:17:36 | 000,191,848 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)
SRV - [2007/09/12 18:27:24 | 002,999,664 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE -- (LiveUpdate)
SRV - [2007/07/26 19:25:20 | 001,181,016 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc)
SRV - [2007/04/25 10:12:00 | 000,759,408 | ---- | M] (Shavlik Technologies) [Auto | Running] -- C:\WINDOWS\ProPatches\Scheduler\stSchedEx.exe -- (Shavlik Scheduler)
SRV - [2006/04/04 11:45:22 | 000,689,776 | ---- | M] () [Auto | Running] -- C:\WINDOWS\ProPatches\Scheduler\stAgent.exe -- (stAgent)


========== Driver Services (SafeList) ==========

DRV - [2010/07/15 03:00:00 | 001,362,608 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100814.002\NAVEX15.SYS -- (NAVEX15)
DRV - [2010/07/15 03:00:00 | 000,085,424 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100814.002\NAVENG.SYS -- (NAVENG)
DRV - [2010/06/17 03:00:00 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2010/05/30 03:00:00 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2008/10/23 15:04:49 | 000,123,952 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2008/08/20 15:50:02 | 000,188,808 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI)
DRV - [2008/08/20 15:49:56 | 000,023,944 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)
DRV - [2008/05/28 11:31:24 | 000,337,280 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\savrt.sys -- (SAVRT)
DRV - [2008/05/28 11:31:24 | 000,054,656 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\Savrtpel.sys -- (SAVRTPEL)
DRV - [2007/07/26 19:25:18 | 000,400,216 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2007/07/23 15:05:20 | 000,009,104 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLADResM.SYS -- (DLADResM)
DRV - [2007/07/23 15:04:58 | 000,037,360 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLABMFSM.SYS -- (DLABMFSM)
DRV - [2007/07/23 15:04:56 | 000,098,448 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2007/07/23 15:04:56 | 000,093,552 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2007/07/23 15:04:54 | 000,027,216 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2007/07/23 15:04:52 | 000,032,848 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2007/07/23 15:04:52 | 000,016,304 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2007/07/23 15:04:50 | 000,108,752 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2007/07/23 14:55:44 | 000,099,808 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS -- (DRVMCDB)
DRV - [2007/07/23 14:49:44 | 000,030,064 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_M.SYS -- (DLARTL_M)
DRV - [2007/07/23 14:49:44 | 000,014,576 | ---- | M] (Roxio) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2007/07/23 14:43:42 | 000,052,000 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DRVNDDM.SYS -- (DRVNDDM)
DRV - [2007/06/20 03:00:00 | 000,009,200 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\cdralw2k.sys -- (Cdralw2k)
DRV - [2007/06/20 03:00:00 | 000,009,072 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\cdr4_xp.sys -- (Cdr4_xp)
DRV - [2004/08/03 17:29:56 | 001,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2003/06/27 01:21:24 | 000,213,120 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\UdfReadr_xp.sys -- (UdfReadr_xp)
DRV - [2003/06/27 01:21:24 | 000,118,409 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\pwd_2K.sys -- (pwd_2k)
DRV - [2003/06/27 01:21:24 | 000,022,745 | ---- | M] (Roxio) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\Mmc_2k.sys -- (mmc_2K)
DRV - [2003/06/27 01:21:24 | 000,021,993 | ---- | M] (Roxio) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\Dvd_2k.sys -- (dvd_2K)
DRV - [2003/06/27 01:21:22 | 000,259,328 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\Cdudf_xp.sys -- (cdudf_xp)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.0
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.2.2
FF - prefs.js..extensions.enabledItems: {bee6eb20-01e0-ebd1-da83-080329fb9a3a}:0.1
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:2.0
FF - prefs.js..extensions.enabledItems: {c0c9a2c7-2e5c-4447-bc53-97718bc91e1b}:2.1

FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/01/29 15:57:11 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/07/07 16:21:42 | 000,000,000 | ---D | M]

[2010/01/29 15:57:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\pray\Application Data\Mozilla\Extensions
[2010/03/18 12:58:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\pray\Application Data\Mozilla\Firefox\Profiles\cvkfbnti.default\extensions
[2010/01/29 16:04:29 | 000,000,000 | ---D | M] (Flash and Video Download) -- C:\Documents and Settings\pray\Application Data\Mozilla\Firefox\Profiles\cvkfbnti.default\extensions\{bee6eb20-01e0-ebd1-da83-080329fb9a3a}
[2010/01/29 16:04:28 | 000,000,000 | ---D | M] (Easy Youtube Video Downloader) -- C:\Documents and Settings\pray\Application Data\Mozilla\Firefox\Profiles\cvkfbnti.default\extensions\{c0c9a2c7-2e5c-4447-bc53-97718bc91e1b}
[2010/01/29 16:04:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\pray\Application Data\Mozilla\Firefox\Profiles\cvkfbnti.default\extensions\anttoolbar@ant.com
[2010/03/08 10:26:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\pray\Application Data\Mozilla\Firefox\Profiles\cvkfbnti.default\extensions\YoutubeDownloader@PeterOlayev.com
[2010/08/11 17:19:35 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/08/16 13:52:38 | 000,416,656 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 193.169.12.8 nosd.info
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
O1 - Hosts: 14382 more lines...
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe (Hewlett-Packard)
O4 - HKLM..\Run: [RoxioDragToDisc] C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe (Roxio)
O4 - HKLM..\Run: [RoxioEngineUtility] C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe (Roxio)
O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKCU..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\FlashUtil10h_ActiveX.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE (WinZip Computing, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O15 - HKCU\..Trusted Domains: intranet ([]http in Local intranet)
O15 - HKCU\..Trusted Domains: l-3comcept.com ([intranet] http in Local intranet)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} [You must be registered and logged in to see this link.] (SysProWmi Class)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} [You must be registered and logged in to see this link.] (Office Genuine Advantage Validation Tool)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} [You must be registered and logged in to see this link.] (Office Update Installation Engine)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} [You must be registered and logged in to see this link.] (WUWebControl Class)
O16 - DPF: {7D41E608-A87D-4802-8DEE-3ECBFE9B82E3} [You must be registered and logged in to see this link.] (BrowserHelper.Settings)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_17)
O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} [You must be registered and logged in to see this link.] (Office Update Installation Engine)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-0015-0000-0016-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.5.0_16)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_01)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_17)
O16 - DPF: {D76D7136-4A96-11D3-BD95-D296DC2DD072} [You must be registered and logged in to see this link.] (:-) VideoSoft FlexGrid 7.0 (DAO/RDO))
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.10.10.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/02/23 10:08:16 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/08/17 09:42:12 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\pray\Desktop\OTL.exe
[2010/08/16 13:39:50 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/08/16 13:39:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2010/08/16 13:32:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/08/12 14:47:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\pray\Application Data\Roxio
[2010/08/11 16:59:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\pray\Local Settings\Application Data\Windows Server
[2010/07/26 13:28:53 | 000,017,792 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ppa.sys
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/08/17 09:42:15 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\pray\Desktop\OTL.exe
[2010/08/17 09:41:18 | 008,126,464 | -H-- | M] () -- C:\Documents and Settings\pray\NTUSER.DAT
[2010/08/17 09:27:28 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/08/17 09:27:23 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/08/16 16:58:29 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\pray\ntuser.ini
[2010/08/16 13:52:38 | 000,416,656 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/08/16 13:40:04 | 000,000,933 | ---- | M] () -- C:\Documents and Settings\pray\Desktop\Spybot - Search & Destroy.lnk
[2010/08/16 12:44:24 | 005,362,546 | -H-- | M] () -- C:\Documents and Settings\pray\Local Settings\Application Data\IconCache.db
[2010/08/16 09:20:00 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/08/12 14:03:46 | 000,132,608 | ---- | M] () -- C:\Documents and Settings\pray\My Documents\Where to look.doc
[2010/08/10 15:34:58 | 000,000,200 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\BSOG e-Portal.url
[2010/07/26 09:10:00 | 000,048,128 | ---- | M] () -- C:\Documents and Settings\pray\Desktop\60_John Lewis.doc
[2010/07/26 09:06:10 | 000,038,400 | ---- | M] () -- C:\Documents and Settings\pray\Desktop\61_Greg Mahoney_Gary Nelson.doc
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/08/16 13:40:04 | 000,000,933 | ---- | C] () -- C:\Documents and Settings\pray\Desktop\Spybot - Search & Destroy.lnk
[2010/08/12 14:03:38 | 000,132,608 | ---- | C] () -- C:\Documents and Settings\pray\My Documents\Where to look.doc
[2010/08/10 15:18:37 | 000,048,128 | ---- | C] () -- C:\Documents and Settings\pray\Desktop\60_John Lewis.doc
[2010/08/10 15:18:37 | 000,038,400 | ---- | C] () -- C:\Documents and Settings\pray\Desktop\61_Greg Mahoney_Gary Nelson.doc
[2010/05/17 15:11:39 | 000,000,234 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2010/05/17 11:52:09 | 000,000,007 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\DragToDiscUserNameD.txt
[2010/01/29 16:19:40 | 000,018,432 | ---- | C] () -- C:\Documents and Settings\pray\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/01/29 16:19:21 | 000,178,176 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2010/01/29 16:19:20 | 000,000,038 | ---- | C] () -- C:\WINDOWS\avisplitter.ini
[2010/01/29 16:19:18 | 000,881,664 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2010/01/29 16:19:18 | 000,205,824 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2010/01/29 16:19:16 | 000,085,504 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2010/01/29 16:19:16 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2009/03/03 12:29:48 | 000,106,496 | R--- | C] () -- C:\WINDOWS\System32\vshp1020.dll
[2008/10/23 15:49:46 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\VPN.dll
[2007/03/05 14:34:28 | 000,676,224 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
[2006/02/23 17:57:08 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/02/23 16:32:21 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/02/23 16:20:32 | 000,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2006/02/23 10:57:32 | 000,126,976 | ---- | C] () -- C:\WINDOWS\System32\e1000msg.dll
[2006/02/08 21:52:14 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2005/04/16 01:42:00 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\aalog2xml.dll
[2005/02/26 14:21:00 | 005,533,696 | ---- | C] () -- C:\WINDOWS\System32\qt-mt333.dll
[2005/02/18 00:42:26 | 000,196,096 | ---- | C] () -- C:\WINDOWS\System32\reffileinfo.dll
[2004/11/20 14:17:36 | 000,950,272 | ---- | C] () -- C:\WINDOWS\System32\ice20.dll
[2004/11/20 14:12:26 | 000,102,400 | ---- | C] () -- C:\WINDOWS\System32\iceutil20.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
@Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >

bellyboy

Newbie Surfer
Newbie Surfer

Posts : 13
Joined : 2010-08-17
Operating System : Windows XP Pro Version 2002 Service Pack 3

View user profile

Back to top Go down

[Extras.Txt] Log from Other File

Post by bellyboy on Wed 18 Aug 2010, 2:10 am

OTL Extras logfile created on: 8/17/2010 9:42:58 AM - Run 1
OTL by OldTimer - Version 3.2.10.0 Folder = C:\Documents and Settings\pray\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 459.00 Mb Available Physical Memory | 45.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 91.00% Paging File free
Paging file location(s): C:\pagefile.sys 3072 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.21 Gb Total Space | 20.54 Gb Free Space | 55.20% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: IRVPN1
Current User Name: pray
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0394CDC8-FABD-4ED8-B104-03393876DFDF}" = Roxio Creator Tools
"{07159635-9DFE-4105-BFC0-2817DB540C68}" = Roxio Activation Module
"{0D397393-9B50-4C52-84D5-77E344289F87}" = Roxio Creator Data
"{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java(TM) 6 Update 17
"{2F4C24E6-CBD4-4AAC-B56F-C9FD44DE5668}" = Roxio Drag-to-Disc
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0150160}" = J2SE Runtime Environment 5.0 Update 16
"{3248F0A8-6813-11D6-A77B-00B0D0160010}" = Java(TM) SE Runtime Environment 6 Update 1
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java(TM) 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java(TM) 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{46DDF76F-ACD4-42BC-B48F-B89C4EE2E1A9}" = Easy CD & DVD Creator 6
"{5C8AE145-C9F7-4883-9750-7ECD2B41CCCA}" = Linksys VPN Client
"{619CDD8A-14B6-43A1-AB6C-0F4EE48CE048}" = Roxio Creator Copy
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3
"{83FFCFC7-88C6-41C6-8752-958A45325C82}" = Roxio Creator Audio
"{8D337F77-BE7F-41A2-A7CB-D5A63FD7049B}" = Sonic CinePlayer Decoder Pack
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.4
"{AD8A1013-4E46-4E02-85C2-3168C3328432}" = Symantec AntiVirus
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}" = Roxio Creator DE
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D642E38E-0D24-486C-9A2D-E316DD696F4B}" = Microsoft XML Parser
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"HP-LaserJet 1020 series" = LaserJet 1020 series
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"KLiteCodecPack_is1" = K-Lite Codec Pack 5.6.1 (Full)
"LiveUpdate" = LiveUpdate 3.2 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6)" = Mozilla Firefox (3.6)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"OrderReminder HP LaserJet 1020" = OrderReminder HP LaserJet 1020
"PROSet" = Intel(R) PRO Network Adapters and Drivers
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinZip" = WinZip
"WinZip Companion for Outlook" = WinZip Companion for Outlook
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== Last 10 Event Log Errors ==========

Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

< End of report >

bellyboy

Newbie Surfer
Newbie Surfer

Posts : 13
Joined : 2010-08-17
Operating System : Windows XP Pro Version 2002 Service Pack 3

View user profile

Back to top Go down

Re: Malware.Trace

Post by Belahzur on Wed 18 Aug 2010, 3:26 am

Hello.

Please run OTL.exe.

  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :OTL
    [2010/08/11 16:59:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\pray\Local Settings\Application Data\Windows Server



  • Return to OTL, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.

  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTL.exe
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


@RealBelahzur - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur

Manager | Tech Officer
Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre

View user profile

Back to top Go down

Re: Malware.Trace

Post by bellyboy on Wed 18 Aug 2010, 3:45 am

Thanks for much for your assistance. The computer rebooted, after which a notepad window appeared. I was reading it (the first line was about something that failed to move, and the second line indicated a move was successful). Suddenly, the computer rebooted again. So, I am uncertain where to get the fix log to paste it here.

bellyboy

Newbie Surfer
Newbie Surfer

Posts : 13
Joined : 2010-08-17
Operating System : Windows XP Pro Version 2002 Service Pack 3

View user profile

Back to top Go down

Re: Malware.Trace

Post by bellyboy on Wed 18 Aug 2010, 6:01 am

Since I was unable to capture the fix log on the initial attempt (because of the reboot mentioned above), I ran it again and it generated this:

========== OTL ==========
Folder C:\Documents and Settings\pray\Local Settings\Application Data\Windows Server\ not found.

OTL by OldTimer - Version 3.2.10.0 log created on 08172010_140005

bellyboy

Newbie Surfer
Newbie Surfer

Posts : 13
Joined : 2010-08-17
Operating System : Windows XP Pro Version 2002 Service Pack 3

View user profile

Back to top Go down

Re: Malware.Trace

Post by bellyboy on Wed 18 Aug 2010, 9:10 am

Additional note:

After a Malwarebytes Anti-Malware scan, I was prompted to restart the computer...and it entered a near-perpetual rebooting cycle. It would pop up a window of "Winlogon.exe - Application Error" and want to reboot. [GRRRRRR!]

bellyboy

Newbie Surfer
Newbie Surfer

Posts : 13
Joined : 2010-08-17
Operating System : Windows XP Pro Version 2002 Service Pack 3

View user profile

Back to top Go down

Re: Malware.Trace

Post by Belahzur on Wed 18 Aug 2010, 11:55 am

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


@RealBelahzur - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur

Manager | Tech Officer
Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre

View user profile

Back to top Go down

Re: Malware.Trace

Post by bellyboy on Thu 19 Aug 2010, 12:45 am

Here is the MBAM log. Though it claims the infection has been quarantined and deleted successfully, after rebooting, it will appear again in subsequent scans.

==========================

Malwarebytes' Anti-Malware 1.46
[You must be registered and logged in to see this link.]

Database version: 4445

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

8/18/2010 8:43:00 AM
mbam-log-2010-08-18 (08-43-00).txt

Scan type: Quick scan
Objects scanned: 208051
Time elapsed: 21 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\WinServers (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

bellyboy

Newbie Surfer
Newbie Surfer

Posts : 13
Joined : 2010-08-17
Operating System : Windows XP Pro Version 2002 Service Pack 3

View user profile

Back to top Go down

Re: Malware.Trace

Post by Belahzur on Thu 19 Aug 2010, 8:53 am

Hello.

  • Download combofix from here
    Link 1
    Link 2

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:





    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See HERE for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes



  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


@RealBelahzur - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur

Manager | Tech Officer
Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre

View user profile

Back to top Go down

Re: Malware.Trace

Post by bellyboy on Fri 20 Aug 2010, 1:03 am

Here is the log generated by Combo-Fix:

===============================
ComboFix 10-08-18.03 - pray 08/19/2010 8:42.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.501 [GMT -5:00]
Running from: c:\documents and settings\pray\Desktop\Combo-Fix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\fscd.txt
c:\windows\system32\idm.txt
c:\windows\system32\lkd.txt
c:\windows\system32\qs.txt

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe

.
((((((((((((((((((((((((( Files Created from 2010-07-19 to 2010-08-19 )))))))))))))))))))))))))))))))
.

2010-08-17 21:47 . 2010-08-17 21:47 8224 ----a-w- C:\GDIPFONTCACHEV1.DAT
2010-08-17 16:35 . 2010-08-17 16:35 -------- d-----w- C:\_OTL
2010-08-16 18:39 . 2010-08-16 22:01 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-08-16 18:39 . 2010-08-16 18:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-08-16 18:32 . 2010-08-16 18:43 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-08-12 19:47 . 2010-08-12 19:47 -------- d-----w- c:\documents and settings\pray\Application Data\Roxio
2010-07-26 18:28 . 2001-08-17 18:53 17792 -c--a-w- c:\windows\system32\dllcache\ppa.sys
2010-07-26 18:28 . 2001-08-17 18:53 17792 ----a-w- c:\windows\system32\drivers\ppa.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-19 13:56 . 2008-10-23 20:04 -------- d-----w- c:\program files\Symantec AntiVirus
2010-05-28 14:36 . 2010-05-28 14:36 503808 ----a-w- c:\documents and settings\pray\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-366ef5a0-n\msvcp71.dll
2010-05-28 14:36 . 2010-05-28 14:36 499712 ----a-w- c:\documents and settings\pray\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-366ef5a0-n\jmc.dll
2010-05-28 14:36 . 2010-05-28 14:36 348160 ----a-w- c:\documents and settings\pray\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-366ef5a0-n\msvcr71.dll
2010-05-27 17:04 . 2010-05-27 17:04 503808 ----a-w- c:\documents and settings\crolfes\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-1a505808-n\msvcp71.dll
2010-05-27 17:04 . 2010-05-27 17:04 499712 ----a-w- c:\documents and settings\crolfes\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-1a505808-n\jmc.dll
2010-05-27 17:04 . 2010-05-27 17:04 348160 ----a-w- c:\documents and settings\crolfes\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-1a505808-n\msvcr71.dll
2010-05-25 21:14 . 2010-05-25 21:14 503808 ----a-w- c:\documents and settings\tdegen\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-1f491d17-n\msvcp71.dll
2010-05-25 21:14 . 2010-05-25 21:14 499712 ----a-w- c:\documents and settings\tdegen\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-1f491d17-n\jmc.dll
2010-05-25 21:14 . 2010-05-25 21:14 348160 ----a-w- c:\documents and settings\tdegen\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-1f491d17-n\msvcr71.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-02 65536]
"RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-06-27 868352]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-14 149280]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-06-24 53096]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2008-09-30 125368]
"OrderReminder"="c:\program files\Hewlett-Packard\OrderReminder\OrderReminder.exe" [2006-07-21 98304]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2006-2-23 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 ppa;Iomega Parallel Port Filter Driver;c:\windows\system32\drivers\ppa.sys [7/26/2010 1:28 PM 17792]
R2 Shavlik Scheduler;Shavlik Remote Scheduler Service;c:\windows\ProPatches\Scheduler\stSchedEx.exe [3/8/2007 4:07 PM 759408]
R2 stAgent;Shavlik Remote Agent Service;c:\windows\ProPatches\Scheduler\stAgent.exe [3/8/2007 4:07 PM 689776]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [7/5/2010 6:02 AM 102448]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/30/2008 5:41 PM 116664]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {7D41E608-A87D-4802-8DEE-3ECBFE9B82E3} - [You must be registered and logged in to see this link.]
DPF: {D76D7136-4A96-11D3-BD95-D296DC2DD072} - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\pray\Application Data\Mozilla\Firefox\Profiles\cvkfbnti.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

ActiveSetup-{DDE03EA1-6BE6-4388-9045-F4C090909B3E} - bzhcwcio2.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-08-19 08:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1752)
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Easy CD Creator 6\DragToDisc\Shellex.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\program files\Common Files\Roxio Shared\9.0\DLLShared\DLAAPI_W.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\wscntfy.exe
c:\program files\Java\jre6\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2010-08-19 09:01:52 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-19 14:01

Pre-Run: 21,859,770,368 bytes free
Post-Run: 22,618,951,680 bytes free

- - End Of File - - CBCAA0612DB11FA0C6D5EFDFA14D797D

bellyboy

Newbie Surfer
Newbie Surfer

Posts : 13
Joined : 2010-08-17
Operating System : Windows XP Pro Version 2002 Service Pack 3

View user profile

Back to top Go down

Re: Malware.Trace

Post by Sneakyone on Fri 20 Aug 2010, 2:23 pm

Hi.

Please go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.


  • I'm livin' life in the fast lane.


    Sneakyone

    Tech Officer
    Tech Officer

    Posts : 2707
    Joined : 2010-01-10
    Operating System : Windows 7 Ultimate 64-bit

    View user profile http://twitter.com/AVerySneakyone

    Back to top Go down

    Re: Malware.Trace

    Post by bellyboy on Sat 21 Aug 2010, 2:45 am

    Thank you! Here are the results of the scan:

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0: scan report
    Friday, August 20, 2010
    Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Friday, August 20, 2010 07:29:41
    Records in database: 4131583
    --------------------------------------------------------------------------------

    Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

    Scan area - My Computer:
    A:\
    C:\
    D:\

    Scan statistics:
    Objects scanned: 53094
    Threats found: 5
    Infected objects found: 4
    Suspicious objects found: 2
    Scan duration: 01:50:35


    File name / Threat / Threats count
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00FC0000\4CFC8575.VBN Infected: Trojan.Win32.Vilsel.qwm 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01040000\4D671D32.VBN Suspicious: Exploit.HTML.CVE-2010-1885.a 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0ADC0000\4EFEF2A2.VBN Suspicious: Exploit.HTML.CVE-2010-1885.a 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C500000\4F5E24F7.VBN Infected: Trojan.Win32.Agent2.cods 1
    C:\Documents and Settings\crolfes\Application Data\Sun\Java\Deployment\cache\6.0\44\7278e12c-3f10389d Infected: Exploit.Java.Agent.f 1
    C:\Documents and Settings\crolfes\Application Data\Sun\Java\Deployment\cache\6.0\44\7278e12c-3f10389d Infected: Trojan-Downloader.Java.OpenStream.af 1

    Selected area has been scanned.

    bellyboy

    Newbie Surfer
    Newbie Surfer

    Posts : 13
    Joined : 2010-08-17
    Operating System : Windows XP Pro Version 2002 Service Pack 3

    View user profile

    Back to top Go down

    Re: Malware.Trace

    Post by Sneakyone on Sat 21 Aug 2010, 2:33 pm

    Hi.

    Please run OTL.exe.

    • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:


      :Files
      C:\Documents and Settings\crolfes\Application Data\Sun\Java\Deployment\cache\6.0\44\7278e12c-3f10389d

      :commands
      [emptytemp]
      [emptyflash]
      [resethosts]
      [reboot]

    • Return to OTL.exe, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.

    • Click the red Run Fix button.
    • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTL.exe

    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


    I'm livin' life in the fast lane.


    Sneakyone

    Tech Officer
    Tech Officer

    Posts : 2707
    Joined : 2010-01-10
    Operating System : Windows 7 Ultimate 64-bit

    View user profile http://twitter.com/AVerySneakyone

    Back to top Go down

    Re: Malware.Trace

    Post by bellyboy on Tue 24 Aug 2010, 1:41 am

    The log from running OTL.exe:

    All processes killed
    ========== FILES ==========
    C:\Documents and Settings\crolfes\Application Data\Sun\Java\Deployment\cache\6.0\44\7278e12c-3f10389d moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 11910905 bytes
    ->Temporary Internet Files folder emptied: 3423595 bytes
    ->Flash cache emptied: 601 bytes

    User: All Users

    User: BSOG
    ->Temp folder emptied: 69598 bytes
    ->Temporary Internet Files folder emptied: 2873378 bytes
    ->Flash cache emptied: 17043 bytes

    User: crolfes
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 781403 bytes
    ->Java cache emptied: 52886026 bytes
    ->FireFox cache emptied: 85251386 bytes
    ->Flash cache emptied: 22543 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 111759 bytes

    User: LTurner
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 229376 bytes
    ->Flash cache emptied: 348 bytes

    User: NByrd
    ->Temp folder emptied: 173 bytes
    ->Temporary Internet Files folder emptied: 3616745 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: pray
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 2719664 bytes
    ->Java cache emptied: 48753461 bytes
    ->FireFox cache emptied: 89677124 bytes
    ->Flash cache emptied: 54004 bytes

    User: tdegen
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 78991 bytes
    ->Java cache emptied: 10680297 bytes
    ->Flash cache emptied: 3568 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 2162283 bytes
    %systemroot%\System32 .tmp files removed: 2577 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 301.00 mb


    [EMPTYFLASH]

    User: Administrator
    ->Flash cache emptied: 0 bytes

    User: All Users

    User: BSOG
    ->Flash cache emptied: 0 bytes

    User: crolfes
    ->Flash cache emptied: 0 bytes

    User: Default User

    User: LocalService

    User: LTurner
    ->Flash cache emptied: 0 bytes

    User: NByrd

    User: NetworkService

    User: pray
    ->Flash cache emptied: 0 bytes

    User: tdegen
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb

    C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
    HOSTS file reset successfully

    OTL by OldTimer - Version 3.2.10.0 log created on 08232010_093615

    Files\Folders moved on Reboot...
    C:\Documents and Settings\pray\Local Settings\Temporary Internet Files\Content.IE5\0W9IN7CY\malwaretrace-t23342[1].htm moved successfully.
    C:\Documents and Settings\pray\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat moved successfully.

    Registry entries deleted on Reboot...

    bellyboy

    Newbie Surfer
    Newbie Surfer

    Posts : 13
    Joined : 2010-08-17
    Operating System : Windows XP Pro Version 2002 Service Pack 3

    View user profile

    Back to top Go down

    Re: Malware.Trace

    Post by Sneakyone on Tue 24 Aug 2010, 8:52 am

    Hi.

    How is your computer running now?


    I'm livin' life in the fast lane.


    Sneakyone

    Tech Officer
    Tech Officer

    Posts : 2707
    Joined : 2010-01-10
    Operating System : Windows 7 Ultimate 64-bit

    View user profile http://twitter.com/AVerySneakyone

    Back to top Go down

    Re: Malware.Trace

    Post by bellyboy on Tue 24 Aug 2010, 9:04 am

    I'm able to run Malwarebytes' Anti-Malware (both Quick Scan and Full Scan) with 0 results. I've rebooted and run the scans again, and continued to receive 0 results.

    However, I noticed Symantec's Auto-Protect was popping up a window to notify me of "Trojan.Bamital!inf" which it appears to have quarantined when it was unable to fully remove it. I suppose that is why it is showing up: because it still resides in quarantine.

    I believe my original problem is solved. But, I'm curious now if the several instances of "Trojan.Bamital!inf" are being handled or whether I need to fret over them. (Sigh.)

    Thanks so much for your expert help. It's reassuring to know there are good guys out there.

    bellyboy

    Newbie Surfer
    Newbie Surfer

    Posts : 13
    Joined : 2010-08-17
    Operating System : Windows XP Pro Version 2002 Service Pack 3

    View user profile

    Back to top Go down

    Re: Malware.Trace

    Post by Sneakyone on Tue 24 Aug 2010, 9:30 am

    Hi.

    Could you please run ComboFix without doing any of the fixes and post the log here.


    I'm livin' life in the fast lane.


    Sneakyone

    Tech Officer
    Tech Officer

    Posts : 2707
    Joined : 2010-01-10
    Operating System : Windows 7 Ultimate 64-bit

    View user profile http://twitter.com/AVerySneakyone

    Back to top Go down

    Re: Malware.Trace

    Post by bellyboy on Wed 25 Aug 2010, 1:13 am

    ComboFix 10-08-23.02 - pray 08/24/2010 9:04.3.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.506 [GMT -5:00]
    Running from: c:\documents and settings\pray\Desktop\Combo-Fix.exe
    AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
    .

    ((((((((((((((((((((((((( Files Created from 2010-07-24 to 2010-08-24 )))))))))))))))))))))))))))))))
    .

    2010-08-17 21:47 . 2010-08-17 21:47 8224 ----a-w- C:\GDIPFONTCACHEV1.DAT
    2010-08-17 16:35 . 2010-08-17 16:35 -------- d-----w- C:\_OTL
    2010-08-16 18:39 . 2010-08-16 22:01 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-08-16 18:39 . 2010-08-16 18:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-08-16 18:32 . 2010-08-16 18:43 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-08-12 19:47 . 2010-08-12 19:47 -------- d-----w- c:\documents and settings\pray\Application Data\Roxio
    2010-07-26 18:28 . 2001-08-17 18:53 17792 -c--a-w- c:\windows\system32\dllcache\ppa.sys
    2010-07-26 18:28 . 2001-08-17 18:53 17792 ----a-w- c:\windows\system32\drivers\ppa.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-08-24 14:02 . 2008-10-23 20:04 -------- d-----w- c:\program files\Symantec AntiVirus
    .

    ((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-08-23 21:29 . 2010-08-23 21:29 16384 c:\windows\Temp\Perflib_Perfdata_5b0.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-02 65536]
    "RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-06-27 868352]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-14 149280]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-06-24 53096]
    "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2008-09-30 125368]
    "OrderReminder"="c:\program files\Hewlett-Packard\OrderReminder\OrderReminder.exe" [2006-07-21 98304]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2006-2-23 118784]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

    R0 ppa;Iomega Parallel Port Filter Driver;c:\windows\system32\drivers\ppa.sys [7/26/2010 1:28 PM 17792]
    R2 Shavlik Scheduler;Shavlik Remote Scheduler Service;c:\windows\ProPatches\Scheduler\stSchedEx.exe [3/8/2007 4:07 PM 759408]
    R2 stAgent;Shavlik Remote Agent Service;c:\windows\ProPatches\Scheduler\stAgent.exe [3/8/2007 4:07 PM 689776]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [7/5/2010 6:02 AM 102448]
    S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/30/2008 5:41 PM 116664]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    DPF: {7D41E608-A87D-4802-8DEE-3ECBFE9B82E3} - [You must be registered and logged in to see this link.]
    DPF: {D76D7136-4A96-11D3-BD95-D296DC2DD072} - [You must be registered and logged in to see this link.]
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
    Rootkit scan 2010-08-24 09:09
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(168)
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2010-08-24 09:12:14
    ComboFix-quarantined-files.txt 2010-08-24 14:12
    ComboFix2.txt 2010-08-23 14:33
    ComboFix3.txt 2010-08-19 14:01

    Pre-Run: 22,693,969,920 bytes free
    Post-Run: 22,685,237,248 bytes free

    - - End Of File - - 3E8F980C73CEBCCA89B43887D15449A4

    bellyboy

    Newbie Surfer
    Newbie Surfer

    Posts : 13
    Joined : 2010-08-17
    Operating System : Windows XP Pro Version 2002 Service Pack 3

    View user profile

    Back to top Go down

    Re: Malware.Trace

    Post by Sneakyone on Wed 25 Aug 2010, 1:38 pm

    Hi.

    What is the filepath Trojan.Bamital!inf is detected in?


    I'm livin' life in the fast lane.


    Sneakyone

    Tech Officer
    Tech Officer

    Posts : 2707
    Joined : 2010-01-10
    Operating System : Windows 7 Ultimate 64-bit

    View user profile http://twitter.com/AVerySneakyone

    Back to top Go down

    Re: Malware.Trace

    Post by bellyboy on Thu 26 Aug 2010, 2:21 am


    According to the Symantec full scan, the "Trojan.Bamital!inf" was originally located at AND is currently located at

    C:\System Volume Information\_restore[FBC21C81-DCDF-4AA6-BA3E-B2775C525170]\RP12

    with filenames A0002539.exe, A0002315.exe, A0002314.exe, A0002305.exe, and A0002304.exe

    It also appeared originally at AND is currently located at

    C:\System Volume Information\_restore[FBC21C81-DCDF-4AA6-BA3E-B2775C525170]\RP8

    with filename A0002197.exe

    Each of the above instances received "partial" Action, with the Action Description being "Risk was partially removed."

    bellyboy

    Newbie Surfer
    Newbie Surfer

    Posts : 13
    Joined : 2010-08-17
    Operating System : Windows XP Pro Version 2002 Service Pack 3

    View user profile

    Back to top Go down

    Re: Malware.Trace

    Post by Sneakyone on Thu 26 Aug 2010, 4:01 pm

    Hi.

    Good, those are fine, they will be removed in this next instruction:

    Your computer is now clean. Now, time to remove the tools used, and update your computer to prevent vulnerability.

    Updating System Restore
    Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:
    • Select Start > All Programs > Accessories > System tools > System Restore.
    • On the dialogue box that appears select Create a Restore Point
    • Click NEXT
    • Enter a name e.g. Clean
    • Click CREATE.


    You now have a clean restore point.

    To get rid of the bad ones:
    • Select Start > All Programs > Accessories > System tools > Disk Cleanup.
    • In the Drop down box that appears select your main drive e.g. C
    • Click OK
    • The System will do a calculation of temporary/old files, and then display a dialogue box.
    • Select the More Options Tab.
    • At the bottom will be a System Restore box with a CLEANUP button click this
    • Accept the Warning and select OK again, the program will close and you are done.


    ========

    Removing the tools
    Now, to remove all of the tools we used and the files and folders they created, please do the following:

    Download OTC.exe by OldTimer:
    • Save it to your Desktop.
    • Double click OTC.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
      Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.


    ============

    Service Pack upgrade
    Please consider upgrading to Windows XP SP3, because it includes all previously released updates. It also includes a small number of new functionalities. Some of the updates that Service Pack 3 provides, you may not have. It is now available via Windows Update.

    More info about SP3: [You must be registered and logged in to see this link.]

    =====

    Update Programs
    Please download the newest version of Adobe Acrobat Reader from Adobe.com

    Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
    Go to the Control Panel and enter Add or Remove Programs.
    Search in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

    Once old versions are gone, please install the newest version.



    Please download the newest version of Java from Java.com.

    Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
    Go to the Control Panel and enter Add or Remove Programs.
    Search in the list for all previous installed versions of Java (J2SE Runtime Environment). Please uninstall/remove each of them.

    Once old versions are gone, please install the newest version.

    =========

    Here are some prevention tips I have provided:

    1. Don't download files from untrusted websites or websites that seem suspious.

    2. Don't use torrents they are a good way to get lots of malware.

    3. Don't download and use cracks/warez/keygens they are illegal and are another good way to contract malware.

    4. Disable autorun XP or Vista/7

    5. Always make sure you have the latest Windows updates. windowsupdate.microsoft.com

    6. Don't ever click on the links inside of a popup.

    7. Make sure you know what you install you can make sure it is not know for being a virus by just simply searching about it on google.

    8. Use a Site Advisor so you don't go to sites that will infect you. Mcafee Siteadvisor

    9. Also there are many holes and flaws in Internet Explorer I recommend using Firefox 3 to keep you more safe.

    10. Always keep your Java and Adobe updated.

    11. Don't fall for the Scareware. What is Scareware? it is a website made to download a rogue Antivirus on your system that will scare you into buying their fake software due to false detections.

    12. Always have a Firewall and a Antivirus.

    Thanks for choosing GeekPolice, see [You must be registered and logged in to see this link.] if you would like to leave feedback or contribute to our site. Do you have any more questions?

    For more information please visit [You must be registered and logged in to see this link.]


    I'm livin' life in the fast lane.


    Sneakyone

    Tech Officer
    Tech Officer

    Posts : 2707
    Joined : 2010-01-10
    Operating System : Windows 7 Ultimate 64-bit

    View user profile http://twitter.com/AVerySneakyone

    Back to top Go down

    Re: Malware.Trace

    Post by Sponsored content Today at 4:36 am


    Sponsored content


    Back to top Go down

    View previous topic View next topic Back to top


     
    Permissions in this forum:
    You cannot reply to topics in this forum