Win32/Trojan


Re: Win32/Trojan

Post by TheAvatar on 5th October 2010, 11:00 pm

Hi,

Please work your way through these steps:

Step 1:

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

    Code:
    :OTL
    O3 - HKLM\..\Toolbar: (no name) - - No CLSID value found.
    O4 - HKLM..\Run: [BearShare] C:\Program Files\BearShare\BearShare.exe File not found
    O4 - HKLM..\Run: [UserFaultCheck] File not found
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11)
    O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab (Java Plug-in 1.5.0_11)
    O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11)

    :Commands
    [purity]
    [emptytemp]
    [emptyflash]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • After rebooting, please post the OTL log you are presented with on startup.



Step 2:

Please download Combofix from one of the following locations:

[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

**IMPORTANT! Save Combofix to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link --> [You must be registered and logged in to see this link.]

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not re-run Combofix. If you have a problem, reply back for further instructions.
3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
4. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
5. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.


In your next reply please include:
  • The log from OTL.
  • The Combofix log.

Thanks.


- The Avatar
If I have helped you, please consider donating to [You must be registered and logged in to see this link.]

GeekPolice.net [You must be registered and logged in to see this link.]    [You must be registered and logged in to see this link.]

Online: GMT 10+ 7:30pm to 8:30pm weekdays. On and off on weekends regularly.


Re: Win32/Trojan

Post by turnej10 on 7th October 2010, 1:51 am

All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\BearShare deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\UserFaultCheck deleted successfully.
Starting removal of ActiveX control {8AD9C840-044E-11D1-B3E9-00805F499D93}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 552 bytes
->Temporary Internet Files folder emptied: 70789 bytes
->Flash cache emptied: 83 bytes

User: All Users

User: Default User
->Temp folder emptied: 552 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Flash cache emptied: 83 bytes

User: JEREMIAH TURNER
->Temp folder emptied: 1329679404 bytes
->Temporary Internet Files folder emptied: 8919465 bytes
->Java cache emptied: 25037644 bytes
->FireFox cache emptied: 47987426 bytes
->Apple Safari cache emptied: 1060864 bytes

User: jturner
->Temp folder emptied: 3008676 bytes
->Temporary Internet Files folder emptied: 298103 bytes
->FireFox cache emptied: 80620377 bytes
->Flash cache emptied: 1471 bytes

User: LocalService
->Temp folder emptied: 65716 bytes
->Temporary Internet Files folder emptied: 38156 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 2664019 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 79343585 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 762181621 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 552 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 2,233.00 mb


[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 0 bytes

User: All Users

User: Default User
->Flash cache emptied: 0 bytes

User: JEREMIAH TURNER

User: jturner
->Flash cache emptied: 0 bytes

User: LocalService

User: NetworkService

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.14.1 log created on 10062010_183253

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...


Re: Win32/Trojan

Post by turnej10 on 7th October 2010, 2:29 am

ComboFix 10-10-06.02 - jturner 10/06/2010 19:15:34.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.200 [GMT -7:00]
Running from: c:\documents and settings\jturner\My Documents\Downloads\ComboFix.exe
AV: Norton Internet Security 2006 *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security 2006 *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\JEREMIAH TURNER\Application Data\hotfix.exe
c:\program files\Internet Explorer\msimg32.dll
c:\windows\Downloaded Program Files\f3initialsetup1.0.0.15-3.inf
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\system32\_000008_.tmp.dll
c:\windows\system32\_000009_.tmp.dll

----- File Replicators -----

c:\program files\InstallShield Installation Information\{4302B2DD-D958-40E3-BAF3-B07FFE1978CE}\setup.exe
c:\program files\InstallShield Installation Information\{534AA552-E1F1-4965-B2AA-FBDEB0730D60}\setup.exe
c:\program files\InstallShield Installation Information\{9E11661F-C75F-4566-A91F-85BD90D09C70}\setup.exe
c:\program files\InstallShield Installation Information\{CEB326EC-8F40-47B2-BA22-BB092565D66F}\setup.exe
c:\program files\InstallShield Installation Information\{FC6E442D-ACBF-4EE3-BB0F-E9EFD6A43D07}\setup.exe
c:\swsetup\Default\Disk1\setup.exe
c:\swsetup\MVEDV\muveeInstall\setup.exe
c:\swsetup\QLB\Disk1\setup.exe
c:\swsetup\SEDXPSP2\AR\Disk1\setup.exe
c:\swsetup\SEDXPSP2\BR\Disk1\setup.exe
c:\swsetup\SEDXPSP2\CH\Disk1\setup.exe
c:\swsetup\SEDXPSP2\CS\Disk1\setup.exe
c:\swsetup\SEDXPSP2\DK\Disk1\setup.exe
c:\swsetup\SEDXPSP2\FI\Disk1\setup.exe
c:\swsetup\SEDXPSP2\FR\Disk1\setup.exe
c:\swsetup\SEDXPSP2\GK\Disk1\setup.exe
c:\swsetup\SEDXPSP2\GR\Disk1\setup.exe
c:\swsetup\SEDXPSP2\HU\Disk1\setup.exe
c:\swsetup\SEDXPSP2\IL\Disk1\setup.exe
c:\swsetup\SEDXPSP2\IT\Disk1\setup.exe
c:\swsetup\SEDXPSP2\JP\Disk1\setup.exe
c:\swsetup\SEDXPSP2\KR\Disk1\setup.exe
c:\swsetup\SEDXPSP2\NL\Disk1\setup.exe
c:\swsetup\SEDXPSP2\NO\Disk1\setup.exe
c:\swsetup\SEDXPSP2\PL\Disk1\setup.exe
c:\swsetup\SEDXPSP2\PT\Disk1\setup.exe
c:\swsetup\SEDXPSP2\RU\Disk1\setup.exe
c:\swsetup\SEDXPSP2\SE\Disk1\setup.exe
c:\swsetup\SEDXPSP2\SEDInstaller\setup.exe
c:\swsetup\SEDXPSP2\SK\Disk1\setup.exe
c:\swsetup\SEDXPSP2\SL\Disk1\setup.exe
c:\swsetup\SEDXPSP2\SP\Disk1\setup.exe
c:\swsetup\SEDXPSP2\TH\Disk1\setup.exe
c:\swsetup\SEDXPSP2\TR\Disk1\setup.exe
c:\swsetup\SEDXPSP2\TW\Disk1\setup.exe
c:\swsetup\SEDXPSP2\TZ\Disk1\setup.exe
c:\swsetup\SEDXPSP2\US\Disk1\setup.exe
c:\swsetup\WLASST\setup.exe
.
.
((((((((((((((((((((((((( Files Created from 2010-09-07 to 2010-10-07 )))))))))))))))))))))))))))))))
.

2010-10-07 02:14 . 2010-10-07 02:14 862872 ----a-w- c:\documents and settings\jturner\Application Data\yahoo!\SearchProtection\fudogs_2.0.1.13_msgr_bts_setup.2010.04.01.01.exe
2010-10-07 01:32 . 2010-10-07 01:32 -------- d-----w- C:\_OTL
2010-10-05 12:31 . 2010-10-05 12:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-10-04 19:27 . 2010-10-04 19:27 -------- d-----w- c:\documents and settings\JEREMIAH TURNER\Application Data\Malwarebytes
2010-10-04 17:33 . 2010-10-04 17:33 -------- d-----w- c:\documents and settings\jturner\Application Data\Malwarebytes
2010-10-04 17:32 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-04 17:32 . 2010-10-04 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-10-04 17:32 . 2010-10-04 17:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-04 15:58 . 2010-10-04 15:58 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-10-04 15:57 . 2010-10-04 15:57 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-09-26 14:27 . 2010-09-26 14:27 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2010-09-21 18:37 . 2010-09-21 18:37 932288 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\31033\AdobeARM.exe
2010-09-21 18:37 . 2010-09-21 18:37 70584 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\31033\AdobeExtractFiles.dll
2010-09-21 18:37 . 2010-09-21 18:37 338856 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\31033\ReaderUpdater.exe
2010-09-21 18:37 . 2010-09-21 18:37 338856 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\31033\AcrobatUpdater.exe
2010-09-07 13:52 . 2010-08-30 21:34 1496064 ----a-w- c:\documents and settings\JEREMIAH TURNER\Application Data\Mozilla\Firefox\Profiles\k6xkhw08.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-09-07 13:52 . 2010-08-30 21:33 43008 ----a-w- c:\documents and settings\JEREMIAH TURNER\Application Data\Mozilla\Firefox\Profiles\k6xkhw08.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-09-07 13:52 . 2010-08-30 21:33 338944 ----a-w- c:\documents and settings\JEREMIAH TURNER\Application Data\Mozilla\Firefox\Profiles\k6xkhw08.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-09-07 13:52 . 2010-08-30 21:33 346112 ----a-w- c:\documents and settings\JEREMIAH TURNER\Application Data\Mozilla\Firefox\Profiles\k6xkhw08.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-07 01:33 . 2005-05-12 04:09 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-10-07 01:17 . 2008-04-15 00:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-10-04 19:40 . 2007-01-20 06:56 -------- d-----w- c:\program files\Windows Media Connect 2
2010-10-04 19:38 . 2008-02-11 06:29 -------- d-----w- c:\program files\DivX
2010-10-04 19:38 . 2005-05-12 03:51 -------- d-----w- c:\program files\MSN Encarta Plus
2010-10-04 19:38 . 2005-05-12 03:51 -------- d-----w- c:\program files\Microsoft Works
2010-10-04 17:12 . 2010-10-04 17:09 -------- d-----w- c:\documents and settings\jturner\Application Data\Symantec
2010-10-04 17:11 . 2010-10-04 17:11 -------- d--h--r- c:\documents and settings\jturner\Application Data\yahoo!
2010-10-03 18:42 . 2008-04-09 03:43 1100 ----a-w- c:\windows\system32\d3d8caps.dat
2010-10-03 14:49 . 2008-04-19 12:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-10-03 14:46 . 2009-05-24 17:54 -------- d-----w- c:\program files\Symantec
2010-10-03 14:45 . 2010-10-03 14:46 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-10-03 14:45 . 2010-10-03 14:46 10635 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-10-03 14:45 . 2009-05-24 17:56 124464 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-10-03 14:45 . 2009-05-24 17:56 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-10-03 13:47 . 2009-05-24 17:58 -------- d-----w- c:\program files\Norton Internet Security
2006-02-05 05:51 . 2006-02-05 05:51 756024 -c--a-w- c:\program files\CCAAgent_Setup.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 102492]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 692316]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-11 794624]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-02-17 233534]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-23 339968]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-28 136600]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-23 52840]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-02-15 198160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-30 583048]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
AutoTBar.exe [2003-9-30 57344]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Clean Access Agent.lnk - c:\program files\Cisco Systems\Clean Access Agent\CCAAgent.exe [2005-11-28 1491023]
HP Digital Imaging Monitor.lnk - c:\program files\Hp\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
AutoTBar.exe [2003-9-30 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [10/3/2010 6:20 AM 102448]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [3/22/2005 7:39 AM 200192]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2010-09-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 21:57]

2010-10-07 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-07 05:21]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
FF - ProfilePath - c:\documents and settings\jturner\Application Data\Mozilla\Firefox\Profiles\ica1fizm.default\
FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\JEREMIAH TURNER\Application Data\Move Networks\plugins\npqmp071500000347.dll
FF - plugin: c:\documents and settings\JEREMIAH TURNER\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{CA2DB500-5ECF-11D2-B28F-0080C8383C7B} - c:\windows\system32\shmswnrc.dll


.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(692)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-10-06 19:26:22
ComboFix-quarantined-files.txt 2010-10-07 02:26

Pre-Run: 57,307,672,576 bytes free
Post-Run: 60,584,603,648 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - EC382136CA6187E56050FED9E84B67CE

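A helper reading a ComboFix log like the one above checks a few posture items before anything else: the AV/FW header lines, the Security Center "DisableMonitoring" keys, the "EnableFirewall" policy value, and any deleted file that carries a system DLL name outside system32. The script below automates that triage; it is an added example, not part of the thread or of ComboFix, and its sample log is constructed from lines of the posted log, with a deliberately short constructed list of system32 DLL names.

```python
import re

# Constructed excerpt of a ComboFix log: lines copied from the log posted in
# this thread, trimmed to the sections this triage reads.
SAMPLE_LOG = r"""AV: Norton Internet Security 2006 *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security 2006 *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
c:\documents and settings\JEREMIAH TURNER\Application Data\hotfix.exe
c:\program files\Internet Explorer\msimg32.dll
c:\windows\system32\_000008_.tmp.dll
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# DLL names that belong in %systemroot%\system32; a copy beside an application
# binary is a search-order planting indicator. Constructed short list, not a reference set.
SYSTEM32_DLLS = {"msimg32.dll"}

def dword(value):
    """Parse 'dword:00000001' or ComboFix's bare '0 (0x0)' form to an int."""
    m = re.match(r"^(?:dword:)?([0-9a-fA-F]+)", value)
    return int(m.group(1), 16) if m else None

def parse_regedit(lines):
    """Yield (key, name, value) triples from the REGEDIT4 block."""
    key = None
    for line in lines:
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            key = m.group(1)
            continue
        m = re.match(r'^"([^"]+)"=\s*(.*)$', line)
        if m and key is not None:
            yield key, m.group(1), m.group(2).strip()

def deleted_files(lines):
    """Return the paths listed under the 'Other Deletions' banner."""
    out, active = [], False
    for line in lines:
        if "Other Deletions" in line:
            active = True
        elif active and (line.startswith("((((") or line == "REGEDIT4"):
            break  # the next section banner ends the list
        elif active and line.lower().startswith("c:\\"):
            out.append(line)
    return out

def triage(log_text):
    """Return human-readable posture findings for one ComboFix log."""
    lines = log_text.splitlines()
    findings = []
    for line in lines:
        m = re.match(r"^(AV|FW): (.+?) \*(.+?)\*", line)
        if m and "disabled" in m.group(3).lower():
            findings.append(f"{m.group(1)} product disabled: {m.group(2)} ({m.group(3)})")
    for key, name, value in parse_regedit(lines):
        k = key.lower()
        if "security center\\monitoring" in k and name == "DisableMonitoring" and dword(value) == 1:
            findings.append(f"Security Center monitoring disabled at {key}")
        if "firewallpolicy" in k and name == "EnableFirewall" and dword(value) == 0:
            findings.append(f"Windows Firewall policy off at {key}")
    for path in deleted_files(lines):
        if path.rsplit("\\", 1)[-1].lower() in SYSTEM32_DLLS and "\\system32\\" not in path.lower():
            findings.append(f"System DLL name outside system32 (planting indicator): {path}")
    return findings
```

Security Center monitoring being disabled is expected when a third-party suite registers itself, so the finding is a prompt to confirm the suite is actually running, not proof of tampering on its own.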

Re: Win32/Trojan

Post by TheAvatar on 7th October 2010, 9:49 am

Hi turnej10,

I have unpleasant news for you. In addition to some malware in the system, one of the infections is identified as Sality or the so-called Virut virus. It's a file infector, and as such our efforts in cleaning will be futile. You'll be better off performing a reformat and reinstall (clean install).

Win32/Virut.BM is a polymorphic file infector that targets .EXE and .SCR files. This virus also opens a backdoor by connecting to an IRC server, allowing a remote attacker to download and execute arbitrary files on the infected computer. You may refer to the following threads.

[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

Back up all your documents and important items (personal data, work documents, etc.) only. DO NOT back up any executable files (software) or screensavers (*.scr). It attempts to infect any accessed .exe or .scr files by appending itself to the executable.

If you need assistance in performing a clean install, here are a couple of good guides to walk you through the process:

[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]


Good luck.

My Buddy


