Win32/Trojan

Win32/Trojan

Post by turnej10 on Tue 05 Oct 2010, 7:45 pm

When I turn on my computer I receive a message box (Microsoft Security Essentials Alert) saying I have a Win32/Trojan. When I attempt to open Firefox, Internet Explorer, or Task Manager, it gives me an error message stating: "The application taskmgr.exe was launched successfully but it was forced to shut down due to security reasons.
This happened because the application was infected by a malicious program which might pose a threat for the OS.
It is highly recommended to install the necessary heuristic module and perform a full scan of your computer to exterminate malicious programs from it." I wasn't able to upload anything from Firefox or Internet Explorer and figured I would try to upload Malwarebytes' Anti-Malware from a separate user account on my laptop. I was able to log in as a different user on my laptop and have tried to upload Malwarebytes' Anti-Malware on the separate user account. I ran the Malware program on the separate user account and it did find and eliminate the trojan alerts. When I tried to go back in the original user account where I received the virus the pop-up was still there. I ran Malwarebytes again but it still has not gone away and I still can't open Task Manager, IE, or Firefox. Please help.



Re: Win32/Trojan

Post by TheAvatar on Wed 06 Oct 2010, 10:00 am

Hi,

Please work your way through these steps:

Step 1:

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

    Code:
    :OTL
    O3 - HKLM\..\Toolbar: (no name) - - No CLSID value found.
    O4 - HKLM..\Run: [BearShare] C:\Program Files\BearShare\BearShare.exe File not found
    O4 - HKLM..\Run: [UserFaultCheck] File not found
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11)
    O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab (Java Plug-in 1.5.0_11)
    O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11)

    :Commands
    [purity]
    [emptytemp]
    [emptyflash]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • After rebooting, please post the OTL you are presented with on startup.



Step 2:

Please download Combofix from one of the following locations:

LINK 1
LINK 2

**IMPORTANT! Save Combofix to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link --> [You must be registered and logged in to see this link.]

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not re-run Combofix. If you have a problem, reply back for further instructions.
3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
4. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
5. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.


In your next reply please include:
  • The log from OTL.
  • The Combofix log.

Thanks.


Re: Win32/Trojan

Post by turnej10 on Thu 07 Oct 2010, 12:51 pm

All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\BearShare deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\UserFaultCheck deleted successfully.
Starting removal of ActiveX control {8AD9C840-044E-11D1-B3E9-00805F499D93}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 552 bytes
->Temporary Internet Files folder emptied: 70789 bytes
->Flash cache emptied: 83 bytes

User: All Users

User: Default User
->Temp folder emptied: 552 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Flash cache emptied: 83 bytes

User: JEREMIAH TURNER
->Temp folder emptied: 1329679404 bytes
->Temporary Internet Files folder emptied: 8919465 bytes
->Java cache emptied: 25037644 bytes
->FireFox cache emptied: 47987426 bytes
->Apple Safari cache emptied: 1060864 bytes

User: jturner
->Temp folder emptied: 3008676 bytes
->Temporary Internet Files folder emptied: 298103 bytes
->FireFox cache emptied: 80620377 bytes
->Flash cache emptied: 1471 bytes

User: LocalService
->Temp folder emptied: 65716 bytes
->Temporary Internet Files folder emptied: 38156 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 2664019 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 79343585 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 762181621 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 552 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 2,233.00 mb


[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 0 bytes

User: All Users

User: Default User
->Flash cache emptied: 0 bytes

User: JEREMIAH TURNER

User: jturner
->Flash cache emptied: 0 bytes

User: LocalService

User: NetworkService

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.14.1 log created on 10062010_183253

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...


Re: Win32/Trojan

Post by turnej10 on Thu 07 Oct 2010, 1:29 pm

ComboFix 10-10-06.02 - jturner 10/06/2010 19:15:34.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.200 [GMT -7:00]
Running from: c:\documents and settings\jturner\My Documents\Downloads\ComboFix.exe
AV: Norton Internet Security 2006 *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security 2006 *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\JEREMIAH TURNER\Application Data\hotfix.exe
c:\program files\Internet Explorer\msimg32.dll
c:\windows\Downloaded Program Files\f3initialsetup1.0.0.15-3.inf
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\system32\_000008_.tmp.dll
c:\windows\system32\_000009_.tmp.dll

----- File Replicators -----

c:\program files\InstallShield Installation Information\{4302B2DD-D958-40E3-BAF3-B07FFE1978CE}\setup.exe
c:\program files\InstallShield Installation Information\{534AA552-E1F1-4965-B2AA-FBDEB0730D60}\setup.exe
c:\program files\InstallShield Installation Information\{9E11661F-C75F-4566-A91F-85BD90D09C70}\setup.exe
c:\program files\InstallShield Installation Information\{CEB326EC-8F40-47B2-BA22-BB092565D66F}\setup.exe
c:\program files\InstallShield Installation Information\{FC6E442D-ACBF-4EE3-BB0F-E9EFD6A43D07}\setup.exe
c:\swsetup\Default\Disk1\setup.exe
c:\swsetup\MVEDV\muveeInstall\setup.exe
c:\swsetup\QLB\Disk1\setup.exe
c:\swsetup\SEDXPSP2\AR\Disk1\setup.exe
c:\swsetup\SEDXPSP2\BR\Disk1\setup.exe
c:\swsetup\SEDXPSP2\CH\Disk1\setup.exe
c:\swsetup\SEDXPSP2\CS\Disk1\setup.exe
c:\swsetup\SEDXPSP2\DK\Disk1\setup.exe
c:\swsetup\SEDXPSP2\FI\Disk1\setup.exe
c:\swsetup\SEDXPSP2\FR\Disk1\setup.exe
c:\swsetup\SEDXPSP2\GK\Disk1\setup.exe
c:\swsetup\SEDXPSP2\GR\Disk1\setup.exe
c:\swsetup\SEDXPSP2\HU\Disk1\setup.exe
c:\swsetup\SEDXPSP2\IL\Disk1\setup.exe
c:\swsetup\SEDXPSP2\IT\Disk1\setup.exe
c:\swsetup\SEDXPSP2\JP\Disk1\setup.exe
c:\swsetup\SEDXPSP2\KR\Disk1\setup.exe
c:\swsetup\SEDXPSP2\NL\Disk1\setup.exe
c:\swsetup\SEDXPSP2\NO\Disk1\setup.exe
c:\swsetup\SEDXPSP2\PL\Disk1\setup.exe
c:\swsetup\SEDXPSP2\PT\Disk1\setup.exe
c:\swsetup\SEDXPSP2\RU\Disk1\setup.exe
c:\swsetup\SEDXPSP2\SE\Disk1\setup.exe
c:\swsetup\SEDXPSP2\SEDInstaller\setup.exe
c:\swsetup\SEDXPSP2\SK\Disk1\setup.exe
c:\swsetup\SEDXPSP2\SL\Disk1\setup.exe
c:\swsetup\SEDXPSP2\SP\Disk1\setup.exe
c:\swsetup\SEDXPSP2\TH\Disk1\setup.exe
c:\swsetup\SEDXPSP2\TR\Disk1\setup.exe
c:\swsetup\SEDXPSP2\TW\Disk1\setup.exe
c:\swsetup\SEDXPSP2\TZ\Disk1\setup.exe
c:\swsetup\SEDXPSP2\US\Disk1\setup.exe
c:\swsetup\WLASST\setup.exe
.
.
((((((((((((((((((((((((( Files Created from 2010-09-07 to 2010-10-07 )))))))))))))))))))))))))))))))
.

2010-10-07 02:14 . 2010-10-07 02:14 862872 ----a-w- c:\documents and settings\jturner\Application Data\yahoo!\SearchProtection\fudogs_2.0.1.13_msgr_bts_setup.2010.04.01.01.exe
2010-10-07 01:32 . 2010-10-07 01:32 -------- d-----w- C:\_OTL
2010-10-05 12:31 . 2010-10-05 12:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-10-04 19:27 . 2010-10-04 19:27 -------- d-----w- c:\documents and settings\JEREMIAH TURNER\Application Data\Malwarebytes
2010-10-04 17:33 . 2010-10-04 17:33 -------- d-----w- c:\documents and settings\jturner\Application Data\Malwarebytes
2010-10-04 17:32 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-04 17:32 . 2010-10-04 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-10-04 17:32 . 2010-10-04 17:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-04 15:58 . 2010-10-04 15:58 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-10-04 15:57 . 2010-10-04 15:57 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-09-26 14:27 . 2010-09-26 14:27 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2010-09-21 18:37 . 2010-09-21 18:37 932288 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\31033\AdobeARM.exe
2010-09-21 18:37 . 2010-09-21 18:37 70584 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\31033\AdobeExtractFiles.dll
2010-09-21 18:37 . 2010-09-21 18:37 338856 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\31033\ReaderUpdater.exe
2010-09-21 18:37 . 2010-09-21 18:37 338856 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\31033\AcrobatUpdater.exe
2010-09-07 13:52 . 2010-08-30 21:34 1496064 ----a-w- c:\documents and settings\JEREMIAH TURNER\Application Data\Mozilla\Firefox\Profiles\k6xkhw08.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-09-07 13:52 . 2010-08-30 21:33 43008 ----a-w- c:\documents and settings\JEREMIAH TURNER\Application Data\Mozilla\Firefox\Profiles\k6xkhw08.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-09-07 13:52 . 2010-08-30 21:33 338944 ----a-w- c:\documents and settings\JEREMIAH TURNER\Application Data\Mozilla\Firefox\Profiles\k6xkhw08.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-09-07 13:52 . 2010-08-30 21:33 346112 ----a-w- c:\documents and settings\JEREMIAH TURNER\Application Data\Mozilla\Firefox\Profiles\k6xkhw08.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-07 01:33 . 2005-05-12 04:09 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-10-07 01:17 . 2008-04-15 00:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-10-04 19:40 . 2007-01-20 06:56 -------- d-----w- c:\program files\Windows Media Connect 2
2010-10-04 19:38 . 2008-02-11 06:29 -------- d-----w- c:\program files\DivX
2010-10-04 19:38 . 2005-05-12 03:51 -------- d-----w- c:\program files\MSN Encarta Plus
2010-10-04 19:38 . 2005-05-12 03:51 -------- d-----w- c:\program files\Microsoft Works
2010-10-04 17:12 . 2010-10-04 17:09 -------- d-----w- c:\documents and settings\jturner\Application Data\Symantec
2010-10-04 17:11 . 2010-10-04 17:11 -------- d--h--r- c:\documents and settings\jturner\Application Data\yahoo!
2010-10-03 18:42 . 2008-04-09 03:43 1100 ----a-w- c:\windows\system32\d3d8caps.dat
2010-10-03 14:49 . 2008-04-19 12:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-10-03 14:46 . 2009-05-24 17:54 -------- d-----w- c:\program files\Symantec
2010-10-03 14:45 . 2010-10-03 14:46 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-10-03 14:45 . 2010-10-03 14:46 10635 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-10-03 14:45 . 2009-05-24 17:56 124464 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-10-03 14:45 . 2009-05-24 17:56 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-10-03 13:47 . 2009-05-24 17:58 -------- d-----w- c:\program files\Norton Internet Security
2006-02-05 05:51 . 2006-02-05 05:51 756024 -c--a-w- c:\program files\CCAAgent_Setup.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 102492]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 692316]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-11 794624]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-02-17 233534]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-23 339968]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-28 136600]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-23 52840]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-02-15 198160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-30 583048]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
AutoTBar.exe [2003-9-30 57344]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Clean Access Agent.lnk - c:\program files\Cisco Systems\Clean Access Agent\CCAAgent.exe [2005-11-28 1491023]
HP Digital Imaging Monitor.lnk - c:\program files\Hp\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
AutoTBar.exe [2003-9-30 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [10/3/2010 6:20 AM 102448]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [3/22/2005 7:39 AM 200192]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2010-09-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 21:57]

2010-10-07 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-07 05:21]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
FF - ProfilePath - c:\documents and settings\jturner\Application Data\Mozilla\Firefox\Profiles\ica1fizm.default\
FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\JEREMIAH TURNER\Application Data\Move Networks\plugins\npqmp071500000347.dll
FF - plugin: c:\documents and settings\JEREMIAH TURNER\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{CA2DB500-5ECF-11D2-B28F-0080C8383C7B} - c:\windows\system32\shmswnrc.dll


.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(692)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-10-06 19:26:22
ComboFix-quarantined-files.txt 2010-10-07 02:26

Pre-Run: 57,307,672,576 bytes free
Post-Run: 60,584,603,648 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - EC382136CA6187E56050FED9E84B67CE

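The ComboFix log above ends with a "Reg Loading Points" section, which is where a helper looks first: the Run keys show what starts at logon, and the Security Center and firewall keys show whether the machine's own protections are still switched on. The following is an added example, not part of this thread and not ComboFix's own code: a small Python parser over a shortened copy of the lines posted above that lists the Run-key autostarts and flags the weakened settings visible in the log (Security Center monitoring disabled, Windows Firewall disabled). ComboFix publishes no format specification, so the line patterns below are assumptions taken from the posted output.

```python
"""Triage the 'Reg Loading Points' block of a ComboFix log (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a shortened copy of the block posted above. Doubled
# backslashes are Python escaping; each pair is one backslash in the log.
SAMPLE_LOG = """\
REGEDIT4

[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"MSMSGS"="c:\\program files\\Messenger\\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"SynTPLpr"="c:\\program files\\Synaptics\\SynTP\\SynTPLpr.exe" [2005-02-02 102492]
"YSearchProtection"="c:\\program files\\Yahoo!\\Search Protection\\SearchProtection.exe" [2008-10-07 111856]
"ccApp"="c:\\program files\\Common Files\\Symantec Shared\\ccApp.exe" [2007-01-23 52840]

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# Assumed line shapes (taken from the log above): [key], then "name"=value lines.
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=\s*(?P<value>.*)$')
# A program value looks like "c:\path\prog.exe" [yyyy-mm-dd size]; the bracket part is optional.
PATH_RE = re.compile(r'^"(?P<path>[^"]*)"(?:\s+\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\])?$')


@dataclass
class RegValue:
    key: str
    name: str
    raw: str                    # value text exactly as ComboFix printed it
    path: Optional[str] = None  # set when the value is a quoted program path
    size: Optional[int] = None  # file size ComboFix appended after the path


def parse_reg_loading_points(text: str) -> List[RegValue]:
    """Walk the REGEDIT4-style block and return one RegValue per name=value line."""
    entries: List[RegValue] = []
    key: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "REGEDIT4":
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            raw = m.group("value").strip()
            path = size = None
            pm = PATH_RE.match(raw)
            if pm:
                path = pm.group("path")
                size = int(pm.group("size")) if pm.group("size") else None
            entries.append(RegValue(key, m.group("name"), raw, path, size))
    return entries


def _int_value(raw: str) -> Optional[int]:
    """'dword:00000001' -> 1, '0 (0x0)' -> 0, a quoted path -> None."""
    if raw.lower().startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    head = raw.split(maxsplit=1)[0] if raw else ""
    return int(head) if head.isdigit() else None


def autorun_entries(entries: List[RegValue]) -> List[RegValue]:
    """Programs launched at logon: path-valued entries under a CurrentVersion\\Run key."""
    return [e for e in entries if e.key.lower().endswith("\\currentversion\\run") and e.path]


def security_findings(entries: List[RegValue]) -> List[str]:
    """Settings in the block that switch off the machine's own protections."""
    findings = []
    for e in entries:
        k = e.key.lower()
        if "security center\\monitoring" in k and e.name == "DisableMonitoring" and _int_value(e.raw) == 1:
            tail = e.key.rsplit("\\", 1)[1]
            scope = "all products" if tail.lower() == "monitoring" else tail
            findings.append(f"Security Center monitoring disabled ({scope})")
        elif k.endswith("firewallpolicy\\standardprofile") and e.name == "EnableFirewall" and _int_value(e.raw) == 0:
            findings.append("Windows Firewall disabled (standard profile)")
    return findings


if __name__ == "__main__":
    parsed = parse_reg_loading_points(SAMPLE_LOG)
    print("Autostarts:")
    for e in autorun_entries(parsed):
        print(f"  {e.name:<20} {e.path}  ({e.size} bytes)")
    print("Findings:")
    for f in security_findings(parsed):
        print(f"  {f}")
```

Run against the sample it prints the four Run-key programs and three findings; pointing it at a full ComboFix.txt means feeding only the text between the "Reg Loading Points" header and the next section, since the rest of the log uses different line shapes.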

Re: Win32/Trojan

Post by TheAvatar on Thu 07 Oct 2010, 8:49 pm

Hi turnej10,

I have unpleasant news for you. In addition to some malware in the system, one of the infections is identified as Sality or the so-called Virut virus. It's a file infector, and as such our efforts in cleaning will be futile. You'll be better off performing a reformat and reinstall (clean install).

Win32/Virut.BM is a polymorphic file infector that targets .EXE and .SCR files. This virus also opens a backdoor by connecting to an IRC server, allowing a remote attacker to download and execute arbitrary files on the infected computer. You may refer to the following thread.

[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

Back up all your documents and important items (personal data, work documents, etc.) only. DO NOT back up any executable files (software) or screensavers (*.scr). It attempts to infect any accessed .exe or .scr files by appending itself to the executable.

If you need assistance in performing a clean install, here are a couple of good guides to walk you through the process:

[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]


Good luck.


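The backup rule in the post above (documents only, no .exe or .scr) can be applied by script rather than by hand. The following is an added example, not from the thread or from any of the tools it mentions, and it goes one step beyond the post: besides skipping the two extensions it also skips any file that begins with the "MZ" header every Windows executable carries, so an infected program that was renamed to look like a picture or document is not carried over to the clean install. The folder layout and file contents are constructed for the demo; the names are placeholders.

```python
"""Select files for a documents-only backup before a clean install (added example)."""
import tempfile
from pathlib import Path
from typing import Dict

# Extensions the post says not to back up.
SKIP_EXTENSIONS = {".exe", ".scr"}
PE_MAGIC = b"MZ"  # first two bytes of every Windows executable image


def starts_with_pe_header(path: Path) -> bool:
    """True if the file begins with the DOS 'MZ' stub that PE executables carry."""
    try:
        with path.open("rb") as fh:
            return fh.read(2) == PE_MAGIC
    except OSError:
        return False


def classify(path: Path) -> str:
    """Verdict for one file: 'backup', 'skip-extension' or 'skip-pe-header'."""
    if path.suffix.lower() in SKIP_EXTENSIONS:
        return "skip-extension"
    if starts_with_pe_header(path):
        return "skip-pe-header"
    return "backup"


def select_for_backup(root: Path) -> Dict[str, str]:
    """Map every file under root (relative, forward-slash path) to its verdict."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): classify(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


# Constructed demo tree: the bytes are placeholders, not real documents or programs.
DEMO_FILES = {
    "My Documents/report.doc": b"\xd0\xcf\x11\xe0 placeholder document",
    "My Documents/notes.txt": b"shopping list",
    "Downloads/setup.exe": b"MZ\x90\x00 placeholder program",
    "screensaver.scr": b"MZ\x90\x00 placeholder screensaver",
    "My Documents/holiday.jpg": b"MZ\x90\x00 a program renamed to look like a picture",
}


def build_demo_tree(root: Path) -> None:
    """Write the constructed files under root."""
    for rel, data in DEMO_FILES.items():
        dest = Path(root) / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_bytes(data)


def run_demo() -> Dict[str, str]:
    """Create the demo tree in a temporary folder and return the verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(Path(tmp))
        return select_for_backup(Path(tmp))


if __name__ == "__main__":
    for rel, verdict in run_demo().items():
        print(f"{verdict:<15} {rel}")
```

Only files classified "backup" should be copied; the "MZ" check is what catches holiday.jpg in the demo, which the extension rule alone would have let through. Reading two bytes per file keeps the walk fast enough for a whole profile folder.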
