Walmart/Facebook Gift Virus


Walmart/Facebook Gift Virus

Post by dachopstix on 7th April 2011, 11:32 pm

I have the Walmart Gift virus that pops up on both Firefox and IE. As well, I'm unable to access the Windows Update website anymore. I've run OTL and have included the Mediafire links to the OTL & Extras logs. What do I have to do to fix this?

Extras.txt: [You must be registered and logged in to see this link.]

OTL.txt: [You must be registered and logged in to see this link.]

dachopstix
Novice

Posts : 12
Joined : 2011-04-07
OS : Windows XP
Points : 20866
# Likes : 0

Re: Walmart/Facebook Gift Virus

Post by Belahzur on 8th April 2011, 1:25 am

Hello.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34917
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245080
# Likes : 1

Re: Walmart/Facebook Gift Virus

Post by dachopstix on 8th April 2011, 9:54 pm

Malwarebytes' Anti-Malware 1.50.1.1100
[You must be registered and logged in to see this link.]

Database version: 6308

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/8/2011 8:02:15 AM
mbam-log-2011-04-08 (08-02-15).txt

Scan type: Full scan (C:\|)
Objects scanned: 263204
Time elapsed: 51 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Re: Walmart/Facebook Gift Virus

Post by Belahzur on 9th April 2011, 6:26 pm

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes.
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click combofix's window whilst it's running. That may cause it to stall.





Re: Walmart/Facebook Gift Virus

Post by dachopstix on 16th April 2011, 1:06 am

ComboFix 11-04-14.03 - Anson 04/15/2011 18:53:51.2.2 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1750 [GMT -4:00]
Running from: c:\documents and settings\Anson\Desktop\Combo-Fix.exe
FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\Adobe Systems
c:\documents and settings\All Users\Application Data\Adobe Systems\Product licenses\B2B86000.dat
c:\documents and settings\Anson\WINDOWS
C:\Install.exe
c:\windows\system32\BReWErS.dll
c:\windows\system32\muzapp.exe
.
.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2011-03-15 to 2011-04-15 )))))))))))))))))))))))))))))))
.
.
2011-04-15 22:17 . 2011-04-15 22:24 -------- d-----w- C:\Combo-Fix
2011-04-09 23:42 . 2011-04-09 23:42 -------- d-----w- c:\program files\Common Files\Java
2011-04-08 10:43 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-08 10:42 . 2011-04-08 10:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-08 10:42 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-07 23:37 . 2011-04-07 23:37 -------- d-----w- c:\program files\ESET
2011-04-04 01:19 . 2011-04-04 01:19 -------- d-----w- c:\documents and settings\Anson\Local Settings\Application Data\AVG Security Toolbar
2011-04-04 01:13 . 2011-04-04 01:13 -------- d-----w- c:\documents and settings\Anson\Application Data\AVG10
2011-04-04 01:09 . 2011-04-15 21:05 -------- d-----w- c:\windows\system32\drivers\AVG
2011-04-04 01:09 . 2011-04-04 01:13 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2011-04-04 00:50 . 2011-04-04 00:50 163270584 ----a-w- c:\temp\AVG\avg_isct_x86_all_2011_1209a3533.exe
2011-04-04 00:49 . 2011-04-04 00:50 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-04-04 00:32 . 2011-04-04 00:32 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2011-04-04 00:07 . 2011-04-04 00:09 -------- dc-h--w- c:\windows\ie8
2011-04-03 20:59 . 2011-04-03 21:00 125832448 ----a-w- c:\temp\Ad-Aware90Install_2011-04-01.exe
2011-04-03 20:58 . 2011-04-15 22:47 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2011-04-03 20:58 . 2011-04-03 20:58 -------- d-----w- c:\program files\STOPzilla!
2011-04-03 20:58 . 2011-04-03 20:58 -------- d-----w- c:\program files\Common Files\iS3
2011-04-02 19:59 . 2011-04-02 19:59 -------- d-----w- c:\documents and settings\Anson\Local Settings\Application Data\Mozilla
2011-04-02 12:59 . 2011-04-04 00:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-04-02 12:53 . 2011-04-02 12:53 -------- d-----w- c:\documents and settings\Anson\Application Data\Malwarebytes
2011-04-02 12:53 . 2011-04-02 12:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-04-01 22:26 . 2011-04-01 22:28 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-03-31 20:13 . 2011-03-31 20:13 546256 ----a-r- c:\windows\system32\SZComp5.dll
2011-03-31 20:13 . 2011-03-31 20:13 452048 ----a-r- c:\windows\system32\SZBase5.dll
2011-03-31 20:13 . 2011-03-31 20:13 28624 ----a-r- c:\windows\system32\IS3XDat5.dll
2011-03-31 20:13 . 2011-03-31 20:13 22992 ----a-r- c:\windows\system32\SZIO5.dll
2011-03-31 20:13 . 2011-03-31 20:13 132560 ----a-r- c:\windows\system32\IS3HTUI5.dll
2011-03-31 20:13 . 2011-03-31 20:13 99792 ----a-r- c:\windows\system32\IS3Svc5.dll
2011-03-31 20:13 . 2011-03-31 20:13 99792 ----a-r- c:\windows\system32\IS3Inet5.dll
2011-03-31 20:13 . 2011-03-31 20:13 67024 ----a-r- c:\windows\system32\IS3Hks5.dll
2011-03-31 20:13 . 2011-03-31 20:13 398800 ----a-r- c:\windows\system32\IS3DBA5.dll
2011-03-31 20:13 . 2011-03-31 20:13 390608 ----a-r- c:\windows\system32\IS3UI5.dll
2011-03-31 20:13 . 2011-03-31 20:13 230864 ----a-r- c:\windows\system32\IS3Win325.dll
2011-03-31 20:13 . 2011-03-31 20:13 738768 ----a-r- c:\windows\system32\IS3Base5.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-02 00:34 . 2010-09-26 17:43 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-02-09 13:53 . 2004-08-04 12:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-04 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-03 01:40 . 2010-04-22 13:04 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-02 23:19 . 2007-07-08 01:10 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-02 07:58 . 2007-01-16 22:16 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-30 04:16 . 2011-01-30 04:16 30056 ----a-w- c:\windows\system32\MASetupCleaner.exe
2011-01-29 22:00 . 2011-03-06 01:50 4659712 ----a-w- c:\windows\system32\Redemption.dll
2011-01-29 22:00 . 2011-01-29 22:00 81920 ----a-w- c:\windows\system32\issacapi_bs-2.3.dll
2011-01-29 22:00 . 2011-01-29 22:00 65536 ----a-w- c:\windows\system32\issacapi_pe-2.3.dll
2011-01-29 22:00 . 2011-01-29 22:00 57344 ----a-w- c:\windows\system32\MTXSYNCICON.dll
2011-01-29 22:00 . 2011-01-29 22:00 57344 ----a-w- c:\windows\system32\MK_Lyric.dll
2011-01-29 22:00 . 2011-01-29 22:00 57344 ----a-w- c:\windows\system32\issacapi_se-2.3.dll
2011-01-29 22:00 . 2011-01-29 22:00 569344 ----a-w- c:\windows\system32\muzdecode.ax
2011-01-29 22:00 . 2011-01-29 22:00 491520 ----a-w- c:\windows\system32\muzapp.dll
2011-01-29 22:00 . 2011-01-29 22:00 49152 ----a-w- c:\windows\system32\MaJGUILib.dll
2011-01-29 22:00 . 2011-01-29 22:00 45056 ----a-w- c:\windows\system32\MaXMLProto.dll
2011-01-29 22:00 . 2011-01-29 22:00 45056 ----a-w- c:\windows\system32\MACXMLProto.dll
2011-01-29 22:00 . 2011-01-29 22:00 40960 ----a-w- c:\windows\system32\MTTELECHIP.dll
2011-01-29 22:00 . 2011-01-29 22:00 40960 ----a-w- c:\windows\system32\MAMACExtract.dll
2011-01-29 22:00 . 2011-01-29 22:00 352256 ----a-w- c:\windows\system32\MSLUR71.dll
2011-01-29 22:00 . 2011-01-29 22:00 258048 ----a-w- c:\windows\system32\muzoggsp.ax
2011-01-29 22:00 . 2011-01-29 22:00 245760 ----a-w- c:\windows\system32\MSCLib.dll
2011-01-29 22:00 . 2011-01-29 22:00 200704 ----a-w- c:\windows\system32\muzwmts.dll
2011-01-29 22:00 . 2011-01-29 22:00 155648 ----a-w- c:\windows\system32\MSFLib.dll
2011-01-29 22:00 . 2011-01-29 22:00 143360 ----a-w- c:\windows\system32\3DAudio.ax
2011-01-29 22:00 . 2011-01-29 22:00 135168 ----a-w- c:\windows\system32\muzaf1.dll
2011-01-29 22:00 . 2011-01-29 22:00 131072 ----a-w- c:\windows\system32\muzmpgsp.ax
2011-01-29 22:00 . 2011-01-29 22:00 122880 ----a-w- c:\windows\system32\muzeffect.ax
2011-01-29 22:00 . 2011-01-29 22:00 118784 ----a-w- c:\windows\system32\MaDRM.dll
2011-01-29 22:00 . 2011-01-29 22:00 110592 ----a-w- c:\windows\system32\muzmp4sp.ax
2011-01-27 11:57 . 2007-01-16 22:16 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-08-04 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2004-10-01 20:00 . 2007-01-16 23:09 40960 ----a-w- c:\program files\Uninstall_CDS.exe
2011-03-18 17:53 . 2011-04-02 19:58 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
.
[-] 2009-07-12 . D24EA301E2B36C4E975FD216CA85D8E7 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2009-07-12 . D24EA301E2B36C4E975FD216CA85D8E7 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2007-10-30 . 90CAFF4B094573449A0872A0F919B178 . 360064 . . [5.1.2600.3244] . . c:\windows\$NtUninstallKB951748_0$\tcpip.sys
[-] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[-] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2006-04-20 . 1DBF125862891817F374F407626967F4 . 359808 . . [5.1.2600.2892] . . c:\windows\$NtUninstallKB941644$\tcpip.sys
[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB917953$\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2006-02-11 2048000]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2008-01-22 81920]
"EverioService"="c:\program files\CyberLink\PCM4Everio\EverioService.exe" [2008-05-22 151552]
"RemoteControl8"="c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2009-07-17 91432]
"PDVD8LanguageShortcut"="c:\program files\CyberLink\PowerDVD8\Language\Language.exe" [2009-04-16 50472]
"BDRegion"="c:\program files\Cyberlink\Shared Files\brs.exe" [2009-02-26 75048]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE" [2007-05-20 124512]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-03-16 868352]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Sierra\\FEAR\\FEAR.exe"=
"c:\\Program Files\\Sierra\\FEAR\\FEARMP.exe"=
"c:\\Program Files\\Sierra\\FEAR\\FEARXP\\FEARXP.exe"=
"c:\\Program Files\\Sierra\\FEAR Perseus Mandate\\FEARXP2.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD8\\PowerDVD8.exe"=
"c:\\Temp\\Progs\\utorrent.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [9/13/2010 3:27 PM 25680]
R0 szkg5;szkg5;c:\windows\system32\drivers\SZKG.sys [12/7/2009 5:59 PM 61328]
R0 szkgfs;szkgfs;c:\windows\system32\drivers\SZKGFS.sys [5/12/2010 6:01 PM 59280]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [11/12/2010 1:19 PM 299984]
S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [12/7/2009 5:59 PM 61328]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};Power Control [2009/12/20 17:45];c:\program files\CyberLink\PowerDVD8\000.fcl [8/28/2009 7:36 PM 87536]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys --> c:\windows\system32\drivers\Ambfilt.sys [?]
S3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [7/12/2010 4:33 AM 30432]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [7/12/2010 4:33 AM 30432]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [8/3/2010 3:23 PM 123472]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [8/3/2010 3:23 PM 30288]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [8/3/2010 3:23 PM 26192]
S3 dgderdrv;dgderdrv;c:\windows\system32\drivers\dgderdrv.sys --> c:\windows\system32\drivers\dgderdrv.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: {2357B3CF-7F8D-4451-8D81-FD6097610AEE} - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Anson\Application Data\Mozilla\Firefox\Profiles\dhlbjqzv.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Run-AVG_TRAY - c:\program files\AVG\AVG10\avgtray.exe
Notify-TPSvc - TPSvc.dll
AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2011-04-15 19:00
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD8\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-839522115-1275210071-725345543-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:49,b7,cb,5d,31,9c,fa,8f,2b,86,e9,4c,1c,46,68,b3,dc,0c,be,71,c6,85,0c,
df,98,3a,42,96,d5,37,03,67,9b,a0,c7,41,c9,8b,40,87,98,f3,cc,56,05,43,10,ec,\
"??"=hex:fc,bb,e5,89,2d,1d,22,f4,e3,c5,b3,6c,8c,bf,99,19
.
[HKEY_USERS\S-1-5-21-839522115-1275210071-725345543-1004\Software\SecuROM\License information*]
"datasecu"=hex:3b,03,fa,7e,7c,dd,be,62,be,ab,65,57,fc,87,49,6e,d8,51,7e,76,f7,
87,1b,77,38,9a,3b,80,4c,1b,ad,96,aa,f0,2b,de,8e,2f,5e,6e,fb,c5,c1,c5,a9,01,\
"rkeysecu"=hex:3e,80,9e,c4,40,b4,90,83,87,8e,33,49,64,ac,f8,d9
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(452)
c:\windows\system32\NavLogon.dll
.
Completion time: 2011-04-15 19:02:22
ComboFix-quarantined-files.txt 2011-04-15 23:02
.
Pre-Run: 92,625,612,800 bytes free
Post-Run: 92,616,454,144 bytes free
.
- - End Of File - - 621A8776E837568BC15141E55682D8B7

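The two logs above tell different stories: the MBAM full scan reported nothing, while ComboFix removed a TDL4 bootkit from PhysicalDrive0, listed tcpip.sys under Sigcheck with a "[-]" flag, and recorded the Windows Firewall standard profile as off. The following script is an added example, not code from the thread or from ComboFix, that pulls those signals out of a ComboFix log so they are not lost in several hundred lines. The sample log is a constructed excerpt of the one posted above; the section names and line formats it keys on are taken from that log, and the severity wording in the triage output is this example's own.

```python
import re

# Constructed excerpt of the ComboFix log posted above, trimmed to the
# lines this parser keys on (paths and hashes copied as they appear there).
SAMPLE_LOG = r"""
ComboFix 11-04-14.03 - Anson 04/15/2011 18:53:51.2.2 - x86 NETWORK
FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Adobe Systems
C:\Install.exe
c:\windows\system32\BReWErS.dll
c:\windows\system32\muzapp.exe
.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
------- Sigcheck -------
.
[-] 2009-07-12 . D24EA301E2B36C4E975FD216CA85D8E7 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2006-02-11 2048000]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
"""

# Section banners: "((( Name )))" and "--- Name ---"
SECTION_RE = re.compile(r"^\({3,}\s*(.+?)\s*\){3,}$")
DASHED_RE = re.compile(r"^-{3,}\s*(.+?)\s*-{3,}$")
# Header lines such as "FW: AVG Firewall *Disabled* {...}"
PRODUCT_RE = re.compile(r"^(AV|FW|SP):\s+(.+?)\s+\*(\w+)\*")
# "\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected"
BOOTKIT_RE = re.compile(r"^(\\\\\.\\PhysicalDrive\d+)\s+-\s+(.+)$")
# "[-] 2009-07-12 . <MD5> . <size> . . [<version>] . . <path>"
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})"
    r"\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+\[(?P<ver>[^\]]+)\]\s+\.\s+\.\s+(?P<path>.+)$")
REGKEY_RE = re.compile(r"^\[(HK[^\]]+)\]$")
REGVAL_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.+)$')


def parse_combofix(text):
    """Extract the triage-relevant facts from a ComboFix log."""
    findings = {
        "products": [],         # (kind, name, state) from the AV:/FW:/SP: header lines
        "deletions": [],        # items listed under "Other Deletions"
        "bootkit": [],          # (device, detail) for "\\.\PhysicalDriveN - ..." lines
        "sigcheck_failed": [],  # (path, md5, version) for Sigcheck entries flagged "[-]"
        "firewall_disabled": False,
    }
    section = None
    reg_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line) or DASHED_RE.match(line)
        if m:
            section, reg_key = m.group(1), None
            continue
        if section is None:  # still in the header block
            m = PRODUCT_RE.match(line)
            if m:
                findings["products"].append((m.group(1), m.group(2), m.group(3)))
        elif section == "Other Deletions":
            m = BOOTKIT_RE.match(line)
            if m:
                findings["bootkit"].append((m.group(1), m.group(2)))
            else:
                findings["deletions"].append(line)
        elif section == "Sigcheck":
            m = SIGCHECK_RE.match(line)
            if m and m.group("flag") == "-":
                findings["sigcheck_failed"].append(
                    (m.group("path"), m.group("md5").upper(), m.group("ver")))
        elif section == "Reg Loading Points":
            m = REGKEY_RE.match(line)
            if m:
                reg_key = m.group(1)  # values that follow belong to this key
                continue
            m = REGVAL_RE.match(line)
            if (m and reg_key and "firewallpolicy" in reg_key.lower()
                    and m.group("name") == "EnableFirewall"):
                findings["firewall_disabled"] = m.group("value").split()[0] == "0"
    return findings


def triage(findings):
    """Turn parsed facts into follow-up items, most severe first."""
    items = []
    for device, detail in findings["bootkit"]:
        items.append(f"MBR/bootkit finding on {device}: {detail}. Re-check the MBR after reboot.")
    for path, md5, ver in findings["sigcheck_failed"]:
        items.append(f"Unverified system file {path} (version {ver}, MD5 {md5}): "
                     "compare against a known-good copy before trusting it.")
    if findings["firewall_disabled"]:
        items.append("Windows Firewall is off in the standard profile (EnableFirewall=0).")
    for kind, name, state in findings["products"]:
        if state.lower() != "enabled":
            items.append(f"{kind} product '{name}' reported as {state}.")
    if findings["deletions"]:
        items.append(f"{len(findings['deletions'])} item(s) removed by ComboFix; "
                     "review the list for anything that was legitimate.")
    return items


if __name__ == "__main__":
    for item in triage(parse_combofix(SAMPLE_LOG)):
        print("-", item)
```

The parser tracks the current section banner and, inside "Reg Loading Points", the current registry key, so a value such as EnableFirewall is only reported when it sits under the firewall policy key. A "[-]" Sigcheck flag means ComboFix could not verify the file against its reference set; it is a reason to compare the file with a known-good copy, not by itself proof that it is malicious.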

Re: Walmart/Facebook Gift Virus

Post by Belahzur on 16th April 2011, 6:15 pm

Hello.

Run ESET Online Scan
Please do an online scan with [You must be registered and logged in to see this link.]. Please use Internet Explorer as it uses ActiveX.

  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX, click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Check (tick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, the log will be saved here: C:\Program Files\esetonlinescanner\log.txt.





Re: Walmart/Facebook Gift Virus

Post by dachopstix on 16th April 2011, 11:06 pm

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6427
# api_version=3.0.2
# EOSSerial=62cca46d1ec9d6449ae8bd9a609279e5
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-04-16 10:44:03
# local_time=2011-04-16 06:44:03 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1024 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 684608 684608 0 0
# scanned=106261
# found=0
# cleaned=0
# scan_time=3401


Re: Walmart/Facebook Gift Virus

Post by Belahzur on 17th April 2011, 10:52 am

Hello.

I see that you are running µTorrent.
P2P (peer-to-peer) applications are designed to help you easily share and distribute files between you and a group of people. But they can also be used to distribute malware, and thus are not considered safe.
The removal of these programs is optional, but highly recommended.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    µTorrent
    Adobe Reader 9.4.3

Your Java needs updating!

  • Please go to Start > Control Panel, click on Java.
  • When the Java control panel opens, go into the Update tab.
  • At the bottom of that window, press the "Update Now" button and it will attempt to download the latest Java update.
  • Next, the Updater window opens, hit the Install button. It will now attempt to download the update.
  • Untick the box for installing the Yahoo Toolbar when asked.

Then download and install [You must be registered and logged in to see this link.]

How is the machine running now?





Re: Walmart/Facebook Gift Virus

Post by dachopstix on 17th April 2011, 11:53 pm

Well, after running ComboFix, the computer is running fine now, except for the pop-up blocker not working. No more Walmart popups, no more Google hijacking. Java was just updated a day after the log.


Re: Walmart/Facebook Gift Virus

Post by Belahzur on 18th April 2011, 9:42 pm

Are you using Firefox + AdBlock Plus?





Re: Walmart/Facebook Gift Virus

Post by dachopstix on 19th April 2011, 12:48 am

Haven't downloaded AdBlock Plus, I'll try it out
