
Solved: Removal of Malicious Code

Discussion in 'Malware and Virus Removal Archive' started by ga5150, 2010/02/06.

  1. 2010/02/06
    ga5150 (Thread Starter)
    [Resolved] Removal of Malicious Code

    Hi all,

    I had trouble logging into eBay/PayPal etc., and determined something was wrong when the status bar would freeze about halfway. This did not happen on other websites and it only happened on the one desktop machine. Other machines operated normally. I found your forums and ran some of the malware programs and did some general cleanup. What I'm left with is the mbr.log showing that I have malicious code, and I'm to the point where I need some expert assistance if possible to ensure this machine is clean and good to go. Kaspersky came back clean, Dr. Web comes back clean, McAfee shows no problems, SUPERAntiSpyware comes back good, and I ran TFC also. Any help is greatly appreciated!

    Rodney


    As directed, here is my DDS:



    DDS (Ver_09-12-01.01) - NTFSx86
    Run by Carr at 0:20:18.90 on Sun 02/07/2010
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.638.160 [GMT -5:00]

    AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    svchost.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\Program Files\Webroot\Washer\WasherSvc.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Carr\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://clarkhoward.com/shownotes/category/10/355/
    uInternet Connection Wizard,ShellNext = hxxp://www.dellnet.com/
    uInternet Settings,ProxyServer = 210.51.14.197:80
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    EB: {83B28A74-640D-48F4-9F51-E80EED7CC7E0} - No File
    uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
    mRun: [EEventManager] c:\progra~1\epsons~1\eventm~1\EEventManager.exe
    mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
    DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {0000000A-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmsp9dmo.cab
    DPF: {00000075-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxacm.CAB
    DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
    DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
    DPF: {42D06124-98A2-47EC-8098-3778B58CE7D5} - hxxps://actsvr.comcastonline.com/techtools/dl/Comcast%20Activation%20Controls.cab
    DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93}
    DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - hxxp://www.toolbar.google.com/data/GoogleActivate.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.adobe.com/pub/shockwave/cabs/flash/swflash.cab
    DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} - hxxp://zone.msn.com/binframework/v10/StProxy.cab41227.cab
    Notify: igfxcui - igfxsrvc.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\program files\qualcomm\eudora\EuShlExt.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\carr\applic~1\mozilla\firefox\profiles\gcruaftg.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://clarkhoward.com/shownotes/category/10/355/
    FF - plugin: c:\program files\mozilla firefox\plugins\NPMGWRAP.DLL
    FF - plugin: c:\program files\mozilla firefox\plugins\npvirtools.dll
    FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

    ============= SERVICES / DRIVERS ===============

    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-2-3 163280]
    R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-11-4 214664]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-1-5 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 74480]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-2-3 19024]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-2-3 40384]
    R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-7-3 359952]
    R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-11-4 144704]
    R2 wwEngineSvc;Window Washer Engine;c:\program files\webroot\washer\WasherSvc.exe [2009-3-11 598856]
    R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-2-3 40384]
    R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-2-3 40384]
    R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-11-4 79816]
    R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-11-4 35272]
    R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 7408]
    S0 Cdr4vsd;Cdr4vsd; [x]
    S2 PPSCAN;PPSCAN;c:\windows\system32\drivers\PPSCAN.SYS [2003-7-5 115136]
    S2 SMPCLS;SMPCLS; [x]
    S3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-11-4 606736]
    S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-11-4 34248]
    S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-11-4 40552]

    =============== Created Last 30 ================

    2010-02-07 04:46:13 77312 ----a-w- C:\mbr.exe
    2010-02-06 03:07:00 0 d-----w- c:\documents and settings\carr\DoctorWeb
    2010-02-06 02:36:17 0 d-sha-r- C:\cmdcons
    2010-02-06 02:35:04 98816 ----a-w- c:\windows\sed.exe
    2010-02-06 02:35:04 77312 ----a-w- c:\windows\MBR.exe
    2010-02-06 02:35:04 261632 ----a-w- c:\windows\PEV.exe
    2010-02-06 02:35:04 161792 ----a-w- c:\windows\SWREG.exe
    2010-02-06 02:10:03 0 d-----w- c:\program files\Trend Micro
    2010-02-05 15:56:53 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
    2010-02-05 15:56:31 0 d-----w- c:\program files\SUPERAntiSpyware
    2010-02-05 15:56:31 0 d-----w- c:\docume~1\carr\applic~1\SUPERAntiSpyware.com
    2010-02-05 15:55:42 0 d-----w- c:\program files\common files\Wise Installation Wizard
    2010-02-04 22:36:37 0 d-----w- c:\program files\Panda Security
    2010-02-03 21:51:01 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
    2010-02-03 21:16:15 0 d-----w- c:\docume~1\carr\applic~1\Malwarebytes
    2010-02-03 21:16:05 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-02-03 21:16:03 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2010-02-03 21:16:02 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-02-03 21:16:01 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-01-17 21:08:07 50672 ----a-w- C:\GDIPFONTCACHEV1.DAT

    ==================== Find3M ====================

    2009-12-21 13:19:18 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
    2009-12-17 22:14:00 411368 ----a-w- c:\windows\system32\deploytk.dll
    2009-11-21 15:51:04 471552 ----a-w- c:\windows\system32\dllcache\aclayers.dll

    ============= FINISH: 0:21:32.60 ===============


    And the attach log:



    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-12-01.01)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume2
    Install Date: 7/1/2003 8:23:13 PM
    System Uptime: 2/6/2010 8:57:35 PM (4 hours ago)

    Motherboard: Dell Computer Corporation | | 07W080
    Processor: Intel(R) Pentium(R) 4 CPU 2.20GHz | Socket 478 | 2192/400mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 29 GiB total, 8.62 GiB free.
    D: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID:
    Description: Ethernet Controller
    Device ID: PCI\VEN_11AB&DEV_1FAA&SUBSYS_1FAA11AB&REV_03\4&1A671D0C&0&20F0
    Manufacturer:
    Name: Ethernet Controller
    PNP Device ID: PCI\VEN_11AB&DEV_1FAA&SUBSYS_1FAA11AB&REV_03\4&1A671D0C&0&20F0
    Service:

    ==== System Restore Points ===================

    RP1560: 1/16/2010 1:17:46 AM - System Checkpoint
    RP1561: 1/17/2010 1:50:32 AM - System Checkpoint
    RP1562: 1/18/2010 3:01:53 AM - System Checkpoint
    RP1563: 1/19/2010 3:47:52 AM - System Checkpoint
    RP1564: 1/20/2010 4:47:55 AM - System Checkpoint
    RP1565: 1/20/2010 7:21:37 AM - Software Distribution Service 3.0
    RP1566: 1/21/2010 7:47:41 AM - System Checkpoint
    RP1567: 1/22/2010 7:26:15 AM - Software Distribution Service 3.0
    RP1568: 1/23/2010 7:44:10 AM - System Checkpoint
    RP1569: 1/24/2010 8:44:09 AM - System Checkpoint
    RP1570: 1/25/2010 8:56:41 AM - System Checkpoint
    RP1571: 1/26/2010 9:45:17 AM - System Checkpoint
    RP1572: 1/27/2010 9:58:59 AM - System Checkpoint
    RP1573: 1/28/2010 10:43:43 AM - System Checkpoint
    RP1574: 1/29/2010 11:43:43 AM - System Checkpoint
    RP1575: 1/30/2010 12:43:48 PM - System Checkpoint
    RP1576: 1/31/2010 1:43:40 PM - System Checkpoint
    RP1577: 2/1/2010 2:59:58 PM - System Checkpoint
    RP1578: 2/2/2010 4:54:54 PM - System Checkpoint
    RP1579: 2/2/2010 8:17:43 PM - Removed ABBYY FineReader 6.0 Sprint
    RP1580: 2/2/2010 8:20:13 PM - Removed Apple Software Update
    RP1581: 2/2/2010 8:24:25 PM - Removed Dell Solution Center
    RP1582: 2/2/2010 8:27:16 PM - Removed Google Earth.
    RP1583: 2/2/2010 8:36:01 PM - Removed Paint Shop Pro 7
    RP1584: 2/2/2010 8:39:17 PM - Removed Rhapsody Player Engine
    RP1585: 2/2/2010 8:40:04 PM - Removed Spelling Dictionaries Support For Adobe Reader 8
    RP1586: 2/3/2010 4:51:00 PM - avast! Free Antivirus Setup
    RP1587: 2/4/2010 10:00:42 PM - System Checkpoint
    RP1588: 2/5/2010 10:56:29 AM - Installed SUPERAntiSpyware Free Edition
    RP1589: 2/6/2010 2:35:32 PM - System Checkpoint
    RP1590: 2/6/2010 8:14:35 PM - Installed Java(TM) 6 Update 18
    RP1591: 2/6/2010 8:21:46 PM - Removed J2SE Runtime Environment 5.0 Update 4
    RP1592: 2/6/2010 8:40:26 PM - Removed J2SE Runtime Environment 5.0 Update 6
    RP1593: 2/6/2010 8:41:08 PM - Removed Java 2 Runtime Environment, SE v1.4.1_01

    ==== Installed Programs ======================


    µTorrent
    AAC Decoder
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 8.2.0
    Adobe Shockwave Player 11
    ArcSoft MediaImpression
    Audacity 1.2.3
    AutoUpdate
    avast! Free Antivirus
    AVIcodec (remove only)
    BACS
    Banctec Service Agreement
    BCM V.92 56K Modem
    BitTornado 0.3.18
    Broadcom Advanced Control Suite
    CaseLinr 5.5
    CD Wave Editor version 1.94
    Critical Update for Windows Media Player 11 (KB959772)
    Crystal Reports Basic Runtime for Visual Studio 2008
    DAO
    dBpowerAMP FLAC Codec
    dBpowerAMP Music Converter
    dBpowerAMP Shorten Codec
    Dell Support
    DivX Codec
    DivX Converter
    DivX Player
    DivX Plus DirectShow Filters
    DivX Version Checker
    DivX Web Player
    DP Editor Ver.1.0
    Epson Copy Utility 3.4
    Epson Event Manager
    EPSON Perfection V30/V300 Photo Scanner Driver Update
    EPSON Scan
    ESPN Java Check
    Eudora
    Exif Launcher Ver.1.1
    FinePixViewer Ver.1.1
    FLAC Installer 1.1.0m (remove only)
    FLV Player 1.3.3
    Forté Agent
    H.264 Decoder
    Help and Support Customization
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Intel(R) Extreme Graphics Driver
    Internet Explorer Q903235
    Java Auto Updater
    Java(TM) 6 Update 18
    Lexmark Supplies Monitor
    Lexmark Z55
    LiveUpdate
    Malwarebytes' Anti-Malware
    McAfee SecurityCenter
    Microsoft .NET Framework (English)
    Microsoft .NET Framework (English) v1.0.3705
    Microsoft .NET Framework 1.0 Hotfix (KB928367)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Access 2000 Runtime SR-1
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Data Access Components KB870669
    Microsoft Office 2000 SR-1 Professional
    Microsoft Silverlight
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    MKV Splitter
    Modem Helper
    Monkey's Audio
    Mozilla Firefox (3.6)
    Nero 6 Ultra Edition
    PartyCAD10
    QuickTime
    RealPlayer
    Security Update for CAPICOM (KB931906)
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Internet Explorer 8 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Media Player 9 (KB911565)
    Security Update for Windows Media Player 9 (KB917734)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950759)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953838)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956390)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958215)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960714)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB963027)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Spybot - Search & Destroy
    SUPERAntiSpyware Free Edition
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB969497)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    VC80CRTRedist - 8.0.50727.4053
    Viewpoint Media Player (Remove Only)
    VivTV
    WebFldrs XP
    WinAce Archiver 2.0
    Window Washer
    Windows Genuine Advantage v1.3.0254.0
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Media Player 9 Hotfix [See KB885492 for more information]
    Windows XP Service Pack 3
    WinRAR archiver
    Xvid 1.1.2 final uninstall
    YMPEG: Fast MPEG-1/2/VCD/SVCD Codec

    ==== Event Viewer Messages From Past Week ========

    2/6/2010 4:21:25 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
    2/6/2010 4:21:25 PM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    2/6/2010 4:18:05 PM, error: Service Control Manager [7031] - The McAfee Personal Firewall Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Run the configured recovery program.
    2/6/2010 4:18:04 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    2/6/2010 4:18:03 PM, error: Service Control Manager [7034] - The LexBce Server service terminated unexpectedly. It has done this 1 time(s).
    2/6/2010 4:18:03 PM, error: Service Control Manager [7034] - The ArcSoft Connect Daemon service terminated unexpectedly. It has done this 1 time(s).
    2/6/2010 4:15:52 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the McAfee SystemGuards service to connect.
    2/6/2010 4:15:52 PM, error: Service Control Manager [7000] - The McAfee SystemGuards service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    2/5/2010 9:30:15 PM, error: Service Control Manager [7031] - The McAfee SystemGuards service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    2/5/2010 9:29:48 PM, error: Service Control Manager [7031] - The McAfee Proxy Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    2/5/2010 9:29:09 PM, error: Service Control Manager [7031] - The McAfee SystemGuards service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    2/5/2010 4:37:14 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    2/5/2010 11:05:55 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service McNASvc with arguments "" in order to run the server: {24F616A1-B755-4053-8018-C3425DC8B68A}
    2/5/2010 11:05:11 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 AFD aswSP aswTdi Fips intelppm IPSec mfehidk MPFP MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL Tcpip WS2IFSL
    2/5/2010 11:05:11 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
    2/5/2010 11:05:11 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    2/5/2010 11:05:11 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    2/5/2010 11:05:11 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    2/5/2010 11:04:38 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    2/5/2010 11:04:26 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    2/4/2010 9:43:44 PM, error: Service Control Manager [7024] - The Java Quick Starter service terminated with service-specific error 1 (0x1).
    2/4/2010 9:43:43 PM, error: Service Control Manager [7031] - The McAfee Services service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    2/4/2010 9:43:43 PM, error: Service Control Manager [7031] - The McAfee Network Agent service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    2/3/2010 7:34:57 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
    2/3/2010 6:13:30 PM, error: Service Control Manager [7034] - The McAfee Real-time Scanner service terminated unexpectedly. It has done this 3 time(s).
    2/3/2010 6:03:56 PM, error: Service Control Manager [7031] - The McAfee Real-time Scanner service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    2/3/2010 5:56:46 PM, error: Service Control Manager [7031] - The McAfee Real-time Scanner service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    2/3/2010 10:00:46 AM, error: Service Control Manager [7034] - The Window Washer Engine service terminated unexpectedly. It has done this 1 time(s).
    2/2/2010 2:24:39 PM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the McAfee Real-time Scanner service, but this action failed with the following error: An instance of the service is already running.
    2/2/2010 2:22:52 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the AudioSrv service.

    ==== End Of File ===========================

    And here is the most recent mbr.log:


    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    kernel: MBR read successfully
    user & kernel MBR OK
    copy of MBR has been found in sector 0x03944E1A
    malicious code @ sector 0x03944E1D !
    PE file found in sector at 0x03944E33 !
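The mbr.log above is the one artifact in this thread that the file scanners could not have produced. The tool reads the MBR through two paths (a user-mode read and a kernel-mode read) and finds them consistent, but then locates a stored copy of the MBR three sectors before a block of code, and a PE image a few sectors after that, all in raw sectors far past the partition table. That is the on-disk layout the Sinowal/Mebroot detector is built to find, and it is why a clean result from Kaspersky, Dr.Web, McAfee and SUPERAntiSpyware does not contradict this log: none of them read unallocated sectors. The Python below is an added example, not part of the thread and not Gmer's code. It re-implements the offline part of that check against a constructed disk image: parse sector 0, walk the remaining sectors for a duplicate of the bootstrap code, flag sectors that begin with a PE header, and record which hits lie outside every partition. Assumptions: the user/kernel comparison cannot be reproduced without a live Windows kernel and is left out; the PE test only inspects the first sector of a header; the image layout (one partition at sectors 8-23, an MBR copy at 0x1A, a PE header at 0x33) is made up for the demo.

```python
"""Added example (not from the thread, not Gmer's mbr.exe): the offline checks
behind 'copy of MBR has been found' / 'PE file found in sector', run against a
constructed raw disk image."""
import struct

SECTOR = 512
CODE_LEN = 440                 # bootstrap code; disk signature and partition table follow
BOOT_SIG = b"\x55\xaa"


def parse_mbr(sector0: bytes) -> dict:
    """Split an MBR sector into its bootstrap code and the non-empty partition entries."""
    if len(sector0) != SECTOR or sector0[510:512] != BOOT_SIG:
        raise ValueError("sector 0 lacks the 0x55AA boot signature")
    partitions = []
    for i in range(4):
        entry = sector0[446 + 16 * i: 446 + 16 * i + 16]
        ptype = entry[4]
        if ptype == 0:
            continue
        lba_start, count = struct.unpack_from("<II", entry, 8)
        partitions.append({"bootable": entry[0] == 0x80, "type": ptype,
                           "start": lba_start, "end": lba_start + count - 1})
    return {"code": sector0[:CODE_LEN], "partitions": partitions}


def in_partition(lba: int, partitions: list) -> bool:
    """True if the sector belongs to some partition. A copy of the MBR or a PE
    image in sectors no partition owns is the suspicious case."""
    return any(p["start"] <= lba <= p["end"] for p in partitions)


def looks_like_pe(sector: bytes) -> bool:
    """One-sector PE check: 'MZ' at offset 0 and e_lfanew pointing at 'PE\\0\\0'
    inside the same sector (a driver's headers fit in the first 512 bytes)."""
    if len(sector) < 0x40 or sector[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", sector, 0x3C)[0]
    return e_lfanew + 4 <= len(sector) and sector[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def scan_image(image: bytes) -> dict:
    """Walk every sector after 0 and record what mbr.exe reports: sectors that
    duplicate the MBR, sectors that start with a PE header, and which of those
    hits sit outside every partition."""
    mbr = parse_mbr(image[:SECTOR])
    found = {"mbr_copy": [], "pe_sectors": [], "outside_partitions": []}
    for n in range(1, len(image) // SECTOR):
        s = image[n * SECTOR:(n + 1) * SECTOR]
        hit = False
        if s[:CODE_LEN] == mbr["code"] and s[510:512] == BOOT_SIG:
            found["mbr_copy"].append(n)
            hit = True
        if looks_like_pe(s):
            found["pe_sectors"].append(n)
            hit = True
        if hit and not in_partition(n, mbr["partitions"]):
            found["outside_partitions"].append(n)
    return found


def report(found: dict) -> list:
    """Render the findings in the same style as the mbr.log lines in the thread."""
    lines = [f"copy of MBR has been found in sector 0x{n:08X}" for n in found["mbr_copy"]]
    lines += [f"PE file found in sector at 0x{n:08X} !" for n in found["pe_sectors"]]
    lines += [f"sector 0x{n:08X} is outside every partition !" for n in found["outside_partitions"]]
    return lines


def build_sample_image() -> bytes:
    """Constructed 64-sector image (no real malware): a plain MBR with one partition
    at sectors 8-23, the MBR duplicated at sector 0x1A and a bare PE header at
    sector 0x33, both past the partition, mirroring the thread's log."""
    code = (b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" * 8).ljust(CODE_LEN, b"\x90")
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 8, 16)
    mbr = code + b"\x00" * 6 + entry + b"\x00" * 48 + BOOT_SIG   # 440+6+16+48+2 = 512
    pe = bytearray(SECTOR)
    pe[:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x80)
    pe[0x80:0x84] = b"PE\x00\x00"
    image = bytearray(SECTOR * 64)
    image[0:SECTOR] = mbr
    image[0x1A * SECTOR:0x1B * SECTOR] = mbr
    image[0x33 * SECTOR:0x34 * SECTOR] = pe
    return bytes(image)


if __name__ == "__main__":
    for line in report(scan_image(build_sample_image())):
        print(line)
```

On a real machine the same scan runs over a dd image or a read-only open of the physical drive; the point of the "outside every partition" column is that a stored MBR plus a PE image in sectors no file system owns is what distinguishes an MBR rootkit from a stray file, and it is also why deleting files cannot clean it.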
     
  2. 2010/02/07
    Admin.

    Admin. Administrator Administrator Staff

    Joined:
    2001/12/30
    Messages:
    6,687
    Likes Received:
    107
    I see you have P2P software (Azureus, Limewire, BitTorrent, uTorrent etc.) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

    Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares and their infections.

    References for the risk of these programs are here, and here.

    I would strongly recommend that you uninstall them.

    Note: Please be advised that continued use of these programs after being warned of the danger of infections from them, may result in the discontinued help of future cleaning of your system here at WindowsBBS Malware and Virus removal.

    A Malware expert will have a look at your log in due course.
     

  4. 2010/02/07
    ga5150

    ga5150 Inactive Thread Starter

    Joined:
    2010/02/05
    Messages:
    17
    Likes Received:
    0
    I removed the P2P programs this morning.
     
  5. 2010/02/07
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    You're running two AV programs, Avast and McAfee.
    One of them has to go.
    Before you do anything, let me know, which one you want to keep (my vote goes for Avast).
     
  6. 2010/02/07
    ga5150

    ga5150 Inactive Thread Starter

    Joined:
    2010/02/05
    Messages:
    17
    Likes Received:
    0
    I will gladly keep whatever you recommend, so Avast it is. McAfee came free with Comcast so that's why it is there. I added the Avast a few days ago after reading that it was recommended in another thread.
     
  7. 2010/02/07
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Uninstall McAfee using Add\Remove and then use McAfee Consumer Product Removal Tool: http://www.softpedia.com/get/Tweak/Uninstallers/McAfee-Consumer-Product-Removal-Tool.shtml

    When done....

    Please download ComboFix from Here or Here to your Desktop.


    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Please, never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!


    Download HijackThis:
    http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
    by clicking on Installer under Version 2.0.2
    [DO NOT download version 2.0.3 (beta)]
    Install, and run it.
    Post HijackThis log.
    Do NOT attempt to fix anything!

    NOTE. If you're using Vista, or 7, right click on HijackThis, and click Run as Administrator
     
  8. 2010/02/07
    ga5150

    ga5150 Inactive Thread Starter

    Joined:
    2010/02/05
    Messages:
    17
    Likes Received:
    0
    Quick question - I'm to remove everything related to McAfee, right? It comes up as Security Center and asks if I want to remove all items such as Virus Scan, Personal Firewall, Backup/Restore etc.

    I just wanted to make sure whether to dump all this, or just the AV part.
     
  9. 2010/02/07
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Remove all of it.
    Afterwards, make sure, Windows firewall is up.
     
  10. 2010/02/07
    ga5150

    ga5150 Inactive Thread Starter

    Joined:
    2010/02/05
    Messages:
    17
    Likes Received:
    0
    Combo Fix Log


    ComboFix 10-02-07.05 - Carr 02/07/2010 17:19:20.2.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.638.408 [GMT -5:00]
    Running from: c:\documents and settings\Carr\Desktop\ComboFix.exe
    AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .

    ((((((((((((((((((((((((( Files Created from 2010-01-07 to 2010-02-07 )))))))))))))))))))))))))))))))
    .

    2010-02-07 04:46 . 2010-02-07 04:46 77312 ----a-w- C:\mbr.exe
    2010-02-07 01:16 . 2010-02-07 01:16 348160 ----a-w- c:\documents and settings\Carr\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1002955a-n\msvcr71.dll
    2010-02-07 01:16 . 2010-02-07 01:16 61440 ----a-w- c:\documents and settings\Carr\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-3538bd1e-n\decora-sse.dll
    2010-02-07 01:16 . 2010-02-07 01:16 503808 ----a-w- c:\documents and settings\Carr\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1002955a-n\msvcp71.dll
    2010-02-07 01:16 . 2010-02-07 01:16 499712 ----a-w- c:\documents and settings\Carr\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1002955a-n\jmc.dll
    2010-02-07 01:16 . 2010-02-07 01:16 12800 ----a-w- c:\documents and settings\Carr\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-3538bd1e-n\decora-d3d.dll
    2010-02-06 03:07 . 2010-02-06 15:23 -------- d-----w- c:\documents and settings\Carr\DoctorWeb
    2010-02-06 02:10 . 2010-02-06 02:10 -------- d-----w- c:\program files\Trend Micro
    2010-02-05 16:05 . 2010-02-05 16:05 52224 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-02-05 16:05 . 2010-02-05 16:05 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-02-05 16:04 . 2010-02-05 16:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
    2010-02-05 16:04 . 2010-02-05 16:04 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
    2010-02-05 16:04 . 2003-06-17 13:29 36256 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-02-05 15:57 . 2010-02-05 15:57 52224 ----a-w- c:\documents and settings\Carr\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-02-05 15:57 . 2010-02-05 15:57 117760 ----a-w- c:\documents and settings\Carr\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-02-05 15:56 . 2010-02-05 15:56 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2010-02-05 15:56 . 2010-02-05 15:56 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-02-05 15:56 . 2010-02-05 15:56 -------- d-----w- c:\documents and settings\Carr\Application Data\SUPERAntiSpyware.com
    2010-02-05 15:55 . 2010-02-05 15:55 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2010-02-04 22:36 . 2010-02-05 15:50 -------- d-----w- c:\program files\Panda Security
    2010-02-03 21:56 . 2010-01-28 21:54 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-02-03 21:56 . 2010-01-28 21:57 163280 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-02-03 21:56 . 2010-01-28 21:54 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-02-03 21:56 . 2010-01-28 21:57 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-02-03 21:56 . 2010-01-28 21:54 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-02-03 21:56 . 2010-01-28 21:54 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-02-03 21:56 . 2010-01-28 21:53 28240 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-02-03 21:52 . 2010-01-28 22:09 38848 ----a-w- c:\windows\system32\avastSS.scr
    2010-02-03 21:52 . 2010-01-28 22:09 152672 ----a-w- c:\windows\system32\aswBoot.exe
    2010-02-03 21:51 . 2010-02-03 21:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
    2010-02-03 21:51 . 2010-02-03 21:51 -------- d-----w- c:\program files\Alwil Software
    2010-02-03 21:16 . 2010-02-03 21:16 -------- d-----w- c:\documents and settings\Carr\Application Data\Malwarebytes
    2010-02-03 21:16 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-02-03 21:16 . 2010-02-03 21:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-02-03 21:16 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-02-03 21:16 . 2010-02-03 21:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-02-02 19:08 . 2003-06-17 13:17 -------- d-----w- c:\documents and settings\HelpAssistant\WINDOWS
    2010-02-02 19:08 . 2010-02-04 00:37 -------- d-----w- c:\documents and settings\HelpAssistant
    2010-01-17 21:08 . 2010-01-17 21:08 50672 ----a-w- C:\GDIPFONTCACHEV1.DAT

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-02-07 22:16 . 2003-09-04 23:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-02-07 15:41 . 2007-12-24 04:41 -------- d-----w- c:\program files\uTorrent
    2010-02-07 15:19 . 2007-12-24 04:41 -------- d-----w- c:\documents and settings\Carr\Application Data\uTorrent
    2010-02-07 01:40 . 2005-08-25 22:56 -------- d-----w- c:\program files\Common Files\Java
    2010-02-07 01:40 . 2003-09-07 01:04 -------- d-----w- c:\program files\Java
    2010-02-03 01:46 . 2010-01-06 04:35 -------- d-----w- c:\program files\WinFamily 2009
    2010-02-03 01:39 . 2003-06-17 13:27 -------- d-----w- c:\program files\Real
    2010-02-03 01:38 . 2003-06-17 13:17 -------- d-----w- c:\program files\QUICKENW
    2010-02-03 01:36 . 2003-06-17 13:17 -------- d-----w- c:\program files\Dell Computer
    2010-02-01 19:28 . 2003-08-03 03:30 -------- d-----w- c:\program files\Agent
    2010-01-26 23:14 . 2008-02-28 13:53 -------- d-----w- c:\program files\Common Files\Adobe
    2010-01-22 19:40 . 2008-09-13 01:24 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-01-10 00:51 . 2003-07-02 00:24 50672 -c--a-w- c:\documents and settings\Carr\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-01-07 22:11 . 2004-08-22 18:44 -------- d-----w- c:\program files\Monkey's Audio
    2010-01-06 23:19 . 2010-01-06 23:19 -------- d-----w- c:\program files\MSBuild
    2010-01-06 23:18 . 2010-01-06 23:18 -------- d-----w- c:\program files\Reference Assemblies
    2010-01-06 04:35 . 2010-01-06 04:35 -------- d-----w- c:\documents and settings\Carr\Application Data\Win Family
    2010-01-06 04:33 . 2010-01-06 04:33 -------- d-----w- c:\program files\Business Objects
    2009-12-21 19:14 . 2005-06-18 03:49 916480 ------w- c:\windows\system32\wininet.dll
    2009-12-17 22:14 . 2008-11-30 03:39 411368 ----a-w- c:\windows\system32\deploytk.dll
    2009-11-21 15:51 . 2002-08-29 10:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
    2009-09-25 16:41 . 2009-09-25 16:41 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
    2009-09-25 16:41 . 2009-09-25 16:41 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SUPERAntiSpyware "= "c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-05 2002160]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "EEventManager "= "c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2008-05-07 591696]
    "ArcSoft Connection Service "= "c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2008-04-17 98616]
    "Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 40368]
    "Adobe ARM "= "c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
    "avast5 "= "c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-01-28 2757512]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{EDB0E980-90BD-11D4-8599-0008C7D3B6F8} "= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 86016]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk
    backup=c:\windows\pss\Exif Launcher.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Carr^Start Menu^Programs^Startup^Kremlin Sentry.lnk]
    path=c:\documents and settings\Carr\Start Menu\Programs\Startup\Kremlin Sentry.lnk
    backup=c:\windows\pss\Kremlin Sentry.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2009-12-18 13:58 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
    2003-02-24 23:34 122880 -c--a-w- c:\windows\BCMSMMSG.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BTCLiveUpdate]
    2004-03-08 17:50 430080 ----a-w- c:\program files\LiveUpdate\LiveUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:12 15360 ------w- c:\windows\SYSTEM32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
    2005-06-22 03:44 126976 ----a-w- c:\windows\SYSTEM32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
    2005-06-22 03:48 155648 ----a-w- c:\windows\SYSTEM32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2001-07-09 15:50 155648 -c--a-w- c:\windows\SYSTEM32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2008-09-06 19:09 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "ERSvc "=2 (0x2)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "7101:TCP "= 7101:TCP:BitComet 7101 TCP
    "7101:UDP "= 7101:UDP:BitComet 7101 UDP
    "65533:TCP "= 65533:TCP:Services
    "52344:TCP "= 52344:TCP:Services
    "3246:TCP "= 3246:TCP:Services
    "2479:TCP "= 2479:TCP:Services
    "3389:TCP "= 3389:TCP:Remote Desktop

    R1 aswSP;aswSP;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [2/3/2010 4:56 PM 163280]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 74480]
    R2 aswFsBlk;aswFsBlk;c:\windows\SYSTEM32\DRIVERS\aswFsBlk.sys [2/3/2010 4:56 PM 19024]
    R2 wwEngineSvc;Window Washer Engine;c:\program files\Webroot\Washer\WasherSvc.exe [3/11/2009 7:04 PM 598856]
    R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 7408]
    S0 Cdr4vsd;Cdr4vsd; [x]
    S2 PPSCAN;PPSCAN;c:\windows\SYSTEM32\DRIVERS\PPSCAN.SYS [7/5/2003 3:08 PM 115136]
    S2 SMPCLS;SMPCLS; [x]
    .
    Contents of the 'Scheduled Tasks' folder

    2003-07-02 c:\windows\Tasks\ISP signup reminder 1.job
    - c:\windows\System32\OOBE\OOBEBALN.EXE [2002-08-29 00:12]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://clarkhoward.com/shownotes/category/10/355/
    uInternet Connection Wizard,ShellNext = hxxp://www.dellnet.com/
    uInternet Settings,ProxyServer = 210.51.14.197:80
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    DPF: {42D06124-98A2-47EC-8098-3778B58CE7D5} - hxxps://actsvr.comcastonline.com/techtools/dl/Comcast%20Activation%20Controls.cab
    FF - ProfilePath - c:\documents and settings\Carr\Application Data\Mozilla\Firefox\Profiles\gcruaftg.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://clarkhoward.com/shownotes/category/10/355/
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMGWRAP.DLL
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npvirtools.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
    .
    - - - - ORPHANS REMOVED - - - -

    SafeBoot-MCODS
    MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-02-07 17:27
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(2568)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2010-02-07 17:31:46
    ComboFix-quarantined-files.txt 2010-02-07 22:31

    Pre-Run: 9,379,844,096 bytes free
    Post-Run: 9,445,347,328 bytes free

    - - End Of File - - F7D3F4BDDB79B87A1BF828126F098ABA
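Two settings in the ComboFix output above deserve more attention than the canned instructions give them, and both are the kind of thing a responder reads before running yet another scanner. The first is the IE proxy, uInternet Settings,ProxyServer = 210.51.14.197:80: every WinINet request, including the eBay/PayPal logins that started this thread, is routed through whatever sits at that address. The second is the Windows Firewall GloballyOpenPorts list, which still carries four inbound exceptions labelled only "Services" plus the BitComet ports from the P2P software that was just uninstalled; once McAfee's firewall is gone and the Windows firewall comes up, as advised above, those exceptions are the ones that become live. The Python below is an added example, not part of the thread and not ComboFix's own code: it pulls those values and the SecurityProviders list out of a ComboFix-style log and flags a proxy outside private address space, generic-named port exceptions, and any SSPI provider beyond the four Windows XP ships with (msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll; that default list is my assumption and should be checked against a known-clean XP install). The sample input is excerpted from the log posted above. A non-default provider such as zwebauth.dll is a "go identify this file and its publisher" item, not a verdict.

```python
"""Added example (not from the thread, not ComboFix): triage of the proxy,
firewall-exception and SecurityProviders lines in a ComboFix report."""
import ipaddress
import re

# Excerpt of the ComboFix output posted in this thread, trimmed to the lines
# these checks read. ComboFix writes 'hxxp' for 'http' so URLs are not clickable.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7101:TCP"= 7101:TCP:BitComet 7101 TCP
"7101:UDP"= 7101:UDP:BitComet 7101 UDP
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop

uStart Page = hxxp://clarkhoward.com/shownotes/category/10/355/
uInternet Settings,ProxyServer = 210.51.14.197:80
"""

# Assumption: the SSPI providers a stock Windows XP registers. Anything else is
# non-default and needs identifying; it is not automatically malicious.
XP_DEFAULT_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}

PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)\s*"\s*=\s*\d+:(?:TCP|UDP):(.*)$')
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(\S+)")
PROVIDERS_RE = re.compile(r"^SecurityProviders\s+(.*)$")


def parse_open_ports(log: str) -> list:
    """Firewall exceptions from the GloballyOpenPorts section: port, protocol, label."""
    ports = []
    for line in log.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            ports.append({"port": int(m.group(1)), "proto": m.group(2),
                          "name": m.group(3).strip()})
    return ports


def parse_proxy(log: str):
    """The raw ProxyServer value, or None when no fixed proxy is configured."""
    m = PROXY_RE.search(log)
    return m.group(1) if m else None


def parse_security_providers(log: str) -> list:
    """DLL names from the SecurityProviders value, lower-cased."""
    for line in log.splitlines():
        m = PROVIDERS_RE.match(line.strip())
        if m:
            return [p.strip().lower() for p in m.group(1).split(",")]
    return []


def proxy_is_suspicious(proxy) -> bool:
    """A fixed proxy pointing outside loopback/private space sends every IE request
    through a third party. Handles both 'host:port' and 'http=host:port;...' forms;
    a hostname cannot be judged offline, so it is surfaced for manual review."""
    if not proxy:
        return False
    first = proxy.split(";")[0]
    if "=" in first:
        first = first.split("=", 1)[1]
    host = first.rsplit(":", 1)[0]
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return True


def triage(log: str) -> dict:
    """Collect the findings a responder would act on from one ComboFix log."""
    findings = {}
    proxy = parse_proxy(log)
    if proxy_is_suspicious(proxy):
        findings["proxy"] = proxy
    generic = [p for p in parse_open_ports(log) if p["name"].lower() == "services"]
    if generic:
        findings["generic_open_ports"] = sorted((p["port"], p["proto"]) for p in generic)
    extra = [p for p in parse_security_providers(log) if p not in XP_DEFAULT_PROVIDERS]
    if extra:
        findings["non_default_security_providers"] = extra
    return findings


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The proxy lives at HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings, ProxyServer (the same value the HijackThis R1 line reports), and clearing it is a one-line fix; do it as part of the cleanup rather than ahead of it, because whatever wrote it can write it again while the machine is still infected.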
     
  11. 2010/02/07
    ga5150

    ga5150 Inactive Thread Starter

    Joined:
    2010/02/05
    Messages:
    17
    Likes Received:
    0
    HiJack This log



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:39:25 PM, on 2/7/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Webroot\Washer\WasherSvc.exe
    C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://clarkhoward.com/shownotes/category/10/355/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 210.51.14.197:80
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [EEventManager] C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
    O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    O16 - DPF: {42D06124-98A2-47EC-8098-3778B58CE7D5} (SupportSoft External Control) - https://actsvr.comcastonline.com/techtools/dl/Comcast Activation Controls.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) -
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://www.toolbar.google.com/data/GoogleActivate.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.adobe.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
    O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

    --
    End of file - 5332 bytes
     
  12. 2010/02/07
    ga5150

    ga5150 Inactive Thread Starter

    Joined:
    2010/02/05
    Messages:
    17
    Likes Received:
    0
    I posted the logs you requested a while back, but it told me the posts had to be approved by a moderator. Just didn't want you to think I had vanished....
     
  13. 2010/02/07
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    I only received the email notification just now (?), so hold on there while I review the logs.
     
  14. 2010/02/07
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Download the MBR Rootkit Detector: http://www2.gmer.net/mbr/mbr.exe to your desktop.

    * Double-click mbr.exe and follow the prompts.
    * A black DOS window will quickly appear then disappear.
    * When mbr.exe is finished it will create a log on your desktop.
    * Copy and paste contents of that log (mbr.log) file to your next reply.
     
  15. 2010/02/07
    ga5150

    ga5150 Inactive Thread Starter

    Joined:
    2010/02/05
    Messages:
    17
    Likes Received:
    0
    mbr log

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    kernel: MBR read successfully
    user & kernel MBR OK
    copy of MBR has been found in sector 0x03944E1A
    malicious code @ sector 0x03944E1D !
    PE file found in sector at 0x03944E33 !
     
  16. 2010/02/07
    ga5150

    ga5150 Inactive Thread Starter

    Joined:
    2010/02/05
    Messages:
    17
    Likes Received:
    0
    Sorry about the duplicate posts of mbr log. I didn't think they went through.
     
  17. 2010/02/07
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Go Start>Run, type in:
    cmd
    Click OK.

    At the DOS prompt type:
    mbr.exe -f (<------make sure you have a space before the -f)
    Hit Enter.

    Type:
    exit
    Hit Enter.

    Restart the computer normally.

    Run the mbr.exe again.
    Post new log.
     
  18. 2010/02/07
    ga5150

    ga5150 Inactive Thread Starter

    Joined:
    2010/02/05
    Messages:
    17
    Likes Received:
    0
    New mbr log

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    kernel: MBR read successfully
    user & kernel MBR OK
    copy of MBR has been found in sector 0x03944E1A
    malicious code @ sector 0x03944E1D !
    PE file found in sector at 0x03944E33 !
     
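    The three findings in the mbr.log above (the boot sector reads fine through both the user-mode and the kernel path, a verbatim copy of the MBR sits in a later sector, and a PE image sits near it) are the classic footprint of a bootkit that moved the original boot sector aside. The following Python script is an added example for readers of this thread; it is not part of the thread and not Gmer's mbr.exe, whose actual heuristics are not documented here. It builds a small disk image inline (constructed test data), parses the MBR and its partition table, looks for copies of sector 0 elsewhere on the disk, and flags PE headers found outside every partition, where no executable should live. The prologue bytes and the "PE outside any partition is suspicious" rule are simplified assumptions.

```python
"""Offline MBR triage on a raw disk image (added example, not part of the
thread or of Gmer's mbr.exe).  It mirrors the findings in the mbr.log above:
the boot sector itself, verbatim copies of it elsewhere on the disk, and PE
images sitting outside any partition.  The disk image is constructed inline;
the heuristics are simplified assumptions."""
import struct

SECTOR = 512
BOOT_SIGNATURE = b"\x55\xAA"


def parse_mbr(sector: bytes) -> dict:
    """Return the boot-signature check and the non-empty primary partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    parts = []
    for i in range(4):
        entry = sector[446 + 16 * i: 446 + 16 * (i + 1)]
        # boot flag, 3-byte CHS start, type, 3-byte CHS end, LBA start, sector count
        boot_flag, ptype, lba_start, num_sectors = struct.unpack_from("<B3xB3xII", entry)
        if ptype != 0:
            parts.append({"bootable": boot_flag == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": num_sectors})
    return {"signature_ok": sector[510:512] == BOOT_SIGNATURE, "partitions": parts}


def sectors(image: bytes):
    """Yield (sector number, 512-byte slice) for every whole sector in the image."""
    for n in range(len(image) // SECTOR):
        yield n, image[n * SECTOR:(n + 1) * SECTOR]


def in_partition(lba: int, partitions) -> bool:
    return any(p["lba_start"] <= lba < p["lba_start"] + p["sectors"] for p in partitions)


def find_mbr_copies(image: bytes) -> list:
    """Sectors other than 0 whose content equals sector 0.  A bootkit that
    hijacks the MBR commonly stashes the original boot sector elsewhere so it
    can chain-load it; such a copy is what the log above reports."""
    mbr = image[:SECTOR]
    return [n for n, s in sectors(image) if n != 0 and s == mbr]


def find_pe_sectors(image: bytes, partitions) -> list:
    """Sectors that begin with a well-formed PE image (MZ stub whose e_lfanew
    points at a 'PE\\0\\0' header inside the sector), flagged with whether they
    lie outside every partition.  Inside a partition that is ordinary file
    content; outside, it is unallocated space where no executable belongs."""
    hits = []
    for n, s in sectors(image):
        if s[:2] != b"MZ":
            continue
        e_lfanew = struct.unpack_from("<I", s, 0x3C)[0]
        if e_lfanew + 4 <= SECTOR and s[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            hits.append({"sector": n, "unallocated": not in_partition(n, partitions)})
    return hits


def compare_views(user_view: bytes, kernel_view: bytes) -> bool:
    """mbr.exe reads the MBR through the normal user-mode path and again at
    kernel level; a rootkit that filters disk reads makes the two differ."""
    return user_view == kernel_view


def build_image() -> bytes:
    """Constructed 64-sector disk: one partition at LBA 8..47, a copy of the
    MBR in unallocated sector 50, a PE stub in unallocated sector 54 and a
    second PE stub in sector 20 (inside the partition, i.e. a normal file)."""
    mbr = bytearray(SECTOR)
    # typical boot-code prologue: xor ax,ax / mov ss,ax / mov sp,7C00h / sti
    mbr[:8] = b"\x33\xC0\x8E\xD0\xBC\x00\x7C\xFB"
    struct.pack_into("<B3xB3xII", mbr, 446, 0x80, 0x07, 8, 40)  # bootable NTFS partition
    mbr[510:512] = BOOT_SIGNATURE
    pe = bytearray(SECTOR)
    pe[:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x80)  # e_lfanew -> PE header at offset 0x80
    pe[0x80:0x84] = b"PE\0\0"
    img = bytearray(64 * SECTOR)
    img[0:SECTOR] = mbr
    img[20 * SECTOR:21 * SECTOR] = pe
    img[50 * SECTOR:51 * SECTOR] = mbr
    img[54 * SECTOR:55 * SECTOR] = pe
    return bytes(img)


def triage(image: bytes) -> dict:
    """Summarise the checks a defender would want from a raw image."""
    info = parse_mbr(image[:SECTOR])
    return {
        "signature_ok": info["signature_ok"],
        "partitions": info["partitions"],
        "mbr_copies": find_mbr_copies(image),
        "pe_outside_partitions": [h["sector"] for h in
                                  find_pe_sectors(image, info["partitions"]) if h["unallocated"]],
    }


if __name__ == "__main__":
    for key, value in triage(build_image()).items():
        print(f"{key}: {value}")
```

    On the constructed image the script reports sector 50 as an MBR copy and sector 54 as a PE image outside any partition, while the PE stub in sector 20 is ignored because it lies inside the partition. On a real disk the same scan would be run over an image taken with a raw-read tool, and a hit outside all partitions is the cue to compare the found copy with sector 0, which is what the `mbr.exe -f` step in this thread relies on when it restores the boot sector.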
  19. 2010/02/07
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Download RootRepeal.zip (Mirror1, Mirror2) and unzip it to your Desktop.
    • Double click RootRepeal.exe to start the program
    • Click on the Report tab at the bottom of the program window
    • Click the Scan button
    • In the Select Scan dialog, check:
      • Drivers
      • Files
      • Processes
      • SSDT
      • Stealth Objects
      • Hidden Services
    • Click the OK button
    • In the next dialog, select all drives showing
    • Click OK to start the scan
      Note: The scan can take some time. DO NOT run any other programs while the scan is running
    • When the scan is complete, the Save Report button will become available
    • Click this and save the report to your Desktop as RootRepeal.txt
    • Go to File, then Exit to close the program
    Open RootRepeal.txt file with Notepad, copy, and paste all content into your next reply.



    If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.
     
  20. 2010/02/07
    ga5150

    ga5150 Inactive Thread Starter

    Joined:
    2010/02/05
    Messages:
    17
    Likes Received:
    0
    When I run the root repeal program, before anything starts it throws up an error message that says: Error Invalid PE Image Found!

    Should I just click ok and continue?
     
  21. 2010/02/07
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    .....
     
