Problem With Trojan-aax5
SuperDave:
We will clear your Restore points when I'm satisfied that the computer is clean just in case something is hiding there. Please be very careful when in the Registry that you don't change anything.
Registry cleaners (Eusing Free Registry Cleaner) are extremely powerful applications and their potential for harming your OS far outweighs any small potential for improving your computer's performance.
There are a number of them available and some are more safe than others. Keep in mind that no two registry cleaners work entirely the same way. Each vendor uses different criteria as to what constitutes a "bad" entry. One cleaner may find entries on your system that will not cause a problem when removed, another may not find the same entries, and still another may want to remove entries required for a program to work. Without research into what the registry entry selected for deletion is, a registry cleaner can end up being an automated method to cause problems with the registry.
For routine use by those not familiar with the registry, the benefits to your computer are negligible while the potential risks are great.
Further reading: XP Fixes Myth #1: Registry Cleaners
***************************************
Please go to Jotti's malware scan
(If more than one file needs to be scanned, each must be done separately and a link posted for each one)
* Copy the file path in the below Code box:
--- Code: ---
c:\windows\REGBK00.ZIP
c:\windows\system32\eEmpty.exe
--- End code ---
* At the upload site, click once inside the window next to Browse.
* Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
* Next click Submit file
* Your file will possibly be entered into a queue which normally takes less than a minute to clear.
* This will perform a scan across multiple different virus scanning engines.
* Important: Wait for all of the scanning engines to complete.
* Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.
**********************************
Re-running ComboFix to remove infections:
* Close any open browsers.
* Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.
* Open Notepad and copy/paste the text in the quote box below into it:
--- Quote ---
KillAll::
File::
c:\windows\logo1_.exe
c:\windows\system32\runouce.exe
c:\windows\RUNDL132.EXE
c:\windows\logo_1.exe
c:\windows\VDLL.DLL
c:\windows\system32\T.COM
c:\windows\R.COM
Folder::
c:\windows\system32\T.COM
c:\windows\R.COM
DDS::
FF - prefs.js: keyword.URL - hxxp://start.facemoods.com/results.php?f=5&a=wbst&q=
--- End quote ---
* Save this as CFScript.txt, in the same location as ComboFix.exe
* Referring to the picture above, drag CFScript into ComboFix.exe
* When finished, it shall produce a log for you at C:\ComboFix.txt
* Please post the contents of the log in your next reply.
************************************
* Download the following tool: RootRepeal - Rootkit Detector
* Direct download link is here: RootRepeal.zip
* Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
* Click this link to see a list of such programs and how to disable them.
* Extract the program file to a new folder such as C:\RootRepeal
* Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button.
* Select ALL of the checkboxes and then click OK and it will start scanning your system.
* If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
* When done, click on Save Report
* Save it to the same location where you ran it from, such as C:\RootRepeal
* Save it as rootrepeal.txt
* Then open that log and select all and copy/paste it back on your next reply please.
* Close RootRepeal.
PixelOz:
Here are the addresses of the first two files scans:
http://virusscan.jotti.org/en/scanresult/e6852ba9f5888fca2f933434f3accef4b4eb4b49
http://virusscan.jotti.org/en/scanresult/b1128c2f49b2d1c2543fc22ed0c1b2aba36b7255/150ad70df8416dd28bc88abe502f9a8fea5a6d98
Here is the new ComboFix log:
ComboFix 10-09-03.02 - Gladimir 09/04/2010 7:35.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1012.530 [GMT -3:00]
Running from: c:\documents and settings\Gladimir\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Gladimir\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Webroot AntiVirus with Spy Sweeper *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}
FILE ::
"c:\windows\logo_1.exe"
"c:\windows\logo1_.exe"
"c:\windows\R.COM"
"c:\windows\RUNDL132.EXE"
"c:\windows\system32\runouce.exe"
"c:\windows\system32\T.COM"
"c:\windows\VDLL.DLL"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\R.COM
c:\windows\system32\T.COM
.
((((((((((((((((((((((((( Files Created from 2010-08-04 to 2010-09-04 )))))))))))))))))))))))))))))))
.
2010-09-03 04:28 . 2010-09-03 04:28 -------- d-----w- c:\documents and settings\Gladimir\Application Data\Artweaver
2010-09-03 04:28 . 2010-09-03 04:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Artweaver
2010-09-01 20:47 . 2010-09-01 20:47 -------- d-----w- c:\documents and settings\Gladimir\Application Data\Malwarebytes
2010-09-01 17:37 . 2010-09-01 17:37 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2010-09-01 17:35 . 2010-09-03 01:50 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-08-31 19:09 . 2010-08-31 19:10 -------- d-----w- c:\documents and settings\All Users\Application Data\MicroWorld
2010-08-31 18:59 . 2010-08-31 19:05 -------- d-----w- c:\documents and settings\Gladimir\Application Data\Download Manager
2010-08-30 22:11 . 2010-08-30 22:12 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{966933BB-610A-4824-8F02-D3D944597816}
2010-08-30 20:31 . 2010-08-30 20:31 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2010-08-30 05:16 . 2010-09-04 08:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Webroot
2010-08-30 04:58 . 2010-08-30 04:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-08-28 19:02 . 2010-08-30 23:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-08-27 19:33 . 2008-10-15 21:02 -------- d-----w- c:\documents and settings\Gladimir\Application Data\InstallShield
2010-08-27 19:33 . 2008-08-15 18:10 -------- d-----w- c:\documents and settings\Gladimir\Application Data\SiteAdvisor
2010-08-19 23:27 . 2010-08-20 04:34 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-08-19 16:44 . 2010-08-20 04:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-08-17 05:30 . 2010-08-17 05:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-17 00:46 . 2010-08-17 00:46 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-03 04:28 . 2010-09-03 04:28 -------- d-----w- c:\program files\Artweaver 1.0
2010-09-03 04:18 . 2008-08-15 18:03 -------- d-----w- c:\program files\Common Files\Adobe
2010-09-03 02:48 . 2010-09-03 02:48 -------- d-----w- c:\program files\Common Files\Java
2010-09-03 02:47 . 2010-07-10 23:13 -------- d-----w- c:\program files\Java
2010-09-03 02:03 . 2010-09-03 02:03 388096 ----a-r- c:\documents and settings\Gladimir\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-09-03 02:02 . 2010-09-03 02:02 -------- d-----w- c:\program files\Trend Micro
2010-09-02 17:48 . 2010-09-02 17:48 344 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-09-01 17:42 . 2010-09-01 17:42 692224 ---ha-w- C:\SZKGFS.dat
2010-09-01 17:35 . 2010-09-01 17:35 -------- d-----w- c:\program files\Common Files\iS3
2010-09-01 05:24 . 2010-08-21 13:36 -------- d-----w- c:\program files\Microsoft Silverlight
2010-09-01 02:21 . 2008-08-15 18:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-09-01 00:52 . 2010-09-01 00:43 -------- d-----w- c:\program files\Eusing Free Registry Cleaner
2010-08-31 19:26 . 2010-08-31 19:24 5392374 ----a-w- c:\windows\REGBK00.ZIP
2010-08-31 19:10 . 2010-08-31 19:10 632064 ----a-w- c:\windows\system32\msvcr80.dll
2010-08-31 19:10 . 2010-08-31 19:10 554240 ----a-w- c:\windows\system32\msvcp80.dll
2010-08-31 19:10 . 2010-08-31 19:10 34048 ----a-w- c:\windows\system32\eEmpty.exe
2010-08-31 19:10 . 2010-08-31 19:10 -------- d-----w- c:\program files\Common Files\MicroWorld
2010-08-31 05:32 . 2010-08-31 05:26 -------- d-----w- c:\program files\Windows Live Safety Center
2010-08-30 23:25 . 2010-03-11 04:44 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-08-30 22:12 . 2010-08-30 22:12 -------- d-----w- c:\program files\Webroot
2010-08-30 04:58 . 2010-08-30 04:58 -------- d-----w- c:\program files\Alwil Software
2010-08-29 05:02 . 2010-08-29 05:02 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-08-29 02:34 . 2010-03-11 04:45 -------- d-----w- c:\program files\Norton SystemWorks
2010-08-29 01:53 . 2010-03-11 04:45 -------- d-----w- c:\program files\Symantec
2010-08-29 01:53 . 2010-03-11 04:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-08-27 19:44 . 2010-08-27 19:44 503808 ----a-w- c:\documents and settings\Gladimir\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3ba235c4-n\msvcp71.dll
2010-08-27 19:44 . 2010-08-27 19:44 499712 ----a-w- c:\documents and settings\Gladimir\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3ba235c4-n\jmc.dll
2010-08-27 19:44 . 2010-08-27 19:44 61440 ----a-w- c:\documents and settings\Gladimir\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-43c9410f-n\decora-sse.dll
2010-08-27 19:44 . 2010-08-27 19:44 348160 ----a-w- c:\documents and settings\Gladimir\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3ba235c4-n\msvcr71.dll
2010-08-27 19:44 . 2010-08-27 19:44 12800 ----a-w- c:\documents and settings\Gladimir\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-43c9410f-n\decora-d3d.dll
2010-08-27 19:38 . 2010-08-27 19:36 65720 ----a-w- c:\documents and settings\Gladimir\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-21 10:35 . 2010-08-21 10:35 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-08-21 10:23 . 2010-08-27 19:33 38784 ----a-w- c:\documents and settings\Gladimir\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-08-20 04:49 . 2010-08-19 16:44 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-08-19 22:32 . 2010-05-27 08:54 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-19 21:37 . 2010-03-10 23:13 -------- d-----w- c:\program files\Windows Media Connect 2
2010-08-19 20:07 . 2010-08-19 19:52 164 ----a-w- c:\windows\install.dat
2010-08-18 00:30 . 2010-08-18 00:30 -------- d-----w- c:\program files\Panda Security
2010-08-17 05:30 . 2010-08-17 05:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-17 00:47 . 2010-08-17 00:46 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-08-17 00:12 . 2010-08-17 00:12 90112 ----a-w- c:\windows\system32\YmsgCrypt.dll
2010-08-17 00:12 . 2010-08-17 00:12 139264 ----a-w- c:\windows\system32\DartCertificate.dll
2010-08-17 00:12 . 2010-08-17 00:12 147456 ----a-w- c:\windows\system32\DartSecure2.dll
2010-08-17 00:12 . 2010-08-17 00:11 212992 ----a-w- c:\windows\system32\DartSock.dll
2010-08-16 18:20 . 2010-08-30 22:12 3199328 -c--a-w- c:\documents and settings\All Users\Application Data\{966933BB-610A-4824-8F02-D3D944597816}\WRInstall.exe
2010-08-16 18:18 . 2010-08-30 22:10 385928 -c--a-w- c:\documents and settings\All Users\Application Data\{966933BB-610A-4824-8F02-D3D944597816}\OFFLINE\54E229FA\DE0A17F3\WRInstallProgressHelper.dll
2010-08-16 18:18 . 2010-08-30 22:10 433072 -c--a-w- c:\documents and settings\All Users\Application Data\{966933BB-610A-4824-8F02-D3D944597816}\OFFLINE\FA6F4296\DE0A17F3\WRSvcAssist.exe
2010-08-16 18:17 . 2010-08-30 22:10 1266336 -c--a-w- c:\documents and settings\All Users\Application Data\{966933BB-610A-4824-8F02-D3D944597816}\OFFLINE\B2785152\DE0A17F3\WRTray.exe
2010-08-16 18:15 . 2010-08-30 22:10 50984 -c--a-w- c:\documents and settings\All Users\Application Data\{966933BB-610A-4824-8F02-D3D944597816}\OFFLINE\C3BEFA\DE0A17F3\WRConsumerServicePS.dll
2010-08-16 18:13 . 2010-08-30 22:10 3035616 -c--a-w- c:\documents and settings\All Users\Application Data\{966933BB-610A-4824-8F02-D3D944597816}\OFFLINE\E3131F5C\DE0A17F3\WRConsumerService.exe
2010-08-16 18:07 . 2010-08-30 22:10 121856 -c--a-w- c:\documents and settings\All Users\Application Data\{966933BB-610A-4824-8F02-D3D944597816}\OFFLINE\EA369C90\DE0A17F3\xmllite.dll
2010-07-17 08:00 . 2010-07-10 23:14 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-06 21:13 . 2010-05-22 17:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-07-06 21:13 . 2010-05-22 17:19 -------- d-----w- c:\program files\Common Files\Apple
2010-06-30 12:31 . 2008-04-15 03:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-28 20:57 . 2010-08-30 04:59 38848 ----a-w- c:\windows\avastSS.scr
2010-06-28 20:57 . 2010-08-30 04:59 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-06-28 20:37 . 2010-08-30 05:00 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-06-28 20:37 . 2010-08-30 05:00 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-06-28 20:33 . 2010-08-30 05:00 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-06-28 20:32 . 2010-08-30 05:00 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-06-28 20:32 . 2010-08-30 05:00 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-06-28 20:32 . 2010-08-30 05:00 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-06-28 20:32 . 2010-08-30 05:00 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-06-24 12:22 . 2007-08-14 01:54 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2008-04-15 03:00 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2008-04-15 03:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 17:49 . 2010-08-30 22:18 24496 ----a-w- c:\windows\system32\drivers\sshrmd.sys
2010-06-17 17:49 . 2010-08-30 22:18 182056 ----a-w- c:\windows\system32\drivers\ssidrv.sys
2010-06-17 17:49 . 2010-08-30 22:18 45072 ----a-w- c:\windows\system32\drivers\ssfmonm.sys
2010-06-17 14:03 . 2008-04-15 03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2008-04-15 03:00 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2008-04-15 03:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-08-27 19:44 . 2010-08-27 19:44 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-16 16862720]
"AzMixerSel"="c:\program files\Realtek\Audio\InstallShield\AzMixerSel.exe" [2006-07-17 53248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-25 1044480]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-15 208952]
"LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2008-05-14 821768]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2008-05-22 425984]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]
"WebrootTrayApp"="c:\program files\Webroot\Security\Current\Framework\WRTray.exe" [2010-08-16 1266336]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2008-6-4 114688]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Ontrack\\PowerDesk\\PDExplo.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Ontrack\\PowerDesk\\PDWIZARD.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowRedirect"= 1 (0x1)
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [8/17/2010 9:30 PM 28552]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [8/30/2010 2:00 AM 165456]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 3:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 3:41 PM 67656]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/30/2010 2:00 AM 17744]
R2 SSFMONM;Spy Sweeper File System Filter Driver;c:\windows\system32\drivers\ssfmonm.sys [8/30/2010 7:18 PM 45072]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Security\Current\Framework\WRConsumerService.exe [8/16/2010 3:13 PM 3035616]
R3 M3000Srv;Acer Crystal Eye webcam Driver;c:\windows\system32\drivers\M3000KNT.sys [5/5/2008 1:01 PM 254976]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/16/2010 2:26 PM 135664]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2/20/2009 3:30 PM 30192]
S3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2/20/2009 3:34 PM 96856]
.
Contents of the 'Scheduled Tasks' folder
2010-08-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 18:50]
2010-09-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-16 17:26]
2010-09-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-16 17:26]
2010-09-04 c:\windows\Tasks\User_Feed_Synchronization-{479C7E99-7F92-404A-A968-D4AB250DDB21}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 12:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Gladimir\Application Data\Mozilla\Firefox\Profiles\fedsd5fu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://start.facemoods.com/results.php?f=5&a=wbst&q=
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-04 07:54
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"NoChange"="1"
"Installed"="1"
@=""
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}]
@DACL=(02 0000)
@="Internet Explorer User Accelerators"
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
"NoGPOListChanges"=dword:00000001
"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
"RequiresSuccessfulRegistry"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}]
@DACL=(02 0000)
@="Internet Explorer Machine Accelerators"
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
"NoGPOListChanges"=dword:00000001
"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
"RequiresSuccessfulRegistry"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
@DACL=(02 0000)
"DllName"="c:\\Program Files\\SUPERAntiSpyware\\SASWINLO.DLL"
"Logon"="SABWINLOLogon"
"Logoff"="SABWINLOLogoff"
"Startup"="SABWINLOStartup"
"Shutdown"="SABWINLOShutdown"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@DACL=(02 0000)
@SACL=
@=""
"DLLName"="igfxdev.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(1984)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Webroot\Security\current\plugins\antimalware\AEI.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\igfxext.exe
c:\docume~1\Gladimir\LOCALS~1\Temp\RtkBtMnt.exe
.
**************************************************************************
.
Completion time: 2010-09-04 08:07:49 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-04 11:07
ComboFix2.txt 2010-09-03 05:28
Pre-Run: 136,135,667,712 bytes free
Post-Run: 136,135,733,248 bytes free
- - End Of File - - 05C16ABB34E21D9070BFD6330EA3CC9A
Here is the RootRepeal log:
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/09/04 17:51
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================
Drivers
-------------------
Name: catchme.sys
Image Path: C:\ComboFix\catchme.sys
Address: 0xA8F7C000 Size: 31744 File Visible: No Signed: -
Status: -
Name: Combo-Fix.sys
Image Path: Combo-Fix.sys
Address: 0xF7587000 Size: 60416 File Visible: No Signed: -
Status: -
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA981E000 Size: 98304 File Visible: No Signed: -
Status: -
Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7A23000 Size: 8192 File Visible: No Signed: -
Status: -
Name: Fastfat.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fastfat.SYS
Address: 0xA7CF5000 Size: 143744 File Visible: - Signed: -
Status: Hidden from the Windows API!
Name: hiber_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\hiber_WMILIB.SYS
Address: 0xF79ED000 Size: 8192 File Visible: No Signed: -
Status: -
Name: mbr.sys
Image Path: C:\DOCUME~1\Gladimir\LOCALS~1\Temp\mbr.sys
Address: 0xF785F000 Size: 20864 File Visible: No Signed: -
Status: -
Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xF726C000 Size: 574976 File Visible: - Signed: -
Status: Hidden from the Windows API!
Name: PROCEXP113.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
Address: 0xF7A69000 Size: 7872 File Visible: No Signed: -
Status: -
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA7DE9000 Size: 49152 File Visible: No Signed: -
Status: -
Name: tcpip.sys
Image Path: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Address: 0xA9A29000 Size: 361600 File Visible: - Signed: -
Status: Hidden from the Windows API!
Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!
SSDT
-------------------
#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x86bd1eb8
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa987dcd2
#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa987db8e
#: 047 Function Name: NtCreateProcess
Status: Hooked by "<unknown>" at address 0x86bbf290
#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "<unknown>" at address 0x86bbf218
#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x86b5c240
#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa987e142
#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa987e06c
#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa987d764
#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa987dc68
#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa987d6a4
#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa987d708
#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa987dd88
#: 180 Function Name: NtQueueApcThread
Status: Hooked by "<unknown>" at address 0x86bd1f30
#: 186 Function Name: NtReadVirtualMemory
Status: Hooked by "<unknown>" at address 0x86bd1dc8
#: 192 Function Name: NtRenameKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa987e210
#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa987dd48
#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x86bd1020
#: 226 Function Name: NtSetInformationKey
Status: Hooked by "<unknown>" at address 0x86ba3200
#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x86bc4250
#: 229 Function Name: NtSetInformationThread
Status: Hooked by "<unknown>" at address 0x86b5c150
#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa987dec8
#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x86b5c2b8
#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x86bd1fa8
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x86bc42c8
#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x86b5c1c8
#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x86bd1e40
Stealth Objects
-------------------
Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE]
Process: System Address: 0x85c4ab70 Size: 1169
Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x85c4b150 Size: 2695
Object: Hidden Code [Driver: Tcpip, IRP_MJ_CLOSE]
Process: System Address: 0x85c3fce0 Size: 111
Object: Hidden Code [Driver: Tcpip, IRP_MJ_READ]
Process: System Address: 0x85df2448 Size: 1371
Object: Hidden Code [Driver: Tcpip, IRP_MJ_WRITE]
Process: System Address: 0x86883680 Size: 2433
Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x85fe54a0 Size: 2912
Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x86883ce8 Size: 793
Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_EA]
Process: System Address: 0x85c497d0 Size: 1459
Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_EA]
Process: System Address: 0x86aa18a0 Size: 1888
Object: Hidden Code [Driver: Tcpip, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x86aa1a60 Size: 1440
Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x86aa5678 Size: 306
Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x85c4c3a8 Size: 3161
Object: Hidden Code [Driver: Tcpip, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x869e4238 Size: 196
Object: Hidden Code [Driver: Tcpip, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8629b5b8 Size: 2632
Object: Hidden Code [Driver: Tcpip, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86a8ece0 Size: 800
Object: Hidden Code [Driver: Tcpip, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x85c40410 Size: 1789
Object: Hidden Code [Driver: Tcpip, IRP_MJ_SHUTDOWN]
Process: System Address: 0x85c3a188 Size: 195
Object: Hidden Code [Driver: Tcpip, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8607f418 Size: 3049
Object: Hidden Code [Driver: Tcpip, IRP_MJ_CLEANUP]
Process: System Address: 0x85c3f428 Size: 279
Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x85c478a8 Size: 382
Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x86aa03b8 Size: 3145
Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_SECURITY]
Process: System Address: 0x86aa0340 Size: 3265
Object: Hidden Code [Driver: Tcpip, IRP_MJ_POWER]
Process: System Address: 0x85c2a8c0 Size: 455
Object: Hidden Code [Driver: Tcpip, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x85c2a848 Size: 575
Object: Hidden Code [Driver: Tcpip, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x85c2a7d0 Size: 695
Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x85c2a758 Size: 815
Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_QUOTA]
Process: System Address: 0x85c2a6e0 Size: 935
Object: Hidden Code [Driver: Tcpip, IRP_MJ_PNP]
Process: System Address: 0x85c2a668 Size: 1055
Shadow SSDT
-------------------
#: 307 Function Name: NtUserAttachThreadInput
Status: Hooked by "<unknown>" at address 0x84550d58
#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "<unknown>" at address 0x86ae7530
#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "<unknown>" at address 0x86a79e28
#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "<unknown>" at address 0x84af1630
#: 460 Function Name: NtUserMessageCall
Status: Hooked by "<unknown>" at address 0x86acef10
#: 475 Function Name: NtUserPostMessage
Status: Hooked by "<unknown>" at address 0x84a89fa8
#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "<unknown>" at address 0x85bb8678
#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "<unknown>" at address 0x84a98830
#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "<unknown>" at address 0x84a2eef0
==EOF==
I disabled the real-time antivirus/antispyware engine and I also disabled the firewall as you instructed, and now the Avast engine and firewall are back on after the scans.
I did everything as you told me.
Just in case, I took a look at those registry keys that were locked and they are still locked. There is still no access to them. But other than looking at that, I haven't done anything else to the PC except what you told me.
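Reading a log like the one above by hand is error-prone, so here is an added example (my own code, not GMER's and not part of this thread) of a small parser for GMER's text layout. It pairs the two-line hook records and summarises what a responder looks at first: Shadow SSDT entries hooked by "<unknown>" (a hook address GMER could not map to any loaded module's image, i.e. code sitting in allocated memory, which is what its "Hidden Code" label means), the subset of those that touch keyboard input or message routing, and which drivers have IRP dispatch entries redirected. The sample log is constructed, and examplesp.sys is a hypothetical driver path. Caveat: antivirus and firewall products commonly hook the same Shadow SSDT entries for self-protection and hook tcpip.sys for filtering, so an unknown hook on NtUserGetAsyncKeyState is a lead to check against the installed security software, not proof of a keylogger.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample in the layout of a GMER text log (not the log posted in
# this thread): two hooked IRP dispatch entries in tcpip.sys and a Shadow SSDT
# section. "examplesp.sys" is a hypothetical driver path standing in for a
# legitimately installed security product.
SAMPLE_LOG = """\
Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE]
Process: System Address: 0x86a8ece0 Size: 800
Object: Hidden Code [Driver: Tcpip, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x85c40410 Size: 1789
Shadow SSDT
-------------------
#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "<unknown>" at address 0x86ae7530
#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "<unknown>" at address 0x86a79e28
#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\\WINDOWS\\system32\\drivers\\examplesp.sys" at address 0xb1d3e5c0
#: 460 Function Name: NtUserMessageCall
Status: Hooked by "<unknown>" at address 0x86acef10
==EOF==
"""

# A hooked IRP entry spans two lines: the Object line names the driver and the
# major function, the following Process line carries the address and size of
# the out-of-image code GMER found.
IRP_RE = re.compile(r'^Object: Hidden Code \[Driver: (?P<driver>\w+), (?P<irp>IRP_MJ_\w+)\]$')
PROC_RE = re.compile(r'^Process: (?P<process>\S+) Address: (?P<addr>0x[0-9a-fA-F]+) Size: (?P<size>\d+)$')
# A Shadow SSDT hook also spans two lines: index/name, then the hooking module.
SSDT_RE = re.compile(r'^#: (?P<index>\d+) Function Name: (?P<name>\w+)$')
STATUS_RE = re.compile(r'^Status: Hooked by "(?P<module>[^"]*)" at address (?P<addr>0x[0-9a-fA-F]+)$')

# win32k syscalls that expose keystrokes, keyboard state or message routing;
# a user-mode keylogger needs some of these, and so does the anti-keylogger
# self-protection of many security products.
INPUT_CAPTURE_SYSCALLS = {
    "NtUserAttachThreadInput", "NtUserGetAsyncKeyState", "NtUserGetKeyboardState",
    "NtUserGetKeyState", "NtUserSetWindowsHookEx", "NtUserSetWinEventHook",
}


def parse_gmer(text: str) -> Dict[str, List[dict]]:
    """Extract IRP dispatch hooks and Shadow SSDT hooks from GMER log text."""
    irp_hooks: List[dict] = []
    ssdt_hooks: List[dict] = []
    pending = None  # (kind, first-line fields) while waiting for the second line
    for raw in text.splitlines():
        line = raw.strip()
        m = IRP_RE.match(line)
        if m:
            pending = ("irp", m.groupdict())
            continue
        m = SSDT_RE.match(line)
        if m:
            pending = ("ssdt", m.groupdict())
            continue
        if pending is None:
            continue
        kind, first = pending
        pending = None
        m = PROC_RE.match(line) if kind == "irp" else STATUS_RE.match(line)
        if not m:
            continue  # orphaned first line; skip rather than mis-pair records
        entry = dict(first)
        entry.update(m.groupdict())
        if kind == "irp":
            entry["size"] = int(entry["size"])
            irp_hooks.append(entry)
        else:
            entry["index"] = int(entry["index"])
            ssdt_hooks.append(entry)
    return {"irp_hooks": irp_hooks, "ssdt_hooks": ssdt_hooks}


def triage(parsed: Dict[str, List[dict]]) -> dict:
    """Summarise what to look at first; this lists leads, it does not convict."""
    unknown = [h["name"] for h in parsed["ssdt_hooks"] if h["module"] == "<unknown>"]
    known_modules = {h["module"] for h in parsed["ssdt_hooks"] if h["module"] != "<unknown>"}
    return {
        # hooks GMER could not attribute to any loaded module's image, i.e.
        # code in allocated pool memory ("Hidden Code")
        "unknown_ssdt": unknown,
        # the subset of those that touches keyboard input or message routing
        "input_capture": sorted(n for n in unknown if n in INPUT_CAPTURE_SYSCALLS),
        # which drivers have IRP dispatch entries redirected, and how many
        "irp_by_driver": dict(Counter(h["driver"] for h in parsed["irp_hooks"])),
        # modules that did identify themselves; compare against the installed
        # AV/firewall before treating the unknown hooks as hostile
        "known_modules": known_modules,
    }


if __name__ == "__main__":
    report = triage(parse_gmer(SAMPLE_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against a saved GMER log by passing the file's contents to parse_gmer; a large irp_by_driver count for Tcpip alongside unknown hooks on the input-capture syscalls is the pattern worth raising with whoever is handling the case, after confirming the known_modules set matches the security software actually installed.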
SuperDave:
I'd like to scan your machine with ESET OnlineScan
•Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
•Click the button.
•For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  * Click on to download the ESET Smart Installer. Save it to your desktop.
  * Double click on the icon on your desktop.
•Check
•Click the button.
•Accept any security warnings from your browser.
•Check
•Push the Start button.
•ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
•When the scan completes, push
•Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
•Push the button.
•Push
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt
PixelOz:
I ran it, and in the two screens that I was shown at the end I couldn't find any link or button to export a report. Anyway, it came out at zero.
I had already run it before this thread and it showed 0 results; now I scanned the PC with it again and it gave me the same result, 0, not even a bad cookie.
SuperDave:
If there are no other issues, we can do some clean-up.
* Click START then RUN - Vista users press the Windows Key and the R keys for the Run box.
* Now type Combofix /Uninstall in the Run box
* Make sure there's a space between Combofix and /Uninstall
* Then hit Enter
* The above procedure will:
  * Delete ComboFix and its associated files and folders.
  * Reset the clock settings.
  * Hide file extensions, if required.
  * Hide System/Hidden files, if required.
  * Set a new, clean Restore Point.
***********************************
Clean out your temporary internet files and temp files.
Download TFC by OldTimer to your desktop.
Double-click TFC.exe to run it.
Note: If you are running on Vista, right-click on the file and choose Run As Administrator
TFC will close all programs when run, so make sure you have saved all your work before you begin.
* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Please let TFC run uninterrupted until it is finished.
Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.
*******************************************
Download OTC by OldTimer and save it to your desktop.
1. Double-click OTC to run it.
2. Click the CleanUp! button.
3. Select Yes when the "Begin cleanup Process?" prompt appears.
4. If you are prompted to Reboot during the cleanup, select Yes
5. OTC should delete itself once it finishes, if not delete it yourself.
******************************************************
Looking over your log, it seems there is no evidence of a third-party firewall.
Firewalls protect against hackers and malicious intruders. You need to download a free firewall from one of these reliable vendors.
Remember: only install ONE firewall.
1) Comodo Personal Firewall (if you choose this one, uncheck "Install Comodo SafeSurf..", "Make Comodo my default search provider" and "Make Comodo Search my homepage" during installation, and uncheck any HopSurf and/or Ask.com options)
2) Online Armor
3) Agnitum Outpost
4) PC Tools Firewall Plus
If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.
****************************************
Use the Secunia Software Inspector to check for out of date software.
•Click Start Now
•Check the box next to Enable thorough system inspection.
•Click Start
•Allow the scan to finish and scroll down to see if any updates are needed.
•Update anything listed.
----------
Go to Microsoft Windows Update and get all critical updates.
----------
I suggest using WOT - Web of Trust. WOT is a free Internet security add-on for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.
SpywareBlaster - Secures your Internet Explorer to make it harder for ActiveX programs to run on your computer. It also stops certain cookies from being added to your computer when running Mozilla-based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here
Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ
Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.
Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
Safe Surfing!