Computer Hope

Software => Computer viruses and spyware => Virus and spyware removal => Topic started by: GaLee on April 23, 2010, 07:41:06 AM

Title: Virus Keep Opening Websites...
Post by: GaLee on April 23, 2010, 07:41:06 AM
Hey fellas,

A little bit of help would be very much appreciated

I've got some sort of virus which wants to open some sort of website
However, it gets blocked by Malwarebytes

So, every few minutes, there will be this popup
(http://i257.photobucket.com/albums/hh201/galee89/untitled-7.jpg)

I've tried scanning with both BitDefender and MBAM
And the virus keeps on doing this

Here's the result from HijackThis
Code:
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2010\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Nitro PDF\NitroPDFDriverService.exe
C:\WINDOWS\system32\NLSSRV32.EXE
C:\Program Files\Raxco Perfect Disk 2008\PD91Agent.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\BitDefender\BitDefender 2010\bdagent.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\BitDefender\BitDefender 2010\seccenter.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Downloads\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {7b13ec3e-999a-4b70-b9cb-2617b8323822} - (no file)
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: (no name) - {7b13ec3e-999a-4b70-b9cb-2617b8323822} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {7b13ec3e-999a-4b70-b9cb-2617b8323822} - (no file)
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2010\IEToolbar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2010\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2010\bdagent.exe"
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\arrakis3.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender S.R.L. - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NitroPDFDriverCreatorReadSpool (NitroDriverReadSpool) - Nitro PDF Software - C:\Program Files\Nitro PDF\NitroPDFDriverService.exe
O23 - Service: NLS Service (nlsX86cc) - Nalpeiron Ltd. - C:\WINDOWS\system32\NLSSRV32.EXE
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco Perfect Disk 2008\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco Perfect Disk 2008\PD91Engine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2010\vsserv.exe

--
End of file - 8137 bytes

Please advise what I'm supposed to do....
Title: Re: Virus Keep Opening Websites...
Post by: Dr Jay on April 23, 2010, 02:23:58 PM
Please visit this webpage for a tutorial on downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

See the area: Using ComboFix, and when done, post the log back here.
Title: Re: Virus Keep Opening Websites...
Post by: GaLee on April 23, 2010, 07:19:44 PM
I have used the ComboFix

And here's the result...
Code:
ComboFix 10-04-21.01 - G 24/04/2010  11:10:29.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1015.314 [GMT 10:00]
Running from: d:\downloads\ComboFix.exe
AV: BitDefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: BitDefender Firewall *enabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Galih\Application Data\chrtmp
c:\windows\Fjamea.exe
c:\windows\Fjameb.exe
c:\windows\system32\OGACheckControl.dll

.
(((((((((((((((((((((((((   Files Created from 2010-03-24 to 2010-04-24  )))))))))))))))))))))))))))))))
.

2010-04-23 12:33 . 2010-04-23 12:33 -------- d-----w- c:\program files\MSXML 4.0
2010-04-23 08:30 . 2010-04-23 08:30 4 ----a-w- c:\windows\system32\aspdict-en.dat
2010-04-23 08:30 . 2010-04-23 08:30 16 ----a-w- c:\windows\system32\asdict.dat
2010-04-23 08:21 . 2010-04-23 08:21 -------- d-----w- c:\documents and settings\Galih\Application Data\BitDefender
2010-04-23 08:20 . 2010-04-23 08:20 -------- d-----w- C:\Binaries
2010-04-23 08:19 . 2010-04-23 08:25 -------- d-----w- c:\documents and settings\All Users\Application Data\BitDefender
2010-04-23 08:19 . 2010-04-23 08:20 -------- d-----w- c:\program files\BitDefender
2010-04-23 08:16 . 2010-04-23 08:20 -------- d-----w- c:\program files\Common Files\BitDefender
2010-04-23 05:35 . 2010-04-23 05:35 70656 --sha-r- c:\windows\system32\ialmuHUNT.dll
2010-04-23 05:32 . 2010-04-23 05:32 -------- d-----w- c:\program files\Common Files\Nitro PDF
2010-04-23 05:32 . 2010-04-23 05:32 104960 --sh--r- c:\documents and settings\Galih\Application Data\wayh.exe
2010-04-23 05:26 . 2010-04-23 05:26 -------- d-----w- c:\documents and settings\Galih\Application Data\Nitro PDF
2010-04-23 05:11 . 2009-12-15 23:50 17728 ----a-w- c:\windows\system32\nitrolocalui.dll
2010-04-23 05:11 . 2009-12-15 23:50 26432 ----a-w- c:\windows\system32\nitrolocalmon.dll
2010-04-23 05:11 . 2010-04-23 05:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Nitro PDF
2010-04-23 05:11 . 2010-04-23 05:32 -------- d-----w- c:\program files\Nitro PDF
2010-04-23 05:10 . 2010-04-23 05:10 -------- d-----w- c:\documents and settings\Galih\Application Data\Downloaded Installations
2010-04-17 12:11 . 2010-04-17 12:11 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-13 02:21 . 2010-04-13 02:21 -------- d-----w- c:\program files\Disable Spyware
2010-04-12 15:06 . 2010-04-23 13:45 -------- d-----w- c:\program files\Farm Mania 2
2010-04-12 15:05 . 2010-04-12 15:05 -------- d-----w- c:\program files\ReflexiveArcade
2010-04-11 10:45 . 2010-04-11 10:45 131 ----a-w- C:\DeletePrintJobs.cmd
2010-04-10 06:22 . 2010-04-10 06:22 -------- d-----w- c:\windows\system32\Futuremark
2010-04-10 06:22 . 2008-09-17 05:14 27672 ----a-r- c:\windows\system32\drivers\Entech.sys
2010-04-10 06:22 . 2010-04-10 06:22 -------- d-----w- c:\program files\Common Files\Futuremark Shared
2010-04-06 11:43 . 2010-04-06 11:43 -------- d-----w- c:\documents and settings\Galih\Local Settings\Application Data\Cranium_Consulting_and_Cu
2010-03-31 13:02 . 2010-03-31 13:02 -------- d-----w- c:\program files\iPod
2010-03-31 13:02 . 2010-04-06 11:45 -------- d-----w- c:\program files\iTunes
2010-03-31 13:02 . 2010-03-31 13:03 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-03-31 12:58 . 2010-03-31 12:59 -------- d-----w- c:\program files\QuickTime
2010-03-31 12:54 . 2010-03-31 12:54 -------- d-----w- c:\program files\Bonjour
2010-03-31 12:51 . 2010-03-31 12:51 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-03-31 09:20 . 2010-03-31 09:20 -------- d-----w- c:\program files\Common Files\Java
2010-03-31 09:20 . 2010-03-31 09:20 503808 ----a-w- c:\documents and settings\Galih\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-513900ed-n\msvcp71.dll
2010-03-31 09:20 . 2010-03-31 09:20 499712 ----a-w- c:\documents and settings\Galih\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-513900ed-n\jmc.dll
2010-03-31 09:20 . 2010-03-31 09:20 348160 ----a-w- c:\documents and settings\Galih\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-513900ed-n\msvcr71.dll
2010-03-31 09:20 . 2010-03-31 09:20 12800 ----a-w- c:\documents and settings\Galih\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-7801014c-n\decora-d3d.dll
2010-03-31 09:20 . 2010-03-31 09:20 61440 ----a-w- c:\documents and settings\Galih\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-7801014c-n\decora-sse.dll
2010-03-26 10:30 . 2010-03-26 10:30 -------- d-----w- c:\program files\Your Uninstaller 2010
2010-03-26 10:19 . 2010-03-26 10:23 -------- d-----w- c:\program files\VS Revo Group
2010-03-26 10:08 . 2010-03-26 10:09 -------- d-----w- c:\program files\CCleaner

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-24 00:54 . 2009-02-15 01:41 -------- d-----w- c:\documents and settings\Galih\Application Data\DMCache
2010-04-23 08:42 . 2009-02-15 01:39 -------- d-----w- c:\program files\Internet Download Manager
2010-04-23 08:24 . 2009-02-15 01:40 -------- d-----w- c:\program files\Avast
2010-04-23 05:27 . 2009-03-18 11:31 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-22 12:51 . 2009-02-15 01:53 -------- d-----w- c:\documents and settings\Galih\Application Data\mIRC
2010-04-22 12:45 . 2009-02-15 01:53 -------- d-----w- c:\program files\mIRC
2010-04-18 02:29 . 2010-03-19 10:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-14 01:56 . 2009-02-15 01:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-10 06:22 . 2009-02-15 00:34 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-06 11:50 . 2010-03-16 13:27 -------- d-----w- c:\program files\iPhone Folders
2010-03-31 13:02 . 2009-02-16 08:27 -------- d-----w- c:\program files\Common Files\Apple
2010-03-31 09:18 . 2009-02-16 06:42 -------- d-----w- c:\program files\Java
2010-03-29 14:46 . 2010-03-19 10:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 14:45 . 2010-03-19 10:18 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-26 10:34 . 2009-08-11 11:56 -------- d-----w- c:\program files\Westward III Gold Rush
2010-03-26 10:34 . 2009-08-07 13:08 -------- d-----w- c:\program files\Ranch Rush
2010-03-26 10:30 . 2009-04-30 04:27 -------- d-----w- c:\documents and settings\Galih\Application Data\URSoft
2010-03-25 10:01 . 2009-04-08 11:32 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-23 13:58 . 2010-03-23 13:58 -------- d-----w- c:\documents and settings\Galih\Application Data\Leawo
2010-03-23 13:46 . 2010-03-23 13:45 9 ----a-w- c:\windows\system32\iPhone Video Converter0902.dat
2010-03-23 13:39 . 2010-03-23 13:39 -------- d-----w- c:\documents and settings\Galih\Application Data\ImTOO Software Studio
2010-03-23 13:19 . 2010-03-23 13:19 -------- d-----w- c:\documents and settings\Galih\Application Data\AnvSoft
2010-03-19 10:18 . 2010-03-19 10:18 -------- d-----w- c:\documents and settings\Galih\Application Data\Malwarebytes
2010-03-19 10:18 . 2010-03-19 10:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-19 09:36 . 2009-02-16 07:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-10 06:15 . 2005-01-07 00:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-08 17:28 . 2009-02-16 06:42 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-08 10:49 . 2010-03-08 10:49 -------- d-----w- c:\program files\Unlocker
2010-03-05 00:59 . 2009-02-15 01:41 -------- d-----w- c:\documents and settings\Galih\Application Data\IDM
2010-03-05 00:59 . 2009-04-21 10:28 198064 ----a-w- c:\documents and settings\Galih\Application Data\IDM\idmmzcc3\components\idmmzcc.dll
2010-03-05 00:43 . 2009-04-21 10:26 3153784 ----a-w- c:\documents and settings\Galih\Application Data\IDM\idmupdt.exe
2010-02-28 10:45 . 2010-02-28 10:45 -------- d-----w- c:\program files\Audacity
2010-02-25 06:24 . 2005-01-07 00:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2005-01-07 00:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-22 04:58 . 2010-02-22 04:58 291352 ----a-w- c:\windows\system32\drivers\bdfsfltr.sys
2010-02-16 14:08 . 2005-01-07 00:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2005-01-07 00:00 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2005-01-07 00:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-12 00:46 . 2010-02-12 00:46 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 00:46 . 2010-02-12 00:46 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-02-11 12:02 . 2005-01-07 00:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-02-03 03:57 . 2010-02-03 03:57 153448 ----a-w- c:\windows\system32\drivers\bdfm.sys
2010-02-03 03:56 . 2010-02-03 03:56 106464 ----a-w- c:\windows\system32\drivers\bdhv.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2010-03-05 3179952]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2005-01-07 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2005-01-07 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2005-01-07 455168]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-05 16380416]
"SkyTel"="SkyTel.EXE" [2007-06-15 1826816]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2009-10-26 15872]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-25 142120]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-03-29 437584]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2010\IEShow.exe" [2009-10-19 71152]
"BDAgent"="c:\program files\BitDefender\BitDefender 2010\bdagent.exe" [2010-03-18 1123360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ    PDBoot.exe\0autocheck autochk *
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"d:\\RO\\FeelRO.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 BDVEDISK;BDVEDISK;c:\program files\BitDefender\BitDefender 2010\bdvedisk.sys [22/09/2009 9:22 AM 83208]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [19/03/2010 8:18 PM 303952]
R2 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;c:\program files\Nitro PDF\NitroPDFDriverService.exe [16/12/2009 10:09 AM 188736]
R2 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [16/12/2009 10:11 AM 65856]
R2 PD91Agent;PD91Agent;c:\program files\Raxco Perfect Disk 2008\PD91Agent.exe [31/12/2008 12:12 PM 693512]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [3/02/2010 1:57 PM 153448]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [4/01/2010 7:41 PM 110984]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [19/03/2010 8:18 PM 20824]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\arrakis3.exe [19/10/2009 5:06 PM 183880]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [24/05/2009 1:31 PM 16512]
S3 cpuz130;cpuz130;\??\c:\docume~1\Galih\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\Galih\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
S3 PD91Engine;PD91Engine;c:\program files\Raxco Perfect Disk 2008\PD91Engine.exe [31/12/2008 12:12 PM 910600]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ    scan
.
Contents of the 'Scheduled Tasks' folder

2010-04-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 01:34]

2010-04-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1202660629-1637723038-725345543-1003Core.job
- c:\documents and settings\Galih\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-11 13:11]

2010-04-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1202660629-1637723038-725345543-1003UA.job
- c:\documents and settings\Galih\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-11 13:11]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
FF - ProfilePath - c:\documents and settings\Galih\Application Data\Mozilla\Firefox\Profiles\u7b16pg3.default\
FF - component: c:\documents and settings\Galih\Application Data\IDM\idmmzcc3\components\idmmzcc.dll
FF - plugin: c:\documents and settings\Galih\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency",   1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug",            false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight",       2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize",       1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight",   25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight",     5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{7B13EC3E-999A-4B70-B9CB-2617B8323822} - (no file)
MSConfigStartUp-CTFMON - (no file)



**************************************************************************
scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\SetID\Internal]
@Denied: (A 2) (LocalSystem)
"DATA"="<settings expireTime=\"0\" productStatus=\"1\" obSize=\"0\" InstallTS=\"2145870353\" isSubsc=\"0\" version=\"12.0.1\" timeDiff=\"1\" oldDevice=\"\" authStatus_ts=\"0\" />"
"Device"="yM29zbvPzMnLvrm+x8fPzce+zro="

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):63,72,23,a9,60,25,5b,06,89,9a,36,83,0c,5e,02,d7,79,17,31,5c,0a,
   ac,fd,e8,ce,76,90,19,07,42,c6,43,89,dc,b0,3c,0b,1e,5b,54,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{f3b10485-11ca-4f60-b05d-8e59c673246a}]
@Denied: (Full) (Everyone)
"Model"=dword:000000ab
"Therad"=dword:0000001f
"MData"=hex(0):73,d5,cf,b8,a4,07,89,80,31,e4,35,6b,2a,ca,fe,43,b6,1f,81,1f,5a,
   1b,4d,36,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\
.
Completion time: 2010-04-24  11:16:53
ComboFix-quarantined-files.txt  2010-04-24 01:16

Pre-Run: 36,559,245,312 bytes free
Post-Run: 36,781,961,216 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 07DD5740208AFCFC955E12270F2BCF43
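The two logs posted in this thread are read by hand by the helpers, but the first triage pass is mechanical: find CLSIDs that HijackThis reports with "(no file)" in more than one section (the same GUID appears above as an R3 URLSearchHook, an O2 BHO and an O3 Toolbar), and find freshly created files in the ComboFix "Files Created" section that carry both the system and hidden attributes. The following parser is an added example and is not code from the thread, from HijackThis or from ComboFix. The sample lines are copied from the logs above; the meaning of the letters in ComboFix's attribute column (d = directory, s = system, h = hidden, a = archive, r/w = read-only/writable) is an assumption inferred from the log, not documented behaviour.

```python
import re
from collections import Counter

# Constructed sample input: a few lines copied from the HijackThis log
# posted in this thread, used here as offline test data.
HJT_SAMPLE = """\
R3 - URLSearchHook: (no name) - {7b13ec3e-999a-4b70-b9cb-2617b8323822} - (no file)
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\\Program Files\\Internet Download Manager\\IDMIECC.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: (no name) - {7b13ec3e-999a-4b70-b9cb-2617b8323822} - (no file)
O3 - Toolbar: (no name) - {7b13ec3e-999a-4b70-b9cb-2617b8323822} - (no file)
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\\Program Files\\BitDefender\\BitDefender 2010\\IEToolbar.dll
"""

# Constructed sample input: a few "Files Created" lines from the ComboFix log.
COMBOFIX_SAMPLE = """\
2010-04-23 08:21 . 2010-04-23 08:21 -------- d-----w- c:\\documents and settings\\Galih\\Application Data\\BitDefender
2010-04-23 05:35 . 2010-04-23 05:35 70656 --sha-r- c:\\windows\\system32\\ialmuHUNT.dll
2010-04-23 05:32 . 2010-04-23 05:32 104960 --sh--r- c:\\documents and settings\\Galih\\Application Data\\wayh.exe
2010-04-23 05:11 . 2009-12-15 23:50 17728 ----a-w- c:\\windows\\system32\\nitrolocalui.dll
2010-04-10 06:22 . 2008-09-17 05:14 27672 ----a-r- c:\\windows\\system32\\drivers\\Entech.sys
"""

# HijackThis R*/O* lines: "<section> - <kind>: <name> - {CLSID} - <path or (no file)>"
HJT_CLSID_RE = re.compile(
    r"^(?P<section>[RO]\d+) - .*?(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.+)$"
)


def orphaned_clsids(log_text):
    """Count, per CLSID, the HijackThis entries whose target is '(no file)'.

    A CLSID referenced from several sections (URLSearchHook, BHO, Toolbar)
    with no backing file is registry residue of a removed component; the
    count tells the analyst how many places still point at it.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = HJT_CLSID_RE.match(line.strip())
        if m and m.group("target").strip() == "(no file)":
            counts[m.group("clsid").lower()] += 1
    return dict(counts)


# ComboFix file lines: "<created> . <modified> <size or --------> <attrs> <path>"
COMBOFIX_FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)


def hidden_system_files(log_text):
    """Return (path, size) for regular files whose ComboFix attribute column
    contains both 's' (system) and 'h' (hidden).

    Assumption: the eight-character column uses 'd' for directory and the
    letters s/h/a/r/w for the usual file attributes, as the log suggests.
    Hidden+system is unusual for a freshly created file under a user profile
    or system32, so these are the first entries worth checking by hash.
    """
    found = []
    for line in log_text.splitlines():
        m = COMBOFIX_FILE_RE.match(line.strip())
        if not m:
            continue
        attrs = m.group("attrs")
        is_dir = attrs[0] == "d"
        if not is_dir and "s" in attrs and "h" in attrs:
            size = m.group("size")
            found.append((m.group("path"), int(size) if size.isdigit() else None))
    return found


if __name__ == "__main__":
    for clsid, n in orphaned_clsids(HJT_SAMPLE).items():
        print(f"orphaned CLSID {clsid} referenced {n} time(s) with no file")
    for path, size in hidden_system_files(COMBOFIX_SAMPLE):
        print(f"hidden+system file: {path} ({size} bytes)")
```

Run against the sample it reports the one CLSID that is referenced three times with no file and the two hidden+system files created within minutes of each other on the same day, which is exactly what a helper scans the log for before deciding what to quarantine.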
Title: Re: Virus Keep Opening Websites...
Post by: Dr Jay on April 23, 2010, 10:19:32 PM
GMER

Note about this tool:
Please download the GMER Rootkit Scanner (http://www.gmer.net/gmer.zip). Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Once the scan is complete, you may receive another notice about rootkit activity.
Post the contents of GMER.txt in your next reply.

==============================

(http://img233.imageshack.us/img233/7729/mbamicontw5.gif) Please download Malwarebytes Anti-Malware from Malwarebytes.org (http://www.malwarebytes.org/mbam/program/mbam-setup.exe).
Alternate link: BleepingComputer.com (http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe).
(Note: if you already have the program installed, just follow the directions. No need to re-download or re-install!)

Double Click mbam-setup.exe to install the application.

(Note: if you already have the program installed, open Malwarebytes from the Start Menu or Desktop shortcut, click the Update tab, and click Check for Updates, before doing the scan as instructed below!)
Title: Re: Virus Keep Opening Websites...
Post by: GaLee on April 23, 2010, 10:56:09 PM
As I have said, I have updated and done a full scan with MBAM
There were some malwares detected but the problem still persists...

I'll try the other one soon...
Title: Re: Virus Keep Opening Websites...
Post by: Dr Jay on April 23, 2010, 11:06:04 PM
Ok. Post the GMER log when you can.
Title: Re: Virus Keep Opening Websites...
Post by: GaLee on April 24, 2010, 01:09:20 AM
I have just restarted my computer
and I'm not really sure why but the problem has been fixed

My guess would be from the ComboFix...


Thanks a lot fellas
If the problem comes up again in the future, I'll be sure to let you guys know...
Title: Re: Virus Keep Opening Websites...
Post by: Dr Jay on April 24, 2010, 07:15:45 AM
Umm...ok

Please uninstall ComboFix

(http://i582.photobucket.com/albums/ss269/Cat_Byte/Combofix_uninstall_image.jpg)

(Note: Make sure there's a space between the word ComboFix and the forward-slash.)

Remember: do not use this tool without expert supervision. It can cause unpredictable damage, if used incorrectly.