Author Topic: Virus/Malware Infection Part 1  (Read 11964 times)

mopar

Virus/Malware Infection Part 1
« on: April 30, 2012, 12:32:29 AM »
I recently updated my AV from Avira Personal to Avira Free Edition. It found a few trojans that Spybot S&D missed. It was suggested on the Chat that I run the steps suggested in !virus2. It appears that SuperAnti and MBAM found a few more things that Avira and Spybot S&D missed. I may well switch to SuperAnti and MBAM.
This is my primary laptop, used both for personal and general business use (I'm self-employed, computer repair).
Due to certain legal issues, I have RemoteCOM monitoring software also installed on this computer.
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/29/2012 at 08:21 PM

Application Version : 5.0.1134

Core Rules Database Version : 7848
Trace Rules Database Version: 5660

Scan type       : Complete Scan
Total Scan Time : 00:51:59

Operating System Information
Windows XP Home Edition 32-bit, Service Pack 3 (Build 5.01.2600)
Administrator

Memory items scanned      : 498
Memory threats detected   : 0
Registry items scanned    : 34623
Registry threats detected : 4
File items scanned        : 100097
File threats detected     : 1

Disabled.SecurityCenterOption
   HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER#ANTIVIRUSDISABLENOTIFY
   HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER#FIREWALLDISABLENOTIFY
   HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER#UPDATESDISABLENOTIFY

Adware.Tracking Cookie
   C:\DOCUMENTS AND SETTINGS\CHRIS FARR\Cookies\UFG6FWU0.txt [ Cookie:chris [email protected]/accounts/ ]

Adware.MyWebSearch
   HKU\S-1-5-21-2025429265-842925246-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44CF-8957-5838F569A31D}

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.04.30.02

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Chris Farr :: FARR-C [administrator]

4/29/2012 11:56:23 PM
mbam-log-2012-04-29 (23-56-23).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 243502
Time elapsed: 8 minute(s), 31 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Documents and Settings\Chris Farr\My Documents\Downloads\7zip.exe (PUP.Adware.Installer) -> Quarantined and deleted successfully.

(end)

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 1.6.0_31
Run by Chris Farr at 1:27:07 on 2012-04-30
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.447.204 [GMT -4:00]
.
AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\System32\svchost.exe -k eapsvcs
svchost.exe
C:\WINDOWS\System32\svchost.exe -k dot3svc
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe
C:\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: WinToFlash Suggestor: {fc36b0bd-27f0-4cdd-8ab1-50651efc3efd} - c:\program files\wintoflash suggestor\WinToFlashSuggestor.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\chrisf~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {A52C66B3-D4A9-4d10-A67D-2BEF0A85AB3F} - {FC36B0BD-27F0-4cdd-8AB1-50651EFC3EFD} - c:\program files\wintoflash suggestor\WinToFlashSuggestor.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1   www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\chris farr\application data\mozilla\firefox\profiles\rmuxnpyx.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\documents and settings\chris farr\application data\mozilla\firefox\profiles\rmuxnpyx.default\extensions\{c57d6078-75b4-11e0-9b04-07284924019b}\plugins\npdriverzone.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
FF - Ext: Ghostery: [email protected] - %profile%\extensions\[email protected]
FF - Ext: DriverZonePlugin for Firefox and Opera: {C57D6078-75B4-11E0-9B04-07284924019B} - %profile%\extensions\{C57D6078-75B4-11E0-9B04-07284924019B}
FF - Ext: Adblock Plus Pop-up Addon: [email protected] - %profile%\extensions\[email protected]
FF - Ext: BrowserProtect: [email protected] - %profile%\extensions\[email protected]
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Redirect Remover: {fe0258ab-4f74-43a1-8781-bcdf340f9ee9} - %profile%\extensions\{fe0258ab-4f74-43a1-8781-bcdf340f9ee9}
FF - Ext: WinToFlash Suggestor: {285ACFBB-8E53-4feb-90E6-F02A128927F3} - %profile%\extensions\{285ACFBB-8E53-4feb-90E6-F02A128927F3}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: [email protected] - c:\program files\java\jre6\lib\deploy\jqs\ff
.
============= SERVICES / DRIVERS ===============
.
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [2011-11-1 14776]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2012-4-23 36000]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2012-4-23 86224]
R2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2012-4-23 110032]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2012-4-22 74640]
R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [2012-1-25 21992]
R3 ALiIRDA;ALi Infrared Device Driver;c:\windows\system32\drivers\alifir.sys [2011-11-1 26624]
R3 CALIAUD;Conexant AMC 3D Environmental Audio;c:\windows\system32\drivers\caliaud.sys [2011-11-10 292352]
R3 CALIHALA;CALIHALA;c:\windows\system32\drivers\calihal.sys [2011-11-10 273536]
S2 svcboot_kdiclgjee;svcboot_kdiclgjee;c:\windows\system32\svchost.exe -k svcboot_kdiclgjee [2008-4-14 14336]
S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [2012-2-6 23456]
S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\microsoft fix it center\Matsvc.exe [2011-6-13 267568]
.
=============== Created Last 30 ================
.
2012-04-30 03:36:10   --------   d-----w-   c:\documents and settings\chris farr\application data\Malwarebytes
2012-04-30 03:32:11   --------   d-----w-   c:\documents and settings\all users.windows\application data\Malwarebytes
2012-04-30 03:32:07   22344   ----a-w-   c:\windows\system32\drivers\mbam.sys
2012-04-30 03:32:07   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2012-04-29 22:13:18   --------   d-----w-   c:\documents and settings\chris farr\application data\SUPERAntiSpyware.com
2012-04-29 22:12:03   --------   d-----w-   c:\program files\SUPERAntiSpyware
2012-04-29 22:12:03   --------   d-----w-   c:\documents and settings\all users.windows\application data\SUPERAntiSpyware.com
2012-04-24 09:03:53   5504   ----a-w-   c:\windows\system32\drivers\StarOpen.sys
2012-04-24 06:52:12   --------   d-----w-   c:\program files\WinToFlash Suggestor
2012-04-24 00:20:34   --------   d-----w-   c:\documents and settings\chris farr\application data\Avira
2012-04-24 00:10:52   36000   ----a-w-   c:\windows\system32\drivers\avkmgr.sys
2012-04-24 00:10:43   --------   d-----w-   c:\documents and settings\all users.windows\application data\Avira
2012-04-22 10:37:09   74640   ----a-w-   c:\windows\system32\drivers\avgntflt.sys
2012-04-22 10:37:05   --------   d-----w-   c:\program files\Avira
2012-04-04 05:53:56   182160   ----a-w-   c:\program files\mozilla firefox\plugins\nppdf32.dll
2012-04-04 05:53:56   182160   ----a-w-   c:\program files\internet explorer\plugins\nppdf32.dll
.
==================== Find3M  ====================
.
2012-04-30 04:20:27   73728   ----a-w-   c:\windows\system32\javacpl.cpl
2012-04-30 04:20:26   472808   ----a-w-   c:\windows\system32\deployJava1.dll
2012-03-01 11:01:32   916992   ----a-w-   c:\windows\system32\wininet.dll
2012-03-01 11:01:32   43520   ----a-w-   c:\windows\system32\licmgr10.dll
2012-03-01 11:01:32   1469440   ----a-w-   c:\windows\system32\inetcpl.cpl
2012-02-29 14:10:16   177664   ----a-w-   c:\windows\system32\wintrust.dll
2012-02-29 14:10:16   148480   ----a-w-   c:\windows\system32\imagehlp.dll
2012-02-29 12:17:40   385024   ----a-w-   c:\windows\system32\html.iec
2012-02-23 14:18:36   237072   ------w-   c:\windows\system32\MpSigStub.exe
2012-02-06 06:16:09   23456   ----a-w-   c:\windows\system32\drivers\DrvAgent32.sys
2012-02-03 09:22:18   1860096   ----a-w-   c:\windows\system32\win32k.sys
.
============= FINISH:  1:27:44.19 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 11/1/2011 11:06:45 PM
System Uptime: 4/30/2012 12:08:14 AM (1 hours ago)
.
Motherboard: Hewlett-Packard         |  | 0850                   
Processor:               Intel(R) Pentium(R) 4 CPU 2.40GHz | WMT478/NWD | 2392/mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 37 GiB total, 27.172 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Broadcom 802.11b/g WLAN
Device ID: PCI\VEN_14E4&DEV_4320&SUBSYS_00E70E11&REV_02\3&61AAA01&0&48
Manufacturer: Broadcom
Name: Broadcom 802.11b/g WLAN
PNP Device ID: PCI\VEN_14E4&DEV_4320&SUBSYS_00E70E11&REV_02\3&61AAA01&0&48
Service: BCM43XX
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\A085480ABCD71
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\A085480ABCD71
Service: NIC1394
.
Class GUID: {4D36E978-E325-11CE-BFC1-08002BE10318}
Description: Communications Port
Device ID: ROOT\*PNP0501\1_0_17_0_0_0
Manufacturer: (Standard port types)
Name: Communications Port (COM1)
PNP Device ID: ROOT\*PNP0501\1_0_17_0_0_0
Service: Serial
.
==== System Restore Points ===================
.
RP103: 2/22/2012 3:59:45 AM - Software Distribution Service 3.0
RP104: 2/25/2012 11:32:57 PM - Software Distribution Service 3.0
RP105: 2/29/2012 1:29:42 AM - Software Distribution Service 3.0
RP106: 3/4/2012 12:32:18 AM - Software Distribution Service 3.0
RP107: 3/5/2012 1:20:54 AM - Software Distribution Service 3.0
RP108: 3/6/2012 1:41:55 AM - System Checkpoint
RP109: 3/14/2012 1:35:52 AM - Software Distribution Service 3.0
RP110: 3/14/2012 3:00:25 AM - Software Distribution Service 3.0
RP111: 3/15/2012 2:04:32 AM - Software Distribution Service 3.0
RP112: 3/17/2012 12:22:47 AM - Software Distribution Service 3.0
RP113: 3/23/2012 6:00:58 PM - Software Distribution Service 3.0
RP114: 3/26/2012 12:49:26 AM - Software Distribution Service 3.0
RP115: 3/27/2012 2:29:18 AM - Software Distribution Service 3.0
RP116: 3/30/2012 11:02:30 PM - Software Distribution Service 3.0
RP117: 4/3/2012 12:03:08 AM - Software Distribution Service 3.0
RP118: 4/9/2012 1:14:01 AM - Software Distribution Service 3.0
RP119: 4/18/2012 6:07:20 PM - Software Distribution Service 3.0
RP120: 4/18/2012 6:32:32 PM - Software Distribution Service 3.0
RP121: 4/19/2012 2:27:16 AM - Software Distribution Service 3.0
RP122: 4/19/2012 7:52:50 PM - Software Distribution Service 3.0
RP123: 4/21/2012 4:06:37 AM - Software Distribution Service 3.0
RP124: 5/22/2012 2:47:56 AM - System Checkpoint
RP125: 4/22/2012 6:25:53 AM - Revo Uninstaller's restore point - Microsoft Security Essentials
RP126: 4/22/2012 6:34:15 AM - Avira AntiVir Personal - 4/22/2012 6:34
RP127: 4/23/2012 5:25:37 PM - System Checkpoint
RP128: 4/23/2012 8:00:13 PM - Avira AntiVir Personal - 4/23/2012 19:59
RP129: 4/24/2012 3:00:37 AM - Software Distribution Service 3.0
RP130: 4/28/2012 6:03:35 PM - System Checkpoint
RP131: 4/29/2012 6:05:50 PM - System Checkpoint
RP132: 4/30/2012 12:19:36 AM - Removed Java(TM) 6 Update 29
RP133: 4/30/2012 12:19:56 AM - Installed Java(TM) 6 Update 31
.
==== Installed Programs ======================
.
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader X (10.1.3)
Apple Application Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
Avira Free Antivirus
Broadcom 802.11 Wireless LAN Adapter
Canon MP Navigator EX 1.0
Canon MP610 series
Canon MP610 series User Registration
Canon My Printer
Canon Utilities Easy-PhotoPrint EX
Canon Utilities Solution Menu
CCleaner
CDBurnerXP
Conexant 56K ACLink Modem
Conexant AC-Link Audio
CPUID CPU-Z 1.59
Free Window Registry Repair
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB954550-v5)
Java(TM) 6 Update 31
Malwarebytes Anti-Malware version 1.61.0.1400
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Automated Troubleshooting Services Shim
Microsoft Fix it Center
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
Mozilla Firefox (3.6.25)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
OpenOffice.org 3.3
PIXMA Extended Survey Program
QuickTime
Revo Uninstaller 1.93
ScanSoft OmniPage SE 4
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Internet Explorer 8 (KB2675157)
Security Update for Windows XP (KB2621440)
Security Update for Windows XP (KB2641653)
Security Update for Windows XP (KB2647518)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2660465)
Security Update for Windows XP (KB2661637)
Smart Defrag 2
Speccy
SpeedFan (remove only)
Spybot - Search & Destroy
SUPERAntiSpyware
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
WinToFlash Suggestor
.
==== Event Viewer Messages From Past Week ========
.
4/30/2012 12:08:47 AM, error: sr [1]  - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'.  It has stopped monitoring the volume.
4/29/2012 3:52:51 PM, error: Removable Storage Service [111]  - RSM could not load media in drive Drive 0 of library SanDisk Cruzer USB Device.
4/24/2012 12:24:25 AM, error: Service Control Manager [7023]  - The svcboot_kdiclgjee service terminated with the following error:  The system cannot find the file specified.
4/24/2012 12:24:25 AM, error: Service Control Manager [7000]  - The StarOpen service failed to start due to the following error:  The system cannot find the file specified.
4/24/2012 12:00:03 AM, error: Service Control Manager [7009]  - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
4/24/2012 12:00:03 AM, error: Service Control Manager [7000]  - The IMAPI CD-Burning COM Service service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
4/23/2012 8:08:11 PM, error: Disk [11]  - The driver detected a controller error on \Device\Harddisk0\D.
4/23/2012 6:56:32 PM, error: Service Control Manager [7022]  - The Avira AntiVir Guard service hung on starting.
4/23/2012 6:55:01 PM, error: Service Control Manager [7022]  - The Avira AntiVir Scheduler service hung on starting.
4/23/2012 4:50:57 AM, error: Service Control Manager [7011]  - Timeout (30000 milliseconds) waiting for a transaction response from the Dnscache service.
4/23/2012 11:51:33 PM, error: Service Control Manager [7009]  - Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.
4/23/2012 11:51:33 PM, error: Service Control Manager [7000]  - The Application Layer Gateway Service service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
4/23/2012 11:46:58 PM, error: atapi [9]  - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
.
==== End Of File ===========================


mopar

Re: Virus/Malware Infection Part 1
« Reply #1 on: April 30, 2012, 01:13:14 AM »
This is the original Avira Free Edition scan log that led to the question on Chat and suggestion to run the !virus2 steps. All the detections seem to come from a file labeled C:\WINDOWS\system32\anliq\...



Avira Free Antivirus
Report file date: Monday, April 23, 2012  23:13

Scanning for 3683079 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee        : Avira AntiVir Personal - Free Antivirus
Serial number   : 0000149996-ADJIE-0000001
Platform        : Windows XP
Windows version : (Service Pack 3)  [5.1.2600]
Boot mode       : Normally booted
Username        : Chris Farr
Computer name   : FARR-C

Version information:
BUILD.DAT       : 12.0.0.898     41963 Bytes   1/31/2012 14:50:00
AVSCAN.EXE      : 12.1.0.20     492496 Bytes   1/31/2012 12:56:54
AVSCAN.DLL      : 12.1.0.18      54224 Bytes   1/31/2012 12:57:27
LUKE.DLL        : 12.1.0.19      68304 Bytes   1/31/2012 12:57:02
AVSCPLR.DLL     : 12.1.0.22     100048 Bytes   1/31/2012 12:56:54
AVREG.DLL       : 12.1.0.36     229128 Bytes   4/24/2012 01:23:31
VBASE000.VDF    : 7.10.0.0    19875328 Bytes   11/6/2009 13:05:36
VBASE001.VDF    : 7.11.0.0    13342208 Bytes  12/14/2010 12:57:15
VBASE002.VDF    : 7.11.19.170 14374912 Bytes  12/20/2011 12:57:20
VBASE003.VDF    : 7.11.21.238  4472832 Bytes    2/1/2012 00:40:13
VBASE004.VDF    : 7.11.26.44   4329472 Bytes   3/28/2012 00:58:23
VBASE005.VDF    : 7.11.26.45      2048 Bytes   3/28/2012 00:58:29
VBASE006.VDF    : 7.11.26.46      2048 Bytes   3/28/2012 00:58:30
VBASE007.VDF    : 7.11.26.47      2048 Bytes   3/28/2012 00:58:35
VBASE008.VDF    : 7.11.26.48      2048 Bytes   3/28/2012 00:58:36
VBASE009.VDF    : 7.11.26.49      2048 Bytes   3/28/2012 00:58:38
VBASE010.VDF    : 7.11.26.50      2048 Bytes   3/28/2012 00:58:40
VBASE011.VDF    : 7.11.26.51      2048 Bytes   3/28/2012 00:58:42
VBASE012.VDF    : 7.11.26.52      2048 Bytes   3/28/2012 00:58:44
VBASE013.VDF    : 7.11.26.53      2048 Bytes   3/28/2012 00:58:46
VBASE014.VDF    : 7.11.26.107   221696 Bytes   3/30/2012 00:59:57
VBASE015.VDF    : 7.11.26.179   224768 Bytes    4/2/2012 01:01:12
VBASE016.VDF    : 7.11.26.241   142336 Bytes    4/4/2012 01:01:21
VBASE017.VDF    : 7.11.27.41    247808 Bytes    4/8/2012 01:02:51
VBASE018.VDF    : 7.11.27.107   161280 Bytes   4/12/2012 01:02:57
VBASE019.VDF    : 7.11.27.159   148992 Bytes   4/13/2012 01:03:12
VBASE020.VDF    : 7.11.27.201   207360 Bytes   4/17/2012 01:04:49
VBASE021.VDF    : 7.11.28.3     237568 Bytes   4/19/2012 01:06:22
VBASE022.VDF    : 7.11.28.49    193536 Bytes   4/20/2012 01:06:30
VBASE023.VDF    : 7.11.28.99    195072 Bytes   4/23/2012 01:06:41
VBASE024.VDF    : 7.11.28.100     2048 Bytes   4/23/2012 01:06:43
VBASE025.VDF    : 7.11.28.101     2048 Bytes   4/23/2012 01:06:45
VBASE026.VDF    : 7.11.28.102     2048 Bytes   4/23/2012 01:06:47
VBASE027.VDF    : 7.11.28.103     2048 Bytes   4/23/2012 01:06:49
VBASE028.VDF    : 7.11.28.104     2048 Bytes   4/23/2012 01:06:52
VBASE029.VDF    : 7.11.28.105     2048 Bytes   4/23/2012 01:06:54
VBASE030.VDF    : 7.11.28.106     2048 Bytes   4/23/2012 01:06:56
VBASE031.VDF    : 7.11.28.112     2048 Bytes   4/23/2012 01:06:58
Engineversion   : 8.2.10.52
AEVDF.DLL       : 8.1.2.2       106868 Bytes   1/31/2012 12:56:42
AESCRIPT.DLL    : 8.1.4.17      446842 Bytes   4/24/2012 01:22:15
AESCN.DLL       : 8.1.8.2       131444 Bytes   4/24/2012 01:22:08
AESBX.DLL       : 8.2.5.5       606579 Bytes   4/24/2012 01:23:14
AERDL.DLL       : 8.1.9.15      639348 Bytes   1/31/2012 12:56:42
AEPACK.DLL      : 8.2.16.9      807287 Bytes   4/24/2012 01:22:05
AEOFFICE.DLL    : 8.1.2.27      201082 Bytes   4/24/2012 01:20:21
AEHEUR.DLL      : 8.1.4.19     4673910 Bytes   4/24/2012 01:20:17
AEHELP.DLL      : 8.1.19.1      254327 Bytes   4/24/2012 01:10:19
AEGEN.DLL       : 8.1.5.27      422261 Bytes   4/24/2012 01:10:14
AEEXP.DLL       : 8.1.0.29       82293 Bytes   4/24/2012 01:23:16
AEEMU.DLL       : 8.1.3.0       393589 Bytes   1/31/2012 12:56:38
AECORE.DLL      : 8.1.25.6      201078 Bytes   4/24/2012 01:09:04
AEBB.DLL        : 8.1.1.0        53618 Bytes   1/31/2012 12:56:38
AVWINLL.DLL     : 12.1.0.17      27344 Bytes   1/31/2012 12:56:55
AVPREF.DLL      : 12.1.0.17      51920 Bytes   1/31/2012 12:56:53
AVREP.DLL       : 12.1.0.17     179408 Bytes   1/31/2012 12:56:53
AVARKT.DLL      : 12.1.0.23     209360 Bytes   1/31/2012 12:56:49
AVEVTLOG.DLL    : 12.1.0.17     169168 Bytes   1/31/2012 12:56:50
SQLITE3.DLL     : 3.7.0.0       398288 Bytes   1/31/2012 12:57:08
AVSMTP.DLL      : 12.1.0.17      62928 Bytes   1/31/2012 12:56:54
NETNT.DLL       : 12.1.0.17      17104 Bytes   1/31/2012 12:57:04
RCIMAGE.DLL     : 12.1.0.17    4450000 Bytes   1/31/2012 12:57:30
RCTEXT.DLL      : 12.1.1.16      96208 Bytes   1/31/2012 12:57:30

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: C:\Program Files\Avira\AntiVir Desktop\sysscan.avp
Logging.............................: default
Primary action......................: quarantine
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Extended process scan...............: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: extended
Deviating risk categories...........: -ADSPY,-ADWARE,

Start of the scan: Monday, April 23, 2012  23:13

Starting master boot sector scan:
Master boot sector HD0
    [INFO]      No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
    [INFO]      No virus was found!

Starting search for hidden objects.
The repair of rootkits is only in interactive mode possible!

The scan of running processes will be started
Scan process 'rsmsink.exe' - '31' Module(s) have been scanned
Scan process 'IEXPLORE.EXE' - '64' Module(s) have been scanned
Scan process 'avscan.exe' - '68' Module(s) have been scanned
Scan process 'avcenter.exe' - '82' Module(s) have been scanned
Scan process 'wuauclt.exe' - '38' Module(s) have been scanned
Scan process 'msdtc.exe' - '42' Module(s) have been scanned
Scan process 'dllhost.exe' - '62' Module(s) have been scanned
Scan process 'dllhost.exe' - '47' Module(s) have been scanned
Scan process 'vssvc.exe' - '50' Module(s) have been scanned
Scan process 'alg.exe' - '35' Module(s) have been scanned
Scan process 'avshadow.exe' - '35' Module(s) have been scanned
  Module is OK -> <c:\windows\system32\anliq\shim_sbxvbxorb.dll>
  [WARNING]   The file could not be opened!
  [NOTE]      The file does not exist!
  Module is infected -> <c:\WINDOWS\system32\anliq\mcsc_aheffwadi.dll>
  [DETECTION] Is the TR/Gendal.kdv.378413.2 Trojan
Scan process 'svchost.exe' - '42' Module(s) have been scanned
  Module is infected -> <c:\WINDOWS\system32\anliq\mck_bwbicwgpi.dll>
  [DETECTION] Is the TR/Agent.2091757 Trojan
  Module is OK -> <c:\windows\system32\anliq\shim_sbxvbxorb.dll>
  [WARNING]   The file could not be opened!
  [NOTE]      The file does not exist!
Scan process 'svchost.exe' - '67' Module(s) have been scanned
  Module is infected -> <c:\WINDOWS\system32\anliq\svcboot_kdiclgjee.dll>
  [DETECTION] Is the TR/Skillis.aoe Trojan
  Module is infected -> <c:\WINDOWS\system32\anliq\Director_mteaylwph.dll>
  [DETECTION] Is the TR/Crypt.XPACK.Gen7 Trojan
  Module is infected -> <c:\WINDOWS\system32\anliq\dprx_geewisoev.dll>
  [DETECTION] Is the TR/Buzy.2425 Trojan
  Module is OK -> <c:\windows\system32\anliq\shim_sbxvbxorb.dll>
  [WARNING]   The file could not be opened!
  [NOTE]      The file does not exist!
  Module is infected -> <c:\WINDOWS\system32\anliq\ccp_jbnhwjfvc.dll>
  [DETECTION] Is the TR/Gendal.kdv.379669 Trojan
  Module is infected -> <c:\WINDOWS\system32\anliq\mcmsg_mxejiwefc.dll>
  [DETECTION] Is the TR/Skillis.arl Trojan
  Module is infected -> <c:\WINDOWS\system32\anliq\mcy_eeyemrgnq.dll>
  [DETECTION] Is the TR/Buzy.2421 Trojan
  Module is infected -> <c:\WINDOWS\system32\anliq\mco_arhqsxtvt.dll>
  [DETECTION] Is the TR/Skillis.anz Trojan
  Module is infected -> <c:\WINDOWS\system32\anliq\mcoexp_oxeucpqpt.dll>
  [DETECTION] Is the TR/Skillis.aof Trojan
  Module is infected -> <c:\WINDOWS\system32\anliq\mclmd_iqnohcznj.dll>
  [DETECTION] Is the TR/Skillis.avi Trojan
  Module is infected -> <c:\WINDOWS\system32\anliq\mcsc_aheffwadi.dll>
  [DETECTION] Is the TR/Gendal.kdv.378413.2 Trojan
  Module is infected -> <c:\WINDOWS\system32\anliq\mck_bwbicwgpi.dll>
  [DETECTION] Is the TR/Agent.2091757 Trojan
  Module is infected -> <c:\WINDOWS\system32\anliq\mcie_evqpfdpyt.dll>
  [DETECTION] Is the TR/Gendal.kdv.378488.1 Trojan
  Module is infected -> <c:\WINDOWS\system32\anliq\mcff_dxuldivfp.dll>
  [DETECTION] Is the TR/Skillis.aob Trojan
  Module is infected -> <c:\WINDOWS\system32\anliq\mcgc_vodhvvdsi.dll>
  [DETECTION] Is the TR/Gendal.kdv.374002 Trojan
Scan process 'svchost.exe' - '41' Module(s) have been scanned
  Module is infected -> <c:\WINDOWS\system32\anliq\svcboot_kdiclgjee.dll>
  [DETECTION] Is the TR/Skillis.aoe Trojan
Scan process 'svchost.exe' - '41' Module(s) have been scanned
Scan process 'jqs.exe' - '33' Module(s) have been scanned
Scan process 'IJPLMSVC.EXE' - '16' Module(s) have been scanned
Scan process 'avguard.exe' - '74' Module(s) have been scanned
Scan process 'soffice.bin' - '104' Module(s) have been scanned
  Module is OK -> <c:\windows\system32\anliq\shim_sbxvbxorb.dll>
  [WARNING]   The file could not be opened!
  [NOTE]      The file does not exist!
  Module is infected -> <c:\WINDOWS\system32\anliq\mcsc_aheffwadi.dll>
  [DETECTION] Is the TR/Gendal.kdv.378413.2 Trojan
Scan process 'soffice.exe' - '15' Module(s) have been scanned
Scan process 'ctfmon.exe' - '38' Module(s) have been scanned
  Module is OK -> <c:\windows\system32\anliq\shim_sbxvbxorb.dll>
  [WARNING]   The file could not be opened!
  [NOTE]      The file does not exist!
  Module is infected -> <c:\WINDOWS\system32\anliq\mcsc_aheffwadi.dll>
  [DETECTION] Is the TR/Gendal.kdv.378413.2 Trojan
Scan process 'avgnt.exe' - '67' Module(s) have been scanned
  Module is OK -> <c:\windows\system32\anliq\shim_sbxvbxorb.dll>
  [WARNING]   The file could not be opened!
  [NOTE]      The file does not exist!
  Module is infected -> <c:\WINDOWS\system32\anliq\mcsc_aheffwadi.dll>
  [DETECTION] Is the TR/Gendal.kdv.378413.2 Trojan
Scan process 'atiptaxx.exe' - '44' Module(s) have been scanned
  Module is OK -> <c:\windows\system32\anliq\shim_sbxvbxorb.dll>
  [WARNING]   The file could not be opened!
  [NOTE]      The file does not exist!
  Module is infected -> <c:\WINDOWS\system32\anliq\mcsc_aheffwadi.dll>
  [DETECTION] Is the TR/Gendal.kdv.378413.2 Trojan
Scan process 'Explorer.EXE' - '96' Module(s) have been scanned
  Module is OK -> <c:\windows\system32\anliq\shim_sbxvbxorb.dll>
  [WARNING]   The file could not be opened!
  [NOTE]      The file does not exist!
  Module is infected -> <c:\WINDOWS\system32\anliq\mcsc_aheffwadi.dll>
  [DETECTION] Is the TR/Gendal.kdv.378413.2 Trojan
Scan process 'svchost.exe' - '36' Module(s) have been scanned
Scan process 'sched.exe' - '41' Module(s) have been scanned
Scan process 'spoolsv.exe' - '57' Module(s) have been scanned
Scan process 'svchost.exe' - '60' Module(s) have been scanned
Scan process 'svchost.exe' - '39' Module(s) have been scanned
Scan process 'svchost.exe' - '62' Module(s) have been scanned
Scan process 'svchost.exe' - '34' Module(s) have been scanned
Scan process 'svchost.exe' - '173' Module(s) have been scanned
Scan process 'svchost.exe' - '40' Module(s) have been scanned
Scan process 'svchost.exe' - '55' Module(s) have been scanned
Scan process 'lsass.exe' - '60' Module(s) have been scanned
Scan process 'services.exe' - '27' Module(s) have been scanned
Scan process 'winlogon.exe' - '73' Module(s) have been scanned
Scan process 'csrss.exe' - '12' Module(s) have been scanned
Scan process 'smss.exe' - '2' Module(s) have been scanned

Starting to scan executable files (registry).
The registration entry <HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path\Debugger> was removed successfully.
The registration entry <HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations> could not be removed.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Avira\AntiVir Desktop\TEMP\AVSCAN-20120424-000116-3F069D7B\ARKA.tmp
  [DETECTION] Is the TR/Skillis.avh Trojan
  [NOTE]      The file was moved to the quarantine directory under the name '55d59859.qua'.
  [WARNING]   The registration entry <HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations> could not be repaired.
  [NOTE]      For the final repair, a restart of the computer is instigated.
  [NOTE]      The registration entry <HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\PendingFileRenameOperations> was successfully repaired.
The registration entry <HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svcboot_kdiclgjee\Parameters> was removed successfully.
The registration entry <HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\svcboot_kdiclgjee\Parameters> was removed successfully.
The registration entry <HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\svcboot_kdiclgjee\Parameters> was removed successfully.
C:\WINDOWS\system32\anliq\svcboot_kdiclgjee.dll
  [DETECTION] Is the TR/Skillis.aoe Trojan
  [NOTE]      The file was moved to the quarantine directory under the name '61a58dbe.qua'.
  [NOTE]      The registration entry <HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svcboot_kdiclgjee\Parameters\ServiceDll> was successfully repaired.
  [NOTE]      The registration entry <HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\svcboot_kdiclgjee\Parameters\ServiceDll> was successfully repaired.
  [NOTE]      The registration entry <HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\svcboot_kdiclgjee\Parameters\ServiceDll> was successfully repaired.

The registry was scanned ( '992' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\Documents and Settings\All Users.WINDOWS\Application Data\Avira\AntiVir Desktop\TEMP\AVSCAN-20120423-231318-DA112CAB\ARK10.tmp
  [DETECTION] Is the TR/Skillis.aoe Trojan
  [NOTE]      The file was moved to the quarantine directory under the name '5b22ba72.qua'.
C:\Documents and Settings\All Users.WINDOWS\Application Data\Avira\AntiVir Desktop\TEMP\AVSCAN-20120423-231318-DA112CAB\ARKF.tmp
  [DETECTION] Is the TR/Skillis.avh Trojan
  [NOTE]      The file was moved to the quarantine directory under the name '6b82d6a0.qua'.
C:\Program Files\Mozilla Firefox\components\1256501.dll
  [DETECTION] Is the TR/Crypt.XPACK.Gen7 Trojan
  [NOTE]      The file was moved to the quarantine directory under the name '46f2d051.qua'.
C:\WINDOWS\system32\anliq\ccp_jbnhwjfvc.dll
  [DETECTION] Is the TR/Gendal.kdv.379669 Trojan
  [NOTE]      The file was moved to the quarantine directory under the name '2c0bc426.qua'.
C:\WINDOWS\system32\anliq\Director_mteaylwph.dll
  [DETECTION] Is the TR/Crypt.XPACK.Gen7 Trojan
  [NOTE]      The file was moved to the quarantine directory under the name '53a6cd63.qua'.
C:\WINDOWS\system32\anliq\dprx_geewisoev.dll
  [DETECTION] Is the TR/Buzy.2425 Trojan
  [NOTE]      The file was moved to the quarantine directory under the name '1f84b085.qua'.
C:\WINDOWS\system32\anliq\ffe35_ifbfyomeu.dll
  [DETECTION] Is the TR/Crypt.XPACK.Gen7 Trojan
  [NOTE]      The file was moved to the quarantine directory under the name '5836a191.qua'.
C:\WINDOWS\system32\anliq\ffe36_vodhvvdsi.dll
  [DETECTION] Is the TR/Crypt.XPACK.Gen7 Trojan
  [NOTE]      The file was moved to the quarantine directory under the name '74c2d852.qua'.
C:\WINDOWS\system32\anliq\ffe3_ewevcevtu.dll
  [DETECTION] Is the TR/Crypt.XPACK.Gen7 Trojan
  [NOTE]      The file was moved to the quarantine directory under the name '4a3cb888.qua'.
C:\WINDOWS\system32\anliq\ffe_xdkvjiedd.dll
  [DETECTION] Is the TR/Crypt.XPACK.Gen7 Trojan
  [NOTE]      The file was moved to the quarantine directory under the name '293293fa.qua'.
C:\WINDOWS\system32\anliq\mcff_dxuldivfp.dll
  [DETECTION] Is the TR/Skillis.aob Trojan
  [NOTE]      The file was moved to the quarantine directory under the name '3d69a038.qua'.
C:\WINDOWS\system32\anliq\mcgc_vodhvvdsi.dll
  [DETECTION] Is the TR/Gendal.kdv.374002 Trojan
  [NOTE]      The file was moved to the quarantine directory under the name '087eeef4.qua'.
C:\WINDOWS\system32\anliq\mcie_evqpfdpyt.dll
  [DETECTION] Is the TR/Gendal.kdv.378488.1 Trojan
  [NOTE]      The file was moved to the quarantine directory under the name '2328e61d.qua'.
C:\WINDOWS\system32\anliq\mck_bwbicwgpi.dll
  [DETECTION] Is the TR/Agent.2091757 Trojan
  [NOTE]      The file was moved to the quarantine directory under the name '2d1d8333.qua'.
C:\WINDOWS\system32\anliq\mclmd_iqnohcznj.dll
  [DETECTION] Is the TR/Skillis.avi Trojan
  [NOTE]      The file was moved to the quarantine directory under the name '709bdacf.qua'.
C:\WINDOWS\system32\anliq\mcmsg_mxejiwefc.dll
  [DETECTION] Is the TR/Skillis.arl Trojan
  [NOTE]      The file was moved to the quarantine directory under the name '6295f706.qua'.
C:\WINDOWS\system32\anliq\mcoexp_oxeucpqpt.dll
  [DETECTION] Is the TR/Skillis.aof Trojan
  [NOTE]      The file was moved to the quarantine directory under the name '53af8942.qua'.
C:\WINDOWS\system32\anliq\mco_arhqsxtvt.dll
  [DETECTION] Is the TR/Skillis.anz Trojan
  [NOTE]      The file was moved to the quarantine directory under the name '19cfa4a2.qua'.
C:\WINDOWS\system32\anliq\mcsc_aheffwadi.dll
  [DETECTION] Is the TR/Gendal.kdv.378413.2 Trojan
  [NOTE]      The file was moved to the quarantine directory under the name '6c91e69f.qua'.
C:\WINDOWS\system32\anliq\mcy_eeyemrgnq.dll
  [DETECTION] Is the TR/Buzy.2421 Trojan
  [NOTE]      The file was moved to the quarantine directory under the name '681b85af.qua'.

SuperDave

  • Malware Removal Specialist


  • Genius
  • Thanked: 1020
  • Certifications: List
  • Experience: Expert
  • OS: Windows 10
Re: Virus/Malware Infection Part 1
« Reply #2 on: April 30, 2012, 12:55:43 PM »
Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer, you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device, hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*************************************************************************
Quote
It appears that SuperAnti and MBAM found a few more things that Avira and Spybot S&D missed. I may well switch to SuperAnti and MBAM.
SAS and MBAM are not Anti-virus programs. They target different malware.

Download Combofix from any of the links below, and save it to your DESKTOP

Link 1
Link 2
Link 3

To prevent your anti-virus application interfering with ComboFix, we need to disable it. See here for a tutorial regarding how to do so if you are unsure.
  • Close any open windows and double click ComboFix.exe to run it.

    You will see the following image:


Click I Agree to start the program.

ComboFix will then extract the necessary files and you will see this:



As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7.

It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

If you did not have it installed, you will see the prompt below. Choose YES.



Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please Do NOT mouseclick ComboFix's window while it's running because it may cause it to stall.
Windows 8 and Windows 10 dual boot with two SSD's

mopar

    Topic Starter


    Rookie
  • Experienced, yet still learning...
    • Yes
  • Computer: Specs
  • Experience: Experienced
  • OS: Windows XP
Re: Virus/Malware Infection Part 1
« Reply #3 on: April 30, 2012, 04:23:03 PM »
Hello Dave  :)
Thanks for your reply and help. Here is the ComboFix logfile you requested.
ComboFix 12-04-31.02 - Chris Farr 04/30/2012  17:57:04.1.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.447.127 [GMT -4:00]
Running from: c:\documents and settings\Chris Farr\Desktop\ComboFix.exe
AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Default User\WINDOWS
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\urttemp
.
.
(((((((((((((((((((((((((   Files Created from 2012-03-28 to 2012-04-30  )))))))))))))))))))))))))))))))
.
.
2012-05-22 06:09 . 2012-05-22 06:09   --------   d-sh--w-   c:\documents and settings\NetworkService.NT AUTHORITY\IETldCache
2012-04-30 17:54 . 2012-04-30 18:55   418464   ----a-w-   c:\windows\system32\FlashPlayerApp.exe
2012-04-30 03:36 . 2012-04-30 03:36   --------   d-----w-   c:\documents and settings\Chris Farr\Application Data\Malwarebytes
2012-04-30 03:32 . 2012-04-30 03:32   --------   d-----w-   c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2012-04-30 03:32 . 2012-04-30 03:32   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2012-04-30 03:32 . 2012-04-04 19:56   22344   ----a-w-   c:\windows\system32\drivers\mbam.sys
2012-04-29 22:13 . 2012-04-29 22:13   --------   d-----w-   c:\documents and settings\Chris Farr\Application Data\SUPERAntiSpyware.com
2012-04-29 22:12 . 2012-04-29 22:13   --------   d-----w-   c:\program files\SUPERAntiSpyware
2012-04-29 22:12 . 2012-04-29 22:12   --------   d-----w-   c:\documents and settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2012-04-24 09:03 . 2009-11-12 18:48   5504   ----a-w-   c:\windows\system32\drivers\StarOpen.sys
2012-04-24 06:52 . 2012-04-24 06:52   --------   d-----w-   c:\program files\WinToFlash Suggestor
2012-04-24 00:20 . 2012-04-24 00:20   --------   d-----w-   c:\documents and settings\Chris Farr\Application Data\Avira
2012-04-24 00:10 . 2012-01-31 12:57   137416   ----a-w-   c:\windows\system32\drivers\avipbb.sys
2012-04-24 00:10 . 2011-09-16 20:09   36000   ----a-w-   c:\windows\system32\drivers\avkmgr.sys
2012-04-24 00:10 . 2012-04-24 00:10   --------   d-----w-   c:\documents and settings\All Users.WINDOWS\Application Data\Avira
2012-04-22 10:50 . 2012-04-22 10:50   --------   d-sh--w-   c:\documents and settings\LocalService.NT AUTHORITY\PrivacIE
2012-04-22 10:50 . 2012-04-22 10:50   --------   d-sh--w-   c:\documents and settings\LocalService.NT AUTHORITY\IECompatCache
2012-04-22 10:37 . 2012-01-31 12:57   74640   ----a-w-   c:\windows\system32\drivers\avgntflt.sys
2012-04-22 10:37 . 2012-04-22 10:37   --------   d-----w-   c:\program files\Avira
2012-04-04 05:53 . 2012-04-04 05:53   182160   ----a-w-   c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2012-04-04 05:53 . 2012-04-04 05:53   182160   ----a-w-   c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-30 18:55 . 2011-11-02 08:56   70304   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-30 04:20 . 2011-12-29 09:20   73728   ----a-w-   c:\windows\system32\javacpl.cpl
2012-04-30 04:20 . 2011-12-29 09:20   472808   ----a-w-   c:\windows\system32\deployJava1.dll
2012-03-01 11:01 . 2008-04-14 12:00   916992   ----a-w-   c:\windows\system32\wininet.dll
2012-03-01 11:01 . 2008-04-14 12:00   43520   ----a-w-   c:\windows\system32\licmgr10.dll
2012-03-01 11:01 . 2008-04-14 12:00   1469440   ----a-w-   c:\windows\system32\inetcpl.cpl
2012-02-29 14:10 . 2008-04-14 12:00   177664   ----a-w-   c:\windows\system32\wintrust.dll
2012-02-29 14:10 . 2008-04-14 12:00   148480   ----a-w-   c:\windows\system32\imagehlp.dll
2012-02-29 12:17 . 2008-04-14 12:00   385024   ----a-w-   c:\windows\system32\html.iec
2012-02-23 14:18 . 2011-11-02 20:05   237072   ------w-   c:\windows\system32\MpSigStub.exe
2012-02-06 06:16 . 2012-02-06 06:16   23456   ----a-w-   c:\windows\system32\drivers\DrvAgent32.sys
2012-02-03 09:22 . 2008-04-14 12:00   1860096   ----a-w-   c:\windows\system32\win32k.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FC36B0BD-27F0-4cdd-8AB1-50651EFC3EFD}]
2012-02-09 20:12   230192   ----a-w-   c:\program files\WinToFlash Suggestor\WinToFlashSuggestor.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-16 335872]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2012-01-31 258512]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\Chris Farr\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54   551296   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"CanonMyPrinter"=c:\program files\Canon\MyPrinter\BJMyPrt.exe /logon
"CanonSolutionMenu"=c:\program files\Canon\SolutionMenu\CNSLMAIN.exe /logon
"CARPService"=carpserv.exe
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
.
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [11/1/2011 11:32 PM 14776]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [4/23/2012 8:10 PM 36000]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 7:38 PM 116608]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/23/2012 8:10 PM 86224]
R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [1/25/2012 1:23 AM 21992]
R3 ALiIRDA;ALi Infrared Device Driver;c:\windows\system32\drivers\alifir.sys [11/1/2011 2:50 PM 26624]
R3 CALIAUD;Conexant AMC 3D Environmental Audio;c:\windows\system32\drivers\caliaud.sys [11/10/2011 1:30 AM 292352]
R3 CALIHALA;CALIHALA;c:\windows\system32\drivers\calihal.sys [11/10/2011 1:30 AM 273536]
S2 svcboot_kdiclgjee;svcboot_kdiclgjee;c:\windows\system32\svchost.exe -k svcboot_kdiclgjee [4/14/2008 8:00 AM 14336]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/30/2012 1:54 PM 253088]
S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [2/6/2012 2:16 AM 23456]
S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\Microsoft Fix it Center\Matsvc.exe [6/13/2011 11:09 PM 267568]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ADOBEFLASHPLAYERUPDATESVC
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
svcboot_kdiclgjee   REG_MULTI_SZ      svcboot_kdiclgjee
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-30 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-30 18:55]
.
2011-11-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 01:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: {{A52C66B3-D4A9-4d10-A67D-2BEF0A85AB3F} - {FC36B0BD-27F0-4cdd-8AB1-50651EFC3EFD} - c:\program files\WinToFlash Suggestor\WinToFlashSuggestor.dll
TCP: DhcpNameServer = 67.142.175.10 67.142.175.11
FF - ProfilePath - c:\documents and settings\Chris Farr\Application Data\Mozilla\Firefox\Profiles\rmuxnpyx.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
FF - Ext: Ghostery: [email protected] - %profile%\extensions\[email protected]
FF - Ext: DriverZonePlugin for Firefox and Opera: {C57D6078-75B4-11E0-9B04-07284924019B} - %profile%\extensions\{C57D6078-75B4-11E0-9B04-07284924019B}
FF - Ext: Adblock Plus Pop-up Addon: [email protected] - %profile%\extensions\[email protected]
FF - Ext: BrowserProtect: [email protected] - %profile%\extensions\[email protected]
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Redirect Remover: {fe0258ab-4f74-43a1-8781-bcdf340f9ee9} - %profile%\extensions\{fe0258ab-4f74-43a1-8781-bcdf340f9ee9}
FF - Ext: WinToFlash Suggestor: {285ACFBB-8E53-4feb-90E6-F02A128927F3} - %profile%\extensions\{285ACFBB-8E53-4feb-90E6-F02A128927F3}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-30 18:04
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2025429265-842925246-839522115-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(576)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(1208)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2012-04-30  18:07:50
ComboFix-quarantined-files.txt  2012-04-30 22:07
.
Pre-Run: 28,927,582,208 bytes free
Post-Run: 28,913,479,680 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /noexecute=optin
.
- - End Of File - - 0CDA2BDF745A3432E0257291DD8D842C
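The Avira log earlier in this thread and the ComboFix log just above both use fixed, line-oriented formats that can be parsed offline to answer the two questions a malware-removal helper asks first: where do the detections cluster, and which of them had a persistence hook? The following is an added triage example, not code from the thread, from Avira or from ComboFix. The sample lines are copied from the thread's own logs; the baseline set of svchost group names is an assumption for the example and should be built from a known-clean machine of the same Windows version. Requires Python 3.8 or newer.

```python
"""Offline triage of the Avira AntiVir and ComboFix log formats quoted in this thread.

Added example: not code from the thread, Avira or ComboFix. Sample lines are copied
from the thread's own logs; BASELINE_SVCHOST_GROUPS is an assumption (see below).
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample: lines taken verbatim from the Avira log posted in this thread.
AVIRA_SAMPLE = r"""Scan process 'svchost.exe' - '41' Module(s) have been scanned
  Module is infected -> <c:\WINDOWS\system32\anliq\svcboot_kdiclgjee.dll>
  [DETECTION] Is the TR/Skillis.aoe Trojan
Scan process 'Explorer.EXE' - '96' Module(s) have been scanned
  Module is OK -> <c:\windows\system32\anliq\shim_sbxvbxorb.dll>
  [WARNING]   The file could not be opened!
  [NOTE]      The file does not exist!
  Module is infected -> <c:\WINDOWS\system32\anliq\mcsc_aheffwadi.dll>
  [DETECTION] Is the TR/Gendal.kdv.378413.2 Trojan
Begin scan in 'C:\'
C:\WINDOWS\system32\anliq\svcboot_kdiclgjee.dll
  [DETECTION] Is the TR/Skillis.aoe Trojan
  [NOTE]      The file was moved to the quarantine directory under the name '61a58dbe.qua'.
C:\Program Files\Mozilla Firefox\components\1256501.dll
  [DETECTION] Is the TR/Crypt.XPACK.Gen7 Trojan
  [NOTE]      The file was moved to the quarantine directory under the name '46f2d051.qua'.
"""

# Constructed sample: service lines taken verbatim from the ComboFix log in this thread.
COMBOFIX_SAMPLE = r"""R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/23/2012 8:10 PM 86224]
S2 svcboot_kdiclgjee;svcboot_kdiclgjee;c:\windows\system32\svchost.exe -k svcboot_kdiclgjee [4/14/2008 8:00 AM 14336]
S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\Microsoft Fix it Center\Matsvc.exe [6/13/2011 11:09 PM 267568]
"""

RE_PROCESS = re.compile(r"^Scan process '([^']+)'")
RE_MODULE = re.compile(r"^\s+Module is infected -> <([^>]+)>")
RE_FILE = re.compile(r"^[A-Za-z]:\\")            # unindented path: file-scan section
RE_DETECT = re.compile(r"^\s+\[DETECTION\]\s+Is the (.+?) Trojan\s*$")
RE_QUARANTINE = re.compile(r"^\s+\[NOTE\]\s+The file was moved to the quarantine directory under the name '([^']+)'")
RE_SERVICE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[[^\]]*\]\s*$")
RE_SVCHOST_GROUP = re.compile(r"svchost\.exe\s+-k\s+(\S+)", re.IGNORECASE)

# Assumed baseline of svchost group names present on a clean Windows XP install.
# Build this from a known-clean machine of the same build rather than trusting this list.
BASELINE_SVCHOST_GROUPS = {"netsvcs", "localservice", "networkservice", "rpcss",
                           "dcomlaunch", "imgsvc", "httpfilter", "termsvcs"}


def _record(records: Dict[str, dict], path: str) -> dict:
    """Fetch or create the record for a path (Windows paths are case-insensitive)."""
    return records.setdefault(path.lower(), {"path": path, "detection": None,
                                             "loaded_in": set(), "quarantined_as": None})


def parse_avira(text: str) -> Dict[str, dict]:
    """One record per infected path: detection name, processes it was loaded in, quarantine name."""
    records: Dict[str, dict] = {}
    process: Optional[str] = None    # process being scanned (memory-scan section)
    current: Optional[dict] = None   # record that following [DETECTION]/[NOTE] lines refer to
    for line in text.splitlines():
        if m := RE_PROCESS.match(line):
            process, current = m.group(1), None
        elif m := RE_MODULE.match(line):
            current = _record(records, m.group(1))
            if process:
                current["loaded_in"].add(process)
        elif RE_FILE.match(line):
            process, current = None, _record(records, line.strip())
        elif (m := RE_DETECT.match(line)) and current is not None:
            current["detection"] = m.group(1)
        elif (m := RE_QUARANTINE.match(line)) and current is not None:
            current["quarantined_as"] = m.group(1)
    return records


def detections_by_directory(records: Dict[str, dict]) -> Dict[str, int]:
    """Count infected files per directory so clusters (one dropper folder) stand out."""
    counts: Dict[str, int] = defaultdict(int)
    for rec in records.values():
        counts[rec["path"].lower().rsplit("\\", 1)[0]] += 1
    return dict(counts)


def parse_combofix_services(text: str) -> List[dict]:
    """Parse ComboFix 'R0/S2 name;display;image [date size]' service lines."""
    services = []
    for line in text.splitlines():
        if m := RE_SERVICE.match(line):
            state, name, display, image = m.groups()
            g = RE_SVCHOST_GROUP.search(image)
            services.append({"state": state, "name": name, "display": display,
                             "image": image, "svchost_group": g.group(1) if g else None})
    return services


def suspicious_svchost_services(services: List[dict], baseline=BASELINE_SVCHOST_GROUPS) -> List[dict]:
    """Flag svchost-hosted services whose -k group is unknown or exists only for that service."""
    flagged = []
    for svc in services:
        group = svc["svchost_group"]
        if group is None:
            continue
        reasons = []
        if group.lower() not in baseline:
            reasons.append("svchost group not in baseline")
        if group.lower() == svc["name"].lower():
            reasons.append("group created for a single service of the same name")
        if reasons:
            flagged.append({"name": svc["name"], "group": group, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    recs = parse_avira(AVIRA_SAMPLE)
    for directory, n in detections_by_directory(recs).items():
        print(f"{n} infected file(s) under {directory}")
    for rec in recs.values():
        if rec["loaded_in"] and not rec["quarantined_as"]:
            print(f"still loaded, not quarantined: {rec['path']} in {sorted(rec['loaded_in'])}")
    for hit in suspicious_svchost_services(parse_combofix_services(COMBOFIX_SAMPLE)):
        print(f"service {hit['name']} (-k {hit['group']}): {'; '.join(hit['reasons'])}")
```

Run against the full logs from this thread, the directory count shows nearly every detection sitting under one folder, and the service check flags the one svchost-hosted service that runs in a group of its own name, which is the same entry Avira's registry pass repaired (the `ServiceDll` values under `svcboot_kdiclgjee\Parameters`). The svchost group baseline is the weak point of the heuristic: compare against a clean machine of the same build and service pack, since vendors legitimately register their own groups.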
 

SuperDave

Re: Virus/Malware Infection Part 1
« Reply #4 on: May 01, 2012, 01:36:36 PM »
SysProt Antirootkit

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.
  • Double click Sysprot.exe to start the program.
  • Click on the Log tab.
  • In the Write to log box select the following items.
    • Process << Selected
    • Kernel Modules << Selected
    • SSDT << Selected
    • Kernel Hooks << Selected
    • IRP Hooks << NOT Selected
    • Ports << NOT Selected
    • Hidden Files << Selected
  • At the bottom of the page
    • Hidden Objects Only << Selected
  • Click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear.
  • Select Scan Root Drive. Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.
  • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.

mopar

Re: Virus/Malware Infection Part 1
« Reply #5 on: May 01, 2012, 05:19:06 PM »
Hello again Dave,
Here is the SysProt logfile you requested. BTW, should I navigate to and erase the anliq subfolder in C:\WINDOWS\system32\ that the trojans found in the original scan seem to come from?
SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

No Hidden Processes found

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: F2B61000
Module End: F2B79000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: F7A8B000
Module End: F7A8D000
Hidden: Yes

******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwNotifyChangeKey
Address: F2804004
Driver Base: F2803000
Driver End: F2806000
Driver Name: \SystemRoot\system32\DRIVERS\avgidsshimx.sys

Function Name: ZwNotifyChangeMultipleKeys
Address: F28040D4
Driver Base: F2803000
Driver End: F2806000
Driver Name: \SystemRoot\system32\DRIVERS\avgidsshimx.sys

Function Name: ZwOpenProcess
Address: F2803D76
Driver Base: F2803000
Driver End: F2806000
Driver Name: \SystemRoot\system32\DRIVERS\avgidsshimx.sys

Function Name: ZwTerminateProcess
Address: F2803E1E
Driver Base: F2803000
Driver End: F2806000
Driver Name: \SystemRoot\system32\DRIVERS\avgidsshimx.sys

Function Name: ZwTerminateThread
Address: F2803EBA
Driver Base: F2803000
Driver End: F2806000
Driver Name: \SystemRoot\system32\DRIVERS\avgidsshimx.sys

Function Name: ZwWriteVirtualMemory
Address: F2803F56
Driver Base: F2803000
Driver End: F2806000
Driver Name: \SystemRoot\system32\DRIVERS\avgidsshimx.sys

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\Qoobox\BackEnv\AppData.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Cache.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Cookies.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Desktop.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Favorites.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\History.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\LocalAppData.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\LocalSettings.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Music.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\NetHood.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Personal.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Pictures.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\PrintHood.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Profiles.Folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Profiles.Folder.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Programs.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Recent.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\SendTo.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\SetPath.bat
Status: Access denied

Object: C:\Qoobox\BackEnv\StartMenu.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\StartUp.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\SysPath.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Templates.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\VikPev00
Status: Access denied



SuperDave

  • Malware Removal Specialist


  • Genius
  • Thanked: 1020
  • Certifications: List
  • Experience: Expert
  • OS: Windows 10
Re: Virus/Malware Infection Part 1
« Reply #6 on: May 02, 2012, 01:23:46 PM »
Quote
should I navigate to and erase the anliq subfolder in C:\WINDOWS\system32\ that the trojans found in the original scan seem to come from?
Just leave it be for now.

I'd like to scan your machine with ESET OnlineScan

• Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
• Click the button.
• For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the icon on your desktop.
• Check
• Click the button.
• Accept any security warnings from your browser.
• Check
• Push the Start button.
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
• When the scan completes, push
• Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
• Push the button.
• Push
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

mopar

Re: Virus/Malware Infection Part 1
« Reply #7 on: May 02, 2012, 09:00:41 PM »
Hello Dave;
Here is the ESET logfile.
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=9f3048816f79ac44a30bcf0cd0c77d57
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-05-03 12:27:29
# local_time=2012-05-02 08:27:29 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1024 16777175 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=54808
# found=0
# cleaned=0
# scan_time=7191
ESETSmartInstaller@High as downloader log:
all ok
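The log above is mostly a `# key=value` header, and the flags in it say what the scan did and did not cover. The following is an added example, not code from this thread or from ESET: a small parser for that header that returns the counts, the option flags and any detection lines as one object. It assumes the layout shown in the post (header lines starting with `#`, the two installer lines, and, when there are hits, one tab-separated line per detection; that detection layout is an assumption, since this log has found=0).

```powershell
# Added example (not from the thread): parse an ESET Online Scanner log header
# like the one posted above and summarise what the scan covered.
# Assumed layout: '# key=value' header lines, the 'ESETSmartInstaller@High as
# downloader log:' / 'all ok' installer lines, and (when found > 0) one
# tab-separated detection line per hit. The detection-line layout is an assumption.
function Read-EsetOnlineScanLog {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$Lines
    )

    $header     = @{}
    $detections = @()

    foreach ($line in $Lines) {
        if ($line -match '^#\s*([A-Za-z_]+)=(.*)$') {
            $name  = $matches[1]
            $value = $matches[2].Trim()
            if ($header.ContainsKey($name)) {
                # compatibility_mode is listed twice in the posted log; keep both values.
                $header[$name] = @($header[$name]) + $value
            } else {
                $header[$name] = $value
            }
        } elseif ($line -match '^ESETSmartInstaller@' -or $line -match '^all ok' -or $line.Trim() -eq '') {
            continue
        } else {
            # Assumed detection-line layout: <path> TAB <threat name> TAB <action taken>
            $parts  = $line -split "`t"
            $threat = ''
            $action = ''
            if ($parts.Count -gt 1) { $threat = $parts[1] }
            if ($parts.Count -gt 2) { $action = $parts[2] }
            $detections += New-Object PSObject -Property @{
                Path = $parts[0]; Threat = $threat; Action = $action
            }
        }
    }

    $finished   = ($header['end'] -eq 'finished')
    $found      = [int]$header['found']
    $cleaned    = [int]$header['cleaned']
    $scanUnsafe = ($header['unsafe_checked'] -eq 'true')

    # Things a reviewer would want flagged rather than read out of the raw header.
    $warnings = @()
    if (-not $finished)      { $warnings += 'Scan did not run to completion (end is not "finished").' }
    if ($found -gt $cleaned) { $warnings += "$($found - $cleaned) detection(s) were not cleaned." }
    if (-not $scanUnsafe)    { $warnings += 'Potentially unsafe applications were not scanned (unsafe_checked=false).' }

    New-Object PSObject -Property @{
        Finished      = $finished
        Scanned       = [int]$header['scanned']
        Found         = $found
        Cleaned       = $cleaned
        ScanTime      = $header['scan_time']   # as reported; the log does not state the unit
        RemoveThreats = ($header['remove_checked'] -eq 'true')
        ScanArchives  = ($header['archives_checked'] -eq 'true')
        ScanUnwanted  = ($header['unwanted_checked'] -eq 'true')
        ScanUnsafe    = $scanUnsafe
        AntiStealth   = ($header['antistealth_checked'] -eq 'true')
        OsVersion     = $header['osver']
        Detections    = $detections
        Warnings      = $warnings
    }
}

# Usage, with the log path given earlier in the thread:
Read-EsetOnlineScanLog -Lines (Get-Content 'C:\Program Files\ESET\ESET Online Scanner\log.txt') | Format-List
```

Run against the log posted above it reports Finished, 54808 scanned, 0 found, 0 cleaned, and a single warning that potentially unsafe applications were left out of the scan.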
 

SuperDave

  • Malware Removal Specialist


  • Genius
  • Thanked: 1020
  • Certifications: List
  • Experience: Expert
  • OS: Windows 10
Re: Virus/Malware Infection Part 1
« Reply #8 on: May 03, 2012, 01:10:40 PM »
How's the computer working now? Any other issues?

mopar

    Topic Starter


    Rookie
  • Experienced, yet still learning...
    • Yes
  • Computer: Specs
  • Experience: Experienced
  • OS: Windows XP
Re: Virus/Malware Infection Part 1
« Reply #9 on: May 04, 2012, 04:22:04 AM »
Hello Dave;
Thanks again for your help. I very much appreciate it. In answer to your question, except for 2 things, the laptop is running well now. Firefox (version 3.6.25) takes almost 2 minutes to load and open and the chat window for CH blinks, jumps, and acts as if it's auto-refreshing every time someone posts or leaves the room. In normal browsing, that doesn't happen. Others on chat say their window doesn't do that.
It is an '02 Compaq Presario 2545US/DC970A. I will soon be upgrading the SDRAM to 1GB from 512MB. But no matter how hard I look, I can't find what CPU the motherboard supports. The mobo is a Quanta model 31KT9MB0030-CC3D, Compaq p/n 326682-001. The CPU is an Intel P4D 2.40GHz (SL6RZ) Intel p/n RK80532PE056512, Compaq p/n 323223-001. I'd like to upgrade to a P4D 2.80GHz (SL6HL/SL6K6/SL6S4) if the mobo will support it. I don't think I can go higher due to power requirements and thermal management issues.
Any help would be greatly appreciated. Thanks.

SuperDave

  • Malware Removal Specialist


  • Genius
  • Thanked: 1020
  • Certifications: List
  • Experience: Expert
  • OS: Windows 10
Re: Virus/Malware Infection Part 1
« Reply #10 on: May 04, 2012, 01:00:16 PM »
Sorry, I can't help you very much with that information but you could start a new thread in one of the other forums to get expert advice there. I think we should clean up now.

To uninstall ComboFix

  • Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
  • In the field, type in ComboFix /uninstall


(Note: Make sure there's a space between the word ComboFix and the forward-slash.)

  • Then, press Enter, or click OK.
  • This will uninstall ComboFix, delete its folders and files, hide System files and folders, and reset System Restore.
***********************************************
Clean out your temporary internet files and temp files.

Download TFC by OldTimer to your desktop.

Double-click TFC.exe to run it.

Note: If you are running on Vista, right-click on the file and choose Run As Administrator

TFC will close all programs when run, so make sure you have saved all your work before you begin.

* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Please let TFC run uninterrupted until it is finished.

Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.
************************************************
Looking over your log it seems you don't have any evidence of a third party firewall.

Firewalls protect against hackers and malicious intruders. You need to download a free firewall from one of these reliable vendors.

Remember only install ONE firewall

1) Comodo Personal Firewall (Uncheck during installation "Install Comodo SafeSurf..", "Make Comodo my default search provider" and "Make Comodo Search my homepage" and uncheck any HopSurf and/or Ask.com options if you choose this one)
2) Online Armor
3) Agnitum Outpost
4) PC Tools Firewall Plus

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.
************************************************************
Use the Secunia Software Inspector to check for out of date software.

• Click Start Now

• Check the box next to Enable thorough system inspection.

• Click Start

• Allow the scan to finish and scroll down to see if any updates are needed.
• Update anything listed.
----------

Go to Microsoft Windows Update and get all critical updates.

----------

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
Safe Surfing!
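The ComboFix uninstall and the firewall advice in the post above are the two steps worth verifying afterwards rather than taking on trust. The following is an added example, not code from this thread or from SuperDave: a check that the Security Center alert-suppression values are cleared, that some firewall is actually on and which kind it is, and that ComboFix left nothing behind. It assumes Windows XP SP3 with PowerShell 2.0 installed (PowerShell is not part of XP) and an administrator account; the registry and WMI locations are the XP ones, and the ComboFix leftover paths it looks for are an assumption about where that tool normally writes.

```powershell
# Added example (not from the thread): post-cleanup checks for Windows XP.
# Assumes XP SP3 with PowerShell 2.0 installed, run as an administrator.
# Registry paths are the XP locations; the ComboFix paths are an assumption.
function Test-PostCleanupState {
    $findings = @()

    # 1. Security Center notification suppression. Malware sets these values to 1
    #    so the user gets no warnings about AV, firewall or updates being off.
    $sc = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Security Center' -ErrorAction SilentlyContinue
    foreach ($name in 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify') {
        if ($sc -ne $null -and $sc.$name -eq 1) {
            $findings += "Security Center: $name is still 1 (alerts suppressed)"
        }
    }

    # 2. Built-in XP firewall state per profile. It filters inbound traffic only,
    #    which is the limitation the post above calls out.
    $fwBase    = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    $builtInOn = $false
    foreach ($profileName in 'StandardProfile', 'DomainProfile') {
        $p = Get-ItemProperty -Path "$fwBase\$profileName" -ErrorAction SilentlyContinue
        if ($p -ne $null -and $p.EnableFirewall -eq 1) { $builtInOn = $true }
    }

    # 3. Third-party firewalls registered with Security Center (root\SecurityCenter on XP).
    #    A product without an 'enabled' property is counted as active (assumption).
    $thirdParty = @(Get-WmiObject -Namespace 'root\SecurityCenter' -Class FirewallProduct -ErrorAction SilentlyContinue)
    $active     = @($thirdParty | Where-Object { $_.enabled -ne $false })

    if ($active.Count -eq 0) {
        if ($builtInOn) {
            $findings += 'Firewall: only the built-in XP firewall is on; it does not filter outbound connections'
        } else {
            $findings += 'Firewall: no firewall is active'
        }
    } elseif ($active.Count -gt 1) {
        $findings += 'Firewall: more than one third-party firewall is enabled; keep only one'
    }
    if ($builtInOn -and $active.Count -gt 0) {
        $findings += 'Firewall: the built-in firewall is still on alongside a third-party one'
    }

    # 4. ComboFix leftovers after 'ComboFix /uninstall' (assumed paths).
    foreach ($path in 'C:\ComboFix.txt', 'C:\Qoobox', 'C:\ComboFix') {
        if (Test-Path -Path $path) { $findings += "ComboFix: $path still exists" }
    }

    New-Object PSObject -Property @{
        BuiltInFirewallOn   = $builtInOn
        ThirdPartyFirewalls = @($thirdParty | ForEach-Object { $_.displayName })
        Findings            = $findings
    }
}

Test-PostCleanupState | Format-List
```

An empty Findings list is the result to aim for; anything listed there maps directly back to one of the steps in the post above.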