Jump to content


Photo
- - - - -

removing startnow.com


  • This topic is locked This topic is locked
3 replies to this topic

#1 insky

insky

    New Member

  • Members
  • Pip
  • 22 posts

Posted 26 May 2011 - 10:21 PM

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6629

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

5/24/2011 2:31:45 PM
mbam-log-2011-05-24 (14-31-45).txt

Scan type: Full scan (C:\|)
Objects scanned: 318481
Time elapsed: 1 hour(s), 43 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\system volume information\_restore{202550a8-7a33-4bca-9586-051d24ddbf8f}\RP179\A0039423.dll (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.
c:\system volume information\_restore{202550a8-7a33-4bca-9586-051d24ddbf8f}\RP179\A0039424.exe (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.
c:\system volume information\_restore{202550a8-7a33-4bca-9586-051d24ddbf8f}\RP179\A0039425.exe (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.
c:\system volume information\_restore{202550a8-7a33-4bca-9586-051d24ddbf8f}\RP179\A0039435.exe (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.
c:\system volume information\_restore{202550a8-7a33-4bca-9586-051d24ddbf8f}\RP179\A0039436.dll (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.
c:\system volume information\_restore{202550a8-7a33-4bca-9586-051d24ddbf8f}\RP179\A0039437.exe (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.
c:\system volume information\_restore{202550a8-7a33-4bca-9586-051d24ddbf8f}\RP180\A0039498.exe (Adware.Agent) -> Quarantined and deleted successfully.


GMER 1.0.15.15627 - http://www.gmer.net
Rootkit scan 2011-05-25 22:54:15
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e Maxtor_6Y160M0 rev.YAR51HW0
Running: me2sl0be.exe; Driver: C:\DOCUME~1\dw\LOCALS~1\Temp\pxloypob.sys

Attached Files



#2 insky

insky

    New Member

  • Members
  • Pip
  • 22 posts

Posted 28 May 2011 - 12:46 AM

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6629

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

5/24/2011 2:31:45 PM
mbam-log-2011-05-24 (14-31-45).txt

Scan type: Full scan (C:\|)
Objects scanned: 318481
Time elapsed: 1 hour(s), 43 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\system volume information\_restore{202550a8-7a33-4bca-9586-051d24ddbf8f}\RP179\A0039423.dll (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.
c:\system volume information\_restore{202550a8-7a33-4bca-9586-051d24ddbf8f}\RP179\A0039424.exe (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.
c:\system volume information\_restore{202550a8-7a33-4bca-9586-051d24ddbf8f}\RP179\A0039425.exe (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.
c:\system volume information\_restore{202550a8-7a33-4bca-9586-051d24ddbf8f}\RP179\A0039435.exe (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.
c:\system volume information\_restore{202550a8-7a33-4bca-9586-051d24ddbf8f}\RP179\A0039436.dll (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.
c:\system volume information\_restore{202550a8-7a33-4bca-9586-051d24ddbf8f}\RP179\A0039437.exe (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.
c:\system volume information\_restore{202550a8-7a33-4bca-9586-051d24ddbf8f}\RP180\A0039498.exe (Adware.Agent) -> Quarantined and deleted successfully.


GMER 1.0.15.15627 - http://www.gmer.net
Rootkit scan 2011-05-25 22:54:15
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e Maxtor_6Y160M0 rev.YAR51HW0
Running: me2sl0be.exe; Driver: C:\DOCUME~1\dw\LOCALS~1\Temp\pxloypob.sys


DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_24
Run by dw at 15:12:03 on 2011-05-24
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1270.679 [GMT -6:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Program Files\McAfee Online Backup\MOBKbackup.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
c:\PROGRA~1\mcafee\msc\mcupdmgr.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\dw\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\dw\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\dw\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\dw\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\dw\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\dw\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\dw\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\dw\My Documents\Downloads\dds.scr
C:\WINDOWS\system32\WSCRIPT.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.azulstar.com/
mWindow Title = scraps, jean, richard overfield
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110513172951.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMBgMonitor.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
uRun: [Google Update] "c:\documents and settings\dw\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: internet
Trusted Zone: intuit.com\ttlc
Trusted Zone: mcafee.com
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.4.24.0.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxdev.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R0 McPvDrv;McPvDrv Driver;c:\windows\system32\drivers\McPvDrv.sys [2009-11-17 63080]
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-4-22 387480]
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2011-4-28 53816]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-4-22 84200]
R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [2010-4-23 54776]
R1 RapportCerberus_26169;RapportCerberus_26169;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportcerberus\26169\RapportCerberus_26169.sys [2011-5-2 57144]
R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2011-4-28 66360]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2011-4-28 158904]
R1 SASDIFSV;SASDIFSV;c:\docume~1\dw\locals~1\temp\sas_selfextract\SASDIFSV.SYS [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\docume~1\dw\locals~1\temp\sas_selfextract\SASKUTIL.SYS [2010-5-10 67656]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2011-4-13 47640]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-12-26 88176]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-4-22 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-4-22 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-4-22 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-4-22 171168]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-4-22 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-4-22 141792]
R2 MOBKbackup;McAfee Online Backup;c:\program files\mcafee online backup\MOBKbackup.exe [2010-2-5 229688]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2011-4-28 870200]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-4-22 56064]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-4-22 153280]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-4-22 52320]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-4-22 314088]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2011-5-13 88736]
S2 gupdate1c982565c6b24b6;Google Update Service (gupdate1c982565c6b24b6);c:\program files\google\update\GoogleUpdate.exe [2009-1-29 133104]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\logmein\x86\rainfo.sys --> c:\program files\logmein\x86\RaInfo.sys [?]
S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-1-29 133104]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2011-5-13 88736]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-4-22 84488]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
=============== Created Last 30 ================
.
2011-05-24 20:46:36 388096 ----a-r- c:\documents and settings\dw\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-05-24 15:48:49 -------- d-----w- c:\documents and settings\dw\local settings\application data\WeatherBug
2011-05-24 15:48:38 -------- d-----w- c:\documents and settings\dw\application data\WeatherBug
2011-05-24 15:48:31 18944 ----a-r- c:\documents and settings\dw\application data\microsoft\installer\{8f018a9e-56de-4a79-a5ef-25f413f1d538}\IconBB6A16301.exe
2011-05-24 15:47:35 -------- d-----w- c:\program files\kikin
2011-05-24 15:47:35 -------- d-----w- c:\documents and settings\dw\application data\kikin
2011-05-24 15:46:57 -------- d-----w- c:\program files\Ploose
2011-05-18 18:07:02 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-13 23:28:16 88736 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2011-05-12 22:18:21 102400 ----a-w- c:\windows\RegBootClean.exe
2011-05-12 14:08:03 189520 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-04-28 20:34:50 53816 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
.
==================== Find3M ====================
.
2011-04-14 20:01:38 95824 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2011-04-14 20:01:38 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-04-14 20:01:38 84488 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-04-14 20:01:38 84200 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2011-04-14 20:01:38 56064 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-04-14 20:01:38 52320 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-04-14 20:01:38 387480 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-04-14 20:01:38 314088 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-04-14 20:01:38 153280 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-04-08 15:38:00 0 ----a-w- c:\windows\Ppita.bin
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45:07 434176 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 15:14:01.92 ===============

#3 screen317

screen317

    MBAM Sentinel

  • Moderators
  • PipPipPipPipPipPip
  • 19,486 posts
  • Gender:Male
  • Location:New Haven, CT

Posted 30 May 2011 - 01:09 PM

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.


Next, please visit this webpage for instructions for running ComboFix:
http://www.bleepingc...to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.


-screen317
Chris Fistonich
Research Team

Posted Image

Follow us: Twitter, Become a fan: Facebook

#4 screen317

screen317

    MBAM Sentinel

  • Moderators
  • PipPipPipPipPipPip
  • 19,486 posts
  • Gender:Male
  • Location:New Haven, CT

Posted 07 June 2011 - 12:33 PM

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
Chris Fistonich
Research Team

Posted Image

Follow us: Twitter, Become a fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users