Wooster
Honorary Members
Posts: 22
Reputation: 0 Neutral
Since I am unable to run DDS.scr, I ran HijackThis instead.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:04:44 PM, on 12/20/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\I8kfanGUI\I8kfanGUI.exe
C:\Program Files\SpeedswitchXP\SpeedswitchXP.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Spybot\TeaTimer.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Dell\Bluetooth Software\BTTray.exe
C:\Program Files\YZ Dock\YzDock.exe
C:\PROGRA~1\Dell\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Wooster\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - HKCU\..\Run: [i8kfangui] C:\Program Files\I8kfanGUI\I8kfanGUI.exe /startup
O4 - HKCU\..\Run: [speedswitchXP] C:\Program Files\SpeedswitchXP\SpeedswitchXP.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot\TeaTimer.exe
O4 - Startup: YzDock.lnk = C:\Program Files\YZ Dock\YzDock.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Dell\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Dell\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Dell\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PEVSystemStart - Unknown owner - C:\Combo-Fix\pev.3XE (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7007 bytes
-
I had an issue with a virus called XP Antispyware 2012. I ran Malwarebytes and it seemed to remove all the obvious traces of the program, but right now the computer still has the following problems:
1) Unable to start Windows Firewall
2) Unable to turn on Avast's web shield
3) Unable to connect to the internet
Malwarebytes' quick scan finds nothing anymore, and neither does Avast. I downloaded and ran DDS.scr as per the instructions, but every time it hung and failed to run to completion. Any help you could provide would be most appreciated.

Bump.
-
Fake AV software preventing Malwarebytes install
Wooster replied to Wooster's topic in Resolved Malware Removal Logs
Malwarebytes log:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3989

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/15/2010 12:59:27 AM
mbam-log-2010-04-15 (00-59-27).txt

Scan type: Quick scan
Objects scanned: 108548
Time elapsed: 8 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
-
Fake AV software preventing Malwarebytes install
Wooster replied to Wooster's topic in Resolved Malware Removal Logs
ComboFix log:

ComboFix 10-04-14.01 - User 04/15/2010 0:02.6.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.221 [GMT -7:00]
Running from: c:\documents and settings\User\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1368 [VPS 100413-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
--------------- FCopy ---------------
c:\windows\system32\dllcache\tcpip.sys --> c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((( Files Created from 2010-03-15 to 2010-04-15 )))))))))))))))))))))))))))))))
.
2010-04-13 20:30 . 2010-04-13 20:30 -------- d-----w- c:\documents and settings\User\DoctorWeb
2010-04-12 01:41 . 2010-04-12 01:41 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2010-04-11 06:57 . 2010-04-11 18:36 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft
2010-04-11 06:57 . 2010-04-11 06:58 -------- d-----w- c:\documents and settings\Administrator
2010-04-09 05:13 . 2010-04-11 06:25 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-28 23:08 . 2010-03-28 23:10 -------- d-----w- c:\program files\HRBlock2009
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-13 21:39 . 2004-08-04 12:00 361600 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-13 19:04 . 2004-08-04 12:00 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-04-13 07:33 . 2005-08-19 03:11 -------- d-----w- c:\program files\QuickTime
2010-04-13 07:33 . 2009-01-22 03:44 -------- d-----w- c:\program files\iTunes
2010-04-12 08:13 . 2005-08-13 18:50 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-12 01:39 . 2010-04-12 00:01 -------- d-----w- c:\program files\Spybot
2010-04-12 00:58 . 2010-04-12 00:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-04-12 00:58 . 2010-04-12 00:58 -------- d-----w- c:\program files\Malwarebytes
2010-04-12 00:58 . 2010-04-12 00:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-12 00:10 . 2005-08-06 22:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-11 21:58 . 2010-04-11 14:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-11 18:21 . 2010-04-11 18:21 279816 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-11 15:03 . 2010-04-11 15:02 -------- d-----w- c:\program files\Scanner
2010-04-07 03:20 . 2007-11-23 06:41 -------- d-----w- c:\program files\Avast
2010-04-05 06:27 . 2006-08-29 03:43 -------- d-----w- c:\documents and settings\User\Application Data\Azureus
2010-03-30 07:46 . 2010-04-12 00:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 07:45 . 2010-04-12 00:58 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-28 23:12 . 2008-01-29 01:49 -------- d-----w- c:\documents and settings\User\Application Data\TaxCut
2010-03-28 22:59 . 2008-01-29 01:44 -------- d-----w- c:\documents and settings\All Users\Application Data\TaxCut
2010-02-25 06:24 . 2004-08-04 12:00 916480 ------w- c:\windows\system32\wininet.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-04 131072]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-07-28 4841472]
"nwiz"="nwiz.exe" [2003-07-28 323584]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-03-05 180269]
"avast!"="c:\progra~1\Avast\ashDisp.exe" [2009-11-24 81000]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]

c:\documents and settings\User\Start Menu\Programs\Startup\
Watch.lnk - c:\windows\twain_32\A4S2_600\WATCH.EXE [2005-9-25 184320]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [4/10/2008 5:27 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/10/2008 5:27 PM 20560]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
DPF: {21BB8360-F943-447E-98F3-3C22345375A7} - hxxp://webgames.d.tmsrv.com/c=6938673a4cc9aaa50d6f456aaa8f0b47/aff=t_03cm_wg/p/release/playfirst/wg_chocolatier/chocolatier/ChocolatierWeb.1.0.0.13.cab
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\4bgulz0o.default\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-15 00:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2504)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avast\aswUpdSv.exe
c:\program files\Avast\ashServ.exe
c:\mscan\Msoffice\panel.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Avast\ashWebSv.exe
c:\program files\Avast\ashMaiSv.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-04-15 00:30:15 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-15 07:30

ComboFix2.txt 2010-04-14 22:00
ComboFix3.txt 2010-04-13 08:07
ComboFix4.txt 2010-04-13 06:53
ComboFix5.txt 2010-04-15 06:23

Pre-Run: 15,259,136,000 bytes free
Post-Run: 15,218,479,104 bytes free

- - End Of File - - C4736639F86389E703799D13E03C4A95

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:38:17 AM, on 4/15/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avast\aswUpdSv.exe
C:\Program Files\Avast\ashServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Avast\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\twain_32\A4S2_600\WATCH.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\MSCAN\Msoffice\panel.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Avast\ashWebSv.exe
C:\Program Files\Avast\ashMaiSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: Watch.lnk = C:\WINDOWS\twain_32\A4S2_600\WATCH.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Watch.lnk = C:\WINDOWS\twain_32\A4S2_600\WATCH.EXE (User 'Default user')
O4 - Startup: Watch.lnk = C:\WINDOWS\twain_32\A4S2_600\WATCH.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {21BB8360-F943-447E-98F3-3C22345375A7} (CPlayFirstChocolatierControl Object) - http://webgames.d.tmsrv.com/c=6938673a4cc9aaa50d6f456aaa8f0b47/aff=t_03cm_wg/p/release/playfirst/wg_chocolatier/chocolatier/ChocolatierWeb.1.0.0.13.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.mumbojumbo.com/assets/22/webgame/ReflexiveWebGameLoader.cab
O16 - DPF: {44C1E3A2-B594-401C-B27A-D1B4476E4797} (XTSAC Control) - https://portal.drsclinic.com/XTSAC.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123648936968
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.mumbojumbo.com/assets/mjolauncher.cab
O16 - DPF: {B0FB831D-17F6-4CBD-9B5D-3305881D362E} (LHGLauncherXForm Control) - http://www.mumbojumbo.com/assets/HLGLauncher.CAB
O16 - DPF: {BAC761D3-DFFD-4DB4-A01D-173346E090A7} (CPlayFirstzenerchiControl Object) - http://webgames.d.tmsrv.com/c=1e991847199ced6add9da66556822a7f/aff=t_03cm_wg/p/release/playfirst/wg_zenerchi/zenerchi/ZenerchiWeb.1.0.0.10.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://chill.comcast.net/Gameshell/GameHost/1.0/OberonGameHost.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6958 bytes

Internet connection is back, and I can now enable the firewall. I haven't seen any popups yet, but they were pretty sporadic to start with.
-
Fake AV software preventing Malwarebytes install
Wooster replied to Wooster's topic in Resolved Malware Removal Logs
ComboFix log:

ComboFix 10-04-14.01 - User 04/14/2010 14:31:40.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.162 [GMT -7:00]
Running from: c:\documents and settings\User\Desktop\Combo-Fix.exe
AV: avast! antivirus 4.8.1368 [VPS 100413-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_PRAGMAyycvksevpe
-------\Service_PRAGMAyycvksevpe

((((((((((((((((((((((((( Files Created from 2010-03-14 to 2010-04-14 )))))))))))))))))))))))))))))))
.
2010-04-13 20:30 . 2010-04-13 20:30 -------- d-----w- c:\documents and settings\User\DoctorWeb
2010-04-12 01:41 . 2010-04-12 01:41 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2010-04-11 06:57 . 2010-04-11 18:36 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft
2010-04-11 06:57 . 2010-04-11 06:58 -------- d-----w- c:\documents and settings\Administrator
2010-04-09 05:13 . 2010-04-11 06:25 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-28 23:08 . 2010-03-28 23:10 -------- d-----w- c:\program files\HRBlock2009
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-13 21:41 . 2004-08-04 12:00 361600 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-13 19:04 . 2004-08-04 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-13 07:33 . 2005-08-19 03:11 -------- d-----w- c:\program files\QuickTime
2010-04-13 07:33 . 2009-01-22 03:44 -------- d-----w- c:\program files\iTunes
2010-04-12 08:13 . 2005-08-13 18:50 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-12 01:39 . 2010-04-12 00:01 -------- d-----w- c:\program files\Spybot
2010-04-12 00:58 . 2010-04-12 00:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-04-12 00:58 . 2010-04-12 00:58 -------- d-----w- c:\program files\Malwarebytes
2010-04-12 00:58 . 2010-04-12 00:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-12 00:10 . 2005-08-06 22:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-11 21:58 . 2010-04-11 14:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-11 18:21 . 2010-04-11 18:21 279816 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-11 15:03 . 2010-04-11 15:02 -------- d-----w- c:\program files\Scanner
2010-04-07 03:20 . 2007-11-23 06:41 -------- d-----w- c:\program files\Avast
2010-04-05 06:27 . 2006-08-29 03:43 -------- d-----w- c:\documents and settings\User\Application Data\Azureus
2010-03-30 07:46 . 2010-04-12 00:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 07:45 . 2010-04-12 00:58 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-28 23:14 . 2010-03-28 23:13 21195208 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Update\US30026901xupd.exe
2010-03-28 23:12 . 2008-01-29 01:49 -------- d-----w- c:\documents and settings\User\Application Data\TaxCut
2010-03-28 22:59 . 2008-01-29 01:44 -------- d-----w- c:\documents and settings\All Users\Application Data\TaxCut
2010-02-25 06:24 . 2004-08-04 12:00 916480 ------w- c:\windows\system32\wininet.dll
.
------- Sigcheck -------

[-] 2010-04-13 21:41 . F8B2F0BB355F55573D7738B96D8A36E2 . 361600 . . [------] . . c:\windows\system32\drivers\tcpip.sys
[7] 2010-04-13 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\ERDNT\cache\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2007-10-30 . 90CAFF4B094573449A0872A0F919B178 . 360064 . . [5.1.2600.3244] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
[-] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[-] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2006-04-20 . 1DBF125862891817F374F407626967F4 . 359808 . . [5.1.2600.2892] . . c:\windows\$NtUninstallKB941644$\tcpip.sys
[-] 2006-01-13 . 5562CC0A47B2AEF06D3417B733F3C195 . 360448 . . [5.1.2600.2827] . . c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
[-] 2006-01-13 . 583E063FDC888CA30D05C2724B0D7EF4 . 359808 . . [5.1.2600.2827] . . c:\windows\$NtUninstallKB917953$\tcpip.sys
[-] 2005-05-25 . 63FDFEA54EB53DE2D863EE454937CE1E . 359936 . . [5.1.2600.2685] . . c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
[-] 2005-05-25 . 88763A98A4C26C409741B4AA162720C9 . 359808 . . [5.1.2600.2685] . . c:\windows\$NtUninstallKB913446$\tcpip.sys
[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB893066$\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-04 131072]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-07-28 4841472]
"nwiz"="nwiz.exe" [2003-07-28 323584]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-03-05 180269]
"avast!"="c:\progra~1\Avast\ashDisp.exe" [2009-11-24 81000]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]

c:\documents and settings\User\Start Menu\Programs\Startup\
Watch.lnk - c:\windows\twain_32\A4S2_600\WATCH.EXE [2005-9-25 184320]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [4/10/2008 5:27 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/10/2008 5:27 PM 20560]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
DPF: {21BB8360-F943-447E-98F3-3C22345375A7} - hxxp://webgames.d.tmsrv.com/c=6938673a4cc9aaa50d6f456aaa8f0b47/aff=t_03cm_wg/p/release/playfirst/wg_chocolatier/chocolatier/ChocolatierWeb.1.0.0.13.cab
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\4bgulz0o.default\
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-14 14:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(132)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avast\aswUpdSv.exe
c:\program files\Avast\ashServ.exe
c:\mscan\Msoffice\panel.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Avast\ashMaiSv.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-04-14 15:00:11 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-14 22:00

ComboFix2.txt 2010-04-13 08:07
ComboFix3.txt 2010-04-13 06:53
ComboFix4.txt 2010-04-12 07:41

Pre-Run: 15,390,220,288 bytes free
Post-Run: 15,274,008,576 bytes free

- - End Of File - - 836780DBFCBB06C3D86EA803AB879A4C
-
Fake AV software preventing Malwarebytes install
Wooster replied to Wooster's topic in Resolved Malware Removal Logs
DrWeb log:

A0101706.sys;C:\System Volume Information\_restore{8CC6B88E-C138-43A8-906D-A7A1EF8D664E}\RP1576;BackDoor.Tdss.2459;Cured.;
App06868.exe\hp/tmp/Install.JS;D:\I386\APPS\APP06868\App06868.exe;Probably SCRIPT.Virus;;
App06868.exe;D:\I386\APPS\APP06868;Archive contains infected objects;Moved.;
A0101720.exe\hp/tmp/Install.JS;D:\System Volume Information\_restore{8CC6B88E-C138-43A8-906D-A7A1EF8D664E}\RP1577\A0101720.exe;Probably SCRIPT.Virus;;
A0101720.exe;D:\System Volume Information\_restore{8CC6B88E-C138-43A8-906D-A7A1EF8D664E}\RP1577;Archive contains infected objects;Moved.;

The quick scan also found BackDoor.Tdss.2459 in c:\windows\system32\drivers\tcpip.sys and cured it.

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:45:32 PM, on 4/14/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avast\aswUpdSv.exe
C:\Program Files\Avast\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Avast\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\twain_32\A4S2_600\WATCH.EXE
C:\MSCAN\Msoffice\panel.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Avast\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: Watch.lnk = C:\WINDOWS\twain_32\A4S2_600\WATCH.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Watch.lnk = C:\WINDOWS\twain_32\A4S2_600\WATCH.EXE (User 'Default user')
O4 - Startup: Watch.lnk = C:\WINDOWS\twain_32\A4S2_600\WATCH.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {21BB8360-F943-447E-98F3-3C22345375A7} (CPlayFirstChocolatierControl Object) - http://webgames.d.tmsrv.com/c=6938673a4cc9aaa50d6f456aaa8f0b47/aff=t_03cm_wg/p/release/playfirst/wg_chocolatier/chocolatier/ChocolatierWeb.1.0.0.13.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.mumbojumbo.com/assets/22/webgame/ReflexiveWebGameLoader.cab
O16 - DPF: {44C1E3A2-B594-401C-B27A-D1B4476E4797} (XTSAC Control) - https://portal.drsclinic.com/XTSAC.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123648936968
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.mumbojumbo.com/assets/mjolauncher.cab
O16 - DPF: {B0FB831D-17F6-4CBD-9B5D-3305881D362E} (LHGLauncherXForm Control) - http://www.mumbojumbo.com/assets/HLGLauncher.CAB
O16 - DPF: {BAC761D3-DFFD-4DB4-A01D-173346E090A7} (CPlayFirstzenerchiControl Object) - http://webgames.d.tmsrv.com/c=1e991847199ced6add9da66556822a7f/aff=t_03cm_wg/p/release/playfirst/wg_zenerchi/zenerchi/ZenerchiWeb.1.0.0.10.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://chill.comcast.net/Gameshell/GameHost/1.0/OberonGameHost.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6719 bytes

I am also getting 4 Avast errors on startup (all Error 10050) and can't connect to the internet (won't recognize the connection).
Fake AV software preventing Malwarebytes install
Wooster replied to Wooster's topic in Resolved Malware Removal Logs
I'm still running the complete scan. It's taking a long time.
Fake AV software preventing Malwarebytes install
Wooster replied to Wooster's topic in Resolved Malware Removal Logs
The quick scan seems to be curing the same file (c:\windows\system32\drivers\tcpip.sys) over and over again.
Fake AV software preventing Malwarebytes install
Wooster replied to Wooster's topic in Resolved Malware Removal Logs
I noticed that there was an option to update DrWeb. Should I have done this before starting the scan?
Fake AV software preventing Malwarebytes install
Wooster replied to Wooster's topic in Resolved Malware Removal Logs
There does not appear to be any change. Still getting occasional popups and I can't enable the firewall.
Fake AV software preventing Malwarebytes install
Wooster replied to Wooster's topic in Resolved Malware Removal Logs
TDSSKiller log:

12:03:14:187 2508 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
12:03:14:187 2508 ================================================================================
12:03:14:187 2508 SystemInfo:
12:03:14:187 2508 OS Version: 5.1.2600 ServicePack: 3.0
12:03:14:187 2508 Product type: Workstation
12:03:14:187 2508 ComputerName: FAMILYCOMPUTER
12:03:14:187 2508 UserName: User
12:03:14:187 2508 Windows directory: C:\WINDOWS
12:03:14:187 2508 Processor architecture: Intel x86
12:03:14:187 2508 Number of processors: 1
12:03:14:187 2508 Page size: 0x1000
12:03:14:234 2508 Boot type: Normal boot
12:03:14:234 2508 ================================================================================
12:03:14:250 2508 UnloadDriverW: NtUnloadDriver error 2
12:03:14:250 2508 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
12:03:14:359 2508 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
12:03:14:359 2508 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
12:03:14:359 2508 wfopen_ex: Trying to KLMD file open
12:03:14:359 2508 wfopen_ex: File opened ok (Flags 2)
12:03:14:359 2508 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
12:03:14:359 2508 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
12:03:14:359 2508 wfopen_ex: Trying to KLMD file open
12:03:14:359 2508 wfopen_ex: File opened ok (Flags 2)
12:03:14:359 2508 Initialize success
12:03:14:359 2508
12:03:14:359 2508 Scanning Services ...
12:03:16:000 2508 Raw services enum returned 314 services
12:03:16:015 2508
12:03:16:015 2508 Scanning Kernel memory ...
12:03:16:015 2508 Devices to scan: 3
12:03:16:015 2508
12:03:16:015 2508 Driver Name: Disk
12:03:16:015 2508 IRP_MJ_CREATE : F865CBB0
12:03:16:015 2508 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
12:03:16:015 2508 IRP_MJ_CLOSE : F865CBB0
12:03:16:015 2508 IRP_MJ_READ : F8656D1F
12:03:16:015 2508 IRP_MJ_WRITE : F8656D1F
12:03:16:015 2508 IRP_MJ_QUERY_INFORMATION : 804FA88E
12:03:16:015 2508 IRP_MJ_SET_INFORMATION : 804FA88E
12:03:16:015 2508 IRP_MJ_QUERY_EA : 804FA88E
12:03:16:015 2508 IRP_MJ_SET_EA : 804FA88E
12:03:16:015 2508 IRP_MJ_FLUSH_BUFFERS : F86572E2
12:03:16:015 2508 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
12:03:16:015 2508 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
12:03:16:015 2508 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
12:03:16:015 2508 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
12:03:16:015 2508 IRP_MJ_DEVICE_CONTROL : F86573BB
12:03:16:015 2508 IRP_MJ_INTERNAL_DEVICE_CONTROL : F865AF28
12:03:16:015 2508 IRP_MJ_SHUTDOWN : F86572E2
12:03:16:015 2508 IRP_MJ_LOCK_CONTROL : 804FA88E
12:03:16:015 2508 IRP_MJ_CLEANUP : 804FA88E
12:03:16:015 2508 IRP_MJ_CREATE_MAILSLOT : 804FA88E
12:03:16:015 2508 IRP_MJ_QUERY_SECURITY : 804FA88E
12:03:16:015 2508 IRP_MJ_SET_SECURITY : 804FA88E
12:03:16:015 2508 IRP_MJ_POWER : F8658C82
12:03:16:015 2508 IRP_MJ_SYSTEM_CONTROL : F865D99E
12:03:16:015 2508 IRP_MJ_DEVICE_CHANGE : 804FA88E
12:03:16:015 2508 IRP_MJ_QUERY_QUOTA : 804FA88E
12:03:16:015 2508 IRP_MJ_SET_QUOTA : 804FA88E
12:03:16:046 2508 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
12:03:16:046 2508
12:03:16:046 2508 Driver Name: Disk
12:03:16:046 2508 IRP_MJ_CREATE : F865CBB0
12:03:16:046 2508 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
12:03:16:046 2508 IRP_MJ_CLOSE : F865CBB0
12:03:16:046 2508 IRP_MJ_READ : F8656D1F
12:03:16:046 2508 IRP_MJ_WRITE : F8656D1F
12:03:16:046 2508 IRP_MJ_QUERY_INFORMATION : 804FA88E
12:03:16:046 2508 IRP_MJ_SET_INFORMATION : 804FA88E
12:03:16:046 2508 IRP_MJ_QUERY_EA : 804FA88E
12:03:16:046 2508 IRP_MJ_SET_EA : 804FA88E
12:03:16:046 2508 IRP_MJ_FLUSH_BUFFERS : F86572E2
12:03:16:046 2508 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
12:03:16:046 2508 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
12:03:16:046 2508 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
12:03:16:046 2508 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
12:03:16:046 2508 IRP_MJ_DEVICE_CONTROL : F86573BB
12:03:16:046 2508 IRP_MJ_INTERNAL_DEVICE_CONTROL : F865AF28
12:03:16:046 2508 IRP_MJ_SHUTDOWN : F86572E2
12:03:16:046 2508 IRP_MJ_LOCK_CONTROL : 804FA88E
12:03:16:046 2508 IRP_MJ_CLEANUP : 804FA88E
12:03:16:046 2508 IRP_MJ_CREATE_MAILSLOT : 804FA88E
12:03:16:046 2508 IRP_MJ_QUERY_SECURITY : 804FA88E
12:03:16:046 2508 IRP_MJ_SET_SECURITY : 804FA88E
12:03:16:046 2508 IRP_MJ_POWER : F8658C82
12:03:16:046 2508 IRP_MJ_SYSTEM_CONTROL : F865D99E
12:03:16:046 2508 IRP_MJ_DEVICE_CHANGE : 804FA88E
12:03:16:046 2508 IRP_MJ_QUERY_QUOTA : 804FA88E
12:03:16:046 2508 IRP_MJ_SET_QUOTA : 804FA88E
12:03:16:078 2508 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
12:03:16:078 2508
12:03:16:078 2508 Driver Name: atapi
12:03:16:078 2508 IRP_MJ_CREATE : 826DEAC8
12:03:16:078 2508 IRP_MJ_CREATE_NAMED_PIPE : 826DEAC8
12:03:16:078 2508 IRP_MJ_CLOSE : 826DEAC8
12:03:16:078 2508 IRP_MJ_READ : 826DEAC8
12:03:16:078 2508 IRP_MJ_WRITE : 826DEAC8
12:03:16:078 2508 IRP_MJ_QUERY_INFORMATION : 826DEAC8
12:03:16:078 2508 IRP_MJ_SET_INFORMATION : 826DEAC8
12:03:16:078 2508 IRP_MJ_QUERY_EA : 826DEAC8
12:03:16:078 2508 IRP_MJ_SET_EA : 826DEAC8
12:03:16:078 2508 IRP_MJ_FLUSH_BUFFERS : 826DEAC8
12:03:16:078 2508 IRP_MJ_QUERY_VOLUME_INFORMATION : 826DEAC8
12:03:16:078 2508 IRP_MJ_SET_VOLUME_INFORMATION : 826DEAC8
12:03:16:078 2508 IRP_MJ_DIRECTORY_CONTROL : 826DEAC8
12:03:16:078 2508 IRP_MJ_FILE_SYSTEM_CONTROL : 826DEAC8
12:03:16:078 2508 IRP_MJ_DEVICE_CONTROL : 826DEAC8
12:03:16:078 2508 IRP_MJ_INTERNAL_DEVICE_CONTROL : 826DEAC8
12:03:16:078 2508 IRP_MJ_SHUTDOWN : 826DEAC8
12:03:16:078 2508 IRP_MJ_LOCK_CONTROL : 826DEAC8
12:03:16:078 2508 IRP_MJ_CLEANUP : 826DEAC8
12:03:16:078 2508 IRP_MJ_CREATE_MAILSLOT : 826DEAC8
12:03:16:078 2508 IRP_MJ_QUERY_SECURITY : 826DEAC8
12:03:16:078 2508 IRP_MJ_SET_SECURITY : 826DEAC8
12:03:16:078 2508 IRP_MJ_POWER : 826DEAC8
12:03:16:078 2508 IRP_MJ_SYSTEM_CONTROL : 826DEAC8
12:03:16:078 2508 IRP_MJ_DEVICE_CHANGE : 826DEAC8
12:03:16:078 2508 IRP_MJ_QUERY_QUOTA : 826DEAC8
12:03:16:078 2508 IRP_MJ_SET_QUOTA : 826DEAC8
12:03:16:078 2508 Driver "atapi" infected by TDSS rootkit!
12:03:16:140 2508 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
12:03:16:140 2508 File "C:\WINDOWS\system32\DRIVERS\atapi.sys" infected by TDSS rootkit ...
12:03:16:140 2508 Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
12:03:16:140 2508 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
12:03:17:109 2508 vfvi6
12:03:17:890 2508 !dsvbh1
12:03:27:203 2508 dsvbh2
12:03:27:203 2508 fdfb2
12:03:27:203 2508 Backup copy found, using it..
12:03:27:250 2508 will be cured on next reboot
12:03:27:250 2508 Reboot required for cure complete..
12:03:27:250 2508 Cure on reboot scheduled successfully
12:03:27:250 2508
12:03:27:250 2508 Completed
12:03:27:250 2508
12:03:27:250 2508 Results:
12:03:27:250 2508 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
12:03:27:250 2508 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
12:03:27:250 2508 File objects infected / cured / cured on reboot: 1 / 0 / 1
12:03:27:250 2508
12:03:27:250 2508 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
12:03:27:250 2508 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
12:03:27:250 2508 UnloadDriverW: NtUnloadDriver error 1
12:03:27:250 2508 KLMD(ARK) unloaded successfully
Fake AV software preventing Malwarebytes install
Wooster replied to Wooster's topic in Resolved Malware Removal Logs
Sample sent, still getting popups. I am also still unable to start Windows Firewall (unsure if this is related to other issues).
Fake AV software preventing Malwarebytes install
Wooster replied to Wooster's topic in Resolved Malware Removal Logs
ComboFix log:

ComboFix 10-04-12.04 - User 04/13/2010 0:34.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.314 [GMT -7:00]
Running from: c:\documents and settings\User\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1368 [VPS 100412-2] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

file zipped: c:\documents and settings\All Users\Application Data\7JN6Jyf3W.dat
file zipped: c:\documents and settings\All Users\Application Data\Kb7M1GA8.exe
file zipped: c:\windows\Fonts\On6WEm.com
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\7JN6Jyf3W.dat
c:\documents and settings\All Users\Application Data\Kb7M1GA8.exe
c:\windows\Fonts\On6WEm.com
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
.
((((((((((((((((((((((((( Files Created from 2010-03-13 to 2010-04-13 )))))))))))))))))))))))))))))))
.
2010-04-12 01:41 . 2010-04-12 01:41 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2010-04-11 06:57 . 2010-04-11 18:36 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft
2010-04-11 06:57 . 2010-04-11 06:58 -------- d-----w- c:\documents and settings\Administrator
2010-04-09 05:13 . 2010-04-11 06:25 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-28 23:08 . 2010-03-28 23:10 -------- d-----w- c:\program files\HRBlock2009
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-13 07:33 . 2005-08-19 03:11 -------- d-----w- c:\program files\QuickTime
2010-04-13 07:33 . 2009-01-22 03:44 -------- d-----w- c:\program files\iTunes
2010-04-12 08:13 . 2005-08-13 18:50 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-12 01:39 . 2010-04-12 00:01 -------- d-----w- c:\program files\Spybot
2010-04-12 00:58 . 2010-04-12 00:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-04-12 00:58 . 2010-04-12 00:58 -------- d-----w- c:\program files\Malwarebytes
2010-04-12 00:58 . 2010-04-12 00:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-12 00:10 . 2005-08-06 22:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-11 21:58 . 2010-04-11 14:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-11 18:21 . 2010-04-11 18:21 279816 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-11 15:03 . 2010-04-11 15:02 -------- d-----w- c:\program files\Scanner
2010-04-07 03:20 . 2007-11-23 06:41 -------- d-----w- c:\program files\Avast
2010-04-05 06:27 . 2006-08-29 03:43 -------- d-----w- c:\documents and settings\User\Application Data\Azureus
2010-03-30 07:46 . 2010-04-12 00:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 07:45 . 2010-04-12 00:58 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-28 23:14 . 2010-03-28 23:13 21195208 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Update\US30026901xupd.exe
2010-03-28 23:12 . 2008-01-29 01:49 -------- d-----w- c:\documents and settings\User\Application Data\TaxCut
2010-03-28 22:59 . 2008-01-29 01:44 -------- d-----w- c:\documents and settings\All Users\Application Data\TaxCut
2010-02-25 06:24 . 2004-08-04 12:00 916480 ------w- c:\windows\system32\wininet.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-04 131072]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-07-28 4841472]
"nwiz"="nwiz.exe" [2003-07-28 323584]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-03-05 180269]
"avast!"="c:\progra~1\Avast\ashDisp.exe" [2009-11-24 81000]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]

c:\documents and settings\User\Start Menu\Programs\Startup\
Watch.lnk - c:\windows\twain_32\A4S2_600\WATCH.EXE [2005-9-25 184320]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [4/10/2008 5:27 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/10/2008 5:27 PM 20560]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
DPF: {21BB8360-F943-447E-98F3-3C22345375A7} - hxxp://webgames.d.tmsrv.com/c=6938673a4cc9aaa50d6f456aaa8f0b47/aff=t_03cm_wg/p/release/playfirst/wg_chocolatier/chocolatier/ChocolatierWeb.1.0.0.13.cab
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\4bgulz0o.default\
.
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-13 00:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x826DEAC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf865af28
\Driver\ACPI -> ACPI.sys @ 0xf85adcb8
\Driver\atapi -> atapi.sys @ 0xf8565852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: NVIDIA nForce Networking Controller -> SendCompleteHandler -> NDIS.sys @ 0xf8471bb0
PacketIndicateHandler -> NDIS.sys @ 0xf847ea21
SendHandler -> NDIS.sys @ 0xf845c87b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(668)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(732)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1268)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avast\aswUpdSv.exe
c:\program files\Avast\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\nvsvc32.exe
c:\mscan\Msoffice\panel.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-04-13 01:07:40 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-13 08:07
ComboFix2.txt 2010-04-13 06:53
ComboFix3.txt 2010-04-12 07:41

Pre-Run: 12,701,638,656 bytes free
Post-Run: 12,670,218,240 bytes free

- - End Of File - - C1013AC9FC1045731FAB51DCA312454A

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:16:08 AM, on 4/13/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avast\aswUpdSv.exe
C:\Program Files\Avast\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Avast\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\twain_32\A4S2_600\WATCH.EXE
C:\MSCAN\Msoffice\panel.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avast\ashMaiSv.exe
C:\Program Files\Avast\ashWebSv.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: Watch.lnk = C:\WINDOWS\twain_32\A4S2_600\WATCH.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Watch.lnk = C:\WINDOWS\twain_32\A4S2_600\WATCH.EXE (User 'Default user')
O4 - Startup: Watch.lnk = C:\WINDOWS\twain_32\A4S2_600\WATCH.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {21BB8360-F943-447E-98F3-3C22345375A7} (CPlayFirstChocolatierControl Object) - http://webgames.d.tmsrv.com/c=6938673a4cc9aaa50d6f456aaa8f0b47/aff=t_03cm_wg/p/release/playfirst/wg_chocolatier/chocolatier/ChocolatierWeb.1.0.0.13.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.mumbojumbo.com/assets/22/webgame/ReflexiveWebGameLoader.cab
O16 - DPF: {44C1E3A2-B594-401C-B27A-D1B4476E4797} (XTSAC Control) - https://portal.drsclinic.com/XTSAC.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123648936968
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.mumbojumbo.com/assets/mjolauncher.cab
O16 - DPF: {B0FB831D-17F6-4CBD-9B5D-3305881D362E} (LHGLauncherXForm Control) - http://www.mumbojumbo.com/assets/HLGLauncher.CAB
O16 - DPF: {BAC761D3-DFFD-4DB4-A01D-173346E090A7} (CPlayFirstzenerchiControl Object) - http://webgames.d.tmsrv.com/c=1e991847199ced6add9da66556822a7f/aff=t_03cm_wg/p/release/playfirst/wg_zenerchi/zenerchi/ZenerchiWeb.1.0.0.10.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://chill.comcast.net/Gameshell/GameHost/1.0/OberonGameHost.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6990 bytes
Fake AV software preventing Malwarebytes install
Wooster replied to Wooster's topic in Resolved Malware Removal Logs
File has already been analysed:
MD5: 1cc9fd3ba73aaa6020eb1a23640a49c6
First received: 2010.04.12 22:36:48 UTC
Date: 2010.04.13 01:37:17 UTC [<1D]
Results: 5/40
Permalink: analisis/609e408839986a721d5039d1a8f5d35954c67bcea16bd171a1ed7f59038dd99a-1271122637
Fake AV software preventing Malwarebytes install
Wooster replied to Wooster's topic in Resolved Malware Removal Logs
ComboFix log:

ComboFix 10-04-12.04 - User 04/12/2010 23:24:01.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.224 [GMT -7:00]
Running from: c:\documents and settings\User\Desktop\Combo-Fix.exe
AV: avast! antivirus 4.8.1368 [VPS 100412-2] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
((((((((((((((((((((((((( Files Created from 2010-03-13 to 2010-04-13 )))))))))))))))))))))))))))))))
.
2010-04-12 01:41 . 2010-04-12 01:41 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2010-04-11 06:57 . 2010-04-11 18:36 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft
2010-04-11 06:57 . 2010-04-11 06:58 -------- d-----w- c:\documents and settings\Administrator
2010-04-09 05:13 . 2010-04-11 06:25 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-28 23:08 . 2010-03-28 23:10 -------- d-----w- c:\program files\HRBlock2009
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-13 05:30 . 2010-04-12 21:58 112 ----a-w- c:\documents and settings\All Users\Application Data\7JN6Jyf3W.dat
2010-04-13 05:30 . 2010-04-13 05:30 71170 ----a-w- c:\documents and settings\All Users\Application Data\Kb7M1GA8.exe
2010-04-13 05:30 . 2010-04-13 05:30 71170 ----a-w- c:\documents and settings\All Users\Application Data\Kb7M1GA8.exe
2010-04-13 05:16 . 2005-08-19 03:11 -------- d-----w- c:\program files\QuickTime
2010-04-12 21:55 . 2009-01-22 03:44 -------- d-----w- c:\program files\iTunes
2010-04-12 21:55 . 2010-04-12 21:55 41472 ----a-w- c:\windows\Fonts\On6WEm.com
2010-04-12 08:13 . 2005-08-13 18:50 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-12 01:39 . 2010-04-12 00:01 -------- d-----w- c:\program files\Spybot
2010-04-12 00:58 . 2010-04-12 00:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-04-12 00:58 . 2010-04-12 00:58 -------- d-----w- c:\program files\Malwarebytes
2010-04-12 00:58 . 2010-04-12 00:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-12 00:10 . 2005-08-06 22:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-11 21:58 . 2010-04-11 14:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-11 18:21 . 2010-04-11 18:21 279816 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-11 15:03 . 2010-04-11 15:02 -------- d-----w- c:\program files\Scanner
2010-04-07 03:20 . 2007-11-23 06:41 -------- d-----w- c:\program files\Avast
2010-04-05 06:27 . 2006-08-29 03:43 -------- d-----w- c:\documents and settings\User\Application Data\Azureus
2010-03-30 07:46 . 2010-04-12 00:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 07:45 . 2010-04-12 00:58 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-28 23:14 . 2010-03-28 23:13 21195208 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Update\US30026901xupd.exe
2010-03-28 23:12 . 2008-01-29 01:49 -------- d-----w- c:\documents and settings\User\Application Data\TaxCut
2010-03-28 22:59 . 2008-01-29 01:44 -------- d-----w- c:\documents and settings\All Users\Application Data\TaxCut
2010-02-25 06:24 . 2004-08-04 12:00 916480 ------w- c:\windows\system32\wininet.dll
.
<pre>
c:\program files\Common Files\Real\Update_OB\realsched .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
</pre>
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2010-04-12 41476]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-07-28 4841472]
"nwiz"="nwiz.exe" [2003-07-28 323584]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-04-12 41476]
"avast!"="c:\progra~1\Avast\ashDisp.exe" [2009-11-24 81000]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-12 41476]

c:\documents and settings\User\Start Menu\Programs\Startup\
Watch.lnk - c:\windows\twain_32\A4S2_600\WATCH.EXE [2005-9-25 184320]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [4/10/2008 5:27 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/10/2008 5:27 PM 20560]
.
Contents of the 'Scheduled Tasks' folder

2010-04-12 c:\windows\Tasks\At1.job - c:\windows\Fonts\On6WEm.com [2010-04-12 21:55]
2010-04-12 c:\windows\Tasks\At10.job - c:\windows\Fonts\On6WEm.com [2010-04-12 21:55]
2010-04-12 c:\windows\Tasks\At11.job - c:\windows\Fonts\On6WEm.com [2010-04-12 21:55]
2010-04-12 c:\windows\Tasks\At12.job - c:\windows\Fonts\On6WEm.com [2010-04-12 21:55]
2010-04-12 c:\windows\Tasks\At13.job - c:\windows\Fonts\On6WEm.com [2010-04-12 21:55]
2010-04-12 c:\windows\Tasks\At14.job - c:\windows\Fonts\On6WEm.com [2010-04-12 21:55]
2010-04-12 c:\windows\Tasks\At15.job - c:\windows\Fonts\On6WEm.com [2010-04-12 21:55]
2010-04-12 c:\windows\Tasks\At16.job - c:\windows\Fonts\On6WEm.com [2010-04-12 21:55]
2010-04-12 c:\windows\Tasks\At17.job - c:\windows\Fonts\On6WEm.com [2010-04-12 21:55]
2010-04-13 c:\windows\Tasks\At18.job - c:\windows\Fonts\On6WEm.com [2010-04-12 21:55]
2010-04-13 c:\windows\Tasks\At19.job - c:\windows\Fonts\On6WEm.com [2010-04-12 21:55]
2010-04-12 c:\windows\Tasks\At2.job - c:\windows\Fonts\On6WEm.com [2010-04-12 21:55]
2010-04-13 c:\windows\Tasks\At20.job - c:\windows\Fonts\On6WEm.com [2010-04-12 21:55]
2010-04-13 c:\windows\Tasks\At21.job - c:\windows\Fonts\On6WEm.com [2010-04-12 21:55]
2010-04-13 c:\windows\Tasks\At22.job - c:\windows\Fonts\On6WEm.com [2010-04-12 21:55]
2010-04-13 c:\windows\Tasks\At23.job - c:\windows\Fonts\On6WEm.com [2010-04-12 21:55]
2010-04-13 c:\windows\Tasks\At24.job - c:\windows\Fonts\On6WEm.com [2010-04-12 21:55]
2010-04-12 c:\windows\Tasks\At3.job - c:\windows\Fonts\On6WEm.com [2010-04-12 21:55]
2010-04-12 c:\windows\Tasks\At4.job - c:\windows\Fonts\On6WEm.com [2010-04-12 21:55]
2010-04-12 c:\windows\Tasks\At5.job - c:\windows\Fonts\On6WEm.com [2010-04-12 21:55]
2010-04-12 c:\windows\Tasks\At6.job - c:\windows\Fonts\On6WEm.com [2010-04-12 21:55]
2010-04-12 c:\windows\Tasks\At7.job - c:\windows\Fonts\On6WEm.com [2010-04-12 21:55]
2010-04-12 c:\windows\Tasks\At8.job - c:\windows\Fonts\On6WEm.com [2010-04-12 21:55]
2010-04-12 c:\windows\Tasks\At9.job - c:\windows\Fonts\On6WEm.com [2010-04-12 21:55]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
DPF: {21BB8360-F943-447E-98F3-3C22345375A7} - hxxp://webgames.d.tmsrv.com/c=6938673a4cc9aaa50d6f456aaa8f0b47/aff=t_03cm_wg/p/release/playfirst/wg_chocolatier/chocolatier/ChocolatierWeb.1.0.0.13.cab
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\4bgulz0o.default\
.
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-12 23:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\windows\TEMP\flaB.tmp 11873910 bytes

scan completed successfully
hidden files: 1

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x826D8AC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf865af28
\Driver\ACPI -> ACPI.sys @ 0xf85adcb8
\Driver\atapi -> atapi.sys @ 0xf8565852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: NVIDIA nForce Networking Controller -> SendCompleteHandler -> NDIS.sys @ 0xf8471bb0
PacketIndicateHandler -> NDIS.sys @ 0xf847ea21
SendHandler -> NDIS.sys @ 0xf845c87b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(656)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(716)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(856)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-04-12 23:53:52
ComboFix-quarantined-files.txt 2010-04-13 06:53
ComboFix2.txt 2010-04-12 07:41

Pre-Run: 12,227,772,416 bytes free
Post-Run: 12,685,619,200 bytes free

- - End Of File - - F78102C23AD23CD2FA86BB53103C8E15