isao

About isao

  • Rank
    New Member

  1. Elise - For you, and for any who may see this forum entry in the future, please know that your assistance was truly excellent. Your advice was always effective, timely, and good-natured as well. I am very grateful, not only for your technical assistance, but also for your demonstrating that there are very good and very smart people in this world. Thank you for all your help. isao
  2. Elise - I am very pleased to see the words "All Clean". I have uninstalled Combofix, and deleted DDS and GMER. Should I do anything to DeFogger? Perhaps just delete the executable file? I will go through the advice you provided on preventing re-infection. I want to thank you again for all your help. I will, of course, be happily making a donation. I wonder though if it would be appropriate for me to also provide some feedback to your organization, commending you for all the help you provided to me. If it would be appropriate for me to do so, please let me know how I might be able to do that. Thank you so much, isao
  3. Elise - Thank you for suggesting I scan the computer with ESET OnlineScan. I ran the scan last night, and it found "win32/olmarik.zc trojan" in two files, cleaned, and quarantined them. The report from ESET OnlineScan is shown below. I also ran full scans with Ad-Aware and Norton. However, you were correct in thinking they would not find anything. If there are other scans I should run, please let me know. Thanks again, isao
     __________________________________
     C:\Qoobox\32788R22FWJFW\termdd.sys Win32/Olmarik.ZC trojan cleaned - quarantined
     C:\System Volume Information\_restore{4DB066B1-ECB2-4042-82BD-5CA135493541}\RP7\A0001793.sys Win32/Olmarik.ZC trojan cleaned - quarantined
  4. Hi Elise - I updated MBAM and ran a full scan. The resulting log is posted below. So far, so good; the MBAM full scan did not appear to find anything. Later today, I will update and run full scans with Norton Security Suite and Ad-Aware. Please let me know if I should post the results of these scans as well, or if there are other scans I should run. I am keeping my fingers crossed, hoping the computer actually is clean . . . I will be traveling and not have internet access this weekend. So, please excuse me if it takes me a couple days to reply to your next post. Thanks, isao
     ___________________________________
     Malwarebytes' Anti-Malware 1.46
     www.malwarebytes.org
     Database version: 4399
     Windows 5.1.2600 Service Pack 3
     Internet Explorer 8.0.6001.18702
     8/6/2010 2:13:02 PM
     mbam-log-2010-08-06 (14-13-02).txt
     Scan type: Full scan (C:\|)
     Objects scanned: 281652
     Time elapsed: 2 hour(s), 5 minute(s), 48 second(s)
     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0
     Memory Processes Infected: (No malicious items detected)
     Memory Modules Infected: (No malicious items detected)
     Registry Keys Infected: (No malicious items detected)
     Registry Values Infected: (No malicious items detected)
     Registry Data Items Infected: (No malicious items detected)
     Folders Infected: (No malicious items detected)
     Files Infected: (No malicious items detected)
  5. Elise - First of all, thank you very much for helping me with this problem. I downloaded and ran ComboFix. The following is the ComboFix.txt file. Also, I have a question. Since ComboFix ran successfully, can I re-enable the AntiVirus and AntiSpyware program? Perhaps I am being paranoid. But, I am anxious about having them turned off. Thanks again, Isao
  6. I have been infected with malware and I hope you can help. I should start out by noting this is the first time I have used a forum, and also I am not familiar with much of the nomenclature I have seen in other forum entries. I hope you will excuse my inexperience. I do not know the identity of the malware. There are two symptoms that I notice. One is a message from the Malwarebytes program. The second occurs when browsing with Internet Explorer. 1) The message from the Malwarebytes program is "Malwarebytes' Anti-Malware