insky

removing startnow.com

4 posts in this topic

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6629

Windows 5.1.2600 Service Pack 3

Internet Explorer 6.0.2900.5512

5/24/2011 2:31:45 PM

mbam-log-2011-05-24 (14-31-45).txt

Scan type: Full scan (C:\|)

Objects scanned: 318481

Time elapsed: 1 hour(s), 43 minute(s), 17 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 7

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\system volume information\_restore{202550a8-7a33-4bca-9586-051d24ddbf8f}\RP179\A0039423.dll (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.

c:\system volume information\_restore{202550a8-7a33-4bca-9586-051d24ddbf8f}\RP179\A0039424.exe (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.

c:\system volume information\_restore{202550a8-7a33-4bca-9586-051d24ddbf8f}\RP179\A0039425.exe (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.

c:\system volume information\_restore{202550a8-7a33-4bca-9586-051d24ddbf8f}\RP179\A0039435.exe (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.

c:\system volume information\_restore{202550a8-7a33-4bca-9586-051d24ddbf8f}\RP179\A0039436.dll (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.

c:\system volume information\_restore{202550a8-7a33-4bca-9586-051d24ddbf8f}\RP179\A0039437.exe (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.

c:\system volume information\_restore{202550a8-7a33-4bca-9586-051d24ddbf8f}\RP180\A0039498.exe (Adware.Agent) -> Quarantined and deleted successfully.

GMER 1.0.15.15627 - http://www.gmer.net

Rootkit scan 2011-05-25 22:54:15

Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e Maxtor_6Y160M0 rev.YAR51HW0

Running: me2sl0be.exe; Driver: C:\DOCUME~1\dw\LOCALS~1\Temp\pxloypob.sys

Shortcut to attach.zip

ark.txt


DDS (Ver_11-05-19.01) - NTFSx86

Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_24

Run by dw at 15:12:03 on 2011-05-24

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1270.679 [GMT -6:00]

.

AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Firewall *Enabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

C:\WINDOWS\system32\svchost.exe -k rpcss

C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\msdtc.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe

C:\Program Files\McAfee Online Backup\MOBKbackup.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\svchost.exe -k netsvcs

C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

C:\Program Files\Trusteer\Rapport\bin\RapportService.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe

c:\PROGRA~1\mcafee\msc\mcupdmgr.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Documents and Settings\dw\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\dw\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\dw\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\dw\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\dw\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\dw\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\dw\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\dw\My Documents\Downloads\dds.scr

C:\WINDOWS\system32\WSCRIPT.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.azulstar.com/

mWindow Title = scraps, jean, richard overfield

uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110513172951.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll

uRun: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMBgMonitor.exe"

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1

uRun: [Google Update] "c:\documents and settings\dw\local settings\application data\google\update\GoogleUpdate.exe" /c

mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe

mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

Trusted Zone: internet

Trusted Zone: intuit.com\ttlc

Trusted Zone: mcafee.com

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab

DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.4.24.0.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Notify: igfxcui - igfxdev.dll

Notify: LMIinit - LMIinit.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

============= SERVICES / DRIVERS ===============

.

R0 McPvDrv;McPvDrv Driver;c:\windows\system32\drivers\McPvDrv.sys [2009-11-17 63080]

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-4-22 387480]

R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2011-4-28 53816]

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-4-22 84200]

R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [2010-4-23 54776]

R1 RapportCerberus_26169;RapportCerberus_26169;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportcerberus\26169\RapportCerberus_26169.sys [2011-5-2 57144]

R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2011-4-28 66360]

R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2011-4-28 158904]

R1 SASDIFSV;SASDIFSV;c:\docume~1\dw\locals~1\temp\sas_selfextract\SASDIFSV.SYS [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;c:\docume~1\dw\locals~1\temp\sas_selfextract\SASKUTIL.SYS [2010-5-10 67656]

R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2011-4-13 47640]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-12-26 88176]

R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-4-22 271480]

R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-4-22 271480]

R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-4-22 271480]

R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-4-22 171168]

R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-4-22 188136]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-4-22 141792]

R2 MOBKbackup;McAfee Online Backup;c:\program files\mcafee online backup\MOBKbackup.exe [2010-2-5 229688]

R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2011-4-28 870200]

R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-4-22 56064]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-4-22 153280]

R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-4-22 52320]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-4-22 314088]

R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2011-5-13 88736]

S2 gupdate1c982565c6b24b6;Google Update Service (gupdate1c982565c6b24b6);c:\program files\google\update\GoogleUpdate.exe [2009-1-29 133104]

S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\logmein\x86\rainfo.sys --> c:\program files\logmein\x86\RaInfo.sys [?]

S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-1-29 133104]

S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2011-5-13 88736]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-4-22 84488]

S4 LMIRfsClientNP;LMIRfsClientNP; [x]

.

=============== Created Last 30 ================

.

2011-05-24 20:46:36 388096 ----a-r- c:\documents and settings\dw\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe

2011-05-24 15:48:49 -------- d-----w- c:\documents and settings\dw\local settings\application data\WeatherBug

2011-05-24 15:48:38 -------- d-----w- c:\documents and settings\dw\application data\WeatherBug

2011-05-24 15:48:31 18944 ----a-r- c:\documents and settings\dw\application data\microsoft\installer\{8f018a9e-56de-4a79-a5ef-25f413f1d538}\IconBB6A16301.exe

2011-05-24 15:47:35 -------- d-----w- c:\program files\kikin

2011-05-24 15:47:35 -------- d-----w- c:\documents and settings\dw\application data\kikin

2011-05-24 15:46:57 -------- d-----w- c:\program files\Ploose

2011-05-18 18:07:02 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-05-13 23:28:16 88736 ----a-w- c:\windows\system32\drivers\mfendisk.sys

2011-05-12 22:18:21 102400 ----a-w- c:\windows\RegBootClean.exe

2011-05-12 14:08:03 189520 ----a-w- c:\windows\system32\drivers\tmcomm.sys

2011-04-28 20:34:50 53816 ----a-w- c:\windows\system32\drivers\RapportKELL.sys

.

==================== Find3M ====================

.

2011-04-14 20:01:38 95824 ----a-w- c:\windows\system32\drivers\mfeapfk.sys

2011-04-14 20:01:38 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys

2011-04-14 20:01:38 84488 ----a-w- c:\windows\system32\drivers\mferkdet.sys

2011-04-14 20:01:38 84200 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys

2011-04-14 20:01:38 56064 ----a-w- c:\windows\system32\drivers\cfwids.sys

2011-04-14 20:01:38 52320 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2011-04-14 20:01:38 387480 ----a-w- c:\windows\system32\drivers\mfehidk.sys

2011-04-14 20:01:38 314088 ----a-w- c:\windows\system32\drivers\mfefirek.sys

2011-04-14 20:01:38 153280 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2011-04-08 15:38:00 0 ----a-w- c:\windows\Ppita.bin

2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-03-04 06:45:07 434176 ----a-w- c:\windows\system32\vbscript.dll

2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys

.

============= FINISH: 15:14:01.92 ===============


Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
