Rogue scanner infected my computer
stulaunch
Posts: 564 Forumite
in Techie Stuff
Rogue scanner infected my computer.
Ran Malwarebytes, then ComboFix, then HijackThis.
ComboFix found rootkit activity then restarted, not sure if it's relevant.
Both Malwarebytes and ComboFix found things, which I fixed.
Now my antivirus keeps blocking a rogue address about every 30 seconds, so I guess there is something there.
Will post the logs next, in the order I did them.
Would be grateful if somebody would look over them.
Thanks
Comments
Malwarebytes
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4532
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
03/09/2010 13:35:01
mbam-log-2010-09-03 (13-35-01).txt
Scan type: Full scan (C:\|)
Objects scanned: 220009
Time elapsed: 50 minute(s), 1 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallMTF1011$\mmduch.dll.vir (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallMTF1011$\mmx.dll.vir (Trojan.BHO) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A209FA92-F00C-46C1-A3EC-0FA532B18FB7}\RP403\A0065309.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A209FA92-F00C-46C1-A3EC-0FA532B18FB7}\RP403\A0065310.dll (Trojan.BHO) -> Quarantined and deleted successfully.
Combofix
ComboFix 10-09-02.03 - Stu 03/09/2010 13:49:42.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2621 [GMT 1:00]
Running from: c:\documents and settings\Stu\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Resident AV is active
.
((((((((((((((((((((((((( Files Created from 2010-08-03 to 2010-09-03 )))))))))))))))))))))))))))))))
.
2010-09-02 21:01 . 2010-09-02 21:01 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-02 20:21 . 2010-09-02 19:15 183296 ----a-w- c:\windows\Opolib.exe
2010-09-02 20:03 . 2010-09-02 20:03 d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-09-02 19:14 . 2010-09-02 19:14 183296 ----a-w- c:\windows\Opolia.exe
2010-08-31 08:15 . 2010-08-31 08:15 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-08-28 13:52 . 2010-08-28 13:52 d-----w- c:\documents and settings\NetworkService\Application Data\Xfire
2010-08-28 13:40 . 2010-09-02 17:24 d-----w- c:\documents and settings\Stu\Application Data\Xfire
2010-08-28 13:40 . 2010-08-29 08:00 d-s---w- c:\program files\Xfire
2010-08-28 09:46 . 2010-08-28 09:46 15360 ----a-r- c:\documents and settings\Stu\Application Data\Microsoft\Installer\{DD8408E9-9421-484F-979D-DB6361E3E828}\IconDD8408E910.exe
2010-08-28 09:46 . 2010-08-28 09:46 11264 ----a-r- c:\documents and settings\Stu\Application Data\Microsoft\Installer\{DD8408E9-9421-484F-979D-DB6361E3E828}\IconDD8408E96.exe
2010-08-28 09:41 . 2010-08-28 09:41 d-----w- C:\DirectX9
2010-08-27 19:14 . 2010-08-27 19:14 d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-08-22 17:31 . 2010-08-22 17:31 6144 ----a-r- c:\documents and settings\Stu\Application Data\Microsoft\Installer\{83F12F73-D52E-40C0-93B1-463C311C4E17}\Icon83F12F734.exe
2010-08-22 17:31 . 2010-08-22 17:31 15360 ----a-r- c:\documents and settings\Stu\Application Data\Microsoft\Installer\{83F12F73-D52E-40C0-93B1-463C311C4E17}\Icon83F12F738.exe
2010-08-22 17:31 . 2010-08-22 17:31 10752 ----a-r- c:\documents and settings\Stu\Application Data\Microsoft\Installer\{83F12F73-D52E-40C0-93B1-463C311C4E17}\Icon8255BBAC1.exe
2010-08-22 17:23 . 2010-08-22 17:23 d-----w- C:\Extras
2010-08-22 17:23 . 2010-08-22 17:23 d-----w- C:\Autorun
2010-08-17 07:19 . 2010-08-17 07:19 d-----w- c:\documents and settings\Stu\Local Settings\Application Data\Help
2010-08-16 21:56 . 2010-08-16 22:08 d-----w- c:\program files\EASEUS
2010-08-16 21:13 . 2010-08-16 21:13 d-----w- c:\program files\7-Zip
2010-08-16 19:08 . 2010-08-16 19:08 d-----w- c:\program files\Symantec
2010-08-14 14:39 . 2010-08-14 14:39 d-----w- c:\program files\PPSGame
2010-08-14 14:38 . 2010-08-14 14:39 d-----w- c:\documents and settings\Stu\Application Data\PPStream
2010-08-14 14:38 . 2010-08-14 14:39 d-----w- c:\program files\PPStream
2010-08-13 22:15 . 2010-08-13 22:15 d-----w- c:\program files\Recuva
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-02 20:29 . 2009-08-13 19:51 d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-09-02 20:27 . 2009-08-17 15:54 d-----w- c:\program files\cleanmypc.exe
2010-09-02 20:18 . 2009-11-10 10:18 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-09-02 04:37 . 2010-01-21 15:36 d-----w- c:\documents and settings\Stu\Application Data\vlc
2010-08-30 09:13 . 2009-08-28 13:15 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-08-28 13:33 . 2009-12-25 10:39 d-----w- c:\program files\THQ
2010-08-28 13:33 . 2009-08-13 19:18 d--h--w- c:\program files\InstallShield Installation Information
2010-08-13 18:09 . 2009-08-13 22:05 d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-08-08 08:27 . 2009-12-27 10:53 d-----w- c:\program files\Steam
2010-07-29 07:02 . 2010-07-29 07:02 d-----w- c:\program files\Free WMA to MP3 Converter
2010-07-29 06:33 . 2010-07-29 06:33 d-----w- c:\documents and settings\Stu\Application Data\MP3toiPodAudioBookConverter
2010-07-29 06:33 . 2010-07-29 06:33 d-----w- c:\program files\MP3ToIpodAudioBookConverter
2010-07-25 12:07 . 2009-08-13 21:01 69648 ----a-w- c:\documents and settings\Stu\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-25 10:23 . 2010-07-25 10:23 d-----w- c:\documents and settings\All Users\Application Data\Innovative Solutions
2010-07-25 10:23 . 2010-07-25 10:23 d-----w- c:\program files\Innovative Solutions
2010-07-22 10:19 . 2010-07-22 10:19 388096 ----a-r- c:\documents and settings\Stu\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-07-22 10:19 . 2010-07-22 10:19 d-----w- c:\program files\Trend Micro
2010-07-17 16:49 . 2010-07-17 16:48 d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts
2010-07-17 16:46 . 2009-08-15 19:33 d-----w- c:\program files\Electronic Arts
2010-07-17 16:29 . 2010-07-17 16:29 d-----w- c:\program files\Common Files\Adobe AIR
2010-07-17 16:28 . 2010-07-17 16:29 38784 ----a-w- c:\documents and settings\Stu\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-07-14 19:22 . 2010-07-14 19:20 d-----w- c:\program files\Adventure Pinball
2010-07-12 21:43 . 2010-07-12 21:43 159776 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-07-09 19:04 . 2010-07-09 19:04 41872 ----a-w- c:\windows\system32\xfcodec.dll
2010-07-08 21:10 . 2010-07-08 21:10 d-----w- c:\program files\AMD
2010-07-08 21:02 . 2010-07-08 21:02 d-----w- c:\documents and settings\All Users\Application Data\ATI
2010-07-08 20:55 . 2010-07-08 20:55 d-----w- c:\program files\Realtek AC97
2010-07-08 20:54 . 2009-08-13 20:51 d-----w- c:\program files\ATI Technologies
2010-07-08 17:20 . 2010-07-08 17:20 d-----w- c:\program files\Driver-Soft
2010-06-30 12:31 . 2004-08-04 12:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2004-08-04 12:00 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2004-08-04 12:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2004-08-04 12:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2009-08-13 17:09 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2004-08-04 12:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-10 15:52 . 2010-06-10 15:52 5430 ----a-r- c:\documents and settings\Stu\Application Data\Microsoft\Installer\{4A24CAC1-90A5-4325-A4FB-B32CE815C780}\_BDA3CDDBF57ADE3854651C.exe
2010-06-10 15:52 . 2010-06-10 15:52 5430 ----a-r- c:\documents and settings\Stu\Application Data\Microsoft\Installer\{4A24CAC1-90A5-4325-A4FB-B32CE815C780}\_1BD05DE3FCEFE82B9BA625.exe
.
((((((((((((((((((((((((((((( SnapShot@2010-09-02_20.55.11 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-09-03 12:49 . 2010-09-03 12:49 16384 c:\windows\Temp\Perflib_Perfdata_5b0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Window Washer"="c:\program files\Webroot\Washer\wwDisp.exe" [2007-11-26 1206600]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2010-08-24 247144]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"FG_Monitor"="c:\program files\Folder Guard Pro\FGKey.exe" [2008-01-04 118600]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-09-29 2054360]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\Stu\Start Menu\Programs\Startup\
Xfire.lnk - c:\program files\Xfire\Xfire.exe [2010-7-9 3493776]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HPZRCV01.LNK]
backup=c:\windows\pss\HPZRCV01.LNKCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-02-16 15:15 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2006-10-25 08:03 210472 ----a-w- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"SerialNumber"="A109A-K13-3ZXD-BAP5-TE"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe"=
"c:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"=
"c:\\Program Files\\THQ\\Company of Heroes\\RelicDownloader\\RelicDownloader.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\Firefly Studios\\CivCity Rome\\CivCity Rome.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\empire total war\\Empire.exe"=
"c:\\Program Files\\PPLive\\PPLive.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\napoleon total war\\Napoleon.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\PPStream\\PPStream.exe"=
"c:\\Program Files\\PPStream\\PPSAP.exe"=
"c:\\Program Files\\PPSGame\\PPSGame.exe"=
"c:\\Program Files\\THQ\\Dawn Of War\\W40k.exe"=
"c:\\Program Files\\THQ\\Dawn Of War\\W40kWA.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [29/09/2009 14:02 108792]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [29/09/2009 14:05 96408]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [29/09/2009 14:03 735960]
R2 FGUARD32;FGUARD32;c:\program files\Folder Guard Pro\FGUARD32.SYS [13/08/2009 22:22 54008]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [24/08/2010 10:38 92008]
R2 wwEngineSvc;Window Washer Engine;c:\program files\Webroot\Washer\WasherSvc.exe [13/08/2009 22:36 598856]
R3 dvdfab;dvdfab;c:\windows\system32\drivers\dvdfab.sys [21/03/2010 10:53 42880]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [13/08/2009 20:18 17149]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [20/04/2010 14:36 24576]
.
Contents of the 'Scheduled Tasks' folder
2010-09-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-1563985344-839522115-1004Core.job
- c:\documents and settings\Stu\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-05-28 19:21]
2010-09-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-1563985344-839522115-1004UA.job
- c:\documents and settings\Stu\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-05-28 19:21]
.
.
Supplementary Scan
.
uStart Page = hxxp://news.bbc.co.uk/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5643
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: 111222.cn\list1
Trusted Zone: pps.tv\kan
Trusted Zone: pps.tv\list1
Trusted Zone: pps.tv\tvguide
Trusted Zone: pps.tv\vodguide
Trusted Zone: ppstream.com\list1
Trusted Zone: ppstream.com\notice
Trusted Zone: ppstream.com\xml1
Trusted Zone: ppstream.com\xml2
Trusted Zone: ppstream.com\xml3
Trusted Zone: ppstream.net\list1
Trusted Zone: ppstv.com\list1
Trusted Zone: ppstv.net\list1
Trusted Zone: security_PPStream.exe
FF - ProfilePath - c:\documents and settings\Stu\Application Data\Mozilla\Firefox\Profiles\dvvxgj6r.default\
FF - prefs.js: browser.startup.homepage - hxxp://news.bbc.co.uk/
FF - plugin: c:\documents and settings\Stu\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\Veetle\VLCBroadcast\npvbp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-03 14:00
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x895FCEC5]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba0ecf28
\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8
\Driver\atapi -> atapi.sys @ 0xb9f37852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579014
ParseProcedure -> 0x892831b0
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579014
ParseProcedure -> 0x892831b0
NDIS: NVIDIA nForce Networking Controller -> SendCompleteHandler -> NDIS.sys @ 0xb9ddabb0
PacketIndicateHandler -> NDIS.sys @ 0xb9de7a21
SendHandler -> NDIS.sys @ 0xb9dc587b
user & kernel MBR OK
**************************************************************************
.
LOCKED REGISTRY KEYS
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
DLLs Loaded Under Running Processes
- - - - - - - > 'winlogon.exe'(764)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'lsass.exe'(824)
c:\windows\system32\WININET.dll
.
Completion time: 2010-09-03 14:04:09
ComboFix-quarantined-files.txt 2010-09-03 13:04
ComboFix2.txt 2010-09-02 20:58
ComboFix3.txt 2010-07-22 10:16
Pre-Run: 190,535,294,976 bytes free
Post-Run: 190,529,613,824 bytes free
- - End Of File - - 6A76E4F8A384DB71BE6332BA1F1E7972
Try SUPERAntiSpyware as well; also run all scans in Safe Mode.
Open notepad and copy/paste the text in RED below
File::
c:\windows\Opolib.exe
c:\windows\Opolia.exe
c:\documents and settings\Stu\Application Data\Microsoft\Installer\{DD8408E9-9421-484F-979D-DB6361E3E828}\IconDD8408E910.exe
c:\documents and settings\Stu\Application Data\Microsoft\Installer\{DD8408E9-9421-484F-979D-DB6361E3E828}\IconDD8408E96.exe
c:\documents and settings\Stu\Application Data\Microsoft\Installer\{83F12F73-D52E-40C0-93B1-463C311C4E17}\Icon83F12F734.exe
c:\documents and settings\Stu\Application Data\Microsoft\Installer\{83F12F73-D52E-40C0-93B1-463C311C4E17}\Icon83F12F738.exe
c:\documents and settings\Stu\Application Data\Microsoft\Installer\{83F12F73-D52E-40C0-93B1-463C311C4E17}\Icon8255BBAC1.exe
c:\program files\cleanmypc.exe
c:\documents and settings\Stu\Application Data\Microsoft\Installer\{4A24CAC1-90A5-4325-A4FB-B32CE815C780}\_BDA3CDDBF57ADE3854651C.exe
c:\documents and settings\Stu\Application Data\Microsoft\Installer\{4A24CAC1-90A5-4325-A4FB-B32CE815C780}\_1BD05DE3FCEFE82B9BA625.exe
Save this as "CFScript" (the FULL file name will be 'CFScript.txt' EXACTLY as shown).
Then drag the CFScript onto ComboFix.exe as you see in the screenshot below.
This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.
(If the SNAPSHOT section is stupidly large, leave that part out.)
ComboFix should never take more than 30 minutes including the reboot if malware is detected.
If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab and end any processes called findstr, find, sed or swreg; ComboFix should then continue.
...............................................................................
Download HostsXpert
http://www.softpedia.com/progDownload/Hoster-Download-27041.html
and then follow the below steps.
* Unzip HostsXpert.zip
* It will create a folder named HostsXpert in whatever folder you extract it to.
* Run HostsXpert.exe by double clicking on it.
* click the Make Writeable? button.
* click Restore Microsoft's Hosts File and then click OK.
* Click the X to exit the program
...............................................................................
Download CCLEANER
http://www.piriform.com/ccleaner/download/slim
Run the CLEANER scan (UNTICK 'cookies')
Then run the REGISTRY scan (Backup the registry when it asks)
How is it now?
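The log format posted above and the `File::` block in the instructions above are regular enough to script the first triage pass. The Python below is an added example for this thread; it is not ComboFix's own tooling and not code from any poster. It parses the line shapes visible in the posted ComboFix log (the "Files Created" entries, the `uInternet Settings` lines and the `Trusted Zone` lines), flags the two loose executables dropped straight into c:\windows that the CFScript above deletes, reports the IE proxy pointing at 127.0.0.1:5643 (a setting the log shows, which a hijacker uses to sit between the browser and the web, and which the instructions above do not touch) and lists every Trusted Zone entry for review, then drafts the `File::` block in the form the helper used. The sample log is constructed from a few lines of the posted log; the 30-day window, the "binary directly under c:\windows" rule and the loopback check are this example's own heuristics, and a human still decides what goes into the script ComboFix is fed.

```python
"""Triage a ComboFix log and draft the File:: block of a CFScript.

Added example for this thread, not ComboFix's tooling and not any poster's
code. Selection rules are this example's assumptions; review before use.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: a few lines trimmed from the posted log, single-spaced.
SAMPLE_LOG = """\
2010-09-02 20:21 . 2010-09-02 19:15 183296 ----a-w- c:\\windows\\Opolib.exe
2010-09-02 19:14 . 2010-09-02 19:14 183296 ----a-w- c:\\windows\\Opolia.exe
2010-08-31 08:15 . 2010-08-31 08:15 552 ----a-w- c:\\windows\\system32\\d3d8caps.dat
2010-07-09 19:04 . 2010-07-09 19:04 41872 ----a-w- c:\\windows\\system32\\xfcodec.dll
2010-09-02 21:01 . 2010-09-02 21:01 d-----w- c:\\program files\\Malwarebytes' Anti-Malware
uStart Page = hxxp://news.bbc.co.uk/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5643
Trusted Zone: 111222.cn\\list1
Trusted Zone: pps.tv\\kan
"""

# "created . modified [size] attributes path"; size is absent for directories.
FILE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r"(?: (\d+))? ([d-][\w-]{7}) (.+)$")
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer = (.+)$")
TRUSTED_RE = re.compile(r"^Trusted Zone: (.+)$")
LOOPBACK_RE = re.compile(r"\b(?:127\.\d+\.\d+\.\d+|localhost)(?::\d+)?", re.I)
# A binary sitting directly in c:\windows rather than in a subfolder.
LOOSE_BIN_RE = re.compile(r"^c:\\windows\\[^\\]+\.(?:exe|dll|sys|scr)$", re.I)


def parse_files(log):
    """Return the file and directory entries of a ComboFix log as dicts."""
    entries = []
    for raw in log.splitlines():
        line = re.sub(r"[ \t]+", " ", raw.strip())  # tabs or runs of spaces
        m = FILE_RE.match(line)
        if not m:
            continue
        created, _modified, size, attrs, path = m.groups()
        entries.append({
            "created": datetime.strptime(created, "%Y-%m-%d %H:%M"),
            "size": int(size) if size else None,
            "is_dir": attrs.startswith("d"),
            "path": path,
        })
    return entries


def loose_windows_binaries(entries, scan_day, window_days=30):
    """Binaries created directly under c:\\windows within window_days of the
    scan day (heuristic). Installers rarely drop an .exe there; the
    Opolib/Opolia pair in the posted log is the pattern this catches."""
    scan = datetime.strptime(scan_day, "%Y-%m-%d")
    window = timedelta(days=window_days)
    return [e["path"] for e in entries
            if not e["is_dir"]
            and LOOSE_BIN_RE.match(e["path"])
            and scan - e["created"] <= window]


def loopback_proxy(log):
    """The IE ProxyServer value if it points at the local machine, else None.
    A process listening on 127.0.0.1 then sees all browser traffic."""
    for raw in log.splitlines():
        m = PROXY_RE.match(raw.strip())
        if m and LOOPBACK_RE.search(m.group(1)):
            return m.group(1)
    return None


def trusted_zones(log):
    """Every Trusted Zone entry; each one weakens IE's checks for that site."""
    found = []
    for raw in log.splitlines():
        m = TRUSTED_RE.match(raw.strip())
        if m:
            found.append(m.group(1))
    return found


def draft_cfscript(paths):
    """File:: block in the form the helper used, one full path per line."""
    return "File::\n" + "".join(p + "\n" for p in paths)


def triage(log, scan_day):
    files = loose_windows_binaries(parse_files(log), scan_day)
    return {
        "loose_binaries": files,
        "loopback_proxy": loopback_proxy(log),
        "trusted_zones": trusted_zones(log),
        "cfscript": draft_cfscript(files),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG, "2010-09-03")
    print("Loopback proxy:", result["loopback_proxy"])
    print("Trusted zones:", ", ".join(result["trusted_zones"]))
    print(result["cfscript"], end="")
```

Run it on a saved ComboFix.txt by replacing `SAMPLE_LOG` with the file contents and `scan_day` with the date in the log header; the drafted `File::` block is a starting point for the CFScript, not a verdict, and anything it lists still needs a look (vendor, signature, what started it) before it is deleted.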
Ok Rik, I'm doing ComboFix ATM. Halfway through the scan I did get a box that said PEV.executive encountered a problem and had to close, is that ok?
Will do the other thing next.
Try ComboFix again but remove all the 'installer' entries.
ComboFix 10-09-02.04 - Stu 03/09/2010 18:15:35.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2630 [GMT 1:00]
Running from: c:\documents and settings\Stu\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Stu\Desktop\CFScript.txt
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Resident AV is active
FILE ::
"c:\documents and settings\Stu\Application Data\Microsoft\Installer\{4A24CAC1-90A5-4325-A4FB-B32CE815C780}\_1BD05DE3FCEFE82B9BA625.exe"
"c:\documents and settings\Stu\Application Data\Microsoft\Installer\{4A24CAC1-90A5-4325-A4FB-B32CE815C780}\_BDA3CDDBF57ADE3854651C.exe"
"c:\documents and settings\Stu\Application Data\Microsoft\Installer\{83F12F73-D52E-40C0-93B1-463C311C4E17}\Icon8255BBAC1.exe"
"c:\documents and settings\Stu\Application Data\Microsoft\Installer\{83F12F73-D52E-40C0-93B1-463C311C4E17}\Icon83F12F734.exe"
"c:\documents and settings\Stu\Application Data\Microsoft\Installer\{83F12F73-D52E-40C0-93B1-463C311C4E17}\Icon83F12F738.exe"
"c:\documents and settings\Stu\Application Data\Microsoft\Installer\{DD8408E9-9421-484F-979D-DB6361E3E828}\IconDD8408E910.exe"
"c:\documents and settings\Stu\Application Data\Microsoft\Installer\{DD8408E9-9421-484F-979D-DB6361E3E828}\IconDD8408E96.exe"
"c:\program files\cleanmypc.exe"
"c:\windows\Opolia.exe"
"c:\windows\Opolib.exe"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Stu\Application Data\Microsoft\Installer\{4A24CAC1-90A5-4325-A4FB-B32CE815C780}\_1BD05DE3FCEFE82B9BA625.exe
c:\documents and settings\Stu\Application Data\Microsoft\Installer\{4A24CAC1-90A5-4325-A4FB-B32CE815C780}\_BDA3CDDBF57ADE3854651C.exe
c:\documents and settings\Stu\Application Data\Microsoft\Installer\{83F12F73-D52E-40C0-93B1-463C311C4E17}\Icon8255BBAC1.exe
c:\documents and settings\Stu\Application Data\Microsoft\Installer\{83F12F73-D52E-40C0-93B1-463C311C4E17}\Icon83F12F734.exe
c:\documents and settings\Stu\Application Data\Microsoft\Installer\{83F12F73-D52E-40C0-93B1-463C311C4E17}\Icon83F12F738.exe
c:\documents and settings\Stu\Application Data\Microsoft\Installer\{DD8408E9-9421-484F-979D-DB6361E3E828}\IconDD8408E910.exe
c:\documents and settings\Stu\Application Data\Microsoft\Installer\{DD8408E9-9421-484F-979D-DB6361E3E828}\IconDD8408E96.exe
c:\windows\Opolia.exe
c:\windows\Opolib.exe
.
((((((((((((((((((((((((( Files Created from 2010-08-03 to 2010-09-03 )))))))))))))))))))))))))))))))
.
2010-09-03 15:24 . 2010-09-03 15:24 63488 ----a-w- c:\documents and settings\Stu\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-09-03 15:24 . 2010-09-03 15:24 52224 ----a-w- c:\documents and settings\Stu\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-09-02 21:01 . 2010-09-02 21:01 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-02 20:03 . 2010-09-02 20:03 d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-08-31 08:15 . 2010-08-31 08:15 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-08-28 13:52 . 2010-08-28 13:52 d-----w- c:\documents and settings\NetworkService\Application Data\Xfire
2010-08-28 13:40 . 2010-09-03 17:02 d-----w- c:\documents and settings\Stu\Application Data\Xfire
2010-08-28 13:40 . 2010-08-29 08:00 d-s---w- c:\program files\Xfire
2010-08-28 09:41 . 2010-08-28 09:41 d-----w- C:\DirectX9
2010-08-27 19:14 . 2010-08-27 19:14 d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-08-22 17:23 . 2010-08-22 17:23 d-----w- C:\Extras
2010-08-22 17:23 . 2010-08-22 17:23 d-----w- C:\Autorun
2010-08-17 07:19 . 2010-08-17 07:19 d-----w- c:\documents and settings\Stu\Local Settings\Application Data\Help
2010-08-16 21:56 . 2010-08-16 22:08 d-----w- c:\program files\EASEUS
2010-08-16 21:13 . 2010-08-16 21:13 d-----w- c:\program files\7-Zip
2010-08-16 19:08 . 2010-08-16 19:08 d-----w- c:\program files\Symantec
2010-08-14 14:39 . 2010-08-14 14:39 d-----w- c:\program files\PPSGame
2010-08-14 14:38 . 2010-08-14 14:39 d-----w- c:\documents and settings\Stu\Application Data\PPStream
2010-08-14 14:38 . 2010-08-14 14:39 d-----w- c:\program files\PPStream
2010-08-13 22:15 . 2010-08-13 22:15 d-----w- c:\program files\Recuva
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-03 15:58 . 2009-11-10 10:18 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-09-03 15:24 . 2009-09-20 08:41 117760 ----a-w- c:\documents and settings\Stu\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-09-03 15:24 . 2009-09-20 08:41 d-----w- c:\program files\SUPERAntiSpyware
2010-09-02 20:29 . 2009-08-13 19:51 d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-09-02 20:27 . 2009-08-17 15:54 d-----w- c:\program files\cleanmypc.exe
2010-09-02 04:37 . 2010-01-21 15:36 d-----w- c:\documents and settings\Stu\Application Data\vlc
2010-08-30 09:13 . 2009-08-28 13:15 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-08-28 13:33 . 2009-12-25 10:39 d-----w- c:\program files\THQ
2010-08-28 13:33 . 2009-08-13 19:18 d--h--w- c:\program files\InstallShield Installation Information
2010-08-13 18:09 . 2009-08-13 22:05 d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-08-08 08:27 . 2009-12-27 10:53 d-----w- c:\program files\Steam
2010-07-29 07:02 . 2010-07-29 07:02 d-----w- c:\program files\Free WMA to MP3 Converter
2010-07-29 06:33 . 2010-07-29 06:33 d-----w- c:\documents and settings\Stu\Application Data\MP3toiPodAudioBookConverter
2010-07-29 06:33 . 2010-07-29 06:33 d-----w- c:\program files\MP3ToIpodAudioBookConverter
2010-07-25 12:07 . 2009-08-13 21:01 69648 ----a-w- c:\documents and settings\Stu\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-25 10:23 . 2010-07-25 10:23 d-----w- c:\documents and settings\All Users\Application Data\Innovative Solutions
2010-07-25 10:23 . 2010-07-25 10:23 d-----w- c:\program files\Innovative Solutions
2010-07-22 10:19 . 2010-07-22 10:19 388096 ----a-r- c:\documents and settings\Stu\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-07-22 10:19 . 2010-07-22 10:19 d-----w- c:\program files\Trend Micro
2010-07-17 16:49 . 2010-07-17 16:48 d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts
2010-07-17 16:46 . 2009-08-15 19:33 d-----w- c:\program files\Electronic Arts
2010-07-17 16:29 . 2010-07-17 16:29 d-----w- c:\program files\Common Files\Adobe AIR
2010-07-17 16:28 . 2010-07-17 16:29 38784 ----a-w- c:\documents and settings\Stu\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-07-14 19:22 . 2010-07-14 19:20 d-----w- c:\program files\Adventure Pinball
2010-07-12 21:43 . 2010-07-12 21:43 159776 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-07-09 19:04 . 2010-07-09 19:04 41872 ----a-w- c:\windows\system32\xfcodec.dll
2010-07-08 21:10 . 2010-07-08 21:10 d-----w- c:\program files\AMD
2010-07-08 21:02 . 2010-07-08 21:02 d-----w- c:\documents and settings\All Users\Application Data\ATI
2010-07-08 20:55 . 2010-07-08 20:55 d-----w- c:\program files\Realtek AC97
2010-07-08 20:54 . 2009-08-13 20:51 d-----w- c:\program files\ATI Technologies
2010-07-08 17:20 . 2010-07-08 17:20 d-----w- c:\program files\Driver-Soft
2010-06-30 12:31 . 2004-08-04 12:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2004-08-04 12:00 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2004-08-04 12:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2004-08-04 12:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2009-08-13 17:09 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2004-08-04 12:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-09-02_20.55.11 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-09-03 17:12 . 2010-09-03 17:12 16384 c:\windows\Temp\Perflib_Perfdata_7d0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Window Washer"="c:\program files\Webroot\Washer\wwDisp.exe" [2007-11-26 1206600]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2010-08-24 247144]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-08-25 2424560]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"FG_Monitor"="c:\program files\Folder Guard Pro\FGKey.exe" [2008-01-04 118600]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-09-29 2054360]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\Stu\Start Menu\Programs\Startup\
Xfire.lnk - c:\program files\Xfire\Xfire.exe [2010-7-9 3493776]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HPZRCV01.LNK]
backup=c:\windows\pss\HPZRCV01.LNKCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-02-16 15:15 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2006-10-25 08:03 210472 ----a-w- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"SerialNumber"="A109A-K13-3ZXD-BAP5-TE"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe"=
"c:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"=
"c:\\Program Files\\THQ\\Company of Heroes\\RelicDownloader\\RelicDownloader.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\Firefly Studios\\CivCity Rome\\CivCity Rome.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\empire total war\\Empire.exe"=
"c:\\Program Files\\PPLive\\PPLive.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\napoleon total war\\Napoleon.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\PPStream\\PPStream.exe"=
"c:\\Program Files\\PPStream\\PPSAP.exe"=
"c:\\Program Files\\PPSGame\\PPSGame.exe"=
"c:\\Program Files\\THQ\\Dawn Of War\\W40k.exe"=
"c:\\Program Files\\THQ\\Dawn Of War\\W40kWA.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [29/09/2009 14:02 108792]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [29/09/2009 14:05 96408]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 19:25 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 19:41 67656]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [29/09/2009 14:03 735960]
R2 FGUARD32;FGUARD32;c:\program files\Folder Guard Pro\FGUARD32.SYS [13/08/2009 22:22 54008]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [24/08/2010 10:38 92008]
R2 wwEngineSvc;Window Washer Engine;c:\program files\Webroot\Washer\WasherSvc.exe [13/08/2009 22:36 598856]
R3 dvdfab;dvdfab;c:\windows\system32\drivers\dvdfab.sys [21/03/2010 10:53 42880]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [13/08/2009 20:18 17149]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [20/04/2010 14:36 24576]
.
Contents of the 'Scheduled Tasks' folder
2010-09-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-1563985344-839522115-1004Core.job
- c:\documents and settings\Stu\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-05-28 19:21]
2010-09-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-1563985344-839522115-1004UA.job
- c:\documents and settings\Stu\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-05-28 19:21]
.
.
Supplementary Scan
.
uStart Page = hxxp://news.bbc.co.uk/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5643
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: 111222.cn\list1
Trusted Zone: pps.tv\kan
Trusted Zone: pps.tv\list1
Trusted Zone: pps.tv\tvguide
Trusted Zone: pps.tv\vodguide
Trusted Zone: ppstream.com\list1
Trusted Zone: ppstream.com\notice
Trusted Zone: ppstream.com\xml1
Trusted Zone: ppstream.com\xml2
Trusted Zone: ppstream.com\xml3
Trusted Zone: ppstream.net\list1
Trusted Zone: ppstv.com\list1
Trusted Zone: ppstv.net\list1
Trusted Zone: security_PPStream.exe
FF - ProfilePath - c:\documents and settings\Stu\Application Data\Mozilla\Firefox\Profiles\dvvxgj6r.default\
FF - prefs.js: browser.startup.homepage - hxxp://news.bbc.co.uk/
FF - plugin: c:\documents and settings\Stu\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\Veetle\VLCBroadcast\npvbp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-03 18:24
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x895FFEC5]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba0ecf28
\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8
\Driver\atapi -> atapi.sys @ 0xb9f37852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579014
ParseProcedure -> 0x892c41b0
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579014
ParseProcedure -> 0x892c41b0
NDIS: NVIDIA nForce Networking Controller -> SendCompleteHandler -> NDIS.sys @ 0xb9ddabb0
PacketIndicateHandler -> NDIS.sys @ 0xb9de7a21
SendHandler -> NDIS.sys @ 0xb9dc587b
user & kernel MBR OK
**************************************************************************
.
LOCKED REGISTRY KEYS
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
DLLs Loaded Under Running Processes
- - - - - - - > 'winlogon.exe'(760)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'lsass.exe'(820)
c:\windows\system32\WININET.dll
.
Completion time: 2010-09-03 18:28:25
ComboFix-quarantined-files.txt 2010-09-03 17:28
ComboFix2.txt 2010-09-03 13:04
ComboFix3.txt 2010-09-02 20:58
ComboFix4.txt 2010-07-22 10:16
Pre-Run: 190,417,657,856 bytes free
Post-Run: 190,447,521,792 bytes free
- - End Of File - - 84D4D026060A5B64F3EBC2F8026A24420 -
Sorry Rik, I didn't see your last post before I posted the ComboFix log.
I take it you want me to run it again still.
Still getting an address blocked every 30 seconds; it says something like lKcKclcK1i1i.com/ then some other letters.
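An added triage script (not from the thread, not from ComboFix or any of the tools named in it) that reads the Supplementary Scan and catchme lines of a ComboFix log like the one posted above and flags the three items a helper would chase first: a ProxyServer value that points at 127.0.0.1 (IE is then handing every HTTP request to a listener on the machine itself, so whatever owns that port sees and can rewrite the browser's traffic), Trusted Zone additions (lowered IE security for those hosts), and the >>UNKNOWN [0x...]<< module that catchme reported in the disk I/O call chain. The sample input is constructed from lines of the posted log; the function names and severity labels are the example's own choices.

```python
"""Triage the 'Supplementary Scan' and catchme sections of a ComboFix log.

Added example, not part of the thread or of ComboFix; function names and
severity labels are this example's own.
"""
import re
from dataclasses import dataclass

# Constructed sample input: a few lines in the shape of the ComboFix log
# posted above (ProxyServer, Trusted Zone and catchme 'called modules').
SAMPLE_LOG = """\
uStart Page = hxxp://news.bbc.co.uk/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5643
Trusted Zone: 111222.cn\\list1
Trusted Zone: pps.tv\\kan
Trusted Zone: security_PPStream.exe
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x895FFEC5]<<
user & kernel MBR OK
"""


@dataclass
class Finding:
    severity: str   # "high": act on it; "review": check by hand; "info": context only
    line: str       # the log line that produced the finding
    note: str


PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?P<value>\S+)")
TRUSTED_RE = re.compile(r"^Trusted Zone:\s*(?P<entry>\S.*?)\s*$")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(?P<addr>0x[0-9A-Fa-f]+)\]<<")


def parse_proxy(value):
    """Split an IE ProxyServer value into (scheme, host, port) tuples.

    Accepts both the plain 'host:port' form and the per-protocol form
    'http=host:port;https=host:port'. Port is None when absent.
    """
    entries = []
    for part in value.split(";"):
        scheme, _, hostport = part.rpartition("=")
        host, _, port = hostport.rpartition(":")
        entries.append((scheme or "*", host or hostport,
                        int(port) if port.isdigit() else None))
    return entries


def is_loopback(host):
    return host == "localhost" or host.startswith("127.")


def triage(log_text):
    """Return a Finding for each indicator worth chasing, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = PROXY_RE.search(line)
        if m:
            for scheme, host, port in parse_proxy(m.group("value")):
                if is_loopback(host):
                    findings.append(Finding("high", line,
                        f"{scheme} traffic goes through a local listener on port {port}; "
                        f"identify its owning process before treating the browser as clean"))
                else:
                    findings.append(Finding("review", line,
                        f"{scheme} proxy set to {host}:{port}; confirm it is expected"))
            continue
        m = TRUSTED_RE.match(line)
        if m:
            entry = m.group("entry")
            # Entries are 'host\key'; a bare .exe name is not a hostname at all.
            looks_like_host = "." in entry.split("\\")[0] and not entry.lower().endswith(".exe")
            findings.append(Finding(
                "info" if looks_like_host else "review", line,
                "IE Trusted Zone entry (lowered security for this host)" if looks_like_host
                else "Trusted Zone entry that is not a hostname"))
            continue
        m = UNKNOWN_RE.search(line)
        if m:
            findings.append(Finding("high", line,
                f"catchme saw an unnamed module at {m.group('addr')} in the disk I/O call chain"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.note}\n         {f.line}")
```

The port number in the "high" proxy finding is the thing to chase next on the machine itself: `netstat -ano | findstr :5643` shows the PID listening on that port, and that process (not the browser) is what the antivirus is most likely blocking every 30 seconds. Clearing the ProxyServer value alone only stops IE using the listener; it does not remove whatever opened it.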
No need to run ComboFix again (well, I've not been through the log yet, but I mean no need to follow my previous instructions).
So you've run HostsXpert? If not, then do so.
Then/or run LSP Fix:
http://www.cexx.org/LSPFix.exe
So you've run HostsXpert? If not, then do so.
Then/or run LSP Fix:
http://www.cexx.org/LSPFix.exe
OK, I've done that as well. It said no problems found.
ESET is still continuously blocking the same address.