Infected with something, please see logs
[Deleted User]
Posts: 0 Newbie


Hi,
After switching on my laptop this morning a few dubious popups came up...
- Windows Firewall advising it'd blocked:
Name: Windows Explorer
Publisher: Microsoft Corporation
- An IE session pointing to (pr0N): http://hotbox.com/go?pid=p14497.submad_3548_9_1458
- An empty Adobe Reader window
- Another IE session pointing to: https://www.google.com/adsense/support/bin/request.py?contact=abg_afc&hideleadgen=1
- One final IE window pointing to: http://www.mcafee-downloads.co.uk/?gclid=CO2OtY6tvKgCFcJP4QodYQKwBA
Any help is appreciated!
MBAM, hijackthis and Avira logs below:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 6455
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
27/04/2011 10:27:51
mbam-log-2011-04-27 (10-27-51).txt
Scan type: Full scan (C:\|D:\|E:\|G:\|)
Objects scanned: 212653
Time elapsed: 40 minute(s), 33 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Comments
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:08:38, on 27/04/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\PowerKey.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\OSDCtrl.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
c:\program files\avira\antivir desktop\avcenter.exe
C:\Program Files\Avira\AntiVir Desktop\avscan.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Documents and Settings\Dave\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LaunchAp] "C:\Program Files\Launch Manager\LaunchAp.exe"
O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [LManager] "C:\Program Files\Launch Manager\HotkeyApp.exe"
O4 - HKLM\..\Run: [CtrlVol] "C:\Program Files\Launch Manager\CtrlVol.exe"
O4 - HKLM\..\Run: [LMgrOSD] "C:\Program Files\Launch Manager\OSDCtrl.exe"
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [eRecoveryService] C:\Windows\System32\Check.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [vmware-tray] "C:\Program Files\VMware\VMware Workstation\vmware-tray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware workstation\vsocklib.dll
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware workstation\vsocklib.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1282449575671
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Sandboxie Service (SbieSvc) - SANDBOXIE L.T.D - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware USB Arbitration Service (VMUSBArbService) - VMware, Inc. - C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
--
End of file - 7629 bytes
Avira AntiVir Personal
Report file date: 27 April 2011 10:34
Scanning for 2610427 virus strains and unwanted programs.
The program is running as an unrestricted full version.
Online services are available:
Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : DAVID
Version information:
BUILD.DAT : 10.0.0.648 31823 Bytes 4/1/2011 18:36:00
AVSCAN.EXE : 10.0.4.2 442024 Bytes 4/27/2011 09:32:54
AVSCAN.DLL : 10.0.3.0 46440 Bytes 4/1/2010 12:57:06
LUKE.DLL : 10.0.3.2 104296 Bytes 12/10/2010 19:22:16
LUKERES.DLL : 10.0.0.1 12648 Bytes 2/10/2010 23:40:50
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 09:05:36
VBASE001.VDF : 7.11.0.0 13342208 Bytes 12/14/2010 19:46:26
VBASE002.VDF : 7.11.3.0 1950720 Bytes 2/9/2011 15:29:50
VBASE003.VDF : 7.11.5.225 1980416 Bytes 4/7/2011 17:11:26
VBASE004.VDF : 7.11.5.226 2048 Bytes 4/7/2011 17:11:26
VBASE005.VDF : 7.11.5.227 2048 Bytes 4/7/2011 17:11:26
VBASE006.VDF : 7.11.5.228 2048 Bytes 4/7/2011 17:11:26
VBASE007.VDF : 7.11.5.229 2048 Bytes 4/7/2011 17:11:26
VBASE008.VDF : 7.11.5.230 2048 Bytes 4/7/2011 17:11:28
VBASE009.VDF : 7.11.5.231 2048 Bytes 4/7/2011 17:11:28
VBASE010.VDF : 7.11.5.232 2048 Bytes 4/7/2011 17:11:28
VBASE011.VDF : 7.11.5.233 2048 Bytes 4/7/2011 17:11:28
VBASE012.VDF : 7.11.5.234 2048 Bytes 4/7/2011 17:11:28
VBASE013.VDF : 7.11.6.28 158208 Bytes 4/11/2011 19:49:42
VBASE014.VDF : 7.11.6.74 116224 Bytes 4/13/2011 20:53:06
VBASE015.VDF : 7.11.6.113 137728 Bytes 4/14/2011 20:53:06
VBASE016.VDF : 7.11.6.150 146944 Bytes 4/18/2011 19:25:58
VBASE017.VDF : 7.11.6.192 138240 Bytes 4/20/2011 21:05:12
VBASE018.VDF : 7.11.6.237 156160 Bytes 4/22/2011 10:41:34
VBASE019.VDF : 7.11.6.238 2048 Bytes 4/22/2011 10:41:34
VBASE020.VDF : 7.11.6.239 2048 Bytes 4/22/2011 10:41:34
VBASE021.VDF : 7.11.6.240 2048 Bytes 4/22/2011 10:41:34
VBASE022.VDF : 7.11.6.241 2048 Bytes 4/22/2011 10:41:34
VBASE023.VDF : 7.11.6.242 2048 Bytes 4/22/2011 10:41:34
VBASE024.VDF : 7.11.6.243 2048 Bytes 4/22/2011 10:41:34
VBASE025.VDF : 7.11.6.244 2048 Bytes 4/22/2011 10:41:34
VBASE026.VDF : 7.11.6.245 2048 Bytes 4/22/2011 10:41:34
VBASE027.VDF : 7.11.6.246 2048 Bytes 4/22/2011 10:41:34
VBASE028.VDF : 7.11.6.247 2048 Bytes 4/22/2011 10:41:34
VBASE029.VDF : 7.11.6.248 2048 Bytes 4/22/2011 10:41:34
VBASE030.VDF : 7.11.6.249 2048 Bytes 4/22/2011 10:41:34
VBASE031.VDF : 7.11.7.21 197632 Bytes 4/27/2011 09:32:54
Engineversion : 8.2.4.214
AEVDF.DLL : 8.1.2.1 106868 Bytes 8/22/2010 03:56:56
AESCRIPT.DLL : 8.1.3.59 1261947 Bytes 4/23/2011 10:41:40
AESCN.DLL : 8.1.7.2 127349 Bytes 11/25/2010 17:35:18
AESBX.DLL : 8.1.3.2 254324 Bytes 11/25/2010 17:35:20
AERDL.DLL : 8.1.9.9 639347 Bytes 3/26/2011 17:55:34
AEPACK.DLL : 8.2.6.0 549237 Bytes 4/10/2011 18:21:08
AEOFFICE.DLL : 8.1.1.20 205177 Bytes 4/4/2011 21:57:58
AEHEUR.DLL : 8.1.2.105 3453303 Bytes 4/23/2011 10:41:38
AEHELP.DLL : 8.1.16.1 246134 Bytes 2/4/2011 16:10:58
AEGEN.DLL : 8.1.5.4 397684 Bytes 4/4/2011 21:57:54
AEEMU.DLL : 8.1.3.0 393589 Bytes 11/25/2010 17:35:14
AECORE.DLL : 8.1.20.2 196982 Bytes 4/10/2011 18:21:00
AEBB.DLL : 8.1.1.0 53618 Bytes 8/22/2010 03:56:50
AVWINLL.DLL : 10.0.0.0 19304 Bytes 1/14/2010 12:03:40
AVPREF.DLL : 10.0.0.0 44904 Bytes 1/14/2010 12:03:36
AVREP.DLL : 10.0.0.9 174120 Bytes 4/27/2011 09:32:54
AVREG.DLL : 10.0.3.2 53096 Bytes 11/4/2010 16:08:16
AVSCPLR.DLL : 10.0.4.2 84840 Bytes 4/27/2011 09:32:54
AVARKT.DLL : 10.0.22.6 231784 Bytes 12/10/2010 19:22:14
AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 1/26/2010 09:53:32
SQLITE3.DLL : 3.6.19.0 355688 Bytes 1/28/2010 12:58:00
AVSMTP.DLL : 10.0.0.17 63848 Bytes 3/16/2010 15:38:58
NETNT.DLL : 10.0.0.0 11624 Bytes 2/19/2010 14:41:02
RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 1/28/2010 13:10:22
RCTEXT.DLL : 10.0.58.0 97128 Bytes 11/4/2010 16:08:16
Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,, G:,
Process scan........................: on
Extended process scan...............: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium
Start of the scan: 27 April 2011 10:34
Starting search for hidden objects.
c:\program files\adobe\reader 9.0\reader\acrord32.exe
c:\program files\adobe\reader 9.0\reader\acrord32.exe
[NOTE] The process is not visible.
c:\program files\adobe\reader 9.0\reader\acrord32.exe
c:\program files\synaptics\syntp\syntplpr.exe
c:\program files\synaptics\syntp\syntplpr.exe
[NOTE] The process is not visible.
The scan of running processes will be started
Scan process 'rsmsink.exe' - '31' Module(s) have been scanned
Scan process 'msdtc.exe' - '42' Module(s) have been scanned
Scan process 'dllhost.exe' - '62' Module(s) have been scanned
Scan process 'dllhost.exe' - '47' Module(s) have been scanned
Scan process 'vssvc.exe' - '50' Module(s) have been scanned
Scan process 'avscan.exe' - '72' Module(s) have been scanned
Scan process 'avcenter.exe' - '65' Module(s) have been scanned
Scan process 'sched.exe' - '55' Module(s) have been scanned
Scan process 'avgnt.exe' - '53' Module(s) have been scanned
Scan process 'avshadow.exe' - '28' Module(s) have been scanned
Scan process 'avguard.exe' - '56' Module(s) have been scanned
Scan process 'NOTEPAD.EXE' - '29' Module(s) have been scanned
Scan process 'iexplore.exe' - '94' Module(s) have been scanned
Scan process 'AcroRd32.exe' - '49' Module(s) have been scanned
Scan process 'iexplore.exe' - '102' Module(s) have been scanned
Scan process 'iexplore.exe' - '73' Module(s) have been scanned
Scan process 'jucheck.exe' - '51' Module(s) have been scanned
Scan process 'wuauclt.exe' - '39' Module(s) have been scanned
Scan process 'firefox.exe' - '97' Module(s) have been scanned
Scan process 'rundll32.exe' - '37' Module(s) have been scanned
Scan process 'alg.exe' - '35' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '43' Module(s) have been scanned
Scan process 'vmware-authd.exe' - '62' Module(s) have been scanned
Scan process 'vmnetdhcp.exe' - '15' Module(s) have been scanned
Scan process 'vmware-usbarbitrator.exe' - '24' Module(s) have been scanned
Scan process 'svchost.exe' - '41' Module(s) have been scanned
Scan process 'jqs.exe' - '35' Module(s) have been scanned
Scan process 'anbmServ.exe' - '40' Module(s) have been scanned
Scan process 'SbieCtrl.exe' - '33' Module(s) have been scanned
Scan process 'ctfmon.exe' - '28' Module(s) have been scanned
Scan process 'vmware-tray.exe' - '22' Module(s) have been scanned
Scan process 'jusched.exe' - '29' Module(s) have been scanned
Scan process 'SOUNDMAN.EXE' - '27' Module(s) have been scanned
Scan process 'Wbutton.exe' - '38' Module(s) have been scanned
Scan process 'OSDCtrl.exe' - '26' Module(s) have been scanned
Scan process 'HotkeyApp.exe' - '58' Module(s) have been scanned
Scan process 'PowerKey.exe' - '19' Module(s) have been scanned
Scan process 'LaunchAp.exe' - '21' Module(s) have been scanned
Scan process 'atiptaxx.exe' - '37' Module(s) have been scanned
Scan process 'SynTPEnh.exe' - '29' Module(s) have been scanned
Scan process 'SynTPLpr.exe' - '22' Module(s) have been scanned
Scan process 'svchost.exe' - '36' Module(s) have been scanned
Scan process 'spoolsv.exe' - '54' Module(s) have been scanned
Scan process 'Explorer.EXE' - '185' Module(s) have been scanned
Scan process 'svchost.exe' - '39' Module(s) have been scanned
Scan process 'Ati2evxx.exe' - '22' Module(s) have been scanned
Scan process 'svchost.exe' - '34' Module(s) have been scanned
Scan process 'svchost.exe' - '175' Module(s) have been scanned
Scan process 'SbieSvc.exe' - '28' Module(s) have been scanned
Scan process 'svchost.exe' - '40' Module(s) have been scanned
Scan process 'svchost.exe' - '53' Module(s) have been scanned
Scan process 'Ati2evxx.exe' - '17' Module(s) have been scanned
Scan process 'lsass.exe' - '60' Module(s) have been scanned
Scan process 'services.exe' - '29' Module(s) have been scanned
Scan process 'winlogon.exe' - '69' Module(s) have been scanned
Scan process 'csrss.exe' - '14' Module(s) have been scanned
Scan process 'smss.exe' - '2' Module(s) have been scanned
Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!
Boot sector 'G:\'
[INFO] No virus was found!
Starting to scan executable files (registry).
The registry was scanned ( '1021' files ).
Starting the file scan:
Begin scan in 'C:\' <ACER>
Begin scan in 'D:\' <ACERDATA>
Begin scan in 'G:\' <My Book>
End of the scan: 27 April 2011 11:27
Used time: 53:06 Minute(s)
The scan has been done completely.
7726 Scanned directories
388918 Files were scanned
0 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
0 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
388918 Files not concerned
7518 Archives were scanned
0 Warnings
2 Notes
346732 Objects were scanned with rootkit scan
3 Hidden objects were found
Sounds like Rootkit level activity. Run this and see if it detects anything:
http://www.surfright.nl/en/downloads
If my post helped you in any way, please hit the "Thanks" button! Please note any advice I give is followed at your own risk!
Trinitrotoluene wrote: »Sounds like Rootkit level activity. Run this and see if it detects anything:
http://www.surfright.nl/en/downloads
Clean (struggling to find a log to upload)
Hmm. Just out of interest have you restarted to see if this happens every time? If it does at what point of the loading process does it occur?
If my post helped you in any way, please hit the "Thanks" button! Please note any advice I give is followed at your own risk!
follow this
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
post the log file
if it fails to run then download Rkill (and its variants) and try them until a black DOS screen opens and it runs, then try combofix again straight away
http://www.bleepingcomputer.com/download/anti-virus/rkill
Ex forum ambassador
Long term forum member
Trinitrotoluene wrote: »Hmm. Just out of interest have you restarted to see if this happens every time? If it does at what point of the loading process does it occur?
follow this
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
post the log file
if it fails to run then download Rkill (and its variants) and try them until a black DOS screen opens and it runs, then try combofix again straight away
http://www.bleepingcomputer.com/download/anti-virus/rkill
Thanks - I'll post the results in a little while.
follow this
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
post the log file
if it fails to run then download Rkill (and its variants) and try them until a black DOS screen opens and it runs, then try combofix again straight away
http://www.bleepingcomputer.com/download/anti-virus/rkill
While copying the log file here a 'Windows Security Alert' has popped up again:
ComboFix 11-04-26.03 - Dave 27/04/2011 12:19:57.1.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.292 [GMT 1:00]
Running from: c:\documents and settings\Dave\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\841563141.dll
c:\windows\XSxS
.
.
((((((((((((((((((((((((( Files Created from 2011-03-27 to 2011-04-27 )))))))))))))))))))))))))))))))
.
.
2011-04-27 10:59 . 2011-04-27 10:59 d-----w- c:\program files\Sophos
2011-04-27 10:51 . 2011-04-27 10:51 d-----w- c:\documents and settings\Dave\Application Data\SUPERAntiSpyware.com
2011-04-27 10:50 . 2011-04-27 10:50 d-----w- c:\program files\SUPERAntiSpyware
2011-04-27 10:46 . 2011-04-27 10:46 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-04-27 10:45 . 2011-04-27 10:45 d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2011-04-25 21:26 . 2011-04-25 21:27 d-----w- c:\program files\Common Files\Data
2011-04-25 21:24 . 2011-04-25 21:24 197632 ----a-w- c:\program files\Common Files\OnlineFilesManager.dll
2011-04-23 15:39 . 2011-04-23 15:39 d-----w- c:\documents and settings\Dave\Application Data\Convivea
2011-04-23 15:39 . 2011-04-23 15:39 d-----w- c:\program files\Bit Che
2011-04-17 20:32 . 2011-04-17 20:32 d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-04-14 02:39 . 2011-04-14 02:39 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2011-04-14 02:39 . 2011-04-14 02:39 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-19 17:33 . 2010-08-22 03:55 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-03-07 05:33 . 2004-09-14 12:03 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 1979-12-31 23:00 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 1979-12-31 23:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 1979-12-31 23:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 1979-12-31 23:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 1979-12-31 23:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:42 . 1979-12-31 23:00 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 13:18 . 1979-12-31 23:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 1979-12-31 23:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2010-08-21 20:39 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 1979-12-31 23:00 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 12:53 . 1979-12-31 23:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 12:53 . 1979-12-31 23:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33 . 1979-12-31 23:00 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 1979-12-31 23:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 06:58 . 2004-09-14 12:01 2067456 ----a-w- c:\windows\system32\mstscax.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Dave\Application Data\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Dave\Application Data\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Dave\Application Data\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Online Files]
@="{B82655E9-B81D-4A97-8154-0D84A4C048E4}"
[HKEY_CLASSES_ROOT\CLSID\{B82655E9-B81D-4A97-8154-0D84A4C048E4}]
2011-04-25 21:24 197632 ----a-w- c:\program files\Common Files\OnlineFilesManager.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2010-10-17 404200]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-04-20 2423752]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"preload"="c:\windows\RUNXMLPL.exe" [2004-04-20 40960]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-05 688218]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-05 339968]
"LaunchAp"="c:\program files\Launch Manager\LaunchAp.exe" [2005-03-30 32768]
"PowerKey"="c:\program files\Launch Manager\PowerKey.exe" [2002-08-30 94208]
"LManager"="c:\program files\Launch Manager\HotkeyApp.exe" [2005-05-19 69632]
"CtrlVol"="c:\program files\Launch Manager\CtrlVol.exe" [2003-09-16 20480]
"LMgrOSD"="c:\program files\Launch Manager\OSDCtrl.exe" [2004-10-11 245760]
"Wbutton"="c:\program files\Launch Manager\Wbutton.exe" [2005-04-18 81920]
"eRecoveryService"="c:\windows\System32\Check.exe" [2005-03-23 245760]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-04 281768]
"SoundMan"="SOUNDMAN.EXE" [2005-08-17 90112]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"vmware-tray"="c:\program files\VMware\VMware Workstation\vmware-tray.exe" [2010-11-11 129648]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Documents and Settings\\Dave\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Steam\\SteamApps\\origdav\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\VMware\\VMware Workstation\\vmware-authd.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 19:25 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 19:41 67656]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [22/08/2010 04:55 136360]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [11/11/2010 13:48 70768]
R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [11/11/2010 12:31 539248]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [01/01/1980 200192]
R3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\18.tmp --> c:\windows\system32\18.tmp [?]
R3 POWERKEY;POWERKEY;c:\program files\Launch Manager\POWERKEY.SYS [22/08/2010 04:38 2343]
S1 mailKmd;mailKmd; [x]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 13:16 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [21/12/2010 15:24 136176]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [01/01/1980 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 13:16 753504]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MEMSWEEP2
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-21 14:24]
.
2011-04-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-21 14:24]
.
.
Supplementary Scan
.
uStart Page = hxxp://www.google.co.uk/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\program files\VMware\VMware Workstation\vsocklib.dll
FF - ProfilePath - c:\documents and settings\Dave\Application Data\Mozilla\Firefox\Profiles\r2nc36eo.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: WebMail Notifier: {37fa1426-b82d-11db-8314-0800200c9a66} - %profile%\extensions\{37fa1426-b82d-11db-8314-0800200c9a66}
FF - Ext: New Tab Homepage: {66E978CD-981F-47DF-AC42-E3CF417C1467} - %profile%\extensions\{66E978CD-981F-47DF-AC42-E3CF417C1467}
FF - Ext: British English Dictionary: en-GB@dictionaries.addons.mozilla.org - %profile%\extensions\en-GB@dictionaries.addons.mozilla.org
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-27 12:23
Windows 5.1.2600 Service Pack 3 FAT NTAPI
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\18.tmp"
.
DLLs Loaded Under Running Processes
.
- - - - - - - > 'winlogon.exe'(988)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2011-04-27 12:24:42
ComboFix-quarantined-files.txt 2011-04-27 11:24
.
Pre-Run: 1,507,196,928 bytes free
Post-Run: 1,679,065,088 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect
.
- - End Of File - - CFADE70EDF227509B95567AF98FE7118
More logs...
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 04/27/2011 at 01:02 PM
Application Version : 4.51.1000
Core Rules Database Version : 6933
Trace Rules Database Version: 4745
Scan type : Complete Scan
Total Scan Time : 00:29:47
Memory items scanned : 513
Memory threats detected : 0
Registry items scanned : 5777
Registry threats detected : 0
File items scanned : 22244
File threats detected : 1
Rogue.Agent/Gen-Nullo[DLL]
C:\WINDOWS\SYSTEM32\11265435941.DLL
This discussion has been closed.