What the Tech logo
Welcome! Register for a free account (or login) > How does it work?
  1. Quickly register. It will only take 60 seconds.
  2. Start a new topic. Ask your question. Wait for an email reply.
  3. Is your system infected? Begin reading the malware removal guide.
 register button
2 Pages V   1 2 >  
 Closed TopicStart new topic
> [Resolved] Koobface worm infection
teebee17
post Oct 25 2009, 10:51 AM
Post #1


New Member
*

Group: Authentic Member
Posts: 18
Joined: 28-May 05
Member No.: 33,333
Operating System: Windows Vista Home Premium
I have been infected with the Koobface worm it appears. I went through the self help steps, ran ATF Cleaner and Malwarebytes' Anti-Malware, followed all steps including reboot and I am posting the log.

Malwarebytes' Anti-Malware 1.41
Database version: 3030
Windows 6.0.6002 Service Pack 2

10/25/2009 12:33:24 PM
mbam-log-2009-10-25 (12-33-24).txt

Scan type: Quick Scan
Objects scanned: 89170
Time elapsed: 7 minute(s), 8 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
C:\Windows\pp12.exe (Worm.KoobFace) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pp (Worm.KoobFace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\010112010146116101.xxe (KoobFace.Trace) -> Quarantined and deleted successfully.
C:\Windows\0101120101464955.xxe (KoobFace.Trace) -> Quarantined and deleted successfully.
C:\Windows\0101120101465050.xxe (KoobFace.Trace) -> Quarantined and deleted successfully.
C:\Windows\bk23567.dat (KoobFace.Trace) -> Quarantined and deleted successfully.
C:\Windows\fdgg34353edfgdfdf (KoobFace.Trace) -> Quarantined and deleted successfully.
C:\Windows\ld15.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\Windows\pp12.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
Go to the top of the page
 
+Quote Post
SweetTech
post Oct 25 2009, 12:35 PM
Post #2


SuperMember
Group Icon

Group: Malware Team
Posts: 2,148
Joined: 15-March 09
From: Antarctica
Member No.: 84,696
Operating System: Vista
Hello teebee17! Welcome to WTT.

Please be advised, as I am still in training, all my replies to you will be checked for accuracy by one of our experts to ensure that I am giving you the best possible advise.
This may cause a delay, but I will do my best to keep it as short as possible.

I am checking over your log , I will post back shortly with instructions.
Go to the top of the page
 
+Quote Post
teebee17
post Oct 25 2009, 12:52 PM
Post #3


New Member
*

Group: Authentic Member
Posts: 18
Joined: 28-May 05
Member No.: 33,333
Operating System: Windows Vista Home Premium
Thank you. I'll wait for your response.
Go to the top of the page
 
+Quote Post
SweetTech
post Oct 25 2009, 01:35 PM
Post #4


SuperMember
Group Icon

Group: Malware Team
Posts: 2,148
Joined: 15-March 09
From: Antarctica
Member No.: 84,696
Operating System: Vista
My name is SweetTech. I would be glad to take a look at your log and help you with solving any malware problems. The logs from our tools can take a while to research, so please be patient and I'd be grateful if you would note the following:
  • I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • You will need to run all tools as an Administrator. To run a program as an Administrator you must right click on the program and select "Run as Administrator"
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

Please do not delete anything unless instructed to.

STEP 1.
Please download DDS by sUBs from one of the following links and save it to your desktop.

  • Disable any script blocking protection (How to Disable your Security Programs)
  • Double click DDS icon to run the tool (may take up to 3 minutes to run)
  • When done, DDS.txt will open.
  • After a few moments, attach.txt will open in a second window.
  • Save both reports to your desktop.
---------------------------------------------------
  • Post the contents of the DDS.txt report in your next reply
  • Attach the Attach.txt report to your post by doing the following:
    • Under the reply panel is the Attachments Panel
    • Browse for the attachment file you want to upload, then click the green Upload button
    • Once it has uploaded, click the Manage Current Attachments drop down box
    • Click on to insert the attachment into your post
____________________________________________________
STEP 2.
Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Right Click on the GMER.exe icon and select "Run as Administrator".
Accept the prompt to allow GMER to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.
____________________________________________________
Please make sure you include the following items in your next post:
1. The logs that were produced after running DDS.
2. The log that was produced after running GMER.
3. An update on how your computer is currently running as well as if you are experiencing any problems?
Go to the top of the page
 
+Quote Post
teebee17
post Oct 25 2009, 10:44 PM
Post #5


New Member
*

Group: Authentic Member
Posts: 18
Joined: 28-May 05
Member No.: 33,333
Operating System: Windows Vista Home Premium
Hi,
I think I have everything you asked for. The computer has been fine since I ran Malwarebytes' Anti-Malware before I posted. i was getting a lot of pop-ups for virus scan, etc. I posted to make sure it is totally cleaned.


Ok, here is the attachment:

Attached File  Attach.txt ( 5.42K ) Number of downloads: 62


Here is the DDS.txt:


DDS (Ver_09-10-24.04) - NTFSx86
Run by jayFREE at 23:39:46.86 on Sun 10/25/2009
Internet Explorer: 8.0.6001.18828 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.958.274 [GMT -4:00]

SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\WinService.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\hp\kbd\kbd.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Common Files\Adobe\Updater6\Adobe_Updater.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\jayFREE\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.comcast.net/
uSearch Bar = about:blank
mSearch Bar = about:blank
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! ¤u¨ã¦C: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Yahoo! ¤u¨ã¦C: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
mRun: [KBD] c:\hp\kbd\KbdStub.EXE
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\users\jayfree\appdata\roaming\microsoft\windows\start menu\programs\startup\YPOPs.lnk.disabled
StartupFolder: c:\programdata\microsoft\windows\start menu\programs\startup\Kodak EasyShare software.lnk.disabled
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

================= FIREFOX ===================

FF - ProfilePath - c:\users\jayfree\appdata\roaming\mozilla\firefox\profiles\4bex005d.default\
FF - prefs.js: browser.search.defaulturl - hxxp://fruttisearch.com/search.php?q=
FF - prefs.js: browser.search.selectedEngine - Search
FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net/
FF - prefs.js: keyword.URL - hxxp://fruttisearch.com/search.php?q=
FF - component: c:\users\jayfree\appdata\roaming\mozilla\firefox\profiles\4bex005d.default\extensions\{39124730-0779-11de-8c30-0800200c9a66}\components\daff.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\users\jayfree\appdata\roaming\move networks\plugins\npqmp071500000347.dll
FF - plugin: c:\users\jayfree\appdata\roaming\move networks\plugins\npqmp071505000010.dll
FF - plugin: c:\users\jayfree\appdata\roaming\mozilla\plugins\NPAbacheck.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

As per the instructions you would have received, kindly ensure any onboard
script blocking tools have been disabled for they shall interfere with DDS.

DDS is a non-invasive diagnostic tool.

- DDS makes no registry writes/changes

- DDS does not create any permanent files/folders.

This scan should not take longer than three minutes to complete.

When the scan is complete, a logfile/report shall pop open.

Post the contents of the logfile to the forum where it was requested

We only require it to run just once. Dispose after use.


:::::::::::::::::::::::::::::::::::::::

---- FIREFOX POLICIES ----
FF - user.js: keyword.enabled - true
FF - user.js: google.toolbar.linkdoctor.enabled - false

============= SERVICES / DRIVERS ===============

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-7-24 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-3-14 47640]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2007-10-10 42112]

=============== Created Last 30 ================

2009-10-25 15:34:16 0 d-----w- c:\windows\system32\eu-ES
2009-10-25 15:34:16 0 d-----w- c:\windows\system32\ca-ES
2009-10-25 15:34:11 0 d-----w- c:\windows\system32\vi-VN
2009-10-25 15:12:15 0 d-----w- c:\windows\system32\EventProviders
2009-10-25 15:09:13 319456 ----a-w- c:\windows\DIFxAPI.dll
2009-10-25 14:11:05 56832 ------w- c:\windows\tqfqfkpi.knn
2009-10-25 14:09:59 2 ----a-w- c:\windows\010112010146101105.rx
2009-10-14 06:40:57 218624 ----a-w- c:\windows\system32\msv1_0.dll
2009-10-14 06:40:54 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-10-14 06:40:53 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-10-14 06:40:39 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2009-10-14 06:36:08 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-10-14 06:36:03 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-10-10 15:24:04 0 d-----w- c:\users\jayfree\Office Genuine Advantage
2009-10-10 01:03:40 102400 ----a-w- c:\windows\system32\tsccvid.dll
2009-10-01 05:07:21 0 d-----w- c:\users\jayfree\appdata\roaming\Malwarebytes
2009-10-01 05:07:10 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-01 05:07:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-01 05:07:07 0 d-----w- c:\programdata\Malwarebytes
2009-10-01 05:07:06 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-30 21:41:08 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-09-30 21:40:09 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-09-30 21:38:38 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-09-30 21:38:38 171608 ----a-w- c:\windows\system32\wuwebv.dll

==================== Find3M ====================

2009-10-25 15:44:07 86016 ----a-w- c:\windows\inf\infstor.dat
2009-10-25 15:44:07 51200 ----a-w- c:\windows\inf\infpub.dat
2009-10-25 15:44:07 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-10-25 15:33:56 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-10-25 15:21:22 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
2009-09-16 14:22:48 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 14:22:48 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 14:22:48 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 14:22:48 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 14:22:14 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-08-29 00:27:49 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-29 00:14:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-27 05:22:28 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 05:17:43 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-08-27 05:17:43 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-08-27 03:42:29 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-18 03:33:52 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-14 15:53:34 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 13:49:20 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 13:49:18 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 13:49:18 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 13:49:15 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 13:49:14 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 13:49:14 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 13:49:13 10240 ----a-w- c:\windows\system32\finger.exe
2009-08-14 13:48:02 105984 ----a-w- c:\windows\system32\netiohlp.dll
2009-08-03 19:07:42 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 19:07:42 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 19:07:42 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
2008-04-04 18:09:23 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 23:43:50.49 ===============


Here is the GMER.txt:

GMER 1.0.15.15163 - http://www.gmer.net
Rootkit quick scan 2009-10-26 00:40:32
Windows 6.0.6002 Service Pack 2
Running: gmer.exe; Driver: C:\Users\jayFREE\AppData\Local\Temp\pglirkob.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x8C78179E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0x8C781738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0x8C78174C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x8C7817DC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0x8C78181F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0x8C781710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0x8C781724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0x8C7817B2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0x8C781847]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0x8C781833]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0x8C78178A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x8C781776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0x8C78180B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x8C7817F2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0x8C7817C8]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateUserProcess [0x8C781762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----
Go to the top of the page
 
+Quote Post
SweetTech
post Oct 28 2009, 08:41 AM
Post #6


SuperMember
Group Icon

Group: Malware Team
Posts: 2,148
Joined: 15-March 09
From: Antarctica
Member No.: 84,696
Operating System: Vista
STEP 1.
SPYBOT TEATIMER
  • Launch Spybot S&D, go to the Mode menu and make sure "Advanced Mode" is selected.
  • On the left hand side, click on Tools, then click on the Resident Icon in the list.
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • Click on the "System Startup" icon in the List
  • Uncheck the "TeaTimer" box and "OK" any prompts.
  • If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
  • Exit Spybot S&D when done.
  • (When we are done, you can re-enable Teatimer using the same steps but this time place a check next to "Resident TeaTimer" and check the "TeaTimer" box in System Startup.]
____________________________________________________
STEP 2.
Please go to: VirusTotal

  • Click the Browse button and search for the following file: c:\windows\tqfqfkpi.knn
  • Click Open
  • Then click Send File
  • Please be patient while the file is scanned.
  • Once the scan results appear, please provide them in your next reply.

If it says already scanned -- click "reanalyze now"

Please post the results in your next reply
____________________________________________________
STEP 3.
Download ComboFix from one of the following locations:
Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
    When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt for further review.


Please make sure you include the following items in your next post:
1. The log that was produced after running ComboFix.
2. The log that was produced after scanning the file via VirusTotal.
3. An update on how your computer is running.
Go to the top of the page
 
+Quote Post
teebee17
post Oct 28 2009, 08:22 PM
Post #7


New Member
*

Group: Authentic Member
Posts: 18
Joined: 28-May 05
Member No.: 33,333
Operating System: Windows Vista Home Premium
Hi,

Here is the report from VirusTotal:

File tqfqfkpi.knn received on 2009.10.29 01:28:07 (UTC)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 23/41 (56.1%)
Loading server information...
Your file is queued in position: 3.
Estimated start time is between 61 and 87 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Compact
Print results Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:

Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.10.28 Trojan.Packed.Hiloti!IK
AhnLab-V3 5.0.0.2 2009.10.28 -
AntiVir 7. 9.1.50 2009.10.28 Worm/Koobface.cif
Antiy-AVL 2.0.3.7 2009.10.27 -
Authentium 5.1.2.4 2009.10.28 -
Avast 4.8.1351.0 2009.10.28 -
AVG 8.5.0.423 2009.10.28 SHeur2.BOBF
BitDefender 7.2 2009.10.29 Trojan.Packed.Hiloti.Gen.2
CAT-QuickHeal 10.00 2009.10.28 (Suspicious) - DNAScan
ClamAV 0.94.1 2009.10.28 -
Comodo 2761 2009.10.29 TrojWare.Win32.Trojan.Agent.Gen
DrWeb 5.0.0.12182 2009.10.28 Win32.HLLW.Facebook.287
eSafe 7.0.17.0 2009.10.28 Suspicious File
eTrust-Vet 35.1.7088 2009.10.28 -
F-Prot 4.5.1.85 2009.10.28 -
F-Secure 9.0.15370.0 2009.10.27 Trojan:W32/Agent.MFC
Fortinet 3.120.0.0 2009.10.28 W32/Koobface.CIF!worm.im
GData 19 2009.10.29 Trojan.Packed.Hiloti.Gen.2
Ikarus T3.1.1.72.0 2009.10.28 Trojan.Packed.Hiloti
Jiangmin 11.0.800 2009.10.26 -
K7AntiVirus 7.10.881 2009.10.27 -
Kaspersky 7.0.0.125 2009.10.29 Net-Worm.Win32.Koobface.cif
McAfee 5785 2009.10.28 -
McAfee+Artemis 5785 2009.10.28 Artemis!E3D7C61BC5A4
McAfee-GW-Edition 6.8.5 2009.10.28 Heuristic.LooksLike.Trojan.Agent.B
Microsoft 1.5202 2009.10.28 VirTool:Win32/Obfuscator.HL
NOD32 4553 2009.10.28 Win32/Koobface.NCK
Norman 6.03.02 2009.10.28 -
nProtect 2009.1.8.0 2009.10.28 -
Panda 10.0.2.2 2009.10.28 W32/Koobface.FV.worm
PCTools 4.4.2.0 2009.10.19 -
Prevx 3.0 2009.10.29 P2P Share High Risk Worm
Rising 21.53.24.00 2009.10.28 -
Sophos 4.46.0 2009.10.28 Mal/Generic-A
Sunbelt 3.2.1858.2 2009.10.27 -
Symantec 1.4.4.12 2009.10.29 Packed.Generic.262
TheHacker 6.5.0.2.056 2009.10.28 -
TrendMicro8.950.0.1094 2009.10.28 TROJ_MALWARE.VTG
VBA32 3.12.10.11 2009.10.27 -
ViRobot 2009.10.28.2009 2009.10.28 Worm.Win32.Net-Koobface.56832.B
VirusBuster 4.6.5.0 2009.10.28 -
Additional information
File size: 56832 bytes
MD5...: e3d7c61bc5a49b916af692402c7b5d18
SHA1..: cc914884adc24f3a4189e7109f036398ee8b802b
SHA256: ddcc8a54ded1f98f00fc810fafd506493979ad9802f3b5870936290c524bc9d9
ssdeep: 1536:bSWrJ6pfjqRPsec+05LzSTB01wAoZ8+C5I:bHNqrKPsU0RST2kZ8S
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x10e6
timedatestamp.....: 0x35d1d697 (Wed Aug 12 17:53:27 1998)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xa10e 0xa200 7.91 2853eebae51b5e06436e01bd2b1bb980
.data 0xc000 0x3524 0x2e00 5.52 af4c712d87b2cfaba8882835662be48d
.rsrc 0x10000 0x688 0x800 3.88 7bb5d5b29e4fad243c57ef55d6887396
.pdata 0x11000 0x9cb 0x1c2 0.00 16b41a8dee51a47cf362ec449b2a4ab0

( 1 imports )
> msvcrt.dll: _c_exit, __getmainargs, _i64tow, __initenv, isleadbyte, _getpid, _getpid

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Generic Win/DOS Executable (49.9%)
DOS Executable Generic (49.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
ThreatExpert info: <a href='http://www.threatexpert.com/report.aspx?md5=e3d7c61bc5a49b916af692402c7b5d18' target='_blank'>http://www.threatexpert.com/report.aspx?md5=e3d7c61bc5a49b916af692402c7b5d18</a>
sigcheck:
publisher....: Gamelab
copyright....: Copyright © 2007 by Gamelab
product......: Miss Management
description..: Miss Management
original name: Miss Management.exe
internal name: n/a
file version.: 1.0.0.0
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
<a href='http://info.prevx.com/aboutprogramtext.asp?PX5=52725FA400C8061BDE710006265BCB000B1F2038' target='_blank'>http://info.prevx.com/aboutprogramtext.asp?PX5=52725FA400C8061BDE710006265BCB000B1F2038</a>


The ComboFix log:

ComboFix 09-10-28.01 - jayFREE 10/28/2009 21:43.1.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.958.288 [GMT -4:00]
Running from: c:\users\jayFREE\Desktop\ComboFix.exe
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\recycler\S-1-5-21-1313129572-1392768608-615481691-1008
c:\windows\010112010146101105.rx
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-29 )))))))))))))))))))))))))))))))
.

2009-10-29 01:54 . 2009-10-29 01:55 -------- d-----w- c:\users\jayFREE\AppData\Local\temp
2009-10-29 01:54 . 2009-10-29 01:54 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-10-27 23:56 . 2009-10-28 02:14 -------- d-----w- c:\users\jayFREE\AppData\Roaming\KeePass
2009-10-27 23:27 . 2009-10-27 23:27 -------- d-----w- c:\program files\KeePass Password Safe 2
2009-10-27 23:19 . 2009-09-10 14:58 310784 ----a-w- c:\windows\system32\unregmp2.exe
2009-10-27 23:19 . 2009-09-10 14:59 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-10-26 03:28 . 2009-10-26 03:28 -------- d-----w- c:\users\jayFREE\AppData\Local\Apple
2009-10-25 18:54 . 2009-10-25 18:54 -------- d-----w- c:\windows\Sun
2009-10-25 17:51 . 2009-10-25 18:12 -------- d-----w- c:\users\jayFREE\AppData\Local\Adobe
2009-10-25 16:39 . 2009-10-25 16:39 -------- d-----w- c:\users\jayFREE\AppData\Local\Apple Computer
2009-10-25 15:34 . 2009-10-25 15:36 -------- d-----w- c:\windows\system32\ca-ES
2009-10-25 15:34 . 2009-10-25 15:36 -------- d-----w- c:\windows\system32\eu-ES
2009-10-25 15:34 . 2009-10-25 15:35 -------- d-----w- c:\windows\system32\vi-VN
2009-10-25 15:12 . 2009-10-25 15:12 -------- d-----w- c:\windows\system32\EventProviders
2009-10-25 15:09 . 2009-10-25 15:09 319456 ----a-w- c:\windows\DIFxAPI.dll
2009-10-14 06:40 . 2009-09-10 16:48 218624 ----a-w- c:\windows\system32\msv1_0.dll
2009-10-14 06:40 . 2009-08-04 12:34 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-10-14 06:40 . 2009-08-04 12:34 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-10-14 06:40 . 2009-05-08 12:53 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2009-10-14 06:36 . 2009-09-04 11:41 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-10-14 06:36 . 2009-09-14 09:29 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-10-10 15:24 . 2009-10-10 15:24 -------- d-----w- c:\users\jayFREE\Office Genuine Advantage
2009-10-10 01:03 . 2005-06-15 07:00 102400 ----a-w- c:\windows\system32\tsccvid.dll
2009-10-01 05:07 . 2009-10-01 05:07 -------- d-----w- c:\users\jayFREE\AppData\Roaming\Malwarebytes
2009-10-01 05:07 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-01 05:07 . 2009-10-01 05:07 -------- d-----w- c:\programdata\Malwarebytes
2009-10-01 05:07 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-01 05:07 . 2009-10-25 16:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-30 21:41 . 2009-08-07 02:24 44768 ----a-w- c:\windows\system32\wups2.dll
2009-09-30 21:41 . 2009-08-07 02:24 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-09-30 21:41 . 2009-08-07 01:45 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-09-30 21:41 . 2009-08-07 02:23 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-09-30 21:40 . 2009-08-07 02:24 35552 ----a-w- c:\windows\system32\wups.dll
2009-09-30 21:40 . 2009-08-07 02:23 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-09-30 21:40 . 2009-08-07 01:44 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-09-30 21:38 . 2009-08-06 23:23 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-09-30 21:38 . 2009-08-06 22:44 33792 ----a-w- c:\windows\system32\wuapp.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-28 23:33 . 2008-06-20 23:30 -------- d-----w- c:\programdata\Google Updater
2009-10-28 07:22 . 2009-03-14 15:20 -------- d-----w- c:\program files\LogMeIn
2009-10-25 15:36 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-10-25 15:36 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-10-25 15:36 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-10-25 15:36 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2009-10-25 15:36 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2009-10-25 15:36 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2009-10-25 15:36 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-10-25 15:09 . 2008-04-01 11:06 -------- d-----w- c:\program files\Viewpoint
2009-10-25 15:05 . 2008-03-31 19:16 -------- d-----w- c:\program files\McAfee
2009-10-18 00:30 . 2009-05-10 20:30 -------- d-----w- c:\users\jayFREE\AppData\Roaming\Move Networks
2009-10-14 07:06 . 2008-04-01 11:52 -------- d-----w- c:\programdata\Microsoft Help
2009-10-01 05:22 . 2008-05-24 19:21 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-30 22:41 . 2008-04-23 15:13 -------- d-----w- c:\users\jayFREE\AppData\Roaming\LimeWire
2009-09-16 14:22 . 2008-03-31 19:18 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 14:22 . 2008-03-31 19:18 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 14:22 . 2008-03-31 19:18 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 14:22 . 2008-03-31 19:18 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 14:22 . 2008-03-31 19:18 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-10 07:14 . 2008-05-15 04:08 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-10 00:57 . 2008-03-31 19:04 -------- d-----w- c:\programdata\McAfee
2009-08-29 00:27 . 2009-09-02 21:31 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-29 00:14 . 2009-09-02 21:31 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-27 05:22 . 2009-10-14 06:38 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 05:17 . 2009-10-14 06:38 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-08-27 05:17 . 2009-10-14 06:38 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-08-27 03:42 . 2009-10-14 06:38 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-18 03:33 . 2009-08-18 03:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-14 16:27 . 2009-09-09 21:50 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-08-14 15:53 . 2009-09-09 21:50 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 13:49 . 2009-09-09 21:50 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 13:49 . 2009-09-09 21:50 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 13:49 . 2009-09-09 21:50 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 13:49 . 2009-09-09 21:50 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 13:49 . 2009-09-09 21:50 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 13:49 . 2009-09-09 21:50 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 13:49 . 2009-09-09 21:50 10240 ----a-w- c:\windows\system32\finger.exe
2009-08-14 13:48 . 2009-09-09 21:50 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2009-08-14 13:48 . 2009-09-09 21:50 105984 ----a-w- c:\windows\system32\netiohlp.dll
2009-08-03 19:07 . 2009-08-03 19:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 19:07 . 2009-08-03 19:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 19:07 . 2009-08-03 19:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-20 68856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-23 13539872]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-23 92704]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-11-10 157312]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-13 148888]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

c:\users\jayFREE\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
YPOPs.lnk.disabled [2008-10-25 651]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk.disabled [2008-4-5 2009]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Aim6"="c:\program files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"VistaSp2"=hex(cool.gif:c8,e5,90,b6,89,55,ca,01

R0 SCMNdisP;General NDIS Protocol Driver;c:\windows\System32\drivers\SCMNdisP.sys [8/20/2009 7:01 PM 21728]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [7/24/2008 6:46 PM 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\System32\drivers\LMIRfsDriver.sys [3/14/2009 11:21 AM 47640]
S2 gupdate1c98669f8a5f3ce;Google Update Service (gupdate1c98669f8a5f3ce);c:\program files\Google\Update\GoogleUpdate.exe [2/3/2009 9:43 PM 133104]
S3 MotDev;Motorola Inc. USB Device;c:\windows\System32\drivers\motodrv.sys [10/10/2007 5:41 PM 42112]
S3 RTL8187;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\System32\drivers\wg111v2.sys [8/20/2009 7:01 PM 206336]
S3 VST_DPV;VST_DPV;c:\windows\System32\drivers\VSTDPV3.SYS [11/2/2006 6:25 AM 987648]
S3 VSTHWBS2;VSTHWBS2;c:\windows\System32\drivers\VSTBS23.SYS [11/2/2006 6:25 AM 251904]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
Contents of the 'Scheduled Tasks' folder

2009-10-26 c:\windows\Tasks\Defrag.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-21 16:22]

2009-10-28 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-06-20 23:28]

2009-10-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-04 01:43]

2009-10-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-04 01:43]

2009-10-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-21 16:22]

2009-10-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-21 16:22]

2009-10-29 c:\windows\Tasks\User_Feed_Synchronization-{0CBB3BFF-CBBC-4137-AAD2-55BFC1D339FE}.job
- c:\windows\system32\msfeedssync.exe [2009-10-14 03:41]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
mSearch Bar = about:blank
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\jayFREE\AppData\Roaming\Mozilla\Firefox\Profiles\4bex005d.default\
FF - prefs.js: browser.search.defaulturl - hxxp://fruttisearch.com/search.php?q=
FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net/
FF - prefs.js: keyword.URL - hxxp://fruttisearch.com/search.php?q=
FF - component: c:\users\jayFREE\AppData\Roaming\Mozilla\Firefox\Profiles\4bex005d.default\extensions\{39124730-0779-11de-8c30-0800200c9a66}\components\daff.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\users\jayFREE\AppData\Roaming\Move Networks\plugins\npqmp071500000347.dll
FF - plugin: c:\users\jayFREE\AppData\Roaming\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\users\jayFREE\AppData\Roaming\Mozilla\plugins\NPAbacheck.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: keyword.enabled - true
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Abacast Client - c:\users\jayFREE\AppData\Local\Abacast\uninst.exe



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-10-29 21:59
ComboFix-quarantined-files.txt 2009-10-29 01:59

Pre-Run: 108,348,473,344 bytes free
Post-Run: 108,276,187,136 bytes free

- - End Of File - - 800D970C9706EBB2C30003DACFAB60B2



So far, I haven't had any noticable problems with the computer. I just want to make sure I remove all traces of this worm.

Thanks.
Go to the top of the page
 
+Quote Post
SweetTech
post Oct 29 2009, 01:06 PM
Post #8


SuperMember
Group Icon

Group: Malware Team
Posts: 2,148
Joined: 15-March 09
From: Antarctica
Member No.: 84,696
Operating System: Vista
STEP 1.

VirSCAN Suspicious File Upload
I need to get more information on a file... please perform the following:

Note: Internet Explorer should be used... for best results.
    Please go to VirSCAN.org... a free on-line file scanning service.
  1. Copy / paste the complete path and file name (below) into the "Suspicious files to scan" box... at the top of the page.

    c:\users\jayfree\appdata\roaming\mozilla\firefox\profiles\4bex005d.default\extensions\{39124730-0779-11de-8c30-0800200c9a66}\components\daff.dll

  2. Click on the Upload button. Once the file is uploaded, the scanning process will begin.
  3. Once the Scan completes... (scroll down) click on the "Copy to Clipboard" button.
  4. Open Notepad... then paste (Ctrl &V) the contents of the Clipboard into the open Notepad window.
  5. Save the Notepad file as "VirScan.txt"... save it to your desktop.
  6. Paste the contents of the VirScan.txt file, in your next reply.

____________________________________________________
STEP 2.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

CODE
KillAll::
File::
c:\windows\tqfqfkpi.knn
FireFox::
FF - ProfilePath - c:\users\jayFREE\AppData\Roaming\Mozilla\Firefox\Profiles\4bex005d.default\
FF - prefs.js: browser.search.defaulturl - hxxp://fruttisearch.com/search.php?q=
FF - prefs.js: keyword.URL - hxxp://fruttisearch.com/search.php?q=


Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"

Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
____________________________________________________
Please make sure you include the following items in your next post:
1. The contents of the VirScan.txt file.
2. The log that was produced after running ComboFix.
Go to the top of the page
 
+Quote Post
teebee17
post Oct 29 2009, 05:16 PM
Post #9


New Member
*

Group: Authentic Member
Posts: 18
Joined: 28-May 05
Member No.: 33,333
Operating System: Windows Vista Home Premium
Hello again.

Here are the logs you requested.

VirSCAN.org Scanned Report :
Scanned time : 2009/10/29 18:04:23 (EDT)
Scanner results: Scanners did not find malware!
File Name : daff.dll
File Size : 210944 byte
File Type : PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bi
MD5 : 88af7b222fbd1901f04880c9236c0121
SHA1 : b9eee03645b7d244dc6f76bfbceebbd31edc0b4c
Online report : http://virscan.org/report/1c93c2d5c3e720bb...53fa3adb8d.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 00040000000000 0004-00-00 7.11 -
AhnLab V3 2009.10.29.04 2009.10.29 2009-10-29 0.90 -
AntiVir 8.2.1.50 7.1.6.168 2009-10-29 0.29 -
Antiy 2.0.18 20091029.3153836 2009-10-29 0.02 -
Arcavir 2009 200910290807 2009-10-29 0.06 -
Authentium 5.1.1 200910291823 2009-10-29 1.70 -
AVAST! 4.7.4 091029-0 2009-10-29 0.02 -
AVG 8.5.288 270.14.39/2468 2009-10-30 0.92 -
BitDefender 7.81008.4478883 7.28644 2009-10-30 3.90 -
CA (VET) 35.1.0 7088 2009-10-28 8.14 -
ClamAV 0.95.2 9959 2009-10-29 0.05 -
Comodo 3.12 2772 2009-10-29 0.76 -
CP Secure 1.3.0.5 2009.10.29 2009-10-29 0.07 -
Dr.Web 4.44.0.9170 2009.10.29 2009-10-29 6.12 -
F-Prot 4.4.4.56 20091029 2009-10-29 1.65 -
F-Secure 7.02.73807 2009.10.29.17 2009-10-29 8.85 -
Fortinet 2.81-3.120 11.0 2009-10-29 0.19 -
GData 19.8637/19.527 20091029 2009-10-29 5.39 -
ViRobot 20091029 2009.10.29 2009-10-29 0.41 -
Ikarus T3.1.01.72 2009.10.29.74326 2009-10-29 4.33 -
JiangMin 11.0.800 2009.10.26 2009-10-26 4.04 -
Kaspersky 5.5.10 2009.10.29 2009-10-29 0.06 -
KingSoft 2009.2.5.15 2009.10.29.16 2009-10-29 0.50 -
McAfee 5.3.00 5786 2009-10-29 3.36 -
Microsoft 1.5202 2009.10.29 2009-10-29 6.14 -
Norman 6.01.09 6.01.00 2009-10-29 4.01 -
Panda 9.05.01 2009.10.29 2009-10-29 3.61 -
Trend Micro 8.700-1004 6.588.02 2009-10-29 0.05 -
Quick Heal 10.00 2009.10.29 2009-10-29 1.26 -
Rising 20.0 21.53.34.00 2009-10-29 0.82 -
Sophos 3.00.1 4.46 2009-10-30 2.78 -
Sunbelt 5476 5476 2009-10-29 1.85 -
Symantec 1.3.0.24 20091029.005 2009-10-29 0.05 -
nProtect 20091029.01 6046753 2009-10-29 7.86 -
The Hacker 6.5.0.2 v00056 2009-10-28 0.85 -
VBA32 3.12.10.11 20091028.1155 2009-10-28 1.92 -
VirusBuster 4.5.11.10 10.113.1/2021054 2009-10-29 2.51 -

****************** *********************** ****************************

ComboFix 09-10-28.08 - jayFREE 10/29/2009 18:40.2.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.958.316 [GMT -4:00]
Running from: c:\users\jayFREE\Desktop\ComboFix.exe
Command switches used :: c:\users\jayFREE\Desktop\CFScript.txt
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
* Resident AV is active


FILE ::
"c:\windows\tqfqfkpi.knn"
.

((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-29 )))))))))))))))))))))))))))))))
.

2009-10-29 22:39 . 2009-04-11 06:32 19944 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-10-29 22:39 . 2008-01-19 07:42 45112 ----a-w- c:\windows\system32\drivers\nvstor.sys
2009-10-29 22:39 . 2007-10-26 22:51 110624 ----a-w- c:\windows\system32\drivers\nvstor32.sys
2009-10-29 01:59 . 2009-10-29 23:05 -------- d-----w- c:\users\jayFREE\AppData\Local\temp
2009-10-27 23:56 . 2009-10-28 02:14 -------- d-----w- c:\users\jayFREE\AppData\Roaming\KeePass
2009-10-27 23:27 . 2009-10-27 23:27 -------- d-----w- c:\program files\KeePass Password Safe 2
2009-10-27 23:19 . 2009-09-10 14:58 310784 ----a-w- c:\windows\system32\unregmp2.exe
2009-10-27 23:19 . 2009-09-10 14:59 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-10-26 03:28 . 2009-10-26 03:28 -------- d-----w- c:\users\jayFREE\AppData\Local\Apple
2009-10-25 18:54 . 2009-10-25 18:54 -------- d-----w- c:\windows\Sun
2009-10-25 17:51 . 2009-10-25 18:12 -------- d-----w- c:\users\jayFREE\AppData\Local\Adobe
2009-10-25 16:39 . 2009-10-25 16:39 -------- d-----w- c:\users\jayFREE\AppData\Local\Apple Computer
2009-10-25 15:34 . 2009-10-25 15:36 -------- d-----w- c:\windows\system32\ca-ES
2009-10-25 15:34 . 2009-10-25 15:36 -------- d-----w- c:\windows\system32\eu-ES
2009-10-25 15:34 . 2009-10-25 15:35 -------- d-----w- c:\windows\system32\vi-VN
2009-10-25 15:12 . 2009-10-25 15:12 -------- d-----w- c:\windows\system32\EventProviders
2009-10-25 15:09 . 2009-10-25 15:09 319456 ----a-w- c:\windows\DIFxAPI.dll
2009-10-14 06:40 . 2009-09-10 16:48 218624 ----a-w- c:\windows\system32\msv1_0.dll
2009-10-14 06:40 . 2009-08-04 12:34 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-10-14 06:40 . 2009-08-04 12:34 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-10-14 06:40 . 2009-05-08 12:53 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2009-10-14 06:36 . 2009-09-04 11:41 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-10-14 06:36 . 2009-09-14 09:29 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-10-10 15:24 . 2009-10-10 15:24 -------- d-----w- c:\users\jayFREE\Office Genuine Advantage
2009-10-10 01:03 . 2005-06-15 07:00 102400 ----a-w- c:\windows\system32\tsccvid.dll
2009-10-01 05:07 . 2009-10-01 05:07 -------- d-----w- c:\users\jayFREE\AppData\Roaming\Malwarebytes
2009-10-01 05:07 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-01 05:07 . 2009-10-01 05:07 -------- d-----w- c:\programdata\Malwarebytes
2009-10-01 05:07 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-01 05:07 . 2009-10-25 16:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-30 21:41 . 2009-08-07 02:24 44768 ----a-w- c:\windows\system32\wups2.dll
2009-09-30 21:41 . 2009-08-07 02:24 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-09-30 21:41 . 2009-08-07 01:45 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-09-30 21:41 . 2009-08-07 02:23 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-09-30 21:40 . 2009-08-07 02:24 35552 ----a-w- c:\windows\system32\wups.dll
2009-09-30 21:40 . 2009-08-07 02:23 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-09-30 21:40 . 2009-08-07 01:44 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-09-30 21:38 . 2009-08-06 23:23 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-09-30 21:38 . 2009-08-06 22:44 33792 ----a-w- c:\windows\system32\wuapp.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-29 22:02 . 2009-03-14 15:20 -------- d-----w- c:\program files\LogMeIn
2009-10-28 23:33 . 2008-06-20 23:30 -------- d-----w- c:\programdata\Google Updater
2009-10-25 15:36 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-10-25 15:36 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-10-25 15:36 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-10-25 15:36 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2009-10-25 15:36 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2009-10-25 15:36 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2009-10-25 15:36 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-10-25 15:09 . 2008-04-01 11:06 -------- d-----w- c:\program files\Viewpoint
2009-10-25 15:05 . 2008-03-31 19:16 -------- d-----w- c:\program files\McAfee
2009-10-18 00:30 . 2009-05-10 20:30 -------- d-----w- c:\users\jayFREE\AppData\Roaming\Move Networks
2009-10-14 07:06 . 2008-04-01 11:52 -------- d-----w- c:\programdata\Microsoft Help
2009-10-01 05:22 . 2008-05-24 19:21 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-30 22:41 . 2008-04-23 15:13 -------- d-----w- c:\users\jayFREE\AppData\Roaming\LimeWire
2009-09-16 14:22 . 2008-03-31 19:18 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 14:22 . 2008-03-31 19:18 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 14:22 . 2008-03-31 19:18 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 14:22 . 2008-03-31 19:18 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 14:22 . 2008-03-31 19:18 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-10 07:14 . 2008-05-15 04:08 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-10 00:57 . 2008-03-31 19:04 -------- d-----w- c:\programdata\McAfee
2009-08-29 00:27 . 2009-09-02 21:31 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-29 00:14 . 2009-09-02 21:31 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-27 05:22 . 2009-10-14 06:38 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 05:17 . 2009-10-14 06:38 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-08-27 05:17 . 2009-10-14 06:38 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-08-27 03:42 . 2009-10-14 06:38 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-18 03:33 . 2009-08-18 03:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-14 16:27 . 2009-09-09 21:50 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-08-14 15:53 . 2009-09-09 21:50 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 13:49 . 2009-09-09 21:50 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 13:49 . 2009-09-09 21:50 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 13:49 . 2009-09-09 21:50 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 13:49 . 2009-09-09 21:50 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 13:49 . 2009-09-09 21:50 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 13:49 . 2009-09-09 21:50 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 13:49 . 2009-09-09 21:50 10240 ----a-w- c:\windows\system32\finger.exe
2009-08-14 13:48 . 2009-09-09 21:50 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2009-08-14 13:48 . 2009-09-09 21:50 105984 ----a-w- c:\windows\system32\netiohlp.dll
2009-08-03 19:07 . 2009-08-03 19:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 19:07 . 2009-08-03 19:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 19:07 . 2009-08-03 19:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-10-29_01.55.38 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-01 09:53 . 2009-10-29 22:34 40946 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-10-29 22:35 44060 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:02 . 2009-10-29 23:06 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2006-11-02 13:02 . 2009-10-29 01:55 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2006-11-02 13:02 . 2009-10-29 01:55 98304 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2006-11-02 13:02 . 2009-10-29 23:06 98304 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2006-11-02 13:02 . 2009-10-29 23:06 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2006-11-02 13:02 . 2009-10-29 01:55 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-04-01 09:53 . 2009-10-29 22:35 6684 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-4130002868-1829355866-1881414188-1000_UserData.bin
- 2009-10-28 07:24 . 2009-10-28 07:24 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-10-29 22:53 . 2009-10-29 22:53 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-10-29 22:53 . 2009-10-29 22:53 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-10-28 07:24 . 2009-10-28 07:24 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-04-05 04:43 . 2009-10-29 22:02 229008 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_FastS4.bin
+ 2006-11-02 10:33 . 2009-10-29 23:01 595446 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-10-28 07:32 595446 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-10-28 07:32 101144 c:\windows\System32\perfc009.dat
+ 2006-11-02 10:33 . 2009-10-29 23:01 101144 c:\windows\System32\perfc009.dat
- 2009-06-22 21:20 . 2009-10-28 22:51 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-06-22 21:20 . 2009-10-29 22:54 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-20 68856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-23 13539872]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-23 92704]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-11-10 157312]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-13 148888]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

c:\users\jayFREE\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
YPOPs.lnk.disabled [2008-10-25 651]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk.disabled [2008-4-5 2009]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Aim6"="c:\program files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"VistaSp2"=hex(cool.gif:c8,e5,90,b6,89,55,ca,01

R0 SCMNdisP;General NDIS Protocol Driver;c:\windows\System32\drivers\SCMNdisP.sys [8/20/2009 7:01 PM 21728]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [7/24/2008 6:46 PM 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\System32\drivers\LMIRfsDriver.sys [3/14/2009 11:21 AM 47640]
S2 gupdate1c98669f8a5f3ce;Google Update Service (gupdate1c98669f8a5f3ce);c:\program files\Google\Update\GoogleUpdate.exe [2/3/2009 9:43 PM 133104]
S3 MotDev;Motorola Inc. USB Device;c:\windows\System32\drivers\motodrv.sys [10/10/2007 5:41 PM 42112]
S3 RTL8187;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\System32\drivers\wg111v2.sys [8/20/2009 7:01 PM 206336]
S3 VST_DPV;VST_DPV;c:\windows\System32\drivers\VSTDPV3.SYS [11/2/2006 6:25 AM 987648]
S3 VSTHWBS2;VSTHWBS2;c:\windows\System32\drivers\VSTBS23.SYS [11/2/2006 6:25 AM 251904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
Contents of the 'Scheduled Tasks' folder

2009-10-26 c:\windows\Tasks\Defrag.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-21 16:22]

2009-10-29 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-06-20 23:28]

2009-10-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-04 01:43]

2009-10-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-04 01:43]

2009-10-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-21 16:22]

2009-10-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-21 16:22]

2009-10-29 c:\windows\Tasks\User_Feed_Synchronization-{0CBB3BFF-CBBC-4137-AAD2-55BFC1D339FE}.job
- c:\windows\system32\msfeedssync.exe [2009-10-14 03:41]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
mSearch Bar = about:blank
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\jayFREE\AppData\Roaming\Mozilla\Firefox\Profiles\4bex005d.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net/
FF - component: c:\users\jayFREE\AppData\Roaming\Mozilla\Firefox\Profiles\4bex005d.default\extensions\{39124730-0779-11de-8c30-0800200c9a66}\components\daff.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\users\jayFREE\AppData\Roaming\Move Networks\plugins\npqmp071500000347.dll
FF - plugin: c:\users\jayFREE\AppData\Roaming\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\users\jayFREE\AppData\Roaming\Mozilla\plugins\NPAbacheck.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: keyword.enabled - true
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\windows\System32\WinService.exe
c:\program files\Viewpoint\Common\ViewpointService.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Spybot - Search & Destroy\SDWinSec.exe
c:\windows\system32\WUDFHost.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\System32\rundll32.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\iPod\bin\iPodService.exe
c:\hp\kbd\kbd.exe
c:\program files\Java\jre6\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2009-10-29 19:11 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-29 23:11
ComboFix2.txt 2009-10-29 01:59

Pre-Run: 108,365,348,864 bytes free
Post-Run: 108,324,274,176 bytes free

- - End Of File - - CFB8785B09FCE7A66EBAE96F63D5E8A8
Go to the top of the page
 
+Quote Post
SweetTech
post Oct 30 2009, 11:13 AM
Post #10


SuperMember
Group Icon

Group: Malware Team
Posts: 2,148
Joined: 15-March 09
From: Antarctica
Member No.: 84,696
Operating System: Vista
STEP 1.
Malwarebytes' Anti-Malware

I see that you have Malwarebytes' Anti-Malware installed on your computer could you please do a scan using these settings:

  • Open Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Check for Updates
  • After the update have been completed, Select the Scanner tab.
  • Select Perform full scan, then click on Scan
  • Leave the default options as it is and click on Start Scan
  • When done, you will be prompted. Click OK, then click on Show Results
  • Checked (ticked) all items and click on Remove Selected
  • After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom most log is the latest

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.
____________________________________________________
STEP 2.
I'd like us to scan your machine with ESET OnlineScan

*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.


  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET
    will then download updates for itself, install itself, and begin
    scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push ,
    and save the file to your desktop using a unique name, such as
    ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
____________________________________________________
STEP 3.
Please re-run DDS by sUBs.
Make sure to pay attention to the directions below:
  • Disable any script blocking protection (How to Disable your Security Programs)
  • Double click DDS icon to run the tool (may take up to 3 minutes to run)
  • When done, DDS.txt will open.
  • After a few moments, attach.txt will open in a second window.
  • Save both reports to your desktop.
---------------------------------------------------
  • Post the contents of the DDS.txt report in your next reply
  • Attach the Attach.txt report to your post by doing the following:
    • Under the reply panel is the Attachments Panel
    • Browse for the attachment file you want to upload, then click the green Upload button
    • Once it has uploaded, click the Manage Current Attachments drop down box
    • Click on to insert the attachment into your post
____________________________________________________
Please make sure you include the following items in your next post:
1. The log that was produced after running MalwareBytes' Anti-Malware.
2. The log that was produced after running the ESET Online Scanner.
3. The logs that were produced after running DDS.
4. An update on how your computer is running?
Go to the top of the page
 
+Quote Post
teebee17
post Oct 31 2009, 07:55 AM
Post #11


New Member
*

Group: Authentic Member
Posts: 18
Joined: 28-May 05
Member No.: 33,333
Operating System: Windows Vista Home Premium
Here are your requested items:

1. Malwarebytes' Anti-Malware log

Malwarebytes' Anti-Malware 1.41
Database version: 3063
Windows 6.0.6002 Service Pack 2

10/30/2009 9:00:45 PM
mbam-log-2009-10-30 (21-00-45).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 445031
Time elapsed: 2 hour(s), 41 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows.old\Users\Compaq_Administrator\AppData\Roaming\VideoEgg\Loader\4665\npvideoegg-loader.dll (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Windows.old\Users\Compaq_Administrator\AppData\Roaming\VideoEgg\Updater\updater.exe (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Windows.old\Users\Compaq_Administrator\AppData\Roaming\VideoEgg\Updater\VideoEggBroker.exe (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Windows.old\Users\Compaq_Administrator\AppData\Roaming\VideoEgg\Updater\VideoEggBroker.exe.old (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Windows.old\Windows\Downloaded Program Files\VideoEggPublisher.exe (Malware.Tool) -> Quarantined and deleted successfully.


2. ESETScan log

C:\hp\bin\wbug\CompaqPresario_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application deleted - quarantined
C:\Users\jayFREE\Documents\LimeWire\Incomplete\Preview-T-4061074-guitarless songs [very good quality].snd a variant of WMA/TrojanDownloader.GetCodec.gen trojan cleaned - quarantined
C:\Users\jayFREE\Documents\LimeWire\Incomplete\T-3545427-so hard to go tower of power [cd rip].mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan cleaned - quarantined
C:\Users\jayFREE\Documents\LimeWire\Incomplete\T-4061074-guitarless songs [very good quality].snd a variant of WMA/TrojanDownloader.GetCodec.gen trojan cleaned - quarantined
C:\Windows.old\Users\Compaq_Administrator\AppData\Local\Temp\KjQYycfe.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Windows.old\Users\Compaq_Administrator\AppData\Local\Temp\KjQYycfe.ini2 Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Windows.old\Users\Compaq_Administrator\AppData\Local\Temp\removalfile.bat Win32/Adware.Virtumonde application cleaned by deleting - quarantined
C:\Windows.old\Users\Compaq_Administrator\AppData\Local\Temp\tihneddo.ini Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
D:\I386\APPS\APP25121\src\CompaqPresario_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application deleted - quarantined
D:\I386\APPS\APP25121\src\HPPavillion_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application deleted - quarantined


3. DDS.txt and the Attach.txt

Attached File  Attach.txt ( 10.29K ) Number of downloads: 13


DDS (Ver_09-10-26.01) - NTFSx86
Run by jayFREE at 9:37:37.34 on Sat 10/31/2009
Internet Explorer: 8.0.6001.18828 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.958.311 [GMT -4:00]

SP: Spybot - Search and Destroy *enabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\hp\kbd\kbd.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\jayFREE\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.comcast.net/
mSearch Bar = about:blank
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! ¤u¨ã¦C: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Yahoo! ¤u¨ã¦C: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
mRun: [KBD] c:\hp\kbd\KbdStub.EXE
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\users\jayfree\appdata\roaming\microsoft\windows\start menu\programs\startup\YPOPs.lnk.disabled
StartupFolder: c:\programdata\microsoft\windows\start menu\programs\startup\Kodak EasyShare software.lnk.disabled
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

================= FIREFOX ===================

FF - ProfilePath - c:\users\jayfree\appdata\roaming\mozilla\firefox\profiles\4bex005d.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net/
FF - component: c:\users\jayfree\appdata\roaming\mozilla\firefox\profiles\4bex005d.default\extensions\{39124730-0779-11de-8c30-0800200c9a66}\components\daff.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\users\jayfree\appdata\roaming\move networks\plugins\npqmp071500000347.dll
FF - plugin: c:\users\jayfree\appdata\roaming\move networks\plugins\npqmp071505000010.dll
FF - plugin: c:\users\jayfree\appdata\roaming\mozilla\plugins\NPAbacheck.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: keyword.enabled - true
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-3-14 47640]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2007-10-10 42112]

=============== Created Last 30 ================

2009-10-31 01:18:11 0 d-----w- c:\program files\ESET
2009-10-29 22:39:12 45112 ----a-w- c:\windows\system32\drivers\nvstor.sys
2009-10-29 22:39:12 19944 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-10-29 22:39:12 110624 ----a-w- c:\windows\system32\drivers\nvstor32.sys
2009-10-29 01:39:37 98816 ----a-w- c:\windows\sed.exe
2009-10-29 01:39:37 77312 ----a-w- c:\windows\MBR.exe
2009-10-29 01:39:37 236544 ----a-w- c:\windows\PEV.exe
2009-10-29 01:39:37 161792 ----a-w- c:\windows\SWREG.exe
2009-10-27 23:56:26 0 d-----w- c:\users\jayfree\appdata\roaming\KeePass
2009-10-27 23:27:27 0 d-----w- c:\program files\KeePass Password Safe 2
2009-10-27 23:19:17 310784 ----a-w- c:\windows\system32\unregmp2.exe
2009-10-27 23:19:08 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-10-25 15:34:16 0 d-----w- c:\windows\system32\eu-ES
2009-10-25 15:34:16 0 d-----w- c:\windows\system32\ca-ES
2009-10-25 15:34:11 0 d-----w- c:\windows\system32\vi-VN
2009-10-25 15:12:15 0 d-----w- c:\windows\system32\EventProviders
2009-10-25 15:09:13 319456 ----a-w- c:\windows\DIFxAPI.dll
2009-10-14 06:40:57 218624 ----a-w- c:\windows\system32\msv1_0.dll
2009-10-14 06:40:54 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-10-14 06:40:53 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-10-14 06:40:39 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2009-10-14 06:36:08 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-10-14 06:36:03 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-10-10 15:24:04 0 d-----w- c:\users\jayfree\Office Genuine Advantage
2009-10-10 01:03:40 102400 ----a-w- c:\windows\system32\tsccvid.dll

==================== Find3M ====================

2009-10-30 23:40:05 86016 ----a-w- c:\windows\inf\infstor.dat
2009-10-30 23:40:05 51200 ----a-w- c:\windows\inf\infpub.dat
2009-10-30 23:40:05 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-10-25 15:33:56 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-10-25 15:21:22 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
2009-09-16 14:22:48 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 14:22:48 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 14:22:48 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 14:22:48 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 14:22:14 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-10 18:54:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 18:53:50 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-29 00:27:49 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-29 00:14:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-27 05:22:28 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 05:17:43 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-08-27 05:17:43 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-08-27 03:42:29 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-18 03:33:52 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-14 15:53:34 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 13:49:20 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 13:49:18 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 13:49:18 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 13:49:15 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 13:49:14 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 13:49:14 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 13:49:13 10240 ----a-w- c:\windows\system32\finger.exe
2009-08-14 13:48:02 105984 ----a-w- c:\windows\system32\netiohlp.dll
2009-08-07 01:45:15 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-08-07 01:44:40 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-08-06 23:23:06 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-08-06 22:44:46 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-08-03 19:07:42 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 19:07:42 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 19:07:42 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
2008-04-04 18:09:23 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 9:40:53.04 ===============

4. My computer still seems to be running fine. I don't see any obvious signs of infection even though I know its there.

Thanks, are we getting close to getting rid of the problems?
Go to the top of the page
 
+Quote Post
SweetTech
post Oct 31 2009, 12:56 PM
Post #12


SuperMember
Group Icon

Group: Malware Team
Posts: 2,148
Joined: 15-March 09
From: Antarctica
Member No.: 84,696
Operating System: Vista
STEP 1.
Could you please clarify what you mean here: "My computer still seems to be running fine. I don't see any obvious signs of infection even though I know its there."
____________________________________________________
STEP 2.
The ESET Online Scanner log that you provided for me looks to be incomplete.

I need to get a look at the complete file if possible.

Please do the following:
On your keyboard press the Windows key + R
By pressing those two keys at the same time this should display the run dialog box.
Once the Run Dialog box appears please copy and paste the following:
C:\Program Files\EsetOnlineScanner\log.txt
After you've copied and pasted the above please select OK.
This should display the ESET Online Scanner log.

Once the ESET Online Scanner log is displayed please copy and paste the contents of the file into your next post.
____________________________________________________
STEP 3.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.

  • Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
  • Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 16. The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
  • Click the "Download" button to the right.
  • Select the Windows platform from the drop-down menu.
  • Read the License Agreement and then check the box that says: " I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue.The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Now go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u16-windows-i586-p.exe to install the newest version.

  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
        Applications and AppletsTrace and Log Files
    • Click OK on Delete Temporary Files Window

      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.
____________________________________________________
Please make sure you include the following items in your next post:
1. An answer to my question under Step 1.
2. The contents of the log.txt file.
Go to the top of the page
 
+Quote Post
teebee17
post Oct 31 2009, 06:38 PM
Post #13


New Member
*

Group: Authentic Member
Posts: 18
Joined: 28-May 05
Member No.: 33,333
Operating System: Windows Vista Home Premium
There was no log file in the place your link indicated. Should I rescan with ESET Online Scanner?

To explain what is happening with my computer I guess I should go back to the beginning. My anti-virus (McAfee) popped up saying it had detected a trojan (W32.Generic something or other) but it could not delete it. Almost immediately after that, I began getting a ridiculous amount of tabs popping up on my browser. I couldn't close them faster than they were popping up so I shut down the computer. When it restarted everything had calmed down so I went to What The Tech and I went through the self-help steps posted by LDTate at the top of the forum. I ran ATF Cleaner and Malwarebytes' Anti-Malware and it detected Koobface worm. I included that mbam log in my initial post.

Since going through the self help, I have had no problems, no pop-ups or anything to indicate an infection, however, I wanted to make sure whatever it was is gone. That is why I going through this with you. I hope that better explains my situation.

I appreciate all the help you've given.

This post has been edited by teebee17: Oct 31 2009, 08:58 PM
Go to the top of the page
 
+Quote Post
SweetTech
post Oct 31 2009, 09:23 PM
Post #14


SuperMember
Group Icon

Group: Malware Team
Posts: 2,148
Joined: 15-March 09
From: Antarctica
Member No.: 84,696
Operating System: Vista
STEP 1.
QUOTE
There was no log file in the place your link indicated. Should I rescan with ESET Online Scanner?

I believe you were unable to locate the ESET log because the file path that I gave you was incorrect.

I'd like for you to try this again.

Please do the following:
On your keyboard press the Windows key + R
By pressing those two keys at the same time this should display the run dialog box.
Once the Run Dialog box appears please copy and paste the following:
C:\Program Files\ESET\log.txt
After you've copied and pasted the above please select OK.
This should display the ESET Online Scanner log.

Once the ESET Online Scanner log is displayed please copy and paste the contents of the file into your next post.
____________________________________________________
ALTERNATIVE STEP 1.
If the above doesn't work then please do a search on your computer for a file named: log.txt

Please make sure you include the following items in your next post:
1. The contents of the log.txt file.
Go to the top of the page
 
+Quote Post
teebee17
post Oct 31 2009, 10:37 PM
Post #15


New Member
*

Group: Authentic Member
Posts: 18
Joined: 28-May 05
Member No.: 33,333
Operating System: Windows Vista Home Premium
I found it. Here it is.

ESETSmartInstaller@High as downloader log:
all ok
# version=6
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6050
# api_version=3.0.2
# EOSSerial=2e7b9b7c70bd224593441336d14f739d
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-10-31 04:33:15
# local_time=2009-10-31 12:33:15 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=5121 61 100 88 30676473227941
# compatibility_mode=5889 61 66 100 562352765131449
# scanned=342647
# found=10
# cleaned=10
# scan_time=11357
C:\hp\bin\wbug\CompaqPresario_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Users\jayFREE\Documents\LimeWire\Incomplete\Preview-T-4061074-guitarless songs [very good quality].snd a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Users\jayFREE\Documents\LimeWire\Incomplete\T-3545427-so hard to go tower of power [cd rip].mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Users\jayFREE\Documents\LimeWire\Incomplete\T-4061074-guitarless songs [very good quality].snd a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Windows.old\Users\Compaq_Administrator\AppData\Local\Temp\KjQYycfe.ini Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Windows.old\Users\Compaq_Administrator\AppData\Local\Temp\KjQYycfe.ini2 Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Windows.old\Users\Compaq_Administrator\AppData\Local\Temp\removalfile.bat Win32/Adware.Virtumonde application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Windows.old\Users\Compaq_Administrator\AppData\Local\Temp\tihneddo.ini Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\I386\APPS\APP25121\src\CompaqPresario_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application (deleted - quarantined) 00000000000000000000000000000000 C
D:\I386\APPS\APP25121\src\HPPavillion_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application (deleted - quarantined) 00000000000000000000000000000000 C
Go to the top of the page
 
+Quote Post
« Next Oldest · Infections Removal · Next Newest »
 

2 Pages V   1 2 >
Closed TopicStart new topic

 
RSS Time is now: 22nd March 2010 - 01:59 AM
Advertisements do not imply our endorsement of that product or service. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk.
Member site: Alliance of Security Analysis Professionals | UNITE Against Malware
Memory Forums | Auto Repair Forum
© Geeks to Go, Inc. | All Rights Reserved | Privacy Policy
Powered By IP.Board © 2010  IPS, Inc.