[Resolved] hijack.windowsupdates virus


This topic is locked
14 replies to this topic

#1 benwizz
New Member (Authentic Member, 7 posts)

Posted 20 September 2009 - 07:12 PM

Hey I've got a problem with the hijack.windowsupdates virus which can't seem to be removed by MBAM. The scans show up 37 problems, 35 of which are inside My Safe in My Documents (a folder which needs a fingerprint swipe to unlock it) and the other 2 files that seem to be to do with the registry. I click on remove all and it says all items removed successfully, but if I do another scan immediately after, the two problems in the Registry Data category are still there. After rebooting like it asks and doing another scan, all 37 problems are found again. Here is the MBAM log:

Malwarebytes' Anti-Malware 1.41
Database version: 2834
Windows 5.1.2600 Service Pack 3

21/09/2009 02:04:42
mbam-log-2009-09-21 (02-04-27).txt

Scan type: Quick Scan
Objects scanned: 110620
Time elapsed: 5 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 35

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
D:\My Documents\My Safe\Classified.exe (Worm.Daprosy) -> No action taken.
D:\My Documents\My Safe\fupipivo.dll (Fake.Malware) -> No action taken.
D:\My Documents\My Safe\Games.exe (Worm.AutoRun) -> No action taken.
D:\My Documents\My Safe\HiddenFolder.exe (Worm.AutoRun) -> No action taken.
D:\My Documents\My Safe\kentut.exe (Trojan.Agent) -> No action taken.
D:\My Documents\My Safe\mp3.exe (Worm.AutoRun) -> No action taken.
D:\My Documents\My Safe\My Documents.url (Trojan.Zlob) -> No action taken.
D:\My Documents\My Safe\My Folder.com (Virus.Rungbu) -> No action taken.
D:\My Documents\My Safe\My Music\foronandand.exe (Trojan.Agent) -> No action taken.
D:\My Documents\My Safe\My Music\inout.exe (Trojan.Agent) -> No action taken.
D:\My Documents\My Safe\My Music\My Music.exe (Worm.AutoRun) -> No action taken.
D:\My Documents\My Safe\My Music\My Music.url (Trojan.Zlob) -> No action taken.
D:\My Documents\My Safe\My Music\New Song.lagu (Backdoor.Bot) -> No action taken.
D:\My Documents\My Safe\My Music\Video.vidz (Backdoor.Bot) -> No action taken.
D:\My Documents\My Safe\My Pictures\aweks.pikz (Backdoor.Bot) -> No action taken.
D:\My Documents\My Safe\My Pictures\My Pictures.exe (Worm.AutoRun) -> No action taken.
D:\My Documents\My Safe\My Pictures\My Pictures.url (Trojan.Zlob) -> No action taken.
D:\My Documents\My Safe\My Pictures\Sample Pictures\Blue hills.exe (Trojan.Xanib) -> No action taken.
D:\My Documents\My Safe\My Pictures\Sample Pictures\Sunset.exe (Trojan.Xanib) -> No action taken.
D:\My Documents\My Safe\My Pictures\Sample Pictures\Water lilies.exe (Trojan.Xanib) -> No action taken.
D:\My Documents\My Safe\My Pictures\Sample Pictures\Winter.exe (Trojan.Xanib) -> No action taken.
D:\My Documents\My Safe\My Pictures\seram.pikz (Backdoor.Bot) -> No action taken.
D:\My Documents\My Safe\My Secret.fold (Backdoor.Bot) -> No action taken.
D:\My Documents\My Safe\My Videos\My Video.url (Trojan.Zlob) -> No action taken.
D:\My Documents\My Safe\Photo.Jpg.exe (Trojan.Downloader) -> No action taken.
D:\My Documents\My Safe\ppl.mdb (Fake.Malware) -> No action taken.
D:\My Documents\My Safe\PrisonBreak.Jpg.exe (Trojan.Downloader) -> No action taken.
D:\My Documents\My Safe\rafbsvnx.dll (Fake.Malware) -> No action taken.
D:\My Documents\My Safe\Rated R Pictures.com (Virus.Rungbu) -> No action taken.
D:\My Documents\My Safe\regscan.exe (Trojan.Downloader) -> No action taken.
D:\My Documents\My Safe\Skofilde.Jpg.exe (Trojan.Downloader) -> No action taken.
D:\My Documents\My Safe\Super Mario X.exe (Trojan.Downloader) -> No action taken.
D:\My Documents\My Safe\System\Explorer1.exe (Trojan.Logger) -> No action taken.
D:\My Documents\My Safe\Videos.exe (Worm.AutoRun) -> No action taken.
D:\My Documents\My Safe\work9\bhobj\bhobj.dll (Adware.WebDir) -> No action taken.

Thanks very much in advance for your help!

Edited by benwizz, 20 September 2009 - 07:31 PM.
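The two Registry Data items in the log above are the whole of the "Windows Update hijack": both ImagePath values are REG_EXPAND_SZ strings, and %fystemRoot% is not a defined environment variable, so when the Service Control Manager expands the value the token is left in the path literally, the binary is not found, and BITS and wuauserv fail to start. The following script is an added example for this thread, not code from the original post or from Malwarebytes: it parses those two log lines (reproduced here as constructed sample input), expands the Bad value the way Windows would, and reports any token that does not expand, together with the defined variable it is one character away from. SYSTEM_ENV is an assumed stand-in for the real machine's variables; on a live system the same check would be fed from os.environ and the value returned by reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ImagePath.

```python
"""Spot a service ImagePath whose %VAR% token cannot expand (added example)."""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Variables the SCM can expand in a REG_EXPAND_SZ ImagePath. Constructed for
# this example; on a real box use os.environ instead.
SYSTEM_ENV: Dict[str, str] = {
    "SystemRoot": r"C:\WINDOWS",
    "SystemDrive": "C:",
    "windir": r"C:\WINDOWS",
    "ProgramFiles": r"C:\Program Files",
}

TOKEN_RE = re.compile(r"%([^%]+)%")


class Finding(NamedTuple):
    token: str                # %VAR% name that did not expand
    lookalike: Optional[str]  # defined variable one edit away, if any


def edit_distance(a: str, b: str) -> int:
    """Case-insensitive Levenshtein distance; 1 means a single-character
    substitution such as fystemRoot -> SystemRoot."""
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def expand_image_path(value: str, env: Dict[str, str] = SYSTEM_ENV) -> Tuple[str, List[Finding]]:
    """Expand %VAR% tokens the way Windows expands a REG_EXPAND_SZ value:
    names are case-insensitive and an undefined token is left in place
    literally. A literal %...% surviving in the path means the SCM will look
    for a file that does not exist, so the service cannot start."""
    env_ci = {k.lower(): v for k, v in env.items()}
    findings: List[Finding] = []

    def repl(m: "re.Match[str]") -> str:
        name = m.group(1)
        if name.lower() in env_ci:
            return env_ci[name.lower()]
        near = [k for k in env if edit_distance(k, name) == 1]
        findings.append(Finding(name, near[0] if near else None))
        return m.group(0)

    return TOKEN_RE.sub(repl, value), findings


# One "Registry Data Items Infected" line of an MBAM log.
MBAM_DATA_RE = re.compile(
    r"^(?P<key>HKEY_\S+) \((?P<detection>[^)]+)\) -> "
    r"Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> (?P<action>.*)$"
)


class Entry(NamedTuple):
    key: str
    detection: str
    bad: str
    good: str
    bad_expanded: str
    findings: List[Finding]


def triage_mbam_registry_data(log_text: str, env: Dict[str, str] = SYSTEM_ENV) -> List[Entry]:
    """Pull every Registry Data line out of an MBAM log and run the expansion
    check on its Bad value."""
    entries: List[Entry] = []
    for line in log_text.splitlines():
        m = MBAM_DATA_RE.match(line.strip())
        if m is None:
            continue
        expanded, findings = expand_image_path(m["bad"], env)
        entries.append(Entry(m["key"], m["detection"], m["bad"], m["good"], expanded, findings))
    return entries


# Constructed sample: the two registry lines from the MBAM log in the post above.
SAMPLE_MBAM_LOG = r"""
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> No action taken.
"""


def describe(entry: Entry) -> str:
    """One-line verdict per service name (the key's second-to-last component)."""
    service = entry.key.rsplit("\\", 2)[1]
    if not entry.findings:
        return f"{service}: ImagePath expands cleanly to {entry.bad_expanded}"
    f = entry.findings[0]
    hint = f" (look-alike of %{f.lookalike}%)" if f.lookalike else ""
    return (f"{service}: %{f.token}% is undefined{hint}; the SCM would try to run "
            f"{entry.bad_expanded!r}, so the service cannot start")


if __name__ == "__main__":
    for e in triage_mbam_registry_data(SAMPLE_MBAM_LOG):
        print(describe(e))
```

The check is deliberately run on the expanded string rather than on a byte comparison with the Good value, because the symptom that matters is whether the path resolves: a value that survives a reboot with an unexpandable token is still a broken service, whatever the scanner reported at removal time.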



#2 extremeboy
Retired WTT Malware Disintegrator Teacher (Authentic Member, 1,433 posts)

Posted 21 September 2009 - 02:58 PM

Hello.

Please run a DDS scan followed by RootRepeal for me.

Download and run DDS

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results soon.
  • Follow the instructions that pop up for posting the results and then click Ok.
  • The black window and message box will then disappear.
  • Please save both log files on your desktop and post the DDS.txt and zip up and attach Attach.txt as instructed.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE

Download and run RootRepeal CR

Please download RootRepeal from the following location and save it to your desktop.


  • Unzip the RootRepeal.zip file to its own folder. (If you did not use the "Direct Download" mirror to download RootRepeal).
  • Close/Disable all other programs especially your security programs (anti-spyware, anti-virus, and firewall) Refer to this page, if you are unsure how.
  • Physically disconnect your machine from the internet as your system will be unprotected.
  • Double-click on RootRepeal.exe to run it. If you are using Vista, please right-click and run as Administrator...
  • Click the Report tab at the bottom.
  • Now press the Scan button.
  • A box will pop up, check the boxes beside All Seven options/scan area
  • Now click OK.
  • Another box will open, check the boxes beside all the drives, eg : C:\, then click OK.
  • The scan will take a little while to run, so let it go unhindered.
  • Once it is done, click the Save Report button.
  • Save it as RepealScan and save it to your desktop
  • Reconnect to the internet.
  • Post the contents of that log in your reply please.

With Regards,
Extremeboy
If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

The help you receive here is free.

#3 benwizz
New Member (Authentic Member, 7 posts)

Posted 21 September 2009 - 07:50 PM

Here is the DDS log:

DDS (Ver_09-06-26.01) - NTFSx86
Run by ____ at 2:16:37.75 on 22/09/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2039.1423 [GMT 1:00]

AV: Norton Internet Security *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
AV: F-Secure Internet Security 2008 OEM 8.00 *On-access scanning enabled* (Outdated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
FW: F-Secure Internet Security 2008 OEM 8.00 *enabled* {D4747503-0346-49EB-9262-997542F79BF4}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\ThpSrv.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\WINDOWS\system32\TODDSrv.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure Internet Security\FSPC\fspc.exe
C:\Program Files\F-Secure Internet Security\FSAUA\program\fsaua.exe
C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure Internet Security\FSAUA\program\fsus.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\00THotkey.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Acronis\TrueImage\TimounterMonitor.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe
C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\F-Secure Internet Security\FSGUI\fsguidll.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\thpsrv.exe
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\HDD Thermometer\HDD Thermometer.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\TPSBattM.exe
F:\Virus Removal\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.sky.com/skynews
uInternet Settings,ProxyOverride = *.local
BHO: txthlpBHO Class: {060235dc-6d84-47bd-95d7-a4ef5099a59d} - c:\progra~1\texthe~1\readan~1\TEXTHE~3.DLL
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [opagent] "OpAgent.exe" /agent
uRun: [rsd_hddthermo] c:\program files\hdd thermometer\HDD Thermometer.exe
uRun: [toscdspd] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [000stthk] 000StTHK.exe
mRun: [00thotkey] c:\windows\system32\00THotkey.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [acronistimountermonitor] c:\program files\acronis\trueimage\TimounterMonitor.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [alcmtr] ALCMTR.EXE
mRun: [apoint] c:\program files\apoint2k\Apoint.exe
mRun: [ddwmon] c:\program files\toshiba\toshiba direct disc writer\\ddwmon.exe
mRun: [dputil] c:\program files\toshiba\dualpointutility\TEDTray.exe
mRun: [f-secure manager] "c:\program files\f-secure internet security\common\FSM32.EXE" /splash
mRun: [f-secure tnb] "c:\program files\f-secure internet security\fsgui\TNBUtil.exe" /CHECKALL /WAITFORSW
mRun: [hotkeyscmds] c:\windows\system32\hkcmd.exe
mRun: [iaanotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [isuspm startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [isusscheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [kernelfaultcheck] %systemroot%\system32\dumprep 0 -k
mRun: [persistence] c:\windows\system32\igfxpers.exe
mRun: [pointer] point32.exe
mRun: [psqllauncher] "c:\program files\protector suite ql\launcher.exe" /startup
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [rthdcpl] RTHDCPL.EXE
mRun: [smoothview] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [ssbkgdupdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [taudeffect] c:\program files\toshiba\taudeffect\TAudEff.exe /run
mRun: [tfncky] TFncKy.exe
mRun: [tfnf5] TFNF5.exe
mRun: [thpsrv] c:\windows\system32\thpsrv /logon
mRun: [tmerzctl.exe] c:\program files\toshiba\tme3\TMERzCtl.EXE /Service
mRun: [tmesrv.exe] c:\program files\toshiba\tme3\TMESRV31.EXE /Logon
mRun: [topi] c:\program files\toshiba\toshiba online product information\topi.exe -startup
mRun: [tosdcr] TOSDCR.EXE
mRun: [toshkcw.exe] "c:\program files\toshiba\wireless hotkey\TosHKCW.exe"
mRun: [touched] c:\program files\toshiba\touched\TouchED.exe
mRun: [tpsmain] TPSMain.exe
mRun: [tpsoddctl] TPSODDCtl.exe
mRun: [trueimagemonitor.exe] c:\program files\acronis\trueimage\TrueImageMonitor.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\direct~1.lnk - c:\program files\olympus\devicedetector\DirectrecConfig.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\ssv.dll
IE: {200DB664-75B5-47c0-8B45-A44ACCF73C00} - {D68926FD-18FD-4B0E-A1C7-917D13FAB760} - c:\program files\f-secure internet security\fspc\fspcmsie.dll
IE: {200DB664-75B5-47c0-8B45-A44ACCF73F01} - {D68926FD-18FD-4B0E-A1C7-917D13FAB760} - c:\program files\f-secure internet security\fspc\fspcmsie.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
LSP: c:\program files\f-secure internet security\fsps\program\FSLSP.DLL
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {5727FF4C-EF4E-4d96-A96C-03AD91910448} - hxxp://www.srtest.com/srl_bin/sysreqlab_ind.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1238265007828
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1192731515546
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: psfus - psqlpwd.dll
Notify: TosBtNP - TosBtNP.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Authentication Packages = msv1_0 relog_ap
LSA: Notification Packages = scecli psqlpwd

================= FIREFOX ===================

FF - ProfilePath - 

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [2008-9-4 51040]
R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [2007-3-22 20992]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [2007-3-9 6528]
R1 F-Secure HIPS;F-Secure HIPS;c:\program files\f-secure internet security\hips\fshs.sys [2008-9-4 41184]
R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [2007-5-30 5888]
R2 F-Secure Gatekeeper Handler Starter;FSGKHS;c:\program files\f-secure internet security\anti-virus\fsgk32st.exe [2008-9-4 48072]
R2 FdRedir;FdRedir;c:\program files\common files\protector suite ql\drivers\FdRedir.sys [2006-5-5 13568]
R2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\common files\protector suite ql\drivers\filedisk.sys [2006-5-5 33024]
R2 smihlp;SMI helper driver;c:\program files\protector suite ql\smihlp.sys [2006-5-5 3456]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [2007-3-26 105856]
R2 Tmesrv;Tmesrv3;c:\program files\toshiba\tme3\TMESRV31.exe [2007-5-30 114688]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-4-8 92008]
R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [2007-2-19 134016]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\f-secure internet security\anti-virus\minifilter\fsgk.sys [2008-9-4 77824]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-5-31 35968]
S2 gupdate1c9d3663877047e;Google Update Service (gupdate1c9d3663877047e);c:\program files\google\update\GoogleUpdate.exe [2009-5-13 133104]
S3 PAC207;SoC PC-Camer@;c:\windows\system32\drivers\PFC027.sys [2005-2-24 162176]
S3 rt2870;Linksys 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2007-12-14 551680]
S3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2007-5-31 1174664]
S3 TEchoCan;Toshiba Audio Effect;c:\windows\system32\drivers\TEchoCan.sys [2007-5-30 435072]
S4 F-Secure Filter;F-Secure File System Filter;c:\program files\f-secure internet security\anti-virus\win2k\fsfilter.sys [2008-9-4 40048]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\f-secure internet security\anti-virus\win2k\fsrec.sys [2008-9-4 25456]

=============== Created Last 30 ================

2009-08-30 00:52 <DIR> --d----- c:\docume~1\benjam~1\applic~1\Malwarebytes
2009-08-30 00:51 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-30 00:51 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-08-30 00:51 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-30 00:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-30 00:32 <DIR> --d----- c:\windows\system32\wbem\Repository
2009-08-23 11:36 1,089,593 -------- c:\windows\system32\dllcache\ntprint.cat

==================== Find3M ====================

2009-08-05 10:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 10:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-19 18:48 11,067,392 -------- c:\windows\system32\dllcache\ieframe.dll
2009-07-19 14:18 5,937,152 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-17 20:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 20:01 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 23:43 10,841,088 -------- c:\windows\system32\dllcache\wmp.dll
2009-07-13 23:43 286,208 -------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-10 14:27 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll
2009-07-03 18:09 915,456 a------- c:\windows\system32\wininet.dll
2009-07-03 18:09 915,456 -------- c:\windows\system32\dllcache\wininet.dll
2009-07-03 18:09 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-07-03 18:09 206,848 a------- c:\windows\system32\dllcache\occache.dll
2009-07-03 18:09 1,208,832 -------- c:\windows\system32\dllcache\urlmon.dll
2009-07-03 18:09 594,432 a------- c:\windows\system32\dllcache\msfeeds.dll
2009-07-03 18:09 55,296 a------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-07-03 18:09 1,985,536 -------- c:\windows\system32\dllcache\iertutil.dll
2009-07-03 18:09 25,600 -------- c:\windows\system32\dllcache\jsproxy.dll
2009-07-03 18:09 184,320 a------- c:\windows\system32\dllcache\iepeers.dll
2009-07-03 18:09 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-07-03 18:09 386,048 -------- c:\windows\system32\dllcache\iedkcs32.dll
2009-07-03 12:01 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-04-23 16:54 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2008-09-04 13:20 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090420080905\index.dat

============= FINISH: 2:16:55.92 ===============

And here is the RepealScan log:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/22 02:19
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0x99367000 Size: 778240 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xBA148000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Benjamin Wilson\Local Settings\Apps\2.0\C4GGBA7O.H0W\HCRYMNOC.ZV5\manifests\Click MusicalKEYS.exe.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Benjamin Wilson\Local Settings\Apps\2.0\C4GGBA7O.H0W\HCRYMNOC.ZV5\manifests\Click MusicalKEYS.exe.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Benjamin Wilson\Local Settings\Application Data\Microsoft\Messenger\____@hotmail.co.uk\SharingMetadata\____@hotmail.com\DFSR\Staging\CS{F4C025FB-90AD-0C45-D531-236178B514F9}\32\439-{4~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Benjamin Wilson\Local Settings\Application Data\Microsoft\Messenger\____@hotmail.co.uk\SharingMetadata\____@hotmail.com\DFSR\Staging\CS{F4C025FB-90AD-0C45-D531-236178B514F9}\33\437-{4~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Benjamin Wilson\Local Settings\Application Data\Microsoft\Messenger\____@hotmail.co.uk\SharingMetadata\____y@hotmail.com\DFSR\Staging\CS{F4C025FB-90AD-0C45-D531-236178B514F9}\34\438-{4~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Benjamin Wilson\Local Settings\Application Data\Microsoft\Messenger\____@hotmail.co.uk\SharingMetadata\____@hotmail.com\DFSR\Staging\CS{F4C025FB-90AD-0C45-D531-236178B514F9}\35\440-{4~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Benjamin Wilson\Local Settings\Application Data\Microsoft\Messenger\____@hotmail.co.uk\SharingMetadata\____@hotmail.com\DFSR\Staging\CS{F4C025FB-90AD-0C45-D531-236178B514F9}\36\436-{4AF0F48C-4AFD-4B46-870F-40CA19AEE2D5}-v436-{4AF0F48C-4AFD-4B46-870F-40CA19AEE2D5}-v436-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Benjamin Wilson\Local Settings\Application Data\Microsoft\Messenger\____@hotmail.co.uk\SharingMetadata\____@hotmail.com\DFSR\Staging\CS{596D68B0-9074-6CB5-58DC-93D2008503F3}\05\405-{4AF0F48C-4AFD-4B46-870F-40CA19AEE2D5}-v405-{4AF0F48C-4AFD-4B46-870F-40CA19AEE2D5}-v405-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Benjamin Wilson\Local Settings\Application Data\Microsoft\Messenger\____@hotmail.co.uk\SharingMetadata\____@hotmail.com\DFSR\Staging\CS{596D68B0-9074-6CB5-58DC-93D2008503F3}\68\412-{4~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: d:\my documents\my safe\desktop.ini
Status: Size mismatch (API: 139, Raw: 65)

Path: D:\My Documents\My Safe\Passwords.txt
Status: Visible to the Windows API, but not on disk.

Path: Volume F:\
Status: MBR Rootkit Detected!

Path: Volume F:\, Sector 62
Status: Sector mismatch

SSDT
-------------------
#: 047 Function Name: NtCreateProcess
Status: Hooked by "C:\Program Files\F-Secure Internet Security\HIPS\fshs.sys" at address 0x99d21740

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "C:\Program Files\F-Secure Internet Security\HIPS\fshs.sys" at address 0x99d2175a

#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\Program Files\F-Secure Internet Security\HIPS\fshs.sys" at address 0x99d20fb2

#: 125 Function Name: NtOpenSection
Status: Hooked by "C:\Program Files\F-Secure Internet Security\HIPS\fshs.sys" at address 0x99d21266

#: 192 Function Name: NtRenameKey
Status: Hooked by "C:\Program Files\F-Secure Internet Security\HIPS\fshs.sys" at address 0x99d2214e

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "C:\Program Files\F-Secure Internet Security\HIPS\fshs.sys" at address 0x99d21160

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "C:\Program Files\F-Secure Internet Security\HIPS\fshs.sys" at address 0x99d209c6

#: 254 Function Name: NtSuspendThread
Status: Hooked by "C:\Program Files\F-Secure Internet Security\HIPS\fshs.sys" at address 0x99d20c12

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\Program Files\F-Secure Internet Security\HIPS\fshs.sys" at address 0x99d20e8e

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\F-Secure Internet Security\HIPS\fshs.sys" at address 0x99d208ac

#: 258 Function Name: NtTerminateThread
Status: Hooked by "C:\Program Files\F-Secure Internet Security\HIPS\fshs.sys" at address 0x99d20ade

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\Program Files\F-Secure Internet Security\HIPS\fshs.sys" at address 0x99d20d46

Shadow SSDT
-------------------
#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\Program Files\F-Secure Internet Security\HIPS\fshs.sys" at address 0x99d22c64

==EOF==

I hope you don't mind but I replaced the email addresses from 
some of the lines in the logs with ____@hotmail.co.uk so theyr'e not shown, if you need them there I'll put them back in for you. Thanks for looking into it :)



Edited by benwizz, 22 September 2009 - 08:09 PM.


#4 extremeboy

    Retired WTT Malware Disintegrator Teacher
  • Authentic Member
  • 1,433 posts

Posted 22 September 2009 - 02:29 PM

Hello.

E-mail address: good that you edited it out to avoid any spam, but I would like to see your username for your computer, as that helps locate path locations etc. HOWEVER, if you really don't wish to or don't feel comfortable revealing it, I won't mind and can deal with it alternatively. It won't make too much of a difference.

Therefore, the next time I tell you to run a scan, if you don't wish to show your username for the computer then you can edit it out. :)

Please start with Combofix.

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page for instructions on doing so.

Please include the C:\ComboFix.txt in your next reply for further review.
If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

The help you receive here is free. If you wish to show your appreciation, you may wish to Posted Image

#5 benwizz

    New Member
  • Authentic Member
  • 7 posts

Posted 22 September 2009 - 08:48 PM

I've put the name back in the path locations for you. Here's the combofix log:

ComboFix 09-09-22.02 - Benjamin Wilson 23/09/2009 3:39.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2039.1225 [GMT 1:00]
Running from: c:\documents and settings\Benjamin Wilson\Desktop\ComboFix.exe
AV: F-Secure Internet Security 2008 OEM 8.00 *On-access scanning disabled* (Updated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
AV: Norton Internet Security *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: F-Secure Internet Security 2008 OEM 8.00 *disabled* {D4747503-0346-49EB-9262-997542F79BF4}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-2646128191-4278396063-327579688-500
c:\recycler\S-1-5-21-335370264-2223378490-1093374705-500
c:\recycler\S-1-5-21-4252882061-2612516342-826687114-500
c:\recycler\S-1-5-21-593153778-2049585034-1883489503-500
c:\windows\Installer\$PatchCache$\Managed\6ACA9EFE6506DC043852E0B02EBC26B2\8.1.0\html.ini2
c:\windows\Installer\2cb25b9.msi
c:\windows\Installer\73ffa9d.msp
c:\windows\Installer\b64798d.msi
c:\windows\Installer\b64798e.msp
c:\windows\Installer\b64798f.msp
c:\windows\Installer\b647990.msp
c:\windows\Installer\b647991.msp
c:\windows\Installer\b647992.msp
c:\windows\Installer\b647993.msp
c:\windows\Installer\b647994.msp
c:\windows\Installer\b647995.msp
c:\windows\Installer\b647996.msp
c:\windows\Installer\b647997.msp

.
((((((((((((((((((((((((( Files Created from 2009-08-23 to 2009-09-23 )))))))))))))))))))))))))))))))
.

2009-08-29 23:52 . 2009-08-29 23:52 -------- d-----w- c:\documents and settings\Benjamin Wilson\Application Data\Malwarebytes
2009-08-29 23:51 . 2009-09-10 13:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-29 23:51 . 2009-09-21 00:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-29 23:51 . 2009-09-10 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-29 23:51 . 2009-08-29 23:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-29 23:32 . 2009-08-29 23:32 -------- d-----w- c:\windows\system32\wbem\Repository

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-22 01:15 . 2008-09-09 16:50 -------- d-----w- c:\program files\uTorrent
2009-09-21 01:19 . 2008-09-08 16:33 -------- d-----w- c:\documents and settings\All Users\Application Data\HDD Thermometer
2009-09-05 23:20 . 2008-12-08 19:58 -------- d-----w- c:\documents and settings\Benjamin Wilson\Application Data\skypePM
2009-09-05 23:20 . 2008-12-08 19:56 -------- d-----w- c:\documents and settings\Benjamin Wilson\Application Data\Skype
2009-08-29 23:32 . 2008-09-09 16:50 -------- d-----w- c:\documents and settings\Benjamin Wilson\Application Data\uTorrent
2009-08-29 15:28 . 2008-09-11 12:05 -------- d-----w- c:\documents and settings\Benjamin Wilson\Application Data\LimeWire
2009-08-29 08:33 . 2008-09-04 09:31 85016 ----a-w- c:\documents and settings\Benjamin Wilson\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-27 22:55 . 2009-02-25 22:33 -------- d-----w- c:\documents and settings\Benjamin Wilson\Application Data\Spotify
2009-08-23 10:35 . 2007-05-31 15:18 85016 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-22 08:30 . 2009-08-13 17:37 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-08-22 08:30 . 2009-08-13 17:37 -------- d-----w- c:\program files\NOS
2009-08-18 20:41 . 2009-08-18 20:40 -------- d-----w- c:\program files\mpTrim
2009-08-12 21:09 . 2007-05-31 16:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-05 09:01 . 2007-05-30 08:13 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-31 22:50 . 2008-02-29 19:14 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-17 19:01 . 2007-05-30 08:12 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 22:43 . 2007-05-30 08:13 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2007-05-30 08:13 915456 ----a-w- c:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"rsd_hddthermo"="c:\program files\HDD Thermometer\HDD Thermometer.exe" [2005-04-01 215040]
"toscdspd"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2005-04-11 65536]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-14 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"thpsrv"="c:\windows\system32\thpsrv" [X]
"00thotkey"="c:\windows\system32\00THotkey.exe" [2006-08-07 253952]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2008-05-17 140568]
"acronistimountermonitor"="c:\program files\Acronis\TrueImage\TimounterMonitor.exe" [2008-05-17 909248]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-24 196608]
"ddwmon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2007-04-26 495616]
"dputil"="c:\program files\TOSHIBA\DualPointUtility\TEDTray.exe" [2005-08-05 155648]
"f-secure manager"="c:\program files\F-Secure Internet Security\Common\FSM32.EXE" [2007-05-25 183208]
"f-secure tnb"="c:\program files\F-Secure Internet Security\FSGUI\TNBUtil.exe" [2007-05-25 740208]
"hotkeyscmds"="c:\windows\system32\hkcmd.exe" [2007-04-09 162584]
"iaanotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-02-12 174872]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2007-04-09 138008]
"isuspm startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"isusscheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"persistence"="c:\windows\system32\igfxpers.exe" [2007-04-09 138008]
"psqllauncher"="c:\program files\Protector Suite QL\launcher.exe" [2006-05-05 30208]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"smoothview"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-05-11 143360]
"ssbkgdupdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"taudeffect"="c:\program files\TOSHIBA\TAudEffect\TAudEff.exe" [2006-08-09 344144]
"tmerzctl.exe"="c:\program files\TOSHIBA\TME3\TMERzCtl.EXE" [2006-09-04 90112]
"tmesrv.exe"="c:\program files\TOSHIBA\TME3\TMESRV31.EXE" [2006-03-06 114688]
"topi"="c:\program files\TOSHIBA\Toshiba Online Product Information\topi.exe" [2007-04-02 577536]
"toshkcw.exe"="c:\program files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2005-05-17 49152]
"touched"="c:\program files\TOSHIBA\TouchED\TouchED.exe" [2005-08-31 102400]
"trueimagemonitor.exe"="c:\program files\Acronis\TrueImage\TrueImageMonitor.exe" [2008-05-17 1326392]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"000stthk"="000StTHK.exe" - c:\windows\system32\000StTHK.exe [2001-06-23 24576]
"rthdcpl"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-12-20 16860672]
"tfncky"="TFncKy.exe" [BU]
"tfnf5"="TFNF5.exe" - c:\windows\system32\TFNF5.exe [2006-04-11 622592]
"tosdcr"="TOSDCR.EXE" - c:\windows\system32\TOSDCR.exe [2005-12-12 57344]
"tpsmain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2007-04-18 299008]
"tpsoddctl"="TPSODDCtl.exe" - c:\windows\system32\TPSODDCtl.exe [2007-04-18 102400]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Directrec Configuration Tool.lnk - c:\program files\Olympus\DeviceDetector\DirectrecConfig.exe [2008-9-4 122880]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-05-05 16:48 40448 ----a-w- c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TosBtNP]
2006-07-22 02:54 65536 ----a-w- c:\windows\system32\TosBtNP.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager 1.0\\MediaManager.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [04/09/2008 12:22 51040]
R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [22/03/2007 13:07 20992]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [09/03/2007 15:23 6528]
R1 F-Secure HIPS;F-Secure HIPS;c:\program files\F-Secure Internet Security\HIPS\fshs.sys [04/09/2008 12:22 41184]
R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [30/05/2007 16:23 5888]
R2 FdRedir;FdRedir;c:\program files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [05/05/2006 18:00 13568]
R2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\Common Files\Protector Suite QL\Drivers\filedisk.sys [05/05/2006 17:59 33024]
R2 smihlp;SMI helper driver;c:\program files\Protector Suite QL\smihlp.sys [05/05/2006 17:33 3456]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [26/03/2007 12:22 105856]
R2 Tmesrv;Tmesrv3;c:\program files\TOSHIBA\TME3\TMESRV31.exe [30/05/2007 16:23 114688]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [08/04/2009 11:38 92008]
R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [19/02/2007 12:15 134016]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\F-Secure Internet Security\Anti-Virus\minifilter\fsgk.sys [04/09/2008 12:21 77824]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [31/05/2007 16:10 35968]
S2 gupdate1c9d3663877047e;Google Update Service (gupdate1c9d3663877047e);c:\program files\Google\Update\GoogleUpdate.exe [13/05/2009 02:00 133104]
S3 PAC207;SoC PC-Camer@;c:\windows\system32\drivers\PFC027.sys [24/02/2005 13:29 162176]
S3 rt2870;Linksys 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [14/12/2007 19:04 551680]
S3 TEchoCan;Toshiba Audio Effect;c:\windows\system32\drivers\TEchoCan.sys [30/05/2007 16:26 435072]
S4 F-Secure Filter;F-Secure File System Filter;c:\program files\F-Secure Internet Security\Anti-Virus\win2k\fsfilter.sys [04/09/2008 12:21 40048]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\F-Secure Internet Security\Anti-Virus\win2k\fsrec.sys [04/09/2008 12:21 25456]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 11:34]

2009-09-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-13 01:00]

2009-09-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-13 01:00]

2009-09-22 c:\windows\Tasks\Scheduled scanning task.job
- c:\progra~1\F-SECU~1\ANTI-V~1\fsav.exe [2008-09-04 12:41]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.sky.com/skynews
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
LSP: c:\program files\F-Secure Internet Security\FSPS\program\FSLSP.DLL
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
FF - ProfilePath - c:\documents and settings\Benjamin Wilson\Application Data\Mozilla\Firefox\Profiles\os6m0tqw.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - www.sky.com/skynews
FF - plugin: c:\program files\Google\Google Earth Plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npoji610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-opagent - OpAgent.exe
HKLM-Run-pointer - point32.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-23 03:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(892)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\windows\system32\biologon.dll
c:\program files\Protector Suite QL\homepass.dll
c:\program files\Protector Suite QL\bio.dll
c:\program files\Protector Suite QL\remote.dll
c:\program files\Protector Suite QL\crypto.dll
c:\program files\F-Secure Internet Security\FWES\Program\fsdc.dll
c:\program files\Protector Suite QL\mysafe.dll

- - - - - - - > 'lsass.exe'(948)
c:\windows\system32\relog_ap.dll
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\F-Secure Internet Security\FSPS\program\FSLSP.DLL
c:\program files\F-Secure Internet Security\FWES\Program\fsdc.dll

- - - - - - - > 'csrss.exe'(868)
c:\program files\F-Secure Internet Security\FWES\Program\fsdc.dll
.
Completion time: 2009-09-23 3:44
ComboFix-quarantined-files.txt 2009-09-23 02:44

Pre-Run: 5,009,453,056 bytes free
Post-Run: 5,011,283,968 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /forceresetreg

262 --- E O F --- 2009-08-27 21:34


I've just run another MBAM scan and no malicious items were detected :)

#6 extremeboy

    Retired WTT Malware Disintegrator Teacher
  • Authentic Member
  • 1,433 posts

Posted 23 September 2009 - 06:50 PM

Hello.

Glad MBAM didn't detect anything. Still a few things we will do before we are done.

Looks good overall.

Download and Run FlashDisinfector

  • Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden file named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.

Update Java to Version 6 Update 16

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 16.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u16-windows-i586.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

Run ESET Online Scan

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
You can refer to this animation by neomage if needed.

Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply. Also, let me know how your computer is running and if you have any more problems, issues or symptoms left.

Thanks.

With Regards,
Extremeboy
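The autorun.inf placeholder mentioned in the Flash_Disinfector note above is what keeps an autorun worm from writing its own autorun.inf to a drive root. As an added example (not code from the thread and not Flash_Disinfector's own), the script below tells that placeholder directory apart from an autorun.inf file that launches a program and reports what such a file would run; the drive roots, file contents and function names are constructed for the example.

```python
"""Tell a protective autorun.inf placeholder apart from one that launches code.

Added example; not from the thread and not Flash_Disinfector's own code.
The idea it illustrates is the thread's: a directory named autorun.inf at a
drive root stops an autorun worm from dropping its own autorun.inf there.
The parser, verdict labels and sample drive roots below are this example's.
"""
import os
import re
import tempfile
from dataclasses import dataclass, field
from typing import Dict, List

# [autorun] keys that make Windows start a program (classic autorun worms
# set one or more of these to a hidden executable on the drive).
LAUNCH_KEYS = ("open", "shellexecute")
LAUNCH_CMD = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)


@dataclass
class AutorunVerdict:
    kind: str                                         # absent | placeholder | cosmetic | launcher
    targets: List[str] = field(default_factory=list)  # programs autorun would run


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the [autorun] section as a lower-cased key -> value mapping.

    A deliberately small INI reader: worm-written autorun.inf files use odd
    casing, stray blank lines and comments, so keys are normalised here.
    """
    section = None
    keys: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        keys[key.strip().lower()] = value.strip()
    return keys


def launch_targets(keys: Dict[str, str]) -> List[str]:
    """Every program the [autorun] section asks Windows to execute."""
    return [value for key, value in keys.items()
            if key in LAUNCH_KEYS or LAUNCH_CMD.match(key)]


def inspect_autorun(drive_root: str) -> AutorunVerdict:
    """Classify the autorun.inf (if any) at the root of a drive.

    Assumes the lower-case name autorun.inf; on Windows the name is
    case-insensitive, so a real check would also match AUTORUN.INF.
    """
    path = os.path.join(drive_root, "autorun.inf")
    if not os.path.lexists(path):
        return AutorunVerdict("absent")
    if os.path.isdir(path):
        # A directory by that name is the protective placeholder: a worm
        # cannot create a file of the same name next to it.
        return AutorunVerdict("placeholder")
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        keys = parse_autorun(fh.read())
    targets = launch_targets(keys)
    return AutorunVerdict("launcher", targets) if targets else AutorunVerdict("cosmetic")


def demo() -> Dict[str, AutorunVerdict]:
    """Build three constructed drive roots in a temp dir and inspect each."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        # 1. Constructed worm-style autorun.inf: opens a hidden executable
        #    and hijacks the Explorer "Open" verb to run it as well.
        worm = os.path.join(tmp, "usb_worm")
        os.makedirs(worm)
        with open(os.path.join(worm, "autorun.inf"), "w", encoding="utf-8") as fh:
            fh.write("[AutoRun]\n"
                     "OPEN=RECYCLER\\Games.exe\n"
                     "shell\\open\\Command=RECYCLER\\Games.exe\n"
                     "icon=%SystemRoot%\\system32\\shell32.dll,4\n")
        # 2. The placeholder directory a Flash_Disinfector run leaves behind.
        clean = os.path.join(tmp, "usb_clean")
        os.makedirs(os.path.join(clean, "autorun.inf"))
        # 3. Vendor-style autorun.inf that only names the drive and sets an icon.
        vendor = os.path.join(tmp, "usb_vendor")
        os.makedirs(vendor)
        with open(os.path.join(vendor, "autorun.inf"), "w", encoding="utf-8") as fh:
            fh.write("[autorun]\nlabel=Backup Stick\nicon=stick.ico\n")
        for name in ("usb_worm", "usb_clean", "usb_vendor"):
            results[name] = inspect_autorun(os.path.join(tmp, name))
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict.kind} {verdict.targets}")
```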

#7 benwizz

    New Member
  • Authentic Member
  • 7 posts

Posted 23 September 2009 - 10:13 PM

Hey. During the ESET scan, my original anti-virus program F-Secure found a virus called Trojan-Downloader.Win32.Mufanom.ddy. Here's the information about it, from the F-Secure program:

Scanning Report
24 September 2009 04:39:43 - 04:40:56
Computer name: BENLAPTOP
Scanning type: Scan target
Target: C:\System Volume Information\_restore{057EF1DB-699E-460E-A182-554DABF78B4D}\RP324\A0044663.dll

--------------------------------------------------------------------------------

Result: 1 malware found
Trojan-Downloader.Win32.Mufanom.ddy (virus)
C:\System Volume Information\_restore{057EF1DB-699E-460E-A182-554DABF78B4D}\RP324\A0044663.dll Action: renamed

--------------------------------------------------------------------------------

Statistics
Scanned:
  Files: 1
  Not scanned: 0
Result:
  Viruses: 1
  Spyware: 0
  Suspicious items: 0
  Riskware: 0
Actions:
  Disinfected: 0
  Renamed: 1
  Deleted: 0
  Quarantined: 0
  Failed: 0
Boot Sectors:
  Scanned: 0
  Infected: 0
  Suspicious items: 0
  Disinfected: 0

--------------------------------------------------------------------------------

Options
Definitions version:
  Viruses: 2009-09-24_03
  Spyware: 2009-09-24_01
Scanning Engines:
  F-Secure AVP: 7.00.171, 2009-09-23
  F-Secure Libra: 2.04.05, 2009-09-22
  F-Secure Orion: 1.02.41, 2009-09-24
  F-Secure Draco: 1.01.00, 0-00-00
Scanning options:
  Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ANI AVB BAT CEO CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR TGZ JOB ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQX
  Scan inside archives
Actions:
  Viruses: Disinfect infected files
  Spyware: Ask after scan

--------------------------------------------------------------------------------

I clicked on heal (recommended) but I'm not sure that it fixed it.

I ran an F-Secure scan on the C:\System Volume Information folder but it showed up as all clear. I then ran an MBAM scan and it found the same 35 different malware as before (the two hijack.windowsupdates viruses weren't there this time). All of the malware are in the D:\My Documents\My Safe folder, which is protected with a fingerprint reader on the laptop, in case that helps you. Here's the log for the MBAM scan:

Malwarebytes' Anti-Malware 1.41
Database version: 2834
Windows 5.1.2600 Service Pack 3

24/09/2009 04:58:01
mbam-log-2009-09-24 (04-58-01).txt

Scan type: Quick Scan
Objects scanned: 108640
Time elapsed: 10 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 35

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
D:\My Documents\My Safe\Classified.exe (Worm.Daprosy) -> Quarantined and deleted successfully.
D:\My Documents\My Safe\fupipivo.dll (Fake.Malware) -> Quarantined and deleted successfully.
D:\My Documents\My Safe\Games.exe (Worm.AutoRun) -> Quarantined and deleted successfully.
D:\My Documents\My Safe\HiddenFolder.exe (Worm.AutoRun) -> Quarantined and deleted successfully.
D:\My Documents\My Safe\kentut.exe (Trojan.Agent) -> Quarantined and deleted successfully.
D:\My Documents\My Safe\mp3.exe (Worm.AutoRun) -> Quarantined and deleted successfully.
D:\My Documents\My Safe\My Documents.url (Trojan.Zlob) -> Quarantined and deleted successfully.
D:\My Documents\My Safe\My Folder.com (Virus.Rungbu) -> Quarantined and deleted successfully.
D:\My Documents\My Safe\My Music\foronandand.exe (Trojan.Agent) -> Quarantined and deleted successfully.
D:\My Documents\My Safe\My Music\inout.exe (Trojan.Agent) -> Quarantined and deleted successfully.
D:\My Documents\My Safe\My Music\My Music.exe (Worm.AutoRun) -> Quarantined and deleted successfully.
D:\My Documents\My Safe\My Music\My Music.url (Trojan.Zlob) -> Quarantined and deleted successfully.
D:\My Documents\My Safe\My Music\New Song.lagu (Backdoor.Bot) -> Quarantined and deleted successfully.
D:\My Documents\My Safe\My Music\Video.vidz (Backdoor.Bot) -> Quarantined and deleted successfully.
D:\My Documents\My Safe\My Pictures\aweks.pikz (Backdoor.Bot) -> Quarantined and deleted successfully.
D:\My Documents\My Safe\My Pictures\My Pictures.exe (Worm.AutoRun) -> Quarantined and deleted successfully.
D:\My Documents\My Safe\My Pictures\My Pictures.url (Trojan.Zlob) -> Quarantined and deleted successfully.
D:\My Documents\My Safe\My Pictures\Sample Pictures\Blue hills.exe (Trojan.Xanib) -> Quarantined and deleted successfully.
D:\My Documents\My Safe\My Pictures\Sample Pictures\Sunset.exe (Trojan.Xanib) -> Quarantined and deleted successfully.
D:\My Documents\My Safe\My Pictures\Sample Pictures\Water lilies.exe (Trojan.Xanib) -> Quarantined and deleted successfully.
D:\My Documents\My Safe\My Pictures\Sample Pictures\Winter.exe (Trojan.Xanib) -> Quarantined and deleted successfully.
D:\My Documents\My Safe\My Pictures\seram.pikz (Backdoor.Bot) -> Quarantined and deleted successfully.
D:\My Documents\My Safe\My Secret.fold (Backdoor.Bot) -> Quarantined and deleted successfully.
D:\My Documents\My Safe\My Videos\My Video.url (Trojan.Zlob) -> Quarantined and deleted successfully.
D:\My Documents\My Safe\Photo.Jpg.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\My Documents\My Safe\ppl.mdb (Fake.Malware) -> Quarantined and deleted successfully.
D:\My Documents\My Safe\PrisonBreak.Jpg.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\My Documents\My Safe\rafbsvnx.dll (Fake.Malware) -> Quarantined and deleted successfully.
D:\My Documents\My Safe\Rated R Pictures.com (Virus.Rungbu) -> Quarantined and deleted successfully.
D:\My Documents\My Safe\regscan.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\My Documents\My Safe\Skofilde.Jpg.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\My Documents\My Safe\Super Mario X.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\My Documents\My Safe\System\Explorer1.exe (Trojan.Logger) -> Quarantined and deleted successfully.
D:\My Documents\My Safe\Videos.exe (Worm.AutoRun) -> Quarantined and deleted successfully.
D:\My Documents\My Safe\work9\bhobj\bhobj.dll (Adware.WebDir) -> Quarantined and deleted successfully.

After running another scan, it's all clear, but after rebooting and running another scan, it again showed up exactly the same 35 problems, so it's only after a restart that the viruses show up again. :unsure:

Edited by benwizz, 23 September 2009 - 10:19 PM.


#8 extremeboy

extremeboy

    Retired WTT Malware Disintegrator Teacher

  • Authentic Member
  • PipPipPipPipPip
  • 1,433 posts

Posted 24 September 2009 - 04:13 PM

Hello.

Could you upload some of those .exe files to me if possible that Malwarebytes detected.

Submit file sample
  • Open to the Submission Channel.
  • Under Link to topic where this file was requested, input:
    http://forums.whatthetech.com/hijack_windowsupdates_virus_t107103.html
  • Click Browse and select the >>files MBAM detected. 5-6 files is enough (.exe ones)<< (Do one at a time)
  • Under the comments section, say that ExtremeBoy asked for the submission.
  • Then select Send File to send it
  • After that you should get a confirmation if it was uploaded successfully.

~Extremeboy
If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

The help you receive here is free. If you wish to show your appreciation, you may wish to Posted Image

#9 benwizz

benwizz

    New Member

  • Authentic Member
  • Pip
  • 7 posts

Posted 24 September 2009 - 08:56 PM

Hey, the locations of the viruses don't actually exist, so I can't upload any of them. They are all in the My Safe folder (a finger-swipe protected folder in My Documents which is only accessible after swiping the finger), but all I have in the folder is one .txt file with some passwords in. Is there anything else I can try?

#10 extremeboy

extremeboy

    Retired WTT Malware Disintegrator Teacher

  • Authentic Member
  • PipPipPipPipPip
  • 1,433 posts

Posted 25 September 2009 - 09:19 AM

Hello. Sorry about that. I think it should be okay. You can ignore them. Take a new DDS run for me and post the logs here.

#11 benwizz

benwizz

    New Member

  • Authentic Member
  • Pip
  • 7 posts

Posted 26 September 2009 - 09:14 PM

Thanks for looking into it, I'll run a new scan tomorrow and post the logs up here. Does that mean from now on I can just ignore it in the scans, and it shouldn't pose a threat? :)

#12 extremeboy

extremeboy

    Retired WTT Malware Disintegrator Teacher

  • Authentic Member
  • PipPipPipPipPip
  • 1,433 posts

Posted 27 September 2009 - 03:23 PM

Yes. Should be fine. Post the results when done please. ~Extremeboy

#13 benwizz

benwizz

    New Member

  • Authentic Member
  • Pip
  • 7 posts

Posted 27 September 2009 - 05:09 PM

Ok thanks. Here's the DDS log: DDS (Ver_09-06-26.01) - NTFSx86 Run by Benjamin Wilson at 23:53:02.82 on 27/09/2009 Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16 Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2039.1421 [GMT 1:00] AV: Norton Internet Security *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8} AV: F-Secure Internet Security 2008 OEM 8.00 *On-access scanning enabled* (Updated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15} FW: F-Secure Internet Security 2008 OEM 8.00 *enabled* {D4747503-0346-49EB-9262-997542F79BF4} FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220} ============== Running Processes =============== C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup svchost.exe svchost.exe C:\WINDOWS\system32\spoolsv.exe svchost.exe C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe C:\WINDOWS\system32\agrsmsvc.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe C:\Program Files\Olympus\DeviceDetector\DM1Service.exe C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\WINDOWS\System32\PAStiSvc.exe C:\WINDOWS\system32\svchost.exe -k imgsvc C:\WINDOWS\system32\ThpSrv.exe C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe C:\WINDOWS\system32\TODDSrv.exe C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe C:\WINDOWS\system32\SearchIndexer.exe C:\Program Files\F-Secure Internet 
Security\Common\FCH32.EXE C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE C:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe C:\Program Files\F-Secure Internet Security\FSPC\fspc.exe C:\Program Files\F-Secure Internet Security\FSAUA\program\fsaua.exe C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe C:\Program Files\F-Secure Internet Security\FSAUA\program\fsus.exe C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\00THotkey.exe C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe C:\Program Files\Acronis\TrueImage\TimounterMonitor.exe C:\Program Files\Apoint2K\Apoint.exe C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe C:\Program Files\Apoint2K\Apntex.exe C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE C:\Program Files\F-Secure Internet Security\FSGUI\fsguidll.exe C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe C:\WINDOWS\system32\igfxsrvc.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\WINDOWS\system32\igfxpers.exe C:\Program Files\Protector Suite QL\psqltray.exe C:\WINDOWS\RTHDCPL.EXE C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe C:\WINDOWS\system32\TFNF5.exe C:\WINDOWS\system32\thpsrv.exe C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE C:\WINDOWS\system32\igfxext.exe C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe C:\Program Files\TOSHIBA\TouchED\TouchED.exe C:\WINDOWS\system32\TPSMain.exe C:\WINDOWS\system32\TPSBattM.exe C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe C:\Program Files\HDD Thermometer\HDD Thermometer.exe C:\Program 
Files\TOSHIBA\TOSCDSPD\toscdspd.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\WINDOWS\system32\ctfmon.exe F:\Virus Removal\dds.scr ============== Pseudo HJT Report =============== uStart Page = hxxp://www.sky.com/skynews uInternet Settings,ProxyOverride = *.local BHO: txthlpBHO Class: {060235dc-6d84-47bd-95d7-a4ef5099a59d} - c:\progra~1\texthe~1\readan~1\TEXTHE~3.DLL BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll uRun: [msnmsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background uRun: [rsd_hddthermo] c:\program files\hdd thermometer\HDD Thermometer.exe uRun: [toscdspd] c:\program files\toshiba\toscdspd\toscdspd.exe uRun: [swg] "c:\program 
files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe" uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe mRun: [000stthk] 000StTHK.exe mRun: [00thotkey] c:\windows\system32\00THotkey.exe mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe" mRun: [acronistimountermonitor] c:\program files\acronis\trueimage\TimounterMonitor.exe mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe" mRun: [apoint] c:\program files\apoint2k\Apoint.exe mRun: [ddwmon] c:\program files\toshiba\toshiba direct disc writer\\ddwmon.exe mRun: [dputil] c:\program files\toshiba\dualpointutility\TEDTray.exe mRun: [f-secure manager] "c:\program files\f-secure internet security\common\FSM32.EXE" /splash mRun: [f-secure tnb] "c:\program files\f-secure internet security\fsgui\TNBUtil.exe" /CHECKALL /WAITFORSW mRun: [hotkeyscmds] c:\windows\system32\hkcmd.exe mRun: [iaanotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe" mRun: [igfxtray] c:\windows\system32\igfxtray.exe mRun: [isuspm startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup mRun: [isusscheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start mRun: [persistence] c:\windows\system32\igfxpers.exe mRun: [psqllauncher] "c:\program files\protector suite ql\launcher.exe" /startup mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime mRun: [rthdcpl] RTHDCPL.EXE mRun: [smoothview] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe mRun: [ssbkgdupdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot mRun: [taudeffect] c:\program files\toshiba\taudeffect\TAudEff.exe /run mRun: [tfncky] TFncKy.exe mRun: [tfnf5] TFNF5.exe mRun: [thpsrv] c:\windows\system32\thpsrv /logon mRun: [tmerzctl.exe] c:\program files\toshiba\tme3\TMERzCtl.EXE /Service mRun: [tmesrv.exe] c:\program files\toshiba\tme3\TMESRV31.EXE /Logon mRun: 
[topi] c:\program files\toshiba\toshiba online product information\topi.exe -startup mRun: [tosdcr] TOSDCR.EXE mRun: [toshkcw.exe] "c:\program files\toshiba\wireless hotkey\TosHKCW.exe" mRun: [touched] c:\program files\toshiba\touched\TouchED.exe mRun: [tpsmain] TPSMain.exe mRun: [tpsoddctl] TPSODDCtl.exe mRun: [trueimagemonitor.exe] c:\program files\acronis\trueimage\TrueImageMonitor.exe mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe" StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\direct~1.lnk - c:\program files\olympus\devicedetector\DirectrecConfig.exe IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000 IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {200DB664-75B5-47c0-8B45-A44ACCF73C00} - {D68926FD-18FD-4B0E-A1C7-917D13FAB760} - c:\program files\f-secure internet security\fspc\fspcmsie.dll IE: {200DB664-75B5-47c0-8B45-A44ACCF73F01} - {D68926FD-18FD-4B0E-A1C7-917D13FAB760} - c:\program files\f-secure internet security\fspc\fspcmsie.dll IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL LSP: c:\program files\f-secure internet security\fsps\program\FSLSP.DLL DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab DPF: {5727FF4C-EF4E-4d96-A96C-03AD91910448} - hxxp://www.srtest.com/srl_bin/sysreqlab_ind.cab DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1238265007828 DPF: 
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1192731515546 DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL Notify: igfxcui - igfxdev.dll Notify: psfus - psqlpwd.dll Notify: TosBtNP - TosBtNP.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll LSA: Authentication Packages = msv1_0 relog_ap LSA: Notification Packages = scecli psqlpwd ================= FIREFOX =================== FF - ProfilePath - c:\docume~1\benjam~1\applic~1\mozilla\firefox\profiles\os6m0tqw.default\ FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q= FF - prefs.js: browser.search.selectedEngine - Wikipedia (en) FF - prefs.js: browser.startup.homepage 
- www.sky.com/skynews FF - plugin: c:\program files\google\google earth plugin\npgeplugin.dll FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\ FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} ---- FIREFOX POLICIES ---- c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false); c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200); c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true); c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true); c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true); c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess"); c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120); c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3); c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true); c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1); c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1); c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true); c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0); c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072); c:\program files\mozilla firefox\greprefs\all.js - 
pref("geo.enabled", true); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35"); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false); c:\program files\mozilla 
firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json"); ============= SERVICES / DRIVERS =============== R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [2008-9-4 51040] R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [2007-3-22 20992] R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [2007-3-9 6528] R1 F-Secure HIPS;F-Secure HIPS;c:\program files\f-secure internet security\hips\fshs.sys [2008-9-4 41184] R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [2007-5-30 5888] R2 F-Secure Gatekeeper Handler Starter;FSGKHS;c:\program files\f-secure internet security\anti-virus\fsgk32st.exe [2008-9-4 48072] R2 FdRedir;FdRedir;c:\program files\common files\protector suite ql\drivers\FdRedir.sys [2006-5-5 13568] 
R2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\common files\protector suite ql\drivers\filedisk.sys [2006-5-5 33024] R2 smihlp;SMI helper driver;c:\program files\protector suite ql\smihlp.sys [2006-5-5 3456] R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [2007-3-26 105856] R2 Tmesrv;Tmesrv3;c:\program files\toshiba\tme3\TMESRV31.exe [2007-5-30 114688] R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-4-8 92008] R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [2007-2-19 134016] R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\f-secure internet security\anti-virus\minifilter\fsgk.sys [2008-9-4 77824] R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-5-31 35968] S2 gupdate1c9d3663877047e;Google Update Service (gupdate1c9d3663877047e);c:\program files\google\update\GoogleUpdate.exe [2009-5-13 133104] S3 PAC207;SoC PC-Camer@;c:\windows\system32\drivers\PFC027.sys [2005-2-24 162176] S3 rt2870;Linksys 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2007-12-14 551680] S3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2007-5-31 1174664] S3 TEchoCan;Toshiba Audio Effect;c:\windows\system32\drivers\TEchoCan.sys [2007-5-30 435072] S4 F-Secure Filter;F-Secure File System Filter;c:\program files\f-secure internet security\anti-virus\win2k\fsfilter.sys [2008-9-4 40048] S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\f-secure internet security\anti-virus\win2k\fsrec.sys [2008-9-4 25456] =============== Created Last 30 ================ 2009-09-24 03:58 <DIR> --d----- c:\program files\ESET 2009-09-24 03:57 411,368 a------- c:\windows\system32\deploytk.dll 2009-09-24 03:57 73,728 a------- c:\windows\system32\javacpl.cpl 2009-09-24 03:35 <DIR> a-dshr-- C:\autorun.inf 2009-09-23 03:56 153,088 -------- 
c:\windows\system32\dllcache\triedit.dll 2009-09-23 03:38 <DIR> a-dshr-- C:\cmdcons 2009-09-23 03:36 229,888 a------- c:\windows\PEV.exe 2009-09-23 03:36 161,792 a------- c:\windows\SWREG.exe 2009-09-23 03:36 98,816 a------- c:\windows\sed.exe 2009-09-23 03:36 <DIR> --d----- C:\ComboFix 2009-08-30 00:52 <DIR> --d----- c:\docume~1\benjam~1\applic~1\Malwarebytes 2009-08-30 00:51 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys 2009-08-30 00:51 19,160 a------- c:\windows\system32\drivers\mbam.sys 2009-08-30 00:51 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware 2009-08-30 00:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes 2009-08-30 00:32 <DIR> --d----- c:\windows\system32\wbem\Repository ==================== Find3M ==================== 2009-08-05 10:01 204,800 a------- c:\windows\system32\mswebdvd.dll 2009-08-05 10:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll 2009-07-19 18:48 11,067,392 -------- c:\windows\system32\dllcache\ieframe.dll 2009-07-19 14:18 5,937,152 -------- c:\windows\system32\dllcache\mshtml.dll 2009-07-17 20:01 58,880 a------- c:\windows\system32\atl.dll 2009-07-17 20:01 58,880 -------- c:\windows\system32\dllcache\atl.dll 2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll 2009-07-13 23:43 10,841,088 -------- c:\windows\system32\dllcache\wmp.dll 2009-07-13 23:43 286,208 -------- c:\windows\system32\dllcache\wmpdxm.dll 2009-07-10 14:27 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll 2009-07-03 18:09 915,456 -------- c:\windows\system32\wininet.dll 2009-07-03 18:09 915,456 -------- c:\windows\system32\dllcache\wininet.dll 2009-07-03 18:09 12,800 -------- c:\windows\system32\dllcache\xpshims.dll 2009-07-03 18:09 206,848 a------- c:\windows\system32\dllcache\occache.dll 2009-07-03 18:09 1,208,832 -------- c:\windows\system32\dllcache\urlmon.dll 2009-07-03 18:09 594,432 a------- c:\windows\system32\dllcache\msfeeds.dll 2009-07-03 18:09 55,296 a------- 
c:\windows\system32\dllcache\msfeedsbs.dll 2009-07-03 18:09 1,985,536 -------- c:\windows\system32\dllcache\iertutil.dll 2009-07-03 18:09 25,600 -------- c:\windows\system32\dllcache\jsproxy.dll 2009-07-03 18:09 184,320 a------- c:\windows\system32\dllcache\iepeers.dll 2009-07-03 18:09 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll 2009-07-03 18:09 386,048 -------- c:\windows\system32\dllcache\iedkcs32.dll 2009-07-03 12:01 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe 2008-04-23 16:54 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat 2008-09-04 13:20 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090420080905\index.dat ============= FINISH: 23:53:40.04 ===============


#14 extremeboy

extremeboy

    Retired WTT Malware Disintegrator Teacher

  • Authentic Member
  • PipPipPipPipPip
  • 1,433 posts

Posted 28 September 2009 - 02:39 PM

Hello.

That looks good.

 
Please follow/read the steps below to remove the tools we used, purge a system restore and for some more information. :)

Download and Run OTC

We will now remove the tools we used during this fix using OTC.

  • Download OTC by OldTimer and save it to your desktop.
  • Double click the OTC icon to start the program. If you are using Vista, please right-click and choose run as administrator.
  • Then click the big button.
  • You will get a prompt saying "Being Cleanup Process". Please select Yes.
  • Restart your computer when prompted.

Create a New System Restore Point <- Very Important

Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok"
  • Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" Tab.
  • Click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

System a bit slow? Try StartupLite

You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.

If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware.

Congratulations! You now appear clean! :D

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Preventing Infections in the Future

Please also have a look at the following links, giving some advice and Tips to protect yourself against malware and reduce the potential for re-infection:

  • Avoid gaming sites, underground web pages, pirated software sites, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.

Disable Autorun on Flash-Drive/Removable Drives

When is AUTORUN.INF really an AUTORUN.INF?

USB worms work by creating a file called AUTORUN.INF on the root of USB drives. These INF files then use Autorun or Autoplay (not the same thing!) to execute themselves either when the stick is inserted, or more commonly, when the user double-clicks on the USB drive icon from My Computer (Windows Explorer)...


Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. Read USB-Based Malware Attacks and Please disable Autorun asap!.

If using Windows Vista, please refer to:
"Disable AutoPlay in Windows Vista"
"Preventing AutoPlay with Local Group Policy Editor or AutoPlay options panel"

Note: When Autorun is disabled, double-clicking a drive which has autorun.inf in its root directory may still activate Autorun so be careful.

Update Non-Microsoft Programs

It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Update all programs regularly - Make sure you update all the programs you have installed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

If you have no more questions, comments or problems please tell us, so we can close off the topic.

Thanks :)

With Regards,
Extremeboy

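The AUTORUN.INF mechanism described in the post above, seen from the detection side, as an added example that is not code from the thread or from any tool it names: a small Python parser that reads the [autorun] section the way Windows does (case-insensitive keys, ';' comments) and flags directives that launch a program or make the drive look like an ordinary folder in AutoPlay. The two autorun.inf bodies in the block are constructed samples; the file names in them are placeholders.

```python
"""
Defender-side triage of an autorun.inf file.

Added example, not code from the forum thread or from any tool named in it.
Windows reads the [autorun] section as case-insensitive key=value pairs and
treats ';' as a comment. USB worms rely on directives that start a program
(open, shellexecute, shell\<verb>\command) and on cosmetic keys (icon, label,
action) that make the drive look like a plain folder in AutoPlay.
"""
import re

# Keys whose value is run, or offered as the default AutoPlay action.
LAUNCH_KEYS = {"open", "shellexecute"}
# Cosmetic keys; harmless on an install CD, but worms use them to disguise
# the "run program" action as "Open folder to view files".
DISGUISE_KEYS = {"icon", "label", "action"}

# Constructed samples; the paths are placeholders, not real malware.
WORM_SAMPLE = r"""
[AutoRun]
; constructed sample in the style of a USB worm
open=RECYCLER\sample.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open\Command=RECYCLER\sample.exe
shell=open
"""

BENIGN_SAMPLE = r"""
[autorun]
icon=setup.ico
label=Product CD
"""


def parse_autorun(text):
    """Return {section: {key: value}} from INF-style text.

    Section names and keys are lower-cased because Windows matches them
    case-insensitively; values keep their original case.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        header = re.match(r"^\[(.+?)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # stray text outside a section, or a malformed line
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def is_launch_key(key):
    """True for directives that cause a program to run."""
    if key in LAUNCH_KEYS:
        return True
    # shell\<verb>\command=... defines what a context-menu verb executes
    return key.startswith("shell\\") and key.endswith("\\command")


def assess_autorun(text):
    """Return (risk, findings) for the body of an autorun.inf.

    risk is "high" if any directive launches a program, "low" if only
    cosmetic keys are present, and "none" if there is nothing to act on.
    """
    auto = parse_autorun(text).get("autorun", {})
    findings = []
    for key, value in auto.items():
        if is_launch_key(key):
            findings.append(f"launch: {key}={value}")
        elif key in DISGUISE_KEYS:
            findings.append(f"disguise: {key}={value}")
    if any(f.startswith("launch:") for f in findings):
        return "high", findings
    if findings:
        return "low", findings
    return "none", findings


if __name__ == "__main__":
    for name, sample in (("worm-style", WORM_SAMPLE), ("benign", BENIGN_SAMPLE)):
        risk, findings = assess_autorun(sample)
        print(f"{name}: {risk}")
        for finding in findings:
            print("  ", finding)
```

To use it on a real drive, read the autorun.inf from the drive's root and pass its contents to assess_autorun. Legitimate install media commonly carry only icon and label, which is why those keys alone rate "low" rather than "high"; the "high" rating is reserved for directives that actually execute something. An autorun.inf that is a directory rather than a file (the DDS log earlier in this thread lists one at C:\autorun.inf) holds no directives to parse; a directory of that name is a common way of preventing a file of that name from being written to the drive root.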

#15 extremeboy

extremeboy

    Retired WTT Malware Disintegrator Teacher

  • Authentic Member
  • PipPipPipPipPip
  • 1,433 posts

Posted 01 October 2009 - 04:30 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.
