Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 91819 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

[Resolved] Trojan Detected


  • This topic is locked This topic is locked
20 replies to this topic

#1 toyotomi

toyotomi

    Authentic Member

  • Authentic Member
  • PipPip
  • 112 posts

Posted 01 November 2009 - 07:02 AM

There's a little backstory to this, so please bear with me. This is a shared computer so several people use it and I try my best to keep it secure and to teach them how to be safe. That said, the other day I received an e-mail from another person that uses this computer. It was from a yahoo account (I don't use any programs to store e-mail locally), and contained nothing other than a link (a google redirect to be exact). Under the "To:" field, was everyone on their contacts list. The link, as it turns out, takes you to a website to buy pharmaceuticals. (I opened the link if firefox with all scripts disabled.)

I told them to change their password to be safe and thought nothing else of it. Well, the next day I started getting a little paranoid so I ran a quick virus scan with AVG 8.5 Free. It found two files it identified as "Trojan horse Downloader.Generic8.CAMS". Both files were old keygens that have been on my storage drives for a few years and never before were identified as infected. One was in an archive, and I manually deleted that file from the archive. The other one, just a plain .exe I had moved to the Virus Vault. At this point I figured it was probably a simple false positive or some otherwise harmless detection.

Then, some 8 or so hours later, the Resident Shield detected a new infected file. This time it was a file in System Restore called "A002252.exe" with the same label as mentioned above. I had it moved to the vault, turned off System Restore. I downloaded Malwarebytes and ran a quick scan and it only found a registry key labled "Rogue.Multiple". I had it fix that entry. (Log saved if needed.) Then I ran my file shredder of choice (Eraser), and had it wipe the unused disk space on the drives that had infected files found, and subsequently removed.

*Important-ish part* The thing that's really concerning me at the moment is if I have some sort of keylogger on this machine and that's how that email was sent out. I honestly don't know how that email could have been made otherwise, and am rather troubled by that. This machine is used for paying bills online and such, so I'd be very concerned with the possibility of credit information being obtained by unwanted parties. I'm hoping the infection is taken care of... but I've learned never to make that assumption. So I'd like to be certain there is absolutely no malware whatsoever on this machine... until then, this machine has been placed off-limits to others and I'll only be posting here or running scans. (no matter how the others may hate me for it)

Here's my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:57:12 AM, on 11/1/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Rainmeter\Rainmeter.exe
C:\Program Files\UPHClean\uphclean.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [P17Helper] Rundll32 SPIRun.dll,RunDLLEntry
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - Startup: Rainmeter.lnk = C:\Program Files\Rainmeter\Rainmeter.exe
O4 - Startup: Registration .LNK = D:\Program Files\Valve\Steam\SteamApps\common\assassins creed\Register\RegistrationReminder.exe
O8 - Extra context menu item: Open Link Target in Firefox - file://C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bion1w59.default\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewlink.html
O8 - Extra context menu item: View This Page in Firefox - file://C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bion1w59.default\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewpage.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.aka...vex-2.2.4.2.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1209588388796
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15106/CTPID.cab
O20 - AppInit_DLLs: avgrsstx.dll C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 6932 bytes


I'll probably do a full thorough scan with AVG while I wait for a reply.

Edited by toyotomi, 01 November 2009 - 07:02 AM.

    Advertisements

Register to Remove


#2 SweetTech

SweetTech

    MalwareTeam Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 3,368 posts

Posted 01 November 2009 - 11:52 AM

Hello & Welcome to WTT Forums! Please be advised, as I am still in training, all my replies to you will be checked for accuracy by one of our experts to ensure that I am giving you the best possible advise. This may cause a delay, but I will do my best to keep it as short as possible. I am checking over your log , I will post back shortly with instructions.

Posted Image
 

Proud Graduate of the WTT Classroom
 
Posted Image


#3 SweetTech

SweetTech

    MalwareTeam Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 3,368 posts

Posted 01 November 2009 - 12:44 PM

STEP 1.
Enable System Restore:

Please carry out the following:
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn On System Restore.
  • Click Apply, and then click OK.
____________________________________________________
STEP 2.
Malwarebytes' Anti-Malware

  • Open Malwarebytes' Anti-Malware
  • Select the Logs tab
  • Click on the latest log. The bottom most log is the latest
  • Click Open
  • Notepad will open. Please post this log in your next reply.
____________________________________________________
STEP 3.
Please download DDS by sUBs from one of the following links and save it to your desktop.
Posted Image
  • Disable any script blocking protection (How to Disable your Security Programs)
  • Double click DDS icon to run the tool (may take up to 3 minutes to run)
  • When done, DDS.txt will open.
  • After a few moments, attach.txt will open in a second window.
  • Save both reports to your desktop.
---------------------------------------------------
  • Post the contents of the DDS.txt report in your next reply
  • Attach the Attach.txt report to your post by doing the following:
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post
____________________________________________________
STEP 4.
Posted Image
Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

    Posted Image
    Click the image to enlarge it
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it in your reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

____________________________________________________
Please make sure you include the following items in your next post:
1. A confirmation that you re-enabled your system restore.
2. The log from MalwareBytes' Ant-Malware that had the infected registry key that was removed.
3. The logs that were produced after running DDS.
4. The log that was produced after running GMER.

Posted Image
 

Proud Graduate of the WTT Classroom
 
Posted Image


#4 toyotomi

toyotomi

    Authentic Member

  • Authentic Member
  • PipPip
  • 112 posts

Posted 01 November 2009 - 03:55 PM

I enabled System Restore.

I disabled my security software as per the instructions in that link. (I also unplugged my router until scans were done and I could re-enable the software.)

Here's the requested logs:

Malwarebytes' Anti-Malware 1.41
Database version: 3075
Windows 5.1.2600 Service Pack 2

11/1/2009 5:15:52 AM
mbam-log-2009-11-01 (05-15-52).txt

Scan type: Quick Scan
Objects scanned: 93549
Time elapsed: 2 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a3ed5288-f558-4f6e-8d5c-740cb6f89029} (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

_________________________________________________________________


DDS (Ver_09-10-26.01) - NTFSx86
Run by Administrator at 16:16:17.09 on Sun 11/01/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3582.2898 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Rainmeter\Rainmeter.exe
C:\Program Files\UPHClean\uphclean.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Administrator\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [P17Helper] Rundll32 SPIRun.dll,RunDLLEntry
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [COMODO Firewall Pro] "c:\program files\comodo\firewall\cfp.exe" -h
mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [POINTER] point32.exe
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /install
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [COMODO Internet Security] "c:\program files\comodo\firewall\cfp.exe" -h
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\rainme~1.lnk - c:\program files\rainmeter\Rainmeter.exe
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\regist~1.lnk - d:\program files\valve\steam\steamapps\common\assassins creed\register\RegistrationReminder.exe
IE: Open Link Target in Firefox - file://c:\documents and settings\administrator\application data\mozilla\firefox\profiles\bion1w59.default\extensions\{5d558c43-550f-4b12-84ab-0d8abda9f975}\firefoxviewlink.html
IE: View This Page in Firefox - file://c:\documents and settings\administrator\application data\mozilla\firefox\profiles\bion1w59.default\extensions\{5d558c43-550f-4b12-84ab-0d8abda9f975}\firefoxviewpage.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.2.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1209588388796
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/softwareupdate/su2/ocx/15106/CTPID.cab
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: avgrsstx.dll c:\windows\system32\guard32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\bion1w59.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (Eng)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\bion1w59.default\extensions\{6ac85730-7d0f-4de0-b3fa-21142dd85326}\platform\winnt\components\ColorZilla.dll
FF - component: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\bion1w59.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc.dll
FF - component: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\bion1w59.default\extensions\piclens@cooliris.com\components\cooliris.dll
FF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\bion1w59.default\extensions\{38ab6a6c-cc4c-4f9e-a3dd-3c5681ef18a1}\plugins\npsoe.dll
FF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\bion1w59.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\bion1w59.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\documents and settings\administrator\application data\mozilla\plugins\npcoolirisplugin.dll
FF - plugin: c:\documents and settings\administrator\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: d:\program files\media player classic\real alternative\browser\plugins\nppl3260.dll
FF - plugin: d:\program files\media player classic\real alternative\browser\plugins\nprpjplug.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin2.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin3.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin4.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin5.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin6.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin7.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - d:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - d:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
d:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-1 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-1 108552]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2008-5-2 132296]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2008-5-2 25160]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-8-1 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-8-1 297752]
S3 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
S4 gupdate1ca10adb1a95372;Google Update Service (gupdate1ca10adb1a95372);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]

=============== Created Last 30 ================

2009-11-01 12:55:06 0 d-----w- c:\program files\Trend Micro
2009-11-01 10:06:28 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-11-01 10:06:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-01 10:06:23 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-01 10:06:23 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-01 10:06:18 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-30 20:46:51 704 ----a-w- c:\windows\system32\history.aaw
2009-10-30 20:46:51 2688 ----a-w- c:\windows\system32\settings.aaw
2009-10-29 21:31:46 0 d-----w- c:\program files\Sony Online Entertainment
2009-10-22 02:29:53 54156 ---ha-w- c:\windows\QTFont.qfn
2009-10-22 02:29:53 1409 ----a-w- c:\windows\QTFont.for
2009-10-12 18:20:26 0 d-----w- c:\docume~1\admini~1\applic~1\OpenOffice.org
2009-10-12 18:17:35 0 d-----w- c:\program files\JRE
2009-10-12 18:17:31 0 d-----w- c:\program files\OpenOffice.org 3
2009-10-11 20:18:29 0 d-----w- C:\dosgames
2009-10-11 20:15:10 0 d-----w- c:\program files\DOSBox-0.73
2009-10-11 19:34:40 0 d-----w- c:\program files\SHINY
2009-10-11 19:33:56 314368 ----a-w- c:\windows\IsUninst.exe
2009-10-11 19:33:00 0 d-----w- c:\documents and settings\administrator\WINDOWS
2009-10-03 20:13:36 0 d-----w- c:\program files\Microsoft
2009-10-03 20:05:30 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2009-10-03 05:52:36 195440 ------w- c:\windows\system32\MpSigStub.exe

==================== Find3M ====================

2009-11-01 01:00:49 138736 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-11-01 01:00:06 188968 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-10-12 18:13:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-29 21:16:39 179792 ----a-w- c:\windows\system32\guard32.dll
2009-09-29 21:16:37 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2009-09-29 21:16:37 132296 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2009-09-11 14:03:37 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 20:45:26 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-01 18:50:10 39724 ---ha-w- c:\windows\system32\mlfcache.dat
2009-08-29 07:36:27 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36:24 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36:24 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-28 13:54:50 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-26 08:16:37 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-06 23:23:46 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 23:23:46 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-05 09:11:47 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 12:49:00 2142720 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 12:02:00 2020864 ----a-w- c:\windows\system32\ntkrnlpa.exe
2006-05-03 09:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30:52 216064 --sh--r- c:\windows\system32\nbDX.dll

============= FINISH: 16:16:47.10 ===============
__________________________________________________________

GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-11-01 16:42:12
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\fftyyaog.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwAdjustPrivilegesToken [0xB4DC0D46]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwConnectPort [0xB4DC0250]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateFile [0xB4DC08EA]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateKey [0xB4DC12C2]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreatePort [0xB4DC0132]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateSection [0xB4DC2254]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateSymbolicLinkObject [0xB4DC252C]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateThread [0xB4DBFCF8]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwDeleteKey [0xB4DC0F2C]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwDeleteValueKey [0xB4DC10DC]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwDuplicateObject [0xB4DBFA5A]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwLoadDriver [0xB4DC1ED6]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwMakeTemporaryObject [0xB4DC04D4]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenFile [0xB4DC0B2E]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenProcess [0xB4DBF78A]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenSection [0xB4DC0764]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenThread [0xB4DBF902]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwRenameKey [0xB4DC1688]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwRequestWaitReplyPort [0xB4DC19F0]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSecureConnectPort [0xB4DC1C72]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSetSystemInformation [0xB4DC2084]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSetValueKey [0xB4DC1488]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwShutdownSystem [0xB4DC046E]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSystemDebugControl [0xB4DC0658]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwTerminateProcess [0xB4DBFFFC]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwTerminateThread [0xB4DBFECA]
SSDT \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys ZwUnloadKey [0xB3D746D0]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

Attached File  Attach.txt   14.94KB   142 downloads

#5 SweetTech

SweetTech

    MalwareTeam Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 3,368 posts

Posted 02 November 2009 - 05:04 PM

STEP 1.

While reviewing your logs I noticed that you currently have Peer to Peer program(s) installed on your computer.

You currently have the following P2P programs installed:
  • Azureus Vuze
Most of the infections that we see today are through P2P file sharing. By uninstalling the programs that I mentioned above you will be doing yourself a favor. It's impossible to trust the source of what is being downloaded from them and a file may or may not be what it appears to be.

Should you decide to keep these programs installed on your computer PLEASE do not use these programs while we are getting your P.C. cleaned up.

How to Uninstall the P2P Programs:

For Windows XP Users
  • Click Start
  • Go to Control Panel
  • Go to Add/Remove Programs
  • Find and click Remove for the following (if present):
    Azureus Vuze
PLEASE NOTE: When your uninstalling the P2P Program(s) some questions are worded in various ways to try and deceive you and keep you from uninstalling their Program.
____________________________________________________
I'd like for you to run this next online scan to check for remnants or anything that might be hidden.
The below scan can take up to an hour or longer, please be patient.

Note:
It is recommended to disable on board Anti-Virus program and Anti-Spyware programs while performing scans so no conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once scan is finished remember to re-enable resident Anti-Virus protection along with whatever Anti-Spyware app you use.



Please do a scan with Kaspersky Online Scanner or from Here.
  • Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run. (At times it may appear to stall)
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Once the scan is complete, click on View scan report To obtain the report:
  • Click on: Save Report As
  • Next, in the Save as prompt, Save in area, select: Desktop
  • In the File name area, use KScan, or something similar In Save as type, click the drop arrow and select: Text file [*.txt]
  • Then, click: Save
  • Please post the Kaspersky Online Scanner Report in your reply.
____________________________________________________

Please make sure you include the following items in your next post:
1. The log that was produced after running Kaspersky Online Scanner.
2. An update on how your computer is currently running.

Posted Image
 

Proud Graduate of the WTT Classroom
 
Posted Image


#6 toyotomi

toyotomi

    Authentic Member

  • Authentic Member
  • PipPip
  • 112 posts

Posted 02 November 2009 - 06:15 PM

I'll do the Kaspersky scan after I post this. While awaiting your reply, I uh, got kinda bored and ran a full system scan with Malwarebytes and it found 1 infected file (scan finished a few minutes ago, and required a reboot after choosing to fix the selected problem). Here's the log from that scan. Malwarebytes' Anti-Malware 1.41 Database version: 3089 Windows 5.1.2600 Service Pack 2 11/2/2009 7:01:41 PM mbam-log-2009-11-02 (19-01-41).txt Scan type: Full Scan (C:\|D:\|E:\|F:\|) Objects scanned: 463077 Time elapsed: 2 hour(s), 8 minute(s), 29 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 1 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: D:\Program Files\Sierra\Half-Life\gearbox\Dq2249.icd (Trojan.Agent) -> Quarantined and deleted successfully.

#7 SweetTech

SweetTech

    MalwareTeam Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 3,368 posts

Posted 02 November 2009 - 07:12 PM

STEP 1.

Please open up MalwareBytes' Anti-Malware
Once you have opened up MalwareBytes' Anti-Malware click on the Quarantined Tab.
Then click on D:\Program Files\Sierra\Half-Life\gearbox\Dq2249.icd and click on Restore.
____________________________________________________
STEP 2.
Please go to: VirusTotal
  • Posted Image
  • Click the Browse button and search for the following file: D:\Program Files\Sierra\Half-Life\gearbox\Dq2249.icd
  • Click Open
  • Then click Send File
  • Please be patient while the file is scanned.
  • Once the scan results appear, please provide them in your next reply.
If it says already scanned -- click "reanalyze now"

Please post the results in your next reply
____________________________________________________
Please make sure you include the following items in your next post:
1. The results from the file that I asked you to scan using VirusTotal.

Posted Image
 

Proud Graduate of the WTT Classroom
 
Posted Image


#8 toyotomi

toyotomi

    Authentic Member

  • Authentic Member
  • PipPip
  • 112 posts

Posted 03 November 2009 - 04:18 AM

First up is the link to the Virustotal results, then the Kaspersky log:

http://www.virustota...eba4-1257242992
(21/41 found it to be a probable variant of the Win32/Agent Trojan.)

EDIT: Just to note, the Virustotal scan was performed after the Kaspersky scan had finished (took a wee bit over an hour as the log shows :P). During the scan the Dq2249.icd file was still quarantined.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, November 3, 2009
Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, November 02, 2009 22:52:39
Records in database: 3115681
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
Y:\
Z:\

Scan statistics:
Objects scanned: 372144
Threats found: 3
Infected objects found: 7
Suspicious objects found: 0
Scan duration: 09:20:01


File name / Threat / Threats count
D:\Backups\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.62 1
D:\Backups\mIRC 6.21\mIRC\backup\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.62 1
D:\Backups\mIRC 6.21\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 1
D:\Program Files\mIRC\backups\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 1
D:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.632 1
E:\Drews games\installers\mirc62.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.62 1
F:\carp** from reformat\mirc621.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 1

Selected area has been scanned.

Edited by toyotomi, 03 November 2009 - 06:32 AM.


#9 SweetTech

SweetTech

    MalwareTeam Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 3,368 posts

Posted 03 November 2009 - 07:31 PM

STEP 1.
I believe that MalwareBytes' Anti-Malware might have detected a false positive. I need for you to save a log in developer mode.

Please do the following:

1. Click the Start Menu.
2. Click Run.
3. Type in "mbam.exe /developer", without the quotes.
4. Run the same type of scan you did before and save the logfile and post it.
____________________________________________________
STEP 2.
We need to upload a Suspicious file to Malwarebytes Anti-Malware

  • Please go to Malwarebytes' UploadNET
  • Under File 1: browse for

    D:\Program Files\Sierra\Half-Life\gearbox\Dq2249.icd

    *Note: If you are asked to upload more files, please repeat these steps for each of the File boxes.
Once you have selected all the files you want to upload, click on the Upload Button.
____________________________________________________
Please make sure you include the following items in your next post:
1. The log that was produced after running MalwareBytes' Anti-Malware in Developer Mode.
2. An update on how your computer is currently running.

Posted Image
 

Proud Graduate of the WTT Classroom
 
Posted Image


#10 toyotomi

toyotomi

    Authentic Member

  • Authentic Member
  • PipPip
  • 112 posts

Posted 03 November 2009 - 07:49 PM

When trying to start Malwarebytes with that run line, I get an error message. Here's a pic of the message as I can't copy it and typing it out would just take forever.

Posted Image

I uploaded the file to the website though without problem.

Edited by toyotomi, 03 November 2009 - 07:52 PM.

    Advertisements

Register to Remove


#11 SweetTech

SweetTech

    MalwareTeam Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 3,368 posts

Posted 03 November 2009 - 08:14 PM

Were you able to dequarantine this file: D:\Program Files\Sierra\Half-Life\gearbox\Dq2249.icd ?

Posted Image
 

Proud Graduate of the WTT Classroom
 
Posted Image


#12 toyotomi

toyotomi

    Authentic Member

  • Authentic Member
  • PipPip
  • 112 posts

Posted 03 November 2009 - 08:27 PM

Were you able to dequarantine this file: D:\Program Files\Sierra\Half-Life\gearbox\Dq2249.icd ?

Yes I was able to do that using Mbam in its normal mode.

#13 SweetTech

SweetTech

    MalwareTeam Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 3,368 posts

Posted 03 November 2009 - 10:11 PM

Can you please update your database version by doing the following:
  • Open Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Check for Updates
After you do that please exit out of MalwareBytes' Anti-Malware and then do the following:
1. Click the Start Menu.
2. Click Run.
3. Type in mbam.exe /developer
4. Run the same type of scan you did before and save the logfile and post it.

Once the scan completes please make sure you include the log that was produced for you.

Posted Image
 

Proud Graduate of the WTT Classroom
 
Posted Image


#14 toyotomi

toyotomi

    Authentic Member

  • Authentic Member
  • PipPip
  • 112 posts

Posted 04 November 2009 - 02:01 AM

Malwarebytes' Anti-Malware 1.41 Database version: 3097 Windows 5.1.2600 Service Pack 2 11/4/2009 2:59:28 AM mbam-log-2009-11-04 (02-59-23).txt Scan type: Full Scan (C:\|D:\|E:\|F:\|) Objects scanned: 465247 Time elapsed: 2 hour(s), 9 minute(s), 36 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 1 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: D:\Program Files\Sierra\Half-Life\gearbox\Dq2249.icd (Trojan.Agent) -> No action taken. [4134524130538380756679153472707985130169676617662521216869262571702021252521251 86968187118262370716922]

#15 SweetTech

SweetTech

    MalwareTeam Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 3,368 posts

Posted 04 November 2009 - 06:20 PM

I will be getting in contact with the MalwareBytes' Anti-Malware team to report what I believe is a false positive. I appreciate your assistance in providing the additional logs, and taking the time to upload the file to the MalwareBytes' Anti-Malware Upload Site. Those logs and the file in question will help to ensure that if the file in question is a false positive that it gets taken care of by the MBAM team.

Besides that one item in question I don't see any signs of malware on your computer. If you have any outstanding issues they do not appear to be malware related, if you can advise if you are still having issues, we may be able to direct you to one of our tech forums, to see if they can assist you further.

With that said please proceed with following:

Clean-Up Procedure.

Now that your system appears to be clean, there's just a few steps I'd like you to take to prevent any future infections.
  • System restore:
    We will now clear your existing system restore points and establish a new clean restore point:

o Click on the Start button to open your Start Menu.
o Click on the Control Panel menu option.
o Click on the System and Maintenance menu option.
o Click on the System menu option.
o Click on System Protection in the left-hand task list.
o Create the manual restore point you should click on the Create button. When you press this button a prompt will appear asking you to provide a title for this manual restore point.
o Type in a title for the manual restore point and press the Create button.
o Close the System window after you have been advised that the procedure has been successfully completed.

o Next, go to Start > Run and type in cleanmgr
o Select the More options tab
o Choose the option to clean up system restore and OK it.

This will remove all restore points except the new one you just created.
Make sure you do this now, as your System Restore currently has infected files in it.

We need to remove a program from your your computer. To do this please do the following:
For Windows XP Users
  • Click Start
  • Go to Control Panel
  • Go to Add/Remove Programs
  • Find and click Remove for the following (if present):
    HijackThis 1.99.1
Update Adobe Reader
Earlier versions of Adobe Reader have known security flaws so it is recommended that you update your copy
  • Go to Start > Control Panel > Add/Remove Programs
  • Remove ALL instances of Adobe Reader
  • Re-boot your computer as required.
  • Once ALL versions of Adobe Reader have been uninstalled, visit: <<here>> and download the latest version of Adobe Reader
OR, after uninstalling Adobe Reader, you could try installing Foxit Reader from >here<
Foxit Reader has fewer add-ons therefore loads more quickly.


Posted Image
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.

  • Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
  • Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 16. The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
  • Click the "Download" button to the right.
  • Select the Windows platform from the drop-down menu.
  • Read the License Agreement and then check the box that says: " I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue.The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Now go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u16-windows-i586-p.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH CheckedApplications and AppletsTrace and Log Files
  • Click OK on Delete Temporary Files Window

    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.
All Clean Speech

===> Make sure you've re-enabled any Security Programs that we may have disabled during the malware removal process. <===

Below I have included a number of recommendations for how to protect your computer against malware infections.
  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis, this is especially true after an infection. Refer to this Microsoft article
    Strong passwords: How to create and use them
    then consider a password keeper, to keep all your passwords safe.
  • Keep Windows updated by regularly checking their website at: http://windowsupdate.microsoft.com/
    This will ensure your computer has always the latest security updates available installed on your computer.
  • SpywareBlaster protects against bad ActiveX, it immunizes your PC against them.
  • SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program ( eg : TeaTimer, Windows Defender ) or there will be a conflict.
  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.
  • ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.
  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE
  • Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
    secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
    blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from Here
    • If you choose to use Firefox, I highly recommend this add-on to keep your PC even more secure.
      • NoScript - for blocking ads and other potential website attacks
  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.
  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:
    Think Prevention.
    PC Safety and Security--What Do I Need?.
**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you.

Posted Image
 

Proud Graduate of the WTT Classroom
 
Posted Image

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users