Google redirect to licosearch


This topic is locked
39 replies to this topic

#16 tonyperrin (Authentic Member, 53 posts)

Posted 02 May 2011 - 06:08 AM

Hi Satchfan -

Thanks for the instructions. RogueKiller ran with no problems for me (I did have to download it to another machine). Log below, also ComboFix log:

RogueKiller V5.0.0 [04/30/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-to...-Remontees.html

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Safe mode
User: tony1 [Admin rights]
Mode: Scan -- Date : 05/02/2011 12:44:12

Bad processes: 0

Registry Entries: 0

HOSTS File:
127.0.0.1 localhost

Finished : << RKreport[1].txt >>
RKreport[1].txt


ComboFix 11-04-30.05 - tony1 02/05/2011 12:48:14.11.1 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.804 [GMT 1:00]
Running from: c:\documents and settings\Perrin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Perrin\Desktop\CFScript.txt
.
ADS - WINDOWS.0: deleted 0 bytes in 1 streams.
.
((((((((((((((((((((((((( Files Created from 2011-04-02 to 2011-05-02 )))))))))))))))))))))))))))))))
.
.
2011-05-02 11:40 . 2011-05-02 11:40 -------- d-----w- c:\windows.0\LastGood
2011-05-01 22:59 . 2011-05-01 22:59 -------- d-----w- c:\program files\ESET
2011-05-01 17:57 . 2011-04-20 23:29 719832 ------w- c:\program files\Mozilla Firefox\mozcpp19.dll
2011-05-01 17:57 . 2011-04-20 23:29 269272 ------w- c:\program files\Mozilla Firefox\freebl3.dll
2011-05-01 17:57 . 2011-04-20 23:29 16856 ------w- c:\program files\Mozilla Firefox\plugin-container.exe
2011-05-01 17:57 . 2011-04-20 23:29 166872 ------w- c:\program files\Mozilla Firefox\softokn3.dll
2011-05-01 14:20 . 2011-05-01 20:52 184691 ----a-w- c:\windows.0\explorermgr.exe
2011-05-01 14:19 . 2009-10-22 12:54 37392 ----a-w- c:\windows.0\system32\drivers\83466852.sys
2011-05-01 14:19 . 2009-10-09 22:31 315408 ----a-w- c:\windows.0\system32\drivers\8346685.sys
2011-05-01 14:19 . 2009-09-25 16:59 128016 ----a-w- c:\windows.0\system32\drivers\83466851.sys
2011-04-14 21:36 . 2011-05-01 14:20 -------- d-----w- c:\program files\kqhdmfdu
2011-04-11 22:11 . 2011-04-11 22:14 -------- d-----w- c:\documents and settings\Perrin\Application Data\avidemux
2011-04-11 22:11 . 2011-04-11 22:11 -------- d-----w- c:\program files\Avidemux 2.5
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-12 13:12 . 2011-03-12 13:12 51712 ----a-r- c:\documents and settings\Perrin\Application Data\Microsoft\Installer\{78D62D17-D970-42DA-B8CF-5E5576293B33}\Icon78D62D174.exe
2011-03-12 13:12 . 2011-03-12 13:12 51712 ----a-r- c:\documents and settings\Perrin\Application Data\Microsoft\Installer\{78D62D17-D970-42DA-B8CF-5E5576293B33}\Icon78D62D173.exe
2011-03-12 13:12 . 2011-03-12 13:12 51712 ----a-r- c:\documents and settings\Perrin\Application Data\Microsoft\Installer\{78D62D17-D970-42DA-B8CF-5E5576293B33}\Icon78D62D172.exe
2011-03-12 13:12 . 2011-03-12 13:12 27648 ----a-r- c:\documents and settings\Perrin\Application Data\Microsoft\Installer\{78D62D17-D970-42DA-B8CF-5E5576293B33}\Icon78D62D171.exe
2009-05-14 20:02 . 2009-05-14 20:02 3392872 ----a-w- c:\program files\Common Files\adlmint_libFNP.dll
2009-05-14 20:02 . 2009-05-14 20:02 3298152 ----a-w- c:\program files\Common Files\adlmint.dll
.
.
------- Sigcheck -------
.
[-] 2009-01-12 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows.0\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot_2011-04-21_18.52.49 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-28 10:29 . 2011-05-02 07:47 26238 c:\windows.0\system32\tablet.dat
- 2010-07-28 10:29 . 2011-04-21 18:31 26238 c:\windows.0\system32\tablet.dat
+ 2011-05-02 11:40 . 2009-10-22 12:54 37392 c:\windows.0\LastGood\system32\DRIVERS\92522832.sys
+ 2003-01-01 08:29 . 2009-03-08 14:09 638816 c:\windows.0\system32\dllcache\iexplore.exe
+ 2011-05-02 11:40 . 2009-09-25 16:59 128016 c:\windows.0\LastGood\system32\DRIVERS\92522831.sys
+ 2011-05-02 11:40 . 2009-10-09 22:31 315408 c:\windows.0\LastGood\system32\DRIVERS\9252283.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-30 149280]
"SoundMan"="SOUNDMAN.EXE" [2006-11-17 577536]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 602562]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 2178832]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
.
c:\documents and settings\Perrin\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [N/A]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
TabUserW.exe.lnk - c:\windows.0\system32\WTablet\TabUserW.exe [2010-7-28 77824]
VIA RAID TOOL.lnk - c:\program files\VIA\RAID\raid_tool.exe [N/A]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Adobe\\Adobe Dreamweaver CS4\\Dreamweaver.exe"=
"c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
.
R0 83466852;83466852 Boot Guard Driver;c:\windows.0\system32\drivers\83466852.sys [01/05/2011 15:19 37392]
R0 viasraid;viasraid;c:\windows.0\system32\drivers\viasraid.sys [06/06/2010 17:07 77312]
S1 83466851;83466851;c:\windows.0\system32\drivers\83466851.sys [01/05/2011 15:19 128016]
S1 89349221;89349221;c:\windows.0\system32\DRIVERS\89349221.sys --> c:\windows.0\system32\DRIVERS\89349221.sys [?]
S1 89349222;89349222 Boot Guard Driver;c:\windows.0\system32\DRIVERS\89349222.sys --> c:\windows.0\system32\DRIVERS\89349222.sys [?]
S1 setup_9.0.0.722_01.05.2011_15-33drv;setup_9.0.0.722_01.05.2011_15-33drv;c:\windows.0\system32\DRIVERS\8934922.sys --> c:\windows.0\system32\DRIVERS\8934922.sys [?]
S2 ASTSRV;Nalpeiron Licensing Service;c:\windows.0\system32\ASTSRV.EXE [05/04/2010 16:41 57344]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [25/12/2010 14:45 136176]
S2 thdudf;TOSHIBA UDF2.5 Reader File System Driver;c:\windows.0\system32\drivers\thdudf.sys [29/01/2010 17:05 66944]
S3 scsiscan;SCSI Scanner Driver;c:\windows.0\system32\drivers\scsiscan.sys [24/01/2010 12:29 11520]
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-02 c:\windows.0\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-25 13:45]
.
2011-05-02 c:\windows.0\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-25 13:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
Trusted Zone: amazon.co.uk\www
Trusted Zone: ravenwoodfair.com\www
FF - ProfilePath - c:\documents and settings\Perrin\Application Data\Mozilla\Firefox\Profiles\pjo20krg.default\
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows.0\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\program files\AVG\AVG10\Firefox4
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-02 12:55
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwQueryDirectoryFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\documents and settings\Perrin\Start Menu\Programs\Startup\swypwijl.exe 184691 bytes executable
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1960408961-413027322-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{71D940F9-0E35-E0F0-1675-249C6C404004}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS.0\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS.0\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(240)
c:\windows.0\system32\Ati2evxx.dll
c:\windows.0\system32\atiadlxx.dll
.
- - - - - - - > 'explorer.exe'(816)
c:\windows.0\system32\WININET.dll
c:\program files\Windows Media Player\wmpband.dll
c:\windows.0\system32\ieframe.dll
.
Completion time: 2011-05-02 12:57:46
ComboFix-quarantined-files.txt 2011-05-02 11:57
ComboFix2.txt 2011-05-01 14:04
ComboFix3.txt 2011-04-21 18:54
ComboFix4.txt 2011-04-16 10:54
ComboFix5.txt 2011-05-02 11:47
.
Pre-Run: 103,652,724,736 bytes free
Post-Run: 103,670,792,192 bytes free
.
- - End Of File - - 6DE43922A2146F5CCC828037B6323128

At present I have left the machine running in safe mode until I hear further from you.

Very best - Tonyp



#17 Satchfan (SuperHelper, Malware Team, 6,813 posts)

Posted 02 May 2011 - 09:40 AM

Tony

We need to sort out this connection.

Run ExeHelper

Use one of these two options:

Please download exeHelper by Raktor to your desktop.
• Double-click on exeHelper.com to run the fix
• A black window should pop up; press any key to close it once the fix is completed.
• Post the contents of exehelperlog.txt (it will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)


Save to USB

Please download exeHelper by Raktor to your memory stick.
• Place your memory stick in the infected computer
• Double-click on exeHelper.com to run the fix
• A black window should pop up; press any key to close it once the fix is completed
• Post the contents of exehelperlog.txt (it will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)

===================================================

Please download GooredFix from one of the locations below and save it or transfer it to your Desktop

Download Mirror #1
Download Mirror #2

  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt)
===================================================

Reset Proxy settings

Malware can alter your proxy settings. If altered, it can affect your ability to browse or download tools required for disinfection.

Internet Explorer Proxy settings:
• If you can, open Internet Explorer > click Tools > Internet Options > Connections tab.
• Click the LAN Settings... button and uncheck "Use a proxy server for your LAN", or change the settings to the proxy you normally use if you previously reconfigured it.
• Remove any unknown addresses from the Address box - 80 is the default Port so it does not have to be changed.
• Click OK... then click OK again.
• Close Internet Explorer and -restart- the computer.

Firefox Proxy settings:
• Open Firefox, click Tools > Options > Advanced and click the Network Tab.
• Under the Connection section click on the Settings button.
• Under Configure Proxies to Access the Internet, check No proxy. This is the default option if you don't use a proxy.
• Click OK then click OK again.
• Close Firefox and -restart- the computer.

Let me know if you can connect to the Internet now.

===================================================

If you still can’t connect, please try using RogueKiller in normal, not safe mode.

===================================================

Also, it appears ComboFix was run in Safe mode, not Safe mode with networking. If you still have no connection and you didn’t try to boot in Safe mode with Networking please try it after running RogueKiller.

Thanks

Satchfan

NINA - Proud graduate of the WTT Classroom

Member of UNITE

The help you receive here is free but if you feel I have helped, you may consider making a Donation.

#18 tonyperrin (Authentic Member, 53 posts)

Posted 02 May 2011 - 11:27 AM

Hi Satchfan -

I ran ExeHelper and GooredFix - logs are as follows:

exeHelper by Raktor
Build 20100414
Run at 17:11:23 on 05/02/11
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

GooredFix by jpshortstuff (03.07.10.1)
Log created at 17:12 on 02/05/2011 (tony1)
Firefox version 3.6.17 (en-GB)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [17:57 01/05/2011]
{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} [01:39 30/12/2009]

C:\Documents and Settings\Perrin\Application Data\Mozilla\Firefox\Profiles\pjo20krg.default\extensions\
getmail@webdesigns.ms11.net [09:46 12/08/2009]
{20a82645-c095-46ed-80e3-08825760534b} [20:24 07/06/2010]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [01:39 30/12/2009]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS.0\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [08:25 05/06/2010]
"{1E73965B-8B48-48be-9C8D-68B920ABC1C4}"="C:\Program Files\AVG\AVG10\Firefox4\" [14:59 30/03/2011]

-=E.O.F=-

LAN and proxy settings are a bit of a cloudy area for me. IE simply refuses to launch, so I accessed LAN settings via Control Panel, made sure proxy was unchecked and port was already set to 80. Likewise checked No Proxy in Firefox. No change.

Ran RogueKiller in normal mode (no change) log follows:

RogueKiller V5.0.0 [04/30/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-to...-Remontees.html

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: tony1 [Admin rights]
Mode: Scan -- Date : 05/02/2011 17:13:43

Bad processes: 0

Registry Entries: 0

HOSTS File:
127.0.0.1 localhost


Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt

Then I rebooted into safe mode with networking, ran ComboFix and RogueKiller - not sure if you wanted me to post the ComboFix log, but I thought I would to be on the safe side:

ComboFix 11-05-01.04 - tony1 02/05/2011 17:54:17.12.1 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.794 [GMT 1:00]
Running from: c:\documents and settings\Perrin\Desktop\ComboFix.exe
.
ADS - WINDOWS.0: deleted 0 bytes in 1 streams.
.
((((((((((((((((((((((((( Files Created from 2011-04-02 to 2011-05-02 )))))))))))))))))))))))))))))))
.
.
2011-05-01 22:59 . 2011-05-01 22:59 -------- d-----w- c:\program files\ESET
2011-05-01 17:57 . 2011-04-20 23:29 719832 ------w- c:\program files\Mozilla Firefox\mozcpp19.dll
2011-05-01 17:57 . 2011-04-20 23:29 269272 ------w- c:\program files\Mozilla Firefox\freebl3.dll
2011-05-01 17:57 . 2011-04-20 23:29 16856 ------w- c:\program files\Mozilla Firefox\plugin-container.exe
2011-05-01 17:57 . 2011-04-20 23:29 166872 ------w- c:\program files\Mozilla Firefox\softokn3.dll
2011-05-01 14:20 . 2011-05-02 12:01 184691 ----a-w- c:\windows.0\explorermgr.exe
2011-05-01 14:19 . 2009-10-22 12:54 37392 ----a-w- c:\windows.0\system32\drivers\83466852.sys
2011-05-01 14:19 . 2009-10-09 22:31 315408 ----a-w- c:\windows.0\system32\drivers\8346685.sys
2011-05-01 14:19 . 2009-09-25 16:59 128016 ----a-w- c:\windows.0\system32\drivers\83466851.sys
2011-04-14 21:36 . 2011-05-02 12:01 -------- d-----w- c:\program files\kqhdmfdu
2011-04-11 22:11 . 2011-04-11 22:14 -------- d-----w- c:\documents and settings\Perrin\Application Data\avidemux
2011-04-11 22:11 . 2011-04-11 22:11 -------- d-----w- c:\program files\Avidemux 2.5
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-12 13:12 . 2011-03-12 13:12 51712 ----a-r- c:\documents and settings\Perrin\Application Data\Microsoft\Installer\{78D62D17-D970-42DA-B8CF-5E5576293B33}\Icon78D62D174.exe
2011-03-12 13:12 . 2011-03-12 13:12 51712 ----a-r- c:\documents and settings\Perrin\Application Data\Microsoft\Installer\{78D62D17-D970-42DA-B8CF-5E5576293B33}\Icon78D62D173.exe
2011-03-12 13:12 . 2011-03-12 13:12 51712 ----a-r- c:\documents and settings\Perrin\Application Data\Microsoft\Installer\{78D62D17-D970-42DA-B8CF-5E5576293B33}\Icon78D62D172.exe
2011-03-12 13:12 . 2011-03-12 13:12 27648 ----a-r- c:\documents and settings\Perrin\Application Data\Microsoft\Installer\{78D62D17-D970-42DA-B8CF-5E5576293B33}\Icon78D62D171.exe
2009-05-14 20:02 . 2009-05-14 20:02 3392872 ----a-w- c:\program files\Common Files\adlmint_libFNP.dll
2009-05-14 20:02 . 2009-05-14 20:02 3298152 ----a-w- c:\program files\Common Files\adlmint.dll
.
.
------- Sigcheck -------
.
[-] 2009-01-12 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows.0\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot_2011-04-21_18.52.49 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-28 10:29 . 2011-05-02 16:45 26238 c:\windows.0\system32\tablet.dat
- 2010-07-28 10:29 . 2011-04-21 18:31 26238 c:\windows.0\system32\tablet.dat
+ 2003-01-01 08:29 . 2009-03-08 14:09 638816 c:\windows.0\system32\dllcache\iexplore.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-30 149280]
"SoundMan"="SOUNDMAN.EXE" [2006-11-17 577536]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 602562]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 2178832]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
.
c:\documents and settings\Perrin\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [N/A]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
TabUserW.exe.lnk - c:\windows.0\system32\WTablet\TabUserW.exe [2010-7-28 77824]
VIA RAID TOOL.lnk - c:\program files\VIA\RAID\raid_tool.exe [N/A]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Adobe\\Adobe Dreamweaver CS4\\Dreamweaver.exe"=
"c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
.
R0 83466852;83466852 Boot Guard Driver;c:\windows.0\system32\drivers\83466852.sys [01/05/2011 15:19 37392]
R0 viasraid;viasraid;c:\windows.0\system32\drivers\viasraid.sys [06/06/2010 17:07 77312]
S1 83466851;83466851;c:\windows.0\system32\drivers\83466851.sys [01/05/2011 15:19 128016]
S1 89349221;89349221;c:\windows.0\system32\DRIVERS\89349221.sys --> c:\windows.0\system32\DRIVERS\89349221.sys [?]
S1 89349222;89349222 Boot Guard Driver;c:\windows.0\system32\DRIVERS\89349222.sys --> c:\windows.0\system32\DRIVERS\89349222.sys [?]
S1 setup_9.0.0.722_01.05.2011_15-33drv;setup_9.0.0.722_01.05.2011_15-33drv;c:\windows.0\system32\DRIVERS\8934922.sys --> c:\windows.0\system32\DRIVERS\8934922.sys [?]
S2 ASTSRV;Nalpeiron Licensing Service;c:\windows.0\system32\ASTSRV.EXE [05/04/2010 16:41 57344]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [25/12/2010 14:45 136176]
S2 thdudf;TOSHIBA UDF2.5 Reader File System Driver;c:\windows.0\system32\drivers\thdudf.sys [29/01/2010 17:05 66944]
S3 scsiscan;SCSI Scanner Driver;c:\windows.0\system32\drivers\scsiscan.sys [24/01/2010 12:29 11520]
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-02 c:\windows.0\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-25 13:45]
.
2011-05-02 c:\windows.0\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-25 13:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
Trusted Zone: amazon.co.uk\www
Trusted Zone: ravenwoodfair.com\www
FF - ProfilePath - c:\documents and settings\Perrin\Application Data\Mozilla\Firefox\Profiles\pjo20krg.default\
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows.0\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\program files\AVG\AVG10\Firefox4
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-02 17:59
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwQueryDirectoryFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\documents and settings\Perrin\Start Menu\Programs\Startup\swypwijl.exe 184691 bytes executable
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1960408961-413027322-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{71D940F9-0E35-E0F0-1675-249C6C404004}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS.0\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS.0\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(944)
c:\windows.0\system32\Ati2evxx.dll
c:\windows.0\system32\atiadlxx.dll
.
- - - - - - - > 'explorer.exe'(636)
c:\windows.0\system32\WININET.dll
.
Completion time: 2011-05-02 18:01:18
ComboFix-quarantined-files.txt 2011-05-02 17:01
ComboFix2.txt 2011-05-02 11:57
ComboFix3.txt 2011-05-01 14:04
ComboFix4.txt 2011-04-21 18:54
ComboFix5.txt 2011-05-02 16:53
.
Pre-Run: 101,084,983,296 bytes free
Post-Run: 101,071,790,080 bytes free
.
- - End Of File - - EE74DB60914EA41A858070D9331A0E85

As of now, IE still refuses to launch at all. Firefox launches okay, will connect to this forum and other places, still redirects sporadically to Licosearch. It still refuses to connect to Kaspersky but will now go to Eset.

Thanks Satchfan for sticking with me (especially on a bank holiday) - very best -

Tonyp
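A small triage script for the kind of ComboFix and catchme output posted in this thread, added here as an example; it is not part of the thread and not code from ComboFix, RogueKiller or any other tool mentioned. The rules it applies (all-numeric service names, an executable sitting directly in the Windows directory, a hidden executable in a Startup folder, two executables of identical byte size, the Windows firewall switched off, a patched ntdll export, and Firefox proxy and warning preferences) are this editor's own heuristics, and the log excerpt is constructed from the lines posted above; a hit means "worth a closer look", not "malicious".

```python
"""Triage heuristics for ComboFix / catchme log excerpts.

Added example, not code from the thread or from ComboFix/RogueKiller. The rules
are this editor's assumptions about what a malware-removal helper reads first;
a hit means "worth a closer look", not "malicious".
"""
import re
from collections import defaultdict

# Constructed excerpt modelled on the log lines posted in the thread.
SAMPLE_LOG = r"""
2011-05-01 14:20 . 2011-05-02 12:01 184691 ----a-w- c:\windows.0\explorermgr.exe
2011-05-01 14:19 . 2009-10-22 12:54 37392 ----a-w- c:\windows.0\system32\drivers\83466852.sys
2011-04-14 21:36 . 2011-05-02 12:01 -------- d-----w- c:\program files\kqhdmfdu
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R0 83466852;83466852 Boot Guard Driver;c:\windows.0\system32\drivers\83466852.sys [01/05/2011 15:19 37392]
S1 89349221;89349221;c:\windows.0\system32\DRIVERS\89349221.sys --> c:\windows.0\system32\DRIVERS\89349221.sys [?]
R0 viasraid;viasraid;c:\windows.0\system32\drivers\viasraid.sys [06/06/2010 17:07 77312]
FF - prefs.js: network.proxy.type - 0
FF - user.js: security.warn_submit_insecure - false
detected NTDLL code modification:
ZwQueryDirectoryFile
.
c:\documents and settings\Perrin\Start Menu\Programs\Startup\swypwijl.exe 184691 bytes executable
hidden files: 1
"""

# ComboFix file entries: created-time . modified-time size(or dashes) attrs path
FILE_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d (\d+|-+) \S+ (.+)$")
# ComboFix service entries: <start type> <name>;<display name>;<image> [<details>]
SERVICE_RE = re.compile(r"^(R\d|S\d) ([^;]+);([^;]*);(.+?) \[(.*)\]$")
# catchme hidden-file entries
HIDDEN_RE = re.compile(r"^(.+\.exe) (\d+) bytes executable$", re.IGNORECASE)
# Firefox preference lines as ComboFix prints them
FF_PREF_RE = re.compile(r"^FF - (?:prefs|user)\.js: (\S+) - (\S+)$")
# an .exe directly under the Windows directory (c:\windows or c:\windows.0), not a subfolder
WIN_ROOT_EXE_RE = re.compile(r"^c:\\windows[^\\]*\\[^\\]+\.exe$")


def triage(log_text):
    """Return a list of (rule, detail) findings for a ComboFix/catchme log excerpt."""
    findings = []
    sizes = defaultdict(set)  # byte size -> executable paths, for the same-size check
    lines = [ln.strip() for ln in log_text.splitlines()]
    for i, line in enumerate(lines):
        m = FILE_RE.match(line)
        if m:
            size, path = m.group(1), m.group(2).lower()
            if path.endswith(".exe") and size.isdigit():
                sizes[int(size)].add(path)
                if WIN_ROOT_EXE_RE.match(path):
                    findings.append(("exe in windows root", path))
            continue
        m = SERVICE_RE.match(line)
        if m:
            name, image, details = m.group(2), m.group(4), m.group(5)
            if name.isdigit():  # random all-digit service names, as in the posted logs
                findings.append(("numeric service name", f"{name} -> {image}"))
            if details == "?":  # ComboFix printed no date/size for the image file
                findings.append(("service image not found", image))
            continue
        m = HIDDEN_RE.match(line)
        if m:
            path, size = m.group(1).lower(), int(m.group(2))
            sizes[size].add(path)
            rule = "hidden exe in startup folder" if "\\startup\\" in path else "hidden executable"
            findings.append((rule, path))
            continue
        m = FF_PREF_RE.match(line)
        if m:
            pref, value = m.groups()
            if pref == "network.proxy.type" and value != "0":  # 0 means "No proxy"
                findings.append(("firefox proxy configured", value))
            elif pref.startswith("security.warn_") and value == "false":
                findings.append(("firefox security warning disabled", pref))
            continue
        if re.match(r'^"EnableFirewall"=\s*0\b', line):
            findings.append(("windows firewall disabled", line))
            continue
        if line == "detected NTDLL code modification:":
            # catchme names the patched export on the next non-empty line
            for nxt in lines[i + 1:]:
                if nxt in ("", "."):
                    continue
                findings.append(("ntdll code modification", nxt))
                break
    # two different executables with exactly the same byte size are often one file copied
    for size, paths in sizes.items():
        if len(paths) > 1:
            findings.append(("same-size executables", " | ".join(sorted(paths))))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:36} {detail}")
```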

#19 Satchfan (SuperHelper, Malware Team, 6,813 posts)

Posted 02 May 2011 - 01:59 PM

Tony

Try the Eset scan again with Firefox if you can. If you get an error message, let me know what it is.

Satchfan


#20 tonyperrin (Authentic Member, 53 posts)

Posted 02 May 2011 - 02:45 PM

Hi Satchfan - Soon as I hit 'Scan Now' it gives me an error - 'can't establish a connection to the server at www.eset.com'. I notice that it will go to any eset.co.uk page but not to eset.com. Tonyp

#21 Satchfan (SuperHelper, Malware Team, 6,813 posts)

Posted 02 May 2011 - 03:52 PM

Tony

Your version of ComboFix is out-of-date and I'd like a look at the result of a current version. Delete the version of ComboFix you have on your desktop and download a new one from one of the following locations:

Link1
Link2
Link3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Close any open browser windows
  • Double click on combofix.exe and follow the prompts.
When finished, it will produce a report for you. Please include it in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Satchfan


#22 tonyperrin (Authentic Member, 53 posts)

Posted 02 May 2011 - 04:29 PM

Hi Satchfan -

Ran the latest ComboFix (in normal mode) log follows:

ComboFix 11-05-02.03 - tony1 02/05/2011 23:17:26.13.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.658 [GMT 1:00]
Running from: E:\ComboFix.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-04-02 to 2011-05-02 )))))))))))))))))))))))))))))))
.
.
2011-05-01 22:59 . 2011-05-01 22:59 -------- d-----w- c:\program files\ESET
2011-05-01 17:57 . 2011-04-20 23:29 719832 ------w- c:\program files\Mozilla Firefox\mozcpp19.dll
2011-05-01 17:57 . 2011-04-20 23:29 269272 ------w- c:\program files\Mozilla Firefox\freebl3.dll
2011-05-01 17:57 . 2011-04-20 23:29 16856 ------w- c:\program files\Mozilla Firefox\plugin-container.exe
2011-05-01 17:57 . 2011-04-20 23:29 166872 ------w- c:\program files\Mozilla Firefox\softokn3.dll
2011-05-01 14:20 . 2011-05-02 12:01 184691 ----a-w- c:\windows.0\explorermgr.exe
2011-05-01 14:19 . 2009-10-22 12:54 37392 ----a-w- c:\windows.0\system32\drivers\83466852.sys
2011-05-01 14:19 . 2009-10-09 22:31 315408 ----a-w- c:\windows.0\system32\drivers\8346685.sys
2011-05-01 14:19 . 2009-09-25 16:59 128016 ----a-w- c:\windows.0\system32\drivers\83466851.sys
2011-04-14 21:36 . 2011-05-02 17:07 -------- d-----w- c:\program files\kqhdmfdu
2011-04-11 22:11 . 2011-04-11 22:14 -------- d-----w- c:\documents and settings\Perrin\Application Data\avidemux
2011-04-11 22:11 . 2011-04-11 22:11 -------- d-----w- c:\program files\Avidemux 2.5
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-12 13:12 . 2011-03-12 13:12 51712 ----a-r- c:\documents and settings\Perrin\Application Data\Microsoft\Installer\{78D62D17-D970-42DA-B8CF-5E5576293B33}\Icon78D62D174.exe
2011-03-12 13:12 . 2011-03-12 13:12 51712 ----a-r- c:\documents and settings\Perrin\Application Data\Microsoft\Installer\{78D62D17-D970-42DA-B8CF-5E5576293B33}\Icon78D62D173.exe
2011-03-12 13:12 . 2011-03-12 13:12 51712 ----a-r- c:\documents and settings\Perrin\Application Data\Microsoft\Installer\{78D62D17-D970-42DA-B8CF-5E5576293B33}\Icon78D62D172.exe
2011-03-12 13:12 . 2011-03-12 13:12 27648 ----a-r- c:\documents and settings\Perrin\Application Data\Microsoft\Installer\{78D62D17-D970-42DA-B8CF-5E5576293B33}\Icon78D62D171.exe
2009-05-14 20:02 . 2009-05-14 20:02 3392872 ----a-w- c:\program files\Common Files\adlmint_libFNP.dll
2009-05-14 20:02 . 2009-05-14 20:02 3298152 ----a-w- c:\program files\Common Files\adlmint.dll
.
.
------- Sigcheck -------
.
[-] 2009-01-12 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows.0\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot_2011-04-21_18.52.49 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-28 10:29 . 2011-05-02 22:13 26238 c:\windows.0\system32\tablet.dat
- 2010-07-28 10:29 . 2011-04-21 18:31 26238 c:\windows.0\system32\tablet.dat
+ 2003-01-01 08:29 . 2009-03-08 14:09 638816 c:\windows.0\system32\dllcache\iexplore.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-30 149280]
"SoundMan"="SOUNDMAN.EXE" [2006-11-17 577536]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 602562]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 2178832]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
.
c:\documents and settings\Perrin\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [N/A]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
TabUserW.exe.lnk - c:\windows.0\system32\WTablet\TabUserW.exe [2010-7-28 77824]
VIA RAID TOOL.lnk - c:\program files\VIA\RAID\raid_tool.exe [N/A]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Adobe\\Adobe Dreamweaver CS4\\Dreamweaver.exe"=
"c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
.
R0 83466852;83466852 Boot Guard Driver;c:\windows.0\system32\drivers\83466852.sys [01/05/2011 15:19 37392]
R0 viasraid;viasraid;c:\windows.0\system32\drivers\viasraid.sys [06/06/2010 17:07 77312]
R1 83466851;83466851;c:\windows.0\system32\drivers\83466851.sys [01/05/2011 15:19 128016]
R2 ASTSRV;Nalpeiron Licensing Service;c:\windows.0\system32\ASTSRV.EXE [05/04/2010 16:41 57344]
R2 thdudf;TOSHIBA UDF2.5 Reader File System Driver;c:\windows.0\system32\drivers\thdudf.sys [29/01/2010 17:05 66944]
S1 89349221;89349221;c:\windows.0\system32\DRIVERS\89349221.sys --> c:\windows.0\system32\DRIVERS\89349221.sys [?]
S1 89349222;89349222 Boot Guard Driver;c:\windows.0\system32\DRIVERS\89349222.sys --> c:\windows.0\system32\DRIVERS\89349222.sys [?]
S1 setup_9.0.0.722_01.05.2011_15-33drv;setup_9.0.0.722_01.05.2011_15-33drv;c:\windows.0\system32\DRIVERS\8934922.sys --> c:\windows.0\system32\DRIVERS\8934922.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [25/12/2010 14:45 136176]
S3 scsiscan;SCSI Scanner Driver;c:\windows.0\system32\drivers\scsiscan.sys [24/01/2010 12:29 11520]
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-02 c:\windows.0\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-25 13:45]
.
2011-05-02 c:\windows.0\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-25 13:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
Trusted Zone: amazon.co.uk\www
Trusted Zone: ravenwoodfair.com\www
FF - ProfilePath - c:\documents and settings\Perrin\Application Data\Mozilla\Firefox\Profiles\pjo20krg.default\
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows.0\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\program files\AVG\AVG10\Firefox4
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-02 23:22
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwQueryDirectoryFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\documents and settings\Perrin\Start Menu\Programs\Startup\swypwijl.exe 184691 bytes executable
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1960408961-413027322-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{71D940F9-0E35-E0F0-1675-249C6C404004}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS.0\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS.0\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1052)
c:\windows.0\system32\Ati2evxx.dll
c:\windows.0\system32\atiadlxx.dll
.
- - - - - - - > 'explorer.exe'(1864)
c:\windows.0\system32\WININET.dll
c:\windows.0\system32\tabhook.dll
c:\program files\Windows Media Player\wmpband.dll
c:\windows.0\system32\ieframe.dll
c:\windows.0\system32\webcheck.dll
c:\windows.0\system32\wpdshserviceobj.dll
c:\windows.0\system32\portabledevicetypes.dll
c:\windows.0\system32\portabledeviceapi.dll
.
Completion time: 2011-05-02 23:24:27
ComboFix-quarantined-files.txt 2011-05-02 22:24
ComboFix2.txt 2011-05-02 17:01
ComboFix3.txt 2011-05-02 11:57
ComboFix4.txt 2011-05-01 14:04
ComboFix5.txt 2011-05-02 22:16
.
Pre-Run: 101,771,755,520 bytes free
Post-Run: 101,759,266,816 bytes free
.
- - End Of File - - E8E185AAB3354E8CC688C575CA554C51

Tonyp

#23 Satchfan (SuperHelper, Malware Team, 6,813 posts; Interests: LFC, music, more LFC, more music)

Posted 03 May 2011 - 03:22 AM

Tony

This was written by RPMcMurphy at the end of January:

I looked over your old threads and you indeed had a virut infection last August. As you were instructed then, the only remedy for that infection is to reformat the drive and reinstall windows. It would seem that whomever you had do that for you did not format the drive, but instead did a parallel installation of Windows. As a result it is entirely possible that you still have remnants of the virut infection in your PC which would explain why you are having recurring issues.

I would tend to agree with the general consensus which is that there will always be remnants of this extremely dangerous piece of malware left on your computer.

Based on the above, I would also recommend a reformat. Don’t forget, Virut infects all the machine's executable files .exe, .scr plus .html and .htm which means that you will continually be re-infected.

Let me know what your decision is. Meanwhile, let’s get rid of some nasty stuff that is here.

Open ComboFix

Please do the following:

• Close any open browsers.
• Close/disable all antivirus and anti-malware programs so that they do not interfere with the running of ComboFix.
• Open Notepad and copy/paste the text in the codebox below into it:
File::
c:\windows.0\explorermgr.exe
c:\windows.0\system32\drivers\83466852.sys
c:\windows.0\system32\drivers\8346685.sys
c:\windows.0\system32\drivers\83466851.sys
c:\windows.0\system32\DRIVERS\89349221.sys
c:\windows.0\system32\DRIVERS\89349222.sys
c:\windows.0\system32\DRIVERS\8934922.sys

Folder::
c:\program files\kqhdmfdu

Driver::
8346685
83466851
83466852
8934922
89349221
89349222

Rootkit::
c:\documents and settings\Perrin\Start Menu\Programs\Startup\swypwijl.exe

RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe

Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

When finished, it produces a log at C:\ComboFix.txt. Post the contents of Combofix.txt in your next reply.

When you’ve done that, please try running Eset again and tell me if there are any changes.

Satchfan


#24 tonyperrin (Authentic Member, 53 posts)

Posted 03 May 2011 - 02:51 PM

Hi Satchfan -

Thanks for your post (back in work, so unable to reply until now). Interesting thing: when I booted up the machine tonight, the copy of ComboFix that had been on my desktop since yesterday had changed to a shortcut which would not run. Downloaded a new one (on a different machine); this is the log:

ComboFix 11-05-02.04 - tony1 03/05/2011 19:58:44.14.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.661 [GMT 1:00]
Running from: c:\documents and settings\Perrin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Perrin\Desktop\CFScript.txt
.
FILE ::
"c:\windows.0\explorermgr.exe"
"c:\windows.0\system32\drivers\8346685.sys"
"c:\windows.0\system32\drivers\83466851.sys"
"c:\windows.0\system32\drivers\83466852.sys"
"c:\windows.0\system32\DRIVERS\8934922.sys"
"c:\windows.0\system32\DRIVERS\89349221.sys"
"c:\windows.0\system32\DRIVERS\89349222.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\kqhdmfdu
c:\windows.0\explorermgr.exe
c:\windows.0\system32\drivers\8346685.sys
c:\windows.0\system32\drivers\83466851.sys
c:\windows.0\system32\drivers\83466852.sys
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_83466851
-------\Legacy_83466852
-------\Legacy_89349221
-------\Service_83466851
-------\Service_83466852
-------\Service_89349221
-------\Service_89349222
.
.
((((((((((((((((((((((((( Files Created from 2011-04-03 to 2011-05-03 )))))))))))))))))))))))))))))))
.
.
2011-05-03 19:05 . 2011-05-03 19:05 -------- d-----w- c:\program files\kqhdmfdu
2011-05-01 22:59 . 2011-05-01 22:59 -------- d-----w- c:\program files\ESET
2011-05-01 17:57 . 2011-04-20 23:29 719832 ------w- c:\program files\Mozilla Firefox\mozcpp19.dll
2011-05-01 17:57 . 2011-04-20 23:29 269272 ------w- c:\program files\Mozilla Firefox\freebl3.dll
2011-05-01 17:57 . 2011-04-20 23:29 16856 ------w- c:\program files\Mozilla Firefox\plugin-container.exe
2011-05-01 17:57 . 2011-04-20 23:29 166872 ------w- c:\program files\Mozilla Firefox\softokn3.dll
2011-04-11 22:11 . 2011-04-11 22:14 -------- d-----w- c:\documents and settings\Perrin\Application Data\avidemux
2011-04-11 22:11 . 2011-04-11 22:11 -------- d-----w- c:\program files\Avidemux 2.5
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-12 13:12 . 2011-03-12 13:12 51712 ----a-r- c:\documents and settings\Perrin\Application Data\Microsoft\Installer\{78D62D17-D970-42DA-B8CF-5E5576293B33}\Icon78D62D174.exe
2011-03-12 13:12 . 2011-03-12 13:12 51712 ----a-r- c:\documents and settings\Perrin\Application Data\Microsoft\Installer\{78D62D17-D970-42DA-B8CF-5E5576293B33}\Icon78D62D173.exe
2011-03-12 13:12 . 2011-03-12 13:12 51712 ----a-r- c:\documents and settings\Perrin\Application Data\Microsoft\Installer\{78D62D17-D970-42DA-B8CF-5E5576293B33}\Icon78D62D172.exe
2011-03-12 13:12 . 2011-03-12 13:12 27648 ----a-r- c:\documents and settings\Perrin\Application Data\Microsoft\Installer\{78D62D17-D970-42DA-B8CF-5E5576293B33}\Icon78D62D171.exe
2009-05-14 20:02 . 2009-05-14 20:02 3392872 ----a-w- c:\program files\Common Files\adlmint_libFNP.dll
2009-05-14 20:02 . 2009-05-14 20:02 3298152 ----a-w- c:\program files\Common Files\adlmint.dll
.
.
------- Sigcheck -------
.
[-] 2009-01-12 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows.0\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot_2011-04-21_18.52.49 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-28 10:29 . 2011-05-03 19:05 26238 c:\windows.0\system32\tablet.dat
- 2010-07-28 10:29 . 2011-04-21 18:31 26238 c:\windows.0\system32\tablet.dat
+ 2011-05-02 22:50 . 2011-05-02 22:50 21504 c:\windows.0\Installer\2287ad.msi
+ 2003-01-01 08:29 . 2009-03-08 14:09 638816 c:\windows.0\system32\dllcache\iexplore.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-30 149280]
"SoundMan"="SOUNDMAN.EXE" [2006-11-17 577536]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 602562]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 2178832]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
.
c:\documents and settings\Perrin\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [N/A]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
TabUserW.exe.lnk - c:\windows.0\system32\WTablet\TabUserW.exe [2010-7-28 77824]
VIA RAID TOOL.lnk - c:\program files\VIA\RAID\raid_tool.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows.0\system32\userinit.exe,,c:\program files\kqhdmfdu\swypwijl.exe"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Adobe\\Adobe Dreamweaver CS4\\Dreamweaver.exe"=
"c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
.
R0 viasraid;viasraid;c:\windows.0\system32\drivers\viasraid.sys [06/06/2010 17:07 77312]
R2 ASTSRV;Nalpeiron Licensing Service;c:\windows.0\system32\ASTSRV.EXE [05/04/2010 16:41 57344]
R2 thdudf;TOSHIBA UDF2.5 Reader File System Driver;c:\windows.0\system32\drivers\thdudf.sys [29/01/2010 17:05 66944]
S1 setup_9.0.0.722_01.05.2011_15-33drv;setup_9.0.0.722_01.05.2011_15-33drv;c:\windows.0\system32\DRIVERS\8934922.sys --> c:\windows.0\system32\DRIVERS\8934922.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [25/12/2010 14:45 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [25/12/2010 14:45 136176]
S3 scsiscan;SCSI Scanner Driver;c:\windows.0\system32\drivers\scsiscan.sys [24/01/2010 12:29 11520]
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-03 c:\windows.0\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-25 13:45]
.
2011-05-03 c:\windows.0\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-25 13:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
Trusted Zone: amazon.co.uk\www
Trusted Zone: ravenwoodfair.com\www
FF - ProfilePath - c:\documents and settings\Perrin\Application Data\Mozilla\Firefox\Profiles\pjo20krg.default\
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows.0\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\program files\AVG\AVG10\Firefox4
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-03 20:05
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwQueryDirectoryFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\documents and settings\Perrin\Start Menu\Programs\Startup\swypwijl.exe 184691 bytes executable
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1960408961-413027322-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{71D940F9-0E35-E0F0-1675-249C6C404004}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1052)
c:\windows.0\system32\Ati2evxx.dll
c:\windows.0\system32\atiadlxx.dll
.
- - - - - - - > 'explorer.exe'(3028)
c:\windows.0\system32\WININET.dll
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
c:\windows.0\system32\tabhook.dll
c:\program files\Windows Media Player\wmpband.dll
c:\windows.0\system32\ieframe.dll
c:\windows.0\system32\webcheck.dll
c:\windows.0\system32\wpdshserviceobj.dll
c:\windows.0\system32\portabledevicetypes.dll
c:\windows.0\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows.0\system32\savedump.exe
c:\windows.0\system32\Ati2evxx.exe
c:\windows.0\system32\Ati2evxx.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows.0\system32\HPZipm12.exe
c:\windows.0\system32\Tablet.exe
c:\windows.0\system32\wscntfy.exe
c:\windows.0\SOUNDMAN.EXE
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\windows.0\system32\msiexec.exe
.
**************************************************************************
.
Completion time: 2011-05-03 20:10:06 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-03 19:10
ComboFix2.txt 2011-05-02 22:24
ComboFix3.txt 2011-05-02 17:01
ComboFix4.txt 2011-05-02 11:57
ComboFix5.txt 2011-05-03 18:57
.
Pre-Run: 104,319,197,184 bytes free
Post-Run: 104,231,342,080 bytes free
.
- - End Of File - - 426E046AEF02DBB4C7E2D1D87B90ADBB


I still can't scan with Eset (tried in safe mode with networking - no joy). Incidentally, I haven't been running any anti-virus since we started (did the best uninstall of AVG that I could using the AVG uninstaller - it's almost like a virus itself; the number of processes it continually runs is scary!) and I also have the firewall disabled. If I get through this lot I think I will go for some paid-for antivirus in future.

I have no idea why the 'professional' who formatted the machine chose to create a new partition on it. I suppose in the long term I will have to reformat, though I'm very leery. I'm pretty good with the software I regularly use, but pretty clueless in regard to the O/S!

Tonyp

#25 Satchfan (SuperHelper, Malware Team, 6,813 posts; Interests: LFC, music, more LFC, more music)

Posted 03 May 2011 - 05:05 PM

Hi Tony

I am aware of the fact that you have no antivirus and firewall but it’s better to leave that until the system is clean so I’ll advise you when we’re finished.

I suppose in the long term I will have to reformat though I'm very leery

Unfortunately, the malware-writers now tend to attack the operating system. I think we may have to look towards that option.


Open ComboFix

Please do the following:

• Close any open browsers.
• Close/disable all antivirus and anti-malware programs so that they do not interfere with the running of ComboFix.
• Open Notepad and copy/paste the text in the codebox below into it:
Folder::
c:\program files\kqhdmfdu

Rootkit::
c:\documents and settings\Perrin\Start Menu\Programs\Startup\swypwijl.exe

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows.0\system32\userinit.exe,"

Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe

Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

When finished, it produces a log at C:\ComboFix.txt. Post the contents of Combofix.txt in your next reply.

Tell me if there are any changes.

Satchfan

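The indicators in the 3 May log (the extra swypwijl.exe token on the winlogon Userinit value, the bare-number drivers whose binaries are missing, the hidden executable in the Startup folder, and the ZwQueryDirectoryFile modification catchme reports) can be pulled out of a ComboFix log mechanically, and the Registry:: fix in the post above can be drafted from what is found so that the reset value keeps the SystemRoot the log itself reports (c:\windows.0 on this machine rather than the usual c:\windows). The Python script below is an added example written for this page; it is not ComboFix code, nor tooling from the thread or its helpers. The sample log text is constructed from the entries quoted in the thread, the regular expressions are my own assumptions about ComboFix's line layout, and the section names File::, Driver::, Rootkit:: and Registry:: follow their usage in the posts above.

```python
"""Triage a ComboFix log for the persistence indicators seen in this thread
and draft the matching CFScript.  Added example for this page, not ComboFix code."""
import re

# Constructed sample modelled on the entries quoted in the thread (not a real log file).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows.0\system32\userinit.exe,,c:\program files\kqhdmfdu\swypwijl.exe"
.
R0 83466852;83466852 Boot Guard Driver;c:\windows.0\system32\drivers\83466852.sys [01/05/2011 15:19 37392]
S1 89349221;89349221;c:\windows.0\system32\DRIVERS\89349221.sys --> c:\windows.0\system32\DRIVERS\89349221.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [25/12/2010 14:45 136176]
.
detected NTDLL code modification:
ZwQueryDirectoryFile
.
scanning hidden files ...
.
c:\documents and settings\Perrin\Start Menu\Programs\Startup\swypwijl.exe 184691 bytes executable
.
hidden files: 1
"""

USERINIT_RE = re.compile(r'^"Userinit"="(.*)"$', re.I)
# Assumed layout: "R0 name;display name;path [date time size]" or "... --> path [?]" when the file is gone.
SERVICE_RE = re.compile(r'^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s+\[([^\]]*)\]$')
HIDDEN_RE = re.compile(r'^(.+?) (\d+) bytes executable$')


def check_userinit(value):
    r"""Split the Userinit value and return (system_root, extras).

    The only legitimate token is <SystemRoot>\system32\userinit.exe; the
    SystemRoot is read from that token so a fix does not hard-code c:\windows
    on a machine whose install lives in c:\windows.0.  Every other non-empty
    token is something winlogon will launch at logon and is reported."""
    tokens = [t.strip() for t in value.split(',') if t.strip()]
    system_root, extras = None, []
    for tok in tokens:
        m = re.match(r'^(.*)\\system32\\userinit\.exe$', tok, re.I)
        if m and system_root is None:
            system_root = m.group(1)
        else:
            extras.append(tok)
    return system_root, extras


def suspicious_services(lines):
    """Flag service/driver entries with a bare-number name (the 8346685x and
    8934922x pattern in the thread) or whose binary is missing on disk ('[?]')."""
    hits = []
    for line in lines:
        m = SERVICE_RE.match(line)
        if not m:
            continue
        _, name, _, path, info = m.groups()
        reasons = []
        if name.isdigit():
            reasons.append('numeric service name')
        if info.strip() == '?':
            reasons.append('binary missing on disk')
        if reasons:
            hits.append((name, path.split(' --> ')[0], reasons))
    return hits


def hidden_files(lines):
    """Files catchme lists after 'scanning hidden files ...', as (path, size)."""
    return [(m.group(1), int(m.group(2))) for m in map(HIDDEN_RE.match, lines) if m]


def ntdll_hooks(lines):
    """Function names catchme reports under 'detected NTDLL code modification'."""
    hooks, collecting = [], False
    for line in lines:
        if line.startswith('detected NTDLL code modification'):
            collecting = True
        elif collecting:
            if line.strip() in ('', '.'):
                break
            hooks.append(line.strip())
    return hooks


def triage(log_text):
    lines = log_text.splitlines()
    system_root, extras = None, []
    for line in lines:
        m = USERINIT_RE.match(line)
        if m:
            system_root, extras = check_userinit(m.group(1))
    return {'system_root': system_root, 'userinit_extras': extras,
            'services': suspicious_services(lines),
            'hidden': hidden_files(lines), 'ntdll_hooks': ntdll_hooks(lines)}


def build_cfscript(findings):
    """Draft the CFScript: File:: for the Userinit extras and driver binaries,
    Driver:: for the services, Rootkit:: for hidden files, and a Registry::
    block that resets Userinit using the SystemRoot taken from the log."""
    out = []
    files = findings['userinit_extras'] + [p for _, p, _ in findings['services']]
    if files:
        out += ['File::'] + files + ['']
    if findings['services']:
        out += ['Driver::'] + [n for n, _, _ in findings['services']] + ['']
    if findings['hidden']:
        out += ['Rootkit::'] + [p for p, _ in findings['hidden']] + ['']
    if findings['userinit_extras'] and findings['system_root']:
        out += ['Registry::',
                r'[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]',
                '"Userinit"="%s\\system32\\userinit.exe,"' % findings['system_root']]
    return '\n'.join(out)


if __name__ == '__main__':
    found = triage(SAMPLE_LOG)
    print('NTDLL hooks:', found['ntdll_hooks'])
    print(build_cfscript(found))
```

Run as-is it prints the drafted script for the sample. The triage output also makes cross-checks easy that are otherwise lost in a long log: the hidden swypwijl.exe is 184691 bytes, the same size as the explorermgr.exe listed in the 2 May log, which is what you would expect if one dropper has been written out under two names. Anything the script flags is a candidate for the helper's judgement, not an automatic deletion; a legitimate driver with an odd name would trip the numeric-name rule too.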



#26 tonyperrin (Authentic Member, 53 posts)

Posted 03 May 2011 - 06:38 PM

Hi Satchfan -

Here is latest ComboFix log:

ComboFix 11-05-03.02 - tony1 04/05/2011 1:24.15.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.711 [GMT 1:00]
Running from: c:\documents and settings\Perrin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Perrin\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((( Files Created from 2011-04-04 to 2011-05-04 )))))))))))))))))))))))))))))))
.
.
2011-05-03 19:05 . 2011-05-03 19:05 -------- d-----w- c:\program files\kqhdmfdu
2011-05-01 22:59 . 2011-05-01 22:59 -------- d-----w- c:\program files\ESET
2011-05-01 17:57 . 2011-04-20 23:29 719832 ------w- c:\program files\Mozilla Firefox\mozcpp19.dll
2011-05-01 17:57 . 2011-04-20 23:29 269272 ------w- c:\program files\Mozilla Firefox\freebl3.dll
2011-05-01 17:57 . 2011-04-20 23:29 16856 ------w- c:\program files\Mozilla Firefox\plugin-container.exe
2011-05-01 17:57 . 2011-04-20 23:29 166872 ------w- c:\program files\Mozilla Firefox\softokn3.dll
2011-04-11 22:11 . 2011-04-11 22:14 -------- d-----w- c:\documents and settings\Perrin\Application Data\avidemux
2011-04-11 22:11 . 2011-04-11 22:11 -------- d-----w- c:\program files\Avidemux 2.5
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-12 13:12 . 2011-03-12 13:12 51712 ----a-r- c:\documents and settings\Perrin\Application Data\Microsoft\Installer\{78D62D17-D970-42DA-B8CF-5E5576293B33}\Icon78D62D174.exe
2011-03-12 13:12 . 2011-03-12 13:12 51712 ----a-r- c:\documents and settings\Perrin\Application Data\Microsoft\Installer\{78D62D17-D970-42DA-B8CF-5E5576293B33}\Icon78D62D173.exe
2011-03-12 13:12 . 2011-03-12 13:12 51712 ----a-r- c:\documents and settings\Perrin\Application Data\Microsoft\Installer\{78D62D17-D970-42DA-B8CF-5E5576293B33}\Icon78D62D172.exe
2011-03-12 13:12 . 2011-03-12 13:12 27648 ----a-r- c:\documents and settings\Perrin\Application Data\Microsoft\Installer\{78D62D17-D970-42DA-B8CF-5E5576293B33}\Icon78D62D171.exe
2009-05-14 20:02 . 2009-05-14 20:02 3392872 ----a-w- c:\program files\Common Files\adlmint_libFNP.dll
2009-05-14 20:02 . 2009-05-14 20:02 3298152 ----a-w- c:\program files\Common Files\adlmint.dll
.
.
------- Sigcheck -------
.
[-] 2009-01-12 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows.0\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot_2011-04-21_18.52.49 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-28 10:29 . 2011-05-03 20:37 26238 c:\windows.0\system32\tablet.dat
- 2010-07-28 10:29 . 2011-04-21 18:31 26238 c:\windows.0\system32\tablet.dat
+ 2011-05-02 22:50 . 2011-05-02 22:50 21504 c:\windows.0\Installer\2287ad.msi
+ 2003-01-01 08:29 . 2009-03-08 14:09 638816 c:\windows.0\system32\dllcache\iexplore.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-30 149280]
"SoundMan"="SOUNDMAN.EXE" [2006-11-17 577536]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 602562]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 2178832]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
.
c:\documents and settings\Perrin\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [N/A]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
TabUserW.exe.lnk - c:\windows.0\system32\WTablet\TabUserW.exe [2010-7-28 77824]
VIA RAID TOOL.lnk - c:\program files\VIA\RAID\raid_tool.exe [N/A]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Adobe\\Adobe Dreamweaver CS4\\Dreamweaver.exe"=
"c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
.
R0 viasraid;viasraid;c:\windows.0\system32\drivers\viasraid.sys [06/06/2010 17:07 77312]
R2 ASTSRV;Nalpeiron Licensing Service;c:\windows.0\system32\ASTSRV.EXE [05/04/2010 16:41 57344]
R2 thdudf;TOSHIBA UDF2.5 Reader File System Driver;c:\windows.0\system32\drivers\thdudf.sys [29/01/2010 17:05 66944]
S1 setup_9.0.0.722_01.05.2011_15-33drv;setup_9.0.0.722_01.05.2011_15-33drv;c:\windows.0\system32\DRIVERS\8934922.sys --> c:\windows.0\system32\DRIVERS\8934922.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [25/12/2010 14:45 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [25/12/2010 14:45 136176]
S3 scsiscan;SCSI Scanner Driver;c:\windows.0\system32\drivers\scsiscan.sys [24/01/2010 12:29 11520]
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-03 c:\windows.0\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-25 13:45]
.
2011-05-03 c:\windows.0\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-25 13:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
Trusted Zone: amazon.co.uk\www
Trusted Zone: ravenwoodfair.com\www
FF - ProfilePath - c:\documents and settings\Perrin\Application Data\Mozilla\Firefox\Profiles\pjo20krg.default\
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows.0\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\program files\AVG\AVG10\Firefox4
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-04 01:29
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwQueryDirectoryFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\documents and settings\Perrin\Start Menu\Programs\Startup\swypwijl.exe 184691 bytes executable
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1960408961-413027322-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{71D940F9-0E35-E0F0-1675-249C6C404004}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1052)
c:\windows.0\system32\Ati2evxx.dll
c:\windows.0\system32\atiadlxx.dll
.
- - - - - - - > 'explorer.exe'(2880)
c:\windows.0\system32\WININET.dll
c:\windows.0\system32\tabhook.dll
c:\program files\Windows Media Player\wmpband.dll
c:\windows.0\system32\ieframe.dll
c:\windows.0\system32\webcheck.dll
c:\windows.0\system32\wpdshserviceobj.dll
c:\windows.0\system32\portabledevicetypes.dll
c:\windows.0\system32\portabledeviceapi.dll
.
Completion time: 2011-05-04 01:31:38
ComboFix-quarantined-files.txt 2011-05-04 00:31
ComboFix2.txt 2011-05-03 19:10
ComboFix3.txt 2011-05-02 22:24
ComboFix4.txt 2011-05-02 17:01
ComboFix5.txt 2011-05-04 00:23
.
Pre-Run: 101,430,648,832 bytes free
Post-Run: 102,265,319,424 bytes free
.
- - End Of File - - FB9DB5AC300DECCFAD93A05D7D2FF558

After this tried to scan with Eset again - no go. If I do a Google search, the first result re-directs to Licosearch - anything below that goes to the right place (unless it happens to be Kaspersky!)

Very best - Tonyp

#27 Satchfan

Satchfan

    SuperHelper

  • Malware Team
  • 6,813 posts
  • Interests:LFC, music, more LFC, more music

Posted 04 May 2011 - 04:19 AM

Tony

I'm not holding out much hope with this infection but we can try a stronger tool to try and zap this. I would say that you might have to take a deep breath and prepare yourself to do the dreaded reformat.


1. Please download The Avenger2 by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

:
Drivers to delete:
8934922

Registry values to delete:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | kqhdmfdu

Folders to delete:
c:\program files\kqhdmfdu

Files to delete:
c:\windows.0\system32\DRIVERS\8934922.sys
c:\windows.0\Installer\2287ad.msi
c:\documents and settings\Perrin\Start Menu\Programs\Startup\swypwijl.exe


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh Hijackthis log .
===================================================

Flush the DNS cache
  • click on Start > Run > type: cmd
  • press OK or Hit Enter.
  • at the command prompt, type or copy/paste: ipconfig /flushdns (note the space between “..g /f…” it needs to be there)
  • hit Enter.
  • you will get a confirmation that the flush was successful.
  • close the command box.
Satchfan

NINA - Proud graduate of the WTT Classroom

Member of UNITE

The help you receive here is free but if you feel I have helped, you may consider making a Donation.

#28 tonyperrin

tonyperrin

    Authentic Member

  • Authentic Member
  • PipPip
  • 53 posts

Posted 04 May 2011 - 04:33 PM

Hi Satchfan -

I can't get Avenger to run (in normal or safe mode). I copied and pasted the script very carefully, but keep getting the following error:

Error: Invalid script. A valid script must begin with a command directive. Aborting execution!

I downloaded a new copy of HJ (on backup machine) ran it and this is the log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 23:12:20, on 04/05/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS.0\System32\smss.exe
C:\WINDOWS.0\system32\csrss.exe
C:\WINDOWS.0\system32\winlogon.exe
C:\WINDOWS.0\system32\services.exe
C:\WINDOWS.0\system32\lsass.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Perrin\Desktop\HijackThis.exe
C:\WINDOWS.0\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
F2 - REG:system.ini: UserInit=C:\WINDOWS.0\system32\userinit.exe,,C:\Program Files\kqhdmfdu\swypwijl.exe
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS.0\system32\WTablet\TabUserW.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O15 - Trusted Zone: http://www.ravenwoodfair.com
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS.0\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS.0\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Nalpeiron Licensing Service (ASTSRV) - Nalpeiron Ltd. - C:\WINDOWS.0\system32\ASTSRV.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS.0\system32\Ati2evxx.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS.0\system32\HPZipm12.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS.0\system32\Tablet.exe
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe (file missing)

--
End of file - 4325 bytes

- Also successfully flushed the DNS cache -

Tonyp
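The two logs above (the ComboFix output in post #26 and the HijackThis log here) carry the persistence and hardening clues a helper reads by eye: the F2 UserInit line with a second executable appended after userinit.exe, an orphaned BHO, a bare-filename Run entry, EnableFirewall set to 0 and a user.js that switches off Firefox's insecure-submit and mixed-content warnings. As an added example (not code from the thread, from HijackThis or from ComboFix), the script below pulls those findings out of log text mechanically. The sample lines are constructed from the posted logs, with the poster's WINDOWS.0 system root kept so the Userinit check has to tolerate a non-default root; nothing here touches a live registry or disk.

```python
"""Triage helpers for HijackThis / ComboFix style log lines.

Added example, not part of the forum thread and not code from the tools
it names.  SAMPLE_HJT and SAMPLE_COMBOFIX are constructed from the logs
posted in the thread; the functions only parse text.
"""
import re

# Constructed sample modelled on the HijackThis log (system root WINDOWS.0).
SAMPLE_HJT = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS.0\system32\userinit.exe,,C:\Program Files\kqhdmfdu\swypwijl.exe
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O15 - Trusted Zone: http://www.ravenwoodfair.com
"""

# Constructed sample modelled on the ComboFix log's firewall and Firefox lines.
SAMPLE_COMBOFIX = r"""
"EnableFirewall"= 0 (0x0)
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_viewing_mixed - false
FF - prefs.js: network.proxy.type - 0
"""

# Firefox prefs that, at these values, silence the browser's own warnings
# about insecure form posts and mixed content.
WEAKENING_FF_PREFS = {
    "security.warn_submit_insecure": "false",
    "security.warn_viewing_mixed": "false",
}


def userinit_extras(value):
    """Return the entries of a Winlogon Userinit value other than the system userinit.exe.

    Winlogon launches every comma separated entry at each interactive logon,
    so anything beyond system32\\userinit.exe is persistence.  Empty entries
    (the doubled comma in the sample) are dropped.  The match is on the
    'system32\\userinit.exe' tail so a renamed root such as WINDOWS.0 passes;
    a userinit.exe dropped in some other system32 directory would not be caught.
    """
    extras = []
    for entry in value.split(","):
        entry = entry.strip().strip('"')
        if not entry:
            continue
        parts = entry.lower().replace("/", "\\").split("\\")
        if len(parts) >= 2 and parts[-1] == "userinit.exe" and parts[-2] == "system32":
            continue
        extras.append(entry)
    return extras


def triage(log_text):
    """Scan log lines and return a list of (category, detail) findings."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = re.match(r"F2 - REG:system\.ini: UserInit=(.*)$", line)
        if m:
            for extra in userinit_extras(m.group(1)):
                findings.append(("userinit_extra", extra))
            continue
        # A BHO whose CLSID points at a file that is gone is leftover registration.
        if line.startswith("O2 - BHO:") and line.endswith("(no file)"):
            findings.append(("orphaned_bho", line.split(" - ")[2]))
            continue
        if line.startswith("O15 - Trusted Zone:"):
            findings.append(("trusted_zone", line.split(":", 1)[1].strip()))
            continue
        # Run entries with a bare file name resolve through the search path,
        # so they deserve a look even when the program is benign.
        m = re.match(r"O4 - .*\[(.+?)\] (.+)$", line)
        if m and "\\" not in m.group(2):
            findings.append(("unqualified_run", m.group(1)))
            continue
        if re.match(r'"EnableFirewall"=\s*0\b', line):
            findings.append(("firewall_disabled", "standardprofile"))
            continue
        m = re.match(r"FF - user\.js: (\S+) - (\S+)$", line)
        if m and WEAKENING_FF_PREFS.get(m.group(1)) == m.group(2):
            findings.append(("ff_warning_disabled", m.group(1)))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_HJT) + triage(SAMPLE_COMBOFIX):
        print(f"{category:22} {detail}")
```

Run it as-is to see the four HijackThis findings and the three ComboFix findings from the samples, or feed it a whole saved log. The Userinit check is the one worth keeping in a toolbox: the value should be exactly the system userinit.exe followed by a comma, and anything after it runs with the user's token at every logon.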

#29 Satchfan

Satchfan

    SuperHelper

  • Malware Team
  • 6,813 posts
  • Interests:LFC, music, more LFC, more music

Posted 05 May 2011 - 12:37 AM

Tony

My mistake.

Please try it again and input the following script:

Drivers to delete:
8934922

Registry values to delete:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | kqhdmfdu

Folders to delete:
c:\program files\kqhdmfdu

Files to delete:
c:\windows.0\system32\DRIVERS\8934922.sys
c:\windows.0\Installer\2287ad.msi
c:\documents and settings\Perrin\Start Menu\Programs\Startup\swypwijl.exe


Let’s now try a different scan

Download Dr.Web CureIt to the desktop:
  • Doubleclick the drweb-cureit icon to start the program.
  • press start
  • Allow the program to run the initial express scan
  • This will scan the files currently running in memory. If something is found, click the YES button when it asks you if you want to cure it. This is only a short scan.
    Note: A pop up may appear during this phase suggesting you purchase their program - click the X at the top right corner of this pop-up to close it.
  • Once the scan is complete, the results will be displayed
  • If infections are found you will be able to save a report
  • on the menu bar, click file and choose report list.
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Note:this report will need to be renamed to Dr.Web.txt in order to post it on the forum.
  • Close Dr.Web Cureit.
  • Please post the Dr.Web.txt report in your next reply
Satchfan


#30 tonyperrin

tonyperrin

    Authentic Member

  • Authentic Member
  • PipPip
  • 53 posts

Posted 05 May 2011 - 03:49 PM

Hi Satchfan -

Thanks for your message. Avenger ran okay for me this time - log is:

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Wed May 04 23:00:23 2011

23:00:23: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Wed May 04 23:01:13 2011

23:01:13: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\8934922" not found!
Deletion of driver "8934922" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Folder "c:\program files\kqhdmfdu" deleted successfully.

Error: file "c:\windows.0\system32\DRIVERS\8934922.sys" not found!
Deletion of file "c:\windows.0\system32\DRIVERS\8934922.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "c:\windows.0\Installer\2287ad.msi" deleted successfully.
File "c:\documents and settings\Perrin\Start Menu\Programs\Startup\swypwijl.exe" deleted successfully.

Error: could not delete registry value "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run|kqhdmfdu"
Deletion of registry value "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run|kqhdmfdu" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.



//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Wed May 04 23:11:59 2011

23:11:59: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Wed May 04 23:31:55 2011

23:31:55: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\8934922" not found!
Deletion of driver "8934922" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Folder "c:\program files\kqhdmfdu" deleted successfully.

Error: file "c:\windows.0\system32\DRIVERS\8934922.sys" not found!
Deletion of file "c:\windows.0\system32\DRIVERS\8934922.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows.0\Installer\2287ad.msi" not found!
Deletion of file "c:\windows.0\Installer\2287ad.msi" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "c:\documents and settings\Perrin\Start Menu\Programs\Startup\swypwijl.exe" deleted successfully.

Error: could not delete registry value "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run|kqhdmfdu"
Deletion of registry value "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run|kqhdmfdu" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.

I ran Dr Web too - logfile:

Process in memory: C:\Program Files\Internet Explorer\iexplore.exe:1664;;Trojan.Rmnet;Eradicated.;
swypwijl.exe;c:\documents and settings\perrin\start menu\programs\startup;Trojan.Starter.1591;Deleted.;
atiamaxx.dll\data001;c:\program files\ati technologies\ati.ace\core-static\atiamaxx.dll;Trojan.Starter.1591;;
atiamaxx.dll;c:\program files\ati technologies\ati.ace\core-static;Container contains infected objects;Moved.;
adobelmsvc.exe\data001;c:\program files\common files\adobe systems shared\service\adobelmsvc.exe;Trojan.Starter.1591;;
adobelmsvc.exe;c:\program files\common files\adobe systems shared\service;Container contains infected objects;Moved.;
hphtra09.dll\data001;c:\program files\hp\digital imaging\bin\hphtra09.dll;Trojan.Starter.1591;;
hphtra09.dll;c:\program files\hp\digital imaging\bin;Container contains infected objects;;
hpoddcomm09.dll\data001;c:\program files\hp\digital imaging\bin\hpoddcomm09.dll;Trojan.Starter.1591;;
hpoddcomm09.dll;c:\program files\hp\digital imaging\bin;Container contains infected objects;;
hpodvd09.dll\data001;c:\program files\hp\digital imaging\bin\hpodvd09.dll;Trojan.Starter.1591;;
hpodvd09.dll;c:\program files\hp\digital imaging\bin;Container contains infected objects;;
hpotradd.dll\data001;c:\program files\hp\digital imaging\bin\hpotradd.dll;Trojan.Starter.1591;;
hpotradd.dll;c:\program files\hp\digital imaging\bin;Container contains infected objects;;
hpqcxm08.dll\data001;c:\program files\hp\digital imaging\bin\hpqcxm08.dll;Trojan.Starter.1591;;
hpqcxm08.dll;c:\program files\hp\digital imaging\bin;Container contains infected objects;;
hpqtao08.dll\data001;c:\program files\hp\digital imaging\bin\hpqtao08.dll;Trojan.Starter.1591;;
hpqtao08.dll;c:\program files\hp\digital imaging\bin;Container contains infected objects;;
hpquio08.dll\data001;c:\program files\hp\digital imaging\bin\hpquio08.dll;Trojan.Starter.1591;;
hpquio08.dll;c:\program files\hp\digital imaging\bin;Container contains infected objects;;
hpnkhta.dll\data001;c:\program files\hp\digital imaging\unload\hpnkhta.dll;Trojan.Starter.1591;;
hpnkhta.dll;c:\program files\hp\digital imaging\unload;Container contains infected objects;;
swypwijl.exe;c:\program files\kqhdmfdu;Trojan.Starter.1591;Deleted.;
msoe.dll/data002\data001;c:\program files\outlook express\msoe.dll/data002;Trojan.Starter.1591;;
data002;c:\program files\outlook express;Container contains infected objects;;
msoe.dll;c:\program files\outlook express;Container contains infected objects;;
qttask.exe\data001;c:\program files\quicktime\qttask.exe;Trojan.Starter.1591;;
qttask.exe;c:\program files\quicktime;Container contains infected objects;Moved.;
rarext.dll\data001;c:\program files\winrar\rarext.dll;Trojan.Starter.1591;;
rarext.dll;c:\program files\winrar;Container contains infected objects;;

At the end it said that since infections were found I should run the complete scan, I didn't do it yet, thought I should speak to you first. Looks like it found a lot of stuff, though I am still getting the redirects to Licosearch and still not allowed to connect to Kaspersky at present -

Tonyp
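The Dr.Web report above is semicolon separated (object;directory;threat;action;) and mixes three kinds of record: the in-memory hit in iexplore.exe, inner objects such as atiamaxx.dll\data001 found inside a file, and the file itself marked "Container contains infected objects" with either an action (Moved, Deleted) or none at all. The entries with no action are the ones still on disk, and they are ordinary vendor binaries (HP, ATI, Outlook Express, QuickTime, WinRAR) each carrying an embedded Trojan.Starter object, which is what a file infector leaves behind; deleting them outright breaks the software, so once the infector itself is gone the practical fix is to reinstall those packages. As an added example (not code from the thread and not Dr.Web's own tooling), the script below parses that layout and separates what CureIt remediated from what it only flagged. SAMPLE_REPORT is a constructed excerpt in the same layout as the posted report.

```python
"""Summarise a Dr.Web CureIt report in the DrWeb.csv layout shown in the thread.

Added example, not part of the thread and not Dr.Web code.  The field
order (object;directory;threat;action;) is taken from the posted report;
SAMPLE_REPORT is a constructed excerpt of it.
"""
import re
from collections import Counter

SAMPLE_REPORT = r"""
Process in memory: C:\Program Files\Internet Explorer\iexplore.exe:1664;;Trojan.Rmnet;Eradicated.;
swypwijl.exe;c:\documents and settings\perrin\start menu\programs\startup;Trojan.Starter.1591;Deleted.;
atiamaxx.dll\data001;c:\program files\ati technologies\ati.ace\core-static\atiamaxx.dll;Trojan.Starter.1591;;
atiamaxx.dll;c:\program files\ati technologies\ati.ace\core-static;Container contains infected objects;Moved.;
hphtra09.dll\data001;c:\program files\hp\digital imaging\bin\hphtra09.dll;Trojan.Starter.1591;;
hphtra09.dll;c:\program files\hp\digital imaging\bin;Container contains infected objects;;
msoe.dll/data002\data001;c:\program files\outlook express\msoe.dll/data002;Trojan.Starter.1591;;
data002;c:\program files\outlook express;Container contains infected objects;;
msoe.dll;c:\program files\outlook express;Container contains infected objects;;
"""

# Inner objects Dr.Web finds inside a file are named dataNNN (possibly nested).
INNER = re.compile(r"^data\d+$")


def parse_report(text):
    """Return one dict per record: object, directory, threat, action (trailing '.' dropped)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        fields = line.split(";")
        if len(fields) < 4:
            continue  # blank line or something that is not a record
        records.append({
            "object": fields[0],
            "directory": fields[1],
            "threat": fields[2],
            "action": fields[3].rstrip("."),
        })
    return records


def is_embedded(obj):
    """True for inner objects (last path component is dataNNN)."""
    return bool(INNER.match(re.split(r"[\\/]", obj)[-1]))


def summarise(records):
    """Split records into remediated (path, action) pairs and unremediated on-disk paths.

    Inner dataNNN records are skipped: the action, if any, is recorded on the
    container file that holds them, and that file is what is still on disk.
    """
    remediated, unremediated = [], []
    for r in records:
        if r["object"].startswith("Process in memory:"):
            # No file to track; the process was cured or killed in memory.
            remediated.append((r["object"].split(": ", 1)[1], r["action"]))
            continue
        if is_embedded(r["object"]):
            continue
        path = r["directory"].rstrip("\\") + "\\" + r["object"]
        if r["action"]:
            remediated.append((path, r["action"]))
        else:
            unremediated.append(path)
    return {"remediated": remediated, "unremediated": unremediated}


def threat_counts(records):
    """Number of records per threat name, inner objects included."""
    return Counter(r["threat"] for r in records)


if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    result = summarise(recs)
    print("remediated:")
    for path, action in result["remediated"]:
        print(f"  {action:10} {path}")
    print("still on disk, not remediated:")
    for path in result["unremediated"]:
        print(f"  {path}")
    print(dict(threat_counts(recs)))
```

Point it at the saved DrWeb.csv (renamed to .txt or not, the content is the same) and the "still on disk" list is the set of files to deal with by reinstalling their packages rather than by deletion; a fresh scan after that should leave that list empty.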
