
Notebook infected with System Tool and other malware


Post by trestinc » March 31st, 2011, 7:18 pm

So far I know that my computer is infected with

1. System Tool
2. Window disk
3. Something that sends my searches to http://www.search-results.com/

I have done a DDS scan and the results are below.

I have also tried the System Tool removal as recommended in http://www.bleepingcomputer.com/virus-removal/remove-system-tool
I also encountered problems in using this procedure. My Internet Explorer would not open, and rkill/iexplorer/any of the other download links won't work.

I also went to the target location of System Tool and deleted 1 of the 2 files. I left the .exe file.

I did run a scan with Malwarebytes, rebooting it afterwards, and getting a blacked-out desktop in safe mode. I also ran a second scan and have both logs.

Thanks, I hope to hear from you guys soon :P


Here is the DDS scan requested, the Attach.txt follows:


.
DDS (Ver_11-03-05.01) - NTFSx86 NETWORK
Run by Work at 18:59:44.46 on 31/03/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.3.1252.2.1033.18.1015.718 [GMT -4:00]
.
AV: Spyware Doctor with AntiVirus *Enabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Work\Desktop\iExplore.exe
C:\Documents and Settings\Work\Desktop\iExplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Work\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://eeepc.asus.com/global
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Searchqu Toolbar: {7ff99715-3016-4381-84ce-e4e4c9673020} - c:\progra~1\wi9130~1\toolbar\SearchquDx.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: BandooIEPlugin Class: {eb5cee80-030a-4ed8-8e20-454e9c68380f} - c:\program files\fun4im\plugins\ie\ieplugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Searchqu Toolbar: {7ff99715-3016-4381-84ce-e4e4c9673020} - c:\progra~1\wi9130~1\toolbar\SearchquDx.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr .exe" /background
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10h_Plugin.exe -update plugin
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [DATAMNGR] c:\progra~1\wi9130~1\datamngr\DATAMN~1.EXE
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [33tck78binfed.exe] c:\documents and settings\networkservice\application data\e50896f890922196e4a03534de119750\33tck78binfed.exe
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
StartupFolder: c:\docume~1\work\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\superh~1.lnk - c:\program files\asus\eeepc\super hybrid engine\SuperHybridEngine.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: {15B782AF-55D8-11D1-B477-006097098764} - hxxp://fpdownload.macromedia.com/get/sh ... wswaxd.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://go.divx.com/plugin/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shoc ... wflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {531BF312-1783-41CA-9C4F-B7F769AD89B3} = 202.96.128.86,202.96.134.133
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\wi9130~1\datamngr\datamngr.dll c:\progra~1\fun4im\bndhook.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\work\applic~1\mozilla\firefox\profiles\i5art0as.default\
FF - prefs.js: browser.search.selectedEngine - Web Search
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox ... S:official
FF - prefs.js: keyword.URL - hxxp://www.searchqu.com/web?src=ffb&systemid=402&q=
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npWebLaunch.dll
FF - plugin: c:\program files\opera\program\plugins\npdivx32.dll
FF - plugin: c:\program files\opera\program\plugins\nppl3260.dll
FF - plugin: c:\program files\opera\program\plugins\nprjplug.dll
FF - plugin: c:\program files\opera\program\plugins\nprpjplug.dll
FF - plugin: c:\program files\opera\program\plugins\npWebLaunch.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\Ext
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Ext: FlashGot: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34} - %profile%\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
FF - Ext: Fun4IM for Firefox: firefox@bandoo.com - c:\documents and settings\networkservice\application data\mozilla\firefox\\extensions\firefox@bandoo.com
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2011-3-30 239168]
R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2011-3-30 338880]
S0 3078356788;3078356788;c:\windows\system32\drivers\3078356788.sys --> c:\windows\system32\drivers\3078356788.sys [?]
S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\pc tools security\bdt\BDTUpdateService.exe [2011-3-30 247760]
S2 CronService;Cron Service for Prey;c:\prey\platform\windows\cronsvc.exe [2010-9-29 18432]
S2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-3-24 54752]
S2 Fun4IM Coordinator;Fun4IM Coordinator;c:\progra~1\fun4im\Bandoo.exe [2011-1-28 1942416]
S2 gupdate1ca08f476ae4ae;Google Update Service (gupdate1ca08f476ae4ae);c:\program files\google\update\GoogleUpdate.exe [2009-7-20 133104]
S2 sdAuxService;PC Tools Auxiliary Service;c:\program files\pc tools security\pctsAuxs.exe [2011-3-30 366840]
S2 sdCoreService;PC Tools Security Service;c:\program files\pc tools security\pctsSvc.exe [2011-3-30 1150936]
S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\manycam.sys --> c:\windows\system32\drivers\ManyCam.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-3-31 38224]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [2009-10-16 17408]
S3 NPF;WinPcap Packet Driver (NPF);c:\windows\system32\drivers\npf.sys [2010-10-27 50704]
S3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys --> c:\windows\system32\drivers\RT2860.sys [?]
.
=============== File Associations ===============
.
exefile="c:\documents and settings\networkservice\local settings\application data\uqo.exe" -a "%1" %*
.
=============== Created Last 30 ================
.
2011-03-31 20:20:23 -------- d-----w- c:\docume~1\work\applic~1\Malwarebytes
2011-03-31 20:20:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-31 20:20:18 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-03-31 20:20:14 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-31 20:20:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-31 03:56:43 767952 ----a-w- c:\windows\BDTSupport.dll
2011-03-31 03:56:43 2000848 ----a-w- c:\windows\PCTBDCore.dll
2011-03-31 03:56:43 149456 ----a-w- c:\windows\SGDetectionTool.dll
2011-03-31 03:56:42 1533904 ----a-w- c:\windows\PCTBDRes.dll
2011-03-31 03:53:26 656320 ----a-w- c:\windows\system32\drivers\pctEFA.sys
2011-03-31 03:53:26 338880 ----a-w- c:\windows\system32\drivers\pctDS.sys
2011-03-31 03:53:24 251560 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2011-03-31 03:53:20 239168 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2011-03-31 03:53:20 160448 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2011-03-31 03:53:10 70536 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2011-03-31 03:52:59 -------- d-----w- c:\program files\PC Tools Security
2011-03-31 03:52:59 -------- d-----w- c:\program files\common files\PC Tools
2011-03-31 03:52:59 -------- d-----w- c:\docume~1\work\applic~1\PC Tools
2011-03-31 03:51:25 -------- d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
.
==================== Find3M ====================
.
2011-02-24 19:39:34 77314 ----a-w- c:\docume~1\alluse~1\applic~1\5KDAbXmi.exe_
2011-02-24 19:39:34 77314 ----a-w- c:\docume~1\alluse~1\applic~1\5KDAbXmi.exe
2011-02-02 21:29:26 0 ----a-w- c:\windows\Cyikah.bin
2008-05-07 23:34:00 15523560 ----a-w- c:\program files\Install AiGuruU1 Skype Phone.exe
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST9160827AS rev.3.AAA -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys PCTCore.sys ACPI.sys hal.dll >>UNKNOWN [0x86F0F735]<<
c:\windows\system32\drivers\PCTCore.sys PC Tools Kernel Driver Suite
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x86f15990]; MOV EAX, [0x86f15a0c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x86F70030]
3 CLASSPNP[0xF7757FD7] -> nt!IofCallDriver[0x804E13B9] -> [0x86F8A3E0]
5 PCTCore[0xF7622099] -> nt!IofCallDriver[0x804E13B9] -> \Device\000000a0[0x86F709E8]
7 ACPI[0xF76CE620] -> nt!IofCallDriver[0x804E13B9] -> [0x86F72940]
\Driver\atapi[0x86F55758] -> IRP_MJ_CREATE -> 0x86F0F735
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST9160827AS_____________________________3.AAA___#5&18f624a4&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x86F0F57B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 19:02:51.51 ===============

Attach

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 28/10/2008 2:15:07 AM
System Uptime: 31/03/2011 6:50:05 PM (1 hours ago)
.
Motherboard: ASUSTeK Computer INC. | | 1000H
Processor: Intel(R) Atom(TM) CPU N270 @ 1.60GHz | PBGA 437 | 1596/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 80 GiB total, 9.334 GiB free.
D: is FIXED (NTFS) - 61 GiB total, 13.758 GiB free.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP438: 15/11/2010 12:14:18 AM - Software Distribution Service 3.0
RP439: 16/11/2010 12:26:56 AM - System Checkpoint
RP440: 16/11/2010 8:07:47 AM - Software Distribution Service 3.0
RP441: 17/11/2010 2:58:21 PM - Software Distribution Service 3.0
RP442: 17/11/2010 5:27:50 PM - Removed Opera 10.60.
RP443: 17/11/2010 5:28:42 PM - Installed Opera 10.63.
RP444: 20/11/2010 1:32:48 AM - Removed Azurewave Wireless LAN
RP445: 21/11/2010 5:06:00 PM - System Checkpoint
RP446: 21/11/2010 7:10:18 PM - Installed Windows Media Player 11
RP447: 21/11/2010 7:11:35 PM - Installed Windows XP Wudf01000.
RP448: 21/11/2010 7:15:55 PM - Installed Windows XP MSCompPackV1.
RP449: 23/11/2010 12:25:50 PM - System Checkpoint
RP450: 23/11/2010 1:23:22 PM - Software Distribution Service 3.0
RP451: 24/11/2010 1:59:23 PM - Avg Update
RP452: 24/11/2010 2:00:38 PM - Avg Update
RP453: 24/11/2010 2:01:45 PM - Software Distribution Service 3.0
RP454: 25/11/2010 2:49:28 PM - Software Distribution Service 3.0
RP455: 27/11/2010 1:42:18 AM - Software Distribution Service 3.0
RP456: 28/11/2010 10:16:25 PM - Software Distribution Service 3.0
RP457: 30/11/2010 1:27:20 AM - Software Distribution Service 3.0
RP458: 01/12/2010 2:05:26 AM - System Checkpoint
RP459: 03/12/2010 1:20:51 PM - System Checkpoint
RP460: 05/12/2010 3:58:17 AM - Software Distribution Service 3.0
RP461: 06/12/2010 4:02:08 AM - System Checkpoint
RP462: 07/12/2010 4:20:57 AM - System Checkpoint
RP463: 08/12/2010 7:26:08 PM - Software Distribution Service 3.0
RP464: 09/12/2010 11:45:45 AM - Installed Kaspersky Internet Security 2011.
RP465: 13/12/2010 12:07:02 PM - System Checkpoint
RP466: 14/12/2010 8:02:22 PM - System Checkpoint
RP467: 16/12/2010 3:01:15 AM - Software Distribution Service 3.0
RP468: 18/12/2010 12:30:58 AM - Software Distribution Service 3.0
RP469: 18/12/2010 2:35:51 AM - Software Distribution Service 3.0
RP470: 19/12/2010 1:51:19 AM - Removed Opera 10.63.
RP471: 23/12/2010 12:23:39 AM - System Checkpoint
RP472: 30/12/2010 11:28:46 PM - System Checkpoint
RP473: 01/01/2011 4:29:45 PM - System Checkpoint
RP474: 03/01/2011 3:47:10 PM - Removed Kaspersky Internet Security 2011.
RP475: 16/01/2011 2:24:58 PM - Software Distribution Service 3.0
RP476: 17/01/2011 10:16:36 PM - System Checkpoint
RP477: 22/01/2011 11:41:30 AM - System Checkpoint
RP478: 23/01/2011 11:15:12 PM - System Checkpoint
RP479: 25/01/2011 6:33:32 PM - System Checkpoint
RP480: 28/01/2011 3:06:28 PM - System Checkpoint
RP481: 31/01/2011 9:00:50 PM - System Checkpoint
.
==== Installed Programs ======================
.
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Reader 8.1.4
Adobe Setup
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
Alarm Clock v1.0
ALZip
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Asus ACPI Driver
ASUSUpdate for Eee PC
Atheros Communications Inc.(R) AR8121/AR8113/AR8114 Gigabit/Fast Ethernet Driver
µTorrent
Audacity 1.2.6
Audacity 1.3.9 (Unicode)
Bonjour
CCleaner
Compatibility Pack for the 2007 Office system
DivX Setup
Eee Instant Key
Eee Storage 1.1.15.197
ETDWare PS/2-x86 7.0.4.3 WHQL
Foxit Reader
Fun4IM
GIZMO ver.2
Google Chrome
Google Earth
Google Update Helper
GraphCalc v4.0.1
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Intel(R) Graphics Media Accelerator Driver
iPresenter PC Software 1.0.0.0
iRotate
iTunes
Japanese Language Support
Java(TM) 6 Update 15
Jolicloud
Junk Mail filter update
LINGO 12.0
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft AppLocale
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Live Add-in 1.3
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook Connector
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Windows Application Compatibility Database
Mozilla Firefox (3.5.17)
MSVCRT
Notepad++
OpenMG Limited Patch 4.7-07-14-05-01
OpenMG Secure Module 4.7.00
Opera 11.01
PDF Settings
Picasa 3
QuickTime
RealNetworks - Microsoft Visual C++ 2008 Runtime
RealPlayer
Realtek High Definition Audio Driver
RealUpgrade 1.1
Samsung ML-1640 Series
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2289158)
Security Update for 2007 Microsoft Office System (KB2344875)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB2345035)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office PowerPoint Viewer (KB2413381)
Security Update for Microsoft Office Publisher 2007 (KB2284697)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Segoe UI
Skype™ 3.6
SonicStage 4.3
Super Hybrid Engine
Unity Web Player
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office Outlook 2007 (KB2412171)
Update for Outlook 2007 Junk Email Filter (KB2483110)
Update for Windows Internet Explorer 8 (KB971930)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB898461)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951618-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB953356)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VC80CRTRedist - 8.0.50727.4053
WebFldrs XP
Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer
Windows Media Format 11 runtime
Windows Media Player 11
Windows Searchqu Toolbar
WinRAR archiver
WordWeb
.
==== Event Viewer Messages From Past Week ========
.
31/03/2011 1:25:33 AM, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 0022434EBAC9. The following error occurred: The semaphore timeout period has expired. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
31/03/2011 1:24:35 AM, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 0022434EBAC9. The following error occurred: The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
31/03/2011 1:01:16 AM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer JIMMY that believes that it is the master browser for the domain on transport NetBT_Tcpip_{4CF69781-2339-42F6-899. The master browser is stopping or an election is being forced.
30/03/2011 11:52:59 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
30/03/2011 11:44:05 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
30/03/2011 11:14:50 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Cdrom Fips i2omgmt Imapi intelppm redbook
30/03/2011 11:13:49 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
26/03/2011 8:22:30 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Cdrom Fips i2omgmt Imapi intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss redbook Tcpip
26/03/2011 8:22:30 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
26/03/2011 8:22:30 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
26/03/2011 8:22:30 PM, error: Service Control Manager [7001] - The fssfltr service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
26/03/2011 8:22:30 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
26/03/2011 8:22:30 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
26/03/2011 8:22:30 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
26/03/2011 8:22:30 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
.
==== End Of File ===========================
trestinc
Regular Member
 
Posts: 67
Joined: March 31st, 2011, 7:04 pm

Re: Notebook infected with System Tool and other malware

Unread postby xixo_12 » April 2nd, 2011, 8:46 pm

Hello and Welcome to Anti-Malware Forums.
Introduction and rules :
  • I'm xixo_12 and really glad to help you.
  • You're advised to refrain from running any self-fixes until I give the "All Clean Speech".
  • Instructions in this topic are specially created for the current problem; don't apply them to another system.
  • You're advised to ask for any uncertainty.
  • If you are receiving help or have received help on this problem elsewhere, please let us know.

Please make sure you have done your reading on this topic : How to get help at this forum
Please! If you need more time to do all the instructions, let me know before the 72 hours are up. Otherwise, your thread will be closed.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Now, we will start the collaboration.
Do keep in mind, removing malware is a hazardous undertaking. I'm ready to share what I have learned through years of removing malware, but I'm also fallible.
You're advised to back up all the important data before we start.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

First,
***Important :
  • You're advised to reply one log per post.
    Please have a look at the Checklist area to know which logs I'm looking for.
  • While I am helping you with your computer, please don't Install, Uninstall, remove or change anything unless I ask.
  • Please minimize the exposure to the internet while you are in Safe mode with network support.


Next,
P2P software.
IMPORTANT: I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.
µTorrent

  • It's not a good idea to have them.
  • You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.
  • Go to Control Panel > Add/Remove Programs and uninstall the P2P program(s) listed above.
  • If you do not wish to remove your P2P programs, don't proceed with the next instruction and please tell me to close this topic.

Next,
Remove programs.
Please Click on Start > Control Panel > Add/Remove Programs
Remove the listed program(s) by clicking Remove
Fun4IM
Windows Searchqu Toolbar

If some programs listed above are not present, please do not panic and proceed to the next step.

Next,
MBAM Logs
  • Double click on Malwarebytes' Anti-Malware icon on the desktop.
  • Choose the Logs tab.
  • You will see this format - mbam-log-date (time).txt
  • Choose the latest log and click Open
  • Copy and paste the content into this topic.

Next,
Malwarebytes' Anti-Malware - Run
  • Double-click Malwarebytes' Anti-Malware to run the program.
  • Click on Update tab > Check for Updates.
  • Once done, click on Scanner tab, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Check all items except items in the C:\System Volume Information folder... and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log back into your next reply
Note:
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Or via the Logs tab when Malwarebytes' Anti-Malware is started.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so. Failure to reboot will prevent MBAM from removing all the malware.


What you need to post
Checklist.
  • Content of old MBAM log
  • Content of New MBAM log
  • Try to boot in normal mode, and let me know the result
xixo_12
MRU Master Emeritus
 
Posts: 2340
Joined: October 14th, 2008, 11:40 am
Location: Malaysia

Re: Notebook infected with System Tool and other malware

Unread postby trestinc » April 2nd, 2011, 11:31 pm

Thanks for the reply. :P

I removed the programs and am performing a full scan with the updated Malwarebytes' Anti-Malware program now. Logs, old and new, will be posted soon.

However, I forgot to mention another odd thing about my computer that might be related. Whenever I turn the notebook on, it goes to a black screen with a blinking underscore in the top left corner of the screen and doesn't go any further to start up. The only way I get around this is removing the battery, putting it back in and turning the computer back on.

This happened around the same time I got the Malwares.
trestinc
Regular Member
 
Posts: 67
Joined: March 31st, 2011, 7:04 pm

Re: Notebook infected with System Tool and other malware

Unread postby xixo_12 » April 2nd, 2011, 11:36 pm

Hi,
If the method you mentioned doesn't work, just proceed with safe mode with networking.
But minimize the exposure to the internet connection, ok? ;)

Just provide the logs that I'm looking for.
We will proceed from there.

Thanks!
xixo
xixo_12
MRU Master Emeritus
 
Posts: 2340
Joined: October 14th, 2008, 11:40 am
Location: Malaysia

Re: Notebook infected with System Tool and other malware

Unread postby trestinc » April 3rd, 2011, 1:00 am

Ok so I just finished the scan. I'll post the logs in separate posts. Old for this one. New for the next.

Old Malwarebytes' Anti-Malware Log

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6229

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

31/03/2011 6:37:49 PM
mbam-log-2011-03-31 (18-37-49).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 299433
Time elapsed: 57 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 46

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\networkservice\local settings\application data\uqo.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{70fd1db3-e30f-48ec-abea-2de81f03a8c6}\RP481\A0104454.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{70fd1db3-e30f-48ec-abea-2de81f03a8c6}\RP481\A0104455.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{70fd1db3-e30f-48ec-abea-2de81f03a8c6}\RP481\A0104456.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{70fd1db3-e30f-48ec-abea-2de81f03a8c6}\RP481\A0104457.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{70fd1db3-e30f-48ec-abea-2de81f03a8c6}\RP481\A0104458.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{70fd1db3-e30f-48ec-abea-2de81f03a8c6}\RP481\A0104459.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{70fd1db3-e30f-48ec-abea-2de81f03a8c6}\RP481\A0104460.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{70fd1db3-e30f-48ec-abea-2de81f03a8c6}\RP481\A0104461.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{70fd1db3-e30f-48ec-abea-2de81f03a8c6}\RP481\A0104462.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{70fd1db3-e30f-48ec-abea-2de81f03a8c6}\RP481\A0104463.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{70fd1db3-e30f-48ec-abea-2de81f03a8c6}\RP481\A0104464.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{70fd1db3-e30f-48ec-abea-2de81f03a8c6}\RP481\A0104465.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{70fd1db3-e30f-48ec-abea-2de81f03a8c6}\RP481\A0104466.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{70fd1db3-e30f-48ec-abea-2de81f03a8c6}\RP481\A0104467.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{70fd1db3-e30f-48ec-abea-2de81f03a8c6}\RP481\A0104468.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{70fd1db3-e30f-48ec-abea-2de81f03a8c6}\RP481\A0104469.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{70fd1db3-e30f-48ec-abea-2de81f03a8c6}\RP481\A0104470.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\system volume information\_restore{70fd1db3-e30f-48ec-abea-2de81f03a8c6}\RP481\A0104471.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\system volume information\_restore{70fd1db3-e30f-48ec-abea-2de81f03a8c6}\RP481\A0104472.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\system volume information\_restore{70fd1db3-e30f-48ec-abea-2de81f03a8c6}\RP481\A0104473.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{70fd1db3-e30f-48ec-abea-2de81f03a8c6}\RP481\A0104474.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\system volume information\_restore{70fd1db3-e30f-48ec-abea-2de81f03a8c6}\RP481\A0104475.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\system volume information\_restore{70fd1db3-e30f-48ec-abea-2de81f03a8c6}\RP481\A0104476.exe (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
c:\system volume information\_restore{70fd1db3-e30f-48ec-abea-2de81f03a8c6}\RP481\A0104477.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
c:\system volume information\_restore{70fd1db3-e30f-48ec-abea-2de81f03a8c6}\RP481\A0104478.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\system volume information\_restore{70fd1db3-e30f-48ec-abea-2de81f03a8c6}\RP481\A0104479.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\system volume information\_restore{70fd1db3-e30f-48ec-abea-2de81f03a8c6}\RP481\A0104480.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{70fd1db3-e30f-48ec-abea-2de81f03a8c6}\RP481\A0104481.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{70fd1db3-e30f-48ec-abea-2de81f03a8c6}\RP481\A0104482.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\system volume information\_restore{70fd1db3-e30f-48ec-abea-2de81f03a8c6}\RP481\A0104483.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{70fd1db3-e30f-48ec-abea-2de81f03a8c6}\RP481\A0104484.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{70fd1db3-e30f-48ec-abea-2de81f03a8c6}\RP481\A0104485.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{70fd1db3-e30f-48ec-abea-2de81f03a8c6}\RP481\A0104486.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{70fd1db3-e30f-48ec-abea-2de81f03a8c6}\RP481\A0104487.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{70fd1db3-e30f-48ec-abea-2de81f03a8c6}\RP481\A0104488.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
c:\system volume information\_restore{70fd1db3-e30f-48ec-abea-2de81f03a8c6}\RP481\A0104489.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
c:\system volume information\_restore{70fd1db3-e30f-48ec-abea-2de81f03a8c6}\RP481\A0104490.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
c:\system volume information\_restore{70fd1db3-e30f-48ec-abea-2de81f03a8c6}\RP481\A0104491.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
c:\system volume information\_restore{70fd1db3-e30f-48ec-abea-2de81f03a8c6}\RP481\A0104492.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
c:\system volume information\_restore{70fd1db3-e30f-48ec-abea-2de81f03a8c6}\RP481\A0104493.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
c:\system volume information\_restore{70fd1db3-e30f-48ec-abea-2de81f03a8c6}\RP481\A0104494.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
c:\system volume information\_restore{70fd1db3-e30f-48ec-abea-2de81f03a8c6}\RP481\A0104495.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
c:\system volume information\_restore{70fd1db3-e30f-48ec-abea-2de81f03a8c6}\RP481\A0104496.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
c:\system volume information\_restore{70fd1db3-e30f-48ec-abea-2de81f03a8c6}\RP481\A0104497.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\system volume information\_restore{70fd1db3-e30f-48ec-abea-2de81f03a8c6}\RP481\A0104498.dll (Trojan.Agent) -> Quarantined and deleted successfully.
trestinc
Regular Member
 
Posts: 67
Joined: March 31st, 2011, 7:04 pm

Re: Notebook infected with System Tool and other malware

Unread postby trestinc » April 3rd, 2011, 1:02 am

New Malwarebytes' Anti-Malware Log

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6252

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

03/04/2011 12:57:00 AM
mbam-log-2011-04-03 (00-57-00).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 305453
Time elapsed: 1 hour(s), 0 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{719C626C-C5A6-8550-2CD4-C214D57922C9} (Trojan.ZbotR.Gen) -> Value: {719C626C-C5A6-8550-2CD4-C214D57922C9} -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\system volume information\_restore{70fd1db3-e30f-48ec-abea-2de81f03a8c6}\RP481\A0104511.exe (Trojan.Agent) -> Not selected for removal.
c:\documents and settings\Work\application data\Nebu\tuix.exe (Trojan.ZbotR.Gen) -> Quarantined and deleted successfully.
trestinc
Regular Member
 
Posts: 67
Joined: March 31st, 2011, 7:04 pm

Re: Notebook infected with System Tool and other malware

Unread postby trestinc » April 3rd, 2011, 1:17 am

Alright, having restarted the notebook after running the scan and posting the logs, I chose to start the computer in safe mode with networking. It takes a lot longer than usual to finally show my desktop with the start bar and everything else, but it's here. Kind of odd because it usually starts up faster by not loading everything.

Realizing I was supposed to boot in normal mode, I tried that. Clicking start bar does show some lag as it gradually fades in. Could be normal given my lack of available space (C: drive - 9.13/79.9 GB and D: drive - 13.7/47.4 GB)

Checking for the "www.search-results.com" problem, I still have it. It happens whenever I search something by entering it in the address bar.
trestinc
Regular Member
 
Posts: 67
Joined: March 31st, 2011, 7:04 pm

Re: Notebook infected with System Tool and other malware

Unread postby trestinc » April 3rd, 2011, 1:30 am

I also may need some more time. Still in the 72 hour limit (Post Started: Thu 31 Mar, 2011 6:18 pm)

Also, I just encountered a problem.

"XP Total Security 2011 - Unregistered version" just popped up and started scanning...

No doubt it's something like System Tool.

So in response, I hit the "turn off wireless internet button" but accidentally hit the sleep button.
Got out of sleep mode back to desktop and turned off wireless through those little icons by the Time display. Shortly after, all I see is my background and the "XP Total Security 2011 - Unregistered Version" window. Can't access my desktop so I just held down the power button to shut down.

EDIT: Also I will be sleeping, it's actually 1:32 AM where I am.
trestinc
Regular Member
 
Posts: 67
Joined: March 31st, 2011, 7:04 pm

Re: Notebook infected with System Tool and other malware

Unread postby xixo_12 » April 3rd, 2011, 3:52 am

Hi,

Can you please clear up any unused data on the C:\ drive and transfer it to an external drive.
Let's free up space on the C:\ drive until it has 15 GB free.

We will work on safe mode in networking environment.

Next,
exeHelper by raktor
Please download from HERE and save to the desktop.
  • Double-click on exeHelper.com to run the fix.
  • A black window should pop up, press any key to close once the fix is completed.
  • Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

Next,
CKScanner.
Please download from HERE and save to the desktop.
  • Double click on CKScanner.exe to run it and click Search For Files.
  • After a very short time, when the cursor hourglass disappears, click Save List To File.
  • A message box will verify the file saved.
  • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.

What you need to post
Checklist.
  • Content of exehelper.log
  • Content of CKFiles.txt
xixo_12
MRU Master Emeritus
 
Posts: 2340
Joined: October 14th, 2008, 11:40 am
Location: Malaysia

Re: Notebook infected with System Tool and other malware

Unread postby trestinc » April 3rd, 2011, 1:46 pm

After removing some unused programs to free up some space, I restarted my computer. The computer was then trying to end program "6b8" to restart.

I'm still trying to free up enough space.
trestinc
Regular Member
 
Posts: 67
Joined: March 31st, 2011, 7:04 pm

Re: Notebook infected with System Tool and other malware

Unread postby trestinc » April 3rd, 2011, 6:09 pm

For some reason, wireless internet stopped working under safe mode so I switched back to normal mode to post the logs.

Here is the Exehelper.log

exeHelper by Raktor
Build 20100414
Run at 17:49:25 on 04/03/11
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--
trestinc
Regular Member
 
Posts: 67
Joined: March 31st, 2011, 7:04 pm

Re: Notebook infected with System Tool and other malware

Unread postby trestinc » April 3rd, 2011, 6:10 pm

Here is the ckscanner.log

CKScanner - Additional Security Risks - These are not necessarily bad
c:\documents and settings\tony\desktop\new folder\desktop\may 26 2010\desktop stuff\sea gull\new folder\new folder (3)\copy of asurf\engine\crypt.dll
c:\documents and settings\tony\desktop\new folder\desktop\may 26 2010\desktop stuff\sea gull\new folder\new folder (3)\copy of asurf\engine\channels\crypt.dll
c:\documents and settings\tony\desktop\new folder\desktop\may 26 2010\desktop stuff\sea gull\new folder\new folder (3)\new folder (2)\asurf\engine\crypt.dll
c:\documents and settings\tony\desktop\new folder\desktop\may 26 2010\desktop stuff\sea gull\new folder\new folder (3)\new folder (2)\asurf\engine\channels\crypt.dll
c:\program files\data realms\cortex command\base.rte\scenes\scripts\coalition crackdown.lua
scanner sequence 3.EM.11
----- EOF -----





EDIT: As noted above I will need some more time.
trestinc
Regular Member
 
Posts: 67
Joined: March 31st, 2011, 7:04 pm

Re: Notebook infected with System Tool and other malware

Unread postby xixo_12 » April 3rd, 2011, 6:27 pm

Hi,
Let's proceed.
We will work on the normal mode environment.
These instructions depend on one another. Please run them in the sequence given.

First,
exeHelper by raktor
Please run it again.

Next,
ComboFix
Download ComboFix from one of these locations (DO NOT download ComboFix from anywhere else but one of the provided links)
Save as Combo-Fix.exe << Please have a look at the file name. You have to change it.
Link 1
Link 2

**IMPORTANT !!! Save Combo-Fix.exe to your Desktop**

  • Disable your AntiVirus/AntiSpyware/Firewall applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    A guide to do this can be found here
  • Double click on Combo-Fix.exe & follow the prompts
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


What you need to post
Checklist.
  • Content of exehelperlog.txt
  • Content of ComboFix.txt
xixo_12
MRU Master Emeritus
 
Posts: 2340
Joined: October 14th, 2008, 11:40 am
Location: Malaysia

Re: Notebook infected with System Tool and other malware

Unread postby trestinc » April 3rd, 2011, 6:44 pm

Second run of exeHelper by raktor

exeHelper by Raktor
Build 20100414
Run at 17:49:25 on 04/03/11
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

exeHelper by Raktor
Build 20100414
Run at 18:41:57 on 04/03/11
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--
trestinc
Regular Member
 
Posts: 67
Joined: March 31st, 2011, 7:04 pm

Re: Notebook infected with System Tool and other malware

Unread postby trestinc » April 3rd, 2011, 7:29 pm

combofix log

ComboFix 11-04-03.01 - Work 03/04/2011 19:06:32.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.2.1033.18.1015.730 [GMT -4:00]
Running from: c:\documents and settings\Work\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\5KDAbXmi.exe
c:\documents and settings\All Users\Application Data\5KDAbXmi.exe_
c:\documents and settings\All Users\Application Data\Tarma Installer
c:\documents and settings\All Users\Application Data\Tarma Installer\{2FD81148-5DA7-4A7B-ACA5-C99FE3CD9A3C}\_Setup.dll
c:\documents and settings\All Users\Application Data\Tarma Installer\{2FD81148-5DA7-4A7B-ACA5-C99FE3CD9A3C}\20101207015848.log
c:\documents and settings\All Users\Application Data\Tarma Installer\{2FD81148-5DA7-4A7B-ACA5-C99FE3CD9A3C}\Setup.dat
c:\documents and settings\All Users\Application Data\Tarma Installer\{2FD81148-5DA7-4A7B-ACA5-C99FE3CD9A3C}\Setup.exe
c:\documents and settings\All Users\Application Data\Tarma Installer\{2FD81148-5DA7-4A7B-ACA5-C99FE3CD9A3C}\Setup.ico
c:\documents and settings\All Users\Start Menu\Windows Live Messenger .lnk
c:\documents and settings\NetworkService\Application Data\searchqutb
c:\documents and settings\NetworkService\Application Data\searchqutb\dtx.ini
c:\documents and settings\NetworkService\Application Data\searchqutb\games\00d2dfc64c07a4f32824abac1d6f735b
c:\documents and settings\NetworkService\Application Data\searchqutb\games\3e4265e00cbc4a9cf22a105046a46d8a
c:\documents and settings\NetworkService\Application Data\searchqutb\games\44a5d79f5451d3036ba3986425e234c8
c:\documents and settings\NetworkService\Application Data\searchqutb\games\GameCategories.xml
c:\documents and settings\NetworkService\Application Data\searchqutb\games\GameTypes.xml
c:\documents and settings\NetworkService\Application Data\searchqutb\guid.dat
c:\documents and settings\NetworkService\Application Data\searchqutb\preferences.dat
c:\documents and settings\NetworkService\Application Data\searchqutb\stats.dat
c:\documents and settings\NetworkService\Application Data\searchqutb\uninstallIE.dat
c:\documents and settings\NetworkService\Application Data\searchqutb\weather\5391bea8b43342bae411e881fe20d88b
c:\documents and settings\NetworkService\Application Data\searchqutb\weather\8f2c97f47d4c7e32ecb517551661c1fe
c:\documents and settings\NetworkService\Application Data\searchqutb\weather\forecasts_cache.xml
c:\documents and settings\NetworkService\Application Data\searchqutb\weather\observations_cache.xml
c:\documents and settings\NetworkService\Application Data\searchqutb\weatherbutton_prefs.xml
c:\documents and settings\NetworkService\Application Data\searchqutb\widgets_cache\84b70525cff6359fdeca553342c23e4c
c:\documents and settings\NetworkService\Application Data\searchqutb\widgets_cache\bf5b6317ae07da699882fc948f22eda4
c:\documents and settings\NetworkService\Application Data\searchqutb\widgets_cache\category_cache.xml
c:\documents and settings\NetworkService\Application Data\searchqutb\widgets_cache\widget_cache.xml
c:\documents and settings\NetworkService\Local Settings\Application Data\yji.exe
c:\documents and settings\Work\Start Menu\Programs\System Tool
c:\documents and settings\Work\Start Menu\Programs\System Tool\System Tool 2011.lnk
c:\documents and settings\Work\Start Menu\Programs\Windows Disk
c:\documents and settings\Work\Start Menu\Programs\Windows Disk\Uninstall Windows Disk.lnk
c:\documents and settings\Work\Start Menu\Programs\Windows Disk\Windows Disk.lnk
c:\windows\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\Thumbs.db
c:\windows\system32\wpcap.dll
c:\windows\Tasks\At1.job
.
.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NPF
-------\Service_NPF
-------\Service_WMPNetworkSvc
.
.
((((((((((((((((((((((((( Files Created from 2011-03-03 to 2011-04-03 )))))))))))))))))))))))))))))))
.
.
2011-04-01 00:15 . 2011-04-03 04:57 -------- d-----w- c:\documents and settings\Work\Application Data\Nebu
2011-04-01 00:15 . 2011-04-01 16:45 -------- d-----w- c:\documents and settings\Work\Application Data\Axkoyz
2011-03-31 20:20 . 2011-03-31 20:20 -------- d-----w- c:\documents and settings\Work\Application Data\Malwarebytes
2011-03-31 20:20 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-31 20:20 . 2011-03-31 20:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-03-31 20:20 . 2011-03-31 20:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-31 20:20 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-31 03:56 . 2011-01-07 18:54 149456 ----a-w- c:\windows\SGDetectionTool.dll
2011-03-31 03:56 . 2011-01-07 18:54 2000848 ----a-w- c:\windows\PCTBDCore.dll
2011-03-31 03:56 . 2011-01-07 18:54 767952 ----a-w- c:\windows\BDTSupport.dll
2011-03-31 03:56 . 2011-01-07 18:54 1533904 ----a-w- c:\windows\PCTBDRes.dll
2011-03-31 03:52 . 2011-04-03 17:44 -------- d-----w- c:\program files\PC Tools Security
2011-03-31 03:52 . 2011-04-03 23:23 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2011-03-31 03:51 . 2011-04-03 17:39 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2011-03-07 20:32 . 2011-03-07 20:32 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-03-07 20:32 . 2011-03-07 20:32 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-06 15:54 . 2011-03-31 03:56 2125 ----a-w- c:\windows\UDB.zip
2008-05-07 23:34 . 2008-09-11 13:03 15523560 ----a-w- c:\program files\Install AiGuruU1 Skype Phone.exe
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\opera\program\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\opera\program\plugins\ssldivx.dll
.
c:\program files\Common Files\Microsoft Shared\DW\dwtrig20 .exe
c:\program files\DivX\DivX Update\DivXUpdate .exe
c:\program files\EeePC\ACPI\AsAcpiSvr .exe
c:\program files\EeePC\ACPI\AsEPCMon .exe
c:\program files\EeePC\ACPI\AsTray .exe
c:\program files\Elantech\ETDCtrl .exe
c:\program files\Elantech\ETDDect .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\Messenger\msmsgs .exe
c:\program files\real\realplayer\Update\realsched .exe
c:\program files\Windows Live\Messenger\msnmsgr     .exe
c:\program files\WordWeb\wweb32 .exe
c:\windows\ime\imjp8_1\IMJPMIG .exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr .exe" [2009-07-26 3883856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-15 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-15 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-15 131072]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-31 16806912]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
vavyb.exe [2011-3-31 82944]
.
c:\documents and settings\TONY\Start Menu\Programs\Startup\
iRotate.lnk - c:\program files\iRotate\iRotate.exe [2008-6-1 58104]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
viox.exe [2011-3-31 82944]
.
c:\documents and settings\Work\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
SuperHybridEngine.lnk - c:\program files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe [2008-9-11 311296]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
quiv.exe [2011-3-31 82944]
.
[HKLM\~\startupfolder\C:^Documents and Settings^TONY^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\TONY\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^TONY^Start Menu^Programs^Startup^OpenOffice.org 3.0.lnk]
path=c:\documents and settings\TONY\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk
backup=c:\windows\pss\OpenOffice.org 3.0.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 06:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GIZMO2]
2008-11-17 16:34 2229512 ----a-w- c:\program files\GIZMO2\GIZMO.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
c:\program files\Microsoft Office\Office12\GrooveMonitor.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
c:\program files\Messenger\msmsgs.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
c:\program files\Windows Live\Messenger\msnmsgr.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
2008-04-14 12:00 59392 ----a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2008-04-14 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2008-04-14 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
c:\program files\QuickTime\QTTask.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2008-02-13 03:08 21898024 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
c:\program files\Spybot - Search & Destroy\TeaTimer.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-07-25 09:23 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
c:\program files\Common Files\Real\Update_OB\realsched.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
c:\program files\Winamp\winampa.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R2 CronService;Cron Service for Prey;c:\prey\platform\windows\cronsvc.exe [29/09/2010 5:21 PM 18432]
S0 3078356788;3078356788;c:\windows\system32\drivers\3078356788.sys --> c:\windows\system32\drivers\3078356788.sys [?]
S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\PC Tools Security\BDT\BDTUpdateService.exe [30/03/2011 11:56 PM 247760]
S2 gupdate1ca08f476ae4ae;Google Update Service (gupdate1ca08f476ae4ae);c:\program files\Google\Update\GoogleUpdate.exe [20/07/2009 12:39 AM 133104]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\DRIVERS\ManyCam.sys --> c:\windows\system32\DRIVERS\ManyCam.sys [?]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [16/10/2009 10:21 PM 17408]
S3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\DRIVERS\RT2860.sys --> c:\windows\system32\DRIVERS\RT2860.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-20 04:39]
.
2011-04-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-20 04:39]
.
2011-04-03 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-18.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
.
2011-04-03 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2938096170-2462371691-3002030570-1009.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
.
2011-04-03 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2938096170-2462371691-3002030570-1010.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
.
2011-04-03 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2938096170-2462371691-3002030570-500.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
.
2011-01-28 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-18.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
.
2011-01-29 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2938096170-2462371691-3002030570-1009.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
.
2010-11-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2938096170-2462371691-3002030570-1010.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
.
2011-04-01 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2938096170-2462371691-3002030570-500.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://eeepc.asus.com/global
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
TCP: {531BF312-1783-41CA-9C4F-B7F769AD89B3} = 202.96.128.86,202.96.134.133
FF - ProfilePath - c:\documents and settings\Work\Application Data\Mozilla\Firefox\Profiles\i5art0as.default\
FF - prefs.js: browser.search.selectedEngine - Web Search
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox ... S:official
FF - prefs.js: keyword.URL - hxxp://www.searchqu.com/web?src=ffb&systemid=402&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Ext: FlashGot: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34} - %profile%\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} - (no file)
Notify-NavLogon - (no file)
AddRemove-{2FD81148-5DA7-4A7B-ACA5-C99FE3CD9A3C} - c:\docume~1\ALLUSE~1\APPLIC~1\TARMAI~1\{2FD81~1\Setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-03 19:24
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1360)
c:\windows\system32\WININET.dll
c:\windows\Microsoft.NET\Framework\v1.1.4322\fusion.dll
c:\windows\system32\ieframe.dll
c:\program files\eee storage\xpclient.dll
c:\program files\eee storage\logicnp.eznamespaceextensions.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\igfxext.exe
.
**************************************************************************
.
Completion time: 2011-04-03 19:28:30 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-03 23:28
.
Pre-Run: 19,212,853,248 bytes free
Post-Run: 19,783,196,672 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=C:\jolildr.mbr
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\jolildr.mbr = "Jolicloud"
.
- - End Of File - - 2BB11343B3BD6C0082234654676EA2F3
trestinc
Regular Member
 
Posts: 67
Joined: March 31st, 2011, 7:04 pm