Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Some type of Malware

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: Some type of Malware

Unread postby steveo4025 » June 22nd, 2011, 4:43 pm

Here is the log from ComboFix you requested. The redirections have been occurring for at least 6 months; we recently switched to using this computer as our main one. It was being used by our son, who had a ton of things on it, most of which were useless to us and subsequently deleted.

ComboFix 11-06-22.02 - chris zurowski 06/22/2011 16:06:19.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.254.4 [GMT -4:00]
Running from: c:\documents and settings\chris zurowski\My Documents\Downloads\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\aidin\Application Data\Mozilla\Firefox\Profiles\7mdlruxk.default\extensions\{57c69cd5-e526-4be7-a7eb-6985d8b828db}
c:\documents and settings\aidin\Application Data\Mozilla\Firefox\Profiles\7mdlruxk.default\extensions\{57c69cd5-e526-4be7-a7eb-6985d8b828db}\chrome.manifest
c:\documents and settings\aidin\Application Data\Mozilla\Firefox\Profiles\7mdlruxk.default\extensions\{57c69cd5-e526-4be7-a7eb-6985d8b828db}\chrome\xulcache.jar
c:\documents and settings\aidin\Application Data\Mozilla\Firefox\Profiles\7mdlruxk.default\extensions\{57c69cd5-e526-4be7-a7eb-6985d8b828db}\defaults\preferences\xulcache.js
c:\documents and settings\aidin\Application Data\Mozilla\Firefox\Profiles\7mdlruxk.default\extensions\{57c69cd5-e526-4be7-a7eb-6985d8b828db}\install.rdf
c:\documents and settings\chris zurowski\Application Data\Mozilla\Firefox\Profiles\91n9x25e.default\extensions\{57c69cd5-e526-4be7-a7eb-6985d8b828db}
c:\documents and settings\chris zurowski\Application Data\Mozilla\Firefox\Profiles\91n9x25e.default\extensions\{57c69cd5-e526-4be7-a7eb-6985d8b828db}\chrome.manifest
c:\documents and settings\chris zurowski\Application Data\Mozilla\Firefox\Profiles\91n9x25e.default\extensions\{57c69cd5-e526-4be7-a7eb-6985d8b828db}\chrome\xulcache.jar
c:\documents and settings\chris zurowski\Application Data\Mozilla\Firefox\Profiles\91n9x25e.default\extensions\{57c69cd5-e526-4be7-a7eb-6985d8b828db}\defaults\preferences\xulcache.js
c:\documents and settings\chris zurowski\Application Data\Mozilla\Firefox\Profiles\91n9x25e.default\extensions\{57c69cd5-e526-4be7-a7eb-6985d8b828db}\install.rdf
c:\documents and settings\Guest\Application Data\Mozilla\Firefox\Profiles\xavltxta.default\extensions\{57c69cd5-e526-4be7-a7eb-6985d8b828db}
c:\documents and settings\Guest\Application Data\Mozilla\Firefox\Profiles\xavltxta.default\extensions\{57c69cd5-e526-4be7-a7eb-6985d8b828db}\chrome.manifest
c:\documents and settings\Guest\Application Data\Mozilla\Firefox\Profiles\xavltxta.default\extensions\{57c69cd5-e526-4be7-a7eb-6985d8b828db}\chrome\xulcache.jar
c:\documents and settings\Guest\Application Data\Mozilla\Firefox\Profiles\xavltxta.default\extensions\{57c69cd5-e526-4be7-a7eb-6985d8b828db}\defaults\preferences\xulcache.js
c:\documents and settings\Guest\Application Data\Mozilla\Firefox\Profiles\xavltxta.default\extensions\{57c69cd5-e526-4be7-a7eb-6985d8b828db}\install.rdf
c:\documents and settings\LocalService\Application Data\Mozilla\Firefox\Profiles\mxkdfz77.default\extensions\{57c69cd5-e526-4be7-a7eb-6985d8b828db}
c:\documents and settings\LocalService\Application Data\Mozilla\Firefox\Profiles\mxkdfz77.default\extensions\{57c69cd5-e526-4be7-a7eb-6985d8b828db}\chrome.manifest
c:\documents and settings\LocalService\Application Data\Mozilla\Firefox\Profiles\mxkdfz77.default\extensions\{57c69cd5-e526-4be7-a7eb-6985d8b828db}\chrome\xulcache.jar
c:\documents and settings\LocalService\Application Data\Mozilla\Firefox\Profiles\mxkdfz77.default\extensions\{57c69cd5-e526-4be7-a7eb-6985d8b828db}\defaults\preferences\xulcache.js
c:\documents and settings\LocalService\Application Data\Mozilla\Firefox\Profiles\mxkdfz77.default\extensions\{57c69cd5-e526-4be7-a7eb-6985d8b828db}\install.rdf
c:\documents and settings\mom and steve\Application Data\Mozilla\Firefox\Profiles\doxju2rb.default\extensions\{57c69cd5-e526-4be7-a7eb-6985d8b828db}
c:\documents and settings\mom and steve\Application Data\Mozilla\Firefox\Profiles\doxju2rb.default\extensions\{57c69cd5-e526-4be7-a7eb-6985d8b828db}\chrome.manifest
c:\documents and settings\mom and steve\Application Data\Mozilla\Firefox\Profiles\doxju2rb.default\extensions\{57c69cd5-e526-4be7-a7eb-6985d8b828db}\chrome\xulcache.jar
c:\documents and settings\mom and steve\Application Data\Mozilla\Firefox\Profiles\doxju2rb.default\extensions\{57c69cd5-e526-4be7-a7eb-6985d8b828db}\defaults\preferences\xulcache.js
c:\documents and settings\mom and steve\Application Data\Mozilla\Firefox\Profiles\doxju2rb.default\extensions\{57c69cd5-e526-4be7-a7eb-6985d8b828db}\install.rdf
c:\windows\Downloaded Program Files\f3initialsetup1.0.0.15.inf
c:\windows\system32\259459213
c:\windows\system32\259459213\frt0.rar
c:\windows\system32\259459213\frt0.rar.ver
c:\windows\system32\259459213\frt1.rar
c:\windows\system32\259459213\frt1.rar.ver
c:\windows\system32\259459213\frt10.rar
c:\windows\system32\259459213\frt10.rar.ver
c:\windows\system32\259459213\frt11.rar
c:\windows\system32\259459213\frt11.rar.ver
c:\windows\system32\259459213\frt12.rar
c:\windows\system32\259459213\frt12.rar.ver
c:\windows\system32\259459213\frt13.rar
c:\windows\system32\259459213\frt13.rar.ver
c:\windows\system32\259459213\frt14.rar
c:\windows\system32\259459213\frt14.rar.ver
c:\windows\system32\259459213\frt15.rar
c:\windows\system32\259459213\frt15.rar.ver
c:\windows\system32\259459213\frt2.rar
c:\windows\system32\259459213\frt2.rar.ver
c:\windows\system32\259459213\frt3.rar
c:\windows\system32\259459213\frt3.rar.ver
c:\windows\system32\259459213\frt4.rar
c:\windows\system32\259459213\frt4.rar.ver
c:\windows\system32\259459213\frt5.rar
c:\windows\system32\259459213\frt5.rar.ver
c:\windows\system32\259459213\frt6.rar
c:\windows\system32\259459213\frt6.rar.ver
c:\windows\system32\259459213\frt7.rar
c:\windows\system32\259459213\frt7.rar.ver
c:\windows\system32\259459213\frt8.rar
c:\windows\system32\259459213\frt8.rar.ver
c:\windows\system32\259459213\frt9.rar
c:\windows\system32\259459213\frt9.rar.ver
c:\windows\system32\585300597
c:\windows\system32\585300597\new.i0.kwd
c:\windows\system32\585300597\new.i1.kwd
c:\windows\system32\585300597\new.i2.kwd
c:\windows\system32\585300597\new.i3.kwd
c:\windows\system32\585300597\new.i4.kwd
c:\windows\system32\585300597\new.i5.kwd
c:\windows\system32\585300597\new.i6.kwd
c:\windows\system32\585300597\new.i7
c:\windows\system32\585300597\new.i7.kwd
c:\windows\system32\ssembl~1
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_USRINITVERIF
.
.
((((((((((((((((((((((((( Files Created from 2011-05-22 to 2011-06-22 )))))))))))))))))))))))))))))))
.
.
2011-06-22 17:32 . 2011-06-22 17:32 -------- d-----w- c:\program files\ESET
2011-06-22 02:57 . 2011-06-22 02:57 -------- d-----w- C:\_OTM
2011-06-22 02:45 . 2011-06-22 02:45 -------- d-----w- c:\program files\ERUNT
2011-06-21 15:15 . 2011-06-21 15:15 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-06-21 15:15 . 2011-06-21 15:15 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-06-21 15:15 . 2011-06-21 15:14 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-06-18 14:53 . 2011-06-18 14:53 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-06-18 14:53 . 2011-06-18 14:53 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-06-18 14:53 . 2011-06-18 14:53 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-06-18 14:53 . 2011-06-18 14:53 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-06-18 14:53 . 2011-06-18 14:53 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-06-18 14:53 . 2011-06-18 14:53 1892184 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-06-18 14:53 . 2011-06-18 14:53 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-06-18 14:53 . 2011-06-18 14:53 1974616 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-06-14 03:12 . 2011-06-14 03:12 388096 ----a-r- c:\documents and settings\chris zurowski\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-06-14 03:11 . 2011-06-14 03:11 -------- d-----w- c:\program files\Trend Micro
2011-06-12 15:04 . 2011-06-12 15:04 -------- d-----w- c:\documents and settings\chris zurowski\Application Data\Malwarebytes
2011-06-12 15:01 . 2011-05-29 13:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-12 15:01 . 2011-06-12 15:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-06-12 15:01 . 2011-05-29 13:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-12 15:01 . 2011-06-12 15:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-11 17:14 . 2011-05-10 12:03 307928 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-06-11 17:14 . 2011-05-10 11:59 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-06-11 17:14 . 2011-05-10 12:02 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-06-11 17:14 . 2011-05-10 11:59 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-06-11 17:14 . 2011-05-10 12:03 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-06-11 17:14 . 2011-05-10 12:02 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-06-11 17:14 . 2011-05-10 12:02 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-06-11 17:14 . 2011-05-10 11:59 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-06-11 17:13 . 2011-05-10 12:10 40112 ----a-w- c:\windows\avastSS.scr
2011-06-11 17:13 . 2011-05-10 12:10 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-06-11 17:13 . 2011-06-11 17:13 -------- d-----w- c:\program files\AVAST Software
2011-06-11 17:13 . 2011-06-11 17:13 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-06-07 20:04 . 2011-06-07 20:04 -------- d-----w- c:\documents and settings\chris zurowski\Local Settings\Application Data\Western Digital
2011-06-07 05:50 . 2011-06-07 05:50 -------- d-----w- c:\windows\system32\XPSViewer
2011-06-07 05:50 . 2011-06-07 05:50 -------- d-----w- c:\program files\MSBuild
2011-06-07 05:50 . 2011-06-07 05:50 -------- d-----w- c:\program files\Reference Assemblies
2011-06-07 05:50 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2011-06-07 05:49 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2011-06-07 05:49 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2011-06-07 05:49 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2011-06-07 05:49 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2011-06-07 05:49 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2011-06-07 05:49 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2011-06-07 05:49 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2011-06-07 05:49 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2011-06-06 21:00 . 2011-06-06 21:00 -------- d-----w- c:\documents and settings\chris zurowski\Local Settings\Application Data\Temp
2011-06-06 16:55 . 2011-06-06 16:55 183696 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2011-06-06 16:55 . 2011-06-06 16:55 183696 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2011-06-05 16:44 . 2011-06-05 16:44 -------- d-----w- c:\documents and settings\aidin\Local Settings\Application Data\Mozilla Firefox
2011-06-05 16:21 . 2011-06-05 16:21 14744 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\ppcrlconfig.dll
2011-06-05 16:21 . 2011-06-05 16:21 14744 ----a-w- c:\documents and settings\aidin\Application Data\Microsoft\IdentityCRL\ppcrlconfig.dll
2011-06-05 15:51 . 2011-06-05 15:51 -------- d-s---w- c:\documents and settings\mom and steve\UserData
2011-06-05 14:19 . 2011-06-05 14:19 -------- d-----w- c:\windows\ServicePackFiles
2011-06-05 13:04 . 2011-06-05 13:39 -------- d-----w- c:\windows\system32\CatRoot_bak
2011-06-05 03:43 . 2008-10-15 16:57 332800 ------w- c:\windows\system32\dllcache\netapi32.dll
2011-06-05 03:40 . 2011-06-05 03:40 -------- d-----w- c:\program files\MSXML 6.0
2011-06-05 03:36 . 2009-12-31 16:14 352640 ------w- c:\windows\system32\dllcache\srv.sys
2011-06-05 03:32 . 2010-02-24 12:31 454016 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2011-06-05 03:21 . 2008-06-13 13:10 272128 ------w- c:\windows\system32\drivers\bthport.sys
2011-06-05 03:21 . 2008-06-13 13:10 272128 ------w- c:\windows\system32\dllcache\bthport.sys
2011-06-05 02:10 . 2010-06-14 14:30 743936 ------w- c:\windows\system32\dllcache\helpsvc.exe
2011-06-05 02:04 . 2009-10-15 17:21 82432 ------w- c:\windows\system32\dllcache\fontsub.dll
2011-06-05 01:53 . 2009-07-31 04:57 1172480 ------w- c:\windows\system32\dllcache\msxml3.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-18 14:53 . 2011-06-18 14:53 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2010-05-17 15:38 203776 --sh--w- c:\windows\SYSTEM32\unrar.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-05-10 12:10 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-05-10 3459712]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
.
R1 aswSnx;aswSnx;c:\windows\SYSTEM32\DRIVERS\aswSnx.sys [06/11/2011 1:14 PM 441176]
R1 aswSP;aswSP;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [06/11/2011 1:14 PM 307928]
R2 aswFsBlk;aswFsBlk;c:\windows\SYSTEM32\DRIVERS\aswFsBlk.sys [06/11/2011 1:14 PM 19544]
R3 m4301a;Linksys Wireless-B USB Network Adapter v4.0 Driver;c:\windows\SYSTEM32\DRIVERS\m4301A.sys [04/03/2011 1:43 PM 116192]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys [06/12/2011 11:01 AM 39984]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\SYSTEM32\DRIVERS\wdcsam.sys [02/13/2009 3:02 PM 11520]
S3 ZD1201U;ZyDAS ZD1201 IEEE 802.11b Wireless LAN Driver (USB);c:\windows\SYSTEM32\DRIVERS\ZD1201U.sys [03/11/2006 5:27 PM 38656]
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3477593384-2160461186-3016248450-1006.job
- c:\documents and settings\chris zurowski\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-25 17:46]
.
.
------- Supplementary Scan -------
.
IE: &AIM Search
IE: E&xport to Microsoft Excel
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
FF - ProfilePath - c:\documents and settings\chris zurowski\Application Data\Mozilla\Firefox\Profiles\91n9x25e.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/sli ... ie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/sli ... rab&query=
FF - prefs.js: network.proxy.type - 4
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
AddRemove-CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1 - c:\program files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1\HXFSETUP.EXE
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-22 16:25
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-06-22 16:36:57 - machine was rebooted
ComboFix-quarantined-files.txt 2011-06-22 20:36
.
Pre-Run: 24,332,742,656 bytes free
Post-Run: 24,174,329,856 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 45B6F9C3602DCF47D44F0B1FAA9D74B7
steveo4025
Active Member
 
Posts: 13
Joined: June 16th, 2011, 6:22 pm

Re: Some type of Malware

Unread postby melboy » June 22nd, 2011, 5:39 pm

Hi

How are we looking now - Still being redirected?

If so, do the redirects happen irrespective of the browser you are using?

Are you able to run the ESET scan at all now?
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Some type of Malware

Unread postby steveo4025 » June 22nd, 2011, 11:05 pm

Okay, here are the details you asked about. First of all, we rarely used IE for browsing. So rarely, in fact, that we were running IE 6. I upgraded to IE 8 (because for 9 you need Vista or XP) and tried a few Google searches, all of which came back okay. I think I tried about 5 or 6 searches. I then proceeded to run ESET (45 infected files) and here is what I found:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6427
# api_version=3.0.2
# EOSSerial=4ff4f08451b01348bb54f6b6ab0a86a4
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-06-23 02:45:20
# local_time=2011-06-22 10:45:20 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=768 16777215 100 0 53456033 53456033 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=59800
# found=45
# cleaned=0
# scan_time=4276
C:\I386\GTDownDE_87.ocx probably a variant of Win32/Adware.Agent.LCKGTSG application (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\aidin\Application Data\Mozilla\Firefox\Profiles\7mdlruxk.default\extensions\{57c69cd5-e526-4be7-a7eb-6985d8b828db}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\aidin\Application Data\Mozilla\Firefox\Profiles\7mdlruxk.default\extensions\{57c69cd5-e526-4be7-a7eb-6985d8b828db}\chrome\xulcache.jar.vir JS/Agent.NCP trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\chris zurowski\Application Data\Mozilla\Firefox\Profiles\91n9x25e.default\extensions\{57c69cd5-e526-4be7-a7eb-6985d8b828db}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\chris zurowski\Application Data\Mozilla\Firefox\Profiles\91n9x25e.default\extensions\{57c69cd5-e526-4be7-a7eb-6985d8b828db}\chrome\xulcache.jar.vir JS/Agent.NCP trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\xavltxta.default\extensions\{57c69cd5-e526-4be7-a7eb-6985d8b828db}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\xavltxta.default\extensions\{57c69cd5-e526-4be7-a7eb-6985d8b828db}\chrome\xulcache.jar.vir JS/Agent.NCP trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\mxkdfz77.default\extensions\{57c69cd5-e526-4be7-a7eb-6985d8b828db}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\mxkdfz77.default\extensions\{57c69cd5-e526-4be7-a7eb-6985d8b828db}\chrome\xulcache.jar.vir JS/Agent.NCP trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\mom and steve\Application Data\Mozilla\Firefox\Profiles\doxju2rb.default\extensions\{57c69cd5-e526-4be7-a7eb-6985d8b828db}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\mom and steve\Application Data\Mozilla\Firefox\Profiles\doxju2rb.default\extensions\{57c69cd5-e526-4be7-a7eb-6985d8b828db}\chrome\xulcache.jar.vir JS/Agent.NCP trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1371\A0355089.manifest Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1371\A0355090.manifest Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1371\A0355091.manifest Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1371\A0355092.manifest Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1371\A0355093.manifest Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1372\A0355133.manifest Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1372\A0355134.manifest Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1372\A0355135.manifest Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1372\A0355136.manifest Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1372\A0355137.manifest Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1375\A0355671.manifest Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1375\A0355672.manifest Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1375\A0355675.manifest Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1375\A0355676.manifest Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1375\A0355677.manifest Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1375\A0355820.exe probably a variant of Win32/Agent.LNPVKMP trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1375\A0355822.exe probably a variant of Win32/Agent.LNPVKMP trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1375\A0355823.exe probably a variant of Win32/Agent.LNPVKMP trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1375\A0355864.dll Win32/Adware.WBug.A application (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1378\A0356404.manifest Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1378\A0356405.manifest Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1378\A0356406.manifest Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1378\A0356407.manifest Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1378\A0356408.manifest Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1379\A0356569.manifest Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1379\A0356570.manifest Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1379\A0356571.manifest Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1379\A0356572.manifest Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1379\A0356573.manifest Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1395\A0360243.manifest Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1395\A0360244.manifest Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1395\A0360245.manifest Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1395\A0360246.manifest Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1395\A0360247.manifest Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
steveo4025
Active Member
 
Posts: 13
Joined: June 16th, 2011, 6:22 pm

Re: Some type of Malware

Unread postby steveo4025 » June 22nd, 2011, 11:06 pm

One more thing, we use Mozilla Firefox to browse the web. (I am sure you already knew that) This is where the redirects are still occurring.
steveo4025
Active Member
 
Posts: 13
Joined: June 16th, 2011, 6:22 pm

Re: Some type of Malware

Unread postby melboy » June 23rd, 2011, 6:10 am

Hi

All but one of the detections by ESET are accountable - they're either in ComboFix's quarantine or System Restore. These will be resolved in my final post to you. ;) The other is a false positive.

Let me know if either browser is being redirected after running this CFScript.


COMBOFIX-Script

A word of warning: Please do not run ComboFix on your own. This tool is not for everyday use.

If combofix prompts you that an update is available, please allow it to update.


  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below (Do Not include Code:)

    Code: Select all
    Firefox::
    FF - ProfilePath - c:\documents and settings\chris zurowski\Application Data\Mozilla\Firefox\Profiles\91n9x25e.default\
    FF - prefs.js: browser.search.defaulturl -
    FF - prefs.js: keyword.URL -
    
    

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • If you need help to disable your protection programs see here.
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK
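As an added illustration of what the Firefox:: block in melboy's CFScript does (example code written for this page, not from the thread, MalwareRemoval.com or the ComboFix tool): the script below parses the "FF - prefs.js:" lines of a ComboFix Supplementary Scan, flags the search preferences whose target host is not one the owner chose, and emits the reset block in the same form as the CFScript above. The trusted-host list and the sample log lines are constructed for the example; the redirector host is the one that appears in the log posted earlier in the thread.

```python
"""Flag Firefox search-redirect indicators in a ComboFix log and build
the matching CFScript 'Firefox::' reset block."""
import re

# Constructed sample, modelled on the Supplementary Scan section of the
# ComboFix log posted above. ComboFix defangs URLs as "hxxp".
SAMPLE_LOG = """\
------- Supplementary Scan -------
.
IE: &AIM Search
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
FF - ProfilePath - c:\\documents and settings\\chris zurowski\\Application Data\\Mozilla\\Firefox\\Profiles\\91n9x25e.default\\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/sli?query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/sli?query=
FF - prefs.js: network.proxy.type - 4
"""

# Preferences that decide where address-bar and search-box queries are sent;
# these are the two that melboy's CFScript resets.
SEARCH_PREFS = {"browser.search.defaulturl", "keyword.URL"}

# Hosts the machine's owner actually picked as search providers
# (assumption for the example; adjust to the user's real choice).
TRUSTED_HOSTS = {"www.google.com", "www.yahoo.com", "www.bing.com"}

PREF_RE = re.compile(r"^FF - prefs\.js: (?P<name>\S+) - (?P<value>.*)$")
PROFILE_RE = re.compile(r"^FF - ProfilePath - (?P<path>.+)$")


def host_of(value):
    """Return the lower-cased host of a defanged (hxxp) or normal URL, else None."""
    m = re.match(r"(?:hxxps?|https?)://([^/\s]+)", value.strip(), re.I)
    return m.group(1).lower() if m else None


def parse_ff_prefs(log_text):
    """Return (profile_path, {pref_name: value}) from the FF lines of a log."""
    profile, prefs = None, {}
    for line in log_text.splitlines():
        m = PROFILE_RE.match(line)
        if m:
            profile = m.group("path")
            continue
        m = PREF_RE.match(line)
        if m:
            prefs[m.group("name")] = m.group("value").strip()
    return profile, prefs


def find_search_hijacks(prefs):
    """Search prefs whose target is missing a host or points at an untrusted one."""
    hijacked = {}
    for name in SEARCH_PREFS:
        value = prefs.get(name)
        if value is None:
            continue  # pref not set: Firefox falls back to its built-in default
        host = host_of(value)
        if host is None or host not in TRUSTED_HOSTS:
            hijacked[name] = value
    return hijacked


def build_cfscript(profile, hijacked):
    """Emit the Firefox:: block; a pref listed with an empty value is cleared."""
    if not hijacked:
        return ""
    lines = ["Firefox::", f"FF - ProfilePath - {profile}"]
    for name in sorted(hijacked):
        lines.append(f"FF - prefs.js: {name} -")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    prof, found = parse_ff_prefs(SAMPLE_LOG)
    bad = find_search_hijacks(found)
    for name, value in sorted(bad.items()):
        print(f"suspicious {name}: {value}")
    print(build_cfscript(prof, bad))
```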

Re: Some type of Malware

Unread postby steveo4025 » June 23rd, 2011, 12:47 pm

Firefox::
FF - ProfilePath - c:\documents and settings\chris zurowski\Application Data\Mozilla\Firefox\Profiles\91n9x25e.default\
FF - prefs.js: browser.search.defaulturl -
FF - prefs.js: keyword.URL -
.
2011-06-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3477593384-2160461186-3016248450-1006.job
- c:\documents and settings\chris zurowski\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-25 17:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: &AIM Search
IE: E&xport to Microsoft Excel
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
FF - ProfilePath - c:\documents and settings\chris zurowski\Application Data\Mozilla\Firefox\Profiles\91n9x25e.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: network.proxy.type - 4
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-23 11:15
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3568)
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2011-06-23 11:20:03
Here is the new combofix log you needed; so far it seems that the searches are no longer being re-directed!! I hope that this was the final time!!

ComboFix-quarantined-files.txt 2011-06-23 15:19
ComboFix2.txt 2011-06-23 14:52
ComboFix3.txt 2011-06-22 20:36
.
Pre-Run: 23,817,662,464 bytes free
Post-Run: 23,800,737,792 bytes free
.
- - End Of File - - 98FFDB949863F45BB3CF0FEE7121F9F6
steveo4025
Active Member
 
Posts: 13
Joined: June 16th, 2011, 6:22 pm

Re: Some type of Malware

Unread postby melboy » June 23rd, 2011, 12:52 pm

Hi

Is that the whole of combofix.txt? It looks incomplete.
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Some type of Malware

Unread postby steveo4025 » June 24th, 2011, 1:14 am

Hey Melboy, sorry about that; not sure what happened. Here is the full log you wanted.

ComboFix 11-06-23.01 - chris zurowski 06/24/2011 0:02.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.254.24 [GMT -4:00]
Running from: c:\documents and settings\chris zurowski\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\chris zurowski\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((( Files Created from 2011-05-24 to 2011-06-24 )))))))))))))))))))))))))))))))
.
.
2011-06-23 16:50 . 2011-06-23 16:50 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-23 00:51 . 2011-06-23 00:51 -------- d-sh--w- c:\documents and settings\chris zurowski\PrivacIE
2011-06-23 00:47 . 2011-06-23 00:47 -------- d-sh--w- c:\documents and settings\chris zurowski\IETldCache
2011-06-23 00:46 . 2011-06-23 00:46 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2011-06-23 00:06 . 2011-06-23 00:43 -------- dc-h--w- c:\windows\ie8
2011-06-22 17:32 . 2011-06-22 17:32 -------- d-----w- c:\program files\ESET
2011-06-22 02:57 . 2011-06-22 02:57 -------- d-----w- C:\_OTM
2011-06-22 02:45 . 2011-06-22 02:45 -------- d-----w- c:\program files\ERUNT
2011-06-21 15:15 . 2011-06-21 15:15 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-06-21 15:15 . 2011-06-21 15:15 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-06-21 15:15 . 2011-06-21 15:14 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-06-18 14:53 . 2011-06-18 14:53 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-06-18 14:53 . 2011-06-18 14:53 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-06-18 14:53 . 2011-06-18 14:53 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-06-18 14:53 . 2011-06-18 14:53 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-06-18 14:53 . 2011-06-18 14:53 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-06-18 14:53 . 2011-06-18 14:53 1892184 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-06-18 14:53 . 2011-06-18 14:53 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-06-18 14:53 . 2011-06-18 14:53 1974616 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-06-14 03:12 . 2011-06-14 03:12 388096 ----a-r- c:\documents and settings\chris zurowski\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-06-14 03:11 . 2011-06-14 03:11 -------- d-----w- c:\program files\Trend Micro
2011-06-12 15:04 . 2011-06-12 15:04 -------- d-----w- c:\documents and settings\chris zurowski\Application Data\Malwarebytes
2011-06-12 15:01 . 2011-05-29 13:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-12 15:01 . 2011-06-12 15:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-06-12 15:01 . 2011-05-29 13:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-12 15:01 . 2011-06-12 15:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-11 17:14 . 2011-05-10 12:03 307928 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-06-11 17:14 . 2011-05-10 11:59 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-06-11 17:14 . 2011-05-10 12:02 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-06-11 17:14 . 2011-05-10 11:59 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-06-11 17:14 . 2011-05-10 12:03 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-06-11 17:14 . 2011-05-10 12:02 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-06-11 17:14 . 2011-05-10 12:02 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-06-11 17:14 . 2011-05-10 11:59 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-06-11 17:13 . 2011-05-10 12:10 40112 ----a-w- c:\windows\avastSS.scr
2011-06-11 17:13 . 2011-05-10 12:10 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-06-11 17:13 . 2011-06-11 17:13 -------- d-----w- c:\program files\AVAST Software
2011-06-11 17:13 . 2011-06-11 17:13 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-06-07 20:04 . 2011-06-07 20:04 -------- d-----w- c:\documents and settings\chris zurowski\Local Settings\Application Data\Western Digital
2011-06-07 05:50 . 2011-06-07 05:50 -------- d-----w- c:\windows\system32\XPSViewer
2011-06-07 05:50 . 2011-06-07 05:50 -------- d-----w- c:\program files\MSBuild
2011-06-07 05:50 . 2011-06-07 05:50 -------- d-----w- c:\program files\Reference Assemblies
2011-06-07 05:50 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2011-06-07 05:49 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2011-06-07 05:49 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2011-06-07 05:49 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2011-06-07 05:49 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2011-06-07 05:49 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2011-06-07 05:49 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2011-06-07 05:49 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2011-06-07 05:49 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2011-06-06 21:00 . 2011-06-06 21:00 -------- d-----w- c:\documents and settings\chris zurowski\Local Settings\Application Data\Temp
2011-06-06 16:55 . 2011-06-06 16:55 183696 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2011-06-06 16:55 . 2011-06-06 16:55 183696 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2011-06-05 16:44 . 2011-06-05 16:44 -------- d-----w- c:\documents and settings\aidin\Local Settings\Application Data\Mozilla Firefox
2011-06-05 16:21 . 2011-06-05 16:21 14744 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\ppcrlconfig.dll
2011-06-05 16:21 . 2011-06-05 16:21 14744 ----a-w- c:\documents and settings\aidin\Application Data\Microsoft\IdentityCRL\ppcrlconfig.dll
2011-06-05 15:51 . 2011-06-05 15:51 -------- d-s---w- c:\documents and settings\mom and steve\UserData
2011-06-05 14:19 . 2011-06-05 14:19 -------- d-----w- c:\windows\ServicePackFiles
2011-06-05 13:04 . 2011-06-05 13:39 -------- d-----w- c:\windows\system32\CatRoot_bak
2011-06-05 03:43 . 2008-10-15 16:57 332800 ------w- c:\windows\system32\dllcache\netapi32.dll
2011-06-05 03:40 . 2011-06-05 03:40 -------- d-----w- c:\program files\MSXML 6.0
2011-06-05 03:36 . 2009-12-31 16:14 352640 ------w- c:\windows\system32\dllcache\srv.sys
2011-06-05 03:32 . 2010-02-24 12:31 454016 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2011-06-05 03:21 . 2008-06-13 13:10 272128 ------w- c:\windows\system32\drivers\bthport.sys
2011-06-05 03:21 . 2008-06-13 13:10 272128 ------w- c:\windows\system32\dllcache\bthport.sys
2011-06-05 02:10 . 2010-06-14 14:30 743936 ------w- c:\windows\system32\dllcache\helpsvc.exe
2011-06-05 02:04 . 2009-10-15 17:21 82432 ------w- c:\windows\system32\dllcache\fontsub.dll
2011-06-05 01:53 . 2009-07-31 04:57 1172480 ------w- c:\windows\system32\dllcache\msxml3.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-18 14:53 . 2011-06-18 14:53 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2010-05-17 15:38 203776 --sh--w- c:\windows\SYSTEM32\unrar.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-05-10 12:10 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-05-10 3459712]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
.
R1 aswSnx;aswSnx;c:\windows\SYSTEM32\DRIVERS\aswSnx.sys [06/11/2011 1:14 PM 441176]
R1 aswSP;aswSP;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [06/11/2011 1:14 PM 307928]
R2 aswFsBlk;aswFsBlk;c:\windows\SYSTEM32\DRIVERS\aswFsBlk.sys [06/11/2011 1:14 PM 19544]
R3 m4301a;Linksys Wireless-B USB Network Adapter v4.0 Driver;c:\windows\SYSTEM32\DRIVERS\m4301A.sys [04/03/2011 1:43 PM 116192]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys [06/12/2011 11:01 AM 39984]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\SYSTEM32\DRIVERS\wdcsam.sys [02/13/2009 3:02 PM 11520]
S3 ZD1201U;ZyDAS ZD1201 IEEE 802.11b Wireless LAN Driver (USB);c:\windows\SYSTEM32\DRIVERS\ZD1201U.sys [03/11/2006 5:27 PM 38656]
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3477593384-2160461186-3016248450-1006.job
- c:\documents and settings\chris zurowski\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-25 17:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: &AIM Search
IE: E&xport to Microsoft Excel
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
FF - ProfilePath - c:\documents and settings\chris zurowski\Application Data\Mozilla\Firefox\Profiles\91n9x25e.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: network.proxy.type - 4
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-24 00:15
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2820)
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2011-06-24 00:20:43
ComboFix-quarantined-files.txt 2011-06-24 04:20
ComboFix2.txt 2011-06-23 15:20
ComboFix3.txt 2011-06-23 14:52
ComboFix4.txt 2011-06-22 20:36
.
Pre-Run: 24,353,800,192 bytes free
Post-Run: 24,338,227,200 bytes free
.
- - End Of File - - E3835B9C12EE19508E6C112FAFA9F242
steveo4025
Active Member
 
Posts: 13
Joined: June 16th, 2011, 6:22 pm

Re: Some type of Malware

Unread postby melboy » June 24th, 2011, 7:29 am

Your log now appears to be clean. Congratulations!

This is my general post for when your logs show no more signs of malware ;) - Please let me know if you still are having problems with your computer and what these problems are. If not, please continue with the instructions below.


Uninstall Combofix

We Need to Remove ComboFix

  1. Please go to Start -> Run
  2. Enter "ComboFix /uninstall" (without quotes). Note the space between "ComboFix" and "/uninstall", it needs to be there.
    Image
  3. Press OK (Or hit enter).
  4. Allow ComboFix to remove itself.



OTM by OldTimer

You should still have this on your Desktop.

  • Double-click OTM.exe
  • Click the CleanUp! button
  • Select Yes when the "Begin cleanup Process?" prompt appears
  • If you are prompted to Reboot during the cleanup, select Yes
  • The tool will delete itself once it finishes, if not delete it by yourself


==========================

Windows XP Service Pack 3 is missing

You should take care of this as soon as possible, since your computer will be very vulnerable without it. It also contains many bug fixes and improvements. Support for Windows XP with Service Pack 2 (SP2) ended on July 13, 2010.
Visit http://www.update.microsoft.com using Internet Explorer, and install all high priority updates. Service Pack 3 will be installed as a part of this procedure.
Note:
You may have to repeat the procedure several times before you get all the updates. Go to windows update, get all high priority updates, reboot your computer, and repeat until there are no updates left to install. Learn how to install Windows XP Service Pack 3

==========================


General Security and Computer Health

Below are some steps to follow in order to dramatically lower the chances of reinfection. You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented.


  • Make sure that you keep your antivirus updated
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
    Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
    Uninstall Tools for Major Antivirus Products

  • Security Updates for Windows, Internet Explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site on a regular basis.
    Note: The update process uses ActiveX, so you will need to use internet explorer for it and allow the ActiveX control to install.

  • Update Non-Microsoft Programs
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check whether other programs running on your PC are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month.

  • Make Internet Explorer More Secure
    Even if you do not use Internet Explorer as your Primary/Default browser it is important to keep it updated. Internet Explorer can be utilised by other programs and therefore must be kept updated to avoid exploitable vulnerabilities.


Recommended Programs

I would recommend the download and installation of some or all of the following programs (if not already present), and the updating of them on a regular basis.

  • WinPatrol
    As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. For more information, please visit HERE.
  • Malwarebytes' Anti-Malware
    As you already have Malwarebytes' Anti-Malware on board I would keep it regularly updated and run regular quick scans with it. Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. The Full version can be used as an addition to an anti-virus & includes a number of features, including a built in protection monitor that blocks malicious processes before they even start.
    Its IP Protection provides an additional layer of security for your computer, by preventing access to known malicious IP addresses and IP ranges.
    You can now trial the full version's features within the program. Click the Protection Tab to see.
  • Hosts File
    For added protection you may also like to add a Hosts file. A simple explanation of what a Hosts file does is HERE and for more information regarding Hosts files read HERE.


Finally, I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date.

Also please read this great article by Tony Klein So How Did I Get Infected In First Place

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.

Happy surfing and stay clean!
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Some type of Malware

Unread postby Cypher » June 27th, 2011, 2:05 pm

As this issue appears to be resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
Cypher
Admin/Teacher
 
Posts: 15148
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns