
Please check my logs, I think I've cleaned it!



#1
rix1505
New Member, 2 posts
Hi

I had problems with a client's PC that had a search redirect sending Google search result links to porn sites and other random stuff, and also pop-ups coming up and security alerts that were fake.

I've run the latest Malwarebytes and think we've sorted it; please could you check the logs...

Here are the logs now...

ComboFix

ComboFix 09-08-31.03 - Administrator 01/09/2009 11:20.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.387 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: eTrust ITM *On-access scanning disabled* (Updated) {33EA71EA-56CF-40B5-A06B-BD3A27397C44}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-2693488920-2141338909-3704221643-500
c:\windows\run.log
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_kbiwkmyxwmnrer
-------\Legacy_UACd.sys
-------\Service_kbiwkmyxwmnrer
-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-08-01 to 2009-09-01 )))))))))))))))))))))))))))))))
.

2009-09-01 09:22 . 2009-09-01 09:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Search
2009-08-25 09:21 . 2009-08-25 09:21 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2009-08-25 09:21 . 2009-08-25 09:21 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-08-25 09:21 . 2009-08-25 09:21 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-08-25 09:21 . 2009-08-25 09:21 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-08-25 09:20 . 2009-08-25 09:20 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-08-25 09:18 . 2009-08-25 09:18 -------- d-----w- c:\windows\ie8updates
2009-08-25 09:17 . 2009-08-25 09:18 -------- dc-h--w- c:\windows\ie8
2009-08-25 09:16 . 2009-07-03 17:09 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-08-25 09:16 . 2009-07-03 17:09 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-08-25 09:11 . 2009-08-25 09:11 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Desktop Search
2009-08-25 09:11 . 2009-08-26 08:14 -------- d-----w- c:\program files\Windows Desktop Search
2009-08-25 09:11 . 2009-08-25 09:11 -------- d-----w- c:\windows\system32\GroupPolicy
2009-08-25 09:10 . 2008-03-07 17:02 98304 ------w- c:\windows\system32\dllcache\nlhtml.dll
2009-08-25 09:10 . 2008-03-07 17:02 29696 ------w- c:\windows\system32\dllcache\mimefilt.dll
2009-08-25 09:10 . 2008-03-07 17:02 192000 ------w- c:\windows\system32\dllcache\offfilt.dll
2009-08-25 08:53 . 2009-08-25 08:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-08-25 08:30 . 2009-08-03 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-25 08:30 . 2009-08-25 08:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-25 08:30 . 2009-08-03 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-25 07:56 . 2009-08-25 08:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-19 19:39 . 2009-06-25 08:25 301568 ------w- c:\windows\system32\dllcache\kerberos.dll
2009-08-19 19:39 . 2009-06-25 08:25 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-08-19 19:39 . 2009-06-24 11:18 92928 ------w- c:\windows\system32\dllcache\ksecdd.sys
2009-08-18 13:24 . 2009-08-18 14:32 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-18 12:53 . 2009-08-18 12:53 -------- d-----w- c:\program files\NCH Software
2009-08-18 11:41 . 2009-08-18 11:41 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2009-08-18 10:42 . 2009-08-18 10:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\Logs
2009-08-18 10:37 . 2009-08-18 10:37 30208 ----a-w- c:\windows\system32\uacrem.dll
2009-08-15 20:54 . 2009-08-15 20:54 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-15 20:54 . 2009-08-15 20:54 -------- d-----w- c:\program files\MSBuild
2009-08-15 20:54 . 2009-08-15 20:54 -------- d-----w- c:\program files\Reference Assemblies
2009-08-15 20:53 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-15 20:53 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-15 20:53 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-15 20:53 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-15 20:53 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-15 20:53 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-15 20:53 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-15 20:53 . 2009-08-15 20:54 -------- d-----w- C:\6b908bf6f0422ebac4b215c9
2009-08-13 10:12 . 2009-06-12 12:31 76288 ------w- c:\windows\system32\dllcache\telnet.exe
2009-08-12 11:25 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-08-05 09:01 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-01 08:02 . 2009-02-17 12:37 1 ----a-w- c:\documents and settings\Administrator\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-08-25 16:02 . 2009-06-08 20:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2009-08-25 08:44 . 2009-02-21 00:55 -------- d-----w- c:\program files\Google
2009-08-25 08:05 . 2009-05-11 16:42 -------- d-----w- c:\program files\Windows Media Connect 2
2009-08-21 23:53 . 2009-02-17 10:15 -------- d-----w- c:\program files\Microsoft Picture It! PhotoPub
2009-08-16 11:58 . 2009-02-14 07:37 62176 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-05 09:01 . 2004-08-04 07:56 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-01 00:46 . 2009-07-31 17:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-07-31 17:01 . 2009-05-20 09:48 -------- d-----w- c:\program files\Norton Security Scan
2009-07-31 17:01 . 2009-07-31 17:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-07-31 17:01 . 2009-07-31 17:01 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-07-17 19:01 . 2004-08-04 07:56 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 22:43 . 2004-08-04 07:56 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-11 20:07 . 2009-07-11 20:05 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2009-07-11 20:03 . 2009-07-11 20:03 -------- d-----w- c:\documents and settings\Administrator\Application Data\PriceGong
2009-07-03 17:09 . 2004-08-04 07:56 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2004-08-04 07:56 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-04 07:56 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-04 07:56 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-04 07:56 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-04 07:56 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-08-04 07:56 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2009-02-12 10:27 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2004-08-04 07:56 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2001-08-18 05:36 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2004-08-04 07:56 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2009-02-12 10:28 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2004-08-04 07:56 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 08:19 . 2004-08-04 05:59 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2004-08-04 07:56 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-03 19:09 . 2004-08-04 07:56 1291264 ----a-w- c:\windows\system32\quartz.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-11-26 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-11-26 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-11-26 137752]
"PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2008-04-07 318488]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
"Recguard"="c:\windows\Sminst\Recguard.exe" [2006-05-12 1138688]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2006-03-31 761856]
"Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-07-10 872448]
"Realtime Monitor"="c:\program files\CA\eTrustITM\realmon.exe" [2008-02-08 407368]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-12-04 176128]
"HPHmon05"="c:\windows\system32\hphmon05.exe" [2004-02-02 495616]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-04-17 185896]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SMINST\\Scheduler.exe"=
"c:\\Program Files\\CA\\eTrustITM\\Apache\\bin\\Apache.exe"=
"c:\\Program Files\\CA\\eTrustITM\\InoRpc.exe"=
"c:\\Program Files\\CA\\eTrustITM\\Realmon.exe"=
"c:\\Program Files\\CA\\eTrustITM\\Shellscn.exe"=
"c:\\Program Files\\CA\\eTrustITM\\InoNmSrv.exe"=
"c:\\Program Files\\CA\\eTrustITM\\inoweb.exe"=
"c:\\Program Files\\CA\\SharedComponents\\ThirdParty\\Tomcat\\5.5\\bin\\tomcat5.exe"=
"c:\\WINDOWS\\system32\\msiexec.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5900:TCP"= 5900:TCP:vnc

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R2 Alert Notification Server;Alert Notification Server;c:\program files\CA\SharedComponents\Alert\alert.exe [17/02/2009 01:33 214928]
R2 ApacheTomcatApplicationServer;Apache Tomcat Application Server;c:\program files\CA\SharedComponents\ThirdParty\Tomcat\5.5\bin\tomcat5.exe [20/08/2007 17:54 102400]
R2 InoNmSrv;eTrust ITM Server Service;c:\program files\CA\eTrustITM\InoNmSrv.exe [08/02/2008 18:58 278528]
R2 InoWeb;eTrust ITM Web Access Service;c:\program files\CA\eTrustITM\InoWeb.exe [08/02/2008 18:58 282624]
R2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [12/02/2009 11:46 576024]
S2 0039231234829624mcinstcleanup;McAfee Application Installer Cleanup (0039231234829624);c:\docume~1\ADMINI~1\LOCALS~1\Temp\003923~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\003923~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S2 ApacheContentServer;Apache Content Server;c:\program files\CA\eTrustITM\Apache\bin\Apache.exe [20/08/2007 17:53 13824]
S2 gupdate1c993c0120677ec;Google Update Service (gupdate1c993c0120677ec);c:\program files\Google\Update\GoogleUpdate.exe [21/02/2009 02:02 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-21 01:01]

2009-09-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-21 01:01]

2009-09-01 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\HP\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\pexpress\hphped05.exe [2004-01-07 05:05]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-zzzHPSETUP - E:\Setup.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = iexplore
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-01 11:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pdfcDispatcher]
"ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2606978470-1387676230-347679832-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2c,b6,f6,6d,9d,80,ec,4c,8d,7d,7e,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2c,b6,f6,6d,9d,80,ec,4c,8d,7d,7e,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(716)
c:\program files\CA\SharedComponents\PPRealtime\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRealtime\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRealtime\bin\CAServer.dll
c:\program files\RealVNC\VNC4\wm_hooks.dll

- - - - - - - > 'explorer.exe'(1736)
c:\windows\system32\WININET.dll
c:\program files\CA\SharedComponents\PPRealtime\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRealtime\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRealtime\bin\CAServer.dll
c:\program files\RealVNC\VNC4\wm_hooks.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\CA\SharedComponents\iTechnology\igateway.exe
c:\program files\CA\eTrustITM\InoRPC.exe
c:\program files\CA\eTrustITM\InoRT.exe
c:\program files\CA\eTrustITM\InoTask.exe
c:\program files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe
c:\windows\system32\spool\drivers\w32x86\3\HPZIPM12.EXE
c:\program files\RealVNC\VNC4\winvnc4.exe
c:\windows\system32\searchindexer.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\searchprotocolhost.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\windows\system32\searchfilterhost.exe
.
**************************************************************************
.
Completion time: 2009-09-01 11:32 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-01 10:32

Pre-Run: 226,568,736,768 bytes free
Post-Run: 226,720,464,896 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

252 --- E O F --- 2009-08-26 22:52

RootRepeal Log

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/01 11:06
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA9FD9000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7A28000 Size: 8192 File Visible: No Signed: -
Status: -

Name: oqeujo.sys
Image Path: C:\WINDOWS\system32\drivers\oqeujo.sys
Address: 0xAA720000 Size: 61440 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA8DD1000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\Program Files\CA\eTrustITM\ArcTemp\arc0003.tmp
Status: Visible to the Windows API, but not on disk.

Stealth Objects
-------------------
Object: Hidden Handle [Index: 952, Type: File]
Process: InoTask.exe (PID: 256) Address: 0x86cc5c08 Size: -

Hidden Services
-------------------
Service Name: kbiwkmyxwmnrer
Image Path: C:\WINDOWS\system32\drivers\kbiwkmftepappk.sys

Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACrgixboxltl.sys

==EOF==

Malwarebytes

Malwarebytes' Anti-Malware 1.40
Database version: 2724
Windows 5.1.2600 Service Pack 3

01/09/2009 11:00:15
mbam-log-2009-09-01 (11-00-15).txt

Scan type: Quick Scan
Objects scanned: 93609
Time elapsed: 8 minute(s), 23 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 8

Memory Processes Infected:
C:\Program Files\SafetyCenter\protector.exe (Rogue.Installer) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\SafetyCenter (Trojan.SafetyCenter) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\SafetyCenter\protector.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kbiwkmswxfmnxu.dll (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\drivers\kbiwkmftepappk.sys (Rootkit.TDSS) -> Delete on reboot.
C:\Program Files\SafetyCenter\main.ico (Trojan.SafetyCenter) -> Quarantined and deleted successfully.
C:\Program Files\SafetyCenter\sound.wav (Trojan.SafetyCenter) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kbiwkmdxuuhrqh.dat (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\kbiwkmiltivklj.dll (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\kbiwkmtrdbbjkv.dat (Rootkit.TDSS) -> Delete on reboot.

Thanks

Rich...:)