Windows Update not working and Search Engine hijacked [2] [Solved]


  • This topic is locked This topic is locked

#1
zlatko99

I have the same symptoms on my Vista as the following solved thread describes:

http://www.geekstogo...ed-t273239.html

However, I didn't dare to follow the instructions in that thread on my own, taking into consideration that every environment is different.

I would be greatly thankful if someone can take me through the disinfection of my system. I am able to follow your instructions carefully and supply you with logs.

Thank you in advance,
Zlatko

Edited by zlatko99, 21 April 2010 - 05:55 AM.

#2
Rorschach112 (Ralphie)

Download ComboFix here:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Here is a guide on how to disable them

    Click me

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.





Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

#3
zlatko99

Dear Ralphie,

First of all, thank you very much for offering me your help.

I'm very happy to announce that my system now looks clean after following your advice and doesn't show the malicious symptoms as previously. But, I'm aware that there might be corruptions or parts that should be cleaned up afterwards. Therefore, I will explain the procedure I have taken and paste the ComboFix.txt log.

I have downloaded and started ComboFix.exe from my desktop. After a couple of minutes, ComboFix showed a dialog box saying there was rootkit activity present on my system and that it should be rebooted. I did reboot and ComboFix started automatically before Vista. It completed all stages and reported deletion of several files. Then, Vista started normally.

I tried to search Google for "windowsupdate" and "windows update" and the searches passed successfully. Then, I ran Windows Update and it completed the download and installation of updates successfully. Obviously, the previous symptoms didn't appear anymore :)

Now my system looks normal and clean. However, I'm pasting the ComboFix.txt to check if everything is ok. Also, I'm interested what sort of virus/worm/trojan my system was infected with.

Again, thank you for your precise advice.


ComboFix 10-04-20.04 - Zlatko 04/21/2010 17:47:17.1.2 - x86
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1251.389.1033.18.3327.2240 [GMT 2:00]
Running from: c:\users\Zlatko\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2550326204-3790776232-2029245963-1000
c:\$recycle.bin\S-1-5-21-2550326204-3790776232-2029245963-1001
c:\recycler\S-1-5-21-7868272681-4902878910-501906979-1225
c:\windows\system32\97dc0401.dat
c:\windows\system32\ad6d7648.dll
c:\windows\system32\F44DC6626D.dll
c:\windows\system32\lsprst7.dll
c:\windows\system32\msvcsv60.dll
c:\windows\system32\ssprs.dll
c:\windows\system32\uninstall.exe

Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-03-21 to 2010-04-21 )))))))))))))))))))))))))))))))
.

2010-04-21 16:00 . 2010-04-21 16:00 -------- d-----w- c:\users\Zlatko\AppData\Local\temp
2010-04-20 22:34 . 2010-04-14 16:35 162768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-04-20 22:34 . 2010-04-14 16:31 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-04-20 22:34 . 2010-04-14 16:31 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-04-20 22:34 . 2010-04-14 16:35 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-04-20 22:34 . 2010-04-14 16:31 51792 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-04-20 22:34 . 2010-04-14 16:47 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-04-20 22:34 . 2010-04-14 16:47 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-04-20 22:34 . 2010-04-20 22:34 -------- d-----w- c:\programdata\Alwil Software
2010-04-20 22:34 . 2010-04-20 22:34 -------- d-----w- c:\program files\Alwil Software
2010-04-20 17:11 . 2010-04-20 17:11 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-04-20 16:31 . 2008-03-02 01:28 206608 ----a-w- c:\windows\system32\drivers\TMPassthru.sys
2010-04-20 16:31 . 2010-04-20 16:31 -------- d-----w- c:\program files\Trend Micro
2010-04-20 15:48 . 2010-04-20 15:48 388096 ----a-r- c:\users\Zlatko\AppData\Roaming\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-04-20 15:48 . 2010-04-20 15:48 -------- d-----w- c:\program files\TrendMicro
2010-04-19 22:51 . 2010-04-19 22:51 -------- d-----w- c:\users\Zlatko\AppData\Roaming\Wireshark
2010-04-19 21:28 . 2010-04-19 21:28 -------- d-----w- c:\program files\WinPcap
2010-04-19 20:31 . 2010-04-19 20:31 -------- d-----w- c:\program files\Sophos
2010-04-19 19:56 . 2010-04-19 19:56 26624 ----a-w- c:\windows\system32\drivers\fsbts.sys
2010-04-19 00:28 . 2010-04-19 00:28 -------- d-----w- C:\$AVG
2010-04-18 23:50 . 2010-04-18 23:50 -------- d-----w- c:\program files\AVG
2010-04-18 22:13 . 2010-04-18 23:02 -------- d-----w- c:\program files\Exterminate It!
2010-04-18 10:47 . 2010-01-13 17:34 98304 ----a-w- c:\windows\system32\cabview.dll
2010-04-18 10:46 . 2010-04-18 20:41 -------- d-----w- c:\windows\system32\catroot2
2010-04-18 10:46 . 2010-04-18 10:51 -------- d-----w- c:\windows\system32\catroot2(750)
2010-04-17 00:28 . 2010-04-21 15:45 -------- d-----w- c:\windows\system32\wbem\repository

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-21 15:44 . 2010-01-06 16:45 52782 ----a-w- c:\programdata\nvModes.dat
2010-04-21 15:43 . 2008-10-12 00:28 12 ----a-w- c:\windows\bthservsdp.dat
2010-04-21 15:43 . 2008-11-16 16:15 -------- d-----w- c:\users\Zlatko\AppData\Roaming\BitTorrent
2010-04-21 15:43 . 2008-11-16 16:15 -------- d-----w- c:\users\Zlatko\AppData\Roaming\DNA
2010-04-21 15:25 . 2009-01-07 16:34 -------- d-----w- c:\users\Zlatko\AppData\Roaming\VoozieMaker
2010-04-21 15:24 . 2008-11-16 16:15 -------- d-----w- c:\program files\DNA
2010-04-20 23:22 . 2008-10-13 22:27 -------- d-----w- c:\program files\LogMeIn
2010-04-20 16:31 . 2008-10-11 16:44 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-19 22:30 . 2008-10-11 20:49 -------- d-----w- c:\users\Zlatko\AppData\Roaming\Skype
2010-04-19 22:08 . 2008-10-11 21:11 -------- d-----w- c:\users\Zlatko\AppData\Roaming\skypePM
2010-04-19 21:28 . 2009-10-04 22:22 -------- d-----w- c:\program files\Wireshark
2010-04-18 20:36 . 2009-09-21 14:10 19944 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-18 20:36 . 2008-10-11 21:30 -------- d-----w- c:\users\Zlatko\AppData\Roaming\Winamp
2010-04-18 20:36 . 2009-11-29 03:19 -------- d-----w- c:\users\Zlatko\AppData\Roaming\Luxology
2010-04-18 20:36 . 2008-10-11 21:42 -------- d-----w- c:\users\Zlatko\AppData\Roaming\GHISLER
2010-04-18 20:36 . 2010-02-18 20:45 -------- d-----w- c:\program files\Real
2010-04-18 20:36 . 2009-01-07 16:33 -------- d-----w- c:\programdata\Make A Voozie
2010-04-18 20:36 . 2008-11-30 16:14 -------- d-----w- c:\programdata\FLEXnet
2010-04-18 20:36 . 2008-10-11 21:30 -------- d-----w- c:\program files\Winamp
2010-04-18 20:36 . 2008-10-16 18:42 -------- d-----w- c:\program files\QuickTime
2010-04-18 20:36 . 2010-02-18 20:45 -------- d-----w- c:\program files\Common Files\xing shared
2010-04-18 20:36 . 2008-10-11 20:58 -------- d-----w- c:\program files\Google
2010-04-18 20:36 . 2009-09-06 01:39 -------- d-----w- c:\program files\BitTorrent
2010-04-18 19:58 . 2008-10-11 20:49 -------- d-----w- c:\program files\Opera
2010-04-16 20:49 . 2010-04-08 17:06 112 ----a-w- c:\programdata\vBEtX6H8D.dat
2010-04-05 20:35 . 2009-09-15 21:06 -------- d-----w- c:\program files\Common Files\Real
2010-03-20 01:34 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-03-13 19:42 . 2008-10-18 20:46 64 ----a-w- c:\windows\msocreg32.dat
2010-03-07 12:49 . 2010-03-09 21:17 3862528 ----a-w- c:\users\Zlatko\AppData\Roaming\Mozilla\Firefox\Profiles\ieiyf5wk.default\extensions\[email protected]\plugins\npRACtrl.dll
2010-02-28 17:11 . 2009-05-06 16:12 -------- d-----w- c:\users\Goran\AppData\Roaming\DNA
2010-02-28 15:51 . 2010-02-28 15:50 58000 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2010-02-28 15:51 . 2009-05-06 16:12 -------- d-----w- c:\users\Goran\AppData\Roaming\VoozieMaker
2010-02-28 15:49 . 2008-10-12 00:03 8224 ----a-w- c:\users\Goran\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-26 09:39 . 2008-10-11 18:44 58000 ----a-w- c:\users\Zlatko\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-24 08:16 . 2009-10-04 12:36 181632 ----a-w- c:\windows\system32\MpSigStub.exe
2010-02-20 23:06 . 2010-03-19 22:56 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05 . 2010-03-19 22:56 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 20:53 . 2010-03-19 22:56 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-02-18 20:45 . 2010-02-18 20:45 325216 ----a-w- c:\programdata\Real\RealPlayer\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-02-18 20:45 . 2010-02-18 20:45 300616 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-02-18 20:45 . 2010-02-18 20:45 118784 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-02-18 20:45 . 2010-02-18 20:45 118784 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-02-18 20:45 . 2010-02-18 20:45 118784 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-02-18 20:45 . 2010-02-18 20:45 118784 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-02-18 20:45 . 2010-02-18 20:45 118784 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-02-18 20:45 . 2010-02-18 20:45 118784 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-02-18 20:45 . 2010-02-18 20:45 329312 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-01-25 12:00 . 2010-02-25 21:07 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-25 12:00 . 2010-02-25 21:07 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-25 12:00 . 2010-02-25 21:07 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-25 12:00 . 2010-02-25 21:07 471552 ----a-w- c:\windows\system32\secproc.dll
2010-01-25 11:58 . 2010-02-25 21:07 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-01-25 10:58 . 2010-03-09 21:17 462848 ----a-w- c:\users\Zlatko\AppData\Roaming\Mozilla\Firefox\Profiles\ieiyf5wk.default\extensions\[email protected]\plugins\ractrlkeyhook.dll
2010-01-25 08:21 . 2010-02-25 21:07 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-25 08:21 . 2010-02-25 21:07 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:21 . 2010-02-25 21:07 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-25 08:21 . 2010-02-25 21:07 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-23 09:26 . 2010-02-25 21:07 2048 ----a-w- c:\windows\system32\tzres.dll
2008-04-09 23:35 . 2008-04-09 23:35 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"swg"="c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-10-11 171448]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 1828136]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-11-13 323392]
"BitTorrent"="c:\program files\BitTorrent\bittorrent.exe" [2009-08-14 653104]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2008-09-24 6335008]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]
"H2O"="c:\program files\SyncroSoft\Pos\H2O\cledx.exe" [2005-12-18 307200]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 2221352]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 136768]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-09-14 2595480]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-09-14 905056]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-09-14 140568]
"BigDogPath323VMSnap"="c:\windows\VMSnap23.exe" [2007-06-29 212992]
"BigDogPath323Domino"="c:\windows\Domino.exe" [2007-06-29 49152]
"CTHelper"="CTHELPER.EXE" [2008-03-20 23040]
"CTxfiHlp"="CTXFIHLP.EXE" [2008-03-20 23552]
"Make A Voozie"="c:\programdata\Make A Voozie\VoozieMaker.exe" [2008-02-20 64000]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-11-16 2054360]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-02-18 202256]
"TMRUBottedTray"="c:\program files\Trend Micro\RUBotted\TMRUBottedTray.exe" [2008-11-06 288088]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-04-14 2790472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"VistaSp2"=hex(b):8b,83,d1,24,ca,3a,ca,01

R0 OemBiosDevice;Royalty OEM BIOS Extension;c:\windows\system32\DRIVERS\royal.sys [2008-10-26 240128]
R2 atrace32;Async Trace DLL;c:\windows\system32\rundll32.exe atrace32.dll,oruw [x]
R2 mi-raysat_3dsMax2009_32;mental ray 3.6 Satellite for Autodesk 3ds Max Design 2009 32-bit 32-bit;i:\graphics\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe [2008-03-09 65536]
R2 TimerStop;TimerStop;c:\windows\system32\TimerStop.sys [2006-12-17 3584]
R3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.SYS [2008-03-20 98328]
R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\System32\drivers\CT20XUT.SYS [2008-03-20 171032]
R3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.SYS [2008-03-20 171032]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\System32\drivers\CTAUDFX.SYS [2008-03-20 528920]
R3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.SYS [2008-03-20 528920]
R3 CTEAPSFX.SYS;CTEAPSFX.SYS;c:\windows\System32\drivers\CTEAPSFX.SYS [2008-03-20 163352]
R3 CTEAPSFX;CTEAPSFX;c:\windows\system32\drivers\CTEAPSFX.SYS [2008-03-20 163352]
R3 CTEDSPFX.SYS;CTEDSPFX.SYS;c:\windows\System32\drivers\CTEDSPFX.SYS [2008-03-20 259096]
R3 CTEDSPFX;CTEDSPFX;c:\windows\system32\drivers\CTEDSPFX.SYS [2008-03-20 259096]
R3 CTEDSPIO.SYS;CTEDSPIO.SYS;c:\windows\System32\drivers\CTEDSPIO.SYS [2008-03-20 134168]
R3 CTEDSPIO;CTEDSPIO;c:\windows\system32\drivers\CTEDSPIO.SYS [2008-03-20 134168]
R3 CTEDSPSY.SYS;CTEDSPSY.SYS;c:\windows\System32\drivers\CTEDSPSY.SYS [2008-03-20 309784]
R3 CTEDSPSY;CTEDSPSY;c:\windows\system32\drivers\CTEDSPSY.SYS [2008-03-20 309784]
R3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\System32\drivers\CTERFXFX.SYS [2008-03-20 99352]
R3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.SYS [2008-03-20 99352]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\System32\drivers\CTEXFIFX.SYS [2008-03-20 1324056]
R3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.SYS [2008-03-20 1324056]
R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\System32\drivers\CTHWIUT.SYS [2008-03-20 72728]
R3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.SYS [2008-03-20 72728]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\System32\drivers\CTSBLFX.SYS [2008-03-20 534040]
R3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.SYS [2008-03-20 534040]
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\261.tmp [x]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
R3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\DRIVERS\TMPassthru.sys [2008-03-02 206608]
R3 Tomcat6;Apache Tomcat;i:\software development\Apache Software Foundation\Tomcat 6.0\bin\tomcat6.exe [2008-07-22 57344]
R3 USBPNPA;USB PnP Sound Device Interface;c:\windows\system32\drivers\CM108.sys [2007-06-28 1310720]
R3 ZIFZB;ZIFZB;c:\users\Zlatko\AppData\Local\Temp\ZIFZB.exe [x]
S0 fsbts;fsbts;c:\windows\system32\Drivers\fsbts.sys [2010-04-19 26624]
S1 aswSP;aswSP; [x]
S1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2005-03-16 13696]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2009-11-16 108792]
S1 nltdi;nltdi;c:\windows\system32\drivers\nltdi.sys [2007-04-23 82200]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-04-14 51792]
S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2009-11-16 735960]
S2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys [2009-12-18 95896]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2008-07-24 12856]
S2 RUBotted;Trend Micro RUBotted Service;c:\program files\Trend Micro\RUBotted\TMRUBotted.exe [2008-11-06 582992]
S3 CLEDX;Team H2O CLEDX service;c:\windows\system32\DRIVERS\cledx.sys [2005-05-09 33792]
S3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\System32\drivers\COMMONFX.SYS [2008-03-20 98328]
S3 TMPassthruMP;TMPassthruMP;c:\windows\system32\DRIVERS\TMPassthru.sys [2008-03-02 206608]
S3 vmfilter323;323 filter service, Normal;c:\windows\system32\drivers\vmfilter323.sys [2006-08-08 476672]
S3 ZSMC326;VIMICRO USB2.0 PC Camera(VC0323);c:\windows\system32\Drivers\usbvm323.sys [2007-01-04 260096]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-04-21 c:\windows\Tasks\User_Feed_Synchronization-{42A20B92-5325-4094-9328-A3B5EFC253C5}.job
- c:\windows\system32\msfeedssync.exe [2010-01-24 04:56]

2010-04-19 c:\windows\Tasks\User_Feed_Synchronization-{6D22FF44-A1A1-4572-97EE-223AF122B2A6}.job
- c:\windows\system32\msfeedssync.exe [2010-01-24 04:56]

2010-04-21 c:\windows\Tasks\User_Feed_Synchronization-{DBB97EE1-986F-4EA1-8839-A829C6A65498}.job
- c:\windows\system32\msfeedssync.exe [2010-01-24 04:56]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
DPF: {705EC6D4-B138-4079-A307-EF13E4889A82} - hxxps://nemo.optier.com/CACHE/sdesktop/install/binaries/instweb.cab
DPF: {9D5461FC-3FBC-4180-8CB2-C4D806FB684B} - hxxps://ebank.stb.com.mk/ActiveX/ubisecuresignctl.cab
DPF: {B8E73359-3422-4384-8D27-4EA1B4C01232} - hxxps://nemo.optier.com/+CSCOL+/cscopf.cab
FF - ProfilePath - c:\users\Zlatko\AppData\Roaming\Mozilla\Firefox\Profiles\ieiyf5wk.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.logmein.com/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - component: c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - component: c:\users\Zlatko\AppData\Roaming\Mozilla\Firefox\Profiles\ieiyf5wk.default\extensions\{fed66dc5-1b74-4a04-8f5c-15c5ace2b9a5}\components\FFExternalAlert.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Opera\program\plugins\nppl3260.dll
FF - plugin: c:\program files\Opera\program\plugins\nprpjplug.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\Zlatko\AppData\Roaming\Mozilla\Firefox\Profiles\ieiyf5wk.default\extensions\[email protected]\plugins\npTVUAx.dll
FF - plugin: c:\users\Zlatko\AppData\Roaming\Mozilla\Firefox\Profiles\ieiyf5wk.default\extensions\[email protected]\plugins\npRACtrl.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

BHO-{891538CA-582E-3AE7-BC98-E4754662B833} - (no file)
Toolbar-Locked - (no file)
HKLM-Run-CmUsbSound - cmcnfgu.cpl
AddRemove-Linplug SaxLab v1.0.2 - i:\audio\VSTPLU~1\LINPLU~1\SAXLAB~1\UNWISE.EXE
AddRemove-MigrateEasy - c:\program files\Acronis\MigrateEasy\MediaBuilder.exe
AddRemove-Princeton Digital 2016 Stereo Room v1.1 - i:\audio\VSTPLU~1\PRINCE~1\2016ST~1\2016ST~1\UNWISE.EXE
AddRemove-Steinberg Virtual Bassist v1.0.0.504 - i:\audio\VSTPLU~1\VIRTUA~2\UNWISE.EXE
AddRemove-TwinsenUninstallKey - a:\x_old\maxtor\games\Uninst.isu
AddRemove-Virtual Guitarist - i:\audio\VSTPLU~1\VIRTUA~1\UNINST~1.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-21 18:00
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\261.tmp"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MySQL]
"ImagePath"="\"i:\software development\MySQL\MySQL Server 5.1\bin\mysqld\" --defaults-file=\"i:\software development\MySQL\MySQL Server 5.1\my.ini\" MySQL"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CakewalkPlugIns\Ґ[1*юяяя9\]wхтwћB[w©п~w|э*Pю*]
"Description"="Cakewal"
"HelpFilePath"=""
"HelpFileTopic"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1004)
c:\windows\system32\relog_ap.dll
.
Completion time: 2010-04-21 18:04:00
ComboFix-quarantined-files.txt 2010-04-21 16:03

Pre-Run: 10,980,601,856 bytes free
Post-Run: 26,083,594,240 bytes free

- - End Of File - - 5B4CA027564A7982D68F671205058E20
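An added triage example (not part of the thread and not ComboFix's own code): it parses service lines and registry policy values in the shape ComboFix prints and flags the patterns visible in the log above, such as a service whose image is missing (`[x]`), runs from a Temp folder, has a `.tmp` extension, or is a DLL loaded through rundll32.exe, plus EnableLUA = 0 and AntiVirusOverride = 1. The sample lines are constructed to mirror the posted log; the heuristics are mine, not a verdict on any file.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on lines from the ComboFix log posted above:
# two registry policy blocks and a handful of service (R*/S*) entries.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001

R0 OemBiosDevice;Royalty OEM BIOS Extension;c:\windows\system32\DRIVERS\royal.sys [2008-10-26 240128]
R2 atrace32;Async Trace DLL;c:\windows\system32\rundll32.exe atrace32.dll,oruw [x]
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\261.tmp [x]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
R3 ZIFZB;ZIFZB;c:\users\Zlatko\AppData\Local\Temp\ZIFZB.exe [x]
S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2009-11-16 735960]
"""

# ComboFix service line: "<start> <name>;<display name>;<image path> [<date> <size>]"
# (a missing image is printed as "[x]").
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)\s\[([^\]]*)\]$")
# Registry value line inside a [key] block, e.g. "EnableLUA"= 0 (0x0)
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')


@dataclass
class Finding:
    entry: str   # service name or registry value name
    reason: str  # why it deserves a human look


def parse_services(text):
    """Yield (start, name, display, image, tail) tuples for every service line."""
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            yield m.groups()


def check_service(start, name, display, image, tail):
    """Heuristic triage of one service entry; returns a list of reasons (maybe empty)."""
    reasons = []
    img = image.lower()
    if tail == "x":
        reasons.append("image file not present on disk (ComboFix prints [x])")
    if re.search(r"\\(local\\)?temp\\", img):
        reasons.append("image runs from a Temp directory")
    if re.search(r"\.tmp(\s|$)", img):
        reasons.append("service image has a .tmp extension")
    if "rundll32.exe" in img:
        reasons.append("service loads a DLL through rundll32.exe")
    return reasons


def check_policies(text):
    """Flag registry values that weaken built-in protections."""
    findings = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name, value = m.group(1), m.group(2).strip().lower()
        if key.endswith(r"policies\system") and name == "EnableLUA" and value.startswith("0"):
            findings.append(Finding(name, "UAC disabled (EnableLUA = 0)"))
        if key.endswith(r"security center\svc") and name == "AntiVirusOverride" and value.endswith("1"):
            findings.append(Finding(name, "Security Center antivirus monitoring overridden"))
    return findings


def triage(text):
    """Run all checks over a ComboFix-style log and return the findings in log order."""
    findings = []
    for start, name, display, image, tail in parse_services(text):
        for reason in check_service(start, name, display, image, tail):
            findings.append(Finding(name, f"{start} {image!r}: {reason}"))
    findings.extend(check_policies(text))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.entry:18} {f.reason}")
```

Anything flagged is a starting point for a closer look (file hashes, signer, creation date), not a removal decision; legitimate drivers such as npf.sys and the ESET service pass cleanly here.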

#4
Rorschach112 (Ralphie)

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.




Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.






Go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.


#5
zlatko99

Here is the generated Malwarebytes' Anti-Malware's log:
(I will supply the Kaspersky log in the next post; it takes too much time to scan the whole computer.)


Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4019

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18904

4/22/2010 1:32:56 AM
mbam-log-2010-04-22 (01-32-56).txt

Scan type: Quick scan
Objects scanned: 124187
Time elapsed: 4 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Windows\System32\atrace32.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\DoubleD (Adware.DoubleD) -> Quarantined and deleted successfully.
C:\Program Files\DoubleD\GamingHarbor Toolbar (Adware.DoubleD) -> Quarantined and deleted successfully.

Files Infected:
C:\Windows\System32\atrace32.dll (Trojan.Agent) -> Delete on reboot.

#6
zlatko99

Finally, this is my Kaspersky log, after running for over 20 hours:




--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, April 23, 2010
Operating system: Microsoft Windows Vista Ultimate Edition, 32-bit Service Pack 2 (build 6002)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, April 21, 2010 23:17:13
Records in database: 3963250
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
H:\
I:\
J:\
M:\
X:\

Scan statistics:
Objects scanned: 1296363
Threats found: 40
Infected objects found: 128
Suspicious objects found: 1
Scan duration: 20:16:25


File name / Threat / Threats count
A:\X_old\Documents and Settings\Zlatko1\Local Settings\Temporary Internet Files\Content.IE5\FVVO4KKY\vnc-4_1_2-x86_win32[1].exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 4
A:\X_old\MAXTOR\DivX Codecs\DivXPro501GAINBundle.exe Infected: not-a-virus:AdWare.Win32.Gator.3102 1
A:\X_old\MAXTOR\eureka\dap7.exe Infected: not-a-virus:AdWare.Win32.Dap.c 1
A:\X_old\MAXTOR\goran\tightvnc-1.2.3-setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b 1
A:\X_old\MAXTOR\internet\ctmdsetup.exe Infected: not-a-virus:AdWare.Win32.Aureate.a 1
A:\X_old\MAXTOR\internet\gozilla.exe Infected: not-a-virus:AdWare.Win32.Aureate.a 1
A:\X_old\MAXTOR\Music\Install\50 pieces of VST plugins.exe Infected: Trojan.Win32.Agent.dkmd 1
A:\X_old\MAXTOR\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.601 1
A:\X_old\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 1
A:\X_old\Program Files\MSN Messenger\riched20.dll Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
A:\X_old\Program Files\MyWebSearch\bar\1.bin\F3DTACTL.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.al 1
A:\X_old\Program Files\MyWebSearch\bar\1.bin\F3HISTSW.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
A:\X_old\Program Files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
A:\X_old\Program Files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.af 1
A:\X_old\Program Files\MyWebSearch\bar\1.bin\F3POPSWT.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.an 1
A:\X_old\Program Files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
A:\X_old\Program Files\MyWebSearch\bar\1.bin\F3REPROX.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.cy 1
A:\X_old\Program Files\MyWebSearch\bar\1.bin\F3RESTUB.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
A:\X_old\Program Files\MyWebSearch\bar\1.bin\F3SCHMON.EXE Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.a 1
A:\X_old\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.an 1
A:\X_old\Program Files\MyWebSearch\bar\1.bin\F3SHLLVW.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.aq 1
A:\X_old\Program Files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL Infected: not-a-virus:Monitor.Win32.Agent.c 1
A:\X_old\Program Files\MyWebSearch\bar\1.bin\M3HTML.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.f 1
A:\X_old\Program Files\MyWebSearch\bar\1.bin\M3IDLE.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.ax 1
A:\X_old\Program Files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
A:\X_old\Program Files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.an 1
A:\X_old\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.an 1
A:\X_old\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
A:\X_old\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.q 1
A:\X_old\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
A:\X_old\Program Files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.i 1
A:\X_old\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.ai 1
A:\X_old\temp\mirc616.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 1
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.g 1
C:\Qoobox\Quarantine\C\Windows\system32\Drivers\atapi.sys.vir Infected: Rootkit.Win32.TDSS.ap 1
D:\Downloads\BitTorrent\Adobe Photoshop CS4 Extended + Crack\Adobe Photoshop CS4 Extended.part01.rar Infected: Backdoor.Win32.EggDrop.ahe 1
D:\Downloads\BitTorrent\Adobe Photoshop CS4 Extended + Crack\Adobe Photoshop CS4 Extended.part01.rar Infected: Backdoor.Win32.EggDrop.aim 1
D:\Downloads\BitTorrent\Adobe Photoshop CS4 Extended + Crack\Adobe Photoshop CS4 Extended.part02.rar Infected: Backdoor.Win32.EggDrop.ahe 1
D:\Downloads\BitTorrent\Adobe Photoshop CS4 Extended + Crack\Adobe Photoshop CS4 Extended.part02.rar Infected: Backdoor.Win32.EggDrop.aim 1
D:\Downloads\BitTorrent\Adobe Photoshop CS4 Extended + Crack\Adobe Photoshop CS4 Extended.part03.rar Infected: Backdoor.Win32.EggDrop.ahe 1
D:\Downloads\BitTorrent\Adobe Photoshop CS4 Extended + Crack\Adobe Photoshop CS4 Extended.part03.rar Infected: Backdoor.Win32.EggDrop.aim 1
D:\Downloads\BitTorrent\Adobe Photoshop CS4 Extended + Crack\Adobe Photoshop CS4 Extended.part04.rar Infected: Backdoor.Win32.EggDrop.ahe 1
D:\Downloads\BitTorrent\Adobe Photoshop CS4 Extended + Crack\Adobe Photoshop CS4 Extended.part04.rar Infected: Backdoor.Win32.EggDrop.aim 1
D:\Downloads\BitTorrent\Adobe Photoshop CS4 Extended + Crack\Adobe Photoshop CS4 Extended.part05.rar Infected: Backdoor.Win32.EggDrop.ahe 1
D:\Downloads\BitTorrent\Adobe Photoshop CS4 Extended + Crack\Adobe Photoshop CS4 Extended.part05.rar Infected: Backdoor.Win32.EggDrop.aim 1
D:\Downloads\BitTorrent\Adobe Photoshop CS4 Extended + Crack\Adobe Photoshop CS4 Extended.part06.rar Infected: Backdoor.Win32.EggDrop.ahe 1
D:\Downloads\BitTorrent\Adobe Photoshop CS4 Extended + Crack\Adobe Photoshop CS4 Extended.part06.rar Infected: Backdoor.Win32.EggDrop.aim 1
D:\Downloads\BitTorrent\Adobe Photoshop CS4 Extended + Crack\Adobe Photoshop CS4 Extended.part07.rar Infected: Backdoor.Win32.EggDrop.ahe 1
D:\Downloads\BitTorrent\Adobe Photoshop CS4 Extended + Crack\Adobe Photoshop CS4 Extended.part07.rar Infected: Backdoor.Win32.EggDrop.aim 1
D:\Downloads\BitTorrent\Adobe Photoshop CS4 Extended + Crack\Adobe Photoshop CS4 Extended.part08.rar Infected: Backdoor.Win32.EggDrop.ahe 1
D:\Downloads\BitTorrent\Adobe Photoshop CS4 Extended + Crack\Adobe Photoshop CS4 Extended.part08.rar Infected: Backdoor.Win32.EggDrop.aim 1
D:\Downloads\BitTorrent\Adobe Photoshop CS4 Extended + Crack\Adobe Photoshop CS4 Extended.part09.rar Infected: Backdoor.Win32.EggDrop.ahe 1
D:\Downloads\BitTorrent\Adobe Photoshop CS4 Extended + Crack\Adobe Photoshop CS4 Extended.part09.rar Infected: Backdoor.Win32.EggDrop.aim 1
D:\Downloads\BitTorrent\Adobe Photoshop CS4 Extended + Crack\Adobe Photoshop CS4 Extended.part10.rar Infected: Backdoor.Win32.EggDrop.ahe 1
D:\Downloads\BitTorrent\Adobe Photoshop CS4 Extended + Crack\Adobe Photoshop CS4 Extended.part10.rar Infected: Backdoor.Win32.EggDrop.aim 1
D:\Downloads\BitTorrent\Adobe Photoshop CS4 Extended + Crack\Adobe Photoshop CS4 Extended.part11.rar Infected: Backdoor.Win32.EggDrop.ahe 1
D:\Downloads\BitTorrent\Adobe Photoshop CS4 Extended + Crack\Adobe Photoshop CS4 Extended.part11.rar Infected: Backdoor.Win32.EggDrop.aim 1
D:\Downloads\BitTorrent\Adobe Photoshop CS4 Extended + Crack\Adobe Photoshop CS4 Extended.part12.rar Infected: Backdoor.Win32.EggDrop.ahe 1
D:\Downloads\BitTorrent\Adobe Photoshop CS4 Extended + Crack\Adobe Photoshop CS4 Extended.part12.rar Infected: Backdoor.Win32.EggDrop.aim 1
D:\Downloads\BitTorrent\Adobe Photoshop CS4 Extended + Crack\Adobe Photoshop CS4 Extended.part13.rar Infected: Backdoor.Win32.EggDrop.ahe 1
D:\Downloads\BitTorrent\Adobe Photoshop CS4 Extended + Crack\Adobe Photoshop CS4 Extended.part13.rar Infected: Backdoor.Win32.EggDrop.aim 1
D:\Downloads\BitTorrent\Adobe Photoshop CS4 Extended + Crack\Adobe Photoshop CS4 Extended.part14.rar Infected: Backdoor.Win32.EggDrop.ahe 1
D:\Downloads\BitTorrent\Adobe Photoshop CS4 Extended + Crack\Adobe Photoshop CS4 Extended.part14.rar Infected: Backdoor.Win32.EggDrop.aim 1
D:\Downloads\BitTorrent\After Effects Plugins\Panopticum Water v1.03.rar Infected: Trojan-Dropper.Win32.Agent.urw 1
D:\Downloads\BitTorrent\After Effects Plugins\StageTools Moving Picture v5.06.rar Infected: Trojan.Win32.Genome.fgc 1
D:\Goran\temp\ratko\autorun.inf Infected: Trojan-GameThief.Win32.OnLineGames.tneh 1
D:\Goran\temp\ratko\itsduel.exe Infected: Trojan-GameThief.Win32.OnLineGames.tncg 1
I:\Dev\jboss-seam-2.2.0.GA\src\test\ftest\lib\selenium-server-standalone.jar Infected: not-a-virus:NetTool.Win32.ProxySwitcher.d 1
I:\Install\Audio Software\Audio VST plugins.rar Suspicious: Packed.Win32.PePatch.dk 1
I:\Install\Graphics\ZBrush v3.1 + Keygen\XF-ZBrush3-KG.exe Infected: Trojan.Win32.Genome.gbct 1
X:\BACKUP\a\X_old\Data\Other\eMule\Incoming\SQLyog 5.12 Beta 2 crack.rar Infected: Trojan-Dropper.Win32.Delf.vo 1
X:\BACKUP\a\X_old\Documents and Settings\Zlatko1\Local Settings\Temporary Internet Files\Content.IE5\FVVO4KKY\vnc-4_1_2-x86_win32[1].exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 4
X:\BACKUP\a\X_old\Documents and Settings\Zlatko1\My Documents\mediacodec-v4.403.exe Infected: Trojan-Downloader.Win32.Zlob.mc 1
X:\BACKUP\a\X_old\Documents and Settings\Zlatko1\My Documents\mediacodec-v4.403.exe Infected: Trojan-Downloader.Win32.Zlob.ph 1
X:\BACKUP\a\X_old\MAXTOR\DivX Codecs\DivXPro501GAINBundle.exe Infected: not-a-virus:AdWare.Win32.Gator.3102 1
X:\BACKUP\a\X_old\MAXTOR\Documents and Settings\Zlatko1\Desktop\Desktop\serial-port-monitor.zip Infected: not-a-virus:Monitor.Win32.FamilyKeyLogger.230 1
X:\BACKUP\a\X_old\MAXTOR\Documents and Settings\Zlatko1\Desktop\Desktop\serial-port-monitor.zip Infected: not-a-virus:Monitor.Win32.FamilyKeyLogger.250 1
X:\BACKUP\a\X_old\MAXTOR\Documents and Settings\Zlatko1\Desktop\Desktop\serial-port-monitor.zip Infected: not-a-virus:Monitor.Win32.HomeKeyLogger.170 1
X:\BACKUP\a\X_old\MAXTOR\eureka\dap7.exe Infected: not-a-virus:AdWare.Win32.Dap.c 1
X:\BACKUP\a\X_old\MAXTOR\goran\ossvc40.exe Infected: not-a-virus:AdWare.Win32.NavExcel 4
X:\BACKUP\a\X_old\MAXTOR\goran\ossvd40.exe Infected: not-a-virus:AdWare.Win32.NavExcel 4
X:\BACKUP\a\X_old\MAXTOR\goran\tightvnc-1.2.3-setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b 1
X:\BACKUP\a\X_old\MAXTOR\internet\ctmdsetup.exe Infected: not-a-virus:AdWare.Win32.Aureate.a 1
X:\BACKUP\a\X_old\MAXTOR\internet\gozilla.exe Infected: not-a-virus:AdWare.Win32.Aureate.a 1
X:\BACKUP\a\X_old\MAXTOR\internet\mpfiend.zip Infected: not-a-virus:AdWare.Win32.Aureate.a 1
X:\BACKUP\a\X_old\MAXTOR\Music\Install\50 pieces of VST plugins.exe Infected: Trojan.Win32.Agent.dkmd 1
X:\BACKUP\a\X_old\MAXTOR\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.601 1
X:\BACKUP\a\X_old\MAXTOR\Program Files\NH\ee20030706.exe Infected: not-a-virus:AdWare.Win32.NavExcel 4
X:\BACKUP\a\X_old\MAXTOR\Program Files\Screensavers.com\Installer\bin\ScreensaversInst.dll Infected: not-a-virus:AdWare.Win32.Comet.c 1
X:\BACKUP\a\X_old\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 1
X:\BACKUP\a\X_old\Program Files\MSN Messenger\riched20.dll Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
X:\BACKUP\a\X_old\Program Files\MyWebSearch\bar\1.bin\F3DTACTL.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.al 1
X:\BACKUP\a\X_old\Program Files\MyWebSearch\bar\1.bin\F3HISTSW.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
X:\BACKUP\a\X_old\Program Files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
X:\BACKUP\a\X_old\Program Files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.af 1
X:\BACKUP\a\X_old\Program Files\MyWebSearch\bar\1.bin\F3POPSWT.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.an 1
X:\BACKUP\a\X_old\Program Files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
X:\BACKUP\a\X_old\Program Files\MyWebSearch\bar\1.bin\F3REPROX.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.cy 1
X:\BACKUP\a\X_old\Program Files\MyWebSearch\bar\1.bin\F3RESTUB.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
X:\BACKUP\a\X_old\Program Files\MyWebSearch\bar\1.bin\F3SCHMON.EXE Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.a 1
X:\BACKUP\a\X_old\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.an 1
X:\BACKUP\a\X_old\Program Files\MyWebSearch\bar\1.bin\F3SHLLVW.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.aq 1
X:\BACKUP\a\X_old\Program Files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL Infected: not-a-virus:Monitor.Win32.Agent.c 1
X:\BACKUP\a\X_old\Program Files\MyWebSearch\bar\1.bin\M3HTML.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.f 1
X:\BACKUP\a\X_old\Program Files\MyWebSearch\bar\1.bin\M3IDLE.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.ax 1
X:\BACKUP\a\X_old\Program Files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
X:\BACKUP\a\X_old\Program Files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.an 1
X:\BACKUP\a\X_old\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.an 1
X:\BACKUP\a\X_old\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
X:\BACKUP\a\X_old\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.q 1
X:\BACKUP\a\X_old\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
X:\BACKUP\a\X_old\Program Files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.i 1
X:\BACKUP\a\X_old\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.ai 1
X:\BACKUP\a\X_old\temp\mirc616.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 1

Selected area has been scanned.
  • 0

#7
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hi

Please download OTM
  • Save it to your desktop.
  • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :Processes
    
    :Services
    
    :Reg
    
    :Files
    A:\X_old\MAXTOR\DivX Codecs\DivXPro501GAINBundle.exe
    A:\X_old\MAXTOR\eureka\dap7.exe
    A:\X_old\MAXTOR\internet\ctmdsetup.exe
    A:\X_old\MAXTOR\internet\gozilla.exe
    A:\X_old\MAXTOR\Music\Install\50 pieces of VST plugins.exe
    A:\X_old\Program Files\MSN Messenger\riched20.dll
    D:\Downloads\BitTorrent\After Effects Plugins\Panopticum Water v1.03.rar
    D:\Downloads\BitTorrent\After Effects Plugins\StageTools Moving Picture v5.06.rar
    D:\Goran\temp\ratko\autorun.inf
    D:\Goran\temp\ratko\itsduel.exe
    I:\Install\Graphics\ZBrush v3.1 + Keygen\XF-ZBrush3-KG.exe
    X:\BACKUP\a\X_old\Data\Other\eMule\Incoming\SQLyog 5.12 Beta 2 crack.rar
    I:\Install\Audio Software\Audio VST plugins.rar
    X:\BACKUP\a\X_old\Documents and Settings\Zlatko1\My Documents\mediacodec-v4.403.exe
    X:\BACKUP\a\X_old\Documents and Settings\Zlatko1\My Documents\mediacodec-v4.403.exe
    X:\BACKUP\a\X_old\MAXTOR\DivX Codecs\DivXPro501GAINBundle.exe
    X:\BACKUP\a\X_old\MAXTOR\Documents and Settings\Zlatko1\Desktop\Desktop\serial-port-monitor.zip
    X:\BACKUP\a\X_old\MAXTOR\Documents and Settings\Zlatko1\Desktop\Desktop\serial-port-monitor.zip
    X:\BACKUP\a\X_old\MAXTOR\Documents and Settings\Zlatko1\Desktop\Desktop\serial-port-monitor.zip
    X:\BACKUP\a\X_old\MAXTOR\eureka\dap7.exe
    X:\BACKUP\a\X_old\MAXTOR\goran\ossvc40.exe
    X:\BACKUP\a\X_old\MAXTOR\goran\ossvd40.exe
    X:\BACKUP\a\X_old\MAXTOR\internet\ctmdsetup.exe
    X:\BACKUP\a\X_old\MAXTOR\internet\gozilla.exe
    X:\BACKUP\a\X_old\MAXTOR\internet\mpfiend.zip
    X:\BACKUP\a\X_old\MAXTOR\Music\Install\50 pieces of VST plugins.exe
    X:\BACKUP\a\X_old\MAXTOR\Program Files\NH\ee20030706.exe
    X:\BACKUP\a\X_old\MAXTOR\Program Files\Screensavers.com\Installer\bin\ScreensaversInst.dll
    X:\BACKUP\a\X_old\Program Files\mIRC\mirc.exe
    X:\BACKUP\a\X_old\Program Files\MSN Messenger\riched20.dll
    C:\Windows\System32\atrace32.dll 
    A:\X_old\Program Files\MyWebSearch
    D:\Downloads\BitTorrent\Adobe Photoshop CS4 Extended + Crack
    I:\Install\Audio Software\Audio VST plugins.rar
    
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [CREATERESTOREPOINT]
    [EMPTYFLASH]
    [Reboot]
  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM and reboot your PC.
Note: If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, enter *.log in the File Name box and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, open the newest .log file present, and copy/paste the contents of that document back here in your next post.
  • 0

#8
zlatko99

zlatko99

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Hi,

This is my OTM log:

All processes killed
========== PROCESSES ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
A:\X_old\MAXTOR\DivX Codecs\DivXPro501GAINBundle.exe moved successfully.
A:\X_old\MAXTOR\eureka\dap7.exe moved successfully.
A:\X_old\MAXTOR\internet\ctmdsetup.exe moved successfully.
A:\X_old\MAXTOR\internet\gozilla.exe moved successfully.
A:\X_old\MAXTOR\Music\Install\50 pieces of VST plugins.exe moved successfully.
DllUnregisterServer procedure not found in A:\X_old\Program Files\MSN Messenger\riched20.dll
A:\X_old\Program Files\MSN Messenger\riched20.dll moved successfully.
D:\Downloads\BitTorrent\After Effects Plugins\Panopticum Water v1.03.rar moved successfully.
D:\Downloads\BitTorrent\After Effects Plugins\StageTools Moving Picture v5.06.rar moved successfully.
D:\Goran\temp\ratko\autorun.inf moved successfully.
D:\Goran\temp\ratko\itsduel.exe moved successfully.
I:\Install\Graphics\ZBrush v3.1 + Keygen\XF-ZBrush3-KG.exe moved successfully.
X:\BACKUP\a\X_old\Data\Other\eMule\Incoming\SQLyog 5.12 Beta 2 crack.rar moved successfully.
I:\Install\Audio Software\Audio VST plugins.rar moved successfully.
X:\BACKUP\a\X_old\Documents and Settings\Zlatko1\My Documents\mediacodec-v4.403.exe moved successfully.
File/Folder X:\BACKUP\a\X_old\Documents and Settings\Zlatko1\My Documents\mediacodec-v4.403.exe not found.
X:\BACKUP\a\X_old\MAXTOR\DivX Codecs\DivXPro501GAINBundle.exe moved successfully.
X:\BACKUP\a\X_old\MAXTOR\Documents and Settings\Zlatko1\Desktop\Desktop\serial-port-monitor.zip moved successfully.
File/Folder X:\BACKUP\a\X_old\MAXTOR\Documents and Settings\Zlatko1\Desktop\Desktop\serial-port-monitor.zip not found.
File/Folder X:\BACKUP\a\X_old\MAXTOR\Documents and Settings\Zlatko1\Desktop\Desktop\serial-port-monitor.zip not found.
X:\BACKUP\a\X_old\MAXTOR\eureka\dap7.exe moved successfully.
X:\BACKUP\a\X_old\MAXTOR\goran\ossvc40.exe moved successfully.
X:\BACKUP\a\X_old\MAXTOR\goran\ossvd40.exe moved successfully.
X:\BACKUP\a\X_old\MAXTOR\internet\ctmdsetup.exe moved successfully.
X:\BACKUP\a\X_old\MAXTOR\internet\gozilla.exe moved successfully.
X:\BACKUP\a\X_old\MAXTOR\internet\mpfiend.zip moved successfully.
X:\BACKUP\a\X_old\MAXTOR\Music\Install\50 pieces of VST plugins.exe moved successfully.
X:\BACKUP\a\X_old\MAXTOR\Program Files\NH\ee20030706.exe moved successfully.
X:\BACKUP\a\X_old\MAXTOR\Program Files\Screensavers.com\Installer\bin\ScreensaversInst.dll moved successfully.
X:\BACKUP\a\X_old\Program Files\mIRC\mirc.exe moved successfully.
DllUnregisterServer procedure not found in X:\BACKUP\a\X_old\Program Files\MSN Messenger\riched20.dll
X:\BACKUP\a\X_old\Program Files\MSN Messenger\riched20.dll moved successfully.
File/Folder C:\Windows\System32\atrace32.dll not found.
A:\X_old\Program Files\MyWebSearch\SrchAstt\1.bin folder moved successfully.
A:\X_old\Program Files\MyWebSearch\SrchAstt folder moved successfully.
A:\X_old\Program Files\MyWebSearch\bar\Settings folder moved successfully.
A:\X_old\Program Files\MyWebSearch\bar\History folder moved successfully.
A:\X_old\Program Files\MyWebSearch\bar\Game folder moved successfully.
A:\X_old\Program Files\MyWebSearch\bar\Cache folder moved successfully.
A:\X_old\Program Files\MyWebSearch\bar\1.bin folder moved successfully.
A:\X_old\Program Files\MyWebSearch\bar folder moved successfully.
A:\X_old\Program Files\MyWebSearch folder moved successfully.
D:\Downloads\BitTorrent\Adobe Photoshop CS4 Extended + Crack folder moved successfully.
File/Folder I:\Install\Audio Software\Audio VST plugins.rar not found.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Goran
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Opera cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LogMeInRemoteUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

User: Zlatko
->Temp folder emptied: 105818550 bytes
->Temporary Internet Files folder emptied: 8491821 bytes
->Java cache emptied: 130732 bytes
->FireFox cache emptied: 50345774 bytes
->Opera cache emptied: 0 bytes
->Flash cache emptied: 6268 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 127145245 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 278.00 mb

OTM cannot create restorepoints on Vista OSs!

OTM by OldTimer - Version 3.1.11.0 log created on 04292010_222350

Files moved on Reboot...

Registry entries deleted on Reboot...



Thanks,
Zlatko
  • 0
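The scan log earlier in the thread and the OTM log just above share a simple line shape: one path per line followed by a verdict (for the scanner) or an outcome such as "moved successfully." / "File/Folder ... not found." (for OTM). The following script is an added example written for this page; it is not code from the thread, from the scanner vendor, or from OldTimer's OTM. It parses both formats, sorts scanner hits into triage buckets (real malware, heuristic "Suspicious" hits, "not-a-virus:" riskware such as adware and remote-admin tools, and files already sitting in ComboFix's C:\Qoobox\Quarantine folder), builds a deduplicated list of paths for the :Files section, and then checks the OTM results against that list. The sample lines are a constructed subset in the shape of the thread's own logs; the bucket names and the quarantine prefix are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the "<path> Infected: <verdict> <count>" shape of the scan log above.
SCAN_LOG = r"""
A:\X_old\MAXTOR\eureka\dap7.exe Infected: not-a-virus:AdWare.Win32.Dap.c 1
C:\Qoobox\Quarantine\C\Windows\system32\Drivers\atapi.sys.vir Infected: Rootkit.Win32.TDSS.ap 1
D:\Downloads\BitTorrent\After Effects Plugins\Panopticum Water v1.03.rar Infected: Trojan-Dropper.Win32.Agent.urw 1
D:\Goran\temp\ratko\itsduel.exe Infected: Trojan-GameThief.Win32.OnLineGames.tncg 1
I:\Install\Audio Software\Audio VST plugins.rar Suspicious: Packed.Win32.PePatch.dk 1
X:\BACKUP\a\X_old\Documents and Settings\Zlatko1\My Documents\mediacodec-v4.403.exe Infected: Trojan-Downloader.Win32.Zlob.mc 1
X:\BACKUP\a\X_old\Documents and Settings\Zlatko1\My Documents\mediacodec-v4.403.exe Infected: Trojan-Downloader.Win32.Zlob.ph 1
"""

# Constructed OTM result lines in the shape of the log in post #8.
OTM_LOG = r"""
========== FILES ==========
A:\X_old\MAXTOR\eureka\dap7.exe moved successfully.
D:\Downloads\BitTorrent\After Effects Plugins\Panopticum Water v1.03.rar moved successfully.
D:\Goran\temp\ratko\itsduel.exe moved successfully.
I:\Install\Audio Software\Audio VST plugins.rar moved successfully.
X:\BACKUP\a\X_old\Documents and Settings\Zlatko1\My Documents\mediacodec-v4.403.exe moved successfully.
File/Folder X:\BACKUP\a\X_old\Documents and Settings\Zlatko1\My Documents\mediacodec-v4.403.exe not found.
File/Folder I:\Install\Audio Software\Audio VST plugins.rar not found.
File/Folder C:\Windows\System32\atrace32.dll not found.
A:\X_old\Program Files\MyWebSearch folder moved successfully.
========== COMMANDS ==========
"""

# Scanner line: path (may contain spaces), status, verdict, hit count.
SCAN_LINE = re.compile(r"^(?P<path>.+?) (?P<status>Infected|Suspicious): (?P<verdict>\S+) (?P<count>\d+)$")
# ComboFix's quarantine folder, as seen in the scan log (assumed prefix for this example).
QUARANTINE_PREFIX = "C:\\Qoobox\\Quarantine\\"


def parse_scan(text):
    """Return (path, status, verdict, count) tuples; header and blank lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = SCAN_LINE.match(line.strip())
        if m:
            hits.append((m["path"], m["status"], m["verdict"], int(m["count"])))
    return hits


def classify(path, status, verdict):
    """Triage bucket for one detection (bucket names are this example's own)."""
    if path.lower().startswith(QUARANTINE_PREFIX.lower()):
        return "already_quarantined"   # ComboFix already moved it; nothing active to remove
    if status == "Suspicious":
        return "suspicious"            # heuristic verdict; needs a human look before deletion
    if verdict.startswith("not-a-virus:"):
        return "riskware"              # adware / remote-admin / IRC client; legitimate in some contexts
    return "malware"


def triage(text):
    """Group detections by bucket; a path hit by several signatures appears once with all verdicts."""
    buckets = defaultdict(dict)
    for path, status, verdict, _count in parse_scan(text):
        buckets[classify(path, status, verdict)].setdefault(path, []).append(verdict)
    return buckets


def removal_list(text):
    """Deduplicated paths for the :Files section: malware and suspicious hits, quarantine excluded."""
    b = triage(text)
    return sorted(set(b["malware"]) | set(b["suspicious"]))


MOVED = re.compile(r"^(?P<path>.+?) (?:folder )?moved successfully\.$")
NOT_FOUND = re.compile(r"^File/Folder (?P<path>.+) not found\.$")


def reconcile(requested, otm_text):
    """Map each requested path to 'moved', 'not_found' or 'unreported'.

    A path listed twice in the script (two verdicts for one file) is moved on the first
    attempt and reported 'not found' on the second; 'moved' takes precedence, so that is
    not treated as a failure. Lines such as 'DllUnregisterServer procedure not found in ...'
    are informational and match neither pattern."""
    result = {p: "unreported" for p in requested}
    for line in otm_text.splitlines():
        line = line.strip()
        m = MOVED.match(line)
        if m and m["path"] in result:
            result[m["path"]] = "moved"
            continue
        m = NOT_FOUND.match(line)
        if m and m["path"] in result and result[m["path"]] != "moved":
            result[m["path"]] = "not_found"
    return result


if __name__ == "__main__":
    for bucket, paths in triage(SCAN_LOG).items():
        print(f"[{bucket}]")
        for p, verdicts in paths.items():
            print(f"  {p}  <- {', '.join(verdicts)}")
    wanted = removal_list(SCAN_LOG) + ["C:\\Windows\\System32\\atrace32.dll"]
    for p, outcome in reconcile(wanted, OTM_LOG).items():
        print(f"{outcome:10} {p}")
```

Run against a full log, the "riskware" bucket is where judgement is needed: VNC, mIRC and download managers in an old backup are not an active infection, while the Zlob "codec" and the TDSS-patched atapi.sys.vir are, and the reconcile step shows at a glance whether every requested path was actually moved or is still worth a second look.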

#9
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Your logs are clean


Follow these steps to uninstall Combofix and tools used in the removal of malware

Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.



  • Download OTC to your desktop and run it
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.



  • Please read my guide on how to prevent malware and about safe computing here
Thank you for your patience, and performing all of the procedures requested.
  • 0

#10
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
