Win32/Olmarik trojan [Solved]


#1 ingenioushax (Member, 15 posts)
I seem to have the above-mentioned trojan and can't locate it. Nod32 catches it but is unable to quarantine or delete the file.

I have done the following procedures to find and remove the trojan, but to no avail:
eset online scan
Nod32 full scan
Outpost firewall pro system scan
SUPERantiSpyware scan
->(caught some trackers, no trojan)
MalwareBytes full system scan
SpywareDoctor
-> (ran a full system scan, found some malware but not the trojan, went in and manually deleted registry files, used free version)
HijackThis -> (nothing suspicious in the log file)


If someone could please assist me in getting rid of this pesky thing, I would greatly appreciate it.

I should also mention I had to reload Nod32 because it quit being able to connect to the server for updates, which I believe is a common occurrence with some trojans/malware/spyware.

Edited by ingenioushax, 10 May 2010 - 12:37 PM.


#2 Rorschach112 (Retired Staff, 47,710 posts)
Download and run this:

http://download.norm...DSS_Cleaner.exe


Post the log it gives.

#3 ingenioushax (Topic Starter, 15 posts)
Norman TDSS Cleaner
Version 1.9.2
Copyright © 1990 - 2010, Norman ASA. Built 2010/04/27 07:10:07

Norman Scanner Engine Version: 6.04.08
Nvcbin.def Version: 6.04.00, Date: 2010/04/27 07:10:07, Variants: 55720

Scan started: 10/05/2010 11:42:43

Running pre-scan cleanup routine:
Operating System: Microsoft Windows Vista 6.0.6002 Service Pack 2
Logged on user: Mystery\Mysterious

Set registry value: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLS = "c:\progra~1\agnitum\outpos~1\wl_hook.dll" -> ""

Running anti-TDSS module:

TDSS/TDL3 Rootkit Detected
Error writing to infected disk driver (330190)
Warning - Rootkit disinfection failed

TDSS scan complete. Will now scan for related malware

Scanning bootsectors...

Number of sectors found: 1
Number of sectors scanned: 1
Number of sectors not scanned: 0
Number of infections found: 0
Number of infections removed: 0
Total scanning time: 0s 47ms


Scanning running processes and process memory...

Number of processes/threads found: 5380
Number of processes/threads scanned: 5380
Number of processes/threads not scanned: 0
Number of infected processes/threads terminated: 0
Total scanning time: 1m 49s


Scanning file system...

Scanning: prescan

Scanning: C:\Windows\system32\drivers\*

Scanning: postscan


Running post-scan cleanup routine:
Set TCP/IP autotuning to "normal" (or it was already "normal")

Number of files found: 418
Number of archives unpacked: 0
Number of files scanned: 418
Number of files not scanned: 0
Number of files skipped due to exclude list: 0
Number of infected files found: 0
Number of infected files repaired/deleted: 0
Number of infections removed: 0
Total scanning time: 16s

#4 ingenioushax (Topic Starter, 15 posts)
SOLVED::

ESET has an Olmarik removal tool; it can be found here:
http://download.eset...arikRemover.exe


Scan output of Norman TDSS Cleaner after running the tool:
Norman TDSS Cleaner
Version 1.9.2
Copyright © 1990 - 2010, Norman ASA. Built 2010/04/27 07:10:07

Norman Scanner Engine Version: 6.04.08
Nvcbin.def Version: 6.04.00, Date: 2010/04/27 07:10:07, Variants: 55720

Scan started: 10/05/2010 11:59:28

Running pre-scan cleanup routine:
Operating System: Microsoft Windows Vista 6.0.6002 Service Pack 2
Logged on user: Mystery\Mysterious


Running anti-TDSS module:

No TDSS infection detected

TDSS scan complete. Will now scan for related malware

Scanning bootsectors...

Number of sectors found: 1
Number of sectors scanned: 1
Number of sectors not scanned: 0
Number of infections found: 0
Number of infections removed: 0
Total scanning time: 0s 62ms


Scanning running processes and process memory...

Number of processes/threads found: 4722
Number of processes/threads scanned: 4722
Number of processes/threads not scanned: 0
Number of infected processes/threads terminated: 0
Total scanning time: 1m 1s


Scanning file system...

Scanning: prescan

Scanning: C:\Windows\system32\drivers\*

Scanning: postscan


Running post-scan cleanup routine:
Set TCP/IP autotuning to "normal" (or it was already "normal")

Number of files found: 418
Number of archives unpacked: 0
Number of files scanned: 418
Number of files not scanned: 0
Number of files skipped due to exclude list: 0
Number of infected files found: 0
Number of infected files repaired/deleted: 0
Number of infections removed: 0
Total scanning time: 15s

Edited by ingenioushax, 10 May 2010 - 01:13 PM.


#5 Rorschach112 (Retired Staff, 47,710 posts)
Don't you have the log from ESET?

#6 ingenioushax (Topic Starter, 15 posts)
Scan of operating memory (ESET scan):
Scan Log
Version of virus signature database: 5104 (20100511)
Date: 5/11/2010 Time: 11:28:34 AM
Scanned disks, folders and files: Operating memory
Number of scanned objects: 490
Number of threats found: 0
Time of completion: 11:28:58 AM Total scanning time: 24 sec (00:00:24)

Also, I no longer receive the threat alert pop-up window from ESET.

Edited by ingenioushax, 11 May 2010 - 12:30 PM.


#7 Rorschach112 (Retired Staff, 47,710 posts)
Do you want us to run any further scans, or are you happy your PC is fixed?

#8 ingenioushax (Topic Starter, 15 posts)
I'm pretty excited I got rid of the Win32/Olmarik trojan, but I would like to see if maybe some things are slipping past my antivirus... I have also run MalwareBytes and SUPERantiSpyware, both found nothing, as well as Outpost Firewall, a Nod full system scan/operating memory scan, and HijackThis, where nothing seems to be suspicious.

If you think there is something else I should use to scan, please let me know and I will do so. Just wanna make sure my laptop is in prime health... Nobody likes a sick puter.

Edited by ingenioushax, 11 May 2010 - 03:06 PM.


#9 Rorschach112 (Retired Staff, 47,710 posts)
No problem.

Download ComboFix here :

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Here is a guide on how to disable them

    Click me

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

#10 ingenioushax (Topic Starter, 15 posts)
Ok, I ran ComboFix.exe, and it wrecked my Windows... I can no longer get on Firefox, Control Panel, or use anything that relies on registers basically... It tells me that whatever I am trying to use, its registries are marked for deletion... Can't do a system restore because it says the same thing. (Currently booted into Ubuntu.) Here is my log file. {Note, it never asked me to load a Recovery Console.}

ComboFix 10-05-10.05 - Mysterious 05/11/2010  15:30:53.1.2 - x86

Microsoft® Windows Vista(tm) Darker Edition 2009   6.0.6002.2.1252.1.1033.18.1526.687 [GMT -7:00]

Running from: c:\users\Mysterious\Desktop\ComboFix.exe

AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

FW: Outpost Firewall Pro *disabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}

SP: ESET NOD32 Antivirus 3.0 *disabled* (Updated) {E5E70D32-0101-4B98-A4D6-D1D15C3BB448}

SP: Outpost Firewall Pro *disabled* (Updated) {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}

SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

.



(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))

.



c:\users\MYSTER~1\DOCUME~1\SYS

c:\windows\system32\6508795.dat

c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job

c:\windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job



.

(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))

.



-------\Service_iprip





(((((((((((((((((((((((((   Files Created from 2010-04-11 to 2010-05-11  )))))))))))))))))))))))))))))))

.



2099-12-31 22:02 . 2099-12-31 22:02	--------	d-----w-	c:\program files\7-Zip

2099-12-31 21:59 . 2099-12-31 21:59	--------	d-----w-	c:\program files\uTorrent

2099-12-31 21:59 . 2010-04-22 03:58	--------	d-----w-	c:\users\Mysterious\AppData\Roaming\uTorrent

2099-12-31 21:59 . 2010-04-22 03:58	--------	d-----w-	c:\users\MYSTER~1\AppData\Roaming\uTorrent

2010-05-11 22:37 . 2010-05-11 22:41	--------	d-----w-	c:\users\Mysterious\AppData\Local\temp

2010-05-11 22:37 . 2010-05-11 22:41	--------	d-----w-	c:\users\MYSTER~1\AppData\Local\temp

2010-05-11 22:37 . 2010-05-11 22:37	--------	d-----w-	c:\users\Default\AppData\Local\temp

2010-05-11 22:23 . 2010-05-11 22:23	--------	d-----w-	c:\users\Mysterious\AppData\Local\Yahoo!

2010-05-11 22:23 . 2010-05-11 22:23	--------	d-----w-	c:\users\MYSTER~1\AppData\Local\Yahoo!

2010-05-11 00:30 . 2010-05-11 00:30	--------	d-----w-	c:\program files\Common Files\Kodak

2010-05-11 00:29 . 2010-05-11 00:29	--------	d-----w-	c:\users\Mysterious\AppData\Local\Eastman_Kodak_Company

2010-05-11 00:29 . 2010-05-11 00:29	--------	d-----w-	c:\users\MYSTER~1\AppData\Local\Eastman_Kodak_Company

2010-05-11 00:28 . 2010-05-11 00:28	--------	d-----w-	c:\users\Mysterious\AppData\Local\Kodak

2010-05-11 00:28 . 2010-05-11 00:28	--------	d-----w-	c:\users\MYSTER~1\AppData\Local\Kodak

2010-05-11 00:21 . 2010-05-11 00:36	--------	d-----w-	c:\program files\Kodak

2010-05-11 00:07 . 2008-01-21 02:21	89600	----a-w-	c:\windows\system32\Spool\prtprocs\w32x86\HPZPPLHN.DLL

2010-05-10 20:54 . 2010-05-10 20:54	--------	d-----w-	c:\users\Mysterious\AppData\Local\Microsoft Corporation

2010-05-10 20:54 . 2010-05-10 20:54	--------	d-----w-	c:\users\MYSTER~1\AppData\Local\Microsoft Corporation

2010-05-10 20:47 . 2010-05-11 00:24	--------	d-----w-	c:\users\Mysterious\AppData\Local\Eastman Kodak Company

2010-05-10 20:47 . 2010-05-11 00:24	--------	d-----w-	c:\users\MYSTER~1\AppData\Local\Eastman Kodak Company

2010-05-10 18:19 . 2010-04-29 22:39	38224	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys

2010-05-10 18:19 . 2010-04-29 22:39	20952	----a-w-	c:\windows\system32\drivers\mbam.sys

2010-05-08 19:42 . 2010-05-08 19:57	--------	d-----w-	c:\users\Mysterious\AppData\Local\IceChat

2010-05-08 19:42 . 2010-05-08 19:57	--------	d-----w-	c:\users\MYSTER~1\AppData\Local\IceChat

2010-05-08 19:42 . 2010-05-08 19:42	--------	d-----w-	c:\program files\IceChat7

2010-05-07 21:56 . 2008-12-25 00:24	703904	----a-w-	c:\windows\system32\drivers\SandBox.sys

2010-05-07 21:55 . 2008-12-17 18:04	295960	----a-w-	c:\windows\system32\drivers\afwcore.sys

2010-05-07 21:53 . 2008-06-20 16:42	28688	----a-w-	c:\windows\system32\drivers\afw.sys

2010-05-07 21:53 . 2010-05-11 18:34	--------	d-----w-	c:\windows\system32\Filt

2010-05-07 21:53 . 2010-05-07 21:53	--------	d-----w-	c:\program files\Agnitum

2010-05-07 21:52 . 2010-05-07 21:52	--------	d-----w-	c:\programdata\Agnitum

2010-05-07 21:52 . 2008-03-03 21:25	5702	---ha-w-	c:\windows\nod32restoretemdono.reg

2010-05-07 20:36 . 2010-05-07 21:40	--------	d-----w-	c:\programdata\BitDefender

2010-05-07 20:36 . 2010-05-07 20:37	--------	d-----w-	c:\users\Mysterious\AppData\Roaming\BitDefender

2010-05-07 20:36 . 2010-05-07 20:37	--------	d-----w-	c:\users\MYSTER~1\AppData\Roaming\BitDefender

2010-05-07 20:36 . 2010-05-07 20:36	--------	d-----w-	c:\program files\BitDefender

2010-05-07 20:35 . 2010-05-07 21:40	--------	d-----w-	c:\program files\Common Files\BitDefender

2010-05-07 20:24 . 2010-05-07 20:24	--------	d-----w-	c:\users\Mysterious\AppData\Roaming\TrojanHunter

2010-05-07 20:24 . 2010-05-07 20:24	--------	d-----w-	c:\users\MYSTER~1\AppData\Roaming\TrojanHunter

2010-05-07 18:57 . 2010-05-07 21:41	--------	d-----w-	c:\program files\TrojanHunter 5.3

2010-05-07 18:15 . 2010-05-07 18:15	--------	d-----w-	c:\users\Mysterious\AppData\Roaming\Webroot

2010-05-07 18:15 . 2010-05-07 18:15	--------	d-----w-	c:\users\MYSTER~1\AppData\Roaming\Webroot

2010-05-07 06:39 . 2010-05-07 06:39	--------	d-----w-	c:\users\Mysterious\AppData\Local\Plugins

2010-05-07 06:39 . 2010-05-07 06:39	--------	d-----w-	c:\users\MYSTER~1\AppData\Local\Plugins

2010-05-07 05:46 . 2010-05-10 04:03	--------	d-----w-	c:\users\Public\Public Files

2010-05-06 20:10 . 2010-05-06 20:10	--------	d-----w-	c:\programdata\Geek Squad

2010-05-01 04:16 . 2010-05-01 04:16	--------	d-----w-	c:\program files\AIM

2010-05-01 04:16 . 2010-05-01 04:16	--------	d-----w-	c:\program files\Common Files\Software Update Utility

2010-04-28 03:58 . 2010-04-28 03:58	--------	d-----w-	c:\users\Mysterious\.argouml

2010-04-28 03:58 . 2010-04-28 03:58	--------	d-----w-	c:\program files\ArgoUML

2010-04-19 19:19 . 2010-04-19 19:19	--------	d-----w-	c:\users\Mysterious\AppData\Local\Songbird2

2010-04-19 19:19 . 2010-04-19 19:19	--------	d-----w-	c:\users\MYSTER~1\AppData\Local\Songbird2

2010-04-19 19:19 . 2010-04-19 19:19	--------	d-----w-	c:\users\Mysterious\AppData\Roaming\Songbird2

2010-04-19 19:19 . 2010-04-19 19:19	--------	d-----w-	c:\users\MYSTER~1\AppData\Roaming\Songbird2

2010-04-19 19:19 . 2009-12-23 11:03	15664	----a-w-	c:\windows\system32\drivers\GEARAspiWDM.sys

2010-04-19 19:19 . 2009-12-23 11:03	109360	----a-w-	c:\windows\system32\GEARAspi.dll

2010-04-19 19:19 . 2010-04-30 04:52	--------	d-----w-	c:\program files\Songbird

2010-04-15 05:45 . 2010-04-15 05:45	--------	d-----w-	c:\program files\Common Files\Java

2010-04-15 05:45 . 2010-04-15 05:44	411368	----a-w-	c:\windows\system32\deployJava1.dll

2010-04-15 05:44 . 2010-04-15 05:44	--------	d-----w-	c:\program files\Java

2010-04-13 19:50 . 2010-04-13 19:50	--------	d-----w-	c:\users\Mysterious\AppData\Local\SqliColCount

2010-04-13 19:50 . 2010-04-13 19:50	--------	d-----w-	c:\users\MYSTER~1\AppData\Local\SqliColCount



.

((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-05-11 00:36 . 2010-03-05 22:14	--------	d-----w-	c:\programdata\Kodak

2010-05-11 00:30 . 2010-05-11 00:30	135168	----a-w-	c:\programdata\Kodak\EasyShareSetup\ess\netbrdg\brdg_r.exe

2010-05-11 00:30 . 2010-05-11 00:30	1187840	----a-w-	c:\programdata\Kodak\EasyShareSetup\$SETUP_320002_3d0500\EasyShrx.Dll

2010-05-11 00:30 . 2010-05-11 00:30	114688	----a-w-	c:\programdata\Kodak\EasyShareSetup\$Registration\KodakCameraAPI_7.6.20.1.dll

2010-05-11 00:15 . 2010-05-11 00:15	1187840	----a-w-	c:\programdata\Kodak\EasyShareSetup\$SETUP_320002_2efbdc\EasyShrx.Dll

2010-05-11 00:14 . 2010-05-11 00:14	114688	----a-w-	c:\programdata\Kodak\EasyShareSetup\$Registration\KodakCameraAPI_7.8.50.2.dll

2010-05-10 18:49 . 2009-04-11 13:18	19944	----a-w-	c:\windows\system32\drivers\atapi.sys

2010-05-10 18:19 . 2010-03-03 22:41	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware

2010-05-10 15:19 . 2010-03-21 22:59	--------	d-----w-	c:\program files\ESET

2010-05-10 15:05 . 2010-03-21 23:39	117760	----a-w-	c:\users\Mysterious\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-05-10 15:00 . 2010-03-21 23:38	--------	d-----w-	c:\program files\SUPERAntiSpyware

2010-05-09 01:34 . 2010-03-05 20:51	1	----a-w-	c:\users\Mysterious\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys

2010-05-01 04:16 . 2010-03-04 01:23	--------	d-----w-	c:\program files\Common Files\AOL

2010-04-22 04:22 . 2010-03-09 07:52	--------	d-----w-	c:\users\Mysterious\AppData\Roaming\vlc

2010-04-22 04:22 . 2010-03-09 07:52	--------	d-----w-	c:\users\MYSTER~1\AppData\Roaming\vlc

2010-04-13 19:30 . 2010-03-03 23:14	--------	d-----w-	c:\programdata\AutoHideIP

2010-04-08 19:34 . 2010-03-22 02:38	--------	d-----w-	c:\program files\Unlocker

2010-04-08 06:49 . 2010-04-08 06:49	720896	----a-w-	c:\windows\iun6002.exe

2010-04-08 06:30 . 2010-04-08 06:30	--------	d-----w-	c:\users\Mysterious\AppData\Roaming\Uniblue

2010-04-08 06:30 . 2010-04-08 06:30	--------	d-----w-	c:\users\MYSTER~1\AppData\Roaming\Uniblue

2010-04-08 03:30 . 2010-04-08 03:30	--------	d-----w-	c:\program files\Acunetix

2010-03-31 01:55 . 2010-03-31 01:55	--------	d-----w-	c:\program files\Paros

2010-03-29 18:12 . 2010-03-29 16:41	--------	d-----w-	c:\users\Mysterious\AppData\Roaming\Wireshark

2010-03-29 18:12 . 2010-03-29 16:41	--------	d-----w-	c:\users\MYSTER~1\AppData\Roaming\Wireshark

2010-03-29 16:26 . 2010-03-29 16:26	--------	d-----w-	c:\program files\Wireshark

2010-03-29 16:26 . 2010-03-05 17:04	--------	d-----w-	c:\program files\WinPcap

2010-03-26 06:45 . 2010-03-26 06:45	--------	d-----w-	c:\program files\Sun

2010-03-26 06:33 . 2010-03-23 06:04	165232	---ha-w-	c:\users\Mysterious\AppData\Roaming\Microsoft\Virtual PC\VPCKeyboard.dll

2010-03-26 03:06 . 2010-03-26 03:06	99728	----a-w-	c:\windows\system32\drivers\VBoxNetAdp.sys

2010-03-26 03:06 . 2010-03-26 06:46	123856	----a-w-	c:\windows\system32\drivers\VBoxDrv.sys

2010-03-26 03:06 . 2010-03-26 06:46	41680	----a-w-	c:\windows\system32\drivers\VBoxUSBMon.sys

2010-03-26 03:06 . 2010-03-26 03:06	133648	----a-w-	c:\windows\system32\VBoxNetFltNotify.dll

2010-03-26 03:06 . 2010-03-26 03:06	110608	----a-w-	c:\windows\system32\drivers\VBoxNetFlt.sys

2010-03-23 06:01 . 2010-03-23 06:01	--------	d-----w-	c:\program files\Microsoft Virtual PC

2010-03-23 02:02 . 2010-03-23 00:57	--------	d-----w-	c:\users\Mysterious\AppData\Roaming\Download Manager

2010-03-23 02:02 . 2010-03-23 00:57	--------	d-----w-	c:\users\MYSTER~1\AppData\Roaming\Download Manager

2010-03-22 05:10 . 2010-03-08 15:51	--------	d-----w-	c:\users\Mysterious\AppData\Roaming\ImgBurn

2010-03-22 05:10 . 2010-03-08 15:51	--------	d-----w-	c:\users\MYSTER~1\AppData\Roaming\ImgBurn

2010-03-22 03:46 . 2010-03-22 03:46	77824	----a-w-	c:\users\Mysterious\AppData\Roaming\XMind\configuration-cathy\org.eclipse.osgi\bundles\178\1\.cp\swt-gdip-win32-3555.dll

2010-03-22 03:46 . 2010-03-22 03:46	--------	d-----w-	c:\users\Mysterious\AppData\Roaming\XMind

2010-03-22 03:46 . 2010-03-22 03:46	--------	d-----w-	c:\users\MYSTER~1\AppData\Roaming\XMind

2010-03-22 03:46 . 2010-03-22 03:46	348160	----a-w-	c:\users\Mysterious\AppData\Roaming\XMind\configuration-cathy\org.eclipse.osgi\bundles\178\1\.cp\swt-win32-3555.dll

2010-03-22 03:05 . 2010-03-22 03:02	--------	d-----w-	c:\programdata\Sophos

2010-03-22 03:02 . 2010-03-22 03:02	--------	d-----w-	c:\program files\Sophos

2010-03-22 03:01 . 2010-03-03 22:54	--------	d-----w-	c:\program files\Microsoft SQL Server

2010-03-21 23:43 . 2010-03-21 23:27	--------	d-----w-	c:\program files\Spybot - Search & Destroy

2010-03-21 23:43 . 2010-03-21 23:27	--------	d-----w-	c:\programdata\Spybot - Search & Destroy

2010-03-21 23:39 . 2010-03-21 23:39	52224	----a-w-	c:\users\Mysterious\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2010-03-21 23:38 . 2010-03-21 23:38	--------	d-----w-	c:\programdata\SUPERAntiSpyware.com

2010-03-21 23:38 . 2010-03-21 23:38	--------	d-----w-	c:\users\Mysterious\AppData\Roaming\SUPERAntiSpyware.com

2010-03-21 23:38 . 2010-03-21 23:38	--------	d-----w-	c:\users\MYSTER~1\AppData\Roaming\SUPERAntiSpyware.com

2010-03-21 23:37 . 2010-03-21 23:37	--------	d-----w-	c:\program files\Common Files\Wise Installation Wizard

2010-03-21 22:39 . 2010-03-21 22:39	--------	d-----w-	c:\program files\TrendMicro

2010-03-21 20:43 . 2010-03-21 20:43	--------	d-----w-	c:\program files\Immunity Inc

2010-03-21 20:24 . 2010-03-21 20:24	253648	------w-	c:\windows\Setup1.exe

2010-03-21 20:24 . 2010-03-21 20:24	77016	----a-w-	c:\windows\ST6UNST.EXE

2010-03-09 23:09 . 2010-03-03 21:10	53992	----a-w-	c:\users\Mysterious\AppData\Local\GDIPFONTCACHEV1.DAT

2010-03-09 23:09 . 2010-03-03 21:10	53992	----a-w-	c:\users\MYSTER~1\AppData\Local\GDIPFONTCACHEV1.DAT

2010-03-08 01:13 . 2010-03-08 01:13	4096	----a-w-	c:\windows\system32\33416.sys

2010-03-04 19:56 . 2010-03-04 19:56	86016	----a-w-	c:\programdata\NOS\Adobe_Downloads\arh.exe

2010-03-04 01:21 . 2010-03-04 01:21	1691	----a-w-	c:\users\Mysterious\AppData\Roaming\.purple\certificates\x509\tls_peers\api.screenname.aol.com

2010-03-03 22:54 . 2010-03-03 22:54	112640	----a-w-	c:\programdata\Microsoft\VCExpress\9.0\1033\ResourceCache.dll

2010-03-03 22:53 . 2010-03-03 22:53	416	----a-w-	c:\programdata\Microsoft\MSDN\9.0\1033\ResourceCache.dll

2010-03-03 21:14 . 2010-03-03 21:14	0	----a-w-	c:\windows\nsreg.dat

.



------- Sigcheck -------



[-] 2009-05-30 . 3E549C4703848F9F544BB5EBE2A5F4D9 . 247296 . . [6.0.6000.16386] . . c:\windows\System32\shsvcs.dll

.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown 

REGEDIT4



[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Aim"="c:\program files\AIM\aim.exe" [2010-03-08 3972440]



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-03-05 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-03-05 173592]

"Persistence"="c:\windows\system32\igfxpers.exe" [2009-03-05 150552]

"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-04-27 7432736]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-07-01 1447168]

"OutpostMonitor"="c:\progra~1\Agnitum\OUTPOS~1\op_mon.exe" [2008-12-26 1227080]

"OutpostFeedBack"="c:\program files\Agnitum\Outpost Firewall Pro\feedback.exe" [2008-12-26 432968]

"Conime"="c:\windows\system32\conime.exe" [2009-04-11 69120]



[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 0 (0x0)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)



[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSMBalloonTip"= 1 (0x1)



[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]



[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 21:21	548352	----a-w-	c:\program files\SUPERAntiSpyware\SASWINLO.dll



[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv



[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]

"VistaSp2"=hex(b):18,aa,f7,f7,a9,ba,c9,01



[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2472071388-659949280-783705479-1000]

"EnableNotificationsRef"=dword:00000001



R2 TimerStop;TimerStop;c:\windows\system32\TimerStop.sys [x]

R3 ASWFilt;ASWFilt;c:\windows\system32\Filt\ASWFilt.dll [2008-12-25 34080]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-02-17 12872]

R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2008-07-11 47128]

R4 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [2007-10-18 143360]

R4 RsFx0102;RsFx0102 Driver;c:\windows\system32\DRIVERS\RsFx0102.sys [2008-07-10 242712]

R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2008-07-11 369688]

S1 afw;Agnitum Firewall Driver;c:\windows\system32\DRIVERS\afw.sys [2008-06-20 28688]

S1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2008-07-01 34312]

S1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [2008-12-25 703904]

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]

S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-02-17 66632]

S1 VBoxDrv;VirtualBox Service;c:\windows\system32\DRIVERS\VBoxDrv.sys [2010-03-26 123856]

S1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\DRIVERS\VBoxUSBMon.sys [2010-03-26 41680]

S2 33416;33416;c:\windows\System32\33416.sys [2010-03-08 4096]

S2 acssrv;Agnitum Client Security Service;c:\progra~1\Agnitum\OUTPOS~1\acs.exe [2008-12-26 1267016]

S2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-07-01 468224]

S2 MSSQL$SOPHOS;SQL Server (SOPHOS);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2007-02-10 29178224]

S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]

S3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [2008-12-17 295960]

S3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2009-03-04 4232704]

S3 PsxDrv;PsxDrv;c:\windows\system32\drivers\psxdrv.sys [2008-01-21 9216]

S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\DRIVERS\VBoxNetAdp.sys [2010-03-26 99728]

S3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys [2010-03-26 110608]





[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

ipripsvc	REG_MULTI_SZ   	iprip

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyServer = http=

FF - ProfilePath - c:\users\MYSTER~1\AppData\Roaming\Mozilla\Firefox\Profiles\2t6ftp25.default\

FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeploytk.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnu.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npnul32.dll

FF - plugin: c:\users\Mysterious\AppData\Local\Yahoo!\BrowserPlus\2.7.1\Plugins\npybrowserplus_2.7.1.dll



---- FIREFOX POLICIES ----

FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\users\Mysterious\Desktop\FireFox 2.0\greprefs\all.js - pref("ui.allow_platform_file_picker", true);

c:\users\Mysterious\Desktop\FireFox 2.0\greprefs\all.js - pref("network.cookie.p3plevel",			 1); // 0=low, 1=medium, 2=high, 3=custom

c:\users\Mysterious\Desktop\FireFox 2.0\greprefs\all.js - pref("network.enablePad",				   false); // Allow client to do proxy autodiscovery

c:\users\Mysterious\Desktop\FireFox 2.0\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");

c:\users\Mysterious\Desktop\FireFox 2.0\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom",  "chrome://branding/content/searchconfig.properties");

c:\users\Mysterious\Desktop\FireFox 2.0\defaults\pref\firefox.js - pref("signon.prefillForms",				 true);

c:\users\Mysterious\Desktop\FireFox 2.0\defaults\pref\firefox.js - pref("browser.safebrowsing.enabled", false);

c:\users\Mysterious\Desktop\FireFox 2.0\defaults\pref\firefox.js - pref("browser.safebrowsing.remoteLookups", false);

c:\users\Mysterious\Desktop\FireFox 2.0\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.updateURL", "http://sb.google.com/safebrowsing/update?client={moz:client}&appver={moz:version}&");

c:\users\Mysterious\Desktop\FireFox 2.0\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.lookupURL", "http://sb.google.com/safebrowsing/lookup?sourceid=firefox-antiphish&features=TrustRank&client={moz:client}&appver={moz:version}&");

c:\users\Mysterious\Desktop\FireFox 2.0\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.reportURL", "http://sb.google.com/safebrowsing/report?");

.



**************************************************************************



catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-05-11 15:42

Windows 6.0.6002 Service Pack 2 NTFS



scanning hidden processes ...  



scanning hidden autostart entries ... 



scanning hidden files ...  



scan completed successfully

hidden files: 0



**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------



[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

"MSCurrentCountry"=dword:000000b5

.

--------------------- DLLs Loaded Under Running Processes ---------------------



- - - - - - - > 'Explorer.exe'(2116)

c:\program files\Microsoft Virtual PC\VPCShExH.DLL

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\psxss.exe

c:\windows\system32\igfxsrvc.exe

c:\program files\Agnitum\Outpost Firewall Pro\op_mon.exe

c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe

c:\windows\System32\tcpsvcs.exe

c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe

c:\\?\c:\windows\system32\wbem\WMIADAP.EXE

.

**************************************************************************

.

Completion time: 2010-05-11  15:47:00 - machine was rebooted

ComboFix-quarantined-files.txt  2010-05-11 22:46



Pre-Run: 69,501,267,968 bytes free

Post-Run: 69,078,032,384 bytes free



- - End Of File - - EA0E0F4D6604368B0D6A832E9600463B

Edited by ingenioushax, 11 May 2010 - 05:10 PM.

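A small triage helper for the ComboFix log posted above, added here as an example; it is not ComboFix's code nor anything from this thread. It assumes the line shapes visible in the log: `FLAG Name;Display;Path [date size]` for the services list, with `[x]` taken to mean ComboFix could not find the binary, and `"Key"= value (0xN)` for policy values; the sample lines are copied from the log and the heuristics only pick entries worth a closer look, they are not verdicts.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: lines copied from the ComboFix log posted above, in its
# "Drivers/Services" shape  FLAG Name;Display;Path [date size]; "[x]" is read
# here as "binary not found on disk" (an assumption about the format).
SAMPLE_SERVICES = r"""
R2 TimerStop;TimerStop;c:\windows\system32\TimerStop.sys [x]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-02-17 12872]
S1 VBoxDrv;VirtualBox Service;c:\windows\system32\DRIVERS\VBoxDrv.sys [2010-03-26 123856]
S2 33416;33416;c:\windows\System32\33416.sys [2010-03-08 4096]
S2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-07-01 468224]
"""

# Constructed sample: policy values from the same log, shape  "Key"= value (0xN)
SAMPLE_POLICIES = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"""

SERVICE_RE = re.compile(
    r'^(?P<flag>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);'
    r'(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]$'
)
POLICY_RE = re.compile(r'^"(?P<key>[^"]+)"=\s*(?P<val>\d+)\s*\(0x[0-9a-fA-F]+\)$')

# Policy values that weaken the machine's defences when set to 0.
WEAK_WHEN_ZERO = {
    "EnableLUA": "UAC disabled",
    "ConsentPromptBehaviorAdmin": "administrators elevate without a prompt",
}


@dataclass
class ServiceEntry:
    flag: str       # e.g. R2 / S2 (R/S read as running/stopped; an assumption)
    name: str
    display: str
    path: str
    date: Optional[str]
    size: Optional[int]
    missing: bool   # True when the log showed "[x]" instead of date and size


def parse_services(text: str) -> List[ServiceEntry]:
    """Parse the service/driver lines; headers and registry keys are skipped."""
    entries: List[ServiceEntry] = []
    for raw in text.splitlines():
        m = SERVICE_RE.match(raw.strip())
        if not m:
            continue
        meta = m.group("meta").strip()
        parts = meta.split()
        missing = meta == "x"
        date = parts[0] if parts and not missing else None
        size = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
        entries.append(ServiceEntry(m.group("flag"), m.group("name"),
                                    m.group("display"), m.group("path"),
                                    date, size, missing))
    return entries


def review_service(e: ServiceEntry) -> List[str]:
    """Heuristic reasons to look closer at an entry; none of them is a verdict."""
    reasons: List[str] = []
    filename = e.path.replace("\\", "/").rsplit("/", 1)[-1]
    stem = filename.rsplit(".", 1)[0]
    if e.missing:
        reasons.append("binary not found on disk")
    if stem.isdigit():
        reasons.append("all-digit file name")
    if "system32" in e.path.lower() and e.size is not None and e.size <= 4096:
        reasons.append("tiny (<= 4 KiB) image under system32")
    return reasons


def triage_services(text: str) -> Dict[str, List[str]]:
    """Map service name -> reasons, for entries with at least one reason."""
    flagged: Dict[str, List[str]] = {}
    for entry in parse_services(text):
        reasons = review_service(entry)
        if reasons:
            flagged[entry.name] = reasons
    return flagged


def weak_policies(text: str) -> Dict[str, str]:
    """Return watched policy keys whose value is 0, with what that means."""
    found: Dict[str, str] = {}
    for raw in text.splitlines():
        m = POLICY_RE.match(raw.strip())
        if m and m.group("key") in WEAK_WHEN_ZERO and int(m.group("val")) == 0:
            found[m.group("key")] = WEAK_WHEN_ZERO[m.group("key")]
    return found
```

Run `triage_services(SAMPLE_SERVICES)` and `weak_policies(SAMPLE_POLICIES)` on the samples, or feed them the corresponding sections of a saved ComboFix.txt; a flagged entry is only a prompt to check the file (hash lookup, signature, size) the way the thread does for shsvcs.dll.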

#11 Rorschach112 (Retired Staff, 47,710 posts)
Can you reboot the machine a few times? That message should go.

#12 ingenioushax (Topic Starter, 15 posts)
Alright, I will try and reboot a few times. I will be back in just a few moments.

#13 ingenioushax (Topic Starter, 15 posts)
Ok, :) everything works fine now. :) :) :)... So, anything in the log file you see that's bad?

EDIT:: Or any other steps I should follow to ensure the bads are out and goods are in?

Edited by ingenioushax, 11 May 2010 - 06:45 PM.


#14 Rorschach112 (Retired Staff, 47,710 posts)
One more scan:

  • Make sure to use Internet Explorer for this
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:

    • c:\windows\System32\shsvcs.dll
  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.


#15 ingenioushax (Topic Starter, 15 posts)
VirSCAN.org Scanned Report :
Scanned time : 2010/05/12 13:19:02 (PDT)
Scanner results: Scanners did not find malware!
File Name : shsvcs.dll
File Size : 247296 byte
File Type : PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bi
MD5 : 3e549c4703848f9f544bb5ebe2a5f4d9
SHA1 : 47b75776ea55cf5acf1c04f6fdbb20182c410269
Online report : http://virscan.org/r...2947c6af01.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20100508053127 2010-05-08 0.63 -
AhnLab V3 2010.05.13.00 2010.05.13 2010-05-13 1.11 -
AntiVir 8.2.1.242 7.10.7.96 2010-05-12 0.25 -
Antiy 2.0.18 20100512.4357690 2010-05-12 0.12 -
Arcavir 2009 201005121519 2010-05-12 0.06 -
Authentium 5.1.1 201005121532 2010-05-12 1.62 -
AVAST! 4.7.4 100512-1 2010-05-12 0.02 -
AVG 8.5.793 271.1.1/2869 2010-05-12 0.25 -
BitDefender 7.81008.5874512 7.31633 2010-05-13 3.72 -
ClamAV 0.95.3 10996 2010-05-13 0.06 -
Comodo 3.13.579 4828 2010-05-12 0.97 -
CP Secure 1.3.0.5 2010.05.13 2010-05-13 0.08 -
Dr.Web 5.0.2.3300 2010.05.13 2010-05-13 7.10 -
F-Prot 4.4.4.56 20100512 2010-05-12 1.56 -
F-Secure 7.02.73807 2010.05.12.05 2010-05-12 0.14 -
Fortinet 4.0.14 11.931 2010-05-12 0.14 -
GData 21.140/21.48 20100512 2010-05-12 7.13 -
ViRobot 20100512 2010.05.12 2010-05-12 0.41 -
Ikarus T3.1.01.84 2010.05.12.75846 2010-05-12 6.37 -
JiangMin 13.0.900 2010.05.11 2010-05-11 1.21 -
Kaspersky 5.5.10 2010.05.12 2010-05-12 0.08 -
KingSoft 2009.2.5.15 2010.5.12.19 2010-05-12 0.64 -
McAfee 5400.1158 5980 2010-05-12 0.02 -
Microsoft 1.5703 2010.05.12 2010-05-12 6.92 -
Norman 6.04.12 6.04.00 2010-05-12 6.01 -
Panda 9.05.01 2010.05.12 2010-05-12 1.97 -
Trend Micro 9.120-1004 7.162.16 2010-05-12 0.03 -
Quick Heal 10.00 2010.05.12 2010-05-12 1.68 -
Rising 20.0 22.47.02.04 2010-05-12 1.18 -
Sophos 3.07.1 4.53 2010-05-13 3.27 -
Sunbelt 3.9.2421.2 6294 2010-05-12 6.54 -
Symantec 1.3.0.24 20100512.005 2010-05-12 0.07 -
nProtect 20100512.01 8245011 2010-05-12 8.01 -
The Hacker 6.5.2.0 v00278 2010-05-09 0.38 -
VBA32 3.12.12.4 20100511.2022 2010-05-11 2.58 -
VirusBuster 4.5.11.10 10.126.27/1999201 2010-05-12 2.47 -