Help! I have Malware!



#1 Atropos (New Member, 2 posts)
Avast notified me of an infection about 5 hours ago, but seemed unable to quarantine the file or delete it.

Shortly afterwards my Google results were hijacked.

I ran another Avast scan with the same non-result, then installed and ran MBAM (couldn't get it to update).

Now my results are no longer being hijacked – I simply cannot connect to anything except Google. Nothing else.

I have also tried to run System Restore without success.

I have no idea of the source of the infection.

Can anyone help? Thanks in advance.



OTL Log below:

_______

OTL logfile created on: 30/03/2011 18:59:59 - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Tanya\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1,014.00 Mb Total Physical Memory | 576.00 Mb Available Physical Memory | 57.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 86.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 71.04 Gb Total Space | 1.82 Gb Free Space | 2.56% Space Free | Partition Type: NTFS
Drive D: | 72.00 Gb Total Space | 71.73 Gb Free Space | 99.63% Space Free | Partition Type: NTFS
Drive E: | 245.73 Mb Total Space | 191.98 Mb Free Space | 78.13% Space Free | Partition Type: FAT

Computer Name: SHARPE | User Name: Tanya | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/03/30 18:56:28 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Tanya\Desktop\OTL.exe
PRC - [2011/03/21 10:03:12 | 000,069,632 | ---- | M] (Osiris Development) -- C:\Program Files\BatteryBar\BatteryBar.exe
PRC - [2011/02/23 15:04:20 | 003,451,496 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
PRC - [2011/02/23 15:04:19 | 000,042,184 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2011/02/07 18:06:30 | 003,600,184 | ---- | M] (Mozy, Inc.) -- C:\Program Files\MozyHome\mozystat.exe
PRC - [2009/06/16 08:58:08 | 000,389,120 | ---- | M] (FruitfulTime ®) -- C:\Program Files\FruitfulTime\FruitfulTime NoteKeeper\FruitfulTime NoteKeeper.exe
PRC - [2008/10/07 03:07:26 | 000,679,936 | ---- | M] (SAMSUNG Electronics) -- C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe
PRC - [2008/04/14 13:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/12/21 05:40:30 | 000,659,456 | ---- | M] (Samsung Electronics,.LTD) -- C:\Program Files\Samsung\Samsung EDS\EDSAgent.exe


========== Modules (SafeList) ==========

MOD - [2011/03/30 18:56:28 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Tanya\Desktop\OTL.exe
MOD - [2011/02/23 15:04:17 | 000,197,208 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\snxhk.dll
MOD - [2010/08/23 17:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2008/04/14 13:00:00 | 001,384,479 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msvbvm60.dll
MOD - [2008/04/14 13:00:00 | 000,367,616 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\dsound.dll
MOD - [2008/04/14 13:00:00 | 000,121,344 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msvfw32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (EzEITService)
SRV - File not found [Auto | Stopped] -- -- (EITUACService)
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2011/02/23 15:04:19 | 000,042,184 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2008/05/13 17:44:00 | 000,077,480 | ---- | M] () [Auto | Stopped] -- C:\Program Files\Samsung\Samsung Update Plus\SLUBackgroundService.exe -- (Samsung Update Plus)
SRV - [2008/04/14 13:00:00 | 000,105,472 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\p2pgasvc.dll -- (p2pgasvc)
SRV - [2008/04/14 13:00:00 | 000,035,328 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\iprip.dll -- (Iprip)


========== Driver Services (SafeList) ==========

DRV - [2011/02/23 14:56:55 | 000,371,544 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2011/02/23 14:56:45 | 000,301,528 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2011/02/23 14:55:49 | 000,049,240 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2011/02/23 14:55:47 | 000,102,232 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2011/02/23 14:55:10 | 000,025,432 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2011/02/23 14:54:57 | 000,030,680 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2011/02/23 14:54:55 | 000,019,544 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2010/02/11 13:02:15 | 000,226,880 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tcpip6.sys -- (Tcpip6)
DRV - [2008/11/07 10:04:00 | 000,291,328 | ---- | M] (Marvell) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)
DRV - [2008/10/08 07:35:10 | 001,334,432 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\athw.sys -- (AR5416)
DRV - [2008/09/23 21:23:58 | 000,238,464 | ---- | M] (Vimicro Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\VMC326.sys -- (VMC326)
DRV - [2008/08/27 00:35:00 | 004,753,920 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/01/15 04:01:02 | 000,030,208 | ---- | M] (Samsung Electronics,.LTD) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SamsungEDS.SYS -- (DNSeFilter)
DRV - [2007/09/05 12:04:34 | 000,079,408 | ---- | M] (PACE Anti-Piracy, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\TPkd.sys -- (TPkd)
DRV - [2005/10/27 05:18:05 | 000,004,300 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\MEMIO.SYS -- (DOSMEMIO)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co...=SMSN&bmod=SMSN
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co...=SMSN&bmod=SMSN
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co...=SMSN&bmod=SMSN
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.weightwat...nkToFoodTracker
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.co.uk/"
FF - prefs.js..extensions.enabledItems: [email protected]:9.2
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {5384767E-00D9-40E9-B72F-9CC39D655D6F}:1.4.1.0

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/03/29 13:04:40 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/03/29 13:04:40 | 000,000,000 | ---D | M]

[2010/09/06 19:41:56 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Tanya\Application Data\Mozilla\Extensions
[2010/09/06 19:41:56 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Tanya\Application Data\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2011/03/30 06:39:45 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Tanya\Application Data\Mozilla\Firefox\Profiles\nvb02gxk.default\extensions
[2010/10/13 10:49:13 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Tanya\Application Data\Mozilla\Firefox\Profiles\nvb02gxk.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/02/18 20:50:23 | 000,000,000 | ---D | M] (EPUBReader) -- C:\Documents and Settings\Tanya\Application Data\Mozilla\Firefox\Profiles\nvb02gxk.default\extensions\{5384767E-00D9-40E9-B72F-9CC39D655D6F}
[2011/01/29 10:59:09 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Tanya\Application Data\Mozilla\Firefox\Profiles\nvb02gxk.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}(2)
[2011/03/25 22:56:48 | 000,000,000 | ---D | M] (LiveJournal Addons) -- C:\Documents and Settings\Tanya\Application Data\Mozilla\Firefox\Profiles\nvb02gxk.default\extensions\[email protected]
[2011/03/30 06:39:45 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/09/07 14:30:02 | 000,000,000 | ---D | M] (Skype extension for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
[2010/10/30 12:38:09 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/10/30 12:37:39 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2010/10/30 12:37:37 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2010/07/23 01:29:54 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2010/07/23 01:29:54 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2010/07/23 01:29:54 | 000,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2010/07/23 01:29:54 | 000,001,135 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2008/04/14 13:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Skype add-on for Internet Explorer) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [DMHotKey] C:\Program Files\Samsung\Easy Display Manager\DMLoader.exe (SAMSUNG Electronics)
O4 - HKLM..\Run: [EDS] C:\Program Files\Samsung\Samsung EDS\EDSAgent.exe (Samsung Electronics,.LTD)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MozyHome Status.lnk = C:\Program Files\MozyHome\mozystat.exe (Mozy, Inc.)
O4 - Startup: C:\Documents and Settings\Tanya\Start Menu\Programs\Startup\BatteryBar.lnk = C:\Program Files\BatteryBar\BatteryBar.exe (Osiris Development)
O4 - Startup: C:\Documents and Settings\Tanya\Start Menu\Programs\Startup\FruitfulTime NoteKeeper.lnk = C:\Program Files\FruitfulTime\FruitfulTime NoteKeeper\FruitfulTime NoteKeeper.exe (FruitfulTime ®)
O4 - Startup: C:\Documents and Settings\Tanya\Start Menu\Programs\Startup\Movie Magic Screenwriter 6 (2).lnk = C:\Program Files\Write Brothers, Inc\Movie Magic Screenwriter 6\scwriter32.exe (Write Brothers, Inc)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000006 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.0.1.1
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {EDB0E980-90BD-11D4-8599-0008C7D3B6F8} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/04/02 02:55:40 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{7593f051-b9e2-11df-a6c7-001377fc35ce}\Shell - "" = AutoRun
O33 - MountPoints2\{7593f051-b9e2-11df-a6c7-001377fc35ce}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{7593f051-b9e2-11df-a6c7-001377fc35ce}\Shell\AutoRun\command - "" = E:\SETUP.EXE
O33 - MountPoints2\{7593f051-b9e2-11df-a6c7-001377fc35ce}\Shell\configure\command - "" = E:\SETUP.EXE
O33 - MountPoints2\{7593f051-b9e2-11df-a6c7-001377fc35ce}\Shell\install\command - "" = E:\SETUP.EXE
O33 - MountPoints2\{bcba528d-cbf6-11df-a6f6-0024d29367cc}\Shell - "" = AutoRun
O33 - MountPoints2\{bcba528d-cbf6-11df-a6f6-0024d29367cc}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{bcba528d-cbf6-11df-a6f6-0024d29367cc}\Shell\AutoRun\command - "" = E:\install.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/03/30 18:59:36 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Tanya\Desktop\OTL.exe
[2011/03/30 18:35:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/03/30 16:23:51 | 000,371,544 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSnx.sys
[2011/03/30 15:32:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tanya\Application Data\Malwarebytes
[2011/03/30 15:29:54 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/03/30 15:29:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/03/30 15:29:47 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/03/30 15:29:47 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/03/29 13:21:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\iTunes
[2011/03/29 13:19:47 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2011/03/29 13:19:42 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2011/03/29 13:14:38 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2011/03/29 13:13:14 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2011/03/29 13:04:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\QuickTime
[2011/03/29 13:03:57 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2011/03/27 07:46:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tanya\My Documents\Screenwriter Documents
[2011/03/05 11:15:23 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Tanya\Recent
[2011/03/05 07:49:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\VideoLAN
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/03/30 18:56:28 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Tanya\Desktop\OTL.exe
[2011/03/30 18:54:30 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/03/30 18:43:21 | 000,000,878 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/03/30 18:42:58 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/03/30 16:23:51 | 000,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2011/03/30 15:29:55 | 000,000,802 | ---- | M] () -- C:\Documents and Settings\Tanya\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk
[2011/03/30 15:29:55 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/03/30 14:27:42 | 000,006,184 | ---- | M] () -- C:\WINDOWS\mozy.flt
[2011/03/30 14:27:42 | 000,004,328 | ---- | M] () -- C:\WINDOWS\mozy.blk
[2011/03/29 12:59:02 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/03/28 13:24:11 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/03/27 07:48:08 | 000,531,930 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/03/27 07:48:08 | 000,093,656 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/03/27 07:47:35 | 000,001,592 | ---- | M] () -- C:\Documents and Settings\Tanya\Start Menu\Programs\Startup\BatteryBar.lnk
[2011/03/22 18:23:19 | 000,001,637 | ---- | M] () -- C:\Documents and Settings\Tanya\.recently-used.xbel
[2011/03/16 11:05:00 | 000,001,578 | ---- | M] () -- C:\DealUIController
[2011/03/09 16:16:01 | 000,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/03/30 15:29:55 | 000,000,802 | ---- | C] () -- C:\Documents and Settings\Tanya\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk
[2011/03/30 15:29:55 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/03/27 07:47:34 | 000,001,592 | ---- | C] () -- C:\Documents and Settings\Tanya\Start Menu\Programs\Startup\BatteryBar.lnk
[2011/03/22 18:23:19 | 000,001,637 | ---- | C] () -- C:\Documents and Settings\Tanya\.recently-used.xbel
[2011/03/09 16:10:43 | 000,001,355 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2011/02/10 20:57:56 | 000,003,584 | ---- | C] () -- C:\Documents and Settings\Tanya\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/10/18 19:15:20 | 000,087,552 | ---- | C] () -- C:\WINDOWS\System32\cpwmon2k.dll
[2010/09/11 09:12:02 | 000,029,740 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/09/07 14:36:33 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2010/09/07 09:40:14 | 000,001,520 | ---- | C] () -- C:\WINDOWS\System32\Tanya_KBD.ini
[2010/09/06 21:33:08 | 000,000,026 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\.811261211181235583101118113995
[2010/09/06 19:16:31 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2009/06/05 02:29:07 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2009/05/14 03:18:04 | 000,279,629 | ---- | C] () -- C:\WINDOWS\esubmit.exe
[2009/04/02 03:14:12 | 000,307,200 | ---- | C] () -- C:\WINDOWS\SetDisplayResolution.exe
[2009/04/02 03:07:34 | 000,000,002 | ---- | C] () -- C:\WINDOWS\HotFixList.ini
[2009/04/02 03:07:28 | 000,001,522 | ---- | C] () -- C:\WINDOWS\System32\MagicKBD.INI
[2009/04/02 03:07:28 | 000,001,520 | ---- | C] () -- C:\WINDOWS\System32\Owner_KBD.ini
[2009/04/02 03:07:26 | 000,001,835 | ---- | C] () -- C:\WINDOWS\System32\KBDA.INI
[2009/04/02 03:07:25 | 000,003,425 | ---- | C] () -- C:\WINDOWS\System32\KBDR.INI
[2009/04/02 03:07:25 | 000,002,741 | ---- | C] () -- C:\WINDOWS\System32\KBDD.INI
[2009/04/02 03:07:25 | 000,002,699 | ---- | C] () -- C:\WINDOWS\System32\KBDO.INI
[2009/04/02 03:07:25 | 000,002,699 | ---- | C] () -- C:\WINDOWS\System32\KBDC.INI
[2009/04/02 03:07:25 | 000,002,606 | ---- | C] () -- C:\WINDOWS\System32\KBDB.INI
[2009/04/02 03:07:25 | 000,002,236 | ---- | C] () -- C:\WINDOWS\System32\KBDQ.INI
[2009/04/02 03:07:25 | 000,001,956 | ---- | C] () -- C:\WINDOWS\System32\KBDE.INI
[2009/04/02 03:07:25 | 000,001,885 | ---- | C] () -- C:\WINDOWS\System32\KBDP.INI
[2009/04/02 03:07:25 | 000,001,857 | ---- | C] () -- C:\WINDOWS\System32\KBDUU.INI
[2009/04/02 03:07:25 | 000,001,835 | ---- | C] () -- C:\WINDOWS\System32\KBDG.INI
[2009/04/02 03:07:25 | 000,001,834 | ---- | C] () -- C:\WINDOWS\System32\KBDU.INI
[2009/04/02 03:07:25 | 000,001,819 | ---- | C] () -- C:\WINDOWS\System32\KBDN.INI
[2009/04/02 03:07:25 | 000,001,699 | ---- | C] () -- C:\WINDOWS\System32\KBDT.INI
[2009/04/02 03:07:25 | 000,001,697 | ---- | C] () -- C:\WINDOWS\System32\KBDV.INI
[2009/04/02 03:07:25 | 000,001,522 | ---- | C] () -- C:\WINDOWS\System32\KBDS.INI
[2009/04/02 03:07:25 | 000,001,476 | ---- | C] () -- C:\WINDOWS\System32\KBDF.INI
[2009/04/02 03:05:17 | 000,000,135 | R--- | C] () -- C:\WINDOWS\System32\lngEng.ini
[2009/04/02 03:05:17 | 000,000,117 | ---- | C] () -- C:\WINDOWS\System32\lngKor.ini
[2009/04/02 03:02:02 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4926.dll
[2009/04/02 02:59:35 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\drivers\Marker.exe
[2009/04/02 02:59:34 | 000,004,300 | ---- | C] () -- C:\WINDOWS\System32\MEMIO.SYS
[2009/04/02 02:57:52 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2009/04/02 02:53:19 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2009/04/02 01:35:06 | 000,000,416 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2009/04/02 01:34:33 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2009/04/02 01:34:32 | 000,531,930 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2009/04/02 01:34:32 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2009/04/02 01:34:30 | 000,093,656 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2009/04/02 01:34:30 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2009/04/02 01:34:30 | 000,004,486 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2009/04/02 01:34:29 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2009/04/02 01:34:29 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2009/04/02 01:34:28 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2009/04/02 01:34:28 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2009/04/02 01:34:24 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2009/04/02 01:34:22 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2009/04/01 18:47:55 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2009/04/01 18:46:52 | 000,155,568 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2007/02/27 01:49:12 | 006,139,774 | ---- | C] () -- C:\WINDOWS\imagine digital freedom.dat

========== Alternate Data Streams ==========

@Alternate Data Stream - 1177 bytes -> C:\Documents and Settings\All Users\Application Data\Microsoft:FxmilxYiNEJLBgAag28D2CL1YpL9i
@Alternate Data Stream - 1129 bytes -> C:\Documents and Settings\All Users\Application Data\Microsoft:sfuaOY9Yzs1DzU5FR0ZMDaHa6J
@Alternate Data Stream - 1107 bytes -> C:\Documents and Settings\Tanya\Cookies:B6L3MIAbinlpvuc18j3c
@Alternate Data Stream - 1045 bytes -> C:\Documents and Settings\Tanya\Cookies:l222SsNmq8Io2I364QWF

< End of report >
#2 RKinner (Malware Expert, MVP)
Clear the Java Cache by following the instructions on
http://www.java.com/...lugin_cache.xml

You do not have the latest Java.
First go into Control Panel, Add/Remove Software and remove any old versions (which may call themselves: Java Runtime, Runtime Environment, Runtime, JRE, Java Virtual Machine, Virtual Machine, Java VM, JVM, VM, J2RE, J2SE).
I see Java™ 6 Update 20, but there may be others.



We have seen some malware that will create its own network interface, and when you remove it the malware network interface remains and nothing works. Right-click on My Computer and select Manage, then Device Manager. Find the Network Adapters in the right pane and click on the + in front to expand it. Right-click on each sub-entry and Uninstall. (You may want to make a note of what adapters you have in case you need to download the drivers from your PC maker's website. Normally you don't need to, but with malware you never know.)

Reboot and it should reinstall all the good adapters.

If you have a third party firewall, turn it off.

We are also seeing some routers being compromised. Usually you can fix these by pressing and holding the RESET button for 30 seconds. (If your router talks directly to the ISP via DSL or Cable make sure you know how to configure it before resetting. If you use wireless and it is encrypted the encryption will go away after a reset and will have to be redone.)

Copy the text in the code box by highlighting it and pressing Ctrl + C:
:Services
EzEITService
EITUACService
AppMgmt

:OTL
SRV - File not found [Auto | Stopped] -- -- (EzEITService)
SRV - File not found [Auto | Stopped] -- -- (EITUACService)
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
[2010/10/30 12:38:09 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/10/30 12:37:39 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2010/10/30 12:37:37 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2010/07/23 01:29:54 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2010/07/23 01:29:54 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2010/07/23 01:29:54 | 000,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2010/07/23 01:29:54 | 000,001,135 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O28 - HKLM ShellExecuteHooks: {EDB0E980-90BD-11D4-8599-0008C7D3B6F8} - Reg Error: Key error. File not found
O33 - MountPoints2\{7593f051-b9e2-11df-a6c7-001377fc35ce}\Shell - "" = AutoRun
O33 - MountPoints2\{7593f051-b9e2-11df-a6c7-001377fc35ce}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{7593f051-b9e2-11df-a6c7-001377fc35ce}\Shell\AutoRun\command - "" = E:\SETUP.EXE
O33 - MountPoints2\{7593f051-b9e2-11df-a6c7-001377fc35ce}\Shell\configure\command - "" = E:\SETUP.EXE
O33 - MountPoints2\{7593f051-b9e2-11df-a6c7-001377fc35ce}\Shell\install\command - "" = E:\SETUP.EXE
O33 - MountPoints2\{bcba528d-cbf6-11df-a6f6-0024d29367cc}\Shell - "" = AutoRun
O33 - MountPoints2\{bcba528d-cbf6-11df-a6f6-0024d29367cc}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{bcba528d-cbf6-11df-a6f6-0024d29367cc}\Shell\AutoRun\command - "" = E:\install.exe
[2010/09/06 21:33:08 | 000,000,026 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\.811261211181235583101118113995
@Alternate Data Stream - 1177 bytes -> C:\Documents and Settings\All Users\Application Data\Microsoft:FxmilxYiNEJLBgAag28D2CL1YpL9i
@Alternate Data Stream - 1129 bytes -> C:\Documents and Settings\All Users\Application Data\Microsoft:sfuaOY9Yzs1DzU5FR0ZMDaHa6J
@Alternate Data Stream - 1107 bytes -> C:\Documents and Settings\Tanya\Cookies:B6L3MIAbinlpvuc18j3c
@Alternate Data Stream - 1045 bytes -> C:\Documents and Settings\Tanya\Cookies:l222SsNmq8Io2I364QWF

:Files
c:\Program Files\Java
nslookup att.com /C
ipconfig /all /C
netsh interface ip show config /C
netsh winsock reset catalog /C
netsh int ip reset reset.log /C
  
:Commands
[RESETHOSTS]
[purity]
[EMPTYFLASH] 
[emptytemp]
[Reboot]

Then run OTL and, under the Custom Scans/Fixes box at the bottom, paste (Ctrl + V) the text. Verify that you got it all and then click the Run Fix button at the top.
Let the program run unhindered; OTL will reboot the PC when it is done. Save the log and copy and paste it to a reply.

Open OTL again and select either the Use SafeList or All option in the Extra Registry group then the Run Scan button. Post the two logs it produces in your next reply.

Malwarebytes' Anti-Malware

http://www.malwarebytes.org/mbam.php

SAVE Malwarebytes' Anti-Malware to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.

* Be sure that everything is checked, and click Remove Selected.

* When completed, a log will open in Notepad. Please save it to a convenient location.
* The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
* Post that log back here.


ComboFix
If you have a previous version of Combofix.exe, delete it and download a fresh copy.

It must be saved to your desktop.

Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html


Download this file to your Desktop and rename it (call it george.exe), from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Double-click on george to start the program.



* Important: Have no other programs running. Your Task Bar should be clear of any program entries, including your Browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console, then Continue. When the scan completes, Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.


A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Your version of Avast is outdated. You need to update to Avast 6
http://www.avast.com...ivirus-download
and run a boot-time scan:

Once you have it installed and it has updated, right-click on it and select Open Avast! User Interface, then click on Scan Computer, then on Boot-Time Scan, then Schedule Now. Reboot and let it run a scan. It will take many hours (like overnight) and unfortunately you may need to check back with it once in a while to see if it needs an input from you. For best results, repeat the scan until it comes up clean.

Ron
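As an added example (not code from this thread or from the OTL tool), here is a small Python triage script that encodes the indicators Ron picked out of the log above as rules over OTL's line format: services whose binary is missing, the empty Run entry, Java ActiveX plug-ins (O16), AutoRun commands cached under MountPoints2 (O33), the hidden digits-only file with no company name, and alternate data streams. The sample lines are copied from the log posted in this thread; the rule names and the digits-only-name heuristic are my own assumptions.

```python
"""Rule-based triage of OTL log lines (added example, not OTL's own code).

Each rule is a regex over one OTL line shape; rule names and the
digits-only-filename heuristic are assumptions made for this example.
"""
import re
from collections import Counter
from dataclasses import dataclass

# One regex per OTL line shape this rule set cares about.
SRV_MISSING = re.compile(
    r"^SRV - File not found \[(?P<start>[^|]+) \| (?P<state>[^\]]+)\] -- -- \((?P<name>[^)]+)\)$")
O4_EMPTY = re.compile(r"^O4 - (?P<hive>\w+)\.\.\\Run: \[\] File not found$")
O16_DPF = re.compile(r"^O16 - DPF: (?P<clsid>\{[^}]+\}) (?P<url>\S+) \((?P<desc>[^)]+)\)$")
O33_CMD = re.compile(
    r'^O33 - MountPoints2\\(?P<guid>\{[^}]+\})\\Shell\\(?P<verb>[^\\]+)\\command - "" = (?P<cmd>.+)$')
ADS = re.compile(r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<host>.+):(?P<stream>[^:\\]+)$")
FILE_ENTRY = re.compile(
    r"^\[(?P<date>[\d/]+ [\d:]+) \| (?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<flag>[CM])\]"
    r" \((?P<company>[^)]*)\) -- (?P<path>.+)$")


@dataclass
class Finding:
    rule: str    # which rule fired
    detail: str  # the part of the line worth a second look
    line: str    # the untouched OTL line


def triage_line(line: str):
    """Return a Finding for a suspicious OTL line, or None for a benign one."""
    line = line.rstrip("\r\n")
    if m := SRV_MISSING.match(line):
        # A registered service whose binary is gone: leftover of removed or broken malware.
        return Finding("service-missing-binary", f"{m['name']} [{m['start']}]", line)
    if m := O4_EMPTY.match(line):
        # Run value with an empty name and no file: nothing legitimate writes this.
        return Finding("empty-run-key", m["hive"], line)
    if (m := O16_DPF.match(line)) and "Java Plug-in" in m["desc"]:
        # Downloaded Program Files entries for Java; old plug-ins are a common infection vector.
        return Finding("java-plugin-activex", m["desc"], line)
    if m := O33_CMD.match(line):
        # AutoRun command cached for a removable drive; it launches a binary off the media.
        return Finding("mountpoint-autorun-command", f"{m['verb']} -> {m['cmd']}", line)
    if m := ADS.match(line):
        # Data tucked into an NTFS alternate stream on a folder or cookie file.
        return Finding("alternate-data-stream", f"{m['host']}:{m['stream']} ({m['size']} bytes)", line)
    if m := FILE_ENTRY.match(line):
        name = m["path"].rsplit("\\", 1)[-1]
        hidden = "H" in m["attrs"]
        # Hidden, no company name, and a name made only of digits: typical dropper marker file.
        if hidden and not m["company"] and re.fullmatch(r"\.?\d+", name):
            return Finding("hidden-numeric-file", m["path"], line)
    return None


def triage(text: str):
    """Run every line of an OTL log through the rules; keep only the hits, in log order."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]


def summarize(findings):
    """Count findings per rule, e.g. {'service-missing-binary': 3, ...}."""
    return dict(Counter(f.rule for f in findings))


# Constructed sample: lines copied from the OTL log posted in this thread.
SAMPLE_LOG = r"""
SRV - File not found [Auto | Stopped] -- -- (EzEITService)
SRV - File not found [Auto | Stopped] -- -- (EITUACService)
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2011/02/23 15:04:19 | 000,042,184 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\avastUI.exe (AVAST Software)
O16 - DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O33 - MountPoints2\{7593f051-b9e2-11df-a6c7-001377fc35ce}\Shell - "" = AutoRun
O33 - MountPoints2\{7593f051-b9e2-11df-a6c7-001377fc35ce}\Shell\AutoRun\command - "" = E:\SETUP.EXE
O33 - MountPoints2\{bcba528d-cbf6-11df-a6f6-0024d29367cc}\Shell\AutoRun\command - "" = E:\install.exe
[2010/09/06 21:33:08 | 000,000,026 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\.811261211181235583101118113995
[2010/09/11 09:12:02 | 000,029,740 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
@Alternate Data Stream - 1177 bytes -> C:\Documents and Settings\All Users\Application Data\Microsoft:FxmilxYiNEJLBgAag28D2CL1YpL9i
@Alternate Data Stream - 1107 bytes -> C:\Documents and Settings\Tanya\Cookies:B6L3MIAbinlpvuc18j3c
"""

if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"{f.rule:28} {f.detail}")
    print(summarize(hits))
```

Every hit here corresponds to a line Ron put into the :OTL or :Services section of his fix; the benign Avast and hosts lines in the sample pass through untouched.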

#3 Atropos (Topic Starter)
Thank you for your response - I really appreciate it.

With help from a colleague I managed to clear out this nasty little sucker just about an hour ago, so I'm good to go.