
Olmarik.LT virus [Solved]



#16
geminidragon

    Member

  • Topic Starter
  • Member
  • 13 posts
ComboFix 10-05-16.01 - Debbie 17/05/2010 7:00.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1594 [GMT 9.5:30]
Running from: c:\documents and settings\Debbie\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\613b6df2-193b-6518-52fc-9c674553e0b1.exe
c:\windows\system32\Data
c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job

Infected copy of c:\windows\system32\drivers\epfwtdir.sys was found and disinfected
Restored copy from - Kitty had a snack :)
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WINDOWS_MSI
-------\Service_Windows MSI


((((((((((((((((((((((((( Files Created from 2010-04-16 to 2010-05-16 )))))))))))))))))))))))))))))))
.

2010-05-16 20:58 . 2010-05-16 20:58 -------- d-----w- C:\_OTL
2010-05-15 11:30 . 2010-05-15 11:30 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\ESET
2010-05-14 07:18 . 2010-05-14 07:41 -------- d-----w- c:\program files\Desksware
2010-05-13 09:45 . 2010-05-13 09:45 1924976 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2010-05-12 22:07 . 2010-05-13 20:54 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-05-12 21:49 . 2010-05-12 21:49 0 ----a-w- c:\windows\nsreg.dat
2010-05-12 21:48 . 2010-05-12 21:48 -------- d-----w- c:\documents and settings\Debbie\Local Settings\Application Data\Mozilla
2010-05-10 07:20 . 2010-05-10 07:20 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-05-10 06:54 . 2008-08-25 23:56 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
2010-05-10 06:53 . 2009-12-30 02:00 7936 ----a-w- c:\windows\system32\drivers\usbser_lowerfltj.sys
2010-05-10 06:53 . 2009-12-30 02:00 7936 ----a-w- c:\windows\system32\drivers\usbser_lowerflt.sys
2010-05-10 06:53 . 2009-12-30 02:00 22016 ----a-w- c:\windows\system32\drivers\ccdcmbo.sys
2010-05-10 06:53 . 2010-01-21 05:23 18048 ----a-w- c:\windows\system32\drivers\ccdcmb.sys
2010-05-10 06:53 . 2009-12-30 02:00 660480 ----a-w- c:\windows\system32\nmwcdcocls.dll
2010-05-10 06:53 . 2009-10-06 02:25 1112288 ----a-w- c:\windows\system32\wdfcoinstaller01007.dll
2010-05-10 06:51 . 2010-05-10 06:51 -------- d-----w- c:\documents and settings\Debbie\Local Settings\Application Data\IsolatedStorage
2010-05-07 07:49 . 2010-05-10 14:11 202232 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-05-07 07:48 . 2010-05-07 07:48 -------- d-----w- c:\program files\MSXML 6.0
2010-05-07 07:48 . 2010-05-10 06:59 -------- d-----w- c:\documents and settings\Debbie\Local Settings\Application Data\Nokia
2010-05-07 07:48 . 2010-05-07 07:48 -------- d-----w- c:\documents and settings\All Users\Application Data\NokiaMusic
2010-05-07 07:46 . 2010-05-07 07:47 -------- d-----w- c:\program files\Common Files\muvee Technologies
2010-05-07 07:46 . 2010-05-10 06:59 -------- d-----w- c:\windows\Globalization
2010-04-30 11:11 . 2010-04-30 11:11 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities
2010-04-30 04:22 . 2010-05-10 07:19 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-25 05:47 . 2008-04-14 00:12 30749 ----a-w- c:\documents and settings\Debbie\Application Data\Creative\Media Database\JetFileBackup\vbajet32.dll
2010-04-25 05:47 . 2008-04-14 00:12 151583 ----a-w- c:\documents and settings\Debbie\Application Data\Creative\Media Database\JetFileBackup\Msjint40.dll
2010-04-25 05:47 . 2008-04-14 00:12 102400 ----a-w- c:\documents and settings\Debbie\Application Data\Creative\Media Database\JetFileBackup\Msjro.dll
2010-04-25 05:47 . 2008-04-14 00:11 57344 ----a-w- c:\documents and settings\Debbie\Application Data\Creative\Media Database\JetFileBackup\Msadrh15.dll
2010-04-25 05:47 . 2008-04-14 00:11 536576 ----a-w- c:\documents and settings\Debbie\Application Data\Creative\Media Database\JetFileBackup\Msado15.dll
2010-04-25 05:47 . 2008-04-14 00:11 200704 ----a-w- c:\documents and settings\Debbie\Application Data\Creative\Media Database\JetFileBackup\Msadox.dll
2010-04-25 05:47 . 2008-04-14 00:11 380445 ----a-w- c:\documents and settings\Debbie\Application Data\Creative\Media Database\JetFileBackup\Expsrv.dll
2010-04-25 05:47 . 2007-12-10 12:41 621344 ----a-w- c:\documents and settings\Debbie\Application Data\Creative\Media Database\JetFileBackup\Mswstr10.dll
2010-04-25 05:47 . 2007-12-10 12:41 60192 ----a-w- c:\documents and settings\Debbie\Application Data\Creative\Media Database\JetFileBackup\Msjter40.dll
2010-04-25 05:47 . 2007-12-10 12:41 248608 ----a-w- c:\documents and settings\Debbie\Application Data\Creative\Media Database\JetFileBackup\Msjtes40.dll
2010-04-25 05:47 . 2007-12-10 12:41 355112 ----a-w- c:\documents and settings\Debbie\Application Data\Creative\Media Database\JetFileBackup\Msjetoledb40.dll
2010-04-25 05:47 . 2007-12-10 12:41 1516568 ----a-w- c:\documents and settings\Debbie\Application Data\Creative\Media Database\JetFileBackup\Msjet40.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-16 21:37 . 2009-08-31 02:55 -------- d-----w- c:\documents and settings\Debbie\Application Data\Skype
2010-05-16 07:16 . 2008-10-25 06:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-05-16 03:03 . 2008-01-19 00:09 -------- d-----w- c:\program files\Google
2010-05-14 07:18 . 2008-01-05 07:39 75904 ----a-w- c:\documents and settings\Debbie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-12 12:31 . 2008-01-14 21:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-05-11 02:17 . 2008-01-19 23:56 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-11 02:17 . 2008-01-20 00:40 38 ----a-w- c:\windows\popcinfo.dat
2010-05-11 02:13 . 2009-11-09 09:21 22 ----a-w- c:\windows\popcinfot.dat
2010-05-10 06:59 . 2008-08-26 07:36 -------- d-----w- c:\program files\Nokia
2010-05-07 14:07 . 2008-01-18 01:45 -------- d-----w- c:\documents and settings\Debbie\Application Data\LimeWire
2010-05-07 07:48 . 2009-01-08 21:28 -------- d-----w- c:\program files\Common Files\Nokia
2010-05-07 07:42 . 2008-02-02 11:47 -------- d-----w- c:\documents and settings\Debbie\Application Data\Nokia
2010-04-16 22:29 . 2008-09-23 10:47 -------- d-----w- c:\program files\LimeWire
2010-04-11 02:49 . 2010-04-11 02:49 -------- d-----w- c:\program files\Mindscape
2010-03-10 06:15 . 2006-02-28 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2006-02-28 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08 . 2006-02-28 12:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-01-23 10:21 . 2009-01-23 10:21 18389344 ----a-w- c:\program files\TrojanHunterSetup.exe
2004-03-11 02:57 . 2008-12-05 01:54 40960 ----a-w- c:\program files\Uninstall_CDS.exe
2008-01-18 22:20 . 2008-01-18 22:20 8 --sha-r- c:\windows\system32\8764F1B642.sys
2008-12-16 02:45 . 2008-01-18 22:20 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"InternodeUsage"="c:\progra~1\INTERN~2\mum.exe" [2010-02-13 1363456]
"MtdAcqu"="c:\program files\Creative\MediaSource5\MtdAcqu.exe" [2006-03-07 278528]
"Google Update"="c:\documents and settings\Debbie\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-26 133104]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-22 68856]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]
"JMB36X IDE Setup"="c:\windows\JM\JMInsIDE.exe" [2006-10-30 36864]
"36X Raid Configurer"="c:\windows\system32\JMRaidSetup.exe" [2006-11-16 1953792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-12 8429568]
"nwiz"="nwiz.exe" [2007-04-12 1626112]
"P17Helper"="P17.dll" [2007-12-27 65536]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-10 90112]
"Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2007-07-17 1687824]
"Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2007-07-18 2094352]
"EPSON Stylus Photo RX510"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I3K2.EXE" [2003-09-12 99840]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-02-27 38768]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-02-27 640376]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="f:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"RemoteControl"="c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-12-08 32768]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2004-09-07 1400944]
"THGuard"="c:\program files\TrojanHunter 5.0\THGuard.exe" [2008-10-24 1056928]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-12 81920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-10-06 1461080]
"NokiaMusic FastStart"="c:\program files\Nokia\Ovi Player\NokiaOviPlayer.exe" [2010-03-04 2192672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Debbie\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Exif Launcher S.lnk - g:\program files\FinePixViewerS\QuickDCF2.exe [2008-3-1 303104]
Exif Launcher.lnk - g:\program files\QuickDCF.exe [2008-2-25 200704]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"g:\\PopCap Games\\Zuma Deluxe\\Zuma.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"g:\\Program Files\\LimeWire\\LimeWire.exe"=
"f:\\Program Files\\Files\\LIMEWIRE\\LimeWire.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"f:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [20/02/2008 10:11 AM 35168]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [20/02/2008 10:08 AM 472280]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [21/12/2009 9:55 PM 135664]
.
Contents of the 'Scheduled Tasks' folder

2010-05-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 02:04]

2010-05-16 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-01-19 08:22]

2010-05-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-21 12:24]

2010-05-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-21 12:24]

2010-05-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-746137067-412668190-725345543-1003Core.job
- c:\documents and settings\Debbie\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-26 02:57]

2010-05-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-746137067-412668190-725345543-1003UA.job
- c:\documents and settings\Debbie\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-26 02:57]

2010-05-16 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 04:37]

2010-05-16 c:\windows\Tasks\TrojanHunter LiveUpdate.job
- c:\program files\TrojanHunter 5.0\Tools\LiveUpdate\LiveUpdate.exe [2009-01-23 02:53]

2010-05-16 c:\windows\Tasks\User_Feed_Synchronization-{CF646738-E9A0-40E7-B11C-1A36E4201160}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 19:01]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} - hxxp://picasaweb.google.com/s/v/61.11/uploader2.cab
FF - ProfilePath - c:\documents and settings\Debbie\Application Data\Mozilla\Firefox\Profiles\l0tvw9re.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/|http://www.google.com.au/|http://www.myspace.com/
FF - plugin: c:\documents and settings\Debbie\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: f:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKCU-Run-msnmsgr - c:\program files\Windows Live\Messenger\msnmsgr.exe
HKCU-Run-PowerBar - (no file)
HKU-Default-Run-Nokia.PCSync - g:\nokia\Nokia PC Suite 6\Nokia PC Suite 6\PcSync2.exe
AddRemove-613b6df2-193b-6518-52fc-9c674553e0b1 - c:\windows\system32\613b6df2-193b-6518-52fc-9c674553e0b1.exe
AddRemove-Goodsol Solitaire 101_is1 - g:\mum's biz\Games\Goodsol Solitaire 101\unins000.exe
AddRemove-Pretty Good Solitaire - Additional Card Sets_is1 - g:\mum's biz\Games\Goodsol Solitaire 101\goodsol\unins000.exe
AddRemove-Yahtzee Texas Hold'em - g:\mum'sb~1\Games\YAHTZE~1\UNWISE.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-17 07:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...



HKCU\Software\Microsoft\Windows\CurrentVersion\Run
PowerBar = ?i?????????????????????????????????????????????????????????? ??|`??|????]??|?dF~????????hi????@?8?@?????hi??c"
  • 0
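The "Reg Loading Points" section of the log above is the part a reviewer reads most closely: Run values whose target ComboFix could not find (marked `[X]`), binaries whose whole file name is a GUID (like the executable and scheduled-task `.job` removed under "Other Deletions"), and Security Center monitoring switched off. As an added triage helper, not part of geminidragon's post or of ComboFix itself, the Python below parses a REGEDIT4-style excerpt and raises those three flags. The excerpt reuses lines from the posted log plus one Run value labelled as constructed; the flag names are the example's own.

```python
import re

# Constructed excerpt in ComboFix's REGEDIT4-style "Reg Loading Points" layout.
# Every line is copied from the posted log except "ConstructedEntry", which is
# made up for the example (it reuses the GUID-named file name ComboFix deleted
# under "Other Deletions"; the date and size are invented).
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]
"ConstructedEntry"="c:\windows\system32\613b6df2-193b-6518-52fc-9c674553e0b1.exe" [2010-05-10 20480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-10-06 1461080]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
# ComboFix prints a Run value as "<path>" [<date> <size>]; "[X]" means it
# could not find the file on disk.
RUN_DATA_RE = re.compile(r'^"(?P<path>[^"]*)"\s*\[(?P<stamp>[^\]]*)\]$')
# A bare GUID (optionally in braces) as the entire file name; a prefix such as
# "User_Feed_Synchronization-{...}.job" does not match.
GUID_FILE_RE = re.compile(
    r"[\\/]\{?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}?"
    r"\.(?:exe|dll|sys|job)$",
    re.IGNORECASE,
)


def parse_reg_sections(text):
    """Return {registry_key: {value_name: raw_data}} from a REGEDIT4-style dump."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group("key")
            sections.setdefault(current, {})
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            sections[current][value.group("name")] = value.group("data")
    return sections


def is_guid_named(path):
    """True when the file name itself is nothing but a GUID."""
    return GUID_FILE_RE.search(path) is not None


def triage(sections):
    """Return (flag, key, value_name, detail) tuples that deserve a human look."""
    findings = []
    for key, values in sections.items():
        lkey = key.lower()
        if lkey.endswith(r"\currentversion\run"):
            for name, data in values.items():
                run = RUN_DATA_RE.match(data)
                if not run:
                    continue
                path, stamp = run.group("path"), run.group("stamp")
                if stamp == "X":
                    findings.append(("missing-file", key, name, path))
                if is_guid_named(path):
                    findings.append(("guid-named-binary", key, name, path))
        elif r"\security center\monitoring" in lkey:
            data = values.get("DisableMonitoring", "")
            if data.lower() == "dword:00000001":
                findings.append(("security-center-monitoring-off", key,
                                 "DisableMonitoring", data))
    return findings


if __name__ == "__main__":
    for flag, key, name, detail in triage(parse_reg_sections(SAMPLE_LOG)):
        print(f"{flag:32} {name!r:20} {detail}")
```

A security suite's installer legitimately sets `DisableMonitoring` so that Security Center stops alerting about the product it replaces, so that flag is a prompt to check which product owns the key, not a verdict; the `[X]` and GUID-name flags likewise mark entries to explain, not to delete blindly.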



#17
RPMcMurphy

    Trusted Helper

  • Malware Removal
  • 930 posts
geminidragon,

That's odd; it's still missing a few sections from the end. What is there looks much better though! Please run these for me now:

You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM
  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.
3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.
Please be patient as this can take quite a long time to download.
  • Once the update is complete, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, adware, dialers, and other riskware
    • Archives
    • E-mail databases
  • Click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View report... at the bottom.
  • Click the Save report... button.
  • Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply

Please include the following in your next post:
  • MBAM log
  • Kaspersky log
  • How is the computer running now?

  • 0

#18
geminidragon

    Member

  • Topic Starter
  • Member
  • 13 posts
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

17/05/2010 8:50:03 AM
mbam-log-2010-05-17 (08-50-03).txt

Scan type: Quick scan
Objects scanned: 124428
Time elapsed: 4 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, May 17, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Sunday, May 16, 2010 22:49:01
Records in database: 4118148
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
J:\

Scan statistics:
Objects scanned: 195988
Threats found: 2
Infected objects found: 3
Suspicious objects found: 0
Scan duration: 03:11:19


File name / Threat / Threats count
C:\Documents and Settings\Debbie\My Documents\TrojanHunter.exe Infected: Trojan.Win32.Siscos.re 1
E:\nickel back\Dance paradise - Nickel Back - Too bad.wma Infected: Trojan-Downloader.WMA.Wimad.y 1
G:\TrojanHunter.exe Infected: Trojan.Win32.Siscos.re 1

Selected area has been scanned.
  • 0

#19
RPMcMurphy

    Trusted Helper

  • Malware Removal
  • 930 posts
geminidragon,

It looks like we are almost done! How is your computer running?

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

    :Files
    E:\nickel back\Dance paradise - Nickel Back - Too bad.wma
    
    :Commands
    [EmptyFlash]
    [EmptyTemp]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, it will reboot when it is done and produce a log
Please include the following in your next post:
  • OTL Fix log
  • How is the computer running now?

  • 0

#20
geminidragon

    Member

  • Topic Starter
  • Member
  • 13 posts
Hi

at this point everything seems to be working :)

this is the last file of the OTLfix

I have tried IE again and the nasty little pop-ups that prompted me to run the first scan don't seem to be there anymore... YAY!

thanks for all your help... hopefully this is all good now.




All processes killed
========== FILES ==========
E:\nickel back\Dance paradise - Nickel Back - Too bad.wma moved successfully.
========== COMMANDS ==========

[EMPTYFLASH]

User: All Users

User: Debbie
->Flash cache emptied: 1297 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: Incomplete

User: LocalService

User: NetworkService
->Flash cache emptied: 1726 bytes

Total Flash Files Cleaned = 0.00 mb


[EMPTYTEMP]

User: All Users

User: Debbie
->Temp folder emptied: 113846361 bytes
->Temporary Internet Files folder emptied: 16768168 bytes
->Java cache emptied: 128130 bytes
->FireFox cache emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Incomplete

User: LocalService
->Temp folder emptied: 65536 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes
  • 0

#21
RPMcMurphy

    Trusted Helper

  • Malware Removal
  • 930 posts
geminidragon,

Good job! Now I have some important cleanup for you to take care of:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
  • Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 20. The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
  • Click the "Download" button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Now go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586-p.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
      • Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.
Uninstall ComboFix
  • Press the Windows key + R on your keyboard or click Start -> Run. Copy and paste the following text into the run box that opens and press OK:
    Combofix /Uninstall

Clean up with OTL:
  • Double-click OTL.exe to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.
  • Manually delete any remaining logs or tools.
Finally, I'd like to make a couple of suggestions to help you stay clean in the future:
  • Restart any anti-malware programs that we disabled while we were cleaning your machine.
  • Keep your antivirus application current and updated. Also, hang on to MBAM. Scan with them at least weekly.
  • Avoid using P2P programs! Refer back to my earlier post for more information.
  • Consider running in a limited user account. See this post for more information.
  • Please carefully review the information in our Preventing Malware and Safe Computing thread located HERE
Please post once more so I know you are all set and I can close this thread. Good luck and stay safe!
  • 0

#22
geminidragon

    Member

  • Topic Starter
  • Member
  • 13 posts
Hi, well I think you have solved the main part of my problem... I am still having problems with screens freezing and the CPU being ramped up to 100% usage on lightweight processes... not really sure what that is about but will continue to investigate.

Many, many thanks - you have been most helpful, will certainly be back again if I need help solving a problem. :)

Excellent site, excellent service, excellent results! :)

geminidragon :)
  • 0

#23
RPMcMurphy

    Trusted Helper

  • Malware Removal
  • 930 posts
You're welcome. If you continue to have issues, feel free to start a topic in our Windows Forum. Be sure to include a link back to this thread.
  • 0

#24
RPMcMurphy

    Trusted Helper

  • Malware Removal
  • 930 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
