Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Malware removal help - W32.Blaster.Worm [Closed] [Solved]

Started by LArnett , Jan 12 2012 06:39 PM

This topic is locked

#16
Essexboy

Posted 20 January 2012 - 12:27 PM

GeekU Moderator

Retired Staff
69,964 posts

Manually reboot please and then run Malwarebytes

#17
LArnett

Posted 21 January 2012 - 04:19 PM

Member

Topic Starter
Member
41 posts

I manually restarted and a few of the programs that you had me run were not on the desktop anymore and the OTL.exe had a defalt window icon and won't work anymore. Restarted one more time to see if it would correct it's self but nothing. I also tried to delete the OTL.exe

Error Deleting File or Folder Cannot delete OTL: access is denied.
Make sure the disk is not full or write-protected and that the files is not currently in use.

Tried to copy a new OTL to the desktop from a flash drive and got the following

Error Copyying File or Folder Cannot copy OTL: Access is denied

Make sure the disk is not full or write-protected and that the file is not currently in use.

Running MBAM right now.

Edited by LArnett, 21 January 2012 - 04:37 PM.

#18
Essexboy

Posted 21 January 2012 - 05:00 PM

GeekU Moderator

Retired Staff
69,964 posts

Hmm this is unusual

Once malwarebytes has run could you re-run combofix

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

Double click on ComboFix.exe & follow the prompts.
Accept the disclaimer and allow to update if it asks
When finished, it shall produce a log for you.
Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

#19
LArnett

Posted 21 January 2012 - 08:22 PM

Member

Topic Starter
Member
41 posts

Ran Combofix again

ComboFix 12-01-16.02 - Ricky 01/21/2012 20:53:54.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.503.294 [GMT -5:00]
Running from: e:\computer repair progs\ComboFix\ComboFix.exe
* Created a new restore point
.
- REDUCED FUNCTIONALITY MODE -
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Desktop\Security Protection.lnk
c:\documents and settings\Mary Kay\err.log
c:\documents and settings\Ricky\err.log
c:\program files\Mozilla Firefox\extensions\[email protected]
c:\windows\{2521BB91-29B1-4d7e-9137-AC9875D77735}
c:\windows\assembly\GAC_MSIL\desktop.ini
c:\windows\cookies.ini
c:\windows\cs_cache.ini
c:\windows\EventSystem.log
c:\windows\run.log
c:\windows\smdat32a.sys
c:\windows\smdat32m.sys
c:\windows\SwSys1.bmp
c:\windows\SwSys2.bmp
c:\windows\system32\drivers\fad.sys
c:\windows\system32\mcrh.tmp
c:\windows\system32\msnav32.ax
c:\windows\system32\winpfz32.sys
c:\windows\system32\zxdnt3d.cfg
c:\windows\wr.txt
.
Infected copy of c:\windows\system32\wuauclt.exe was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\wuauclt.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-12-22 to 2012-01-22 )))))))))))))))))))))))))))))))
.
.
2012-01-22 01:46 . 2012-01-22 01:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-22 01:46 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-21 22:33 . 2012-01-22 01:48 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-01-21 22:30 . 2012-01-21 22:30 -------- d-----w- c:\documents and settings\Ricky\Application Data\Malwarebytes
2012-01-21 22:30 . 2012-01-21 22:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-01-20 16:23 . 2012-01-20 16:23 -------- d-----w- C:\_OTL
2012-01-16 23:35 . 2004-08-04 10:00 41856 ----a-w- c:\windows\system32\drivers\imapi.sys
2012-01-16 23:35 . 2004-08-04 10:00 41856 ----a-w- c:\windows\system32\dllcache\imapi.sys
2012-01-16 15:48 . 2012-01-16 21:13 111872 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2012-01-10 01:21 . 2012-01-10 01:21 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2012-01-10 01:17 . 2004-08-04 03:58 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2012-01-10 00:35 . 2004-08-04 05:56 21504 ----a-w- c:\windows\system32\hidserv.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-16 21:49 . 2004-08-10 17:58 5504 ----a-w- c:\windows\system32\drivers\intelide.sys
2009-02-13 00:32 . 2009-02-16 23:25 774144 ----a-w- c:\program files\RngInterstitial.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-09-11 2054360]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-07-14 98304]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"Blubster"="c:\program files\Blubster\Blubster.exe" [2009-11-27 2866176]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
.
c:\documents and settings\Ricky\Start Menu\Programs\Startup\
Skype.lnk - c:\windows\Installer\{D103C4BA-F905-437A-8049-DB24763BBE36}\SkypeIcon.exe [N/A]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 10:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"c:\windows\system32\ijjbediw.exe"= c:\windows\system32\ijj
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Blubster\\Blubster.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2009-09-11 735960]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-01-22 40776]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2009-09-11 108792]
S1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2009-09-11 96408]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-12-24 652872]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-10 20464]
.
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dell4me.com/mywaybiz
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: mswsock.dll
Trusted Zone: getmirar.com\click
Trusted Zone: mirarsearch.com\click
Trusted Zone: mirarsearch.com\redirect
Trusted Zone: net-nucleus.com\awbeta
TCP: Interfaces\{42AAA1A2-A41E-4C6B-BC89-B07492D6ECB3}: NameServer = 93.188.162.149,93.188.160.29
DPF: ActiveGS.cab - hxxp://www.virtualapple.org/gs.cab
FF - ProfilePath - c:\documents and settings\Ricky\Application Data\Mozilla\Firefox\Profiles\w6omdj8q.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-21 20:58
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\windows\3949259467:873831188.exe 816 bytes executable
c:\windows\$NtUninstallKB20734$:SummaryInformation 0 bytes hidden from API
.
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\cbea64eb]
"ImagePath"="\systemroot\3949259467:873831188.exe"
.
------------------------ Other Running Processes ------------------------
.
c:\windows\3949259467:873831188.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\fxssvc.exe
c:\program files\Blubster\BGCheck.exe
.
**************************************************************************
.
Completion time: 2012-01-21 21:12:02 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-22 02:11
ComboFix2.txt 2012-01-17 00:51
.
Pre-Run: 8,830,205,952 bytes free
Post-Run: 8,810,123,264 bytes free
.
- - End Of File - - 88E51E8BBF66D58C64E21E95F790AF56

Trying Mbam again

Attached Files

ComboFix log.txt 7.71KB 95 downloads

Edited by LArnett, 21 January 2012 - 08:23 PM.

#20
Essexboy

Posted 22 January 2012 - 05:50 AM

GeekU Moderator

Retired Staff
69,964 posts

OK one rootkit is being particularly stubborn

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:

Rootkit::
c:\windows\3949259467
c:\windows\$NtUninstallKB20734$

Save this as CFScript.txt, in the same location as ComboFix.exe
Posted Image

Refering to the picture above, drag CFScript into ComboFix.exeWhen finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

#21
LArnett

Posted 22 January 2012 - 10:10 PM

Member

Topic Starter
Member
41 posts

I finally got combofix to run with the script you sent me but there is an anti-virus program that keeps trying to start but has an error and never loads up. ESET NOD32 Anti-virus. I have looked for it under programs in the start menu to diable it or uninstall, no icon on the desktop, and not in the program list under the control panel. It keeps popping up everytime there is a restart and after about 5 min an error message pops up saying Error communicating with the kernal. I'm hoping that isn't interfering with combofix or any of the other malware removal programs I've been trying to run.

ComboFix log

ComboFix 12-01-16.02 - Ricky 01/22/2012 20:51:12.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.503.240 [GMT -5:00]
Running from: e:\computer repair progs\ComboFix\ComboFix.exe
Command switches used :: c:\documents and settings\Ricky\Desktop\CFScript.txt
* Created a new restore point
.
- REDUCED FUNCTIONALITY MODE -
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\assembly\GAC_MSIL\desktop.ini
c:\windows\SwSys1.bmp
c:\windows\SwSys2.bmp
.
.
((((((((((((((((((((((((( Files Created from 2011-12-23 to 2012-01-23 )))))))))))))))))))))))))))))))
.
.
2012-01-22 04:22 . 2012-01-22 04:22 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2012-01-21 22:33 . 2012-01-22 01:48 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-01-21 22:30 . 2012-01-21 22:30 -------- d-----w- c:\documents and settings\Ricky\Application Data\Malwarebytes
2012-01-21 22:30 . 2012-01-21 22:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-01-20 16:23 . 2012-01-20 16:23 -------- d-----w- C:\_OTL
2012-01-16 23:35 . 2004-08-04 10:00 41856 ----a-w- c:\windows\system32\drivers\imapi.sys
2012-01-16 23:35 . 2004-08-04 10:00 41856 ----a-w- c:\windows\system32\dllcache\imapi.sys
2012-01-16 15:48 . 2012-01-16 21:13 111872 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2012-01-10 01:21 . 2012-01-22 04:29 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2012-01-10 01:17 . 2004-08-04 03:58 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2012-01-10 00:35 . 2004-08-04 05:56 21504 ----a-w- c:\windows\system32\hidserv.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-16 21:49 . 2004-08-10 17:58 5504 ----a-w- c:\windows\system32\drivers\intelide.sys
2009-02-13 00:32 . 2009-02-16 23:25 774144 ----a-w- c:\program files\RngInterstitial.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2010-04-16 . C4BA5E36FB57F547117305BF1E0FE454 . 634656 . . [7.00.6000.17055] . . c:\windows\ERDNT\cache\iexplore.exe
[7] 2010-04-16 . C4BA5E36FB57F547117305BF1E0FE454 . 634656 . . [7.00.6000.17055] . . c:\windows\system32\dllcache\iexplore.exe
[7] 2010-04-16 . B24A4E23A2FEDB6976EB04D334AD82B2 . 634648 . . [7.00.6000.21256] . . c:\windows\$hf_mig$\KB982381-IE7\SP3QFE\iexplore.exe
[7] 2010-02-23 . B5116340B84824DDD0A641E36B126194 . 634648 . . [7.00.6000.17023] . . c:\windows\ie7updates\KB982381-IE7\iexplore.exe
[7] 2010-02-23 . C8DDA4028065D5CE39CBE7A156B72AB9 . 634648 . . [7.00.6000.21228] . . c:\windows\$hf_mig$\KB980182-IE7\SP3QFE\iexplore.exe
[7] 2009-12-18 . 53C291F3B01EECECBD7FD358EA3ACC94 . 634648 . . [7.00.6000.16981] . . c:\windows\ie7updates\KB980182-IE7\iexplore.exe
[7] 2009-12-18 . D19E56D5930C37CF211867DF450C372A . 634632 . . [7.00.6000.21183] . . c:\windows\$hf_mig$\KB978207-IE7\SP3QFE\iexplore.exe
[7] 2009-10-28 . 80675329E0FD54F016C4F8A83C616349 . 634632 . . [7.00.6000.21148] . . c:\windows\$hf_mig$\KB976325-IE7\SP3QFE\iexplore.exe
[7] 2009-10-28 . 4F9B04D546C23A295F3F0AE015BE51DB . 634632 . . [7.00.6000.16945] . . c:\windows\ie7updates\KB978207-IE7\iexplore.exe
[7] 2009-08-27 . F232BA9F39BC0F722672C7E79E68EBEA . 634648 . . [7.00.6000.16915] . . c:\windows\ie7updates\KB976325-IE7\iexplore.exe
[7] 2009-08-27 . 332EC7562F3AA7364F2D4231C56DA986 . 634648 . . [7.00.6000.21115] . . c:\windows\$hf_mig$\KB974455-IE7\SP3QFE\iexplore.exe
[7] 2009-06-29 . 3CFC56F73D494FC1AA2B6E981DF15ACD . 634632 . . [7.00.6000.16876] . . c:\windows\ie7updates\KB974455-IE7\iexplore.exe
[7] 2009-06-29 . 02E2754D3E566C11A4934825920C47DD . 634632 . . [7.00.6000.21073] . . c:\windows\$hf_mig$\KB972260-IE7\SP3QFE\iexplore.exe
[7] 2009-04-25 . 092A7F2B49A19ECCE5369D3CB2276148 . 636088 . . [7.00.6000.16850] . . c:\windows\ie7updates\KB972260-IE7\iexplore.exe
[7] 2009-04-25 . C0503FD8D163652735C1EE900672A75C . 636088 . . [7.00.6000.21045] . . c:\windows\$hf_mig$\KB969897-IE7\SP3QFE\iexplore.exe
[7] 2009-02-28 . BCD8E48709BE4A79606F0B6E8E9A6162 . 636088 . . [7.00.6000.21020] . . c:\windows\$hf_mig$\KB963027-IE7\SP3QFE\iexplore.exe
[7] 2009-02-28 . A251068640DDB69FD7805B57D89D7FF7 . 636072 . . [7.00.6000.16827] . . c:\windows\ie7updates\KB969897-IE7\iexplore.exe
[7] 2008-12-19 . 15E8A89499741D5CF59A9CF6463A4339 . 634024 . . [7.00.6000.20978] . . c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\iexplore.exe
[7] 2008-12-19 . 030D78FE84A086ED376EFCBD2D72C522 . 634024 . . [7.00.6000.16791] . . c:\windows\ie7updates\KB963027-IE7\iexplore.exe
[7] 2008-10-15 . 9D3DB9ADFABD2F0BC778EC03250A3ABB . 633632 . . [7.00.6000.16762] . . c:\windows\ie7updates\KB961260-IE7\iexplore.exe
[7] 2008-10-15 . 056C927CF7207857E8B34F7A8FFD9B9E . 633632 . . [7.00.6000.20935] . . c:\windows\$hf_mig$\KB958215-IE7\SP2QFE\iexplore.exe
[7] 2008-08-23 . E8305C30D35E85D6657ED3E9934CB302 . 635848 . . [7.00.6000.20900] . . c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\iexplore.exe
[7] 2008-08-23 . 1F03216084447F990AE797317D0A6E70 . 635848 . . [7.00.6000.16735] . . c:\windows\ie7updates\KB958215-IE7\iexplore.exe
[7] 2008-06-23 . 64E376A47763DAEABCDA14BD5B6EA286 . 625664 . . [7.00.6000.16705] . . c:\windows\ie7updates\KB956390-IE7\iexplore.exe
[7] 2008-06-23 . C52A9EF571E91535EB78DB4B8B95EA07 . 625664 . . [7.00.6000.20861] . . c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\iexplore.exe
[7] 2008-04-22 . 197B7E4030CFBD8D2979D375E1787AA2 . 625664 . . [7.00.6000.20815] . . c:\windows\$hf_mig$\KB950759-IE7\SP2QFE\iexplore.exe
[7] 2008-04-22 . 232B22817B90AE0AFF2D189E3E3735AC . 625664 . . [7.00.6000.16674] . . c:\windows\ie7updates\KB953838-IE7\iexplore.exe
[-] 2008-04-14 . 55794B97A7FAABD2910873C85274F409 . 93184 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\iexplore.exe
[7] 2008-02-29 . 2D0E5592AB5A46C27DAF7CCAFF4F5B59 . 625664 . . [7.00.6000.16640] . . c:\windows\ie7updates\KB950759-IE7\iexplore.exe
[7] 2008-02-22 . 6E0888626E0CAC79F57149814E22DB4D . 625664 . . [7.00.6000.20772] . . c:\windows\$hf_mig$\KB947864-IE7\SP2QFE\iexplore.exe
[7] 2007-12-06 . 2703D940A62B731AA220529DD7331A78 . 625664 . . [7.00.6000.16608] . . c:\windows\ie7updates\KB947864-IE7\iexplore.exe
[7] 2007-12-06 . 2703D940A62B731AA220529DD7331A78 . 625664 . . [7.00.6000.16608] . . c:\windows\SoftwareDistribution\Download\e5a204b08ee9dd0f7a20547e61486b27\SP2GDR\iexplore.exe
[7] 2007-12-06 . 809D17D8FA0FDAEE07778CD821CAFFDE . 625664 . . [7.00.6000.20733] . . c:\windows\$hf_mig$\KB944533-IE7\SP2QFE\iexplore.exe
[7] 2007-12-06 . 809D17D8FA0FDAEE07778CD821CAFFDE . 625664 . . [7.00.6000.20733] . . c:\windows\SoftwareDistribution\Download\e5a204b08ee9dd0f7a20547e61486b27\SP2QFE\iexplore.exe
[7] 2007-10-10 . E854D02E4231F704D9BE782A424E6D8B . 625152 . . [7.00.6000.16574] . . c:\windows\ie7updates\KB944533-IE7\iexplore.exe
[7] 2007-10-10 . E854D02E4231F704D9BE782A424E6D8B . 625152 . . [7.00.6000.16574] . . c:\windows\SoftwareDistribution\Download\e3709fbfd9557a7d083f543d51d38612\SP2GDR\iexplore.exe
[7] 2007-10-10 . 632BDE0179847234433CA50945442ACB . 625664 . . [7.00.6000.20696] . . c:\windows\$hf_mig$\KB942615-IE7\SP2QFE\iexplore.exe
[7] 2007-10-10 . 632BDE0179847234433CA50945442ACB . 625664 . . [7.00.6000.20696] . . c:\windows\SoftwareDistribution\Download\e3709fbfd9557a7d083f543d51d38612\SP2QFE\iexplore.exe
[7] 2007-08-13 . DE49B348A18369B4626FBA1D49B07FB4 . 622080 . . [7.00.5730.13] . . c:\windows\ie7updates\KB942615-IE7\iexplore.exe
[7] 2004-08-04 . E7484514C0464642BE7B4DC2689354C8 . 93184 . . [6.00.2900.2180] . . c:\windows\ie7\iexplore.exe
.
((((((((((((((((((((((((((((( SnapShot@2012-01-17_00.45.55 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-01-22 06:11 . 2012-01-22 06:11 78924 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\AntiPhishing\A0AB7674-8D67-4F4D-B5E1-96FAEADFB79D.dat
+ 2012-01-22 06:11 . 2012-01-22 10:29 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012012012220120123\index.dat
+ 2005-11-29 17:34 . 2012-01-22 06:11 49152 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2012-01-22 06:10 . 2012-01-22 06:10 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2005-11-29 17:34 . 2009-11-20 11:30 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2005-11-29 17:34 . 2012-01-22 10:29 114688 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-09-11 2054360]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-07-14 98304]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"Blubster"="c:\program files\Blubster\Blubster.exe" [2009-11-27 2866176]
.
c:\documents and settings\Ricky\Start Menu\Programs\Startup\
Skype.lnk - c:\windows\Installer\{D103C4BA-F905-437A-8049-DB24763BBE36}\SkypeIcon.exe [N/A]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 10:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"c:\windows\system32\ijjbediw.exe"= c:\windows\system32\ijj
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Blubster\\Blubster.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [9/11/2009 7:23 AM 108792]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [9/11/2009 7:26 AM 96408]
S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [9/11/2009 7:24 AM 735960]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [1/21/2012 5:33 PM 40776]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dell4me.com/mywaybiz
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: mswsock.dll
Trusted Zone: getmirar.com\click
Trusted Zone: mirarsearch.com\click
Trusted Zone: mirarsearch.com\redirect
Trusted Zone: net-nucleus.com\awbeta
TCP: Interfaces\{42AAA1A2-A41E-4C6B-BC89-B07492D6ECB3}: NameServer = 93.188.162.149,93.188.160.29
DPF: ActiveGS.cab - hxxp://www.virtualapple.org/gs.cab
FF - ProfilePath - c:\documents and settings\Ricky\Application Data\Mozilla\Firefox\Profiles\w6omdj8q.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-22 22:55
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\windows\3949259467:873831188.exe 816 bytes executable
c:\windows\$NtUninstallKB20734$:SummaryInformation 0 bytes hidden from API
.
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\cbea64eb]
"ImagePath"="\systemroot\3949259467:873831188.exe"
.
------------------------ Other Running Processes ------------------------
.
c:\windows\3949259467:873831188.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\fxssvc.exe
.
**************************************************************************
.
Completion time: 2012-01-22 23:00:31 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-23 04:00
ComboFix2.txt 2012-01-22 02:12
ComboFix3.txt 2012-01-17 00:51
.
Pre-Run: 8,579,760,128 bytes free
Post-Run: 8,693,202,944 bytes free
.
- - End Of File - - 84A82425BDAB7A4F265209426A3224CF

Attached Files

log.txt 13.27KB 131 downloads

#22
Essexboy

Posted 23 January 2012 - 12:47 PM

GeekU Moderator

Retired Staff
69,964 posts

I will have to use a stronger programme as that rootkit does not want to go

ESET has 3 drivers running - we can delete them later once the rootkit has gone and then get you an antivirus programme

This will be a two stage kill first combofix to delete the service key and then AVP to kill the remannts

Could you allow combofix to install the recovery console as that enhances its removal ability

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet004\Services\cbea64eb]

Save this as CFScript.txt, in the same location as ComboFix.exe
Posted Image

Refering to the picture above, drag CFScript into ComboFix.exeWhen finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

THEN

Download AVPTool from Here to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named )

First we will run a virus scan

Click the cog in the upper right
Posted Image

Select down to and including your main drive, once done select the Automatic scan tab and press Start Scan
Posted Image

Allow AVP to delete all infections found
Once it has finished select report tab (last tab)
Select Detected threats report from the left and press Save button
Save it to your desktop and attach to your next post

Now the Analysis

Rerun AVP and select the Manual Disinfection tab and press Start Gathering System Information

Posted Image

On completion click the link to locate the zip file to upload and attach to your next post

Posted Image

Megaupload

#23
LArnett

Posted 24 January 2012 - 12:37 PM

Member

Topic Starter
Member
41 posts

here is the log for the ComboFix. I'm currently running the antivirus you gave me. Next post with be with the results from that.

ComboFix 12-01-23.02 - Ricky 01/23/2012 22:28:49.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.503.301 [GMT -5:00]
Running from: c:\documents and settings\Ricky\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ricky\Desktop\CFScript.txt
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB20734$
c:\windows\$NtUninstallKB20734$\2829397833
c:\windows\$NtUninstallKB20734$\3421136107\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}
c:\windows\$NtUninstallKB20734$\3421136107\L\odetmngk
c:\windows\$NtUninstallKB20734$\3421136107\loader.tlb
c:\windows\$NtUninstallKB20734$\3421136107\U\@00000001
c:\windows\$NtUninstallKB20734$\3421136107\U\@000000c0
c:\windows\$NtUninstallKB20734$\3421136107\U\@000000cb
c:\windows\$NtUninstallKB20734$\3421136107\U\@000000cf
c:\windows\$NtUninstallKB20734$\3421136107\U\@80000000
c:\windows\$NtUninstallKB20734$\3421136107\U\@800000c0
c:\windows\$NtUninstallKB20734$\3421136107\U\@800000cb
c:\windows\$NtUninstallKB20734$\3421136107\U\@800000cf
c:\windows\system32\c_42144.nls
.
Infected copy of c:\windows\system32\drivers\serial.sys was found and disinfected
Restored copy from - The cat found it

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_cbea64eb
.
.
((((((((((((((((((((((((( Files Created from 2011-12-24 to 2012-01-24 )))))))))))))))))))))))))))))))
.
.
2012-01-24 03:24 . 2004-08-04 10:00 64896 ----a-w- c:\windows\system32\drivers\serial.sys
2012-01-24 03:24 . 2004-08-04 10:00 64896 ----a-w- c:\windows\system32\dllcache\serial.sys
2012-01-22 04:22 . 2012-01-22 04:22 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2012-01-21 22:33 . 2012-01-22 01:48 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-01-21 22:30 . 2012-01-21 22:30 -------- d-----w- c:\documents and settings\Ricky\Application Data\Malwarebytes
2012-01-21 22:30 . 2012-01-21 22:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-01-20 16:23 . 2012-01-20 16:23 -------- d-----w- C:\_OTL
2012-01-16 23:35 . 2004-08-04 10:00 41856 ----a-w- c:\windows\system32\drivers\imapi.sys
2012-01-16 23:35 . 2004-08-04 10:00 41856 ----a-w- c:\windows\system32\dllcache\imapi.sys
2012-01-16 15:48 . 2012-01-16 21:13 111872 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2012-01-10 01:21 . 2012-01-22 04:29 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2012-01-10 01:17 . 2004-08-04 03:58 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2012-01-10 00:35 . 2004-08-04 05:56 21504 ----a-w- c:\windows\system32\hidserv.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-16 21:49 . 2004-08-10 17:58 5504 ----a-w- c:\windows\system32\drivers\intelide.sys
2009-02-13 00:32 . 2009-02-16 23:25 774144 ----a-w- c:\program files\RngInterstitial.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2010-04-16 . C4BA5E36FB57F547117305BF1E0FE454 . 634656 . . [7.00.6000.17055] . . c:\windows\ERDNT\cache\iexplore.exe
[7] 2010-04-16 . C4BA5E36FB57F547117305BF1E0FE454 . 634656 . . [7.00.6000.17055] . . c:\windows\system32\dllcache\iexplore.exe
[7] 2010-04-16 . B24A4E23A2FEDB6976EB04D334AD82B2 . 634648 . . [7.00.6000.21256] . . c:\windows\$hf_mig$\KB982381-IE7\SP3QFE\iexplore.exe
[7] 2010-02-23 . B5116340B84824DDD0A641E36B126194 . 634648 . . [7.00.6000.17023] . . c:\windows\ie7updates\KB982381-IE7\iexplore.exe
[7] 2010-02-23 . C8DDA4028065D5CE39CBE7A156B72AB9 . 634648 . . [7.00.6000.21228] . . c:\windows\$hf_mig$\KB980182-IE7\SP3QFE\iexplore.exe
[7] 2009-12-18 . 53C291F3B01EECECBD7FD358EA3ACC94 . 634648 . . [7.00.6000.16981] . . c:\windows\ie7updates\KB980182-IE7\iexplore.exe
[7] 2009-12-18 . D19E56D5930C37CF211867DF450C372A . 634632 . . [7.00.6000.21183] . . c:\windows\$hf_mig$\KB978207-IE7\SP3QFE\iexplore.exe
[7] 2009-10-28 . 80675329E0FD54F016C4F8A83C616349 . 634632 . . [7.00.6000.21148] . . c:\windows\$hf_mig$\KB976325-IE7\SP3QFE\iexplore.exe
[7] 2009-10-28 . 4F9B04D546C23A295F3F0AE015BE51DB . 634632 . . [7.00.6000.16945] . . c:\windows\ie7updates\KB978207-IE7\iexplore.exe
[7] 2009-08-27 . F232BA9F39BC0F722672C7E79E68EBEA . 634648 . . [7.00.6000.16915] . . c:\windows\ie7updates\KB976325-IE7\iexplore.exe
[7] 2009-08-27 . 332EC7562F3AA7364F2D4231C56DA986 . 634648 . . [7.00.6000.21115] . . c:\windows\$hf_mig$\KB974455-IE7\SP3QFE\iexplore.exe
[7] 2009-06-29 . 3CFC56F73D494FC1AA2B6E981DF15ACD . 634632 . . [7.00.6000.16876] . . c:\windows\ie7updates\KB974455-IE7\iexplore.exe
[7] 2009-06-29 . 02E2754D3E566C11A4934825920C47DD . 634632 . . [7.00.6000.21073] . . c:\windows\$hf_mig$\KB972260-IE7\SP3QFE\iexplore.exe
[7] 2009-04-25 . 092A7F2B49A19ECCE5369D3CB2276148 . 636088 . . [7.00.6000.16850] . . c:\windows\ie7updates\KB972260-IE7\iexplore.exe
[7] 2009-04-25 . C0503FD8D163652735C1EE900672A75C . 636088 . . [7.00.6000.21045] . . c:\windows\$hf_mig$\KB969897-IE7\SP3QFE\iexplore.exe
[7] 2009-02-28 . BCD8E48709BE4A79606F0B6E8E9A6162 . 636088 . . [7.00.6000.21020] . . c:\windows\$hf_mig$\KB963027-IE7\SP3QFE\iexplore.exe
[7] 2009-02-28 . A251068640DDB69FD7805B57D89D7FF7 . 636072 . . [7.00.6000.16827] . . c:\windows\ie7updates\KB969897-IE7\iexplore.exe
[7] 2008-12-19 . 15E8A89499741D5CF59A9CF6463A4339 . 634024 . . [7.00.6000.20978] . . c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\iexplore.exe
[7] 2008-12-19 . 030D78FE84A086ED376EFCBD2D72C522 . 634024 . . [7.00.6000.16791] . . c:\windows\ie7updates\KB963027-IE7\iexplore.exe
[7] 2008-10-15 . 9D3DB9ADFABD2F0BC778EC03250A3ABB . 633632 . . [7.00.6000.16762] . . c:\windows\ie7updates\KB961260-IE7\iexplore.exe
[7] 2008-10-15 . 056C927CF7207857E8B34F7A8FFD9B9E . 633632 . . [7.00.6000.20935] . . c:\windows\$hf_mig$\KB958215-IE7\SP2QFE\iexplore.exe
[7] 2008-08-23 . E8305C30D35E85D6657ED3E9934CB302 . 635848 . . [7.00.6000.20900] . . c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\iexplore.exe
[7] 2008-08-23 . 1F03216084447F990AE797317D0A6E70 . 635848 . . [7.00.6000.16735] . . c:\windows\ie7updates\KB958215-IE7\iexplore.exe
[7] 2008-06-23 . 64E376A47763DAEABCDA14BD5B6EA286 . 625664 . . [7.00.6000.16705] . . c:\windows\ie7updates\KB956390-IE7\iexplore.exe
[7] 2008-06-23 . C52A9EF571E91535EB78DB4B8B95EA07 . 625664 . . [7.00.6000.20861] . . c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\iexplore.exe
[7] 2008-04-22 . 197B7E4030CFBD8D2979D375E1787AA2 . 625664 . . [7.00.6000.20815] . . c:\windows\$hf_mig$\KB950759-IE7\SP2QFE\iexplore.exe
[7] 2008-04-22 . 232B22817B90AE0AFF2D189E3E3735AC . 625664 . . [7.00.6000.16674] . . c:\windows\ie7updates\KB953838-IE7\iexplore.exe
[7] 2008-04-14 . 55794B97A7FAABD2910873C85274F409 . 93184 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\iexplore.exe
[7] 2008-04-14 . 55794B97A7FAABD2910873C85274F409 . 93184 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\iexplore.exe
[7] 2008-02-29 . 2D0E5592AB5A46C27DAF7CCAFF4F5B59 . 625664 . . [7.00.6000.16640] . . c:\windows\ie7updates\KB950759-IE7\iexplore.exe
[7] 2008-02-22 . 6E0888626E0CAC79F57149814E22DB4D . 625664 . . [7.00.6000.20772] . . c:\windows\$hf_mig$\KB947864-IE7\SP2QFE\iexplore.exe
[7] 2007-12-06 . 2703D940A62B731AA220529DD7331A78 . 625664 . . [7.00.6000.16608] . . c:\windows\ie7updates\KB947864-IE7\iexplore.exe
[7] 2007-12-06 . 2703D940A62B731AA220529DD7331A78 . 625664 . . [7.00.6000.16608] . . c:\windows\SoftwareDistribution\Download\e5a204b08ee9dd0f7a20547e61486b27\SP2GDR\iexplore.exe
[7] 2007-12-06 . 809D17D8FA0FDAEE07778CD821CAFFDE . 625664 . . [7.00.6000.20733] . . c:\windows\$hf_mig$\KB944533-IE7\SP2QFE\iexplore.exe
[7] 2007-12-06 . 809D17D8FA0FDAEE07778CD821CAFFDE . 625664 . . [7.00.6000.20733] . . c:\windows\SoftwareDistribution\Download\e5a204b08ee9dd0f7a20547e61486b27\SP2QFE\iexplore.exe
[7] 2007-10-10 . E854D02E4231F704D9BE782A424E6D8B . 625152 . . [7.00.6000.16574] . . c:\windows\ie7updates\KB944533-IE7\iexplore.exe
[7] 2007-10-10 . E854D02E4231F704D9BE782A424E6D8B . 625152 . . [7.00.6000.16574] . . c:\windows\SoftwareDistribution\Download\e3709fbfd9557a7d083f543d51d38612\SP2GDR\iexplore.exe
[7] 2007-10-10 . 632BDE0179847234433CA50945442ACB . 625664 . . [7.00.6000.20696] . . c:\windows\$hf_mig$\KB942615-IE7\SP2QFE\iexplore.exe
[7] 2007-10-10 . 632BDE0179847234433CA50945442ACB . 625664 . . [7.00.6000.20696] . . c:\windows\SoftwareDistribution\Download\e3709fbfd9557a7d083f543d51d38612\SP2QFE\iexplore.exe
[7] 2007-08-13 . DE49B348A18369B4626FBA1D49B07FB4 . 622080 . . [7.00.5730.13] . . c:\windows\ie7updates\KB942615-IE7\iexplore.exe
[7] 2004-08-04 . E7484514C0464642BE7B4DC2689354C8 . 93184 . . [6.00.2900.2180] . . c:\windows\ie7\iexplore.exe
.
((((((((((((((((((((((((((((( SnapShot@2012-01-17_00.45.55 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-10 17:51 . 2005-05-04 19:45 78848 c:\windows\system32\msiexec.exe
+ 2012-01-22 06:11 . 2012-01-22 06:11 78924 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\AntiPhishing\A0AB7674-8D67-4F4D-B5E1-96FAEADFB79D.dat
+ 2012-01-22 06:11 . 2012-01-22 10:29 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012012012220120123\index.dat
+ 2005-11-29 17:34 . 2012-01-22 06:11 49152 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2005-11-29 17:34 . 2012-01-22 10:29 114688 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-09-11 2054360]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-07-14 98304]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"Blubster"="c:\program files\Blubster\Blubster.exe" [2009-11-27 2866176]
.
c:\documents and settings\Ricky\Start Menu\Programs\Startup\
Skype.lnk - c:\windows\Installer\{D103C4BA-F905-437A-8049-DB24763BBE36}\SkypeIcon.exe [N/A]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 10:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"c:\windows\system32\ijjbediw.exe"= c:\windows\system32\ijj
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Blubster\\Blubster.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [9/11/2009 7:23 AM 108792]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [9/11/2009 7:26 AM 96408]
S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [9/11/2009 7:24 AM 735960]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [1/21/2012 5:33 PM 40776]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dell4me.com/mywaybiz
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: getmirar.com\click
Trusted Zone: mirarsearch.com\click
Trusted Zone: mirarsearch.com\redirect
Trusted Zone: net-nucleus.com\awbeta
TCP: DhcpNameServer = 192.168.1.1 74.128.17.114
TCP: Interfaces\{42AAA1A2-A41E-4C6B-BC89-B07492D6ECB3}: NameServer = 93.188.162.149,93.188.160.29
DPF: ActiveGS.cab - hxxp://www.virtualapple.org/gs.cab
FF - ProfilePath - c:\documents and settings\Ricky\Application Data\Mozilla\Firefox\Profiles\w6omdj8q.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-23 22:42
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2996)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\fxssvc.exe
c:\program files\Blubster\BGCheck.exe
c:\program files\Common Files\Java\Java Update\jucheck.exe
.
**************************************************************************
.
Completion time: 2012-01-23 22:51:55 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-24 03:51
ComboFix2.txt 2012-01-23 04:00
ComboFix3.txt 2012-01-22 02:12
ComboFix4.txt 2012-01-17 00:51
.
Pre-Run: 8,133,894,144 bytes free
Post-Run: 8,202,715,136 bytes free
.
- - End Of File - - 4FAFB3860E0D8C83907018412A70E3A9

Attached Files

log.txt 14.47KB 106 downloads

#24
Essexboy

Posted 24 January 2012 - 02:19 PM

GeekU Moderator

Retired Staff
69,964 posts

Looks like the recovery console geed up Combofix and it appears to have got the bad boy this time

Let me know how it is running once the AVP run is complete

#25
LArnett

Posted 24 January 2012 - 05:52 PM

Member

Topic Starter
Member
41 posts

Will do, it's been running for about 3 hours and still has about 6 to go so I'll post results tomorrow. I really appreciate the help.

#26
Essexboy

Posted 25 January 2012 - 01:29 PM

GeekU Moderator

Retired Staff
69,964 posts

Do you want some AV recommendations ?

#27
LArnett

Posted 25 January 2012 - 06:47 PM

Member

Topic Starter
Member
41 posts

Absolutly. I would love a suggested AV. I've always used AVG and never had any problems on any of my computers but I don't tend to go to shady sites that infect my computers also. I don't download anything unless I check it out first.

Here's the log from the Kaspersky AV tool. Getting ready to start the Manual Disinfection now.

Status: Deleted (events: 163)
1/24/2012 3:29:53 PM Deleted Trojan program Exploit.Java.CVE-2010-4452.a C:\Documents and Settings\Mary Kay\Application Data\Sun\Java\Deployment\cache\6.0\1\3e060fc1-25602dcc High
1/24/2012 3:29:54 PM Deleted Trojan program Exploit.Java.CVE-2010-4452.a C:\Documents and Settings\Mary Kay\Application Data\Sun\Java\Deployment\cache\6.0\40\3b46a028-2d3eac31 High
1/24/2012 3:29:54 PM Deleted Trojan program Exploit.Java.CVE-2010-4452.a C:\Documents and Settings\Mary Kay\Application Data\Sun\Java\Deployment\cache\6.0\40\3b46a028-58cd54fa High
1/24/2012 3:37:27 PM Deleted virus HEUR:Trojan.Win32.Generic C:\Documents and Settings\Mary Kay\Application Data\Sun\Java\Deployment\cache\6.0\48\3d58c9b0-6f98f95b High
1/24/2012 3:43:52 PM Deleted Trojan program Trojan-Dropper.Win32.FrauDrop.xyrw C:\Documents and Settings\Mary Kay\Local Settings\Temp\33F1.tmp High
1/24/2012 3:43:52 PM Deleted Trojan program Trojan-Dropper.Win32.FrauDrop.xyrw C:\Documents and Settings\Mary Kay\Local Settings\Temp\33F1.tmp//PE_Patch High
1/24/2012 4:43:24 PM Deleted Trojan program Exploit.Java.CVE-2010-4452.a C:\Documents and Settings\Ricky\Application Data\Sun\Java\Deployment\cache\6.0\44\1e8e536c-113b2012 High
1/24/2012 4:43:25 PM Deleted Trojan program Exploit.Java.CVE-2010-4452.a C:\Documents and Settings\Ricky\Application Data\Sun\Java\Deployment\cache\6.0\44\1e8e536c-13fb9e49 High
1/24/2012 4:43:24 PM Deleted Trojan program Exploit.Java.CVE-2010-4452.a C:\Documents and Settings\Ricky\Application Data\Sun\Java\Deployment\cache\6.0\44\1e8e536c-2fd6b7cf High
1/24/2012 4:43:42 PM Deleted Trojan program Exploit.Java.CVE-2010-4452.a C:\Documents and Settings\Ricky\Application Data\Sun\Java\Deployment\cache\6.0\44\1e8e536c-39925e05 High
1/24/2012 4:43:42 PM Deleted Trojan program Exploit.Java.CVE-2010-4452.a C:\Documents and Settings\Ricky\Application Data\Sun\Java\Deployment\cache\6.0\44\1e8e536c-581d0d03 High
1/24/2012 4:43:41 PM Deleted Trojan program Exploit.Java.CVE-2010-4452.a C:\Documents and Settings\Ricky\Application Data\Sun\Java\Deployment\cache\6.0\44\1e8e536c-7c77499d High
1/24/2012 5:23:37 PM Deleted adware not-a-virus:AdWare.Win32.BetterInternet.ba C:\Program Files\Kazaa\My Shared Folder\kazaa323_en.exe Medium
1/24/2012 5:23:35 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.b C:\Program Files\Kazaa\My Shared Folder\kazaa323_en.exe//Setup.exe Medium
1/24/2012 5:24:29 PM Deleted adware not-a-virus:AdWare.Win32.RXBar.f C:\Program Files\Kazaa\My Shared Folder\kazaa327_en.exe Medium
1/24/2012 5:24:29 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.b C:\Program Files\Kazaa\My Shared Folder\kazaa327_en.exe//Setup.exe Medium
1/24/2012 5:23:54 PM Deleted adware not-a-virus:AdWare.Win32.BetterInternet.ba C:\Program Files\Kazaa\My Unshared Folder\kazaa300_en.exe Medium
1/24/2012 5:23:53 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.b C:\Program Files\Kazaa\My Unshared Folder\kazaa300_en.exe//Setup.exe Medium
1/24/2012 5:23:35 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.a C:\Program Files\Kazaa\My Shared Folder\kazaa323_en.exe//adm4.dll Medium
1/24/2012 5:23:35 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.a C:\Program Files\Kazaa\My Shared Folder\kazaa323_en.exe//adm25.dll Medium
1/24/2012 5:23:35 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.a C:\Program Files\Kazaa\My Shared Folder\kazaa323_en.exe//adm.exe Medium
1/24/2012 5:23:36 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.x C:\Program Files\Kazaa\My Shared Folder\kazaa323_en.exe//admdata.dll Medium
1/24/2012 5:23:36 PM Deleted adware not-a-virus:AdWare.Win32.BrilliantDigital.3039 C:\Program Files\Kazaa\My Shared Folder\kazaa323_en.exe//admdloader.dll Medium
1/24/2012 5:23:36 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.j C:\Program Files\Kazaa\My Shared Folder\kazaa323_en.exe//admfdi.dll Medium
1/24/2012 5:23:36 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.a C:\Program Files\Kazaa\My Shared Folder\kazaa323_en.exe//admprog.dll Medium
1/24/2012 5:23:36 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.g C:\Program Files\Kazaa\My Shared Folder\kazaa323_en.exe//dmfiles.cab Medium
1/24/2012 5:23:36 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.g C:\Program Files\Kazaa\My Shared Folder\kazaa323_en.exe//dmfiles.cab//AltnetUninstall.exe Medium
1/24/2012 5:23:53 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.a C:\Program Files\Kazaa\My Unshared Folder\kazaa300_en.exe//adm4.dll Medium
1/24/2012 5:23:53 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.a C:\Program Files\Kazaa\My Unshared Folder\kazaa300_en.exe//adm25.dll Medium
1/24/2012 5:23:53 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.a C:\Program Files\Kazaa\My Unshared Folder\kazaa300_en.exe//adm.exe Medium
1/24/2012 5:23:53 PM Deleted adware not-a-virus:AdWare.Win32.BrilliantDigital.3039 C:\Program Files\Kazaa\My Unshared Folder\kazaa300_en.exe//admdloader.dll Medium
1/24/2012 5:24:29 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.a C:\Program Files\Kazaa\My Shared Folder\kazaa327_en.exe//adm4.dll Medium
1/24/2012 5:23:53 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.j C:\Program Files\Kazaa\My Unshared Folder\kazaa300_en.exe//admfdi.dll Medium
1/24/2012 5:24:29 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.a C:\Program Files\Kazaa\My Shared Folder\kazaa327_en.exe//adm25.dll Medium
1/24/2012 5:23:54 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.a C:\Program Files\Kazaa\My Unshared Folder\kazaa300_en.exe//admprog.dll Medium
1/24/2012 5:24:29 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.a C:\Program Files\Kazaa\My Shared Folder\kazaa327_en.exe//adm.exe Medium
1/24/2012 5:23:54 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.g C:\Program Files\Kazaa\My Unshared Folder\kazaa300_en.exe//dmfiles.cab Medium
1/24/2012 5:23:54 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.g C:\Program Files\Kazaa\My Unshared Folder\kazaa300_en.exe//dmfiles.cab//AltnetUninstall.exe Medium
1/24/2012 5:24:29 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.x C:\Program Files\Kazaa\My Shared Folder\kazaa327_en.exe//admdata.dll Medium
1/24/2012 5:24:29 PM Deleted adware not-a-virus:AdWare.Win32.BrilliantDigital.3039 C:\Program Files\Kazaa\My Shared Folder\kazaa327_en.exe//admdloader.dll Medium
1/24/2012 5:24:29 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.j C:\Program Files\Kazaa\My Shared Folder\kazaa327_en.exe//admfdi.dll Medium
1/24/2012 5:24:29 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.a C:\Program Files\Kazaa\My Shared Folder\kazaa327_en.exe//admprog.dll Medium
1/24/2012 5:24:29 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.g C:\Program Files\Kazaa\My Shared Folder\kazaa327_en.exe//dmfiles.cab Medium
1/24/2012 5:24:29 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.g C:\Program Files\Kazaa\My Shared Folder\kazaa327_en.exe//dmfiles.cab//AltnetUninstall.exe Medium
1/24/2012 5:23:36 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.h C:\Program Files\Kazaa\My Shared Folder\kazaa323_en.exe//pmexe.cab Medium
1/24/2012 5:23:36 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.h C:\Program Files\Kazaa\My Shared Folder\kazaa323_en.exe//pmexe.cab//Points Manager.exe Medium
1/24/2012 5:23:36 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.h C:\Program Files\Kazaa\My Shared Folder\kazaa323_en.exe//pmexe.cab//Points Manager.exe//Pex Medium
1/24/2012 5:23:36 PM Deleted adware not-a-virus:AdWare.Win32.BrilliantDigital.1007 C:\Program Files\Kazaa\My Shared Folder\kazaa323_en.exe//pmfiles.cab Medium
1/24/2012 5:23:36 PM Deleted adware not-a-virus:AdWare.Win32.BrilliantDigital.1007 C:\Program Files\Kazaa\My Shared Folder\kazaa323_en.exe//pmfiles.cab//sysdetect.dll Medium
1/24/2012 5:23:36 PM Deleted adware not-a-virus:AdWare.Win32.404Search.l C:\Program Files\Kazaa\My Shared Folder\kazaa323_en.exe//InstaFinderK_inst.exe Medium
1/24/2012 5:23:36 PM Deleted adware not-a-virus:AdWare.Win32.404Search.l C:\Program Files\Kazaa\My Shared Folder\kazaa323_en.exe//InstaFinderK_inst.exe//data0003 Medium
1/24/2012 5:23:36 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.d C:\Program Files\Kazaa\My Shared Folder\kazaa323_en.exe//TopSearch.dll Medium
1/24/2012 5:23:36 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.d C:\Program Files\Kazaa\My Shared Folder\kazaa323_en.exe//kazaa.exe Medium
1/24/2012 5:23:36 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.d C:\Program Files\Kazaa\My Shared Folder\kazaa323_en.exe//kazaa.exe//Execryptor Medium
1/24/2012 5:23:36 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.d C:\Program Files\Kazaa\My Shared Folder\kazaa323_en.exe//kazaa.exe//Execryptor//data0034.res Medium
1/24/2012 5:23:36 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.d C:\Program Files\Kazaa\My Shared Folder\kazaa323_en.exe//kazaa.exe//Execryptor//data0034.res//TopSearch.dll Medium
1/24/2012 5:23:36 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.d C:\Program Files\Kazaa\My Shared Folder\kazaa323_en.exe//kazaa.exe//Execryptor Medium
1/24/2012 5:23:36 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.d C:\Program Files\Kazaa\My Shared Folder\kazaa323_en.exe//kazaa.exe Medium
1/24/2012 5:23:54 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.h C:\Program Files\Kazaa\My Unshared Folder\kazaa300_en.exe//pmexe.cab Medium
1/24/2012 5:23:54 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.h C:\Program Files\Kazaa\My Unshared Folder\kazaa300_en.exe//pmexe.cab//Points Manager.exe Medium
1/24/2012 5:23:54 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.h C:\Program Files\Kazaa\My Unshared Folder\kazaa300_en.exe//pmexe.cab//Points Manager.exe//Pex Medium
1/24/2012 5:23:54 PM Deleted adware not-a-virus:AdWare.Win32.BrilliantDigital.1007 C:\Program Files\Kazaa\My Unshared Folder\kazaa300_en.exe//pmfiles.cab Medium
1/24/2012 5:23:54 PM Deleted adware not-a-virus:AdWare.Win32.BrilliantDigital.1007 C:\Program Files\Kazaa\My Unshared Folder\kazaa300_en.exe//pmfiles.cab//sysdetect.dll Medium
1/24/2012 5:23:54 PM Deleted adware not-a-virus:AdWare.Win32.404Search.h C:\Program Files\Kazaa\My Unshared Folder\kazaa300_en.exe//InstaFinderK_inst.exe Medium
1/24/2012 5:23:54 PM Deleted adware not-a-virus:AdWare.Win32.404Search.h C:\Program Files\Kazaa\My Unshared Folder\kazaa300_en.exe//InstaFinderK_inst.exe//# Medium
1/24/2012 5:23:54 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.d C:\Program Files\Kazaa\My Unshared Folder\kazaa300_en.exe//TopSearch.dll Medium
1/24/2012 5:23:37 PM Deleted adware not-a-virus:AdWare.Win32.RXBar.f C:\Program Files\Kazaa\My Shared Folder\kazaa323_en.exe//RXToolbar.exe Medium
1/24/2012 5:23:36 PM Deleted adware not-a-virus:AdWare.Win32.RXBar.f C:\Program Files\Kazaa\My Shared Folder\kazaa323_en.exe//RXToolbar.exe//RXToolBar.dll Medium
1/24/2012 5:23:36 PM Deleted adware not-a-virus:AdWare.Win32.RXBar.f C:\Program Files\Kazaa\My Shared Folder\kazaa323_en.exe//RXToolbar.exe//sfcont.dll Medium
1/24/2012 5:24:29 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.h C:\Program Files\Kazaa\My Shared Folder\kazaa327_en.exe//pmexe.cab Medium
1/24/2012 5:24:29 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.h C:\Program Files\Kazaa\My Shared Folder\kazaa327_en.exe//pmexe.cab//Points Manager.exe Medium
1/24/2012 5:24:29 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.h C:\Program Files\Kazaa\My Shared Folder\kazaa327_en.exe//pmexe.cab//Points Manager.exe//Pex Medium
1/24/2012 5:23:36 PM Deleted adware not-a-virus:AdWare.Win32.RXBar.f C:\Program Files\Kazaa\My Shared Folder\kazaa323_en.exe//RXToolbar.exe//Semantic Insight/SemanticInsight.exe Medium
1/24/2012 5:23:36 PM Deleted adware not-a-virus:AdWare.Win32.RXBar.f C:\Program Files\Kazaa\My Shared Folder\kazaa323_en.exe//RXToolbar.exe//Semantic Insight/SemanticInsight.exe//UPX Medium
1/24/2012 5:24:29 PM Deleted adware not-a-virus:AdWare.Win32.404Search.l C:\Program Files\Kazaa\My Shared Folder\kazaa327_en.exe//InstaFinderK_inst.exe Medium
1/24/2012 5:24:29 PM Deleted adware not-a-virus:AdWare.Win32.404Search.l C:\Program Files\Kazaa\My Shared Folder\kazaa327_en.exe//InstaFinderK_inst.exe//data0003 Medium
1/24/2012 5:24:29 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.d C:\Program Files\Kazaa\My Shared Folder\kazaa327_en.exe//TopSearch.dll Medium
1/24/2012 5:23:37 PM Deleted adware not-a-virus:AdWare.Win32.BetterInternet.ba C:\Program Files\Kazaa\My Shared Folder\kazaa323_en.exe//TBONInst.exe Medium
1/24/2012 5:23:37 PM Deleted adware not-a-virus:AdWare.Win32.BetterInternet.ba C:\Program Files\Kazaa\My Shared Folder\kazaa323_en.exe//TBONInst.exe//PE_Patch.PFD Medium
1/24/2012 5:23:37 PM Deleted adware not-a-virus:AdWare.Win32.BetterInternet.ba C:\Program Files\Kazaa\My Shared Folder\kazaa323_en.exe//TBONInst.exe//PE_Patch.PFD//PE-Crypt.PFD Medium
1/24/2012 5:23:37 PM Deleted adware not-a-virus:AdWare.Win32.BetterInternet.ba C:\Program Files\Kazaa\My Shared Folder\kazaa323_en.exe//TBONInst.exe//PE_Patch.PFD//PE-Crypt.PFD//UPX Medium
1/24/2012 5:23:54 PM Deleted adware not-a-virus:AdWare.Win32.RXBar.d C:\Program Files\Kazaa\My Unshared Folder\kazaa300_en.exe//RXToolbar.exe Medium
1/24/2012 5:24:29 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.d C:\Program Files\Kazaa\My Shared Folder\kazaa327_en.exe//kazaa.exe Medium
1/24/2012 5:24:29 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.d C:\Program Files\Kazaa\My Shared Folder\kazaa327_en.exe//kazaa.exe//Execryptor Medium
1/24/2012 5:23:54 PM Deleted adware not-a-virus:AdWare.Win32.RXBar.d C:\Program Files\Kazaa\My Unshared Folder\kazaa300_en.exe//RXToolbar.exe//RXToolBar.dll Medium
1/24/2012 5:24:29 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.d C:\Program Files\Kazaa\My Shared Folder\kazaa327_en.exe//kazaa.exe//Execryptor//data0034.res Medium
1/24/2012 5:24:29 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.d C:\Program Files\Kazaa\My Shared Folder\kazaa327_en.exe//kazaa.exe//Execryptor//data0034.res//TopSearch.dll Medium
1/24/2012 5:23:54 PM Deleted adware not-a-virus:AdWare.Win32.RXBar.e C:\Program Files\Kazaa\My Unshared Folder\kazaa300_en.exe//RXToolbar.exe//sfcont.dll Medium
1/24/2012 5:23:54 PM Deleted adware not-a-virus:AdWare.Win32.BetterInternet.ba C:\Program Files\Kazaa\My Unshared Folder\kazaa300_en.exe//TBONInst.exe Medium
1/24/2012 5:23:54 PM Deleted adware not-a-virus:AdWare.Win32.BetterInternet.ba C:\Program Files\Kazaa\My Unshared Folder\kazaa300_en.exe//TBONInst.exe//PE_Patch.PFD Medium
1/24/2012 5:23:54 PM Deleted adware not-a-virus:AdWare.Win32.BetterInternet.ba C:\Program Files\Kazaa\My Unshared Folder\kazaa300_en.exe//TBONInst.exe//PE_Patch.PFD//PE-Crypt.PFD Medium
1/24/2012 5:23:54 PM Deleted adware not-a-virus:AdWare.Win32.BetterInternet.ba C:\Program Files\Kazaa\My Unshared Folder\kazaa300_en.exe//TBONInst.exe//PE_Patch.PFD//PE-Crypt.PFD//UPX Medium
1/24/2012 5:24:29 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.d C:\Program Files\Kazaa\My Shared Folder\kazaa327_en.exe//kazaa.exe//Execryptor Medium
1/24/2012 5:24:29 PM Deleted adware not-a-virus:AdWare.Win32.Altnet.d C:\Program Files\Kazaa\My Shared Folder\kazaa327_en.exe//kazaa.exe Medium
1/24/2012 5:24:29 PM Deleted adware not-a-virus:AdWare.Win32.RXBar.f C:\Program Files\Kazaa\My Shared Folder\kazaa327_en.exe//RXToolbar.exe Medium
1/24/2012 5:24:29 PM Deleted adware not-a-virus:AdWare.Win32.RXBar.f C:\Program Files\Kazaa\My Shared Folder\kazaa327_en.exe//RXToolbar.exe//RXToolBar.dll Medium
1/24/2012 5:24:29 PM Deleted adware not-a-virus:AdWare.Win32.RXBar.f C:\Program Files\Kazaa\My Shared Folder\kazaa327_en.exe//RXToolbar.exe//sfcont.dll Medium
1/24/2012 5:42:50 PM Deleted Trojan program Backdoor.Win32.ZAccess.avy C:\Qoobox\Quarantine\C\WINDOWS\assembly\GAC_MSIL\desktop.ini.vir High
1/24/2012 5:42:51 PM Deleted Trojan program Backdoor.Win32.ZAccess.aqn C:\Qoobox\Quarantine\C\WINDOWS\system32\c_42144.nl_.vir High
1/24/2012 5:51:02 PM Deleted virus Virus.Win32.ZAccess.e C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\serial.sys.vir High
1/24/2012 5:51:00 PM Deleted virus Virus.Win32.ZAccess.e C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\imapi.sys.vir High
1/24/2012 5:51:01 PM Deleted virus Virus.Win32.ZAccess.e C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\serial.sys.vir_ High
1/24/2012 5:52:00 PM Deleted Trojan program Backdoor.Win32.Papras.ahc C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0186792.dll High
1/24/2012 5:53:27 PM Deleted Trojan program Trojan.Win32.FakeAV.donv C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0190083.exe High
1/24/2012 6:48:00 PM Deleted virus Virus.Win32.ZAccess.e C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0195141.sys High
1/24/2012 6:48:00 PM Deleted virus Virus.Win32.ZAccess.e C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0196141.sys High
1/24/2012 6:47:33 PM Deleted Trojan program Backdoor.Win32.ZAccess.ang C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0195142.ini High
1/24/2012 6:48:01 PM Deleted Trojan program Backdoor.Win32.ZAccess.ang C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0196142.ini High
1/24/2012 6:48:37 PM Deleted virus Virus.Win32.ZAccess.e C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0197141.sys High
1/24/2012 6:48:20 PM Deleted Trojan program Backdoor.Win32.ZAccess.ang C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0197142.ini High
1/24/2012 6:48:26 PM Deleted virus Virus.Win32.ZAccess.e C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0198141.sys High
1/24/2012 6:48:23 PM Deleted Trojan program Backdoor.Win32.ZAccess.ang C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0198142.ini High
1/24/2012 6:49:41 PM Deleted virus Virus.Win32.ZAccess.e C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0198148.sys High
1/24/2012 6:48:47 PM Deleted Trojan program Backdoor.Win32.ZAccess.ang C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0198149.ini High
1/24/2012 6:49:42 PM Deleted virus Virus.Win32.ZAccess.e C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0198154.sys High
1/24/2012 6:49:42 PM Deleted Trojan program Backdoor.Win32.ZAccess.ang C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0198155.ini High
1/24/2012 6:50:43 PM Deleted Trojan program Backdoor.Win32.ZAccess.ang C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0199155.ini High
1/24/2012 6:51:23 PM Deleted virus Virus.Win32.ZAccess.e C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0199154.sys High
1/24/2012 6:51:23 PM Deleted virus Virus.Win32.ZAccess.e C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0199158.sys High
1/24/2012 6:51:23 PM Deleted Trojan program Backdoor.Win32.ZAccess.ang C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0199159.ini High
1/24/2012 6:53:16 PM Deleted virus Virus.Win32.ZAccess.e C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0199164.sys High
1/24/2012 6:53:16 PM Deleted Trojan program Backdoor.Win32.ZAccess.ang C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0199165.ini High
1/24/2012 6:53:15 PM Deleted virus Virus.Win32.ZAccess.e C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0199173.sys High
1/24/2012 6:53:21 PM Deleted Trojan program Backdoor.Win32.ZAccess.ang C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0199174.ini High
1/24/2012 6:53:28 PM Deleted Trojan program Backdoor.Win32.ZAccess.ang C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0199200.ini High
1/24/2012 6:53:45 PM Deleted virus Virus.Win32.ZAccess.e C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0199199.sys High
1/24/2012 6:53:34 PM Deleted virus Virus.Win32.ZAccess.e C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0200199.sys High
1/24/2012 6:53:32 PM Deleted Trojan program Backdoor.Win32.ZAccess.ang C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0200200.ini High
1/24/2012 6:53:54 PM Deleted virus Virus.Win32.ZAccess.e C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0201199.sys High
1/24/2012 6:53:45 PM Deleted Trojan program Backdoor.Win32.ZAccess.ang C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0201200.ini High
1/24/2012 6:54:02 PM Deleted virus Virus.Win32.ZAccess.e C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0201209.sys High
1/24/2012 6:53:55 PM Deleted Trojan program Backdoor.Win32.ZAccess.ang C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0201210.ini High
1/24/2012 6:54:11 PM Deleted virus Virus.Win32.ZAccess.e C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0201220.sys High
1/24/2012 6:54:03 PM Deleted Trojan program Backdoor.Win32.ZAccess.ang C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0201221.ini High
1/24/2012 6:54:11 PM Deleted Trojan program Backdoor.Win32.ZAccess.ang C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0201233.ini High
1/24/2012 6:54:55 PM Deleted virus Virus.Win32.ZAccess.e C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0201232.sys High
1/24/2012 6:54:56 PM Deleted virus Virus.Win32.ZAccess.e C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0201243.sys High
1/24/2012 6:54:56 PM Deleted Trojan program Backdoor.Win32.ZAccess.ang C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0201244.ini High
1/24/2012 6:55:15 PM Deleted virus Virus.Win32.ZAccess.e C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0201264.sys High
1/24/2012 6:55:08 PM Deleted Trojan program Backdoor.Win32.ZAccess.ang C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0201265.ini High
1/24/2012 6:55:17 PM Deleted virus Virus.Win32.ZAccess.e C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0201277.sys High
1/24/2012 6:55:16 PM Deleted Trojan program Backdoor.Win32.ZAccess.ang C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0201278.ini High
1/24/2012 6:55:42 PM Deleted virus Virus.Win32.ZAccess.e C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0201287.sys High
1/24/2012 6:58:38 PM Deleted virus Virus.Win32.ZAccess.e C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0201380.sys High
1/24/2012 6:58:37 PM Deleted virus Virus.Win32.ZAccess.e C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0202380.sys High
1/24/2012 6:58:35 PM Deleted virus Virus.Win32.ZAccess.e C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1603\A0202403.sys High
1/24/2012 7:00:44 PM Deleted virus Virus.Win32.ZAccess.e C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1604\A0202411.sys High
1/24/2012 7:00:44 PM Deleted virus Virus.Win32.ZAccess.e C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1604\A0202420.sys High
1/24/2012 7:00:44 PM Deleted Trojan program Backdoor.Win32.ZAccess.avy C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1604\A0202421.ini High
1/24/2012 7:10:19 PM Deleted virus Virus.Win32.ZAccess.e C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1604\A0202460.sys High
1/24/2012 7:09:36 PM Deleted Trojan program Backdoor.Win32.ZAccess.avy C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1604\A0202461.ini High
1/24/2012 7:15:33 PM Deleted virus Virus.Win32.ZAccess.e C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1604\A0202588.sys High
1/24/2012 7:15:33 PM Deleted virus Virus.Win32.ZAccess.e C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1604\A0202664.sys High
1/24/2012 7:15:33 PM Deleted virus Virus.Win32.ZAccess.e C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1604\A0202698.sys High
1/24/2012 7:19:23 PM Deleted Trojan program Backdoor.Win32.ZAccess.avy C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1604\A0202699.ini High
1/24/2012 7:19:22 PM Deleted virus Virus.Win32.ZAccess.e C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1605\A0203698.sys High
1/24/2012 7:19:23 PM Deleted Trojan program Backdoor.Win32.ZAccess.avy C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1605\A0203699.ini High
1/24/2012 7:21:33 PM Deleted virus Virus.Win32.ZAccess.e C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1605\A0203742.sys High
1/24/2012 7:24:28 PM Deleted virus Virus.Win32.ZAccess.e C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1606\A0203822.sys High
1/24/2012 7:21:33 PM Deleted virus Virus.Win32.ZAccess.e C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1606\A0203999.sys High
1/24/2012 7:47:10 PM Deleted Trojan program Trojan.Win32.Diple.aljd C:\_OTL\MovedFiles\01202012_112305\C_Documents and Settings\All Users\Application Data\defender High
1/24/2012 7:47:13 PM Deleted Trojan program Trojan.Win32.Diple.aljd C:\_OTL\MovedFiles\01202012_112305\C_Documents and Settings\All Users\Application Data\defender.exe High
1/24/2012 7:47:10 PM Deleted Trojan program Backdoor.Win32.ZAccess.ob C:\_OTL\MovedFiles\01202012_112305\C_WINDOWS\3949259467:873831188.exe High
Status: Disinfected (events: 43)
1/24/2012 3:36:59 PM Disinfected Trojan program Trojan-Downloader.Java.Agent.f C:\Documents and Settings\Mary Kay\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0dc2-2cfe40d9.zip High
1/24/2012 3:36:59 PM Disinfected Trojan program Trojan-Downloader.Java.Agent.f C:\Documents and Settings\Mary Kay\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0dc2-2cfe40d9.zip/vlocal.class High
1/24/2012 4:08:05 PM Disinfected Trojan program Trojan.Win32.Patched.mf C:\Program Files\Internet Explorer\iexplore.exe High
1/24/2012 3:56:27 PM Disinfected Trojan program Trojan.Win32.Patched.mf c:\Program Files\Internet Explorer\iexplore.exe High
1/24/2012 4:28:44 PM Disinfected Trojan program Exploit.Java.Agent.bu C:\Documents and Settings\Ricky\Application Data\Sun\Java\Deployment\cache\6.0\10\653a8b4a-213e47ff High
1/24/2012 4:28:44 PM Disinfected Trojan program Exploit.Java.Agent.bu C:\Documents and Settings\Ricky\Application Data\Sun\Java\Deployment\cache\6.0\10\653a8b4a-213e47ff/vmain.class High
1/24/2012 4:28:44 PM Disinfected Trojan program Trojan-Downloader.Java.OpenConnection.cs C:\Documents and Settings\Ricky\Application Data\Sun\Java\Deployment\cache\6.0\12\3c8e0c-39247ecf High
1/24/2012 4:28:44 PM Disinfected Trojan program Trojan-Downloader.Java.OpenConnection.cs C:\Documents and Settings\Ricky\Application Data\Sun\Java\Deployment\cache\6.0\12\3c8e0c-39247ecf/yandex/xmlparser.class High
1/24/2012 4:28:49 PM Disinfected Trojan program Trojan-Downloader.Java.OpenConnection.cp C:\Documents and Settings\Ricky\Application Data\Sun\Java\Deployment\cache\6.0\15\11eb9a0f-6204c90d High
1/24/2012 4:28:49 PM Disinfected Trojan program Trojan.Java.Agent.al C:\Documents and Settings\Ricky\Application Data\Sun\Java\Deployment\cache\6.0\15\11eb9a0f-6204c90d/bpac/remark.class High
1/24/2012 4:28:49 PM Disinfected Trojan program Trojan-Downloader.Java.OpenConnection.cp C:\Documents and Settings\Ricky\Application Data\Sun\Java\Deployment\cache\6.0\15\11eb9a0f-6204c90d/yandex/xmlparser.class High
1/24/2012 4:40:50 PM Disinfected Trojan program Trojan-Downloader.Java.OpenConnection.cs C:\Documents and Settings\Ricky\Application Data\Sun\Java\Deployment\cache\6.0\20\3a4595d4-132191e3 High
1/24/2012 4:40:50 PM Disinfected Trojan program Trojan-Downloader.Java.OpenConnection.cs C:\Documents and Settings\Ricky\Application Data\Sun\Java\Deployment\cache\6.0\20\3a4595d4-132191e3/yandex/xmlparser.class High
1/24/2012 4:40:58 PM Disinfected Trojan program Trojan-Downloader.Java.OpenConnection.eg C:\Documents and Settings\Ricky\Application Data\Sun\Java\Deployment\cache\6.0\22\1bb557d6-5a1f08a4 High
1/24/2012 4:40:58 PM Disinfected Trojan program Trojan-Downloader.Java.OpenConnection.ei C:\Documents and Settings\Ricky\Application Data\Sun\Java\Deployment\cache\6.0\22\1bb557d6-5a1f08a4/google/mongo.class High
1/24/2012 4:40:50 PM Disinfected Trojan program Trojan-Downloader.Java.Agent.js C:\Documents and Settings\Ricky\Application Data\Sun\Java\Deployment\cache\6.0\22\33889816-25b5d7f1 High
1/24/2012 4:40:50 PM Disinfected Trojan program Trojan-Downloader.Java.Agent.js C:\Documents and Settings\Ricky\Application Data\Sun\Java\Deployment\cache\6.0\22\33889816-25b5d7f1/mordor/saruman.class High
1/24/2012 4:40:58 PM Disinfected Trojan program Trojan-Downloader.Java.OpenConnection.eg C:\Documents and Settings\Ricky\Application Data\Sun\Java\Deployment\cache\6.0\22\1bb557d6-5a1f08a4/google/stomp.class High
1/24/2012 4:41:10 PM Disinfected Trojan program Trojan-Downloader.Java.OpenConnection.dd C:\Documents and Settings\Ricky\Application Data\Sun\Java\Deployment\cache\6.0\26\25335b9a-16e9dd20 High
1/24/2012 4:41:10 PM Disinfected Trojan program Trojan.Java.Agent.ak C:\Documents and Settings\Ricky\Application Data\Sun\Java\Deployment\cache\6.0\26\25335b9a-16e9dd20/chrome/Unicode.class High
1/24/2012 4:41:10 PM Disinfected Trojan program Trojan-Downloader.Java.OpenConnection.dd C:\Documents and Settings\Ricky\Application Data\Sun\Java\Deployment\cache\6.0\26\25335b9a-16e9dd20/direct/bear.class High
1/24/2012 4:42:36 PM Disinfected Trojan program Exploit.Java.Agent.bu C:\Documents and Settings\Ricky\Application Data\Sun\Java\Deployment\cache\6.0\35\41e8aee3-64650e80 High
1/24/2012 4:42:36 PM Disinfected Trojan program Exploit.Java.Agent.bu C:\Documents and Settings\Ricky\Application Data\Sun\Java\Deployment\cache\6.0\35\41e8aee3-64650e80/vmain.class High
1/24/2012 4:42:44 PM Disinfected Trojan program Trojan-Downloader.Java.OpenConnection.dd C:\Documents and Settings\Ricky\Application Data\Sun\Java\Deployment\cache\6.0\36\35c67e64-68cc2e12 High
1/24/2012 4:42:44 PM Disinfected Trojan program Trojan.Java.Agent.ak C:\Documents and Settings\Ricky\Application Data\Sun\Java\Deployment\cache\6.0\36\35c67e64-68cc2e12/chrome/Unicode.class High
1/24/2012 4:42:44 PM Disinfected Trojan program Trojan-Downloader.Java.OpenConnection.dd C:\Documents and Settings\Ricky\Application Data\Sun\Java\Deployment\cache\6.0\36\35c67e64-68cc2e12/direct/bear.class High
1/24/2012 4:47:13 PM Disinfected Trojan program Exploit.Java.Agent.bu C:\Documents and Settings\Ricky\Application Data\Sun\Java\Deployment\cache\6.0\48\4084a7b0-58a82450 High
1/24/2012 4:47:13 PM Disinfected Trojan program Exploit.Java.Agent.bu C:\Documents and Settings\Ricky\Application Data\Sun\Java\Deployment\cache\6.0\48\4084a7b0-58a82450/________vload.class High
1/24/2012 4:47:13 PM Disinfected Trojan program Exploit.Java.Agent.bu C:\Documents and Settings\Ricky\Application Data\Sun\Java\Deployment\cache\6.0\48\4084a7b0-58a82450/vmain.class High
1/24/2012 5:35:30 PM Disinfected Trojan program Trojan.Win32.Patched.mf C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe High
1/24/2012 5:41:51 PM Disinfected Trojan program Trojan.Win32.Patched.mf C:\Qoobox\Quarantine\C\Program Files\Application Updater\ApplicationUpdater.exe.vir High
1/24/2012 5:41:51 PM Disinfected Trojan program Trojan.Win32.Patched.mf C:\Qoobox\Quarantine\C\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe.vir High
1/24/2012 5:41:49 PM Disinfected Trojan program Trojan.Win32.Patched.mf C:\Qoobox\Quarantine\C\Program Files\Java\jre6\bin\jqs.exe.vir High
1/24/2012 5:42:01 PM Disinfected Trojan program Trojan.Win32.Patched.mf C:\Qoobox\Quarantine\C\Program Files\Viewpoint\Common\ViewpointService.exe.vir High
1/24/2012 5:42:08 PM Disinfected Trojan program Trojan.Win32.Patched.mf C:\Qoobox\Quarantine\C\WINDOWS\system32\msiexec.exe.vir High
1/24/2012 5:42:53 PM Disinfected Trojan program Trojan.Win32.Patched.mf C:\Qoobox\Quarantine\C\WINDOWS\system32\wuauclt.exe.vir High
1/24/2012 6:56:29 PM Disinfected Trojan program Trojan.Win32.Patched.mf C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0201369.exe High
1/24/2012 6:56:22 PM Disinfected Trojan program Trojan.Win32.Patched.mf C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0201370.exe High
1/24/2012 6:56:35 PM Disinfected Trojan program Trojan.Win32.Patched.mf C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0201371.exe High
1/24/2012 6:56:37 PM Disinfected Trojan program Trojan.Win32.Patched.mf C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0201372.exe High
1/24/2012 6:56:36 PM Disinfected Trojan program Trojan.Win32.Patched.mf C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1602\A0201373.exe High
1/24/2012 7:04:37 PM Disinfected Trojan program Trojan.Win32.Patched.mf C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1604\A0202463.exe High
1/24/2012 7:09:36 PM Disinfected Trojan program Trojan.Win32.Patched.mf C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1604\A0202582.exe High
Status: Quarantined (events: 3)
1/24/2012 3:37:29 PM Quarantined virus HEUR:Exploit.Script.Generic C:\Documents and Settings\Mary Kay\Local Settings\Application Data\Mozilla\Firefox\Profiles\ka9birrs.default\Cache\15CCB01Ad01 High
1/24/2012 3:37:29 PM Quarantined virus HEUR:Exploit.Script.Generic C:\Documents and Settings\Mary Kay\Local Settings\Application Data\Mozilla\Firefox\Profiles\ka9birrs.default\Cache\15CCB01Ad01//data0000 High
1/24/2012 3:37:28 PM Quarantined virus HEUR:Trojan.Win32.Generic C:\Documents and Settings\Mary Kay\Local Settings\Temp\0.016089250759739326.exe High
Status: Detected (events: 2)
1/24/2012 3:37:42 PM Detected Trojan program Packed.Win32.TDSS.aa C:\Documents and Settings\Mary Kay\Local Settings\Temp\n.exn High
1/24/2012 3:40:30 PM Detected Trojan program Packed.Win32.TDSS.aa C:\Documents and Settings\Mary Kay\Local Settings\Temporary Internet Files\Content.IE5\J3PO94LM\load[1].php High

Attached Files

AVP log.txt 34.55KB 186 downloads

Edited by LArnett, 25 January 2012 - 06:49 PM.

#28
LArnett

Posted 25 January 2012 - 07:03 PM

Member

Topic Starter
Member
41 posts

Here's the AVPtool zip file

Attached Files

avptool_sysinfo.zip 18.31KB 92 downloads

#29
Essexboy

Posted 26 January 2012 - 12:31 PM

GeekU Moderator

Retired Staff
69,964 posts

OK just one more piece to kill. The reason I asked about the AV is there is no indication of one on your system

How is the computer running now

Re-run AVPTool
Select the Manual Disinfection tab and press Script execution

Where it states Insert text script in the following box copy the below script and press Run script
Copy from Begin until End

Posted Image

begin
SetAVZPMStatus(True);
SetAVZGuardStatus(True);
SearchRootkit(true, true);
 DeleteFile('C:\DOCUME~1\MARYKA~1\LOCALS~1\Temp\33F1.tmp');
 BC_DeleteFile('C:\DOCUME~1\MARYKA~1\LOCALS~1\Temp\33F1.tmp');
BC_ImportDeletedList;
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end..

Your system will reboot on completion, if it does not please do so yourself
On completion please run another analysis scan and attach the zip file

#30
LArnett

Posted 26 January 2012 - 05:01 PM

Member

Topic Starter
Member
41 posts

I was going to put AVG on their computer. If you have something better, by all means, please recommend it. I've been using a flash drive to go between their computer and mine.

Here's the zipfile from the AV scan after running the script and restarting.