  1. #1
    Member
    Join Date
    Jun 2004
    Posts
    63
    Points
    1

    Malware Sirefef.GG, GL, FY, GK, GY and firewall turned off

    I run CA antivirus/antispyware; on 8/1 it found sirefef (many varieties). It just kept finding and quarantining. I ran MWB (1st log attached) and it ran for a week or so. Then sirefef GG started popping up. The computer slowed to a crawl and I can't turn the firewall back on. I had to run other scans in safe mode and post this on another computer.

    Firewall message: Due to unidentified problem windows cannot display windows firewall settings.

    Logs are attached, 2 logs for malwarebytes.

    Thanks for your help!

  2. #2
    Member Spyware Fighter zep516
    Join Date
    Dec 2005
    Location
    Pittsburgh, Pa
    Posts
    7,158
    Points
    1301


    Hi ntnab,

    I'm going to post your logs in the forum; it's a lot easier for us. Next I'll give you a few more scans to run for our expert. I'm more of a first responder and currently in training, so I'm limited in what I can do here. Let's get you started though.

    SUPERAntiSpyware log

    SUPERAntiSpyware Scan Log
    SUPERAntiSpyware.com | Remove Malware | Remove Spyware - AntiMalware, AntiSpyware, AntiAdware!

    Generated 08/10/2012 at 11:14 PM

    Application Version : 5.5.1012

    Core Rules Database Version : 9044
    Trace Rules Database Version: 6856

    Scan type : Complete Scan
    Total Scan Time : 01:53:35

    Operating System Information
    Windows XP Professional 32-bit, Service Pack 3 (Build 5.01.2600)
    Administrator

    Memory items scanned : 292
    Memory threats detected : 0
    Registry items scanned : 34893
    Registry threats detected : 0
    File items scanned : 80435
    File threats detected : 29

    Adware.Tracking Cookie
    C:\Documents and Settings\Administrator\Cookies\OKISEZ4L.txt [ /doubleclick.net ]
    C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\ZWM2TCSW.txt [ Cookie:system@ru4.com/ ]
    C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\TRJOSRU4.txt [ Cookie:system@ads.gamersmedia.com/ ]
    C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\9IM4T5TU.txt [ Cookie:system@fastclick.net/ ]
    C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\NAR7ZXNW.txt [ Cookie:system@myroitracking.com/ ]
    C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\S9AMLATV.txt [ Cookie:system@media6degrees.com/ ]
    C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\5VFMDWMN.txt [ Cookie:system@rotator.hadj1.adjuggler.net/ ]
    C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\UL5UWXT4.txt [ Cookie:system@revsci.net/ ]
    C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\7Z9M663L.txt [ Cookie:system@atdmt.com/ ]
    C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\CNG00DG3.txt [ Cookie:system@lucidmedia.com/ ]
    C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\W0HQ82J5.txt [ Cookie:system@adnetwork.net/ ]
    C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\S4M618Q4.txt [ Cookie:system@ads.greenmediaink.com/ ]
    C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\8HUBWLGY.txt [ Cookie:system@rotator.hadj7.adjuggler.net/ ]
    C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\0HD1IX07.txt [ Cookie:system@histats.com/stats/ ]
    C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\01ZZLQMQ.txt [ Cookie:system@burstnet.com/ ]
    C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\U7SF04EW.txt [ Cookie:system@openx.overadmedia.com/ ]
    C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\5Q2ZUAVA.txt [ Cookie:system@casalemedia.com/ ]
    C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\PSXTJY00.txt [ Cookie:system@adserver.adtechus.com/ ]
    C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\KIDMBZ7F.txt [ Cookie:system@statcounter.com/ ]
    C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\2QC99902.txt [ Cookie:system@s3.mediaadserver.com/ ]
    C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\2GDZFBU0.txt [ Cookie:system@xml.trafficengine.net/ ]
    C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\Y4KGI5J7.txt [ Cookie:system@clicksor.com/ ]
    C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\U7WK813O.txt [ Cookie:system@histats.com/ ]
    C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\P8Y7PQTX.txt [ Cookie:system@mm.chitika.net/ ]
    C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\LQ530J6T.txt [ Cookie:system@advertising.com/ ]
    C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\FVA9DWXU.txt [ Cookie:system@clickbooth.com/ ]
    C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\Cookies\GT3900B2.txt [ Cookie:system@findology.com/ ]

    Trojan.Agent/Gen-Cryptic
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP3319\A0091185.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP3319\A0091186.EXE

    HijackThis log

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 9:14:35 PM, on 8/10/2012
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Safe mode with network support

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
    C:\WINDOWS\system32\ctfmon.exe
    G:\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
    O1 - Hosts: 17.250.248.77 idisk0.mac.com idisk1.mac.com idisk2.mac.com idisk3.mac.com idisk4.mac.com idisk5.mac.com idisk6.mac.com idisk7.mac.com idisk8.mac.com idisk9.mac.com idisk10.mac.com idisk11.mac.com idisk12.mac.com idisk13.mac.com idisk14.mac.com idisk15.mac.com idisk16.mac.com idisk17.mac.com idisk18.mac.com idisk19.mac.com idisk20.mac.com idisk21.mac.com idisk22.mac.com idisk23.mac.com idisk24.mac.com idisk25.mac.com
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\eTrust Internet Security Suite\casc.exe"
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
    O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
    O4 - HKLM\..\Run: [VetStart] "C:\Program Files\CA\eTrust Internet Security Suite\CA Anti-Virus\vetmsg.exe" -r
    O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
    O4 - HKLM\..\Run: [CanonSolutionMenuEx] C:\Program Files\Canon\Solution Menu EX\CNSEMAIN.EXE /logon
    O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: ppctlcab - http://www.my-etrust.com/includes/pscanner/ppctlcab.CAB
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
    O16 - DPF: {2DEF4530-8CE6-41C9-84B6-A54536C90213} (Crystal Report Viewer Control 9) - https://www.libertytax.net/crystalre...ivexviewer.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.my-etrust.com/includes/ps.../axscanner.cab
    O16 - DPF: {41289E02-198A-4034-8CF9-5A8739A80D0D} (ReportPromptInfoDlg Class) - https://www.libertytax.net/crystalre...eterdialog.cab
    O16 - DPF: {4B5C9C28-3806-47B5-89A9-93063323160F} (ReportExport Class) - https://www.libertytax.net/crystalre...ivexviewer.cab
    O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.hp.com/ediags/dd/...osticsxp2k.cab
    O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...Uploader55.cab
    O16 - DPF: {934CC260-C5AA-43C4-A657-7B70C5B3DAE1} (Crystal Report Web Report Source Control 9) - https://www.libertytax.net/crystalre...ivexviewer.cab
    O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://echat.us.dell.com/Media/Visi.../TLIEFlash.CAB
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/ge...sh/swflash.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://libertytax.webex.com/client/...ex/ieatgpc.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents...r/imloader.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    O20 - Winlogon Notify: powstak - C:\Documents and Settings\Tami\Local Settings\Application Data\powstak.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
    O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: CAAMSvc - CA - C:\Program Files\CA\eTrust Internet Security Suite\CA Anti-Virus Plus\caamsvc.exe
    O23 - Service: CaCCProvSP - Unknown owner - C:\Program Files\CA\eTrust Internet Security Suite\ccprovsp.exe
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\CA Anti-Virus Plus\isafe.exe
    O23 - Service: CA Common Scheduler Service (ccSchedulerSVC) - Unknown owner - C:\Program Files\CA\eTrust Internet Security Suite\ccschedulersvc.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Canon Inkjet Printer/Scanner/Fax Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: TM Engine (UmxEngine) - CA - C:\Program Files\CA\SharedComponents\TMEngine\UmxEngine.exe

    --
    End of file - 11064 bytes

    Malwarebytes log 8 / 2

    Malwarebytes Anti-Malware 1.62.0.1300
    Malwarebytes : Free anti-malware download

    Database version: v2012.08.02.07

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    Tami :: DELL_4550 [administrator]

    8/2/2012 12:36:42 PM
    mbam-log-2012-08-02 (12-36-42).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 296238
    Time elapsed: 23 minute(s), 35 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 1
    C:\Documents and Settings\Tami\Application Data\inecs.dll (Trojan.Midhos) -> Delete on reboot.

    Registry Keys Detected: 2
    HKCU\SOFTWARE\Spruce (Adware.Spruce) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32 (Trojan.Zaccess) -> Quarantined and deleted successfully.

    Registry Values Detected: 2
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|inecs (Trojan.Midhos) -> Data: rundll32.exe "C:\Documents and Settings\Tami\Application Data\inecs.dll",CreateQuery -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32| (Trojan.Zaccess) -> Data: C:\Documents and Settings\Tami\Local Settings\Application Data\{12c703f5-fb09-c365-6670-fde1d8b36adf}\n. -> Quarantined and deleted successfully.

    Registry Data Items Detected: 1
    HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|Load (Trojan.Cridex) -> Bad: (C:\DOCUME~1\Tami\LOCALS~1\Temp\{43322~1.EXE) Good: () -> Quarantined and repaired successfully.

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 5
    C:\Documents and Settings\Tami\Application Data\inecs.dll (Trojan.Midhos) -> Delete on reboot.
    C:\Documents and Settings\Tami\Local Settings\Temp\{43322211-0099-8887-6665-544333221110}.exe (Trojan.Cridex) -> Delete on reboot.
    C:\Documents and Settings\Tami\Local Settings\Temp\weaconrmxs.exe (Backdoor.IRCBot) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Tami\Local Settings\Temp\{22211100-9988-7764-3322-110009998877}.exe (Trojan.Cridex) -> Quarantined and deleted successfully.
    C:\WINDOWS\assembly\GAC\Desktop.ini (Trojan.0access) -> Delete on reboot.

    (end)

    Malwarebytes log 8/10

    Malwarebytes Anti-Malware 1.62.0.1300
    Malwarebytes : Free anti-malware download

    Database version: v2012.08.09.08

    Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking)
    Internet Explorer 8.0.6001.18702
    Tami :: DELL_4550 [administrator]

    8/10/2012 7:44:13 PM
    mbam-log-2012-08-10 (19-44-13).txt

    Scan type: Full scan (C:\|)
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 438116
    Time elapsed: 1 hour(s), 4 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 1
    HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32 (Trojan.Zaccess) -> Quarantined and deleted successfully.

    Registry Values Detected: 2
    HKCU\SOFTWARE\CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32| (Trojan.Zaccess) -> Data: C:\Documents and Settings\Tami\Local Settings\Application Data\{12c703f5-fb09-c365-6670-fde1d8b36adf}\n. -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|RegistryWm (Trojan.Agent) -> Data: C:\Documents and Settings\Tami\Application Data\qtwm.exe -> Quarantined and deleted successfully.

    Registry Data Items Detected: 1
    HKCR\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32| (Trojan.Zaccess) -> Bad: (\\.\globalroot\systemroot\Installer\{12c703f5-fb09-c365-6670-fde1d8b36adf}\n.) Good: (wbemess.dll) -> Quarantined and repaired successfully.

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 5
    C:\Documents and Settings\Tami\Local Settings\Application Data\{12c703f5-fb09-c365-6670-fde1d8b36adf}\n (RootKit.0Access) -> Delete on reboot.
    C:\Documents and Settings\Tami\Local Settings\Application Data\{12c703f5-fb09-c365-6670-fde1d8b36adf}\U\800000cb.@ (Rootkit.0Access) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP3319\A0091187.exe (Trojan.Dropper.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\Installer\{12c703f5-fb09-c365-6670-fde1d8b36adf}\n (RootKit.0Access) -> Delete on reboot.
    C:\WINDOWS\Installer\{12c703f5-fb09-c365-6670-fde1d8b36adf}\U\800000cb.@ (Rootkit.0Access) -> Quarantined and deleted successfully.

    (end)

    Joe
    Last edited by zep516; 08-11-2012 at 09:38 AM.
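As an added illustration, not part of this thread and not code from HijackThis, Malwarebytes or any other tool named here, the following Python script shows the kind of first-pass triage an analyst does on a HijackThis log by hand: it flags autostart entries that load from a per-user profile directory or a Temp folder, Winlogon Notify handlers loaded from outside the Windows and Program Files trees, and orphaned entries marked (no file). The sample lines are constructed for the example; four copy the shape of lines in the log above (the powstak.dll Winlogon Notify entry is the one that stands out there), and the [inecs] line is an assumption about how the Run value reported by Malwarebytes would have appeared in HijackThis. The path heuristics and the reason labels are this example's own.

```python
import re

# Constructed sample input in HijackThis line format. Four lines follow the shape of
# the log posted above; the [inecs] line is reconstructed from the Malwarebytes
# detection (an assumption about how that Run value would have looked in HijackThis).
SAMPLE_LINES = [
    r'O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\eTrust Internet Security Suite\casc.exe"',
    r'O4 - HKLM\..\Run: [inecs] rundll32.exe "C:\Documents and Settings\Tami\Application Data\inecs.dll",CreateQuery',
    r'O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL',
    r'O20 - Winlogon Notify: powstak - C:\Documents and Settings\Tami\Local Settings\Application Data\powstak.dll',
    r'O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE',
    r'O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)',
]

SECTION_RE = re.compile(r'^([RO]\d+) - (.*)$')
# First drive-letter path ending in an executable-type extension; the non-greedy body
# stops before closing quotes, ",EntryPoint" suffixes and command-line switches.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\n]*?\.(?:exe|dll|sys))', re.IGNORECASE)

# Directories from which Winlogon Notify handlers are normally loaded on Windows XP
# (heuristic chosen for this example).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")


def parse_line(line):
    """Split a HijackThis line into (section, remainder, first_path_or_None)."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.groups()
    pm = PATH_RE.search(rest)
    return section, rest, (pm.group(1) if pm else None)


def assess(line):
    """Return (section, path, reasons); an empty reasons list means nothing stood out."""
    parsed = parse_line(line)
    if parsed is None:
        return None
    section, rest, path = parsed
    reasons = []
    if "(no file)" in rest:
        reasons.append("orphaned-entry")          # registry points at a file that is gone
    if path:
        low = path.lower()
        if "\\documents and settings\\" in low:
            reasons.append("user-profile-path")   # autostart from a user-writable profile dir
        if "\\temp\\" in low:
            reasons.append("temp-path")           # autostart from a Temp folder
        if section == "O20" and not low.startswith(TRUSTED_PREFIXES):
            reasons.append("winlogon-notify-outside-system-dirs")
    return section, path, reasons


def triage(lines):
    """Keep only the lines that raised at least one reason, in log order."""
    findings = []
    for line in lines:
        result = assess(line)
        if result is not None and result[2]:
            findings.append(result)
    return findings


if __name__ == "__main__":
    for section, path, reasons in triage(SAMPLE_LINES):
        print(f"{section:<4} {', '.join(reasons):<45} {path}")
```

The output is a review list, not a verdict: legitimate entries can also live under Documents and Settings (the Malwarebytes cleanup RunOnce under All Users\Application Data in the log above would be listed too), so each flagged path still has to be checked against what the machine is known to run. Extending the heuristics to the other sections in the log (O23 services with an unknown owner, O16 download paths) follows the same pattern of one `reasons.append` per observation.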

  3. #3
    Member Spyware Fighter zep516
    Join Date
    Dec 2005
    Location
    Pittsburgh, Pa
    Posts
    7,158
    Points
    1301


    Here are the additional scans I mentioned.

    We need to see some information about what is happening in your machine. Please perform the following scan:
    • Download DDS by sUBs from one of the following links. Save it to your desktop.
    • Double click on the DDS icon, allow it to run.
    • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
    • Notepad will open with the results.
    • Follow the instructions that pop up for posting the results.
    • Close the program window, and delete the program from your desktop.
    Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

    Information on A/V control HERE

    NEXT

    Download Security Check by screen317 from http://screen317.spywareinfoforum.org/SecurityCheck.exe or http://screen317.spywareinfoforum.org/
    Save it to your Desktop.
    Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    NEXT
    Please download aswMBR ( 511KB ) to your desktop.
    • Double click the aswMBR.exe icon to run it
    • Click the Scan button to start the scan
    • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.


    Joe

  4. #4
    Member
    Join Date
    Jun 2004
    Posts
    63
    Points
    1


    DDS log:
    .
    DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
    Run by Administrator at 10:39:12 on 2012-08-11
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.746 [GMT -5:00]
    .
    AV: Total Defense Anti-Virus Plus *Enabled/Updated* {6B98D35F-BB76-41C0-876B-A50645ED099A}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.dellnet.com
    uDefault_Page_URL = hxxp://www.dellnet.com
    uInternet Settings,ProxyOverride = hxxp://localhost;
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [DVDSentry] c:\windows\system32\DSentry.exe
    mRun: [MMTray] c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe
    mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"
    mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
    mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
    mRun: [nwiz] nwiz.exe /install
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [cctray] "c:\program files\ca\etrust internet security suite\casc.exe"
    mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
    mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4.0\OpwareSE4.exe"
    mRun: [WrtMon.exe] c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe
    mRun: [VetStart] "c:\program files\ca\etrust internet security suite\ca anti-virus\vetmsg.exe" -r
    mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
    mRun: [CanonSolutionMenuEx] c:\program files\canon\solution menu ex\CNSEMAIN.EXE /logon
    mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "c:\documents and settings\all users\application data\malwarebytes\malwarebytes' anti-malware\cleanup.dll",ProcessCleanupScript
    dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    LSP: c:\windows\system32\VetRedir.dll
    LSP: mswsock.dll
    DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: ppctlcab - hxxp://www.my-etrust.com/includes/pscanner/ppctlcab.CAB
    DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
    DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} - hxxp://download.mcafee.com/molbin/Shared/MGBrwFld.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/0/5/7/05796dde-b2ba-4eef-8da4-f99c7e0c9b92/LegitCheckControl.cab
    DPF: {2DEF4530-8CE6-41C9-84B6-A54536C90213} - hxxps://www.libertytax.net/crystalreportviewers/activeXViewer/activexviewer.cab
    DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} - hxxp://www.my-etrust.com/includes/pscanner/axscanner.cab
    DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
    DPF: {41289E02-198A-4034-8CF9-5A8739A80D0D} - hxxps://www.libertytax.net/crystalreportviewers/activeXViewer/reportparameterdialog.cab
    DPF: {4B5C9C28-3806-47B5-89A9-93063323160F} - hxxps://www.libertytax.net/crystalreportviewers/activeXViewer/activexviewer.cab
    DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {934CC260-C5AA-43C4-A657-7B70C5B3DAE1} - hxxps://www.libertytax.net/crystalreportviewers/activeXViewer/activexviewer.cab
    DPF: {94B82441-A413-4E43-8422-D49930E69764} - hxxps://echat.us.dell.com/Media/VisitorChatENU/TLIEFlash.CAB
    DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37797.4130787037
    DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
    DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
    DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
    DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://zone.msn.com/bingame/popcaploader_v10.cab
    DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://libertytax.webex.com/client/T25L/webex/ieatgpc.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} - hxxp://www2.incredimail.com/contents/setup/downloader/imloader.cab
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
    Notify: powstak - c:\documents and settings\tami\local settings\application data\powstak.dll
    SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    Hosts: 17.250.248.77 idisk0.mac.com idisk1.mac.com idisk2.mac.com idisk3.mac.com idisk4.mac.com idisk5.mac.com idisk6.mac.com idisk7.mac.com idisk8.mac.com idisk9.mac.com idisk10.mac.com idisk11.mac.com idisk12.mac.com idisk13.mac.com idisk14.mac.com idisk15.mac.com idisk16.mac.com idisk17.mac.com idisk18.mac.com idisk19.mac.com idisk20.mac.com idisk21.mac.com idisk22.mac.com idisk23.mac.com idisk24.mac.com idisk25.mac.com
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath -
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 KmxAMRT;KmxAMRT;c:\windows\system32\drivers\KmxAMRT.sys [2011-10-27 170064]
    R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
    S0 apfk;apfk;c:\windows\system32\drivers\kchlgcq.sys --> c:\windows\system32\drivers\kchlgcq.sys [?]
    S0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [2011-9-6 123984]
    S1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [2011-10-26 83536]
    S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
    S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
    S2 CAAMSvc;CAAMSvc;c:\program files\ca\etrust internet security suite\ca anti-virus plus\CAAMSvc.exe [2010-10-28 206152]
    S2 CAISafe;CAISafe;c:\program files\ca\etrust internet security suite\ca anti-virus plus\isafe.exe [2010-7-2 222544]
    S2 ccSchedulerSVC;CA Common Scheduler Service;c:\program files\ca\etrust internet security suite\ccschedulersvc.exe [2009-7-30 207920]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-11 135664]
    S2 mrtRate;mrtRate;c:\windows\system32\drivers\MrtRate.sys [2003-4-3 34916]
    S2 UmxEngine;TM Engine;c:\program files\ca\sharedcomponents\tmengine\UmxEngine.exe [2011-4-4 662096]
    S3 bDMusicb;bDMusicb;\??\c:\docume~1\tami\locals~1\temp\bdmusicb.sys --> c:\docume~1\tami\locals~1\temp\bDMusicb.sys [?]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-11 135664]
    S3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [2011-9-6 331344]
    S3 NAT;WinProxy Firewall;c:\progra~1\ositis~1\winpro~1.0\NAT.sys [2003-4-8 430644]
    S3 NPF;WinPcap Packet Driver (NPF);c:\windows\system32\drivers\npf.sys [2012-8-9 50704]
    .
    =============== Created Last 30 ================
    .
    2012-08-11 02:18:14 -------- d-----w- c:\documents and settings\administrator\application data\SUPERAntiSpyware.com
    2012-08-11 02:16:03 -------- d-----w- c:\documents and settings\administrator\application data\Malwarebytes
    2012-08-11 01:57:38 -------- d-sh--w- c:\documents and settings\administrator\PrivacIE
    2012-08-11 01:56:57 -------- d-sh--w- c:\documents and settings\administrator\IETldCache
    2012-08-10 23:02:02 -------- d-----w- c:\program files\SUPERAntiSpyware
    2012-08-10 23:02:02 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
    2012-08-10 19:08:52 102400 ----a-w- c:\windows\RegBootClean.exe
    2012-08-10 18:33:16 256904 ----a-w- c:\windows\system32\drivers\tmcomm.sys
    2012-08-09 18:27:23 50704 ----a-w- c:\windows\system32\drivers\npf.sys
    2012-08-09 18:27:23 281104 ----a-w- c:\windows\system32\wpcap.dll
    2012-08-09 18:27:23 100880 ----a-w- c:\windows\system32\Packet.dll
    2012-08-02 18:34:15 -------- d-----w- c:\program files\SpywareBlaster
    2012-08-02 17:10:18 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-08-02 17:10:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-07-31 19:13:28 -------- d-----w- c:\windows\system32\LogFiles
    2012-07-31 06:42:42 6891424 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{d2d8d682-d9be-4603-8d41-4b71e15f10d1}\mpengine.dll
    .
    ==================== Find3M ====================
    .
    2012-06-13 13:19:59 1866112 ----a-w- c:\windows\system32\win32k.sys
    2012-06-05 15:50:25 1372672 ------w- c:\windows\system32\msxml6.dll
    2012-06-05 15:50:25 1172480 ----a-w- c:\windows\system32\msxml3.dll
    2012-06-04 04:32:08 152576 ----a-w- c:\windows\system32\schannel.dll
    2012-06-02 20:19:44 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
    2012-06-02 20:19:38 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
    2012-06-02 20:19:38 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
    2012-06-02 20:19:34 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
    2012-06-02 20:19:30 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
    2012-06-02 20:18:58 275696 ----a-w- c:\windows\system32\mucltui.dll
    2012-06-02 20:18:58 214256 ----a-w- c:\windows\system32\muweb.dll
    2012-06-02 20:18:58 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
    2012-05-31 17:25:14 237072 ------w- c:\windows\system32\MpSigStub.exe
    2012-05-31 13:22:09 599040 ----a-w- c:\windows\system32\crypt32.dll
    2012-05-16 15:08:26 916992 ----a-w- c:\windows\system32\wininet.dll
    .
    ============= FINISH: 10:40:37.45 ===============
    security ck
    Results of screen317's Security Check version 0.99.43
    Windows XP Service Pack 3 x86
    Internet Explorer 8
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Security Center service is not running! This report may not be accurate!
    Please wait while WMIC compiles updated MOF files.
    displayName
    ECHO is off.
    Total
    ECHO is off.
    Defense
    ECHO is off.
    AntiVirus
    ECHO is off.
    Plus
    ECHO is off.
    Antivirus up to date!
    `````````Anti-malware/Other Utilities Check:`````````
    SUPERAntiSpyware
    Windows Defender
    Windows Defender Signatures
    Malwarebytes Anti-Malware version 1.62.0.1300
    Java(TM) 6 Update 26
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java(TM) 6 Update 7
    Java version out of Date!
    Adobe Flash Player 10 Flash Player out of Date!
    Adobe Flash Player 10.0.12.36 Flash Player out of Date!
    Adobe Reader 8 Adobe Reader out of Date!
    Mozilla Firefox (3.0.19) Firefox out of Date!
    Google Chrome 21.0.1180.60
    Google Chrome 21.0.1180.75
    Google Chrome VisualElementsManifest.xml..
    ````````Process Check: objlist.exe by Laurent````````
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C:: 1%
    ````````````````````End of Log``````````````````````
    aswmbr
    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-08-11 10:47:37
    -----------------------------
    10:47:37.921 OS Version: Windows 5.1.2600 Service Pack 3
    10:47:37.921 Number of processors: 1 586 0x207
    10:47:37.921 ComputerName: DELL_4550 UserName:
    10:47:38.421 Initialize success
    10:51:08.625 AVAST engine defs: 12081100
    10:51:27.203 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
    10:51:27.218 Disk 0 Vendor: WDC_WD600BB-75CAA0 16.06V16 Size: 57220MB BusType: 3
    10:51:27.234 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T1L0-c
    10:51:27.250 Disk 1 Vendor: IOMEGA_ZIP_250 42.S Size: 57220MB BusType: 2
    10:51:27.281 Disk 0 MBR read successfully
    10:51:27.296 Disk 0 MBR scan
    10:51:27.328 Disk 0 Windows XP default MBR code
    10:51:27.343 Disk 0 Partition 1 00 DE Dell Utility Dell 4.1 39 MB offset 63
    10:51:27.375 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 57176 MB offset 80325
    10:51:27.390 Disk 0 scanning sectors +117178110
    10:51:27.500 Disk 0 scanning C:\WINDOWS\system32\drivers
    10:51:43.656 Service scanning
    10:52:13.781 Modules scanning
    10:52:20.375 Module: C:\WINDOWS\System32\drivers\dxgthk.sys **SUSPICIOUS**
    10:52:21.453 Module: C:\WINDOWS\SYSTEM32\ntdll.dll **SUSPICIOUS**
    10:52:21.546 Disk 0 trace - called modules:
    10:52:21.687 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
    10:52:21.781 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86f64ab8]
    10:52:21.890 3 CLASSPNP.SYS[f74fffd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-4[0x86f66b00]
    10:52:22.312 AVAST engine scan C:\WINDOWS
    10:52:48.875 AVAST engine scan C:\WINDOWS\system32
    10:56:16.328 AVAST engine scan C:\WINDOWS\system32\drivers
    10:56:39.171 AVAST engine scan C:\Documents and Settings\Administrator
    10:56:53.781 AVAST engine scan C:\Documents and Settings\All Users
    10:59:11.359 Scan finished successfully
    10:59:31.312 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"
    10:59:31.343 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR.txt"

  5. #5
    Member Spyware Fighter zep516's Avatar
    Join Date
    Dec 2005
    Location
    Pittsburgh, Pa
    Posts
    7,158
    Points
    1301

    Default

    Thanks for the logs. Can you try 1 more scan? Then we should have everything we need for our expert.

    Download GMER Rootkit Scanner from here to your desktop. It will be a randomly named executable.
    • Double click the exe file.
    • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.
    • In the right panel, you will see several boxes that have been checked. Ensure the following are unchecked
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish.
    • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
    • Save it where you can easily find it, such as your desktop, and attach it in reply.


    **Caution**
    Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


    NOTE: It is not unusual for GMER to glitch and not scan. Just tell me.

  6. #6
    Member
    Join Date
    Jun 2004
    Posts
    63
    Points
    1

    Default

    The GMER scan finally finished; it took almost 8 hours! I am still running these in safe mode, and for the life of me I can't get to the button below Scan that probably says Save!!! I have tried every trick I know. If someone can clue me in on how to move the rest of the screen up so I can get to it, I will post the log.

  7. #7
    Member Spyware Fighter zep516's Avatar
    Join Date
    Dec 2005
    Location
    Pittsburgh, Pa
    Posts
    7,158
    Points
    1301

    Default

    Shoot! That has to be an awful feeling after waiting all day. I trust you used every trick you know. I'm sorry; we will wait for the expert now. Hopefully he is along shortly.

    Joe

  8. #8
    Member Spyware Fighter DonnaB's Avatar
    Join Date
    Apr 2009
    Location
    Illiana, Ill. USA
    Posts
    3,521
    Points
    563

    Default

    I can't get to the button below scan that probably says save!!! I have tried every trick I know.
    Hi ntnab,

    Please pardon the interruption. See if you can change the screen resolution. If you're not sure how to do that see link below:

    To change your screen resolution

    If you think you might be infected with malware or have recently cleansed your computer of malware without the help of an expert, please read and follow the instructions in How to Start Removing Viruses and Spyware from your Computer. This can reduce the time consumed in troubleshooting your current computer problems.

    If your problem is solved, here's how to say thanks!

    Very proud parent of a U.S. Navy "CB"



    "People may forget what you say,
    People may forget what you did,
    but People will never forget how you made them feel!"

  9. #9
    Member Spyware Fighter zep516's Avatar
    Join Date
    Dec 2005
    Location
    Pittsburgh, Pa
    Posts
    7,158
    Points
    1301

    Default

    Hey DonnaB

    I know you! Thanks for your help and advice...

    Joe

  10. #10
    Member
    Join Date
    Jun 2004
    Posts
    63
    Points
    1

    Default

    I am in safe mode, so it won't let me change the resolution.
