TechSpot

Need help with malware

By kenji
Jul 7, 2010
  1. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Many people do not understand about 'blocked sites'. You need to know that every day, thousands of scans are sent out by bad sites, looking for unprotected systems. This is normal internet traffic. If the antivirus program or firewall blocks the scans from these sites, it's a GOOD thing.
    On the other hand, if your security is blocking something already on the system that is trying to access these sites on the internet, then it would mean that malware is already on the system.

    The IPs you left:
    IP 213.163.89.107 is a site in the Netherlands known for browser hijacks.
    IP 78.47.248.116 is a site in Germany. If it's being blocked, then you should be glad.

    Reformatting/reinstalling doesn't change this if it's incoming.

    There are some suspicious files so I would like you:

    Please download ComboFix from Here and save to your Desktop.

    [1]. Do NOT rename ComboFix unless instructed.
    [2]. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    [3]. Close any open browsers.
    [4]. Double-click combofix.exe and follow the prompts to run.
    NOTE: ComboFix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
    [5]. If ComboFix asks you to install Recovery Console, please allow it.
    [6]. If ComboFix asks you to update the program, always allow.
    Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
    [7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with ComboFix.
    Re-enable your Antivirus software.
    =====================================

    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this in your post.

    Leave the 2 logs in your next reply.
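    The distinction Bobbye draws above (blocked inbound scans are normal; a blocked outbound attempt means something on the box is calling out) can be applied mechanically to a firewall log. The Python below is an added example for this thread, not code from the post or from TechSpot. It assumes the Windows Firewall text-log layout (pfirewall.log, where the last column, path, is RECEIVE or SEND) and a local subnet of 192.168.1.0/24; the log lines are constructed for the example, except that the two remote addresses are the IPs quoted in the post.

```python
import ipaddress
from collections import Counter

# Constructed sample in the layout of the Windows Firewall text log
# (pfirewall.log): columns follow the "#Fields:" header and the final
# "path" column is RECEIVE (inbound) or SEND (outbound). Every address
# and port here is made up for the example, except the two remote IPs
# quoted in the post above. 192.168.1.5 stands for the local machine.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2010-07-07 10:01:02 DROP TCP 213.163.89.107 192.168.1.5 4450 445 48 S 1234567 0 65535 - - - RECEIVE
2010-07-07 10:01:09 DROP TCP 78.47.248.116 192.168.1.5 55021 1433 48 S 2233445 0 8192 - - - RECEIVE
2010-07-07 10:02:30 DROP TCP 192.168.1.5 213.163.89.107 1078 80 48 S 9988776 0 65535 - - - SEND
2010-07-07 10:02:31 ALLOW TCP 192.168.1.5 203.0.113.10 1079 80 0 - 0 0 0 - - - SEND
"""


def parse_firewall_log(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # header missing or malformed line: skip, do not guess
        yield dict(zip(fields, parts))


def classify(record, local_net):
    """Label a DROP by direction: noise from outside, or a local process calling out."""
    if record["action"] != "DROP":
        return "allowed"
    src = ipaddress.ip_address(record["src-ip"])
    dst = ipaddress.ip_address(record["dst-ip"])
    if record["path"] == "RECEIVE" and dst in local_net and src not in local_net:
        return "inbound_scan"       # unsolicited probe blocked at the edge: expected
    if record["path"] == "SEND" and src in local_net and dst not in local_net:
        return "outbound_blocked"   # something on this host tried to reach out
    return "other_drop"


def triage(text, local_cidr="192.168.1.0/24"):
    """Count drops by direction and collect the remote peers of outbound drops."""
    local_net = ipaddress.ip_network(local_cidr)
    counts = Counter()
    outbound_peers = set()
    for rec in parse_firewall_log(text):
        label = classify(rec, local_net)
        counts[label] += 1
        if label == "outbound_blocked":
            outbound_peers.add((rec["dst-ip"], rec["dst-port"]))
    return counts, sorted(outbound_peers)


if __name__ == "__main__":
    counts, peers = triage(SAMPLE_LOG)
    print(dict(counts))
    for ip, port in peers:
        print(f"local process attempted {ip}:{port} - find the owning process")
```

    The two RECEIVE drops are the background scanning Bobbye describes and need no action; the single SEND drop is the one worth chasing, because it identifies a process on the machine that wanted to talk to a known-bad host.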
     
  2. kenji

    kenji TS Rookie Topic Starter

  3. kenji

    kenji TS Rookie Topic Starter

    Any update Bobbye?
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Custom CFScript


    [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    c:\windows\system32\drivers\jwubcpjy.sys
    Folder::
    Registry::
    RegLock::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    
    DirLook::
    C:\ALLDATAW
    
    FileLook::
    c:\program files\Common Files\ALLDATA Shared
    c:\docume~1\GARYZH~1\LOCALS~1\Temp\RGI3.tmp
    
    Driver::
    upyioiv
    
    FCopy::
    C:\WINDOWS\ServicePackFiles\i386\atapi.sys | C:\Windows\System32\drivers\atapi.sys
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [image]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt. Please attach to your next reply.
    ====================
    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      
      :filefind
       ipsec.*
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt

    Please paste the Combofix report in the reply. Okay to attach SystemLook.
     
  5. kenji

    kenji TS Rookie Topic Starter

  6. kenji

    kenji TS Rookie Topic Starter

    There seem to be a lot more random IPs popping up for the past couple of days.
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please review the installations in Add/Remove Programs in the Control Panel. You have numerous entries for 1998, 2000, 2001, 2002, 2003, 2004 on to current dates. If there are some you no longer use, please uninstall them. When finished, rescan with ComboFix and please paste the log in your next reply.

    Are you having any problems getting an internet connection?
     
  8. kenji

    kenji TS Rookie Topic Starter

    There's no problem with my internet connection. Here's the log, thanks.

    ComboFix 10-07-14.02 - Gary Zhao 07/14/2010 22:33:26.4.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.669 [GMT -7:00]
    Running from: c:\documents and settings\Gary Zhao\Desktop\ComboFix.exe
    AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
    * Resident AV is active

    .

    ((((((((((((((((((((((((( Files Created from 2010-06-15 to 2010-07-15 )))))))))))))))))))))))))))))))
    .

    2010-07-15 02:50 . 2010-07-15 05:10 -------- d-----w- c:\windows\SxsCaPendDel
    2010-07-07 08:35 . 2010-07-07 08:35 -------- d-----w- c:\windows\Sun
    2010-07-07 08:35 . 2010-07-07 08:35 503808 ----a-w- c:\documents and settings\Gary Zhao\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-7a63fda9-n\msvcp71.dll
    2010-07-07 08:35 . 2010-07-07 08:35 499712 ----a-w- c:\documents and settings\Gary Zhao\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-7a63fda9-n\jmc.dll
    2010-07-07 08:35 . 2010-07-07 08:35 348160 ----a-w- c:\documents and settings\Gary Zhao\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-7a63fda9-n\msvcr71.dll
    2010-07-07 08:35 . 2010-07-07 08:35 61440 ----a-w- c:\documents and settings\Gary Zhao\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-411eda22-n\decora-sse.dll
    2010-07-07 08:35 . 2010-07-07 08:35 12800 ----a-w- c:\documents and settings\Gary Zhao\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-411eda22-n\decora-d3d.dll
    2010-07-07 08:34 . 2010-07-07 08:34 411368 ----a-w- c:\windows\system32\deployJava1.dll
    2010-07-06 08:03 . 2010-07-06 08:03 -------- d-----w- c:\documents and settings\Gary Zhao\Application Data\Malwarebytes
    2010-07-06 08:03 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-07-06 08:03 . 2010-07-06 08:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-07-06 08:03 . 2010-07-06 08:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-07-06 08:03 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-07-04 11:54 . 2010-07-04 11:54 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
    2010-07-04 10:59 . 2010-07-04 10:59 -------- d-----w- c:\documents and settings\Gary Zhao\Local Settings\Application Data\ESET
    2010-07-04 10:34 . 2010-07-07 21:07 -------- d-----w- c:\program files\ESET
    2010-07-04 10:34 . 2010-07-04 10:34 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
    2010-07-04 10:33 . 2010-07-07 21:33 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-07-04 10:16 . 2010-07-04 10:16 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-07-03 04:23 . 2010-07-03 04:23 -------- d-----w- c:\program files\Rainbow Technologies
    2010-07-03 04:22 . 2010-07-03 04:22 -------- d-----w- c:\program files\SafeNet Sentinel
    2010-07-03 04:22 . 2010-07-03 04:22 -------- d-----w- c:\program files\Common Files\SafeNet Sentinel
    2010-07-03 04:14 . 2010-07-04 10:15 -------- d-----w- c:\windows\system32\QuickTime
    2010-07-03 04:14 . 2010-07-04 10:15 -------- d-----w- c:\program files\QuickTime
    2010-07-03 04:14 . 2010-07-03 04:18 -------- d-----w- c:\documents and settings\All Users\Application Data\QuickTime
    2010-06-28 08:08 . 2010-06-28 08:08 -------- d-----w- c:\documents and settings\Gary Zhao\Application Data\AdobeUM
    2010-06-28 02:06 . 2001-08-17 21:02 9600 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
    2010-06-28 02:06 . 2001-08-17 21:02 9600 ----a-w- c:\windows\system32\drivers\hidusb.sys
    2010-06-28 00:34 . 2004-07-14 19:54 676864 ----a-w- c:\windows\system32\drivers\hardlock.sys
    2010-06-28 00:34 . 2010-06-28 00:34 6656 ----a-w- c:\windows\system32\haspvdd.dll
    2010-06-28 00:34 . 2010-06-28 00:34 47616 ----a-w- c:\windows\system32\drivers\Haspnt.sys
    2010-06-28 00:34 . 2010-06-28 00:34 383 ----a-w- c:\windows\system32\haspdos.sys
    2010-06-28 00:33 . 2006-01-26 22:12 327680 ----a-w- c:\windows\system32\haspms32.dll
    2010-06-28 00:33 . 2003-04-18 23:29 44544 ----a-w- c:\windows\system32\msxml4a.dll
    2010-06-28 00:33 . 2010-07-15 05:04 -------- d-----w- C:\ALLDATAW
    2010-06-28 00:25 . 2010-06-28 00:25 -------- d-----w- c:\program files\Common Files\Real
    2010-06-28 00:25 . 2010-06-28 00:25 -------- d-----w- c:\windows\system32\Adobe
    2010-06-27 20:09 . 2010-06-27 20:09 -------- d-sh--w- c:\documents and settings\Gary Zhao\IECompatCache
    2010-06-27 18:58 . 2006-12-14 17:00 110592 ----a-w- c:\documents and settings\Gary Zhao\Application Data\U3\temp\cleanup.exe
    2010-06-27 18:58 . 2007-02-13 00:46 3096576 ---ha-w- c:\documents and settings\Gary Zhao\Application Data\U3\temp\Launchpad Removal.exe
    2010-06-27 18:57 . 2010-07-05 06:59 -------- d-----w- c:\documents and settings\Gary Zhao\Application Data\U3
    2010-06-27 18:17 . 2010-06-27 18:17 -------- d-----w- c:\documents and settings\Administrator\PrivacIE
    2010-06-27 18:14 . 2010-06-27 18:14 -------- d-----w- c:\documents and settings\Administrator\IETldCache
    2010-06-25 03:47 . 2010-06-25 03:47 -------- d-----w- c:\documents and settings\Gary Zhao\Local Settings\Application Data\Adobe
    2010-06-19 10:04 . 2010-06-19 10:04 -------- d-----w- c:\windows\system32\XPSViewer
    2010-06-19 10:04 . 2010-06-19 10:04 -------- d-----w- c:\program files\MSBuild
    2010-06-19 10:04 . 2010-06-19 10:04 -------- d-----w- c:\program files\Reference Assemblies
    2010-06-19 10:03 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
    2010-06-19 10:03 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
    2010-06-19 10:03 . 2010-06-19 10:04 -------- d-----w- C:\b2d7ebc878410ac7dc5819
    2010-06-19 10:03 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
    2010-06-19 10:03 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
    2010-06-19 10:03 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
    2010-06-19 10:03 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
    2010-06-19 10:03 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
    2010-06-19 10:03 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
    2010-06-19 10:03 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
    2010-06-19 10:01 . 2010-06-19 10:01 -------- d-----w- c:\program files\MSXML 6.0
    2010-06-17 10:02 . 2010-06-17 10:02 -------- d-----w- c:\windows\ServicePackFiles
    2010-06-17 10:01 . 2010-06-17 10:01 -------- d-----w- c:\program files\MSXML 4.0
    2010-06-17 03:46 . 2010-06-17 03:58 -------- d-----w- c:\windows\system32\CatRoot_bak
    2010-06-17 03:44 . 2006-03-21 03:23 23040 ------w- c:\windows\kb913800.exe
    2010-06-16 10:55 . 2008-06-13 13:10 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
    2010-06-16 10:55 . 2008-06-13 13:10 272128 ------w- c:\windows\system32\drivers\bthport.sys
    2010-06-16 10:55 . 2009-12-31 16:14 352640 -c----w- c:\windows\system32\dllcache\srv.sys
    2010-06-16 10:50 . 2010-02-24 12:31 454016 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
    2010-06-16 10:50 . 2009-11-21 16:36 470528 -c----w- c:\windows\system32\dllcache\aclayers.dll
    2010-06-16 10:49 . 2009-06-21 22:04 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
    2010-06-16 10:48 . 2009-10-23 14:27 3555328 -c----w- c:\windows\system32\dllcache\moviemk.exe
    2010-06-16 10:38 . 2010-06-16 10:38 -------- d-----w- c:\windows\system32\LogFiles
    2010-06-16 10:34 . 2009-07-31 04:57 1172480 -c----w- c:\windows\system32\dllcache\msxml3.dll
    2010-06-16 10:30 . 2009-10-12 13:54 69632 -c----w- c:\windows\system32\dllcache\raschap.dll
    2010-06-16 10:30 . 2009-10-12 13:54 112128 -c----w- c:\windows\system32\dllcache\rastls.dll
    2010-06-16 10:29 . 2009-10-15 17:21 82432 -c----w- c:\windows\system32\dllcache\fontsub.dll
    2010-06-16 10:20 . 2008-05-08 12:28 202752 -c----w- c:\windows\system32\dllcache\rmcast.sys
    2010-06-16 10:15 . 2009-11-27 16:37 8704 -c----w- c:\windows\system32\dllcache\tsbyuv.dll
    2010-06-16 10:15 . 2009-11-27 16:37 84992 -c----w- c:\windows\system32\dllcache\avifil32.dll
    2010-06-16 10:15 . 2009-11-27 16:37 48128 -c----w- c:\windows\system32\dllcache\iyuv_32.dll
    2010-06-16 10:15 . 2009-11-27 16:37 28672 -c----w- c:\windows\system32\dllcache\msvidc32.dll
    2010-06-16 10:15 . 2009-11-27 16:37 11264 -c----w- c:\windows\system32\dllcache\msrle32.dll
    2010-06-16 10:15 . 2010-02-12 04:47 100864 -c----w- c:\windows\system32\dllcache\6to4svc.dll
    2010-06-16 10:15 . 2008-08-14 09:51 138368 -c----w- c:\windows\system32\dllcache\afd.sys
    2010-06-16 10:15 . 2008-06-20 17:41 245248 -c----w- c:\windows\system32\dllcache\mswsock.dll
    2010-06-16 10:15 . 2008-06-20 10:45 360320 -c----w- c:\windows\system32\dllcache\tcpip.sys
    2010-06-16 10:14 . 2010-01-29 15:08 683520 -c----w- c:\windows\system32\dllcache\inetcomm.dll
    2010-06-16 10:14 . 2010-01-29 15:08 1315840 -c----w- c:\windows\system32\dllcache\msoe.dll
    2010-06-16 10:12 . 2009-06-05 07:42 655872 -c----w- c:\windows\system32\dllcache\mstscax.dll
    2010-06-16 10:12 . 2008-10-15 16:57 332800 -c----w- c:\windows\system32\dllcache\netapi32.dll
    2010-06-16 10:10 . 2008-10-23 13:01 283648 -c----w- c:\windows\system32\dllcache\gdi32.dll
    2010-06-16 10:03 . 2008-04-21 10:02 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
    2010-06-16 08:09 . 2010-06-16 08:09 2568656 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
    2010-06-16 08:09 . 2010-06-17 03:41 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
    2010-06-16 07:36 . 2010-06-16 07:36 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
    2010-06-16 07:36 . 2010-06-17 03:41 -------- d-----w- c:\program files\DAEMON Tools Lite
    2010-06-16 07:35 . 2010-06-28 00:24 -------- d-----w- c:\documents and settings\Gary Zhao\Application Data\DAEMON Tools Lite
    2010-06-16 07:35 . 2010-06-16 07:36 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
    2010-06-16 07:19 . 2010-06-16 07:19 -------- d-----w- c:\program files\Combined Community Codec Pack
    2010-06-16 07:06 . 2010-06-16 07:06 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2010-06-16 07:00 . 2010-06-16 07:00 -------- d-----w- c:\program files\Haali
    2010-06-16 07:00 . 2010-06-16 07:20 -------- d-----w- c:\program files\CoreCodec
    2010-06-16 06:50 . 2010-06-16 06:50 -------- d-----w- c:\documents and settings\Gary Zhao\Application Data\Media Player Classic
    2010-06-16 06:47 . 2010-07-02 04:17 -------- d-----w- C:\Media
    2010-06-16 06:45 . 2010-07-06 08:24 -------- d-----w- c:\program files\QvodPlayer
    2010-06-16 06:45 . 2010-06-16 07:12 -------- d-----w- c:\program files\MPC HomeCinema
    2010-06-16 06:18 . 2010-06-16 06:18 -------- d-----w- c:\program files\uTorrent
    2010-06-16 06:17 . 2010-07-15 05:30 -------- d-----w- c:\documents and settings\Gary Zhao\Application Data\uTorrent
    2010-06-16 06:05 . 2010-07-15 05:18 -------- d-----w- c:\program files\Steam
    2010-06-16 05:56 . 2010-06-16 05:56 0 ----a-w- c:\windows\nsreg.dat
    2010-06-16 05:56 . 2010-06-16 05:56 -------- d-----w- c:\documents and settings\Gary Zhao\Local Settings\Application Data\Mozilla
    2010-06-16 05:51 . 2010-06-16 05:51 -------- d-sh--w- c:\documents and settings\Gary Zhao\PrivacIE
    2010-06-16 05:47 . 2008-05-01 14:30 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
    2010-06-16 05:45 . 2010-06-16 05:45 -------- d-sh--w- c:\documents and settings\Gary Zhao\IETldCache
    2010-06-16 05:44 . 2010-06-17 10:05 -------- d-----w- c:\windows\ie8updates
    2010-06-16 05:42 . 2010-06-16 05:43 -------- dc-h--w- c:\windows\ie8
    2010-06-16 05:38 . 2009-07-17 18:55 58880 -c----w- c:\windows\system32\dllcache\atl.dll
    2010-06-16 05:32 . 2010-05-06 10:41 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
    2010-06-16 05:32 . 2010-05-06 10:41 599040 -c----w- c:\windows\system32\dllcache\msfeeds.dll
    2010-06-16 05:32 . 2010-05-06 10:41 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
    2010-06-16 05:32 . 2010-05-06 10:41 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
    2010-06-16 05:32 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
    2010-06-16 05:32 . 2010-05-06 10:41 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
    2010-06-16 05:32 . 2010-05-06 10:41 11076096 -c----w- c:\windows\system32\dllcache\ieframe.dll
    2010-06-16 05:31 . 2010-04-16 11:43 41984 -c----w- c:\windows\system32\dllcache\iecompat.dll
    2010-06-16 05:31 . 2008-02-26 11:59 294912 -c----w- c:\windows\system32\dllcache\msctf.dll
    2010-06-16 05:24 . 2006-03-15 12:00 59904 -c--a-w- c:\windows\system32\dllcache\imkrinst.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-07-15 03:02 . 2006-08-10 09:41 -------- d-----w- c:\program files\Sony
    2010-07-15 03:02 . 2006-08-10 08:53 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-07-15 02:56 . 2006-08-10 09:16 -------- d-----w- c:\program files\Windows Media Connect
    2010-07-15 02:51 . 2006-08-10 09:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Napster
    2010-07-15 02:43 . 2006-08-10 09:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony Corporation
    2010-07-07 08:35 . 2006-08-10 09:13 -------- d-----w- c:\program files\Common Files\Java
    2010-07-07 08:34 . 2006-08-10 09:13 -------- d-----w- c:\program files\Java
    2010-06-28 00:25 . 2006-08-10 09:50 -------- d-----w- c:\program files\Common Files\Adobe
    2010-06-27 18:19 . 2006-08-10 09:55 -------- d-----w- c:\program files\MobiTV
    2010-06-16 05:09 . 2010-06-15 14:24 132 ----a-w- c:\documents and settings\Gary Zhao\Local Settings\Application Data\fusioncache.dat
    2010-06-15 14:24 . 2010-06-15 14:24 0 ---ha-r- c:\windows\system32\drivers\Sony_VGN-C140G.mrk
    2010-06-15 07:49 . 2006-08-10 09:38 -------- d-----w- c:\program files\Common Files\Sony Shared
    2010-06-15 07:46 . 2010-06-15 14:24 -------- d-----w- c:\documents and settings\Gary Zhao\Application Data\Intuit
    2010-06-15 07:46 . 2010-06-15 14:24 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Intuit
    2010-06-15 07:41 . 2010-06-15 14:24 13888 ----a-w- c:\documents and settings\Gary Zhao\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-06-15 07:31 . 2010-06-15 14:24 -------- d-----w- c:\documents and settings\Gary Zhao\Application Data\Sony Corporation
    2010-06-15 07:31 . 2010-06-15 14:24 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Sony Corporation
    2010-06-15 07:31 . 2006-08-10 09:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\Sony Corporation
    2010-05-06 10:41 . 2006-08-10 07:32 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-05-02 05:56 . 2006-08-10 07:32 1850880 ----a-w- c:\windows\system32\win32k.sys
    2010-04-20 05:51 . 2006-08-10 07:32 285696 ----a-w- c:\windows\system32\atmfd.dll
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-07-07_06.12.44 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-07-15 05:32 . 2010-07-15 05:32 16384 c:\windows\Temp\Perflib_Perfdata_2b0.dat
    + 2010-07-07 08:34 . 2010-07-07 08:34 153376 c:\windows\system32\javaws.exe
    + 2010-07-07 08:34 . 2010-07-07 08:34 145184 c:\windows\system32\javaw.exe
    + 2010-07-07 08:34 . 2010-07-07 08:34 145184 c:\windows\system32\java.exe
    + 2010-07-07 08:35 . 2010-07-07 08:35 180224 c:\windows\Installer\80535.msi
    + 2010-07-07 08:34 . 2010-07-07 08:34 576000 c:\windows\Installer\80530.msi
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Steam"="c:\program files\steam\steam.exe" [2010-06-16 1238352]
    "uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-06-16 322352]
    "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2006-04-05 94208]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-04-05 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2006-04-05 118784]
    "Apoint"="c:\program files\Apoint\Apoint.exe" [2004-11-18 118784]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
    "SkyTel"="SkyTel.EXE" [2006-05-17 2879488]
    "AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-08-25 53248]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
    "ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]
    "VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2005-10-12 151552]
    "SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2006-08-27 217088]
    "Switcher.exe"="c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe" [2006-02-14 176128]
    "egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-09-29 2054360]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
    2006-06-20 23:11 73728 ----a-w- c:\windows\system32\VESWinlogon.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Steam\\Steam.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\QvodPlayer\\QvodTerminal.exe"=
    "c:\\Program Files\\Steam\\steamapps\\garyzhao\\counter-strike\\hl.exe"=

    R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [9/29/2009 1:02 PM 108792]
    R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [9/29/2009 1:05 PM 96408]
    R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [9/29/2009 1:03 PM 735960]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [7/6/2010 1:03 AM 304464]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [7/6/2010 1:03 AM 20952]
    R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [8/10/2006 12:33 AM 226304]
    S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/16/2010 12:36 AM 691696]
     
  9. kenji

    kenji TS Rookie Topic Starter

    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    uInternet Connection Wizard,ShellNext = hxxp://www.sony.com/vaiopeople
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\Gary Zhao\Application Data\Mozilla\Firefox\Profiles\434nyf9t.default\
    FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-07-14 22:42
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    c:\docume~1\GARYZH~1\LOCALS~1\Temp\RGI4.tmp 7075 bytes

    scan completed successfully
    hidden files: 1

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x854C2EC5]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\Disk -> CLASSPNP.SYS @ 0xf7622fc3
    \Driver\ACPI -> ACPI.sys @ 0xf7495cb8
    \Driver\atapi -> atapi.sys @ 0xf742f7b4
    IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582544
    ParseProcedure -> ntkrnlpa.exe @ 0x80581684
    \Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582544
    ParseProcedure -> ntkrnlpa.exe @ 0x80581684
    NDIS: Intel(R) PRO/Wireless 3945ABG Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf733cba0
    PacketIndicateHandler -> NDIS.sys @ 0xf7349b21
    SendHandler -> NDIS.sys @ 0xf732787b
    user & kernel MBR OK

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(884)
    c:\windows\system32\WININET.dll
    c:\windows\system32\VESWinlogon.dll

    - - - - - - - > 'lsass.exe'(944)
    c:\windows\system32\WININET.dll
    .
    Completion time: 2010-07-14 22:46:19
    ComboFix-quarantined-files.txt 2010-07-15 05:46
    ComboFix2.txt 2010-07-07 20:56
    ComboFix3.txt 2010-07-07 06:15

    Pre-Run: 22,147,166,208 bytes free
    Post-Run: 22,119,608,320 bytes free

    - - End Of File - - 5010444E868D0B1EEC1001FE56B2A776
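    The "Files Created" section of the ComboFix log posted above is regular enough to parse, which makes it easier to pull out the entries a helper would check first (recently created kernel drivers, hidden+system folders inside a user profile). The Python below is an added example, not ComboFix code or anything from the thread; the column layout (created . modified size attributes path) is my reading of that log rather than documented format, the sample entries are copied from the log above, and the run time is taken from its header line. The output is a worklist, not a verdict: the Malwarebytes driver and IECompatCache (an IE8 folder) land in it and are benign.

```python
import re
from datetime import datetime, timedelta

# Entries copied from the "Files Created" section of the ComboFix log above.
# The column layout (created . modified size attributes path) is my reading
# of that output, not something ComboFix documents; adjust if it changes.
SAMPLE_ENTRIES = r"""
2010-07-06 08:03 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-28 02:06 . 2001-08-17 21:02 9600 ----a-w- c:\windows\system32\drivers\hidusb.sys
2010-06-16 07:36 . 2010-06-16 07:36 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-06-27 20:09 . 2010-06-27 20:09 -------- d-sh--w- c:\documents and settings\Gary Zhao\IECompatCache
2010-07-07 08:35 . 2010-07-07 08:35 -------- d-----w- c:\windows\Sun
2010-06-15 14:24 . 2010-06-15 14:24 0 ---ha-r- c:\windows\system32\drivers\Sony_VGN-C140G.mrk
"""

ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\S+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
TS = "%Y-%m-%d %H:%M"


def parse_entries(text):
    """Parse ComboFix file-list lines; unparseable lines are skipped, not guessed."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["created"] = datetime.strptime(e["created"], TS)
        e["modified"] = datetime.strptime(e["modified"], TS)
        # "--------" in the size column marks a directory entry
        e["size"] = None if e["size"] == "--------" else int(e["size"])
        attrs = e["attrs"]
        e["is_dir"] = attrs[0] == "d"
        e["hidden"] = "h" in attrs
        e["system"] = "s" in attrs
        entries.append(e)
    return entries


def flag_entries(entries, run_time, window_days=30):
    """Return (reason, path) pairs worth a second look. Candidates, not verdicts."""
    cutoff = datetime.strptime(run_time, TS) - timedelta(days=window_days)
    flagged = []
    for e in entries:
        p = e["path"].lower()
        # kernel drivers that appeared recently: check the vendor/signature of each
        if p.endswith(".sys") and "\\drivers\\" in p and e["created"] >= cutoff:
            flagged.append(("new kernel driver", e["path"]))
        # hidden+system directories inside a user profile are unusual for user data
        if e["is_dir"] and e["hidden"] and e["system"] and "\\documents and settings\\" in p:
            flagged.append(("hidden+system dir in user profile", e["path"]))
    return flagged


if __name__ == "__main__":
    # run time taken from the ComboFix header line above (07/14/2010 22:33)
    for reason, path in flag_entries(parse_entries(SAMPLE_ENTRIES), "2010-07-14 22:33"):
        print(f"{reason}: {path}")
```

    Run against the full log, the driver list is the part to read next to the "Reg Loading Points" and service (R1/R2/S4) entries: a driver that appears in the file list but has no matching vendor or installer is the kind of thing the CFScript earlier in the thread was written to remove.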
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Ken, you have a directory named C:\ALLDATAW. I used a script to look and see what files were in it. It appears to be automotive related; for the most part it's images, but it has other files, and it was set up in 1998. Did you create this directory? Is this a work computer?

    One of the exe files is named ADiShopVehicleServer.exe and appears to be only available as a torrent download. Another entry is OnlinePromo.html which is a marketing tool. The contents must be very large due to the number of files.

    The contents of this folder alone would indicate a rich source of potential ad pop-ups.
     
  11. kenji

    kenji TS Rookie Topic Starter

    Yes, I did create that directory; this program never caused me any problems before. I also deleted as told, but my PC doesn't seem to do any better. This is a personal computer. What should I do next?
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Sorry- I lost you! Please run the following:

    Download TDSSKiller. Extract the zipped file to your desktop.

    Go to Start ->Run. Type/Copy and Paste the following text into the prompt:
    Code:
    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\report.txt -v
    • This will have the program write a detailed log
    • The screen will resemble this black screen:
    • If malicious services or files have been detected, the utility will prompt to reboot the PC in order to complete the disinfection procedure. Please reboot when prompted.
    • After reboot, the driver will delete malicious registry keys and files as well as remove itself from the services list.
    • You should get a screen like this:
    • A log file named report.txt should have been created and saved to the root directory (usually C:\report.txt).
    • Follow the prompts and attach the report to your next reply.

    And then please clearly describe what problems remain.
     
  13. kenji

    kenji TS Rookie Topic Starter

    Thanks for the reply. I got an error using TDSSKiller on the command line saying "valid command line parameters", so I just ran the exe. I don't know if that would make any difference; if so, how do I get it to run? For my computer, I realized that I couldn't go to certain sites, so I removed Malwarebytes, and I can get to those sites fine now. So should I reinstall Malwarebytes? Of course, without Malwarebytes there's no sign saying blocked IP or anything like that, but the computer seems to run fine. But anyway, here's the log. Thank you
    View attachment TDSSKiller.2.4.0.0_24.07.2010_00.37.51_log.txt
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You continue to have uTorrent running in the background. Please uninstall it or disable it.

    Download Bootkit Remover and save to your Desktop
    1. You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
    2. After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users, right click on remover.exe and click Run As Administrator).
    3. You will see a Black screen with some data on it.
    4. Right click on the screen and click Select All.
    5. Press CTRL+C to Copy
    6. Open a Notepad and press CTRL+V to Paste.
    7. Include the report in your next post.
    Credits to Broni

    Follow with another Eset scan:

    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    Give a specific description of remaining problems.
     
  15. kenji

    kenji TS Rookie Topic Starter

    My computer seems to be running without any issues after removing Malwarebytes. So I guess I should stay away from that program? Thanks Bobbye

    Bootkit:

    Bootkit Remover
    (c) 2009 eSage Lab
    www.esagelab.com

    Program version: 1.1.0.0
    OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000001`c01a2400
    Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

    Size Device Name MBR Status
    --------------------------------------------
    111 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


    Done;
    Press any key to quit...


    Eset online scanner:


    # version=7
    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=ded4fe262198544890088449b76f1486
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-07-25 08:26:50
    # local_time=2010-07-25 01:26:50 (-0800, Pacific Daylight Time)
    # country="United States"
    # lang=9
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 2534243 2534243 0 0
    # compatibility_mode=8199 39157077 100 100 0 25702803 0 0
    # scanned=69623
    # found=0
    # cleaned=0
    # scan_time=3021
    # nod_component=V3 Build:0x30000000
     


  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Wasn't Malwarebytes what was blocking the foreign site? I don't know whether those sites were incoming scans from the internet or outgoing attempts from something in your system to contact those sites on the internet. It makes a big difference. If you are getting alerts for attempts to access your computer and they bother you, you should be able to stop the alerts from flashing but still let Mbam do its job.

    If you don't have a firewall:
    I recommend either of these software firewalls; both are free:
    You should have only one software firewall. You may also use a router. Most routers have a hardware firewall in them. You can use both hardware and software firewalls together, but use only one software firewall.

    If problems have been resolved:
    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
      [o]Choose Disk Cleanup
      [o]Click "OK" to select the partition or drive you want.
      [o]Click the "More Options" Tab.
      [o]Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin

    Let me know if I can be of any more help.
     
  17. kenji

    kenji TS Rookie Topic Starter

    Thanks for all the help Bobbye.
     
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're welcome. Glad to help. Here are some tips for you:


    Please follow these simple steps to keep your computer clean and secure:


    Stay current on updates:
    • Visit the Microsoft Download Site frequently. You should get All updates marked Critical and the current SP updates: Windows XP> SP2, SP3.
    • Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
    • Check this site: Java Updates. Stay current, as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.

    Make Internet Explorer safer. Follow the suggestions HERE. This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features.

    Do regular Maintenance
    • Remove Temporary Internet Files regularly:
      [o]ATF Cleaner by Atribune
      OR
      [o]TFC
    • Disable and Enable System Restore:
      [o]See System Restore Guide This will help you understand what this is, why you need to clean and set restore points and what information is in them.

    Have layered Security:
    • Antivirus Software(only one): Both of the following programs are free and known to be good:
      [o]Avira Free
      [o]Avast Home
    • Firewall (only one): Use bi-directional firewall. Both of the following programs are free and known to be good:
      [o]Comodo
      [o] Zone Alarm
    • Antispyware: I recommend all of the following:
      [o]Spywareblaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
      [o]IE/Spyad This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
      [o]MVPS Hosts files This replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
      [o]Google Toolbar Get the free google toolbar to help stop pop up windows.
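
The MVPS HOSTS approach described above works by pointing ad and tracking names at 127.0.0.1, so the connection never leaves the machine. As an added example (not from this thread, from MVPS or from TechSpot), the Python script below parses a HOSTS file and separates such loopback sinkhole entries from entries that send a name to a real address, which is the kind of entry worth verifying when reviewing a HOSTS file. The sample file content, hostnames and the 198.51.100.7 address are constructed for the demo.

```python
"""Sort HOSTS entries into sinkholes (the MVPS approach) vs. real redirects.

Added example, not from the TechSpot thread or MVPS. The sample HOSTS text
is constructed; the hostnames and the 198.51.100.7 address are made up.
"""
import ipaddress

# Constructed sample: Windows default lines, two MVPS-style block lines and
# one made-up line that sends an update host to a non-loopback address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0 ad.example-adserver.test      # MVPS-style block entry
0.0.0.0 tracker.example-adserver.test analytics.example-adserver.test
198.51.100.7    update.example-vendor.test   # constructed redirect
"""


def parse_hosts(text):
    """Yield (line_no, ip_address, [hostnames]); comments, blanks and
    lines with an unparseable address are skipped."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # strip trailing comment
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        yield line_no, addr, fields[1:]


def classify_hosts(text):
    """Return {'sinkholed': [...], 'redirected': [...]} of (line_no, name, ip).
    Loopback/unspecified targets only block a name; anything else is a redirect."""
    result = {"sinkholed": [], "redirected": []}
    for line_no, addr, names in parse_hosts(text):
        bucket = "sinkholed" if addr.is_loopback or addr.is_unspecified else "redirected"
        for name in names:
            if name != "localhost":  # default Windows lines are neither
                result[bucket].append((line_no, name, str(addr)))
    return result


if __name__ == "__main__":
    report = classify_hosts(SAMPLE_HOSTS)
    print(f"{len(report['sinkholed'])} names blocked via loopback/0.0.0.0")
    for line_no, name, ip in report["redirected"]:
        print(f"line {line_no}: {name} -> {ip} is not loopback; verify it")
```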
     