Solved Need help with malware

Many people do not understand about 'blocked sites'. You need to know that every day, thousands of scans are sent out by bad sites, looking for unprotected systems. This is normal internet traffic. If the antivirus program or firewall blocks the scans from these sites, it's a GOOD thing.
On the other hand, if your security is blocking something already on the system that is trying to access these sites on the internet, then it would mean that malware is already on the system.

The IPs you left:
IP 213.163.89.107 is a site in the Netherlands known for browser hijacks.
IP 78.47.248.116 is a site in Germany. If it's being blocked, then you should be glad.

Reformatting/reinstalling doesn't change this if it's incoming.

There are some suspicious files so I would like you:

Please download ComboFix from Here and save to your Desktop.

  1. Do NOT rename Combofix unless instructed.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Close any open browsers.
  4. Double click combofix.exe & follow the prompts to run.
  • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  5. If Combofix asks you to install Recovery Console, please allow it.
  6. If Combofix asks you to update the program, always allow.
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  7. A report will be generated after the scan. Please post the C:\ComboFix.txt in your next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs when you're done with Combofix.
Re-enable your Antivirus software.
=====================================

Run Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Re-enable your Antivirus software.
  10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Leave the 2 logs in your next reply.
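The distinction drawn at the top of this post (blocked inbound probes are background noise; a blocked outbound connection from a local process is the sign of something already on the machine) is easy to automate when you have a firewall log. The script below is an added example written for this thread, not a tool from the forum or from any product mentioned here. It parses a constructed log format (columns: date, time, direction, action, remote IP, remote port, process) that is an assumption for the example, counts inbound blocks per remote address, and isolates outbound blocks attributed to a process. The two remote addresses are the ones discussed above; the process path and the allowed outbound line are made up.

```python
import ipaddress
from collections import Counter

# Constructed sample firewall log lines for this example (not from any real
# product). Columns: date time direction action remote_ip remote_port process.
# The two blocked remote IPs are the addresses discussed in the thread; the
# process path and the ALLOW line are invented.
SAMPLE_LOG = [
    "2010-07-14 22:10:01 IN  BLOCK 213.163.89.107 445 -",
    "2010-07-14 22:10:07 IN  BLOCK 78.47.248.116 1433 -",
    "2010-07-14 22:11:30 IN  BLOCK 213.163.89.107 135 -",
    "2010-07-14 22:12:45 OUT BLOCK 213.163.89.107 80 c:\\docume~1\\user\\locals~1\\temp\\svc.exe",
    "2010-07-14 22:13:02 OUT ALLOW 203.0.113.10 443 c:\\program files\\mozilla firefox\\firefox.exe",
]


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it is malformed."""
    parts = line.split(None, 6)          # the process path may contain spaces
    if len(parts) < 6:
        return None
    date, time, direction, action, remote_ip, port = parts[:6]
    try:
        ipaddress.ip_address(remote_ip)  # reject lines whose IP field is garbage
        port = int(port)
    except ValueError:
        return None
    process = parts[6] if len(parts) == 7 and parts[6] != "-" else None
    return {"time": f"{date} {time}", "direction": direction, "action": action,
            "remote_ip": remote_ip, "remote_port": port, "process": process}


def triage(lines):
    """Separate blocked inbound probes (noise) from blocked outbound
    connections started by a local process (an indicator that something
    on the host is trying to reach out)."""
    inbound_scans = Counter()
    outbound_indicators = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["action"] != "BLOCK":
            continue
        if ev["direction"] == "IN":
            inbound_scans[ev["remote_ip"]] += 1
        elif ev["direction"] == "OUT":
            outbound_indicators.append(ev)
    return {"inbound_scans": dict(inbound_scans),
            "outbound_indicators": outbound_indicators}


def verdict(result):
    """One-line summary following the reasoning in the post above."""
    if result["outbound_indicators"]:
        procs = sorted({e["process"] or "<unknown>" for e in result["outbound_indicators"]})
        return "investigate: local process attempted blocked outbound connection: " + ", ".join(procs)
    if result["inbound_scans"]:
        return "noise: only inbound probes were blocked; the firewall is doing its job"
    return "nothing blocked"


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    for ip, n in r["inbound_scans"].items():
        print(f"inbound probes blocked from {ip}: {n}")
    for ev in r["outbound_indicators"]:
        print(f"{ev['time']} outbound to {ev['remote_ip']}:{ev['remote_port']} by {ev['process']}")
    print(verdict(r))
```

Run against the sample, the three inbound lines are summarised per address and only the outbound block from the Temp-directory executable is raised as something to look at; reinstalling the operating system would not change the inbound counts, which is the point the post makes.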
 
Custom CFScript


  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the code below into it:
Code:
File::
c:\windows\system32\drivers\jwubcpjy.sys
Folder::
Registry::
RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

DirLook::
C:\ALLDATAW

FileLook::
c:\program files\Common Files\ALLDATA Shared
c:\docume~1\GARYZH~1\LOCALS~1\Temp\RGI3.tmp

Driver::
upyioiv

FCopy::
C:\WINDOWS\ServicePackFiles\i386\atapi.sys | C:\Windows\System32\drivers\atapi.sys

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
====================
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :filefind
     ipsec.*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Please paste the Combofix report in the reply. Okay to attach SystemLook.
 
Please review the installations in Add/remove Programs in the Control Panel. You have numerous entries for 1998, 2000, 2001, 2002, 2003, 2004 on to current dates. If there are some you no longer use, please uninstall them. When finished, rescan with Combofix and please paste the log in your next reply.

Are you having any problems getting an internet connection?
 
There's no problem with my internet connection. Here's the log thx.

ComboFix 10-07-14.02 - Gary Zhao 07/14/2010 22:33:26.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.669 [GMT -7:00]
Running from: c:\documents and settings\Gary Zhao\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2010-06-15 to 2010-07-15 )))))))))))))))))))))))))))))))
.

2010-07-15 02:50 . 2010-07-15 05:10 -------- d-----w- c:\windows\SxsCaPendDel
2010-07-07 08:35 . 2010-07-07 08:35 -------- d-----w- c:\windows\Sun
2010-07-07 08:35 . 2010-07-07 08:35 503808 ----a-w- c:\documents and settings\Gary Zhao\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-7a63fda9-n\msvcp71.dll
2010-07-07 08:35 . 2010-07-07 08:35 499712 ----a-w- c:\documents and settings\Gary Zhao\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-7a63fda9-n\jmc.dll
2010-07-07 08:35 . 2010-07-07 08:35 348160 ----a-w- c:\documents and settings\Gary Zhao\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-7a63fda9-n\msvcr71.dll
2010-07-07 08:35 . 2010-07-07 08:35 61440 ----a-w- c:\documents and settings\Gary Zhao\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-411eda22-n\decora-sse.dll
2010-07-07 08:35 . 2010-07-07 08:35 12800 ----a-w- c:\documents and settings\Gary Zhao\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-411eda22-n\decora-d3d.dll
2010-07-07 08:34 . 2010-07-07 08:34 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-06 08:03 . 2010-07-06 08:03 -------- d-----w- c:\documents and settings\Gary Zhao\Application Data\Malwarebytes
2010-07-06 08:03 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-06 08:03 . 2010-07-06 08:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-06 08:03 . 2010-07-06 08:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-06 08:03 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-04 11:54 . 2010-07-04 11:54 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2010-07-04 10:59 . 2010-07-04 10:59 -------- d-----w- c:\documents and settings\Gary Zhao\Local Settings\Application Data\ESET
2010-07-04 10:34 . 2010-07-07 21:07 -------- d-----w- c:\program files\ESET
2010-07-04 10:34 . 2010-07-04 10:34 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2010-07-04 10:33 . 2010-07-07 21:33 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-04 10:16 . 2010-07-04 10:16 -------- d-----w- c:\windows\system32\wbem\Repository
2010-07-03 04:23 . 2010-07-03 04:23 -------- d-----w- c:\program files\Rainbow Technologies
2010-07-03 04:22 . 2010-07-03 04:22 -------- d-----w- c:\program files\SafeNet Sentinel
2010-07-03 04:22 . 2010-07-03 04:22 -------- d-----w- c:\program files\Common Files\SafeNet Sentinel
2010-07-03 04:14 . 2010-07-04 10:15 -------- d-----w- c:\windows\system32\QuickTime
2010-07-03 04:14 . 2010-07-04 10:15 -------- d-----w- c:\program files\QuickTime
2010-07-03 04:14 . 2010-07-03 04:18 -------- d-----w- c:\documents and settings\All Users\Application Data\QuickTime
2010-06-28 08:08 . 2010-06-28 08:08 -------- d-----w- c:\documents and settings\Gary Zhao\Application Data\AdobeUM
2010-06-28 02:06 . 2001-08-17 21:02 9600 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2010-06-28 02:06 . 2001-08-17 21:02 9600 ----a-w- c:\windows\system32\drivers\hidusb.sys
2010-06-28 00:34 . 2004-07-14 19:54 676864 ----a-w- c:\windows\system32\drivers\hardlock.sys
2010-06-28 00:34 . 2010-06-28 00:34 6656 ----a-w- c:\windows\system32\haspvdd.dll
2010-06-28 00:34 . 2010-06-28 00:34 47616 ----a-w- c:\windows\system32\drivers\Haspnt.sys
2010-06-28 00:34 . 2010-06-28 00:34 383 ----a-w- c:\windows\system32\haspdos.sys
2010-06-28 00:33 . 2006-01-26 22:12 327680 ----a-w- c:\windows\system32\haspms32.dll
2010-06-28 00:33 . 2003-04-18 23:29 44544 ----a-w- c:\windows\system32\msxml4a.dll
2010-06-28 00:33 . 2010-07-15 05:04 -------- d-----w- C:\ALLDATAW
2010-06-28 00:25 . 2010-06-28 00:25 -------- d-----w- c:\program files\Common Files\Real
2010-06-28 00:25 . 2010-06-28 00:25 -------- d-----w- c:\windows\system32\Adobe
2010-06-27 20:09 . 2010-06-27 20:09 -------- d-sh--w- c:\documents and settings\Gary Zhao\IECompatCache
2010-06-27 18:58 . 2006-12-14 17:00 110592 ----a-w- c:\documents and settings\Gary Zhao\Application Data\U3\temp\cleanup.exe
2010-06-27 18:58 . 2007-02-13 00:46 3096576 ---ha-w- c:\documents and settings\Gary Zhao\Application Data\U3\temp\Launchpad Removal.exe
2010-06-27 18:57 . 2010-07-05 06:59 -------- d-----w- c:\documents and settings\Gary Zhao\Application Data\U3
2010-06-27 18:17 . 2010-06-27 18:17 -------- d-----w- c:\documents and settings\Administrator\PrivacIE
2010-06-27 18:14 . 2010-06-27 18:14 -------- d-----w- c:\documents and settings\Administrator\IETldCache
2010-06-25 03:47 . 2010-06-25 03:47 -------- d-----w- c:\documents and settings\Gary Zhao\Local Settings\Application Data\Adobe
2010-06-19 10:04 . 2010-06-19 10:04 -------- d-----w- c:\windows\system32\XPSViewer
2010-06-19 10:04 . 2010-06-19 10:04 -------- d-----w- c:\program files\MSBuild
2010-06-19 10:04 . 2010-06-19 10:04 -------- d-----w- c:\program files\Reference Assemblies
2010-06-19 10:03 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-06-19 10:03 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2010-06-19 10:03 . 2010-06-19 10:04 -------- d-----w- C:\b2d7ebc878410ac7dc5819
2010-06-19 10:03 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-06-19 10:03 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-06-19 10:03 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-06-19 10:03 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-06-19 10:03 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-06-19 10:03 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-06-19 10:03 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-06-19 10:01 . 2010-06-19 10:01 -------- d-----w- c:\program files\MSXML 6.0
2010-06-17 10:02 . 2010-06-17 10:02 -------- d-----w- c:\windows\ServicePackFiles
2010-06-17 10:01 . 2010-06-17 10:01 -------- d-----w- c:\program files\MSXML 4.0
2010-06-17 03:46 . 2010-06-17 03:58 -------- d-----w- c:\windows\system32\CatRoot_bak
2010-06-17 03:44 . 2006-03-21 03:23 23040 ------w- c:\windows\kb913800.exe
2010-06-16 10:55 . 2008-06-13 13:10 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-06-16 10:55 . 2008-06-13 13:10 272128 ------w- c:\windows\system32\drivers\bthport.sys
2010-06-16 10:55 . 2009-12-31 16:14 352640 -c----w- c:\windows\system32\dllcache\srv.sys
2010-06-16 10:50 . 2010-02-24 12:31 454016 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-06-16 10:50 . 2009-11-21 16:36 470528 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-06-16 10:49 . 2009-06-21 22:04 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2010-06-16 10:48 . 2009-10-23 14:27 3555328 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-06-16 10:38 . 2010-06-16 10:38 -------- d-----w- c:\windows\system32\LogFiles
2010-06-16 10:34 . 2009-07-31 04:57 1172480 -c----w- c:\windows\system32\dllcache\msxml3.dll
2010-06-16 10:30 . 2009-10-12 13:54 69632 -c----w- c:\windows\system32\dllcache\raschap.dll
2010-06-16 10:30 . 2009-10-12 13:54 112128 -c----w- c:\windows\system32\dllcache\rastls.dll
2010-06-16 10:29 . 2009-10-15 17:21 82432 -c----w- c:\windows\system32\dllcache\fontsub.dll
2010-06-16 10:20 . 2008-05-08 12:28 202752 -c----w- c:\windows\system32\dllcache\rmcast.sys
2010-06-16 10:15 . 2009-11-27 16:37 8704 -c----w- c:\windows\system32\dllcache\tsbyuv.dll
2010-06-16 10:15 . 2009-11-27 16:37 84992 -c----w- c:\windows\system32\dllcache\avifil32.dll
2010-06-16 10:15 . 2009-11-27 16:37 48128 -c----w- c:\windows\system32\dllcache\iyuv_32.dll
2010-06-16 10:15 . 2009-11-27 16:37 28672 -c----w- c:\windows\system32\dllcache\msvidc32.dll
2010-06-16 10:15 . 2009-11-27 16:37 11264 -c----w- c:\windows\system32\dllcache\msrle32.dll
2010-06-16 10:15 . 2010-02-12 04:47 100864 -c----w- c:\windows\system32\dllcache\6to4svc.dll
2010-06-16 10:15 . 2008-08-14 09:51 138368 -c----w- c:\windows\system32\dllcache\afd.sys
2010-06-16 10:15 . 2008-06-20 17:41 245248 -c----w- c:\windows\system32\dllcache\mswsock.dll
2010-06-16 10:15 . 2008-06-20 10:45 360320 -c----w- c:\windows\system32\dllcache\tcpip.sys
2010-06-16 10:14 . 2010-01-29 15:08 683520 -c----w- c:\windows\system32\dllcache\inetcomm.dll
2010-06-16 10:14 . 2010-01-29 15:08 1315840 -c----w- c:\windows\system32\dllcache\msoe.dll
2010-06-16 10:12 . 2009-06-05 07:42 655872 -c----w- c:\windows\system32\dllcache\mstscax.dll
2010-06-16 10:12 . 2008-10-15 16:57 332800 -c----w- c:\windows\system32\dllcache\netapi32.dll
2010-06-16 10:10 . 2008-10-23 13:01 283648 -c----w- c:\windows\system32\dllcache\gdi32.dll
2010-06-16 10:03 . 2008-04-21 10:02 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2010-06-16 08:09 . 2010-06-16 08:09 2568656 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2010-06-16 08:09 . 2010-06-17 03:41 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-06-16 07:36 . 2010-06-16 07:36 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-06-16 07:36 . 2010-06-17 03:41 -------- d-----w- c:\program files\DAEMON Tools Lite
2010-06-16 07:35 . 2010-06-28 00:24 -------- d-----w- c:\documents and settings\Gary Zhao\Application Data\DAEMON Tools Lite
2010-06-16 07:35 . 2010-06-16 07:36 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2010-06-16 07:19 . 2010-06-16 07:19 -------- d-----w- c:\program files\Combined Community Codec Pack
2010-06-16 07:06 . 2010-06-16 07:06 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-06-16 07:00 . 2010-06-16 07:00 -------- d-----w- c:\program files\Haali
2010-06-16 07:00 . 2010-06-16 07:20 -------- d-----w- c:\program files\CoreCodec
2010-06-16 06:50 . 2010-06-16 06:50 -------- d-----w- c:\documents and settings\Gary Zhao\Application Data\Media Player Classic
2010-06-16 06:47 . 2010-07-02 04:17 -------- d-----w- C:\Media
2010-06-16 06:45 . 2010-07-06 08:24 -------- d-----w- c:\program files\QvodPlayer
2010-06-16 06:45 . 2010-06-16 07:12 -------- d-----w- c:\program files\MPC HomeCinema
2010-06-16 06:18 . 2010-06-16 06:18 -------- d-----w- c:\program files\uTorrent
2010-06-16 06:17 . 2010-07-15 05:30 -------- d-----w- c:\documents and settings\Gary Zhao\Application Data\uTorrent
2010-06-16 06:05 . 2010-07-15 05:18 -------- d-----w- c:\program files\Steam
2010-06-16 05:56 . 2010-06-16 05:56 0 ----a-w- c:\windows\nsreg.dat
2010-06-16 05:56 . 2010-06-16 05:56 -------- d-----w- c:\documents and settings\Gary Zhao\Local Settings\Application Data\Mozilla
2010-06-16 05:51 . 2010-06-16 05:51 -------- d-sh--w- c:\documents and settings\Gary Zhao\PrivacIE
2010-06-16 05:47 . 2008-05-01 14:30 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2010-06-16 05:45 . 2010-06-16 05:45 -------- d-sh--w- c:\documents and settings\Gary Zhao\IETldCache
2010-06-16 05:44 . 2010-06-17 10:05 -------- d-----w- c:\windows\ie8updates
2010-06-16 05:42 . 2010-06-16 05:43 -------- dc-h--w- c:\windows\ie8
2010-06-16 05:38 . 2009-07-17 18:55 58880 -c----w- c:\windows\system32\dllcache\atl.dll
2010-06-16 05:32 . 2010-05-06 10:41 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-06-16 05:32 . 2010-05-06 10:41 599040 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-06-16 05:32 . 2010-05-06 10:41 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-06-16 05:32 . 2010-05-06 10:41 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-06-16 05:32 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-16 05:32 . 2010-05-06 10:41 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-06-16 05:32 . 2010-05-06 10:41 11076096 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-06-16 05:31 . 2010-04-16 11:43 41984 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-06-16 05:31 . 2008-02-26 11:59 294912 -c----w- c:\windows\system32\dllcache\msctf.dll
2010-06-16 05:24 . 2006-03-15 12:00 59904 -c--a-w- c:\windows\system32\dllcache\imkrinst.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-15 03:02 . 2006-08-10 09:41 -------- d-----w- c:\program files\Sony
2010-07-15 03:02 . 2006-08-10 08:53 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-15 02:56 . 2006-08-10 09:16 -------- d-----w- c:\program files\Windows Media Connect
2010-07-15 02:51 . 2006-08-10 09:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Napster
2010-07-15 02:43 . 2006-08-10 09:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony Corporation
2010-07-07 08:35 . 2006-08-10 09:13 -------- d-----w- c:\program files\Common Files\Java
2010-07-07 08:34 . 2006-08-10 09:13 -------- d-----w- c:\program files\Java
2010-06-28 00:25 . 2006-08-10 09:50 -------- d-----w- c:\program files\Common Files\Adobe
2010-06-27 18:19 . 2006-08-10 09:55 -------- d-----w- c:\program files\MobiTV
2010-06-16 05:09 . 2010-06-15 14:24 132 ----a-w- c:\documents and settings\Gary Zhao\Local Settings\Application Data\fusioncache.dat
2010-06-15 14:24 . 2010-06-15 14:24 0 ---ha-r- c:\windows\system32\drivers\Sony_VGN-C140G.mrk
2010-06-15 07:49 . 2006-08-10 09:38 -------- d-----w- c:\program files\Common Files\Sony Shared
2010-06-15 07:46 . 2010-06-15 14:24 -------- d-----w- c:\documents and settings\Gary Zhao\Application Data\Intuit
2010-06-15 07:46 . 2010-06-15 14:24 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Intuit
2010-06-15 07:41 . 2010-06-15 14:24 13888 ----a-w- c:\documents and settings\Gary Zhao\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-15 07:31 . 2010-06-15 14:24 -------- d-----w- c:\documents and settings\Gary Zhao\Application Data\Sony Corporation
2010-06-15 07:31 . 2010-06-15 14:24 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Sony Corporation
2010-06-15 07:31 . 2006-08-10 09:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\Sony Corporation
2010-05-06 10:41 . 2006-08-10 07:32 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:56 . 2006-08-10 07:32 1850880 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:51 . 2006-08-10 07:32 285696 ----a-w- c:\windows\system32\atmfd.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-07-07_06.12.44 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-15 05:32 . 2010-07-15 05:32 16384 c:\windows\Temp\Perflib_Perfdata_2b0.dat
+ 2010-07-07 08:34 . 2010-07-07 08:34 153376 c:\windows\system32\javaws.exe
+ 2010-07-07 08:34 . 2010-07-07 08:34 145184 c:\windows\system32\javaw.exe
+ 2010-07-07 08:34 . 2010-07-07 08:34 145184 c:\windows\system32\java.exe
+ 2010-07-07 08:35 . 2010-07-07 08:35 180224 c:\windows\Installer\80535.msi
+ 2010-07-07 08:34 . 2010-07-07 08:34 576000 c:\windows\Installer\80530.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\steam\steam.exe" [2010-06-16 1238352]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-06-16 322352]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-04-05 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-04-05 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-04-05 118784]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-11-18 118784]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"SkyTel"="SkyTel.EXE" [2006-05-17 2879488]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-08-25 53248]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]
"VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2005-10-12 151552]
"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2006-08-27 217088]
"Switcher.exe"="c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe" [2006-02-14 176128]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-09-29 2054360]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2006-06-20 23:11 73728 ----a-w- c:\windows\system32\VESWinlogon.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\QvodPlayer\\QvodTerminal.exe"=
"c:\\Program Files\\Steam\\steamapps\\garyzhao\\counter-strike\\hl.exe"=

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [9/29/2009 1:02 PM 108792]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [9/29/2009 1:05 PM 96408]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [9/29/2009 1:03 PM 735960]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [7/6/2010 1:03 AM 304464]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [7/6/2010 1:03 AM 20952]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [8/10/2006 12:33 AM 226304]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/16/2010 12:36 AM 691696]
 
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://www.sony.com/vaiopeople
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Gary Zhao\Application Data\Mozilla\Firefox\Profiles\434nyf9t.default\
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-14 22:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\docume~1\GARYZH~1\LOCALS~1\Temp\RGI4.tmp 7075 bytes

scan completed successfully
hidden files: 1

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x854C2EC5]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7622fc3
\Driver\ACPI -> ACPI.sys @ 0xf7495cb8
\Driver\atapi -> atapi.sys @ 0xf742f7b4
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582544
ParseProcedure -> ntkrnlpa.exe @ 0x80581684
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582544
ParseProcedure -> ntkrnlpa.exe @ 0x80581684
NDIS: Intel(R) PRO/Wireless 3945ABG Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf733cba0
PacketIndicateHandler -> NDIS.sys @ 0xf7349b21
SendHandler -> NDIS.sys @ 0xf732787b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(884)
c:\windows\system32\WININET.dll
c:\windows\system32\VESWinlogon.dll

- - - - - - - > 'lsass.exe'(944)
c:\windows\system32\WININET.dll
.
Completion time: 2010-07-14 22:46:19
ComboFix-quarantined-files.txt 2010-07-15 05:46
ComboFix2.txt 2010-07-07 20:56
ComboFix3.txt 2010-07-07 06:15

Pre-Run: 22,147,166,208 bytes free
Post-Run: 22,119,608,320 bytes free

- - End Of File - - 5010444E868D0B1EEC1001FE56B2A776
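Reading a ComboFix report like the one above by hand means scanning hundreds of "Files Created" lines for the few that matter: new kernel drivers, hidden/system objects, files in Temp directories, and autorun entries that point somewhere odd. The script below is an added example written for this thread (it is not part of ComboFix or of this forum) that parses a constructed sample modelled on the report format above and applies those four triage rules. The sample reuses paths that appear in this thread (the driver named in the CFScript, the Temp file found by catchme, the Run keys), but the sizes, dates and the "updater" autorun entry are made up, and the meaning assigned to the attribute string (position 0 directory, 2 system, 3 hidden) is an assumption drawn from the entries in the report.

```python
import re

# Constructed sample modelled on the ComboFix report format in this thread:
# section banners, "Files Created" lines and REGEDIT4 autorun entries.
# Sizes/dates for the suspicious entries and the "updater" value are invented.
SAMPLE_REPORT = r"""
((((((((((((((((((((((((( Files Created from 2010-06-15 to 2010-07-15 )))))))))))))))))))))))))))))))
.
2010-07-07 08:34 . 2010-07-07 08:34 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-06 08:03 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-01 03:12 . 2010-07-01 03:12 41472 ----a-w- c:\windows\system32\drivers\jwubcpjy.sys
2010-06-27 20:09 . 2010-06-27 20:09 -------- d-sh--w- c:\documents and settings\Gary Zhao\IECompatCache
2010-06-30 11:00 . 2010-06-30 11:00 7075 ---ha-w- c:\docume~1\GARYZH~1\LOCALS~1\Temp\RGI3.tmp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\steam\steam.exe" [2010-06-16 1238352]
"updater"="c:\docume~1\GARYZH~1\LOCALS~1\Temp\RGI3.tmp" [2010-06-30 7075]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-09-29 2054360]
"""

# created . modified size attributes path   (size is "--------" for directories)
FILE_RE = re.compile(r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) '
                     r'(-{8}|\d+) ([a-z-]{8}) (.+)$')
KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
RUN_RE = re.compile(r'^"([^"]+)"="([^"]*)" \[(\d{4}-\d{2}-\d{2}) (\d+)\]$')
TEMP_RE = re.compile(r'\\(temp|tmp)\\', re.IGNORECASE)


def parse_report(text):
    """Return (files, autoruns) parsed from a ComboFix-style report."""
    files, autoruns = [], []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = FILE_RE.match(line)
        if m:
            created, modified, size, attrs, path = m.groups()
            files.append({"created": created, "modified": modified,
                          "size": None if size.startswith("-") else int(size),
                          "is_dir": attrs[0] == "d",      # assumed attribute layout
                          "system": attrs[2] == "s",
                          "hidden": attrs[3] == "h",
                          "path": path})
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = RUN_RE.match(line)
        if m and current_key:
            name, path, date, size = m.groups()
            autoruns.append({"key": current_key, "name": name, "path": path,
                             "date": date, "size": int(size)})
    return files, autoruns


def triage(files, autoruns):
    """Apply simple review rules; returns a list of (path, [reasons])."""
    findings = []
    for f in files:
        p = f["path"].lower()
        reasons = []
        if not f["is_dir"] and p.endswith(".sys") and "\\drivers\\" in p:
            reasons.append("new kernel driver")
        if f["hidden"] and f["system"]:
            reasons.append("hidden+system attributes")
        if not f["is_dir"] and TEMP_RE.search(p):
            reasons.append("file created in a Temp directory")
        if reasons:
            findings.append((f["path"], reasons))
    for a in autoruns:
        p = a["path"].lower()
        if TEMP_RE.search(p) or not p.startswith(("c:\\program files", "c:\\windows")):
            findings.append((a["path"], [f"autorun from unusual location ({a['key']})"]))
    return findings


if __name__ == "__main__":
    files, autoruns = parse_report(SAMPLE_REPORT)
    for path, reasons in triage(files, autoruns):
        print(f"{path}: {'; '.join(reasons)}")
```

Every new driver is surfaced, including the legitimate Malwarebytes one, because the rules are meant to shortlist entries for a human to check against the date and vendor, not to decide on their own; the randomly named driver and the Temp-directory file end up on the same short list the helper built by hand.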
 
Ken, you have a directory named C:\ALLDATAW. I used a script to look and see what files were in it. It appears to be automotive related; for the most part it's images but it has other files and it was set up in 1998. Did you create this directory? Is this a work computer?

One of the exe files is named ADiShopVehicleServer.exe and appears to be only available as a torrent download. Another entry is OnlinePromo.html which is a marketing tool. The contents must be very large due to the number of files.

The contents of this folder alone would indicate a rich source of potential ad pop-ups.
 
Yes, I did create that directory; this program never caused me any problem before. I also deleted as told, but my PC doesn't seem to do any better. This is a personal computer. What should I do next?
 
Sorry- I lost you! Please run the following:

Download TDSSKiller. Extract the zipped file to your desktop.

Go to Start ->Run. Type/Copy and Paste the following text into the prompt:
Code:
"%userprofile%\Desktop\TDSSKiller.exe" -l C:\report.txt -v
  • This will have the program write a detailed log
  • The screen will resemble this black screen:
2663_5.jpg

  • If malicious services or files have been detected, the utility will prompt to reboot the PC in order to complete the disinfection procedure. Please reboot when prompted.
  • After reboot, the driver will delete malicious registry keys and files as well as remove itself from the services list.
  • You should get a screen like this:
TDSSKillerResults.jpg

  • A log file named report.txt should have been created and saved to the root directory (usually C:\report.txt).
  • Follow the prompts and attach the report to your next reply.

And then please clearly describe what problems remain.
 
Thanks for the reply. I got an error using TDSSKiller on the command line saying "valid command line parameters", so I just ran the exe. I don't know if that would make any difference; if so, how do I get it to run? For my computer, I realized that I couldn't go to certain sites, so I removed Malwarebytes and I can get to those sites fine now. So should I reinstall Malwarebytes? Of course without Malwarebytes there's no sign saying blocked IP or anything like that, but the computer seems to run fine. But anyway, here's the log. Thank you.
View attachment TDSSKiller.2.4.0.0_24.07.2010_00.37.51_log.txt
 
You continue to have uTorrent running in the background. Please uninstall it or disable it.

Download Bootkit Remover and save to your Desktop
  1. You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
  2. After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users, right click on remover.exe and click Run As Administrator).
  3. You will see a Black screen with some data on it.
  4. Right click on the screen and click Select All.
  5. Press CTRL+C to Copy
  6. Open a Notepad and press CTRL+V to Paste.
  7. Include the report in your next post.
Credits to Broni

Follow with another Eset scan:

Run Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Re-enable your Antivirus software.
  10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Give a specific description of any remaining problems.
 
My computer seems to be running without any issues after removing Malwarebytes. So I guess I should stay away from that program? Thanks Bobbye

Bootkit:

Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com

Program version: 1.1.0.0
OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000001`c01a2400
Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

Size Device Name MBR Status
--------------------------------------------
111 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


Done;
Press any key to quit...


Eset online scanner:


# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=ded4fe262198544890088449b76f1486
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-07-25 08:26:50
# local_time=2010-07-25 01:26:50 (-0800, Pacific Daylight Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 2534243 2534243 0 0
# compatibility_mode=8199 39157077 100 100 0 25702803 0 0
# scanned=69623
# found=0
# cleaned=0
# scan_time=3021
# nod_component=V3 Build:0x30000000
 
Wasn't Malwarebytes what was blocking the foreign site? I don't know whether those sites were incoming scans from the internet or outgoing attempts from something in your system to contact those sites on the internet. It makes a big difference. If you are getting alerts for attempts to access your computer and they bother you, you should be able to stop the alerts from flashing but still let Mbam do its job.

If you don't have a firewall:
I recommend either of these software firewalls; both are free:
You should have only one software firewall. You may also use a router. Most routers have a hardware firewall in them. You can use both hardware and software firewalls together, but use only one software firewall.

If problems have been resolved:
Removing all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
  • Choose Disk Cleanup
  • Click "OK" to select the partition or drive you want.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


Empty the Recycle Bin

Let me know if I can be of any more help.
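The incoming-versus-outgoing distinction above is the whole point of reading an IP-block alert. As an added example (not from the thread or from Malwarebytes), this Python script parses constructed log lines in the style of an IP-block protection log, treats blocked incoming connections as background noise and surfaces outgoing attempts, which would mean something already on the system is calling out. The log format, process names and 192.0.2.x/198.51.100.x/203.0.113.x addresses are all assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the style of an IP-block protection log.
# Hypothetical values: the addresses are from the documentation ranges.
SAMPLE_LOG = """\
00:12:01 Owner IP-BLOCK 192.0.2.10 (Type: incoming)
00:12:45 Owner IP-BLOCK 192.0.2.10 (Type: incoming)
00:13:07 Owner IP-BLOCK 198.51.100.7 (Type: outgoing, Port: 80, Process: svchost.exe)
00:15:30 Owner IP-BLOCK 192.0.2.10 (Type: incoming)
00:16:02 Owner IP-BLOCK 198.51.100.7 (Type: outgoing, Port: 80, Process: svchost.exe)
00:20:00 Owner IP-BLOCK 203.0.113.5 (Type: outgoing, Port: 443, Process: firefox.exe)
"""

# Assumed line layout: "IP-BLOCK <ip> (Type: <direction>[, Port: n][, Process: name])"
LINE_RE = re.compile(
    r"IP-BLOCK (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"\(Type: (?P<dir>incoming|outgoing)"
    r"(?:, Port: (?P<port>\d+))?(?:, Process: (?P<proc>[^)]+))?\)"
)


def parse_blocks(text):
    """Return (ip, direction, port, process) for every IP-BLOCK line; skip the rest."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m["ip"], m["dir"], m["port"], m["proc"]))
    return events


def triage(events):
    """Split events: incoming blocks are counted as noise, outgoing blocks are
    grouped by remote IP with the local process/port that tried to reach it."""
    noise = Counter(ip for ip, d, _, _ in events if d == "incoming")
    investigate = {}
    for ip, d, port, proc in events:
        if d == "outgoing":
            investigate.setdefault(ip, set()).add((proc or "unknown", port))
    return noise, investigate


if __name__ == "__main__":
    noise, investigate = triage(parse_blocks(SAMPLE_LOG))
    for ip, n in noise.items():
        print(f"incoming scan from {ip} blocked {n}x - normal, nothing to clean")
    for ip, origins in investigate.items():
        for proc, port in sorted(origins):
            print(f"OUTGOING to {ip}:{port} from {proc} - check that process")
```

Repeated outgoing blocks from a system process are the case the post is asking the user to distinguish: the firewall is doing its job, but the thing generating the traffic is local.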
 
You're welcome. Glad to help. Here are some tips for you:


Please follow these simple steps to keep your computer clean and secure:


Stay current on updates:
  • Visit the Microsoft Download Site frequently. You should get All updates marked Critical and the current SP updates: Windows XP> SP2, SP3.
  • Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
  • Check this site: Java Updates. Stay current, as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.

Make Internet Explorer safer. Follow the suggestions HERE. This tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features.

Do regular Maintenance
  • Remove Temporary Internet Files regularly:
    [o]ATF Cleaner by Atribune
    OR
    [o]TFC
  • Disable and Enable System Restore:
    [o]See System Restore Guide This will help you understand what this is, why you need to clean and set restore points and what information is in them.

Have layered Security:
  • Antivirus Software (only one): Both of the following programs are free and known to be good:
    [o]Avira Free
    [o]Avast Home
  • Firewall (only one): Use bi-directional firewall. Both of the following programs are free and known to be good:
    [o]Comodo
    [o]Zone Alarm
  • Antispyware: I recommend all of the following:
    [o]Spywareblaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
    [o]IE/Spyad This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
    [o]MVPS Hosts files This replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
    [o]Google Toolbar Get the free google toolbar to help stop pop up windows.
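To show what a HOSTS file like the one recommended above actually does, here is an added Python example (not from the thread or from MVPS) that parses constructed HOSTS entries and resolves names against them the way the resolver does: a listed domain maps to the loopback address and never reaches the network. The domain names are assumptions; MVPS-style lists also use 0.0.0.0 as a sink, so both forms are handled.

```python
import ipaddress

# Constructed HOSTS content (hypothetical domains) in the usual format:
# "<address> <hostname> [more hostnames] [# comment]".
SAMPLE_HOSTS = """\
# MVPS-style block list (constructed sample)
127.0.0.1  localhost
127.0.0.1  ads.example.com  banners.example.com   # ad network
0.0.0.0    tracker.example.net
   # indented comment and a blank line below

127.0.0.1  Mixed.Case.Example.org
"""

SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Map each hostname (lower-cased) to the address on its line, ignoring comments."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        addr, *names = line.split()
        ipaddress.ip_address(addr)               # raises on a malformed address
        for name in names:
            table[name.lower()] = addr
    return table


def resolve(table, hostname):
    """Return the address the HOSTS file pins a name to, or None (go to DNS)."""
    return table.get(hostname.lower())


def is_blocked(table, hostname):
    """True when the name is redirected to the local machine, i.e. never contacted."""
    return resolve(table, hostname) in SINKHOLES


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name in ("ads.example.com", "BANNERS.example.com", "tracker.example.net", "www.example.com"):
        print(f"{name}: {'blocked' if is_blocked(hosts, name) else 'resolved via DNS'}")
```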
 