# Infected with Win32/Olmarik trojan



## Shiromagius (Jan 14, 2010)

I am infected with the Olmarik Trojan. Every time I boot up, NOD32 does its normal startup scan and finds the Olmarik trojan in memory, but is unable to clean it. I have done a NOD32 full system scan and it found and deleted many parts and files associated with this trojan (as well as other viruses), but it is unable to fully get rid of it. It also finds a Kryptik.BSW Trojan at file location \\?\globalroot\systemroot\system32\H8SRTaxfdksiqll.dll and manages to delete that, but it also keeps coming back. I have done a full system scan with Spyware Doctor and it always finds one or two tracking cookies and a registry entry (HKEY_LOCAL_MACHINE\SOFTWARE\AntiMalware) flagged as RougueAntiSpyware.AntiMalware2009. I have cleaned it on numerous occasions, but it keeps coming back. Every time I reboot, NOD32 finds the same trojan but is unable to clean it, and Spyware Doctor finds the same stuff and "cleans" it over and over, but they keep coming back. While working on trying to resolve this issue, windows are constantly going out of focus, but no other window is taking the focus. I have to continue to select the window in order to work in that window. Also, sometimes when browsing the net and I click on a link (a google result for instance), it diverts me to random other sites that I do not want to go to. I quickly hit ESC when I see I am being diverted and use the back button to go to where I want to be. Sometimes this takes a few tries to not get diverted.

Any help would be much appreciated.

Thanks.

Here is my HijackThis Log:
```
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:45:05 PM, on 1/13/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\AOL\1186675143\ee\AOLSoftware.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\Iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1186675143\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://69.44.122.156/scanner/ppctlcab.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://69.44.122.156/scanner/axscanner.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 7056 bytes
```


----------



## Shiromagius (Jan 14, 2010)

bump

UPDATE: Installed Malwarebytes' Anti-Malware, but was unable to get it to actually run. It took several minutes to install, hanging up at the very end of the install (100%). Finally it finished, but every time I try to run the program (either in normal mode or safe mode), the process loads, but I get no visual of the program and then the process just goes away after some time. Don't know if something is preventing it from running and/or killing the process or what. I have also noticed that the process iexplore.exe is always running, regardless of whether or not I have an Internet Explorer browser open or not. I have killed the process, but it keeps coming back on its own. Ran NOD SysInspector and it found that iexplore.exe, firefox.exe, winlogon.exe, and 6 of the 7 svchost.exe processes running are all linked to \\?\globalroot\systemroot\system32\H8SRTaxfdksiqll.dll

Please help!

Here is the latest HJT scan results:

```
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:10:48 PM, on 1/15/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\AOL\1186675143\ee\AOLSoftware.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1186675143\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://69.44.122.156/scanner/ppctlcab.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://69.44.122.156/scanner/axscanner.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 7359 bytes
```


----------



## Shiromagius (Jan 14, 2010)

Bump


----------



## Shiromagius (Jan 14, 2010)

Bump again. I know you guys are busy, but it's been almost a week now


----------



## Shiromagius (Jan 14, 2010)

bump again. Going to bump every 48 hours until I get a response.


----------



## Shiromagius (Jan 14, 2010)

UPDATE:
So today when I started my computer, Spyware Doctor failed to load. Checking the event viewer, it appears that the Aux service timed out while trying to load. I tried starting the service manually, and got the same results (timeout). Fails to start even in safe mode. I have also noticed that a reg file is being created in my Docs & Settings\username\Local Settings\Temp\ folder. The reg file is called test (which is a red flag for me) and it contains a lot of things to do with iexplorer. The comments at the top say that it's to make it the default browser (which it is automatically doing, even when I tell firefox to be my default), but who knows what it's ACTUALLY doing. I renamed the regfile, and on next reboot, another regfile with the old name appeared. Still cannot get mbam to run, have tried changing the name, extension (to .bat), and both, and all times, the process runs, but nothing happens and then after a couple minutes the process goes away.

I am in need of some desperate help here, please, can anyone help me?!


----------



## Shiromagius (Jan 14, 2010)

Bump


----------



## NeonFx (Oct 22, 2008)

Hello there. Welcome to the TSG Forums.
My name is *NeonFx*. I'll be glad to help you with your computer problems. Logs can take some time to research, so please be patient with me.

Please note the following:

- The fixes are specific to your problem and should only be used on this machine.
- Please continue to review my answers until I tell you your machine appears to be clean. Absence of symptoms does not necessarily mean that the system is completely clean.
- It's often worth reading through these instructions and printing them for ease of reference. I may ask you to boot into Safe Mode where you will be unable to follow my instructions online.
- If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
- Please reply to this thread. Do not start a new topic.

*Step 1*

Download *OTS* to your Desktop

- Close *ALL OTHER PROGRAMS*.
- Double-click on *OTS.exe* to start the program.
- Check the box that says *Scan All Users*
- Under Additional Scans check the following:
  - Reg - Desktop Components
  - Reg - Disabled MS Config Items
  - Reg - NetSvcs
  - Reg - Shell Spawning
  - Reg - Uninstall List
  - File - Lop Check
  - File - Purity Scan
  - Evnt - EvtViewer (last 10)
- Please paste the contents of the following codebox into the *Custom Scans* box at the bottom


```
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
nvatabus.sys
si3112.sys
viadsk.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT
```

- Now click the *Run Scan* button on the toolbar.
- Let it run unhindered until it finishes.
- When the scan is complete *Notepad* will open with the report file loaded in it.
- Click the *Format* menu and make sure that *Wordwrap* is not checked. If it is then click on it to uncheck it.

Please *attach* the log in your next post. To do so click on the blue *"Reply"* button or *"Go Advanced"* and click on the "*Manage Attachments*" button

To ensure that I get all the information this log will need to be attached. If it is too large to attach then upload it to Dropio and post the sharing link/url (The Drop's URL will be similar to: http://drop.io/daerk)

*Step 2*

Download *RootRepeal* from one of the following locations and save it to your desktop:
*Link 1*
*Link 2*
*Link 3*

- Double click the RootRepeal icon to start the program
- Click on the *Report* tab at the bottom of the program window
- Click the *Scan* button
- In the *Select Scan* dialog, check:
  - *Drivers*
  - *Files*
  - *Processes*
  - *SSDT*
  - *Stealth Objects*
  - *Hidden Services*
  - *Shadow SSDT*
- Click the *OK* button
- In the next dialog, select *all drives* showing
- Click *OK* to start the scan. _Note: The scan can take some time. *DO NOT* run any other programs while the scan is running_
- When the scan is complete, click the *Save Report* button and save the report to your Desktop as *RootRepeal.txt*
- Go to *File*, then *Exit* to close the program

If the report is not too long, post the contents of RootRepeal.txt in your next reply. *If the report is very long*, it will not be complete if you post it, so please *attach* it to your reply instead.


----------



## Shiromagius (Jan 14, 2010)

Hey NeonFX, 
Thanks for helping me out with this fiasco. I tried downloading OTS, but I got a thing from google toolbar saying DNS error - cannot find server. I tried downloading on a different computer and it worked just fine, but then copying the file over the network failed, saying Access Denied and to make sure it wasn't in use (which it wasn't). I have also seen this google toolbar dns thing appear before when trying to go to amazon, which I am pretty sure is always up and running.

Do you have an alternative link to download OTS from? I was able to successfully download rootrepeal but haven't run it yet.

Thanks,
Shiro


----------



## NeonFx (Oct 22, 2008)

The infection is probably interfering. Please get it from HERE instead.


----------



## Shiromagius (Jan 14, 2010)

Grabbing OTS from that other site worked. I forgot to close all of my background programs before running OTS (like my anti-virus etc), but I did not have any open windows when I ran the scan. I can re-scan if you need me to.

Here are my results:


----------



## NeonFx (Oct 22, 2008)

Alright. Let's deal with that big guy before moving on.

Open *RootRepeal*, click the *Drivers* tab and select *Scan*. Right click and select *Wipe File* on:

*H8SRTmeyqxwbpxd.sys*

Click the *Files* tab and select *Scan*. Right click and select *Wipe File* on any file that begins with the following:

*H8SRT*

Do the same for the Hidden Services tab.

*Reboot your machine*

Then let's run RootRepeal again:

- Double click the RootRepeal icon to start the program
- Click on the *Report* tab at the bottom of the program window
- Click the *Scan* button
- In the *Select Scan* dialog, check:
  - *Drivers*
  - *Files*
  - *Processes*
  - *SSDT*
  - *Stealth Objects*
  - *Hidden Services*
  - *Shadow SSDT*
- Click the *OK* button
- In the next dialog, select *all drives* showing
- Click *OK* to start the scan. _Note: The scan can take some time. *DO NOT* run any other programs while the scan is running_
- When the scan is complete, click the *Save Report* button and save the report to your Desktop as *RootRepeal.txt*
- Go to *File*, then *Exit* to close the program

If the report is not too long, post the contents of RootRepeal.txt in your next reply. *If the report is very long*, it will not be complete if you post it, so please *attach* it to your reply instead.


----------



## Shiromagius (Jan 14, 2010)

Upon the reboot as you requested, I noticed that my spyware doctor services started again (yay) and my antivirus did not find that infected file it always finds (because it was deleted, double yay). As I was wiping all of the files etc, they all would disappear from the list. All except the hidden service. I wiped that one, said it was wiped successfully, but did not go off the list. When I re-scanned with root repeal, that service was in the log file.

Here are results:

```
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:        2010/01/26 09:20
Program Version:        Version 1.3.5.0
Windows Version:        Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEE352000    Size: 98304    File Visible: No    Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7BAD000    Size: 8192    File Visible: No    Signed: -
Status: -

Name: mchInjDrv.sys
Image Path: C:\WINDOWS\system32\Drivers\mchInjDrv.sys
Address: 0xF7CC7000    Size: 2560    File Visible: No    Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEE0A6000    Size: 49152    File Visible: No    Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Jade\Application Data\Mozilla\Firefox\Profiles\f5qp1qzg.default\bookmarks.bak
Status: Visible to the Windows API, but not on disk.

SSDT
-------------------
#: 019    Function Name: NtAssignProcessToJobObject
Status: Hooked by "<unknown>" at address 0x868838a0

#: 031    Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x86a66370

#: 122    Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x86882cb0

#: 128    Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0x868830d0

#: 253    Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x868836d0

#: 254    Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x868834f0

#: 257    Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x86882ee0

#: 258    Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x86883310

Stealth Objects
-------------------
Object: Hidden Code [ETHREAD: 0x86c7ca78]
Process: System    Address: 0x86881930    Size: 1000

Hidden Services
-------------------
Service Name: H8SRTd.sys
Image Path: C:\WINDOWS\system32\drivers\H8SRTmeyqxwbpxd.sys

==EOF==
```
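A helper reads a RootRepeal report like the one above by eye: hidden services and stealth objects are the rootkit itself, SSDT hooks owned by "<unknown>" and drivers with no file on disk need an owner before they can be called benign. The following Python script is an added example for this thread, not code from the thread, from RootRepeal or from TSG. It parses the report's section/record layout (inferred from the posted output) and turns the records into triage findings. The embedded report is a shortened, constructed excerpt modelled on the one posted; the allowlist of legitimately memory-only drivers (`dump_` copies of the boot storage stack and RootRepeal's own driver) and the default `H8SRT` prefix are assumptions taken from this thread.

```python
"""Parse a RootRepeal report and pull out the rootkit indicators (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed excerpt modelled on the report posted in the thread (shortened).
SAMPLE_REPORT = r"""ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:        2010/01/26 09:20
Program Version:        Version 1.3.5.0
Windows Version:        Windows XP SP2
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEE0A6000    Size: 49152    File Visible: No    Signed: -
Status: -

SSDT
-------------------
#: 122    Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x86882cb0

Stealth Objects
-------------------
Object: Hidden Code [ETHREAD: 0x86c7ca78]
Process: System    Address: 0x86881930    Size: 1000

Hidden Services
-------------------
Service Name: H8SRTd.sys
Image Path: C:\WINDOWS\system32\drivers\H8SRTmeyqxwbpxd.sys

==EOF==
"""

# Assumption: drivers that are legitimately memory-only (crash-dump copies of the
# boot storage stack, and the scanner's own driver).
BENIGN_INVISIBLE = ("dump_", "rootrepeal.sys")
SECTION_RULE = "-------------------"
Record = Dict[str, str]


@dataclass
class Finding:
    section: str
    severity: str  # "high": object hidden from the OS; "review": needs attribution
    detail: str


def parse_report(text: str) -> Dict[str, List[Record]]:
    """Split the report into {section title: [record, ...]}.

    A section title is the line just before a dashed rule. Records are blank-line
    separated groups of 'Key: Value' pairs; one line may carry several pairs
    separated by runs of two or more spaces.
    """
    sections: Dict[str, List[Record]] = {}
    lines = text.splitlines()
    current = None
    record: Record = {}
    for i, line in enumerate(lines):
        stripped = line.strip()
        following = lines[i + 1].strip() if i + 1 < len(lines) else ""
        if following == SECTION_RULE:      # this line names a new section
            current, record = stripped, {}
            sections[current] = []
            continue
        if current is None or stripped == SECTION_RULE:
            continue                        # banner lines before the first section
        if not stripped or stripped == "==EOF==":
            if record:
                sections[current].append(record)
                record = {}
            continue
        for pair in re.split(r"\s{2,}", stripped):
            key, sep, value = pair.partition(": ")
            if sep:
                record[key] = value
    if record and current:
        sections[current].append(record)
    return sections


def triage(sections: Dict[str, List[Record]],
           suspect_prefixes: Tuple[str, ...] = ("H8SRT",)) -> List[Finding]:
    """Turn parsed records into findings; suspect_prefixes are file-name prefixes
    already tied to the infection (H8SRT is the one named in this thread)."""
    findings: List[Finding] = []
    prefixes = tuple(p.upper() for p in suspect_prefixes)
    for rec in sections.get("Hidden Services", []):
        name, path = rec.get("Service Name", "?"), rec.get("Image Path", "?")
        base = path.rsplit("\\", 1)[-1]
        known = name.upper().startswith(prefixes) or base.upper().startswith(prefixes)
        tag = " (matches known infection prefix)" if known else ""
        findings.append(Finding("Hidden Services", "high", f"{name} -> {path}{tag}"))
    for rec in sections.get("Stealth Objects", []):
        findings.append(Finding("Stealth Objects", "high",
                                f"{rec.get('Object', '?')} in process {rec.get('Process', '?')}"))
    for rec in sections.get("SSDT", []):
        status = rec.get("Status", "")
        # Security products hook the SSDT too, but RootRepeal attributes those to a
        # driver; "<unknown>" means the hook points outside any loaded module.
        if 'Hooked by "<unknown>"' in status:
            addr = re.search(r"at address (0x[0-9A-Fa-f]+)", status)
            findings.append(Finding("SSDT", "review",
                                    f"{rec.get('Function Name', '?')} (#{rec.get('#', '?')}) hooked by "
                                    f"unattributed code at {addr.group(1) if addr else '?'}"))
    for rec in sections.get("Drivers", []):
        name = rec.get("Name", "?")
        if rec.get("File Visible") == "No" and not name.lower().startswith(BENIGN_INVISIBLE):
            findings.append(Finding("Drivers", "review", f"{name} is loaded but has no visible file on disk"))
    return findings


if __name__ == "__main__":
    for f in triage(parse_report(SAMPLE_REPORT)):
        print(f"[{f.severity}] {f.section}: {f.detail}")
```

On the posted log the same logic would flag the H8SRTd.sys hidden service and the hidden thread in `System` as high, queue the eight unattributed SSDT hooks for review, and stay quiet on the `dump_*` drivers and `rootrepeal.sys`; `mchInjDrv.sys` would land in review because it is not on the allowlist, which is the point of an allowlist you have to extend on purpose.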


----------



## NeonFx (Oct 22, 2008)

Good. You should be able to do the following now:

*NOTE: ComboFix should NOT be used without supervision by someone trained in its use. It does a whole lot more to a system than just remove infected files.*

Download ComboFix from one of these locations:

*Link 1*
*Link 2*

*IMPORTANT !!! Save ComboFix.exe to your Desktop*

- *Disable your AntiVirus and AntiSpyware applications*, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. *Note*: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : *Disabling Security Programs*
- Double click on ComboFix.exe & follow the prompts.

*Note:* Combofix will run without the Recovery Console installed.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

*Please note:* If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message asking whether to continue. Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the *C:\ComboFix.txt* in your next reply.

*Notes:*

1. *Do not mouse-click ComboFix's window while it is running. That may cause it to stall.*
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. ComboFix prevents autorun of *ALL* CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you please let me know. An increasing number of infections are spreading using Autoplay and leaving it disabled is a good idea.
4. *CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.*


----------



## Shiromagius (Jan 14, 2010)

Here is the ComboFix Log: I disabled my antivirus/spyware protection as requested, but when ComboFix restarted my machine, my antivirus enabled itself on reboot.


```
ComboFix 10-01-26.02 - Jade 01/26/2010  16:10:43.1.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.1022.527 [GMT -8:00]
Running from: c:\documents and settings\Jade\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Thumbs.db
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\_000007_.tmp.dll
c:\windows\system32\_000010_.tmp.dll
c:\windows\system32\_000011_.tmp.dll
c:\windows\system32\Cache
c:\windows\system32\Cache\cd-rom.bmp
c:\windows\system32\Cache\db user privileges.bmp
c:\windows\system32\Cache\microsoft access.bmp
c:\windows\system32\Cache\peoples 1.bmp
c:\windows\system32\Cache\search find.bmp
c:\windows\system32\Cache\shop basket.bmp
c:\windows\system32\drivers\fad.sys
c:\windows\system32\drivers\H8SRTmeyqxwbpxd.sys
c:\windows\system32\H8SRTaxfdksiqll.dll
c:\windows\system32\h8srtkrl32mainweq.dll
c:\windows\system32\H8SRTkyymftginl.dat
c:\windows\system32\H8SRTnrbqerxlvm.dll
c:\windows\system32\h8srtshsyst.dll
c:\windows\system32\H8SRTulkdgomlwh.dll
c:\windows\system32\H8SRTxfuxoinscp.dll

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_H8SRTd.sys
-------\Service_H8SRTd.sys


(((((((((((((((((((((((((   Files Created from 2009-12-27 to 2010-01-27  )))))))))))))))))))))))))))))))
.

2010-01-22 19:01 . 2010-01-22 19:01    61440    ----a-w-    c:\documents and settings\Jade\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-5ab99376-n\decora-sse.dll
2010-01-22 19:01 . 2010-01-22 19:01    503808    ----a-w-    c:\documents and settings\Jade\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-20e86b40-n\msvcp71.dll
2010-01-22 19:01 . 2010-01-22 19:01    499712    ----a-w-    c:\documents and settings\Jade\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-20e86b40-n\jmc.dll
2010-01-22 19:01 . 2010-01-22 19:01    348160    ----a-w-    c:\documents and settings\Jade\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-20e86b40-n\msvcr71.dll
2010-01-22 19:01 . 2010-01-22 19:01    12800    ----a-w-    c:\documents and settings\Jade\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-5ab99376-n\decora-d3d.dll
2010-01-22 17:07 . 2010-01-26 17:04    1020    ----a-w-    c:\documents and settings\All Users\Application Data\h8srtkrl32mainweq.dll
2010-01-14 20:34 . 2010-01-08 00:07    38224    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-14 20:34 . 2010-01-23 01:39    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2010-01-14 20:34 . 2010-01-14 20:34    --------    d-----w-    c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-14 20:34 . 2010-01-08 00:07    19160    ----a-w-    c:\windows\system32\drivers\mbam.sys
2010-01-14 20:06 . 2010-01-14 20:06    --------    d-----w-    c:\documents and settings\Administrator\Local Settings\Application Data\BVRP Software
2010-01-14 17:44 . 2010-01-14 17:44    --------    d-sh--w-    c:\documents and settings\Administrator\PrivacIE
2010-01-14 17:22 . 2001-08-17 21:28    224802    ----a-w-    c:\windows\system32\dllcache\usr1807a.sys
2010-01-14 17:21 . 2001-08-18 06:36    106584    ----a-w-    c:\windows\system32\dllcache\spdports.dll
2010-01-14 17:20 . 2001-08-17 20:50    41216    ----a-w-    c:\windows\system32\dllcache\s3mt3d.sys
2010-01-14 17:19 . 2002-08-29 06:59    169984    ----a-w-    c:\windows\system32\dllcache\pcx500.sys
2010-01-14 17:18 . 2004-08-04 07:09    49024    ----a-w-    c:\windows\system32\dllcache\mstape.sys
2010-01-14 17:17 . 2004-08-04 06:41    606684    ----a-w-    c:\windows\system32\dllcache\ltmdmnt.sys
2010-01-14 17:16 . 2001-08-18 06:36    372824    ----a-w-    c:\windows\system32\dllcache\iconf32.dll
2010-01-14 17:15 . 2002-08-29 10:00    6144    ----a-w-    c:\windows\system32\dllcache\ftlx041e.dll
2010-01-14 17:14 . 2001-08-18 06:36    6729    ----a-w-    c:\windows\system32\dllcache\disrvci.dll
2010-01-14 17:13 . 2001-08-17 20:13    27164    ----a-w-    c:\windows\system32\dllcache\ce3n5.sys
2010-01-14 17:12 . 2001-08-18 06:36    102400    ----a-w-    c:\windows\system32\dllcache\binlsvc.dll
2010-01-14 17:11 . 2001-08-17 22:56    66048    ----a-w-    c:\windows\system32\dllcache\s3legacy.dll
2010-01-14 01:42 . 2010-01-14 01:42    --------    d-----w-    c:\program files\Trend Micro
2010-01-13 22:31 . 2010-01-13 22:31    --------    d-sh--w-    c:\documents and settings\Jade\IECompatCache
2010-01-13 21:32 . 2010-01-13 21:32    --------    d-----w-    c:\documents and settings\Jade\Application Data\PC Tools
2010-01-13 21:32 . 2010-01-13 21:32    --------    d-----w-    c:\documents and settings\All Users\Application Data\PC Tools
2010-01-13 18:17 . 2010-01-13 18:17    159600    ----a-w-    c:\windows\system32\drivers\pctgntdi.sys
2010-01-13 18:17 . 2008-12-10 19:36    64392    ----a-w-    c:\windows\system32\drivers\pctplsg.sys
2010-01-13 18:17 . 2010-01-13 18:17    206256    ----a-w-    c:\windows\system32\drivers\PCTCore.sys
2010-01-13 17:01 . 2010-01-13 18:14    --------    d-----w-    c:\program files\Common Files\PC Tools
2010-01-13 04:47 . 2010-01-13 22:28    --------    d-----w-    c:\program files\Spyware Doctor
2010-01-13 04:35 . 2010-01-27 00:21    --------    d---a-w-    c:\documents and settings\All Users\Application Data\TEMP
2010-01-13 04:24 . 2010-01-13 04:24    --------    d-----w-    c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2010-01-13 02:34 . 2010-01-13 02:34    --------    d-sh--w-    c:\documents and settings\Administrator\IETldCache
2010-01-13 02:33 . 2004-04-10 00:19    40080    ----a-w-    c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-13 01:53 . 2010-01-13 01:53    --------    d-sh--w-    c:\documents and settings\Jade\PrivacIE
2010-01-13 01:40 . 2010-01-13 01:40    --------    d-----w-    c:\documents and settings\Jade\Local Settings\Application Data\ESET
2010-01-13 00:58 . 2010-01-13 23:58    --------    d-----w-    c:\program files\ESET
2010-01-13 00:58 . 2010-01-13 00:58    --------    d-----w-    c:\documents and settings\All Users\Application Data\ESET
2010-01-13 00:29 . 2010-01-13 00:29    --------    d-sh--w-    c:\windows\system32\config\systemprofile\IETldCache
2010-01-05 23:39 . 2009-12-16 22:42    43008    ----a-w-    c:\documents and settings\Jade\Application Data\Mozilla\Firefox\Profiles\f5qp1qzg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-01-05 23:38 . 2009-12-16 22:42    340480    ----a-w-    c:\documents and settings\Jade\Application Data\Mozilla\Firefox\Profiles\f5qp1qzg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-01-05 23:38 . 2009-12-16 22:42    872960    ----a-w-    c:\documents and settings\Jade\Application Data\Mozilla\Firefox\Profiles\f5qp1qzg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-01-05 23:38 . 2009-12-16 22:41    346624    ----a-w-    c:\documents and settings\Jade\Application Data\Mozilla\Firefox\Profiles\f5qp1qzg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2009-12-29 18:20 . 2009-12-29 18:20    --------    d-sh--w-    c:\documents and settings\NetworkService\IETldCache
2009-12-29 18:20 . 2009-12-29 18:20    --------    d-----w-    c:\windows\system32\LogFiles

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-26 22:05 . 2004-04-15 19:39    1901    ----a-w-    c:\windows\panose.bin
2010-01-14 18:57 . 2010-01-14 18:57    --------    d-----w-    c:\program files\Common Files\Java
2010-01-14 18:57 . 2010-01-14 18:57    61440    ----a-w-    c:\documents and settings\Jade\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\759e98ee-5b3e34e4-n\decora-sse.dll
2010-01-14 18:57 . 2010-01-14 18:57    503808    ----a-w-    c:\documents and settings\Jade\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\759e98ee-5b3e34e4-n\msvcp71.dll
2010-01-14 18:57 . 2010-01-14 18:57    499712    ----a-w-    c:\documents and settings\Jade\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\759e98ee-5b3e34e4-n\jmc.dll
2010-01-14 18:57 . 2010-01-14 18:57    348160    ----a-w-    c:\documents and settings\Jade\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\759e98ee-5b3e34e4-n\msvcr71.dll
2010-01-14 18:57 . 2010-01-14 18:57    12800    ----a-w-    c:\documents and settings\Jade\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\759e98ee-5b3e34e4-n\decora-d3d.dll
2010-01-14 18:57 . 2010-01-14 18:57    315392    ----a-w-    c:\documents and settings\Jade\Application Data\Sun\Java\Deployment\SystemCache\6.0\62\6baea4fe-5718376a-n\jogl.dll
2010-01-14 18:57 . 2010-01-14 18:57    20480    ----a-w-    c:\documents and settings\Jade\Application Data\Sun\Java\Deployment\SystemCache\6.0\62\6baea4fe-5718376a-n\jogl_awt.dll
2010-01-14 18:57 . 2010-01-14 18:57    114688    ----a-w-    c:\documents and settings\Jade\Application Data\Sun\Java\Deployment\SystemCache\6.0\62\6baea4fe-5718376a-n\jogl_cg.dll
2010-01-14 18:57 . 2010-01-14 18:57    20480    ----a-w-    c:\documents and settings\Jade\Application Data\Sun\Java\Deployment\SystemCache\6.0\45\4f710eed-1fc0baf1-n\gluegen-rt.dll
2010-01-14 18:56 . 2010-01-14 18:57    411368    ----a-w-    c:\windows\system32\deploytk.dll
2010-01-14 18:56 . 2004-04-10 00:03    --------    d-----w-    c:\program files\Java
2010-01-13 18:17 . 2010-01-13 18:17    7396    ----a-w-    c:\windows\system32\drivers\pctcore.cat
2009-12-21 19:14 . 2004-02-07 01:05    916480    ----a-w-    c:\windows\system32\wininet.dll
2009-11-21 16:36 . 2002-08-29 10:00    470528    ----a-w-    c:\windows\AppPatch\aclayers.dll
2004-05-18 21:12 . 2004-05-18 21:12    18251    -c--a-w-    c:\program files\setuplog.txt
2004-04-14 17:33 . 2004-04-14 17:33    5019280    -c--a-w-    c:\program files\zlsSetup_45_594_000.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-11-13 98304]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-03-24 180269]
"HostManager"="c:\program files\Common Files\AOL\1186675143\ee\AOLSoftware.exe" [2006-09-26 50736]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-09-29 2054360]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2009-07-23 1181064]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-4-14 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2005-06-22 07:44    126976    ----a-w-    c:\windows\SYSTEM32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2005-06-22 07:48    155648    ----a-w-    c:\windows\SYSTEM32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\aol\\1186675143\\ee\\aolsoftware.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7445:TCP"= 7445:TCP:*:Disabled:BitComet 7445 TCP
"7445:UDP"= 7445:UDP:*:Disabled:BitComet 7445 UDP

R1 ehdrv;ehdrv;c:\windows\SYSTEM32\DRIVERS\ehdrv.sys [9/29/2009 1:02 PM 108792]
R1 epfwtdir;epfwtdir;c:\windows\SYSTEM32\DRIVERS\epfwtdir.sys [9/29/2009 1:05 PM 96408]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [9/29/2009 1:03 PM 735960]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [1/12/2010 8:32 PM 348752]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
DPF: ppctlcab - hxxp://69.44.122.156/scanner/ppctlcab.cab
FF - ProfilePath - c:\documents and settings\Jade\Application Data\Mozilla\Firefox\Profiles\f5qp1qzg.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://news.google.com/news
FF - component: c:\documents and settings\Jade\Application Data\Mozilla\Firefox\Profiles\f5qp1qzg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAbacheck.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-BitComet - c:\program files\BitComet\BitComet.exe
MSConfigStartUp-dla - c:\windows\system32\dla\tfswctrl.exe
MSConfigStartUp-Malware Defense - c:\program files\Malware Defense\mdefense.exe
MSConfigStartUp-twunk_32x - c:\docume~1\Jade\LOCALS~1\Temp\twunk_32x.exe
AddRemove-Bar Code Pro® 3.53 - c:\windows\unvise.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-26 16:21
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...  

scanning hidden autostart entries ... 

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EF6C66C5-6F12-D03C-CBD6A967D3458FDE}\{1BFBC393-D5EA-0E65-643DBB56CFD38894}\{E801FD1E-2051-63AF-31DD653F6F47DAA3}*]
"S6KI1YERXJTIP3T5RVDI41UR2G1"=hex:01,00,01,00,00,00,00,00,26,ff,b1,c2,08,0b,50,
   9e,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2340)
c:\windows\system32\WININET.dll
c:\program files\Spyware Doctor\pctgmhk.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Spyware Doctor\pctsSvc.exe
c:\windows\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2010-01-26  16:27:30 - machine was rebooted
ComboFix-quarantined-files.txt  2010-01-27 00:27

Pre-Run: 10,793,689,088 bytes free
Post-Run: 10,782,973,952 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 987B34CF034930EB83B1B6C3372103EE
```


----------



## NeonFx (Oct 22, 2008)

Please do the following:

1. Close any open programs before running the fix.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open *Notepad* (Start > Programs > Accessories) and copy/paste the text in the codebox below into it:


```
File::
c:\documents and settings\All Users\Application Data\h8srtkrl32mainweq.dll

RegNull::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EF6C66C5-6F12-D03C-CBD6A967D3458FDE}\{1BFBC393-D5EA-0E65-643DBB56CFD38894}\{E801FD1E-2051-63AF-31DD653F6F47DAA3}*]

RegLockDel::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EF6C66C5-6F12-D03C-CBD6A967D3458FDE}\{1BFBC393-D5EA-0E65-643DBB56CFD38894}\{E801FD1E-2051-63AF-31DD653F6F47DAA3}*]

KillAll::
```
_NOTE: Make sure WordWrap is *unchecked* in Notepad by clicking on the "Format" menu icon._

Save this as *CFScript.txt*, in the same location as ComboFix.exe


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at *C:\ComboFix.txt* which I will require in your next reply.
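The fix above is built from three things that stand out in the posted ComboFix log: the dropped files and the Legacy_/Service_ entries that all share the H8SRT prefix, the "detected NTDLL code modification: ZwClose" line from catchme, and a locked CLSID key whose nested components are not well-formed GUIDs ({EF6C66C5-6F12-D03C-CBD6A967D3458FDE} is 8-4-4-16 hex digits, not the 8-4-4-4-12 a GUID has). The script below is an added example, not code from the thread, from ComboFix or from NeonFx: it pulls those same indicators out of a ComboFix-style log and renders them in the CFScript directives the post uses (File::, RegNull::, RegLockDel::, KillAll::). The prefix, the row formats and the sample log are taken or modelled from the log above; the sample itself is constructed, the malformed-GUID check is a heuristic of mine, and services are only reported, since the post shows no directive for them.

```python
import re
from typing import Dict, List

# Prefix shared by the dropped files and the Legacy_/Service_ entries in the posted log.
PREFIX = "H8SRT"

# Constructed sample, modelled line-for-line on the ComboFix output above (not the real log).
SAMPLE_LOG = r"""
2010-01-22 17:07 . 2010-01-26 17:04    1020    ----a-w-    c:\documents and settings\All Users\Application Data\h8srtkrl32mainweq.dll
2010-01-14 20:34 . 2010-01-08 00:07    38224    ----a-w-    c:\windows\system32\drivers\mbam.sys
-------\Legacy_H8SRTd.sys
-------\Service_H8SRTd.sys
detected NTDLL code modification:
ZwClose

--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EF6C66C5-6F12-D03C-CBD6A967D3458FDE}\{1BFBC393-D5EA-0E65-643DBB56CFD38894}\{E801FD1E-2051-63AF-31DD653F6F47DAA3}*]
"S6KI1YERXJTIP3T5RVDI41UR2G1"=hex:01,00,01,00
"""

# "created . modified  size  attrs  path" rows from the Files Created / Find3M sections
FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}"
    r"\s+\S+\s+\S+\s+(?P<path>[a-z]:\\.+?)\s*$", re.I)
# "-------\Legacy_xxx" / "-------\Service_xxx" rows from the Drivers/Services section
SERVICE_LINE = re.compile(r"^-+\\(?:Legacy|Service)_(?P<name>\S+)$")
# key headers in the LOCKED REGISTRY KEYS section, restricted to CLSID paths
REG_KEY_LINE = re.compile(
    r"^\[(?P<key>HKEY_LOCAL_MACHINE\\software\\Classes\\CLSID\\.+?)\*?\]$", re.I)
# A well-formed GUID is 8-4-4-4-12 hex digits; the components in the log are 8-4-4-16.
GUID = re.compile(
    r"^\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}$", re.I)


def malformed_clsids(key: str) -> List[str]:
    """Return every {...} component of a CLSID key path that is not a well-formed GUID."""
    return [c for c in key.split("\\") if c.startswith("{") and not GUID.match(c)]


def scan_log(text: str, prefix: str = PREFIX) -> Dict[str, List[str]]:
    """Collect prefixed files/services, locked CLSID keys with bad GUIDs, and NTDLL hooks."""
    found: Dict[str, List[str]] = {"files": [], "services": [], "locked_keys": [], "ntdll_hooks": []}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        m = FILE_LINE.match(line)
        if m:
            path = m.group("path")
            if path.rsplit("\\", 1)[-1].lower().startswith(prefix.lower()):
                found["files"].append(path)
        elif (m := SERVICE_LINE.match(line)) and m.group("name").lower().startswith(prefix.lower()):
            found["services"].append(m.group("name"))
        elif (m := REG_KEY_LINE.match(line)) and malformed_clsids(m.group("key")):
            found["locked_keys"].append(line[1:-1])  # keep the trailing '*' as the post does
        elif line.lower().startswith("detected ntdll code modification"):
            i += 1  # the hooked export names follow on their own lines until a blank one
            while i < len(lines) and lines[i].strip():
                found["ntdll_hooks"].append(lines[i].strip())
                i += 1
            continue
        i += 1
    return found


def build_cfscript(found: Dict[str, List[str]]) -> str:
    """Render the findings with the directives used in the post: File::, RegNull::, RegLockDel::, KillAll::."""
    parts = []
    if found["files"]:
        parts.append("File::\n" + "\n".join(found["files"]))
    if found["locked_keys"]:
        keys = "\n".join(f"[{k}]" for k in found["locked_keys"])
        parts.append("RegNull::\n" + keys)
        parts.append("RegLockDel::\n" + keys)
    parts.append("KillAll::")
    return "\n\n".join(parts) + "\n"


if __name__ == "__main__":
    result = scan_log(SAMPLE_LOG)
    print("services:", result["services"], "ntdll hooks:", result["ntdll_hooks"])
    print(build_cfscript(result))
```

The generated script is only a starting point: the person driving ComboFix still reviews each path and key before dropping the file onto ComboFix.exe, and the services and the ZwClose hook are reported rather than scripted because nothing on the page shows how the tool is told to handle them.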


----------



## Shiromagius (Jan 14, 2010)

Results:

```
ComboFix 10-01-26.02 - Jade 01/27/2010   9:30.2.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.1022.630 [GMT -8:00]
Running from: c:\documents and settings\Jade\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jade\Desktop\CFScript.txt
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

FILE ::
"c:\documents and settings\All Users\Application Data\h8srtkrl32mainweq.dll"
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\h8srtkrl32mainweq.dll

.
(((((((((((((((((((((((((   Files Created from 2009-12-27 to 2010-01-27  )))))))))))))))))))))))))))))))
.

2010-01-14 20:34 . 2010-01-08 00:07    38224    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-14 20:34 . 2010-01-23 01:39    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2010-01-14 20:34 . 2010-01-14 20:34    --------    d-----w-    c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-14 20:34 . 2010-01-08 00:07    19160    ----a-w-    c:\windows\system32\drivers\mbam.sys
2010-01-14 20:06 . 2010-01-14 20:06    --------    d-----w-    c:\documents and settings\Administrator\Local Settings\Application Data\BVRP Software
2010-01-14 18:57 . 2010-01-14 18:57    --------    d-----w-    c:\program files\Common Files\Java
2010-01-14 18:57 . 2010-01-14 18:56    411368    ----a-w-    c:\windows\system32\deploytk.dll
2010-01-14 17:44 . 2010-01-14 17:44    --------    d-sh--w-    c:\documents and settings\Administrator\PrivacIE
2010-01-14 17:22 . 2001-08-17 21:28    224802    ----a-w-    c:\windows\system32\dllcache\usr1807a.sys
2010-01-14 17:21 . 2001-08-18 06:36    106584    ----a-w-    c:\windows\system32\dllcache\spdports.dll
2010-01-14 17:20 . 2001-08-17 20:50    41216    ----a-w-    c:\windows\system32\dllcache\s3mt3d.sys
2010-01-14 17:19 . 2002-08-29 06:59    169984    ----a-w-    c:\windows\system32\dllcache\pcx500.sys
2010-01-14 17:18 . 2004-08-04 07:09    49024    ----a-w-    c:\windows\system32\dllcache\mstape.sys
2010-01-14 17:17 . 2004-08-04 06:41    606684    ----a-w-    c:\windows\system32\dllcache\ltmdmnt.sys
2010-01-14 17:16 . 2001-08-18 06:36    372824    ----a-w-    c:\windows\system32\dllcache\iconf32.dll
2010-01-14 17:15 . 2002-08-29 10:00    6144    ----a-w-    c:\windows\system32\dllcache\ftlx041e.dll
2010-01-14 17:14 . 2001-08-18 06:36    6729    ----a-w-    c:\windows\system32\dllcache\disrvci.dll
2010-01-14 17:13 . 2001-08-17 20:13    27164    ----a-w-    c:\windows\system32\dllcache\ce3n5.sys
2010-01-14 17:12 . 2001-08-18 06:36    102400    ----a-w-    c:\windows\system32\dllcache\binlsvc.dll
2010-01-14 17:11 . 2001-08-17 22:56    66048    ----a-w-    c:\windows\system32\dllcache\s3legacy.dll
2010-01-14 01:42 . 2010-01-14 01:42    --------    d-----w-    c:\program files\Trend Micro
2010-01-13 22:31 . 2010-01-13 22:31    --------    d-sh--w-    c:\documents and settings\Jade\IECompatCache
2010-01-13 21:32 . 2010-01-13 21:32    --------    d-----w-    c:\documents and settings\Jade\Application Data\PC Tools
2010-01-13 21:32 . 2010-01-13 21:32    --------    d-----w-    c:\documents and settings\All Users\Application Data\PC Tools
2010-01-13 18:17 . 2010-01-13 18:17    159600    ----a-w-    c:\windows\system32\drivers\pctgntdi.sys
2010-01-13 18:17 . 2008-12-10 19:36    64392    ----a-w-    c:\windows\system32\drivers\pctplsg.sys
2010-01-13 18:17 . 2010-01-13 18:17    206256    ----a-w-    c:\windows\system32\drivers\PCTCore.sys
2010-01-13 17:01 . 2010-01-13 18:14    --------    d-----w-    c:\program files\Common Files\PC Tools
2010-01-13 04:47 . 2010-01-13 22:28    --------    d-----w-    c:\program files\Spyware Doctor
2010-01-13 04:35 . 2010-01-27 17:40    --------    d---a-w-    c:\documents and settings\All Users\Application Data\TEMP
2010-01-13 04:24 . 2010-01-13 04:24    --------    d-----w-    c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2010-01-13 02:34 . 2010-01-13 02:34    --------    d-sh--w-    c:\documents and settings\Administrator\IETldCache
2010-01-13 02:33 . 2004-04-10 00:19    40080    ----a-w-    c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-13 01:53 . 2010-01-13 01:53    --------    d-sh--w-    c:\documents and settings\Jade\PrivacIE
2010-01-13 01:40 . 2010-01-13 01:40    --------    d-----w-    c:\documents and settings\Jade\Local Settings\Application Data\ESET
2010-01-13 00:58 . 2010-01-13 23:58    --------    d-----w-    c:\program files\ESET
2010-01-13 00:58 . 2010-01-13 00:58    --------    d-----w-    c:\documents and settings\All Users\Application Data\ESET
2010-01-13 00:29 . 2010-01-13 00:29    --------    d-sh--w-    c:\windows\system32\config\systemprofile\IETldCache
2009-12-29 18:20 . 2009-12-29 18:20    --------    d-sh--w-    c:\documents and settings\NetworkService\IETldCache
2009-12-29 18:20 . 2009-12-29 18:20    --------    d-----w-    c:\windows\system32\LogFiles

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-26 22:05 . 2004-04-15 19:39    1901    ----a-w-    c:\windows\panose.bin
2010-01-22 19:01 . 2010-01-22 19:01    61440    ----a-w-    c:\documents and settings\Jade\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-5ab99376-n\decora-sse.dll
2010-01-22 19:01 . 2010-01-22 19:01    503808    ----a-w-    c:\documents and settings\Jade\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-20e86b40-n\msvcp71.dll
2010-01-22 19:01 . 2010-01-22 19:01    499712    ----a-w-    c:\documents and settings\Jade\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-20e86b40-n\jmc.dll
2010-01-22 19:01 . 2010-01-22 19:01    348160    ----a-w-    c:\documents and settings\Jade\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-20e86b40-n\msvcr71.dll
2010-01-22 19:01 . 2010-01-22 19:01    12800    ----a-w-    c:\documents and settings\Jade\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-5ab99376-n\decora-d3d.dll
2010-01-14 18:57 . 2010-01-14 18:57    61440    ----a-w-    c:\documents and settings\Jade\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\759e98ee-5b3e34e4-n\decora-sse.dll
2010-01-14 18:57 . 2010-01-14 18:57    503808    ----a-w-    c:\documents and settings\Jade\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\759e98ee-5b3e34e4-n\msvcp71.dll
2010-01-14 18:57 . 2010-01-14 18:57    499712    ----a-w-    c:\documents and settings\Jade\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\759e98ee-5b3e34e4-n\jmc.dll
2010-01-14 18:57 . 2010-01-14 18:57    348160    ----a-w-    c:\documents and settings\Jade\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\759e98ee-5b3e34e4-n\msvcr71.dll
2010-01-14 18:57 . 2010-01-14 18:57    12800    ----a-w-    c:\documents and settings\Jade\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\759e98ee-5b3e34e4-n\decora-d3d.dll
2010-01-14 18:57 . 2010-01-14 18:57    315392    ----a-w-    c:\documents and settings\Jade\Application Data\Sun\Java\Deployment\SystemCache\6.0\62\6baea4fe-5718376a-n\jogl.dll
2010-01-14 18:57 . 2010-01-14 18:57    20480    ----a-w-    c:\documents and settings\Jade\Application Data\Sun\Java\Deployment\SystemCache\6.0\62\6baea4fe-5718376a-n\jogl_awt.dll
2010-01-14 18:57 . 2010-01-14 18:57    114688    ----a-w-    c:\documents and settings\Jade\Application Data\Sun\Java\Deployment\SystemCache\6.0\62\6baea4fe-5718376a-n\jogl_cg.dll
2010-01-14 18:57 . 2010-01-14 18:57    20480    ----a-w-    c:\documents and settings\Jade\Application Data\Sun\Java\Deployment\SystemCache\6.0\45\4f710eed-1fc0baf1-n\gluegen-rt.dll
2010-01-14 18:56 . 2004-04-10 00:03    --------    d-----w-    c:\program files\Java
2010-01-13 18:17 . 2010-01-13 18:17    7396    ----a-w-    c:\windows\system32\drivers\pctcore.cat
2009-12-21 19:14 . 2004-02-07 01:05    916480    ------w-    c:\windows\system32\wininet.dll
2009-12-16 22:42 . 2010-01-05 23:38    872960    ----a-w-    c:\documents and settings\Jade\Application Data\Mozilla\Firefox\Profiles\f5qp1qzg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2009-12-16 22:42 . 2010-01-05 23:39    43008    ----a-w-    c:\documents and settings\Jade\Application Data\Mozilla\Firefox\Profiles\f5qp1qzg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-12-16 22:42 . 2010-01-05 23:38    340480    ----a-w-    c:\documents and settings\Jade\Application Data\Mozilla\Firefox\Profiles\f5qp1qzg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-12-16 22:41 . 2010-01-05 23:38    346624    ----a-w-    c:\documents and settings\Jade\Application Data\Mozilla\Firefox\Profiles\f5qp1qzg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2009-11-21 16:36 . 2002-08-29 10:00    470528    ----a-w-    c:\windows\AppPatch\aclayers.dll
2004-05-18 21:12 . 2004-05-18 21:12    18251    -c--a-w-    c:\program files\setuplog.txt
2004-04-14 17:33 . 2004-04-14 17:33    5019280    -c--a-w-    c:\program files\zlsSetup_45_594_000.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-11-13 98304]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-03-24 180269]
"HostManager"="c:\program files\Common Files\AOL\1186675143\ee\AOLSoftware.exe" [2006-09-26 50736]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-09-29 2054360]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2009-07-23 1181064]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-4-14 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2005-06-22 07:44    126976    ----a-w-    c:\windows\SYSTEM32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2005-06-22 07:48    155648    ----a-w-    c:\windows\SYSTEM32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\aol\\1186675143\\ee\\aolsoftware.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7445:TCP"= 7445:TCP:*:Disabled:BitComet 7445 TCP
"7445:UDP"= 7445:UDP:*:Disabled:BitComet 7445 UDP

R1 ehdrv;ehdrv;c:\windows\SYSTEM32\DRIVERS\ehdrv.sys [9/29/2009 1:02 PM 108792]
R1 epfwtdir;epfwtdir;c:\windows\SYSTEM32\DRIVERS\epfwtdir.sys [9/29/2009 1:05 PM 96408]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [9/29/2009 1:03 PM 735960]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [1/12/2010 8:32 PM 348752]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
DPF: ppctlcab - hxxp://69.44.122.156/scanner/ppctlcab.cab
FF - ProfilePath - c:\documents and settings\Jade\Application Data\Mozilla\Firefox\Profiles\f5qp1qzg.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://news.google.com/news
FF - component: c:\documents and settings\Jade\Application Data\Mozilla\Firefox\Profiles\f5qp1qzg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAbacheck.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-27 09:41
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...  

scanning hidden autostart entries ... 

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2456)
c:\windows\system32\WININET.dll
c:\program files\Spyware Doctor\pctgmhk.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Spyware Doctor\pctsSvc.exe
c:\windows\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2010-01-27  09:46:59 - machine was rebooted
ComboFix-quarantined-files.txt  2010-01-27 17:46
ComboFix2.txt  2010-01-27 00:27

Pre-Run: 10,790,539,264 bytes free
Post-Run: 10,754,232,320 bytes free

- - End Of File - - 7E51CB0BB199E69AB36B38D7071C4C44
```


----------



## NeonFx (Oct 22, 2008)

Alright. Let's continue:

*STEP 1*

Run OTS


Under the *Paste Fix Here* box on the right, paste in the contents of following code box


```
[Unregister Dlls]
[Registry - Safe List]
< HOSTS File > (761 bytes and 20 lines) -> C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS
YN -> Reset Hosts -> 
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-2798098520-2833710086-1059269111-1007\] > -> HKEY_USERS\S-1-5-21-2798098520-2833710086-1059269111-1007\Software\Microsoft\Internet Explorer\Toolbar\
YN -> ShellBrowser\\"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{C4069E3A-68F1-403E-B40E-20066696354B}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer Extensions [HKEY_USERS\S-1-5-21-2798098520-2833710086-1059269111-1007\] > -> HKEY_USERS\S-1-5-21-2798098520-2833710086-1059269111-1007\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{461CC20B-FB6E-4f16-8FE8-C29359DB100E}" [HKLM] -> [Reg Error: Key error.]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
YN -> {2FC9A21E-2069-4E47-8235-36318989DB13} [HKLM] -> http://69.44.122.156/scanner/axscanner.cab [PPSDKActiveXScanner.MainScreen]
YN -> ppctlcab [HKLM] -> http://69.44.122.156/scanner/ppctlcab.cab [Reg Error: Key error.]
< Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\
YN -> DhcpNameServer -> 216.151.4.3 216.151.5.3
< Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\
YN -> {520F0826-CE56-4025-B18D-B5A393821C18}\\DhcpNameServer -> 216.151.4.3 216.151.5.3   (Broadcom 440x 10/100 Integrated Controller)
[Registry - Additional Scans - Safe List]
< Disabled MSConfig Registry Items [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\
YN -> Malware Defense hkey=HKCU key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> C:\Program Files\Malware Defense\mdefense.exe
YN -> twunk_32x.exe hkey=HKCU key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> C:\DOCUME~1\Jade\LOCALS~1\Temp\twunk_32x.exe
[Files/Folders - Modified Within 30 Days]
NY ->  61 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY ->  1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY ->  1 C:\Documents and Settings\Jade\Desktop\*.tmp files -> C:\Documents and Settings\Jade\Desktop\*.tmp
[Empty Temp Folders]
[ClearAllRestorePoints]
[Reboot]
```

Then click the *Run Fix* button at the top
Let the program run unhindered, reboot the PC when it is done
This will create a log in *C:\_OTS\MovedFiles\<date>_.log* where date and time are those of when the fix was run. Open it from there if it does not appear automatically on reboot. Please copy and paste or attach the contents of that file here.

Note: You may receive some errors while running the fix. Just press Ok and the fix should continue normally. 
If it seems to get stuck, give it some time. It's probably still working.

*STEP 2*

Run MalwareBytes AntiMalware


Update it by clicking on the update tab and then on the button. 
If an update is found, it will download and install the latest version.
Once the program has loaded, select "*Perform Full Scan*", then click *Scan*. Scan all of your harddrives.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that *everything is checked*, and click *Remove Selected*.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:

*If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.*


----------



## Shiromagius (Jan 14, 2010)

OTS Results:

```
All Processes Killed
[Registry - Safe List]
HOSTS file reset successfully!
Registry value HKEY_USERS\S-1-5-21-2798098520-2833710086-1059269111-1007\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
Registry value HKEY_USERS\S-1-5-21-2798098520-2833710086-1059269111-1007\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}\ not found.
Registry value HKEY_USERS\S-1-5-21-2798098520-2833710086-1059269111-1007\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{C4069E3A-68F1-403E-B40E-20066696354B} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C4069E3A-68F1-403E-B40E-20066696354B}\ not found.
Registry value HKEY_USERS\S-1-5-21-2798098520-2833710086-1059269111-1007\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{461CC20B-FB6E-4f16-8FE8-C29359DB100E} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{461CC20B-FB6E-4f16-8FE8-C29359DB100E}\ not found.
Starting removal of ActiveX control {2FC9A21E-2069-4E47-8235-36318989DB13}
C:\WINDOWS\Downloaded Program Files\PPSDKActiveXScanner.INF moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2FC9A21E-2069-4E47-8235-36318989DB13}\ deleted successfully.
Starting removal of ActiveX control ppctlcab
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ppctlcab\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\ppctlcab\ not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\\DhcpNameServer updated successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{520F0826-CE56-4025-B18D-B5A393821C18}\\DhcpNameServer updated successfully.
[Registry - Additional Scans - Safe List]
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Malware Defense hkey=HKCU key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ not found.
File  not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\twunk_32x.exe hkey=HKCU key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ not found.
File  not found.
[Files/Folders - Modified Within 30 Days]
C:\WINDOWS\System32\CONFIG.TMP deleted successfully.
C:\WINDOWS\System32\SET12B2.tmp deleted successfully.
C:\WINDOWS\System32\SET12B3.tmp deleted successfully.
C:\WINDOWS\System32\SET12BA.tmp deleted successfully.
C:\WINDOWS\System32\SET12BB.tmp deleted successfully.
C:\WINDOWS\System32\SET372.tmp deleted successfully.
C:\WINDOWS\System32\SET375.tmp deleted successfully.
C:\WINDOWS\System32\SET3EE.tmp deleted successfully.
C:\WINDOWS\System32\SET3EF.tmp deleted successfully.
C:\WINDOWS\System32\SET3F4.tmp deleted successfully.
C:\WINDOWS\System32\SET3F5.tmp deleted successfully.
C:\WINDOWS\System32\SET3FC.tmp deleted successfully.
C:\WINDOWS\System32\SET3FF.tmp deleted successfully.
C:\WINDOWS\System32\SET401.tmp deleted successfully.
C:\WINDOWS\System32\SET402.tmp deleted successfully.
C:\WINDOWS\System32\SET403.tmp deleted successfully.
C:\WINDOWS\System32\SET404.tmp deleted successfully.
C:\WINDOWS\System32\SET407.tmp deleted successfully.
C:\WINDOWS\System32\SET408.tmp deleted successfully.
C:\WINDOWS\System32\SET409.tmp deleted successfully.
C:\WINDOWS\System32\SET40C.tmp deleted successfully.
C:\WINDOWS\System32\SET411.tmp deleted successfully.
C:\WINDOWS\System32\SET413.tmp deleted successfully.
C:\WINDOWS\System32\SET43D.tmp deleted successfully.
C:\WINDOWS\System32\SET443.tmp deleted successfully.
C:\WINDOWS\System32\SET446.tmp deleted successfully.
C:\WINDOWS\System32\SET447.tmp deleted successfully.
C:\WINDOWS\System32\SET448.tmp deleted successfully.
C:\WINDOWS\System32\SET44B.tmp deleted successfully.
C:\WINDOWS\System32\SET44C.tmp deleted successfully.
C:\WINDOWS\System32\SET44D.tmp deleted successfully.
C:\WINDOWS\System32\SET44E.tmp deleted successfully.
C:\WINDOWS\System32\SET44F.tmp deleted successfully.
C:\WINDOWS\System32\SET464.tmp deleted successfully.
C:\WINDOWS\System32\SET468.tmp deleted successfully.
C:\WINDOWS\System32\SET470.tmp deleted successfully.
C:\WINDOWS\System32\SET474.tmp deleted successfully.
C:\WINDOWS\System32\SET477.tmp deleted successfully.
C:\WINDOWS\System32\SET9E1.tmp deleted successfully.
C:\WINDOWS\System32\SET9E2.tmp deleted successfully.
C:\WINDOWS\System32\SET9E3.tmp deleted successfully.
C:\WINDOWS\System32\SET9E8.tmp deleted successfully.
C:\WINDOWS\System32\SET9F0.tmp deleted successfully.
C:\WINDOWS\System32\SET9F2.tmp deleted successfully.
C:\WINDOWS\System32\SETA1B.tmp deleted successfully.
C:\WINDOWS\System32\SETA24.tmp deleted successfully.
C:\WINDOWS\System32\SETA29.tmp deleted successfully.
C:\WINDOWS\System32\SETA2A.tmp deleted successfully.
C:\WINDOWS\System32\SETA2B.tmp deleted successfully.
C:\WINDOWS\System32\SETA2C.tmp deleted successfully.
C:\WINDOWS\System32\SETA43.tmp deleted successfully.
C:\WINDOWS\System32\SETA4E.tmp deleted successfully.
C:\WINDOWS\System32\SETA56.tmp deleted successfully.
C:\WINDOWS\System32\SETA5D.tmp deleted successfully.
C:\WINDOWS\System32\SETF0C.tmp deleted successfully.
C:\WINDOWS\System32\SETF0F.tmp deleted successfully.
C:\WINDOWS\System32\SETF17.tmp deleted successfully.
C:\WINDOWS\System32\SETF1C.tmp deleted successfully.
C:\WINDOWS\System32\SETF1E.tmp deleted successfully.
C:\WINDOWS\System32\SETF21.tmp deleted successfully.
C:\WINDOWS\System32\tfswapi.tmp deleted successfully.
C:\WINDOWS\002269_.tmp deleted successfully.
C:\Documents and Settings\Jade\Desktop\~WRL2921.tmp deleted successfully.
[Empty Temp Folders]
 
 
User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
 
User: All Users
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
 
User: Jade
->Temp folder emptied: 374 bytes
->Temporary Internet Files folder emptied: 67074954 bytes
->Java cache emptied: 4913200 bytes
->FireFox cache emptied: 135759579 bytes
 
User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32835 bytes
 
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
 
User: Owner
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 255 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33726 bytes
RecycleBin emptied: 0 bytes
 
Total Files Cleaned = 198.00 mb
 
 
Restorepoints cleared and new OTS Restore Point set!
< End of fix log >
OTS by OldTimer - Version 3.1.19.5 fix logfile created on 01272010_155236

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
```
and the MBAM results:

```
Malwarebytes' Anti-Malware 1.44
Database version: 3648
Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

1/27/2010 5:22:24 PM
mbam-log-2010-01-27 (17-22-24).txt

Scan type: Full Scan (C:\|)
Objects scanned: 202350
Time elapsed: 1 hour(s), 11 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
```


----------



## NeonFx (Oct 22, 2008)

Excellent. Let's run an online scan to be absolutely sure you're clean.

*STEP 1*

The online scanner uses Java, so I will need you to download and install the latest version for that.

Please go here to download the installer:

http://java.com/en/download/index.jsp

Reboot your machine when that's done.

*STEP 2*

Using Internet Explorer or Firefox, visit *Kaspersky Online Scanner*

*1.* Click *Accept*, when prompted to download and install the program files and database of malware definitions.

*2.* To *optimize scanning time* and produce a more sensible report for review:


- Close any open programs
- Turn off the real time scanner of any existing antivirus program while performing the online scan. Click *HERE* to see how to disable the most common antivirus programs.

*3.* Click *Run* at the Security prompt.

The program will then begin downloading and installing and will also update the database.

Please be patient as this can take quite a long time to download.


Once the update is complete, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:


- Spyware, adware, dialers, and other riskware
- Archives
- E-mail databases

Click on *My Computer* under the green *Scan* bar to the left to start the scan.
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Do *NOT* be alarmed by what you see in the report. Many of the finds have likely been quarantined.
Click *View report...* at the bottom.
Click the *Save report...* button.

Change the *Files of type* dropdown box to *Text file (.txt)* and name the file *KasReport.txt* to save the file to your desktop so that you may post it in your next reply


----------



## Shiromagius (Jan 14, 2010)

Looks like one of my networked drives has an email worm in it. Good to know. Here is the log:

```
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
 Thursday, January 28, 2010
 Operating system: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
 Kaspersky Online Scanner version: 7.0.26.13
 Last database update: Thursday, January 28, 2010 02:42:39
 Records in database: 3378848
--------------------------------------------------------------------------------

Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

Scan area - My Computer:
    C:\
    D:\
    F:\
    M:\
    Z:\

Scan statistics:
    Objects scanned: 137513
    Threats found: 11
    Infected objects found: 14
    Suspicious objects found: 0
    Scan duration: 02:47:04


File name / Threat / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0D35689D    Infected: Email-Worm.Win32.NetSky.aa    1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1FEF0420    Infected: Email-Worm.Win32.NetSky.q    1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\20B35B49    Infected: Trojan-Clicker.HTML.IFrame.sz    1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\45437179    Infected: Trojan-Downloader.Java.OpenStream.w    1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5D4C2D8C    Infected: Trojan-Downloader.Java.OpenStream.w    1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\62992210.dll    Infected: Trojan-Spy.Win32.Globar.d    1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\735A0A05.zip    Infected: Trojan.Java.ClassLoader.c    1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\735A0A05.zip    Infected: Exploit.Java.ByteVerify    1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\735A0A05.zip    Infected: Trojan.Java.ClassLoader.Dummy.a    1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\735A0A05.zip    Infected: Trojan-Downloader.Java.OpenConnection.v    1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\786C2950.htm    Infected: Exploit.HTML.Mht    1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\Incoming\AP0    Infected: Exploit.HTML.Mht    1
F:\Backup\Mackenzie email\archive.pst    Infected: Email-Worm.Win32.Bagle.eg    1
M:\PRODUCTS\Backup\Mackenzie email\archive.pst    Infected: Email-Worm.Win32.Bagle.eg    1

Selected area has been scanned.
```

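As an added example, not part of either poster's reply and not code from Kaspersky or any tool used in this thread, the following Python script reads report lines in the format above and sorts each finding by where it sits: inside another product's quarantine folder (already neutralised, as the Norton hits above are), inside a mail archive such as a .pst (the two Bagle hits, which a scanner cannot disinfect in place), or anywhere else (a live file that still needs removal). The sample lines are taken from the report above plus one constructed "live" line, whose threat name is made up for the test; the path rules in `category_for` and the function names are assumptions made for the example.

```python
"""Triage a Kaspersky Online Scanner report by where each finding lives.

Added example, not from the thread. Report lines look like:
    <path>    Infected: <threat name>    <count>
"""
import re
from collections import defaultdict

# One report line: lazy path, then the literal "Infected:", threat, count.
LINE_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)\s*$")

# Constructed sample: first five lines are from the report above, the last one is
# made up so the "live" branch is exercised (the threat name is not real).
SAMPLE_REPORT = r"""
File name / Threat / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0D35689D    Infected: Email-Worm.Win32.NetSky.aa    1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\735A0A05.zip    Infected: Trojan.Java.ClassLoader.c    1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\735A0A05.zip    Infected: Exploit.Java.ByteVerify    1
F:\Backup\Mackenzie email\archive.pst    Infected: Email-Worm.Win32.Bagle.eg    1
M:\PRODUCTS\Backup\Mackenzie email\archive.pst    Infected: Email-Worm.Win32.Bagle.eg    1
C:\Documents and Settings\Jade\Local Settings\Temp\twunk_32x.exe    Infected: Constructed.Test.Sample    1
"""


def parse_report(text):
    """Return (path, threat, count) for every line that matches the report format."""
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            findings.append((m["path"], m["threat"], int(m["count"])))
    return findings


def category_for(path):
    """Assumed rules: quarantine folders are inert, mailboxes need manual handling, rest is live."""
    p = path.lower()
    if "\\quarantine\\" in p:
        return "quarantined"   # held by another AV product; delete it through that product
    if p.endswith((".pst", ".ost", ".dbx")):
        return "mail_archive"  # infected attachment inside a mailbox file; scanner cannot clean in place
    return "live"


def triage(text):
    """Group threats by category, then by path (a path can carry several threats)."""
    buckets = defaultdict(dict)
    for path, threat, _count in parse_report(text):
        buckets[category_for(path)].setdefault(path, []).append(threat)
    return dict(buckets)


def counts(text):
    """Number of distinct paths per category, the number that actually needs action."""
    return {cat: len(paths) for cat, paths in triage(text).items()}


if __name__ == "__main__":
    for cat, paths in triage(SAMPLE_REPORT).items():
        print(f"== {cat} ({len(paths)} paths)")
        for path, threats in paths.items():
            print(f"  {path}\n    {', '.join(threats)}")
```

Grouping by path rather than by report line is the point: the quarantined zip above produced four report lines for one file, and the two .pst hits are one archive copied to two drives, so the "14 infected objects" in the report header reduce to a handful of files to decide about.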

----------



## NeonFx (Oct 22, 2008)

Yeah, you'll want to delete both those backup files because if you ever go through them in the future you risk infecting yourself. There isn't a good way to identify which email is infected so the whole archive needs to go.

Please delete these two files.

F:\Backup\Mackenzie email\*archive.pst*
M:\PRODUCTS\Backup\Mackenzie email\*archive.pst*

If you feel strongly about keeping those files it's fine. Just don't be going through them unless you actually need something from there and know where it is.

How's the computer running?


----------



## Shiromagius (Jan 14, 2010)

Yeah, I did a little research on the worm and it appears to come in the form of an attachment. Did a little browsing for the symptoms on that drive and it looks like the worm hasn't delivered its payload yet, but I will do a full diagnostic later today. Computer is running pretty good, haven't encountered any of the old symptoms. NOD doesn't find and quarantine a virus upon startup anymore.

Spyware Doctor found 89 "infections" on its last intelli-scan, a lot of registry values from swearware. One has combofix_wow in it, so do you think that these were created by ComboFix? Can they be fixed by Spyware Doctor? Also want to do some Windows updates after everything is good and clean. I have been holding off until the system was clean.


----------



## NeonFx (Oct 22, 2008)

Is there any way you could get me the log of the Spyware Doctor results? It should have saved them somewhere, maybe here: C:\Program Files\Spyware Doctor\Log?


They're probably false positives.


----------



## Shiromagius (Jan 14, 2010)

Spyware Doctor isn't the best at reporting logs in a friendly fashion, but I got something that will work. Attached are all the results of the latest intelli-scan. If it doesn't load for whatever reason, let me know and I'll try something else; had to do some HTML editing to get this to work. File is a txt file, but you should be able to rename it to html and have it load in a browser.


----------



## NeonFx (Oct 22, 2008)

Thank you that worked. They're all false positives belonging to the tools we used and are nothing to worry about.

Excellent. Let's cleanup.

*STEP 1*

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

(If you use Vista or 7 just paste it into the text box that appears next to your start button)

*ComboFix /Uninstall*

Note: If you renamed ComboFix to something else (Combo-Fix or Gotcha for example) you might have to change the command accordingly: Combo-Fix /Uninstall

*STEP 2*

To clean up OldTimer's tools, along with a few others, do the following:


Run OTS.exe by double clicking on it
Click on the *"CleanUp"* button on the top.
You will be asked if you wish to reboot your system, select *"Yes"*

*STEP 3*

Remove any other tools or files we used by right-clicking on them or any folders they created, hold down the *Shift* key, and select *"Delete"* by clicking on it. This will delete the files without sending them to the RecycleBin.

You can also uninstall the other programs (HijackThis or MalwareBytes if we used them) by going to Start > Control Panel > Add/Remove programs (The Control Panel is different in different versions of Windows. It will be Programs and Features in Vista and Programs > Uninstall a Program in 7)

You might want to keep MalwareBytes AntiMalware though and that's fine. Make sure you update it before you run the scans in the future.

*All Clean*

Congratulations, *your system is now clean*. Now that your system is safe we would like you to keep it that way. Take the time to follow these instructions and it will greatly reduce the risk of further infections and greatly diminish the chances of you having to visit here again.

*Microsoft Windows Update*
Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office products loopholes and fix any bugs found. Install the updates immediately if they are found.
To update Windows
Go to *(Start) > (All) Programs > Windows Update*
To update Office
Open up any Office program.
Go to *Help > Check for Updates*

*Download and Install a HOSTS File*
A HOSTS file is a big list of bad web sites. The list has a specific format, a specific name, (name is just HOSTS with no file extension), and a specific location. Your machine always looks at that file in that location before connecting to a web site to verify the address. A HOSTS listing can be used to "short circuit" a request to a bad website by giving it the address of your own machine and prevent your computer from connecting to that website.

See how to get it HERE
(For Vista and 7 see HERE )

You can also use a tool to update your Hosts file. See HERE and HERE

If you have a separate third-party firewall or WinPatrol, you may have to give permissions at various times to unlock the present default HOSTS file and install the new one.

Note: A Hosts file can slow some systems down. If it is slowed down beyond tolerable you might want to empty the Hosts file or reset it using one of the tools.

*Install WinPatrol*
Download it HERE
You can find information about how WinPatrol works HERE and HERE

Note: This program will work alongside all other security programs without conflicts. It might ask you to allow certain actions that security programs perform often, but if you tell Scotty to remember the action by checking the option, the alerts will lessen.

*Other Software Updates*
It is very important to update the other software on your computer to patch up any security issues you may have. Go HERE to scan your computer for any out of date software. In particular make sure you download the updates for *Java* and *Adobe* as these are subject to many security vulnerabilities.

*Setting up Automatic Updates*
So that it is not necessary to have to remember to update your computer regularly (something very important to securing your system), automatic updates should be configured on your computer. Microsoft has guides for XP and Vista on how to do this. See HERE for Windows 7.

*Read further information* HERE, HERE, and HERE on how to prevent Malware infections and keep yourself clean.

Please mark this thread as Solved by clicking on the button at the top of this page. Let me know if you need anything else.

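The HOSTS-file advice above describes the blocking use of the file; the OTS fix earlier in this thread had to reset the same file, because malware uses it in reverse, pointing update or search hosts at an address of the attacker's choosing (or at the local machine, so updates fail). The following Python script is an added example, not code from NeonFx or from any of the tools used in this thread. It parses HOSTS-format text and sorts every mapping into one of four bins: the default localhost line, a blocklist entry (target is the local machine or 0.0.0.0), a hijack (a protected host mapped anywhere at all), or a plain redirect of an ordinary host. `PROTECTED_DOMAINS`, `SAMPLE_HOSTS`, `DEFAULT_HOSTS` and the `HostsEntry`/`classify` names are assumptions made for the example; the sample file content is constructed.

```python
"""Classify the entries of a Windows HOSTS file as default, block, hijack or redirect.

Added example, not from the thread. Works on HOSTS-format text, so it can be run
offline on the constructed sample or on a copy of a real file.
"""
import ipaddress
from dataclasses import dataclass

# Targets that make a request go nowhere: the machine itself or the unspecified address.
SINKHOLE_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}

# Assumed list: hosts a blocklist would never contain. Any HOSTS mapping for one of these
# is a hijack, whether it points at the local machine (to stop updates) or elsewhere.
PROTECTED_DOMAINS = {"www.google.com", "update.microsoft.com", "windowsupdate.microsoft.com"}

# Minimal default content for Windows XP; writing this back is what a "Reset Hosts" step does.
DEFAULT_HOSTS = "127.0.0.1\tlocalhost\n"


@dataclass(frozen=True)
class HostsEntry:
    line_no: int
    address: str
    hostname: str


def parse_hosts(text):
    """Return one HostsEntry per (address, hostname) pair; comments and junk lines are skipped."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # everything after '#' is a comment
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                           # address with no hostname: malformed
        try:
            addr = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue                           # first token is not an IP address
        for host in parts[1:]:                 # one address may carry several names
            entries.append(HostsEntry(n, addr, host.lower()))
    return entries


def classify(entries):
    """Sort entries into default / block / hijack / redirect, preserving file order."""
    result = {"default": [], "block": [], "hijack": [], "redirect": []}
    for e in entries:
        if e.hostname in PROTECTED_DOMAINS:
            result["hijack"].append(e)         # protected host mapped anywhere: hijack
        elif e.hostname in ("localhost", "localhost.localdomain") and e.address in SINKHOLE_TARGETS:
            result["default"].append(e)        # the stock line every HOSTS file has
        elif e.address in SINKHOLE_TARGETS:
            result["block"].append(e)          # blocklist style: request short-circuits to self
        else:
            result["redirect"].append(e)       # ordinary host sent to a foreign address
    return result


# Constructed sample, not a real HOSTS file.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
0.0.0.0         ads.tracker.example        # blocklist entry: request goes nowhere
127.0.0.1       malware-host.example
127.0.0.1       update.microsoft.com       # update site pointed at the local machine
198.51.100.7    www.google.com             # search engine pointed at a foreign address
203.0.113.9     www.bank.example           # plain redirect of an ordinary host
"""

if __name__ == "__main__":
    for kind, items in classify(parse_hosts(SAMPLE_HOSTS)).items():
        for e in items:
            print(f"{kind:8} line {e.line_no}: {e.address} -> {e.hostname}")
```

Run it as a script to see the constructed sample classified, or pass the contents of `%SystemRoot%\System32\drivers\etc\hosts` to `parse_hosts`; everything that lands in `hijack` or `redirect` is what a "Reset Hosts" step removes, while a long `block` list is the intended effect of installing a blocking HOSTS file as described above. Checking protected hosts regardless of target is deliberate: a 127.0.0.1 mapping for an update server looks exactly like a blocklist entry, and only the hostname gives it away.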

----------



## Shiromagius (Jan 14, 2010)

Thanks for all of your help NeonFx. I did the uninstalling of ComboFix, but forgot to disable my spyware / antivirus beforehand and during the uninstallation process ComboFix pointed that out for me and gave me a chance to disable them before proceeding. I disabled them, clicked OK and it said that ComboFix was uninstalled successfully. However, just ran an intelli-scan with Spyware Doc and those same false positive entries are popping up. Can I let Spyware Doc take care of these now? Or did ComboFix screw up when trying to uninstall?


----------



## NeonFx (Oct 22, 2008)

Go ahead and let it take care of them.


----------



## Shiromagius (Jan 14, 2010)

Thanks again for all your help NeonFx. Marking this thread solved.


----------



## NeonFx (Oct 22, 2008)

You're welcome. Have a good one


----------

