
1 BDS.small.iuj on Thu Mar 18, 2010 10:53 pm

rinmueru


Member
Need help please. I also have this virus in my explorer.exe. The funny thing is that when I activate my free Avira, my PC hangs whenever I open explorer.exe-related windows, and vice versa.
But I can still open programs like Firefox, Word, etc. even when my Avira is activated. All of this is in normal mode.

Please help me.

2 Re: BDS.small.iuj on Thu Mar 18, 2010 11:44 pm

DragonMaster Jay


Site Owner
Please download SystemLook from one of the links below and save it to your Desktop.

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:

    :filefind
    explorer.exe


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


..........................................................
DragonMaster Jay
Administrative Director SecuraGeek Association
Advanced Malware Analysts Group Owner



3 Re: BDS.small.iuj on Fri Mar 19, 2010 12:11 am

rinmueru


Member
Here's the SystemLook log. Thanks for the help!

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 12:08 on 19/03/2010 by MARIGZA (Administrator - Elevation successful)

========== filefind ==========

Searching for "explorer.exe"
C:\Documents and Settings\MARIGZA\My Documents\Downloads\explorer.exe --a--- 2923520 bytes [04:00 19/03/2010] [04:01 19/03/2010] 37440D09DEAE0B672A04DCCF7ABF06BE
C:\WINDOWS\explorer.exe --a--- 1075200 bytes [18:49 18/03/2010] [18:49 18/03/2010] 2DEACA71A7FD77205F59D48D76B2F565
C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\explorer.exe --a--- 1033728 bytes [08:11 27/08/2008] [00:12 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923

-=End Of File=-

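The log above is the whole diagnosis in three lines: the live C:\WINDOWS\explorer.exe is 41,472 bytes larger than the copy Windows Update cached under SoftwareDistribution, and its MD5 differs. As an added example (not part of the thread, and not SystemLook's or OTL's own code), here is how a practitioner would parse that output, pick the update-cache copy as the reference, flag the copies that disagree with it, and then verify a replacement by size and hash. The assumption that the SoftwareDistribution copy is the clean build is mine, stated in the code; the temp files used to demonstrate the post-fix check are constructed stand-ins, not real PE files.

```python
import hashlib
import os
import re
import shutil
import tempfile

# SystemLook ":filefind" output for explorer.exe, copied from the log posted
# above so the example runs offline (the page's own data, not a new scan).
SYSTEMLOOK_LOG = r"""
Searching for "explorer.exe"
C:\Documents and Settings\MARIGZA\My Documents\Downloads\explorer.exe --a--- 2923520 bytes [04:00 19/03/2010] [04:01 19/03/2010] 37440D09DEAE0B672A04DCCF7ABF06BE
C:\WINDOWS\explorer.exe --a--- 1075200 bytes [18:49 18/03/2010] [18:49 18/03/2010] 2DEACA71A7FD77205F59D48D76B2F565
C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\explorer.exe --a--- 1033728 bytes [08:11 27/08/2008] [00:12 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923
"""

# One hit: <path> <attrs> <size> bytes [<created>] [<modified>] <MD5>
_HIT = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-a-z]{6}) (?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})\s*$"
)


def parse_systemlook(text):
    """Return one dict per file hit in a SystemLook filefind log."""
    hits = []
    for line in text.splitlines():
        m = _HIT.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["size"] = int(rec["size"])
            rec["md5"] = rec["md5"].upper()
            hits.append(rec)
    return hits


def triage_copies(hits, reference_marker="SoftwareDistribution"):
    """Treat the Windows Update cache copy as the reference and flag every
    other copy whose MD5 differs, recording how many bytes were added.

    Assumption (mine, not stated in the thread): the copy under
    SoftwareDistribution\\Download was written by Windows Update and is the
    clean 6.00.2900.5512 build. ComboFix's sigcheck section later shows both
    copies sharing MD5 12896823FB95BFB3DC9B46BCAEDC9923 once OTL replaced it.
    """
    ref = next(h for h in hits if reference_marker.lower() in h["path"].lower())
    flagged = []
    for h in hits:
        if h is ref or h["md5"] == ref["md5"]:
            continue
        flagged.append({
            "path": h["path"],
            "md5": h["md5"],
            "size_delta": h["size"] - ref["size"],  # growth vs. the clean build
        })
    return ref, flagged


def md5_of_file(path):
    """Hash a file on disk in chunks; MD5 because that is what SystemLook and
    ComboFix print, so the value can be compared with their logs directly."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest().upper()


def replacement_verified(target, reference):
    """After an OTL ':files <target>|<reference> /replace', confirm the live
    binary is byte-identical to the reference (size and MD5 both match)."""
    return (os.path.getsize(target) == os.path.getsize(reference)
            and md5_of_file(target) == md5_of_file(reference))


def demo_replacement_check():
    """Constructed stand-in for the real fix: a 'tampered' explorer.exe beside
    a clean reference copy. Returns (verified_before, verified_after)."""
    workdir = tempfile.mkdtemp()
    live = os.path.join(workdir, "explorer.exe")
    clean = os.path.join(workdir, "explorer.exe.reference")
    with open(clean, "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 64)               # fake clean PE, constructed
    with open(live, "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 64 + b"PAYLOAD")  # same file with bytes appended
    before = replacement_verified(live, clean)
    shutil.copyfile(clean, live)                    # what the /replace step does
    after = replacement_verified(live, clean)
    shutil.rmtree(workdir)
    return before, after


if __name__ == "__main__":
    ref, flagged = triage_copies(parse_systemlook(SYSTEMLOOK_LOG))
    print("reference:", ref["path"], ref["md5"])
    for f in flagged:
        print("FLAG", f["path"], f["md5"], f"{f['size_delta']:+d} bytes")
    print("replacement verified (before, after):", demo_replacement_check())
```

The Downloads copy is flagged too, but for a different reason than the live one: at 2.9 MB it is not a Windows build at all, and SystemLook's timestamps show it was written minutes before the scan, so it is whatever the user fetched while trying to fix the problem. Only the size delta against the reference says anything about tampering.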

4 Re: BDS.small.iuj on Fri Mar 19, 2010 9:19 am

DragonMaster Jay


Site Owner
Download OTL.exe by OldTimer to your Desktop.

Please run OTL.exe.

  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :files
    C:\windows\explorer.exe|C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\explorer.exe /replace

    :commands
    [emptytemp]
    [reboot]

  • Return to OTL.exe, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.

  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTL.exe

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



5 Re: BDS.small.iuj on Fri Mar 19, 2010 11:22 am

rinmueru


Member
Here's the OTL log.

All processes killed
========== FILES ==========
File C:\windows\explorer.exe successfully replaced with C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\explorer.exe
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 10966318 bytes

User: MARIGZA
->Temp folder emptied: 1201146164 bytes
->Temporary Internet Files folder emptied: 65885935 bytes
->Java cache emptied: 80306656 bytes
->FireFox cache emptied: 100220019 bytes
->Opera cache emptied: 46296314 bytes
->Flash cache emptied: 97715 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2241018 bytes
%systemroot%\System32 .tmp files removed: 4050057 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 357761925 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 23947486 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 34318 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 1,805.00 mb


OTL by OldTimer - Version 3.1.37.3 log created on 03192010_231145

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

6 Re: BDS.small.iuj on Fri Mar 19, 2010 12:48 pm

rinmueru


Member
Wow, it seems that the virus is already gone.

I reinstalled Avira and scanned explorer.exe. Here's the log:

Avira AntiVir Personal
Report file date: Saturday, March 20, 2010 00:41

Scanning for 1878152 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 2) [5.1.2600]
Boot mode : Normally booted
Username : MARIGZA
Computer name : MARIGZA

Version information:
BUILD.DAT : 9.0.0.415 21609 Bytes 11/8/2009 10:00:00
AVSCAN.EXE : 9.0.3.10 466689 Bytes 10/13/2009 03:26:33
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 02:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 03:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 02:58:52
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 23:35:52
VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 16:25:08
VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 16:29:24
VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 16:30:42
VBASE004.VDF : 7.10.4.203 1579008 Bytes 3/5/2010 16:32:53
VBASE005.VDF : 7.10.4.204 2048 Bytes 3/5/2010 16:32:54
VBASE006.VDF : 7.10.4.205 2048 Bytes 3/5/2010 16:32:54
VBASE007.VDF : 7.10.4.206 2048 Bytes 3/5/2010 16:32:55
VBASE008.VDF : 7.10.4.207 2048 Bytes 3/5/2010 16:32:55
VBASE009.VDF : 7.10.4.208 2048 Bytes 3/5/2010 16:32:55
VBASE010.VDF : 7.10.4.209 2048 Bytes 3/5/2010 16:32:56
VBASE011.VDF : 7.10.4.210 2048 Bytes 3/5/2010 16:32:56
VBASE012.VDF : 7.10.4.211 2048 Bytes 3/5/2010 16:32:57
VBASE013.VDF : 7.10.4.242 153088 Bytes 3/8/2010 16:33:07
VBASE014.VDF : 7.10.5.17 99328 Bytes 3/10/2010 16:33:16
VBASE015.VDF : 7.10.5.44 107008 Bytes 3/11/2010 16:33:28
VBASE016.VDF : 7.10.5.69 92672 Bytes 3/12/2010 16:33:34
VBASE017.VDF : 7.10.5.91 119808 Bytes 3/15/2010 16:33:45
VBASE018.VDF : 7.10.5.121 112640 Bytes 3/18/2010 16:33:53
VBASE019.VDF : 7.10.5.138 139776 Bytes 3/18/2010 16:34:09
VBASE020.VDF : 7.10.5.139 2048 Bytes 3/18/2010 16:34:09
VBASE021.VDF : 7.10.5.140 2048 Bytes 3/18/2010 16:34:10
VBASE022.VDF : 7.10.5.141 2048 Bytes 3/18/2010 16:34:10
VBASE023.VDF : 7.10.5.142 2048 Bytes 3/18/2010 16:34:11
VBASE024.VDF : 7.10.5.143 2048 Bytes 3/18/2010 16:34:11
VBASE025.VDF : 7.10.5.144 2048 Bytes 3/18/2010 16:34:11
VBASE026.VDF : 7.10.5.145 2048 Bytes 3/18/2010 16:34:12
VBASE027.VDF : 7.10.5.146 2048 Bytes 3/18/2010 16:34:13
VBASE028.VDF : 7.10.5.147 2048 Bytes 3/18/2010 16:34:13
VBASE029.VDF : 7.10.5.148 2048 Bytes 3/18/2010 16:34:14
VBASE030.VDF : 7.10.5.149 2048 Bytes 3/18/2010 16:34:14
VBASE031.VDF : 7.10.5.154 38912 Bytes 3/19/2010 16:34:16
Engineversion : 8.2.1.196
AEVDF.DLL : 8.1.1.3 106868 Bytes 3/19/2010 16:37:45
AESCRIPT.DLL : 8.1.3.18 1024378 Bytes 3/19/2010 16:37:41
AESCN.DLL : 8.1.5.0 127347 Bytes 3/19/2010 16:37:05
AESBX.DLL : 8.1.2.1 254323 Bytes 3/19/2010 16:38:00
AERDL.DLL : 8.1.4.3 541043 Bytes 3/19/2010 16:36:59
AEPACK.DLL : 8.2.1.1 426358 Bytes 3/19/2010 16:36:46
AEOFFICE.DLL : 8.1.0.41 201083 Bytes 3/19/2010 16:36:22
AEHEUR.DLL : 8.1.1.13 2470262 Bytes 3/19/2010 16:36:05
AEHELP.DLL : 8.1.10.2 237941 Bytes 3/19/2010 16:34:37
AEGEN.DLL : 8.1.3.2 373108 Bytes 3/19/2010 16:34:31
AEEMU.DLL : 8.1.1.0 393587 Bytes 11/7/2009 23:38:26
AECORE.DLL : 8.1.12.3 188789 Bytes 3/19/2010 16:34:21
AEBB.DLL : 8.1.0.3 53618 Bytes 11/7/2009 23:38:20
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 00:47:59
AVPREF.DLL : 9.0.3.0 44289 Bytes 8/26/2009 07:14:02
AVREP.DLL : 8.0.0.7 159784 Bytes 3/19/2010 16:38:07
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 02:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 07:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 02:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 07:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 00:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 02:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 07:39:58
RCTEXT.DLL : 9.0.73.0 86785 Bytes 10/13/2009 04:25:47

Configuration settings for the scan:
Jobname.............................: ShlExt
Configuration file..................: C:\DOCUME~1\MARIGZA\LOCALS~1\Temp\2716a779.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: off
Scan registry.......................: off
Search for rootkits.................: off
Integrity checking of system files..: off
Scan all files......................: Intelligent file selection
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Saturday, March 20, 2010 00:41

Starting the file scan:

Begin scan in 'C:\WINDOWS\explorer.exe'


End of the scan: Saturday, March 20, 2010 00:41
Used time: 00:00 Minute(s)

The scan has been done completely.

0 Scanned directories
1 Files were scanned
0 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
0 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
1 Files not concerned
0 Archives were scanned
0 Warnings
0 Notes



Is my PC OK now? I'm still kind of worried because the virus might have infected my other files.

7 Re: BDS.small.iuj on Fri Mar 19, 2010 1:34 pm

DragonMaster Jay


Site Owner
Not OK yet. We need to make sure all the infection is gone.

Please visit this webpage for a tutorial on downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

See the area: Using ComboFix, and when done, post the log back here.


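The ComboFix log posted in the reply below is where the persistence actually shows up, and it is not in explorer.exe: four services named cyzwe, jiggqys, khvlat and kpeoehigv, all with ImagePath svchost.exe -k netsvcs and all added to the Svchost\netsvcs group, plus a service whose image lives in the user's Temp folder, Security Center monitoring disabled and the firewall turned off. As an added example (not part of the thread and not ComboFix's own code), here is how to triage those sections of such a log automatically. The excerpt is the page's own log; the list of legitimate XP netsvcs members is my assumption from memory and is only used to decide what is "unknown", not to declare anything malicious.

```python
import re

# Excerpt of the ComboFix log posted in the reply below (the page's own data,
# embedded so this runs offline): the service list, the NetSvcs group and the
# firewall / Security Center keys.
COMBOFIX_EXCERPT = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [12/21/2007 8:21 AM 33800]
R2 ekrn;Eset Service;c:\program files\Eset\ESET NOD32 Antivirus\ekrn.exe [12/21/2007 8:21 AM 468224]
S2 cyzwe;Boot Network;c:\windows\system32\svchost.exe -k netsvcs [1/13/2006 9:38 AM 14336]
S2 jiggqys;Boot Time;c:\windows\system32\svchost.exe -k netsvcs [1/13/2006 9:38 AM 14336]
S2 khvlat;Network Image;c:\windows\system32\svchost.exe -k netsvcs [1/13/2006 9:38 AM 14336]
S2 kpeoehigv;Driver Server;c:\windows\system32\svchost.exe -k netsvcs [1/13/2006 9:38 AM 14336]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\MARIGZA\LOCALS~1\Temp\LUZB30.tmp --> c:\docume~1\MARIGZA\LOCALS~1\Temp\LUZB30.tmp [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
jiggqys
cyzwe
khvlat
kpeoehigv
.
"""

# Service names that legitimately live in the shared "netsvcs" svchost group
# on a stock Windows XP SP2/SP3 install. Assumption: this list is from memory,
# not from the thread; a name missing from it is "unknown", not proven bad.
KNOWN_NETSVCS = {
    "6to4", "appmgmt", "audiosrv", "bits", "browser", "cryptsvc", "dmserver",
    "dhcp", "ersvc", "eventsystem", "fastuserswitchingcompatibility", "helpsvc",
    "hidserv", "ias", "iprip", "irmon", "lanmanserver", "lanmanworkstation",
    "messenger", "netman", "nla", "ntmssvc", "nwcworkstation", "nwsapagent",
    "rasauto", "rasman", "remoteaccess", "schedule", "seclogon", "sens",
    "sharedaccess", "shellhwdetection", "srservice", "tapisrv", "themes",
    "trkwks", "w32time", "winmgmt", "wmdmpmsp", "wmi", "wscsvc", "wuauserv",
    "wzcsvc", "xmlprov", "uploadmgr", "termservice",
}

# "<state> <name>;<display>;<image> [<meta>]"
_SERVICE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*) \[([^\]]*)\]\s*$")


def parse_services(text):
    """One dict per 'R*/S*' service line: state, name, display, image, meta."""
    services = []
    for line in text.splitlines():
        m = _SERVICE.match(line.strip())
        if not m:
            continue
        state, name, display, image, meta = m.groups()
        image = image.split(" --> ")[0]   # keep the registry value, drop the resolved path
        services.append(dict(state=state, name=name, display=display,
                             image=image, meta=meta))
    return services


def parse_netsvcs(text):
    """Names listed under Svchost\\netsvcs, i.e. ServiceDlls the shared
    svchost.exe will load at boot."""
    names, collecting = [], False
    for line in text.splitlines():
        s = line.strip()
        if s.endswith("Svchost - NetSvcs"):
            collecting = True
            continue
        if collecting:
            if not re.fullmatch(r"[A-Za-z0-9_]+", s):
                break                      # "." or a blank line ends the list
            names.append(s)
    return names


def triage_combofix(text):
    """Return (item, reason) findings in log order."""
    findings = []
    for s in parse_services(text):
        img = s["image"].lower()
        if ("svchost.exe" in img and "-k netsvcs" in img
                and s["name"].lower() not in KNOWN_NETSVCS):
            findings.append((s["name"], "unknown service hosted in the svchost netsvcs "
                             f"group (ServiceDll injection; display name '{s['display']}')"))
        elif "\\temp\\" in img:
            findings.append((s["name"], "ImagePath under a Temp directory"))
    already = {name for name, _ in findings}
    for n in parse_netsvcs(text):
        if n.lower() not in KNOWN_NETSVCS and n not in already:
            findings.append((n, "listed in Svchost\\netsvcs but not a known member"))
    if re.search(r'"EnableFirewall"=\s*0\b', text):
        findings.append(("Windows Firewall", "EnableFirewall = 0 (standard profile)"))
    if re.search(r'"DisableMonitoring"=dword:00000001', text):
        findings.append(("Security Center", "DisableMonitoring = 1 (AV/firewall alerts suppressed)"))
    return findings


if __name__ == "__main__":
    for item, reason in triage_combofix(COMBOFIX_EXCERPT):
        print(f"{item:18} {reason}")
```

The netsvcs check is the one that matters here. A service entry that points at svchost.exe carries its real code in a ServiceDll value under Parameters, so the four random-looking names are a pointer to DLLs this excerpt does not show; the fix has to remove both the service keys and the names from the netsvcs group, or the DLLs are loaded again at the next boot. Everything else (the Temp-resident image, the disabled firewall, the silenced Security Center) is context that explains why Avira and the user's explorer.exe were fighting.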

8 Re: BDS.small.iuj on Fri Mar 19, 2010 9:48 pm

rinmueru


Member
Oh, OK then. Here's the ComboFix log:

ComboFix 10-03-19.06 - MARIGZA 03/20/2010 9:33.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.235 [GMT 8:00]
Running from: c:\documents and settings\MARIGZA\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\desktop.ini
C:\restore
c:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini
c:\windows\system32\SIntf16.dll
c:\windows\system32\system.dll

.
((((((((((((((((((((((((( Files Created from 2010-02-20 to 2010-03-20 )))))))))))))))))))))))))))))))
.

2010-03-19 16:19 . 2009-03-30 01:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-03-19 16:19 . 2009-02-13 03:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-03-19 16:19 . 2009-02-13 03:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-03-19 16:19 . 2010-03-19 16:19 -------- d-----w- c:\program files\Avira
2010-03-19 16:19 . 2010-03-19 16:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-03-19 15:11 . 2010-03-19 15:11 -------- d-----w- C:\_OTL
2010-03-18 18:49 . 2008-04-14 00:12 1033728 ----a-w- c:\windows\explorer.exe
2010-03-18 13:41 . 2009-07-28 07:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-03-12 01:48 . 2010-03-12 01:48 503808 ----a-w- c:\documents and settings\MARIGZA\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3891a76f-n\msvcp71.dll
2010-03-12 01:48 . 2010-03-12 01:48 499712 ----a-w- c:\documents and settings\MARIGZA\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3891a76f-n\jmc.dll
2010-03-12 01:48 . 2010-03-12 01:48 348160 ----a-w- c:\documents and settings\MARIGZA\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3891a76f-n\msvcr71.dll
2010-03-12 01:48 . 2010-03-12 01:48 61440 ----a-w- c:\documents and settings\MARIGZA\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2f8e8348-n\decora-sse.dll
2010-03-12 01:48 . 2010-03-12 01:48 12800 ----a-w- c:\documents and settings\MARIGZA\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2f8e8348-n\decora-d3d.dll
2010-03-11 12:01 . 2010-03-11 12:01 -------- d-----w- c:\documents and settings\MARIGZA\Local Settings\Application Data\WMTools Downloaded Files
2010-03-10 04:27 . 2009-10-23 14:27 3555328 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-03-06 05:30 . 2010-03-06 05:30 5582848 ----a-w- c:\documents and settings\MARIGZA\Application Data\Facebook\npfbplugin_1_0_3.dll
2010-02-24 11:15 . 2010-02-24 11:16 1923768 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2010-02-20 03:25 . 2006-01-06 07:52 5632 ----a-w- c:\windows\system32\ptpusb.dll
2010-02-20 03:25 . 2006-01-06 07:53 159232 ----a-w- c:\windows\system32\ptpusd.dll
2010-02-20 03:25 . 2006-01-06 07:53 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-20 01:26 . 2009-04-24 03:22 -------- d-----w- c:\documents and settings\MARIGZA\Application Data\DNA
2010-03-20 01:18 . 2008-08-10 16:36 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-20 00:54 . 2009-04-24 03:22 -------- d-----w- c:\program files\DNA
2010-03-18 05:34 . 2010-02-09 12:56 50354 ----a-w- c:\documents and settings\MARIGZA\Application Data\Facebook\uninstall.exe
2010-03-18 05:34 . 2010-02-09 12:56 -------- d-----w- c:\documents and settings\MARIGZA\Application Data\Facebook
2010-03-12 01:47 . 2008-08-17 08:44 -------- d-----w- c:\program files\Java
2010-03-10 05:00 . 2008-08-10 09:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-03-06 23:58 . 2008-08-17 08:46 -------- d-----w- c:\documents and settings\MARIGZA\Application Data\LimeWire
2010-03-01 12:33 . 2008-08-10 12:52 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2010-02-25 12:19 . 2009-07-17 11:11 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-02-20 14:19 . 2009-01-03 15:15 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-02-15 13:32 . 2008-08-14 10:51 -------- d-----w- c:\documents and settings\MARIGZA\Application Data\U3
2010-02-14 14:53 . 2010-02-14 04:29 96 ---ha-w- c:\windows\system32\HsInfo.dat
2010-02-14 13:10 . 2010-02-01 14:21 -------- d-----w- c:\program files\NCP6
2010-02-14 01:22 . 2010-02-08 08:25 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2010-02-08 08:22 . 2010-02-08 08:22 -------- d-----w- c:\program files\Pando Networks
2010-02-07 04:42 . 2010-02-07 04:34 -------- d-----w- c:\documents and settings\MARIGZA\Application Data\ArcSoft
2010-02-07 04:38 . 2010-02-07 04:34 -------- d-----w- c:\documents and settings\All Users\Application Data\ArcSoft
2010-02-07 04:37 . 2008-08-07 12:36 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-07 04:34 . 2010-02-07 04:34 -------- d-----w- c:\program files\Common Files\ArcSoft
2010-02-07 04:34 . 2010-02-07 04:34 -------- d-----w- c:\program files\ArcSoft
2010-02-07 04:31 . 2010-02-07 04:31 -------- d-----w- c:\program files\Philips
2010-02-01 22:04 . 2010-02-01 22:04 847040 ----a-w- c:\documents and settings\MARIGZA\Application Data\Facebook\axfbootloader.dll
2010-02-01 22:04 . 2010-02-01 22:04 5578752 ----a-w- c:\documents and settings\MARIGZA\Application Data\Facebook\npfbplugin_1_0_1.dll
2010-01-23 08:39 . 2008-08-10 16:35 -------- d-----w- c:\program files\Google
2010-01-23 08:04 . 2009-12-14 04:39 -------- d-----w- c:\program files\Common Files\Akamai
2010-01-21 07:54 . 2009-04-24 03:22 -------- d-----w- c:\documents and settings\MARIGZA\Application Data\BitTorrent
2010-01-19 01:56 . 2009-07-17 11:30 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-08 15:20 . 2010-01-08 15:20 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2010-01-08 15:20 . 2010-01-08 15:20 109080 ----a-w- c:\windows\system32\OpenAL32.dll
2010-01-06 04:08 . 2010-01-18 23:41 4726272 ----a-w- c:\documents and settings\MARIGZA\Application Data\Mozilla\Firefox\Profiles\gur2u64u.default\extensions\piclens@cooliris.com\libs\cooliris190.dll
2010-01-06 04:08 . 2010-01-18 23:41 103424 ----a-w- c:\documents and settings\MARIGZA\Application Data\Mozilla\Firefox\Profiles\gur2u64u.default\extensions\piclens@cooliris.com\libs\pixomatic.dll
2010-01-06 04:08 . 2010-01-18 23:41 57856 ----a-w- c:\documents and settings\MARIGZA\Application Data\Mozilla\Firefox\Profiles\gur2u64u.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
2010-01-06 04:08 . 2010-01-18 23:41 545280 ----a-w- c:\documents and settings\MARIGZA\Application Data\Mozilla\Firefox\Profiles\gur2u64u.default\extensions\piclens@cooliris.com\libs\PicLensHelper.exe
2010-01-06 04:08 . 2010-01-18 23:41 4725760 ----a-w- c:\documents and settings\MARIGZA\Application Data\Mozilla\Firefox\Profiles\gur2u64u.default\extensions\piclens@cooliris.com\libs\cooliris192.dll
2010-01-06 04:08 . 2010-01-18 23:40 344064 ----a-w- c:\documents and settings\MARIGZA\Application Data\Mozilla\Firefox\Profiles\gur2u64u.default\extensions\piclens@cooliris.com\libs\LaunchCooliris.exe
2010-01-06 04:08 . 2010-01-18 23:40 153600 ----a-w- c:\documents and settings\MARIGZA\Application Data\Mozilla\Firefox\Profiles\gur2u64u.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
2010-01-05 10:00 . 2006-01-13 01:26 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2006-01-13 01:55 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2006-01-13 01:47 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-31 15:06 . 2006-01-13 01:49 352640 ----a-w- c:\windows\system32\drivers\srv.sys
.

------- Sigcheck -------

[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{F4F10C1D-87C7-404A-B4B3-000000000000}"= "c:\progra~1\DAP\SBSearch.dll" [2008-08-10 32768]
"{DB9D7A78-A76C-4BF2-97C6-258925EE1542}"= "c:\program files\Reganam\tbRega.dll" [2008-04-03 1523736]

[HKEY_CLASSES_ROOT\clsid\{f4f10c1d-87c7-404a-b4b3-000000000000}]
[HKEY_CLASSES_ROOT\SearchHook.SrchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{95EFB171-F3DF-4BEC-9EF7-829A800203E6}]
[HKEY_CLASSES_ROOT\SearchHook.SrchHook]

[HKEY_CLASSES_ROOT\clsid\{db9d7a78-a76c-4bf2-97c6-258925ee1542}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{db9d7a78-a76c-4bf2-97c6-258925ee1542}]
2008-04-03 02:40 1523736 ----a-w- c:\program files\Reganam\tbRega.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{db9d7a78-a76c-4bf2-97c6-258925ee1542}"= "c:\program files\Reganam\tbRega.dll" [2008-04-03 1523736]

[HKEY_CLASSES_ROOT\clsid\{db9d7a78-a76c-4bf2-97c6-258925ee1542}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{DB9D7A78-A76C-4BF2-97C6-258925EE1542}"= "c:\program files\Reganam\tbRega.dll" [2008-04-03 1523736]

[HKEY_CLASSES_ROOT\clsid\{db9d7a78-a76c-4bf2-97c6-258925ee1542}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 143360]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-10-16 4347120]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-11-13 323392]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2010-02-08 2937528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-11-11 7311360]
"nwiz"="nwiz.exe" [2006-10-22 1622016]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"NvMediaCenter"="NvMCTray.dll" [2005-11-11 86016]
"RTHDCPL"="RTHDCPL.EXE" [2006-09-12 16264192]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 54832]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-12-21 1443072]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-21 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-10-10 203264]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnsc"="c:\windows\system32\msnsc.exe" [2006-01-13 62054]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="move" [X]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2006-01-13 44544]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Philips GoGear VIBE Device Manager.lnk - c:\program files\Philips\GoGear VIBE Device Manager\GoGear_Vibe_DeviceManager.exe [2010-2-7 1611152]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"d:\\Program Files\\WarcraftIII\\Warcraft III.exe"=
"c:\\Program Files\\DAP\\DAP.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"d:\\Program Files\\Garena\\Garena.exe"=
"d:\\Program Files\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Camfrog\\Camfrog Video Chat\\Camfrog Video Chat.exe"=
"d:\\Program Files\\AeriaGames\\GrandFantasia\\Launcher.exe"=
"d:\\Program Files\\AeriaGames\\GrandFantasia\\GrandFantasia.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58836:TCP"= 58836:TCP:Pando Media Booster
"58836:UDP"= 58836:UDP:Pando Media Booster

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [12/21/2007 8:21 AM 33800]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [3/20/2010 12:19 AM 108289]
R2 ekrn;Eset Service;c:\program files\Eset\ESET NOD32 Antivirus\ekrn.exe [12/21/2007 8:21 AM 468224]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1/15/2009 11:12 AM 717296]
S2 cyzwe;Boot Network;c:\windows\system32\svchost.exe -k netsvcs [1/13/2006 9:38 AM 14336]
S2 jiggqys;Boot Time;c:\windows\system32\svchost.exe -k netsvcs [1/13/2006 9:38 AM 14336]
S2 khvlat;Network Image;c:\windows\system32\svchost.exe -k netsvcs [1/13/2006 9:38 AM 14336]
S2 kpeoehigv;Driver Server;c:\windows\system32\svchost.exe -k netsvcs [1/13/2006 9:38 AM 14336]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\MARIGZA\LOCALS~1\Temp\LUZB30.tmp --> c:\docume~1\MARIGZA\LOCALS~1\Temp\LUZB30.tmp [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 NTProcDrv;Process creation detector for NT.;\??\d:\program files\ROHAN BOT\RohanBotPh1.0.4c\NtProcDrv.sys --> d:\program files\ROHAN BOT\RohanBotPh1.0.4c\NtProcDrv.sys [?]
S3 XDva326;XDva326;\??\c:\windows\system32\XDva326.sys --> c:\windows\system32\XDva326.sys [?]
S3 XDva332;XDva332;\??\c:\windows\system32\XDva332.sys --> c:\windows\system32\XDva332.sys [?]
S3 XDva337;XDva337;\??\c:\windows\system32\XDva337.sys --> c:\windows\system32\XDva337.sys [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
jiggqys
cyzwe
khvlat
kpeoehigv
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: &Clean Traces - c:\program files\DAP\Privacy Package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
FF - ProfilePath - c:\documents and settings\MARIGZA\Application Data\Mozilla\Firefox\Profiles\gur2u64u.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - component: c:\documents and settings\MARIGZA\Application Data\Mozilla\Firefox\Profiles\gur2u64u.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - component: c:\documents and settings\MARIGZA\Application Data\Mozilla\Firefox\Profiles\gur2u64u.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - component: c:\program files\DAP\DAPFireFox\components\DAPFireFox.dll
FF - plugin: c:\documents and settings\MARIGZA\Application Data\Facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\MARIGZA\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\MARIGZA\Application Data\Mozilla\Firefox\Profiles\gur2u64u.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\documents and settings\MARIGZA\Application Data\Mozilla\plugins\npcoolirisplugin.dll
FF - plugin: c:\documents and settings\MARIGZA\Local Settings\Application Data\Yahoo!\BrowserPlus\2.5.1\Plugins\npybrowserplus_2.5.1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
BHO-{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - (no file)
HKCU-Run-Uniblue RegistryBooster 2 - c:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe
ActiveSetup-{28ABC5C0-4FCB-11CF-AAX5-81CX1C635612} - c:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\msnmsngr.exe
AddRemove-CNXT_MODEM_PCI_VEN_14F1&DEV_2F30&SUBSYS_205514F1 - c:\program files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F30&SUBSYS_205514F1\HXFSETUP.EXE
AddRemove-Grand Fantasia - d:\aeriagames\GrandFantasia\Uninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-20 09:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\MARIGZA\LOCALS~1\Temp\LUZB30.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\cyzwe]
"ServiceDll"="c:\windows\system32\ylxjyr.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\jiggqys]
"ServiceDll"="c:\windows\system32\ylxjyr.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\khvlat]
"ServiceDll"="c:\windows\system32\ylxjyr.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\kpeoehigv]
"ServiceDll"="c:\windows\system32\ylxjyr.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1004336348-1715567821-682003330-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:2c,33,44,b6,ff,26,63,a9,4f,1b,0e,6b,2d,31,9f,c4,fe,75,26,07,ec,33,21,
f3,28,d6,5e,54,72,5f,70,2d,3a,c0,f9,e6,3b,fa,9b,24,af,9d,2d,91,77,b8,ff,f8,\
"??"=hex:f1,1a,e6,19,68,b8,45,98,60,b3,e6,36,3e,2d,7a,b4
.
Completion time: 2010-03-20 09:42:43
ComboFix-quarantined-files.txt 2010-03-20 01:42

Pre-Run: 17,774,342,144 bytes free
Post-Run: 17,732,968,448 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - 85D1B13880C116C02B1150FBEB2AF59A

9 Re: BDS.small.iuj on Fri Mar 19, 2010 9:58 pm

rinmueru


Member
Member
Oh, another thing.. I'm using a partitioned drive. I was just wondering if my drive D is also included in the scans?

10 Re: BDS.small.iuj on Fri Mar 19, 2010 11:01 pm

DragonMaster Jay


Site Owner
Site Owner
Might not be. Will scan that with MBAM later.

=============

Re-running ComboFix to remove infections:

  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the box below into it:
    killall::
    Snapshot::
    Registry::
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "msnsc"=-

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "nlsf"=-

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "58836:TCP"=-
    "58836:UDP"=-

    [-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\GarenaPEngine]

    [-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\cyzwe]

    [-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\jiggqys]

    [-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\khvlat]

    [-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\kpeoehigv]

    File::
    c:\documents and settings\MARIGZA\Local Settings\Temp\LUZB30.tmp
    c:\windows\system32\msnsc.exe
    c:\windows\system32\XDva326.sys
    c:\windows\system32\XDva337.sys
    c:\windows\system32\XDva332.sys

    NetSvc::
    GarenaPEngine
    XDva326
    XDva337
    XDva332
    jiggqys
    cyzwe
    khvlat
    kpeoehigv

    Rootkit::

    ADS::

    Reboot::
  • Save this as CFScript.txt, in the same location as ComboFix.exe



  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.


===


  • Make sure to use Internet Explorer for this
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:


    • c:\windows\system32\svchost.exe


  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.


=====

Please make sure the ComboFix log and the VirSCAN URL are posted in your next reply.


..........................................................
DragonMaster Jay
Administrative Director SecuraGeek Association
Advanced Malware Analysts Group Owner


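The four svchost-hosted services in the log above (cyzwe, jiggqys, khvlat, kpeoehigv) are all registered with the same ServiceDll, c:\windows\system32\ylxjyr.dll, under svchost.exe -k netsvcs, and the CFScript removes them twice over: by deleting each service key and by listing the names under NetSvc::. The Python below is an added example for this thread, not part of ComboFix or of either poster's instructions. It takes the relevant lines of the ComboFix log (copied inline as constructed sample input), joins the "S2 name;display;image" service list with the trailing ServiceDll registry dump, flags any DLL that more than one hosted service points at, and emits the Registry::/NetSvc:: lines in the form used in the script above. The ControlSet number and key layout are taken from the log as shown; on a live machine the same value lives in HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters\ServiceDll and the group membership in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost.

```python
"""Triage svchost-hosted services from a ComboFix log (added example, not ComboFix code)."""
import re
from collections import defaultdict

# Constructed sample input: the relevant lines copied from the ComboFix log
# posted in this thread (service list plus the trailing registry dump).
SAMPLE_LOG = r"""
R2 ekrn;Eset Service;c:\program files\Eset\ESET NOD32 Antivirus\ekrn.exe [12/21/2007 8:21 AM 468224]
S2 cyzwe;Boot Network;c:\windows\system32\svchost.exe -k netsvcs [1/13/2006 9:38 AM 14336]
S2 jiggqys;Boot Time;c:\windows\system32\svchost.exe -k netsvcs [1/13/2006 9:38 AM 14336]
S2 khvlat;Network Image;c:\windows\system32\svchost.exe -k netsvcs [1/13/2006 9:38 AM 14336]
S2 kpeoehigv;Driver Server;c:\windows\system32\svchost.exe -k netsvcs [1/13/2006 9:38 AM 14336]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\cyzwe]
"ServiceDll"="c:\windows\system32\ylxjyr.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\jiggqys]
"ServiceDll"="c:\windows\system32\ylxjyr.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\khvlat]
"ServiceDll"="c:\windows\system32\ylxjyr.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\kpeoehigv]
"ServiceDll"="c:\windows\system32\ylxjyr.dll"
"""

# "S2 name;display;image [date size]" : start type, service name, display name, image path
SERVICE_LINE = re.compile(
    r'^([RS]\d)\s+([^;\n]+);([^;\n]*);(.+?)\s*\[[^\]\n]*\]\s*$', re.M)
# "[HKLM\System\ControlSetNNN\Services\name]" followed by a "ServiceDll" value
SERVICEDLL_BLOCK = re.compile(
    r'^\[(HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\([^\]\\\n]+))\]'
    r'\s*"ServiceDll"="([^"\n]+)"', re.M | re.I)
HOST_GROUP = re.compile(r'svchost\.exe\s+-k\s+(\S+)', re.I)


def hosted_services(log):
    """svchost-hosted services from the service list lines -> {name: info}."""
    found = {}
    for start, name, display, image in SERVICE_LINE.findall(log):
        m = HOST_GROUP.search(image)
        if m:  # only services whose ImagePath is svchost.exe -k <group>
            found[name] = {'start': start, 'display': display, 'group': m.group(1).lower()}
    return found


def servicedll_entries(log):
    """ServiceDll values from the registry dump -> {name: (key_path, dll_lowercase)}."""
    return {name: (key, dll.lower()) for key, name, dll in SERVICEDLL_BLOCK.findall(log)}


def dll_usage(log):
    """Map each ServiceDll to the hosted service names registered for it, in log order."""
    dlls = servicedll_entries(log)
    by_dll = defaultdict(list)
    for name in hosted_services(log):
        if name in dlls:
            by_dll[dlls[name][1]].append(name)
    return dict(by_dll)


def suspicious_services(log):
    """Names whose ServiceDll is shared by more than one hosted service.

    Legitimate netsvcs members each have their own DLL; one DLL behind several
    throw-away names with generic display names ('Boot Network', 'Network Image')
    is the persistence pattern the thread's CFScript removes."""
    return sorted(name for names in dll_usage(log).values() if len(names) > 1 for name in names)


def cfscript_lines(log):
    """Registry:: and NetSvc:: lines for the flagged services, in CFScript form."""
    dlls = servicedll_entries(log)
    names = suspicious_services(log)
    lines = ['Registry::']
    for name in names:
        lines.append('[-%s]' % dlls[name][0])  # leading '-' deletes the whole key
        lines.append('')
    lines.append('NetSvc::')
    lines.extend(names)
    return lines


if __name__ == '__main__':
    for dll, names in dll_usage(SAMPLE_LOG).items():
        print('%s <- %s' % (dll, ', '.join(names)))
    print('\n'.join(cfscript_lines(SAMPLE_LOG)))
```

Run it as a script to print the DLL-to-service mapping and the generated script lines; the npggsvc and ekrn entries are ignored because they are not hosted by svchost.exe. The join on service name matters: a ServiceDll value alone does not say which host group loads it, and the group name is what decides whether the DLL is loaded into the same svchost.exe as the networking services.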

11 Re: BDS.small.iuj on Sat Mar 20, 2010 12:35 am

rinmueru


Member
Member
Thanks man, just want to make sure that all of my drives are free from malware..

Anyway, here's the ComboFix log

ComboFix 10-03-19.06 - MARIGZA 03/20/2010 12:04:14.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.305 [GMT 8:00]
Running from: c:\documents and settings\MARIGZA\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\MARIGZA\Desktop\CFscript.txt.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

FILE ::
"c:\documents and settings\MARIGZA\Local Settings\Temp\LUZB30.tmp"
"c:\windows\system32\msnsc.exe"
"c:\windows\system32\XDva326.sys"
"c:\windows\system32\XDva332.sys"
"c:\windows\system32\XDva337.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\msnsc.exe

.
((((((((((((((((((((((((( Files Created from 2010-02-20 to 2010-03-20 )))))))))))))))))))))))))))))))
.

2010-03-20 02:38 . 2010-03-20 02:38 25 ----a-w- c:\windows\popcinfot.dat
2010-03-20 02:21 . 2010-03-20 02:21 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap Games
2010-03-19 16:19 . 2009-03-30 01:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-03-19 16:19 . 2009-02-13 03:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-03-19 16:19 . 2009-02-13 03:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-03-19 16:19 . 2010-03-19 16:19 -------- d-----w- c:\program files\Avira
2010-03-19 16:19 . 2010-03-19 16:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-03-19 15:11 . 2010-03-19 15:11 -------- d-----w- C:\_OTL
2010-03-18 18:49 . 2008-04-14 00:12 1033728 ----a-w- c:\windows\explorer.exe
2010-03-18 13:41 . 2010-03-20 02:07 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-03-12 01:48 . 2010-03-12 01:48 503808 ----a-w- c:\documents and settings\MARIGZA\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3891a76f-n\msvcp71.dll
2010-03-12 01:48 . 2010-03-12 01:48 499712 ----a-w- c:\documents and settings\MARIGZA\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3891a76f-n\jmc.dll
2010-03-12 01:48 . 2010-03-12 01:48 348160 ----a-w- c:\documents and settings\MARIGZA\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3891a76f-n\msvcr71.dll
2010-03-12 01:48 . 2010-03-12 01:48 61440 ----a-w- c:\documents and settings\MARIGZA\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2f8e8348-n\decora-sse.dll
2010-03-12 01:48 . 2010-03-12 01:48 12800 ----a-w- c:\documents and settings\MARIGZA\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2f8e8348-n\decora-d3d.dll
2010-03-11 12:01 . 2010-03-11 12:01 -------- d-----w- c:\documents and settings\MARIGZA\Local Settings\Application Data\WMTools Downloaded Files
2010-03-10 04:27 . 2009-10-23 14:27 3555328 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-03-06 05:30 . 2010-03-06 05:30 5582848 ----a-w- c:\documents and settings\MARIGZA\Application Data\Facebook\npfbplugin_1_0_3.dll
2010-02-24 11:15 . 2010-02-24 11:16 1923768 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2010-02-20 03:25 . 2006-01-06 07:52 5632 ----a-w- c:\windows\system32\ptpusb.dll
2010-02-20 03:25 . 2006-01-06 07:53 159232 ----a-w- c:\windows\system32\ptpusd.dll
2010-02-20 03:25 . 2006-01-06 07:53 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-20 04:14 . 2009-04-24 03:22 -------- d-----w- c:\program files\DNA
2010-03-20 04:14 . 2009-04-24 03:22 -------- d-----w- c:\documents and settings\MARIGZA\Application Data\DNA
2010-03-20 01:18 . 2008-08-10 16:36 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-18 05:34 . 2010-02-09 12:56 50354 ----a-w- c:\documents and settings\MARIGZA\Application Data\Facebook\uninstall.exe
2010-03-18 05:34 . 2010-02-09 12:56 -------- d-----w- c:\documents and settings\MARIGZA\Application Data\Facebook
2010-03-12 01:47 . 2008-08-17 08:44 -------- d-----w- c:\program files\Java
2010-03-10 05:00 . 2008-08-10 09:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-03-06 23:58 . 2008-08-17 08:46 -------- d-----w- c:\documents and settings\MARIGZA\Application Data\LimeWire
2010-03-01 12:33 . 2008-08-10 12:52 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2010-02-25 12:19 . 2009-07-17 11:11 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-02-20 14:19 . 2009-01-03 15:15 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-02-15 13:32 . 2008-08-14 10:51 -------- d-----w- c:\documents and settings\MARIGZA\Application Data\U3
2010-02-14 14:53 . 2010-02-14 04:29 96 ---ha-w- c:\windows\system32\HsInfo.dat
2010-02-14 13:10 . 2010-02-01 14:21 -------- d-----w- c:\program files\NCP6
2010-02-14 01:22 . 2010-02-08 08:25 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2010-02-08 08:22 . 2010-02-08 08:22 -------- d-----w- c:\program files\Pando Networks
2010-02-07 04:42 . 2010-02-07 04:34 -------- d-----w- c:\documents and settings\MARIGZA\Application Data\ArcSoft
2010-02-07 04:38 . 2010-02-07 04:34 -------- d-----w- c:\documents and settings\All Users\Application Data\ArcSoft
2010-02-07 04:37 . 2008-08-07 12:36 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-07 04:34 . 2010-02-07 04:34 -------- d-----w- c:\program files\Common Files\ArcSoft
2010-02-07 04:34 . 2010-02-07 04:34 -------- d-----w- c:\program files\ArcSoft
2010-02-07 04:31 . 2010-02-07 04:31 -------- d-----w- c:\program files\Philips
2010-02-01 22:04 . 2010-02-01 22:04 847040 ----a-w- c:\documents and settings\MARIGZA\Application Data\Facebook\axfbootloader.dll
2010-02-01 22:04 . 2010-02-01 22:04 5578752 ----a-w- c:\documents and settings\MARIGZA\Application Data\Facebook\npfbplugin_1_0_1.dll
2010-01-23 08:39 . 2008-08-10 16:35 -------- d-----w- c:\program files\Google
2010-01-23 08:04 . 2009-12-14 04:39 -------- d-----w- c:\program files\Common Files\Akamai
2010-01-21 07:54 . 2009-04-24 03:22 -------- d-----w- c:\documents and settings\MARIGZA\Application Data\BitTorrent
2010-01-08 15:20 . 2010-01-08 15:20 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2010-01-08 15:20 . 2010-01-08 15:20 109080 ----a-w- c:\windows\system32\OpenAL32.dll
2010-01-06 04:08 . 2010-01-18 23:41 4726272 ----a-w- c:\documents and settings\MARIGZA\Application Data\Mozilla\Firefox\Profiles\gur2u64u.default\extensions\piclens@cooliris.com\libs\cooliris190.dll
2010-01-06 04:08 . 2010-01-18 23:41 103424 ----a-w- c:\documents and settings\MARIGZA\Application Data\Mozilla\Firefox\Profiles\gur2u64u.default\extensions\piclens@cooliris.com\libs\pixomatic.dll
2010-01-06 04:08 . 2010-01-18 23:41 57856 ----a-w- c:\documents and settings\MARIGZA\Application Data\Mozilla\Firefox\Profiles\gur2u64u.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
2010-01-06 04:08 . 2010-01-18 23:41 545280 ----a-w- c:\documents and settings\MARIGZA\Application Data\Mozilla\Firefox\Profiles\gur2u64u.default\extensions\piclens@cooliris.com\libs\PicLensHelper.exe
2010-01-06 04:08 . 2010-01-18 23:41 4725760 ----a-w- c:\documents and settings\MARIGZA\Application Data\Mozilla\Firefox\Profiles\gur2u64u.default\extensions\piclens@cooliris.com\libs\cooliris192.dll
2010-01-06 04:08 . 2010-01-18 23:40 344064 ----a-w- c:\documents and settings\MARIGZA\Application Data\Mozilla\Firefox\Profiles\gur2u64u.default\extensions\piclens@cooliris.com\libs\LaunchCooliris.exe
2010-01-06 04:08 . 2010-01-18 23:40 153600 ----a-w- c:\documents and settings\MARIGZA\Application Data\Mozilla\Firefox\Profiles\gur2u64u.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
2010-01-05 10:00 . 2006-01-13 01:26 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2006-01-13 01:55 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2006-01-13 01:47 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-31 15:06 . 2006-01-13 01:49 352640 ----a-w- c:\windows\system32\drivers\srv.sys
.

------- Sigcheck -------

[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{F4F10C1D-87C7-404A-B4B3-000000000000}"= "c:\progra~1\DAP\SBSearch.dll" [2008-08-10 32768]
"{DB9D7A78-A76C-4BF2-97C6-258925EE1542}"= "c:\program files\Reganam\tbRega.dll" [2008-04-03 1523736]

[HKEY_CLASSES_ROOT\clsid\{f4f10c1d-87c7-404a-b4b3-000000000000}]
[HKEY_CLASSES_ROOT\SearchHook.SrchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{95EFB171-F3DF-4BEC-9EF7-829A800203E6}]
[HKEY_CLASSES_ROOT\SearchHook.SrchHook]

[HKEY_CLASSES_ROOT\clsid\{db9d7a78-a76c-4bf2-97c6-258925ee1542}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{db9d7a78-a76c-4bf2-97c6-258925ee1542}]
2008-04-03 02:40 1523736 ----a-w- c:\program files\Reganam\tbRega.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{db9d7a78-a76c-4bf2-97c6-258925ee1542}"= "c:\program files\Reganam\tbRega.dll" [2008-04-03 1523736]

[HKEY_CLASSES_ROOT\clsid\{db9d7a78-a76c-4bf2-97c6-258925ee1542}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{DB9D7A78-A76C-4BF2-97C6-258925EE1542}"= "c:\program files\Reganam\tbRega.dll" [2008-04-03 1523736]

[HKEY_CLASSES_ROOT\clsid\{db9d7a78-a76c-4bf2-97c6-258925ee1542}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 143360]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-10-16 4347120]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-11-13 323392]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2010-02-08 2937528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-11-11 7311360]
"nwiz"="nwiz.exe" [2006-10-22 1622016]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"NvMediaCenter"="NvMCTray.dll" [2005-11-11 86016]
"RTHDCPL"="RTHDCPL.EXE" [2006-09-12 16264192]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 54832]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-12-21 1443072]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-21 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-10-10 203264]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2006-01-13 44544]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Philips GoGear VIBE Device Manager.lnk - c:\program files\Philips\GoGear VIBE Device Manager\GoGear_Vibe_DeviceManager.exe [2010-2-7 1611152]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"d:\\Program Files\\WarcraftIII\\Warcraft III.exe"=
"c:\\Program Files\\DAP\\DAP.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"d:\\Program Files\\Garena\\Garena.exe"=
"d:\\Program Files\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Camfrog\\Camfrog Video Chat\\Camfrog Video Chat.exe"=
"d:\\Program Files\\AeriaGames\\GrandFantasia\\Launcher.exe"=
"d:\\Program Files\\AeriaGames\\GrandFantasia\\GrandFantasia.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1/15/2009 11:12 AM 717296]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [12/21/2007 8:21 AM 33800]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [3/20/2010 12:19 AM 108289]
R2 ekrn;Eset Service;c:\program files\Eset\ESET NOD32 Antivirus\ekrn.exe [12/21/2007 8:21 AM 468224]
S2 cyzwe;Boot Network;c:\windows\system32\svchost.exe -k netsvcs [1/13/2006 9:38 AM 14336]
S2 jiggqys;Boot Time;c:\windows\system32\svchost.exe -k netsvcs [1/13/2006 9:38 AM 14336]
S2 khvlat;Network Image;c:\windows\system32\svchost.exe -k netsvcs [1/13/2006 9:38 AM 14336]
S2 kpeoehigv;Driver Server;c:\windows\system32\svchost.exe -k netsvcs [1/13/2006 9:38 AM 14336]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 NTProcDrv;Process creation detector for NT.;\??\d:\program files\ROHAN BOT\RohanBotPh1.0.4c\NtProcDrv.sys --> d:\program files\ROHAN BOT\RohanBotPh1.0.4c\NtProcDrv.sys [?]
S3 XDva326;XDva326;\??\c:\windows\system32\XDva326.sys --> c:\windows\system32\XDva326.sys [?]
S3 XDva332;XDva332;\??\c:\windows\system32\XDva332.sys --> c:\windows\system32\XDva332.sys [?]
S3 XDva337;XDva337;\??\c:\windows\system32\XDva337.sys --> c:\windows\system32\XDva337.sys [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: &Clean Traces - c:\program files\DAP\Privacy Package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
FF - ProfilePath - c:\documents and settings\MARIGZA\Application Data\Mozilla\Firefox\Profiles\gur2u64u.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - component: c:\documents and settings\MARIGZA\Application Data\Mozilla\Firefox\Profiles\gur2u64u.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - component: c:\documents and settings\MARIGZA\Application Data\Mozilla\Firefox\Profiles\gur2u64u.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - component: c:\program files\DAP\DAPFireFox\components\DAPFireFox.dll
FF - plugin: c:\documents and settings\MARIGZA\Application Data\Facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\MARIGZA\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\MARIGZA\Application Data\Mozilla\Firefox\Profiles\gur2u64u.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\documents and settings\MARIGZA\Application Data\Mozilla\plugins\npcoolirisplugin.dll
FF - plugin: c:\documents and settings\MARIGZA\Local Settings\Application Data\Yahoo!\BrowserPlus\2.5.1\Plugins\npybrowserplus_2.5.1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-20 12:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x833DD1F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf87bafc3
\Driver\ACPI -> ACPI.sys @ 0xf8615cb8
\Driver\atapi -> 0x833dd1f8
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e4d6d
ParseProcedure -> ntoskrnl.exe @ 0x8057c2d5
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e4d6d
ParseProcedure -> ntoskrnl.exe @ 0x8057c2d5
NDIS: VIA Rhine II Fast Ethernet Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf84b4ba0
PacketIndicateHandler -> NDIS.sys @ 0xf84c1b21
SendHandler -> NDIS.sys @ 0xf849f87b
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\cyzwe]
"ServiceDll"="c:\windows\system32\ylxjyr.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\jiggqys]
"ServiceDll"="c:\windows\system32\ylxjyr.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\khvlat]
"ServiceDll"="c:\windows\system32\ylxjyr.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\kpeoehigv]
"ServiceDll"="c:\windows\system32\ylxjyr.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1004336348-1715567821-682003330-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:2c,33,44,b6,ff,26,63,a9,4f,1b,0e,6b,2d,31,9f,c4,fe,75,26,07,ec,33,21,
f3,28,d6,5e,54,72,5f,70,2d,3a,c0,f9,e6,3b,fa,9b,24,af,9d,2d,91,77,b8,ff,f8,\
"??"=hex:f1,1a,e6,19,68,b8,45,98,60,b3,e6,36,3e,2d,7a,b4
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2520)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\RunDLL32.exe
c:\windows\RTHDCPL.EXE
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2010-03-20 12:20:39 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-20 04:20
ComboFix2.txt 2010-03-20 01:42

Pre-Run: 17,707,773,952 bytes free
Post-Run: 17,672,753,152 bytes free

- - End Of File - - E004361A10286B8AB35AD926719EBE11

12 Re: BDS.small.iuj on Sat Mar 20, 2010 12:37 am

rinmueru


Member
Member
And here's the VirSCAN.org log...

VirSCAN.org Scanned Report :
Scanned time : 2010/03/20 12:29:54 (CST)
Scanner results: Scanners did not find malware!
File Name : svchost.exe
File Size : 14336 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 8f078ae4ed187aaabc0a305146de6716
SHA1 : da0ff4006859a7580aba81f486f692dead2014fe
Online report : http://virscan.org/report/0834b4c702796324a1273d9055309932.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20100320063127 2010-03-20 4.72 -
AhnLab V3 2010.03.20.00 2010.03.20 2010-03-20 1.06 -
AntiVir 8.2.1.196 7.10.5.155 2010-03-19 0.43 -
Antiy 2.0.18 20100318.4019584 2010-03-18 0.12 -
Arcavir 2009 201003191407 2010-03-19 0.03 -
Authentium 5.1.1 201003191805 2010-03-19 1.32 -
AVAST! 4.7.4 100319-1 2010-03-19 0.00 -
AVG 8.5.720 271.1.1/2758 2010-03-20 0.23 -
BitDefender 7.81008.5474437 7.30851 2010-03-20 5.59 -
ClamAV 0.95.3 10600 2010-03-19 0.01 -
Comodo 3.13.579 4324 2010-03-20 1.14 -
CP Secure 1.3.0.5 2010.03.18 2010-03-18 0.04 -
Dr.Web 5.0.1.12222 2010.03.20 2010-03-20 6.09 -
F-Prot 4.4.4.56 20100319 2010-03-19 1.29 -
F-Secure 7.02.73807 2010.03.20.01 2010-03-20 0.12 -
Fortinet 4.0.14 11.600 2010-03-19 0.20 -
GData 19.10835/19.831 20100320 2010-03-20 6.82 -
ViRobot 20100319 2010.03.19 2010-03-19 0.45 -
Ikarus T3.1.01.80 2010.03.19.75438 2010-03-19 5.38 -
JiangMin 13.0.900 2010.03.19 2010-03-19 9.79 -
Kaspersky 5.5.10 2010.03.20 2010-03-20 0.08 -
KingSoft 2009.2.5.15 2010.3.19.18 2010-03-19 0.66 -
McAfee 5.3.00 5925 2010-03-19 3.77 -
Microsoft 1.5605 2010.03.20 2010-03-20 6.41 -
Norman 6.01.09 6.01.00 2010-02-10 4.01 -
Panda 9.05.01 2010.03.18 2010-03-18 2.19 -
Trend Micro 9.120-1004 6.936.08 2010-03-19 0.04 -
Quick Heal 10.00 2010.03.19 2010-03-19 1.44 -
Rising 20.0 22.39.04.05 2010-03-19 1.56 -
Sophos 3.05.4 4.51 2010-03-20 3.75 -
Sunbelt 3.9.2410.2 5983 2010-03-19 11.02 -
Symantec 1.3.0.24 20100311.002 2010-03-11 0.00 -
nProtect 20100318.01 7775972 2010-03-18 6.08 -
The Hacker 6.5.2.0 v00240 2010-03-19 0.74 -
VBA32 3.12.12.2 20100319.1007 2010-03-19 5.14 -
VirusBuster 4.5.11.10 10.122.4/2012244 2010-03-19 4.36 -

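The VirSCAN.org report above is a flat multi-engine listing, and reading it by eye hides two things a practitioner wants to check: how many engines actually flagged the file, and whether the "nothing found" verdicts come from engines whose signatures were already days old at scan time. The following parser is an added example, not code from the thread, VirSCAN.org or any tool named here. It reads the report format as pasted (header block, then one line per engine parsed from the right because scanner names such as "Trend Micro" contain spaces). The sample report is constructed from a few real lines of the thread plus one made-up engine line ("ExampleAV", result "Trojan.Generic.Constructed") so the summary has a detection to show; the stale-signature threshold of 7 days is an assumption.

```python
"""Summarise a VirSCAN.org multi-engine report (added example, not the thread's code).

Engine lines look like:
    <scanner name> <engine ver> <sig ver> <sig date YYYY-MM-DD> <seconds> <result>
A result of "-" means the engine reported nothing.
"""
import hashlib
import re
from datetime import date, timedelta

_DATE = re.compile(r"\d{4}-\d{2}-\d{2}$")

# Constructed sample: real lines from the thread plus one made-up detection line.
SAMPLE_REPORT = """\
VirSCAN.org Scanned Report :
Scanned time : 2010/03/20 12:29:54 (CST)
File Name : svchost.exe
File Size : 14336 byte
MD5 : 8f078ae4ed187aaabc0a305146de6716
SHA1 : da0ff4006859a7580aba81f486f692dead2014fe

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20100320063127 2010-03-20 4.72 -
Trend Micro 9.120-1004 6.936.08 2010-03-19 0.04 -
Norman 6.01.09 6.01.00 2010-02-10 4.01 -
Symantec 1.3.0.24 20100311.002 2010-03-11 0.00 -
ExampleAV 1.0.0 20100320 2010-03-20 0.50 Trojan.Generic.Constructed
"""


def _parse_engine_line(line):
    """Split one engine line, anchoring on the signature-date token."""
    tokens = line.split()
    idx = next((i for i, t in enumerate(tokens) if _DATE.match(t)), None)
    # Need name + engine ver + sig ver before the date, time + result after it.
    if idx is None or idx < 3 or len(tokens) < idx + 3:
        return None
    return {
        "scanner": " ".join(tokens[: idx - 2]),
        "engine": tokens[idx - 2],
        "sigs": tokens[idx - 1],
        "sig_date": date.fromisoformat(tokens[idx]),
        "seconds": float(tokens[idx + 1]),
        "result": " ".join(tokens[idx + 2:]),
    }


def parse_report(text):
    """Return file metadata, scan date and the per-engine rows of a pasted report."""
    report = {"file_name": None, "md5": None, "sha1": None, "scanned": None, "rows": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("File Name :"):
            report["file_name"] = line.split(":", 1)[1].strip()
        elif line.startswith("MD5 :"):
            report["md5"] = line.split(":", 1)[1].strip().lower()
        elif line.startswith("SHA1 :"):
            report["sha1"] = line.split(":", 1)[1].strip().lower()
        elif line.startswith("Scanned time :"):
            # "2010/03/20 12:29:54 (CST)" -> calendar date of the scan
            ymd = line.split(":", 1)[1].strip().split()[0]
            y, m, d = (int(p) for p in ymd.split("/"))
            report["scanned"] = date(y, m, d)
        else:
            row = _parse_engine_line(line)
            if row:
                report["rows"].append(row)
    return report


def summarize(report, stale_days=7):
    """Detection ratio, detecting engines, and engines whose signatures were stale."""
    rows = report["rows"]
    detections = [(r["scanner"], r["result"]) for r in rows if r["result"] != "-"]
    cutoff = report["scanned"] - timedelta(days=stale_days) if report["scanned"] else None
    stale = [r["scanner"] for r in rows if cutoff and r["sig_date"] < cutoff]
    return {
        "engines": len(rows),
        "detections": detections,
        "stale": stale,
        "ratio": f"{len(detections)}/{len(rows)}",
    }


def hashes_match(data, report):
    """True if a local file's MD5 and SHA1 both equal the hashes in the report."""
    return (hashlib.md5(data).hexdigest() == report["md5"]
            and hashlib.sha1(data).hexdigest() == report["sha1"])


if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    print(rep["file_name"], rep["md5"])
    print(summarize(rep))
```

`hashes_match` is there so the local copy can be tied to the uploaded one: a clean verdict on a file whose hash differs from the one on disk says nothing about the file on disk. For the thread's own svchost.exe report every engine returned "-", so the only output of interest would be the stale list.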
13 Re: BDS.small.iuj on Sat Mar 20, 2010 8:06 am

DragonMaster Jay
Site Owner
From the log:
Warning: possible MBR rootkit infection


You have a bad rootkit infection. Please work on this situation seriously, as this infection causes issues with your master boot record, and if not removed as soon as possible, the computer will eventually cease to boot.

Please download and save HelpAsst_mebroot_fix.exe
  • Double click to run the tool.
  • When complete, run mbr -f then reboot.
  • After reboot, provide the MBR log from the scan below:

    Please download Stealth MBR Rootkit Detector by GMER from GMER.net, and save to your Desktop.
    • Double-click mbr.exe to start the program.
    • When done scanning, it will save a log on the Desktop called mbr.log.
    • Please post the contents of that log in your next reply.


..........................................................
DragonMaster Jay
Administrative Director SecuraGeek Association
Advanced Malware Analysts Group Owner


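The post above is about a rootkit that lives in the master boot record, and the GMER tool it asks for reports whether the MBR read from user mode and from the kernel agree and whether the sector looks sane. The block below is an added example written for this thread, not code from GMER, HelpAsst or any other tool mentioned here. It parses a 512-byte MBR image (boot code, four partition entries, 0x55AA signature), compares the boot-code hash against a recorded baseline, flags obvious inconsistencies, and reports the byte offsets at which two independent reads of the same sector differ. The MBR images are constructed in memory (filler boot code, one NTFS-type partition); reading the live sector from a physical drive is deliberately left out.

```python
"""Parse and integrity-check a classic 512-byte MBR (added example, not GMER's code).

Layout:
  0x000-0x1BD  boot code      (the part an MBR bootkit such as Mebroot overwrites)
  0x1BE-0x1FD  four 16-byte partition entries
  0x1FE-0x1FF  boot signature 0x55 0xAA
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 0x1BE
ENTRY_OFFSET = 0x1BE
ENTRY_SIZE = 16


def parse_mbr(mbr):
    """Return signature status, boot-code hash and the non-empty partition entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    signature_ok = mbr[0x1FE:0x200] == b"\x55\xAA"
    partitions = []
    for i in range(4):
        off = ENTRY_OFFSET + i * ENTRY_SIZE
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype == 0:
            continue
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_ok": signature_ok,
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(mbr, baseline_boot_sha256=None):
    """List findings; an empty list means nothing suspicious was seen."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if baseline_boot_sha256 and info["boot_code_sha256"] != baseline_boot_sha256:
        findings.append("boot code differs from recorded baseline")
    if sum(p["bootable"] for p in info["partitions"]) > 1:
        findings.append("more than one partition marked active")
    for p in info["partitions"]:
        if p["lba_start"] == 0 or p["sectors"] == 0:
            findings.append(f"partition {p['index']} has zero start or size")
    return findings


def differing_offsets(read_a, read_b):
    """Offsets where two reads of the same sector disagree (GMER-style user/kernel check)."""
    return [i for i, (x, y) in enumerate(zip(read_a, read_b)) if x != y]


def build_sample_mbr(patch=None):
    """Construct a synthetic MBR: filler boot code, one NTFS-type partition, valid signature.

    `patch` overwrites the first bytes of the boot code to simulate a modified sector.
    """
    boot = bytes((i * 7) & 0xFF for i in range(BOOT_CODE_LEN))
    if patch is not None:
        boot = patch + boot[len(patch):]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 63, 2048)
    table = entry + b"\x00" * (3 * ENTRY_SIZE)
    return boot + table + b"\x55\xAA"


if __name__ == "__main__":
    clean = build_sample_mbr()
    baseline = parse_mbr(clean)["boot_code_sha256"]
    tampered = build_sample_mbr(patch=b"\xEB\x58\x90")
    print("clean:", check_mbr(clean, baseline))
    print("tampered:", check_mbr(tampered, baseline))
    print("differs at:", differing_offsets(clean, tampered))
```

The baseline hash is the useful part for defence: record it while the machine is known-good, and a later mismatch on the boot code (with the partition table unchanged) is exactly the pattern a bootkit produces. A disagreement between two reads of the same sector taken through different paths is the other signal, since a rootkit that filters one path has to leave the other one showing the truth.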

14 Re: BDS.small.iuj on Sat Mar 20, 2010 10:49 am

rinmueru
Member
Sir Jay, the HelpAsst_mebroot_fix.exe seems to be a dead link

Not Found

The requested URL /downloads/beta/new/HelpAsst_mebroot_fix.exe was not found on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

Apache/2.2.15 (CentOS) mod_ssl/2.2.15 0.9.8l DAV/2 mod_auth_passthrough/2.1 FrontPage/5.0.2.2635 Server at noahdfear.net Port 80

I tried to Google it, but all of the links I tried are the same..

15 Re: BDS.small.iuj on Sat Mar 20, 2010 11:04 am

rinmueru
Member
Anyway, here's the Stealth MBR rootkit detector log..

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
