Author Topic: New threat found  (Read 16659 times)


Offline essexboy

Re: New threat found
« Reply #15 on: August 26, 2010, 08:21:43 PM »
Hi, let's have a look-see. Could you attach the three logs please?

Hi there, let me see what you have.

GMER Rootkit Scanner - Download - Homepage
  • Download GMER
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe.

  • If it gives you a warning about rootkit activity and asks if you want to run a full scan, click on NO, then use the following settings for a more complete scan:
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)

  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt" 
  • Save the log where you can easily find it, such as your desktop.
**Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
Please copy and paste the report into your post.

THEN

Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select Scan all users
  • Under the Custom Scan box paste this in

netsvcs
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%systemroot%\AppPatch\Custom\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
/md5start
explorer.exe
winlogon.exe
/md5stop
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%PROGRAMFILES%\Mozilla Firefox\firefox.exe /md5
%PROGRAMFILES%\Internet Explorer\iexplore.exe /md5
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%PROGRAMFILES%\Internet Explorer\*.dat
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs


  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Post both logs.

Hermite15
Re: New threat found
« Reply #16 on: August 26, 2010, 08:31:32 PM »
Sounds like the OP is offline now... but thanks for popping in, Essexboy, he'll be back ;)
« Last Edit: August 26, 2010, 08:34:04 PM by Logos »

omidpand
Re: New threat found
« Reply #17 on: August 27, 2010, 08:00:08 AM »
To ensure you are virus-free you can do these steps:
1. Clear your temp files: http://www.piriform.com/ccleaner
2. Do a Dr.Web CureIt scan: http://www.freedrweb.com/cureit/?lng=en
3. Scan with MBAM: http://www.malwarebytes.org/mbam.php
4. Post a Hijack Hunter log in this topic: http://www.novirusthanks.org/products/hijack-hunter/
5. We will provide a cleaning script; you should run it with Threat Killer.

Logos, you just caused me:
Warning - while you were typing a new reply has been posted. You may wish to review your post.
Thanks, red is nice ;)

The hijack log is attached

SafeSurf
Re: New threat found
« Reply #18 on: August 27, 2010, 09:32:18 AM »
omidpand,

Essexboy is a Certified Malware Removal Expert. Please follow his instructions at this point, as he will be helping you with your problems. See his post. Thank you.

omidpand
Re: New threat found
« Reply #19 on: August 27, 2010, 09:44:27 AM »
@SafeSurf
Thanks

@Essexboy
I did what you said, and the 4 files are posted. The OTL file was huge, so I had to divide it in 2 parts. I'm waiting for your answer. Thanks

omidpand
Re: New threat found
« Reply #20 on: August 27, 2010, 09:45:13 AM »
The rest of the files

Offline Pondus

Re: New threat found
« Reply #21 on: August 27, 2010, 10:06:58 AM »
You may want to try Malwarebytes now, as I sent the sample to them yesterday, so it may be updated on it..... ???

Malwarebytes Anti-Malware 1.46 http://filehippo.com/download_malwarebytes_anti_malware/
Always run Update so you have the latest database before you scan.
Click the Remove Selected button to quarantine anything found.
Post the scan log here.

Offline essexboy

Re: New threat found
« Reply #22 on: August 27, 2010, 03:02:02 PM »
Hi, do you recognise these two folders? The names are nearly right but not quite. If you do not, I will have a look inside.
C:\WINDOWS\XSxS
C:\WINDOWS\System32\wins
Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    [2010/07/30 09:07:07 | 000,000,774 | ---- | M] () -- C:\Documents and Settings\FS\Start Menu\Programs\Startup\TotalAntiSpyware.lnk

    :Files
    ipconfig /flushdns /c

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
Code:
:dir
C:\WINDOWS\XSxS
C:\WINDOWS\System32\wins
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
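The check essexboy is doing by eye (a folder name that is nearly, but not quite, a legitimate Windows one) can be automated. The following Python script is an added example, not code from the thread or from SystemLook: it parses the :dir output format SystemLook writes (the sample log is constructed from that format) and compares each queried folder name against an assumed, illustrative baseline of known C:\WINDOWS folders, so a near-miss such as XSxS is reported next to the name it imitates.

```python
import re
from difflib import get_close_matches

# Constructed sample in the format SystemLook v1.0 writes for a :dir query (abridged).
SAMPLE_LOG = r"""C:\WINDOWS\XSxS - Parameters: "(none)"
---Files---
None found.
---Folders---
Manifests d----- [14:53 07/08/2010]
Yahoo Auto Updater@1.0.0.0 d----- [14:53 07/08/2010]
C:\WINDOWS\System32\wins - Parameters: "(none)"
---Folders---
None found.
-=End Of File=-
"""

HEADER = re.compile(r'^([A-Za-z]:\\.*?) - Parameters: "')  # first line of one queried path
ENTRY = re.compile(r'^(.+?)\s+[-a-z]{6,8}\s+.*\[\d\d:\d\d \d\d/\d\d/\d{4}\]$')  # "name attrs ... [hh:mm dd/mm/yyyy]"

def parse_dir_log(text):
    """Return {queried_path: {"Files": [...], "Folders": [...]}} from a SystemLook :dir log."""
    result, path, section = {}, None, None
    for line in text.splitlines():
        head = HEADER.match(line)
        if head:
            path, section = head.group(1), None
            result[path] = {"Files": [], "Folders": []}
        elif line.startswith("---") and line.endswith("---"):
            section = line.strip("-")
        elif path and section and ENTRY.match(line):
            result[path][section].append(ENTRY.match(line).group(1))
    return result

# Assumed baseline of legitimate top-level folders under C:\WINDOWS (illustrative, not exhaustive).
KNOWN = {r"C:\WINDOWS": {"WinSxS", "system32", "Fonts", "Prefetch", "Temp", "Help"}}

def flag_lookalikes(paths, known=KNOWN, cutoff=0.55):
    """Map each queried path to the known sibling its name nearly (but not exactly) matches.
    Parents with no baseline are skipped, so absence from the result is not a clean bill."""
    flagged = {}
    for path in paths:
        parent, _, name = path.rpartition("\\")
        siblings = {s.lower(): s for s in known.get(parent.upper(), ())}
        if not siblings or name.lower() in siblings:
            continue
        hit = get_close_matches(name.lower(), list(siblings), n=1, cutoff=cutoff)
        if hit:
            flagged[path] = siblings[hit[0]]
    return flagged
```

The similarity cutoff is an arbitrary choice for this example; a real baseline would be taken from a known-clean machine of the same Windows version rather than typed in by hand.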

omidpand
Re: New threat found
« Reply #23 on: August 31, 2010, 04:04:54 PM »
Code:
All processes killed
========== OTL ==========
C:\Documents and Settings\FS\Start Menu\Programs\Startup\TotalAntiSpyware.lnk moved successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\FS\My Documents\Downloads\cmd.bat deleted successfully.
C:\Documents and Settings\FS\My Documents\Downloads\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
 
[EMPTYTEMP]
 
User: All Users
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: FS
->Temp folder emptied: 72598169 bytes
->Temporary Internet Files folder emptied: 10098210 bytes
->FireFox cache emptied: 48368478 bytes
->Flash cache emptied: 641 bytes
 
User: LocalService
->Temp folder emptied: 2052424 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: NetworkService
->Temp folder emptied: 1985336 bytes
->Temporary Internet Files folder emptied: 33237 bytes
 
User: NN
->Temp folder emptied: 6788435 bytes
->Temporary Internet Files folder emptied: 29055413 bytes
->FireFox cache emptied: 52867552 bytes
->Flash cache emptied: 1095 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2162283 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 72798921 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes
 
Total Files Cleaned = 285.00 mb
 
 
[EMPTYFLASH]
 
User: All Users
 
User: Default User
 
User: FS
->Flash cache emptied: 0 bytes
 
User: LocalService
 
User: NetworkService
 
User: NN
->Flash cache emptied: 0 bytes
 
Total Flash Files Cleaned = 0.00 mb
 
Restore point Set: OTL Restore Point (0)
 
OTL by OldTimer - Version 3.2.10.0 log created on 08312010_182632

Files\Folders moved on Reboot...
C:\Documents and Settings\FS\Local Settings\Temp\~DF8717.tmp moved successfully.
C:\Documents and Settings\FS\Local Settings\Application Data\Mozilla\Firefox\Profiles\xp2qetkm.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\FS\Local Settings\Application Data\Mozilla\Firefox\Profiles\xp2qetkm.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\FS\Local Settings\Application Data\Mozilla\Firefox\Profiles\xp2qetkm.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\FS\Local Settings\Application Data\Mozilla\Firefox\Profiles\xp2qetkm.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\FS\Local Settings\Application Data\Mozilla\Firefox\Profiles\xp2qetkm.default\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\FS\Local Settings\Application Data\Mozilla\Firefox\Profiles\xp2qetkm.default\XUL.mfl moved successfully.
File\Folder C:\WINDOWS\temp\ZLT0527c.TMP not found!

Registry entries deleted on Reboot...

omidpand
Re: New threat found
« Reply #24 on: August 31, 2010, 04:20:28 PM »
Hi,
This is the result of the OTL Quick Scan for all users.
Thanks

omidpand
Re: New threat found
« Reply #25 on: August 31, 2010, 04:22:32 PM »
And this is the SystemLook log:
Code:
SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 18:51 on 31/08/2010 by FS (Administrator - Elevation successful)

========== dir ==========

C:\WINDOWS\XSxS - Parameters: "(none)"

---Files---
None found.

---Folders---
Manifests d----- [14:53 07/08/2010]
Microsoft.VC80.ATL@8.0.50727.4053 d----- [14:53 07/08/2010]
Microsoft.VC80.CRT@8.0.50727.4053 d----- [14:53 07/08/2010]
Microsoft.VC80.MFC@8.0.50727.4053 d----- [14:53 07/08/2010]
Microsoft.VC80.MFCLOC@8.0.50727.4053 d----- [14:53 07/08/2010]
Microsoft.VC80.OpenMP@8.0.50727.4053 d----- [14:53 07/08/2010]
Nullsoft.NSIS.exehead@1.0.0.0 d----- [14:53 07/08/2010]
Yahoo Auto Updater@1.0.0.0 d----- [14:53 07/08/2010]

C:\WINDOWS\System32\wins - Parameters: "(none)"

---Files---
None found.

---Folders---
None found.

-=End Of File=-

Offline essexboy

Re: New threat found
« Reply #26 on: August 31, 2010, 08:50:19 PM »
Nothing evident there - apart from two antivirus programmes, F-Prot and Avast. Did you set the proxy setting on Firefox?

 

Download ComboFix from one of these locations:
Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Offline Pondus

Re: New threat found
« Reply #27 on: August 31, 2010, 09:04:58 PM »
Quoting essexboy: "Nothing evident there - apart from two antivirus programmes, F-Prot and Avast."
A removal tool for F-Prot can be found here, #12a and #12b: http://uninstallers.blogspot.com/

omidpand
Re: New threat found
« Reply #28 on: September 01, 2010, 09:42:44 AM »
Combofix result

Offline essexboy

Re: New threat found
« Reply #29 on: September 01, 2010, 09:09:21 PM »
Hi, the Flash player was infected - but not any more.

What problems are you having now?