GenericDropper!bqn

2 posters

WiredWX Hobby Weather Tools :: Archive :: Technical Support

GenericDropper!bqn15th January 2010, 9:03 am

Did attempt to remove this myself, but it has returned.

HijackThis log is below:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:01:21, on 15/01/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\McAfee\SiteAdvisor Enterprise\McSACore.exe
C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\McAfee\Managed VirusScan\DesktopUI\XTray.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
c:\program files\cyberlink\powerdvd dx\pdvddxsrv .exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\system32\gemstrmw.exe
C:\Program Files\Common Files\Gemplus\CertReg\certreg.exe
C:\program files\quicktime\qttask .exe
c:\program files\mcafee\managed virusscan\desktopui\xtray .exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
c:\program files\mcafee\managed virusscan\agent\startmyagttry .exe
c:\program files\common files\gemplus\certreg\certreg .exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Norton Ghost\Agent\VProTray.exe
c:\program files\norton ghost\agent\vprotray .exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\hqxa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\chrisc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
c:\program files\java\jre6\bin\jusched .exe
c:\windows\system32\hqxa .exe
c:\program files\google\googletoolbarnotifier\googletoolbarnotifier .exe
c:\documents and settings\chrisc\local settings\application data\google\update\googleupdate .exe
c:\program files\siber systems\ai roboform\robotaskbaricon .exe
C:\Program Files\Avaya\IP Office\Phone Manager\PhoneManager.exe
C:\Documents and Settings\chrisc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Documents and Settings\chrisc\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe
\It-chris\c$\Documents and Settings\chrisc\Local Settings\Application Data\Autobahn\autobahn.exe
C:\Documents and Settings\chrisc\Desktop\minixp.exe
c:\program files\internet explorer\wmpscfgs.exe
c:\program files\internet explorer\wmpscfgs.exe
C:\Program Files\Avaya\IP Office\Phone Manager\SPServer.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam .exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\NOS\bin\getPlusPlus_Adobe.exe
C:\WINDOWS\system32\DllHost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://partnerpage.google.com/smallbiz.dell.com/en_uk?hl=en&client=dell-usuk&channel=uk-smb&ibd=0080815
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - C:\Program Files\McAfee\SiteAdvisor Enterprise\McIEPlg.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: ChromeFrame BHO - {ECB3C477-1A0A-44BD-BB57-78F9EFE34FA7} - C:\Program Files\Google\Chrome Frame\Application\4.0.266.0\npchrome_tab.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - C:\Program Files\McAfee\SiteAdvisor Enterprise\McIEPlg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [8169Diag] C:\Program Files\Realtek\Diagnostics Utility\8169Diag.exe /hw
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [MVS Splash] "C:\Program Files\McAfee\Managed VirusScan\DesktopUI\XTray.exe"
O4 - HKLM\..\Run: [McAfee Managed Services Tray] "C:\Program Files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [gemstrmw] C:\WINDOWS\system32\gemstrmw.exe /r
O4 - HKLM\..\Run: [CertReg] C:\Program Files\Common Files\Gemplus\CertReg\certreg.exe
O4 - HKLM\..\Run: [QuickTime Task] "c:\program files\quicktime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Norton Ghost 14.0] "C:\Program Files\Norton Ghost\Agent\VProTray.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [hqxa] C:\WINDOWS\system32\hqxa.exe \u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\chrisc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: autobahn.lnk = Documents and Settings\chrisc\Local Settings\Application Data\Autobahn\autobahn.exe
O4 - Startup: Shortcut to minixp.lnk = C:\Documents and Settings\chrisc\Desktop\minixp.exe
O4 - Global Startup: PhoneManager.lnk = C:\Program Files\Avaya\IP Office\Phone Manager\PhoneManager.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .csd: C:\Program Files\Gemplus\eSigner\Plugin\Npcsig.dll
O12 - Plugin for .i4t: C:\Program Files\Gemplus\eSigner\Plugin\Npcsig.dll
O15 - Trusted Zone: http://*.mcafee.com
O15 - Trusted Zone: http://*.mcafee.com (HKLM)
O15 - Trusted Zone: http://betavscan.mcafeeasap.com (HKLM)
O15 - Trusted Zone: http://vs.mcafeeasap.com (HKLM)
O15 - Trusted Zone: http://www.mcafeeasap.com (HKLM)
O15 - Trusted Zone: http://www.siteadvisor.com (HKLM)
O15 - ESC Trusted Zone: http://*.mcafee.com (HKLM)
O15 - ESC Trusted Zone: http://betavscan.mcafeeasap.com (HKLM)
O15 - ESC Trusted Zone: http://vs.mcafeeasap.com (HKLM)
O15 - ESC Trusted Zone: http://www.mcafeeasap.com (HKLM)
O15 - ESC Trusted Zone: http://www.siteadvisor.com (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_srl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1219141943705
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - https://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-29-0.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {F5131C24-E56D-11CF-B78A-444553540000} (Ikonic Menu Control) - https://wc.wachovia.com/common/cab/ikcntrls.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Brannan.local
O17 - HKLM\Software\..\Telephony: DomainName = Brannan.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Brannan.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Brannan.local
O18 - Protocol hijack: cf - {9875BFAF-B04D-445E-8A69-BE36838CDE3E}
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - C:\Program Files\McAfee\SiteAdvisor Enterprise\McIEPlg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - C:\Program Files\McAfee\SiteAdvisor Enterprise\McIEPlg.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Amdosvce - Advanced Micro Devices, Inc. - (no file)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: CardServer - Unknown owner - C:\Program.exe (file missing)
O23 - Service: EngineServer - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee SiteAdvisor Enterprise Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor Enterprise\McSACore.exe
O23 - Service: McShield - McAfee, Inc. - C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
O23 - Service: McAfee Virus and Spyware Protection Service (myAgtSvc) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SymSnapService - Symantec - C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe

--
End of file - 16424 bytes

Re: GenericDropper!bqn15th January 2010, 1:22 pm

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix when you've accomplished that.

Re: GenericDropper!bqn16th January 2010, 7:13 pm

Hi again. Having trouble getting this to download. McAfee seems not to like it and blocks it form downloading. Any tips on disabling the Av software?

EDIT: Found the setting. Ill poist the Combo Fox log soon

Re: GenericDropper!bqn16th January 2010, 7:31 pm

ComboFix 10-01-16.01 - chrisc 16/01/2010 19:22:48.1.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1270 [GMT 0:00]
Running from: c:\documents and settings\chrisc\Desktop\ComboFix.exe
AV: Total Protection Service *On-access scanning disabled* (Updated) {8C354827-2F54-4E28-90DC-AD391E77808C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\program files\Extension Changer\extmain.exe
c:\program files\Internet Explorer\wmpscfgs.exe
c:\windows\patchw32.dll
c:\windows\pw32a.dll
c:\windows\system32\0023.DLL
c:\windows\system32\ctfmon .exe
c:\windows\system32\install.exe
c:\windows\system32\mobsync .exe
c:\windows\system32\WORK.DAT

----- BITS: Possible infected sites -----

hxxp://updates.swarmcast.net
.
((((((((((((((((((((((((( Files Created from 2009-12-16 to 2010-01-16 )))))))))))))))))))))))))))))))
.

2010-01-16 19:23 . 2010-01-16 19:23 4 ----a-w- c:\program files\124664640.dat
2010-01-15 09:02 . 2009-11-20 11:08 38784 ----a-w- c:\documents and settings\chrisc\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-01-15 09:01 . 2010-01-15 09:01 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-01-15 09:01 . 2010-01-15 09:01 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-01-15 09:00 . 2010-01-16 19:19 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-01-14 16:59 . 2010-01-14 16:59 4 ----a-w- c:\program files\29652718.dat
2010-01-14 16:59 . 2010-01-14 16:59 4 ----a-w- c:\program files\29652625.dat
2010-01-13 17:00 . 2010-01-13 17:00 4 ----a-w- c:\program files\12732656.dat
2010-01-13 17:00 . 2010-01-13 17:00 4 ----a-w- c:\program files\12732140.dat
2010-01-13 17:00 . 2010-01-13 17:00 4 ----a-w- c:\program files\12732109.dat
2010-01-13 17:00 . 2010-01-13 17:00 4 ----a-w- c:\program files\12732093.dat
2010-01-13 13:22 . 2010-01-13 13:22 4 ----a-w- c:\program files\885515.dat
2010-01-13 13:22 . 2010-01-13 13:22 4 ----a-w- c:\program files\885390.dat
2010-01-13 13:04 . 2010-01-13 13:04 4 ----a-w- c:\program files\16237812.dat
2010-01-13 11:37 . 2010-01-13 11:37 -------- d-----w- c:\program files\Trend Micro
2010-01-13 11:29 . 2010-01-13 11:29 -------- d-----w- c:\documents and settings\chrisc\Application Data\Malwarebytes
2010-01-13 11:29 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-13 11:29 . 2010-01-13 11:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-13 11:29 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-13 11:29 . 2010-01-13 13:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-13 11:18 . 2010-01-13 11:18 58880 ---h--w- c:\documents and settings\chrisc\jkv.exe
2010-01-13 11:18 . 2010-01-13 11:18 58880 ----a-w- c:\windows\system32\hqxa.exe
2010-01-13 08:38 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2009-12-18 12:32 . 2009-12-18 12:32 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-12-18 12:27 . 2009-12-18 12:27 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-16 19:25 . 2008-08-28 12:49 -------- d-----w- c:\program files\Extension Changer
2010-01-16 19:22 . 2008-10-31 12:08 -------- d-----w- c:\program files\QuickTime
2010-01-16 13:09 . 2008-09-03 09:55 -------- d-----w- c:\program files\LogMeIn
2010-01-15 09:05 . 2008-08-15 11:42 -------- d-----w- c:\program files\Common Files\Adobe
2009-12-18 12:27 . 2008-08-15 11:41 -------- d-----w- c:\program files\Google
2009-12-15 14:29 . 2008-08-28 09:58 55304 ----a-w- c:\windows\system32\drivers\mfetdik.sys
2009-12-15 14:29 . 2008-08-28 09:58 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-12-15 14:29 . 2008-08-28 09:58 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-12-15 14:29 . 2008-08-28 09:58 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-12-15 14:29 . 2008-08-28 09:58 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-11-21 15:51 . 2004-08-11 16:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-05 10:14 . 2009-11-05 10:14 10134 ----a-r- c:\documents and settings\chrisc\Application Data\Microsoft\Installer\{9AC45672-3A04-409A-A34E-82255CF8C921}\ARPPRODUCTICON.exe
2009-11-04 08:56 . 2009-11-04 08:56 152576 ----a-w- c:\documents and settings\chrisc\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-10-29 07:45 . 2004-08-11 16:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-11 16:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-11 16:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-03 22:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
.

Code:

<pre>
c:\program files\Adobe\Reader 8.0\Reader\reader_sl .exe
c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe
c:\program files\LogMeIn\x86\logmeinsystray .exe
c:\program files\Malwarebytes' Anti-Malware\mbam .exe
c:\program files\QuickTime\qttask  .exe
c:\program files\QuickTime\qttask .exe
</pre>

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-15 68856]
"Google Update"="c:\documents and settings\chrisc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-06-12 160592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\quicktime\qttask .exe -atboottime" [X]
"hqxa"="c:\windows\system32\hqxa.exe \u" [X]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]
"8169Diag"="c:\program files\Realtek\Diagnostics Utility\8169Diag.exe" [2008-02-26 909312]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"MVS Splash"="c:\program files\McAfee\Managed VirusScan\DesktopUI\XTray.exe" [2009-12-18 472384]
"McAfee Managed Services Tray"="c:\program files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe" [2010-01-13 40448]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 63048]
"gemstrmw"="c:\windows\system32\gemstrmw.exe" [2003-04-10 24576]
"CertReg"="c:\program files\Common Files\Gemplus\CertReg\certreg.exe" [2003-06-06 217088]
"Norton Ghost 14.0"="c:\program files\Norton Ghost\Agent\VProTray.exe" [2009-08-03 2250088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\allisona\Start Menu\Programs\Startup\
Outlook 2003.lnk - c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\outicon.exe [2008-8-28 794624]

c:\documents and settings\chrisc\Start Menu\Programs\Startup\
Adobe Gamma.lnk - \\It-chris\c$\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
autobahn.lnk - \\It-chris\c$\Documents and Settings\chrisc\Local Settings\Application Data\Autobahn\autobahn.exe [2009-4-2 710360]
Shortcut to minixp.lnk - c:\documents and settings\chrisc\Desktop\minixp.exe [2009-2-5 80896]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
PhoneManager.lnk - c:\program files\Avaya\IP Office\Phone Manager\PhoneManager.exe [2009-5-14 9042432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisablePersonalDirChange"= 1 (0x1)
"NoSimpleStartMenu"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-10-02 07:49 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3005394423-3051011188-208237727-1225\scripts\Logon\0\0]
"script"=logon-default.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3005394423-3051011188-208237727-1225\scripts\Logon\1\0]
"script"=logon-lakeview.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3005394423-3051011188-208237727-1225\scripts\Logon\2\0]
"script"=remove games.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3005394423-3051011188-208237727-1235\scripts\Logon\0\0]
"script"=logon-default.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3005394423-3051011188-208237727-1235\scripts\Logon\1\0]
"script"=logon-rejects.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3005394423-3051011188-208237727-1235\scripts\Logon\2\0]
"script"=logon-csi.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3005394423-3051011188-208237727-1235\scripts\Logon\3\0]
"script"=logon-lakeview.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3005394423-3051011188-208237727-1235\scripts\Logon\4\0]
"script"=remove games.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3005394423-3051011188-208237727-1266\scripts\Logon\0\0]
"script"=logon-default.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3005394423-3051011188-208237727-1266\scripts\Logon\1\0]
"script"=logon-rejects.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3005394423-3051011188-208237727-1266\scripts\Logon\2\0]
"script"=logon-csi.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3005394423-3051011188-208237727-1266\scripts\Logon\3\0]
"script"=logon-lakeview.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3005394423-3051011188-208237727-1266\scripts\Logon\4\0]
"script"=remove games.bat

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\McAfee\\Managed VirusScan\\Agent\\myAgtSvc.exe"=

R2 EngineServer;EngineServer;c:\program files\McAfee\Managed VirusScan\VScan\EngineServer.exe [28/08/2008 09:58 14144]
R2 LANPkt;Realtek LANPkt Protocol Driver;c:\windows\system32\drivers\LANPkt.sys [15/08/2008 11:39 8960]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [28/02/2008 14:31 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [03/09/2008 09:55 47640]
R2 myAgtSvc;McAfee Virus and Spyware Protection Service;c:\program files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe [28/08/2008 09:56 282824]
R2 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe [11/08/2004 16:00 5120]
R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [17/09/2008 08:18 6016]
R3 SymSnapService;SymSnapService;c:\program files\Norton Ghost\Shared\Drivers\SymSnapService.exe [20/12/2007 16:13 1562096]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [18/12/2009 12:27 135664]
S2 McAfee SiteAdvisor Enterprise Service;McAfee SiteAdvisor Enterprise Service;c:\program files\McAfee\SiteAdvisor Enterprise\McSACore.exe [07/08/2009 08:54 222528]
S3 Amdosvce;Amdosvce; [x]
S3 CardServer;CardServer;c:\program files\Common Files\Gemplus\Token API\CardServer.dll [03/06/2003 15:51 249856]
S3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [15/08/2008 11:39 11264]
S3 GemCCID;GemCCID;c:\windows\system32\drivers\GemCCID.sys [04/04/2008 08:02 87424]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [15/08/2008 11:39 16640]
S3 SiBulk;SiBulk;c:\windows\system32\drivers\SiBulk.sys [01/10/2008 12:39 16768]
S3 silabenm;Silicon Labs CP210x USB to UART Bridge Serial Port Enumerator Driver;c:\windows\system32\drivers\silabenm.sys [23/09/2008 09:26 17920]
S3 silabser;Silicon Labs CP210x USB to UART Bridge Driver;c:\windows\system32\drivers\silabser.sys [23/09/2008 09:26 58368]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
Contents of the 'Scheduled Tasks' folder

2010-01-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-18 12:27]

2010-01-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-18 12:27]

2010-01-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3005394423-3051011188-208237727-1235Core.job
- c:\documents and settings\chrisc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 10:27]

2010-01-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3005394423-3051011188-208237727-1235UA.job
- c:\documents and settings\chrisc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 10:27]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bbc.co.uk/
IE: &eBay Search - c:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: http://about.htm/
Trusted Zone: http://Exclude.htm/
Trusted Zone: http://LanguageSelection.htm/
Trusted Zone: http://Message.htm/
Trusted Zone: http://MyAgttryCmd.htm/
Trusted Zone: http://MyAgttryNag.htm/
Trusted Zone: http://MyNotification.htm/
Trusted Zone: http://NOCLessUpdate.htm/
Trusted Zone: http://quarantine.htm/
Trusted Zone: http://ScanNow.htm/
Trusted Zone: http://strings.vbs/
Trusted Zone: http://Template.htm/
Trusted Zone: http://Update.htm/
Trusted Zone: http://VirFound.htm/
Trusted Zone: mcafee.com\*
Trusted Zone: mcafeeasap.com\betavscan
Trusted Zone: mcafeeasap.com\vs
Trusted Zone: mcafeeasap.com\www
Trusted Zone: siteadvisor.com\www
.
- - - - ORPHANS REMOVED - - - -

AddRemove-MVS - c:\progra~1\McAfee\MANAGE~1\Agent\myinx
AddRemove-SLABCOMM&10C4&EA60 - c:\windows\system32\Silabs\DriverUninstaller.exe VCP CP210x Cardinal\SLABCOMM&10C4&EA60
AddRemove-Soft-Central SC-PassUnleash - c:\program files\Soft-Central\SC-PassUnleash\Uninstall
AddRemove-Adobe Digital Editions - c:\documents and settings\chrisc\application data\macromedia\flash player\www.macromedia.com\bin\digitaleditions1x5\digitaleditions1x5.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-16 19:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hȋdden processes ...

scanning hȋdden autostart entries ...

scanning hȋdden files ...

scan completed successfully
hȋdden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(748)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2010-01-16 19:26:45
ComboFix-quarantined-files.txt 2010-01-16 19:26

Pre-Run: 137,996,787,712 bytes free
Post-Run: 138,198,376,448 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 226AB743BEAA656B52296AA8C7F2F04F

Re: GenericDropper!bqn17th January 2010, 2:31 am

Please download Malwarebytes Anti-Malware from Malwarebytes.org.
Alternate link: BleepingComputer.com.
(Note: if you already have the program installed, just follow the directions. No need to re-download or re-install!)

Double Click mbam-setup.exe to install the application.

(Note: if you already have the program installed, open Malwarebytes from the Start Menu or Desktop shortcut, click the Update tab, and click Check for Updates, before doing the scan as instructed below!)

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Full Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
Please save the log to a location you will remember.
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Re: GenericDropper!bqn18th January 2010, 9:43 am

Done.

Log is below:

warebytes' Anti-Malware 1.44
Database version: 3588
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

18/01/2010 09:32:42
mbam-log-2010-01-18 (09-32-36).txt

Scan type: Full Scan (C:\|)
Objects scanned: 234518
Time elapsed: 41 minute(s), 13 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
c:\program files\internet explorer\wmpscfgs.exe (Trojan.Agent) -> No action taken.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP489\A0031094.sys (Malware.Trace) -> No action taken.
C:\Documents and Settings\chrisc\Local Settings\Temp\wmpscfgs.exe (Trojan.Agent) -> No action taken.
C:\Program Files\Internet Explorer\wmpscfgs.exe (Trojan.Agent) -> No action taken.

Re: GenericDropper!bqn18th January 2010, 9:47 am

Please run a free online scan with the ESET Online Scanner

Tick the box next to YES, I accept the Terms of Use
Click Start
When asked, allow the ActiveX control to install
Click Start
Make sure that the options Remove found threats and the option Scan unwanted applications is checked
Click Scan (This scan can take several hours, so please be patient)
Once the scan is completed, you may close the window
Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic

Re: GenericDropper!bqn18th January 2010, 10:36 am

Done, here is the log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=872fb976f19449438ebcdfc5fc2e6baf
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-01-18 10:33:47
# local_time=2010-01-18 10:33:47 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 429615 429615 0 0
# compatibility_mode=8192 67108863 100 0 3685 3685 0 0
# scanned=79610
# found=38
# cleaned=38
# scan_time=2171
C:\Documents and Settings\chrisc\jkv.exe a variant of Win32/Kryptik.BPZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\chrisc\Local Settings\Application Data\Google\Update\googleupdate.exe a variant of Win32/TrojanDownloader.Unruy.AY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe.delme235 a variant of Win32/TrojanDownloader.Unruy.AY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe a variant of Win32/TrojanDownloader.Unruy.AY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe.delme271 a variant of Win32/TrojanDownloader.Unruy.AY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\ATI Technologies\ATI.ACE\clistart.exe a variant of Win32/TrojanDownloader.Unruy.AY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Common Files\Adobe\ARM\1.0\adobearm.exe.delme241 a variant of Win32/TrojanDownloader.Unruy.AY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Common Files\Gemplus\CertReg\certreg.exe a variant of Win32/TrojanDownloader.Unruy.AY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Common Files\Gemplus\CertReg\certreg.exe.delme258 a variant of Win32/TrojanDownloader.Unruy.AY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\CyberLink\PowerDVD DX\pdvddxsrv.exe a variant of Win32/TrojanDownloader.Unruy.AY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\CyberLink\PowerDVD DX\pdvddxsrv.exe.delme247 a variant of Win32/TrojanDownloader.Unruy.AY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Google\GoogleToolbarNotifier\googletoolbarnotifier.exe a variant of Win32/TrojanDownloader.Unruy.AY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Google\GoogleToolbarNotifier\googletoolbarnotifier.exe.delme1674 a variant of Win32/TrojanDownloader.Unruy.AY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Java\jre6\bin\jusched.exe a variant of Win32/TrojanDownloader.Unruy.AY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Java\jre6\bin\jusched.exe.delme267 a variant of Win32/TrojanDownloader.Unruy.AY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\LogMeIn\x86\logmeinsystray.exe.delme194 a variant of Win32/TrojanDownloader.Unruy.AY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Malwarebytes' Anti-Malware\mbam .exe a variant of Win32/TrojanDownloader.Unruy.AY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe a variant of Win32/TrojanDownloader.Unruy.AY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\McAfee\Managed VirusScan\Agent\startmyagttry .exe a variant of Win32/TrojanDownloader.Unruy.AY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\McAfee\Managed VirusScan\Agent\startmyagttry.exe a variant of Win32/TrojanDownloader.Unruy.AY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\McAfee\Managed VirusScan\Agent\startmyagttry.exe.delme253 a variant of Win32/TrojanDownloader.Unruy.AY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\McAfee\Managed VirusScan\DesktopUI\xtray.exe a variant of Win32/TrojanDownloader.Unruy.AY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\McAfee\Managed VirusScan\DesktopUI\xtray.exe.delme250 a variant of Win32/TrojanDownloader.Unruy.AY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Norton Ghost\Agent\vprotray.exe a variant of Win32/TrojanDownloader.Unruy.AY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Norton Ghost\Agent\vprotray.exe.delme264 a variant of Win32/TrojanDownloader.Unruy.AY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\QuickTime\qttask .exe a variant of Win32/TrojanDownloader.Unruy.AY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\QuickTime\qttask .exe.delme261 a variant of Win32/TrojanDownloader.Unruy.AY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\QuickTime\qttask .exe a variant of Win32/TrojanDownloader.Unruy.AY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\QuickTime\qttask.exe a variant of Win32/TrojanDownloader.Unruy.AY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Realtek\Diagnostics Utility\8169diag.exe a variant of Win32/TrojanDownloader.Unruy.AY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Realtek\Diagnostics Utility\8169diag.exe.delme244 a variant of Win32/TrojanDownloader.Unruy.AY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe a variant of Win32/TrojanDownloader.Unruy.AY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe.delme1676 a variant of Win32/TrojanDownloader.Unruy.AY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Program Files\Internet Explorer\wmpscfgs.exe.vir a variant of Win32/TrojanDownloader.Unruy.AY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\gemstrmw.exe a variant of Win32/TrojanDownloader.Unruy.AY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\hqxa .exe a variant of Win32/Kryptik.BPZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\hqxa.exe a variant of Win32/TrojanDownloader.Unruy.AY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
${Memory} a variant of Win32/TrojanDownloader.Unruy.AY trojan (contained infected files) 00000000000000000000000000000000 C

Re: GenericDropper!bqn18th January 2010, 12:51 pm

Download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.

Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Re: GenericDropper!bqn18th January 2010, 2:18 pm

Here you are:

Results of screen317's Security Check version 0.99.1
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
ESET Online Scanner v3
McAfee Browser Protection Service
McAfee Virtual Technician
Antivirus up to date!
``````````````````````````````
Anti-malware/Other Utilities Check:
McAfee SiteAdvisor Enterprise Plus
Norton Ghost
HijackThis 2.0.2
CCleaner (remove only)
Java(TM) 6 Update 17
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Out of date Java installed!
Adobe Flash Player 10
Adobe Reader 9.3
``````````````````````````````
Process Check:
objlist.exe by Laurent
McAfee Managed VirusScan VScan EngineServer.exe
McAfee Managed VirusScan Agent myAgtSvc.exe
mcafee managed virusscan desktopui xtray .exe
``````````````````````````````
DNS Vulnerability Check:
GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````

Re: GenericDropper!bqn19th January 2010, 12:53 am

Please download the newest version of Java from Java.com.

Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs.
Search in the list for all previous installed versions of Java. (J2SE Runtime Environment). Please uninstall/remove each of them.

Once old versions are gone, please install the newest version.

==

Please read the following information that I have provided, which will help you prevent malicious software in the future. Please keep in mind, malware is a continuous danger on the Internet. It is highly important to stay safe while browsing, to prevent re-infection.

Software recommendations

Antivirus/Antispyware

Microsoft Security Essentials: this is Microsoft's free antivirus/antispyware program. It equips you with protection against viruses, spyware, trojans, rootkits, and worms. It is also light on the computer's performance. Note: when installing this, you have both an antivirus and antispyware. Make sure you also get a firewall.
AVG Free: this is one of the most powerful, and easiest to use security software. The free version equips you with protection against viruses, spyware, trojans, rootkits, worms, and rogue software. Note: when installing this, you have both an antivirus and antispyware. Make sure you also get a firewall.

Firewall

Tallemu Online Armor: the free version is just as good as the premium. I have linked you to the free version.
Comodo Firewall: the free version is just as good as the premium. I have linked you to the free version. The optional security suite enhances the firewall by 40% increase. If you would like to install the suite that includes antivirus, then remove your old antivirus first.
PC Tools Firewall Plus: free and excellent firewall.

Note: Please keep ALL of these programs up-to-date and run them whenever you suspect a problem to prevent malware problems.

Resident Protection help
A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall, and scanning anti-spyware program at a time. Passive protectors such as SpywareBlaster can be run with any of them.

Rogue programs help
There are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:
http://www.spywarewarrior.com/rogue_anti-spyware.htm

Securing your computer

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
hpHosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future.

Please consider using an alternate browser
Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.

If you are interested:

Firefox may be downloaded from here: http://www.getfirefox.com
Opera is available here: http://www.opera.com/download/

See this page for more info about malware and prevention.

Thank you for choosing GeekPolice. Please see this page if you would like to leave feedback or contribute to our site. Do you have any more questions?

Re: GenericDropper!bqn19th January 2010, 8:56 am

Thank you.

I am still getting some pop-ads appearing this morning. Though the trojans seem to have gone completely.

Re: GenericDropper!bqn19th January 2010, 9:18 am

Let's see a quick scan, please...just to make sure.

Please download Cheetah-Anti-Rogue, and save to your Desktop.

Double-click on Cheetah-Anti-Rogue.zip, and extract the file to your Desktop.
Double-click on Cheetah-Anti-Rogue.cmd to start.
It will finish quickly and launch a log.
Post the contents of it in your next reply.

Re: GenericDropper!bqn19th January 2010, 10:11 am

Log:

Cheetah Anti-Rogue v1.1.1
by DragonMaster Jay

Microsoft Windows XP [Version 5.1.2600]
Date: 19/01/2010 - Time: 10:09:02 - Arch.: x86 - Mode?

-- Known infection --

Extra message: Detection only.

EOF

Also note. I took the liberty of running SuperAntiSpyware after the popup appeared and pulled some malware (5 trojans) out of system volume and prefetch files. I have deleted my restore points also.

Hopefully that should be it.

Re: GenericDropper!bqn19th January 2010, 10:14 am

Ok. Post that log, if possible.

Re: GenericDropper!bqn

Page 1 of 2 • 1, 2

Permissions in this forum:

You cannot reply to topics in this forum

GenericDropper!bqn

descriptionGenericDropper!bqn15th January 2010, 9:03 am

descriptionRe: GenericDropper!bqn15th January 2010, 1:22 pm

descriptionRe: GenericDropper!bqn16th January 2010, 7:13 pm

descriptionRe: GenericDropper!bqn16th January 2010, 7:31 pm

descriptionRe: GenericDropper!bqn17th January 2010, 2:31 am

descriptionRe: GenericDropper!bqn18th January 2010, 9:43 am

descriptionRe: GenericDropper!bqn18th January 2010, 9:47 am

descriptionRe: GenericDropper!bqn18th January 2010, 10:36 am

descriptionRe: GenericDropper!bqn18th January 2010, 12:51 pm

descriptionRe: GenericDropper!bqn18th January 2010, 2:18 pm

descriptionRe: GenericDropper!bqn19th January 2010, 12:53 am

descriptionRe: GenericDropper!bqn19th January 2010, 8:56 am

descriptionRe: GenericDropper!bqn19th January 2010, 9:18 am

descriptionRe: GenericDropper!bqn19th January 2010, 10:11 am

descriptionRe: GenericDropper!bqn19th January 2010, 10:14 am

descriptionRe: GenericDropper!bqn