[In Progress] HiJackThis! Logs - Olmarik Trojan Issue (PC Help Forum, Security & Safety)


#8, 10-15-2009 - Crush (Tech Support Team; Caldwell, New Jersey; joined Sep 2008; 10,112 posts; PC Experience: Always Learning New Things)
Re: Olmarik Trojan Issue

Princess,

Let's see what remains of that TDSS Rootkit.


Next, let's download ComboFix.exe. This will give me a better view of the files running, those that are hidden, and also those in the registry. Please download it from one of these webpages:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
Combofix -> Anti-malware Tools -> Downloads


* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools.

Double-click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. If you have Vista, the Recovery Console can be installed from your disc if you wish.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes to continue scanning for malware.

When finished, it shall produce a log for you. Please include the ComboFix.txt in your reply.
__________________
Crush aka Chris
I am in fact, quite cool. My graphing calculator confirms this

#9 (4 Weeks Ago) - princess (Bronze Member; joined Oct 2009; 6 posts; PC Experience: Beginner)
Re: Olmarik Trojan Issue

Sorry for the late reply. Here's the ComboFix log:

ComboFix 09-10-18.04 - simz 10/19/2009 14:15.1.1 - NTFSx86
Running from: c:\documents and settings\simz\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-1957994488-413027322-1177238915-1004
c:\windows\desktop
c:\windows\Palace.reg
c:\windows\system32\4042794781.dat
c:\windows\system32\rotscxlog.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_rotscxopxuscvm
-------\Service_rotscxopxuscvm


((((((((((((((((((((((((( Files Created from 2009-09-19 to 2009-10-19 )))))))))))))))))))))))))))))))
.

2009-10-19 09:54 . 2009-10-19 09:54 34688 ----a-w- c:\documents and settings\simz\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-15 23:47 . 2009-10-15 23:47 -------- d-----w- c:\documents and settings\simz\Local Settings\Application Data\PCHealth
2009-10-14 19:22 . 2009-10-14 19:22 -------- d-----w- c:\documents and settings\simz\Application Data\Malwarebytes
2009-10-14 19:21 . 2009-09-10 10:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-14 19:21 . 2009-10-14 19:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-14 19:21 . 2009-09-10 10:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-14 19:21 . 2009-10-14 19:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-14 00:27 . 2009-10-14 00:44 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-10-14 00:27 . 2009-10-14 00:27 -------- d-----w- c:\program files\NOS
2009-10-13 22:52 . 2009-10-13 22:55 -------- d-----w- c:\documents and settings\simz\WinWAP Temporary Files
2009-10-12 13:09 . 2009-10-12 13:16 -------- d-----w- c:\documents and settings\simz\Local Settings\Application Data\Microsoft
2009-10-12 13:09 . 2009-10-13 22:52 -------- d-----w- c:\documents and settings\simz
2009-10-10 11:54 . 2009-10-10 11:54 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\Mozilla
2009-10-07 01:23 . 2009-10-10 09:14 -------- d-----w- c:\program files\Common Files\Stardock
2009-10-07 01:23 . 2009-10-07 01:23 -------- d-----w- c:\program files\Stardock
2009-10-06 23:35 . 2009-10-06 23:35 -------- d-----w- c:\program files\Common Files\SWF Studio
2009-09-22 23:29 . 2009-09-22 23:29 -------- d-----w- c:\windows\system32\XPSViewer
2009-09-22 23:29 . 2009-09-22 23:29 -------- d-----w- c:\program files\MSBuild
2009-09-22 23:29 . 2009-09-22 23:29 -------- d-----w- c:\program files\Reference Assemblies
2009-09-22 23:26 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-09-22 23:26 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-09-22 23:26 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-09-22 23:26 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-09-22 23:26 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-09-22 23:26 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-09-22 23:26 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-09-22 23:13 . 2009-09-22 23:13 -------- d-----w- c:\program files\MSXML 6.0
2009-09-22 14:43 . 2009-09-22 14:43 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2009-09-22 14:16 . 2009-09-22 14:16 -------- d-----w- c:\program files\ESET
2009-09-22 14:16 . 2009-09-22 14:16 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2009-09-22 04:36 . 2008-10-16 10:06 208744 ----a-w- c:\windows\system32\muweb.dll
2009-09-22 04:36 . 2008-10-16 10:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-09-21 06:13 . 2009-09-23 09:02 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-21 06:12 . 2009-08-05 18:48 54752 ----a-w- c:\windows\system32\drivers\fssfltr_tdi.sys
2009-09-21 05:51 . 2009-09-21 05:51 -------- d-----w- c:\program files\Microsoft Sync Framework
2009-09-21 05:48 . 2006-11-29 09:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2009-09-21 05:48 . 2009-09-21 05:48 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-09-21 05:42 . 2009-09-21 06:13 -------- d-----w- c:\program files\Microsoft
2009-09-21 05:42 . 2009-09-21 05:42 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-09-21 05:40 . 2009-09-21 06:12 -------- d-----w- c:\program files\Windows Live
2009-09-21 05:01 . 2009-09-21 05:01 -------- d-----w- c:\program files\Common Files\Windows Live

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-12 00:00 . 2006-11-02 05:40 -------- d-----w- c:\documents and settings\All Users\Application Data\yahoo!
2009-10-10 10:25 . 2009-02-23 11:07 -------- d-----w- c:\program files\NCH Software
2009-09-25 05:56 . 2004-08-03 22:56 662016 ----a-w- c:\windows\system32\wininet.dll
2009-09-25 05:56 . 2004-08-03 22:56 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-22 12:42 . 2009-02-23 11:08 -------- d-----w- c:\program files\NCH Swift Sound
2009-09-22 12:40 . 2009-02-23 12:52 -------- d-----w- c:\program files\VDJ5
2009-09-21 05:52 . 2006-11-06 06:04 -------- d-----w- c:\program files\Windows Live Toolbar
2009-09-16 04:02 . 2009-07-13 20:29 -------- d-----w- c:\program files\Common Files\Program4Pc
2009-09-16 04:02 . 2009-07-13 20:29 -------- d-----w- c:\program files\DJ Music Mixer
2009-09-11 14:33 . 2004-08-03 22:56 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 20:45 . 2004-08-03 22:56 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-26 08:16 . 2004-08-03 22:56 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-20 11:52 . 2009-08-19 08:50 -------- d-----w- c:\program files\EpicVJ
2009-08-12 20:54 . 2003-03-18 16:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-08-12 20:54 . 2003-02-21 00:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-08-05 09:11 . 2004-08-03 22:56 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 14:00 . 2004-08-03 21:20 2180352 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 13:13 . 2004-08-03 22:59 2057728 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-07-26 12:44 . 2009-07-26 12:44 48448 ----a-w- c:\windows\system32\sirenacm.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-13 83608]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
"MsgCenterExe"="c:\program files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" [2009-08-12 69632]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-08-12 198160]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-05-14 2029640]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Run Google Web Accelerator.lnk - c:\program files\Google\Web Accelerator\GoogleWebAccWarden.exe [2007-7-9 1134592]
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2006-3-26 257752]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-03-13 233472]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Opera\\Opera.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\moove\\_adv.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

R3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe [2005-11-17 1527900]
R3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [2009-08-05 704864]
R3 getPlusHelper;getPlus(R) Helper;c:\windows\System32\svchost.exe [2004-08-03 14336]
R3 ZSMC0305;Look 316;c:\windows\system32\Drivers\usbVM305.sys [x]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2009-05-14 107256]
S1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2009-05-14 94360]
S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2009-05-14 731840]
S2 fssfltr;fssfltr;c:\windows\system32\DRIVERS\fssfltr_tdi.sys [2009-08-05 54752]
S2 HPFECP16;HPFECP16; [x]
S3 slnt;Silan SC92031 PCI Fast Ethernet Adapter;c:\windows\system32\DRIVERS\slnt.sys [2003-11-20 18004]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2009-10-19 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-28 18:18]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*Yahoo! SearchBar Home Page
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Hell\Start Menu\Programs\IMVU\Run IMVU.lnk
TCP: {2F9AE863-22DC-43E9-A166-9611145E5458} = 192.168.254.254
FF - ProfilePath - c:\documents and settings\simz\Application Data\Mozilla\Firefox\Profiles\l9si54vn.default\
FF - prefs.js: network.proxy.ftp - proxy1.emirates.net.ae
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.gopher - proxy1.emirates.net.ae
FF - prefs.js: network.proxy.gopher_port - 8080
FF - prefs.js: network.proxy.http - proxy1.emirates.net.ae
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - proxy1.emirates.net.ae
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.ssl - proxy1.emirates.net.ae
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 1
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\documents and settings\simz\Application Data\Mozilla\Firefox\Profiles\l9si54vn.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Opera7\Program\Plugins\np_gp.dll
FF - plugin: c:\program files\Opera7\Program\Plugins\npdrmv2.dll
FF - plugin: c:\program files\Opera7\Program\Plugins\npdsplay.dll
FF - plugin: c:\program files\Opera7\Program\Plugins\NPOFFICE.DLL
FF - plugin: c:\program files\Opera7\Program\Plugins\nppl3260.dll
FF - plugin: c:\program files\Opera7\Program\Plugins\nprjplug.dll
FF - plugin: c:\program files\Opera7\Program\Plugins\nprpjplug.dll
FF - plugin: c:\program files\Opera7\Program\Plugins\NPSWF32.dll
FF - plugin: c:\program files\Opera7\Program\Plugins\npwmsdrm.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-NWEReboot - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-10-19 14:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2308)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\combofix\CF6289.exe
c:\windows\system32\WgaTray.exe
c:\windows\system32\wscntfy.exe
c:\program files\Java\jre1.6.0_01\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2009-10-19 14:33 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-19 10:33

Pre-Run: 10,408,349,696 bytes free
Post-Run: 10,396,102,656 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 2B6FB73CEEAF1A88E2AF7307CEB7EA11
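The log above is what the helper reads before replying "all that looks fine": the Other Deletions and Drivers/Services sections (the random-named rotscx* service and .dat file that the TDSS/Olmarik rootkit left behind), the Run keys, services whose file is missing ([x]), the Firefox proxy prefs, and the boot.ini tail that confirms the Recovery Console entry post #8 insisted on. As an added example that is not part of this thread and not ComboFix's own code, here is a small Python triage script that pulls those items out of a ComboFix.txt and lists what is worth chasing up. The embedded sample is a trimmed excerpt of the log posted above (constructed for the example), and the random-name heuristic (10+ lower-case letters, entropy of at least 3 bits, a consonant run of 4 or more) is my own assumption, not anything ComboFix computes.

```python
import math
import re
from collections import Counter

# Constructed sample: a trimmed excerpt of the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\rotscxlog.dat
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\Legacy_rotscxopxuscvm
-------\Service_rotscxopxuscvm
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-13 83608]
R3 getPlusHelper;getPlus(R) Helper;c:\windows\System32\svchost.exe [2004-08-03 14336]
S2 HPFECP16;HPFECP16; [x]
------- Supplementary Scan -------
FF - prefs.js: network.proxy.http - proxy1.emirates.net.ae
FF - prefs.js: network.proxy.type - 1
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
"""

SECTION_RE = re.compile(r"^(?:\({5,}|-{3,})\s*(.+?)\s*(?:\){5,}|-{3,})\s*$")
DELETED_SVC_RE = re.compile(r"^-+\\(?:Legacy|Service)_(\S+)$", re.IGNORECASE)
RUN_RE = re.compile(r'^"([^"]+)"="([^"]+)"\s*\[(\d{4}-\d{2}-\d{2}) (\d+)\]')
SVC_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")
FF_PREF_RE = re.compile(r"^FF - prefs\.js: (network\.proxy\.\S+) - (.+)$")

def parse_sections(text):
    """Split the log into its '(((( Name ))))' / '--- Name ---' sections, dropping filler."""
    sections, current = {"preamble": []}, "preamble"
    for line in (l.rstrip() for l in text.splitlines()):
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        else:
            sections[current].append(line)
    return sections

def looks_random(name):
    """Heuristic (my assumption, not ComboFix logic) for the random service names TDSS
    drops: 10+ lower-case letters, Shannon entropy >= 3 bits, a consonant run of 4+."""
    if not re.fullmatch(r"[a-z]{10,}", name):
        return False
    n = len(name)
    entropy = -sum(c / n * math.log2(c / n) for c in Counter(name).values())
    run = max((len(r) for r in re.findall(r"[^aeiou]+", name)), default=0)
    return entropy >= 3.0 and run >= 4

def deleted_services(sections):
    hits = (DELETED_SVC_RE.match(l) for l in sections.get("Drivers/Services", []))
    return sorted({m[1].lower() for m in hits if m})

def run_entries(sections):
    hits = (RUN_RE.match(l) for l in sections.get("Reg Loading Points", []))
    return [{"name": m[1], "path": m[2], "date": m[3], "size": int(m[4])} for m in hits if m]

def service_entries(sections):  # 'R3 name;display;path [date size]' or '... [x]' = file missing
    hits = (SVC_RE.match(l) for lines in sections.values() for l in lines)
    return [{"state": m[1], "name": m[2], "file_missing": m[4].strip().endswith("[x]")}
            for m in hits if m]

def firefox_proxy(sections):
    hits = (FF_PREF_RE.match(l) for l in sections.get("Supplementary Scan", []))
    return {m[1]: m[2].strip() for m in hits if m}

def recovery_console_installed(text):
    """True if the boot.ini tail ComboFix appends has the /cmdcons entry it installs."""
    in_os = False
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("["):
            in_os = line.lower() == "[operating systems]"
        elif in_os and "/cmdcons" in line.lower():
            return True
    return False

def triage(text):
    """Collect what a helper reads first and list the items worth chasing up."""
    s = parse_sections(text)
    r = {"deleted_services": deleted_services(s), "run_entries": run_entries(s),
         "services": service_entries(s), "firefox_proxy": firefox_proxy(s),
         "recovery_console": recovery_console_installed(text), "findings": []}
    f = r["findings"]
    f += [f"deleted service had a random-looking name: {n}"
          for n in r["deleted_services"] if looks_random(n)]
    f += [f"service {x['name']} points at a missing file ([x])"
          for x in r["services"] if x["file_missing"]]
    if r["firefox_proxy"].get("network.proxy.type") == "1":  # 1 = manual proxy
        f.append(f"Firefox manual proxy: {r['firefox_proxy'].get('network.proxy.http')}"
                 " (confirm with the user that this is their ISP/corporate proxy)")
    if not r["recovery_console"]:
        f.append("no Recovery Console (/cmdcons) entry in boot.ini")
    return r

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG)["findings"]:
        print("-", finding)
```

Run as-is it prints three findings for the excerpt: the random-looking deleted service, the HPFECP16 entry whose driver file is gone, and the manual Firefox proxy. The proxy finding is phrased as a question rather than a verdict on purpose: here it points at what appears to be the user's ISP proxy (proxy1.emirates.net.ae), which is why it passed review, but a manual proxy pointing somewhere the user does not recognise is exactly how browser traffic gets silently redirected, so it should always be confirmed rather than skimmed past. Feed your own ComboFix.txt contents to triage() to get the same summary for another log.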
#10 (4 Weeks Ago) - Crush (Tech Support Team)
Re: Olmarik Trojan Issue

All that looks fine. How are things running now?
#11 (2 Weeks Ago) - princess (Bronze Member)
Re: Olmarik Trojan Issue

Sorry for replying so late, but I had some personal issues. Anyway, things are quite a bit better now. Not the worst, though: sometimes the system gets slow and shows that "virtual memory too low" message, but still, things aren't miserable like before. Thanks a lot for helping me out, pal.
#12 (2 Weeks Ago) - Crush (Tech Support Team)
Re: Olmarik Trojan Issue

Hi Princess,

Glad things are running better! I can get a member of the Tech Team in on this to troubleshoot any further issues if you wish.


This will clear away any of the files and folders that were created by ComboFix.

Go to Start > Run, then copy and paste the following text and click OK.

ComboFix /u


When ComboFix receives such an instruction, it will do the following:

a) Deletes the following files/folders:
* ComboFix.exe
* %system%\swxcacls.exe
* %system%\swsc.exe
* %system%\VFind.exe
* %system%\moveex.exe
* %system%\swreg.exe
* %systemroot%\catchme.exe
* \ComboFix
* \Qoobox
* \VundoFix Backups
* \Deckard
* \_OTMoveIt
* %systemroot%\erdnt\subs
b) Resets the clock settings.
c) Hides file extensions.
d) Hides System/Hidden files.
e) Clears the System Restore cache and creates a new Restore point.
