
Xp Antivirus / Combofix Log


18 replies to this topic

#1 Dave P.


Posted 12 August 2008 - 08:24 PM

Hi,

My computer was recently the victim of XP AntiVirus. My friend referred me to bleepingcomputer.com to use ComboFix. I have run CF (successfully I believe) and have posted the log below as I was instructed to. Any help as to what I should do next (and how) is greatly appreciated. (I am running Windows XP Pro operating system.)

Thank you for your time.

Dave

_______________________________________________________________________

ComboFix 08-08-12.01 - preferred user 2008-08-12 20:22:47.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1028 [GMT -4:00]
Running from: C:\Documents and Settings\preferred user\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\preferred user\Application Data\macromedia\Flash Player\#SharedObjects\7Z98WLPR\interclick.com
C:\Documents and Settings\preferred user\Application Data\macromedia\Flash Player\#SharedObjects\7Z98WLPR\interclick.com\ud.sol
C:\Documents and Settings\preferred user\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\preferred user\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\preferred user\Application Data\rhca9aj0ela3
C:\Program Files\rhca9aj0ela3
C:\WINDOWS\system32\blphce9aj0ela3.scr
C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\WINDOWS\system32\drivers\svchost.exe
C:\WINDOWS\system32\kdqml.exe
C:\WINDOWS\system32\lphce9aj0ela3.exe
C:\WINDOWS\system32\pphce9aj0ela3.exe
C:\WINDOWS\Sysvxd.exe
J:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_npf


((((((((((((((((((((((((( Files Created from 2008-07-13 to 2008-08-13 )))))))))))))))))))))))))))))))
.

2008-08-11 07:29 . 2008-08-12 20:51 109,150 --a------ C:\WINDOWS\system32\drivers\a7a8c7da.sys
2008-08-10 18:09 . 2008-08-10 18:09 106,187,686 --a------ C:\SYM_REGISTRY_BACKUP.reg
2008-08-03 08:14 . 2008-08-03 08:14 268 --ah----- C:\sqmdata03.sqm
2008-08-03 08:14 . 2008-08-03 08:14 244 --ah----- C:\sqmnoopt03.sqm
2008-07-29 17:23 . 2008-07-29 17:23 268 --ah----- C:\sqmdata02.sqm
2008-07-29 17:23 . 2008-07-29 17:23 244 --ah----- C:\sqmnoopt02.sqm
2008-07-22 20:08 . 2008-07-22 20:08 268 --ah----- C:\sqmdata01.sqm
2008-07-22 20:08 . 2008-07-22 20:08 244 --ah----- C:\sqmnoopt01.sqm
2008-07-22 20:03 . 2008-07-22 20:03 268 --ah----- C:\sqmdata00.sqm
2008-07-22 20:03 . 2008-07-22 20:03 244 --ah----- C:\sqmnoopt00.sqm
2008-07-21 03:09 . 2008-07-21 03:09 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-07-20 18:43 . 2008-07-20 18:43 921,624 --a------ C:\img2-001.raw
2008-07-20 10:35 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-07-20 10:35 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-07-20 10:35 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-07-19 21:58 . 2007-04-10 17:46 1,966,696 --a------ C:\WINDOWS\system32\drivers\VX3000.sys
2008-07-19 21:58 . 2007-04-10 17:46 709,992 --a------ C:\WINDOWS\vVX3000.exe
2008-07-19 21:58 . 2007-04-10 17:46 476,520 --a------ C:\WINDOWS\vVX3000.dll
2008-07-19 21:58 . 2007-04-10 17:46 202,088 --a------ C:\WINDOWS\system32\LCCoin14.dll
2008-07-19 21:58 . 2007-04-10 17:46 185,704 --a------ C:\WINDOWS\system32\cVX3000.dll
2008-07-19 21:58 . 2007-04-10 17:46 111,976 --a------ C:\WINDOWS\VX3000.dll
2008-07-19 21:58 . 2007-04-10 17:46 15,498 --a------ C:\WINDOWS\VX3000.ini
2008-07-19 21:58 . 2007-04-10 17:46 13,023 --a------ C:\WINDOWS\VX3000.src
2008-07-19 21:56 . 2008-07-19 21:58 <DIR> d-------- C:\Program Files\Microsoft LifeCam
2008-07-19 21:43 . 2008-07-20 20:24 <DIR> d-------- C:\Program Files\Windows Live
2008-07-19 21:43 . 2008-07-20 20:23 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-07-19 21:43 . 2008-07-20 20:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-07-19 21:42 . 2008-07-20 15:15 <DIR> d-------- C:\Program Files\Windows Live Messenger
2008-07-14 22:24 . 2008-07-14 22:24 <DIR> d-------- C:\Program Files\iPod
2008-07-14 22:23 . 2008-07-14 22:23 <DIR> d-------- C:\Program Files\Bonjour

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-13 00:47 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-07-27 19:10 --------- d-----w C:\Program Files\Microsoft Home Publishing 2000
2008-07-21 07:06 --------- d-----w C:\Program Files\Microsoft Works
2008-07-15 02:24 --------- d-----w C:\Program Files\iTunes
2008-07-15 02:22 --------- d-----w C:\Program Files\QuickTime
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 22:13 --------- d-----w C:\Program Files\Paint Shop Pro 7
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-26 03:06 14,336 ----a-w C:\Documents and Settings\preferred user\Application Data\iwsce.exe
2006-08-28 16:09 246,208 ----a-w C:\Documents and Settings\preferred user\Application Data\GDIPFONTCACHEV1.DAT
2003-01-13 16:20 278,528 ----a-w C:\Program Files\internet explorer\plugins\PanoViewer.dll
1999-04-30 21:00 98,304 ----a-w C:\Program Files\internet explorer\plugins\UPjpeg.dll
.

------- Sigcheck -------

2004-08-04 08:00 16896 4e06f50f95357b8cfbc81f5699e754b7 C:\WINDOWS\system32\svchost.exe

2004-08-04 08:00 505856 e853481fef64a5be3fc3732d9d3d926a C:\WINDOWS\system32\winlogon.exe

2004-08-04 08:00 110080 5812a3513734517f8c2c5eab6b269864 C:\WINDOWS\system32\services.exe

2004-08-04 08:00 14336 c3e6b717e7b284e1fa89ba9f7a1be1ed C:\WINDOWS\system32\lsass.exe

2005-06-10 20:17 57856 ad3d9d191aea7b5445fe1d82ffbb4788 C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2005-06-10 19:53 58368 44fce06d98349f92a39a9a242b88650f C:\WINDOWS\system32\spoolsv.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 15:52 48752]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-04-17 12:30 85184]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-10 10:51 289064]
"LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 17:45 279912]
"VX3000"="C:\WINDOWS\vVX3000.exe" [2007-04-10 17:46 709992]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.pcdv"= pcdv.acm
"vidc.cdvc"= cdvccodc.dll
"SENTINEL"= snti386.dll
"mixer"= DrvTrNTm.dll
"wave"= DrvTrNTm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"C:\\Program Files\\Macromedia\\Studio 8\\Dreamweaver 8\\Dreamweaver.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4100:UDP"= 4100:UDP:uPNP Router Control Port

R0 rapkrnl;rapkrnl;C:\WINDOWS\system32\DRIVERS\rapkrnl.sys [2000-06-01 10:01]
R2 MSCamSvc;MSCamSvc;C:\Program Files\Microsoft LifeCam\MSCamS32.exe [2007-05-17 17:45]
R3 tbcspud;Santa Cruz Driver;C:\WINDOWS\system32\drivers\tbcspud.sys [2001-12-15 21:42]
R3 tbcwdm;Santa Cruz WDM Driver;C:\WINDOWS\system32\drivers\tbcwdm.sys [2001-12-16 02:27]
S3 A5AGU;D-Link USB Wireless Network Adapter Service;C:\WINDOWS\system32\DRIVERS\A5AGU.sys [2004-10-06 11:39]
S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2001-10-05 18:30]
S3 ATHFMWDL;D-Link predator Bootloader driver;C:\WINDOWS\system32\Drivers\ATHFMWDL.sys [2004-10-04 07:28]
S3 BroadWaveService;BroadWave Service;C:\Program Files\NCH Swift Sound\BroadWave\broadwave.exe [2007-12-07 15:00]
S3 CSQ200;CSQ driver;C:\WINDOWS\system32\Drivers\CSQ200.sys [2003-09-25 02:16]
S4 PPCtlPriv;PPCtlPriv;C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe []
.
Contents of the 'Scheduled Tasks' folder

2008-08-12 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-C:\WINDOWS\system32\kdqml.exe - C:\WINDOWS\system32\kdqml.exe
HKLM-Run-lphce9aj0ela3 - C:\WINDOWS\system32\lphce9aj0ela3.exe
SSODL-CfqaYsCQjV-{44AA5487-EE00-FE2D-AE7C-64BE6BEB2D15} - C:\WINDOWS\system32\ud.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\preferred user\Application Data\Mozilla\Firefox\Profiles\zg2x7y0d.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.aroundmaine.com/Around_Town


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-12 20:50:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"C:\\WINDOWS\\system32\\kdqml.exe"="C:\\WINDOWS\\system32\\kdqml.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\a7a8c7da]
"ImagePath"="\SystemRoot\System32\drivers\a7a8c7da.sys"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-08-12 21:01:18 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-13 01:01:13

Pre-Run: 41,979,068,416 bytes free
Post-Run: 42,629,955,584 bytes free

183 --- E O F --- 2008-07-22 07:09:07


#2 Billy O'Neal

Visual C++ STL Maintainer
Malware Response Team

Posted 22 August 2008 - 09:15 AM

Hello, Dave P.
:thumbsup: to BleepingComputer.com

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)
Please give me some time to look over your computer's log(s).
Please take note of the following:
  • In the meantime, please refrain from making any changes to your computer.
  • Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :)
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Finally, please reply using the Posted Image button in the lower left hand corner of your screen.
Please DELETE any copies of ComboFix from your system before performing the following.
We need an updated version.
Please tell your friend that running CF without having a qualified individual first look over the state of your system could lead to SEVERE consequences that may possibly prevent your machine from EVER starting again!

We need to run ComboFix. In your next reply, please include the following:
  • ComboFix.txt

Billy3

Edited by Billy O'Neal, 22 August 2008 - 09:17 AM.

Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#3 Dave P.


Posted 23 August 2008 - 12:01 PM

Hi Billy,

My friend is a network technician (I'm not saying that makes him a god ...) that instructed me to do exactly what you described. He told me to go to bleepingcomputer.com and follow the ComboFix instructions, which I did, including posting the ComboFix log. I have barely used the infected computer for a couple of weeks while going through the ComboFix process carefully and waiting for a reply regarding the ComboFix log. This is where it was at until I heard from you. I did install the Recovery Console before running ComboFix and I posted the ComboFix log (above) for review.

Should I run ComboFix again, which is what I believe you are suggesting for the next step?

Thanks for your time,

Dave

#4 Billy O'Neal


Posted 23 August 2008 - 02:37 PM

Hello, Dave :thumbsup:

Yes, please delete any copies of CF you have and Re-Run. I just want to let you know occasionally we find things that make CF dangerous to run on machines, and the only way to know first is to post a HJT log and have someone who knows about how CF works analyse it :)

Billy3

#5 Dave P.


Posted 23 August 2008 - 02:51 PM

Hi Billy,

Please forgive my lack of understanding, which needs some clearing up. HJT, I believe, is Hijack This, which I have not run .... If I am possibly in danger if I run ComboFix without posting an HJT log first, should I be running HJT and posting that log next rather than running ComboFix again and posting its log?

Thanks again,

Dave

#6 Billy O'Neal


Posted 23 August 2008 - 03:31 PM

Yes, in the future, you should post a HiJack This log first, and then if ComboFix will be useful on your system, the helper will instruct you to run it.

Edit: if you look at the heading on EVERY PAGE in this forum:

DO NOT post a ComboFix log unless requested to.


Billy3

Edited by Billy O'Neal, 23 August 2008 - 03:32 PM.


#7 Dave P.


Posted 24 August 2008 - 12:57 PM

Billy,

Sorry about that. I printed out and followed the bleepingcomputer.com ComboFix instructions exactly. No mention in there at all about running HiJackThis first, and I posted the CF log per the link provided in the bleepingcomp.com CF instructions. If I am the only person that made this mistake then I certainly missed the point, but if others do this as well then maybe amending the CF instructions would be helpful. Not trying to place blame elsewhere, just sharing my experience as a non-technical person that reads and follows instructions well ....

Thanks again for your help.

Dave

Here is my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:38:18 PM, on 8/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\vVX3000.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI31D0~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI31D0~1\OFFICE11\REFIEBAR.DLL
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1160966507265
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BroadWave Service (BroadWaveService) - Unknown owner - C:\Program Files\NCH Swift Sound\BroadWave\broadwave.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 6461 bytes

#8 Billy O'Neal


Posted 24 August 2008 - 03:22 PM

Hello, Dave P..

Before continuing, please remove any existing copies of ComboFix you have as it is updated often.

We need to run ComboFix. In your next reply, please include the following:
  • ComboFix.txt

Billy3

#9 Dave P.


Posted 24 August 2008 - 04:37 PM

Billy,

I'll upload ComboFix.txt with this message. Thanks again for your patience and help. I wish the person that referred me to bleepingcomputer had told me to start at explaining my problem first rather than referring me to "How to use ComboFix" first. With that in mind, remember that I have already run ComboFix, then HJT, now CF again. ComboFix ran much faster the second time around, if that info is important to you.

Dave


#10 Billy O'Neal


Posted 24 August 2008 - 10:25 PM

Hello, Dave P..
Please follow the excellent tutorial by usasma on repairing your system with SFC here:
http://www.bleepingcomputer.com/forums/t/43051/how-to-use-sfcexe-to-repair-system-files/

It appears several files crucial to the operation of Windows have been modified on your machine.

We need to re-run ComboFix with some additional directives.
  • Please disable any running anti-virus programs.

    If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:
    http://www.bleepingcomputer.com/forums/t/162992/xp-antivirus-combofix-log/
    
    suspect::[54]
    C:\WINDOWS\system32\DRIVERS\rapkrnl.sys
    C:\WINDOWS\system32\drivers\tbcspud.sys
    C:\WINDOWS\system32\Drivers\CSQ200.sys
    
    file::
    C:\Documents and Settings\preferred user\Application Data\iwsce.exe
    C:\WINDOWS\system32\drivers\a7a8c7da.sys
    
    driver::
    PPCtlPriv
  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • (image: CFScript.txt being dragged onto ComboFix.exe)
    Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Please copy and paste that report here.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

In your next reply, please include the following:
  • ComboFix.txt


Also, please paste the logs here rather than attaching them; it makes them easier for others to read :thumbsup:

Billy3
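As an added example (not code from this thread, from ComboFix, or from BleepingComputer), the Python script below reads a ComboFix log like the one Dave posted in #1, splits it into its banner sections, flags the kinds of entries Billy's CFScript in #10 acted on, and drafts the file:: and driver:: part of a CFScript.txt from them. The sample log is a constructed, trimmed copy of the first log in this thread. The heuristics (a core Windows binary outside system32, an Autorun.inf at a drive root, an 8-hex-digit .sys in the drivers folder, an .exe directly in an Application Data root, a Security Center override value set to 1, a service whose path ends in an empty [] timestamp) are this example's own assumptions modelled on what the helper flagged, not ComboFix rules, and the draft is a starting point for a helper to review in the way this thread describes.

```python
"""Triage a ComboFix log and draft CFScript directives (added example; not ComboFix's own code)."""
import re
from dataclasses import dataclass

# Constructed sample: a trimmed copy of the first ComboFix log posted in this thread.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\drivers\svchost.exe
C:\WINDOWS\system32\lphce9aj0ela3.exe
J:\Autorun.inf
((((((((((((((((((((((((( Files Created from 2008-07-13 to 2008-08-13 )))))))))))))))))))))))))))))))
2008-08-11 07:29 . 2008-08-12 20:51 109,150 --a------ C:\WINDOWS\system32\drivers\a7a8c7da.sys
2008-07-20 10:35 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2008-08-13 00:47 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-05-26 03:06 14,336 ----a-w C:\Documents and Settings\preferred user\Application Data\iwsce.exe
------- Sigcheck -------
2004-08-04 08:00 16896 4e06f50f95357b8cfbc81f5699e754b7 C:\WINDOWS\system32\svchost.exe
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
R0 rapkrnl;rapkrnl;C:\WINDOWS\system32\DRIVERS\rapkrnl.sys [2000-06-01 10:01]
S4 PPCtlPriv;PPCtlPriv;C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe []
"""


@dataclass
class Finding:
    rule: str
    detail: str
    path: str = ""     # listed under file:: in the drafted CFScript
    service: str = ""  # listed under driver:: in the drafted CFScript


# Section banners: '(((( Name ))))' or '------- Name -------'
SECTION_RE = re.compile(r"^\(+\s*(.*?)\s*\)+$|^-{3,}\s+(.*?)\s+-{3,}$")
# 'date time [. date time] size attrs path' rows of the Files Created and Find3M sections
ROW_RE = re.compile(r"^\S+ \S+ (?:\. \S+ \S+ )?(\S+) (\S+) (.+)$")
# 'R0 name;display;path [timestamp]'; the brackets are empty when the binary is missing
SERVICE_RE = re.compile(r"^[RS]\d\s+([^;]+);[^;]*;(.+?)\s+\[(.*)\]$")
SECURITY_CENTER_RE = re.compile(r'^"(AntiVirusOverride|DisableMonitoring)"=dword:0*1$')
RANDOM_SYS_RE = re.compile(r"^[0-9a-f]{8}\.sys$", re.IGNORECASE)   # heuristic, assumption of this example
CORE_BINARIES = {"svchost.exe", "winlogon.exe", "services.exe", "lsass.exe", "spoolsv.exe"}


def split_sections(text):
    """Group lines under the banner that precedes them ('Other Deletions', 'Sigcheck', ...)."""
    sections, current = {"Header": []}, "Header"
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1) or m.group(2)
            sections.setdefault(current, [])
        elif line and line != ".":
            sections[current].append(line)
    return sections


def section(sections, prefix):
    """Lines of the first section whose banner starts with prefix (some banners carry dates)."""
    return next((lines for name, lines in sections.items() if name.startswith(prefix)), [])


def sigcheck_hashes(sections):
    """Path -> MD5 for the core binaries ComboFix hashed, to compare against a trusted baseline."""
    rows = (re.match(r"^\S+ \S+ \d+ ([0-9a-f]{32}) (.+)$", ln) for ln in section(sections, "Sigcheck"))
    return {m.group(2): m.group(1) for m in rows if m}


def analyse(text):
    """Apply the heuristics (assumptions of this example, modelled on what the helper flagged)."""
    sections, findings = split_sections(text), []
    # Already-removed files: a core Windows binary outside system32, or an Autorun.inf at a drive root.
    for path in section(sections, "Other Deletions"):
        folder, _, name = path.rpartition("\\")
        if name.lower() in CORE_BINARIES and folder.lower() != r"c:\windows\system32":
            findings.append(Finding("core-binary-misplaced", path))
        elif name.lower() == "autorun.inf" and re.fullmatch(r"[A-Za-z]:", folder):
            findings.append(Finding("autorun-at-drive-root", path))
    # Recently created driver with an 8-hex-digit name (a7a8c7da.sys in this thread): candidate for file::.
    for m in filter(None, map(ROW_RE.match, section(sections, "Files Created"))):
        folder, _, name = m.group(3).rpartition("\\")
        if RANDOM_SYS_RE.match(name) and folder.lower().endswith("\\drivers"):
            findings.append(Finding("random-named-driver", m.group(0), path=m.group(3)))
    # An .exe sitting directly in a profile's Application Data root (iwsce.exe here): candidate for file::.
    for m in filter(None, map(ROW_RE.match, section(sections, "Find3M"))):
        folder, _, name = m.group(3).rpartition("\\")
        if name.lower().endswith(".exe") and folder.lower().endswith("\\application data"):
            findings.append(Finding("exe-in-appdata-root", m.group(0), path=m.group(3)))
    # Security Center alerts switched off, and a service whose binary is gone: candidate for driver::.
    for line in section(sections, "Reg Loading Points"):
        if SECURITY_CENTER_RE.match(line):
            findings.append(Finding("security-center-suppressed", line))
        m = SERVICE_RE.match(line)
        if m and m.group(3) == "":
            findings.append(Finding("service-binary-missing", line, service=m.group(1)))
    return findings


def draft_cfscript(findings):
    """Render the file:: and driver:: sections of a CFScript.txt from findings that name a target."""
    files = sorted({f.path for f in findings if f.path})
    drivers = sorted({f.service for f in findings if f.service})
    blocks = ["file::\n" + "\n".join(files)] if files else []
    if drivers:
        blocks.append("driver::\n" + "\n".join(drivers))
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    found = analyse(SAMPLE_LOG)
    for f in found:
        print(f"{f.rule:28} {f.detail}")
    print(draft_cfscript(found))
```

Run against the sample, the draft reproduces the file:: and driver:: entries of the CFScript in #10 (iwsce.exe, a7a8c7da.sys, PPCtlPriv); the suspect:: directive is left to the helper, and the Sigcheck hashes are returned as a dict so they can be compared with a baseline taken from a known-clean install of the same service pack.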

#11 Dave P.


Posted 25 August 2008 - 05:57 AM

Billy,

Below is the new ComboFix.txt file.

Thanks, Dave.

ComboFix 08-08-23.03 - preferred user 2008-08-25 6:28:29.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1117 [GMT -4:00]
Running from: C:\Documents and Settings\preferred user\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\preferred user\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Documents and Settings\preferred user\Application Data\iwsce.exe
C:\WINDOWS\system32\drivers\a7a8c7da.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\preferred user\Application Data\iwsce.exe
C:\WINDOWS\system32\drivers\a7a8c7da.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PPCTLPRIV
-------\Service_PPCtlPriv
-------\Service_a7a8c7da


((((((((((((((((((((((((( Files Created from 2008-07-25 to 2008-08-25 )))))))))))))))))))))))))))))))
.

2008-08-10 18:09 . 2008-08-10 18:09 106,187,686 --a------ C:\SYM_REGISTRY_BACKUP.reg
2008-08-03 08:14 . 2008-08-03 08:14 268 --ah----- C:\sqmdata03.sqm
2008-08-03 08:14 . 2008-08-03 08:14 244 --ah----- C:\sqmnoopt03.sqm
2008-07-29 17:23 . 2008-07-29 17:23 268 --ah----- C:\sqmdata02.sqm
2008-07-29 17:23 . 2008-07-29 17:23 244 --ah----- C:\sqmnoopt02.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-24 21:11 --------- d-----w C:\Program Files\Microsoft Home Publishing 2000
2008-08-13 00:47 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-07-21 07:09 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-07-21 07:06 --------- d-----w C:\Program Files\Microsoft Works
2008-07-21 00:24 --------- d-----w C:\Program Files\Windows Live
2008-07-21 00:23 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-07-21 00:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-07-20 19:15 --------- d-----w C:\Program Files\Windows Live Messenger
2008-07-20 01:58 --------- d-----w C:\Program Files\Microsoft LifeCam
2008-07-15 02:24 --------- d-----w C:\Program Files\iTunes
2008-07-15 02:24 --------- d-----w C:\Program Files\iPod
2008-07-15 02:23 --------- d-----w C:\Program Files\Bonjour
2008-07-15 02:22 --------- d-----w C:\Program Files\QuickTime
2006-08-28 16:09 246,208 ----a-w C:\Documents and Settings\preferred user\Application Data\GDIPFONTCACHEV1.DAT
2003-01-13 16:20 278,528 ----a-w C:\Program Files\internet explorer\plugins\PanoViewer.dll
1999-04-30 21:00 98,304 ----a-w C:\Program Files\internet explorer\plugins\UPjpeg.dll
.

------- Sigcheck -------

2004-08-04 08:00 16896 4e06f50f95357b8cfbc81f5699e754b7 C:\WINDOWS\system32\svchost.exe

2004-08-04 08:00 505856 e853481fef64a5be3fc3732d9d3d926a C:\WINDOWS\system32\winlogon.exe

2004-08-04 08:00 110080 5812a3513734517f8c2c5eab6b269864 C:\WINDOWS\system32\services.exe

2004-08-04 08:00 14336 c3e6b717e7b284e1fa89ba9f7a1be1ed C:\WINDOWS\system32\lsass.exe

2005-06-10 20:17 57856 ad3d9d191aea7b5445fe1d82ffbb4788 C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2005-06-10 19:53 58368 44fce06d98349f92a39a9a242b88650f C:\WINDOWS\system32\spoolsv.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 15:52 48752]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-04-17 12:30 85184]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-10 10:51 289064]
"LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 17:45 279912]
"VX3000"="C:\WINDOWS\vVX3000.exe" [2007-04-10 17:46 709992]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.pcdv"= pcdv.acm
"vidc.cdvc"= cdvccodc.dll
"SENTINEL"= snti386.dll
"mixer"= DrvTrNTm.dll
"wave"= DrvTrNTm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"C:\\Program Files\\Macromedia\\Studio 8\\Dreamweaver 8\\Dreamweaver.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4100:UDP"= 4100:UDP:uPNP Router Control Port

R0 rapkrnl;rapkrnl;C:\WINDOWS\system32\DRIVERS\rapkrnl.sys [2000-06-01 10:01]
R2 MSCamSvc;MSCamSvc;C:\Program Files\Microsoft LifeCam\MSCamS32.exe [2007-05-17 17:45]
R3 tbcspud;Santa Cruz Driver;C:\WINDOWS\system32\drivers\tbcspud.sys [2001-12-15 21:42]
R3 tbcwdm;Santa Cruz WDM Driver;C:\WINDOWS\system32\drivers\tbcwdm.sys [2001-12-16 02:27]
S3 A5AGU;D-Link USB Wireless Network Adapter Service;C:\WINDOWS\system32\DRIVERS\A5AGU.sys [2004-10-06 11:39]
S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2001-10-05 18:30]
S3 ATHFMWDL;D-Link predator Bootloader driver;C:\WINDOWS\system32\Drivers\ATHFMWDL.sys [2004-10-04 07:28]
S3 BroadWaveService;BroadWave Service;C:\Program Files\NCH Swift Sound\BroadWave\broadwave.exe [2007-12-07 15:00]
S3 CSQ200;CSQ driver;C:\WINDOWS\system32\Drivers\CSQ200.sys [2003-09-25 02:16]
.
Contents of the 'Scheduled Tasks' folder

2008-08-19 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-25 06:34:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-08-25 6:46:19 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-25 10:46:10
ComboFix2.txt 2008-08-13 01:01:19

Pre-Run: 41,739,112,448 bytes free
Post-Run: 41,805,852,672 bytes free

141 --- E O F --- 2008-08-15 07:11:19
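
An added example for reading the "Reg Loading Points" section of the log above the way a helper would triage it; it is not part of ComboFix and not code from this thread. ComboFix notes that empty and default entries are not shown, so every value that does appear is worth a look. The two Security Center values near the end of that section are the ones to notice: AntiVirusOverride=1 silences the Security Center "no antivirus" warning, and Monitoring\SymantecAntiVirus\DisableMonitoring=1 stops Security Center from tracking that product. Here they match the poster having disabled Symantec for the clean-up, but rogue antivirus programs set the same values to hide that real protection is off. The script parses the REGEDIT4-style keys, lists the Run autostarts with the file stamp ComboFix appends, and flags the overrides. The sample text is constructed from lines of the log above; the extra names in OVERRIDE_NAMES (FirewallOverride and the three DisableNotify values) are the other Security Center switches in Windows XP SP2 and do not appear in this log.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example for this thread; not part of ComboFix. Sample text is
constructed from lines of the posted log.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: a few entries copied from the log above.
SAMPLE = r"""REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VX3000"="C:\WINDOWS\vVX3000.exe" [2007-04-10 17:46 709992]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
# ComboFix appends "[date time size]" after the quoted path of a Run entry.
_RUN_DATA_RE = re.compile(r'^"(?P<path>[^"]*)"(?:\s+\[(?P<stamp>[^\]]*)\])?')

SECURITY_CENTER = r"hkey_local_machine\software\microsoft\security center"
# Value names (compared case-insensitively) that switch off Security Center
# alerts or per-product monitoring. Only the first and last occur in the log;
# the others are the remaining XP SP2 switches (assumption: same key layout).
OVERRIDE_NAMES = {
    "antivirusoverride", "firewalloverride", "antivirusdisablenotify",
    "firewalldisablenotify", "updatesdisablenotify", "disablemonitoring",
}


def parse_reg_section(text: str) -> Dict[str, Dict[str, str]]:
    """Parse REGEDIT4-style text into {key path (lower-cased): {value name: raw data}}."""
    reg: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        key = _KEY_RE.match(line)
        if key:
            current = key.group(1).lower()
            reg.setdefault(current, {})
            continue
        value = _VALUE_RE.match(line)
        if value and current is not None:
            reg[current][value.group(1)] = value.group(2).strip()
    return reg


def dword(raw: str) -> Optional[int]:
    """Decode 'dword:00000001' data to an int; None for string data."""
    if raw.lower().startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    return None


def run_entries(reg: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str, str]]:
    """(hive, value name, path, ComboFix file stamp) for every Run autostart."""
    out: List[Tuple[str, str, str, str]] = []
    for key, values in reg.items():
        if not key.endswith(r"\currentversion\run"):
            continue
        hive = key.split("\\", 1)[0]
        for name, raw in values.items():
            m = _RUN_DATA_RE.match(raw)
            if m:
                out.append((hive, name, m.group("path"), m.group("stamp") or ""))
    return out


def security_center_findings(reg: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, int]]:
    """(key, value name, 1) for every Security Center override that is switched on."""
    findings: List[Tuple[str, str, int]] = []
    for key, values in reg.items():
        if not key.startswith(SECURITY_CENTER):
            continue
        for name, raw in values.items():
            if name.lower() in OVERRIDE_NAMES and dword(raw) == 1:
                findings.append((key, name, 1))
    return findings


if __name__ == "__main__":
    parsed = parse_reg_section(SAMPLE)
    for hive, name, path, stamp in run_entries(parsed):
        print(f"autostart {hive} {name}: {path} [{stamp}]")
    for key, name, val in security_center_findings(parsed):
        print(f"WARNING {key}\\{name} = {val}")
```

Run against the full "Reg Loading Points" text of a log, the two warnings above are the check a helper wants before declaring a machine clean: if the owner did not set them on purpose, something else did.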

#12 Billy O'Neal
    Visual C++ STL Maintainer
  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 25 August 2008 - 09:01 AM

Hello, Dave P.
I would like us to use ESET (NOD32)'s Online Scanner.
  • Please go to ESET OnlineScan (NOD32)
  • You will then see the Terms of Use; tick the check-box in front of "YES, I accept the Terms of Use"
  • Now click Start
  • Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
  • Click Start
    • Note: (the Onlinescanner will now prepare itself for running on your pc)
  • To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan
  • The Onlinescan will now start and scan your pc (this could take a while)
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window
  • Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
  • The Scanresults will now open in Notepad
  • Click into the text area, right-click and choose "select all" (or use <Control>+A)
  • Right-click again and choose "Copy" (or <Control>+C)
  • Close/Exit Notepad
  • Navigate to this thread and post your log along with anything else requested from us, by right-clicking and "paste" (or ctrl+v) in the text area of the reply post you just created.
Note: For Vista Users: Eset is compatible, but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

In your next reply, please include the following:
  • ESET OnlineScan's Log
  • A New HiJack This log

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#13 Dave P.
  • Topic Starter
  • Members
  • 10 posts

Posted 25 August 2008 - 08:46 PM

Billy,

I can't say thank you enough ....

Below is the Eset log followed by the new HJT log, which was run after Eset.
____________________________________
Eset log:

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3386 (20080825)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=d5fadb68feeb794abb98484203db73f5
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-08-26 01:09:46
# local_time=2008-08-25 09:09:46 (-0500, Eastern Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=958892
# found=13
# scan_time=11202
C:\Documents and Settings\All Users\Application Data\TickWinDashPile\bashdart.exe Win32/Obfuscated.A1 trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\preferred user\Application Data\plus license\agfbppqo.exe Win32/Obfuscated.A1 trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\Rapidshare Unlimited\Uninstall.exe probably a variant of Win32/TrojanDropper.Agent trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\catchme2008-08-25_ 63026.92.zip Win32/Rustock trojan (deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\catchme2008-08-25_ 63026.92.zip »ZIP »a7a8c7da.sys Win32/Rustock trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\Documents and Settings\preferred user\Application Data\iwsce.exe.vir Win32/TrojanDownloader.FakeAlert.DU trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\system32\lphce9aj0ela3.exe.vir Win32/TrojanDownloader.FakeAlert.FT trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\system32\pphce9aj0ela3.exe.vir Win32/TrojanDownloader.FakeAlert.FK trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\a7a8c7da.sys.vir Win32/Rustock trojan (unable to clean - deleted) 00000000000000000000000000000000
J:\DL\Apps\Downloaded Installs\FlashMenu164templates.rar probably a variant of Win32/Obfuscated trojan (deleted) 00000000000000000000000000000000
J:\DL\Apps\Downloaded Installs\FlashMenu164templates.rar »RAR »123 Flash Menu v1.64 + 100 extra templates\keygen.exe probably a variant of Win32/Obfuscated trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
J:\DL\Apps\123 Flash Menu\123 Flash Menu v1.64 + 100 extra templates\keygen.exe probably a variant of Win32/Obfuscated trojan (unable to clean - deleted) 00000000000000000000000000000000
J:\DL\Apps\DVD Ripper\Apollo.No1.DVD.Ripper.v6.2.1.WinAll.Incl.Keygen-TWK\Apollo.No1.DVD.Ripper.v6.2.1.Keygen-TWK.exe probably a variant of Win32/Agent trojan (unable to clean - deleted) 00000000000000000000000000000000

____________________________________
HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:20:42 PM, on 8/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\vVX3000.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI31D0~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI31D0~1\OFFICE11\REFIEBAR.DLL
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1160966507265
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BroadWave Service (BroadWaveService) - Unknown owner - C:\Program Files\NCH Swift Sound\BroadWave\broadwave.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 6545 bytes
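
An added example for summarising an ESET Online Scanner log like the one above; it is not ESET's code and not from this thread. It reads the "# key=value" header, parses each result line into path, detection name, action and the trailing 32-hex field, checks that the number of result lines matches the header's found= count, and then separates findings that were already inside ComboFix's quarantine folder (C:\QooBox\Quarantine, already neutralised) from files that were still live on disk, which are the ones that matter for the clean-up. The sample is a constructed subset: four result lines copied from the log above, with the header's found= value adjusted to match.

```python
"""Summarise an ESET Online Scanner log.

Added example for this thread; not ESET's code. The sample is a constructed
subset of the posted log (four result lines, header found= adjusted).
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

SAMPLE_LOG = r"""# version=4
# end=finished
# remove_checked=true
# unwanted_checked=true
# scanned=958892
# found=4
# scan_time=11202
C:\Documents and Settings\All Users\Application Data\TickWinDashPile\bashdart.exe Win32/Obfuscated.A1 trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\Rapidshare Unlimited\Uninstall.exe probably a variant of Win32/TrojanDropper.Agent trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\a7a8c7da.sys.vir Win32/Rustock trojan (unable to clean - deleted) 00000000000000000000000000000000
J:\DL\Apps\123 Flash Menu\123 Flash Menu v1.64 + 100 extra templates\keygen.exe probably a variant of Win32/Obfuscated trojan (unable to clean - deleted) 00000000000000000000000000000000
"""

# A result line is: path (may contain spaces and archive markers such as
# "»ZIP »member"), detection name, "(action)", 32-hex field. The path is
# matched lazily; the detection name is anchored on its "Platform/Name" token.
_RESULT_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<threat>(?:probably )?(?:a variant of )?\S+/\S+ [^()]+?) "
    r"\((?P<action>[^)]*)\) "
    r"(?P<tail>[0-9a-fA-F]{32})$"
)
QUARANTINE_PREFIX = r"c:\qoobox\quarantine"


@dataclass
class Detection:
    path: str
    threat: str
    action: str
    tail: str

    @property
    def family(self) -> str:
        """'Win32/Obfuscated.A1 trojan' -> 'Obfuscated'."""
        name = re.search(r"\S+/\S+", self.threat).group(0)
        return name.split("/", 1)[1].split(".", 1)[0]

    @property
    def in_quarantine(self) -> bool:
        """True for files ComboFix had already moved into C:\\QooBox\\Quarantine."""
        return self.path.lower().startswith(QUARANTINE_PREFIX)

    @property
    def unresolved(self) -> bool:
        """True when ESET reported an error rather than a clean or deletion."""
        return "error" in self.action


def parse_eset_log(text: str) -> Tuple[Dict[str, str], List[Detection]]:
    """Split the log into its header dictionary and its parsed result lines."""
    header: Dict[str, str] = {}
    detections: List[Detection] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("# "):
            key, _, value = line[2:].partition("=")
            header[key.strip()] = value.strip()
            continue
        m = _RESULT_RE.match(line)
        if m is None:
            raise ValueError(f"unparsed result line: {line!r}")
        detections.append(Detection(**m.groupdict()))
    return header, detections


def summarise(header: Dict[str, str], detections: List[Detection]) -> Dict[str, object]:
    """Group the findings the way a helper reads them: live vs quarantined, errors, families."""
    return {
        "found_matches_header": int(header.get("found", "0")) == len(detections),
        "live": [d.path for d in detections if not d.in_quarantine],
        "quarantined": [d.path for d in detections if d.in_quarantine],
        "unresolved": [d.path for d in detections if d.unresolved],
        "families": Counter(d.family for d in detections),
    }


if __name__ == "__main__":
    hdr, found = parse_eset_log(SAMPLE_LOG)
    for key, value in summarise(hdr, found).items():
        print(f"{key}: {value}")
```

The "unresolved" bucket catches lines like the archive-member entries in the log above (an error while cleaning inside a .zip or .rar), which are harmless when the containing archive itself was deleted but should be reread rather than skipped.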

#14 Billy O'Neal
    Visual C++ STL Maintainer
  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 25 August 2008 - 09:34 PM

Hello, Dave P.
You now appear to be clean. Congratulations!

We need to remove ComboFix
  • Click START then RUN
  • Now type or copy Combofix /u in the runbox and click OK.
    Note the space between the X and the U; it needs to be there.
We need to clean up our tools.
  • Please download OTMoveIt2 by OldTimer and save it to your desktop.
  • Click the Clean Up button.
  • Accept any prompts.
  • This will remove any tools we used, including OTMoveIt, and will require a reboot.
Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints: Malware Complaints. Just find your country room and register your complaint.
The infections you had were "several trojans, ZLOB".

Below are some steps to follow in order to dramatically lower the chances of reinfection.
You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented.
  • Set a New Restore Point to prevent possible reinfection from an old one.
    Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools cannot access it to delete these bad files, which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll back" to a clean working state.
    You can view a video of the following instructions.
    • Go to Start > Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
    • Then go to Start > Run and type: Cleanmgr
    • Click "OK".
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
    Note: You should only do this once!
    :thumbsup:
  • Make sure you install all the security updates for Windows, Internet Explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your PC, so keeping up with these patches will help to prevent malicious software from being installed on your PC.
    Go here to check for & install updates to Microsoft applications.
    Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install.
    :)
  • Keep your non-Microsoft applications updated as well
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check for other vulnerable programs running on your PC that are in need of an update, you can use the Secunia Software Inspector; I suggest that you run it at least once a month.
    :)
  • Make Internet Explorer more secure
    • Click Start -> Run
    • Type "Inetcpl.cpl" (without quotes) & click OK.
    • Click on the Security tab.
    • Click "Reset all zones to default level"
    • Make sure the Internet Zone is selected & click "Custom level"
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Click OK, then Apply, then OK to exit the Internet Properties page.
    :)
  • Install SpywareBlaster & make sure to update it regularly
    SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing themselves on your computer.
    If you don't know what ActiveX controls are, see here.
    You can download SpywareBlaster from here.
    :spacer:
  • Install and use Spybot Search & Destroy
    Instructions are located here.
    Make sure you update, reimmunize & scan regularly.
    :spacer:
  • Make use of the HOSTS file included with Spybot Search & Destroy
    Every version of Microsoft Windows includes a hosts file. A hosts file is a bit like a phone book: it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites.
    Spybot Search & Destroy has a good HOSTS file built in. To enable it,
    • Run Spybot Search & Destroy
    • Click the Mode button on the toolbar, and then place a tick next to Advanced mode.
    • Click Yes.
    • In the left hand pane of Spybot Search & Destroy, click on "Tools", and then on Hosts File.
    • Click on "Add Spybot-S&D hosts list"
    Note: On some PCs, having a custom HOSTS file installed can cause a significant slowdown. Following these instructions should resolve the issue:
    • Click Start -> Run.
    • Type "services.msc" (without quotes) & click OK.
    • In the list, find the service called "DNS Client" & double click on it.
    • On the dropdown box, change the setting from "Automatic" to "Manual".
    • Click OK.
    • Exit/close the Services window
    For a more detailed explanation of the HOSTS file, click here.
    :spacer:
  • Install a-squared Free & update and scan with it regularly
    a-squared free is a product from Emsi Software provided free for private use that can detect and remove a variety of malicious software. You can get it here.
    Note: If you have a dialup internet connection, you may also like to install a-squared Anti-Dialer, which provides some real-time protection against premium rate dialers.
    :spacer:
  • Finally, I am trying to make one point very clear: it is absolutely essential to keep all of your security programs up to date!
Billy3
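
An added example for the HOSTS-file advice in the post above; it is not part of Spybot Search & Destroy and not from this thread. It parses hosts-file text the way a resolver reads it (address first, then one or more names, "#" starts a comment, and the first matching line is the one used), reports which names are blocked, meaning they point at a loopback or unspecified address, and flags two things that do not belong in a blocklist: a name sent to some other address (a redirect rather than a block) and a name listed under more than one address (a sign of merged lists that will behave differently depending on line order). The sample file content is constructed; the .invalid names and 192.0.2.10 are placeholders.

```python
"""Audit a Windows hosts-file blocklist.

Added example for this thread; not part of Spybot S&D. The sample content
is constructed (placeholder names and addresses).
"""
import ipaddress
from typing import Dict, List, Set, Tuple

SAMPLE_HOSTS = """# constructed sample; not a real blocklist
127.0.0.1       localhost
0.0.0.0         ads.example.invalid  tracker.example.invalid
127.0.0.1       ads.example.invalid           # same name again, different address
192.0.2.10      update.example.invalid        # a redirect, not a block
not-an-address  broken.example.invalid        # malformed; a resolver skips it
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (name, address) pairs in file order; comments and bad lines dropped."""
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an IP address; the line does nothing
        for name in parts[1:]:
            entries.append((name.lower(), parts[0]))
    return entries


def is_block_address(addr: str) -> bool:
    """Loopback (127.0.0.1, ::1) or unspecified (0.0.0.0, ::) means 'go nowhere'."""
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or ip.is_unspecified


def effective_map(entries: List[Tuple[str, str]]) -> Dict[str, str]:
    """Name -> address the resolver will actually use (first line for a name wins)."""
    mapping: Dict[str, str] = {}
    for name, addr in entries:
        mapping.setdefault(name, addr)
    return mapping


def blocked_names(entries: List[Tuple[str, str]]) -> List[str]:
    """Names that the file sends to a loopback/unspecified address."""
    return sorted(n for n, a in effective_map(entries).items() if is_block_address(a))


def audit(entries: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Flag redirects (non-block targets) and names listed under several addresses."""
    seen: Dict[str, Set[str]] = {}
    for name, addr in entries:
        seen.setdefault(name, set()).add(addr)
    effective = effective_map(entries)
    return {
        "redirects": sorted(n for n, a in effective.items() if not is_block_address(a)),
        "duplicates": sorted(n for n, addrs in seen.items() if len(addrs) > 1),
    }


if __name__ == "__main__":
    parsed = parse_hosts(SAMPLE_HOSTS)
    print("blocked:", blocked_names(parsed))
    print("audit:", audit(parsed))
```

On a Windows XP machine the file lives at C:\WINDOWS\system32\drivers\etc\hosts; the "redirects" list is the one to read first, because a hosts entry that sends an update or security-vendor name somewhere other than loopback is exactly the kind of change the clean-up above is meant to undo.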

#15 Dave P.
  • Topic Starter
  • Members
  • 10 posts

Posted 26 August 2008 - 08:33 AM

Billy,

One quirk about this system still lingers and raises the question of how clean my computer is at this time. I have (had?) Symantec Corporate on this machine, which I disabled for the cleaning process.

In the little time spent working with you to fix my problem, and still as I try to use the computer, there is something odd happening.

Whenever I right-click on the Start menu, or try to use cut, copy or paste in Windows Explorer, a Symantec AntiVirus window pops up that says "Please wait while Windows configures Symantec AntiVirus". I have been immediately canceling this out to work through the cleaning processes. This happens every time I cut, copy or paste in Windows Explorer, or even when I simply right-click on the Start button, which is my favorite quick way to open Windows Explorer. I am able to cut, copy and paste fine after I close out the Symantec pop-up window, unless I try to cut, copy or paste again, in which case the pop-up occurs again and needs to be canceled out. This also happens when I right-click on anything in Windows Explorer. (I tend to use right-clicking a lot to get to places faster...)

Hopefully this is as simple as uninstalling Symantec, but I am not sure.

Thanks,

Dave

Edited by Dave P., 26 August 2008 - 08:42 AM.




