
Vundo. possible rootkit


  • This topic is locked
25 replies to this topic

#1 mattandi

mattandi

  • Members
  • 13 posts
  • OFFLINE
  • Local time:10:03 AM

Posted 04 December 2008 - 12:24 PM

I have picked up some buggers. Need some help to get rid of them.

Symptoms:
Computer performance is erratic - at times very sluggish, at times better.
Hard drive very active, has a hard time settling down.
Had one instance of multiple pop-ups about 36 hours ago, opened about 2-3 per second until I killed power to computer.
Cannot access internet reliably, access is good for only a few minutes then can not navigate to any website. This has degraded over the last 48 hours.
Can not complete an online scan, but did get part way through a housecall scan about 36 hours ago.
Can not successfully update or download anything at this time.
Get the "Work offline" dialogue box occasionally when no browser is open.

Other info:
Trend Micro Officescan has flagged BAT_FTPER.C, Mal_MLWR-5, PAK_Generic.001, and TROJ_VUNDO.YD and quarantined what it could.
Spybot has found Smitfraud-C and Virtumonde and cleaned what it could.
MBAM has found Vundo and tdss rootkit and cleaned what it could.
Vundo, Mal_MLWR-5, PAK_Generic.001 keep coming back. The rootkit evidence is new as of late last night, and persists.

I am posting from another computer.

Here's the RSIT log. Thanks for any help you can provide.

Logfile of random's system information tool 1.04 (written by random/random)
Run by Administrator at 2008-12-04 12:14:05
Microsoft Windows XP Professional Service Pack 2
System drive C: has 19 GB (68%) free of 29 GB
Total RAM: 383 MB (35% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:14:29 PM, on 12/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\SMART Board Software\SMARTBoardService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\system32\wtdss.exe
C:\WINDOWS\TEMP\WT2033.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\system32\tp4mon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ACTIV Software\ACTIVdriver\ACTIVcontrol.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\SMART Board Software\SMARTBoardTools.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system\NtLanSec.exe
C:\Program Files\SMART Board Software\Aware.exe
C:\Program Files\SMART Board Software\Marker.exe
C:\Documents and Settings\administrator\Desktop\RSIT.exe
C:\Documents and Settings\administrator\Desktop\anti stuff\hjt\Administrator.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://wsfcs.k12.nc.us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NetZero\SearchEnh1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [msconfigsvrc] C:\WINDOWS\system\NtLanSec.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CTEMON.EXE] "C:\Documents and Settings\All Users\Application Data\winlogon.exe" /h
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ACTIVfilter] C:\Program Files\ACTIV Software\ACTIVdriver\ACTIVfilter.exe
O4 - HKLM\..\Run: [ActivDRVAutostart] C:\Program Files\ACTIV Software\ACTIVdriver\ACTIVcontrol.exe /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SMART Board Tools.lnk = C:\Program Files\SMART Board Software\SMARTBoardTools.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://wsfcs.k12.nc.us
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1210712395503
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - http://wsfcs7.wsfcs.k12.nc.us/dwa7W.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = wsfcs.net
O17 - HKLM\Software\..\Telephony: DomainName = wsfcs.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = wsfcs.net
O20 - AppInit_DLLs: tzuycz.dll
O23 - Service: ActivDRVcontrol - ACTIV Software Ltd - C:\Program Files\ACTIV Software\ACTIVdriver\ActivDRVservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: SMART Board Service - SMART Technologies Inc. - C:\Program Files\SMART Board Software\SMARTBoardService.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: Windows TCP/IP Data Synchronization Service (WTDSS) - Unknown owner - C:\WINDOWS\system32\wtdss.exe

--
End of file - 7756 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 54248]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-09-15 1562960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
Java™ Plug-In SSV Helper - C:\Program Files\Java\jre6\bin\ssv.dll [2008-12-03 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - c:\program files\google\googletoolbar2.dll [2007-01-19 2403392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll [2008-10-12 737776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2008-12-03 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2008-12-03 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - ZeroBar - C:\Program Files\NetZero\Toolbar.dll [2008-05-07 325120]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar2.dll [2007-01-19 2403392]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"=C:\WINDOWS\system32\mobsync.exe [2004-08-04 143360]
"OfficeScanNT Monitor"=C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe [2007-12-11 710000]
"TrackPointSrv"=C:\WINDOWS\system32\tp4mon.exe [2004-08-04 82432]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2008-12-03 136600]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2008-09-06 413696]
"msconfigsvrc"=C:\WINDOWS\system\NtLanSec.exe [2008-12-02 74764]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-09-10 289576]
"CTEMON.EXE"=C:\Documents and Settings\All Users\Application Data\winlogon.exe /h []
"ATIModeChange"=C:\WINDOWS\system32\Ati2mdxx.exe [2001-09-04 28672]
"AGRSMMSG"=C:\WINDOWS\AGRSMMSG.exe [2003-06-27 88363]
"ACTIVfilter"=C:\Program Files\ACTIV Software\ACTIVdriver\ACTIVfilter.exe [2002-11-07 23552]
"ActivDRVAutostart"=C:\Program Files\ACTIV Software\ACTIVdriver\ACTIVcontrol.exe [2003-02-26 383488]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2007-10-07 68856]
"NetZero_uoltray"=C:\Program Files\NetZero\exec.exe [2008-05-06 1701376]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2004-10-13 1694208]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE
SMART Board Tools.lnk - C:\Program Files\SMART Board Software\SMARTBoardTools.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="tzuycz.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=1
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"disablecad"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\WINDOWS\system\NtLanSec.exe"="C:\WINDOWS\system\NtLanSec.exe:*:Enabled:Microsoft Enabled"
"C:\WINDOWS\system32\wtdss.exe"="C:\WINDOWS\system32\wtdss.exe:*:Enabled:WTDSS"
"C:\Program Files\Internet Explorer\iexplore.exe"="C:\Program Files\Internet Explorer\iexplore.exeC:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:WTDSS"
"C:\WINDOWS\Explorer.EXE"="C:\WINDOWS\Explorer.EXEC:\WINDOWS\Explorer.EXE:*:Enabled:WTDSS"
"\??\C:\WINDOWS\system32\winlogon.exe"="\??\C:\WINDOWS\system32\winlogon.exewinlogon.exe:*:Enabled:WTDSS"
"C:\WINDOWS\system32\lsass.exe"="C:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\lsass.exe:*:Enabled:WTDSS"
"C:\WINDOWS\system32\spoolsv.exe"="C:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\system32\spoolsv.exe:*:Enabled:WTDSS"
"C:\Program Files\ACTIV Software\ACTIVdriver\ACTIVcontrol.exe"="C:\Program Files\ACTIV Software\ACTIVdriver\ACTIVcontrol.exeC:\Program Files\ACTIV Software\ACTIVdriver\ACTIVcontrol.exe:*:Enabled:WTDSS"
"\??\C:\WINDOWS\system32\csrss.exe"="\??\C:\WINDOWS\system32\csrss.exeC:\WINDOWS\system32\csrss.exe:*:Enabled:WTDSS"
"C:\WINDOWS\system32\services.exe"="C:\WINDOWS\system32\services.exeC:\WINDOWS\system32\services.exe:*:Enabled:WTDSS"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======List of files/folders created in the last 1 months======

2008-12-04 12:14:05 ----D---- C:\rsit
2008-12-03 21:02:40 ----D---- C:\Avenger
2008-12-03 20:19:16 ----RASH---- C:\WINDOWS\system32\wtdss.exe
2008-12-03 20:16:40 ----A---- C:\WINDOWS\system32\txrqchtv.exe
2008-12-03 19:48:17 ----A---- C:\WINDOWS\system32\javaws.exe
2008-12-03 19:48:17 ----A---- C:\WINDOWS\system32\javaw.exe
2008-12-03 19:48:17 ----A---- C:\WINDOWS\system32\deploytk.dll
2008-12-03 19:48:16 ----A---- C:\WINDOWS\system32\java.exe
2008-12-03 11:32:47 ----D---- C:\Documents and Settings\administrator\Application Data\Malwarebytes
2008-12-03 11:32:28 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-12-03 11:32:27 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-12-03 01:18:48 ----A---- C:\WINDOWS\wininit.ini
2008-12-02 23:49:26 ----A---- C:\WINDOWS\resetlog.txt
2008-12-02 21:51:00 ----A---- C:\osde3.exe
2008-12-02 12:59:22 ----ASH---- C:\WINDOWS\system32\biqxvqiw.ini
2008-12-02 10:04:22 ----D---- C:\WINDOWS\pss
2008-12-02 07:40:56 ----A---- C:\WINDOWS\system32\673c120c-.txt
2008-12-01 23:38:12 ----A---- C:\odkw3.exe
2008-11-30 14:52:47 ----A---- C:\WINDOWS\ModemLog_Agere Systems AC'97 Modem.txt

======List of files/folders modified in the last 1 months======

2008-12-04 12:13:39 ----D---- C:\WINDOWS\Temp
2008-12-04 12:05:20 ----D---- C:\WINDOWS
2008-12-04 12:05:20 ----A---- C:\WINDOWS\DUMP7c29.tmp
2008-12-04 10:48:18 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-12-04 10:08:22 ----RASH---- C:\boot.ini
2008-12-04 10:08:22 ----N---- C:\WINDOWS\system.ini
2008-12-04 10:08:22 ----A---- C:\WINDOWS\win.ini
2008-12-04 10:06:15 ----D---- C:\WINDOWS\system32
2008-12-04 10:06:02 ----D---- C:\WINDOWS\system32\drivers
2008-12-04 09:35:02 ----D---- C:\WINDOWS\Prefetch
2008-12-03 20:17:31 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-12-03 19:46:55 ----SHD---- C:\WINDOWS\Installer
2008-12-03 19:46:45 ----D---- C:\Program Files\Java
2008-12-03 19:37:43 ----D---- C:\Program Files\Common Files
2008-12-03 19:35:42 ----D---- C:\WINDOWS\system32\appmgmt
2008-12-03 18:57:04 ----D---- C:\Program Files\Mozilla Firefox
2008-12-03 17:35:57 ----D---- C:\Program Files\Spybot - Search & Destroy
2008-12-03 15:47:36 ----A---- C:\WINDOWS\cfgall.ini
2008-12-03 11:32:27 ----RD---- C:\Program Files
2008-12-03 11:03:23 ----A---- C:\WINDOWS\ntbtlog.txt
2008-12-02 16:14:56 ----D---- C:\WINDOWS\system32\CatRoot2
2008-12-02 13:15:37 ----SD---- C:\WINDOWS\Downloaded Program Files
2008-12-01 23:17:50 ----D---- C:\WINDOWS\system
2008-11-30 14:52:21 ----A---- C:\WINDOWS\ModemLog_Lucent Technologies Soft Modem AMR.txt
2008-11-30 14:52:19 ----HD---- C:\WINDOWS\inf
2008-11-30 14:13:22 ----D---- C:\Documents and Settings
2008-11-28 21:02:55 ----A---- C:\WINDOWS\DUMP6117.tmp
2008-11-18 08:30:28 ----A---- C:\WINDOWS\DUMP5ae9.tmp

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 P3;Intel PentiumIII Processor Driver; C:\WINDOWS\System32\DRIVERS\p3.sys [2004-08-04 42496]
R2 ddnt;ddnt; \??\C:\WINDOWS\system32\drivers\ddnt.sys []
R2 irda;IrDA Protocol; C:\WINDOWS\System32\DRIVERS\irda.sys [2004-08-04 87424]
R2 NwlnkIpx;NWLink IPX/SPX/NetBIOS Compatible Transport Protocol; C:\WINDOWS\System32\DRIVERS\nwlnkipx.sys [2004-08-04 88448]
R2 NwlnkNb;NWLink NetBIOS; C:\WINDOWS\System32\DRIVERS\nwlnknb.sys [2001-08-23 63232]
R2 NwlnkSpx;NWLink SPX/SPXII Protocol; C:\WINDOWS\System32\DRIVERS\nwlnkspx.sys [2001-08-23 55936]
R2 tmcomm;tmcomm; \??\C:\WINDOWS\system32\drivers\tmcomm.sys []
R2 TmFilter;Trend Micro Filter; \??\C:\Program Files\Trend Micro\OfficeScan Client\TmXPFlt.sys []
R2 TmPreFilter;Trend Micro PreFilter; \??\C:\Program Files\Trend Micro\OfficeScan Client\TmPreFlt.sys []
R2 VSApiNt;Trend Micro VSAPI NT; \??\C:\Program Files\Trend Micro\OfficeScan Client\VSApiNt.sys []
R3 ac97intc;Intel® 82801 Audio Driver Install Service (WDM); C:\WINDOWS\system32\drivers\ac97intc.sys [2001-08-17 96256]
R3 AgereSoftModem;Agere Systems Soft Modem; C:\WINDOWS\system32\DRIVERS\AGRSM.sys [2003-06-27 1196352]
R3 ati2mtag;ati2mtag; C:\WINDOWS\System32\DRIVERS\ati2mtag.sys [2003-01-16 542208]
R3 CmBatt;Microsoft AC Adapter Driver; C:\WINDOWS\System32\DRIVERS\CmBatt.sys [2004-08-04 14080]
R3 E100B;Intel® PRO Adapter Driver; C:\WINDOWS\System32\DRIVERS\e100b325.sys [2001-08-17 117760]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2008-04-17 15464]
R3 IBMPMDRV;IBMPMDRV; C:\WINDOWS\System32\DRIVERS\ibmpmdrv.sys [2003-07-03 11344]
R3 NSCIRDA;NSC Infrared Device Driver; C:\WINDOWS\System32\DRIVERS\nscirda.sys [2004-08-04 28672]
R3 Rasirda;WAN Miniport (IrDA); C:\WINDOWS\System32\DRIVERS\rasirda.sys [2001-08-17 19584]
R3 TwoTrack;IBM PS/2 TrackPoint Filter Driver; C:\WINDOWS\System32\DRIVERS\TwoTrack.sys [2001-08-17 11520]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2004-08-04 20480]
S3 ActivDRV_USB;ActivDRV_USB.Sys USB ACTIVboard; C:\WINDOWS\System32\Drivers\ActivDRV_USB.sys [2003-01-20 17232]
S3 dot4;MS IEEE-1284.4 Driver; C:\WINDOWS\system32\DRIVERS\Dot4.sys [2004-08-04 207360]
S3 Dot4Print;Print Class Driver for IEEE-1284.4; C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys [2001-08-17 12928]
S3 Dot4Scan;Scan Class Driver for IEEE-1284.4; C:\WINDOWS\system32\DRIVERS\Dot4Scan.sys [2001-08-17 8704]
S3 dot4usb;Dot4USB Filter Dot4USB Filter; C:\WINDOWS\system32\DRIVERS\dot4usb.sys [2001-08-17 23808]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
S3 LucentSoftModem;Lucent Technologies Soft Modem; C:\WINDOWS\System32\DRIVERS\LTSM.sys [2001-08-17 802683]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2008-09-10 32000]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-04 31616]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 25856]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 sr;System Restore Filter Driver; C:\WINDOWS\System32\DRIVERS\sr.sys [2004-08-04 73472]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-09-10 116040]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\System32\Ati2evxx.exe [2003-01-16 155648]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
R2 IBMPMSVC;IBM PM Service; C:\WINDOWS\System32\i [2008-12-02 74]
R2 Irmon;Infrared Monitor; C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2008-12-03 152984]
R2 ntrtscan;OfficeScanNT RealTime Scan; C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe [2007-12-11 779632]
R2 SMART Board Service;SMART Board Service; C:\Program Files\SMART Board Software\SMARTBoardService.exe [2004-07-08 610304]
R2 tmlisten;OfficeScan NT Listener; C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe [2007-12-11 808304]
R2 WTDSS;Windows TCP/IP Data Synchronization Service; C:\WINDOWS\system32\wtdss.exe [2008-12-03 194680]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-09-10 536872]
S2 ActivDRVcontrol;ActivDRVcontrol; C:\Program Files\ACTIV Software\ACTIVdriver\ActivDRVservice.exe [2003-01-20 339456]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-09-28 138168]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]

-----------------EOF-----------------
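The log above carries the classic Vundo/TDSS persistence pattern in one place: a Run entry launching from the legacy C:\WINDOWS\system directory (NtLanSec.exe), a file named winlogon.exe living under All Users\Application Data rather than system32, a non-empty AppInit_DLLs value (tzuycz.dll, injected into every process that loads user32), a service with a Microsoft-sounding display name but "Unknown owner" (WTDSS), and a Windows Firewall authorized-applications list where the malware has added exceptions for lsass, csrss, winlogon, services and spoolsv with malformed values (the path is concatenated to itself before the ":*:Enabled:" suffix). The following Python script is an added example by the editor, not a BleepingComputer, RSIT or HijackThis tool: it parses HijackThis-style O4/O20/O23 lines and firewall-list exports and flags those five patterns. The sample log is constructed from lines in the post above, and the rule names and directory heuristics are the editor's own assumptions; the "Unknown owner" rule is deliberately limited to Microsoft-branded display names because legitimate OEM services (the Ati and IBM entries in the same log) also report an unknown owner.

```python
"""Triage HijackThis / RSIT log lines for Vundo/TDSS-style persistence.

Added example (editor's own heuristics), not a BleepingComputer tool.
"""
import re
from typing import Dict, List, Tuple

SYSTEM32 = "c:\\windows\\system32"
# Core Windows process names: anywhere but system32 they are impostors, and
# none of them should ever need a Windows Firewall application exception.
CORE_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe"}
# Directories a legitimate Run entry rarely launches from (assumed list):
# the 16-bit legacy C:\WINDOWS\system, profile data dirs, temp dirs.
SUSPECT_DIRS = ("c:\\windows\\system\\", "\\application data\\", "\\temp\\")

_O4 = re.compile(r"^O4 - .*?: \[(?P<name>[^\]]+)\]\s*(?P<cmd>.+)$")
_O23 = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
_FW = re.compile(r'^"(?P<key>[^"]+)"="(?P<val>[^"]+)"$')


def _norm(path: str) -> str:
    """Collapse doubled backslashes (.reg export style), drop the NT \\??\\ prefix, lower-case."""
    p = path.replace("\\\\", "\\")
    if p.startswith("\\??\\"):
        p = p[4:]
    return p.lower()


def _exe_from_cmd(cmd: str) -> str:
    """Executable path from a Run-key command line: quoted path or first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return _norm(cmd[1:cmd.index('"', 1)])
    return _norm(cmd.split()[0])


def triage(log: str) -> List[Tuple[str, str]]:
    """Return (rule, line) pairs for every suspicious entry in the log text."""
    findings: List[Tuple[str, str]] = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _O4.match(line)
        if m:
            exe = _exe_from_cmd(m.group("cmd"))
            base = exe.rsplit("\\", 1)[-1]
            if base in CORE_BINARIES and not exe.startswith(SYSTEM32 + "\\"):
                findings.append(("core-binary-name-outside-system32", line))
            elif any(d in exe for d in SUSPECT_DIRS):
                findings.append(("run-key-from-suspect-dir", line))
            continue
        if line.startswith("O20 - AppInit_DLLs:"):
            # Any value here is loaded into every user32-linked process.
            if line.split(":", 1)[1].strip():
                findings.append(("appinit-dll-set", line))
            continue
        m = _O23.match(line)
        if m:
            branded = re.search(r"\b(windows|microsoft)\b", m.group("name"), re.I)
            if m.group("owner") == "Unknown owner" and branded:
                findings.append(("ms-branded-service-unknown-owner", line))
            continue
        m = _FW.match(line)
        if m:
            key, val = _norm(m.group("key")), _norm(m.group("val"))
            # A well-formed entry is "<path>:<scope>:<state>:<name>"; the malware
            # wrote "<path><path>:*:Enabled:WTDSS", so the value no longer
            # starts with the key followed by a colon.
            if not val.startswith(key + ":"):
                findings.append(("firewall-entry-malformed", line))
            if key.rsplit("\\", 1)[-1] in CORE_BINARIES:
                findings.append(("firewall-exception-for-core-process", line))
    return findings


def summarize(findings: List[Tuple[str, str]]) -> Dict[str, int]:
    """Count findings per rule."""
    counts: Dict[str, int] = {}
    for rule, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


# Constructed sample, modelled on lines from the RSIT/HijackThis log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [msconfigsvrc] C:\WINDOWS\system\NtLanSec.exe
O4 - HKLM\..\Run: [CTEMON.EXE] "C:\Documents and Settings\All Users\Application Data\winlogon.exe" /h
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O20 - AppInit_DLLs: tzuycz.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Windows TCP/IP Data Synchronization Service (WTDSS) - Unknown owner - C:\WINDOWS\system32\wtdss.exe
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\WINDOWS\system32\lsass.exe"="C:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\lsass.exe:*:Enabled:WTDSS"
"\??\C:\WINDOWS\system32\winlogon.exe"="\??\C:\WINDOWS\system32\winlogon.exewinlogon.exe:*:Enabled:WTDSS"
"C:\WINDOWS\system32\wtdss.exe"="C:\WINDOWS\system32\wtdss.exe:*:Enabled:WTDSS"
"""

if __name__ == "__main__":
    for rule, line in triage(SAMPLE_LOG):
        print(f"{rule:40s} {line}")
```

Note that the wtdss.exe firewall entry itself is well-formed and passes the last two rules; what gives it away is the O23 line and the fact that every malformed entry carries the WTDSS label. The doubled-backslash handling in _norm lets the same rules run over the SDFix "Authorized Application Key Export" block later in the thread.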



#2 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:11:03 PM

Posted 06 December 2008 - 04:16 PM

Hello, my name is fenzodahl512 and welcome to BC.. Please do the following....


Please download SDFix by Andy Manchesta and save it to your desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please reboot into Safe Mode
  • In Safe Mode, right click the SDFix.zip folder and choose Extract All,
  • A new folder will be extracted to your %systemdrive%, typically C:\SDFix
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt along with any other requested logs at the end of these instructions.



NEXT


Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DO NOT mouseclick ComboFix's window while it's running. That may cause it to stall




Post me these logs in your next reply..


1. SDFix
2. ComboFix
3. A fresh HijackThis log (after ComboFix step)

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 mattandi

mattandi
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:10:03 AM

Posted 07 December 2008 - 10:34 PM

Thanks fenzodahl512.

SDfix and combofix both ran well.

Computer much quicker.

Cannot install recovery console. System Restore disabled by group policy. Have to fly without that net.

Able to surf the web now, but very iffy. Must click on a link multiple times before a new page will load.

BTW - your instructions told me to extract SDfix twice. Was this right?

Here are the logs.


SDFix: Version 1.240
Run by Administrator on Sun 12/07/2008 at 09:07 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\i - Deleted
C:\WINDOWS\system32\drivers\TDSSrmpjwfvp.sys - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-07 21:15:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\WINDOWS\\system\\NtLanSec.exe"="C:\\WINDOWS\\system\\NtLanSec.exe:*:Enabled:Microsoft Enabled"
"C:\\WINDOWS\\system32\\wtdss.exe"="C:\\WINDOWS\\system32\\wtdss.exe:*:Enabled:WTDSS"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exeC:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:WTDSS"
"C:\\WINDOWS\\Explorer.EXE"="C:\\WINDOWS\\Explorer.EXEC:\\WINDOWS\\Explorer.EXE:*:Enabled:WTDSS"
"\\??\\C:\\WINDOWS\\system32\\winlogon.exe"="\\??\\C:\\WINDOWS\\system32\\winlogon.exewinlogon.exe:*:Enabled:WTDSS"
"C:\\WINDOWS\\system32\\lsass.exe"="C:\\WINDOWS\\system32\\lsass.exeC:\\WINDOWS\\system32\\lsass.exe:*:Enabled:WTDSS"
"C:\\WINDOWS\\system32\\spoolsv.exe"="C:\\WINDOWS\\system32\\spoolsv.exeC:\\WINDOWS\\system32\\spoolsv.exe:*:Enabled:WTDSS"
"C:\\Program Files\\ACTIV Software\\ACTIVdriver\\ACTIVcontrol.exe"="C:\\Program Files\\ACTIV Software\\ACTIVdriver\\ACTIVcontrol.exeC:\\Program Files\\ACTIV Software\\ACTIVdriver\\ACTIVcontrol.exe:*:Enabled:WTDSS"
"\\??\\C:\\WINDOWS\\system32\\csrss.exe"="\\??\\C:\\WINDOWS\\system32\\csrss.exeC:\\WINDOWS\\system32\\csrss.exe:*:Enabled:WTDSS"
"C:\\WINDOWS\\system32\\services.exe"="C:\\WINDOWS\\system32\\services.exeC:\\WINDOWS\\system32\\services.exe:*:Enabled:WTDSS"
"C:\\Program Files\\iPod\\bin\\iPodService.exe"="C:\\Program Files\\iPod\\bin\\iPodService.exec:\\program files\\ipod\\bin\\ipodservice.exe:*:Enabled:WTDSS"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Fri 25 Jun 2004 978,944 A..H. --- "C:\Program Files\SMART Board Software\DViTFlashWizard.exe"
Fri 25 Jun 2004 53,248 A..H. --- "C:\Program Files\SMART Board Software\UpdateDViTFirmware.exe"
Wed 22 Oct 2008 949,072 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\advcheck.dll"
Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"
Thu 14 Aug 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Wed 30 Jul 2008 4,891,984 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Tue 16 Sep 2008 1,833,296 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Wed 22 Oct 2008 962,896 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\Tools.dll"
Tue 2 Dec 2008 74,764 ..SHR --- "C:\WINDOWS\system\NtLanSec.exe"
Wed 3 Dec 2008 194,680 A.SHR --- "C:\WINDOWS\system32\wtdss.exe"
Wed 20 Aug 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Thu 15 May 2003 43,008 ...H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"

Finished!

ComboFix 08-12-06.06 - Administrator 2008-12-07 21:27:41.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.104 [GMT -5:00]
Running from: c:\documents and settings\administrator\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\administrator\Local Settings\Temporary Internet Files\fbk.sts
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://wsfcs9
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS


((((((((((((((((((((((((( Files Created from 2008-11-08 to 2008-12-08 )))))))))))))))))))))))))))))))
.

2008-12-07 21:03 . 2008-12-07 21:03 <DIR> d-------- c:\windows\ERUNT
2008-12-07 20:44 . 2008-12-07 21:18 <DIR> d-------- C:\SDFix
2008-12-05 11:50 . 2008-12-05 11:50 <DIR> d--h----- c:\windows\system32\GroupPolicy
2008-12-04 12:14 . 2008-12-04 12:14 <DIR> d-------- C:\rsit
2008-12-03 21:02 . 2008-12-05 09:14 32,256 --------- c:\windows\system32\TDSSfpxepmpr.dll
2008-12-03 20:19 . 2008-12-03 20:19 194,680 --ahs---- c:\windows\system32\wtdss.exe
2008-12-03 20:16 . 2008-12-03 20:17 232,960 --a------ c:\windows\system32\txrqchtv.exe
2008-12-03 19:48 . 2008-12-03 19:47 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-03 19:48 . 2008-12-03 19:47 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-03 11:32 . 2008-12-03 11:32 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-03 11:32 . 2008-12-03 11:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-03 11:32 . 2008-12-03 11:32 <DIR> d-------- c:\documents and settings\administrator\Application Data\Malwarebytes
2008-12-03 11:32 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-03 11:32 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-03 01:18 . 2008-12-03 01:18 95 --a------ c:\windows\wininit.ini
2008-12-02 21:51 . 2008-12-03 20:19 348,240 --a------ C:\osde3.exe
2008-12-02 12:59 . 2008-12-02 12:59 120 --ahs---- c:\windows\system32\biqxvqiw.ini
2008-12-01 23:38 . 2008-12-02 10:11 309,248 --a------ C:\odkw3.exe
2008-12-01 23:17 . 2008-12-02 21:46 74,764 -r-hs---- c:\windows\system\NtLanSec.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-05 16:09 --------- d-----w c:\program files\Bonjour
2008-12-04 17:05 98,304 ----a-w c:\windows\DUMP7c29.tmp
2008-12-04 00:46 --------- d-----w c:\program files\Java
2008-12-03 22:35 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-29 02:02 98,304 ----a-w c:\windows\DUMP6117.tmp
2008-11-18 13:30 98,304 ----a-w c:\windows\DUMP5ae9.tmp
2008-07-11 15:02 382,346 ----a-w c:\documents and settings\All Users\Application Data\phn.dat
2007-12-21 02:43 63,712 ----a-w c:\documents and settings\administrator\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-07 68856]
"NetZero_uoltray"="c:\program files\NetZero\exec.exe" [2008-05-06 1701376]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2007-12-11 710000]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-03 136600]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"msconfigsvrc"="c:\windows\system\NtLanSec.exe" [2008-12-02 74764]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"ACTIVfilter"="c:\program files\ACTIV Software\ACTIVdriver\ACTIVfilter.exe" [2002-11-07 23552]
"ActivDRVAutostart"="c:\program files\ACTIV Software\ACTIVdriver\ACTIVcontrol.exe" [2003-02-26 383488]
"TrackPointSrv"="tp4mon.exe" [2004-08-04 c:\windows\system32\tp4mon.exe]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 c:\windows\system32\Ati2mdxx.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 c:\windows\AGRSMMSG.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
SMART Board Tools.lnk - c:\program files\SMART Board Software\SMARTBoardTools.exe [2004-06-25 131072]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=tzuycz.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system\\NtLanSec.exe"=
"c:\\WINDOWS\\system32\\wtdss.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=c:\\WINDOWS\\system32\\spoolsv.exe
"c:\\Program Files\\ACTIV Software\\ACTIVdriver\\ACTIVcontrol.exe"=c:\\Program Files\\ACTIV Software\\ACTIVdriver\\ACTIVcontrol.exe
"c:\\WINDOWS\\system32\\services.exe"=c:\\WINDOWS\\system32\\services.exe
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=c:\\program files\\ipod\\bin\\ipodservice.exe

R0 ACTIVdrv;ACTIV Device Pen Driver;c:\windows\system32\drivers\ACTIVdrv.sys [2003-02-18 66464]
R2 ddnt;ddnt;\??\c:\windows\system32\drivers\ddnt.sys [2004-08-24 7072]
R2 TmFilter;Trend Micro Filter;\??\c:\program files\Trend Micro\OfficeScan Client\TmXPFlt.sys [2004-03-30 205328]
R2 TmPreFilter;Trend Micro PreFilter;\??\c:\program files\Trend Micro\OfficeScan Client\TmPreFlt.sys [2004-03-30 36368]
R2 WTDSS;Windows TCP/IP Data Synchronization Service;c:\windows\system32\wtdss.exe [2008-12-03 194680]
S2 ActivDRVcontrol;ActivDRVcontrol;c:\program files\ACTIV Software\ACTIVdriver\ActivDRVservice.exe [2003-01-20 339456]
S3 ActivDRV_USB;ActivDRV_USB.Sys USB ACTIVboard;c:\windows\system32\Drivers\ActivDRV_USB.sys [2003-01-20 17232]
S3 LucentSoftModem;Lucent Technologies Soft Modem;c:\windows\system32\DRIVERS\LTSM.sys [2004-08-16 802683]
.
Contents of the 'Scheduled Tasks' folder

2008-12-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-CTEMON.EXE - c:\documents and settings\All Users\Application Data\winlogon.exe


.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FireFox -: Profile - c:\documents and settings\administrator\Application Data\Mozilla\Firefox\Profiles\nr0fmmqi.default\
FF -: plugin - c:\program files\Adobe\Acrobat 6.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF -: plugin - c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-07 21:35:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Trend Micro\OfficeScan Client\NTRtScan.exe
c:\program files\SMART Board Software\SMARTBoardService.exe
c:\program files\Trend Micro\OfficeScan Client\TmListen.exe
c:\windows\Temp\YJAC1A.EXE
c:\program files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
c:\program files\SMART Board Software\Aware.exe
c:\program files\SMART Board Software\Marker.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-12-07 21:40:21 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-08 02:40:09

Pre-Run: 20,148,887,552 bytes free
Post-Run: 20,167,995,392 bytes free

163 --- E O F --- 2008-08-22 19:29:31

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:12:44 PM, on 12/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\SMART Board Software\SMARTBoardService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\system32\wtdss.exe
C:\WINDOWS\TEMP\CQ4489.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\system32\tp4mon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ACTIV Software\ACTIVdriver\ACTIVcontrol.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system\NtLanSec.exe
C:\Program Files\SMART Board Software\SMARTBoardTools.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SMART Board Software\Aware.exe
C:\Program Files\SMART Board Software\Marker.exe
C:\Documents and Settings\administrator\Desktop\anti stuff\hjt\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NetZero\SearchEnh1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [msconfigsvrc] C:\WINDOWS\system\NtLanSec.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ACTIVfilter] C:\Program Files\ACTIV Software\ACTIVdriver\ACTIVfilter.exe
O4 - HKLM\..\Run: [ActivDRVAutostart] C:\Program Files\ACTIV Software\ACTIVdriver\ACTIVcontrol.exe /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SMART Board Tools.lnk = C:\Program Files\SMART Board Software\SMARTBoardTools.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://wsfcs.k12.nc.us
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1210712395503
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - http://wsfcs7.wsfcs.k12.nc.us/dwa7W.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = wsfcs.net
O17 - HKLM\Software\..\Telephony: DomainName = wsfcs.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = wsfcs.net
O20 - AppInit_DLLs: tzuycz.dll
O23 - Service: ActivDRVcontrol - ACTIV Software Ltd - C:\Program Files\ACTIV Software\ACTIVdriver\ActivDRVservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: SMART Board Service - SMART Technologies Inc. - C:\Program Files\SMART Board Software\SMARTBoardService.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: Windows TCP/IP Data Synchronization Service (WTDSS) - Unknown owner - C:\WINDOWS\system32\wtdss.exe

--
End of file - 7545 bytes
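The log above is what a helper has to read by eye: which Run entries, services and running processes do not belong. As an added illustration (not code from this thread, from the poster, or from the HijackThis tool), the following Python script reads lines in the HijackThis v2 format and flags the kinds of entries the helper's reply singles out for removal: a non-empty AppInit_DLLs value (O20), a service with no recorded vendor running from a Windows system directory (O23), a Run entry launching from the legacy \WINDOWS\system folder (O4), and a process running from a Temp directory. The sample lines are constructed from the log above; the heuristics are the example's own assumptions and produce a review list rather than verdicts, which matters because, as the thread goes on to show, a Temp process can turn out to be a Trend Micro component.

```python
import re
from typing import List, Tuple

Finding = Tuple[str, str]  # (log line, reason it was flagged for review)

# Constructed sample: a few HijackThis v2 lines of the kind posted in this thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2

Running processes:
C:\WINDOWS\system32\wtdss.exe
C:\WINDOWS\TEMP\CQ4489.EXE
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe

O4 - HKLM\..\Run: [msconfigsvrc] C:\WINDOWS\system\NtLanSec.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O20 - AppInit_DLLs: tzuycz.dll
O23 - Service: Windows TCP/IP Data Synchronization Service (WTDSS) - Unknown owner - C:\WINDOWS\system32\wtdss.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Heuristics are this example's own assumptions, not logic from HijackThis.
LEGACY_SYSTEM_DIR = re.compile(r"^[a-z]:\\windows\\system\\[^\\]+$", re.I)
WINDOWS_SYSTEM_DIRS = re.compile(r"^[a-z]:\\windows\\(system|system32)\\[^\\]+$", re.I)
TEMP_DIR = re.compile(r"\\temp\\", re.I)
# O4 - HKLM\..\Run: [label] "C:\path\prog.exe" -args   ->  C:\path\prog.exe
O4_PATH = re.compile(r'^O4 - .*?: \[[^\]]*\]\s+"?([^"]+?\.exe)', re.I)
# O23 - Service: <display name> - <vendor> - <drive>:\<path>
O23_PARTS = re.compile(r"^O23 - Service: (.+) - (.+?) - ([a-z]:\\.+)$", re.I)


def running_processes(log: str) -> List[str]:
    """Paths listed under 'Running processes:' up to the next blank line."""
    procs: List[str] = []
    collecting = False
    for line in log.splitlines():
        if line.strip() == "Running processes:":
            collecting = True
            continue
        if collecting:
            if not line.strip():
                break
            procs.append(line.strip())
    return procs


def triage(log: str) -> List[Finding]:
    """Return (line, reason) pairs that a human should look at; nothing is deleted."""
    findings: List[Finding] = []
    for proc in running_processes(log):
        if TEMP_DIR.search(proc):
            findings.append((proc, "process running from a Temp directory"))
    for line in log.splitlines():
        line = line.strip()
        if line.startswith("O4 "):
            m = O4_PATH.match(line)
            if m and LEGACY_SYSTEM_DIR.match(m.group(1)):
                findings.append((line, "Run entry launches from the legacy \\WINDOWS\\system folder"))
        elif line.startswith("O20 - AppInit_DLLs:"):
            value = line.split(":", 1)[1].strip()
            if value:  # the helper's CFScript clears this value for a reason
                findings.append((line, "AppInit_DLLs is set; that DLL is loaded into every process that links user32.dll"))
        elif line.startswith("O23 "):
            m = O23_PARTS.match(line)
            if m and m.group(2) == "Unknown owner" and WINDOWS_SYSTEM_DIRS.match(m.group(3)):
                findings.append((line, "service with no recorded vendor running from a Windows system directory"))
    return findings


def flagged_files(log: str) -> List[str]:
    """Lower-cased file names from the findings, convenient for diffing two logs."""
    names = set()
    for line, _reason in triage(log):
        tail = line.rsplit("\\", 1)[-1]              # text after the last backslash
        names.add(tail.split(":")[-1].strip().lower())  # the O20 line has no path, only "AppInit_DLLs: name"
    return sorted(names)


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"[review] {reason}\n         {line}")
```

Run against the constructed sample, the review list contains wtdss.exe, NtLanSec.exe, tzuycz.dll and the Temp-resident CQ4489.EXE, and nothing from Apple, Trend Micro or Microsoft paths. Legitimate "Unknown owner" services in System32 (the page's own log shows the IBM and ATI ones) would also land on the list, which is the intended behaviour: the script narrows what a person must check, it does not decide.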

#4 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:11:03 PM

Posted 08 December 2008 - 05:27 AM

You seriously have a nasty infection..


Please download GMER and unzip it to your Desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run, click Copy and paste the results into Notepad. Save it and attach it to this thread.


NEXT


Please show hidden files and folders
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
    • C:\osde3.exe
      C:\odkw3.exe
  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
If VirScan.org server is too busy, please submit the file to VirusTotal instead.




NEXT


1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

http://www.bleepingcomputer.com/forums/index.php?showtopic=184036&view=findpost&p=1036467

KillAll::

Driver::
WTDSS

Collect::
c:\windows\system32\TDSSfpxepmpr.dll
c:\windows\system32\wtdss.exe
c:\windows\system32\txrqchtv.exe
c:\windows\system32\biqxvqiw.ini
c:\windows\Temp\YJAC1A.EXE
C:\WINDOWS\TEMP\CQ4489.EXE

Suspect::
C:\osde3.exe
C:\odkw3.exe

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Attach GMER report
  • VirScan.org results
  • Combofix.txt
  • A new HijackThis log.

**Note**

When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
  • A browser will open. DO NOT close that browser.
  • Simply follow the instructions to copy/paste/send the requested file.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#5 mattandi

mattandi
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:10:03 AM

Posted 08 December 2008 - 10:34 AM

I am confident that both YJAC1A.EXE and CQ4489.EXE are in fact OfcDog.exe, part of Trend Micro's real time protection. This process loads at startup and is randomly renamed and copied to windows/temp. Name is always 6 alphanumeric characters all caps. The real time scan, ntrtscan, can be stopped, but this process will continue to run. It essentially behaves somewhat like a backup to reload the real time scan components of Trend Micro if they are stopped unexpectedly (not a perfect description, but in essence that is how it behaves). All controlled by HKLM reg entries.

Admittedly suspicious behavior, but it is an anti-hacking move by Trend Micro. Since the process is renamed each time it loads, it is more difficult for malware to identify it. Has caused chatter on antimalware forums for a couple of years at least. I researched it about a year or so ago while dealing with another infection. If I remember correctly, I found the info in Trend Micro's knowledge base.

Do you still want combofix to try and collect info on them?

I do not know anything about the other suspects you have flagged.

#6 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:11:03 PM

Posted 08 December 2008 - 11:19 AM

Well, since you say so, and I believe you.. Please continue with the CFScript step using the script below.. Not the above one :)


http://www.bleepingcomputer.com/forums/index.php?showtopic=184036&view=findpost&p=1036467

KillAll::

Driver::
WTDSS

Collect::
c:\windows\system32\TDSSfpxepmpr.dll
c:\windows\system32\wtdss.exe
c:\windows\system32\txrqchtv.exe
c:\windows\system32\biqxvqiw.ini

Suspect::
C:\osde3.exe
C:\odkw3.exe

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""


Then, as usual, please post the log here.. Cheers.. :thumbsup:

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#7 mattandi

mattandi
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:10:03 AM

Posted 08 December 2008 - 02:16 PM

lol, don't trust me too much. I know just enough to get myself in trouble. :thumbsup:

Combofix did not open a dialogue box when it finished. Got kicked off internet while it ran. Using dial-up at home. I can connect to a LAN if needed. Just need to change locations.

Web browsing experience is erratic. Browse fine for a few minutes when first connected. Then deteriorates quickly. Appears that page formatting and styling is messed up. Images will not load. Then after another short while, it improves. Style improves. Images begin to load. Still takes some persistence on my part for pages to load. Must click on a link multiple times. Do not get a 404 page, it simply won't immediately go to the next page.

Otherwise, computer performance is improved. Getting quicker.

Here are the logs.

VirSCAN.org Scanned Report :
Scanned time : 2008/12/08 12:56:41 (EST)
Scanner results: 38% Scanner(15/39) found malware!
File Name : odkw3.exe
File Size : 309248 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 6d8ffd2426d21d9eca0d8cac4f5665bc
SHA1 : 1621463d1e9654e7cbe809a224efff605ff6bb30
Online report : http://virscan.org/report/5a229494c8cab4a1...968342e976.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.0.0.27 20081208195907 2008-12-08 3.53 VirTool.Win32.DelfInject!IK
AhnLab V3 2008.12.08.01 2008.12.08 2008-12-08 1.05 -
AntiVir 7.9.0.43 7.1.0.205 2008-12-08 1.57 Worm/Autorun.tpc
Antiy 2.0.18 20081208.1796541 2008-12-08 0.12 -
Arcavir 1.0.5 200812071316 2008-12-07 1.24 -
Authentium 5.1.1 200812081422 2008-12-08 1.07 W32/Autorun.CR (Exact)
AVAST! 3.0.1 081208-0 2008-12-08 0.75 Win32:Trojan-gen {Other}
AVG 7.5.52.442 270.9.15/1837 2008-12-08 1.79 Worm/Generic.QJC
BitDefender 7.81008.2336890 7.22389 2008-12-09 2.19 -
CA (VET) 9.0.0.143 31.6.6250 2008-12-08 8.03 Win32/DfInject.BA trojan.
ClamAV 0.94.1 8731 2008-12-08 0.07 -
Comodo 3.0 711 2008-12-08 0.80 -
CP Secure 1.1.0.715 2008.12.08 2008-12-08 6.19 -
Dr.Web 4.44.0.9170 2008.12.08 2008-12-08 3.73 -
ewido 4.0.0.2 2008.12.08 2008-12-08 3.31 -
F-Prot 4.4.4.56 20081208 2008-12-08 1.06 W32/Autorun.CR (exact)
F-Secure 5.51.6100 2008.12.08.12 2008-12-08 3.83 Worm.Win32.AutoRun.tpc [AVP]
Fortinet 2.81-3.117 9.794 2008-12-08 0.15 W32/AutoRun.TPC!worm
GData 19.1832/19.138 20081208 2008-12-08 3.93 Worm.Win32.AutoRun.tpc [Engine:A]
ViRobot 20081206 2008.12.06 2008-12-06 0.41 -
Ikarus T3.1.01.45 2008.12.08.71975 2008-12-08 3.70 VirTool.Win32.DelfInject
JiangMin 11.0.706 2008.12.08 2008-12-08 1.39 -
Kaspersky 5.5.10 2008.12.08 2008-12-08 0.03 Worm.Win32.AutoRun.tpc
KingSoft 2008.9.8.18 2008.12.8.20 2008-12-08 0.60 Worm.AutoRun.309248
McAfee 5.3.00 5457 2008-12-07 2.58 -
Microsoft 1.4205 2008.12.08 2008-12-08 6.20 VirTool:Win32/DelfInject.gen!AC
mks_vir 2.01 2008.12.07 2008-12-07 2.67 -
Norman 5.93.01 5.93.00 2008-12-08 5.69 -
Panda 9.05.01 2008.12.08 2008-12-08 3.22 -
Trend Micro 8.700-1004 5.696.11 2008-12-08 0.03 -
Quick Heal 10.00 2008.12.08 2008-12-08 0.93 -
Rising 20.0 21.07.02.00 2008-12-08 0.78 -
Sophos 2.81.2 4.36 2008-12-09 1.97 -
Sunbelt 4674 4674 2008-11-04 0.59 -
Symantec 1.3.0.24 20081207.005 2008-12-07 0.10 -
nProtect 2008-12-05.00 2742544 2008-12-05 3.53 -
The Hacker 6.3.1.2 v00179 2008-12-06 0.51 -
VBA32 3.12.8.10 20081207.0817 2008-12-07 1.36 Worm.Win32.AutoRun.tpc
VirusBuster 4.5.11.10 10.95.1/730088 2008-12-08 1.06 -


VirSCAN.org Scanned Report :
Scanned time : 2008/12/08 13:29:26 (EST)
Scanner results: 41% Scanner(16/39) found malware!
File Name : osde3.exe
File Size : 348240 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 6448a4a489c11d416081fc894b436789
SHA1 : 15a76001554561df7c1992d5889f767dc4bac597
Online report : http://virscan.org/report/6c5cee90ba5093ff...24ebbd62aa.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.0.0.27 20081208195907 2008-12-08 3.30 VirTool.Win32.DelfInject!IK
AhnLab V3 2008.12.08.01 2008.12.08 2008-12-08 1.11 -
AntiVir 7.9.0.43 7.1.0.205 2008-12-08 1.58 Worm/Autorun.TPC.1
Antiy 2.0.18 20081208.1796541 2008-12-08 0.12 -
Arcavir 1.0.5 200812071316 2008-12-07 1.24 -
Authentium 5.1.1 200812081422 2008-12-08 1.09 W32/Autorun.CR (Exact)
AVAST! 3.0.1 081208-0 2008-12-08 0.03 -
AVG 7.5.52.442 270.9.15/1837 2008-12-08 1.79 Worm/Generic.QJC
BitDefender 7.81008.2336890 7.22389 2008-12-09 2.18 -
CA (VET) 9.0.0.143 31.6.6250 2008-12-08 4.00 Win32/DfInject.BA trojan.
ClamAV 0.94.1 8731 2008-12-08 0.07 -
Comodo 3.0 711 2008-12-08 1.29 -
CP Secure 1.1.0.715 2008.12.08 2008-12-08 6.08 -
Dr.Web 4.44.0.9170 2008.12.08 2008-12-08 3.71 -
ewido 4.0.0.2 2008.12.08 2008-12-08 3.51 -
F-Prot 4.4.4.56 20081208 2008-12-08 1.09 W32/Autorun.CR (exact)
F-Secure 5.51.6100 2008.12.08.12 2008-12-08 0.05 Worm.Win32.AutoRun.tpc [AVP]
Fortinet 2.81-3.117 9.794 2008-12-08 0.29 W32/AutoRun.TPC!worm
GData 19.1832/19.138 20081208 2008-12-08 3.02 Worm.Win32.AutoRun.tpc [Engine:A]
ViRobot 20081206 2008.12.06 2008-12-06 0.41 -
Ikarus T3.1.01.45 2008.12.08.71975 2008-12-08 3.70 VirTool.Win32.DelfInject
JiangMin 11.0.706 2008.12.08 2008-12-08 2.42 -
Kaspersky 5.5.10 2008.12.08 2008-12-08 0.03 Worm.Win32.AutoRun.tpc
KingSoft 2008.9.8.18 2008.12.8.20 2008-12-08 0.56 Worm.AutoRun.348240
McAfee 5.3.00 5457 2008-12-07 2.58 -
Microsoft 1.4205 2008.12.08 2008-12-08 7.95 VirTool:Win32/DelfInject.gen!AC
mks_vir 2.01 2008.12.07 2008-12-07 2.68 -
Norman 5.93.01 5.93.00 2008-12-08 5.75 W32/AutoRun.IYS
Panda 9.05.01 2008.12.08 2008-12-08 3.92 -
Trend Micro 8.700-1004 5.696.11 2008-12-08 0.03 -
Quick Heal 10.00 2008.12.08 2008-12-08 0.84 Worm.AutoRun.tpc
Rising 20.0 21.07.02.00 2008-12-08 3.21 -
Sophos 2.81.2 4.36 2008-12-09 2.00 -
Sunbelt 4674 4674 2008-11-04 0.67 -
Symantec 1.3.0.24 20081207.005 2008-12-07 0.05 -
nProtect 2008-12-08.01 2751014 2008-12-08 7.56 -
The Hacker 6.3.1.2 v00179 2008-12-06 0.48 -
VBA32 3.12.8.10 20081207.0817 2008-12-07 1.38 Worm.Win32.AutoRun.tpc
VirusBuster 4.5.11.10 10.95.1/730088 2008-12-08 1.09 -


ComboFix 08-12-06.06 - Administrator 2008-12-08 13:41:55.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.113 [GMT -5:00]
Running from: c:\documents and settings\administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\administrator\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\biqxvqiw.ini
c:\windows\system32\TDSSfpxepmpr.dll
c:\windows\system32\txrqchtv.exe
c:\windows\system32\wtdss.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WTDSS
-------\Service_WTDSS


((((((((((((((((((((((((( Files Created from 2008-11-08 to 2008-12-08 )))))))))))))))))))))))))))))))
.

2008-12-08 12:06 . 2008-12-08 12:06 250 --a------ c:\windows\gmer.ini
2008-12-07 21:03 . 2008-12-07 21:03 <DIR> d-------- c:\windows\ERUNT
2008-12-07 20:44 . 2008-12-07 21:18 <DIR> d-------- C:\SDFix
2008-12-05 11:50 . 2008-12-05 11:50 <DIR> d--h----- c:\windows\system32\GroupPolicy
2008-12-04 12:14 . 2008-12-04 12:14 <DIR> d-------- C:\rsit
2008-12-03 19:48 . 2008-12-03 19:47 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-03 19:48 . 2008-12-03 19:47 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-03 11:32 . 2008-12-03 11:32 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-03 11:32 . 2008-12-03 11:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-03 11:32 . 2008-12-03 11:32 <DIR> d-------- c:\documents and settings\administrator\Application Data\Malwarebytes
2008-12-03 11:32 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-03 11:32 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-03 01:18 . 2008-12-03 01:18 95 --a------ c:\windows\wininit.ini
2008-12-02 21:51 . 2008-12-03 20:19 348,240 --a------ C:\osde3.exe
2008-12-01 23:38 . 2008-12-02 10:11 309,248 --a------ C:\odkw3.exe
2008-12-01 23:17 . 2008-12-02 21:46 74,764 -r-hs---- c:\windows\system\NtLanSec.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-05 16:09 --------- d-----w c:\program files\Bonjour
2008-12-04 17:05 98,304 ----a-w c:\windows\DUMP7c29.tmp
2008-12-04 00:46 --------- d-----w c:\program files\Java
2008-12-03 22:35 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-29 02:02 98,304 ----a-w c:\windows\DUMP6117.tmp
2008-11-18 13:30 98,304 ----a-w c:\windows\DUMP5ae9.tmp
2008-07-11 15:02 382,346 ----a-w c:\documents and settings\All Users\Application Data\phn.dat
2007-12-21 02:43 63,712 ----a-w c:\documents and settings\administrator\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2008-12-07_21.38.47.70 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-08 17:06:12 884,736 ----a-w c:\windows\gmer.dll
+ 2008-12-08 15:26:47 811,008 ----a-w c:\windows\gmer.exe
+ 2008-10-16 19:09:44 92,696 ------w c:\windows\SoftwareDistribution\SelfUpdate\Default\cdm.dll
+ 2008-10-16 19:12:20 561,688 ------w c:\windows\SoftwareDistribution\SelfUpdate\Default\wuapi.dll
+ 2008-10-16 19:09:44 51,224 ------w c:\windows\SoftwareDistribution\SelfUpdate\Default\wuauclt.exe
+ 2008-10-16 19:13:40 1,809,944 ------w c:\windows\SoftwareDistribution\SelfUpdate\Default\wuaueng.dll
+ 2008-10-16 19:12:22 323,608 ------w c:\windows\SoftwareDistribution\SelfUpdate\Default\wucltui.dll
+ 2008-10-16 19:08:58 34,328 ------w c:\windows\SoftwareDistribution\SelfUpdate\Default\wups.dll
+ 2008-10-16 19:09:44 43,544 ------w c:\windows\SoftwareDistribution\SelfUpdate\Default\wups2.dll
+ 2008-12-08 17:06:12 85,969 ----a-w c:\windows\system32\drivers\gmer.sys
+ 2007-12-11 23:32:08 300,392 ----a-w c:\windows\Temp\DB1B1F.EXE
+ 2008-12-08 18:45:59 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_5c0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-07 68856]
"NetZero_uoltray"="c:\program files\NetZero\exec.exe" [2008-05-06 1701376]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2007-12-11 710000]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-03 136600]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"msconfigsvrc"="c:\windows\system\NtLanSec.exe" [2008-12-02 74764]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"ACTIVfilter"="c:\program files\ACTIV Software\ACTIVdriver\ACTIVfilter.exe" [2002-11-07 23552]
"ActivDRVAutostart"="c:\program files\ACTIV Software\ACTIVdriver\ACTIVcontrol.exe" [2003-02-26 383488]
"TrackPointSrv"="tp4mon.exe" [2004-08-04 c:\windows\system32\tp4mon.exe]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 c:\windows\system32\Ati2mdxx.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 c:\windows\AGRSMMSG.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
SMART Board Tools.lnk - c:\program files\SMART Board Software\SMARTBoardTools.exe [2004-06-25 131072]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system\\NtLanSec.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=c:\\WINDOWS\\system32\\spoolsv.exe
"c:\\Program Files\\ACTIV Software\\ACTIVdriver\\ACTIVcontrol.exe"=c:\\Program Files\\ACTIV Software\\ACTIVdriver\\ACTIVcontrol.exe
"c:\\WINDOWS\\system32\\services.exe"=c:\\WINDOWS\\system32\\services.exe
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=c:\\program files\\ipod\\bin\\ipodservice.exe

R0 ACTIVdrv;ACTIV Device Pen Driver;c:\windows\system32\drivers\ACTIVdrv.sys [2003-02-18 66464]
R2 ddnt;ddnt;\??\c:\windows\system32\drivers\ddnt.sys [2004-08-24 7072]
R2 TmFilter;Trend Micro Filter;\??\c:\program files\Trend Micro\OfficeScan Client\TmXPFlt.sys [2004-03-30 205328]
R2 TmPreFilter;Trend Micro PreFilter;\??\c:\program files\Trend Micro\OfficeScan Client\TmPreFlt.sys [2004-03-30 36368]
S2 ActivDRVcontrol;ActivDRVcontrol;c:\program files\ACTIV Software\ACTIVdriver\ActivDRVservice.exe [2003-01-20 339456]
S3 ActivDRV_USB;ActivDRV_USB.Sys USB ACTIVboard;c:\windows\system32\Drivers\ActivDRV_USB.sys [2003-01-20 17232]
S3 LucentSoftModem;Lucent Technologies Soft Modem;c:\windows\system32\DRIVERS\LTSM.sys [2004-08-16 802683]
.
Contents of the 'Scheduled Tasks' folder

2008-12-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FireFox -: Profile - c:\documents and settings\administrator\Application Data\Mozilla\Firefox\Profiles\nr0fmmqi.default\
FF -: plugin - c:\program files\Adobe\Acrobat 6.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-08 13:47:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Trend Micro\OfficeScan Client\NTRtScan.exe
c:\program files\SMART Board Software\SMARTBoardService.exe
c:\program files\Trend Micro\OfficeScan Client\TmListen.exe
c:\windows\Temp\DB1B1F.EXE
c:\program files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\SMART Board Software\Aware.exe
c:\program files\SMART Board Software\Marker.exe
.
**************************************************************************
.
Completion time: 2008-12-08 13:51:37 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt 2008-12-08 18:51:32
ComboFix2.txt 2008-12-08 02:40:23

Pre-Run: 20,126,363,648 bytes free
Post-Run: 20,120,330,240 bytes free

167 --- E O F --- 2008-08-22 19:29:31


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:57:37 PM, on 12/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\SMART Board Software\SMARTBoardService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\TEMP\DB1B1F.EXE
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\system32\tp4mon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ACTIV Software\ACTIVdriver\ACTIVcontrol.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\NetZero\exec.exe
C:\WINDOWS\system\NtLanSec.exe
C:\Program Files\SMART Board Software\SMARTBoardTools.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SMART Board Software\Aware.exe
C:\Program Files\SMART Board Software\Marker.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\administrator\Desktop\anti stuff\hjt\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NetZero\SearchEnh1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [msconfigsvrc] C:\WINDOWS\system\NtLanSec.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ACTIVfilter] C:\Program Files\ACTIV Software\ACTIVdriver\ACTIVfilter.exe
O4 - HKLM\..\Run: [ActivDRVAutostart] C:\Program Files\ACTIV Software\ACTIVdriver\ACTIVcontrol.exe /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SMART Board Tools.lnk = C:\Program Files\SMART Board Software\SMARTBoardTools.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://wsfcs.k12.nc.us
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1210712395503
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - http://wsfcs7.wsfcs.k12.nc.us/dwa7W.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = wsfcs.net
O17 - HKLM\Software\..\Telephony: DomainName = wsfcs.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = wsfcs.net
O23 - Service: ActivDRVcontrol - ACTIV Software Ltd - C:\Program Files\ACTIV Software\ACTIVdriver\ActivDRVservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: SMART Board Service - SMART Technologies Inc. - C:\Program Files\SMART Board Software\SMARTBoardService.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

--
End of file - 7554 bytes
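The helper's reading of the log above comes down to two questions per autostart entry: where does the binary live, and does the entry name borrow the name of a Windows component? As an added example (not code from the thread, from HijackThis or from ComboFix), here is a small Python triage script that applies those two checks to O4 Run entries and O23 services. The sample lines are copied from the HijackThis log above; the %SystemRoot% expansion to C:\WINDOWS, the list of suspicious directories and the list of imitated component names are this example's own assumptions.

```python
"""Triage HijackThis autostart lines (O4 Run entries and O23 services).

Added example for this thread; it is not code from HijackThis, ComboFix or
the helper. It applies the two checks a log reviewer makes by eye, "where does
the binary live?" and "does the entry name imitate a Windows component?", to
sample lines copied from the log above.
"""
import re
from dataclasses import dataclass, field

# Constructed sample input: lines copied from the HijackThis log in this thread.
SAMPLE_LINES = r"""
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [msconfigsvrc] C:\WINDOWS\system\NtLanSec.exe
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
""".strip().splitlines()

RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
SVC_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>.+)$")
# First token ending in an executable extension, with or without surrounding quotes.
IMAGE_RE = re.compile(r'^"?(?P<image>.+?\.(?:exe|dll|sys|cpl|scr|bat|com))"?(?:\s|$)', re.I)

# Assumption: the system root is C:\WINDOWS, as on the machine in this thread.
ENV_VARS = {"%systemroot%": r"c:\windows", "%windir%": r"c:\windows"}
# Assumption: entry names containing these strings deserve a second look when the
# image is not the real component living in system32.
MIMIC_NAMES = ("msconfig", "svchost", "lsass", "csrss", "winlogon", "explorer")


@dataclass
class Finding:
    kind: str            # "run" or "service"
    name: str            # registry value name or service display name
    image: str           # executable path as written in the log
    reasons: list = field(default_factory=list)


def normalize(image: str) -> str:
    """Lower-case the path and expand the environment variables HijackThis leaves in."""
    low = image.lower()
    for var, value in ENV_VARS.items():
        low = low.replace(var, value)
    return low


def location_reason(norm: str):
    """Return a reason string if the image lives somewhere an autostart should not."""
    head, sep, _ = norm.rpartition("\\")
    if not sep:
        return "bare filename: no explicit location, resolved through the search path"
    if head == r"c:\windows\system":
        return "lives in the legacy %windir%\\system directory; current software installs to system32"
    if head == "c:" or head.endswith("\\temp"):
        return "lives in the drive root or a temp directory, where persistent autostarts do not belong"
    return None


def mimic_reason(name: str, norm: str):
    """Return a reason string if the entry name imitates a Windows component it is not."""
    hits = [m for m in MIMIC_NAMES if m in name.lower()]
    if hits and not norm.startswith("c:\\windows\\system32\\"):
        return f"entry name imitates Windows component '{hits[0]}' but image is outside system32"
    return None


def triage(lines):
    """Parse every O4/O23 line and attach the reasons (possibly none) it was flagged for."""
    findings = []
    for line in lines:
        m = RUN_RE.match(line)
        kind = "run"
        if m is None:
            m = SVC_RE.match(line)
            kind = "service"
        if m is None:
            continue
        im = IMAGE_RE.match(m["cmd"])
        if im is None:
            continue
        norm = normalize(im["image"])
        reasons = [r for r in (location_reason(norm), mimic_reason(m["name"], norm)) if r]
        findings.append(Finding(kind, m["name"], im["image"], reasons))
    return findings


def flagged(lines):
    """Only the entries that picked up at least one reason."""
    return [f for f in triage(lines) if f.reasons]


if __name__ == "__main__":
    for f in flagged(SAMPLE_LINES):
        print(f"[{f.kind}] {f.name} -> {f.image}")
        for r in f.reasons:
            print("   -", r)
```

On the sample lines the script flags msconfigsvrc twice (legacy %windir%\system location and an entry name that imitates msconfig), which matches what MBAM later reported for NtLanSec.exe. It also flags TrackPointSrv for its bare filename; that is a prompt to resolve the path, not a verdict, and the ComboFix report above resolves it to c:\windows\system32\tp4mon.exe, the IBM TrackPoint tool.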


#8 fenzodahl512

  • Members
  • 6,738 posts
  • Local time:11:03 PM

Posted 08 December 2008 - 02:26 PM

Please open Notepad >> Go to Format tab >> untick Word Wrap



Please delete these two files manually...

C:\osde3.exe
C:\odkw3.exe



Please download Malwarebytes' Anti-Malware from HERE or HERE

Note: If you already have Malwarebytes' Anti-Malware, just run and update it.. Then do a "Perform Full Scan"

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.




NEXT


Please download JavaRa to your desktop and unzip it to its own folder. <<MIRROR>>
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
Then, please download and install the latest Java from HERE




NEXT


Please do this step before you sleep or when you don't use the computer as it will take quite a while..

Please run the Kaspersky Online Scanner

In Microsoft Windows Vista, you must open the Web browser using the Run as Administrator command. From the Desktop right click the icon to open the browser and choose Run as Administrator.

  • Click on SCAN NOW
  • Click Accept.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded locate the Scan Settings and have it scan My Computer.
  • The scan will take a while, so be patient and let it finish.

When the scan is done, in the Scan is complete window, any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.

To obtain the report:
Click on: Save Report As
  • Next, in the Save as prompt, Save in area, select: Desktop.
  • In the File name area use KScan, or something similar.
  • In Save as type: click the drop arrow and select: Text file [*.txt]
  • Then, click: Save

Copy and paste the Kaspersky Online Scanner Report in your next reply.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.



Post these logs in your next reply..

1. Malwarebytes'
2. Kaspersky Online
3. Tell me, how is the computer now? :thumbsup:

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#9 mattandi
  • Topic Starter

  • Members
  • 13 posts
  • Local time:10:03 AM

Posted 08 December 2008 - 02:39 PM

oops, sorry, I thought word wrap was unchecked. :thumbsup:

Since last post I have browsed around a bit. Browsing much improved. For at least the last little while, not experiencing symptoms as described before.

Will run next steps and post back tomorrow.

Thanks.

#10 fenzodahl512

  • Members
  • 6,738 posts
  • Local time:11:03 PM

Posted 08 December 2008 - 02:53 PM

No worries, don't forget to delete those two files, they are malware :thumbsup:


Waiting for you tomorrow..



#11 mattandi
  • Topic Starter

  • Members
  • 13 posts
  • Local time:10:03 AM

Posted 09 December 2008 - 11:14 AM

So, last night the computer was left on and unattended for a few hours. It was not connected to the internet. When I got back to it late last night, browsing was not good. It was back to needing multiple clicks to navigate. Rebooted and everything was better.

Computer performance seems a bit slower this morning.

Deleted the 2 files.

I recently already removed older versions of Java and installed Java 6 build 11. Javara removed a few remnants of older versions.

Ran MBAM. It cleaned a couple of things.

Started Kaspersky before going to bed. Sometime during the night, the computer rebooted. I suspect a Windows auto-update downloaded and installed and rebooted the computer. Not sure, just guessing.

Reconnected to Kaspersky and all engine parts had downloaded, but the database needed to download. That took a while, but got it done. The scan ran just fine.

Here's the reports.

Malwarebytes' Anti-Malware 1.31
Database version: 1476
Windows 5.1.2600 Service Pack 2

12/8/2008 11:56:30 PM
mbam-log-2008-12-08 (23-56-30).txt

Scan type: Full Scan (C:\|)
Objects scanned: 105119
Time elapsed: 56 minute(s), 14 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
C:\WINDOWS\system\NtLanSec.exe (Trojan.VB) -> Failed to unload process.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system\NtLanSec.exe (Trojan.VB) -> Delete on reboot.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, December 9, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, December 09, 2008 07:35:57
Records in database: 1446104
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Files scanned: 66697
Threat name: 2
Infected objects: 3
Suspicious objects: 0
Duration of the scan: 02:02:00


File name / Threat name / Threats count
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\[4]-Submit_2008-12-08@13.41.zip Infected: Backdoor.Win32.Agent.uuv 1
C:\Program Files\Trend Micro\OfficeScan Client\Suspect\[4]-Submit_2008-12-08@13.41.zip Infected: Worm.Win32.AutoRun.tpc 2

The selected area was scanned.

#12 fenzodahl512

  • Members
  • 6,738 posts
  • Local time:11:03 PM

Posted 09 December 2008 - 01:03 PM

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
C:\osde3.exe
C:\odkw3.exe
c:\windows\system\NtLanSec.exe

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



5. Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • ESET Online Scanner.



#13 mattandi
  • Topic Starter

  • Members
  • 13 posts
  • Local time:10:03 AM

Posted 09 December 2008 - 07:40 PM

Ok, browsing is better for now at least.

Explorer is still a little sluggish. Not horrible, just noticeably slower than say a week or so ago.

Here's the logs.

ComboFix 08-12-06.06 - Administrator 2008-12-09 14:20:03.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.143 [GMT -5:00]
Running from: c:\documents and settings\administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\administrator\Desktop\CFscript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\odkw3.exe
C:\osde3.exe
c:\windows\system\NtLanSec.exe
.

((((((((((((((((((((((((( Files Created from 2008-11-09 to 2008-12-09 )))))))))))))))))))))))))))))))
.

2008-12-09 10:30 . 2008-12-09 11:38 <DIR> d-------- c:\windows\system32\CatRoot_bak
2008-12-08 12:06 . 2008-12-08 12:06 250 --a------ c:\windows\gmer.ini
2008-12-07 21:03 . 2008-12-07 21:03 <DIR> d-------- c:\windows\ERUNT
2008-12-07 20:44 . 2008-12-07 21:18 <DIR> d-------- C:\SDFix
2008-12-05 11:50 . 2008-12-05 11:50 <DIR> d--h----- c:\windows\system32\GroupPolicy
2008-12-04 12:14 . 2008-12-04 12:14 <DIR> d-------- C:\rsit
2008-12-03 19:48 . 2008-12-03 19:47 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-03 19:48 . 2008-12-03 19:47 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-03 11:32 . 2008-12-08 22:53 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-03 11:32 . 2008-12-03 11:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-03 11:32 . 2008-12-03 11:32 <DIR> d-------- c:\documents and settings\administrator\Application Data\Malwarebytes
2008-12-03 11:32 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-03 11:32 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-03 01:18 . 2008-12-03 01:18 95 --a------ c:\windows\wininit.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-09 18:54 98,304 ----a-w c:\windows\DUMP673c.tmp
2008-12-09 05:02 --------- d-----w c:\program files\Java
2008-12-05 16:09 --------- d-----w c:\program files\Bonjour
2008-12-04 17:05 98,304 ----a-w c:\windows\DUMP7c29.tmp
2008-12-03 22:35 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-29 02:02 98,304 ----a-w c:\windows\DUMP6117.tmp
2008-11-18 13:30 98,304 ----a-w c:\windows\DUMP5ae9.tmp
2008-07-11 15:02 382,346 ----a-w c:\documents and settings\All Users\Application Data\phn.dat
2007-12-21 02:43 63,712 ----a-w c:\documents and settings\administrator\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2008-12-07_21.38.47.70 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-18 14:32:13 450,560 ----a-w c:\windows\$hf_mig$\KB944338-v2\SP2QFE\jscript.dll
+ 2007-12-18 14:32:13 417,792 ----a-w c:\windows\$hf_mig$\KB944338-v2\SP2QFE\vbscript.dll
+ 2007-03-06 01:22:36 14,048 ----a-w c:\windows\$hf_mig$\KB944338-v2\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w c:\windows\$hf_mig$\KB944338-v2\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w c:\windows\$hf_mig$\KB944338-v2\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w c:\windows\$hf_mig$\KB944338-v2\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w c:\windows\$hf_mig$\KB944338-v2\update\updspapi.dll
+ 2008-12-08 17:06:12 884,736 ----a-w c:\windows\gmer.dll
+ 2008-12-08 15:26:47 811,008 ----a-w c:\windows\gmer.exe
- 2007-07-30 23:19:20 92,504 ----a-w c:\windows\system32\cdm.dll
+ 2008-10-16 19:09:44 92,696 ----a-w c:\windows\system32\cdm.dll
- 2007-07-30 23:19:20 92,504 -c--a-w c:\windows\system32\dllcache\cdm.dll
+ 2008-10-16 19:09:44 92,696 -c--a-w c:\windows\system32\dllcache\cdm.dll
- 2007-08-21 06:15:44 683,520 -c----w c:\windows\system32\dllcache\inetcomm.dll
+ 2008-04-11 18:50:43 683,520 -c----w c:\windows\system32\dllcache\inetcomm.dll
- 2007-11-14 07:26:56 450,560 -c----w c:\windows\system32\dllcache\jscript.dll
+ 2007-12-18 14:40:58 450,560 -c----w c:\windows\system32\dllcache\jscript.dll
- 2007-06-26 06:08:16 1,104,896 -c----w c:\windows\system32\dllcache\msxml3.dll
+ 2008-09-04 16:42:02 1,106,944 -c----w c:\windows\system32\dllcache\msxml3.dll
- 2006-07-13 08:48:58 202,240 -c--a-w c:\windows\system32\dllcache\rmcast.sys
+ 2008-05-08 12:28:49 202,752 -c--a-w c:\windows\system32\dllcache\rmcast.sys
+ 2007-12-18 14:40:58 417,792 -c----w c:\windows\system32\dllcache\vbscript.dll
- 2007-07-30 23:19:36 549,720 -c--a-w c:\windows\system32\dllcache\wuapi.dll
+ 2008-10-16 19:12:20 561,688 -c--a-w c:\windows\system32\dllcache\wuapi.dll
- 2007-07-30 23:19:16 53,080 -c--a-w c:\windows\system32\dllcache\wuauclt.exe
+ 2008-10-16 19:09:44 51,224 -c--a-w c:\windows\system32\dllcache\wuauclt.exe
- 2007-07-30 23:19:42 1,712,984 -c--a-w c:\windows\system32\dllcache\wuaueng.dll
+ 2008-10-16 19:13:40 1,809,944 -c--a-w c:\windows\system32\dllcache\wuaueng.dll
- 2007-07-30 23:19:32 325,976 -c--a-w c:\windows\system32\dllcache\wucltui.dll
+ 2008-10-16 19:12:22 323,608 -c--a-w c:\windows\system32\dllcache\wucltui.dll
- 2007-07-30 23:18:40 33,624 -c--a-w c:\windows\system32\dllcache\wups.dll
+ 2008-10-16 19:08:58 34,328 -c--a-w c:\windows\system32\dllcache\wups.dll
- 2007-07-30 23:19:46 203,096 -c--a-w c:\windows\system32\dllcache\wuweb.dll
+ 2008-10-16 19:13:40 202,776 -c--a-w c:\windows\system32\dllcache\wuweb.dll
+ 2008-12-08 17:06:12 85,969 ----a-w c:\windows\system32\drivers\gmer.sys
- 2006-07-13 08:48:58 202,240 ----a-w c:\windows\system32\drivers\rmcast.sys
+ 2008-05-08 12:28:49 202,752 ----a-w c:\windows\system32\drivers\rmcast.sys
- 2007-08-21 06:15:44 683,520 ----a-w c:\windows\system32\inetcomm.dll
+ 2008-04-11 18:50:43 683,520 ----a-w c:\windows\system32\inetcomm.dll
- 2007-11-14 07:26:56 450,560 ----a-w c:\windows\system32\jscript.dll
+ 2007-12-18 14:40:58 450,560 ----a-w c:\windows\system32\jscript.dll
- 2007-06-26 06:08:16 1,104,896 ----a-w c:\windows\system32\msxml3.dll
+ 2008-09-04 16:42:02 1,106,944 ----a-w c:\windows\system32\msxml3.dll
+ 2008-10-16 19:08:58 34,328 ----a-w c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.2.6001.788\wups.dll
+ 2008-10-16 19:09:44 43,544 ----a-w c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.2.6001.788\wups2.dll
- 2006-09-25 21:58:48 14,640 ----a-w c:\windows\system32\spmsg.dll
+ 2007-11-30 12:39:22 17,272 ------w c:\windows\system32\spmsg.dll
- 2007-01-29 08:58:06 60,416 ----a-w c:\windows\system32\tzchange.exe
+ 2008-07-14 11:09:18 62,976 ----a-w c:\windows\system32\tzchange.exe
- 2004-08-04 07:56:46 417,792 ----a-w c:\windows\system32\vbscript.dll
+ 2007-12-18 14:40:58 417,792 ----a-w c:\windows\system32\vbscript.dll
- 2006-10-19 01:47:20 295,936 ----a-w c:\windows\system32\wmpeffects.dll
+ 2008-06-24 23:12:58 295,936 ----a-w c:\windows\system32\wmpeffects.dll
- 2007-07-30 23:19:36 549,720 ----a-w c:\windows\system32\wuapi.dll
+ 2008-10-16 19:12:20 561,688 ----a-w c:\windows\system32\wuapi.dll
- 2007-07-30 23:19:16 53,080 ----a-w c:\windows\system32\wuauclt.exe
+ 2008-10-16 19:09:44 51,224 ----a-w c:\windows\system32\wuauclt.exe
- 2007-07-30 23:19:42 1,712,984 ----a-w c:\windows\system32\wuaueng.dll
+ 2008-10-16 19:13:40 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
- 2007-07-30 23:19:32 325,976 ----a-w c:\windows\system32\wucltui.dll
+ 2008-10-16 19:12:22 323,608 ----a-w c:\windows\system32\wucltui.dll
- 2007-07-30 23:18:40 33,624 ----a-w c:\windows\system32\wups.dll
+ 2008-10-16 19:08:58 34,328 ----a-w c:\windows\system32\wups.dll
- 2007-07-30 23:19:12 43,352 ----a-w c:\windows\system32\wups2.dll
+ 2008-10-16 19:09:44 43,544 ----a-w c:\windows\system32\wups2.dll
- 2007-07-30 23:19:46 203,096 ----a-w c:\windows\system32\wuweb.dll
+ 2008-10-16 19:13:40 202,776 ----a-w c:\windows\system32\wuweb.dll
+ 2008-12-09 19:24:20 16,384 ----atw c:\windows\temp\Perflib_Perfdata_5d8.dat
+ 2007-12-11 23:32:08 300,392 ----a-w c:\windows\temp\ZJ8BC9.EXE
+ 2008-04-15 17:54:19 1,724,416 ----a-w c:\windows\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.3352_x-ww_81af8e88\GdiPlus.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-07 68856]
"NetZero_uoltray"="c:\program files\NetZero\exec.exe" [2008-05-06 1701376]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2007-12-11 710000]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-03 136600]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"ACTIVfilter"="c:\program files\ACTIV Software\ACTIVdriver\ACTIVfilter.exe" [2002-11-07 23552]
"ActivDRVAutostart"="c:\program files\ACTIV Software\ACTIVdriver\ACTIVcontrol.exe" [2003-02-26 383488]
"TrackPointSrv"="tp4mon.exe" [2004-08-04 c:\windows\system32\tp4mon.exe]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 c:\windows\system32\Ati2mdxx.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 c:\windows\AGRSMMSG.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
SMART Board Tools.lnk - c:\program files\SMART Board Software\SMARTBoardTools.exe [2004-06-25 131072]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=c:\\WINDOWS\\system32\\spoolsv.exe
"c:\\Program Files\\ACTIV Software\\ACTIVdriver\\ACTIVcontrol.exe"=c:\\Program Files\\ACTIV Software\\ACTIVdriver\\ACTIVcontrol.exe
"c:\\WINDOWS\\system32\\services.exe"=c:\\WINDOWS\\system32\\services.exe
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=c:\\program files\\ipod\\bin\\ipodservice.exe

R0 ACTIVdrv;ACTIV Device Pen Driver;c:\windows\system32\drivers\ACTIVdrv.sys [2003-02-18 66464]
R2 ddnt;ddnt;\??\c:\windows\system32\drivers\ddnt.sys [2004-08-24 7072]
R2 TmFilter;Trend Micro Filter;\??\c:\program files\Trend Micro\OfficeScan Client\TmXPFlt.sys [2004-03-30 205328]
R2 TmPreFilter;Trend Micro PreFilter;\??\c:\program files\Trend Micro\OfficeScan Client\TmPreFlt.sys [2004-03-30 36368]
S2 ActivDRVcontrol;ActivDRVcontrol;c:\program files\ACTIV Software\ACTIVdriver\ActivDRVservice.exe [2003-01-20 339456]
S3 ActivDRV_USB;ActivDRV_USB.Sys USB ACTIVboard;c:\windows\system32\Drivers\ActivDRV_USB.sys [2003-01-20 17232]
S3 LucentSoftModem;Lucent Technologies Soft Modem;c:\windows\system32\DRIVERS\LTSM.sys [2004-08-16 802683]
.
Contents of the 'Scheduled Tasks' folder

2008-12-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-msconfigsvrc - c:\windows\system\NtLanSec.exe


.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FireFox -: Profile - c:\documents and settings\administrator\Application Data\Mozilla\Firefox\Profiles\nr0fmmqi.default\
FF -: plugin - c:\program files\Adobe\Acrobat 6.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-09 14:27:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Trend Micro\OfficeScan Client\NTRtScan.exe
c:\program files\SMART Board Software\SMARTBoardService.exe
c:\program files\Trend Micro\OfficeScan Client\TmListen.exe
c:\windows\temp\ZJ8BC9.EXE
c:\program files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
c:\program files\SMART Board Software\Aware.exe
c:\program files\SMART Board Software\Marker.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-12-09 14:32:16 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-09 19:32:09
ComboFix2.txt 2008-12-08 18:51:39
ComboFix3.txt 2008-12-08 02:40:23

Pre-Run: 19,282,870,272 bytes free
Post-Run: 19,330,768,896 bytes free

219 --- E O F --- 2008-12-09 08:02:56


ESET log

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3679 (20081209)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=61b5a8b6fe93f940a5b2226e4c2043f5
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-12-09 11:19:47
# local_time=2008-12-09 06:19:48 (-0500, Eastern Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=188715
# found=2
# scan_time=2334
C:\SDFix\backups\catchme.zip Win32/Olmarik.M trojan (deleted) 00000000000000000000000000000000
C:\SDFix\backups\catchme.zip »ZIP »TDSSrmpjwfvp.sys Win32/Olmarik.M trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000

#14 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • Local time:11:03 PM

Posted 10 December 2008 - 12:56 AM

Looks good to me.. How is the computer now?.. I need you to scan a file whose status I don't know...

Please show hidden files and folders
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box at the top of the page:
    • c:\windows\system32\drivers\ddnt.sys
  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
If VirScan.org server is too busy, please submit the file to VirusTotal instead.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#15 mattandi

mattandi
  • Topic Starter

  • Members
  • 13 posts
  • Local time:10:03 AM

Posted 10 December 2008 - 12:17 PM

Computer is behaving better. Like I mentioned earlier, explorer is a bit sluggish. Not terrible, just slower. It was waaaaay slow before we started and as we have been working to clean this up.

Web browsing is much improved. Left the computer connected to the web overnight last night. Have been able to browse ok today. Couldn't get to either virscan or virustotal earlier, but just because their servers were busy. It would just time out, but at least it was trying to connect. Otherwise I seem to be able to go anywhere I choose. At least for now.

Looks like you caught another. Let me know what I should do next.

Here is the virscan log.

VirSCAN.org Scanned Report :
Scanned time : 2008/12/10 12:07:09 (EST)
Scanner results: 31% Scanner(12/39) found malware!
File Name : ddnt.sys
File Size : 7072 byte
File Type : PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5 : 874152d9c956adff05839b2c967f6cf8
SHA1 : 0a24ed097a1dc8c3cc5ba6205a19581ee041965f
Online report : http://virscan.org/report/18f374b8d752c674...381a67dbb4.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.0.0.27 20081210173920 2008-12-10 3.06 Rootkit.Win32.Agent.ec!IK
AhnLab V3 2008.12.10.01 2008.12.10 2008-12-10 1.02 -
AntiVir 7.9.0.43 7.1.0.215 2008-12-10 1.57 -
Antiy 2.0.18 20081210.1828531 2008-12-10 0.12 -
Arcavir 1.0.5 200812071316 2008-12-07 1.21 Trojan.Rootkit.Agent.Ec
Authentium 5.1.1 200812100844 2008-12-10 1.09 W32/Rootkit.NE (Exact)
AVAST! 3.0.1 081209-1 2008-12-09 0.00 -
AVG 7.5.52.442 270.9.16/1840 2008-12-09 1.75 -
BitDefender 7.81008.2340140 7.22428 2008-12-10 2.16 -
CA (VET) 9.0.0.143 31.6.6253 2008-12-10 3.97 -
ClamAV 0.94.1 8741 2008-12-10 0.01 -
Comodo 3.0 718 2008-12-10 0.79 -
CP Secure 1.1.0.715 2008.12.10 2008-12-10 6.09 -
Dr.Web 4.44.0.9170 2008.12.10 2008-12-10 3.70 -
ewido 4.0.0.2 2008.12.10 2008-12-10 4.58 -
F-Prot 4.4.4.56 20081210 2008-12-10 1.06 W32/Rootkit.NE (exact)
F-Secure 5.51.6100 2008.12.10.04 2008-12-10 0.04 -
Fortinet 2.81-3.117 9.799 2008-12-09 0.18 W32/Agent.EC!tr.rkit
GData 19.1846/19.140 20081210 2008-12-10 2.76 -
ViRobot 20081210 2008.12.10 2008-12-10 0.41 -
Ikarus T3.1.01.45 2008.12.10.71985 2008-12-10 3.67 Rootkit.Win32.Agent.ec
JiangMin 11.0.706 2008.12.10 2008-12-10 2.02 -
Kaspersky 5.5.10 2008.12.10 2008-12-10 0.04 -
KingSoft 2008.9.8.18 2008.12.10.21 2008-12-10 4.12 Win32.Hack.Agent.sf.7072
McAfee 5.3.00 5459 2008-12-09 2.56 -
Microsoft 1.4205 2008.12.10 2008-12-10 3.93 -
mks_vir 2.01 2008.12.10 2008-12-10 2.57 Trojan.Agent.Ec
Norman 5.93.01 5.93.00 2008-12-09 5.62 -
Panda 9.05.01 2008.12.09 2008-12-09 3.01 -
Trend Micro 8.700-1004 5.702.02 2008-12-10 0.02 -
Quick Heal 10.00 2008.12.10 2008-12-10 0.85 -
Rising 20.0 21.07.22.00 2008-12-10 0.95 RootKit.Agent.sf
Sophos 2.81.2 4.36 2008-12-10 2.00 -
Sunbelt 4674 4674 2008-11-04 0.64 -
Symantec 1.3.0.24 20081209.003 2008-12-09 0.20 -
nProtect 2008-12-10.01 2754999 2008-12-10 3.98 -
The Hacker 6.3.1.2 v00182 2008-12-09 0.65 Trojan/Agent.ec
VBA32 3.12.8.10 20081209.1019 2008-12-09 1.51 Rootkit.Win32.Agent.ec
VirusBuster 4.5.11.10 10.95.2/730120 2008-12-09 0.93 Rootkit.Agent.BVCO
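Added example, not code from the thread or from VirSCAN.org: a small parser for the report format pasted above that recomputes the detection count from the per-engine rows and lists the verdicts, plus an MD5 helper so the file you submit in the upload step (fenzodahl512's instructions) can be matched against the MD5 line of the report you get back. The embedded report is a constructed excerpt of the ddnt.sys report quoted above.

```python
"""Parse a pasted VirSCAN.org report and cross-check the file hash."""
import hashlib
import re

# Constructed excerpt of the ddnt.sys report quoted above (same layout).
REPORT = """\
Scanner results: 31% Scanner(12/39) found malware!
File Name : ddnt.sys
MD5 : 874152d9c956adff05839b2c967f6cf8
Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.0.0.27 20081210173920 2008-12-10 3.06 Rootkit.Win32.Agent.ec!IK
AhnLab V3 2008.12.10.01 2008.12.10 2008-12-10 1.02 -
Authentium 5.1.1 200812100844 2008-12-10 1.09 W32/Rootkit.NE (Exact)
CA (VET) 9.0.0.143 31.6.6253 2008-12-10 3.97 -
Trend Micro 8.700-1004 5.702.02 2008-12-10 0.02 -
VBA32 3.12.8.10 20081209.1019 2008-12-09 1.51 Rootkit.Win32.Agent.ec
"""

# A result row: scanner name (may contain spaces), engine version, signature
# version, ISO date, scan time, verdict ("-" means the engine found nothing).
ROW = re.compile(r"^(.+?)\s+(\S+)\s+(\S+)\s+(\d{4}-\d{2}-\d{2})\s+(\d+\.\d+)\s+(.+)$")
# A "Key : value" header line such as "MD5 : ..." or "File Name : ...".
HEADER = re.compile(r"^([\w ]+?)\s*:\s*(.+)$")

def parse_report(text):
    """Return (header fields, [(scanner, verdict), ...]) from report text."""
    header, rows = {}, []
    for line in text.splitlines():
        m = ROW.match(line)
        h = HEADER.match(line)
        if m:
            rows.append((m.group(1), m.group(6).strip()))
        elif h:
            header[h.group(1).strip()] = h.group(2).strip()
    return header, rows

def summarise(text):
    """Recompute the hit count rather than trusting the 'Scanner results' line."""
    header, rows = parse_report(text)
    claimed = re.search(r"\((\d+)/(\d+)\)", header.get("Scanner results", ""))
    return {
        "file": header.get("File Name"), "md5": header.get("MD5"),
        "hits": sum(v != "-" for _, v in rows), "engines": len(rows),
        "claimed": tuple(map(int, claimed.groups())) if claimed else None,
        "verdicts": sorted(v for _, v in rows if v != "-"),
    }

def md5_hex(data):
    """MD5 of the bytes you actually uploaded; compare with the report's MD5 line."""
    return hashlib.md5(data).hexdigest()
```

On the full pasted report the recomputed `hits`/`engines` should equal the `claimed` pair; on this excerpt they differ only because the excerpt keeps six of the 39 rows.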



