Infected with Trojan Downloader.zlob, Trojan Clicker.VSE


  • This topic is locked
11 replies to this topic

#1 PatrickAT

PatrickAT

  • Members
  • 7 posts
  • OFFLINE
  • Local time:11:18 PM

Posted 02 January 2009 - 10:20 PM

My laptop became infected today with a Trojan that AVG Antivirus described as Trojan Downloader.zlob and Trojan Clicker.VBE. The trojan caused the PC to crash and reboot after it first appeared, added two porn web site shortcuts to my desktop, and made both IE and Firefox begin popping up a website for "AntiVirus 2009", which I learned from a quick search via my desktop (which is not networked to the laptop) was some sort of scam. The malware also did something that kept me from accessing this web site, the site for Ad Aware, and several other web sites related to Malware removal.

I ran a full scan with AVG and it found several files which it quarantined, including "prrunnet.exe" and "msiconf.exe". After that, I cleared all caches and temporary internet files for both browsers, but the pop-ups continued. I then ran Malwarebyte's Anti-Malware and that found and removed 16 additional files. I then rebooted and the pop-ups and web site blocking are gone.

I'm still having an issue with the "DCOM Server Process Launcher" crashing, which forces the computer to reboot. I'm also not sure all the malware has been removed, so I'm hoping someone can take a look at my DDS logs. Here is my DDS.txt report, and the Attach.txt file is attached.

Thank you in advance.

* * * * * * * * * *

DDS (Version 1.1.0) - NTFSx86
Run by Patrick Toman at 21:57:58.67 on Fri 01/02/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.894.485 [GMT -5:00]

AV: AVG 7.5.552 *On-access scanning enabled* (Updated)
FW: Norton Internet Worm Protection *disabled*
FW: AVG Firewall 7.5.500 *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\QuickTime\QTTask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Documents and Settings\Patrick Toman\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=laptop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=laptop
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar3.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [<NO NAME>]
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [RecGuard] c:\windows\sminst\RecGuard.exe
mRun: [DeleteLog] c:\windows\system32\oobe\DeleteLog.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AVG7_CC] c:\progra~1\grisoft\avg7\avgcc.exe /STARTUP
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [AVG7_Run] c:\progra~1\grisoft\avg7\avgw.exe /RUNONCE
dRun: [msiexec.exe] msiconf.exe
StartupFolder: c:\docume~1\patric~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\FINDFAST.EXE
StartupFolder: c:\docume~1\patric~1\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\patrick toman\start menu\programs\imvu\Run IMVU.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: c:\windows\system32\avgfwafu.dll
Trusted Zone: antimalwareguard.com
Trusted Zone: gomyhit.com
Trusted Zone: turbotax.com
Trusted Zone: antimalwareguard.com
Trusted Zone: gomyhit.com
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgwlntf - avgwlntf.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\patric~1\applic~1\mozilla\firefox\profiles\8wvjgavk.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official

ATTENTION: FIREFOX POLICES IS IN FORCE
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2007-9-2 10760]
R1 AvgMfx86;AVG Minifilter x86 Resident Driver;c:\windows\system32\drivers\avgmfx86.sys [2007-9-2 26952]
R2 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avg7\avgamsvr.exe [2007-9-2 418816]
R2 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avg7\avgupsvc.exe [2007-9-2 49664]
R2 AvgCoreSvc;AVG7 Resident Shield Service;c:\progra~1\grisoft\avg7\avgrssvc.exe [2007-9-2 192512]
R2 AVGEMS;AVG E-mail Scanner;c:\progra~1\grisoft\avg7\avgemc.exe [2007-9-2 406528]
R2 AVGFwSrv;AVG Firewall;c:\progra~1\grisoft\avg7\avgfwsrv.exe /srvfsys [2007-9-2 838656]
R2 AvgTdi;AVG Network Redirector;c:\windows\system32\drivers\avgtdi.sys [2007-9-2 4960]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-8-22 231424]
S3 iComp;Hauppauge WinTV PVR2 USB2 Encoder;c:\windows\system32\drivers\HCWUSB2.sys [2007-7-26 1458688]

=============== Created Last 30 ================

2009-01-02 20:27 <DIR> --d----- c:\docume~1\patric~1\applic~1\Malwarebytes
2009-01-02 20:27 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-02 20:27 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-02 20:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-02 20:27 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-02 20:08 <DIR> --d----- c:\program files\CCleaner
2009-01-02 15:59 12,302,799 -------- C:\avg7qt.dat
2009-01-02 14:57 40,448 a------- c:\windows\system32\k9261108.exe
2008-12-21 12:37 59,264 a------- c:\windows\system32\drivers\USBAUDIO.sys
2008-12-21 12:37 59,264 a------- c:\windows\system32\dllcache\usbaudio.sys
2008-12-11 22:26 <DIR> --d----- c:\program files\Mids Hero Designer
2008-12-05 20:57 <DIR> --d----- c:\program files\Yahoo!

==================== Find3M ====================

2008-12-13 01:40 3,593,216 -------- c:\windows\system32\dllcache\mshtml.dll
2008-11-10 05:43 410,984 a------- c:\windows\system32\deploytk.dll
2008-10-24 06:10 453,632 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 08:01 283,648 a------- c:\windows\system32\gdi32.dll
2008-10-23 08:01 283,648 -------- c:\windows\system32\dllcache\gdi32.dll
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 08:11 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 08:11 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 11:57 332,800 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-15 02:06 633,632 -------- c:\windows\system32\dllcache\iexplore.exe
2008-10-15 02:04 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2006-11-26 16:50 22 a--sh--- c:\windows\sminst\HPCD.sys

============= FINISH: 21:58:25.42 ===============


#2 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:18 AM

Posted 10 January 2009 - 02:23 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled.

Since AVG is outdated, please uninstall it using Add/Remove Programs. Reboot after the uninstall.

Download and Run ComboFix
If you have already run ComboFix, delete your copy and download a new one. If the computer in question is unable to download ComboFix, transfer it using a removable media (CDs, flash drive).

Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

In your next reply include:
-the ComboFix log
-a new HijackThis or DDS log

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda

#3 PatrickAT

PatrickAT
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:11:18 PM

Posted 10 January 2009 - 10:03 PM

Panda,

Thank you for replying. I followed the instructions that you gave. I first removed the outdated AVG 7.5 and rebooted. Will I be able to install the newer AVG 8.0 after I'm sure that the malware is gone?

I downloaded Combofix and tried to run it per the instructions. It installed the Windows Recovery Console and started to scan, but stopped making progress at the point where the window said:

Completed Stage_50

'"C:\WINDOWS\system32\"' is not recognized as an internal or external command,
operable program or batch file.

I let it sit for over an hour and it did nothing further, and there was no Combofix.txt log file created. I closed the Combofix window, shut down, and rebooted. I tried again to run Combofix, but it again stopped progressing at the same point. I'm not sure what's wrong. The path "C:\WINDOWS\system32\" exists on the machine.

You asked for any changes I've made since starting my topic. Before I posted, I had only run a Quick Scan with Malwarebyte's Anti-Malware. The day after I posted, I ran a Full Scan. That scan found two infected registry keys and five infected files, and it had to reboot the computer to complete the removal. I ran another full scan with Malwarebyte's Anti-Malware later that day and it came up clean. I've attached the logs of both of those scans.

In the past week since running the full scans, I have not experienced the "DCOM Server Process Launcher" problem again. The laptop seems to be working normally, but to be safe I have kept it disconnected from the internet and not shared any files between it and other computers.

Even though I could not get Combofix to generate a log, I did run DDS again. The new DDS log is below. I'll wait for further guidance from you before doing anything else.

Thanks.

- Patrick

* * * * * * * * * *

DDS (Version 1.1.0) - NTFSx86
Run by Patrick Toman at 21:05:13.14 on 2009-01-10
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.894.590 [GMT -5:00]

FW: Norton Internet Worm Protection *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Patrick Toman\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=laptop
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar3.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [RecGuard] c:\windows\sminst\RecGuard.exe
mRun: [DeleteLog] c:\windows\system32\oobe\DeleteLog.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [msiexec.exe] msiconf.exe
StartupFolder: c:\docume~1\patric~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\FINDFAST.EXE
StartupFolder: c:\docume~1\patric~1\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\patrick toman\start menu\programs\imvu\Run IMVU.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: antimalwareguard.com
Trusted Zone: gomyhit.com
Trusted Zone: turbotax.com
Trusted Zone: antimalwareguard.com
Trusted Zone: gomyhit.com
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\patric~1\applic~1\mozilla\firefox\profiles\8wvjgavk.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official

ATTENTION: FIREFOX POLICES IS IN FORCE
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-8-22 231424]
S3 iComp;Hauppauge WinTV PVR2 USB2 Encoder;c:\windows\system32\drivers\HCWUSB2.sys [2007-7-26 1458688]

=============== Created Last 30 ================

2009-01-10 20:42 388,608 a------- c:\windows\system32\CF2133.exe
2009-01-10 20:35 388,608 a------- c:\windows\system32\CF777.exe
2009-01-10 20:16 388,608 a------- c:\windows\system32\CF29754.exe
2009-01-10 20:04 388,608 a------- c:\windows\system32\CF27465.exe
2009-01-10 20:01 388,608 a------- c:\windows\system32\CF26821.exe
2009-01-10 19:45 388,608 a------- c:\windows\system32\CF23765.exe
2009-01-10 19:27 <DIR> a-dshr-- C:\cmdcons
2009-01-10 19:25 161,792 a------- c:\windows\SWREG.exe
2009-01-10 19:25 98,816 a------- c:\windows\sed.exe
2009-01-10 19:25 388,608 a------- c:\windows\system32\CF19882.exe
2009-01-02 20:27 <DIR> --d----- c:\docume~1\patric~1\applic~1\Malwarebytes
2009-01-02 20:27 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-02 20:27 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-02 20:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-02 20:27 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-02 20:08 <DIR> --d----- c:\program files\CCleaner
2009-01-02 14:57 40,448 a------- c:\windows\system32\k9261108.exe
2008-12-21 12:37 59,264 a------- c:\windows\system32\drivers\USBAUDIO.sys
2008-12-21 12:37 59,264 a------- c:\windows\system32\dllcache\usbaudio.sys
2008-12-11 22:26 <DIR> --d----- c:\program files\Mids Hero Designer

==================== Find3M ====================

2008-12-13 01:40 3,593,216 -------- c:\windows\system32\dllcache\mshtml.dll
2008-11-10 05:43 410,984 a------- c:\windows\system32\deploytk.dll
2008-10-24 06:10 453,632 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 08:01 283,648 a------- c:\windows\system32\gdi32.dll
2008-10-23 08:01 283,648 -------- c:\windows\system32\dllcache\gdi32.dll
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 08:11 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 08:11 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 11:57 332,800 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-15 02:06 633,632 -------- c:\windows\system32\dllcache\iexplore.exe
2008-10-15 02:04 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2006-11-26 16:50 22 a--sh--- c:\windows\sminst\HPCD.sys

============= FINISH: 21:05:43.32 ===============


#4 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:18 AM

Posted 11 January 2009 - 10:27 AM

Hello.

ComboFix's last version had a little bug. Please delete your current copy, download a new copy from the links in my above post, and run ComboFix again.

Post back with the log.

With Regards,
The Panda

#5 PatrickAT

PatrickAT
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:11:18 PM

Posted 11 January 2009 - 07:50 PM

Panda,

I downloaded a new copy of Combofix and it ran successfully this time. The Combofix log is copied and pasted below.

- Patrick

* * * * * * * * * *

ComboFix 09-01-10.03 - Patrick Toman 2009-01-11 19:39:56.7 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.894.589 [GMT -5:00]
Running from: c:\documents and settings\Patrick Toman\Desktop\ComboFix.exe
FW: Norton Internet Worm Protection *disabled*
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-12-12 to 2009-01-12 )))))))))))))))))))))))))))))))
.

2009-01-10 19:23 . 2009-01-10 19:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg7
2009-01-02 20:27 . 2009-01-02 20:27 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-02 20:27 . 2009-01-02 20:27 <DIR> d-------- c:\documents and settings\Patrick Toman\Application Data\Malwarebytes
2009-01-02 20:27 . 2009-01-02 20:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-02 20:27 . 2008-12-03 19:53 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-02 20:27 . 2008-12-03 19:53 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-02 20:08 . 2009-01-02 20:08 <DIR> d-------- c:\program files\CCleaner
2009-01-02 14:57 . 2009-01-02 14:57 40,448 --a------ c:\windows\system32\k9261108.exe
2008-12-21 12:37 . 2004-08-03 23:07 59,264 --a------ c:\windows\system32\drivers\USBAUDIO.sys
2008-12-21 12:37 . 2004-08-03 23:07 59,264 --a------ c:\windows\system32\dllcache\usbaudio.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-10 01:14 --------- d-----w c:\program files\Mozilla Thunderbird
2009-01-03 00:59 --------- d-----w c:\program files\BitComet
2009-01-02 17:38 --------- d-----w c:\program files\Avery Wizard 3.0
2009-01-02 05:32 --------- d-----w c:\program files\Trillian
2009-01-01 02:10 --------- d-----w c:\program files\SecondLife
2008-12-31 14:06 --------- d-----w c:\documents and settings\All Users\Application Data\pdf995
2008-12-16 22:06 --------- d-----w c:\program files\Java
2008-12-13 06:40 3,593,216 ------w c:\windows\system32\dllcache\mshtml.dll
2008-12-12 03:27 --------- d-----w c:\program files\Mids Hero Designer
2008-12-06 02:02 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2008-12-06 01:57 --------- d-----w c:\program files\Yahoo!
2008-11-16 20:14 --------- d-----w c:\documents and settings\Patrick Toman\Application Data\Ventrilo
2008-11-16 18:06 --------- d-----w c:\program files\Ventrilo
2008-11-16 18:05 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-10 10:43 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-10-24 11:10 453,632 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 13:01 283,648 ------w c:\windows\system32\dllcache\gdi32.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 13:11 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 13:11 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 16:57 332,800 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-15 07:06 633,632 ------w c:\windows\system32\dllcache\iexplore.exe
2008-10-15 07:04 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
2008-12-19 23:56 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-19 23:56 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-19 23:56 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-12-19 23:56 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-19 23:56 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2006-11-26 21:50 22 --sha-w c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-11 344064]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-09-24 49152]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-19 729178]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2005-12-12 94208]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2005-12-07 409600]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-08-01 233534]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"DeleteLog"="c:\windows\system32\oobe\DeleteLog.exe" [2005-01-06 36864]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-12-13 507904]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]

c:\documents and settings\Patrick Toman\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1996-11-16 111376]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1996-11-16 51984]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"21827:TCP"= 21827:TCP:BitComet 21827 TCP
"21827:UDP"= 21827:UDP:BitComet 21827 UDP

R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-08-22 231424]
S3 iComp;Hauppauge WinTV PVR2 USB2 Encoder;c:\windows\system32\drivers\HCWUSB2.sys [2007-07-26 1458688]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{df74ba62-37b9-11dc-bfb8-0014a56c94b0}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-01-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2009-01-11 c:\windows\Tasks\duhtvtwv.job
- c:\windows\system32\rundll32.exe [2004-08-04 03:00]
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-msiexec.exe - msiconf.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=laptop
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Patrick Toman\Start Menu\Programs\IMVU\Run IMVU.lnk
Trusted Zone: *.antimalwareguard.com
Trusted Zone: *.gomyhit.com
Trusted Zone: *.turbotax.com
Trusted Zone: *.antimalwareguard.com
Trusted Zone: *.gomyhit.com
FF - ProfilePath - c:\documents and settings\Patrick Toman\Application Data\Mozilla\Firefox\Profiles\8wvjgavk.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-11 19:43:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe??????????7????|?????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(772)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-01-11 19:45:58
ComboFix-quarantined-files.txt 2009-01-12 00:45:08

Pre-Run: 11,794,415,616 bytes free
Post-Run: 11,782,471,680 bytes free

153 --- E O F --- 2008-12-18 03:32:48

#6 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:18 AM

Posted 11 January 2009 - 08:09 PM

Hello Patrick.

Let's take care of what is left.

Run ComboFix with CFScript
We will run ComboFix again with a script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    http://www.bleepingcomputer.com/forums/t/191634/infected-with-trojan-downloaderzlob-trojan-clickervse/
    
    File::
    c:\windows\system32\k9261108.exe
    c:\windows\Tasks\duhtvtwv.job
    
    Suspect::[59]
    c:\windows\system32\oobe\DeleteLog.exe
    
    Registry::
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\antimalwareguard.com]
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\gomyhit.com]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\gomyhit.com]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\antimalwareguard.com]
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Posted Image
    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

Upload Samples Collected by ComboFix
When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
  • A browser will open.
  • Simply follow the instructions to copy/paste/send the requested file.
Please remind me in your next reply that you submitted a sample.
------
AVG7 is now outdated. Please uninstall it using Add/Remove Programs.

Then install a new antivirus. After installing, update the database, run a full system scan and remove any items found.
With Regards,
The Panda
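The CFScript above acts on three things the earlier ComboFix log exposed: two rogue domains added to the Internet Explorer Trusted Zone, a randomly named scheduled task (duhtvtwv.job) that launches rundll32.exe, and a file sent off as a sample. The same log also showed Security Center notifications and the Windows Firewall switched off, which is a typical footprint of rogue "antivirus" installers. As an added example, not from this thread, from ComboFix or from BleepingComputer, here is a small Python triage helper that reads a ComboFix-style log and flags those indicator classes so an analyst can spot them quickly. The domain allowlist, the random-name heuristic and the sample log text are my own assumptions, modelled on the format of the logs pasted in this thread.

```python
"""Triage helper for ComboFix-style logs (added example; not a ComboFix or
BleepingComputer tool). Flags: Trusted Zone domains outside an allowlist,
registry values that switch off Security Center / Windows Firewall, and
scheduled tasks that launch rundll32.exe or carry random-looking names."""
import re

# Constructed sample, modelled on the ComboFix log format used in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

Contents of the 'Scheduled Tasks' folder

2009-01-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2009-01-11 c:\windows\Tasks\duhtvtwv.job
- c:\windows\system32\rundll32.exe [2004-08-04 03:00]

Trusted Zone: *.antimalwareguard.com
Trusted Zone: *.turbotax.com
"""

# Assumption: the analyst maintains this allowlist of deliberately trusted sites.
TRUSTED_ZONE_ALLOWLIST = {"turbotax.com"}

# (value name, value data) pairs that weaken Security Center or the firewall.
WEAKENING_VALUES = {
    ("AntiVirusDisableNotify", "dword:00000001"): "Security Center AV notifications disabled",
    ("DisableMonitoring", "dword:00000001"): "Security Center monitoring disabled",
    ("EnableFirewall", "0"): "Windows Firewall disabled",
}

TRUSTED_ZONE_RE = re.compile(r"^Trusted Zone:\s+\*?\.?([\w.-]+)\s*$")
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>\S+)')
TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+\S+\\Tasks\\(?P<name>[^\\]+)\.job\s*$")
TASK_TARGET_RE = re.compile(r"^-\s+(?P<target>.+?)\s+\[")


def looks_random(name):
    """Heuristic (assumption): a .job name of 6+ lowercase letters with very
    few vowels, like 'duhtvtwv', is treated as machine-generated."""
    if len(name) < 6 or not name.isalpha() or not name.islower():
        return False
    vowels = sum(1 for ch in name if ch in "aeiou")
    return vowels / len(name) <= 0.25


def triage(log_text):
    """Return a list of (category, detail) findings in log order."""
    findings = []
    pending_job = None  # .job name waiting for its '- target [date]' line
    for raw in log_text.splitlines():
        line = raw.strip()
        m = TRUSTED_ZONE_RE.match(line)
        if m:
            domain = m.group(1)
            if domain not in TRUSTED_ZONE_ALLOWLIST:
                findings.append(("trusted_zone", domain))
            continue
        m = REG_VALUE_RE.match(line)
        if m:
            key = (m.group("name"), m.group("value"))
            if key in WEAKENING_VALUES:
                findings.append(("security_weakened", WEAKENING_VALUES[key]))
            continue
        m = TASK_RE.match(line)
        if m:
            pending_job = m.group("name")
            continue
        m = TASK_TARGET_RE.match(line)
        if m and pending_job is not None:
            target = m.group("target")
            exe = target.rsplit("\\", 1)[-1].lower()
            # rundll32.exe as a bare task target, or a random job name, is worth a look.
            if exe == "rundll32.exe" or looks_random(pending_job):
                findings.append(("suspicious_task", f"{pending_job}.job -> {target}"))
            pending_job = None
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"[{category}] {detail}")
```

Run against a real ComboFix.txt by reading the file into `triage()`; the allowlist and the vowel-ratio threshold are deliberately simple and should be tuned to the environment, and every hit still needs a human look before anything is deleted.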

#7 PatrickAT

PatrickAT
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:11:18 PM

Posted 12 January 2009 - 11:10 PM

Hello Panda,

I followed your instructions and ran Combofix with CFScript, and submitted the sample at the end. The Combofix log is below.

Afterwards, I installed AVG Free and ran a full scan. It found two files in C:\WINDOWS\system32\config\systemprofile\Application Data\ that it identified as "Trojan horse Generic_C.TSW" and "Trojan Horse Generic_C.TST" that it removed.

Let me know how things are looking, and thanks for your patience. I've only been able to work on this in the evenings when I'm home from work.

Regards,

Patrick

* * * * * * * * * *

ComboFix 09-01-10.03 - Patrick Toman 2009-01-12 19:35:34.8 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.894.582 [GMT -5:00]
Running from: c:\documents and settings\Patrick Toman\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Patrick Toman\Desktop\CFScript.txt
FW: Norton Internet Worm Protection *disabled*
* Created a new restore point

FILE ::
c:\windows\system32\k9261108.exe
c:\windows\Tasks\duhtvtwv.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\k9261108.exe
c:\windows\Tasks\duhtvtwv.job

.
((((((((((((((((((((((((( Files Created from 2008-12-13 to 2009-01-13 )))))))))))))))))))))))))))))))
.

2009-01-10 19:23 . 2009-01-10 19:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg7
2009-01-02 20:27 . 2009-01-02 20:27 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-02 20:27 . 2009-01-02 20:27 <DIR> d-------- c:\documents and settings\Patrick Toman\Application Data\Malwarebytes
2009-01-02 20:27 . 2009-01-02 20:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-02 20:27 . 2008-12-03 19:53 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-02 20:27 . 2008-12-03 19:53 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-02 20:08 . 2009-01-02 20:08 <DIR> d-------- c:\program files\CCleaner
2008-12-21 12:37 . 2004-08-03 23:07 59,264 --a------ c:\windows\system32\drivers\USBAUDIO.sys
2008-12-21 12:37 . 2004-08-03 23:07 59,264 --a------ c:\windows\system32\dllcache\usbaudio.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-10 01:14 --------- d-----w c:\program files\Mozilla Thunderbird
2009-01-03 00:59 --------- d-----w c:\program files\BitComet
2009-01-02 17:38 --------- d-----w c:\program files\Avery Wizard 3.0
2009-01-02 05:32 --------- d-----w c:\program files\Trillian
2009-01-01 02:10 --------- d-----w c:\program files\SecondLife
2008-12-31 14:06 --------- d-----w c:\documents and settings\All Users\Application Data\pdf995
2008-12-16 22:06 --------- d-----w c:\program files\Java
2008-12-13 06:40 3,593,216 ------w c:\windows\system32\dllcache\mshtml.dll
2008-12-12 03:27 --------- d-----w c:\program files\Mids Hero Designer
2008-12-06 02:02 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2008-12-06 01:57 --------- d-----w c:\program files\Yahoo!
2008-11-16 20:14 --------- d-----w c:\documents and settings\Patrick Toman\Application Data\Ventrilo
2008-11-16 18:06 --------- d-----w c:\program files\Ventrilo
2008-11-16 18:05 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-10 10:43 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-10-24 11:10 453,632 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 13:01 283,648 ------w c:\windows\system32\dllcache\gdi32.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 13:11 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 13:11 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 16:57 332,800 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-15 07:06 633,632 ------w c:\windows\system32\dllcache\iexplore.exe
2008-10-15 07:04 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
2008-12-19 23:56 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-19 23:56 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-19 23:56 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-12-19 23:56 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-19 23:56 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2006-11-26 21:50 22 --sha-w c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((( snapshot@2009-01-11_19.44.19.76 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-13 00:29:48 16,384 ----atw c:\windows\temp\Perflib_Perfdata_77c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-11 344064]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-09-24 49152]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-19 729178]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2005-12-12 94208]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2005-12-07 409600]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-08-01 233534]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"DeleteLog"="c:\windows\system32\oobe\DeleteLog.exe" [2005-01-06 36864]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-12-13 507904]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]

c:\documents and settings\Patrick Toman\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1996-11-16 111376]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1996-11-16 51984]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"21827:TCP"= 21827:TCP:BitComet 21827 TCP
"21827:UDP"= 21827:UDP:BitComet 21827 UDP

R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-08-22 231424]
S3 iComp;Hauppauge WinTV PVR2 USB2 Encoder;c:\windows\system32\drivers\HCWUSB2.sys [2007-07-26 1458688]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{df74ba62-37b9-11dc-bfb8-0014a56c94b0}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-01-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=laptop
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Patrick Toman\Start Menu\Programs\IMVU\Run IMVU.lnk
Trusted Zone: *.turbotax.com
FF - ProfilePath - c:\documents and settings\Patrick Toman\Application Data\Mozilla\Firefox\Profiles\8wvjgavk.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-12 19:39:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe??????????\????|?????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(768)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-01-12 19:41:40
ComboFix-quarantined-files.txt 2009-01-13 00:40:44
ComboFix2.txt 2009-01-12 00:46:00

Pre-Run: 11,762,520,064 bytes free
Post-Run: 11,750,805,504 bytes free

158 --- E O F --- 2008-12-18 03:32:48

#8 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:18 AM

Posted 13 January 2009 - 12:22 PM

Hello.

It's looking good. No active infections from what I see.

Tell AVG to remove those items and see if they come back. It will probably flag the files in ComboFix's quarantine when you run a full scan.

Download and Run ATFCleaner
Please download ATF Cleaner by Atribune. This program will clear out temporary files and settings. You will likely be logged out of the forum where you are receiving help.

This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
If you use Firefox browser also...
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser also...
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
F-Secure Online Scan
Please run F-Secure Online Scanner to check for anything we missed.
This scan is for Internet Explorer only.
  • It is suggested that you disable security programs and close any other windows during the scan. While your security is disabled, please refrain from surfing on other sites. Refer to this page if you are unsure how.
  • Go to F-Secure Online Scanner
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy the entire report in your next reply.
  • Be sure to re-enable any security programs.

With Regards,
The Panda

#9 PatrickAT

PatrickAT
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:11:18 PM

Posted 13 January 2009 - 09:44 PM

Hello,

AVG removed those two files and they haven't returned.

I downloaded ATF Cleaner and ran it.

I ran F-Secure Online Scanner per the instructions. I did the Automatic Cleaning when the scan was complete. A copy of the report is below.

Thanks,

- Patrick

* * * * * * * * * *

Scanning Report
Tuesday, January 13, 2009 20:11:33 - 21:21:52

Computer name: COMPAQ5115
Scanning type: Scan system for malware, rootkits
Target: C:\ D:\
Result: 6 malware found
TrackingCookie.Advertising (spyware)

* System

TrackingCookie.Atdmt (spyware)

* System

TrackingCookie.Atwola (spyware)

* System

TrackingCookie.Doubleclick (spyware)

* System

TrackingCookie.Yieldmanager (spyware)

* System

Trojan-Downloader.JS.FlingStone (virus)

* C:\DOCUMENTS AND SETTINGS\ALL USERS\DOCUMENTS\APPLICATION DATA\MOZILLA\PROFILES\DEFAULT\96T0JGAR.SLT\CACHE(2)\BE7C255BD01 (Renamed & Submitted)

Statistics
Scanned:

* Files: 64466
* System: 3299
* Not scanned: 8

Actions:

* Disinfected: 0
* Renamed: 1
* Deleted: 0
* None: 5
* Submitted: 1

Files not scanned:

* C:\HIBERFIL.SYS
* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MUVEE TECHNOLOGIES\030625\0102\0314\VALUES

Options
Scanning engines:

* F-Secure USS: 2.40.0
* F-Secure Hydra: 2.8.8110, 2009-01-13
* F-Secure AVP: 7.0.171, 2009-01-13
* F-Secure Pegasus: 1.20.0, 2008-11-17
* F-Secure Blacklight: 0.0.0

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use Advanced heuristics


#10 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:18 AM

Posted 14 January 2009 - 08:09 AM

Looks like you are clean.

Unless you have any further problems, we can wrap up.

Uninstall ComboFix
Remove Combofix now that we're done with it.

If this tool has helped you, please consider making a donation to its author.
  • Click on your Start Menu, then Run....
  • Now type combofix /u in the runbox and click OK. Notice the space between the "x" and "/".
Uninstalling ComboFix will do the following:
  • Delete ComboFix and its components from your computer.
  • Delete other tools commonly used during the malware removal process.
  • Reset clock settings to standard format.
  • Hide file extensions and hidden/system files.
  • Clear the System Restore cache and create new a restore point.
Preventing Malware Infection in the Future
Please take some time to look at the following links, giving some advice and suggestions for preventing future infections: For general slowness problems that you may have, take a look at Slow Computer/browser? It May Not Be Malware. Read How to use the Startup Database to identify and disable unneeded processes and increase the amount of available resources.

Do you have any further questions or concerns?

With Regards,
The Panda

#11 PatrickAT

PatrickAT
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:11:18 PM

Posted 14 January 2009 - 08:01 PM

Panda,

I've uninstalled Combofix, and I'll definitely read over the information contained in those links. I have no other questions at this time. Thank you so much for all your help.

Sincerely,

Patrick

#12 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:18 AM

Posted 14 January 2009 - 08:04 PM

Glad we could help.

Since this issue appears to be resolved, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda
