Unknown serious infection - google redirect + more


This topic is locked
11 replies to this topic

#1 dray1971
  • Members
  • 8 posts
  • Local time:05:07 PM

Posted 10 January 2009 - 02:47 PM

Hi. I've been a software engineer for many years and have never run across anything I couldn't get rid of either with one of the existing scanners or by hand. Recently however my PC has become infected and I have been absolutely unable to get it cleaned back up. This one may be a bit of a challenge.

What I know so far is that I have had the rogue antivirus program antivirus2009. I'm pretty sure it's gone. I also have the google redirect where all google search results go to go.google.com..... It doesn't always seem to be running however.

I have a booting issue with the PC as well. Mostly it will boot just fine; sometimes however it gets to various stages before hanging: before login prompt, after login but before icons show up, after icons are loaded. I have also noticed that sometimes when I go to Task Manager the running processes are mostly all running as a blank user. Sometimes that is normal and processes are either running as me or System or whatever they normally run as.

I also have certain sites being blocked from my browser. This one for instance I had to use another PC to get to. Certain antivirus tools and antispyware tools are blocked from being able to update as well, and at one point some of them wouldn't even execute.

Most recently I have noticed that if I try to defrag the drive I get a message that the defragmenter could not be started. When trying to run checkdisk I get a similar message. Trying to run chkdsk from the command prompt I get a message that it cannot run because of another process and I should schedule it for the next boot. When attempting to run at next boot it says it cannot run because the drive type is RAW. My drives however are fine. I checked them with one utility and neither flagged as dirty.

One thing I did notice from the Disk Management screen. I show my C drive where the OS lives as a healthy NTFS partition 9.77 GB; I show my D drive as a healthy NTFS partition 64.69 GB. Now one thing I never noticed before but couldn't swear it wasn't there.... it shows a 39MB Healthy FAT partition logically before the C partition that says Healthy (EISA Configuration), no drive letter. Right clicking on that partition only gives me the context menu for Help.

I will post a HijackThis log although it looks a little small and gladly put this in the hands of someone here. I am way too frustrated with this one.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:43:05 PM, on 1/10/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
D:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL$AUTODEALERSFTWRE\Binn\sqlservr.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Microsoft Shared\DirectX Extensions\DXDebugService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\system32\dmremote.exe
C:\WINDOWS\System32\dmadmin.exe
D:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre0.dll
O2 - BHO: (no name) - {0780E8B2-3AEB-4129-9731-60F98868E0C7} - C:\WINDOWS\system32\browsew.dll (file missing)
O3 - Toolbar: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre0.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [lxdcamon] "C:\Program Files\Lexmark 1300 Series\lxdcamon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: VPN Client.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1151995576734
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{069B1AFA-C76C-4E96-BC71-50E4AC122D00}: NameServer = 69.1.30.11,69.1.30.10
O17 - HKLM\System\CS1\Services\Tcpip\..\{069B1AFA-C76C-4E96-BC71-50E4AC122D00}: NameServer = 69.1.30.11,69.1.30.10
O17 - HKLM\System\CS2\Services\Tcpip\..\{069B1AFA-C76C-4E96-BC71-50E4AC122D00}: NameServer = 69.1.30.11,69.1.30.10
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LeapFrog Connect Device Service - Unknown owner - D:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe

--
End of file - 6029 bytes

Attached Files




#2 dray1971
  • Topic Starter
  • Members
  • 8 posts
  • Local time:05:07 PM

Posted 10 January 2009 - 03:56 PM

Requested DDS files


DDS (Ver_09-01-07.01) - NTFSx86
Run by Donny at 14:51:59.84 on Sat 01/10/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.189 [GMT -6:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
D:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL$AUTODEALERSFTWRE\Binn\sqlservr.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Microsoft Shared\DirectX Extensions\DXDebugService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\system32\dmremote.exe
C:\WINDOWS\System32\dmadmin.exe
D:\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
\\192.168.2.4\donny's music\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uSearchAssistant = hxxp://www.google.com
mSearchAssistant = hxxp://www.google.com
uURLSearchHooks: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\tbFre0.dll
BHO: {0780e8b2-3aeb-4129-9731-60f98868e0c7} - c:\windows\system32\browsew.dll
TB: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\tbFre0.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [lxdcamon] "c:\program files\lexmark 1300 series\lxdcamon.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - d:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{14fcfe7c-ab86-428a-9d2e-bfb6f5a7aa6e}\Icon3E5562ED7.ico
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - d:\progra~1\spybot~1\SDHelper.dll
TCP: {069B1AFA-C76C-4E96-BC71-50E4AC122D00} = 69.1.30.11,69.1.30.10
Notify: igfxcui - igfxdev.dll
SEH: {00A6E88E-D7A2-456A-AE04-EB9ABF822FE4} - No File

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\donny\applic~1\mozilla\firefox\profiles\n9hcjdta.default\
FF - component: c:\documents and settings\donny\application data\mozilla\firefox\profiles\n9hcjdta.default\extensions\{81bf1d23-5f17-408d-ac6b-bd6df7caf670}\components\XpcomOpusConnector.dll

============= SERVICES / DRIVERS ===============

R0 yfjpayfo;yfjpayfo;c:\windows\system32\drivers\vnrcxhlm.dat --> c:\windows\system32\drivers\vnrcxhlm.dat [?]
R4 LeapFrog Connect Device Service;LeapFrog Connect Device Service;d:\program files\leapfrog\leapfrog connect\CommandService.exe [2008-11-25 991232]
R4 MSSQL$AUTODEALERSFTWRE;MSSQL$AUTODEALERSFTWRE;c:\program files\microsoft sql server\mssql$autodealersftwre\binn\sqlservr.exe -sautodealersftwre --> c:\program files\microsoft sql server\mssql$autodealersftwre\binn\sqlservr.exe -sAUTODEALERSFTWRE [?]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2008-12-26 18560]
S3 SQLAgent$AUTODEALERSFTWRE;SQLAgent$AUTODEALERSFTWRE;c:\program files\microsoft sql server\mssql$autodealersftwre\binn\sqlagent.exe -i autodealersftwre --> c:\program files\microsoft sql server\mssql$autodealersftwre\binn\sqlagent.EXE -i AUTODEALERSFTWRE [?]
S3 SQLAgent$CARDEALERDB;SQLAgent$CARDEALERDB;d:\progra~1\micros~2\mssql$~1\binn\sqlagent.exe -i cardealerdb --> d:\progra~1\micros~2\mssql$~1\binn\sqlagent.exe -i CARDEALERDB [?]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]
S4 aawservice;Lavasoft Ad-Aware Service;d:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
S4 MSSQL$CARDEALERDB;MSSQL$CARDEALERDB;d:\progra~1\micros~2\mssql$~1\binn\sqlservr.exe -scardealerdb --> d:\progra~1\micros~2\mssql$~1\binn\sqlservr.exe -sCARDEALERDB [?]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;d:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2005-9-23 2799808]

=============== Created Last 30 ================

2009-01-03 18:16 223,744 a------- c:\windows\system32\CNMLM97.DLL
2009-01-03 18:15 <DIR> --d----- c:\program files\Canon
2008-12-28 22:38 <DIR> --d----- C:\logs
2008-12-26 22:17 18,560 a------- c:\windows\system32\drivers\FlyUsb.sys
2008-12-26 22:16 110 a------- c:\windows\{CF055C57-A988-42E6-BDAF-E3D94C6973A8}_WiseFW.ini
2008-12-26 22:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Leapfrog
2008-12-26 22:14 <DIR> --d----- c:\program files\LeapFrog
2008-12-22 18:03 <DIR> --d----- c:\docume~1\donny\applic~1\MysteryStudio
2008-12-17 19:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NevoSoft Games
2008-12-14 16:05 2,414,360 a------- c:\windows\system32\d3dx9_31.dll
2008-12-14 16:05 <DIR> --d----- c:\program files\Virtools
2008-12-12 17:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\VirtualFarm

==================== Find3M ====================

2008-12-08 13:11 25,992 a------- c:\windows\system32\pgdfgsvc.exe
2008-12-06 13:17 61,440 a------- c:\windows\system32\drivers\lutwcvgo.sys
2008-06-14 21:40 0 ---sh--- c:\program files\desktoq.ini
2007-11-03 23:27 0 a------- c:\program files\common files\dht342126
2006-10-18 20:07 46 a------- c:\docume~1\donny\applic~1\Dxcuknwrd.dll
2002-07-01 08:13 243 a--sh--- c:\docume~1\alluse~1\applic~1\system16driver.dat
2006-10-18 17:28 507,236 ---sh--- c:\windows\system32\hgjlm.bak1
2006-10-19 17:28 526,834 ---sh--- c:\windows\system32\hgjlm.bak2

============= FINISH: 14:52:36.18 ===============

Attached Files
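The HijackThis log in post #1 and the DDS log in post #2 are the raw material a helper reads before writing removal instructions. As an added example (not a BleepingComputer, HijackThis or DDS tool, and not code from anyone in this thread), the Python below parses lines in those two formats and flags the entry kinds the later replies act on: an O2 BHO whose DLL is missing, O17 NameServer entries outside a resolver set the reader has verified (the trusted_dns parameter is an assumption of this example), an O23 service with no recorded publisher, and DDS boot-start drivers backed by a non-.sys image or suffixed [?]. The sample lines are constructed copies of a few entries from the logs above.

```python
"""Triage helpers for HijackThis and DDS log lines.

Added example for this thread; not a BleepingComputer, HijackThis or DDS tool.
The rules are defender heuristics: they point at entries a helper would ask
about, they do not decide what is malicious.
"""
import re

# Constructed sample lines in the shapes seen in the logs posted above.
SAMPLE_HJT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {0780E8B2-3AEB-4129-9731-60F98868E0C7} - C:\WINDOWS\system32\browsew.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{069B1AFA-C76C-4E96-BC71-50E4AC122D00}: NameServer = 69.1.30.11,69.1.30.10
O23 - Service: LeapFrog Connect Device Service - Unknown owner - D:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
"""

SAMPLE_DDS_SERVICES = r"""
R0 yfjpayfo;yfjpayfo;c:\windows\system32\drivers\vnrcxhlm.dat --> c:\windows\system32\drivers\vnrcxhlm.dat [?]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2008-12-26 18560]
S4 aawservice;Lavasoft Ad-Aware Service;d:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
"""

HJT_LINE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
DDS_SERVICE = re.compile(r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
NAMESERVER = re.compile(r"NameServer = ([0-9.,]+)")


def parse_hjt(text):
    """Return (section code, body) pairs for every HijackThis entry line."""
    out = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            out.append((m.group("code"), m.group("body")))
    return out


def triage_hjt(text, trusted_dns=frozenset()):
    """Flag HJT entries worth a question.

    trusted_dns (assumed parameter): resolvers the user's ISP or network is
    known to use. Any O17 NameServer outside it is reported, because a changed
    resolver is one way search redirects are implemented.
    """
    findings = []
    for code, body in parse_hjt(text):
        if code == "O2" and "(file missing)" in body:
            findings.append((code, "BHO still registered but its DLL is missing: " + body))
        elif code == "O17":
            m = NAMESERVER.search(body)
            if m:
                unknown = [s for s in m.group(1).split(",") if s not in trusted_dns]
                if unknown:
                    findings.append((code, "resolver(s) not in the trusted set: " + ",".join(unknown)))
        elif code == "O23" and "Unknown owner" in body:
            findings.append((code, "service with no publisher recorded: " + body))
    return findings


def triage_dds_services(text):
    """Flag DDS service/driver lines: boot-start (R0) drivers not loaded from a
    .sys image, and entries DDS suffixes with [?] (it could not read file metadata)."""
    findings = []
    for line in text.splitlines():
        m = DDS_SERVICE.match(line.strip())
        if not m:
            continue
        start, name, _display, rest = m.groups()
        # Image path is everything before the " --> " resolution and the " [date size]" tail.
        image = rest.split(" --> ")[0].split(" [")[0].strip()
        if start == "R0" and not image.lower().endswith(".sys"):
            findings.append((name, "boot-start driver backed by a non-.sys image: " + image))
        if rest.rstrip().endswith("[?]"):
            findings.append((name, "DDS could not read file metadata for " + image))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT):
        print("HJT", *f)
    for f in triage_dds_services(SAMPLE_DDS_SERVICES):
        print("DDS", *f)
```

Run it as a script to print the findings for the embedded sample, or call triage_hjt on a pasted log. The O17 rule only says which resolvers are unfamiliar; whether the 69.1.30.x addresses are the user's ISP resolvers is something the helper confirms with the user, which is why the trusted set is an argument rather than a built-in list.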



#3 Thunder
  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium
  • Local time:01:07 AM

Posted 22 January 2009 - 05:18 PM

Hello Dray1971,

Please read this tutorial (http://www.bleepingcomputer.com/combofix/how-to-use-combofix) carefully to download ComboFix from one of the locations specified, and save it to your Desktop.
Double click the ComboFix icon to run it.
If ComboFix asks you to install the Recovery Console, please do so.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbsup:

If you have any questions along the way, STOP and ask them before proceeding !!

Please post back with the ComboFix log.

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted - And make a difference

#4 dray1971
  • Topic Starter
  • Members
  • 8 posts
  • Local time:05:07 PM

Posted 22 January 2009 - 08:19 PM

I have it running now. It would not run as ComboFix.exe. Had to rename it to ComboFix2.exe before it would even attempt to execute. Will post the log after it has finished.

#5 dray1971
  • Topic Starter
  • Members
  • 8 posts
  • Local time:05:07 PM

Posted 22 January 2009 - 09:12 PM

Had trouble getting it to run; finally rebooted and it ran. Installed the recovery console and started scanning. Found a rootkit right off the bat, had me write down a bunch of file names and restart. Came up and scanned, deleted a bunch of files, seemed to finish; I stepped outside and when I came back it was sitting at a BSOD. I restarted and it came up and successfully ran check disk, everything was ok and it went ahead to start and blue screened again. Attempting to start in normal mode or safe mode gets the blue screen; trying to start in safe mode with networking gets so far and restarts on its own. The blue screen says SESSION5_INITIALIZATION_FAILED stop code 0x00000071.


Please Advise

#6 Thunder
  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium
  • Local time:01:07 AM

Posted 23 January 2009 - 06:05 AM

Hello Dray1971,

Let's try this :

1. Boot your computer using the "Last Known Good Configuration" option.

2. Reset Windows TCP/IP for removing any network hooks :
Go to Start > Run. Copy and paste (or type) in the Open box and then press ENTER: cmd
In the command window, copy and paste (or type) and then press ENTER: netsh int ip reset c:\resetlog.txt
Type exit to close the command window.

3. Download and Run WinsockFix
  • Download WinsockXPFix and save it to your desktop.
  • Double click on the WinsockXPFix icon on your desktop.
  • Push the Fix button.
  • Allow your system to reboot afterwards.
4. Download Malwarebytes' Anti-Malware from Here or Here

Doubleclick mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Greetings,
Thunder

Edited by Thunder, 23 January 2009 - 06:06 AM.


#7 dray1971
  • Topic Starter
  • Members
  • 8 posts
  • Local time:05:07 PM

Posted 23 January 2009 - 06:56 PM

Got it back up. ComboFix actually came back up and finished doing its thing. I am attaching its log even though it may be no good after having to go to last known good config. I will also attach the resetlog.txt from the netsh command. Ran the Winsock fix. Ran MBAM; it was able to update itself for the first time in a while. It found 1 file and three registry values. Took care of the file but couldn't get the values. They have been there for a while. Rebooted like it asked but MBAM didn't do anything else at startup and those three registry values remain in there. MBAM log pasted below:

Malwarebytes' Anti-Malware 1.33
Database version: 1685
Windows 5.1.2600 Service Pack 2

1/23/2009 5:45:29 PM
mbam-log-2009-01-23 (17-45-29).txt

Scan type: Quick Scan
Objects scanned: 55372
Time elapsed: 3 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\cpnprt2.cid (Adware.Agent) -> Quarantined and deleted successfully.

Attached Files
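The MBAM log above lists three registry values as "Delete on reboot" which, as the post says, were still there after the restart. As an added example (not Malwarebytes code and not from anyone in this thread), the Python below parses the MBAM 1.x text log format into entries, separates items already quarantined from items only scheduled for removal at reboot (the ones to re-check after restarting), and cross-checks the summary counts against the entries listed under each section. The embedded log is a constructed copy of the one posted above.

```python
"""Parser for the Malwarebytes' Anti-Malware 1.x text log format.

Added example for this thread, not Malwarebytes code.
"""
import re

# Constructed sample in the shape of the log posted above.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.33
Database version: 1685

Registry Keys Infected: 0
Registry Values Infected: 3
Files Infected: 1

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\cpnprt2.cid (Adware.Agent) -> Quarantined and deleted successfully.
"""

# "Registry Values Infected: 3" is a summary line; "Registry Values Infected:" opens a section.
SUMMARY = re.compile(r"^(?P<section>.+ Infected): (?P<count>\d+)$")
HEADER = re.compile(r"^(?P<section>.+ Infected):$")
# "<item> (<family>) -> <action>."  The "(No malicious items detected)" line has no " -> " and is skipped.
ENTRY = re.compile(r"^(?P<item>.+) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam(text):
    """Return (summary counts by section, entries); each entry is a dict with
    section, item, family and action."""
    counts, entries, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := SUMMARY.match(line)):
            counts[m.group("section")] = int(m.group("count"))
        elif (m := HEADER.match(line)):
            section = m.group("section")
        elif section and (m := ENTRY.match(line)):
            entries.append({"section": section, **m.groupdict()})
    return counts, entries


def pending_on_reboot(entries):
    """Items MBAM could not remove immediately; re-check these after the restart."""
    return [e["item"] for e in entries if e["action"].lower().startswith("delete on reboot")]


def counts_match(counts, entries):
    """True when every summary count equals the number of entries listed under that section."""
    listed = {}
    for e in entries:
        listed[e["section"]] = listed.get(e["section"], 0) + 1
    return all(listed.get(section, 0) == n for section, n in counts.items())


if __name__ == "__main__":
    counts, entries = parse_mbam(SAMPLE_LOG)
    print("summary consistent:", counts_match(counts, entries))
    for item in pending_on_reboot(entries):
        print("still pending at reboot:", item)
```

A value that is still "Delete on reboot" in a fresh scan after the restart is the signal that something re-creates it or blocks the deletion, which is the situation the next reply addresses with a ComboFix script rather than another MBAM pass.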



#8 Thunder
  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium
  • Local time:01:07 AM

Posted 23 January 2009 - 08:03 PM

Looking a lot better now, Dray1971 :thumbsup:

Go to Start > Control Panel > Software > Add/remove programs and uninstall Freecorder Toolbar

Then, let's clean up some more :

Open Notepad - don't use any other text editor than Notepad or the script will fail!
Copy/paste the bold, blue text below into an empty notepad window:
Collect::
c:\windows\system32\drivers\lutwcvgo.sys
c:\documents and settings\All Users\Application Data\system16driver.dat
c:\windows\system32\drivers\vnrcxhlm.dat
File::
c:\program files\desktoq.ini
c:\program files\Common Files\dht342126
Driver::
yfjpayfo
RegNull::
[HKEY_USERS\S-1-5-21-1085031214-682003330-1839750887-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{72ED32D4-85FD-C974-AF34-0455D27137B1}*]
RegLock::
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\TDSSserv.sys]
Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"=-
[-HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"=-
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{1392B8D2-5C05-419F-A8F6-B9F15A596612}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\brastk]

Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: dragging the CFScript file onto ComboFix.exe]

This will start ComboFix again. Upon reboot, (in case it asks to reboot), post the contents of the Combofix log in your next reply, as well as a fresh DDS log.

ComboFix will generate a zipped file, similar to C:\Qoobox\Quarantine\[9]Submit@Date_Time.zip.
Upon reboot, and if an active connection is available, it will attempt to automatically upload the malware sample for further investigation. Please allow this if one of your security programs pops up a warning.
In the event the upload fails, the sample can still be uploaded by double clicking the C:\CF-Submit.htm file (opens browser window) and click OK to start the upload. :)

Still having problems ?

Greetings,
Thunder

#9 dray1971
  • Topic Starter
  • Members
  • 8 posts
  • Local time:05:07 PM

Posted 23 January 2009 - 11:37 PM

So far so good. I didn't see CF upload any files, but I don't see C:\CF-Submit.htm either. ChkDsk works again. About to attempt to defrag. no more go.google redirects, every process in task manager is running as the correct user. Unless you see something else below I'll kind of evaluate and make sure everything runs well tonight and in the morning and let you know tomorrow. Thanks for all your help so far.

ComboFix log:

ComboFix 09-01-21.04 - Donny 2009-01-23 21:32:50.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.229 [GMT -6:00]
Running from: c:\documents and settings\Donny\Desktop\ComboFix2.exe
Command switches used :: c:\documents and settings\Donny\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\program files\Common Files\dht342126
c:\program files\desktoq.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\system16driver.dat
c:\program files\Common Files\dht342126
c:\program files\desktoq.ini
c:\windows\system32\drivers\lutwcvgo.sys
c:\windows\system32\drivers\vnrcxhlm.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CORE
-------\Legacy_ISODRIVE
-------\Legacy_M_HOOK
-------\Legacy_NPF
-------\Legacy_TDSSSERV.SYS
-------\Legacy_YFJPAYFO
-------\Service_TDSSserv.sys
-------\Service_yfjpayfo


((((((((((((((((((((((((( Files Created from 2008-12-24 to 2009-01-24 )))))))))))))))))))))))))))))))
.

2009-01-10 21:54 . 2009-01-10 21:54 45 --a------ c:\windows\system32\initdebug.nfo
2009-01-10 18:41 . 2009-01-10 18:41 <DIR> d-------- c:\documents and settings\Donny\Application Data\Unity
2009-01-10 18:33 . 2009-01-10 18:33 <DIR> d-------- c:\program files\Unity
2009-01-03 18:16 . 2009-01-03 18:16 <DIR> d--h----- c:\windows\system32\CanonIJ Uninstaller Information
2009-01-03 18:16 . 2009-01-03 18:16 <DIR> d--h----- c:\program files\CanonBJ
2009-01-03 18:16 . 2009-01-03 18:16 <DIR> d--h----- c:\documents and settings\All Users\Application Data\CanonBJ
2009-01-03 18:16 . 2007-10-21 23:00 223,744 --a------ c:\windows\system32\CNMLM97.DLL
2009-01-03 18:15 . 2009-01-03 18:19 <DIR> d-------- c:\program files\Canon
2008-12-28 22:38 . 2008-12-28 22:38 <DIR> d-------- C:\logs
2008-12-26 22:17 . 2008-11-25 12:39 18,560 --a------ c:\windows\system32\drivers\FlyUsb.sys
2008-12-26 22:16 . 2008-12-26 22:16 110 --a------ c:\windows\{CF055C57-A988-42E6-BDAF-E3D94C6973A8}_WiseFW.ini
2008-12-26 22:14 . 2008-12-26 22:14 <DIR> d-------- c:\program files\LeapFrog
2008-12-26 22:14 . 2008-12-26 22:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Leapfrog

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-23 23:41 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-01-14 22:11 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 22:11 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-10 07:48 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-03 23:57 --------- d-----w c:\program files\Lexmark Toolbar
2008-12-29 03:02 --------- d-----w c:\program files\Lx_cats
2008-12-28 23:19 --------- d-----w c:\documents and settings\Donny\Application Data\SmartDraw
2008-12-27 04:16 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-25 04:16 --------- d-----w c:\documents and settings\All Users\Application Data\Gogii
2008-12-24 21:27 --------- d-----w c:\documents and settings\Donny\Application Data\MysteryStudio
2008-12-18 01:48 --------- d-----w c:\documents and settings\All Users\Application Data\NevoSoft Games
2008-12-14 22:05 --------- d-----w c:\program files\Virtools
2008-12-13 00:11 --------- d-----w c:\documents and settings\All Users\Application Data\VirtualFarm
2008-12-09 00:03 --------- d-----w c:\documents and settings\All Users\Application Data\Cached Installations
2008-11-30 07:06 --------- d-----w c:\documents and settings\Donny\Application Data\Pogo Games
.

((((((((((((((((((((((((((((( snapshot@2009-01-23_17.30.53.23 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-01-23 23:29:35 225,985 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
+ 2009-01-24 03:37:23 225,990 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
- 2009-01-23 01:29:50 96,842 ----a-w c:\windows\system32\perfc009.dat
+ 2009-01-23 23:33:27 96,842 ----a-w c:\windows\system32\perfc009.dat
- 2009-01-23 01:29:50 495,322 ----a-w c:\windows\system32\perfh009.dat
+ 2009-01-23 23:33:27 495,322 ----a-w c:\windows\system32\perfh009.dat
+ 2009-01-24 03:35:39 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_510.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 185,896 2007-04-14 18:49:02 c:\program files\Common Files\Real\Update_OB\bak\realsched.exe

----a-w 36,975 2005-11-10 18:03:52 c:\program files\Java\jre1.5.0_06\bin\bak\jusched.exe

----a-w 15,360 2004-08-04 10:00:00 c:\windows\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 10:00:00 c:\windows\system32\ctfmon.exe

----a-w 77,824 2006-03-24 01:13:40 c:\windows\system32\bak\hkcmd.exe
----a-w 163,840 2008-06-18 04:00:17 c:\windows\system32\hkcmd.exe

----a-w 118,784 2006-03-24 01:17:50 c:\windows\system32\bak\igfxpers.exe
----a-w 135,168 2008-06-18 04:00:19 c:\windows\system32\igfxpers.exe

----a-w 94,208 2006-03-24 01:17:04 c:\windows\system32\bak\igfxtray.exe
----a-w 131,072 2008-06-18 04:00:20 c:\windows\system32\igfxtray.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0780E8B2-3AEB-4129-9731-60F98868E0C7}]
c:\windows\system32\browsew.dll [BU]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-17 131072]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-17 163840]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-17 135168]
"lxdcamon"="c:\program files\Lexmark 1300 Series\lxdcamon.exe" [N/A]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-07-04 113664]
Adobe Reader Speed Launch.lnk - d:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]
VPN Client.lnk - c:\windows\Installer\{14FCFE7C-AB86-428A-9D2E-BFB6F5A7AA6E}\Icon3E5562ED7.ico [2008-01-11 6144]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= ir41_32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Monitor]
--a------ 2008-11-25 12:58 356352 d:\program files\LeapFrog\LeapFrog Connect\Monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
c:\program files\QuickTime\bak\bak\qttask.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Shell]
--a------ 2004-08-04 04:00 8384000 c:\windows\system32\shell32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"aawservice"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"d:\\UnrealTournament\\System\\UnrealTournament.exe"=
"d:\\Program Files\\eMule\\emule.exe"=
"d:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"d:\\Program Files\\mIRC\\mirc.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdcjswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdcpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdctime.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"14799:TCP"= 14799:TCP:BitComet 14799 TCP
"14799:UDP"= 14799:UDP:BitComet 14799 UDP
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020

R4 LeapFrog Connect Device Service;LeapFrog Connect Device Service;d:\program files\LeapFrog\LeapFrog Connect\CommandService.exe [2008-11-25 991232]
R4 MSSQL$AUTODEALERSFTWRE;MSSQL$AUTODEALERSFTWRE;c:\program files\Microsoft SQL Server\MSSQL$AUTODEALERSFTWRE\Binn\sqlservr.exe -sAUTODEALERSFTWRE --> c:\program files\Microsoft SQL Server\MSSQL$AUTODEALERSFTWRE\Binn\sqlservr.exe -sAUTODEALERSFTWRE [?]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2008-12-26 18560]
S3 SQLAgent$AUTODEALERSFTWRE;SQLAgent$AUTODEALERSFTWRE;c:\program files\Microsoft SQL Server\MSSQL$AUTODEALERSFTWRE\Binn\sqlagent.EXE -i AUTODEALERSFTWRE --> c:\program files\Microsoft SQL Server\MSSQL$AUTODEALERSFTWRE\Binn\sqlagent.EXE -i AUTODEALERSFTWRE [?]
S3 SQLAgent$CARDEALERDB;SQLAgent$CARDEALERDB;d:\progra~1\MICROS~2\MSSQL$~1\binn\sqlagent.exe -i CARDEALERDB --> d:\progra~1\MICROS~2\MSSQL$~1\binn\sqlagent.exe -i CARDEALERDB [?]
S4 MSSQL$CARDEALERDB;MSSQL$CARDEALERDB;d:\progra~1\MICROS~2\MSSQL$~1\binn\sqlservr.exe -sCARDEALERDB --> d:\progra~1\MICROS~2\MSSQL$~1\binn\sqlservr.exe -sCARDEALERDB [?]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;d:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2005-09-23 2799808]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://www.google.com
FF - ProfilePath - c:\documents and settings\Donny\Application Data\Mozilla\Firefox\Profiles\n9hcjdta.default\
FF - component: c:\documents and settings\Donny\Application Data\Mozilla\Firefox\Profiles\n9hcjdta.default\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}\components\XpcomOpusConnector.dll
FF - component: d:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-23 22:09:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Microsoft SQL Server\MSSQL$AUTODEALERSFTWRE\Binn\sqlservr.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Common Files\Microsoft Shared\DirectX Extensions\DXDebugService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-23 22:14:07 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-24 04:14:04
ComboFix2.txt 2009-01-23 23:34:30

Pre-Run: 1,991,950,336 bytes free
Post-Run: 1,980,379,136 bytes free


DDS Scan:


DDS (Ver_09-01-07.01) - NTFSx86
Run by Donny at 22:24:43.20 on Fri 01/23/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.194 [GMT -6:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
D:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL$AUTODEALERSFTWRE\Binn\sqlservr.exe
C:\Program Files\Common Files\Microsoft Shared\DirectX Extensions\DXDebugService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Donny\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
mStart Page = hxxp://www.google.com
BHO: {0780e8b2-3aeb-4129-9731-60f98868e0c7} - c:\windows\system32\browsew.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [lxdcamon] "c:\program files\lexmark 1300 series\lxdcamon.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - d:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{14fcfe7c-ab86-428a-9d2e-bfb6f5a7aa6e}\Icon3E5562ED7.ico
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - d:\progra~1\spybot~1\SDHelper.dll
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\donny\applic~1\mozilla\firefox\profiles\n9hcjdta.default\
FF - component: c:\documents and settings\donny\application data\mozilla\firefox\profiles\n9hcjdta.default\extensions\{81bf1d23-5f17-408d-ac6b-bd6df7caf670}\components\XpcomOpusConnector.dll

============= SERVICES / DRIVERS ===============

R4 LeapFrog Connect Device Service;LeapFrog Connect Device Service;d:\program files\leapfrog\leapfrog connect\CommandService.exe [2008-11-25 991232]
R4 MSSQL$AUTODEALERSFTWRE;MSSQL$AUTODEALERSFTWRE;c:\program files\microsoft sql server\mssql$autodealersftwre\binn\sqlservr.exe -sautodealersftwre --> c:\program files\microsoft sql server\mssql$autodealersftwre\binn\sqlservr.exe -sAUTODEALERSFTWRE [?]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2008-12-26 18560]
S3 SQLAgent$AUTODEALERSFTWRE;SQLAgent$AUTODEALERSFTWRE;c:\program files\microsoft sql server\mssql$autodealersftwre\binn\sqlagent.exe -i autodealersftwre --> c:\program files\microsoft sql server\mssql$autodealersftwre\binn\sqlagent.EXE -i AUTODEALERSFTWRE [?]
S3 SQLAgent$CARDEALERDB;SQLAgent$CARDEALERDB;d:\progra~1\micros~2\mssql$~1\binn\sqlagent.exe -i cardealerdb --> d:\progra~1\micros~2\mssql$~1\binn\sqlagent.exe -i CARDEALERDB [?]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]
S4 aawservice;Lavasoft Ad-Aware Service;d:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
S4 MSSQL$CARDEALERDB;MSSQL$CARDEALERDB;d:\progra~1\micros~2\mssql$~1\binn\sqlservr.exe -scardealerdb --> d:\progra~1\micros~2\mssql$~1\binn\sqlservr.exe -sCARDEALERDB [?]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;d:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2005-9-23 2799808]
Unknown4 yfjpayfo;yfjpayfo; [x]

=============== Created Last 30 ================

2009-01-22 19:27 <DIR> a-dshr-- C:\cmdcons
2009-01-22 19:17 161,792 a------- c:\windows\SWREG.exe
2009-01-22 19:17 98,816 a------- c:\windows\sed.exe
2009-01-10 21:54 45 a------- c:\windows\system32\initdebug.nfo
2009-01-10 18:41 <DIR> --d----- c:\docume~1\donny\applic~1\Unity
2009-01-10 18:33 <DIR> --d----- c:\program files\Unity
2009-01-03 18:16 223,744 a------- c:\windows\system32\CNMLM97.DLL
2009-01-03 18:15 <DIR> --d----- c:\program files\Canon
2008-12-28 22:38 <DIR> --d----- C:\logs
2008-12-26 22:17 18,560 a------- c:\windows\system32\drivers\FlyUsb.sys
2008-12-26 22:16 110 a------- c:\windows\{CF055C57-A988-42E6-BDAF-E3D94C6973A8}_WiseFW.ini
2008-12-26 22:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Leapfrog
2008-12-26 22:14 <DIR> --d----- c:\program files\LeapFrog

==================== Find3M ====================

2009-01-14 16:11 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 16:11 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-08 13:11 25,992 a------- c:\windows\system32\pgdfgsvc.exe

============= FINISH: 22:24:57.07 ===============

#10 Thunder
Members, 3,294 posts, Location: Belgium

Posted 24 January 2009 - 03:51 PM

Hello Dray1971,

I didn't receive any upload. Was it blocked somehow?
Another easy way to upload a sample file is:
Simply go to http://www.bleepingcomputer.com/submit-malware.php?channel=9
Then:
1. In the first window (Link to topic where this file was requested:) copy and paste this link: http://www.bleepingcomputer.com/forums/topic=194027
2. In the second window (Browse to the file you want to submit:) browse to the C:\Qoobox\Quarantine\[9]Submit@Date_Time.zip file
3. Click the Send file button.
Your Java VM is also out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older-version Java components and update.

Updating Java:
  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 11.
  • Click the Download button to the right of Java SE Runtime Environment (JRE) 6 Update 11 (first option).
  • Select your Platform (Windows version) and check the box that says: I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement
  • Click "Continue" and the page will refresh.
  • Click on the link to download Windows Offline Installation (jre-6u11-windows-i586-p.exe) and save it to your desktop.
  • Close any programs you may have running, especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u11-windows-i586-p.exe to install the newest version.
Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
If I have helped you in any way, please consider a donation to help me continue the fight against malware.
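
The ComboFix and DDS logs posted above, together with Thunder's point about the outdated Java VM, can be triaged mechanically instead of by eye. The script below is an added example written for this page; it is not part of the thread, of ComboFix or of DDS. It re-reads lines excerpted from the logs above (embedded as a constructed sample, SAMPLE_LOG) and reports what a responder would want to see first: the Security Center keys that suppress the antivirus and update warnings, EnableFirewall=0 on the standard profile, globally open ports on a sensitive list (3389/RDP and 135/RPC in this log), AWF entries whose live file does not match the copy in the `bak` subfolder, the browsew.dll BHO that ComboFix marked [BU], and every JRE version referenced by a path that is older than the 6u11 Thunder asks for. REQUIRED_JRE, SENSITIVE_PORTS and the function names are this example's own choices, not ComboFix settings; the [BU] marker is reported exactly as ComboFix printed it, without interpreting it.

```python
import re

# Constructed sample: lines excerpted verbatim from the ComboFix and DDS logs
# posted earlier in this thread. A real run would pass the whole ComboFix.txt.
SAMPLE_LOG = r"""
----a-w 77,824 2006-03-24 01:13:40 c:\windows\system32\bak\hkcmd.exe
----a-w 163,840 2008-06-18 04:00:17 c:\windows\system32\hkcmd.exe
----a-w 15,360 2004-08-04 10:00:00 c:\windows\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 10:00:00 c:\windows\system32\ctfmon.exe
----a-w 36,975 2005-11-10 18:03:52 c:\program files\Java\jre1.5.0_06\bin\bak\jusched.exe
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0780E8B2-3AEB-4129-9731-60F98868E0C7}]
c:\windows\system32\browsew.dll [BU]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"""

# Policy choices of this example (assumptions, not ComboFix settings):
REQUIRED_JRE = (1, 6, 0, 11)             # JRE 6 Update 11, the version asked for above
SENSITIVE_PORTS = {135, 139, 445, 3389}  # RPC endpoint mapper, NetBIOS, SMB, RDP

# AWF lines look like: <attrs> <size> <date> <time> <path>
AWF_RE = re.compile(r"^[-a-z]{7}\s+([\d,]+)\s+\d{4}-\d\d-\d\d\s+\d\d:\d\d:\d\d\s+(.+)$", re.I)
NOTIFY_RE = re.compile(r'^"(\w+DisableNotify)"=dword:([0-9a-f]+)$', re.I)
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*(\d+)', re.I)
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=', re.I)
JRE_RE = re.compile(r"jre(\d+)\.(\d+)\.(\d+)_(\d+)", re.I)


def awf_findings(lines):
    """Pair every '\\bak\\' copy with its live file; flag a missing or different live file."""
    sizes = {}
    for line in lines:
        m = AWF_RE.match(line)
        if not m:
            continue
        size = int(m.group(1).replace(",", ""))
        path = m.group(2).strip().lower()
        kind = "bak" if "\\bak\\" in path else "live"
        sizes.setdefault(path.replace("\\bak\\", "\\"), {})[kind] = size
    out = []
    for live, pair in sorted(sizes.items()):
        if "live" not in pair:
            out.append(f"AWF: bak copy with no live file: {live}")
        elif "bak" in pair and pair["bak"] != pair["live"]:
            out.append(f"AWF: size differs bak={pair['bak']} live={pair['live']}: {live}")
    return out


def protection_findings(lines):
    """Security Center warnings switched off, XP firewall disabled, [BU]-marked loading points."""
    out = []
    for line in lines:
        m = NOTIFY_RE.match(line)
        if m and int(m.group(2), 16) == 1:
            out.append(f"Security Center: {m.group(1)} is set (warnings suppressed)")
        m = FIREWALL_RE.match(line)
        if m and int(m.group(1)) == 0:
            out.append("Firewall: EnableFirewall=0 on the standard profile")
        if line.rstrip().endswith("[BU]"):
            out.append(f"Loading point marked [BU] by ComboFix: {line.strip()}")
    return out


def open_ports(lines):
    """Every GloballyOpenPorts entry as (port, protocol), in log order."""
    return [(int(m.group(1)), m.group(2).upper())
            for m in map(PORT_RE.match, lines) if m]


def open_port_findings(lines):
    ports = open_ports(lines)
    out = [f"Open port exposed to the network: {p}/{proto}"
           for p, proto in ports if p in SENSITIVE_PORTS]
    if len(ports) > 10:
        out.append(f"{len(ports)} globally open ports in total; review each")
    return out


def jre_findings(text):
    """Every JRE version referenced by a path, compared against REQUIRED_JRE."""
    found = sorted({tuple(int(g) for g in m.groups()) for m in JRE_RE.finditer(text)})
    out = ["JRE %d.%d.%d_%02d referenced; older than required %d.%d.%d_%02d" % (v + REQUIRED_JRE)
           for v in found if v < REQUIRED_JRE]
    if len(found) > 1:
        out.append(f"{len(found)} distinct JRE installs referenced; remove all but the current one")
    return out


def triage(text):
    """All findings for one ComboFix/DDS log, as plain strings."""
    lines = text.splitlines()
    return (protection_findings(lines) + open_port_findings(lines)
            + awf_findings(lines) + jre_findings(text))


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Pass the contents of a full ComboFix.txt to triage() to run it on a real log. The AWF size mismatch it reports for hkcmd.exe is a prompt to check the file, not a verdict: the live Intel graphics binaries are dated 2008-06-18 and may simply have been updated after the bak copies were made, so compare the live file's signature and hash before restoring anything from bak. The ctfmon.exe pair, identical in size and date, produces no finding, while the jre1.5.0_06 bak copy with no live counterpart and the two distinct JRE versions (1.5.0_06 and 1.6.0_07, both older than 6u11) match what Thunder asks the poster to clean up.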

#11 dray1971 (Topic Starter)
Members, 8 posts

Posted 26 January 2009 - 09:41 PM

Uploaded the file. Downloading new Java. Everything else appears to be good. Any idea what exactly I had, or was it just random crap?

#12 Thunder
Members, 3,294 posts, Location: Belgium

Posted 27 January 2009 - 05:05 PM

Glad we could help, Dray1971.

You suffered a nasty rootkit infection, accompanied by some packed adware.

You can remove all used tools and folders created in the process.
To remove ComboFix:
Go to Start > Run, and copy and paste the next command in the field: ComboFix /u
Make sure there's a space between ComboFix and /u.
Then press Enter.
This will uninstall ComboFix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Please read this Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date, because older versions may contain security leaks.
To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Please also read Tony Klein's excellent article: How I got Infected in the First Place
and/or Grinler's tutorial on how malware is hidden and installed

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.