
Infected by PWS.Banker/Infostealer Virus


  • This topic is locked
15 replies to this topic

#1 hackeduser

hackeduser

  • Members
  • 9 posts

Posted 18 January 2009 - 10:49 PM

Hello,

About a week ago, I ran a ".exe" file, bad move I know, and I instantly began receiving reports from Windows that a virus had been detected and that there was a security threat. At the time, I had McAfee, which DID detect the Trojan and appeared to have deleted it. However, the virus placed two inappropriate icons on my desktop, which I could not delete. Although it seemed that McAfee got rid of the virus, I still received constant reports from Windows that there was still malicious activity on my computer. There were a few times during which the "blue screen of death" popped up - and I believe Windows said something along the lines of there being a driver error. Before returning to my desktop, the screen went black showing the Windows logo. Beneath it, it said that I had a version of Rapid Antivirus on my computer, which I never intentionally installed myself. I'm sorry for not being able to provide a detailed description of the message, as it has gone away since (see below).

I downloaded a free trial of Trend Micro, which required me to get rid of McAfee. After running a scan, the icons on my desktop seemed to have gone away and the threat messages from Windows have stopped coming up, along with the blue screen of death. However, I am very uneasy as to whether or not the virus is gone. In addition, I tried to connect to Internet Explorer by double-clicking the icon on my desktop, which I always have, and it doesn't respond. I double-click - nothing happens. My wireless Network Connection is up and running as always.

I have searched the internet non-stop for solutions to the PWS Banker/Infostealer virus and have come up empty-handed. It's hard to know which antivirus/antimalware programs can be trusted. Can you help me get my computer running again? I would greatly appreciate it!

A copy of my DDS.txt log is pasted below:

DDS (Ver_09-01-18.01) - NTFSx86
Run by justin lutz at 22:23:24.06 on Sun 01/18/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.405 [GMT -5:00]

AV: Trend Micro Internet Security Pro *On-access scanning disabled* (Updated)
FW: Trend Micro Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
c:\Program Files\RITVPN\cvpnd.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\National Instruments\MAX\nimxs.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\ProToolbarUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\justin lutz\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=laptop
mSearch Page =
mStart Page = hxxp://www.yahoo.com/
uURLSearchHooks: H - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: TSToolbarBHO: {43c6d902-a1c5-45c9-91f6-fd9e90337e18} - c:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll
BHO: {549B5CA7-4A86-11D7-A4DF-000874180BB3} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
BHO: D: {fe2ec97b-c704-3824-8a7a-17b08d21fe04} - c:\windows\system32\xel49740.dll
TB: Trend Micro Toolbar: {ccac5586-44d7-4c43-b64a-f042461a97d2} - c:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [RecordNow!]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [appcfg.exe] c:\windows\system32\appcfg.exe
uRun: [Aim6]
uRun: [msiexec.exe] msiconf.exe
uRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [EPSON Stylus CX4600 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATI9AA.EXE /P26 "EPSON Stylus CX4600 Series" /O6 "USB001" /M "Stylus CX4600"
mRun: [Windows Hosts File] WindowsHosts.exe
mRun: [iTunesHelper] c:\program files\itunes\iTunesHelper.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
mRun: [EPSON Stylus CX4600 Series (Copy 1)] c:\windows\system32\spool\drivers\w32x86\3\E_FATI9AA.EXE /P35 "EPSON Stylus CX4600 Series (Copy 1)" /O6 "USB002" /M "Stylus CX4600"
mRun: [SysUpdate] c:\windows\winupd.exe
mRun: [YcDf5] c:\windows\gcmumga.exe
mRun: [# K"h'9Ӝ3rWc:\program files\istsvc\istsvc.exe] c:\windows\gcmumga.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
mRunServices: [Windows Hosts File] WindowsHosts.exe
dRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
Handler: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - c:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2009-1-14 334352]
R4 Security Activity Dashboard Service;Security Activity Dashboard Service;c:\program files\trend micro\trendsecure\securityactivitydashboard\tmarsvc.exe [2009-1-14 181584]
R4 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2009-1-14 36368]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-3-1 24652]
S3 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2009-1-15 40840]
S3 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2009-1-15 66952]
S3 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2009-1-15 81288]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-1-15 356920]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-1-15 1079176]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-3-16 189792]
S4 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-1-14 49680]
S4 TmPfw;Trend Micro Personal Firewall;c:\program files\trend micro\internet security\TmPfw.exe [2009-1-14 492888]
S4 TmProxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2009-1-14 677128]

=============== Created Last 30 ================

2009-01-15 22:21 81,288 a------- c:\windows\system32\drivers\iksyssec.sys
2009-01-15 22:21 66,952 a------- c:\windows\system32\drivers\iksysflt.sys
2009-01-15 22:21 40,840 a------- c:\windows\system32\drivers\ikfilesec.sys
2009-01-15 22:21 29,576 a------- c:\windows\system32\drivers\kcom.sys
2009-01-15 22:21 <DIR> --d----- c:\program files\Spyware Doctor
2009-01-15 22:21 <DIR> --d----- c:\docume~1\justin~1\applic~1\PC Tools
2009-01-14 20:24 <DIR> --d----- C:\Log
2009-01-14 20:20 <DIR> --d----- c:\windows\LocalSSL
2009-01-14 20:19 144,912 a------- c:\windows\system32\drivers\tmcomm.sys
2009-01-14 20:19 50,192 a------- c:\windows\system32\drivers\tmactmon.sys
2009-01-14 20:19 49,680 a------- c:\windows\system32\drivers\tmevtmgr.sys
2009-01-14 20:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Trend Micro
2009-01-14 20:17 <DIR> --d----- c:\program files\Trend Micro
2009-01-14 20:06 661,808 a------- c:\windows\system32\UfWSC.cpl
2009-01-14 20:06 1,195,384 a------- c:\windows\system32\drivers\vsapint.sys
2009-01-14 20:06 334,352 a------- c:\windows\system32\drivers\TM_CFW.sys
2009-01-14 20:06 205,328 a------- c:\windows\system32\drivers\tmxpflt.sys
2009-01-14 20:06 80,400 a------- c:\windows\system32\drivers\tmtdi.sys
2009-01-14 20:06 36,368 a------- c:\windows\system32\drivers\tmpreflt.sys
2009-01-14 18:55 <DIR> --d----- c:\docume~1\justin~1\applic~1\AdwareAlert
2009-01-09 20:08 <DIR> --d----- c:\windows\pss
2009-01-08 21:55 176,128 a------- c:\windows\system32\xel49740.dll
2009-01-08 21:55 176,128 a------- c:\windows\system32\el49740.dll
2009-01-08 21:55 182,272 a------- c:\program files\common files\Ndm336a2rL.exe

==================== Find3M ====================

2008-12-13 01:40 3,593,216 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 05:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-11 05:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-10-24 06:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 07:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2007-03-16 12:02 1,474 ac------ c:\program files\uninstal.log
2008-09-15 19:47 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091520080916\index.dat

============= FINISH: 22:24:09.26 ===============


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 19 January 2009 - 03:11 AM

Hi,

Please uninstall AdwareAlert and Viewpoint Media Player via Software > Add & Remove Programs. This is because neither is recommended.
Reboot afterwards.
After the reboot, please visit this webpage for instructions on downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 hackeduser

hackeduser
  • Topic Starter

  • Members
  • 9 posts

Posted 19 January 2009 - 07:42 PM

Hi, miekiemoes. Thank you for your reply.

I removed the two programs, as specified, and then rebooted. I then ran ComboFix and obtained the following log file.

Thanks again for your help with this!
___________________________________

ComboFix 09-01-19.03 - justin lutz 2009-01-19 19:19:56.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.421 [GMT -5:00]
Running from: c:\documents and settings\justin lutz\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\justin lutz\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
AV: Trend Micro Internet Security Pro *On-access scanning disabled* (Updated)
FW: Trend Micro Personal Firewall *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\stera.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FOPN
-------\Legacy_RPCPATCH
-------\Legacy_RPCTFTPD


((((((((((((((((((((((((( Files Created from 2008-12-20 to 2009-01-20 )))))))))))))))))))))))))))))))
.

2009-01-15 22:21 . 2009-01-15 23:05 <DIR> d-------- c:\program files\Spyware Doctor
2009-01-15 22:21 . 2009-01-15 22:21 <DIR> d-------- c:\documents and settings\justin lutz\Application Data\PC Tools
2009-01-15 22:21 . 2009-01-17 11:59 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-01-15 22:21 . 2008-08-25 12:36 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2009-01-15 22:21 . 2008-08-25 12:36 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2009-01-15 22:21 . 2008-08-25 12:36 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2009-01-15 22:21 . 2008-06-02 16:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2009-01-14 20:24 . 2009-01-14 20:24 <DIR> d-------- C:\Log
2009-01-14 20:20 . 2009-01-14 20:20 <DIR> d-------- c:\windows\LocalSSL
2009-01-14 20:19 . 2009-01-14 20:05 144,912 --a------ c:\windows\system32\drivers\tmcomm.sys
2009-01-14 20:19 . 2009-01-14 20:05 50,192 --a------ c:\windows\system32\drivers\tmactmon.sys
2009-01-14 20:19 . 2009-01-14 20:05 49,680 --a------ c:\windows\system32\drivers\tmevtmgr.sys
2009-01-14 20:18 . 2009-01-15 22:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\Trend Micro
2009-01-14 20:17 . 2009-01-14 20:19 <DIR> d-------- c:\program files\Trend Micro
2009-01-14 20:06 . 2008-11-26 20:39 1,195,384 --a------ c:\windows\system32\drivers\vsapint.sys
2009-01-14 20:06 . 2009-01-14 20:06 661,808 --a------ c:\windows\system32\UfWSC.cpl
2009-01-14 20:06 . 2009-01-14 20:06 334,352 --a------ c:\windows\system32\drivers\TM_CFW.sys
2009-01-14 20:06 . 2008-11-26 20:42 205,328 --a------ c:\windows\system32\drivers\tmxpflt.sys
2009-01-14 20:06 . 2009-01-14 20:06 80,400 --a------ c:\windows\system32\drivers\tmtdi.sys
2009-01-14 20:06 . 2008-11-26 20:42 36,368 --a------ c:\windows\system32\drivers\tmpreflt.sys
2009-01-14 18:55 . 2009-01-14 18:56 <DIR> d-------- c:\documents and settings\justin lutz\Application Data\AdwareAlert
2009-01-14 18:26 . 2009-01-14 18:27 <DIR> d-------- C:\ERDNT
2009-01-13 17:14 . 2004-05-16 13:49 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Symantec
2009-01-13 17:14 . 2004-05-16 13:35 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Sonic
2009-01-13 17:14 . 2009-01-13 17:14 <DIR> d-------- c:\documents and settings\Administrator
2009-01-08 21:55 . 2009-01-08 21:55 182,272 --a------ c:\program files\Common Files\Ndm336a2rL.exe
2009-01-08 21:55 . 2009-01-08 21:55 176,128 --a------ c:\windows\system32\xel49740.dll
2009-01-08 21:55 . 2009-01-08 21:55 176,128 --a------ c:\windows\system32\el49740.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-19 22:49 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-01-15 00:57 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-15 00:55 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-15 00:23 --------- d-----w c:\program files\Common Files\Network Associates
2009-01-15 00:00 --------- d-----w c:\documents and settings\justin lutz\Application Data\Lavasoft
2009-01-14 23:45 --------- d-----w c:\program files\Java
2008-12-13 19:56 --------- d-----w c:\program files\Hp
2008-12-13 19:55 --------- d-----w c:\program files\Hewlett-Packard
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2007-03-16 17:02 1,474 -c--a-w c:\program files\uninstal.log
2005-10-12 21:04 131,072 ----a-w c:\program files\internet explorer\plugins\LV80ActiveXControl.dll
2008-09-16 00:47 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091520080916\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FE2EC97B-C704-3824-8A7A-17B08D21FE04}]
2009-01-08 21:55 176128 --a------ c:\windows\system32\xel49740.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2009-01-14 497008]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2003-10-07 159744]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-04-07 4730880]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-03-01 200766]
"EPSON Stylus CX4600 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE" [2004-03-04 98304]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2004-01-16 229376]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-01-13 245760]
"EPSON Stylus CX4600 Series (Copy 1)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE" [2004-03-04 98304]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-09-05 180269]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-03-23 217088]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-01-14 970808]
"nwiz"="nwiz.exe" [2004-04-07 c:\windows\system32\nwiz.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2004-01-30 c:\windows\AGRSMMSG.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2009-01-14 497008]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\iexplore.exe]
"Debugger"=c:\windows\system32\wkgszvx.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0stera

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2009-01-14 334352]
R4 Security Activity Dashboard Service;Security Activity Dashboard Service;c:\program files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe [2009-01-14 181584]
R4 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2009-01-14 36368]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-01-15 356920]
S4 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-01-14 49680]
S4 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [2009-01-14 492888]
S4 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2009-01-14 677128]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5713ca5f-e4c1-11dd-99dd-00904b5ddcff}]
\Shell\AutoRun\command - F:\WDSetup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-19 c:\windows\Tasks\AdwareAlert Scheduled Scan.job
- c:\program files\AdwareAlert\AdwareAlert.exe []

2009-01-19 c:\windows\Tasks\AdwareAlert Scheduled Scan.job
- c:\program files\AdwareAlert []
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-appcfg.exe - c:\windows\system32\appcfg.exe
HKCU-Run-RecordNow! - (no file)
HKCU-Run-Aim6 - (no file)
HKCU-Run-msiexec.exe - msiconf.exe
HKLM-Run-QuickTime Task - c:\program files\QuickTime\qttask.exe
HKLM-Run-SysUpdate - c:\windows\winupd.exe
HKLM-Run-YcDf5 - c:\windows\gcmumga.exe
HKLM-Run-# Kh'9Ӝ3rWc:\program files\ISTsvc\istsvc.exe - c:\windows\gcmumga.exe
HKLM-Run-Windows Hosts File - WindowsHosts.exe
HKLM-RunServices-Windows Hosts File - WindowsHosts.exe


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
Handler: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - c:\program files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-19 19:31:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????????P??|?????? ???B???????????????B? ??????
Windows Hosts File = WindowsHosts.exe?
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Windows Hosts File = WindowsHosts.exe?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"# K\"h'9Ӝ3rWc:\\Program Files\\ISTsvc\\istsvc.exe"="c:\\WINDOWS\\gcmumga.exe"
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\drivers\CDAC11BA.EXE
c:\program files\RITVPN\cvpnd.exe
c:\windows\system32\gearsec.exe
c:\windows\system32\lkcitdl.exe
c:\windows\system32\lkads.exe
c:\windows\system32\lktsrv.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\National Instruments\MAX\nimxs.exe
c:\program files\National Instruments\Shared\Security\nidmsrv.exe
c:\windows\system32\nisvcloc.exe
c:\program files\National Instruments\Shared\Tagger\tagsrv.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\Trend Micro\TrendSecure\TISProToolbar\ProToolbarUpdate.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Apoint2K\ApntEx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-19 19:35:49 - machine was rebooted [justin lutz]
ComboFix-quarantined-files.txt 2009-01-20 00:35:46

Pre-Run: 16,132,157,440 bytes free
Post-Run: 16,193,327,104 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

187 --- E O F --- 2009-01-14 02:53:31

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 20 January 2009 - 02:03 AM

Hi,

We're not finished yet... The logs are a bit confusing, because I'm not sure if some orphaned entries are removed now.
Anyway, a next log would show...

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
c:\windows\Tasks\AdwareAlert Scheduled Scan.job
c:\program files\Common Files\Ndm336a2rL.exe
c:\windows\system32\xel49740.dll
c:\windows\system32\el49740.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FE2EC97B-C704-3824-8A7A-17B08D21FE04}]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
"BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,00,00
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\iexplore.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Hosts File"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Windows Hosts File"=-


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

#5 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 20 January 2009 - 02:26 AM

By the way..

About a week ago, I ran a ".exe" file, bad move I know, and I instantly began receiving reports from Windows that a virus had been detected and that there was a security threat

Do you still have that exe or know where to get it? This is because I would like to have the full installer to analyse.
Please answer via PM if you know where I can find it - because we don't want others to see this :thumbup2:

#6 hackeduser

hackeduser
  • Topic Starter

  • Members
  • 9 posts

Posted 20 January 2009 - 07:16 AM

I am at work right now, so I will investigate this evening and try to get that information for you.

Do you think that what you're seeing right now has anything to do with why Internet Explorer will not open? When I try to open it from my Program Files folder, Windows opens a window that says it cannot find iexplore.exe. I ran a search to manually locate it and I found a file with the name "iexplore.exe.mui". Could this be related to the Internet Explorer issue?

Sorry, don't mean to skip ahead to separate topics, just wanted to get your thoughts.

Thanks again!

#7 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 20 January 2009 - 07:38 AM

Hi,

Do you think that what you're seeing right now has anything to do with why Internet Explorer will not open? When I try to open it from my Program Files folder, Windows opens a window that says it cannot find iexplore.exe. I ran a search to manually locate it and I found a file with the name "iexplore.exe.mui". Could this be related to the Internet Explorer issue?

Yes, and my previous instructions should fix that.

The reason you are getting this error is that the malware you were dealing with created a debugger under the Image File Execution Options key in the registry.
This is how it was set in your case:

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\iexplore.exe]
"Debugger"=c:\windows\system32\wkgszvx.exe

So, in this case, a debugger was set for iexplore.exe (your Internet Explorer).
When you launch a program, Windows always checks the registry first to see whether a debugger is present for that program.
So, in this case, there's a debugger present for iexplore.exe (because that's how it was set in the registry). If there's a debugger present, it looks at what the "Debugger" value says. In this case, it refers to c:\windows\system32\wkgszvx.exe (which is malware and a part of the infection you were dealing with).
But... since c:\windows\system32\wkgszvx.exe was already deleted by one of the scanners you've used (most probably Trend Micro), when you launch iexplore.exe, Windows checks for the debugger, sees it in the registry (c:\windows\system32\wkgszvx.exe), but can't load it since the related file is already gone. And that's why you get that error.

My previous instructions will remove the HKLM\software\microsoft\windows nt\currentversion\image file execution options\iexplore.exe key, since this one is not present by default anyway. Such subkeys are only created when people want to add a debugger to it.
Also see here for more info on how exactly this works / what it does: http://blogs.msdn.com/greggm/archive/2005/02/21/377663.aspx
Also see here for more info how this exactly works / what it does: http://blogs.msdn.com/greggm/archive/2005/02/21/377663.aspx

Hope that explains it a bit :thumbup2:
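As an added example (not from this thread, and not part of ComboFix or any other tool mentioned here), the Python script below triages a REGEDIT4-style registry export such as the "Reg Loading Points" section of the ComboFix log: it reports IFEO "Debugger" redirections like the iexplore.exe one explained in this post, and decodes the hex(7) BootExecute value so that the extra "stera" entry, and the clean value used in the CFScript in post #4, can be checked. The sample export embedded in it is constructed for this example, modelled on the log above.

```python
"""Offline triage of a REGEDIT4-style registry export for two persistence
tricks seen in this thread: an Image File Execution Options 'Debugger' value
that hijacks a program launch, and an extra entry appended to the Session
Manager BootExecute list. Example code, not part of ComboFix or any tool."""
import re

IFEO_PREFIX = (r"hkey_local_machine\software\microsoft\windows nt"
               r"\currentversion\image file execution options" + "\\")
SESSION_MANAGER = r"hkey_local_machine\system\currentcontrolset\control\session manager"
CLEAN_BOOTEXECUTE = ["autocheck autochk *"]  # the only default entry on Windows XP

# Constructed sample: the infected state described in the thread, in .reg syntax.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\iexplore.exe]
"Debugger"="c:\\windows\\system32\\wkgszvx.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
"BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,00,\
  73,74,65,72,61,00,00
"""

_VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def decode_multi_sz(hex_bytes):
    """Decode a REGEDIT4 hex(7) byte list (ANSI, one byte per character: each
    string NUL-terminated, list terminated by one extra NUL) into its strings."""
    data = bytes(int(b, 16) for b in hex_bytes.split(",") if b.strip())
    return [s for s in data.decode("latin-1").split("\x00") if s]


def encode_multi_sz(strings):
    """Inverse of decode_multi_sz: the hex(7) byte list for a .reg/CFScript line."""
    data = "".join(s + "\x00" for s in strings) + "\x00"
    return ",".join(f"{b:02x}" for b in data.encode("latin-1"))


def _unescape(text):
    return text.replace('\\"', '"').replace("\\\\", "\\")


def _parse_value(raw):
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"hex\((\d+)\):(.*)", raw, re.I)
    if m and m.group(1) == "7":
        return decode_multi_sz(m.group(2))
    return raw  # other binary types, or the unquoted display form ComboFix prints


def parse_reg_export(text):
    """Return {key path: {value name: value}} for a REGEDIT4 export."""
    # A trailing backslash continues a hex value on the next (indented) line.
    text = re.sub(r",\\\r?\n\s*", ",", text)
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.upper().startswith("REGEDIT"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if current is not None and m:
            name = _unescape(m.group(1)) if m.group(1) is not None else ""
            keys[current][name] = _parse_value(m.group(3))
    return keys


def _value(values, wanted):
    # Registry value names are case-insensitive.
    return next((v for k, v in values.items() if k.lower() == wanted), None)


def find_ifeo_debuggers(keys):
    """(program, debugger) pairs: Windows launches the debugger instead of the program,
    and fails with 'cannot find <program>' when the debugger file is gone."""
    hits = []
    for path, values in keys.items():
        if path.lower().startswith(IFEO_PREFIX):
            debugger = _value(values, "debugger")
            if debugger is not None:
                hits.append((path[len(IFEO_PREFIX):], debugger))
    return hits


def bootexecute_extras(keys):
    """BootExecute entries beyond the default; anything here runs before logon."""
    for path, values in keys.items():
        if path.lower() == SESSION_MANAGER:
            entries = _value(values, "bootexecute") or []
            return [e for e in entries if e not in CLEAN_BOOTEXECUTE]
    return []


if __name__ == "__main__":
    keys = parse_reg_export(SAMPLE_EXPORT)
    for program, debugger in find_ifeo_debuggers(keys):
        print(f"IFEO debugger set for {program}: {debugger}")
    for entry in bootexecute_extras(keys):
        print(f"unexpected BootExecute entry: {entry!r}")
    # The clean replacement value, as it appears in the CFScript line above.
    print('"BootExecute"=hex(7):' + encode_multi_sz(CLEAN_BOOTEXECUTE))
```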

#8 hackeduser

Posted 20 January 2009 - 09:12 AM

Yes, it does. Thank you for the explanation. I'll be back to post this evening.

#9 miekiemoes

  • Malware Response Team
Posted 20 January 2009 - 09:35 AM

OK, read you later.

#10 hackeduser

Posted 20 January 2009 - 09:19 PM

After dragging CFScript onto the ComboFix icon and running ComboFix again, the log file below was created. Internet Explorer now opens when double-clicking the icon on the desktop.

Will you be able to tell for sure if all malware/viruses, etc. have been removed from my computer? Are there additional steps for us to take in eliminating it entirely?

So far, so good... Thank you for your help, miekiemoes!

__________________________________________

ComboFix 09-01-19.03 - justin lutz 2009-01-20 17:57:24.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.466 [GMT -5:00]
Running from: c:\documents and settings\justin lutz\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\justin lutz\Desktop\CFScript.txt
AV: Trend Micro Internet Security Pro *On-access scanning disabled* (Updated)
FW: Trend Micro Personal Firewall *enabled*
* Created a new restore point

FILE ::
c:\program files\Common Files\Ndm336a2rL.exe
c:\windows\system32\el49740.dll
c:\windows\system32\xel49740.dll
c:\windows\Tasks\AdwareAlert Scheduled Scan.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common Files\Ndm336a2rL.exe
c:\windows\system32\el49740.dll
c:\windows\system32\xel49740.dll
c:\windows\Tasks\AdwareAlert Scheduled Scan.job

.
((((((((((((((((((((((((( Files Created from 2008-12-20 to 2009-01-20 )))))))))))))))))))))))))))))))
.

2009-01-15 22:21 . 2009-01-15 23:05 <DIR> d-------- c:\program files\Spyware Doctor
2009-01-15 22:21 . 2009-01-15 22:21 <DIR> d-------- c:\documents and settings\justin lutz\Application Data\PC Tools
2009-01-15 22:21 . 2009-01-17 11:59 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-01-15 22:21 . 2008-08-25 12:36 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2009-01-15 22:21 . 2008-08-25 12:36 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2009-01-15 22:21 . 2008-08-25 12:36 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2009-01-15 22:21 . 2008-06-02 16:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2009-01-14 20:24 . 2009-01-14 20:24 <DIR> d-------- C:\Log
2009-01-14 20:20 . 2009-01-14 20:20 <DIR> d-------- c:\windows\LocalSSL
2009-01-14 20:19 . 2009-01-14 20:05 144,912 --a------ c:\windows\system32\drivers\tmcomm.sys
2009-01-14 20:19 . 2009-01-14 20:05 50,192 --a------ c:\windows\system32\drivers\tmactmon.sys
2009-01-14 20:19 . 2009-01-14 20:05 49,680 --a------ c:\windows\system32\drivers\tmevtmgr.sys
2009-01-14 20:18 . 2009-01-15 22:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\Trend Micro
2009-01-14 20:17 . 2009-01-14 20:19 <DIR> d-------- c:\program files\Trend Micro
2009-01-14 20:06 . 2008-11-26 20:39 1,195,384 --a------ c:\windows\system32\drivers\vsapint.sys
2009-01-14 20:06 . 2009-01-14 20:06 661,808 --a------ c:\windows\system32\UfWSC.cpl
2009-01-14 20:06 . 2009-01-14 20:06 334,352 --a------ c:\windows\system32\drivers\TM_CFW.sys
2009-01-14 20:06 . 2008-11-26 20:42 205,328 --a------ c:\windows\system32\drivers\tmxpflt.sys
2009-01-14 20:06 . 2009-01-14 20:06 80,400 --a------ c:\windows\system32\drivers\tmtdi.sys
2009-01-14 20:06 . 2008-11-26 20:42 36,368 --a------ c:\windows\system32\drivers\tmpreflt.sys
2009-01-14 18:55 . 2009-01-14 18:56 <DIR> d-------- c:\documents and settings\justin lutz\Application Data\AdwareAlert
2009-01-14 18:26 . 2009-01-14 18:27 <DIR> d-------- C:\ERDNT
2009-01-13 17:14 . 2004-05-16 13:49 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Symantec
2009-01-13 17:14 . 2004-05-16 13:35 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Sonic
2009-01-13 17:14 . 2009-01-13 17:14 <DIR> d-------- c:\documents and settings\Administrator

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-19 22:49 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-01-15 00:57 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-15 00:55 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-15 00:23 --------- d-----w c:\program files\Common Files\Network Associates
2009-01-15 00:00 --------- d-----w c:\documents and settings\justin lutz\Application Data\Lavasoft
2009-01-14 23:45 --------- d-----w c:\program files\Java
2008-12-13 19:56 --------- d-----w c:\program files\Hp
2008-12-13 19:55 --------- d-----w c:\program files\Hewlett-Packard
2008-12-13 06:40 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
2008-10-24 11:21 455,296 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 12:36 286,720 ------w c:\windows\system32\dllcache\gdi32.dll
2007-03-16 17:02 1,474 -c--a-w c:\program files\uninstal.log
2005-10-12 21:04 131,072 ----a-w c:\program files\internet explorer\plugins\LV80ActiveXControl.dll
2008-09-16 00:47 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091520080916\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2009-01-14 497008]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2003-10-07 159744]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-04-07 4730880]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-03-01 200766]
"EPSON Stylus CX4600 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE" [2004-03-04 98304]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2004-01-16 229376]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-01-13 245760]
"EPSON Stylus CX4600 Series (Copy 1)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE" [2004-03-04 98304]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-09-05 180269]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-03-23 217088]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-01-14 970808]
"nwiz"="nwiz.exe" [2004-04-07 c:\windows\system32\nwiz.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2004-01-30 c:\windows\AGRSMMSG.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2009-01-14 497008]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2009-01-14 334352]
R4 Security Activity Dashboard Service;Security Activity Dashboard Service;c:\program files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe [2009-01-14 181584]
R4 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2009-01-14 36368]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-01-15 356920]
S4 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-01-14 49680]
S4 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [2009-01-14 492888]
S4 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2009-01-14 677128]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5713ca5f-e4c1-11dd-99dd-00904b5ddcff}]
\Shell\AutoRun\command - F:\WDSetup.exe
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-# Kh'9Ӝ3rWc:\program files\ISTsvc\istsvc.exe - c:\windows\gcmumga.exe


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
Handler: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - c:\program files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-20 18:01:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????????P??|?p???? ???B???????????????B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"# K\"h'9Ӝ3rWc:\\Program Files\\ISTsvc\\istsvc.exe"="c:\\WINDOWS\\gcmumga.exe"
.
Completion time: 2009-01-20 18:03:55
ComboFix-quarantined-files.txt 2009-01-20 23:03:43
ComboFix2.txt 2009-01-20 00:35:51

Pre-Run: 16,186,130,432 bytes free
Post-Run: 16,171,126,784 bytes free

138 --- E O F --- 2009-01-14 02:53:31

#11 miekiemoes

  • Malware Response Team
Posted 21 January 2009 - 02:18 AM

Hi,

Navigate to and delete the following folder:

c:\documents and settings\justin lutz\Application Data\AdwareAlert

It looks like ComboFix is having problems deleting an orphaned entry. That doesn't surprise me, since it has strange characters in the key.
We'll delete it with a regfix (delete the whole key and recreate it again with only the legitimate characters), but for that I need an export of that key first, because the logs above don't show the value data properly.

To do this...
Open Notepad and copy and paste the text in the quote box below into it:

regedit /e look.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
start notepad look.txt

Save this as look.bat, choose to save as *all files, and place it on your desktop.
Double-click on it and Notepad should open.
Copy and paste the contents of it in your next reply.

#12 hackeduser

Posted 21 January 2009 - 05:47 PM

miekiemoes,

AdwareAlert Folder has been deleted. The following contents are a result of double-clicking on the look.bat file:

_______________________________

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\\Program Files\\Apoint2K\\Apoint.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_07\\bin\\jusched.exe\""
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"Cpqset"="C:\\Program Files\\HPQ\\Default Settings\\cpqset.exe"
"EPSON Stylus CX4600 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATI9AA.EXE /P26 \"EPSON Stylus CX4600 Series\" /O6 \"USB001\" /M \"Stylus CX4600\""
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"eabconfg.cpl"="C:\\Program Files\\HPQ\\Quick Launch Buttons\\EabServr.exe /Start"
"EPSON Stylus CX4600 Series (Copy 1)"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATI9AA.EXE /P35 \"EPSON Stylus CX4600 Series (Copy 1)\" /O6 \"USB002\" /M \"Stylus CX4600\""
"# K\"h'9Ӝ3rWC:\\Program Files\\ISTsvc\\istsvc.exe"="C:\\WINDOWS\\gcmumga.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"IntelliPoint"="\"C:\\Program Files\\Microsoft IntelliPoint\\point32.exe\""
"HP Software Update"="C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe"
"UfSeAgnt.exe"="\"C:\\Program Files\\Trend Micro\\Internet Security\\UfSeAgnt.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

#13 miekiemoes

  • Malware Response Team
Posted 21 January 2009 - 05:56 PM

Hi,

Open Notepad and copy and paste the text in the quote box below into it:

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\\Program Files\\Apoint2K\\Apoint.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_07\\bin\\jusched.exe\""
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"Cpqset"="C:\\Program Files\\HPQ\\Default Settings\\cpqset.exe"
"EPSON Stylus CX4600 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATI9AA.EXE /P26 \"EPSON Stylus CX4600 Series\" /O6 \"USB001\" /M \"Stylus CX4600\""
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"eabconfg.cpl"="C:\\Program Files\\HPQ\\Quick Launch Buttons\\EabServr.exe /Start"
"EPSON Stylus CX4600 Series (Copy 1)"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATI9AA.EXE /P35 \"EPSON Stylus CX4600 Series (Copy 1)\" /O6 \"USB002\" /M \"Stylus CX4600\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"IntelliPoint"="\"C:\\Program Files\\Microsoft IntelliPoint\\point32.exe\""
"HP Software Update"="C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe"
"UfSeAgnt.exe"="\"C:\\Program Files\\Trend Micro\\Internet Security\\UfSeAgnt.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

Save this as fix.reg, choose to save as *all files, and place it on your desktop.
Double-click on it and, when it asks you if you want to merge the contents into the registry, click yes/OK.
(In case you are unsure how to create a reg file, take a look here with screenshots.)

Then go to Start > Run and copy and paste the next command into the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Let me know in your next reply how things are now.
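
The IFEO Debugger hijack explained in post #7 and the delete-and-recreate regfix handed out in post #13 can both be worked from a plain regedit /e export like the one look.bat produced. Below is an added example in Python; it is not code from the thread, from ComboFix or from any other tool mentioned here, and every function name in it is my own. It assumes the export has already been decoded (regedit saves .reg files as UTF-16LE, so open them with encoding="utf-16" before handing the text over), and the SAMPLE_REG it parses is constructed to mirror the thread's look.txt and IFEO entries:

```python
import os
import re
from typing import Callable, Dict, List, Tuple

REG_HEADER = "Windows Registry Editor Version 5.00"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample export modelled on the thread's look.txt and IFEO entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\\Program Files\\Apoint2K\\Apoint.exe"
"nwiz"="nwiz.exe /install"
"# K\"h'9Ӝ3rWC:\\Program Files\\ISTsvc\\istsvc.exe"="C:\\WINDOWS\\gcmumga.exe"
"UfSeAgnt.exe"="\"C:\\Program Files\\Trend Micro\\Internet Security\\UfSeAgnt.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"Debugger"="c:\\windows\\system32\\wkgszvx.exe"
'''

_KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
Value = Tuple[str, str, str]  # (unescaped name, unescaped data, raw line)

def unescape(s: str) -> str:
    # regedit writes a backslash as \\ and a double quote as \" inside strings.
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text: str) -> Dict[str, List[Value]]:
    """Map each key path to its values in file order ([-path] lines give an
    empty list). REG_SZ data is unescaped; dword:/hex: data is kept raw."""
    keys: Dict[str, List[Value]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == REG_HEADER or line.startswith(";"):
            continue
        km = _KEY_RE.match(line)
        if km:
            current = km.group(2)
            keys.setdefault(current, [])
            continue
        vm = _VALUE_RE.match(line)
        if vm and current is not None:
            name = "@" if vm.group(1) is None else unescape(vm.group(1))
            data = vm.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = unescape(data[1:-1])
            keys[current].append((name, data, line))
    return keys

def find_ifeo_debuggers(keys: Dict[str, List[Value]],
                        exists: Callable[[str], bool] = os.path.exists
                        ) -> List[Tuple[str, str, bool]]:
    """(target exe, Debugger command, debugger file present) for each IFEO
    subkey carrying a Debugger value. Windows starts that command instead of
    the target, so a missing file is the silent launch failure from post #7.
    gflags and real debuggers set this too: review hits, don't delete blindly."""
    hits = []
    for path, values in keys.items():
        if "\\image file execution options\\" not in path.lower():
            continue
        target = path.rsplit("\\", 1)[1]
        for name, cmd, _ in values:
            if name.lower() == "debugger":
                # First token of the command line, honouring a quoted path.
                exe = cmd[1:cmd.find('"', 1)] if cmd.startswith('"') else cmd.split(" ", 1)[0]
                hits.append((target, cmd, exists(exe)))
    return hits

def find_odd_value_names(keys: Dict[str, List[Value]], key: str) -> List[str]:
    """Value names under `key` containing non-printable-ASCII characters.
    Regedit cannot reliably take such names in its delete dialog, hence the
    thread rebuilds the key. Localized software may use non-ASCII legitimately."""
    return [name for name, _, _ in keys.get(key, [])
            if any(not 0x20 <= ord(c) <= 0x7E for c in name)]

def build_fix_reg(keys: Dict[str, List[Value]], key: str,
                  drop_names: List[str]) -> str:
    """fix.reg that deletes `key` and recreates it without drop_names. [-key]
    wipes subkeys as well, so every exported subkey is written back too (the
    thread's fix.reg recreates OptionalComponents for exactly that reason)."""
    drop, prefix = set(drop_names), key.lower() + "\\"
    lines = [REG_HEADER, "", f"[-{key}]", ""]
    for path, values in keys.items():
        is_key = path.lower() == key.lower()
        if not is_key and not path.lower().startswith(prefix):
            continue
        lines.append(f"[{path}]")
        lines.extend(raw for name, _, raw in values if not (is_key and name in drop))
        lines.append("")
    return "\n".join(lines)

if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    for target, cmd, present in find_ifeo_debuggers(parsed):
        print(f"IFEO Debugger on {target}: {cmd} [{'present' if present else 'MISSING'}]")
    odd = find_odd_value_names(parsed, RUN_KEY)
    print("Run values with odd names:", odd)
    print(build_fix_reg(parsed, RUN_KEY, odd))
```

Run as-is it reports the iexplore.exe Debugger entry as MISSING (the file is gone, which is exactly the state that made Internet Explorer refuse to start) and prints the rebuilt Run key without the entry whose name carries the stray characters. Two caveats worth keeping: an IFEO Debugger value is also set by legitimate tools such as gflags, so each hit needs a look before it is removed, and [-key] deletes subkeys along with the key, which is why the generator writes OptionalComponents back just as the thread's fix.reg does.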

#14 hackeduser

Posted 23 January 2009 - 12:44 PM

miekiemoes,

Well, so far, so good. I did, however, run a virus scan with the Trend Micro trial version that I have, and it found a trojan that it couldn't fix, so it quarantined it. I believe it was a trojan BHO, or something like that. When I get home, I can check for sure and let you know. Are quarantined files still a risk? Is there any way to fix the infected file? Do you have any personal recommendations in terms of what spyware/virus removal software to use for regular protection?

As I said the other day, my internet explorer is back up and running and everything SEEMS relatively normal. Is there any way to be sure that all malware is gone? I'm still just a little nervous about online banking and that sort of thing...


Thanks again for all of your help!

#15 miekiemoes

  • Malware Response Team
Posted 23 January 2009 - 02:27 PM

Hi,

Yes, it is normal that your scanner may still find some leftovers. After all, we can only tell you to delete what we see in logs. Then it's up to the scanners to deal with the rest that we don't see in logs. But... we always make sure first that the malware is not active and running anymore. So, as a matter of fact, whatever your scanners may find afterwards is only leftovers and is not active anymore. So, don't worry.

Are quarantined files still a risk? Is there any way to fix the infected file?

No, a quarantined file is safe. Don't worry about that. And no, you cannot "fix" the file, because the file itself is malware. The fix option is only for viruses/file infectors. A virus (file infector) infects legitimate files as well, and those files should indeed be fixed/disinfected.
In your case, you weren't dealing with viruses (file infectors), so it's OK to quarantine the file. There should be an option to empty the quarantine, though, but it's OK as well to leave it there. It can't do anything anyway.

Glad I could help.

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!



