
Virus Worm Downadup


3 replies to this topic

#1 ~GR~ (Members, 9 posts)

Posted 20 January 2009 - 11:10 PM

Hello. My sister asked me to look at her computer because she has been having trouble with it for a few days now. I took a look and found that AVG Free Anti-Virus detected a virus/worm called Downadup. I tried to remove it, thinking it to be like any other virus/worm. After it was removed, I received the lovely blue screen of death. I rebooted it, and anytime an application tried to load I received a message saying "The application has failed to start because mstdrkitfw.dll was not found. Re-installing the application may fix this problem" (ironically the programs still worked but to do anything at all I had to go through roughly 5 to 10 of those messages before I could continue on with what I was doing). After a bit of tinkering, I discovered that the Downadup worm was connected to the file mstdrkitfw.dll and, with no other options left, I had to undo my actions by removing it from the virus vault (system restores did not work). I quickly ran a scan with Spybot S&D, which came up with no results, and then Ad-Aware Anniversary Edition, which found the exact same problem as AVG. So I figured perhaps Ad-Aware would be able to remove the threat (I've had this happen in the past where one software could remove a threat another one couldn't), but it did the same thing as the first time I removed it. I have since then undone the virus/worm removal, and have attempted to look for ways to remove this threat. Unfortunately, I have found none. Now I am here. Hopefully I will get some answers here. Any help will be much appreciated as it looks like a lose-lose situation for me.

The file is under C:\WINDOWS\system32\mstdrkitfw.dll if that helps at all.


DDS (Ver_09-01-18.01) - NTFSx86
Run by Christie at 20:49:00.46 on Tue 01/20/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1303 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Christie\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar =
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4061205
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
uURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Aim6]
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [WinampAgent] c:\program files\winamp\winampa.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [DeviceDiscovery] c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wpn311\wlancfg5.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: dellfix.com
Trusted Zone: microsoft.com
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL,avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-1-20 64160]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-21 97928]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-6-21 26824]
R4 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-3 875288]
R4 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-3 231704]
R4 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-6-21 76040]
R4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 942416]
R4 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-1-29 24652]

=============== Created Last 30 ================

2009-01-20 20:19 10,804 a------- c:\windows\system32\mstdrkitfw.dll
2009-01-20 19:51 15,688 a------- c:\windows\system32\lsdelete.exe
2009-01-20 19:26 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-01-20 19:25 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-01-11 20:08 <DIR> --d----- c:\docume~1\christie\applic~1\Windows Search
2009-01-08 19:13 <DIR> --d----- C:\OEMSettings
2009-01-08 19:13 17,801 a------- c:\windows\system32\drivers\AegisP.sys
2009-01-08 19:08 266,360 a------- c:\windows\system32\TweakUI.exe
2009-01-08 19:08 160,217 a------- c:\windows\system32\PowerToysLicense.rtf
2009-01-03 21:25 <DIR> --d----- c:\program files\NETGEAR
2009-01-03 12:30 <DIR> --d----- c:\docume~1\christie\applic~1\Windows Desktop Search
2009-01-03 12:30 <DIR> --d----- c:\windows\system32\GroupPolicy
2009-01-03 12:30 <DIR> --d----- c:\program files\Windows Desktop Search
2009-01-03 12:29 192,000 -------- c:\windows\system32\dllcache\offfilt.dll
2009-01-03 12:29 98,304 -------- c:\windows\system32\dllcache\nlhtml.dll
2009-01-03 12:29 29,696 -------- c:\windows\system32\dllcache\mimefilt.dll
2008-12-22 22:14 <DIR> --d----- c:\program files\iPod
2008-12-22 22:14 <DIR> --d----- c:\program files\iTunes
2008-12-22 22:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

==================== Find3M ====================

2008-12-30 16:23 110,592 a------- c:\windows\system32\imm32.dll
2008-12-12 23:40 3,593,216 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 03:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-11 03:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-10-24 04:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 05:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 05:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2006-12-04 11:57 35,232 a------- c:\windows\inf\wpn311\ME_INST.EXE
2006-12-04 11:57 26,112 a------- c:\windows\inf\wpn311\install.exe
2006-07-05 05:33 472,000 a------- c:\windows\inf\wpn311\WPN311.sys
2008-05-25 17:17 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008052520080526\index.dat

============= FINISH: 20:49:37.29 ===============


#2 Grinler (Lawrence Abrams, Admin, 43,613 posts)

Posted 23 January 2009 - 04:24 PM

Please visit the following link and use the instructions there to post a ComboFix log as a reply to this topic:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

After running ComboFix, please post the ComboFix log as a reply to this

#3 ~GR~ (Topic Starter, Members, 9 posts)

Posted 24 January 2009 - 02:58 AM

Sorry it took so long. Here you go.

ComboFix 09-01-21.04 - Christie 2009-01-24 12:38:30.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1453 [GMT -7:00]
Running from: c:\documents and settings\Christie\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\_005185_.tmp.dll
c:\windows\system32\_005186_.tmp.dll
c:\windows\system32\_005187_.tmp.dll
c:\windows\system32\_005188_.tmp.dll
c:\windows\system32\_005195_.tmp.dll
c:\windows\system32\_005196_.tmp.dll
c:\windows\system32\_005197_.tmp.dll
c:\windows\system32\_005198_.tmp.dll
c:\windows\system32\_005200_.tmp.dll
c:\windows\system32\_005201_.tmp.dll
c:\windows\system32\_005204_.tmp.dll
c:\windows\system32\_005205_.tmp.dll
c:\windows\system32\_005207_.tmp.dll
c:\windows\system32\_005208_.tmp.dll
c:\windows\system32\_005209_.tmp.dll
c:\windows\system32\_005211_.tmp.dll
c:\windows\system32\_005214_.tmp.dll
c:\windows\system32\_005215_.tmp.dll
c:\windows\system32\_005219_.tmp.dll
c:\windows\system32\_005220_.tmp.dll
c:\windows\system32\_005222_.tmp.dll
c:\windows\system32\_005225_.tmp.dll
c:\windows\system32\_005227_.tmp.dll
c:\windows\system32\_005228_.tmp.dll
c:\windows\system32\_005229_.tmp.dll
c:\windows\system32\_005230_.tmp.dll
c:\windows\system32\_005231_.tmp.dll
c:\windows\system32\_005234_.tmp.dll
c:\windows\system32\_005235_.tmp.dll
c:\windows\system32\_005236_.tmp.dll
c:\windows\system32\_005237_.tmp.dll
c:\windows\system32\_005238_.tmp.dll
c:\windows\system32\_005243_.tmp.dll
c:\windows\system32\_005245_.tmp.dll
c:\windows\system32\_005246_.tmp.dll
c:\windows\system32\x64

.
((((((((((((((((((((((((( Files Created from 2008-12-24 to 2009-01-24 )))))))))))))))))))))))))))))))
.

2009-01-23 21:34 . 2009-01-23 21:34 1,374 --a------ c:\windows\imsins.BAK
2009-01-23 21:07 . 2009-01-23 21:07 <DIR> d-------- c:\program files\NetPerSec
2009-01-23 20:50 . 2009-01-23 20:50 <DIR> d-------- c:\documents and settings\Christie\WINDOWS
2009-01-23 20:49 . 2009-01-23 20:49 <DIR> d-------- c:\program files\NexusFont
2009-01-23 20:46 . 2009-01-23 20:46 <DIR> d-------- c:\program files\Metapad351
2009-01-23 20:45 . 2009-01-23 20:45 <DIR> d-------- c:\program files\Desktop Restore
2009-01-23 20:44 . 2009-01-23 20:44 <DIR> d-------- c:\program files\Send To Toys
2009-01-23 20:44 . 2007-02-09 16:46 167,936 --a------ c:\windows\system32\SendToToys.cpl
2009-01-23 20:42 . 2009-01-23 20:42 <DIR> d-------- c:\program files\Defraggler
2009-01-23 20:41 . 2009-01-23 20:41 25,992 --a------ c:\windows\system32\pgdfgsvc.exe
2009-01-23 20:40 . 2009-01-23 20:40 <DIR> d-------- c:\program files\SysInternals PageDefrag
2009-01-23 20:39 . 2009-01-23 20:39 <DIR> d-------- c:\documents and settings\Christie\Application Data\ZipGenius
2009-01-23 20:39 . 2009-01-23 22:32 428 --a------ c:\windows\zipgenius.xml
2009-01-23 20:38 . 2009-01-23 20:38 <DIR> d-------- c:\program files\ZipGenius
2009-01-23 20:11 . 2009-01-23 20:12 <DIR> d-------- c:\program files\ACW
2009-01-23 19:37 . 2009-01-23 19:37 <DIR> d-------- c:\windows\ServicePackFiles
2009-01-23 19:08 . 2009-01-23 19:14 <DIR> d-------- c:\windows\SxsCaPendDel
2009-01-23 19:08 . 2009-01-23 19:09 <DIR> d-------- C:\4c679482f17390e03335eb170d
2009-01-23 19:08 . 2008-07-06 05:06 1,676,288 -----c--- c:\windows\system32\dllcache\xpssvcs.dll
2009-01-23 19:08 . 2008-07-06 03:50 597,504 -----c--- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-01-23 19:08 . 2008-07-06 05:06 575,488 -----c--- c:\windows\system32\dllcache\xpsshhdr.dll
2009-01-23 19:08 . 2008-07-06 05:06 89,088 -----c--- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-01-23 17:30 . 2009-01-23 17:30 132 --ah----- C:\aaw7boot.cmd
2009-01-23 16:09 . 2009-01-23 16:09 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-01-23 16:09 . 2009-01-23 16:09 <DIR> d-------- c:\program files\Adobe Media Player
2009-01-22 23:43 . 2008-10-16 13:38 6,066,176 -----c--- c:\windows\system32\dllcache\ieframe.dll
2009-01-22 23:43 . 2007-04-17 02:32 2,455,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dat
2009-01-22 23:43 . 2007-03-07 22:10 991,232 -----c--- c:\windows\system32\dllcache\ieframe.dll.mui
2009-01-22 23:43 . 2008-10-16 13:38 459,264 -----c--- c:\windows\system32\dllcache\msfeeds.dll
2009-01-22 23:43 . 2008-10-16 13:38 383,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dll
2009-01-22 23:43 . 2008-10-16 13:38 267,776 -----c--- c:\windows\system32\dllcache\iertutil.dll
2009-01-22 23:43 . 2008-10-16 13:38 63,488 -----c--- c:\windows\system32\dllcache\icardie.dll
2009-01-22 23:43 . 2008-10-16 13:38 52,224 -----c--- c:\windows\system32\dllcache\msfeedsbs.dll
2009-01-22 23:43 . 2008-10-16 06:11 13,824 -----c--- c:\windows\system32\dllcache\ieudinit.exe
2009-01-22 21:47 . 2009-01-23 18:48 <DIR> d-------- c:\program files\Seagate
2009-01-22 21:42 . 2008-06-13 04:05 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2009-01-22 21:41 . 2008-08-14 03:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2009-01-22 21:41 . 2008-08-14 03:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-01-22 21:41 . 2008-08-14 02:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-01-22 21:41 . 2008-08-14 02:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2009-01-22 21:41 . 2008-09-15 05:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
2009-01-22 21:40 . 2008-10-15 09:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2009-01-22 21:39 . 2008-10-24 04:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2009-01-22 21:39 . 2008-05-08 07:02 203,136 -----c--- c:\windows\system32\dllcache\rmcast.sys
2009-01-22 21:38 . 2008-04-11 12:04 691,712 -----c--- c:\windows\system32\dllcache\inetcomm.dll
2009-01-22 21:28 . 2008-12-11 03:57 333,952 -----c--- c:\windows\system32\dllcache\srv.sys
2009-01-22 20:56 . 2008-12-12 23:40 3,593,216 -----c--- c:\windows\system32\dllcache\mshtml.dll
2009-01-22 20:40 . 2008-04-13 17:12 8,461,312 --a------ c:\windows\system32\SET531.tmp
2009-01-22 20:39 . 2008-04-13 17:09 285,696 --a------ c:\windows\system32\SET78E.tmp
2009-01-22 20:39 . 2008-04-13 17:11 193,536 --a------ c:\windows\system32\SET7A2.tmp
2009-01-22 20:39 . 2008-04-13 17:11 143,360 --a------ c:\windows\system32\SET79D.tmp
2009-01-22 20:39 . 2008-04-13 17:11 125,952 --a------ c:\windows\system32\SET795.tmp
2009-01-22 20:39 . 2008-04-13 17:11 99,840 --a------ c:\windows\system32\SET79A.tmp
2009-01-22 20:39 . 2008-04-13 17:11 98,304 --a------ c:\windows\system32\SET7A0.tmp
2009-01-22 20:39 . 2008-04-13 17:11 65,024 --a------ c:\windows\system32\SET792.tmp
2009-01-22 20:39 . 2008-04-13 17:11 62,464 --a------ c:\windows\system32\SET78A.tmp
2009-01-22 20:39 . 2008-04-13 17:11 58,880 --a------ c:\windows\system32\SET790.tmp
2009-01-22 20:39 . 2008-04-13 17:11 52,736 --a------ c:\windows\system32\SET786.tmp
2009-01-22 20:39 . 2008-04-13 17:12 44,544 --a------ c:\windows\system32\SET798.tmp
2009-01-22 20:39 . 2008-04-13 17:11 42,496 --a------ c:\windows\system32\SET78B.tmp
2009-01-22 20:39 . 2008-04-13 17:11 29,184 --a------ c:\windows\system32\SET785.tmp
2009-01-22 20:18 . 2009-01-22 21:27 <DIR> d-------- c:\documents and settings\LocalService\Application Data\SACore
2009-01-22 20:08 . 2009-01-24 12:42 21,165 --a------ c:\windows\system32\Config.MPF
2009-01-22 20:07 . 2009-01-22 20:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-01-22 20:07 . 2006-03-03 08:07 143,360 --a------ c:\windows\system32\dunzip32.dll
2009-01-22 20:03 . 2009-01-22 20:03 <DIR> d-------- c:\program files\Common Files\McAfee
2009-01-22 20:03 . 2007-11-22 06:44 201,320 --a------ c:\windows\system32\drivers\mfehidk.sys
2009-01-22 20:03 . 2007-07-13 06:20 113,952 --a------ c:\windows\system32\drivers\Mpfp.sys
2009-01-22 20:03 . 2007-11-22 06:44 79,304 --a------ c:\windows\system32\drivers\mfeavfk.sys
2009-01-22 20:03 . 2007-12-02 12:51 40,488 --a------ c:\windows\system32\drivers\mfesmfk.sys
2009-01-22 20:03 . 2007-11-22 06:44 35,240 --a------ c:\windows\system32\drivers\mfebopk.sys
2009-01-22 20:03 . 2007-11-22 06:44 33,832 --a------ c:\windows\system32\drivers\mferkdk.sys
2009-01-22 19:42 . 2006-07-21 15:46 155,648 --a------ c:\windows\system32\igfxres.dll
2009-01-22 19:34 . 2004-08-10 04:13 73,728 --a--c--- c:\windows\system32\dllcache\ehresja.dll
2009-01-22 19:34 . 2004-08-10 04:13 69,632 --a--c--- c:\windows\system32\dllcache\ehresko.dll
2009-01-22 19:34 . 2004-08-10 04:13 69,632 --a--c--- c:\windows\system32\dllcache\ehresfr.dll
2009-01-22 19:34 . 2004-08-10 04:13 69,632 --a--c--- c:\windows\system32\dllcache\ehresde.dll
2009-01-22 19:34 . 2004-08-10 04:13 61,440 --a--c--- c:\windows\system32\dllcache\ehreschs.dll
2009-01-22 19:32 . 2008-04-13 17:09 13,463,552 --a--c--- c:\windows\system32\dllcache\hwxjpn.dll
2009-01-22 19:31 . 2008-04-13 17:12 364,544 --a--c--- c:\windows\system32\dllcache\npdsplay.dll
2009-01-22 19:29 . 2004-08-10 04:00 16,384 --a--c--- c:\windows\system32\dllcache\isignup.exe
2009-01-22 19:29 . 2009-01-22 19:29 749 -rah----- c:\windows\WindowsShell.Manifest
2009-01-22 19:29 . 2009-01-22 19:29 749 -rah----- c:\windows\system32\wuaucpl.cpl.manifest
2009-01-22 19:29 . 2009-01-22 19:29 749 -rah----- c:\windows\system32\sapi.cpl.manifest
2009-01-22 19:29 . 2009-01-22 19:29 749 -rah----- c:\windows\system32\nwc.cpl.manifest
2009-01-22 19:29 . 2009-01-22 19:29 749 -rah----- c:\windows\system32\ncpa.cpl.manifest
2009-01-22 19:29 . 2009-01-22 19:29 488 -rah----- c:\windows\system32\logonui.exe.manifest
2009-01-22 19:20 . 2009-01-22 19:20 <DIR> d-------- C:\$WINDOWS.~LS
2009-01-22 19:20 . 2009-01-22 19:20 <DIR> d-------- C:\$WINDOWS.~BT
2009-01-22 19:20 . 2009-01-22 19:20 268,435,456 --ahs---- C:\WinPEpge.sys
2009-01-22 19:20 . 2009-01-22 19:20 0 -rahs---- C:\$lsdrive$
2009-01-22 19:20 . 2009-01-22 19:20 0 -rahs---- C:\$installdrive$
2009-01-22 19:20 . 2009-01-22 19:20 0 -rahs---- C:\$bootdrive$
2009-01-22 19:11 . 2004-08-10 04:00 24,661 --a------ c:\windows\system32\spxcoins.dll
2009-01-22 19:11 . 2004-08-10 04:00 24,661 --a--c--- c:\windows\system32\dllcache\spxcoins.dll
2009-01-22 19:11 . 2004-08-10 04:00 13,312 --a------ c:\windows\system32\irclass.dll
2009-01-22 19:11 . 2004-08-10 04:00 13,312 --a--c--- c:\windows\system32\dllcache\irclass.dll
2009-01-22 17:09 . 2009-01-22 17:09 <DIR> d-------- c:\program files\Alwil Software
2009-01-22 17:06 . 2009-01-22 17:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg8
2009-01-22 11:58 . 2009-01-22 11:58 <DIR> d-------- c:\windows\dell
2009-01-21 23:59 . 2009-01-21 23:59 <DIR> d-------- c:\program files\Trend Micro
2009-01-21 20:35 . 2009-01-21 20:36 <DIR> d-------- c:\program files\Windows Live Safety Center
2009-01-21 20:11 . 2009-01-21 20:11 <DIR> d-------- c:\program files\Microsoft
2009-01-21 20:02 . 2009-01-21 20:02 <DIR> d-------- c:\program files\Common Files\Scanner
2009-01-21 20:02 . 2009-01-21 20:02 <DIR> d-------- c:\documents and settings\Christie\Application Data\Yahoo!
2009-01-21 19:15 . 2009-01-21 19:17 32,836 --a------ c:\windows\diagerr.xml
2009-01-21 19:15 . 2009-01-21 19:17 1,905 --a------ c:\windows\diagwrn.xml
2009-01-21 16:01 . 2009-01-21 20:02 <DIR> d-------- c:\program files\CA Yahoo! Anti-Spy
2009-01-21 16:00 . 2009-01-21 16:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo!
2009-01-21 15:56 . 2009-01-22 16:16 29,278 --a------ c:\windows\setupapi.old
2009-01-21 15:44 . 2009-01-21 20:00 <DIR> d-------- c:\documents and settings\Christie\.housecall6.6
2009-01-21 15:44 . 2009-01-21 15:44 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys
2009-01-11 20:08 . 2009-01-11 20:08 <DIR> d-------- c:\documents and settings\Christie\Application Data\Windows Search
2009-01-08 19:13 . 2009-01-08 19:13 <DIR> d-------- C:\OEMSettings
2009-01-08 19:13 . 2009-01-08 19:13 17,801 --a------ c:\windows\system32\drivers\AegisP.sys
2009-01-08 19:08 . 2003-06-25 16:05 266,360 --a------ c:\windows\system32\TweakUI.exe
2009-01-08 19:08 . 2002-06-21 15:09 160,217 --a------ c:\windows\system32\PowerToysLicense.rtf
2009-01-03 21:25 . 2009-01-08 19:13 <DIR> d-------- c:\program files\NETGEAR
2009-01-03 12:32 . 2009-01-03 12:32 <DIR> d-------- c:\program files\Microsoft Silverlight
2009-01-03 12:30 . 2009-01-03 12:30 <DIR> d-------- c:\windows\system32\GroupPolicy
2009-01-03 12:30 . 2009-01-03 12:30 <DIR> d-------- c:\program files\Windows Desktop Search
2009-01-03 12:30 . 2009-01-03 12:30 <DIR> d-------- c:\documents and settings\Christie\Application Data\Windows Desktop Search

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-24 19:41 --------- d-----w c:\program files\Yahoo!
2009-01-24 04:03 --------- d-----w c:\program files\McAfee
2009-01-24 03:37 --------- d-----w c:\program files\CCleaner
2009-01-24 01:41 --------- d-----w c:\program files\Lavasoft
2009-01-24 01:41 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-23 04:45 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-23 03:08 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-01-23 03:03 --------- d-----w c:\program files\McAfee.com
2009-01-23 03:01 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-23 03:01 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-22 22:48 --------- d-----w c:\documents and settings\Christie\Application Data\Corel
2009-01-22 22:39 --------- d-----w c:\program files\Common Files\aolshare
2009-01-22 22:39 --------- d-----w c:\program files\Common Files\AOL
2009-01-22 22:39 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2009-01-22 03:01 --------- d-----w c:\program files\Serif
2009-01-21 01:29 --------- d-----w c:\program files\Google
2009-01-21 01:09 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-21 01:09 --------- d-----w c:\program files\Common Files\InstallShield
2009-01-17 09:40 --------- d-----w c:\program files\Common
2008-12-23 05:15 --------- d-----w c:\program files\iTunes
2008-12-23 05:15 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-23 05:14 --------- d-----w c:\program files\iPod
2008-12-23 05:14 --------- d-----w c:\program files\Common Files\Apple
2008-12-23 05:12 --------- d-----w c:\program files\QuickTime
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-28 395776]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-19 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2007-05-14 35328]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-28 188416]
"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 229437]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-07-21 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-07-21 86016]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-07-21 81920]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 c:\windows\stsystra.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-12-05 24576]
NETGEAR WPN311 Smart Wizard.lnk - c:\program files\NETGEAR\WPN311\wlancfg5.exe [2006-12-04 1503232]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-05-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0pgdfgsvc C 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-01-22 206096]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-01-29 24652]
R4 YahooAUService;Yahoo! Updater;c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe [2008-11-09 602392]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-23 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []

2009-01-23 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2009-01-23 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: dellfix.com
Trusted Zone: microsoft.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-24 12:42:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\acs.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\system32\searchindexer.exe
c:\windows\ehome\mcrdsvc.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2009-01-24 12:46:55 - machine was rebooted [Christie]
ComboFix-quarantined-files.txt 2009-01-24 19:46:51

Pre-Run: 120,554,950,656 bytes free
Post-Run: 120,598,429,696 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

323 --- E O F --- 2009-01-24 02:48:33

#4 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,613 posts
  • Gender:Male
  • Location:USA
  • Local time:08:47 AM

Posted 25 January 2009 - 04:04 PM

Follow the instructions here:

http://www.bleepingcomputer.com/malware-re...nadup-conficker

When done, post the contents of the C:\Win32.Worm.Downladup.Gen.log file as a reply to this topic.



