Port settings keep changing - Smitfraud-c.? virus?


  • This topic is locked
24 replies to this topic

#1 auntna


Posted 08 February 2009 - 10:19 PM

The first problem I noticed was that when I clicked on my Firefox quick start I was not getting the connection screen. When I checked the settings from the windows settings side the manual proxy settings were now unchecked and port 80 had replaced port 5400. Prior to that I had discovered that I was not properly using the Fastlane Accelerator provided by my ISP. I had then changed the settings from Automatic Detect to Manual with 127.0.0.1 and Port 5400 which is what the Fastlane setup had put in. Another activity that I was then doing was trying to convert some MP3 files so I could copy them. I had downloaded a couple converters the last one being DbPoweramp and then subsequently uninstalled.

So I wasn't getting a connect screen through my default browser FF and was also getting knocked offline and error 691 frequently and having to keep changing the port settings back and also retyping my password just to get a connection. I ran a SpyBot scan which found one entry for a Smitfraud-c. _ _ . Can't remember the end, maybe gp? Removed it and found none on subsequent scans. Still was experiencing connection trouble and changes in the port setting. My ISP advised resetting my browsers which I did and this seemed to help. But then began not being able to get a connect screen again through the Firefox only. I've cleaned the registry and run several scans and just at the moment things seem to have straightened out but I am not convinced that all is well. The pattern has been a day or two being okay then the connection problem again where I need to change the windows connection setting from port 80 back to the Fastlane numbers.

I hope this all makes sense to you and you are able to help me to know if I am still infected with a virus or whatnot. I want to go through the HJT preparation just to do all the scans and see if anything else pops up.


#2 KoanYorel

  • Staff Emeritus

Posted 20 February 2009 - 12:20 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 KoanYorel

  • Staff Emeritus

Posted 25 February 2009 - 01:55 PM

Opened at member's request.

Edited by KoanYorel, 26 February 2009 - 04:28 PM.

The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#4 auntna

  • Topic Starter


Posted 26 February 2009 - 05:43 PM

Hi again,

I'm sorry that I was so slow getting back to this. I have been trying to get rid of this thing every day since I posted. This is what I've found so far.
Before the first posting I ran Spybot S&D and found the Smitfraud-C.gp and fixed. But I was still having the problems as described in the first posting. So I then ran AdAware and found:

WIN32.TROJANDOWNLOADER.ZLOB

obj[0]=Regkey : S-1-5-21-1214440339-1383384898-1060284298-1004\software\microsoft\windows\currentversion\ext\stats\{9034a523-d068-4be8-a284-9df278be776e}
obj[1]=Regkey : S-1-5-21-1214440339-1383384898-1060284298-1004\software\microsoft\windows\currentversion\ext\stats\{d46beaa4-a304-40b3-a9da-ec7f7f501f25}
obj[11]=Regkey : software\applications
obj[12]=RegValue : software\applications "65400"
obj[13]=RegValue : software\applications "65401"
obj[14]=RegValue : software\applications "65402"
obj[15]=RegValue : software\applications "65003"
obj[16]=RegValue : software\applications "65333"
obj[17]=RegValue : software\applications "65005"

WIN32.WORM.LOVGATE

obj[2]=Regkey : CLSID\{238D0F23-5DC9-45A6-9BE2-666160C324DD}
obj[3]=Regkey : CLSID\{765035B3-5944-4A94-806B-20EE3415F26F}
obj[4]=Regkey : CLSID\{941A4793-A705-4312-8DFC-C11CA05F397E}
obj[5]=Regkey : CLSID\{E21BE468-5C18-43EB-B0CC-DB93A847D769}
obj[18]=File : c:\program files\essentials codec pack\realmediasplitter.ax

Ran AdAware again this time in safe mode from msconfig and found this:
Quarantined items:
Description: C:\WINDOWS\IsUninst.exe Family Name: Win32.Worm.Brontok Clean status: Success Item ID: 567092 Family ID: 1245

I have been running Spybot several times since in safe mode from msconfig and keep finding this entry now:
Virtumonde (C:\Windows\System32\Zipfldr.dll) This will not go away.

In the middle of all this we installed a new monitor. Don't know if this has any bearing on the Virtumonde problem.

I believe that there is still a problem even though my port settings are now OK and the disconnects are now very infrequent because yesterday while using the computer my Incredimail program went back to its default settings for no reason. I was not even in the program when the default notifier (I use one of the others) came on for an email notify and when I opened the program to send email all the settings were at default and my addresses were gone. I decided to do a system restore to a couple of days earlier to get my addresses and settings back and when windows logged off I noticed that it also had gone back to default log off sound. So there must have been more changes in the whole system. I'm at a loss as to what is going on and how to fix it. I am most worried because I do not have any installation disks for reformatting. I am stuck with what I have in whatever shape it is in. Prior to these problems I was looking for a freeware program that would back up my system in case there was a problem. Too late!

One other question I would have is how to protect my computer from this happening again. I have AVG free, Sygate personal firewall and now have AdAware personal active which I did not have before. I have the Windows security disabled. I thought it might interfere with the other programs.

I am attaching the new scan for you and thanks for your help with this mess.


DDS (Ver_09-02-01.01) - NTFSx86
Run by USER at 17:33:27.01 on Thu 02/26/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_02
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.227 [GMT -5:00]

AV: AVG 7.5.552 *On-access scanning disabled* (Outdated)
FW: Sygate Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\LxrSII1s.exe
C:\Program Files\PDF Complete\pdfsvc.exe
C:\Program Files\Fastlane Web Accelerator\slipcore.exe
C:\Program Files\PDF Complete\pdfsty.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\NetWaiting\netwaiting.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Fastlane Web Accelerator\slipgui.exe
C:\Program Files\IncrediMail\bin\IMApp.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Documents and Settings\USER\Desktop\dds.com

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.550access.com/
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.msn.com
uInternet Connection Wizard,ShellNext = iexplore
BHO: PBlockHelper Class: {4115122b-85ff-4dd3-9515-f075bede5eb5} - c:\program files\fastlane web accelerator\PBHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: {8B79EE88-E62D-4AA8-B530-CC357BA112B7} - No File
TB: {26CB33C5-1F3C-4C52-8B26-29D6E0635770} - No File
uRun: [ModemOnHold] c:\program files\netwaiting\netwaiting.exe
uRun: [IncrediMail] c:\program files\incredimail\bin\IncMail.exe /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SmcService] c:\progra~1\sygate\spf\smc.exe -startgui
mRun: [SlipStream] "c:\program files\fastlane web accelerator\slipcore.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [PDF Complete] "c:\program files\pdf complete\pdfsty.exe"
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [AVG7_CC] c:\progra~1\grisoft\avg7\avgcc.exe /STARTUP
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
dRun: [AVG7_Run] c:\progra~1\grisoft\avg7\avgw.exe /RUNONCE
dRun: [IncrediMail] c:\program files\incredimail\bin\IncMail.exe /c
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\fastlane.lnk - c:\program files\fastlane web accelerator\slipgui.exe
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1224900153653
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash5r42.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\bh3hew56.default\
FF - prefs.js: browser.startup.homepage - hxxps://signin.ebay.com/ws/eBayISAPI.dll?SignIn&ru=http%3A%2F%2Fwww.ebay.com
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 5400
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\program files\mozilla firefox\plugins\npImgCtl.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-10 64160]
R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2008-5-14 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2008-5-14 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2008-5-14 27776]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2008-5-14 10760]
R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2007-6-28 58464]
R2 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avg7\avgamsvr.exe [2008-5-14 418816]
R2 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avg7\avgupsvc.exe [2008-5-14 49664]
R2 AVGEMS;AVG E-mail Scanner;c:\progra~1\grisoft\avg7\avgemc.exe [2008-5-14 406528]
R2 AvgTdi;AVG Network Redirector;c:\windows\system32\drivers\avgtdi.sys [2008-5-14 4960]
R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [2007-9-23 72672]
R2 pdfcDispatcher;PDF Document Manager;c:\program files\pdf complete\pdfsvc.exe [2009-2-20 540448]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 950096]
S4 McAfeeFramework;McAfee Framework Service; [x]
S4 McTaskManager;Network Associates Task Manager; [x]
S4 vsdatant;vsdatant; [x]

=============== Created Last 30 ================


==================== Find3M ====================

2009-02-23 11:26 347,418 a------- c:\windows\pchealth\helpctr\config\cache\Personal_32_1033.dat
2009-01-30 18:49 129,536 a------- c:\windows\system32\Access550HuntingNumbers.dll
2009-01-26 12:06 10,886,008 a------- c:\windows\system32\SpoonUninstall.exe
2008-12-20 18:15 826,368 a------- c:\windows\system32\wininet.dll
2007-10-30 17:11 505,667 a------- c:\program files\mm.rm
2007-10-27 13:29 1,813,872 a------- c:\program files\WLinstaller.exe
2007-09-29 21:01 6,016,952 a------- c:\program files\Firefox Setup 2.0.0.7.exe
2004-07-30 09:56 90,112 a------- c:\program files\common files\PCSBclean.exe
2004-07-26 15:30 291,840 a------- c:\program files\common files\PCSBoff.exe
2003-04-09 13:01 90,112 a------- c:\windows\inf\MdmXSdk.dll

============= FINISH: 17:34:18.71 ===============

Edited by Billy O'Neal, 26 February 2009 - 09:26 PM.


#5 Billy O'Neal

  • Malware Response Team

Posted 26 February 2009 - 09:27 PM

Hello, auntna
We Need to Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

If this tool helped you, please consider a donation to its author.

How to run ComboFix:
  • Please download ComboFix from one of the following mirrors, and save it to your desktop.
  • Disable any running Anti-Virus or Anti-Malware programs. This includes Firewalls, Anti-Virus, Spyware Scanners, etc. Any or all of them may interfere with the running of ComboFix.
  • Double click ComboFix.exe on your desktop.
  • Read and accept (Press Yes) to the disclaimer.
  • For Windows XP Systems: Install the Recovery Console:
    • If you are using Windows XP and do not already have the Recovery Console installed, please ensure your internet connection is active (if possible), and press Yes. If for some reason your internet is not working, please press No. If you are not using Windows XP, you will not be prompted.
    • When prompted to accept the EULA, press OK.
    • Accept Microsoft's EULA (Press Yes).
    • When you are told that the RC is installed correctly, please press YES to continue scanning for malware.
  • ComboFix will run. Simply wait for it to finish.
  • When it finishes, ComboFix will produce a log. Please post that log in your next reply here.
NOTE: If ComboFix will not run, please rename it to GlobRemover.exe and try again!

In your next reply, please include the following:
  • ComboFix.txt

BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#6 auntna

  • Topic Starter


Posted 27 February 2009 - 03:56 PM

I ran the Combo Fix and am posting the results. I hope I did it right. I noticed that a new Internet Explorer shortcut was created on my desktop.


ComboFix 09-02-26.02 - USER 2009-02-27 7:56:24.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.130 [GMT -5:00]
Running from: c:\documents and settings\USER\Desktop\ComboFix.exe
AV: AVG 7.5.552 *On-access scanning disabled* (Outdated)
FW: Sygate Personal Firewall *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\USER\My Documents\My Music\My Music.url
c:\windows\Downloaded Program Files\ODCTOOLS
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe

.
((((((((((((((((((((((((( Files Created from 2009-01-27 to 2009-02-27 )))))))))))))))))))))))))))))))
.

2009-02-24 18:25 . 2009-02-24 18:25 <DIR> d-------- c:\program files\Broderbund
2009-02-22 22:56 . 2009-02-22 22:56 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-20 23:21 . 2009-02-20 23:21 <DIR> d-------- c:\program files\Portrait Displays
2009-02-20 23:21 . 2009-02-20 23:21 <DIR> d-------- c:\program files\Common Files\Portrait Displays
2009-02-20 23:21 . 2009-02-20 23:21 <DIR> d-------- c:\documents and settings\USER\Application Data\DisplayTune
2009-02-20 17:51 . 2009-02-20 17:51 <DIR> d-------- c:\program files\PDF Complete
2009-02-20 17:51 . 2007-04-13 09:44 15,632 --a------ c:\windows\system32\pdfc_port.dll
2009-02-16 10:33 . 2009-02-16 10:33 54,156 --ah----- c:\windows\QTFont.qfn
2009-02-16 10:33 . 2009-02-16 10:33 1,409 --a------ c:\windows\QTFont.for
2009-02-13 19:47 . 2009-02-17 18:26 <DIR> d-------- C:\MyAudio
2009-02-13 19:42 . 2009-02-14 16:07 <DIR> d-------- c:\program files\AoA Audio Extractor
2009-02-10 13:54 . 2009-02-10 13:55 <DIR> d-------- c:\program files\Fastlane Web Accelerator
2009-02-10 11:19 . 2009-02-22 23:53 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-02-09 09:33 . 2009-02-09 09:33 <DIR> d-------- c:\program files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-26 20:43 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-26 14:54 --------- d-----w c:\documents and settings\USER\Application Data\AVG7
2009-02-26 05:17 --------- d-----w c:\program files\The Print Shop 20
2009-02-24 23:25 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-24 23:08 --------- d-----w c:\program files\BHODemon 2
2009-02-23 03:56 --------- d-----w c:\program files\Lavasoft
2009-02-23 03:56 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-02-22 04:59 --------- d-----w c:\documents and settings\USER\Application Data\DVD Flick
2009-02-21 04:19 --------- d-----w c:\program files\Common Files\InstallShield
2009-02-19 18:05 --------- d-----w c:\documents and settings\USER\Application Data\Lavasoft
2009-02-17 23:01 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-17 14:17 --------- d-----w c:\program files\IncrediMail
2009-02-09 21:25 --------- d-----w c:\program files\Essentials Codec Pack
2009-02-08 00:15 --------- d-----w c:\program files\XoftSpySE
2009-02-07 15:04 --------- d-----w c:\program files\CCleaner
2009-02-02 17:09 --------- d-----w c:\documents and settings\USER\Application Data\Uniblue
2009-02-01 13:04 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-30 23:49 129,536 ----a-w c:\windows\system32\Access550HuntingNumbers.dll
2009-01-26 17:06 10,886,008 ----a-w c:\windows\system32\SpoonUninstall.exe
2009-01-24 16:23 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-09 01:26 --------- d-----w c:\program files\Quicken
2009-01-08 23:12 --------- d-----w c:\program files\Common Files\Palo Alto Software
2009-01-08 23:12 --------- d-----w c:\program files\Common Files\Intuit
2009-01-08 23:12 --------- d-----w c:\documents and settings\USER\Application Data\Intuit
2009-01-08 23:11 --------- d-----w c:\documents and settings\All Users\Application Data\Intuit
2008-12-20 23:15 826,368 ----a-w c:\windows\system32\wininet.dll
2007-10-30 22:11 505,667 ----a-w c:\program files\mm.rm
2007-10-27 18:29 1,813,872 ----a-w c:\program files\WLinstaller.exe
2007-09-30 02:01 6,016,952 ----a-w c:\program files\Firefox Setup 2.0.0.7.exe
2004-07-30 14:56 90,112 ----a-w c:\program files\Common Files\PCSBclean.exe
2004-07-26 20:30 291,840 ----a-w c:\program files\Common Files\PCSBoff.exe
2003-04-09 18:01 90,112 ----a-w c:\windows\inf\MdmXSdk.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netwaiting.exe" [2002-08-02 20480]
"IncrediMail"="c:\program files\IncrediMail\bin\IncMail.exe" [2009-02-02 251264]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-10-15 2577632]
"SlipStream"="c:\program files\Fastlane Web Accelerator\slipcore.exe" [2005-08-18 249856]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-10-19 286720]
"PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2007-04-13 331552]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 49152]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2009-02-26 590848]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-02-22 509784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2008-05-14 219136]
"IncrediMail"="c:\program files\IncrediMail\bin\IncMail.exe" [2009-02-02 251264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Fastlane.lnk - c:\program files\Fastlane Web Accelerator\slipgui.exe [2009-02-10 159744]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"McShield"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgw.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgvv.exe"=
"c:\\Program Files\\NetWaiting\\netwaiting.exe"=
"c:\\Program Files\\Outlook Express\\msimn.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-02-10 64160]
R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2007-06-28 58464]
R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [2007-09-23 72672]
R2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [2009-02-20 540448]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 950096]
.
Contents of the 'Scheduled Tasks' folder

2009-02-23 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-02-22 23:51]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.550access.com/
mStart Page = hxxp://www.msn.com
uInternet Connection Wizard,ShellNext = iexplore
TCP: {184060BE-63C3-42F6-B0CD-8D65FBFA3518} = 64.136.173.5 64.136.164.77
FF - ProfilePath - c:\documents and settings\USER\Application Data\Mozilla\Firefox\Profiles\bh3hew56.default\
FF - prefs.js: browser.startup.homepage - hxxps://signin.ebay.com/ws/eBayISAPI.dll?SignIn&ru=http%3A%2F%2Fwww.ebay.com
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 5400
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\program files\Mozilla Firefox\plugins\npImgCtl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-27 07:58:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pdfcDispatcher]
"ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
Completion time: 2009-02-27 8:02:09
ComboFix-quarantined-files.txt 2009-02-27 13:02:06

Pre-Run: 56,700,022,784 bytes free
Post-Run: 56,691,150,848 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

173 --- E O F --- 2009-02-26 05:47:54

#7 Billy O'Neal

  • Malware Response Team

Posted 27 February 2009 - 06:31 PM

Hello, auntna
We need to re-run ComboFix with some additional directives.
  • Please disable any running anti-virus programs.

    If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:
    DDS::
    uStart Page = hxxp://www.550access.com/
    TCP: {184060BE-63C3-42F6-B0CD-8D65FBFA3518} = 64.136.173.5 64.136.164.77
    file::
    c:\windows\system32\SpoonUninstall.exe
    c:\windows\system32\Access550HuntingNumbers.dll
    c:\program files\mm.rm
    c:\program files\Firefox Setup 2.0.0.7.exe
    c:\windows\inf\MdmXSdk.dll
    firefox::
    FF - ProfilePath - c:\documents and settings\USER\Application Data\Mozilla\Firefox\Profiles\bh3hew56.default\
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.http_port - 5400
    FF - prefs.js: network.proxy.type - 1
  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • Drag CFScript.txt into ComboFix.exe.
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Please copy and paste that report here.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

In your next reply, please include the following:
  • ComboFix.txt

BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
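As an added defender-side illustration (not code from this thread, DDS or ComboFix): the proxy and DNS lines the CFScript above targets can be checked mechanically against a known-good baseline instead of being eyeballed in each new log. The script parses the `FF - prefs.js:`, `TCP: {...} =` and `Start Page` lines in the format DDS and ComboFix print, and flags a Firefox proxy that no longer points at the accelerator's 127.0.0.1:5400 (the symptom in the first post) or an interface whose DNS servers are not on a trusted list. The sample lines come from the logs in this thread plus one constructed "reverted" sample; the trusted DNS set is a placeholder you would fill from your ISP's published resolvers.

```python
import re
from typing import Dict, List, Set

# Regexes for the line formats DDS and ComboFix print in their "Pseudo HJT
# Report" / "Supplementary Scan" sections. URLs are defanged there as hxxp,
# so they are kept verbatim and never fetched.
PREF_RE = re.compile(r"^FF - prefs\.js: (?P<key>[\w.]+) - (?P<value>.*)$")
DNS_RE = re.compile(r"^TCP: \{(?P<guid>[0-9A-Fa-f-]+)\} = (?P<servers>.+)$")
START_RE = re.compile(r"^(?P<scope>[um])Start Page = (?P<url>\S+)$")

# Sample 1: lines as they appear in the logs posted in this thread.
LOG_FROM_THREAD = """\
uStart Page = hxxp://www.550access.com/
mStart Page = hxxp://www.msn.com
TCP: {184060BE-63C3-42F6-B0CD-8D65FBFA3518} = 64.136.173.5 64.136.164.77
FF - ProfilePath - c:\\documents and settings\\USER\\Application Data\\Mozilla\\Firefox\\Profiles\\bh3hew56.default\\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 5400
FF - prefs.js: network.proxy.type - 1
"""

# Sample 2 (constructed): the same section after the proxy has been silently
# reverted, which is the symptom described in the first post.
LOG_REVERTED = """\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 80
FF - prefs.js: network.proxy.type - 0
"""


def parse_log(text: str) -> Dict[str, dict]:
    """Pull Firefox prefs, per-interface DNS servers and start pages out of a log."""
    parsed: Dict[str, dict] = {"ff_prefs": {}, "dns": {}, "start_pages": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if m := PREF_RE.match(line):
            parsed["ff_prefs"][m["key"]] = m["value"]
        elif m := DNS_RE.match(line):
            parsed["dns"][m["guid"].upper()] = m["servers"].split()
        elif m := START_RE.match(line):
            parsed["start_pages"][m["scope"]] = m["url"]
    return parsed


def check_proxy(parsed: Dict[str, dict], expected_host: str, expected_port: int) -> List[str]:
    """Flag a Firefox proxy configuration that differs from the accelerator baseline."""
    prefs = parsed["ff_prefs"]
    findings: List[str] = []
    ptype = prefs.get("network.proxy.type")
    # network.proxy.type 1 = manual proxy; 0 = no proxy, i.e. the 'reverted' state
    if ptype != "1":
        findings.append(f"network.proxy.type is {ptype!r}, expected '1' (manual)")
    host, port = prefs.get("network.proxy.http"), prefs.get("network.proxy.http_port")
    if (host, port) != (expected_host, str(expected_port)):
        findings.append(f"HTTP proxy is {host}:{port}, expected {expected_host}:{expected_port}")
    return findings


def check_dns(parsed: Dict[str, dict], trusted: Set[str]) -> List[str]:
    """Flag any interface whose DNS servers are not all on the trusted list."""
    findings: List[str] = []
    for guid, servers in parsed["dns"].items():
        unknown = [s for s in servers if s not in trusted]
        if unknown:
            findings.append(f"interface {{{guid}}} uses unlisted DNS servers: {' '.join(unknown)}")
    return findings


def audit(text: str, expected_host: str, expected_port: int, trusted_dns: Set[str]) -> List[str]:
    """Run both checks over one log and return every deviation found."""
    parsed = parse_log(text)
    return check_proxy(parsed, expected_host, expected_port) + check_dns(parsed, trusted_dns)


if __name__ == "__main__":
    # PLACEHOLDER: replace with the resolver addresses your ISP publishes.
    TRUSTED_DNS = {"64.136.173.5", "64.136.164.77"}
    for name, log in (("thread log", LOG_FROM_THREAD), ("reverted log", LOG_REVERTED)):
        print(name, "->", audit(log, "127.0.0.1", 5400, TRUSTED_DNS) or ["no deviations"])
```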

#8 auntna

  • Topic Starter


Posted 27 February 2009 - 08:38 PM

Here is the new ComboFix log. This time I had to reset my old port settings back from no proxy (I couldn't get any web pages open), rebooted and I also reinstalled my accelerator to be sure it worked.

ComboFix 09-02-27.01 - USER 2009-02-27 19:48:39.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.217 [GMT -5:00]
Running from: c:\documents and settings\USER\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\USER\Desktop\CFScript.txt
AV: AVG 7.5.557 *On-access scanning disabled* (Updated)
FW: Sygate Personal Firewall *disabled*
* Created a new restore point

FILE ::
c:\program files\Firefox Setup 2.0.0.7.exe
c:\program files\mm.rm
c:\windows\inf\MdmXSdk.dll
c:\windows\system32\Access550HuntingNumbers.dll
c:\windows\system32\SpoonUninstall.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Firefox Setup 2.0.0.7.exe
c:\program files\mm.rm
c:\windows\inf\MdmXSdk.dll
c:\windows\system32\Access550HuntingNumbers.dll
c:\windows\system32\SpoonUninstall.exe

.
((((((((((((((((((((((((( Files Created from 2009-01-28 to 2009-02-28 )))))))))))))))))))))))))))))))
.

2009-02-24 18:25 . 2009-02-24 18:25 <DIR> d-------- c:\program files\Broderbund
2009-02-22 22:56 . 2009-02-22 22:56 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-20 23:21 . 2009-02-20 23:21 <DIR> d-------- c:\program files\Portrait Displays
2009-02-20 23:21 . 2009-02-20 23:21 <DIR> d-------- c:\program files\Common Files\Portrait Displays
2009-02-20 23:21 . 2009-02-20 23:21 <DIR> d-------- c:\documents and settings\USER\Application Data\DisplayTune
2009-02-20 17:51 . 2009-02-20 17:51 <DIR> d-------- c:\program files\PDF Complete
2009-02-20 17:51 . 2007-04-13 09:44 15,632 --a------ c:\windows\system32\pdfc_port.dll
2009-02-16 10:33 . 2009-02-16 10:33 54,156 --ah----- c:\windows\QTFont.qfn
2009-02-16 10:33 . 2009-02-16 10:33 1,409 --a------ c:\windows\QTFont.for
2009-02-13 19:47 . 2009-02-27 16:22 <DIR> d-------- C:\MyAudio
2009-02-13 19:42 . 2009-02-14 16:07 <DIR> d-------- c:\program files\AoA Audio Extractor
2009-02-10 13:54 . 2009-02-10 13:55 <DIR> d-------- c:\program files\Fastlane Web Accelerator
2009-02-10 11:19 . 2009-02-22 23:53 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-02-09 09:33 . 2009-02-09 09:33 <DIR> d-------- c:\program files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-27 21:21 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-27 19:06 --------- d-----w c:\documents and settings\USER\Application Data\AVG7
2009-02-26 20:43 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-26 05:17 --------- d-----w c:\program files\The Print Shop 20
2009-02-24 23:25 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-24 23:08 --------- d-----w c:\program files\BHODemon 2
2009-02-23 03:56 --------- d-----w c:\program files\Lavasoft
2009-02-23 03:56 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-02-22 04:59 --------- d-----w c:\documents and settings\USER\Application Data\DVD Flick
2009-02-21 04:19 --------- d-----w c:\program files\Common Files\InstallShield
2009-02-19 18:05 --------- d-----w c:\documents and settings\USER\Application Data\Lavasoft
2009-02-17 14:17 --------- d-----w c:\program files\IncrediMail
2009-02-09 21:25 --------- d-----w c:\program files\Essentials Codec Pack
2009-02-08 00:15 --------- d-----w c:\program files\XoftSpySE
2009-02-07 15:04 --------- d-----w c:\program files\CCleaner
2009-02-02 17:09 --------- d-----w c:\documents and settings\USER\Application Data\Uniblue
2009-02-01 13:04 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-24 16:23 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-09 01:26 --------- d-----w c:\program files\Quicken
2009-01-08 23:12 --------- d-----w c:\program files\Common Files\Palo Alto Software
2009-01-08 23:12 --------- d-----w c:\program files\Common Files\Intuit
2009-01-08 23:12 --------- d-----w c:\documents and settings\USER\Application Data\Intuit
2009-01-08 23:11 --------- d-----w c:\documents and settings\All Users\Application Data\Intuit
2008-12-20 23:15 826,368 ----a-w c:\windows\system32\wininet.dll
2007-10-27 18:29 1,813,872 ----a-w c:\program files\WLinstaller.exe
2004-07-30 14:56 90,112 ----a-w c:\program files\Common Files\PCSBclean.exe
2004-07-26 20:30 291,840 ----a-w c:\program files\Common Files\PCSBoff.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netwaiting.exe" [2002-08-02 20480]
"IncrediMail"="c:\program files\IncrediMail\bin\IncMail.exe" [2009-02-02 251264]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-10-15 2577632]
"SlipStream"="c:\program files\Fastlane Web Accelerator\slipcore.exe" [2005-08-18 249856]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-10-19 286720]
"PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2007-04-13 331552]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 49152]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2009-02-26 590848]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-02-22 509784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2008-05-14 219136]
"IncrediMail"="c:\program files\IncrediMail\bin\IncMail.exe" [2009-02-02 251264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Fastlane.lnk - c:\program files\Fastlane Web Accelerator\slipgui.exe [2009-02-10 159744]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"McShield"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgw.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgvv.exe"=
"c:\\Program Files\\NetWaiting\\netwaiting.exe"=
"c:\\Program Files\\Outlook Express\\msimn.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-02-10 64160]
R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2007-06-28 58464]
R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [2007-09-23 72672]
R2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [2009-02-20 540448]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 950096]
.
Contents of the 'Scheduled Tasks' folder

2009-02-23 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-02-22 23:51]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.msn.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:5400
uInternet Settings,ProxyOverride = <local>;127.0.0.1:5400;*update.microsoft.com;*windowsupdate.com;download.microsoft.com;codecs.microsoft.com;activex.microsoft.com;liveupdate.symantecliveupdate.com;liveupdate.symantec.com;download.mcafee.com;*.phobos.apple.com;update.adobe.com;localhost;www.007guard.com;007guard.com;008i.com;www.008k.com;008k.com;www.00hq.com;00hq.com;010402.com;www.032439.com;032439.com;www.0scan.com;0scan.com;1000gratisproben.com;www.1000gratisproben.com;www.1001namen.com;1001namen.com;www.100888290cs.com;100888290cs.com;www.100sexlinks.com;100sexlinks.com;www.10sek.com;10sek.com;www.1-2005-search.com;1-2005-search.com;123haustiereundmehr.com;www.123haustiereundmehr.com;www.123simsen.com;123simsen.com;123topsearch.com;www.123topsearch.com;125sms.co.uk;www.125sms.co.uk;125sms.com;www.125sms.com;www.132.com;132.com;1337crew.info;www.1337crew.info;www.1337-crew.to;1337-crew.to;136136.net;www.136136.net;150freesms.de;www.150freesms.de;163ns.com;www.163ns.com;171203.com;17-plus.com;1800searchonline.com;www.1800searchonline.com;180searchassistant.com;www.180searchassistant.com;180solutions.com;www.180solutions.com;181.365soft.info;www.181.365soft.info;www.1987324.com;1987324.com;1-domains-registrations.com;www.1-domains-registrations.com;www.1sexparty.com
IE: Show All Original Images - c:\program files\Fastlane Web Accelerator\gui_resource.dll/327
IE: Show Original Image - c:\program files\Fastlane Web Accelerator\gui_resource.dll/328
FF - ProfilePath - c:\documents and settings\USER\Application Data\Mozilla\Firefox\Profiles\bh3hew56.default\
FF - prefs.js: browser.startup.homepage - hxxps://signin.ebay.com/ws/eBayISAPI.dll?SignIn&ru=http%3A%2F%2Fwww.ebay.com
FF - plugin: c:\program files\Mozilla Firefox\plugins\npImgCtl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-27 19:50:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pdfcDispatcher]
"ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
Completion time: 2009-02-27 19:53:14
ComboFix-quarantined-files.txt 2009-02-28 00:53:11
ComboFix2.txt 2009-02-27 13:02:11

Pre-Run: 56,621,821,952 bytes free
Post-Run: 56,595,595,264 bytes free

159 --- E O F --- 2009-02-26 05:47:54
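
Added example (not part of this thread, and not anything ComboFix or BleepingComputer provides): a small Python parser for the sections of a ComboFix-style log that matter most in a "proxy keeps changing" case. It pulls the Run keys, the Security Center override/notify values, the firewall profile flag, and the IE and Firefox proxy lines, then compares the proxy settings against the accelerator's expected 127.0.0.1:5400 from earlier in the thread. The SAMPLE_LOG text is constructed from lines quoted in the log above; TAMPERED_LOG is a constructed snippet of the state the topic starter described (IE proxy on port 80, Firefox no longer on a manual proxy). The Security Center values are a triage prompt, not proof of infection: some antivirus products set them when they register with Security Center.

```python
import re

# Constructed sample: lines copied from the ComboFix log quoted in this thread
# (Reg Loading Points and Supplementary Scan sections), surrounding text omitted.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-10-15 2577632]
"SlipStream"="c:\program files\Fastlane Web Accelerator\slipcore.exe" [2005-08-18 249856]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

uInternet Settings,ProxyServer = http=127.0.0.1:5400
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 5400
FF - prefs.js: network.proxy.type - 1
"""

# Constructed: the state the topic starter described (IE proxy flipped to
# port 80, Firefox no longer set to a manual proxy). Not from any real log.
TAMPERED_LOG = r"""
uInternet Settings,ProxyServer = http=127.0.0.1:80
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 5400
FF - prefs.js: network.proxy.type - 0
"""

REG_HEADER = re.compile(r"^\[(.+)\]$")
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
IE_PROXY = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(.+)$")
FF_PREF = re.compile(r"^FF - prefs\.js: (?P<key>\S+) - (?P<value>.*)$")

SECURITY_CENTER = r"hkey_local_machine\software\microsoft\security center"
FIREWALL_PROFILE = r"hklm\~\services\sharedaccess\parameters\firewallpolicy\standardprofile"


def reg_number(raw):
    """Turn 'dword:00000001' or '0 (0x0)' into an int; None for string values."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"^(\d+)\s*\(0x[0-9a-fA-F]+\)$", raw)
    return int(m.group(1)) if m else None


def parse_log(text):
    """Return (registry sections, IE ProxyServer string, Firefox prefs dict)."""
    sections, ie_proxy, ff_prefs, current = {}, None, {}, None
    for line in text.splitlines():
        line = line.rstrip()
        h = REG_HEADER.match(line)
        if h:                                   # "[HKEY_...]" starts a section
            current = h.group(1).lower()
            sections.setdefault(current, {})
            continue
        if not line:                            # blank line ends a section
            current = None
            continue
        m = IE_PROXY.match(line)
        if m:
            ie_proxy = m.group(1).strip()
            continue
        m = FF_PREF.match(line)
        if m:
            ff_prefs[m.group("key")] = m.group("value").strip()
            continue
        m = REG_VALUE.match(line)
        if m and current is not None:
            sections[current][m.group("name")] = m.group("value")
    return sections, ie_proxy, ff_prefs


def list_autoruns(text):
    """{value name: executable path} for every ...\\CurrentVersion\\Run key."""
    sections, _, _ = parse_log(text)
    autoruns = {}
    for header, values in sections.items():
        if header.endswith(r"\currentversion\run"):
            for name, raw in values.items():
                m = re.match(r'^"([^"]*)"', raw)   # strip the [date size] suffix
                autoruns[name] = m.group(1) if m else raw
    return autoruns


def audit(text, expected_proxy="127.0.0.1:5400"):
    """List the settings a responder should look at first."""
    sections, ie_proxy, ff = parse_log(text)
    findings = []
    # *DisableNotify / *Override = 1 silence Security Center warnings.
    for name, raw in sections.get(SECURITY_CENTER, {}).items():
        if name.endswith(("DisableNotify", "Override")) and reg_number(raw) == 1:
            findings.append(f"Security Center warning suppressed: {name}=1")
    fw = sections.get(FIREWALL_PROFILE, {})
    if reg_number(fw.get("EnableFirewall", "")) == 0:
        findings.append("Windows Firewall standard profile disabled (EnableFirewall=0)")
    if expected_proxy:
        if ie_proxy is None:
            findings.append(f"IE proxy not set; expected {expected_proxy}")
        else:
            host_port = ie_proxy.split("=", 1)[-1]       # "http=host:port" -> "host:port"
            if host_port != expected_proxy:
                findings.append(f"IE proxy is {host_port}, expected {expected_proxy}")
        ptype = ff.get("network.proxy.type")
        if ptype != "1":                                  # 1 = manual proxy configuration
            findings.append(f"Firefox not on a manual proxy (network.proxy.type={ptype})")
        else:
            ff_proxy = f"{ff.get('network.proxy.http')}:{ff.get('network.proxy.http_port')}"
            if ff_proxy != expected_proxy:
                findings.append(f"Firefox proxy is {ff_proxy}, expected {expected_proxy}")
    return findings


if __name__ == "__main__":
    for label, log in (("quoted log", SAMPLE_LOG), ("tampered state", TAMPERED_LOG)):
        print(label, audit(log), list_autoruns(log))
```

Run against the quoted log, audit() reports the three Security Center values and the disabled firewall profile but nothing about the proxies, because both IE and Firefox still point at 127.0.0.1:5400; against the constructed tampered snippet it reports the port-80 IE proxy and the Firefox proxy type that is no longer manual. Pass expected_proxy=None on a machine that is not supposed to use a local accelerator.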

#9 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:10:48 PM

Posted 27 February 2009 - 09:35 PM

Hello, auntna
I would like us to use ESET (NOD32)'s Online Scanner
  • Please go to ESET OnlineScan (NOD32)
  • You will then see the Terms of Use, tick the check-box in front of YES, I accept the Terms of Use
  • Now click Start
  • Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
  • Click Start
    • Note: (the Onlinescanner will now prepare itself for running on your pc)
  • To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan
  • The Onlinescan will now start and scan your pc (this could take a while)
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window
  • Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
  • The Scanresults will now open in Notepad
  • Click into the text area, right-click and choose "select all" (or use <Control>+A)
  • Right-click again and choose "Copy" (or <Control>+C)
  • Close/Exit Notepad
  • Navigate to this thread and post your log along with anything else requested from us, by right-clicking and "paste" (or ctrl+v) in the text area of the reply post you just created.
Note: For Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

In your next reply, please include the following:
  • ESET OnlineScan's Log

BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#10 auntna

auntna
  • Topic Starter

  • Members
  • 121 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Pennsylvania
  • Local time:01:48 AM

Posted 02 March 2009 - 04:20 PM

Hi!

I finally got this scan done and am posting the results below. As a note to anyone who may use this scanner, give it some time between steps 3-4 and 4-5. There is really no indication of anything happening, just be patient. The scan itself took about 50 minutes also.

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3901 (20090302)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=f2d22d645985a24da20591d3cc04f971
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-03-02 09:05:05
# local_time=2009-03-02 04:05:05 (-0500, Eastern Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=223734
# found=0
# scan_time=2972


As a note to my advisor, I downloaded and ran the scan with AVG and the Firewall disabled. The results were negative.

#11 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:10:48 PM

Posted 02 March 2009 - 07:22 PM

Hello, auntna
Lookin good! :thumbup2:

How are things running?

You Need to Update Windows (And other Microsoft Software)
Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

If you are using Windows XP or earlier
Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

If you are using Windows Vista
  • Click the "Start Menu" (or Windows Orb)
  • Click "All Programs"
  • Click "Windows Update"
  • On the left, choose "Change Settings"
  • Ensure that the checkbox "Use Microsoft Update" at the bottom of the window is checked.
  • Press OK and accept the UAC prompt.
    Note: You shouldn't need to check this checkbox every single time you update, only the first time.
  • Click "Check for Updates" in the upper left corner.
  • Follow the instructions to install the latest updates.
  • Reboot and repeat the "Check for Updates" until there are no more critical updates to install
In your next reply, please include the following:
  • A new DDS.txt

BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#12 auntna

auntna
  • Topic Starter

  • Members
  • 121 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Pennsylvania
  • Local time:01:48 AM

Posted 02 March 2009 - 07:57 PM

Hi.

I have my updates setting at Notify but don't automatically download or install so I can choose when and what to install. I am concerned about Service Pack 3. I currently have SP 2 and was not sure if SP 3 was something that could potentially cause a problem so I never installed it. I think I have all current updates besides that one but I can check the updates again. What is your advice on SP 3 before I do that?

#13 auntna

auntna
  • Topic Starter

  • Members
  • 121 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Pennsylvania
  • Local time:01:48 AM

Posted 02 March 2009 - 08:06 PM

Hi again,

Sorry, I didn't answer your question. I haven't had any odd problems since the default settings problem but I did run another Spybot today before the Eset scan and it still found the Virtumonde entry. Is this a problem or not? It is something that wasn't in the Spybot scans previous to this current infection.

What about my flash drive since it had been connected to the computer a few times while it was infected. Is it possible that the virus could have migrated to it too? How do I do a scan of it?

#14 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:10:48 PM

Posted 03 March 2009 - 05:16 PM

Hello, auntna

SP 3 was something that could potentially cause a problem so I never installed it.

Please install SP3. If it causes you any problems, that's why I'm here :thumbup2:

Spybot today before the Eset scan and it still found the Virtumonde entry. Is this a problem or not? It is something that wasn't in the Spybot scans previous to this current infection.

Does it list a location for what it's detecting?

What about my flash drive since it had been connected to the computer a few times while it was infected. Is it possible that the virus could have migrated to it too? How do I do a scan of it?

ESET should have scanned that when you ran ESET. Given the infections which were on this machine, migration to your flash drive is very unlikely.

BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#15 auntna

auntna
  • Topic Starter

  • Members
  • 121 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Pennsylvania
  • Local time:01:48 AM

Posted 05 March 2009 - 09:50 AM

This is the file Spybot finds: Virtumonde (C:\Windows\System32\Zipfldr.dll)

I am still working on the updates. I got the SP3 in. Tried to get the MS .NET Framework 3.5 SP1 and .NET Framework 3.5 Family Update but it failed. It is 248.4 MB in size. I have dial up. It says it will take 39 hours to download. Is this thing necessary?
