Slow Computer - Possible Trojan - csrssc.exe,winlognn


  • This topic is locked
9 replies to this topic

#1 Michael63

Michael63

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:36 PM

Posted 11 February 2009 - 11:32 PM

Folder Options missing, Administrator rights such as regedit access denied, some programs won't open, random crashes of Mozilla. I have reformatted my comp twice in the last month in attempts to remove this Trojan (if that's what it is). All I have managed to do is spread it to other computers. It is either on my USB flash drive or my external 1TB hard drive, because it comes back after recopying my files. I have two questions. 1) What to look for on the USB key and/or the hard drive that could be causing this Trojan to reallocate itself? 2) Looking at my HijackThis log, what can I do for this computer without reformatting again? Assuming someone can help with this 2nd question for my computer, I hope you will allow me to post another HijackThis log with another computer's similar problems. Much thanks!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:13:56 PM, on 2/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,
O2 - BHO: C:\WINDOWS\system32\hsfi3ujndf.dll - {C5AF42A3-94F3-42BD-F634-3604832C897D} - C:\WINDOWS\system32\hsfi3ujndf.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\system32\msconfig.exe /auto
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKUS\S-1-5-19\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O22 - SharedTaskScheduler: har78w3uhewf8yurhefd - {C5AF42A3-94F3-42BD-F634-3604832C897D} - C:\WINDOWS\system32\hsfi3ujndf.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 3571 bytes
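For a reader working through a HijackThis log like the one above, the entries worth a second look are the F2 Userinit line (a clean XP install names only userinit.exe there), the O2 and O22 entries whose "name" is a path or a string of random-looking characters, and the O7 line that sets DisableRegedit=1. The script below is an added example, not code from the original post or from BleepingComputer: it parses HijackThis-style lines and flags those three patterns for review. The sample lines are copied from the log above; the section-code regex, the `Finding` class, and the `looks_random` thresholds (letters mixed with digits, or a stem of 8+ characters with under 25% vowels) are my own assumptions rather than anything HijackThis itself defines.

```python
import re
from dataclasses import dataclass

# Sample input: HijackThis lines copied from the log posted above (raw string, so
# the Windows backslashes are kept literally).
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,
O2 - BHO: C:\WINDOWS\system32\hsfi3ujndf.dll - {C5AF42A3-94F3-42BD-F634-3604832C897D} - C:\WINDOWS\system32\hsfi3ujndf.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O22 - SharedTaskScheduler: har78w3uhewf8yurhefd - {C5AF42A3-94F3-42BD-F634-3604832C897D} - C:\WINDOWS\system32\hsfi3ujndf.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Every HijackThis entry starts with a section code such as F2, O2 or O22.
HJT_LINE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")

# On a clean XP system the Userinit value names only userinit.exe.
EXPECTED_USERINIT = {"userinit.exe"}

# Policies reported under O7 that take administrative tools away from the user.
RESTRICTIVE_POLICIES = re.compile(r"\b(DisableRegedit|DisableTaskMgr|NoRun)\s*=\s*1\b")


@dataclass
class Finding:
    section: str
    reason: str
    evidence: str


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def stem(path: str) -> str:
    return basename(path).rsplit(".", 1)[0]


def looks_random(name: str) -> bool:
    """Assumed heuristic: letters mixed with digits, or a long stem with few vowels."""
    s = name.lower()
    if not s:
        return False
    has_digit = any(c.isdigit() for c in s)
    has_alpha = any(c.isalpha() for c in s)
    if has_digit and has_alpha:
        return True
    vowels = sum(c in "aeiou" for c in s)
    return len(s) >= 8 and vowels / len(s) < 0.25


def check_userinit(body: str) -> list:
    """F2: anything chained after userinit.exe runs at every interactive logon."""
    m = re.search(r"UserInit=(.*)$", body, re.IGNORECASE)
    if not m:
        return []
    entries = [e.strip() for e in m.group(1).split(",") if e.strip()]
    return [Finding("F2", "extra executable chained onto Userinit", e)
            for e in entries if basename(e).lower() not in EXPECTED_USERINIT]


def check_named_component(section: str, body: str) -> list:
    """O2/O22 lines read '<label>: <name> - {CLSID} - <path>'; legitimate ones carry a readable name."""
    parts = body.split(": ", 1)[-1].split(" - ")
    if len(parts) != 3:
        return []
    name, _clsid, path = (p.strip() for p in parts)
    if name.lower() == path.lower():
        return [Finding(section, "no display name (name is its own file path)", path)]
    if looks_random(stem(name)) or looks_random(stem(path)):
        return [Finding(section, "machine-generated looking name", f"{name} -> {path}")]
    return []


def check_policy(body: str) -> list:
    """O7: policies that disable regedit or Task Manager are a common tamper-protection trick."""
    m = RESTRICTIVE_POLICIES.search(body)
    return [Finding("O7", "restrictive policy set", m.group(0))] if m else []


def scan(text: str) -> list:
    """Walk the log and collect findings in the order the lines appear."""
    findings = []
    for line in text.strip().splitlines():
        m = HJT_LINE.match(line.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        if section == "F2":
            findings.extend(check_userinit(body))
        elif section in ("O2", "O22"):
            findings.extend(check_named_component(section, body))
        elif section == "O7":
            findings.extend(check_policy(body))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}: {f.evidence}")
```

Run as a script it prints four findings (F2, O2, O7, O22) and stays silent on the O4 and O23 lines, which carry vendor names and known paths. The heuristic is deliberately narrow: it surfaces entries for a human to verify against the file on disk, it does not decide on its own that anything is malicious.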

#2 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:36 PM

Posted 20 February 2009 - 04:32 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.
    Posted Image

  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
    Posted Image
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER.zip to your desktop from any of the links below:
LINK1, LINK2
  • Right click on GMER.zip and select "Extract All".
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click GMER.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.
In your next reply include:
-the ComboFix log
-the GMER scan log

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda

#3 Michael63

Michael63
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:36 PM

Posted 22 February 2009 - 05:58 PM

ComboFix 09-02-21.01 - Administrator 2009-02-22 14:45:45.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1705 [GMT -6:00]
Running from: c:\bit torrents\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2009-01-22 to 2009-02-22 )))))))))))))))))))))))))))))))
.

2009-02-22 14:43 . 2009-02-22 14:44 250 --a------ c:\windows\gmer.ini
2009-02-15 16:40 . 2009-02-17 18:07 54,156 --ah----- c:\windows\QTFont.qfn
2009-02-15 16:40 . 2009-02-15 16:40 1,409 --a------ c:\windows\QTFont.for
2009-02-15 16:32 . 2009-02-15 16:32 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-15 16:32 . 2009-02-15 16:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-15 16:32 . 2009-02-15 16:32 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-02-15 16:32 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-15 16:32 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-12 22:16 . 2009-02-12 22:16 <DIR> d-------- c:\documents and settings\Administrator\Application Data\GameRanger
2009-02-12 18:28 . 2009-02-12 18:43 139,264 --a------ c:\windows\War3Unin.exe
2009-02-12 18:28 . 2009-02-12 18:53 77,221 --a------ c:\windows\War3Unin.dat
2009-02-12 18:28 . 2009-02-12 18:43 2,829 --a------ c:\windows\War3Unin.pif
2009-02-12 18:25 . 2009-02-22 11:09 <DIR> d-------- c:\program files\Warcraft III
2009-02-12 14:16 . 2009-02-12 14:16 <DIR> d-------- c:\program files\Bonjour
2009-02-11 20:13 . 2009-02-11 20:13 <DIR> d-------- c:\program files\Trend Micro
2009-02-11 19:01 . 2009-02-11 19:01 <DIR> d--h----- c:\windows\system32\GroupPolicy
2009-02-10 07:55 . 2009-02-10 08:24 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Move Networks
2009-02-09 15:48 . 2009-02-09 15:48 <DIR> d-------- c:\documents and settings\Administrator\Application Data\DivX
2009-02-09 15:47 . 2009-02-09 15:47 <DIR> d-------- c:\program files\DivX
2009-02-09 15:46 . 2009-02-09 15:46 <DIR> d-------- c:\windows\system32\QuickTime
2009-02-09 15:46 . 2009-02-09 15:46 <DIR> d-------- c:\program files\K-Lite Codec Pack
2009-02-08 19:11 . 2009-02-08 19:11 13,416 --ah----- c:\windows\system32\mlfcache.dat
2009-02-08 17:38 . 2009-02-08 17:40 <DIR> d-------- c:\documents and settings\Administrator\Application Data\LimeWire
2009-02-03 23:24 . 2009-02-09 23:42 <DIR> d-------- c:\documents and settings\Administrator\Application Data\vlc
2009-02-03 22:58 . 2009-02-03 22:58 <DIR> dr-h----- c:\documents and settings\Administrator\Application Data\SecuROM
2009-02-03 22:42 . 2009-02-03 22:42 107,888 --a------ c:\windows\system32\CmdLineExt.dll
2009-02-03 22:40 . 2009-02-03 22:40 <DIR> d-------- c:\windows\system32\xlive
2009-02-03 22:40 . 2009-02-03 22:57 <DIR> d-------- c:\program files\Microsoft Games for Windows - LIVE
2009-02-03 22:40 . 2008-03-05 15:56 3,786,760 --a------ c:\windows\system32\D3DX9_37.dll
2009-02-03 22:40 . 2008-03-05 15:56 1,420,824 --a------ c:\windows\system32\D3DCompiler_37.dll
2009-02-03 22:40 . 2008-02-05 23:07 462,864 --a------ c:\windows\system32\d3dx10_37.dll
2009-02-03 22:40 . 2007-04-04 18:53 81,768 --a------ c:\windows\system32\xinput1_3.dll
2009-02-03 22:00 . 2009-02-03 22:00 <DIR> d-------- c:\program files\MSBuild
2009-02-03 21:57 . 2009-02-03 21:57 <DIR> d-------- c:\windows\system32\XPSViewer
2009-02-03 21:57 . 2009-02-03 21:57 <DIR> d-------- c:\program files\Reference Assemblies
2009-02-03 21:57 . 2006-06-29 13:07 14,048 --------- c:\windows\system32\spmsg2.dll
2009-02-03 21:55 . 2009-02-03 22:03 <DIR> d-------- c:\program files\Rockstar Games
2009-02-03 12:06 . 2009-02-03 12:06 <DIR> d-------- c:\windows\Sun
2009-02-03 11:56 . 2009-02-03 11:56 <DIR> d-------- c:\program files\Common Files\Adobe Systems Shared
2009-02-03 11:56 . 2009-02-03 11:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\Adobe Systems
2009-02-03 11:55 . 2009-02-03 11:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\CyberLink
2009-02-03 11:54 . 2009-02-03 11:55 <DIR> d-------- c:\program files\CyberLink
2009-02-03 11:54 . 2009-02-03 11:54 <DIR> d-------- c:\program files\Common Files\Nero
2009-02-03 11:54 . 2009-02-03 11:54 <DIR> d-------- c:\documents and settings\Administrator\Application Data\DAEMON Tools Pro
2009-02-03 11:54 . 2009-02-03 11:54 <DIR> d-------- c:\documents and settings\Administrator\Application Data\DAEMON Tools
2009-02-03 11:53 . 2009-02-03 11:54 <DIR> d-------- c:\program files\Nero 9
2009-02-03 11:34 . 2009-02-03 11:34 <DIR> d-------- c:\program files\DAEMON Tools Lite
2009-02-03 11:34 . 2009-02-03 11:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-02-03 11:29 . 2009-02-03 11:29 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-02-03 11:08 . 2009-02-03 11:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-02-02 22:24 . 2009-02-03 11:55 <DIR> d-------- c:\documents and settings\Administrator\Application Data\DAEMON Tools Lite
2009-02-02 22:24 . 2009-02-02 22:24 717,296 --a------ c:\windows\system32\drivers\sptd.sys
2009-02-02 22:23 . 2009-02-02 22:23 <DIR> d-------- c:\program files\VideoLAN
2009-02-02 22:22 . 2009-02-02 22:22 <DIR> d-------- c:\program files\uTorrent
2009-02-02 22:22 . 2009-02-12 18:29 <DIR> d-------- c:\documents and settings\Administrator\Application Data\uTorrent
2009-02-02 22:21 . 2009-02-02 22:21 <DIR> d-------- c:\program files\Java
2009-02-02 22:21 . 2009-02-02 22:21 410,984 --a------ c:\windows\system32\deploytk.dll
2009-02-02 22:21 . 2009-02-02 22:21 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-02-02 22:21 . 2009-02-02 22:21 376 --a------ c:\windows\ODBC.INI
2009-02-02 22:20 . 2009-02-02 22:20 <DIR> d-------- c:\windows\SHELLNEW
2009-02-02 22:20 . 2009-02-02 22:20 <DIR> d-------- c:\program files\Microsoft ActiveSync
2009-02-02 22:19 . 2009-02-12 14:17 <DIR> d-------- c:\program files\Safari
2009-02-02 22:19 . 2009-02-02 22:19 <DIR> d-------- c:\program files\LimeWire
2009-02-02 22:19 . 2009-02-02 22:19 0 --a------ c:\windows\nsreg.dat
2009-02-02 22:18 . 2009-02-02 22:18 <DIR> d-------- c:\program files\iTunes
2009-02-02 22:18 . 2009-02-02 22:18 <DIR> d-------- c:\program files\iPod
2009-02-02 22:18 . 2009-02-02 22:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-02-02 22:18 . 2009-02-08 19:10 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Apple Computer
2009-02-02 22:18 . 2008-04-17 13:12 107,368 --a------ c:\windows\system32\GEARAspi.dll
2009-02-02 22:18 . 2008-04-17 13:12 15,464 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys
2009-02-02 22:17 . 2009-02-02 22:18 <DIR> d----c--- c:\windows\system32\DRVSTORE
2009-02-02 22:17 . 2009-02-02 22:18 <DIR> d-------- c:\program files\QuickTime
2009-02-02 22:17 . 2009-02-02 22:18 <DIR> d-------- c:\program files\Common Files\Apple
2009-02-02 22:17 . 2009-02-02 22:17 <DIR> d-------- c:\program files\Apple Software Update
2009-02-02 22:17 . 2009-02-02 22:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2009-02-02 22:17 . 2009-02-02 22:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2009-02-02 22:17 . 2008-11-07 14:23 32,000 --a------ c:\windows\system32\drivers\usbaapl.sys
2009-02-02 22:11 . 2009-02-02 22:11 <DIR> d-------- c:\program files\PowerISO
2009-02-02 22:10 . 2009-02-02 22:10 <DIR> d-------- c:\program files\MagicDVDRipper
2009-02-02 22:10 . 2009-02-02 22:10 34,308 --a------ c:\windows\system32\Chip.dll
2009-02-02 22:09 . 2009-02-02 22:10 <DIR> d-------- c:\program files\Allok MPEG4 Converter
2009-02-02 22:09 . 2004-01-11 08:02 258,048 --a------ c:\windows\system32\GplMpgDec.ax
2009-02-02 22:09 . 2007-04-12 14:19 129,024 --a------ c:\windows\system32\AVERM.dll
2009-02-02 22:09 . 2006-09-26 13:57 28,672 --a------ c:\windows\system32\AVEQT.dll
2009-02-02 22:04 . 2009-02-02 22:04 <DIR> d-------- c:\windows\dog3 dir
2009-02-02 22:04 . 2009-02-02 22:04 471,040 --a------ c:\windows\dog3.scr
2009-02-02 22:00 . 2009-02-02 22:01 <DIR> d-------- c:\windows\dog2 dir
2009-02-02 22:00 . 2009-02-02 22:01 471,040 --a------ c:\windows\dog2.scr
2009-02-02 22:00 . 2009-02-02 22:04 12,288 --a------ c:\windows\impborl.dll
2009-02-02 21:52 . 2009-02-22 13:34 200,819 --a------ c:\windows\system32\nvapps.xml
2009-02-02 21:52 . 2008-10-07 13:33 18,477 --a------ c:\windows\system32\nvdisp.nvu
2009-02-02 21:37 . 2009-02-22 14:43 <DIR> d-------- C:\Bit Torrents
2009-02-02 21:30 . 2009-02-09 14:47 584 --a------ c:\windows\system32\settingsbkup.sfm
2009-02-02 21:30 . 2009-02-09 14:47 584 --a------ c:\windows\system32\settings.sfm
2009-02-02 21:26 . 2009-02-02 21:26 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Logitech
2009-02-02 21:26 . 2004-12-21 16:51 7,794 --a------ c:\windows\vp171b-2.cat
2009-02-02 21:26 . 2005-03-04 05:41 7,786 --a------ c:\windows\g90f-3.cat
2009-02-02 21:26 . 2005-03-03 04:36 7,782 --a------ c:\windows\q51-9.cat
2009-02-02 21:26 . 2004-12-20 11:38 1,224 --a------ c:\windows\VP171b-2.inf
2009-02-02 21:26 . 2005-03-01 16:43 1,204 --a------ c:\windows\Q51-9.inf
2009-02-02 21:26 . 2005-03-01 16:43 1,164 --a------ c:\windows\G90f-3.inf
2009-02-02 21:26 . 2004-09-16 06:18 512 --a------ c:\windows\VP171b-2.icm
2009-02-02 21:26 . 2004-11-04 01:00 512 --a------ c:\windows\Q51-9.icm
2009-02-02 21:26 . 2004-07-23 01:00 512 --a------ c:\windows\G90f-3.icm
2009-02-02 21:25 . 2009-02-02 21:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\LogiShrd
2009-02-02 21:25 . 2008-11-07 16:37 301,656 --a------ c:\windows\system32\BtCoreIf.dll
2009-02-02 21:25 . 2008-11-07 16:38 170,512 --a------ c:\windows\system32\kemutb.dll
2009-02-02 21:25 . 2008-11-07 16:38 145,936 --a------ c:\windows\system32\KemUtil.dll
2009-02-02 21:25 . 2008-11-07 16:38 117,264 --a------ c:\windows\system32\KemWnd.dll
2009-02-02 21:25 . 2008-11-07 16:38 84,496 --a------ c:\windows\system32\KemXML.dll
2009-02-02 21:25 . 2006-10-16 16:10 23,856 --a------ c:\windows\system32\spupdsvc.exe
2009-02-02 21:25 . 2008-09-26 09:52 10,384 --a------ c:\windows\system32\drivers\LBeepKE.sys
2009-02-02 21:25 . 2009-02-02 21:25 0 --ah----- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-02-02 21:25 . 2009-02-02 21:25 0 --ah----- c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2009-02-02 21:25 . 2009-02-02 21:25 0 --ah----- c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2009-02-02 21:24 . 2009-02-02 21:24 <DIR> d-------- c:\program files\Logitech
2009-02-02 21:24 . 2009-02-02 21:25 <DIR> d-------- c:\program files\Common Files\Logishrd
2009-02-02 21:24 . 2009-02-02 21:24 <DIR> d--hs---- c:\documents and settings\All Users\DRM
2009-02-02 21:24 . 2009-02-02 21:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\Logitech
2009-02-02 21:24 . 2009-02-02 21:24 316,640 --a------ c:\windows\WMSysPr9.prx
2009-02-02 21:23 . 2009-02-02 21:23 <DIR> d-------- c:\windows\system32\Data
2009-02-02 21:23 . 2009-02-08 19:16 <DIR> d-------- c:\program files\Creative
2009-02-02 21:23 . 2009-02-08 19:15 405,504 --a------ c:\windows\system32\wrap_oal.dll
2009-02-02 21:23 . 2005-06-27 18:37 133,632 --a------ c:\windows\system32\CtDvInst.dll
2009-02-02 21:23 . 2009-02-08 19:15 86,016 --a------ c:\windows\system32\OpenAL32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-22 16:14 98,304 ----a-w c:\windows\DUMP2e72.tmp
2009-02-22 16:13 98,304 ----a-w c:\windows\DUMP2f8b.tmp
2009-02-22 01:41 98,304 ----a-w c:\windows\DUMP2d49.tmp
2009-02-19 04:54 98,304 ----a-w c:\windows\DUMP2f6c.tmp
2009-02-03 17:54 505,392 ----a-w c:\windows\system32\msvcp71.dll
2008-12-12 17:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
2008-12-12 17:11 61,440 ----a-w c:\windows\system32\dnssd.dll
.

------- Sigcheck -------

2008-10-20 19:39 361600 cbeebeb899e31ef52b962cb31fc8ca5c c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-02-22_14.42.44.59 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-02-22 20:43:49 884,736 ----a-w c:\windows\gmer.dll
+ 2008-04-18 03:13:02 811,008 ----a-w c:\windows\gmer.exe
+ 2009-02-22 20:43:49 85,969 ----a-w c:\windows\system32\drivers\gmer.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2008-04-13 c:\windows\system32\advpack.dll]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-02-02 809488]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-11-07 16:41 72208 c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.3iv2"= 3ivxVfWCodec.dll
"VIDC.HFYU"= huffyuv.dll
"VIDC.VP31"= vp31vfw.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-10-15 01:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDRegion]
--a------ 2008-08-19 11:57 91432 c:\program files\CyberLink\Shared files\brs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-12-29 04:40 687560 c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
--------- 2008-05-14 14:48 62760 c:\program files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-10-07 13:33 13574144 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-10-07 13:33 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVRaidService]
--a------ 2008-08-18 19:01 203296 c:\windows\system32\nvraidservice.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2007-08-06 18:05 200704 c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--------- 2008-07-21 17:32 87336 c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2009-02-02 22:21 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
--a------ 2008-10-10 14:46 69632 c:\windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-10-07 13:33 1630208 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
--a------ 2006-03-17 16:11 81408 c:\windows\system32\P17.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Rockstar Games\\Rockstar Games Social Club\\RGSCLauncher.exe"=
"c:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\LaunchGTAIV.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};c:\program files\CyberLink\PowerDVD\000.fcl [2008-08-04 19:09:16 61424]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2009-02-02 10384]
R3 p17filt;p17filt;c:\windows\system32\drivers\p17filt.sys [2006-03-20 1452032]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b00e4602-f26f-11dd-9dc5-001731151393}]
\Shell\Auto\command - F:\boot.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL boot.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b00e4603-f26f-11dd-9dc5-001731151393}]
\Shell\Auto\command - F:\boot.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL boot.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\yl5wcprw.default\
FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\yl5wcprw.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin.dll
FF - plugin: c:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin2.dll
FF - plugin: c:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin3.dll
FF - plugin: c:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin4.dll
FF - plugin: c:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin5.dll
FF - plugin: c:\program files\K-Lite Codec Pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\real\browser\plugins\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-22 14:46:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\Administrator\Software\SecuROM\License information*]
"datasecu"=hex:4c,ac,1c,bc,97,31,9e,a9,49,92,cf,48,44,da,89,ec,18,a8,55,a3,7e,
e3,88,0b,4f,48,2e,89,10,99,be,9d,1f,87,77,d3,38,78,52,09,8f,89,a7,31,e9,54,\
"rkeysecu"=hex:81,cd,84,7e,61,b1,8c,8d,00,b1,32,e1,6e,6c,2e,a5
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(932)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
Completion time: 2009-02-22 14:46:57
ComboFix-quarantined-files.txt 2009-02-22 20:46:54
ComboFix2.txt 2009-02-22 20:43:05

Pre-Run: 269,565,042,688 bytes free
Post-Run: 269,559,013,376 bytes free

287

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-22 14:50:27
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT spqn.sys ZwCreateKey [0xBA6A80E0]
SSDT spqn.sys ZwEnumerateKey [0xBA6C6CA2]
SSDT spqn.sys ZwEnumerateValueKey [0xBA6C7030]
SSDT spqn.sys ZwOpenKey [0xBA6A80C0]
SSDT spqn.sys ZwQueryKey [0xBA6C7108]
SSDT spqn.sys ZwQueryValueKey [0xBA6C6F88]
SSDT spqn.sys ZwSetValueKey [0xBA6C719A]

INT 0x62 ? 89B5BBF8
INT 0x63 ? 89B5EBF8
INT 0x73 ? 89B5EBF8

---- Kernel code sections - GMER 1.0.14 ----

? spqn.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B9D0A8AC 5 Bytes JMP 89A304E0
.text ax0ao6oi.SYS B98B6386 35 Bytes [ 00, 00, 00, 00, 00, 00, 20, ... ]
.text ax0ao6oi.SYS B98B63AA 24 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text ax0ao6oi.SYS B98B63C4 3 Bytes [ 00, 70, 02 ]
.text ax0ao6oi.SYS B98B63C9 1 Byte [ 2E ]
.text ax0ao6oi.SYS B98B63CB 9 Bytes [ 00, 00, 5C, 02, 00, 00, 00, ... ]
.text ...
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !
? C:\ComboFix\catchme.sys The system cannot find the file specified. !

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [BA6A9040] spqn.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [BA6A913C] spqn.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [BA6A90BE] spqn.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [BA6A97FC] spqn.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [BA6A96D2] spqn.sys
IAT \SystemRoot\System32\Drivers\ax0ao6oi.SYS[HAL.dll!KfAcquireSpinLock] 4B8BDF8B
IAT \SystemRoot\System32\Drivers\ax0ao6oi.SYS[HAL.dll!READ_PORT_UCHAR] 8D3F0304
IAT \SystemRoot\System32\Drivers\ax0ao6oi.SYS[HAL.dll!KeGetCurrentIrql] CB033043
IAT \SystemRoot\System32\Drivers\ax0ao6oi.SYS[HAL.dll!KfRaiseIrql] 0673C13B
IAT \SystemRoot\System32\Drivers\ax0ao6oi.SYS[HAL.dll!KfLowerIrql] C13B0003
IAT \SystemRoot\System32\Drivers\ax0ao6oi.SYS[HAL.dll!HalGetInterruptVector] 8366FA72
IAT \SystemRoot\System32\Drivers\ax0ao6oi.SYS[HAL.dll!HalTranslateBusAddress] 75000E7B
IAT \SystemRoot\System32\Drivers\ax0ao6oi.SYS[HAL.dll!KeStallExecutionProcessor] 0B7D80E3
IAT \SystemRoot\System32\Drivers\ax0ao6oi.SYS[HAL.dll!KfReleaseSpinLock] 307B8D00
IAT \SystemRoot\System32\Drivers\ax0ao6oi.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 00AA840F
IAT \SystemRoot\System32\Drivers\ax0ao6oi.SYS[HAL.dll!READ_PORT_USHORT] 83660000
IAT \SystemRoot\System32\Drivers\ax0ao6oi.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 6A000E7A
IAT \SystemRoot\System32\Drivers\ax0ao6oi.SYS[HAL.dll!WRITE_PORT_UCHAR] C6647400
IAT \SystemRoot\System32\Drivers\ax0ao6oi.SYS[WMILIB.SYS!WmiSystemControl] 4F8B0200
IAT \SystemRoot\System32\Drivers\ax0ao6oi.SYS[WMILIB.SYS!WmiCompleteRequest] 968D5140

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 89BCA1F8
Device \FileSystem\Fastfat \FatCdrom 880AF500
Device \Driver\usbohci \Device\USBPDO-0 89A2F1F8
Device \Driver\usbehci \Device\USBPDO-1 89A361F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 89BCD1F8
Device \Driver\dmio \Device\DmControl\DmConfig 89BCD1F8
Device \Driver\dmio \Device\DmControl\DmPnP 89BCD1F8
Device \Driver\dmio \Device\DmControl\DmInfo 89BCD1F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 89B5C1F8
Device \Driver\Cdrom \Device\CdRom0 89A351F8
Device \Driver\sptd \Device\2056243928 spqn.sys
Device \Driver\Cdrom \Device\CdRom1 89A351F8
Device \Driver\Cdrom \Device\CdRom2 89A351F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 884C61F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{53611ECE-AD42-48CC-804B-40B7C6830EB1} 884C61F8
Device \Driver\NetBT \Device\NetbiosSmb 884C61F8
Device \Driver\PCI_PNP8928 \Device\0000004d spqn.sys
Device \Driver\usbohci \Device\USBFDO-0 89A2F1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{6A8F914E-CDA6-42B7-818D-89145703EE0E} 884C61F8
Device \Driver\usbehci \Device\USBFDO-1 89A361F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 884B2500
Device \FileSystem\MRxSmb \Device\LanmanRedirector 884B2500
Device \Driver\Ftdisk \Device\FtControl 89B5C1F8
Device \Driver\ax0ao6oi \Device\Scsi\ax0ao6oi1Port5Path0Target0Lun0 89A011F8
Device \Driver\ax0ao6oi \Device\Scsi\ax0ao6oi1 89A011F8
Device \Driver\nvgts \Device\Scsi\nvgts1Port3Path1Target1Lun0 89BCB1F8
Device \Driver\nvgts \Device\Scsi\nvgts1 89BCB1F8
Device \Driver\nvgts \Device\Scsi\nvgts2 89BCB1F8
Device \Driver\nvgts \Device\Scsi\nvgts1Port3Path0Target0Lun0 89BCB1F8
Device \FileSystem\Fastfat \Fat 880AF500
Device \FileSystem\Cdfs \Cdfs 884871F8

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x18 0x3F 0x77 0x78 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xC3 0xC5 0xED 0x14 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xFA 0x90 0x87 0x5B ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x18 0x3F 0x77 0x78 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xC3 0xC5 0xED 0x14 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xFA 0x90 0x87 0x5B ...

---- EOF - GMER 1.0.14 ----


I have installed Malwarebytes' Anti-Malware and ran that. I also installed an old game, namely Age of Empires 2, that ran fairly smoothly. One thing I noticed is that after running that anti-malware scan I had many random letter and number named .exe processes running in Task Manager on startup. For now they seem to not be showing for whatever reason though. Also I don't know if this is something completely unrelated, but when Num Lock is on now, and I type some particular letters, I get the letter typed plus some additional adjacent letter coming up; additionally my letter "c" key does not usually work now for some reason, I am pasting in all of my c's currently. THANKS IMMENSELY FOR YOUR TIME!

Edited by Michael63, 22 February 2009 - 05:59 PM.


#4 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:36 PM

Posted 22 February 2009 - 06:33 PM

Hello Michael.

Looks like ComboFix took care of that infection. Did you happen to run ComboFix twice?

I don't think the keyboard problem is related.

Run ComboFix with CFScript
We will run ComboFix again with a script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    
    Suspect::[59]
    c:\windows\dog3.scr
    
    DirLook::
    c:\windows\dog3 dir
    
    Registry::
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b00e4602-f26f-11dd-9dc5-001731151393}]
  • Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
  • Referring to the picture above, drag CFScript into ComboFix.exe.
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

At the end of its run ComboFix will attempt to upload some files. Please make sure you are connected to the Internet before clicking "OK". Kindly remind me in your next reply that samples were uploaded.

Run Scan with Kaspersky
Please do a scan with Kaspersky Online Scanner.

This scan is for Internet Explorer Only.

If you are using Windows Vista, open your browser by right-clicking on its icon and select Run as administrator to perform this scan.

  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

This scanner will only scan. It does not remove any malware it finds.

With Regards,
The Panda

#5 Michael63

Michael63
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:07:36 PM

Posted 26 February 2009 - 04:46 PM

The combo log sample was uploaded. Here is the kaspersky log. Thx again for your time!


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, February 26, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, February 26, 2009 16:23:45
Records in database: 1848664
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
H:\

Scan statistics:
Files scanned: 36990
Threat name: 3
Infected objects: 3
Suspicious objects: 0
Duration of the scan: 00:30:32

File name / Threat name / Threats count
C:\Bit Torrents\regtools.reg.txt Infected: not-a-virus:RiskTool.VBS.DisReg.a 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\AZGPIJ4N\load1[1].exe Infected: Trojan-Downloader.Win32.Agent.bgjh 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\U1UD2V83\us1[1].exe Infected: Trojan-Spy.Win32.Zbot.lxa 1

The selected area was scanned.

#6 Michael63

Michael63
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:07:36 PM

Posted 26 February 2009 - 04:52 PM

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, February 26, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, February 26, 2009 16:23:45
Records in database: 1848664
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
H:\

Scan statistics:
Files scanned: 36990
Threat name: 3
Infected objects: 3
Suspicious objects: 0
Duration of the scan: 00:30:32


File name / Threat name / Threats count
C:\Bit Torrents\regtools.reg.txt Infected: not-a-virus:RiskTool.VBS.DisReg.a 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\AZGPIJ4N\load1[1].exe Infected: Trojan-Downloader.Win32.Agent.bgjh 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\U1UD2V83\us1[1].exe Infected: Trojan-Spy.Win32.Zbot.lxa 1

The selected area was scanned.

#7 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:36 PM

Posted 26 February 2009 - 05:45 PM

Hello.

Download and Run FlashDisinfector
You may have a flash drive infection. These worms travel through your portable drives. If they have been connected to other machines, they may now be infected.
  • Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.

Please take a new HijackThis log.

Tell me of any problems that are still present.

With Regards,
The Panda
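
The note above explains why Flash_Disinfector leaves a hidden autorun.inf folder on every partition and USB drive: a worm that wants to drop its own autorun.inf file cannot, because a folder of that name already occupies the path. The PowerShell script below is an added example for checking that state on your own machine; it is not part of this thread and not code from Flash_Disinfector or its author. It lists each fixed and removable drive and reports whether autorun.inf is absent, present as a folder (the protective placeholder), or present as a file (worth inspecting, since that is what an autorun worm writes). Function names, the WMI class used, and the drive-type filter are the example's own choices; it assumes Windows PowerShell 2.0 or later with WMI available.

```powershell
# Added example (not from the thread, not Flash_Disinfector's code).
# Report the autorun.inf state on every fixed and removable drive.
# Win32_LogicalDisk DriveType: 2 = removable, 3 = fixed local disk.
function Get-AutorunStatus {
    param(
        [int[]]$DriveTypes = @(2, 3)
    )
    # Get-WmiObject works on Windows PowerShell 2.0 (the XP era of this thread);
    # on PowerShell 3.0+ Get-CimInstance -ClassName Win32_LogicalDisk is equivalent.
    Get-WmiObject -Class Win32_LogicalDisk |
        Where-Object { $DriveTypes -contains $_.DriveType } |
        ForEach-Object {
            $root = $_.DeviceID + '\'
            $path = Join-Path $root 'autorun.inf'
            # -Force is required: both the placeholder folder and worm-dropped
            # files are normally marked Hidden and/or System.
            $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue

            $state = if (-not $item) { 'absent' }
                     elseif ($item.PSIsContainer) { 'folder (protective placeholder)' }
                     else { 'FILE - inspect' }

            New-Object PSObject -Property @{
                Drive   = $_.DeviceID
                Type    = if ($_.DriveType -eq 2) { 'Removable' } else { 'Fixed' }
                Autorun = $state
                Hidden  = if ($item) { [bool]($item.Attributes -band [IO.FileAttributes]::Hidden) } else { $null }
            }
        }
}

# For any drive where autorun.inf is a FILE, show the directives that matter:
# open=, shellexecute= and shell\...\command= are the lines that tell Windows
# what to launch when the drive is inserted.
function Show-AutorunFile {
    param(
        [Parameter(Mandatory = $true)][string]$Drive   # e.g. 'E:'
    )
    $path = Join-Path ($Drive + '\') 'autorun.inf'
    $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if (-not $item -or $item.PSIsContainer) {
        Write-Output "$Drive : no autorun.inf file (absent or placeholder folder)"
        return
    }
    Get-Content -LiteralPath $path -Force |
        Where-Object { $_ -match '^\s*(open|shellexecute|shell\\.*\\command)\s*=' } |
        ForEach-Object { Write-Output "$Drive : $_" }
}

# Usage: run both, then re-run after Flash_Disinfector to confirm that every
# drive now shows the placeholder folder instead of 'absent' or 'FILE'.
Get-AutorunStatus | Format-Table Drive, Type, Autorun, Hidden -AutoSize
Get-AutorunStatus | Where-Object { $_.Autorun -like 'FILE*' } | ForEach-Object { Show-AutorunFile -Drive $_.Drive }
```

Run it from an elevated prompt so hidden and system-attributed items are readable. A removable drive that shows "FILE - inspect" pointing at an executable on the same stick is exactly the case the Flash_Disinfector note is about; the Kaspersky and HijackThis logs in this thread do not cover removable media, so this check fills that gap.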

#8 Michael63

Michael63
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:07:36 PM

Posted 03 March 2009 - 10:55 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:53:20 AM, on 3/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CiSvc - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 3073 bytes


Mostly everything seems to be working properly, except for whatever reason, pictures on websites do not show up in IE, they will in firefox though. THX so much again for your help!

#9 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:36 PM

Posted 03 March 2009 - 11:53 AM

Hello.

Looks like the malware is gone.

Would you consider upgrading to IE7? It would repair any problems.

Install Antivirus
An anti-virus is essential in keeping your computer safe while surfing the Internet. Please install a free anti-virus program from one of the trusted vendors below. After installing, update the database, run a full system scan and remove any items found.
Take a new HijackThis log after.

With Regards,
The Panda

#10 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:36 PM

Posted 18 March 2009 - 09:01 AM

Hello.

There had been no reply from the topic starter in 5 days. Due to inactivity, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda
