Morphing malware attack


  • This topic is locked
9 replies to this topic

#1 cflowers

cflowers

  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:20 PM

Posted 27 February 2009 - 12:23 PM

Good morning. I'm an experienced computer support professional and I've run across something that I am unable to clean from a computer. It started as the MS Antivirus 2009 malware. I've used Malwarebytes Anti-Malware and thought it was gone but it kept returning. I have most recently seen evidence in the Anti-Malware logs of rootkits. In my latest attempt to combat this, Anti-Malware wouldn't start. I used the renaming trick to get it to run. The last time it found a "...Gaming" malware. There's always something it wants to remove upon reboot. When I disconnect from the Internet and clean the machine, Anti-Malware still will not start under its own name. Once I connect back up, the infection is reborn. This one is beyond my skill set to handle myself. I could use some assistance.

The machine is not mine so it's loaded with various protection software products including McAfee, Spybot etc. The DDS log is below.

Thanks much.

-cf


DDS (Ver_09-02-01.01) - NTFSx86
Run by Fred at 11:04:53.89 on Fri 02/27/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1282 [GMT -6:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\3361\svchost.exe -sysrun
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\MarketBrowser\lmt\mktbrws.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Documents and Settings\Fred\Desktop\dds.com

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\i386kd.exe,c:\windows\system32\vmware-ufad.exe,
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [ShStatEXE] "c:\program files\network associates\virusscan\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UpdaterUI.exe" /StartedFromRunKey
mRun: [Network Associates Error Reporting Service] "c:\program files\common files\network associates\talkback\TBMon.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRunOnce: [svchost.exe] "c:\windows\system32\3361\svchost.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
uExplorerRun: [services] c:\windows\services.exe
mExplorerRun: [services] c:\windows\services.exe
dExplorerRun: [services] c:\windows\services.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\market~1.lnk - c:\program files\marketbrowser\lmt\mktbrws.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\xccstart.lnk - c:\windows\system\xccef090131.exe
IE: {17A27031-71FC-11d4-815C-005004D0F1FA} - c:\program files\marketbrowser\lmt\MarketBrowser_Launch.xpy
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1186628817045
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2006-1-13 58048]
R2 defaultlib;Service AntiVir;c:\windows\system32\svchost.exe -k netsvcs [2004-8-11 31744]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2006-1-13 122943]
R2 McTaskManager;Network Associates Task Manager;c:\program files\network associates\virusscan\VsTskMgr.exe [2004-9-22 46080]
R2 softyinforwow1;.Freame Micer;c:\windows\system32\svchost.exe -k netsvcs [2004-8-11 31744]
R2 sopidkc;sopidkc Service;c:\windows\system32\sopidkc.exe [2004-8-4 65536]
S0 emebawtr;emebawtr;c:\windows\system32\drivers\emebawtr.sys --> c:\windows\system32\drivers\emebawtr.sys [?]
S1 ethrfrug;ethrfrug;c:\windows\system32\drivers\ethrfrug.sys [2009-2-5 137920]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2006-6-4 29744]
S3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2006-1-13 108256]
S3 pcistub;pcistub;c:\windows\system32\pcistub.sys [2004-8-11 2176]
S3 qktjcpta;qktjcpta;\??\c:\windows\system32\drivers\qktjcpta.sys --> c:\windows\system32\drivers\qktjcpta.sys [?]
SUnknown afisicx;afisicx; [x]
SUnknown mabidwe;mabidwe; [x]

=============== Created Last 30 ================

2009-02-27 10:25 0 a------- c:\windows\mqcd.dbt
2009-02-27 10:24 28,672 a------- c:\windows\system32\kdoqmn.sr
2009-02-27 10:24 32,768 a------- c:\windows\system32\odjan.wa
2009-02-27 10:24 32,768 a------- c:\windows\system32\kei1w.an
2009-02-27 10:24 77,312 a------- c:\windows\system32\rkoq.pxf
2009-02-27 10:24 28,672 a------- c:\windows\system32\doqkm.zt
2009-02-27 10:23 51 a------- c:\windows\system32\work.ini
2009-02-27 10:23 227 a------- c:\windows\system32\hgset.ini
2009-02-27 10:23 108,336 a------- c:\windows\system32\MSWINSCK.OCX
2009-02-27 10:23 <DIR> --d----- c:\windows\system32\3361
2009-02-27 10:23 90,112 a------- c:\windows\system32\200922311.dll
2009-02-27 10:23 77,824 a------- c:\windows\system32\u10276716.dll
2009-02-27 10:22 676,352 a------- c:\windows\system32\rtl60.bpl
2009-02-27 10:22 406,528 a------- c:\windows\system32\tmpxccacj0.exe
2009-02-27 10:22 203 a------- c:\windows\system32\xcchit32.ini
2009-02-27 10:21 617 a------- c:\windows\xccwinsys.ini
2009-02-27 10:21 <DIR> --d----- c:\windows\system32\inf
2009-02-27 10:21 578,560 a------- c:\windows\system32\dllcache\user32.dll
2009-02-15 17:00 276 a------- c:\windows\system32\MRT.INI
2009-02-13 10:26 182,656 a------- c:\windows\system32\dllcache\ndis.sys
2009-02-13 10:26 616 a------- c:\windows\system32\3C.tmp
2009-02-10 09:34 6 a------- c:\windows\_id.dat
2009-02-10 09:34 130 a------- c:\windows\adobe.bat
2009-02-10 09:34 32,768 a---h--- c:\documents and settings\fred\ewtpe.exe
2009-02-10 09:34 162,756 a------- c:\windows\system32\3A.tmp
2009-02-10 09:34 128 a------- c:\windows\system32\33.tmp
2009-02-10 09:29 162,756 a------- c:\windows\system32\37.tmp
2009-02-10 09:29 32,768 a---h--- c:\documents and settings\fred\hubwf.exe
2009-02-10 09:29 24,577 a------- c:\windows\system32\34.tmp
2009-02-10 09:29 128 a------- c:\windows\system32\32.tmp
2009-02-09 21:46 0 a------- c:\windows\system32\31.tmp
2009-02-09 21:27 0 a------- c:\windows\system32\36.tmp
2009-02-09 21:27 163,364 a------- c:\windows\system32\30.tmp
2009-02-09 21:27 29,184 a------- c:\windows\system32\2F.tmp
2009-02-09 21:27 172 a------- c:\windows\system32\2E.tmp
2009-02-09 21:17 0 a------- c:\windows\system32\35.tmp
2009-02-09 21:14 163,364 a------- c:\windows\system32\2A.tmp
2009-02-09 21:14 29,184 a------- c:\windows\system32\29.tmp
2009-02-09 21:14 172 a------- c:\windows\system32\26.tmp
2009-02-09 21:12 0 a------- c:\windows\system32\2D.tmp
2009-02-09 21:10 163,364 a------- c:\windows\system32\24.tmp
2009-02-09 21:09 29,184 a------- c:\windows\system32\20.tmp
2009-02-09 21:09 172 a------- c:\windows\system32\1D.tmp
2009-02-09 20:49 0 a------- c:\windows\system32\1F.tmp
2009-02-09 20:23 0 a------- c:\windows\system32\2B.tmp
2009-02-09 20:23 163,716 a------- c:\windows\system32\25.tmp
2009-02-09 20:23 29,184 a------- c:\windows\system32\23.tmp
2009-02-09 20:23 172 a------- c:\windows\system32\1E.tmp
2009-02-05 20:59 163,716 a------- c:\windows\system32\28.tmp
2009-02-05 20:59 168 a------- c:\windows\system32\27.tmp
2009-02-05 20:29 163,716 a------- c:\windows\system32\22.tmp
2009-02-05 20:29 168 a------- c:\windows\system32\21.tmp
2009-02-05 19:50 32,768 a---h--- c:\documents and settings\fred\myy.exe
2009-02-05 19:50 163,364 a------- c:\windows\system32\13.tmp
2009-02-05 19:50 23,553 a------- c:\windows\system32\18.tmp
2009-02-05 19:50 168 a------- c:\windows\system32\12.tmp
2009-02-05 19:37 32,768 a---h--- c:\documents and settings\fred\kkotc.exe
2009-02-05 19:37 23,553 a------- c:\windows\system32\1C.tmp
2009-02-05 19:37 163,364 a------- c:\windows\system32\1B.tmp
2009-02-05 19:37 168 a------- c:\windows\system32\1A.tmp
2009-02-05 19:36 32,768 a---h--- c:\documents and settings\fred\sdemdma.exe
2009-02-05 19:36 66,560 ----h--- c:\windows\system32\secupdat.dat
2009-02-05 19:36 137,920 a------- c:\windows\system32\drivers\ethrfrug.sys
2009-02-05 19:36 23,553 a------- c:\windows\system32\16.tmp
2009-02-05 19:33 163,364 a------- c:\windows\system32\15.tmp
2009-02-05 19:33 168 a------- c:\windows\system32\14.tmp
2009-02-05 19:11 <DIR> --d----- c:\docume~1\fred\applic~1\Malwarebytes
2009-02-05 19:11 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-05 19:11 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-05 19:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-05 19:11 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-03 20:29 124 a------- c:\windows\wininit.ini
2009-02-03 20:25 <DIR> --d-h--- c:\windows\system32\GroupPolicy

==================== Find3M ====================

2009-02-27 10:21 578,560 a------- c:\windows\system32\user32.DLL
2009-02-13 10:26 182,656 a------- c:\windows\system32\drivers\ndis.sys
2008-12-13 00:40 3,593,216 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 04:57 333,952 -------- c:\windows\system32\dllcache\srv.sys

============= FINISH: 11:05:36.43 ===============

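The persistence indicators in the DDS log above can be flagged mechanically: the Winlogon Userinit value carries two extra executables (i386kd.exe and vmware-ufad.exe) that Winlogon will launch at every logon alongside the real userinit.exe; a svchost.exe is started from c:\windows\system32\3361 rather than system32 itself; a services.exe sits in c:\windows instead of c:\windows\system32; several services with gibberish names are hosted by the generic "svchost.exe -k netsvcs"; and some drivers reference files that no longer exist ([?] / [x]). The following Python script is an added example written for this page, not code from the poster or from the DDS tool. The sample lines are copied from the log above; the canonical paths in SYSTEM_BINARIES and the assumptions about how DDS formats Run and service entries are my own.

```python
"""Triage a DDS 'Pseudo HJT Report' for the persistence tricks visible in
the log above. Added example: the sample lines are copied from the posted
log, the heuristics and canonical paths are assumptions made here."""
import re

# Constructed sample: lines taken verbatim from the DDS log in this thread.
SAMPLE_DDS = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\i386kd.exe,c:\windows\system32\vmware-ufad.exe,
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ShStatEXE] "c:\program files\network associates\virusscan\SHSTAT.EXE" /STANDALONE
mRunOnce: [svchost.exe] "c:\windows\system32\3361\svchost.exe"
uExplorerRun: [services] c:\windows\services.exe
R2 defaultlib;Service AntiVir;c:\windows\system32\svchost.exe -k netsvcs [2004-8-11 31744]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2006-1-13 122943]
S0 emebawtr;emebawtr;c:\windows\system32\drivers\emebawtr.sys --> c:\windows\system32\drivers\emebawtr.sys [?]
SUnknown afisicx;afisicx; [x]
"""

# Where Windows XP keeps these binaries (assumed canonical paths). A file with
# one of these names anywhere else is a masquerade, not the real thing.
SYSTEM_BINARIES = {
    "userinit.exe": r"c:\windows\system32\userinit.exe",
    "svchost.exe": r"c:\windows\system32\svchost.exe",
    "services.exe": r"c:\windows\system32\services.exe",
}

# DDS prefixes for HKCU/HKLM/default Run, RunOnce and Explorer\Run entries.
RUN_KEYS = ("uRun:", "mRun:", "uRunOnce:", "mRunOnce:",
            "uExplorerRun:", "mExplorerRun:", "dExplorerRun:")


def userinit_extras(value):
    """Userinit is a comma-separated list and Winlogon launches every entry
    at logon; only the stock userinit.exe should be present."""
    entries = [e.strip().lower() for e in value.split(",") if e.strip()]
    return [e for e in entries if e != SYSTEM_BINARIES["userinit.exe"]]


def exe_path(entry):
    """Extract the executable from '[name] "path" args' or '[name] path args'."""
    rest = re.sub(r"^\[[^\]]*\]\s*", "", entry.strip()).strip()
    if rest.startswith('"'):
        return rest[1:].split('"', 1)[0].lower()
    m = re.match(r"(.*?\.exe)", rest, re.I)
    return (m.group(1) if m else rest).lower()


def masquerade(path):
    """True when a system-binary name is launched from a non-system location."""
    name = path.rsplit("\\", 1)[-1]
    return name in SYSTEM_BINARIES and path != SYSTEM_BINARIES[name]


def triage(report):
    """Return (category, detail) findings for one DDS report."""
    findings = []
    for line in report.splitlines():
        line = line.strip()
        if line.lower().startswith("mwinlogon: userinit="):
            for extra in userinit_extras(line.split("=", 1)[1]):
                findings.append(("userinit", extra))
        elif line.startswith(RUN_KEYS):
            path = exe_path(line.split(":", 1)[1])
            if masquerade(path):
                findings.append(("masquerade", path))
        elif re.match(r"^(R[0-3]|S[0-4]|SUnknown)\s", line):
            # Service line: '<start> name;display;imagepath [date size]'
            _, body = line.split(" ", 1)
            name, _display, image = (body.split(";", 2) + ["", ""])[:3]
            if image.strip().endswith("[x]") or "[?]" in image:
                findings.append(("missing-image", name))
            elif "svchost.exe -k netsvcs" in image.lower():
                # Hosted inside a Microsoft process: the real payload is the
                # ServiceDll value, which DDS does not print, so flag for review.
                findings.append(("netsvcs-hosted", name))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_DDS):
        print(f"{kind:16} {detail}")
```

The netsvcs flag is deliberately a "look closer" marker rather than a verdict: a service hosted by svchost.exe is only a DLL loaded into a legitimate Microsoft process, and DDS shows the host, not the DLL, so the service's ServiceDll registry value has to be inspected by hand. The Userinit and masquerade findings, by contrast, are unambiguous on their own, because there is no legitimate reason for extra Userinit entries or for svchost.exe/services.exe to run from those locations.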


#2 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Members
  • 19,461 posts
  • OFFLINE
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:12:20 AM

Posted 13 March 2009 - 08:29 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 cflowers

cflowers
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:20 PM

Posted 16 March 2009 - 10:41 AM

Thanks for taking the case. The computer is not connected to the Internet. I am using a thumb drive to move programs and scan results to/from it.

I haven't done anything to the computer. Passwords on Internet sites have all been changed as a precaution.

Here's the new log and the zipped attach.txt file.

-cf
Craig

#4 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:20 AM

Posted 18 March 2009 - 09:31 AM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER.zip to your desktop from any of the links below:
LINK1, LINK2
  • Right click on GMER.zip and select "Extract All".
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click GMER.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.
In your next reply include:
-the ComboFix log
-the GMER scan log

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda

#5 cflowers

cflowers
  • Topic Starter

  • Members
  • 5 posts

Posted 18 March 2009 - 11:47 AM

I've made no changes to the computer since starting the topic. Following is the ComboFix log and then the GMER log.

-cf

ComboFix 09-03-15.01 - Fred 2009-03-18 10:10:45.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1649 [GMT -5:00]
Running from: c:\documents and settings\Fred\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Install.txt
c:\windows\system32\200922311.dll
c:\windows\system32\comsa32.sys
c:\windows\system32\config\systemprofile\reader_s.exe
c:\windows\system32\drivers\ntndis.sys
c:\windows\system32\sopidkc.exe
c:\windows\system32\tmp.reg
c:\windows\system32\tmpxccacj0.exe
c:\windows\system32\u10276716.dll
c:\windows\system32\xcchit32.ini
c:\windows\xccwinsys.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_AFISICX
-------\Legacy_DEFAULTLIB
-------\Legacy_MABIDWE
-------\Legacy_PROTECT
-------\Legacy_SOFTYINFORWOW1
-------\Legacy_SOPIDKC
-------\Service_6to4
-------\Service_defaultlib
-------\Service_Passthru
-------\Service_softyinforwow1
-------\Service_sopidkc
-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-02-18 to 2009-03-18 )))))))))))))))))))))))))))))))
.

2009-02-27 11:25 . 2009-02-27 11:25 0 --a------ c:\windows\mqcd.dbt
2009-02-27 11:24 . 2009-02-27 11:24 77,312 --a------ c:\windows\system32\rkoq.pxf
2009-02-27 11:24 . 2009-02-27 11:24 32,768 --a------ c:\windows\system32\odjan.wa
2009-02-27 11:24 . 2009-02-27 11:24 32,768 --a------ c:\windows\system32\kei1w.an
2009-02-27 11:24 . 2009-02-27 11:24 28,672 --a------ c:\windows\system32\kdoqmn.sr
2009-02-27 11:24 . 2009-02-27 11:24 28,672 --a------ c:\windows\system32\doqkm.zt
2009-02-27 11:23 . 2009-02-27 11:23 <DIR> d-------- c:\windows\system32\3361
2009-02-27 11:23 . 2009-02-27 11:23 108,336 --a------ c:\windows\system32\MSWINSCK.OCX
2009-02-27 11:23 . 2009-02-27 11:23 227 --a------ c:\windows\system32\hgset.ini
2009-02-27 11:23 . 2009-02-27 11:24 51 --a------ c:\windows\system32\work.ini
2009-02-27 11:22 . 2002-02-15 15:02 676,352 --a------ c:\windows\system32\rtl60.bpl
2009-02-27 11:21 . 2009-02-27 12:02 <DIR> d-------- c:\windows\system32\inf
2009-02-27 11:21 . 2009-02-27 11:21 578,560 --a------ c:\windows\system32\dllcache\user32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-17 15:01 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-02-27 16:08 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-26 21:12 --------- d-----w c:\documents and settings\Fred\Application Data\Lavasoft
2009-02-13 16:26 182,656 ----a-w c:\windows\system32\drivers\ndis.sys
2009-02-13 16:26 137,920 ----a-w c:\windows\system32\drivers\ethrfrug.sys
2009-02-11 16:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 16:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-10 15:34 32,768 ---ha-w c:\documents and settings\Fred\ewtpe.exe
2009-02-10 15:29 32,768 ---ha-w c:\documents and settings\Fred\hubwf.exe
2009-02-06 01:50 32,768 ---ha-w c:\documents and settings\Fred\myy.exe
2009-02-06 01:37 32,768 ---ha-w c:\documents and settings\Fred\kkotc.exe
2009-02-06 01:36 32,768 ---ha-w c:\documents and settings\Fred\sdemdma.exe
2009-02-06 01:11 --------- d-----w c:\documents and settings\Fred\Application Data\Malwarebytes
2009-02-06 01:11 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-04 02:34 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-04 02:32 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-08-14 02:34 122,880 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
c:\windows\system32\user32.dll ... is infected !!
577,024 2005-03-02 18:19:56 c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
578,048 2007-03-08 15:48:36 c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
577,536 2007-03-08 15:36:28 c:\windows\$NtServicePackUninstall$\user32.dll
577,024 2004-08-04 11:00:00 c:\windows\$NtUninstallKB890859$\user32.dll
577,024 2005-03-02 18:09:30 c:\windows\$NtUninstallKB925902$\user32.dll
578,560 2008-04-14 00:12:08 c:\windows\ServicePackFiles\i386\user32.dll
578,560 2009-02-27 16:21:33 c:\windows\system32\user32.DLL
578,560 2009-02-27 16:21:33 c:\windows\system32\dllcache\user32.dll


------- Sigcheck -------

2004-08-04 06:00 31744 32e593cb8948d58713788a42c55515af c:\windows\$NtServicePackUninstall$\svchost.exe
2008-04-13 19:12 31744 dea0b38489eed019d62b16c3abce5ce5 c:\windows\ServicePackFiles\i386\svchost.exe
2008-04-13 19:12 31744 20e71ca2ba98b32682637cb69e16fad9 c:\windows\system32\svchost.exe
2009-02-27 11:23 139264 1e66eea06d65ee6acc9935a21a8cfad5 c:\windows\system32\3361\SVCHOST.EXE

2005-03-02 13:19 577024 1800f293bccc8ede8a70e12b88d80036 c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
2007-03-08 10:48 578048 7aa4f6c00405dfc4b70ed4214e7d687b c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
2007-03-08 10:36 577536 b409909f6e2e8a7067076ed748abf1e7 c:\windows\$NtServicePackUninstall$\user32.dll
2004-08-04 06:00 577024 c72661f8552ace7c5c85e16a3cf505c4 c:\windows\$NtUninstallKB890859$\user32.dll
2005-03-02 13:09 577024 de2db164bbb35db061af0997e4499054 c:\windows\$NtUninstallKB925902$\user32.dll
2008-04-13 19:12 578560 b26b135ff1b9f60c9388b4a7d16f600b c:\windows\ServicePackFiles\i386\user32.dll
2009-02-27 11:21 578560 97cb6273a56fc952a594f28c630768a6 c:\windows\system32\user32.DLL
2009-02-27 11:21 578560 97cb6273a56fc952a594f28c630768a6 c:\windows\system32\dllcache\user32.dll

2004-08-04 06:00 182912 1df7f42665c94b825322fae71721130d c:\windows\$NtServicePackUninstall$\ndis.sys
2008-04-13 14:20 182656 1df7f42665c94b825322fae71721130d c:\windows\ServicePackFiles\i386\ndis.sys
2009-02-13 11:26 213120 1df7f42665c94b825322fae71721130d c:\windows\system32\dllcache\ndis.sys
2009-02-13 11:26 213120 1df7f42665c94b825322fae71721130d c:\windows\system32\drivers\ndis.sys

2008-04-13 19:12 1051136 5a91dfba5a2528e9d538bb32bac270dd c:\windows\explorer.exe
2007-06-13 06:26 1050624 e1988ba2f8c5dcd39e0ec2b48c9dfcf0 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
2007-06-13 05:23 1050624 03faf1b7ddc9d7dbd7bc6a3a76562e67 c:\windows\$NtServicePackUninstall$\explorer.exe
2004-08-04 06:00 1049600 ec0a707f38e6a9eec44b12d49b12e656 c:\windows\$NtUninstallKB938828$\explorer.exe
2008-04-13 19:12 1051136 e3fafb098d2bbf11384a650b97d08bf3 c:\windows\ServicePackFiles\i386\explorer.exe

2004-08-04 06:00 32768 a0206e10315646167155a488e6889b3c c:\windows\$NtServicePackUninstall$\ctfmon.exe
2008-04-13 19:12 32768 9cc3446f13769f3e84be9820183e9ab1 c:\windows\ServicePackFiles\i386\ctfmon.exe
2008-04-13 19:12 32768 80eaf065942584b8d23e0c79ad17fa31 c:\windows\system32\ctfmon.exe

2005-06-10 19:17 75264 7079d19b347f49f5ec4607a5d14b801a c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2005-06-10 18:53 75264 833d1c113a06618083482ddfa02fc3e7 c:\windows\$NtServicePackUninstall$\spoolsv.exe
2008-04-13 19:12 75264 cff132da4244935920b7e9a4aeb17719 c:\windows\ServicePackFiles\i386\spoolsv.exe
2008-04-13 19:12 75264 7a0b9e529ffb3f40a1d780038b5961e7 c:\windows\system32\spoolsv.exe

2004-08-04 06:00 41984 531617b1539ee6c0a8a2b43ca37c27a9 c:\windows\$NtServicePackUninstall$\userinit.exe
2008-04-13 19:12 43520 fd5743641e590ae7c651f2926bbb7d44 c:\windows\ServicePackFiles\i386\userinit.exe
2008-04-13 19:12 43520 4f58248572f565b2688d3c5c9f232690 c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1712640]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 32768]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1425408]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-31 364544]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 73728]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 69632]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-08-13 29744]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 65536]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"svchost.exe"="c:\windows\system32\3361\svchost.exe" [2009-02-27 139264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 303104]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-05-12 94208]
MarketBrowser.lnk - c:\program files\MarketBrowser\lmt\mktbrws.exe [2007-08-27 2985472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashDisp.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashserv.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashSimpl.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avesvc.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdmcon.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdnagent.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdswitch.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\DefWatch.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\emebawtr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Outlook Express\\msimn.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\WINDOWS\\system32\\3361\\svchost.exe"=

S0 emebawtr;emebawtr;c:\windows\system32\Drivers\emebawtr.sys --> c:\windows\system32\Drivers\emebawtr.sys [?]
S1 ethrfrug;ethrfrug;c:\windows\system32\drivers\ethrfrug.sys [2009-02-05 137920]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2006-06-04 29744]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-02-05 38496]
S3 pcistub;pcistub;c:\windows\system32\pcistub.sys [2004-08-11 2176]
S3 qktjcpta;qktjcpta;\??\c:\windows\System32\Drivers\qktjcpta.sys --> c:\windows\System32\Drivers\qktjcpta.sys [?]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKLM-Explorer_Run-services - c:\windows\services.exe
HKCU-Explorer_Run-services - c:\windows\services.exe
HKU-Default-Explorer_Run-services - c:\windows\services.exe
SafeBoot-ekvpcdzd.sys
SafeBoot-rlohyfrc.sys
SafeBoot-sgsuebrl.sys


.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
IE: {{17A27031-71FC-11d4-815C-005004D0F1FA} - c:\program files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-18 10:23:15
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Dell\OpenManage\Client\Iap.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
.
**************************************************************************
.
Completion time: 2009-03-18 10:25:37 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-18 15:25:34

Pre-Run: 144,357,273,600 bytes free
Post-Run: 144,326,762,496 bytes free

226 --- E O F --- 2009-02-27 17:08:38



GMER 1.0.15.14939 - http://www.gmer.net
Rootkit scan 2009-03-18 11:41:48
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

Code 8A6A8480 pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

.reloc C:\WINDOWS\system32\drivers\NDIS.sys section is executable [0x8A5D4200, 0x32E2A, 0xE0000060]
? Combo-Fix.sys The system cannot find the file specified. !
? C:\ComboFix\catchme.sys The system cannot find the path specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[212] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3F81
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[212] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA4010
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[212] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA401D
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[212] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA4006
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[212] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA405E
.text C:\WINDOWS\System32\alg.exe[408] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3F81
.text C:\WINDOWS\System32\alg.exe[408] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA4010
.text C:\WINDOWS\System32\alg.exe[408] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA401D
.text C:\WINDOWS\System32\alg.exe[408] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA4006
.text C:\WINDOWS\System32\alg.exe[408] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA405E
.text C:\WINDOWS\system32\winlogon.exe[788] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3F81
.text C:\WINDOWS\system32\winlogon.exe[788] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA4010
.text C:\WINDOWS\system32\winlogon.exe[788] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA401D
.text C:\WINDOWS\system32\winlogon.exe[788] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA4006
.text C:\WINDOWS\system32\winlogon.exe[788] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA405E
.text C:\WINDOWS\system32\services.exe[832] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3F81
.text C:\WINDOWS\system32\services.exe[832] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA4010
.text C:\WINDOWS\system32\services.exe[832] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA401D
.text C:\WINDOWS\system32\services.exe[832] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA4006
.text C:\WINDOWS\system32\services.exe[832] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA405E
.text C:\WINDOWS\system32\lsass.exe[848] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FF93F81
.text C:\WINDOWS\system32\lsass.exe[848] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FF94010
.text C:\WINDOWS\system32\lsass.exe[848] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FF9401D
.text C:\WINDOWS\system32\lsass.exe[848] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FF94006
.text C:\WINDOWS\system32\lsass.exe[848] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FF9405E
.text C:\WINDOWS\system32\svchost.exe[1048] C:\WINDOWS\system32\svchost.exe section is writeable [0x01001000, 0x2C00, 0xE0000060]
.rsrc C:\WINDOWS\system32\svchost.exe[1048] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x5600, 0xE0000060]
.text C:\WINDOWS\system32\svchost.exe[1048] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3F81
.text C:\WINDOWS\system32\svchost.exe[1048] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA4010
.text C:\WINDOWS\system32\svchost.exe[1048] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA401D
.text C:\WINDOWS\system32\svchost.exe[1048] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA4006
.text C:\WINDOWS\system32\svchost.exe[1048] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA405E
.text C:\WINDOWS\system32\svchost.exe[1128] C:\WINDOWS\system32\svchost.exe section is writeable [0x01001000, 0x2C00, 0xE0000060]
.rsrc C:\WINDOWS\system32\svchost.exe[1128] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x5600, 0xE0000060]
.text C:\WINDOWS\system32\svchost.exe[1128] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3F81
.text C:\WINDOWS\system32\svchost.exe[1128] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA4010
.text C:\WINDOWS\system32\svchost.exe[1128] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA401D
.text C:\WINDOWS\system32\svchost.exe[1128] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA4006
.text C:\WINDOWS\system32\svchost.exe[1128] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA405E
.text C:\WINDOWS\System32\svchost.exe[1168] C:\WINDOWS\System32\svchost.exe section is writeable [0x01001000, 0x2C00, 0xE0000060]
.rsrc C:\WINDOWS\System32\svchost.exe[1168] C:\WINDOWS\System32\svchost.exe section is executable [0x01005000, 0x5600, 0xE0000060]
.text C:\WINDOWS\System32\svchost.exe[1168] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3F81
.text C:\WINDOWS\System32\svchost.exe[1168] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA4010
.text C:\WINDOWS\System32\svchost.exe[1168] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA401D
.text C:\WINDOWS\System32\svchost.exe[1168] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA4006
.text C:\WINDOWS\System32\svchost.exe[1168] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA405E
.text C:\WINDOWS\system32\svchost.exe[1252] C:\WINDOWS\system32\svchost.exe section is writeable [0x01001000, 0x2C00, 0xE0000060]
.rsrc C:\WINDOWS\system32\svchost.exe[1252] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x5600, 0xE0000060]
.text C:\WINDOWS\system32\svchost.exe[1252] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3F81
.text C:\WINDOWS\system32\svchost.exe[1252] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA4010
.text C:\WINDOWS\system32\svchost.exe[1252] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA401D
.text C:\WINDOWS\system32\svchost.exe[1252] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA4006
.text C:\WINDOWS\system32\svchost.exe[1252] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA405E
.text C:\WINDOWS\system32\svchost.exe[1284] C:\WINDOWS\system32\svchost.exe section is writeable [0x01001000, 0x2C00, 0xE0000060]
.rsrc C:\WINDOWS\system32\svchost.exe[1284] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x5600, 0xE0000060]
.text C:\WINDOWS\system32\svchost.exe[1284] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3F81
.text C:\WINDOWS\system32\svchost.exe[1284] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA4010
.text C:\WINDOWS\system32\svchost.exe[1284] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA401D
.text C:\WINDOWS\system32\svchost.exe[1284] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA4006
.text C:\WINDOWS\system32\svchost.exe[1284] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA405E
.text C:\WINDOWS\system32\spoolsv.exe[1424] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3F81
.text C:\WINDOWS\system32\spoolsv.exe[1424] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA4010
.text C:\WINDOWS\system32\spoolsv.exe[1424] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA401D
.text C:\WINDOWS\system32\spoolsv.exe[1424] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA4006
.text C:\WINDOWS\system32\spoolsv.exe[1424] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA405E
.text C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe[1572] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3F81
.text C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe[1572] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA4010
.text C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe[1572] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA401D
.text C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe[1572] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA4006
.text C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe[1572] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA405E
.text C:\Program Files\Dell\OpenManage\Client\Iap.exe[1592] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3F81
.text C:\Program Files\Dell\OpenManage\Client\Iap.exe[1592] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA4010
.text C:\Program Files\Dell\OpenManage\Client\Iap.exe[1592] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA401D
.text C:\Program Files\Dell\OpenManage\Client\Iap.exe[1592] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA4006
.text C:\Program Files\Dell\OpenManage\Client\Iap.exe[1592] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA405E
.text C:\WINDOWS\system32\svchost.exe[1732] C:\WINDOWS\system32\svchost.exe section is writeable [0x01001000, 0x2C00, 0xE0000060]
.rsrc C:\WINDOWS\system32\svchost.exe[1732] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x5600, 0xE0000060]
.text C:\WINDOWS\system32\svchost.exe[1732] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3F81
.text C:\WINDOWS\system32\svchost.exe[1732] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA4010
.text C:\WINDOWS\system32\svchost.exe[1732] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA401D
.text C:\WINDOWS\system32\svchost.exe[1732] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA4006
.text C:\WINDOWS\system32\svchost.exe[1732] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA405E
.text C:\WINDOWS\explorer.exe[1908] explorer.exe 0101A57C 4 Bytes [FF, 15, 1C, 11]
.text C:\WINDOWS\explorer.exe[1908] C:\WINDOWS\explorer.exe section is writeable [0x01001000, 0x44E00, 0xE0000060]
.reloc C:\WINDOWS\explorer.exe[1908] C:\WINDOWS\explorer.exe section is executable [0x010FB000, 0x8800, 0xE2000060]
.text C:\WINDOWS\explorer.exe[1908] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3F81
.text C:\WINDOWS\explorer.exe[1908] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA4010
.text C:\WINDOWS\explorer.exe[1908] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA401D
.text C:\WINDOWS\explorer.exe[1908] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA4006
.text C:\WINDOWS\explorer.exe[1908] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA405E
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2040] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3F81
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2040] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA4010
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2040] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA401D
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2040] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA4006
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2040] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA405E
.text C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe[2156] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3F81
.text C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe[2156] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA4010
.text C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe[2156] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA401D
.text C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe[2156] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA4006
.text C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe[2156] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA405E
.rsrc C:\WINDOWS\system32\3361\svchost.exe[3144] C:\WINDOWS\system32\3361\svchost.exe section is executable [0x0041D000, 0x6000, 0xE0000060]
.text C:\WINDOWS\system32\3361\svchost.exe[3144] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3F81
.text C:\WINDOWS\system32\3361\svchost.exe[3144] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA4010
.text C:\WINDOWS\system32\3361\svchost.exe[3144] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA401D
.text C:\WINDOWS\system32\3361\svchost.exe[3144] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA4006
.text C:\WINDOWS\system32\3361\svchost.exe[3144] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA405E
.text C:\Documents and Settings\Fred\Desktop\gmer\gmer.exe[3176] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3F81
.text C:\Documents and Settings\Fred\Desktop\gmer\gmer.exe[3176] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA4010
.text C:\Documents and Settings\Fred\Desktop\gmer\gmer.exe[3176] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA401D
.text C:\Documents and Settings\Fred\Desktop\gmer\gmer.exe[3176] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA4006
.text C:\Documents and Settings\Fred\Desktop\gmer\gmer.exe[3176] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA405E
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[3468] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3F81
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[3468] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA4010
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[3468] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA401D
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[3468] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA4006
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[3468] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA405E
.text C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe[3484] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3F81
.text C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe[3484] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA4010
.text C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe[3484] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA401D
.text C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe[3484] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA4006
.text C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe[3484] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA405E
.text C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe[3556] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3F81
.text C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe[3556] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA4010
.text C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe[3556] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA401D
.text C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe[3556] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA4006
.text C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe[3556] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA405E
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[3568] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3F81
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[3568] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA4010
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[3568] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA401D
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[3568] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA4006
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[3568] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA405E
.text C:\WINDOWS\system32\ctfmon.exe[3832] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3F81
.text C:\WINDOWS\system32\ctfmon.exe[3832] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA4010
.text C:\WINDOWS\system32\ctfmon.exe[3832] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA401D
.text C:\WINDOWS\system32\ctfmon.exe[3832] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA4006
.text C:\WINDOWS\system32\ctfmon.exe[3832] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA405E
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3888] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3F81
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3888] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA4010
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3888] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA401D
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3888] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA4006
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3888] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA405E

---- Devices - GMER 1.0.15 ----

Device \Driver\NDIS \Device\Ndis [8A5DB984] NDIS.sys[.reloc]
Device \Driver\Tcpip \Device\Ip 89F0F626
Device \Driver\Tcpip \Device\Tcp 89F0F626
Device \Driver\Tcpip \Device\Udp 89F0F626
Device \Driver\Tcpip \Device\RawIp 89F0F626
Device \Driver\Tcpip \Device\IPMULTICAST 89F0F626

---- Threads - GMER 1.0.15 ----


---- Files - GMER 1.0.15 ----

File C:\i386\ndis.sys (size mismatch) 182912/182656 bytes executable
File C:\WINDOWS\$NtServicePackUninstall$\ndis.sys (size mismatch) 182912/182656 bytes executable

---- EOF - GMER 1.0.15 ----

#6 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:12:20 AM

Posted 18 March 2009 - 12:14 PM

Hello.

The infection has replaced several of your system files. If a reinstall is an option, I highly suggest that you do that.

We can try to disinfect, though there is a chance that is not possible.

Backdoor Threat
I'm sorry to say that your computer is infected with one or more backdoor trojans.

This means that sensitive information could have been stolen. I would advise to change any passwords for any accounts that you have accessed with the infected computer using a clean computer ASAP. If you have used this computer for banking, I would strongly suggest that you report the possible stolen information. Please do not use the computer for any further transactions, or to enter any other information, if at all possible, until it is declared clean.

You may want to read this article on how to handle identity theft.
You may also want to read this article regarding preventing of identity theft.

This computer can still be cleaned, however, I cannot guarantee that it will be 100% safe even after disinfection.

Please read When Should I Format, How Should I Reinstall.

I will proceed assuming you wish to disinfect. If you want to do a reinstall, reply back saying so.

Run ComboFix with CFScript
We will run ComboFix again with a script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    http://www.bleepingcomputer.com/forums/t/206966/morphing-malware-attack/
    
    Suspect::[59]
    c:\windows\system32\svchost.exe
    c:\windows\ServicePackFiles\i386\user32.dll
    c:\windows\system32\drivers\ndis.sys
    c:\windows\explorer.exe
    c:\windows\system32\ctfmon.exe
    c:\windows\system32\spoolsv.exe
    c:\windows\system32\userinit.exe
    
    File::
    c:\windows\system32\rkoq.pxf
    c:\windows\system32\odjan.wa
    c:\windows\system32\kei1w.an
    c:\windows\system32\kdoqmn.sr
    c:\windows\system32\doqkm.zt
    c:\documents and settings\Fred\ewtpe.exe
    c:\documents and settings\Fred\hubwf.exe
    c:\documents and settings\Fred\myy.exe
    c:\documents and settings\Fred\kkotc.exe
    c:\documents and settings\Fred\sdemdma.exe
    c:\windows\system32\pcistub.sys
    c:\windows\System32\Drivers\qktjcpta.sys
    c:\windows\system32\drivers\ethrfrug.sys
    
    Folder::
    c:\windows\system32\3361
    
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "svchost.exe"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashDisp.exe]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashserv.exe]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashSimpl.exe]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avesvc.exe]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdmcon.exe]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdnagent.exe]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdswitch.exe]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\DefWatch.exe]
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\drivers\\svchost.exe"=-
    "c:\\WINDOWS\\system32\\3361\\svchost.exe"=-
    
    Driver::
    emebawtr
    ethrfrug
    pcistub
    qktjcpta
  • Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
  • Posted Image
  • Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouseclick ComboFix's window while it's running. That may cause it to stall

At the end of its run ComboFix will attempt to upload some files. Please make sure you are connected to the Internet before clicking "OK". Kindly remind me in your next reply that samples were uploaded.

With Regards,
The Panda

#7 cflowers
  • Topic Starter
  • Members
  • 5 posts
  • Local time:10:20 PM

Posted 18 March 2009 - 01:41 PM

I will reinstall the OS. Thank you for your assistance.

Can you explain a little about how you can determine the backdoor threat? Can you tell which threat it is? I'm just trying to learn a little at this point.

-cf
Craig

#8 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:12:20 AM

Posted 18 March 2009 - 02:24 PM

Hello.

ComboFix had removed, already, several infections that allow remote access to your machine.

I'm just pointing out a couple here.

For instance:
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\WINDOWS\\system32\\3361\\svchost.exe"=

These two have added themselves to the firewall exceptions list.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
c:\windows\system32\sopidkc.exe

With Regards,
The Panda

#9 cflowers
  • Topic Starter
  • Members
  • 5 posts
  • Local time:10:20 PM

Posted 18 March 2009 - 02:32 PM

Good information. Thanks.

You can close this thread.

-cf
Craig

#10 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:12:20 AM

Posted 18 March 2009 - 03:41 PM

Welcome.

Since this issue appears to be resolved, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda
