
Serious Malware Infection, started with MS Antivirus 2009, Spyware Protect 2009, nfr.dll


6 replies to this topic

#1 thefactualopinion


  • Members
  • 20 posts

Posted 08 March 2009 - 10:04 PM

The volunteer helping me on the "Am I infected" forum recommended I move my problem over here to this part of the site. I'm not sure if I'm at the point where I should reformat my computer, hope someone can help.

Here are my original problems and the logs and help I've received so far: http://www.bleepingcomputer.com/forums/t/208885/ms-antivirus-2009-which-turned-into-another-one-and-now-its-that-nfrdll-error-and-malarebytes-and-superantispy-got-their-butts-kicked/

I assume that you'll probably get a better explanation from my problems there, but here's the quick and dirty:
Dell Laptop, currently disconnected from the Internet. (It was unable to access the bleeping computer forum anyway--just this site specifically, sites like Google, blogs, those kinds of things worked fine.)

The problems started with the MS Antivirus 2009 fake spyware stuff, then the browser hijacks (I shut off proxy servers before coming to the forums), and then I got the Spyware Protect 2009 version of malware, and was only able to get Malwarebytes to run by changing the extension to .bat after reading it here. Since I started working on these forums with DaChew, I've only followed his instructions.

Currently working off my wife's computer, a Mac. Using a USB flash drive that DaChew had me immunize so that I can download the programs on this Mac and transfer them over to the infected Dell. Then I copy the logs onto the flash and move them here.

Here's my DDS file, I've changed my name on it to USER.


DDS (Ver_09-02-01.01) - NTFSx86
Run by USER at 22:51:31.47 on Sun 03/08/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.668 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
"C:\WINDOWS\system32\svchost.exe"
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AirPort\APAgent.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\USER\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.dell.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar =
uInternet Settings,ProxyOverride = *.local;
uInternet Settings,ProxyServer = http=localhost:7171
uSearchAssistant = hxxp://www.google.com/ie
uCustomizeSearch =
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: {5CDCD788-275F-4580-AB07-E947CE6E48A4} - No File
TB: {40D41A8B-D79B-43D7-99A7-9EE0F344C385} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
mRun: [ATIModeChange] Ati2mdxx.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [DadApp] c:\program files\dell\accessdirect\dadapp.exe
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [DwlClient] c:\program files\common files\dell\eusw\Support.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AirPort Base Station Agent] "c:\program files\airport\APAgent.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: &AIM Search - c:\program files\aim toolbar\AIMBar.dll/aimsearch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Notify: WRNotifier - WRLogonNTF.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 nwprovau

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\tucker~1\applic~1\mozilla\firefox\profiles\op5w5vfi.default user\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - HiddenExtension: XUL Cache: {954344C9-A024-43E4-8048-6B69AC05A899} - c:\documents and settings\USER\local settings\application data\{954344C9-A024-43E4-8048-6B69AC05A899}

============= SERVICES / DRIVERS ===============

S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-2-18 24652]

============== File Associations ===============

regfile=regedit.exe "%1" %*
scrfile="%1" %*

=============== Created Last 30 ================

2009-03-08 00:16 --d----- c:\documents and settings\tucker stone\DoctorWeb
2009-03-08 00:06 a-dshr-- C:\autorun.inf
2009-03-07 16:42 105,326 a------- c:\windows\system32\drivers\92ef5b4d.sys
2009-03-07 16:42 2 a------- C:\-195875952
2009-03-07 14:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-07 14:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-07 14:32 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-07 13:53 --d----- c:\windows\system32\CatRoot_bak
2009-03-07 00:13 --d----- C:\AutoRuns
2009-03-06 16:27 --d----- c:\program files\AVG
2009-03-06 16:27 --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-03-06 12:06 12,800 a------- c:\windows\system32\dll32.dll
2009-03-06 08:58 --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-03-06 01:47 0 a------- c:\windows\system32\nfr.assembly
2009-03-06 01:13 --d----- c:\program files\SUPERAntiSpyware
2009-03-06 01:13 --d----- c:\docume~1\tucker~1\applic~1\SUPERAntiSpyware.com
2009-03-06 00:51 24,576 a------- c:\windows\system32\stu2.exe
2009-03-05 21:42 0 a------- c:\windows\system32\nfr.gpref
2009-03-05 21:24 1 a------- c:\windows\9gdfgjf23
2009-03-05 21:24 1 ----h--- c:\windows\t55ft3518f44.dat
2009-02-19 20:04 1,400,832 a------- c:\windows\system32\CNQ2412C.DLL
2009-02-19 20:04 1,155,072 a------- c:\windows\system32\CNQ2412L.DLL
2009-02-19 20:04 188,416 a------- c:\windows\system32\CNQ2412O.DLL
2009-02-19 20:04 98,304 a------- c:\windows\system32\CNQ2412I.DLL

==================== Find3M ====================

2009-03-06 08:41 187,394 a------- c:\windows\pchealth\helpctr\config\cache\Professional_32_1033.dat
2009-03-06 00:50 8,704 a------- c:\windows\system32\userinit.exe
2009-01-16 22:35 3,594,752 a------- c:\windows\system32\dllcache\mshtml.dll
2009-01-03 16:25 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-19 05:10 70,656 a------- c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 05:10 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-12-19 01:25 634,024 -------- c:\windows\system32\dllcache\iexplore.exe
2008-12-19 01:23 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2008-12-11 07:57 333,184 -------- c:\windows\system32\dllcache\srv.sys
2008-09-01 02:24 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090120080902\index.dat

============= FINISH: 22:51:40.96 ===============
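The DDS log above is what the helpers read by eye: a browser proxy pointed at a local port (`ProxyServer = http=localhost:7171`), a driver with a random hexadecimal name under `system32\drivers`, zero- and one-byte marker files under `c:\windows`, a hidden+system `autorun.inf` at the drive root, and orphaned toolbar registrations. The script below is an added example, not part of this thread and not code from the DDS, Malwarebytes or ComboFix tools; it parses an excerpt of the posted log (embedded inline) and flags those same indicators with a severity so a triage reader can see why each line drew attention. The severity labels and the file-line regex are my own assumptions about the DDS format, based only on the lines visible in this thread.

```python
import re
from dataclasses import dataclass

# Excerpt of the DDS log posted in this thread (not a complete log).
SAMPLE_DDS = r"""
uInternet Settings,ProxyOverride = *.local;
uInternet Settings,ProxyServer = http=localhost:7171
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
2009-03-08 00:06 a-dshr-- C:\autorun.inf
2009-03-07 16:42 105,326 a------- c:\windows\system32\drivers\92ef5b4d.sys
2009-03-07 14:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-06 01:47 0 a------- c:\windows\system32\nfr.assembly
2009-03-05 21:24 1 ----h--- c:\windows\t55ft3518f44.dat
2009-02-19 20:04 1,400,832 a------- c:\windows\system32\CNQ2412C.DLL
"""

# "Created Last 30" / "Find3M" lines: date, time, optional size, 8-char attribute
# field, path.  Directories carry no size column.  (Assumed from the posted log.)
FILE_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?:(?P<size>[\d,]+) )?(?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)
HEX_DRIVER = re.compile(r"^[0-9a-f]{8}\.sys$", re.I)       # e.g. 92ef5b4d.sys
ROOT_AUTORUN = re.compile(r"^[a-z]:\\autorun\.inf$", re.I)  # autorun.inf at a drive root


@dataclass
class Finding:
    severity: str   # "high", "medium" or "low" (assumed scale)
    reason: str
    line: str


def _check_file(m: "re.Match[str]", line: str) -> list[Finding]:
    path = m.group("path")
    attrs = m.group("attrs")
    size = int(m.group("size").replace(",", "")) if m.group("size") else None
    name = path.rsplit("\\", 1)[-1]
    lower = path.lower()
    out = []
    if "\\drivers\\" in lower and HEX_DRIVER.match(name):
        out.append(Finding("high", "kernel driver with a random-looking hexadecimal name", line))
    if size is not None and size <= 1 and "\\windows\\" in lower:
        out.append(Finding("medium", "near-empty marker file under the Windows directory", line))
    if ROOT_AUTORUN.match(path) and "h" in attrs and "s" in attrs:
        out.append(Finding("medium", "hidden+system autorun.inf at drive root", line))
    return out


def triage(log_text: str) -> list[Finding]:
    """Walk a DDS-style log and return the lines a helper would ask about."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FILE_LINE.match(line)
        if m:
            findings.extend(_check_file(m, line))
            continue
        key, sep, value = line.partition(" = ")
        if sep and key == "uInternet Settings,ProxyServer":
            # A proxy on localhost means some process on this box sits between
            # the browser and the network; that is the hijack described in post #1.
            if re.search(r"localhost|127\.0\.0\.1", value, re.I):
                findings.append(Finding("high", "browser proxy points at a local port", line))
        elif line.startswith(("TB:", "EB:", "BHO:")) and line.endswith("- No File"):
            findings.append(Finding("low", "orphaned toolbar/BHO registration, file missing", line))
    return findings


def count_by_severity(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

Running it over the excerpt gives two high findings (the localhost proxy and `92ef5b4d.sys`), three medium (`autorun.inf`, `nfr.assembly`, `t55ft3518f44.dat`) and one low (the orphaned toolbar); legitimate entries such as `mbam.sys` and the Canon printer DLL pass through silently. The point is not that these heuristics prove infection, only that they reproduce which lines a human helper stops on, so the follow-up (hash the file, submit it for analysis, check the service that loads the driver) starts from the right place.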


#2 Thunder


  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 12 March 2009 - 05:37 PM

Hello Thefactualopinion and welcome to Bleeping Computer,

1. Please download GooredFix and save it to your Desktop.
  • Select "2. Fix Goored" by typing 2 and pressing Enter.
  • Make sure all instances of Firefox are closed at this point.
  • Type y at the prompt and press Enter again.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

2. Please read this tutorial carefully to download ComboFix from one of the locations specified, and save it to your Desktop.
Double click the ComboFix icon to run it.
If ComboFix asks you to install the Recovery Console, please do so.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbup2:

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...

#3 thefactualopinion

  • Topic Starter

  • Members
  • 20 posts

Posted 12 March 2009 - 07:08 PM

Thanks Thunder. I'm in the process of running the ComboFix log. I don't have an active internet connection on the computer--not sure why, it stopped working at some point during the period while the computer was purposely disconnected--so I wasn't able to install the Windows Recovery Console, and the instructions I found on the Microsoft site to install off disk didn't work. (The error message at the D: prompt was that I wasn't using a valid command.)

However, there's been a bit of a major development with this particular computer, and I'm not sure if you'll want to continue on with helping me or if it's a waste of your time: the computer had shut down due to overheating--happens sometimes with this model--and when I attempted to reboot it, it wouldn't start Windows. After the initial password entry, both on my User name as well as the Administrator function, Windows would start and immediately end, as if I had just used the Log Out or Reset function. It stayed in this loop consistently. What I did to get it back up and running as a functioning computer was to use the Windows Repair program (which basically installed a fresh copy of Windows XP without deleting all my personal files) off the Windows XP CD that came with the computer. Now Windows starts up fine, although it's now back on Service Pack 1 and the Internet doesn't work at all.

I apologize for doing something this drastic on my own--I know it makes it hard to help me--but in my defense, I hadn't finished backing up my personal data off the computer and was just trying to find a way to get the computer to let me on long enough to do so.

#4 thefactualopinion

  • Topic Starter

  • Members
  • 20 posts

Posted 12 March 2009 - 09:07 PM

Goored Log:

G

Edited by thefactualopinion, 12 March 2009 - 09:10 PM.


#5 thefactualopinion

  • Topic Starter

  • Members
  • 20 posts

Posted 12 March 2009 - 09:08 PM

COMBOFIX LOG

ComboFix 09-03-10.03 - Administrator 2009-03-12 19:39:22.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.1023.718 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2009-02-13 to 2009-03-13 )))))))))))))))))))))))))))))))
.

2009-03-11 19:21 . 2009-03-11 19:21 <DIR> d--h----- c:\documents and settings\Administrator\Application Data\GTek
2009-03-11 19:05 . 2003-07-16 11:38 2,178,131 --a--c--- c:\windows\SYSTEM32\DLLCACHE\shvlres.dll
2009-03-11 19:04 . 2003-07-16 11:17 1,875,968 --a--c--- c:\windows\SYSTEM32\DLLCACHE\msir3jp.lex
2009-03-11 19:03 . 2003-07-16 11:16 13,463,552 --a--c--- c:\windows\SYSTEM32\DLLCACHE\hwxjpn.dll
2009-03-11 19:02 . 2003-07-16 11:18 1,817,687 --a--c--- c:\windows\SYSTEM32\DLLCACHE\bckgres.dll
2009-03-11 19:01 . 2002-05-14 11:08 872,557 --a--c--- c:\windows\SYSTEM32\DLLCACHE\fp4awel.dll
2009-03-11 18:49 . 2001-08-17 21:36 176,640 --a------ c:\windows\SYSTEM32\LXSYSUI.DLL
2009-03-11 18:48 . 2009-03-11 18:48 488 -rah----- c:\windows\SYSTEM32\logonui.exe.manifest
2009-03-11 18:46 . 2003-07-16 11:29 487,424 --a--c--- c:\windows\SYSTEM32\DLLCACHE\msado15.dll
2009-03-11 18:45 . 2003-07-16 11:19 1,267,712 --a--c--- c:\windows\SYSTEM32\DLLCACHE\cimwin32.dll
2009-03-11 18:44 . 2001-08-17 12:59 50,048 --a------ c:\windows\SYSTEM32\DRIVERS\DMusic.sys
2009-03-11 18:43 . 2002-08-29 00:27 56,576 --a------ c:\windows\SYSTEM32\DRIVERS\redbook.sys
2009-03-11 18:43 . 2002-08-29 00:32 5,888 --a------ c:\windows\SYSTEM32\DRIVERS\splitter.sys
2009-03-11 18:42 . 2001-08-17 21:37 117,248 --a------ c:\windows\SYSTEM32\ksproxy.ax
2009-03-11 18:42 . 2001-08-17 21:36 4,096 --a------ c:\windows\SYSTEM32\ksuser.dll
2009-03-11 18:41 . 2002-08-29 00:06 182,400 --a------ c:\windows\SYSTEM32\DRIVERS\rdpdr.sys
2009-03-11 18:41 . 2002-08-29 02:46 38,024 --a------ c:\windows\SYSTEM32\DRIVERS\termdd.sys
2009-03-11 18:39 . 2003-07-16 11:37 696,320 --a--c--- c:\windows\SYSTEM32\DLLCACHE\sapi.dll
2009-03-11 18:39 . 2003-07-16 11:37 147,456 --a--c--- c:\windows\SYSTEM32\DLLCACHE\sapi.cpl
2009-03-11 18:39 . 2003-07-16 11:45 132,096 --a------ c:\windows\SYSTEM\WINSPOOL.DRV
2009-03-11 18:39 . 2003-07-16 11:40 24,661 --a------ c:\windows\SYSTEM32\spxcoins.dll
2009-03-11 18:39 . 2003-07-16 11:40 24,661 --a--c--- c:\windows\SYSTEM32\DLLCACHE\spxcoins.dll
2009-03-11 18:39 . 2003-07-16 11:25 13,312 --a------ c:\windows\SYSTEM32\irclass.dll
2009-03-11 18:39 . 2003-07-16 11:25 13,312 --a--c--- c:\windows\SYSTEM32\DLLCACHE\irclass.dll
2009-03-11 18:39 . 2003-07-16 11:25 10,496 --a------ c:\windows\SYSTEM32\DRIVERS\irenum.sys
2009-03-11 18:39 . 2003-07-16 11:25 10,496 --a--c--- c:\windows\SYSTEM32\DLLCACHE\irenum.sys
2009-03-11 14:23 . 2009-03-11 14:23 <DIR> d-------- c:\windows\java
2009-03-09 21:53 . 2009-03-09 21:53 <DIR> d-------- c:\program files\microsoft frontpage
2009-03-07 23:16 . 2009-03-07 23:17 <DIR> d-------- c:\documents and settings\USER\DoctorWeb
2009-03-07 15:42 . 2009-03-12 19:46 105,326 --a------ c:\windows\SYSTEM32\DRIVERS\92ef5b4d.sys
2009-03-07 15:42 . 2009-03-07 15:42 2 --a------ C:\-195875952
2009-03-07 13:32 . 2009-03-08 20:30 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-07 13:32 . 2009-02-11 10:19 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2009-03-07 13:32 . 2009-02-11 10:19 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2009-03-07 12:53 . 2009-03-07 14:00 <DIR> d-------- c:\windows\SYSTEM32\CatRoot_bak
2009-03-06 23:13 . 2009-03-06 23:13 <DIR> d-------- C:\AutoRuns
2009-03-06 15:27 . 2009-03-07 17:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-03-06 11:06 . 2009-03-06 11:06 12,800 --a------ c:\windows\SYSTEM32\dll32.dll
2009-03-06 07:58 . 2009-03-06 07:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-03-06 00:47 . 2009-03-06 00:47 0 --a------ c:\windows\SYSTEM32\nfr.assembly
2009-03-06 00:13 . 2009-03-06 15:03 <DIR> d-------- c:\documents and settings\USER\Application Data\SUPERAntiSpyware.com
2009-03-05 23:51 . 2004-08-04 02:56 24,576 --a------ c:\windows\SYSTEM32\stu2.exe
2009-03-05 20:42 . 2009-03-05 20:42 0 --a------ c:\windows\SYSTEM32\nfr.gpref
2009-03-05 20:24 . 2009-03-05 20:24 1 ---h----- c:\windows\t55ft3518f44.dat
2009-03-05 20:24 . 2009-03-05 20:24 1 --a------ c:\windows\9gdfgjf23
2009-02-19 19:04 . 2009-02-19 19:04 <DIR> d--h----- c:\windows\SYSTEM32\CanonIJ Uninstaller Information
2009-02-19 19:04 . 2009-02-19 19:04 <DIR> d--h----- c:\program files\CanonBJ
2009-02-19 19:04 . 2007-03-23 16:30 1,400,832 --a------ c:\windows\SYSTEM32\CNQ2412C.DLL
2009-02-19 19:04 . 2007-04-17 09:16 1,155,072 --a------ c:\windows\SYSTEM32\CNQ2412L.DLL
2009-02-19 19:04 . 2007-03-15 14:12 188,416 --a------ c:\windows\SYSTEM32\CNQ2412O.DLL
2009-02-19 19:04 . 2007-03-23 16:29 98,304 --a------ c:\windows\SYSTEM32\CNQ2412I.DLL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-12 23:56 --------- d-----w c:\documents and settings\USER\Application Data\DNA
2009-03-12 23:55 --------- d-----w c:\program files\DNA
2009-03-12 00:26 45,056 -c--a-w c:\windows\NCUNINST.EXE
2009-03-10 02:41 --------- d-----w c:\program files\BitTorrent
2009-03-09 03:21 --------- d-----w c:\program files\Common Files\Real
2009-03-06 18:55 --------- d-----w c:\program files\Java
2009-03-06 15:53 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-02-20 00:18 --------- d-----w c:\program files\Common Files\Adobe
2009-02-20 00:18 --------- d-----w c:\documents and settings\Tucker Stone\Application Data\AdobeUM
2009-01-25 21:57 --------- d-----w c:\program files\Soulseek
.

------- Sigcheck -------

2008-04-13 13:53 36608 3bb22519a194418d5fec05d800a19ad0 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\ip6fw.sys
2004-08-04 01:00 29056 4448006b6bc60e6c027932cfc38d6855 c:\windows\SYSTEM32\DRIVERS\ip6fw.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-03-12_19.21.42.19 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-13 00:46:13 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_ac.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\System32\ctfmon.exe" [2003-07-16 13312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-06-24 77914]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-24 729178]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-05-22 327680]
"DadApp"="c:\program files\Dell\AccessDirect\dadapp.exe" [2002-11-01 208560]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-09-23 204800]
"DwlClient"="c:\program files\Common Files\Dell\EUSW\Support.exe" [2004-05-27 323584]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"AirPort Base Station Agent"="c:\program files\AirPort\APAgent.exe" [2008-05-20 737280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-03 136600]
"ATIModeChange"="Ati2mdxx.exe" [2002-08-28 c:\windows\SYSTEM32\Ati2mdxx.exe]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 c:\windows\BCMSMMSG.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 15:09 413696 c:\program files\QuickTime\QTTask.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AirPort\\APAgent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:UDP"= 5353:UDP:Bonjour

S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-02-18 24652]
.
Contents of the 'Scheduled Tasks' folder

2009-02-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dell.com
mSearch Bar =
uInternet Connection Wizard,ShellNext = hxxp://xtoff/
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-12 19:46:34
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DwlClient = c:\program files\Common Files\Dell\EUSW\Support.exe?l?e?s?\?D?e?l?l?\?E?U?S?W?\?S?u?p?p?o?r?t?.?e?x?e???x???x???????????????????x???h???????x???x???????????x???h???????x???x???????????????????????`??????????????????w????????????j??w????x???x??????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\controlset004\Services\92ef5b4d]
"ImagePath"="\SystemRoot\System32\drivers\92ef5b4d.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(844)
c:\windows\System32\ODBC32.dll
c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
c:\windows\System32\msctfime.ime

- - - - - - - > 'lsass.exe'(900)
c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
c:\windows\System32\dssenh.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\ati2evxx.exe
c:\windows\SYSTEM32\WgaTray.exe
c:\program files\Dell\Support\Alert\bin\NotifyAlert.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\SYSTEM32\WLTRYSVC.EXE
c:\windows\SYSTEM32\BCMWLTRY.EXE
c:\windows\SYSTEM32\WBEM\wmiapsrv.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-03-12 19:49:08 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-13 00:49:06
ComboFix2.txt 2009-03-13 00:22:24

Pre-Run: 19,920,158,720 bytes free
Post-Run: 19,899,801,600 bytes free

Current=4 Default=4 Failed=0 LastKnownGood=3 Sets=1,2,3,4,5
184 --- E O F --- 2009-03-06 13:37:03

#6 Thunder


  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 13 March 2009 - 06:45 PM

Hello Thefactualopinion,

Did you check if your network adapter software is still properly installed?
If it is, try this:

Download and Run WinsockFix
  • Download WinsockXPFix and save it to your desktop.
  • Double Click on Posted Image on your desktop.
  • Push the Posted Image button.
  • Allow your system to reboot afterwards.
Please go to http://www.virustotal.com/en/virustotalf.html
Click on the 'Analysis' tab.
Copy the next line and paste it in the Upload window: c:\windows\SYSTEM32\DRIVERS\92ef5b4d.sys
Then click on 'Send File'.
Post the results into your next reply.
Repeat the procedure with: c:\windows\SYSTEM32\stu2.exe
Greetings,
Thunder
Whatever happens, make believe it was intended to ...

#7 thefactualopinion

  • Topic Starter

  • Members
  • 20 posts

Posted 16 March 2009 - 06:51 PM

Thunder, sorry I'm taking so long to respond here. I've been trying to figure out the internet connection problem. I haven't been able to. I did manage to use the flash USB and my wife's computer to download and run WinsockFix, but I can't get online to run the other program.

I'm not sure what it is I'm doing wrong; the internet software and drivers seem to be the same as they were, and the internet connection is working fine on my wife's computer. Is there another step I should take?
