Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

gaopdxcounter infection


  • Please log in to reply
12 replies to this topic

#1 Shakeydeal

Shakeydeal

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:09:42 PM

Posted 11 April 2009 - 06:10 AM

Hello:

I've got a recurring gaopdxcounter infection, and from what I've read about rootkits, I'm prepared to reformat and reinstall, just to be safe. My main concern at this point is whether my external hard drives also may be infected, and whether it's safe to back up data to them.

Some background: This intially showed up as a RECYCLER infection in my C drive, as well as my externals. Here's the original Malwarebytes log from a scan of the C drive:

Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 5.1.2600 Service Pack 2

3/23/2009 4:37:14 AM
mbam-log-2009-03-23 (04-37-01).txt

Scan type: Quick Scan
Objects scanned: 74983
Time elapsed: 15 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 13
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.233,85.255.112.19 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9d6b0bea-dcdd-4145-b21c-95a302295a36}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.233,85.255.112.19 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9d6b0bea-dcdd-4145-b21c-95a302295a36}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.233,85.255.112.19 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f0fff07b-497e-4889-a20e-d2e49ffb1b0d}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.233,85.255.112.19 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.233,85.255.112.19 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{9d6b0bea-dcdd-4145-b21c-95a302295a36}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.233,85.255.112.19 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{9d6b0bea-dcdd-4145-b21c-95a302295a36}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.233,85.255.112.19 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{f0fff07b-497e-4889-a20e-d2e49ffb1b0d}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.233,85.255.112.19 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.233,85.255.112.19 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{9d6b0bea-dcdd-4145-b21c-95a302295a36}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.233,85.255.112.19 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{9d6b0bea-dcdd-4145-b21c-95a302295a36}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.233,85.255.112.19 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{f0fff07b-497e-4889-a20e-d2e49ffb1b0d}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.233,85.255.112.19 -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\RECYCLER\S-3-3-24-100027914-100005775-100016831-5949.com (Trojan.Agent) -> No action taken.


I then ran Autorun Eater, which said that it cleaned up infected autorun.inf files on all drives. I did another Malwarebytes scan of all drives after that, with this result:

Malwarebytes' Anti-Malware 1.35
Database version: 1904
Windows 5.1.2600 Service Pack 2

3/28/2009 7:44:59 AM
mbam-log-2009-03-28 (07-44-59).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 186300
Time elapsed: 1 hour(s), 32 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\gaopdxcounter (Trojan.Agent) -> Quarantined and deleted successfully.


Though Malwarebytes claims to delete the infection, it always comes back when I reboot. I've done separate scans of the externals, and they come back clean for those letter drives, but the C:\WINDOWS\system32\gaopdxcounter always shows up in those scans as well. (For what it's worth, I've noticed than when I scan the C drive without the externals attached, the infection does not show up - though it's still there, as my Google search results still are redirected.)

I'm ready to back up data off my C drive and proceed to reformat/reinstallation, but my concerns include:
- Could backing up data from the infected C drive infect my externals?
- Might they still be infected from the original intrusion? If so, could they be cleaned up? (I've heard about Flash Disinfector, but not sure if it would be appropriate in this case.) Would it be safe to plug them into a clean computer, and/or back up data from them to clean externals?
- Where can I find a reliable tutorial for the reformat/reinstall process?

Here's my DDS.txt log. Thanks much for any advice you can provide, and keep up the good work.


DDS (Ver_09-03-16.01) - NTFSx86
Run by Ellasdad at 3:36:26.08 on Sat 04/11/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.495.190 [GMT -7:00]

AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Compaq\EAB\EabServr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\system32\hphmon04.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NetMeter\NetMeter.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\knlwrap.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\iKernel.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Documents and Settings\Ellasdad\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uWindow Title = Microsoft Internet Explorer provided by Compaq
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://rd.yahoo.com/customize/yessentials_cq/defaults/sb/*http://www.yahoo.com/search/ie.html
uInternet Settings,ProxyOverride = 127.0.0.1
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: XBTBPos00: {a50b6e91-4081-4b37-bea1-ad98a3cd51ba} - XBTBPos00 Class
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {F8CC9B08-C14F-4A5C-B73B-518AFECC067A} - No File
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {9404901D-06DA-4B23-A0EE-3EA4F64EC9B3} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [c:\program files\netmeter\netmeter.exe] c:\program files\netmeter\NetMeter.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10a.exe
mRun: [ATIModeChange] Ati2mdxx.exe
mRun: [AtiPTA] atiptaxx.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [eabconfg.cpl] c:\program files\compaq\eab\EabServr.exe /Start
mRun: [srmclean] c:\cpqs\scom\srmclean.exe
mRun: [Microsoft Works Portfolio] c:\program files\microsoft works\WksSb.exe /AllUsers
mRun: [Microsoft Works Update Detection] c:\program files\microsoft works\WkDetect.exe
mRun: [Cpqset] c:\compaq\cpqsetup\cpqset.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb05.exe
mRun: [HPHmon04] c:\windows\system32\hphmon04.exe
mRun: [HPHUPD04] "c:\program files\hp photosmart 11\hphinstall\unipatch\hphupd04.exe"
mRun: [WinampAgent] c:\program files\winamp\winampa.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\google~1.lnk - c:\program files\google\google updater\GoogleUpdater.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\instan~1.lnk - c:\program files\linksys\wpc11 config utility\WPC11Cfg.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\common files\microsoft shared\works shared\wkcalrem.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1129670123054
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1131444448316
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - hxxp://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} - hxxp://entimg.msn.com/client/msnmusax3503.cab
TCP: {F0FFF07B-497E-4889-A20E-D2E49FFB1B0D} = 68.87.69.146,68.87.85.98

================= FIREFOX ===================

FF - ProfilePath -

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\mozilla firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-27 64160]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-10-24 34824]
R2 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2008-10-24 468224]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 951632]
R3 C4C_BSC2;C4C_BSC2;c:\windows\system32\drivers\C4C_BSC2.sys [2002-7-8 84788]
R3 WPC11;Instant Wireless Network PC Card V3.0 Driver;c:\windows\system32\drivers\LSWLNDS.sys [2007-6-15 54083]
R4 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-3-27 38496]
S3 ALiIRDA;ALi Infrared Device Driver;c:\windows\system32\drivers\alifir.sys [2002-6-5 26624]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2008-11-11 33752]
S3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-11-8 1252232]

=============== Created Last 30 ================

2009-03-27 07:19 15,688 a------- c:\windows\system32\lsdelete.exe
2009-03-27 05:31 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-03-27 05:29 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-03-27 05:29 <DIR> --d----- c:\program files\Lavasoft
2009-03-27 02:11 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-27 02:11 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-27 02:11 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-27 00:21 4,212 ----h--- c:\windows\system32\zllictbl.dat
2009-03-27 00:20 <DIR> --d----- c:\windows\system32\ZoneLabs
2009-03-27 00:19 <DIR> --d----- c:\windows\Internet Logs
2009-03-25 06:10 <DIR> --d----- c:\program files\Trend Micro
2009-03-25 05:58 <DIR> --d----- C:\delcwssk
2009-03-25 05:53 <DIR> --d----- C:\resetsettings
2009-03-25 05:52 220,027 a------- C:\resetsettings.zip
2009-03-25 05:06 5,154,304 a------- C:\WindowsDefender.msi
2009-03-25 04:57 532,480 a------- C:\cwshredder.exe
2009-03-25 04:13 37,452,296 a------- C:\Ad-AwareAE.exe
2009-03-23 04:17 <DIR> --d----- c:\docume~1\ellasdad\applic~1\Malwarebytes
2009-03-23 03:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-23 03:25 2,876,720 a------- C:\mbam-setup.exe
2009-03-23 00:23 <DIR> --d----- c:\program files\Autorun Eater
2009-03-23 00:23 <DIR> --d----- C:\aesetup2.3
2009-03-23 00:22 1,302,891 a------- C:\aesetup2.3.zip

==================== Find3M ====================

2009-03-23 03:05 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-01 05:22 615,355 a------- C:\NetMeter_v113.exe

============= FINISH: 3:36:49.31 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:11:42 PM

Posted 24 April 2009 - 03:32 PM

Hello Shakeydeal,

Posted Image

Sorry about the delay.:thumbup2: If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you.

Please do this:
1. Download HijackThis™ here:
http://www.trendsecure.com/portal/en-US/th.../hijackthis.php

2. Click 'Do a System Scan and Save log'.
The HJT log will open in notepad.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#3 Shakeydeal

Shakeydeal
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:09:42 PM

Posted 24 April 2009 - 09:37 PM

Hi, Tea - yes, I'm still wondering whether to try to fix this or reformat/reinstall, and whether my external drives are safe. Here's a fresh HijackThis log - I'll be offline for a couple of days, but would really appreciate any feedback - thanks.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:34:14 PM, on 4/24/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Compaq\EAB\EabServr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\system32\hphmon04.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NetMeter\NetMeter.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Ellasdad\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/yessentials_.../search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: XBTBPos00 - {A50B6E91-4081-4B37-BEA1-AD98A3CD51BA} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {F8CC9B08-C14F-4A5C-B73B-518AFECC067A} - (no file)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Cpqset] c:\compaq\cpqsetup\cpqset.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [C:\Program Files\NetMeter\NetMeter.exe] C:\Program Files\NetMeter\NetMeter.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Advisor - {76026873-0935-499C-B66A-9FF5EEF45BEA} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1129670123054
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1131444448316
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} (MsnMusicAx Class) - http://entimg.msn.com/client/msnmusax3503.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0FFF07B-497E-4889-A20E-D2E49FFB1B0D}: NameServer = 68.87.69.146,68.87.85.98
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 9269 bytes

Edited by Shakeydeal, 24 April 2009 - 09:38 PM.


#4 Shakeydeal

Shakeydeal
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:09:42 PM

Posted 27 April 2009 - 12:49 PM

One further development: I had moved some small amounts of data from the infected computer to a second computer using a thumb drive. I ran Flash Disinfector on the thumb drive each time I plugged it into the second computer, then did a Malwarebytes scan of both the C drive and the thumb drive after that, and everything was clean. Then, when I turned my computer on over the weekend (a few days after the latest data transfer), a Symantec autoscan said it detected a Trojan in FlashDisinfector.exe, as well as in a related file in System Restore. It said it successfully quarantined them, and further scans have been clean. Could this have been a result of my thumb drive becoming infected through contact with the infected computer? Is there a safe way to transfer data to the second computer using drives that have been in contact with the infected computer? In addition to Symantec antivirus on the second computer, I'm running Spyware Blaster and Windows Defender, but was thinking about switching to the paid version of Malwarebytes for real-time protection instead of Defender.

#5 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:11:42 PM

Posted 29 April 2009 - 11:58 AM

Hello,

Plug your flash drive in when you run this tool. Heh.....you ran FlashDisinfector.exe, so naturally Norton is going to find the quarantined infection there. We'll take care of System Restore when the system is clean.

Also...are you suing Norton or Eset? You can't run both. You'll overload the system to the point of instability.

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

If ComboFix will not run the first time, then rename ComboFix.exe to Shakeydeal.exe and try it again. :thumbup2:

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#6 Shakeydeal

Shakeydeal
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:09:42 PM

Posted 30 April 2009 - 05:52 AM

Hi, Tea:

Thanks for the reply, and hope you're feeling better. Below are my ComboFix and fresh HijackThis logs. FYI, when running ComboFix, I attached the two external drives and two thumb drives that had been exposed to the infected computer. As for your question regarding antivirus programs, I'm running Eset on the computer that has been infected, Norton on a second computer where I had moved some data, as previously described. (If you're seeing something in the logs relating to Norton running on the infected computer, I was using it before Eset but uninstalled it, which I understand doesn't always work completely.) Thanks again for all of your help, and looking forward to any further guidance (including anything you might be able to tell me about the health of those external drives) -

Shakes


ComboFix 09-04-29.03 - Ellasdad 04/30/2009 2:54.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.495.207 [GMT -7:00]
Running from: c:\documents and settings\Ellasdad\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated)
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\gaopdxoruhborswawamujbimxdqboliltowkdc.sys
c:\windows\system32\drivers\gaopdxqvrdqgvmqfuirvaswwptilixgywkqidu.sys
c:\windows\system32\gaopdxcounter
c:\windows\system32\gaopdxepavnnhklyxpsxyiqxrrwglrpmvvbnio.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gaopdxserv.sys


((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-30 )))))))))))))))))))))))))))))))
.

2009-04-24 08:56 . 2009-04-24 09:03 -------- d-----w C:\nyv1986-07-04 Farm Aid (upgrade)
2009-04-24 07:07 . 2009-04-24 07:17 -------- d-----w C:\R.E.M. 1982-10-06 New Haven
2009-04-24 06:55 . 2009-04-24 07:11 -------- d-----w C:\R.E.M. 1982-04-14 New Haven
2009-04-22 11:28 . 2009-04-22 12:05 -------- d-----w C:\R.E.M. 1981-09-22 Athens
2009-04-18 18:14 . 2009-03-06 14:44 283648 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-18 18:14 . 2005-07-26 04:39 60416 ------w c:\windows\system32\dllcache\colbact.dll
2009-04-18 18:14 . 2009-02-06 16:54 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-18 18:14 . 2009-02-09 10:20 399360 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-18 18:14 . 2009-02-06 17:14 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-18 18:14 . 2009-02-09 10:20 473088 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-18 18:14 . 2009-02-06 16:39 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-18 18:14 . 2009-02-09 10:20 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-18 18:14 . 2009-02-09 10:20 616960 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-18 18:14 . 2009-02-09 10:20 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-18 18:13 . 2008-04-21 10:02 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-18 18:00 . 2009-04-18 18:11 -------- d-----w C:\ny2009-04-13 Kingston
2009-04-16 04:06 . 2009-04-16 04:27 -------- d-----w C:\ny2009-04-11 Saint John, NB
2009-04-14 06:33 . 2009-04-14 07:10 -------- d-----w C:\ny1978-05-25 SF (early)
2009-04-14 06:30 . 2009-04-14 06:37 -------- d-----w C:\ny1978-05-26 SF (early)
2009-04-14 06:28 . 2009-04-14 06:50 -------- d-----w C:\ny1978-05-27 SF (late)
2009-04-14 06:26 . 2009-04-14 06:26 -------- d-----w C:\ny1978-05-28 SF (late - incomplete)
2009-04-14 06:00 . 2009-04-14 07:36 -------- d-----w C:\ny1983-09-27 Atlanta
2009-04-14 04:51 . 2009-04-14 04:56 -------- d-----w C:\nyv1986-07-04 Farm Aid

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-11 09:27 . 2005-12-28 11:17 -------- d-----w c:\program files\Furthur
2009-04-11 09:27 . 2005-11-20 00:43 -------- d-----w c:\program files\Common Files\Adaptec Shared
2009-04-10 15:20 . 2009-03-23 07:23 -------- d-----w c:\program files\Autorun Eater
2009-04-07 06:16 . 2006-03-07 07:00 -------- d-----w c:\program files\SmartFTP Client 2.0 Setup Files
2009-04-07 06:14 . 2006-03-04 09:00 -------- d-----w c:\program files\vso
2009-04-07 06:13 . 2006-10-31 06:19 -------- d-----w c:\program files\01-mp3search
2009-03-27 12:29 . 2009-03-27 12:29 -------- d-----w c:\program files\Lavasoft
2009-03-27 11:48 . 2009-03-27 09:11 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-03-27 09:21 . 2009-03-27 07:21 4212 ---h--w c:\windows\system32\zllictbl.dat
2009-03-27 06:19 . 2002-06-06 03:38 -------- d-----w c:\program files\COMPAQ
2009-03-27 06:01 . 2009-03-27 06:01 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-03-27 05:52 . 2002-06-06 03:38 -------- d-----w c:\program files\Common Files\Adobe
2009-03-27 05:30 . 2007-02-07 13:58 -------- d-----w c:\program files\XoftSpySE
2009-03-26 23:49 . 2009-03-27 09:11 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-26 23:49 . 2009-03-27 09:11 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-26 10:01 . 2007-02-06 07:52 -------- d-----w c:\program files\RegCure
2009-03-25 13:10 . 2009-03-25 13:10 -------- d-----w c:\program files\Trend Micro
2009-03-25 12:53 . 2009-03-25 12:52 220027 ----a-w C:\resetsettings.zip
2009-03-25 12:10 . 2005-10-19 18:03 60040 ----a-w c:\documents and settings\Ellasdad\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-25 11:57 . 2009-03-25 11:57 532480 ----a-w C:\cwshredder.exe
2009-03-25 11:14 . 2009-03-25 11:13 37452296 ----a-w C:\Ad-AwareAE.exe
2009-03-23 10:24 . 2009-03-23 10:25 2876720 ----a-w C:\mbam-setup.exe
2009-03-23 10:05 . 2008-12-05 17:19 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-23 10:05 . 2005-12-28 11:12 -------- d-----w c:\program files\Java
2009-03-23 07:22 . 2009-03-23 07:22 1302891 ----a-w C:\aesetup2.3.zip
2009-03-09 19:06 . 2009-03-27 14:19 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-03-09 19:06 . 2009-03-27 12:31 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-03-06 14:44 . 2001-08-18 13:00 283648 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2001-08-18 13:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2005-10-18 19:52 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 10:20 . 2001-08-18 13:00 723456 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:20 . 2001-08-18 13:00 399360 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:20 . 2001-08-18 13:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 10:20 . 2001-08-18 13:00 616960 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:19 . 2001-08-18 13:00 1846272 ----a-w c:\windows\system32\win32k.sys
2009-02-06 17:24 . 2001-08-18 13:00 2180480 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 17:14 . 2001-08-18 13:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 16:54 . 2001-08-18 13:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 16:49 . 2001-08-18 13:00 2057728 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 20:08 . 2001-08-18 13:00 55808 ----a-w c:\windows\system32\secur32.dll
2009-02-01 12:22 . 2009-02-01 12:22 615355 ----a-w C:\NetMeter_v113.exe
2006-10-04 15:58 . 2006-10-04 15:58 60526 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2006-10-04 15:58 . 2006-10-04 15:58 49256 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2006-10-04 15:58 . 2006-10-04 15:58 166000 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-03-30 68856]
"c:\program files\NetMeter\NetMeter.exe"="c:\program files\NetMeter\NetMeter.exe" [2007-08-11 331264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
"eabconfg.cpl"="c:\program files\Compaq\EAB\EabServr.exe" [2002-04-09 69632]
"srmclean"="c:\cpqs\Scom\srmclean.exe" [2001-07-24 36864]
"Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2000-07-13 311350]
"Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [2000-07-13 28739]
"Cpqset"="c:\compaq\cpqsetup\cpqset.exe" [2002-05-09 172101]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-05-24 188416]
"HPHmon04"="c:\windows\system32\hphmon04.exe" [2002-06-20 339968]
"HPHUPD04"="c:\program files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe" [2002-05-24 49152]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2006-01-30 35328]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-02-26 155648]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-10-25 1451264]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-23 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
"ATIModeChange"="Ati2mdxx.exe" - c:\windows\system32\Ati2mdxx.exe [2002-04-08 28672]
"AtiPTA"="atiptaxx.exe" - c:\windows\system32\atiptaxx.exe [2002-04-08 286720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - c:\program files\Google\Google Updater\GoogleUpdater.exe [2006-12-10 124912]
Instant Wireless Configuration Utility.lnk - c:\program files\Linksys\WPC11 Config Utility\WPC11Cfg.exe [2007-6-15 180224]
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2000-7-13 24633]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"MIDI2"= SYNCOR11.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\utorrent\\utorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6881:TCP"= 6881:TCP:127.0.0.1
"54701:TCP"= 54701:TCP:Port
"37477:TCP"= 37477:TCP:Port

R3 ALiIRDA;ALi Infrared Device Driver;c:\windows\system32\DRIVERS\alifir.sys [2001-08-17 26624]
R3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-10-06 33752]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-03-09 64160]
S1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2008-10-25 34824]
S2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-10-25 468224]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]
S3 C4C_BSC2;C4C_BSC2;c:\windows\system32\DRIVERS\C4C_BSC2.sys [2002-07-09 84788]
S3 WPC11;Instant Wireless Network PC Card V3.0 Driver;c:\windows\system32\DRIVERS\LSWLNDS.sys [2002-05-16 54083]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1487efec-dcd0-11dd-8630-000625153cb6}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-04-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:06]

2009-04-30 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2007-08-02 16:20]

2007-02-07 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2007-08-02 16:20]

2005-10-23 c:\windows\Tasks\Registration reminder 1.job
- c:\windows\System32\OOBE\oobebaln.exe [2001-08-18 07:56]

2005-10-28 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\System32\OOBE\oobebaln.exe [2001-08-18 07:56]

2005-10-18 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\System32\OOBE\oobebaln.exe [2001-08-18 07:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://rd.yahoo.com/customize/yessentials_cq/defaults/sb/*http://www.yahoo.com/search/ie.html
uInternet Settings,ProxyOverride = 127.0.0.1
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
TCP: {F0FFF07B-497E-4889-A20E-D2E49FFB1B0D} = 68.87.69.146,68.87.85.98
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath -

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-30 03:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2009-04-30 3:05
ComboFix-quarantined-files.txt 2009-04-30 10:04

Pre-Run: 4,814,331,904 bytes free
Post-Run: 5,394,100,224 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

212 --- E O F --- 2009-04-18 18:23



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:38:21 AM, on 4/30/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Compaq\EAB\EabServr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\system32\hphmon04.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NetMeter\NetMeter.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Ellasdad\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/yessentials_.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: XBTBPos00 - {A50B6E91-4081-4B37-BEA1-AD98A3CD51BA} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {F8CC9B08-C14F-4A5C-B73B-518AFECC067A} - (no file)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Cpqset] c:\compaq\cpqsetup\cpqset.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [C:\Program Files\NetMeter\NetMeter.exe] C:\Program Files\NetMeter\NetMeter.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Advisor - {76026873-0935-499C-B66A-9FF5EEF45BEA} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1129670123054
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1131444448316
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} (MsnMusicAx Class) - http://entimg.msn.com/client/msnmusax3503.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0FFF07B-497E-4889-A20E-D2E49FFB1B0D}: NameServer = 68.87.69.146,68.87.85.98
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 9266 bytes

#7 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:11:42 PM

Posted 30 April 2009 - 01:34 PM

Hi there,

.....and thanks. :)

Okay....so we got the rootkit that time. :thumbup2: Looks like all the files, so it should not come back.

For Norton it never uninstalls cleanly, so run this tool :

The Norton uninstall tool uninstalls ALL Norton 2004/2005/2006/2007/2008/2009 products from your computer. It also uninstalls Norton Ghost 10.0/9.0/2003. http://service1.symantec.com/SUPPORT/tsgen...005033108162039

Are you still being redirected? You shouldn't be, but better to ask. :step4:

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: XBTBPos00 - {A50B6E91-4081-4B37-BEA1-AD98A3CD51BA} - (no file)
O3 - Toolbar: (no name) - {F8CC9B08-C14F-4A5C-B73B-518AFECC067A} - (no file)


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Reboot your computer.

Looking pretty good at this end....how is it running please?

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#8 Shakeydeal

Shakeydeal
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:09:42 PM

Posted 30 April 2009 - 01:49 PM

Tea:

Thanks for the speedy response. Everything seems OK on this end - my browser no longer is redirected, and I ran a full Malwarebytes scan of all drives, including the attached externals, and everything came back clean. Are there any further precautions I should take if I want to connect those external drives to my other, clean computer?

Thanks also for the Norton link - I think I might already have that tool installed (am at work now so can't check), but I'll try it again. And I'll run that HijackThis scan when I get home, too.

Really appreciate everything you folks do - take care -

Shakes

#9 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:11:42 PM

Posted 30 April 2009 - 02:05 PM

Hi,

You're welcome. :)

My advice would be to reformat the thumb drives.....easiest and safest way for those. I don't know how big, or how important, the external drives are. I have to assume by the way you speak of them, that they carry some pretty important data so I can't tell you to reformat them. Personally I think they're all right now that the rootkit is gone. Just be sure to scan them just like you would your main hard drive to be sure they're infection free. :thumbup2:

Regards,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#10 Shakeydeal

Shakeydeal
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:09:42 PM

Posted 03 May 2009 - 07:15 PM

Hello, Tea:

Just wanted to follow up on a couple of things my antivirus (Eset) found since my last post - I think I pretty much know what's going on, but wanted to be sure.

On Thursday night, a message popped up from an Eset autoscan that said there was a potential threat in a system restore file, and asked me to submit it for analysis. I clicked OK, and didn't hear any more about it.

I ran a full Eset system scan overnight, and when I went to the log file this morning, I found the following:

On Thursday, Eset had quarantined the system restore file, along with C:\DOCUME(tilde)1\Ellasdad\LOCALS(tilde)1\Temp\Av-test.txt, which it identified as an Eicar test file. A Google search showed me that this is simply a test file that's generated to make sure an antivirus program is working correctly - is that something that would have happened as part of the process we went through?

The log also showed that Eset this morning had quarantined C:Qoobox\Quarantine\C\WINDOWS\System 32\gaopdxepavnnhklyxpsxyigxrrwglrpmvvbnio.dll.vir. More Googling revealed that Qoobox is where ComboFix quarantines infected files, so it makes sense my antivirus would pick that up. In several posts I read, users were advised to unintstall ComboFix using the combofix \u command - is that something I should do?

Otherwise, everything's running great and my Malwarebytes scans are clean. Thanks again -

Shakes

#11 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:11:42 PM

Posted 04 May 2009 - 03:24 PM

Hello,

Yes, that's all normal behavior, and now that I know all seems well we'll take care of it. :)

Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

Click Start Menu > Run > type (or copy and paste)

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point then click Next. Name it ( something you'll remember) and click Create, when the confirmation screen shows the restore point has been created click Close.

Next goto Start Menu > Run > type

cleanmgr

Click OK, Disk Cleanup will open and start calculating the amount of space that can be freed, Once thats finished it will open the Disk Cleanup options screen, click the More Options tab then click Clean up on the system restore area and choose Yes at the confirmation window which will remove all the restore points except the one we just created.

To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan click OK then choose Yes on the confirmation window.

Now see if Eset comes out squeaky clean. :thumbup2:

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#12 Shakeydeal

Shakeydeal
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:09:42 PM

Posted 07 May 2009 - 01:26 PM

Tea:

OK, did all that and Eset is happy indeed.

One final question: I've been scanning my other computer a fair amount lately to make sure it didn't pick up any infections from externals etc., and the one thing that always shows up in Malwarebytes is that under Alert Settings in the XP Security Center, the "Virus Protection - Alert me if my computer might be at risk because of my virus protection software settings" is unticked. Even if I activate it, it's always unticked when I start up again. Thought I may have read somewhere that this is a Norton thing (I'm running Symantec Corporate as the AV on that one) - is it anything I should be concerned about?

Big thanks again for all of your help, and keep up the good work -

Shakes

#13 Shakeydeal

Shakeydeal
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:09:42 PM

Posted 13 May 2009 - 03:24 AM

A postscript, in case anyone in a similar situation might be reading this: Although everything seemed to be running fine, I had promised myself not to make any credit card purchases or other financial transactions using the "previously" infected computer, just to be safe. In a weak, hurried moment, I broke that rule on Sunday afternoon and bought some concert tickets by entering a card number; on Monday morning, I got a call from the fraud department of my credit card company, saying someone in India had just tried to use a forged card with my number to buy $800 in clothing. I don't know if credit card forgers can work that fast (though I understand it's pretty simple if you have the right equipment), and I realize the number may have gotten out in some other way, but the coincidence is just too striking.

The computer still scans clean with Malwarebytes/Eset/Ad-Aware/Windows Defender, as well as more specialized rootkit detectors like GMER and F-Secure BlackLight. At the moment, I'm debating whether to continue using it (a secondary laptop at home) for simple Web surfing etc. - realizing that anything I do of a more sensitive nature may be monitored by hackers - or bite the bullet and do a complete reformat/reinstall. Either way, I'm starting to wonder if those folks who argue that you can never really get rid of a rootkit infection without reformatting/reinstalling are right.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users