
Internet Connection Problem


This topic is locked
25 replies to this topic

#1 Backward Galaxy

  • Members
  • 13 posts

Posted 17 April 2009 - 01:24 PM

Hi all,

I'm new to this forum, and out of options. I'm decent with computers, but not a genius by any stretch of the imagination.

I think many of the problems that I am facing now come from the fact that I ran Windows Update with the option of updating drivers on my Dell machine. Since then, I get 5 boxes at startup saying that a new unknown hardware device is found, but without any way of identifying them or installing the correct drivers. Regardless, if I cancel through all of these boxes, I can still get the computer to function... that is, I could until yesterday when it stopped connecting to the internet and network. It gives me the infamous Winsock catalogue error problem, but running the reset and restarting doesn't help. I searched the internet for possible fixes and found these forums. I am hopeful you guys can help. I am attaching the HijackThis reports. Please let me know if you need more information.


#2 Farbar

    Just Curious

  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 17 April 2009 - 03:53 PM

Hi Backward Galaxy,

Welcome to BC HijackThis. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.

You need to download mbam-setup.exe, rules.ref and HiJackThis.exe and transfer them to the infected computer as instructed.
  • Please download Malwarebytes' Anti-Malware from MajorGeeks to the working computer and save it.
    • Double click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Close the application.
    • Please make sure that you can view all system and hidden files. Instructions on how to do this can be found here:
      How to see hidden files in Windows
    • Copy the file in bold and place it in the exact location on another computer:

      In Windows XP: C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-malware\rules.ref
      In Windows Vista: C:\Documents and Settings\Users\All Users\Malwarebytes\Malwarebytes' Anti-Malware\rules.ref
    • Save both mbam-setup.exe and rules.ref on a flash drive.
    • Transfer mbam-setup.exe to another computer and double click mbam-setup.exe to install the application.
    • Put rules.ref from the working computer in the exact location on the infected computer to replace its rules.ref.
    • Run MBAM. Select the "quick scan".
    • Make sure that everything is checked, and click Remove Selected.
    • Let it reboot if needed and copy/paste the log into your reply.
    Note: The logs are saved by default under the Logs tab. If the log did not automatically open after reboot you can obtain the latest log from there.

  • Please download HiJackThis.exe and save it to the C: drive of the infected computer. This application doesn't need installation. Please run HijackThis. Click Do a system scan and save a logfile, then copy and paste the content of the log into your reply.


#3 Backward Galaxy

  • Topic Starter
  • Members
  • 13 posts

Posted 17 April 2009 - 05:16 PM

Hi farbar,

I did what you said to the letter, but there is a glitch. When I save the mbam-setup.exe file to the problem computer, it will not allow me to execute the file. I double click it and nothing happens. In the task manager, I can sometimes see the file running as a process, even multiple instances, but the setup never runs on the infected machine.

The contents of the HiJackThis log file are as follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:12:22 PM, on 04/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\UPS\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HiJackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [NA1Messenger] C:\UPS\WSTD\UPSNA1Msgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [MS AntiSpyware 2009] "C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe" /autorun (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MS AntiSpyware 2009] "C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe" /autorun (User 'Default user')
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: UPS WorldShip Messaging Utility.lnk = C:\UPS\WSTD\WSTDMessaging.exe
O4 - Global Startup: UPS WorldShip PLD Reminder Utility.lnk = C:\UPS\WSTD\wstdPldReminder.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/oas/ActiveX/MSDcode.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - http://www.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1223656809921
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1223665693546
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://picture.vzw.com/activex/VerizonWirelessUploadControl.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://xscanner.spyshredderscanner.com/a/install1199.cab
O16 - DPF: {C7B05B62-C8D7-438C-840B-4994DAAA8EEE} - http://webpdp.gator.com/v3/download/pdpplugin5094_hd3ptdmgainads.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/sbcyahoo/TrueInstallSBC.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

--
End of file - 7142 bytes

Any assistance you can offer on this topic would be greatly appreciated. I have also attached a copy of the HiJackThis log file to this post.




#4 Farbar

    Just Curious

  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 17 April 2009 - 05:38 PM

Please copy and paste the logs; there is no need to put them in a code box or attach them until asked. Thanks.

The moment you get connected please stop using the computer until we have installed an antivirus on it.
  • Please open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below (if present):

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,
    HKUS\S-1-5-18\..\Run: [MS AntiSpyware 2009] "C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe" /autorun (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [MS AntiSpyware 2009] "C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe" /autorun (User 'Default user')
    O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://xscanner.spyshredderscanner.com/a/install1199.cab
    O16 - DPF: {C7B05B62-C8D7-438C-840B-4994DAAA8EEE} - http://webpdp.gator.com/v3/download/pdpplu...ptdmgainads.cab


    Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

  • Important: First reboot the computer. Install MBAM, but this time as instructed in the Personal Message I'm going to send.
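The entries Farbar picks out above fall into three classes a log triager can check mechanically: an F2 UserInit value with an extra program chained after userinit.exe, O4 autoruns in the SYSTEM (S-1-5-18) and Default-user hives that point into a user-writable folder, and unnamed O16 ActiveX packages pulled from hosts no vendor on the machine would use. The Python below is an added example, not code from the thread or from HijackThis; it runs those three checks over a constructed excerpt modelled on the log in post #3, and the trusted-domain allowlist is an assumption for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed excerpt modelled on the entry types this thread walks through;
# it is not the full log pasted in post #3.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MS AntiSpyware 2009] "C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe" /autorun (User 'SYSTEM')
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://xscanner.spyshredderscanner.com/a/install1199.cab
"""

# Assumption for the example: hosts whose ActiveX packages (O16 entries) are
# expected on this particular machine. Maintained per environment.
TRUSTED_DPF_DOMAINS = {"microsoft.com", "dell.com", "symantec.com", "crucial.com"}

# Folders a SYSTEM or Default-user autorun has no business pointing into.
USER_WRITABLE_MARKERS = ("\\documents and settings\\", "\\application data\\", "\\temp\\")

# HijackThis prefixes for the SYSTEM (S-1-5-18) and Default-user Run keys.
SYSTEM_HIVES = ("HKUS\\S-1-5-18\\", "HKUS\\.DEFAULT\\")


@dataclass
class Finding:
    section: str  # HijackThis section tag: F2, O4 or O16
    line: str     # the log line that triggered the finding
    reason: str


def extra_userinit_programs(value: str) -> list[str]:
    """Return every program chained onto Winlogon's Userinit besides userinit.exe."""
    parts = [p.strip() for p in value.split(",") if p.strip()]
    return [p for p in parts if not p.lower().endswith("\\userinit.exe")]


def host_is_trusted(host: str) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DPF_DOMAINS)


def triage(log_text: str) -> list[Finding]:
    """Run the three checks over a HijackThis v2 log and return the hits in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tag = line.split(" - ", 1)[0]
        if tag == "F2" and "UserInit=" in line:
            extra = extra_userinit_programs(line.split("UserInit=", 1)[1])
            if extra:
                findings.append(Finding("F2", line, "program chained onto Userinit: " + ", ".join(extra)))
        elif tag == "O4" and any(h in line for h in SYSTEM_HIVES):
            # Executable path after the [name] bracket, quoted or not.
            m = re.search(r'\]\s*"?([^"]+?\.exe)', line, re.IGNORECASE)
            path = m.group(1).lower() if m else ""
            if any(marker in path for marker in USER_WRITABLE_MARKERS):
                findings.append(Finding("O4", line, "SYSTEM/Default-user autorun points into a user-writable folder"))
        elif tag == "O16":
            m = re.search(r"(https?://\S+)$", line)
            host = (urlparse(m.group(1)).hostname or "") if m else ""
            if m and not host_is_trusted(host):
                # Named controls look like "{CLSID} (Friendly Name) - http://..."
                named = re.search(r"\}\s*\([^)]+\)\s*-\s*https?://", line) is not None
                reason = f"ActiveX package from untrusted host {host}"
                if not named:
                    reason += " (control has no registered name)"
                findings.append(Finding("O16", line, reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```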


#5 Backward Galaxy

  • Topic Starter
  • Members
  • 13 posts

Posted 17 April 2009 - 06:54 PM

Thank you for your help.

I did as you requested with the HiJackThis files, fixing only the ones you highlighted.

The instructions from the private message helped me open the setup file, but during the installation process, it gets stuck at "Finishing installation...". It just hangs there and doesn't allow me to cancel out. I am also unable to uninstall the program to try again.

What should I do now?

EDIT: I let it sit for about 10 minutes, and eventually, it was able to finish the installation. However, I am unable to open the program. Same problem as before, just now with the program file.

Edited by Backward Galaxy, 17 April 2009 - 06:57 PM.


#6 Farbar

    Just Curious

  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 18 April 2009 - 02:02 AM

I have sent you a PM.

#7 Backward Galaxy

  • Topic Starter
  • Members
  • 13 posts

Posted 18 April 2009 - 08:17 AM

The scan completed. Here is the log file:

Malwarebytes' Anti-Malware 1.36
Database version: 1995
Windows 5.1.2600 Service Pack 3

04/18/2009 9:10:19 AM
mbam-log-2009-04-18 (09-10-19).txt

Scan type: Quick Scan
Objects scanned: 81434
Time elapsed: 8 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 10
Registry Values Infected: 4
Registry Data Items Infected: 4
Folders Infected: 15
Files Infected: 69

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\SYSTEM32\UACmevdlmxewqoenqo.dll (Trojan.TDSS) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{014da6c4-189f-421a-88cd-07cfe51cff10} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{014da6c6-189f-421a-88cd-07cfe51cff10} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{014da6ca-189f-421a-88cd-07cfe51cff10} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{014da6cc-189f-421a-88cd-07cfe51cff10} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MySearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\SpywareRemover (Rogue.Spyware.Remover) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{014da6c9-189f-421a-88cd-07cfe51cff10} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\{014da6c9-189f-421a-88cd-07cfe51cff10} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ADP (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: c:\windows\system32\twex.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\twex.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (2) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceActiveDesktopOn (Hijack.Desktop) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\Carie Turk\Application Data\SpywareRemover (Rogue.Spyware.Remover) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carie Turk\Application Data\SpywareRemover\Log (Rogue.Spyware.Remover) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carie Turk\Application Data\SpywareRemover\Quarantine (Rogue.Spyware.Remover) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carie Turk\Application Data\SpywareRemover\Registry Backups (Rogue.Spyware.Remover) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carie Turk\Application Data\SpywareRemover\Settings (Rogue.Spyware.Remover) -> Quarantined and deleted successfully.
C:\Program Files\MySearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carie Turk\Application Data\m (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Carie Turk\Application Data\m\shared (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\BASE (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\DELETED (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\SAVED (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\twain32 (Backdoor.Bot) -> Delete on reboot.

Files Infected:
\\?\globalroot\systemroot\SYSTEM32\UACmevdlmxewqoenqo.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\TDSScfub.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS7bce.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS918a.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carie Turk\Application Data\SpywareRemover\Log\log_2008_02_12_03_00_01.log (Rogue.Spyware.Remover) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carie Turk\Application Data\SpywareRemover\Log\log_2008_02_12_18_24_14.log (Rogue.Spyware.Remover) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carie Turk\Application Data\SpywareRemover\Log\log_2008_02_12_18_24_49.log (Rogue.Spyware.Remover) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carie Turk\Application Data\SpywareRemover\Log\log_2008_02_12_19_07_00.log (Rogue.Spyware.Remover) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carie Turk\Application Data\SpywareRemover\Log\log_2008_02_12_19_07_11.log (Rogue.Spyware.Remover) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carie Turk\Application Data\SpywareRemover\Settings\CustomScan.stg (Rogue.Spyware.Remover) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carie Turk\Application Data\SpywareRemover\Settings\IgnoreList.stg (Rogue.Spyware.Remover) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carie Turk\Application Data\SpywareRemover\Settings\ScanInfo.stg (Rogue.Spyware.Remover) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carie Turk\Application Data\SpywareRemover\Settings\ScanResults.stg (Rogue.Spyware.Remover) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carie Turk\Application Data\SpywareRemover\Settings\SelectedFolders.stg (Rogue.Spyware.Remover) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carie Turk\Application Data\SpywareRemover\Settings\Settings.stg (Rogue.Spyware.Remover) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carie Turk\Application Data\m\data.oct (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carie Turk\Application Data\m\list.oct (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carie Turk\Application Data\m\muk.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carie Turk\Application Data\m\mzuek.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carie Turk\Application Data\m\srvlist.oct (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carie Turk\Application Data\m\shared\Panda Antivirus PLATINUM - Para siempre actualiza gratis sin crack x riojalinks.com.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carie Turk\Application Data\m\shared\Panda Antivirus Platinum 2006+carck.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carie Turk\Application Data\m\shared\Panda Antivirus Platinum v7.04.00 Crack Keygen Serial.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carie Turk\Application Data\m\shared\Panda Antivirus Titanium 2005 + serials.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carie Turk\Application Data\m\shared\Panda Antivirus Titanium 2006 - Crack - Serial(1).zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carie Turk\Application Data\m\shared\Panda Antivirus Titanium 2006 - Crack - Serial.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carie Turk\Application Data\m\shared\Panda Antivirus Titanium 2006.5.02.01 crack.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carie Turk\Application Data\m\shared\Panda Platinum 2005 Internet Security v9.00.00 Final - English.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carie Turk\Application Data\m\shared\Panda Platinum 2006 Internet Security v10.00.00 Crack - Keygen - Serial.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carie Turk\Application Data\m\shared\Panda Platinum Internet Security 2005 09.02.01 Serial(3).zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carie Turk\Application Data\m\shared\Panda Platinum Internet Security 2005 09.02.01 Serial.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carie Turk\Application Data\m\shared\Panda Platinum Internet Security 2005 Trupevent (Crack) Hasta El (30-12-2020) Funciona.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carie Turk\Application Data\m\shared\Panda Platinum Internet Security 2005(Crack Serial)(1).zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carie Turk\Application Data\m\shared\Panda Platinum Internet Security 9.02.01 con Crack y funcionando 09-07-05.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carie Turk\Application Data\m\shared\Panda Platinum Internet Security(with TruPrevent)8.05.01(Esp.Eng)+crack(so).zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carie Turk\Application Data\m\shared\Panda Titanium 2006 Antivirus Antispyware In Italiano Crakkato Da Omissam74.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carie Turk\Application Data\m\shared\Panda Titanium 2006 Antivirus + Antispyware (Espanol-Spanish) Crackeado By MenMac Software.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carie Turk\Application Data\m\shared\Panda Titanium Antivirus 2006 5.00.83 Keygen(1).zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carie Turk\Application Data\m\shared\Panda Titanium Antivirus 2006 5.00.83 keygen(2).zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carie Turk\Application Data\m\shared\Panda Titanium Antivirus 2006 5.00.83 Keygen.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carie Turk\Application Data\m\shared\Panda Truprevent Personal v1.50.00 Ror.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carie Turk\Application Data\m\shared\Panda-Titanium_2006_Antivirus-Antispyware_Crackeado_por chinomoyano.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carie Turk\Application Data\m\shared\Panda.Antivirus.Platinum7.05.03.Retail-F4CG.ShareConnector.com.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carie Turk\Application Data\m\shared\Panda.Antivirus.Titanium.2005.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carie Turk\Application Data\m\shared\Panda.Internet.Security.2006.Multi-BSy.GEAR.forwwoldesel.to.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carie Turk\Application Data\m\shared\Panda.Platinum.2006.Internet.Security10.00.00.WinALL.RETAIL-ARN.ShareVirus.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carie Turk\Application Data\m\shared\Panda.Platinum.2006.Internet.Security10.02.01.GERMAN.WinALL.RETAIL.NFO.DIZIX-ARN.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carie Turk\Application Data\m\shared\Panda.Platinum.2006.Internet.Security10.02.01.WinALL.RETAIL-ARN.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carie Turk\Application Data\m\shared\Panda.Platinum.2006.Internet.Security10.German.RETAIL-ARNy.GEAR.forwwoldesel.to.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carie Turk\Application Data\m\shared\Panda.Platinum.2006.Internet.Securityinal.WinAll.Crack.Keygen GEAR.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carie Turk\Application Data\m\shared\Panda.Platinum.Internet.Security.[8.0].MULTILANGUAGE-ETD.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carie Turk\Application Data\m\shared\Panda.Titanium.Antivirus.2004.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carie Turk\Application Data\m\shared\Panda.Titanium.Antivirus.20054.00.00.Multilingual.Retail.WinALL-F4CG.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carie Turk\Application Data\m\shared\Panda.Titanium.Antivirus.Antispyware.2006.Multi-BSy.GEAR.forwwoldesel.to.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carie Turk\Application Data\m\shared\Panda.Titanium.Antivirus.Plus.Antispyware.20065.02.00.Multilanguage.3.WinALL.RETAIL-ARN.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carie Turk\Application Data\m\shared\Panda.Titanium.Antivirus.Plus.Antispyware.20065.02.01.Multilanguage.1.WinALL.RETAIL-ARN.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carie Turk\Application Data\m\shared\Panda.Titanium.Antivirus.Plus.Antispyware.20065.02.01.Multilanguage.3.WinALL.RETAIL-ARN.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carie Turk\Application Data\m\shared\Panda.Titanium.Antivirus.Plus.Antispyware.20065.German.RETAIL-ARNy.GEAR.forwwoldesel.to.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carie Turk\Application Data\m\shared\Panda_Platinum_v.9.01.00_2005_Internet_Security+Crack_Garantizado_Por_Luismi(1).zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carie Turk\Application Data\m\shared\Panda_Platinum_v.9.01.00_2005_Internet_Security+Crack_Garantizado_Por_Luismi.zip (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carie Turk\Application Data\m\shared\swat 3 (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090228015011281.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\twain32\local.ds (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\twain32\user.ds (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\twex.exe (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\Temp\TDSS917a.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\SpywareRemover Scheduled Scan.job (Rogue.Spyware.Remover) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\TDSSfxmp.dll (Rootkit.Agent) -> Quarantined and deleted successfully.

#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:53 AM

Posted 18 April 2009 - 11:44 AM

One or more of the identified infections is a backdoor trojan.

A backdoor Trojan can allow an attacker to gain control of the system, log keystrokes, steal passwords, access personal data, send malevolent outgoing traffic, and close the security warning messages displayed by some anti-virus and security programs.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the Operating System. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still try to clean this machine but I can't guarantee that it will be 100% secure afterwards. If you decide to remove the infection please go on with the following steps.


Removal Instructions

Please don't use the computer after running ComboFix until we install an antivirus the next round.
  • Because some files were set to be deleted after reboot, you have to reboot. Run MBAM again until you get a clean log. If the log is clean you don't need to post the log.

  • Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop
    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Information on A/V control HERE)
    • Double click on ComboFix.exe & follow the prompts.
    • You don't need to install Recovery Console as you don't have an internet connection.
    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

  • Please copy and paste a fresh Hijackthis log to your reply.
Please include in your next reply:
  • The Combofix log.
  • A fresh Hijackthis log.
  • Any comment or feedback about how it went and the current condition of your computer.

Edited by farbar, 18 April 2009 - 11:51 AM.
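The advice above turns on two things that can be read straight off the Malwarebytes log: whether any detection belongs to a backdoor or rootkit family (which is what triggers the "consider the machine compromised" warning) and whether any item is still marked "Delete on reboot" (which is why a reboot and a re-scan are required before moving on). The following is an added example, not code from the thread or from Malwarebytes; it parses detection lines in the MBAM 1.x log format shown in this thread and reports those two facts. The sample lines are copied from the logs posted above, except the `setup(1).zip` line, which is constructed to show that a path containing parentheses is still parsed correctly.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# One detection line in a Malwarebytes' Anti-Malware 1.x log looks like:
#   <file path or registry key> (<Family.Variant>) -> <action taken>.
# The object part is matched greedily so that parentheses inside a path do not
# get mistaken for the "(Family.Variant)" group; the family group itself can
# contain no parentheses, so the last "(...)" before " -> " always wins.
DETECTION_RE = re.compile(
    r"^(?P<obj>.+) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?\s*$"
)

# Detection classes that, in the thread's reasoning, change the advice given.
BACKDOOR_CLASSES = {"Backdoor"}
ROOTKIT_CLASSES = {"Rootkit"}


@dataclass(frozen=True)
class Detection:
    obj: str      # file path or registry key
    family: str   # e.g. "Backdoor.Bot"
    action: str   # e.g. "Delete on reboot" (trailing period stripped)

    @property
    def threat_class(self) -> str:
        # "Backdoor.Bot" -> "Backdoor", "Rogue.Spyware.Remover" -> "Rogue"
        return self.family.split(".", 1)[0]

    @property
    def pending_reboot(self) -> bool:
        # MBAM could not remove the object while it was in use; it is scheduled
        # for deletion at next boot, so the machine is not clean yet.
        return self.action.lower().startswith("delete on reboot")


def parse_detections(log_text: str) -> list[Detection]:
    """Return every detection line found in the log; section headers and
    "(No malicious items detected)" lines do not match and are skipped."""
    found = []
    for line in log_text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            found.append(Detection(m["obj"], m["family"], m["action"]))
    return found


def assess(log_text: str) -> dict:
    """Summarise a log the way a helper triaging it would."""
    dets = parse_detections(log_text)
    return {
        "detections": len(dets),
        "by_class": dict(Counter(d.threat_class for d in dets)),
        "reboot_required": any(d.pending_reboot for d in dets),
        "pending": [d.obj for d in dets if d.pending_reboot],
        "backdoor_present": any(d.threat_class in BACKDOOR_CLASSES for d in dets),
        "rootkit_present": any(d.threat_class in ROOTKIT_CLASSES for d in dets),
    }


# Sample input: lines copied from the MBAM logs posted in this thread, plus one
# constructed line (setup(1).zip) to exercise parentheses inside a path.
SAMPLE_LOG = r"""
Files Infected:
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090228015011281.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\twain32\local.ds (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\twain32\user.ds (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\twex.exe (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\Temp\TDSS917a.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\TDSSfxmp.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Example\setup(1).zip (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)
"""

if __name__ == "__main__":
    summary = assess(SAMPLE_LOG)
    for key, value in summary.items():
        print(f"{key}: {value}")
    if summary["backdoor_present"]:
        print("Backdoor detected: treat credentials used on this machine as exposed.")
    if summary["reboot_required"]:
        print("Reboot, then re-scan until the log is clean before continuing.")
```

The two flags map directly onto the helper's two instructions: `backdoor_present` is the trigger for the password-change and reformat advice, and `reboot_required` is why the next step is "reboot and run MBAM again until the log is clean".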


#9 Backward Galaxy

Backward Galaxy
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:12:53 AM

Posted 18 April 2009 - 01:48 PM

My report:

You asked me to disconnect the infected computer from the internet, but part of the problem is that this computer does not connect to the internet anymore since it became infected. It typically connects through a router, which is connected to our server. It connects via the ethernet jack, not wireless. However, the infected computer no longer connects to the network or the internet because of the many problems we are having with it.

Either way, I have disconnected the ethernet cable per your instructions.

When Windows XP loads, it indicates 5 instances of New Hardware being found, but it cannot identify the hardware to tell me what it is or what drivers it requires to operate correctly. In Device Manager, under "Other Devices" there are 6 listings of "Unknown Device" with an exclamation point in a yellow circle next to it.

When I ran MBAM the first time, it yielded one infected object. The following is the log file:

Malwarebytes' Anti-Malware 1.36
Database version: 1995
Windows 5.1.2600 Service Pack 3

04/18/2009 2:13:41 PM
mbam-log-2009-04-18 (14-13-41).txt

Scan type: Quick Scan
Objects scanned: 81063
Time elapsed: 7 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I allowed MBAM to fix the problem, then scanned again. At the end of this scan, it found 0 infected objects.

I copied ComboFix to the desktop and ran it. Here is the log file:

ComboFix 09-04-19.01 - Carie Turk 04/18/2009 14:26.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.251 [GMT -4:00]
Running from: c:\documents and settings\Carie Turk\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Carie Turk\Application Data\hidn
c:\documents and settings\Carie Turk\Application Data\hidn\hidn2.exe
c:\documents and settings\Carie Turk\Application Data\hidn\hldrrr.exe
C:\temp.zip
C:\test.txt
c:\windows\121927656.exe
c:\windows\130885203.exe
c:\windows\167028187.exe
c:\windows\184751968.exe
c:\windows\185541734.exe
c:\windows\189061593.exe
c:\windows\208931328.exe
c:\windows\225919656.exe
c:\windows\22613203.exe
c:\windows\241242531.exe
c:\windows\252147140.exe
c:\windows\265842843.exe
c:\windows\277562718.exe
c:\windows\295105562.exe
c:\windows\307521406.exe
c:\windows\317074796.exe
c:\windows\329489203.exe
c:\windows\347170468.exe
c:\windows\351476875.exe
c:\windows\376736265.exe
c:\windows\399570968.exe
c:\windows\40212375.exe
c:\windows\404578.exe
c:\windows\421545734.exe
c:\windows\443550687.exe
c:\windows\443671812.exe
c:\windows\443984.exe
c:\windows\44583734.exe
c:\windows\464656.exe
c:\windows\465573281.exe
c:\windows\465648625.exe
c:\windows\494957031.exe
c:\windows\516969640.exe
c:\windows\538947859.exe
c:\windows\540090296.exe
c:\windows\576163125.exe
c:\windows\601667875.exe
c:\windows\623728781.exe
c:\windows\62431875.exe
c:\windows\664187796.exe
c:\windows\66623968.exe
c:\windows\66719796.exe
c:\windows\689051687.exe
c:\windows\752339843.exe
c:\windows\784102718.exe
c:\windows\84468750.exe
c:\windows\857487046.exe
c:\windows\879618328.exe
c:\windows\88603593.exe
c:\windows\88784890.exe
c:\windows\89391078.exe
c:\windows\927306562.exe
c:\windows\Downloaded Program Files\ODCTOOLS
c:\windows\patch.exe
c:\windows\sview.exe
c:\windows\system32\drivers\UACiqjlqgiuxjdlrsm.sys
c:\windows\system32\drivers\UACpskbmqhb.sys
c:\windows\system32\UACbrxeybao.dat
c:\windows\system32\UACdwqjntiq.log
c:\windows\system32\UACexteolirsnvpyri.dat
c:\windows\system32\UACfrqlxmqa.dll
c:\windows\system32\UACgoenntmw.dat
c:\windows\system32\UACkdekjded.dll
c:\windows\system32\UACkvpphwmt.dll
c:\windows\system32\UAClqfuiuwq.dll
c:\windows\system32\UACltnilxyu.dll
c:\windows\system32\UACmevdlmxewqoenqo.dll
c:\windows\system32\UACmpxuwqjn.dll
c:\windows\system32\UACmqqmwsrj.dll
c:\windows\system32\UACmupxfuba.dll
c:\windows\system32\UACnpodisbt.dat
c:\windows\system32\UAComqskdab.dll
c:\windows\system32\UACovsapuom.dll
c:\windows\system32\UACplxumvtbckhbqkn.dll
c:\windows\system32\UACpstskdpg.dll
c:\windows\system32\UACqltrippw.dll
c:\windows\system32\UACswvbloyq.dat
c:\windows\system32\UACsyxujrjh.log
c:\windows\system32\UACuhnnjnka.dll
c:\windows\system32\UACulvbocud.dll
c:\windows\system32\UACvuorlgkq.dll
c:\windows\system32\UACwmvwyhlr.dll
c:\windows\system32\UACxgwpkpqb.dll
c:\windows\system32\UACxubrrpuhyegettv.log
c:\windows\system32\UACyphrepoh.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_TDSSSERV.SYS
-------\Legacy_M_HOOK
-------\Legacy_PACKET
-------\Service_Packet


((((((((((((((((((((((((( Files Created from 2009-03-18 to 2009-04-18 )))))))))))))))))))))))))))))))
.

2009-04-18 13:00 . 2009-04-18 13:00 -------- d-----w c:\documents and settings\Carie Turk\Application Data\Malwarebytes
2009-04-17 23:32 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-17 23:32 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-17 23:32 . 2009-04-17 23:32 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-17 23:32 . 2009-04-18 13:00 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-17 22:12 . 2009-04-17 22:10 2967800 ----a-w C:\mbam-setup.exe
2009-04-17 22:11 . 2009-04-17 21:48 401720 ----a-w C:\HiJackThis.exe
2009-04-17 18:11 . 2009-04-17 21:54 -------- d-----w c:\documents and settings\Carie Turk\Application Data\U3
2009-04-17 14:44 . 2009-04-17 14:47 -------- d-----w C:\New Folder
2009-04-16 22:00 . 2009-04-16 22:00 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2009-04-16 21:16 . 2009-04-16 21:16 -------- d-----w c:\documents and settings\Carie Turk\Application Data\Leadertech

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-17 22:12 . 2009-04-17 22:12 7143 ----a-w C:\hijackthis.log
2009-04-17 17:13 . 2009-04-17 17:13 10301 ----a-w C:\lsp.txt
2009-04-16 21:52 . 2003-05-26 19:50 84320 -c--a-w c:\documents and settings\Carie Turk\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-16 21:43 . 2007-08-24 12:53 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-16 21:36 . 2006-09-29 14:48 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-16 21:34 . 2004-02-06 18:12 -------- d-----w c:\documents and settings\All Users\Application Data\Visual Networks
2009-04-16 21:27 . 2003-05-26 19:55 -------- d-----w c:\program files\Hewlett-Packard
2009-04-16 21:24 . 2008-12-21 19:50 -------- d-----w c:\documents and settings\Carie Turk\Application Data\Move Networks
2009-04-16 21:19 . 2003-05-20 06:58 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-16 21:18 . 2008-10-24 18:26 -------- d-----w c:\program files\CoffeeCup Software
2009-04-16 21:16 . 2009-04-16 21:16 55 ----a-w C:\mmcInst.log
2009-04-16 21:15 . 2003-10-17 02:16 -------- d-----w c:\program files\Britannica
2009-04-16 21:15 . 2003-10-28 01:13 -------- d-----w c:\program files\ArcSoft
2009-04-16 17:10 . 2008-10-10 17:28 597482 ----a-w C:\hpfr5100.log
2009-04-06 17:49 . 2003-10-28 01:38 495 ----a-w C:\stub.log
2009-03-13 20:19 . 2003-05-20 06:54 -------- d-----w c:\program files\Dell
2009-03-13 19:54 . 2009-03-07 14:56 16 ----a-w C:\h.txt
2009-03-13 15:38 . 2009-03-12 15:38 65536 ----a-w c:\windows\SYSTEM32\UACjbitlidp.dll
2009-03-02 22:23 . 2009-03-02 22:25 69144 ----a-w C:\Fotolia_726843_XS.jpg
2009-02-28 18:35 . 2009-02-28 18:35 -------- d-----w c:\program files\Microsoft Silverlight
2009-02-28 18:28 . 2009-02-28 18:28 -------- d-----w c:\program files\MSBuild
2009-02-28 18:27 . 2009-02-28 18:27 -------- d-----w c:\program files\Reference Assemblies
2009-02-28 18:16 . 2003-05-20 06:43 -------- d-----w c:\program files\CONEXANT
2009-02-09 11:13 . 2008-10-14 21:54 1846784 ------w c:\windows\SYSTEM32\DLLCACHE\win32k.sys
2009-02-09 11:13 . 2002-08-29 10:00 1846784 ----a-w c:\windows\SYSTEM32\win32k.sys
2009-01-29 23:33 . 2009-01-29 23:33 164 ----a-w C:\install.dat
2009-01-09 19:17 . 2009-01-09 19:17 126976 ----a-w c:\documents and settings\Carie Turk\istarsupport.dll
2008-11-08 20:13 . 2007-10-28 19:56 99320 ----a-w c:\documents and settings\Carie Turk\Application Data\GDIPFONTCACHEV1.DAT
2005-03-21 15:07 . 2005-03-21 15:07 98 -c-ha-w c:\documents and settings\Carie Turk\Application Data\srfvdo.dat
2004-12-18 21:30 . 2004-12-18 21:30 133 -c--a-w c:\documents and settings\Carie Turk\Local Settings\Application Data\fusioncache.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-28 188416]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 233472]
"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 229437]
"NA1Messenger"="c:\ups\WSTD\UPSNA1Msgr.exe" [2008-12-04 24576]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-11-15 286720]
"diagent"="c:\program files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 135264]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]
UPS WorldShip Messaging Utility.lnk - c:\ups\WSTD\WSTDMessaging.exe [2008-12-4 65536]
UPS WorldShip PLD Reminder Utility.lnk - c:\ups\WSTD\wstdPldReminder.exe [2008-12-2 31744]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave1"= serwvdrv.dll
"wave2"= serwvdrv.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 8.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 8.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 8.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AT&T Self Support Tool.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AT&T Self Support Tool.lnk
backup=c:\windows\pss\AT&T Self Support Tool.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dell Network Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Dell Network Assistant.lnk
backup=c:\windows\pss\Dell Network Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Carie Turk^Start Menu^Programs^Startup^Dell Network Assistant.lnk]
path=c:\documents and settings\Carie Turk\Start Menu\Programs\Startup\Dell Network Assistant.lnk
backup=c:\windows\pss\Dell Network Assistant.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Carie Turk^Start Menu^Programs^Startup^HotSync Manager.LNK]
path=c:\documents and settings\Carie Turk\Start Menu\Programs\Startup\HotSync Manager.LNK
backup=c:\windows\pss\HotSync Manager.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"VETMSGNT"=2 (0x2)
"Pml Driver HPZ12"=2 (0x2)
"Pml Driver HPH11"=3 (0x3)
"iPod Service"=3 (0x3)
"DSBrokerService"=3 (0x3)
"Creative Service for CDROM Access"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Setup.exe"=
"c:\\Program Files\\CrossLoop\\CrossLoopConnect.exe"=
"c:\\WINDOWS\\SYSTEM32\\ftp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 SASKUTIL;SASKUTIL; [x]
R3 hp4200c;%usbscan.SvcDesc%;c:\windows\system32\DRIVERS\hp4200c.sys [2001-02-19 9312]
R3 RapFile;RapFile;c:\windows\System32\drivers\RapFile.sys [2003-02-25 36644]
R3 RapNet;RapNet;c:\windows\System32\drivers\RapNet.sys [2003-02-25 24344]
R3 SASENUM;SASENUM; [x]
R3 SQLAgent$UPSWSDBSERVER;SQLAgent$UPSWSDBSERVER;c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlagent.EXE [2005-05-04 323584]
S2 MSSQL$UPSWSDBSERVER;MSSQL$UPSWSDBSERVER;c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe [2008-12-18 9158656]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-04 13592]

.
Contents of the 'Scheduled Tasks' folder

2009-04-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-04-06 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\SYSTEM32\CLEANMGR.EXE [2002-08-29 00:12]

2009-04-07 c:\windows\Tasks\Disk Defragmenter.job
- c:\documents and settings\All Users\Start Menu\Programs\Accessories\System Tools\Disk Defragmenter.lnk [2002-09-03 18:16]

2009-04-18 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.sbc.com/dsl
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-18 14:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet006\Services\Packet]
"ImagePath"="System32\DRIVERS\packet.sys"
--

[HKEY_LOCAL_MACHINE\system\ControlSet006\Services\UACd.sys]
"imagepath"="\systemroot\system32\drivers\UACiqjlqgiuxjdlrsm.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(644)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\ati2evxx.exe
c:\program files\Dell Network Assistant\hnm_svc.exe
c:\windows\SYSTEM32\ati2evxx.exe
c:\windows\SYSTEM32\snmp.exe
c:\windows\SYSTEM32\wdfmgr.exe
c:\windows\SYSTEM32\MsPMSPSv.exe
c:\windows\SYSTEM32\wscntfy.exe
c:\windows\SYSTEM32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-04-18 14:40 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-18 18:39

Pre-Run: 97,491,984,384 bytes free
Post-Run: 98,096,840,704 bytes free

Current=6 Default=6 Failed=5 LastKnownGood=7 Sets=1,2,3,4,5,6,7
291 --- E O F --- 2009-04-13 20:16

Finally, here is the HJT log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:42:05 PM, on 04/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\UPS\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\UPS\WSTD\UPSNA1Msgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\UPS\WSTD\WSTDMessaging.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Carie Turk\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [NA1Messenger] C:\UPS\WSTD\UPSNA1Msgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: UPS WorldShip Messaging Utility.lnk = C:\UPS\WSTD\WSTDMessaging.exe
O4 - Global Startup: UPS WorldShip PLD Reminder Utility.lnk = C:\UPS\WSTD\wstdPldReminder.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/oas/ActiveX/MSDcode.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - http://www.symantec.com/techsupp/asa/ss/sa...abs/tgctlsr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1223656809921
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1223665693546
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://picture.vzw.com/activex/VerizonWire...loadControl.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/sbcyahoo/TrueInstallSBC.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

--
End of file - 6288 bytes

#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:53 AM

Posted 18 April 2009 - 04:57 PM

Thanks for the reminder about internet connection. That is just a precaution. There are cases where internet connection looks to be broken while it is not the case. As you might have noticed the computer was heavily infected. Both MBAM and ComboFix removed a lot of nasty backdoor and rootkit stuff. And it is not surprising as there is not any kind of antivirus protection. I don't want you to get infected before I have seen the logs to make sure we can move to the next round.
  • Go to start > Run copy and paste or type the following lines one by one in the run box and click OK after each line.

    cmd /c del /a /f /q "c:\windows\SYSTEM32\UACjbitlidp.dll"
    sc delete vet-filt
    sc delete vet-rec
    sc delete vetefile
    sc delete vetmonnt
    sc delete vetmsgnt
    sc delete sasenum
    sc delete saskutil


  • Please open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below (if present):

    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com


    Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

  • First go to start => Control Panel => Windows Firewall and make sure it is turned on. Then connect the ethernet cable, reboot the computer and check if you have connection, if not proceed with the next step.

  • To check if all devices are working properly:
    • Go to start > right-click My computer and select Properties.
    • Under Hardware tab select Device Manger.
    • Expand Network Adapters.
    • Note the device name or names listed.
    • Check if there is any ? or ! sign next to the listed devices. If yes tell me about that and:
      • Double-click on the listed device with ? or !
      • Under General tab note the writing in the Device Status section and post it to your reply.
    • If you expand Network Adapters and there is no ? or ! sign:
      • Double-click on the listed device(s).
      • Under General tab note the writing in the Device Status section and post it to your reply.
    • In case everything is working proceed with the next step.
  • Make sure the following setting is set as it is supposed to be set:
    • Go to Start -> Control Panel -> Double click on Network Connections.
    • Right click on your default connection (usually Local Area Connection) and select Properties.
    • Select the General tab.
    • Double click on Internet Protocol (TCP/IP).
      Under General tab:
      • Select "Obtain an IP address automatically".
      • Select "Obtain DNS server address automatically".
    • Click OK twice to save the settings.
    • Reboot if you had to change any setting.
  • Go to Start > Run and type in cmd
    A command window pops up. Type in the command window the following lines and press Enter after each line (note the spaces):

    netsh int ip reset
    netsh winsock reset


    Now reboot and see if you have connection.


#11 Backward Galaxy

Backward Galaxy
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:12:53 AM

Posted 20 April 2009 - 10:46 AM

Success!

The infected computer can now connect to the network AND internet! That's awesome! Thank you SOO much!

Now, I know you can't guarantee that this computer is completely safe, but at the moment I am going to continue using it. Are there precautions I can take to make it safer and ensure that this won't happen again? Is there anything else I should do?

#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:53 AM

Posted 20 April 2009 - 11:23 AM

Great news and you are most welcome. :thumbup2:

Please tell me at which stage/step the internet connection was restored.

You are missing one important program on that computer: An antivirus.
This is somewhat suicidal in today's digital world.
You need to install an antivirus program as soon as you can. I recommend this good free antivirus:


Avira
  • Download the installer. Install and update it.
  • In the left pane click Status. In the right pane click Scan system now.
  • After the scan has finished, let it remove what it finds and then click Report.
  • You can also get the last report by clicking Reports in the left pane.
  • In the right window under Action double-click on the last Scan listed (you also see the corresponding Date/Time).
  • A window opens, click on Report file.
  • Copy and paste the content of the report to your reply.

Edited by farbar, 20 April 2009 - 02:31 PM.


#13 Backward Galaxy

Backward Galaxy
  • Topic Starter

  • Members
  • 13 posts

Posted 20 April 2009 - 02:07 PM

I was able to connect to the internet after Step 3. I still have the problem of the unidentified devices, but they don't seem to be related to the connection problems.

The Avira Scan log follows:



Avira AntiVir Personal
Report file date: Monday, April 20, 2009 13:59

Scanning for 1358616 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : POS3

Version information:
BUILD.DAT : 9.0.0.387 17962 Bytes 3/24/2009 11:04:00
AVSCAN.EXE : 9.0.3.3 464641 Bytes 2/24/2009 16:13:26
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 14:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 15:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 14:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 16:30:36
ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 2/11/2009 00:33:26
ANTIVIR2.VDF : 7.1.3.63 1588224 Bytes 4/16/2009 17:59:07
ANTIVIR3.VDF : 7.1.3.79 58880 Bytes 4/20/2009 17:59:07
Engineversion : 8.2.0.148
AEVDF.DLL : 8.1.1.0 106868 Bytes 1/27/2009 21:36:42
AESCRIPT.DLL : 8.1.1.75 373113 Bytes 4/20/2009 17:59:11
AESCN.DLL : 8.1.1.10 127348 Bytes 4/20/2009 17:59:11
AERDL.DLL : 8.1.1.3 438645 Bytes 10/29/2008 22:24:41
AEPACK.DLL : 8.1.3.14 397685 Bytes 4/20/2009 17:59:10
AEOFFICE.DLL : 8.1.0.36 196987 Bytes 2/27/2009 00:01:56
AEHEUR.DLL : 8.1.0.119 1724791 Bytes 4/20/2009 17:59:10
AEHELP.DLL : 8.1.2.2 119158 Bytes 2/27/2009 00:01:56
AEGEN.DLL : 8.1.1.36 340341 Bytes 4/20/2009 17:59:08
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/9/2008 18:32:40
AECORE.DLL : 8.1.6.9 176500 Bytes 4/20/2009 17:59:07
AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 18:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 12:47:59
AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 14:32:15
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 18:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 14:32:09
AVARKT.DLL : 9.0.0.1 292609 Bytes 2/9/2009 11:52:24
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 14:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 19:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 12:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 14:32:10
RCIMAGE.DLL : 9.0.0.21 2438401 Bytes 2/9/2009 15:45:45
RCTEXT.DLL : 9.0.35.0 87297 Bytes 3/11/2009 19:55:12

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Monday, April 20, 2009 13:59

Starting search for hidden objects.
'49001' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'msiexec.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'diagent.exe' - '1' Module(s) have been scanned
Scan process 'WSTDMessaging.exe' - '1' Module(s) have been scanned
Scan process 'sqlmangr.exe' - '1' Module(s) have been scanned
Scan process 'msmsgs.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'UPSNA1Msgr.exe' - '1' Module(s) have been scanned
Scan process 'hpotdd01.exe' - '1' Module(s) have been scanned
Scan process 'hpcmpmgr.exe' - '1' Module(s) have been scanned
Scan process 'hpwuSchd.exe' - '1' Module(s) have been scanned
Scan process 'hpztsb09.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'MsPMSPSv.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'snmp.exe' - '1' Module(s) have been scanned
Scan process 'sqlservr.exe' - '1' Module(s) have been scanned
Scan process 'hnm_svc.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'MsMpEng.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
39 processes with 39 modules were scanned

Starting master boot sector scan:

Start scanning boot sectors:

Starting to scan executable files (registry).
The registry was scanned ( '65' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Avenger\swat 3 : close quarters battle deutsch by dbc.zip
[0] Archive type: ZIP
--> swat 3 : close quarters battle deutsch by dbc.exe
[DETECTION] Is the TR/Bagle.Gen.B Trojan
C:\Qoobox\Quarantine\C\temp.zip.vir
[0] Archive type: PWDZIP
--> Object
[DETECTION] Contains recognition pattern of the WORM/Bagle.GL.1 worm
C:\Qoobox\Quarantine\C\Documents and Settings\Carie Turk\Application Data\hidn\hidn2.exe.vir
[DETECTION] Is the TR/Bagle.Gen.B Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Carie Turk\Application Data\hidn\hldrrr.exe.vir
[DETECTION] Is the TR/Bagle.Gen.B Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACfrqlxmqa.dll.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACkdekjded.dll.vir
[DETECTION] Contains recognition pattern of the RKIT/TDss.eyj.66 root kit
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACkvpphwmt.dll.vir
[DETECTION] Is the TR/TDss.ror Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\UAClqfuiuwq.dll.vir
[DETECTION] Contains recognition pattern of the RKIT/TDss.eyj.66 root kit
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACltnilxyu.dll.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACmevdlmxewqoenqo.dll.vir
[DETECTION] Is the TR/Alureon.BF Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACmpxuwqjn.dll.vir
[DETECTION] Contains recognition pattern of the RKIT/TDss.eyj.66 root kit
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACmqqmwsrj.dll.vir
[DETECTION] Is the TR/PCK.Tdss.F.2060 Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACmupxfuba.dll.vir
[DETECTION] Is the TR/PCK.Tdss.F.2061 Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\UAComqskdab.dll.vir
[DETECTION] Contains recognition pattern of the RKIT/TDss.eyj.65 root kit
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACovsapuom.dll.vir
[DETECTION] Contains recognition pattern of the RKIT/TDss.eyj.65 root kit
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACplxumvtbckhbqkn.dll.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACpstskdpg.dll.vir
[DETECTION] Contains recognition pattern of the RKIT/TDss.eyj.65 root kit
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACqltrippw.dll.vir
[DETECTION] Is the TR/PCK.Tdss.F.2164 Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACuhnnjnka.dll.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACulvbocud.dll.vir
[DETECTION] Is the TR/PCK.Tdss.F.2062 Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACvuorlgkq.dll.vir
[DETECTION] Is the TR/PCK.Tdss.F.135 Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACwmvwyhlr.dll.vir
[DETECTION] Is the TR/PCK.Tdss.F.135 Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACxgwpkpqb.dll.vir
[DETECTION] Is the TR/Alureon.BF Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\UACpskbmqhb.sys.vir
[DETECTION] Is the TR/Rootkit.Gen Trojan
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1787\A0076438.dll
[DETECTION] Is the TR/Crypt.FKM.Gen Trojan
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1807\A0079949.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1864\A0082227.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1864\A0082228.dll
[DETECTION] Is the TR/Alureon.BF Trojan
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1864\A0082247.exe
[DETECTION] Is the TR/Bagle.Gen.B Trojan
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1864\A0082248.exe
[DETECTION] Is the TR/Bagle.Gen.B Trojan
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1864\A0082301.sys
[DETECTION] Is the TR/Rootkit.Gen Trojan
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1864\A0082302.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1864\A0082303.dll
[DETECTION] Contains recognition pattern of the RKIT/TDss.eyj.66 root kit
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1864\A0082304.dll
[DETECTION] Is the TR/TDss.ror Trojan
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1864\A0082305.dll
[DETECTION] Contains recognition pattern of the RKIT/TDss.eyj.66 root kit
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1864\A0082306.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1864\A0082307.dll
[DETECTION] Contains recognition pattern of the RKIT/TDss.eyj.66 root kit
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1864\A0082308.dll
[DETECTION] Is the TR/PCK.Tdss.F.2060 Trojan
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1864\A0082309.dll
[DETECTION] Is the TR/PCK.Tdss.F.2061 Trojan
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1864\A0082310.dll
[DETECTION] Contains recognition pattern of the RKIT/TDss.eyj.65 root kit
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1864\A0082311.dll
[DETECTION] Contains recognition pattern of the RKIT/TDss.eyj.65 root kit
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1864\A0082312.dll
[DETECTION] Contains recognition pattern of the RKIT/TDss.eyj.65 root kit
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1864\A0082313.dll
[DETECTION] Is the TR/PCK.Tdss.F.2164 Trojan
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1864\A0082314.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1864\A0082315.dll
[DETECTION] Is the TR/PCK.Tdss.F.2062 Trojan
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1864\A0082316.dll
[DETECTION] Is the TR/PCK.Tdss.F.135 Trojan
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1864\A0082317.dll
[DETECTION] Is the TR/PCK.Tdss.F.135 Trojan
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1864\A0082318.dll
[DETECTION] Is the TR/Alureon.BF Trojan
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1866\A0082396.dll
[DETECTION] Is the TR/TDss.roq Trojan

Beginning disinfection:
C:\Avenger\swat 3 : close quarters battle deutsch by dbc.zip
[NOTE] The file was moved to '4a4dc7eb.qua'!
C:\Qoobox\Quarantine\C\temp.zip.vir
[NOTE] The file was moved to '4a59c7da.qua'!
C:\Qoobox\Quarantine\C\Documents and Settings\Carie Turk\Application Data\hidn\hidn2.exe.vir
[DETECTION] Is the TR/Bagle.Gen.B Trojan
[NOTE] The file was moved to '4a50c7de.qua'!
C:\Qoobox\Quarantine\C\Documents and Settings\Carie Turk\Application Data\hidn\hldrrr.exe.vir
[DETECTION] Is the TR/Bagle.Gen.B Trojan
[NOTE] The file was moved to '4a50c7e1.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACfrqlxmqa.dll.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '4a2fc7b6.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACkdekjded.dll.vir
[DETECTION] Contains recognition pattern of the RKIT/TDss.eyj.66 root kit
[NOTE] The file was moved to '4bacd447.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACkvpphwmt.dll.vir
[DETECTION] Is the TR/TDss.ror Trojan
[NOTE] The file was moved to '4ba8f4a7.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\UAClqfuiuwq.dll.vir
[DETECTION] Contains recognition pattern of the RKIT/TDss.eyj.66 root kit
[NOTE] The file was moved to '490b8fbf.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACltnilxyu.dll.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '490a8867.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACmevdlmxewqoenqo.dll.vir
[DETECTION] Is the TR/Alureon.BF Trojan
[NOTE] The file was moved to '4909902f.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACmpxuwqjn.dll.vir
[DETECTION] Contains recognition pattern of the RKIT/TDss.eyj.66 root kit
[NOTE] The file was moved to '490898d7.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACmqqmwsrj.dll.vir
[DETECTION] Is the TR/PCK.Tdss.F.2060 Trojan
[NOTE] The file was moved to '4a2fc7b7.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACmupxfuba.dll.vir
[DETECTION] Is the TR/PCK.Tdss.F.2061 Trojan
[NOTE] The file was moved to '4906a948.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\UAComqskdab.dll.vir
[DETECTION] Contains recognition pattern of the RKIT/TDss.eyj.65 root kit
[NOTE] The file was moved to '4905b100.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACovsapuom.dll.vir
[DETECTION] Contains recognition pattern of the RKIT/TDss.eyj.65 root kit
[NOTE] The file was moved to '4904b938.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACplxumvtbckhbqkn.dll.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '490341f0.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACpstskdpg.dll.vir
[DETECTION] Contains recognition pattern of the RKIT/TDss.eyj.65 root kit
[NOTE] The file was moved to '490249a8.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACqltrippw.dll.vir
[DETECTION] Is the TR/PCK.Tdss.F.2164 Trojan
[NOTE] The file was moved to '49015260.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACuhnnjnka.dll.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '49005a18.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACulvbocud.dll.vir
[DETECTION] Is the TR/PCK.Tdss.F.2062 Trojan
[NOTE] The file was moved to '491f62d0.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACvuorlgkq.dll.vir
[DETECTION] Is the TR/PCK.Tdss.F.135 Trojan
[NOTE] The file was moved to '491e6a88.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACwmvwyhlr.dll.vir
[DETECTION] Is the TR/PCK.Tdss.F.135 Trojan
[NOTE] The file was moved to '491d7340.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACxgwpkpqb.dll.vir
[DETECTION] Is the TR/Alureon.BF Trojan
[NOTE] The file was moved to '491c7b78.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\UACpskbmqhb.sys.vir
[DETECTION] Is the TR/Rootkit.Gen Trojan
[NOTE] The file was moved to '491a0be8.qua'!
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1787\A0076438.dll
[DETECTION] Is the TR/Crypt.FKM.Gen Trojan
[NOTE] The file was moved to '4a1cc7a6.qua'!
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1807\A0079949.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to '4b688faf.qua'!
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1864\A0082227.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '4928032f.qua'!
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1864\A0082228.dll
[DETECTION] Is the TR/Alureon.BF Trojan
[NOTE] The file was moved to '492a13bf.qua'!
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1864\A0082247.exe
[DETECTION] Is the TR/Bagle.Gen.B Trojan
[NOTE] The file was moved to '492b1c47.qua'!
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1864\A0082248.exe
[DETECTION] Is the TR/Bagle.Gen.B Trojan
[NOTE] The file was moved to '4a1cc7a7.qua'!
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1864\A0082301.sys
[DETECTION] Is the TR/Rootkit.Gen Trojan
[NOTE] The file was moved to '49252cd8.qua'!
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1864\A0082302.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '49263490.qua'!
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1864\A0082303.dll
[DETECTION] Contains recognition pattern of the RKIT/TDss.eyj.66 root kit
[NOTE] The file was moved to '49273ca8.qua'!
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1864\A0082304.dll
[DETECTION] Is the TR/TDss.ror Trojan
[NOTE] The file was moved to '4921c560.qua'!
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1864\A0082305.dll
[DETECTION] Contains recognition pattern of the RKIT/TDss.eyj.66 root kit
[NOTE] The file was moved to '4922cd38.qua'!
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1864\A0082306.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '4923d5f0.qua'!
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1864\A0082307.dll
[DETECTION] Contains recognition pattern of the RKIT/TDss.eyj.66 root kit
[NOTE] The file was moved to '495cdd88.qua'!
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1864\A0082308.dll
[DETECTION] Is the TR/PCK.Tdss.F.2060 Trojan
[NOTE] The file was moved to '495de640.qua'!
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1864\A0082309.dll
[DETECTION] Is the TR/PCK.Tdss.F.2061 Trojan
[NOTE] The file was moved to '495eee18.qua'!
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1864\A0082310.dll
[DETECTION] Contains recognition pattern of the RKIT/TDss.eyj.65 root kit
[NOTE] The file was moved to '495ff6d0.qua'!
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1864\A0082311.dll
[DETECTION] Contains recognition pattern of the RKIT/TDss.eyj.65 root kit
[NOTE] The file was moved to '4958fee8.qua'!
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1864\A0082312.dll
[DETECTION] Contains recognition pattern of the RKIT/TDss.eyj.65 root kit
[NOTE] The file was moved to '495986a0.qua'!
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1864\A0082313.dll
[DETECTION] Is the TR/PCK.Tdss.F.2164 Trojan
[NOTE] The file was moved to '495a8f78.qua'!
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1864\A0082314.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '495b9730.qua'!
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1864\A0082315.dll
[DETECTION] Is the TR/PCK.Tdss.F.2062 Trojan
[NOTE] The file was moved to '49549fc8.qua'!
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1864\A0082316.dll
[DETECTION] Is the TR/PCK.Tdss.F.135 Trojan
[NOTE] The file was moved to '4955a780.qua'!
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1864\A0082317.dll
[DETECTION] Is the TR/PCK.Tdss.F.135 Trojan
[NOTE] The file was moved to '4956a058.qua'!
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1864\A0082318.dll
[DETECTION] Is the TR/Alureon.BF Trojan
[NOTE] The file was moved to '4957a810.qua'!
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1866\A0082396.dll
[DETECTION] Is the TR/TDss.roq Trojan
[NOTE] The file was moved to '4950b028.qua'!


End of the scan: Monday, April 20, 2009 15:05
Used time: 45:55 Minute(s)

The scan has been done completely.

7832 Scanned directories
278823 Files were scanned
49 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
49 Files were moved to quarantine
0 Files were renamed
1 Files cannot be scanned
278773 Files not concerned
3713 Archives were scanned
1 Warnings
50 Notes
49001 Objects were scanned with rootkit scan
0 Hidden objects were found

#14 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 20 April 2009 - 02:46 PM

Thanks for the feedback. Avira found nothing but the malware files already removed by Combofix and those saved in System Volume Information where the restore points are kept. We will empty those folders at the end.


Close any open browsers.

Open notepad and copy/paste the text in the code box below into it:

FixCSet::

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you ( "C:\ComboFix.txt"). Please copy and paste the log to your reply.

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.
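Farbar's reading of the Avira report above, that every hit was an inert copy (a file ComboFix had already moved into its quarantine under C:\Qoobox, or a System Restore copy under System Volume Information), is a triage step worth automating when a scan report runs to dozens of detections. The script below is an added example, not from this thread and not part of Avira. It reads report lines in the layout shown in the log, attributes each `[DETECTION]` line to the file path above it (archive members such as `--> name.exe` are attributed to the archive), stops at the "Beginning disinfection:" section so the repeated entries there are not counted twice, and buckets each hit as quarantine, restore point or live file. The sample report lines and the file names in them are constructed.

```python
"""Bucket Avira report detections by where the detected file lives.

Added example; not from the thread or from Avira. A detection inside
ComboFix's quarantine (Qoobox) or a System Restore point is an inert copy;
anything else is a live file that still needs handling. The sample report
below is constructed in the layout of an Avira AntiVir 9 report file.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

SAMPLE_REPORT = """\
Begin scan in 'C:\\'
C:\\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
C:\\Downloads\\game_crack.zip
[0] Archive type: ZIP
--> game_crack.exe
[DETECTION] Is the TR/Bagle.Gen.B Trojan
C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32\\UACexample1.dll.vir
[DETECTION] Contains recognition pattern of the RKIT/TDss.eyj.66 root kit
C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32\\drivers\\UACexample2.sys.vir
[DETECTION] Is the TR/Rootkit.Gen Trojan
C:\\System Volume Information\\_restore{00000000-0000-0000-0000-000000000000}\\RP1\\A0000001.dll
[DETECTION] Is the TR/Alureon.BF Trojan
C:\\WINDOWS\\system32\\example_live.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan

Beginning disinfection:
C:\\Downloads\\game_crack.zip
[NOTE] The file was moved to '00000000.qua'!
"""

# A report line that names a scanned file starts with a drive letter.
PATH_RE = re.compile(r"^[A-Za-z]:\\")
# Both phrasings Avira uses, capturing the signature name (e.g. TR/Bagle.Gen.B).
DETECTION_RE = re.compile(
    r"^\[DETECTION\]\s+(?:Is the|Contains recognition pattern of the)\s+(\S+)")

Detection = Tuple[str, str, str]  # (path, signature, location bucket)


def classify(path: str) -> str:
    """Quarantine and restore-point copies are inert; everything else is live."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "quarantine"
    if "\\system volume information\\_restore" in p:
        return "restore_point"
    return "live"


def parse_detections(report: str) -> List[Detection]:
    """Attribute each [DETECTION] line to the most recent file path."""
    found: List[Detection] = []
    current = None
    for line in report.splitlines():
        if line.startswith("Beginning disinfection"):
            break  # the disinfection section repeats every hit; do not double count
        if PATH_RE.match(line):
            current = line.strip()
            continue
        m = DETECTION_RE.match(line)
        if m and current is not None:
            found.append((current, m.group(1), classify(current)))
    return found


def summarize(report: str) -> Dict[str, object]:
    """Totals per bucket plus the live files that still need attention."""
    found = parse_detections(report)
    by_location = Counter(loc for _, _, loc in found)
    live = [(path, sig) for path, sig, loc in found if loc == "live"]
    return {"total": len(found), "by_location": dict(by_location), "live": live}


if __name__ == "__main__":
    result = summarize(SAMPLE_REPORT)
    print(f"{result['total']} detections: {result['by_location']}")
    for path, sig in result["live"]:
        print(f"LIVE  {sig:<22} {path}")
```

Feed it a real report file by reading the file into `summarize()`; the counts of quarantine and restore-point hits tell you how much of the report is history, and the LIVE list is the part that needs a decision. Note that a detection inside an archive in a user folder, like the zip in the sample, comes out as live even though nothing has executed from it yet.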


#15 Backward Galaxy

Backward Galaxy
  • Topic Starter

  • Members
  • 13 posts

Posted 20 April 2009 - 03:16 PM

I did as you requested. You should be made aware of the fact that ComboFix didn't like the fact that Avira was enabled when I originally ran it. I don't know if that makes a difference or not, but I wanted you to have all possible information.

Here is the log:

ComboFix 09-04-19.01 - Carie Turk 04/20/2009 16:00.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.265 [GMT -4:00]
Running from: c:\documents and settings\Carie Turk\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Carie Turk\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning enabled* (Updated)
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_M_HOOK


((((((((((((((((((((((((( Files Created from 2009-03-20 to 2009-04-20 )))))))))))))))))))))))))))))))
.

2009-04-20 17:55 . 2009-02-13 15:31 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-04-20 17:55 . 2009-04-20 17:55 -------- d-----w c:\program files\Avira
2009-04-20 17:55 . 2009-04-20 17:55 -------- d-----w c:\documents and settings\All Users\Application Data\Avira
2009-04-18 13:00 . 2009-04-18 13:00 -------- d-----w c:\documents and settings\Carie Turk\Application Data\Malwarebytes
2009-04-17 23:32 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-17 23:32 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-17 23:32 . 2009-04-17 23:32 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-17 23:32 . 2009-04-18 13:00 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-17 22:12 . 2009-04-17 22:10 2967800 ----a-w C:\mbam-setup.exe
2009-04-17 22:11 . 2009-04-17 21:48 401720 ----a-w C:\HiJackThis.exe
2009-04-17 18:11 . 2009-04-17 21:54 -------- d-----w c:\documents and settings\Carie Turk\Application Data\U3
2009-04-17 14:44 . 2009-04-17 14:47 -------- d-----w C:\New Folder
2009-04-16 22:00 . 2009-04-16 22:00 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2009-04-16 21:16 . 2009-04-16 21:16 -------- d-----w c:\documents and settings\Carie Turk\Application Data\Leadertech

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-20 19:56 . 2008-10-10 17:28 599030 ----a-w C:\hpfr5100.log
2009-04-17 22:12 . 2009-04-17 22:12 7143 ----a-w C:\hijackthis.log
2009-04-17 17:13 . 2009-04-17 17:13 10301 ----a-w C:\lsp.txt
2009-04-16 21:52 . 2003-05-26 19:50 84320 -c--a-w c:\documents and settings\Carie Turk\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-16 21:43 . 2007-08-24 12:53 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-16 21:36 . 2006-09-29 14:48 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-16 21:34 . 2004-02-06 18:12 -------- d-----w c:\documents and settings\All Users\Application Data\Visual Networks
2009-04-16 21:27 . 2003-05-26 19:55 -------- d-----w c:\program files\Hewlett-Packard
2009-04-16 21:24 . 2008-12-21 19:50 -------- d-----w c:\documents and settings\Carie Turk\Application Data\Move Networks
2009-04-16 21:19 . 2003-05-20 06:58 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-16 21:18 . 2008-10-24 18:26 -------- d-----w c:\program files\CoffeeCup Software
2009-04-16 21:16 . 2009-04-16 21:16 55 ----a-w C:\mmcInst.log
2009-04-16 21:15 . 2003-10-17 02:16 -------- d-----w c:\program files\Britannica
2009-04-16 21:15 . 2003-10-28 01:13 -------- d-----w c:\program files\ArcSoft
2009-04-06 17:49 . 2003-10-28 01:38 495 ----a-w C:\stub.log
2009-03-13 20:19 . 2003-05-20 06:54 -------- d-----w c:\program files\Dell
2009-03-13 19:54 . 2009-03-07 14:56 16 ----a-w C:\h.txt
2009-03-02 22:23 . 2009-03-02 22:25 69144 ----a-w C:\Fotolia_726843_XS.jpg
2009-02-28 18:35 . 2009-02-28 18:35 -------- d-----w c:\program files\Microsoft Silverlight
2009-02-28 18:28 . 2009-02-28 18:28 -------- d-----w c:\program files\MSBuild
2009-02-28 18:27 . 2009-02-28 18:27 -------- d-----w c:\program files\Reference Assemblies
2009-02-28 18:16 . 2003-05-20 06:43 -------- d-----w c:\program files\CONEXANT
2009-02-09 11:13 . 2008-10-14 21:54 1846784 ------w c:\windows\SYSTEM32\DLLCACHE\win32k.sys
2009-02-09 11:13 . 2002-08-29 10:00 1846784 ----a-w c:\windows\SYSTEM32\win32k.sys
2009-01-29 23:33 . 2009-01-29 23:33 164 ----a-w C:\install.dat
2009-01-09 19:17 . 2009-01-09 19:17 126976 ----a-w c:\documents and settings\Carie Turk\istarsupport.dll
2008-11-08 20:13 . 2007-10-28 19:56 99320 ----a-w c:\documents and settings\Carie Turk\Application Data\GDIPFONTCACHEV1.DAT
2005-03-21 15:07 . 2005-03-21 15:07 98 -c-ha-w c:\documents and settings\Carie Turk\Application Data\srfvdo.dat
2004-12-18 21:30 . 2004-12-18 21:30 133 -c--a-w c:\documents and settings\Carie Turk\Local Settings\Application Data\fusioncache.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-04-18_18.35.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-07 06:19 . 2007-11-07 06:19 54272 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_ecc42bd1\vcomp90.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 62976 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90rus.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 46080 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90kor.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 46592 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90jpn.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 64512 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90ita.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 66048 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90fra.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esp.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esn.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 56832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90enu.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 66560 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90deu.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 39936 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90cht.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 38912 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90chs.dll
+ 2008-07-29 10:07 . 2008-07-29 10:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90u.dll
+ 2008-07-29 10:07 . 2008-07-29 10:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90.dll
+ 2009-04-20 20:06 . 2009-04-20 20:06 16384 c:\windows\Temp\Perflib_Perfdata_b0.dat
+ 2009-04-20 16:15 . 2009-04-20 16:15 16384 c:\windows\Temp\Perflib_Perfdata_74c.dat
+ 2009-04-20 16:15 . 2009-04-20 16:15 16384 c:\windows\Temp\Perflib_Perfdata_71c.dat
+ 2009-04-20 17:55 . 2009-02-13 15:50 28376 c:\windows\SYSTEM32\DRIVERS\ssmdrv.sys
+ 2009-04-20 17:55 . 2009-02-13 18:22 95576 c:\windows\SYSTEM32\DRIVERS\avipbb.sys
+ 2009-04-20 17:55 . 2009-02-13 15:29 22360 c:\windows\SYSTEM32\DRIVERS\avgntmgr.sys
+ 2009-04-20 17:55 . 2009-02-13 15:17 45416 c:\windows\SYSTEM32\DRIVERS\avgntdd.sys
+ 2008-07-29 12:05 . 2008-07-29 12:05 655872 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcr90.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 572928 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcp90.dll
+ 2008-07-29 07:54 . 2008-07-29 07:54 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcm90.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 161784 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2\atl90.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 3783672 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90u.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 3768312 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-28 188416]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 233472]
"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 229437]
"NA1Messenger"="c:\ups\WSTD\UPSNA1Msgr.exe" [2008-12-04 24576]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-11-15 286720]
"diagent"="c:\program files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 135264]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]
UPS WorldShip Messaging Utility.lnk - c:\ups\WSTD\WSTDMessaging.exe [2008-12-4 65536]
UPS WorldShip PLD Reminder Utility.lnk - c:\ups\WSTD\wstdPldReminder.exe [2008-12-2 31744]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave1"= serwvdrv.dll
"wave2"= serwvdrv.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 8.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 8.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 8.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AT&T Self Support Tool.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AT&T Self Support Tool.lnk
backup=c:\windows\pss\AT&T Self Support Tool.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dell Network Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Dell Network Assistant.lnk
backup=c:\windows\pss\Dell Network Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Carie Turk^Start Menu^Programs^Startup^Dell Network Assistant.lnk]
path=c:\documents and settings\Carie Turk\Start Menu\Programs\Startup\Dell Network Assistant.lnk
backup=c:\windows\pss\Dell Network Assistant.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Carie Turk^Start Menu^Programs^Startup^HotSync Manager.LNK]
path=c:\documents and settings\Carie Turk\Start Menu\Programs\Startup\HotSync Manager.LNK
backup=c:\windows\pss\HotSync Manager.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"VETMSGNT"=2 (0x2)
"Pml Driver HPZ12"=2 (0x2)
"Pml Driver HPH11"=3 (0x3)
"iPod Service"=3 (0x3)
"DSBrokerService"=3 (0x3)
"Creative Service for CDROM Access"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Setup.exe"=
"c:\\Program Files\\CrossLoop\\CrossLoopConnect.exe"=
"c:\\WINDOWS\\SYSTEM32\\ftp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R3 hp4200c;%usbscan.SvcDesc%;c:\windows\system32\DRIVERS\hp4200c.sys [2001-02-19 9312]
R3 RapFile;RapFile;c:\windows\System32\drivers\RapFile.sys [2003-02-25 36644]
R3 RapNet;RapNet;c:\windows\System32\drivers\RapNet.sys [2003-02-25 24344]
R3 SQLAgent$UPSWSDBSERVER;SQLAgent$UPSWSDBSERVER;c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlagent.EXE [2005-05-04 323584]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-03-05 108289]
S2 MSSQL$UPSWSDBSERVER;MSSQL$UPSWSDBSERVER;c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe [2008-12-18 9158656]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-04 13592]

.
Contents of the 'Scheduled Tasks' folder

2009-04-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-04-06 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\SYSTEM32\CLEANMGR.EXE [2002-08-29 00:12]

2009-04-07 c:\windows\Tasks\Disk Defragmenter.job
- c:\documents and settings\All Users\Start Menu\Programs\Accessories\System Tools\Disk Defragmenter.lnk [2002-09-03 18:16]

2009-04-20 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.sbc.com/dsl
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-20 16:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(640)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\ati2evxx.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Dell Network Assistant\hnm_svc.exe
c:\windows\SYSTEM32\snmp.exe
c:\windows\SYSTEM32\wdfmgr.exe
c:\windows\SYSTEM32\MsPMSPSv.exe
c:\windows\SYSTEM32\ati2evxx.exe
c:\windows\SYSTEM32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-04-20 16:12 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-20 20:12
ComboFix2.txt 2009-04-18 18:40

Pre-Run: 97,593,430,016 bytes free
Post-Run: 97,607,712,768 bytes free

224 --- E O F --- 2009-04-13 20:16



