
Please help! XP computer problem - at wit's end


This topic is locked
45 replies to this topic

#1 poidogger (Members, 25 posts)

Posted 10 May 2009 - 01:31 PM

Hello,
I have been having such problems with my Gateway GT5238E Windows XP Media Center Edition Version 2002 Service Pack 3. It started last year with a trojan which I finally found in my userinit.exe file. I renamed it, obtained a new copy of the file, and was all ready to go, and restarted my computer before I ran the new copy! Ugh, so I just did a complete recovery using my XP disks, etc. Computer was working fine, until March.

I have scanned with Trend Micro and removed a few more trojans. The last scan revealed some files that were quarantined, but when I went to delete them I get a message indicating "unable to delete file, computer locked or lack sufficient privileges". They are:
UACeodvppa.sys in system32\drivers
UACgthiomgu.dll in system32
UACmarlcylt.dll in system32
UACufyiniwy.dll in system32
UACxncfijmw.dll in system32

Also, a trojan was found in 2 files. It attempted to fix them but couldn't, so it quarantined them and I was able to delete them:
UACba6e.tmp in owner.desktop\local settings\temp
wJQs.exe - can't remember where that was located.

For a while, I couldn't access the internet, so I tried defragging, and cleaning, and this, and that, and finally shut my computer down for a long time (before I smashed it to pieces!). I decided to try again yesterday, and when it came on, a message popped up that Microsoft had detected another trojan and removed it, and now I am able to get on the internet. However, now when I go to the internet it will not open any links from Google; I have to type in the address in the address bar. Also, my computer will lock up after a while.
One other thing: when I turn my computer on, sometimes it tries and then just peters out. I try again, holding the button for a few seconds, and then it turns on. Can this computer be fixed???

Here is the DDS Hijack log:


DDS (Ver_09-03-16.01) - NTFSx86
Run by Owner at 13:21:29.68 on Sun 05/10/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.998.383 [GMT -5:00]

AV: Trend Micro Internet Security *On-access scanning enabled* (Updated)
FW: Trend Micro Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\iRiver\Service\MLService.exe
C:\Program Files\iRiver\Service\Updater.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_Engine.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\BigFix\bigfix.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\rsvp.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner.desktop\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5238E
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5238E
mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5238E
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} -
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: BHO: {abc42510-9b22-41c1-9dcd-8182a2d07c63} -
BHO: BHO: {abd42510-9b22-41cd-9dcd-8182a2d07c63} -
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
BHO: : {e87b5601-44ea-4e08-9da8-1020d5e4fa7c} - c:\windows\system32\xnozheq.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [Power2GoExpress] NA
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [system tool] c:\windows\sysguard.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [readericon] c:\program files\digital media reader\readericon45G.exe
mRun: [CHotkey] zHotkey.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [IntelAudioStudio] "c:\program files\intel audio studio\IntelAudioStudio.exe" TRAY
mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [CCUTRAYICON] c:\program files\intel\inteldh\ccu\CCU_TrayIcon.exe
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
mRun: [iRiver AutoDB] c:\program files\iriver\service\MLService.exe
mRun: [iRiver Updater] c:\program files\iriver\service\Updater.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
StartupFolder: c:\docume~1\owner~1.des\startm~1\programs\startup\palmre~1.lnk - c:\program files\palm\register.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bigfix.lnk - c:\program files\bigfix\bigfix.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\Hotsync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
Notify: igfxcui - igfxdev.dll
Notify: ytchvzmn - xnozheq.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL

============= SERVICES / DRIVERS ===============

R0 bcifvlli;bcifvlli;c:\windows\system32\drivers\bcifvlli.sys [2008-11-11 23424]
R2 MCLServiceATL;Intel® Application Tracker;c:\program files\intel\inteldh\intel media server\shells\MCLServiceATL.exe [2006-7-27 163840]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 pspuqclm;Software Bus Controller;c:\windows\system32\svchost.exe -k netsvcs [2008-11-11 14336]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2008-11-11 52624]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2008-2-15 36368]
R3 MLFILEM;MLFILEM;c:\windows\system32\drivers\MLFILEM.SYS [2009-3-10 28160]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2008-2-15 333328]
R3 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~1\TmPfw.exe [2008-11-11 488768]
R3 tmproxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2008-11-11 648456]

=============== Created Last 30 ================

2009-05-09 14:54 <DIR> --d----- c:\docume~1\owner~1.des\applic~1\lwbcvore
2009-04-25 10:43 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-04-25 10:43 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-04-25 10:43 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-04-25 10:43 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-04-25 10:43 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-25 10:43 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-04-25 10:43 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-04-25 10:43 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-04-25 10:43 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-04-25 10:43 35,328 -c------ c:\windows\system32\dllcache\sc.exe
2009-04-25 03:01 118 a------- c:\windows\system32\MRT.INI
2009-04-18 17:22 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-18 17:22 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-04-18 17:22 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe

==================== Find3M ====================

2009-04-11 10:32 16,384 a------- c:\windows\DCEBoot.exe
2009-04-02 16:00 52,752 a------- c:\windows\system32\drivers\tmactmon.sys
2009-04-02 16:00 52,624 a------- c:\windows\system32\drivers\tmevtmgr.sys
2009-04-02 16:00 142,864 a------- c:\windows\system32\drivers\tmcomm.sys
2009-03-08 09:30 53,248 a------- c:\windows\PalmDevC.dll
2009-03-06 09:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-02 19:18 826,368 a------- c:\windows\system32\wininet.dll
2009-02-20 13:09 78,336 a------- c:\windows\system32\ieencode.dll
2008-11-15 11:58 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008111520081116\index.dat

============= FINISH: 13:22:40.93 ===============


#2 Farbar (Just Curious; Security Developer, 21,707 posts; Location: The Netherlands)

Posted 25 May 2009 - 04:25 AM

Hi poidogger,

Welcome to the BC HijackThis forum. I am Farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.
  • This is a preinstalled program on the Dell computers. I recommend uninstalling it from Add/Remove Programs:

    Browser Address Error Redirector

  • Please download Malwarebytes' Anti-Malware from MajorGeeks
    • Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy & Paste the MBAM log.
    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


  • Please run HijackThis. Click "Do a system scan and save a logfile", then copy and paste the content of the log into your reply.


#3 Farbar (Just Curious; Security Developer, 21,707 posts; Location: The Netherlands)

Posted 28 May 2009 - 11:30 AM

Are you still there?

#4 poidogger (Topic Starter; Members, 25 posts)

Posted 29 May 2009 - 09:17 PM

Yes, sorry. It had been a while since I posted. I will follow your instructions and post a follow-up.

#5 poidogger (Topic Starter; Members, 25 posts)

Posted 29 May 2009 - 09:50 PM

Hello Farbar,
and THANK YOU for your assistance!!
I've followed your instructions, removed Browser Redirector, and have posted the MBAM & HijackThis logs below....


MBAM log is below

Malwarebytes' Anti-Malware 1.37
Database version: 2195
Windows 5.1.2600 Service Pack 3
5/29/2009 9:36:41 PM
mbam-log-2009-05-29 (21-36-41).txt
Scan type: Quick Scan
Objects scanned: 100080
Time elapsed: 6 minute(s), 54 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 15
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 12
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\system32\xnozheq.dll (Trojan.Vundo.H) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e87b5601-44ea-4e08-9da8-1020d5e4fa7c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ytchvzmn (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{e87b5601-44ea-4e08-9da8-1020d5e4fa7c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{abd42510-9b22-41cd-9dcd-8182a2d07c63} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{abd42510-9b22-41cd-9dcd-8182a2d07c63} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{abd42510-9b22-41cd-9dcd-8182a2d07c63} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pspuqclm (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\pspuqclm (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pspuqclm (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{e87b5601-44ea-4e08-9da8-1020d5e4fa7c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AvScan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bcifvlli (Rootkit.Sentinel) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{abc42510-9b22-41c1-9dcd-8182a2d07c63} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{abc42510-9b22-41c1-9dcd-8182a2d07c63} (Trojan.BHO) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.Data) -> Quarantined and deleted successfully.
Files Infected:
c:\WINDOWS\system32\xnozheq.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\izvrdin.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\lowsec\local.ds (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\lowsec\user.ds (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\lowsec\user.ds.lll (Stolen.Data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\bcifvlli.sys (Rootkit.Sentinel) -> Delete on reboot.
c:\WINDOWS\system32\UACdataghot.log (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACrbfnsdou.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACrspqowqj.dat (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACufyiniwy.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\drivers\UACeodvpppa.sys (Trojan.Agent) -> Quarantined and deleted successfully.


HIJACK LOG is below

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:40:15 PM, on 5/29/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\iRiver\Service\MLService.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_Engine.exe
C:\Program Files\iRiver\Service\Updater.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gateway.com/g/sidepanel.html?Ch...P&M=GT5238E
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html?Ch...P&M=GT5238E
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/g/startpage.html?Ch...P&M=GT5238E
O1 - Hosts: ::1 localhost
O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
O1 - Hosts: 195.245.119.131 spyware-protector-2009.com
O1 - Hosts: 195.245.119.131 www.spyware-protector-2009.com
O1 - Hosts: 195.245.119.131 secure.spyware-protector-2009.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [CCUTRAYICON] C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [iRiver AutoDB] C:\Program Files\iRiver\Service\MLService.exe
O4 - HKLM\..\Run: [iRiver Updater] C:\Program Files\iRiver\Service\Updater.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Palm Registration.lnk = C:\Program Files\Palm\register.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Intel® Alert Service (AlertService) - Intel Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Intel® Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel® Software Services Manager (ISSM) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
O23 - Service: Intel® Viiv™ Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
O23 - Service: Intel® Application Tracker (MCLServiceATL) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Intel® Remoting Service (Remote UI Service) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
--
End of file - 8960 bytes
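Triage of HijackThis log lines like the ones posted above, as an added Python example that is not part of this thread nor of any tool mentioned in it: it parses the O1/O2/O4/O20 line formats and flags the indicator classes visible in the posted logs (non-loopback hosts entries, orphaned or system32-resident BHOs, autoruns from the Windows root or temp folders, AppInit_DLLs and Winlogon Notify entries). The sample lines are constructed, modelled on the posted logs, and the severity scale and path heuristics are my own assumptions, not anything HijackThis itself reports.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines modelled on the HijackThis log posted in this thread (not a real
# capture). The UACba6e Run entry is invented to exercise the temp-folder rule.
SAMPLE_LOG = r"""
O1 - Hosts: ::1 localhost
O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
O1 - Hosts: 195.245.119.131 www.spyware-protector-2009.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {E87B5601-44EA-4E08-9DA8-1020D5E4FA7C} - c:\windows\system32\xnozheq.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [system tool] c:\windows\sysguard.exe
O4 - HKCU\..\Run: [UACba6e] C:\Documents and Settings\Owner\Local Settings\Temp\UACba6e.tmp
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: ytchvzmn - xnozheq.dll
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
"""

HOSTS_RE = re.compile(r"^O1 - Hosts: (?P<ip>\S+)\s+(?P<host>\S+)$")
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>.*)$")
# Leading token of a command line that ends in an executable-like extension, quoted or not.
EXE_RE = re.compile(r'^"?(?P<path>[^"]+?\.(?:exe|dll|scr|com|bat|cmd|tmp))(?=["\s]|$)', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "review": an assumed triage scale, not a HijackThis concept
    reason: str
    line: str


def is_loopback(ip: str) -> bool:
    """A hosts file that only maps names to loopback is the normal state."""
    return ip == "::1" or ip.startswith("127.")


def exe_path(cmd: str) -> str:
    """Return the executable path from a Run command line, dropping arguments and quotes."""
    m = EXE_RE.match(cmd.strip())
    return m["path"] if m else cmd.strip()


def path_concern(path: str) -> Optional[str]:
    """Heuristic: where an autorun binary lives says a lot about it (assumed rules)."""
    p = path.lower().replace("/", "\\")
    if "\\" not in p:
        return "is a bare file name resolved through PATH search"
    if "\\temp\\" in p or "\\local settings\\" in p or "\\application data\\" in p:
        return "runs from a temp or user-profile folder"
    if p.rsplit("\\", 1)[0] in ("c:\\windows", "%windir%"):
        return "runs directly from the Windows root directory"
    return None


def triage(log_text: str) -> List[Finding]:
    """Walk the log line by line and collect entries worth a closer look."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HOSTS_RE.match(line)
        if m:
            if not is_loopback(m["ip"]):
                findings.append(Finding("high", f"hosts file redirects {m['host']} to {m['ip']}", line))
            continue
        m = BHO_RE.match(line)
        if m:
            path = m["path"].strip()
            if path.lower() == "(no file)":
                findings.append(Finding("review", "orphaned BHO registration, DLL missing", line))
            elif path.lower().rsplit("\\", 1)[0] == "c:\\windows\\system32":
                findings.append(Finding("medium", "BHO loaded directly from system32", line))
            continue
        m = RUN_RE.match(line)
        if m:
            concern = path_concern(exe_path(m["cmd"]))
            if concern:
                findings.append(Finding("medium", f"autorun '{m['name']}' {concern}", line))
            continue
        m = APPINIT_RE.match(line)
        if m and m["dlls"].strip():
            findings.append(Finding("review", "AppInit_DLLs loads into every user-mode process", line))
            continue
        m = NOTIFY_RE.match(line)
        if m:
            findings.append(Finding("review", f"Winlogon Notify package '{m['name']}' runs at logon", line))
    return findings
```

Run `triage(SAMPLE_LOG)` to get the flagged entries; the benign ehTray, Google Toolbar, Google Desktop and Trend Micro lines produce no finding, while the two hosts redirections come out as high.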

#6 Farbar (Just Curious; Security Developer, 21,707 posts; Location: The Netherlands)

Posted 30 May 2009 - 01:18 AM

Good job. :thumbup2:

Malwarebytes' Anti-Malware took them out. I would like to take a deeper look at the system with ComboFix and make sure the infection will not come back.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[screenshot]


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot]


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#7 poidogger (Topic Starter; Members, 25 posts)

Posted 30 May 2009 - 02:40 PM

Okay, when I ran ComboFix it kept hanging at installing the Windows Console Recovery System, but when I rebooted it did a CHKDSK, so I figured it must have been installed? I have my Operating System Disc if I can install it from there, if it's not on there. Also, I did disable my AV but it kept saying it was active; I also exited from it on the system tray task bar.... should I make it active again? I also turned my firewalls off. Again, I can't tell you enough of my appreciation for your help!!

Here's the log

ComboFix 09-05-30.02 - Owner 05/30/2009 14:19.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.998.484 [GMT -5:00]
Running from: c:\documents and settings\Owner.desktop\Desktop\ComboFix.exe
AV: Trend Micro Internet Security *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\NetworkService\Application Data\lwbcvore
c:\documents and settings\NetworkService\Application Data\lwbcvore\profiles.ini
c:\documents and settings\NetworkService\Application Data\lwbcvore\Profiles\0x8mulcx.default\cert8.db
c:\documents and settings\NetworkService\Application Data\lwbcvore\Profiles\0x8mulcx.default\compatibility.ini
c:\documents and settings\NetworkService\Application Data\lwbcvore\Profiles\0x8mulcx.default\compreg.dat
c:\documents and settings\NetworkService\Application Data\lwbcvore\Profiles\0x8mulcx.default\cookies.sqlite
c:\documents and settings\NetworkService\Application Data\lwbcvore\Profiles\0x8mulcx.default\formhistory.sqlite
c:\documents and settings\NetworkService\Application Data\lwbcvore\Profiles\0x8mulcx.default\key3.db
c:\documents and settings\NetworkService\Application Data\lwbcvore\Profiles\0x8mulcx.default\localstore.rdf
c:\documents and settings\NetworkService\Application Data\lwbcvore\Profiles\0x8mulcx.default\permissions.sqlite
c:\documents and settings\NetworkService\Application Data\lwbcvore\Profiles\0x8mulcx.default\places.sqlite-journal
c:\documents and settings\NetworkService\Application Data\lwbcvore\Profiles\0x8mulcx.default\places.sqlite
c:\documents and settings\NetworkService\Application Data\lwbcvore\Profiles\0x8mulcx.default\pluginreg.dat
c:\documents and settings\NetworkService\Application Data\lwbcvore\Profiles\0x8mulcx.default\prefs.js
c:\documents and settings\NetworkService\Application Data\lwbcvore\Profiles\0x8mulcx.default\secmod.db
c:\documents and settings\NetworkService\Application Data\lwbcvore\Profiles\0x8mulcx.default\webappsstore.sqlite
c:\documents and settings\NetworkService\Application Data\lwbcvore\Profiles\0x8mulcx.default\xpti.dat
c:\documents and settings\NetworkService\Local Settings\Application Data\lwbcvore
c:\documents and settings\NetworkService\Local Settings\Application Data\lwbcvore\Profiles\0x8mulcx.default\urlclassifier3.sqlite
c:\documents and settings\NetworkService\Local Settings\Application Data\lwbcvore\Profiles\0x8mulcx.default\XPC.mfl
c:\documents and settings\Owner.desktop\Application Data\lwbcvore
c:\documents and settings\Owner.desktop\Application Data\lwbcvore\profiles.ini
c:\documents and settings\Owner.desktop\Application Data\lwbcvore\Profiles\muahzidk.default\cert8.db
c:\documents and settings\Owner.desktop\Application Data\lwbcvore\Profiles\muahzidk.default\compatibility.ini
c:\documents and settings\Owner.desktop\Application Data\lwbcvore\Profiles\muahzidk.default\compreg.dat
c:\documents and settings\Owner.desktop\Application Data\lwbcvore\Profiles\muahzidk.default\cookies.sqlite
c:\documents and settings\Owner.desktop\Application Data\lwbcvore\Profiles\muahzidk.default\formhistory.sqlite
c:\documents and settings\Owner.desktop\Application Data\lwbcvore\Profiles\muahzidk.default\key3.db
c:\documents and settings\Owner.desktop\Application Data\lwbcvore\Profiles\muahzidk.default\localstore.rdf
c:\documents and settings\Owner.desktop\Application Data\lwbcvore\Profiles\muahzidk.default\parent.lock
c:\documents and settings\Owner.desktop\Application Data\lwbcvore\Profiles\muahzidk.default\permissions.sqlite
c:\documents and settings\Owner.desktop\Application Data\lwbcvore\Profiles\muahzidk.default\places.sqlite-journal
c:\documents and settings\Owner.desktop\Application Data\lwbcvore\Profiles\muahzidk.default\places.sqlite-stmtjrnl
c:\documents and settings\Owner.desktop\Application Data\lwbcvore\Profiles\muahzidk.default\places.sqlite
c:\documents and settings\Owner.desktop\Application Data\lwbcvore\Profiles\muahzidk.default\pluginreg.dat
c:\documents and settings\Owner.desktop\Application Data\lwbcvore\Profiles\muahzidk.default\prefs.js
c:\documents and settings\Owner.desktop\Application Data\lwbcvore\Profiles\muahzidk.default\secmod.db
c:\documents and settings\Owner.desktop\Application Data\lwbcvore\Profiles\muahzidk.default\webappsstore.sqlite
c:\documents and settings\Owner.desktop\Application Data\lwbcvore\Profiles\muahzidk.default\xpti.dat
c:\documents and settings\Owner.desktop\Local Settings\Application Data\lwbcvore
c:\documents and settings\Owner.desktop\Local Settings\Application Data\lwbcvore\Profiles\muahzidk.default\urlclassifier3.sqlite
c:\documents and settings\Owner.desktop\Local Settings\Application Data\lwbcvore\Profiles\muahzidk.default\XPC.mfl
c:\windows\system32\drivers\evefpdap.sys
D:\Autorun.inf
D:\Desktop.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-30 )))))))))))))))))))))))))))))))
.

2009-05-30 02:27 . 2009-05-30 02:27 -------- d-----w c:\documents and settings\Owner.desktop\Application Data\Malwarebytes
2009-05-30 02:27 . 2009-05-26 18:20 40160 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-30 02:27 . 2009-05-30 02:27 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-30 02:27 . 2009-05-26 18:19 19096 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-30 02:27 . 2009-05-30 02:27 -------- d-----w c:\program files\Malwarebytes' Anti-Malware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-24 00:58 . 2009-03-30 00:28 -------- d-----w c:\program files\Windows Live Safety Center
2009-05-11 03:25 . 2008-11-11 16:01 -------- d--h--w c:\documents and settings\Owner.desktop\Application Data\GTek
2009-05-10 17:30 . 2008-11-11 16:11 -------- d-----w c:\program files\Trend Micro
2009-04-11 15:32 . 2009-03-23 13:58 16384 ----a-w c:\windows\DCEBoot.exe
2009-04-02 21:00 . 2008-11-11 16:19 52752 ----a-w c:\windows\system32\drivers\tmactmon.sys
2009-04-02 21:00 . 2008-11-11 16:19 52624 ----a-w c:\windows\system32\drivers\tmevtmgr.sys
2009-04-02 21:00 . 2008-11-11 16:19 142864 ----a-w c:\windows\system32\drivers\tmcomm.sys
2009-04-01 03:11 . 2009-04-01 03:08 -------- d-----w c:\documents and settings\All Users\Application Data\PhotoStitch
2009-04-01 03:11 . 2009-04-01 03:11 -------- d-----w c:\documents and settings\Owner.desktop\Application Data\Canon
2009-03-08 14:34 . 2009-03-08 14:34 8854 ----a-r c:\documents and settings\Owner.desktop\Application Data\Microsoft\Installer\{0030188A-533E-42EE-9837-E044F10E4369}\NewShortcut7_4B691FC6F103435EA1F6339BD6C78617.exe
2009-03-08 14:34 . 2009-03-08 14:34 8854 ----a-r c:\documents and settings\Owner.desktop\Application Data\Microsoft\Installer\{0030188A-533E-42EE-9837-E044F10E4369}\NewShortcut15_4B691FC6F103435EA1F6339BD6C78617.exe
2009-03-08 14:34 . 2009-03-08 14:34 8854 ----a-r c:\documents and settings\Owner.desktop\Application Data\Microsoft\Installer\{0030188A-533E-42EE-9837-E044F10E4369}\NewShortcut14_4B691FC6F103435EA1F6339BD6C78617.exe
2009-03-08 14:34 . 2009-03-08 14:34 8854 ----a-r c:\documents and settings\Owner.desktop\Application Data\Microsoft\Installer\{0030188A-533E-42EE-9837-E044F10E4369}\NewShortcut13_4B691FC6F103435EA1F6339BD6C78617.exe
2009-03-08 14:34 . 2009-03-08 14:34 8854 ----a-r c:\documents and settings\Owner.desktop\Application Data\Microsoft\Installer\{0030188A-533E-42EE-9837-E044F10E4369}\NewShortcut12_4B691FC6F103435EA1F6339BD6C78617.exe
2009-03-08 14:30 . 2009-03-08 14:35 53248 ----a-w c:\windows\PalmDevC.dll
2009-03-06 14:22 . 2008-11-11 05:05 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2006-06-17 09:23 826368 ----a-w c:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-11-11 169984]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-10 139264]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-06-23 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-06-23 86016]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-06-23 81920]
"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2006-07-13 9134080]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"CCUTRAYICON"="c:\program files\Intel\IntelDH\CCU\CCU_TrayIcon.exe" [2006-07-27 303104]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-13 1121792]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-01-31 1398024]
"iRiver AutoDB"="c:\program files\iRiver\Service\MLService.exe" [2004-09-10 1040384]
"iRiver Updater"="c:\program files\iRiver\Service\Updater.exe" [2004-09-07 212992]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"CHotkey"="zHotkey.exe" - c:\windows\zHotkey.exe [2004-12-09 550912]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" - c:\windows\arpwrmsg.exe [2005-08-03 77312]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - c:\program files\BigFix\bigfix.exe [2008-11-11 2168360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [11/11/2008 11:19 AM 52624]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2/15/2008 9:37 AM 36368]
R3 MLFILEM;MLFILEM;c:\windows\system32\drivers\MLFILEM.SYS [3/10/2009 7:00 PM 28160]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2/15/2008 9:37 AM 333328]
R3 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [11/11/2008 11:19 AM 488768]
R3 tmproxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [11/11/2008 11:19 AM 648456]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
pspuqclm
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5238E
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-30 14:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Google\Google Desktop Search\GoogleDesktopIndex.exe
c:\program files\Intel\IntelDH\CCU\CCU_Engine.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
c:\progra~1\BigFix\bigfix.exe
c:\program files\Intel\IntelDH\CCU\AlertService.exe
c:\windows\arservice.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Trend Micro\Internet Security\SfCtlCom.exe
c:\program files\HP\Digital Imaging\bin\hpqtra08.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Trend Micro\BM\TMBMSRV.exe
c:\program files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\ELService.exe
c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
c:\program files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rsvp.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
c:\windows\ehome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2009-05-30 14:32 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-30 19:32

Pre-Run: 224,099,897,344 bytes free
Post-Run: 224,222,011,392 bytes free

193 --- E O F --- 2009-05-16 21:23

#8 Farbar
  • Security Developer

Posted 30 May 2009 - 04:01 PM

You did a good job and you are welcome.
Please turn on both your antivirus and firewall immediately. I'll post a fix after looking it over.

#9 Farbar
  • Security Developer

Posted 30 May 2009 - 04:31 PM

Please turn on your security programs after running ComboFix.
In case ComboFix needs to update or install the Recovery Console, please allow it. Not that we need the Recovery Console, as we can always use your Windows CD for that purpose, but ComboFix does more things when the Recovery Console is installed than when it is not. In this case, though, I don't see that it is essential.
  • Close any open browsers.

    Open notepad (start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:

    Driver::
    pspuqclm
    NetSvc::
    pspuqclm
    Registry::
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

    Save this as CFScript.txt, in the same location as ComboFix.exe


    Posted Image

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you ( "C:\ComboFix.txt"). Please copy and paste the log to your reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


  • Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Look for "Java Runtime Environment (JRE)" JRE 6 Update 13.
    • Click the Download button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version.
    -- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
    -- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
    -- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


    Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

  • Optional: Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This changed from what we knew in 2006; read this article:

    http://www.clickz.com/news/article.php/3561546

    I suggest you uninstall the following program via Add or Remove Programs if you are using it:

    Viewpoint Media Player.

    If you uninstalled it, also remove the folder C:\Program Files\Viewpoint

  • Please copy and paste a fresh HijackThis log to your reply. Also tell me how your computer is running.
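The ComboFix log in post #7 and the CFScript in this post turn on a handful of indicators: a random-looking svchost NetSvcs member (pspuqclm) that has no matching R?/S? service line because the rootkit hides it, the Security Center "DisableMonitoring" keys, the Windows Firewall being off, and an Autorun.inf on a non-system drive. The Python script below is an added example, not ComboFix's code and not a tool the helper used; it parses a constructed excerpt laid out like those log sections, flags each indicator, and emits the Driver::/NetSvc:: CFScript sections the helper wrote for the hidden service. The section parsing and the random-name heuristic are assumptions about the log format, and the DisableMonitoring keys are also set legitimately by third-party suites such as Trend Micro so that Windows Security Center defers to them, so that output is something to review, not a verdict.

```python
"""Triage a ComboFix-style log excerpt for the indicators discussed in this thread.

Added example: not ComboFix's own code. The section layout assumed here (the
"Svchost - NetSvcs" list, R?/S? service lines, the Security Center and firewall
registry dumps) is read off the log posted above; everything else is illustrative.
"""
import re
from typing import Dict, List

# Constructed excerpt in the shape of a ComboFix log (not the full log from the thread).
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
c:\windows\system32\drivers\evefpdap.sys
D:\Autorun.inf

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [11/11/2008 11:19 AM 52624]
R3 tmproxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [11/11/2008 11:19 AM 648456]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
pspuqclm
.
- - - - ORPHANS REMOVED - - - -
"""

NETSVCS_HEADER = re.compile(r"\\Svchost - NetSvcs\s*$", re.IGNORECASE)
SERVICE_LINE = re.compile(r"^[RS]\d\s+([^;]+);", re.MULTILINE)          # "R2 name;display;path"
MONITOR_DISABLED = re.compile(
    r'security center\\Monitoring\\(\w+)\]\s*"DisableMonitoring"=dword:00000001', re.IGNORECASE)
FIREWALL_OFF = re.compile(r'"EnableFirewall"=\s*0\b')
# Autorun.inf on a drive other than C: is the removable-media worm pattern; C: is excluded on purpose.
AUTORUN_INF = re.compile(r"^\s*([D-Z]:\\Autorun\.inf)\s*$", re.MULTILINE | re.IGNORECASE)
VOWELS = set("aeiouy")


def netsvcs_entries(log: str) -> List[str]:
    """Names listed under the 'Svchost - NetSvcs' header, up to the '.' terminator.
    ComboFix already omits legit default members, so anything here is worth a look."""
    lines = log.splitlines()
    for i, line in enumerate(lines):
        if NETSVCS_HEADER.search(line):
            names = []
            for entry in lines[i + 1:]:
                entry = entry.strip()
                if not entry or entry == "." or entry.startswith(("-", "[", "(")):
                    break
                names.append(entry)
            return names
    return []


def visible_services(log: str) -> set:
    """Service names that appear in the R?/S? driver and service list."""
    return {m.group(1).lower() for m in SERVICE_LINE.finditer(log)}


def looks_random(name: str) -> bool:
    """Cheap heuristic (assumption): lowercase letters only, 7+ long, and either few
    vowels or a run of 4+ consonants. Legit abbreviations (wscsvc) trip it too, so treat
    it as a flag rather than a verdict."""
    n = name.lower()
    if not n.isalpha() or len(n) < 7:
        return False
    vowel_ratio = sum(c in VOWELS for c in n) / len(n)
    longest_run = max(len(run) for run in re.split(r"[aeiouy]", n))
    return vowel_ratio < 0.25 or longest_run >= 4


def triage(log: str) -> Dict[str, object]:
    """Collect the indicators from one log text."""
    services = visible_services(log)
    return {
        # A NetSvcs member with no visible service entry is the hidden-service pattern seen here.
        "netsvcs": [{"name": n, "random_looking": looks_random(n), "visible_service": n.lower() in services}
                    for n in netsvcs_entries(log)],
        "monitoring_disabled": MONITOR_DISABLED.findall(log),   # set by AV suites too; review, don't act
        "firewall_disabled": FIREWALL_OFF.search(log) is not None,
        "autorun_inf": AUTORUN_INF.findall(log),
    }


def cfscript_for(names: List[str]) -> str:
    """Emit the Driver:: / NetSvc:: CFScript sections the helper used for the hidden service."""
    lines = ["KillAll::", "Driver::", *names, "NetSvc::", *names]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for entry in report["netsvcs"]:
        print(f"NetSvcs member {entry['name']}: random_looking={entry['random_looking']} "
              f"visible_service={entry['visible_service']}")
    print("Security Center monitoring disabled for:", report["monitoring_disabled"])
    print("Windows Firewall off:", report["firewall_disabled"])
    print("Autorun.inf on non-system drive:", report["autorun_inf"])
    hidden = [e["name"] for e in report["netsvcs"] if not e["visible_service"]]
    print(cfscript_for(hidden))
```

Run against the real C:\ComboFix.txt, the script only narrows the list; the generated CFScript should still be read line by line before it is dragged onto ComboFix.exe, exactly as the helper did here by hand, since the firewall-off and DisableMonitoring hits in this thread are explained by the user disabling her protection and by Trend Micro's own registration.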


#10 poidogger
  • Topic Starter

Posted 31 May 2009 - 07:05 PM

Hello farbar,
I am running into some problems:

1. I tried what you said. I cannot get ComboFix to install the Windows Recovery Console. Every time it tries, it just hangs at "connecting to microsoft.com...100%" and does nothing. Additionally, my computer locks up and I cannot do anything except a hard shutdown.

2. So I tried doing the combofix without getting the Recovery Console and the program hangs after the completion of stage 3.

3. When I run combofix, it tells me there is an update...I have updated each time, is that correct?

4. I dragged the CFScript.txt into combofix and ran it, and had the above problems. If I try running combofix multiple times do I have to drag the document back into the combofix application or is it in there?

5. Also, it is still saying that Trend Micro is actively scanning even when I disable it according to the instructions on the links you provided. My Windows Security Center reports that it is active as well.

6. Not sure if this is applicable, but when my computer starts up Trend Micro takes a few minutes to get active and I cannot connect to the internet until it becomes red in color (active).

I haven't done anything else with my computer so I can't comment on how it's running since I'm not getting too far with the combofix...

many thanks in advance again,
poidogger

#11 Farbar
  • Security Developer

Posted 31 May 2009 - 07:29 PM

Thanks for the detailed feedback.
We will do this step by step. Updating ComboFix is normal.
Trend Micro or something else is interfering. We will download and install the Recovery Console manually. After you have installed the Recovery Console, when ComboFix asks if you want to scan the computer, press NO.
Then apply the fresh CFScript I provide here.
  • Delete your copy of ComboFix and download ComboFix from one of these locations. Make sure Trend Micro does not remove anything as it might be something ComboFix needs.

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Go to Microsoft's website => http://support.microsoft.com/kb/310994

    Select the download that's appropriate for your Operating System


    Posted Image


    Download the file & save it as it is originally named, next to ComboFix.exe.



    Posted Image


    Now close all open windows and programs, including all anti-virus and anti-malware programs, so they do not interfere with the running of ComboFix.
    • Drag the setup package onto ComboFix.exe and drop it.
    • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
    • At the next prompt, click 'No' to stop ComboFix from scanning.

      Posted Image
  • Close any open browsers.

    Open notepad (start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:

    KillAll::
    Driver::
    pspuqclm
    NetSvc::
    pspuqclm
    Registry::
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

    Save this as CFScript.txt, in the same location as ComboFix.exe


    Posted Image

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you ( "C:\ComboFix.txt"). Please copy and paste the log to your reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall


  • Now proceed with step 2 from the previous post.


#12 Farbar
  • Security Developer

Posted 31 May 2009 - 07:34 PM

Please don't miss my previous post. Did you consult this to disable TM real-time protection? http://esupport.trendmicro.com/Pages/How-d...-Micro-Int.aspx

#13 poidogger
  • Topic Starter

Posted 31 May 2009 - 08:36 PM

I did follow those instructions regarding the disabling of A/V. I unchecked the real-time protection and it does not have the check by it when I right-click on the icon in the system tray taskbar. My Windows Security Center, however, is saying "Trend Micro Internet Security reports that it is up to date and virus scanning is on" and ComboFix keeps saying it's active too. Ugh! I'd be willing to uninstall Trend Micro and reinstall after this whole process if you think it would help?

#14 Farbar
  • Security Developer

Posted 01 June 2009 - 02:31 AM

No need to uninstall TM, please proceed with the new set of instructions.

#15 poidogger
  • Topic Starter

Posted 02 June 2009 - 08:29 PM

Oh farbar what a mess.
I could not get ComboFix to do anything due to Trend Micro, and I followed the instructions on those links provided. I tried multiple times to run ComboFix and it wouldn't run. So... I uninstalled Trend Micro, installed the Windows Recovery Console System from my Operating System disk and then followed your last post with the following CFScript:

    KillAll::
    Driver::
    pspuqclm
    NetSvc::
    pspuqclm
    Registry::
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

I dragged the CFScript.txt into ComboFix and ran it. When it rebooted and was making the log file, the screen just hung... I had to do a hard shutdown. Here is the text from the ComboFix.txt:

ComboFix 09-06-01.03 - Owner 06/02/2009 19:06:05.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.998.620 [GMT -5:00]
Running from: C:\Documents and Settings\Owner.desktop\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner.desktop\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PSPUQCLM


((((((((((((((((((((((((( Files Created from 2009-05-03 to 2009-06-03 )))))))))))))))))))))))))))))))
.

2009-05-30 02:27:23 . 2009-05-30 02:27:23 0 d-----w- C:\Documents and Settings\Owner.desktop\Application Data\Malwarebytes
2009-05-30 02:27:17 . 2009-05-26 18:20:08 40160 ----a-w- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2009-05-30 02:27:16 . 2009-05-30 02:27:16 0 d-----w- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-05-30 02:27:16 . 2009-05-26 18:19:56 19096 ----a-w- C:\WINDOWS\system32\drivers\mbam.sys
2009-05-30 02:27:15 . 2009-05-30 02:27:22 0 d-----w- C:\Program Files\Malwarebytes' Anti-Malware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.


I will now work on the Java update and remove the Viewpoint Media Player.

Looking forward to your response,
poidogger



