
PC freezes after internet connection is disconnected


  • This topic is locked
33 replies to this topic

#1 penerjemah06

penerjemah06

  • Members
  • 20 posts
  • OFFLINE
  • Local time:05:22 AM

Posted 08 June 2009 - 12:13 AM

Dear All,

I am currently having a problem with my company PC. Every time I disconnect it from the internet connection, it responds extremely slowly and then freezes. I then have to restart it manually by pressing the reset button.

I am connected via a Sierra Wireless modem, which is plugged into a USB hub and uses a GSM mobile card as the ISP. Sometimes I also use another connection, a phone dial-up connection.

Could somebody review the DDS log and help me out with this issue?

Oh yeah, is it okay to restart the PC (many times) a day by pressing the reset button? Would it cause any bad effect?

FYI, this is a multi-user machine, with the same user account, not password protected.

Here is the dds log:


DDS (Ver_09-03-16.01) - NTFSx86
Run by Bowo at 12:02:39,11 on 08/06/2009
Internet Explorer: 6.0.2800.1106
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.511.197 [GMT 7:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Adobe\Distillr\Acrotray.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat\acrobat_sl.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\TheSage\TheSage.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\AT&T\Communication Manager\ATTCM.exe
C:\Program Files\AT&T\Communication Manager\bmctl.exe
C:\Program Files\AT&T\Communication Manager\SwiApiMux.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Bowo\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\activex\AcroIEHelper.dll
BHO: SpywareGuardDLBLOCK.CBrowserHelper: {4a368e80-174f-4872-96b5-0b27ddd11db2} - c:\program files\spywareguard\dlprotect.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat\AcroIEFavClient.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat\AcroIEFavClient.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat\AcroIEFavClient.dll
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [EPSON Stylus C79 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatibgp.exe /fu "c:\windows\temp\E_S16.tmp" /EF "HKLM"
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\distillr\Acrotray.exe"
mRun: [Microsoft Msn Messenger] c:\windows\system32\msmsgs.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dRun: [Microsoft Msn Messenger] c:\windows\system32\msmsgs.exe
StartupFolder: c:\docume~1\bowo\userdata\startm~1\programs\startup\spywar~1.lnk - c:\program files\spywareguard\sgmain.exe
StartupFolder: c:\docume~1\bowo\userdata\startm~1\programs\startup\thesage.lnk - c:\program files\thesage\TheSage.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-100000000002}\SC_Acrobat.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: bmnet.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: mszsrn32 - c:\windows\system32\mszsrn32.dll
SEH: SpywareGuard.Handler: {81559c35-8464-49f7-bb0e-07a383bef910} - c:\program files\spywareguard\spywareguard.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\bowo\applic~1\mozilla\firefox\profiles\6htknuqg.default\
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - component: c:\program files\mozilla firefox\extensions\{463f6ca5-ee3c-4be1-b7e6-7fee11953374}\platform\winnt\components\FoxyTunes.dll

============= SERVICES / DRIVERS ===============

R0 avgntmgr;avgntmgr;c:\windows\system32\drivers\avgntmgr.sys [2009-5-8 22360]
R1 avgntdd;avgntdd;c:\windows\system32\drivers\avgntdd.sys [2009-5-8 45416]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-5-8 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-5-8 185089]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-3-20 210216]
R3 SWNC8U56;Sierra Wireless MUX NDIS Driver (UMTS56);c:\windows\system32\drivers\swnc8u56.sys [2007-6-27 101248]
R3 SWUMX56;Sierra Wireless USB MUX Driver (UMTS56);c:\windows\system32\drivers\swumx56.sys [2007-6-27 73856]
S2 bgzxli;Universal Driver;c:\windows\system32\svchost.exe -k netsvcs [2001-8-23 12800]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\at&t\communication manager\RcAppSvc.exe [2007-9-18 109080]

=============== Created Last 30 ================

2009-06-05 15:10 <DIR> --d----- c:\program files\SpywareGuard
2009-06-05 08:56 23,040 a------- c:\windows\system32\mszsrn32.dll
2009-06-04 16:29 167,936 -------- c:\windows\system32\Tracker.exe
2009-06-02 12:57 <DIR> --d----- c:\program files\Trend Micro
2009-05-27 08:51 32,768 a------- c:\windows\notepad16.exe
2009-05-27 08:50 108,336 a------- c:\windows\system32\MSWINSCK.OCX
2009-05-27 08:50 53 a------- c:\windows\system32\g.ftp
2009-05-27 08:50 24 a------- c:\windows\system32\g.bat

==================== Find3M ====================

2009-05-27 08:51 61,440 a------- c:\windows\help\svchost32.exe
2009-05-27 08:50 32,768 a------- c:\windows\help\p.exe
2002-08-29 10:41 1,406,842 a--shr-- c:\windows\system32\eecodn.dll

============= FINISH: 12:03:35,04 ===============


Thanks in advance.


#2 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,681 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:11:22 PM

Posted 18 June 2009 - 04:40 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

regards _temp_
If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#3 penerjemah06

penerjemah06
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:05:22 AM

Posted 19 June 2009 - 05:04 AM

Hello there,

The steps I have taken into action:

1. Download ComboFix
2. Run it a few times and install the Microsoft Recovery Console: once I ran it under the name "ComboFix"; the last time I ran it renamed to "ComFix" with the command "kill all".
3. Turn Off System Restore and Turn it back on.

The issue of freezing after disconnecting seems to have disappeared; however, occasionally it still occurs and it is very difficult to get it connected.

Here is the fresh dds.txt:

DDS (Ver_09-03-16.01) - NTFSx86
Run by Bowo at 16:36:46,51 on 19/06/2009
Internet Explorer: 6.0.2800.1106
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.511.310 [GMT 7:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Adobe\Distillr\Acrotray.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat\acrobat_sl.exe
C:\WINDOWS\System32\logon.exe
C:\Program Files\TheSage\TheSage.exe
C:\Documents and Settings\Bowo\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\activex\AcroIEHelper.dll
BHO: SpywareGuardDLBLOCK.CBrowserHelper: {4a368e80-174f-4872-96b5-0b27ddd11db2} - c:\program files\spywareguard\dlprotect.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat\AcroIEFavClient.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat\AcroIEFavClient.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat\AcroIEFavClient.dll
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\distillr\Acrotray.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Background Intelligent Transfer Service] c:\windows\help\rundll32.exe
mRun: [Windows Logon Application] c:\windows\system32\logon.exe
dRun: [Microsoft Msn Messenger] c:\windows\system32\msmsgs.exe
StartupFolder: c:\docume~1\bowo\userdata\startm~1\programs\startup\spywar~1.lnk - c:\program files\spywareguard\sgmain.exe
StartupFolder: c:\docume~1\bowo\userdata\startm~1\programs\startup\thesage.lnk - c:\program files\thesage\TheSage.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-100000000002}\SC_Acrobat.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: bmnet.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
SEH: SpywareGuard.Handler: {81559c35-8464-49f7-bb0e-07a383bef910} - c:\program files\spywareguard\spywareguard.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\bowo\applic~1\mozilla\firefox\profiles\6htknuqg.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxps://login.yahoo.com/config/login_verify2?&.src=ym
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - component: c:\program files\mozilla firefox\extensions\{463f6ca5-ee3c-4be1-b7e6-7fee11953374}\platform\winnt\components\FoxyTunes.dll

============= SERVICES / DRIVERS ===============

R0 avgntmgr;avgntmgr;c:\windows\system32\drivers\avgntmgr.sys [2009-5-8 22360]
R1 avgntdd;avgntdd;c:\windows\system32\drivers\avgntdd.sys [2009-5-8 45416]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-5-8 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-5-8 185089]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-3-20 210216]
S2 bgzxli;Universal Driver;c:\windows\system32\svchost.exe -k netsvcs [2001-8-23 12800]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\at&t\communication manager\RcAppSvc.exe [2007-9-18 109080]
S3 SWNC8U56;Sierra Wireless MUX NDIS Driver (UMTS56);c:\windows\system32\drivers\swnc8u56.sys [2007-6-27 101248]
S3 SWUMX56;Sierra Wireless USB MUX Driver (UMTS56);c:\windows\system32\drivers\swumx56.sys [2007-6-27 73856]

=============== Created Last 30 ================

2009-06-18 12:05 0 a------- c:\windows\system32\Tracker.exe
2009-06-18 09:31 10,735,624 -------- c:\windows\ESPT11~7.CAB
2009-06-17 16:50 <DIR> --d----- c:\program files\eSPT 1107 PUT
2009-06-16 09:15 0 a----r-- c:\windows\system32\TFTP1968
2009-06-15 09:43 0 a----r-- c:\windows\system32\TFTP2384
2009-06-15 09:37 0 a----r-- c:\windows\system32\TFTP2268
2009-06-15 09:28 32,768 a------- c:\windows\notepad16.exe
2009-06-15 09:22 0 a----r-- c:\windows\system32\TFTP3536
2009-06-12 13:30 54,156 a---h--- c:\windows\QTFont.qfn
2009-06-12 13:30 1,409 a------- c:\windows\QTFont.for
2009-06-11 09:38 <DIR> a-dshr-- C:\cmdcons
2009-06-11 09:37 <DIR> --ds---- C:\ComboFix
2009-06-10 16:58 161,792 a------- c:\windows\SWREG.exe
2009-06-10 16:58 155,136 a------- c:\windows\PEV.exe
2009-06-10 16:58 98,816 a------- c:\windows\sed.exe
2009-06-10 09:00 23,040 a------- c:\windows\system32\mszsrn32.dll
2009-06-05 15:10 <DIR> --d----- c:\program files\SpywareGuard
2009-06-02 12:57 <DIR> --d----- c:\program files\Trend Micro
2009-05-27 08:50 108,336 a------- c:\windows\system32\MSWINSCK.OCX
2009-05-27 08:50 53 a------- c:\windows\system32\g.ftp
2009-05-27 08:50 24 a------- c:\windows\system32\g.bat

==================== Find3M ====================

2009-06-18 09:33 286,720 -------- c:\windows\Setup1.exe
2009-06-15 09:28 45,056 a------- c:\windows\help\rundll32.exe
2009-06-15 09:27 61,440 a------- c:\windows\help\svchost32.exe
2009-05-19 11:44 1,773,568 a------- c:\program files\Motul013686779073.mdb
2008-08-15 20:01 888,832 a------- c:\program files\eSPT1107.mdb
2002-08-29 10:41 1,406,842 a--shr-- c:\windows\system32\eecodn.dll

============= FINISH: 16:37:25,60 ===============


I also attach the latest Log file of ComboFix scan and the quarantined files in case you might need them.


Remarks:
As tomorrow is already weekend, I won't be able to access the office pc. Should there be any reply that needs action to be taken with the machine, it will have to wait till Monday. I am really sorry for this. :thumbup2:




Thanks,
Bo.

ComboFix 09-06-08.05 - Bowo 11/06/2009 12:46.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.511.335 [GMT 7:00]
Running from: c:\documents and settings\Bowo\desktop\comfix.exe
Command switches used :: killall
.

((((((((((((((((((((((((( Files Created from 2009-05-11 to 2009-06-11 )))))))))))))))))))))))))))))))
.

2009-06-10 08:52 . 2009-06-10 10:36 21504 ----a-w- c:\windows\system32\Tracker.exe
2009-06-10 02:00 . 2009-06-10 02:00 23040 ------w- c:\windows\system32\mszsrn32.dll
2009-06-05 08:10 . 2009-06-11 01:58 -------- d-----w- c:\program files\SpywareGuard
2009-06-02 05:57 . 2009-06-02 05:57 -------- d-----w- c:\program files\Trend Micro
2009-05-27 01:50 . 2009-05-27 01:50 24 ----a-w- c:\windows\system32\g.bat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-11 05:12 . 2009-05-08 09:50 -------- d---a-w- c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
2009-06-11 05:12 . 2009-05-08 09:50 -------- d-----w- c:\program files\SpywareBlaster
2009-06-10 02:01 . 2009-02-23 02:33 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Application Data\SACore
2009-05-08 10:26 . 2009-05-08 09:51 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2009-05-08 10:14 . 2009-05-08 10:14 2967799 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-05-08 10:01 . 2009-05-08 09:51 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-05-08 06:28 . 2009-05-08 06:28 -------- d-----w- c:\program files\Avira
2009-05-08 06:28 . 2009-05-08 06:28 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Avira
2009-05-08 06:27 . 2009-05-08 06:27 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Avg7
2009-03-30 03:33 . 2009-05-08 06:28 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2002-08-29 03:41 . 2002-08-29 03:41 1406842 --sha-r- c:\windows\system32\eecodn.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-06-10_10.17.39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-06-08 04:59 . 2009-06-11 05:34 49152 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-06-08 04:59 . 2009-06-10 10:17 49152 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-06-08 04:59 . 2009-06-11 05:34 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-06-08 04:59 . 2009-06-10 10:17 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-06-08 04:59 . 2009-06-11 05:34 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2007-06-08 04:59 . 2009-06-10 10:17 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\System32\ctfmon.exe" [2002-08-29 13312]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Distillr\Acrotray.exe" [2006-01-12 483328]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Msn Messenger"="c:\windows\System32\msmsgs.exe" [BU]

c:\documents and settings\Bowo\UserData\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]
TheSage.lnk - c:\program files\TheSage\TheSage.exe [2006-9-26 159744]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2008-7-2 25214]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WgaLogon]
[BU]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^BlueSoleil.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\BlueSoleil.lnk
backup=c:\windows\pss\BlueSoleil.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\AT&T\\Communication Manager\\SwiApiMux.exe"=

R0 avgntmgr;avgntmgr;c:\windows\system32\drivers\avgntmgr.sys [08/05/2009 13:28 22360]
R1 avgntdd;avgntdd;c:\windows\system32\drivers\avgntdd.sys [08/05/2009 13:28 45416]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [08/05/2009 13:28 108289]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [20/03/2009 9:21 210216]
S2 bgzxli;Universal Driver;c:\windows\system32\svchost.exe -k netsvcs [23/08/2001 19:00 12800]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [18/09/2007 6:56 109080]
S3 SWNC8U56;Sierra Wireless MUX NDIS Driver (UMTS56);c:\windows\system32\drivers\swnc8u56.sys [27/06/2007 10:41 101248]
S3 SWUMX56;Sierra Wireless USB MUX Driver (UMTS56);c:\windows\system32\drivers\swumx56.sys [27/06/2007 10:42 73856]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
bgzxli
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
LSP: bmnet.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Bowo\Application Data\Mozilla\Firefox\Profiles\6htknuqg.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxps://login.yahoo.com/config/login_verify2?&.src=ym
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-11 12:51
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\bgzxli]
"ServiceDll"="c:\windows\System32\eecodn.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(572)
c:\windows\System32\ODBC32.dll
c:\windows\system32\mszsrn32.dll

- - - - - - - > 'lsass.exe'(628)
c:\windows\system32\bmnet.dll
c:\windows\System32\dssenh.dll

- - - - - - - > 'explorer.exe'(1836)
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\System32\msi.dll
.
Completion time: 2009-06-11 12:53
ComboFix-quarantined-files.txt 2009-06-11 05:53
ComboFix2.txt 2009-06-11 03:20
ComboFix3.txt 2009-06-11 02:45

Pre-Run: 11.029.028.864 bytes free
Post-Run: 11.019.640.832 bytes free

128


Edited by PropagandaPanda, 19 June 2009 - 06:48 PM.


#4 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:22 PM

Posted 19 June 2009 - 06:52 PM

Hello Bo.

Don't worry about having to wait.

Run ComboFix with CFScript
We will run ComboFix again with a script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    http://www.bleepingcomputer.com/forums/t/232379/pc-freezes-after-internet-connection-is-disconnected/
    Collect::[59]
    c:\windows\system32\g.bat
    
    Suspect::[59]
    c:\windows\system32\Tracker.exe
    
    File::
    c:\windows\system32\mszsrn32.dll
    c:\windows\system32\eecodn.dll
    
    Driver::
    bgzxli
    
    NetSvc::
    bgzxli
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Posted Image
    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouseclick ComboFix's window while it's running. That may cause it to stall

Upload Samples Collected by ComboFix
The script above includes directives to upload file samples. Ensure you are connected to the internet before clicking "OK" on the message box. After the uploading is done you should see a message near the bottom saying "Upload was Succesfull".

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER to your desktop. Note that the file will be randomly named to prevent active malware from stopping the download.
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click the GMER program ******.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.

With Regards,
The Panda
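The two findings the CFScript above acts on (a service named bgzxli hosted in svchost's netsvcs group whose ServiceDll is an unknown DLL in system32, and executables named after system binaries sitting in c:\windows\help and c:\windows) can be pulled out of a DDS and ComboFix log mechanically. The script below is an added example written for this page; it is not part of the original posts and is not a BleepingComputer, DDS or ComboFix tool. The sample lines are copied from the logs posted above; the netsvcs allow-list is a partial assumption and should be extended from a known-clean machine of the same Windows build.

```python
import re

# Constructed sample made of lines copied from the DDS and ComboFix logs posted
# above; a real run would read the whole dds.txt / ComboFix.txt instead.
DDS_SERVICES = r"""
R0 avgntmgr;avgntmgr;c:\windows\system32\drivers\avgntmgr.sys [2009-5-8 22360]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-5-8 185089]
S2 bgzxli;Universal Driver;c:\windows\system32\svchost.exe -k netsvcs [2001-8-23 12800]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\at&t\communication manager\RcAppSvc.exe [2007-9-18 109080]
"""

DDS_FILES = r"""
2009-05-27 08:51 61,440 a------- c:\windows\help\svchost32.exe
2009-06-15 09:28 45,056 a------- c:\windows\help\rundll32.exe
2009-05-27 08:51 32,768 a------- c:\windows\notepad16.exe
2009-06-05 15:10 <DIR> --d----- c:\program files\SpywareGuard
2002-08-29 10:41 1,406,842 a--shr-- c:\windows\system32\eecodn.dll
"""

COMBOFIX_REG = r"""
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\bgzxli]
"ServiceDll"="c:\windows\System32\eecodn.dll"
"""

# Partial allow-list of services Windows XP itself hosts in the netsvcs group.
# Assumption: extend it from a known-clean machine of the same build.
XP_NETSVCS = {"appmgmt", "audiosrv", "bits", "browser", "cryptsvc", "dmserver",
              "eventsystem", "helpsvc", "lanmanserver", "lanmanworkstation",
              "netman", "nla", "rasman", "schedule", "seclogon", "sens",
              "sharedaccess", "shellhwdetection", "themes", "trkwks",
              "w32time", "winmgmt", "wscsvc", "wuauserv", "wzcsvc", "xmlprov"}

# DDS "SERVICES / DRIVERS" line: <state> <name>;<display>;<image> [<date> <size>]
SERVICE_LINE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.+?)\s*\[(?P<date>\d{4}-\d{1,2}-\d{1,2})\s+(?P<size>\d+)\]$")
# DDS "Created Last 30" / "Find3M" line: <date> <time> <size|<DIR>> <attrs> <path>
FILE_LINE = re.compile(
    r"^(?P<date>\d{4}-\d\d-\d\d)\s+(?P<time>\d\d:\d\d)\s+(?P<size>[\d,]+|<DIR>)\s+"
    r"(?P<attrs>[a-z-]{8})\s+(?P<path>.+)$")
# ComboFix REGEDIT4-style service key and its ServiceDll value
SERVICE_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\(?P<name>[^\]\\]+)\]$", re.I)
SERVICE_DLL = re.compile(r'^"ServiceDll"="(?P<dll>[^"]+)"$', re.I)
# Names that imitate core Windows binaries (svchost32.exe, notepad16.exe, ...)
LOOKALIKE = re.compile(
    r"^(?P<stem>svchost|rundll32|notepad|lsass|csrss|winlogon)(?P<extra>\w*)\.exe$", re.I)


def parse_services(text):
    """One dict per DDS 'SERVICES / DRIVERS' line; other lines are skipped."""
    return [m.groupdict() for m in map(SERVICE_LINE.match, text.strip().splitlines()) if m]


def svchost_group(image):
    """Group name from 'svchost.exe -k <group>', or None when not svchost-hosted."""
    m = re.search(r"svchost(?:\.exe)?\s+-k\s+(\S+)", image, re.I)
    return m.group(1).lower() if m else None


def parse_service_dlls(text):
    """Map lower-cased service name -> ServiceDll path from ComboFix's registry dump."""
    dlls, current = {}, None
    for line in text.strip().splitlines():
        if (m := SERVICE_KEY.match(line)):
            current = m.group("name").lower()
        elif (m := SERVICE_DLL.match(line)) and current:
            dlls[current] = m.group("dll")
    return dlls


def suspect_netsvcs(services_text, reg_text, allowlist=XP_NETSVCS):
    """netsvcs-hosted services missing from the allow-list, joined with their ServiceDll."""
    dlls = parse_service_dlls(reg_text)
    return [(s["name"], s["display"], dlls.get(s["name"].lower()))
            for s in parse_services(services_text)
            if svchost_group(s["image"]) == "netsvcs" and s["name"].lower() not in allowlist]


def suspect_files(text):
    """Heuristics over file entries: look-alike names in odd places, hidden+system DLLs."""
    findings = []
    for m in filter(None, map(FILE_LINE.match, text.strip().splitlines())):
        path, attrs = m["path"], m["attrs"]
        folder, _, base = path.lower().rpartition("\\")
        look = LOOKALIKE.match(base)
        # A suffix (svchost32) is always odd; the exact name is odd outside system32/windows.
        if look and (look["extra"] or folder not in (r"c:\windows\system32", r"c:\windows")):
            findings.append((path, "system binary look-alike outside its normal location"))
        elif "h" in attrs and "s" in attrs and base.endswith(".dll"):
            findings.append((path, "hidden+system DLL"))
    return findings


if __name__ == "__main__":
    for name, display, dll in suspect_netsvcs(DDS_SERVICES, COMBOFIX_REG):
        print(f"netsvcs service {name!r} ({display}) -> ServiceDll {dll}")
    for path, why in suspect_files(DDS_FILES):
        print(f"{path}: {why}")
```

Run against the sample it reports bgzxli with its ServiceDll c:\windows\System32\eecodn.dll, plus svchost32.exe, rundll32.exe (in c:\windows\help), notepad16.exe and the hidden+system eecodn.dll, which is the same set the CFScript's Driver::, NetSvc:: and File:: sections target. The allow-list check is the important one: a netsvcs entry is loaded by a trusted svchost.exe, so the image path alone never looks wrong and only the group membership and ServiceDll give it away.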

#5 penerjemah06

penerjemah06
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:05:22 AM

Posted 21 June 2009 - 10:58 AM

Hello The Panda,

Thanks for responding...

Looking back carefully at the office pc, I can find ComboFix3 and ComboFix4.txt files.
Should I post them here?
or Should I just continue with your previous instructions?
or Should I run ComboFix once again and submit the txt file for you to review before carrying on your previous instructions?

My apology to you for not being careful when attaching the ComboFix2 txt file, and also double attaching that file; it should have been the ComboFix quarantined file (let me know if you need the quarantined file).


Bo.

Edited by penerjemah06, 21 June 2009 - 11:02 AM.


#6 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:22 PM

Posted 21 June 2009 - 11:26 AM

Hello Bo.

Please continue with my previous instructions.

ComboFix includes the previous logs in its upload.

With Regards,
The Panda

#7 penerjemah06

penerjemah06
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:05:22 AM

Posted 22 June 2009 - 02:33 AM

Hi The Panda,

ComboFix did not ask to upload any file after finishing the scan. Instead, it rebooted the machine and popped up the log once completed. However, I manually uploaded the file to this link: BC submit-malware

Link to topic where this file was requested: http://www.bleepingcomputer.com/forums/ind...=232379&st=

Browse to the file you want to submit: C:\Qoobox\Quarantine\[59]-Submit_2009-06-22_12.38.55

I am not sure whether or not this is correct. Please advise.


GMER made the machine freeze after finishing the scan. When clicking "Save", I then saw no other activity on the pc; it completely froze. I had to manually power off the pc and re-scan with GMER, and this time it succeeded successfully.


Here is the ComboFix.txt:
ComboFix 09-06-08.05 - Bowo 22/06/2009 12:39.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.511.319 [GMT 7:00]
Running from: c:\documents and settings\Bowo\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Bowo\Desktop\CFScript.txt
* Created a new restore point
.
- REDUCED FUNCTIONALITY MODE -

FILE ::
"c:\windows\system32\eecodn.dll"
"c:\windows\system32\mszsrn32.dll"

file zipped: c:\windows\system32\g.bat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Bowo\Bowo.exe
c:\windows\Help\COMCTL6.CNT
c:\windows\Help\p.exe
c:\windows\Help\rundll32.exe
c:\windows\Help\svchost32.exe
c:\windows\notepad16.exe
c:\windows\system32\drivers\systemntmi.sys
c:\windows\system32\eecodn.dll
c:\windows\system32\g.bat
c:\windows\system32\logon.exe
c:\windows\system32\mszsrn32.dll

.
((((((((((((((((((((((((( Files Created from 2009-05-22 to 2009-06-22 )))))))))))))))))))))))))))))))
.

2009-06-17 09:50 . 2009-06-18 03:45 -------- d-----w- c:\program files\eSPT 1107 PUT
2009-06-05 08:10 . 2009-06-11 01:58 -------- d-----w- c:\program files\SpywareGuard
2009-06-02 05:57 . 2009-06-02 05:57 -------- d-----w- c:\program files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-18 02:33 . 2007-06-19 07:36 286720 ------w- c:\windows\Setup1.exe
2009-06-11 05:12 . 2009-05-08 09:50 -------- d---a-w- c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
2009-06-11 05:12 . 2009-05-08 09:50 -------- d-----w- c:\program files\SpywareBlaster
2009-06-10 02:01 . 2009-02-23 02:33 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Application Data\SACore
2009-05-19 04:44 . 2009-06-18 02:08 1773568 ----a-w- c:\program files\Motul013686779073.mdb
2009-05-08 10:26 . 2009-05-08 09:51 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2009-05-08 10:14 . 2009-05-08 10:14 2967799 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-05-08 10:01 . 2009-05-08 09:51 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-05-08 06:28 . 2009-05-08 06:28 -------- d-----w- c:\program files\Avira
2009-05-08 06:28 . 2009-05-08 06:28 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Avira
2009-05-08 06:27 . 2009-05-08 06:27 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Avg7
2009-03-30 03:33 . 2009-05-08 06:28 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2008-08-15 13:01 . 2009-06-17 10:38 888832 ----a-w- c:\program files\eSPT1107.mdb
.

((((((((((((((((((((((((((((( SnapShot@2009-06-10_10.17.39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-22 05:39 . 2009-06-22 05:39 16384 c:\windows\Temp\Perflib_Perfdata_a10.dat
+ 2007-06-08 04:59 . 2009-06-22 05:27 49152 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-06-08 04:59 . 2009-06-10 10:17 49152 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-06-08 04:59 . 2009-06-22 05:27 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-06-08 04:59 . 2009-06-10 10:17 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-06-08 04:59 . 2009-06-10 10:17 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2007-06-08 04:59 . 2009-06-22 05:27 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2006-08-02 04:28 . 2006-08-02 04:28 36864 c:\windows\system32\CBuilderV06.dll
- 2008-11-05 06:12 . 2009-06-10 10:03 262144 c:\windows\system32\config\systemprofile\NtUser.dat
+ 2008-11-05 06:12 . 2009-06-22 05:38 262144 c:\windows\system32\config\systemprofile\NtUser.dat
+ 2006-10-20 08:00 . 2006-10-20 08:00 126976 c:\windows\system32\CLib1107PUT.dll
+ 2002-06-05 04:41 . 2002-06-05 04:41 480904 c:\windows\system32\Capicom.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\System32\ctfmon.exe" [2002-08-29 13312]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2002-08-20 1511453]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Distillr\Acrotray.exe" [2006-01-12 483328]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Msn Messenger"="c:\windows\System32\msmsgs.exe" [BU]

c:\documents and settings\Bowo\UserData\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]
TheSage.lnk - c:\program files\TheSage\TheSage.exe [2006-9-26 159744]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2008-7-2 25214]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WgaLogon]
[BU]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^BlueSoleil.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\BlueSoleil.lnk
backup=c:\windows\pss\BlueSoleil.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\AT&T\\Communication Manager\\SwiApiMux.exe"=

R0 avgntmgr;avgntmgr;c:\windows\system32\drivers\avgntmgr.sys [08/05/2009 13:28 22360]
R1 avgntdd;avgntdd;c:\windows\system32\drivers\avgntdd.sys [08/05/2009 13:28 45416]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [08/05/2009 13:28 108289]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [20/03/2009 9:21 210216]
R3 SWNC8U56;Sierra Wireless MUX NDIS Driver (UMTS56);c:\windows\system32\drivers\swnc8u56.sys [27/06/2007 10:41 101248]
R3 SWUMX56;Sierra Wireless USB MUX Driver (UMTS56);c:\windows\system32\drivers\swumx56.sys [27/06/2007 10:42 73856]
S2 acpi32;acpi32;\??\c:\windows\system32\drivers\acpi32.sys --> c:\windows\system32\drivers\acpi32.sys [?]
S2 ati64si;ati64si;\??\c:\windows\system32\drivers\ati64si.sys --> c:\windows\system32\drivers\ati64si.sys [?]
S2 bgzxli;Universal Driver;c:\windows\system32\svchost.exe -k netsvcs [23/08/2001 19:00 12800]
S2 fips32cup;fips32cup;\??\c:\windows\system32\drivers\fips32cup.sys --> c:\windows\system32\drivers\fips32cup.sys [?]
S2 i386si;i386si;\??\c:\windows\system32\drivers\i386si.sys --> c:\windows\system32\drivers\i386si.sys [?]
S2 netsik;netsik;\??\c:\windows\system32\drivers\netsik.sys --> c:\windows\system32\drivers\netsik.sys [?]
S2 nicsk32;nicsk32;\??\c:\windows\system32\drivers\nicsk32.sys --> c:\windows\system32\drivers\nicsk32.sys [?]
S2 securentm;securentm;\??\c:\windows\system32\drivers\securentm.sys --> c:\windows\system32\drivers\securentm.sys [?]
S2 systemntmi;systemntmi;\??\c:\windows\system32\drivers\systemntmi.sys --> c:\windows\system32\drivers\systemntmi.sys [?]
S2 ws2_32sik;ws2_32sik;\??\c:\windows\system32\drivers\ws2_32sik.sys --> c:\windows\system32\drivers\ws2_32sik.sys [?]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [18/09/2007 6:56 109080]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Bowo - c:\documents and settings\Bowo\Bowo.exe
HKLM-Run-Background Intelligent Transfer Service - c:\windows\help\rundll32.exe


.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
LSP: bmnet.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Bowo\Application Data\Mozilla\Firefox\Profiles\6htknuqg.default\
FF - prefs.js: browser.startup.homepage - hxxps://login.yahoo.com/config/login_verify2?&.src=ym
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-22 12:41
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\bgzxli]
"ServiceDll"="c:\windows\System32\eecodn.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(748)
c:\windows\System32\ODBC32.dll

- - - - - - - > 'lsass.exe'(804)
c:\windows\system32\bmnet.dll
c:\windows\System32\dssenh.dll

- - - - - - - > 'explorer.exe'(696)
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\System32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\IVT Corporation\BlueSoleil\BTNtService.exe
c:\program files\Adobe\Acrobat\acrobat_sl.exe
c:\program files\SpywareGuard\sgbhp.exe
.
**************************************************************************
.
Completion time: 2009-06-22 12:44 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-22 05:44
ComboFix2.txt 2009-06-11 06:33
ComboFix3.txt 2009-06-11 05:53
ComboFix4.txt 2009-06-11 03:20
ComboFix5.txt 2009-06-22 05:38

Pre-Run: 10.746.597.376 bytes free
Post-Run: 10.739.257.344 bytes free

173



Here is the gmer log:
GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-22 14:13:24
Windows 5.1.2600 Service Pack 1


---- System - GMER 1.0.15 ----

SSDT F8C25EEE ZwCreateKey
SSDT F8C25EE4 ZwCreateThread
SSDT F8C25EF3 ZwDeleteKey
SSDT F8C25EFD ZwDeleteValueKey
SSDT F8C25F02 ZwLoadKey
SSDT F8C25ED0 ZwOpenProcess
SSDT F8C25ED5 ZwOpenThread
SSDT F8C25F0C ZwReplaceKey
SSDT F8C25F07 ZwRestoreKey
SSDT F8C25EF8 ZwSetValueKey
SSDT F8C25EDF ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!KeInitializeInterrupt + B67 804DA23C 1 Byte [06]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 1B0 8050262C 4 Bytes [EE, 5E, C2, F8]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 1E0 8050265C 4 Bytes [E4, 5E, C2, F8]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 208 80502684 4 Bytes [F3, 5E, C2, F8]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 210 8050268C 4 Bytes [FD, 5E, C2, F8]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 294 80502710 4 Bytes [02, 5F, C2, F8] {ADD BL, [EDI-0x3e]; CLC }
.text ...

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs avgntmgr.sys (Avira AntiVir File Filter Driver Manager/Avira GmbH)
AttachedDevice \Driver\Tcpip \Device\Tcp tcpipBM.SYS (Bytemobile Kernel Network Provider/Bytemobile, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat avgntmgr.sys (Avira AntiVir File Filter Driver Manager/Avira GmbH)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] bgzxli <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\bgzxli@DisplayName Universal Driver
Reg HKLM\SYSTEM\CurrentControlSet\Services\bgzxli@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\bgzxli@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\bgzxli@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\bgzxli@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\bgzxli@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\bgzxli@Description Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Reg HKLM\SYSTEM\CurrentControlSet\Services\bgzxli\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\bgzxli\Parameters@ServiceDll C:\WINDOWS\System32\eecodn.dll
Reg HKLM\SYSTEM\ControlSet002\Services\bgzxli@DisplayName Universal Driver
Reg HKLM\SYSTEM\ControlSet002\Services\bgzxli@Type 32
Reg HKLM\SYSTEM\ControlSet002\Services\bgzxli@Start 2
Reg HKLM\SYSTEM\ControlSet002\Services\bgzxli@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\bgzxli@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\bgzxli@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\Services\bgzxli@Description Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Reg HKLM\SYSTEM\ControlSet002\Services\bgzxli\Parameters
Reg HKLM\SYSTEM\ControlSet002\Services\bgzxli\Parameters@ServiceDll C:\WINDOWS\System32\eecodn.dll

---- EOF - GMER 1.0.15 ----



Bo.

Edited by penerjemah06, 22 June 2009 - 02:36 AM.


#8 penerjemah06

penerjemah06
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:05:22 AM

Posted 22 June 2009 - 03:48 AM

Update of system behaviour:

- The machine tends to freeze after being disconnected, and even before being disconnected (it's getting worse?)
- Antivir AV, at times, detects various viruses and pops up a message. I often choose "Deny Access" as I am afraid that it might clash with the fixing instructions.

Any suggestion on how to prevent the 'freeze' from happening, temporarily?

Thanks,
Bo.

Edited by penerjemah06, 22 June 2009 - 06:36 AM.


#9 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:22 PM

Posted 22 June 2009 - 07:05 AM

Hello.

That looks like everything went right.

There are still some infections remaining.

Run ComboFix with CFScript
Delete your current copy of ComboFix. Then, download a new copy from any of the links below.
Link 1, Link 2, Link 3

We will run ComboFix again with a script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    Driver::
    acpi32
    ati64si
    bgzxli
    fips32cup
    i386si
    netsik
    nicsk32
    securentm
    systemntmi
    ws2_32sik
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Posted Image
    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouseclick ComboFix's window while it's running. That may cause it to stall.
With Regards,
The Panda
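
How the Driver:: list in the post above relates to the ComboFix and GMER output posted earlier in the thread, as an added example that is not part of the original thread and not code from ComboFix, GMER or BleepingComputer: the script parses constructed excerpts of the logs from post #7, flags service entries whose image file is missing (ComboFix's "[?]" marker) or that GMER reports as hidden from the service API, attaches the ServiceDll GMER dumped for the hidden service, and renders the names as a ComboFix-style Driver:: block. The log excerpts are copied from this thread; the heuristics, the function names and the Finding class are this example's own assumptions, not rules that ComboFix or GMER apply.

```python
"""Triage helper for ComboFix / GMER log excerpts (added example, not tool code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: lines excerpted from the ComboFix and GMER logs posted
# in this thread (raw strings so the Windows backslashes survive verbatim).
COMBOFIX_SAMPLE = r"""
R0 avgntmgr;avgntmgr;c:\windows\system32\drivers\avgntmgr.sys [08/05/2009 13:28 22360]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [20/03/2009 9:21 210216]
S2 acpi32;acpi32;\??\c:\windows\system32\drivers\acpi32.sys --> c:\windows\system32\drivers\acpi32.sys [?]
S2 bgzxli;Universal Driver;c:\windows\system32\svchost.exe -k netsvcs [23/08/2001 19:00 12800]
S2 netsik;netsik;\??\c:\windows\system32\drivers\netsik.sys --> c:\windows\system32\drivers\netsik.sys [?]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [18/09/2007 6:56 109080]
"""

GMER_SAMPLE = r"""
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] bgzxli <-- ROOTKIT !!!
Reg HKLM\SYSTEM\CurrentControlSet\Services\bgzxli@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\bgzxli\Parameters@ServiceDll C:\WINDOWS\System32\eecodn.dll
Reg HKLM\SYSTEM\ControlSet002\Services\bgzxli\Parameters@ServiceDll C:\WINDOWS\System32\eecodn.dll
"""

# ComboFix summary line: "<start type> <name>;<display name>;<image path> [...]".
_CF_SERVICE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")
# GMER marks a service missing from the service API as "(*** hidden *** )".
_GMER_HIDDEN = re.compile(
    r"^Service\s+(?P<image>.+?)\s+\(\*\*\* hidden \*\*\* ?\)\s+\[\w+\]\s+(?P<name>\S+)")
# GMER registry dump of the DLL an svchost-hosted service loads.
_GMER_SVCDLL = re.compile(
    r"^Reg\s+HKLM\\SYSTEM\\[^\\]+\\Services\\(?P<name>[^\\@]+)\\Parameters@ServiceDll\s+(?P<dll>.+?)\s*$")


@dataclass
class Finding:  # hypothetical record type for this example
    name: str
    reasons: List[str] = field(default_factory=list)
    service_dll: Optional[str] = None


def parse_combofix_services(text: str) -> Dict[str, dict]:
    """Map service name -> {start, path, orphaned}. ComboFix appends '[?]'
    when the image file named by the registry entry does not exist on disk."""
    services: Dict[str, dict] = {}
    for line in text.splitlines():
        m = _CF_SERVICE.match(line.strip())
        if not m:
            continue
        start, name, _display, rest = m.groups()
        services[name] = {
            "start": start,
            "path": rest.split(" --> ")[-1].rsplit(" [", 1)[0],
            "orphaned": rest.rstrip().endswith("[?]"),
        }
    return services


def parse_gmer(text: str):
    """Return (hidden services name->host image, ServiceDll name->dll path)."""
    hidden: Dict[str, str] = {}
    dlls: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        m = _GMER_HIDDEN.match(line)
        if m:
            hidden[m.group("name")] = m.group("image")
            continue
        m = _GMER_SVCDLL.match(line)
        if m:
            dlls[m.group("name")] = m.group("dll")
    return hidden, dlls


def triage(combofix_text: str, gmer_text: str) -> Dict[str, Finding]:
    """Collect service entries a responder should review, with the reason."""
    findings: Dict[str, Finding] = {}

    def note(name: str, reason: str) -> None:
        findings.setdefault(name, Finding(name)).reasons.append(reason)

    for name, svc in parse_combofix_services(combofix_text).items():
        if svc["orphaned"]:
            note(name, "orphaned entry: image file %s is missing" % svc["path"])
    hidden, dlls = parse_gmer(gmer_text)
    for name, image in hidden.items():
        note(name, "hidden from the service API (GMER), hosted by %s" % image)
    # A hidden svchost-hosted service is only as trustworthy as its ServiceDll;
    # record it so the file itself can be quarantined or submitted for analysis.
    for name in findings:
        if name in dlls:
            findings[name].service_dll = dlls[name]
    return findings


def cfscript_driver_block(findings: Dict[str, Finding]) -> str:
    """Render the flagged names as a ComboFix-style 'Driver::' section."""
    return "Driver::\n" + "\n".join(sorted(findings, key=str.lower)) + "\n"


if __name__ == "__main__":
    result = triage(COMBOFIX_SAMPLE, GMER_SAMPLE)
    for f in result.values():
        print(f.name, "->", "; ".join(f.reasons), "| ServiceDll:", f.service_dll)
    print(cfscript_driver_block(result))
```

Run as a script it prints each finding with its reasons: for the excerpt, acpi32 and netsik are orphaned driver entries and bgzxli is the hidden svchost-hosted service backed by eecodn.dll, which matches the names the helper put in the CFScript. Treat the rendered list as a starting point for review rather than a removal list; a missing image file can also be the residue of an uninstalled legitimate driver, which is why the reason is kept next to each name.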

#10 penerjemah06

penerjemah06
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:05:22 AM

Posted 22 June 2009 - 09:41 PM

Hello The Panda,

The first attempt at running CF with the script ended with the pc frozen; I manually powered it off.
After a restart, I tried running CF with the script again, and this time it succeeded, rebooted, and popped up the log file. However, the wallpaper seems to be blank after the reboot.

Here is the ComboFix.txt:
ComboFix 09-06-21.01 - Bowo 23/06/2009 9:28.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.511.315 [GMT 7:00]
Running from: c:\documents and settings\Bowo\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Bowo\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BGZXLI
-------\Legacy_SYSTEMNTMI
-------\Service_acpi32
-------\Service_ati64si
-------\Service_bgzxli
-------\Service_fips32cup
-------\Service_i386si
-------\Service_netsik
-------\Service_nicsk32
-------\Service_securentm
-------\Service_systemntmi
-------\Service_ws2_32sik


((((((((((((((((((((((((( Files Created from 2009-05-23 to 2009-06-23 )))))))))))))))))))))))))))))))
.

2009-06-23 02:05 . 2009-06-23 02:05 348533 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\ave2\win32\int\aegen.dll
2009-06-22 07:47 . 2009-06-22 07:47 23040 ----a-w- c:\windows\system32\mszsrn32.dll
2009-06-17 09:50 . 2009-06-18 03:45 -------- d-----w- c:\program files\eSPT 1107 PUT
2009-06-05 08:10 . 2009-06-11 01:58 -------- d-----w- c:\program files\SpywareGuard
2009-06-02 05:57 . 2009-06-02 05:57 -------- d-----w- c:\program files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-18 02:33 . 2007-06-19 07:36 286720 ------w- c:\windows\Setup1.exe
2009-06-11 05:12 . 2009-05-08 09:50 -------- d---a-w- c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
2009-06-11 05:12 . 2009-05-08 09:50 -------- d-----w- c:\program files\SpywareBlaster
2009-06-10 02:01 . 2009-02-23 02:33 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Application Data\SACore
2009-05-19 04:44 . 2009-06-18 02:08 1773568 ----a-w- c:\program files\Motul013686779073.mdb
2009-05-08 10:26 . 2009-05-08 09:51 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2009-05-08 10:14 . 2009-05-08 10:14 2967799 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-05-08 10:01 . 2009-05-08 09:51 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-05-08 06:28 . 2009-05-08 06:28 -------- d-----w- c:\program files\Avira
2009-05-08 06:28 . 2009-05-08 06:28 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Avira
2009-05-08 06:27 . 2009-05-08 06:27 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Avg7
2009-03-30 03:33 . 2009-05-08 06:28 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2008-08-15 13:01 . 2009-06-17 10:38 888832 ----a-w- c:\program files\eSPT1107.mdb
.

((((((((((((((((((((((((((((( SnapShot@2009-06-10_10.17.39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-22 07:47 . 2009-06-22 07:47 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-06-08 04:59 . 2009-06-22 07:47 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-06-08 04:59 . 2009-06-10 10:17 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-06-08 04:59 . 2009-06-10 10:17 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2007-06-08 04:59 . 2009-06-22 07:47 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2006-08-02 04:28 . 2006-08-02 04:28 36864 c:\windows\system32\CBuilderV06.dll
- 2008-11-05 06:12 . 2009-06-10 10:03 262144 c:\windows\system32\config\systemprofile\NtUser.dat
+ 2008-11-05 06:12 . 2009-06-23 02:27 262144 c:\windows\system32\config\systemprofile\NtUser.dat
+ 2006-10-20 08:00 . 2006-10-20 08:00 126976 c:\windows\system32\CLib1107PUT.dll
+ 2002-06-05 04:41 . 2002-06-05 04:41 480904 c:\windows\system32\Capicom.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\System32\ctfmon.exe" [2002-08-29 13312]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2002-08-20 1511453]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Distillr\Acrotray.exe" [2006-01-12 483328]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Msn Messenger"="c:\windows\System32\msmsgs.exe" [BU]

c:\documents and settings\Bowo\UserData\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]
TheSage.lnk - c:\program files\TheSage\TheSage.exe [2006-9-26 159744]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2008-7-2 25214]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WgaLogon]
[BU]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^BlueSoleil.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\BlueSoleil.lnk
backup=c:\windows\pss\BlueSoleil.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\AT&T\\Communication Manager\\SwiApiMux.exe"=

R0 avgntmgr;avgntmgr;c:\windows\system32\drivers\avgntmgr.sys [08/05/2009 13:28 22360]
R1 avgntdd;avgntdd;c:\windows\system32\drivers\avgntdd.sys [08/05/2009 13:28 45416]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [08/05/2009 13:28 108289]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [20/03/2009 9:21 210216]
R3 SWNC8U56;Sierra Wireless MUX NDIS Driver (UMTS56);c:\windows\system32\drivers\swnc8u56.sys [27/06/2007 10:41 101248]
R3 SWUMX56;Sierra Wireless USB MUX Driver (UMTS56);c:\windows\system32\drivers\swumx56.sys [27/06/2007 10:42 73856]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [18/09/2007 6:56 109080]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
LSP: bmnet.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-23 09:33
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(744)
c:\windows\System32\ODBC32.dll

- - - - - - - > 'lsass.exe'(800)
c:\windows\system32\bmnet.dll
c:\windows\System32\dssenh.dll

- - - - - - - > 'explorer.exe'(4048)
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\System32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\IVT Corporation\BlueSoleil\BTNtService.exe
c:\program files\Adobe\Acrobat\acrobat_sl.exe
c:\program files\SpywareGuard\sgbhp.exe
.
**************************************************************************
.
Completion time: 2009-06-23 9:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-23 02:36
ComboFix2.txt 2009-06-22 05:44
ComboFix3.txt 2009-06-11 06:33
ComboFix4.txt 2009-06-11 05:53
ComboFix5.txt 2009-06-23 02:27

Pre-Run: 10.761.445.376 bytes free
Post-Run: 10.754.154.496 bytes free

151


Thanks,
Bo.


The machine is now back with the original symptoms; it freezes as soon as the internet connection is disabled.

Edited by penerjemah06, 22 June 2009 - 11:24 PM.


#11 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:22 PM

Posted 23 June 2009 - 10:25 AM

Hello.

You are infected with a mass emailing worm.

Run ComboFix with CFScript
We will run ComboFix again with a script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    File::
    c:\windows\System32\msmsgs.exe
    c:\windows\system32\mszsrn32.dll
    
    Registry::
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Microsoft Msn Messenger"=-
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WgaLogon]
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Posted Image
    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

Create and Run Batch Script
  • Copy the following into a notepad (Start>Run>"notepad"). Do not copy the word "code".
    @ECHO OFF
    REM For each removed malware file, create a folder of the same name holding
    REM a file with the reserved device name lpt3, so the file cannot be recreated.
    IF EXIST Report.txt DEL /Q Report.txt
    FOR %%a in (
    "c:\windows\System32\msmsgs.exe"
    "c:\windows\system32\mszsrn32.dll"
    ) DO (
        IF NOT EXIST "%%~a" (
            MKDIR "%%~a" >nul 2>&1
            IF EXIST "%%~a" (
                ECHO NOTHING>"\\?\%%~a\lpt3.dummy"
                IF EXIST "\\?\%%~a\lpt3.dummy" (
                    ECHO "%%~a" dummy folder created.>>Report.txt
                    ATTRIB.EXE +R +H +S "\\?\%%~a\lpt3.dummy" >nul 2>&1
                ) ELSE (
                    ECHO "%%~a" failed to create dummy file>>Report.txt
                )
            ) ELSE (
                ECHO "%%~a" failed to create folder.>>Report.txt
            )
        ) ELSE (
            ECHO "%%~a" already exists.>>Report.txt
        )
    )
    START NOTEPAD.EXE Report
  • Click File, then Save As... .
  • Click Desktop on the left.
  • Under the Save as type dropdown, select All Files.
  • In the box File Name, input dummy.bat
  • Hit OK.
When done properly, the icon should look like Posted Image.

Double click dummy.bat. A log will open shortly. Post back with that as well.

With Regards,
The Panda

#12 penerjemah06

penerjemah06
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:05:22 AM

Posted 23 June 2009 - 09:22 PM

Hello The Panda,


Today the machine is getting worse. One or two seconds after it was connected, it froze. I couldn't copy the CF script and batch script directly from the infected machine; I used another pc and transferred the scripts and the log report by removable media (Is the other pc going to be infected by this?)

Here is the CF.txt:
ComboFix 09-06-21.01 - Bowo 24/06/2009 9:02.8 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.511.311 [GMT 7:00]
Running from: c:\documents and settings\Bowo\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Bowo\Desktop\CFScript.txt

FILE ::
"c:\windows\System32\msmsgs.exe"
"c:\windows\system32\mszsrn32.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\mszsrn32.dll

.
((((((((((((((((((((((((( Files Created from 2009-05-24 to 2009-06-24 )))))))))))))))))))))))))))))))
.

2009-06-17 09:50 . 2009-06-18 03:45 -------- d-----w- c:\program files\eSPT 1107 PUT
2009-06-05 08:10 . 2009-06-11 01:58 -------- d-----w- c:\program files\SpywareGuard
2009-06-02 05:57 . 2009-06-02 05:57 -------- d-----w- c:\program files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-18 02:33 . 2007-06-19 07:36 286720 ------w- c:\windows\Setup1.exe
2009-06-11 05:12 . 2009-05-08 09:50 -------- d---a-w- c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
2009-06-11 05:12 . 2009-05-08 09:50 -------- d-----w- c:\program files\SpywareBlaster
2009-06-10 02:01 . 2009-02-23 02:33 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Application Data\SACore
2009-05-19 04:44 . 2009-06-18 02:08 1773568 ----a-w- c:\program files\Motul013686779073.mdb
2009-05-08 10:26 . 2009-05-08 09:51 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2009-05-08 10:14 . 2009-05-08 10:14 2967799 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-05-08 10:01 . 2009-05-08 09:51 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-05-08 06:28 . 2009-05-08 06:28 -------- d-----w- c:\program files\Avira
2009-05-08 06:28 . 2009-05-08 06:28 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Avira
2009-05-08 06:27 . 2009-05-08 06:27 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Avg7
2009-03-30 03:33 . 2009-05-08 06:28 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2008-08-15 13:01 . 2009-06-17 10:38 888832 ----a-w- c:\program files\eSPT1107.mdb
.

((((((((((((((((((((((((((((( SnapShot@2009-06-10_10.17.39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-22 07:47 . 2009-06-22 07:47 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-06-08 04:59 . 2009-06-22 07:47 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-06-08 04:59 . 2009-06-10 10:17 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-06-08 04:59 . 2009-06-10 10:17 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2007-06-08 04:59 . 2009-06-22 07:47 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2006-08-02 04:28 . 2006-08-02 04:28 36864 c:\windows\system32\CBuilderV06.dll
- 2008-11-05 06:12 . 2009-06-10 10:03 262144 c:\windows\system32\config\systemprofile\NtUser.dat
+ 2008-11-05 06:12 . 2009-06-23 02:27 262144 c:\windows\system32\config\systemprofile\NtUser.dat
+ 2006-10-20 08:00 . 2006-10-20 08:00 126976 c:\windows\system32\CLib1107PUT.dll
+ 2002-06-05 04:41 . 2002-06-05 04:41 480904 c:\windows\system32\Capicom.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\System32\ctfmon.exe" [2002-08-29 13312]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2002-08-20 1511453]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Distillr\Acrotray.exe" [2006-01-12 483328]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

c:\documents and settings\Bowo\UserData\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]
TheSage.lnk - c:\program files\TheSage\TheSage.exe [2006-9-26 159744]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2008-7-2 25214]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^BlueSoleil.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\BlueSoleil.lnk
backup=c:\windows\pss\BlueSoleil.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\AT&T\\Communication Manager\\SwiApiMux.exe"=

R0 avgntmgr;avgntmgr;c:\windows\system32\drivers\avgntmgr.sys [08/05/2009 13:28 22360]
R1 avgntdd;avgntdd;c:\windows\system32\drivers\avgntdd.sys [08/05/2009 13:28 45416]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [08/05/2009 13:28 108289]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [20/03/2009 9:21 210216]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [18/09/2007 6:56 109080]
S3 SWNC8U56;Sierra Wireless MUX NDIS Driver (UMTS56);c:\windows\system32\drivers\swnc8u56.sys [27/06/2007 10:41 101248]
S3 SWUMX56;Sierra Wireless USB MUX Driver (UMTS56);c:\windows\system32\drivers\swumx56.sys [27/06/2007 10:42 73856]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
LSP: bmnet.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-24 09:05
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(572)
c:\windows\System32\ODBC32.dll

- - - - - - - > 'lsass.exe'(628)
c:\windows\system32\bmnet.dll
c:\windows\System32\dssenh.dll
.
Completion time: 2009-06-24 9:08
ComboFix-quarantined-files.txt 2009-06-24 02:08
ComboFix2.txt 2009-06-23 02:36
ComboFix3.txt 2009-06-22 05:44
ComboFix4.txt 2009-06-11 06:33
ComboFix5.txt 2009-06-24 02:01

Pre-Run: 10.736.111.616 bytes free
Post-Run: 10.726.653.952 bytes free

123



Here is the report.txt:
"c:\windows\System32\msmsgs.exe" dummy folder created.
"c:\windows\system32\mszsrn32.dll" dummy folder created.



Bo.

#13 PropagandaPanda (Malware Response Team, 10,433 posts)

Posted 24 June 2009 - 08:00 AM

Hello Bo.

That looks good.

I just wanted to leave it for a while to see if the infection returns. Please now run ComboFix again simply by clicking it and post back the log.

We really need to update your Windows software after.

With Regards,
The Panda

#14 penerjemah06 (Topic Starter, Members, 20 posts)

Posted 25 June 2009 - 12:48 AM

Hi The Panda,

The symptoms seem to be gone. I don't know if it is already clear?
But after running CF by double-clicking, CF ran very slowly (almost 30 minutes) and ended up with no log popping up; instead Windows popped up an error window titled "The System has recovered from a serious error."

Anyway, I can find the log in C:\
Here is the CF.txt:
ComboFix 09-06-21.01 - Bowo 25/06/2009 12:08.9 - NTFSx86
Running from: c:\documents and settings\Bowo\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2009-05-25 to 2009-06-25 )))))))))))))))))))))))))))))))
.

2009-06-24 03:32 . 2009-06-24 03:35 57810 ----a-w- c:\windows\system32\Win15763.exe
2009-06-24 02:09 . 2009-06-24 02:09 -------- d-----w- c:\windows\system32\mszsrn32.dll
2009-06-24 02:09 . 2009-06-24 02:09 -------- d-----w- c:\windows\system32\msmsgs.exe
2009-06-17 09:50 . 2009-06-18 03:45 -------- d-----w- c:\program files\eSPT 1107 PUT
2009-06-05 08:10 . 2009-06-11 01:58 -------- d-----w- c:\program files\SpywareGuard
2009-06-02 05:57 . 2009-06-02 05:57 -------- d-----w- c:\program files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-18 02:33 . 2007-06-19 07:36 286720 ------w- c:\windows\Setup1.exe
2009-06-11 05:12 . 2009-05-08 09:50 -------- d---a-w- c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
2009-06-11 05:12 . 2009-05-08 09:50 -------- d-----w- c:\program files\SpywareBlaster
2009-06-10 02:01 . 2009-02-23 02:33 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Application Data\SACore
2009-05-19 04:44 . 2009-06-18 02:08 1773568 ----a-w- c:\program files\Motul013686779073.mdb
2009-05-08 10:26 . 2009-05-08 09:51 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2009-05-08 10:14 . 2009-05-08 10:14 2967799 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-05-08 10:01 . 2009-05-08 09:51 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-05-08 06:28 . 2009-05-08 06:28 -------- d-----w- c:\program files\Avira
2009-05-08 06:28 . 2009-05-08 06:28 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Avira
2009-05-08 06:27 . 2009-05-08 06:27 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Avg7
2009-03-30 03:33 . 2009-05-08 06:28 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2008-08-15 13:01 . 2009-06-17 10:38 888832 ----a-w- c:\program files\eSPT1107.mdb
.

((((((((((((((((((((((((((((( SnapShot@2009-06-10_10.17.39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-22 07:47 . 2009-06-22 07:47 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-06-08 04:59 . 2009-06-22 07:47 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-06-08 04:59 . 2009-06-10 10:17 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-06-08 04:59 . 2009-06-10 10:17 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2007-06-08 04:59 . 2009-06-22 07:47 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2006-08-02 04:28 . 2006-08-02 04:28 36864 c:\windows\system32\CBuilderV06.dll
- 2008-11-05 06:12 . 2009-06-10 10:03 262144 c:\windows\system32\config\systemprofile\NtUser.dat
+ 2008-11-05 06:12 . 2009-06-23 02:27 262144 c:\windows\system32\config\systemprofile\NtUser.dat
+ 2006-10-20 08:00 . 2006-10-20 08:00 126976 c:\windows\system32\CLib1107PUT.dll
+ 2002-06-05 04:41 . 2002-06-05 04:41 480904 c:\windows\system32\Capicom.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\System32\ctfmon.exe" [2002-08-29 13312]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2002-08-20 1511453]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Distillr\Acrotray.exe" [2006-01-12 483328]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

c:\documents and settings\Bowo\UserData\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]
TheSage.lnk - c:\program files\TheSage\TheSage.exe [2006-9-26 159744]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2008-7-2 25214]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^BlueSoleil.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\BlueSoleil.lnk
backup=c:\windows\pss\BlueSoleil.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\AT&T\\Communication Manager\\SwiApiMux.exe"=

R3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [2007-09-17 109080]
R3 SWNC8U56;Sierra Wireless MUX NDIS Driver (UMTS56);c:\windows\system32\DRIVERS\swnc8u56.sys [2007-06-27 101248]
R3 SWUMX56;Sierra Wireless USB MUX Driver (UMTS56);c:\windows\system32\DRIVERS\swumx56.sys [2007-06-27 73856]
S0 avgntmgr;avgntmgr;c:\windows\SYSTEM32\DRIVERS\avgntmgr.sys [2009-02-13 22360]
S1 avgntdd;avgntdd;c:\windows\system32\DRIVERS\avgntdd.sys [2009-02-13 45416]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-06-10 108289]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-02-11 210216]

.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
LSP: bmnet.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-25 12:19
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(740)
c:\windows\System32\ODBC32.dll

- - - - - - - > 'lsass.exe'(796)
c:\windows\system32\bmnet.dll
c:\windows\System32\dssenh.dll

- - - - - - - > 'explorer.exe'(4076)
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\System32\msi.dll
.
Completion time: 2009-06-25 12:30
ComboFix-quarantined-files.txt 2009-06-25 05:30
ComboFix2.txt 2009-06-24 02:08
ComboFix3.txt 2009-06-23 02:36
ComboFix4.txt 2009-06-22 05:44
ComboFix5.txt 2009-06-25 05:06

Pre-Run: 10.705.268.736 bytes free
Post-Run: 10.701.221.888 bytes free

120


Thanks,
Bo.
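
The two logs above show why the next reply suspects something is bringing the infection back: the 25 June log lists a new c:\windows\system32\Win15763.exe created the day after the cleanup run, alongside the two dummy folders (mszsrn32.dll and msmsgs.exe) that the batch step created on purpose. The following is an added example, not code from this thread or from ComboFix, that parses file lines in the format these logs use and separates the expected placeholder folders from executables newly created under the Windows directory. The cleanup time is taken from the "ComboFix-quarantined-files.txt 2009-06-24 02:08" line of the 24 June log; the extension list and the parse_entry/triage names are this example's own assumptions.

```python
import re
from datetime import datetime

# Constructed sample: the lines below are copied from the "Files Created"
# and Find3M sections of the ComboFix logs posted in this thread.
SAMPLE_LOG = r"""
2009-06-24 03:32 . 2009-06-24 03:35 57810 ----a-w- c:\windows\system32\Win15763.exe
2009-06-24 02:09 . 2009-06-24 02:09 -------- d-----w- c:\windows\system32\mszsrn32.dll
2009-06-24 02:09 . 2009-06-24 02:09 -------- d-----w- c:\windows\system32\msmsgs.exe
2009-06-17 09:50 . 2009-06-18 03:45 -------- d-----w- c:\program files\eSPT 1107 PUT
2009-03-30 03:33 . 2009-05-08 06:28 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
"""

# Time of the cleanup run, taken from the "ComboFix-quarantined-files.txt
# 2009-06-24 02:08" line of the 24 June log; the file stamps in the log are
# on the same clock as that line.
CLEANUP_TIME = datetime(2009, 6, 24, 2, 8)

# Assumption: extensions that count as executable content worth a closer look.
EXEC_EXTENSIONS = (".exe", ".dll", ".sys", ".scr", ".com", ".pif")

# One ComboFix file line: created-stamp . modified-stamp size attrs path.
# size is digits for a file and dashes for a directory; attrs is an
# 8-character field whose first character is 'd' for a directory.
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)


def parse_entry(line):
    """Parse one log line into a dict, or return None for any other line."""
    m = ENTRY_RE.match(line.strip())
    if m is None:
        return None
    size = m.group("size")
    return {
        "created": datetime.strptime(m.group("created"), "%Y-%m-%d %H:%M"),
        "modified": datetime.strptime(m.group("modified"), "%Y-%m-%d %H:%M"),
        "size": int(size) if size.isdigit() else None,
        "is_dir": m.group("attrs").startswith("d"),
        "path": m.group("path"),
    }


def triage(lines, cleanup_time):
    """Return (placeholders, suspicious).

    placeholders: directories carrying a binary-style name, i.e. the dummy
    folders the batch step created on purpose; these are expected.
    suspicious: real files with an executable extension under the Windows
    directory created at or after the cleanup run, i.e. candidates for
    whatever keeps bringing the infection back.
    """
    placeholders, suspicious = [], []
    for line in lines:
        entry = parse_entry(line)
        if entry is None:
            continue
        path = entry["path"].lower()
        binary_name = path.endswith(EXEC_EXTENSIONS)
        if entry["is_dir"] and binary_name:
            placeholders.append(entry["path"])
        elif (not entry["is_dir"] and binary_name
              and path.startswith("c:\\windows\\")
              and entry["created"] >= cleanup_time):
            suspicious.append(entry["path"])
    return placeholders, suspicious


if __name__ == "__main__":
    found, flagged = triage(SAMPLE_LOG.strip().splitlines(), CLEANUP_TIME)
    print("expected dummy folders:", found)
    print("new executables since cleanup:", flagged)
```

The directory/file distinction comes from the first attribute character, not from the name, which is what keeps the dummy folders (a directory named msmsgs.exe) out of the suspicious list while a real Win15763.exe created after the cleanup stamp is reported.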

#15 PropagandaPanda (Malware Response Team, 10,433 posts)

Posted 25 June 2009 - 07:31 AM

Hello.

Please run GMER again. Leave the Files section unchecked.

Something is bringing back the infection.

With Regards,
The Panda
