Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Laptop with rootkit invasions, transferred from infected forum


  • This topic is locked This topic is locked
14 replies to this topic

#1 drunkpunk000

drunkpunk000

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Local time:07:39 AM

Posted 11 June 2009 - 03:16 PM

i have spent the last week on the "am i infected?" forum trying to solve a coldware virus problem with a moderator there and am not getting to the root of the problem. He told me to start a new topic over here and it should help out alot. I have recent copies of logs from MalwareByte, ATF, SUPERantispy, and Micro Antivirus if needed for reference. here is my Hijack This log i was instructed to post:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:15:23 PM, on 6/11/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18226)
Boot mode: Safe mode with network support

Running processes:
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThstoo.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/?o=13920&l=dis
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - MRI_DISABLED - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERA.S. free.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Jumpstart Wifi Protected Setup (jswpsapi) - Atheros Communications, Inc. - C:\Program Files\Jumpstart\jswpsapi.exe
O23 - Service: pinger - Unknown owner - C:\TOSHIBA\IVP\ISM\pinger.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA SMART Log Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 6582 bytes


this was done in safe mode due to lack of internet connection during normal mode

BC AdBot (Login to Remove)

 


m

#2 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 10,840 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:08:39 AM

Posted 12 June 2009 - 12:00 AM

Hi, and Welcome. :thumbup2:

Please read and follow all these instructions very carefully.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:

    Posted Image

    Posted Image

  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#3 drunkpunk000

drunkpunk000
  • Topic Starter

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Local time:07:39 AM

Posted 12 June 2009 - 08:57 AM

thank you in advance for your help.

here is the combofix log: (after running this i am now able to use IE in normal mode)

ComboFix 09-06-11.06 - My Toshiba 06/12/2009 9:48.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2941.2175 [GMT -4:00]
Running from: c:\users\My Toshiba\Desktop\Combo-Fix.exe
AV: Trend Micro AntiVirus *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\Microsoft\Windows\Start Menu\PAV
c:\programdata\Microsoft\Windows\Start Menu\PAV\Uninstall.lnk
.
---- Previous Run -------
.

.
((((((((((((((((((((((((( Files Created from 2009-05-12 to 2009-06-12 )))))))))))))))))))))))))))))))
.

2009-06-12 13:52 . 2009-06-12 13:52 -------- d-----w- c:\users\My Toshiba\AppData\Local\temp
2009-06-12 07:20 . 2009-06-12 07:20 -------- d-----w- c:\windows\Sun
2009-06-09 11:49 . 2009-06-09 11:49 -------- d-----w- c:\users\My Toshiba\AppData\Roaming\ImgBurn
2009-06-09 03:47 . 2009-06-09 03:47 3371383 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-09 02:41 . 2009-06-12 13:46 117760 ----a-w- c:\users\My Toshiba\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-09 02:40 . 2009-06-09 02:40 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2009-06-09 02:35 . 2009-06-09 02:40 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-09 02:35 . 2009-06-09 02:35 -------- d-----w- c:\users\My Toshiba\AppData\Roaming\SUPERAntiSpyware.com
2009-06-09 02:31 . 2009-06-09 02:31 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-08 21:19 . 2009-06-08 21:19 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-06-08 17:01 . 2009-06-08 17:01 758088 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-06-08 16:48 . 2009-06-08 16:48 0 ----a-w- c:\windows\nsreg.dat
2009-06-08 15:26 . 2009-06-08 15:26 -------- d-----w- c:\program files\Alex Feinman
2009-06-06 21:18 . 2009-06-06 21:18 -------- d-----w- c:\program files\uTorrent
2009-06-06 21:17 . 2009-06-08 15:21 -------- d-----w- c:\users\My Toshiba\AppData\Roaming\uTorrent
2009-05-25 21:44 . 2009-05-25 21:44 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-05-25 21:44 . 2009-05-25 21:44 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-05-16 07:51 . 2009-05-26 15:48 1 ----a-w- c:\users\My Toshiba\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-05-16 07:51 . 2009-05-16 07:51 -------- d-----w- c:\users\My Toshiba\AppData\Roaming\OpenOffice.org
2009-05-16 07:49 . 2009-05-29 13:53 -------- d-----w- c:\program files\OpenOffice.org 3
2009-05-16 07:48 . 2009-05-16 07:47 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-16 06:04 . 2009-05-16 06:04 416128 ----a-w- c:\programdata\Microsoft\eHome\Packages\NetTV\Browse\NetTVResources.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-09 11:43 . 2008-12-20 08:24 -------- d-----w- c:\program files\Games
2009-06-09 03:47 . 2009-05-06 04:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-09 02:54 . 2009-01-13 19:22 7944 ----a-w- c:\users\My Toshiba\AppData\Local\d3d9caps.dat
2009-05-26 17:20 . 2009-05-06 04:11 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 17:19 . 2009-05-06 04:11 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-25 21:51 . 2008-11-24 20:43 -------- d-----w- c:\program files\Trend Micro
2009-05-24 16:22 . 2008-12-03 20:42 -------- d-----w- c:\program files\V CAST Music with Rhapsody
2009-05-24 16:21 . 2008-02-13 02:15 -------- d-----w- c:\program files\Java
2009-05-17 01:13 . 2008-10-19 12:39 116584 ----a-w- c:\users\My Toshiba\AppData\Local\GDIPFONTCACHEV1.DAT
2009-05-13 07:00 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-05-06 04:11 . 2009-05-06 04:11 -------- d-----w- c:\users\My Toshiba\AppData\Roaming\Malwarebytes
2009-05-06 04:11 . 2009-05-06 04:11 -------- d-----w- c:\programdata\Malwarebytes
2009-05-05 00:25 . 2009-05-05 00:25 -------- d-----w- c:\program files\Common Files\Uninstall
2009-05-04 16:06 . 2008-02-13 02:03 -------- d-----w- c:\program files\Common Files\Adobe
2009-05-04 14:51 . 2009-01-24 01:27 -------- d-----w- c:\users\My Toshiba\AppData\Roaming\WildTangent
2009-05-04 14:51 . 2008-02-13 02:27 -------- d-----w- c:\programdata\WildTangent
2009-05-04 14:50 . 2008-02-13 01:48 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-04-25 15:41 . 2009-04-25 15:41 -------- d-----w- c:\users\My Toshiba\AppData\Roaming\LimeWire
2009-04-22 04:30 . 2009-04-22 04:30 -------- d-----w- c:\program files\Philips
2009-04-02 20:00 . 2008-02-15 15:06 52752 ----a-w- c:\windows\system32\drivers\tmactmon.sys
2009-04-02 20:00 . 2008-02-15 15:06 52624 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
2009-04-02 20:00 . 2008-02-15 15:06 142864 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-03-23 02:27 . 2009-03-23 02:27 34062 ----a-w- c:\users\My Toshiba\AppData\Roaming\Move Networks\ie_bin\Uninst.exe
2009-03-23 02:25 . 2009-03-23 02:24 1915520 ----a-w- c:\users\My Toshiba\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-03-17 03:38 . 2009-04-14 18:23 13824 ----a-w- c:\windows\system32\apilogen.dll
2009-03-17 03:38 . 2009-04-14 18:23 24064 ----a-w- c:\windows\system32\amxread.dll
2008-10-19 12:38 . 2008-10-19 12:38 13 --sh--r- c:\windows\System32\drivers\fbd.sys
2008-10-19 12:38 . 2008-10-19 12:38 4 --sh--r- c:\windows\System32\drivers\taishop.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERA.S. free.exe" [2009-05-26 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-07 1029416]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-01-17 431456]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-06-16 448080]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-07-29 1398024]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-01-30 4911104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{75C26CB4-8CBF-4DCC-9152-5FAAEE9E9E27}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{B3C8CC8C-8027-4F13-BAE8-850F73C66656}"= UDP:c:\users\My Toshiba\AppData\Local\Temp\7zS9868.tmp\SymNRT.exe:Norton Removal Tool
"{CF52D198-7599-4BBB-8113-A3288CED44B6}"= TCP:c:\users\My Toshiba\AppData\Local\Temp\7zS9868.tmp\SymNRT.exe:Norton Removal Tool
"TCP Query User{E540EB56-606F-4D23-8359-A0A1B315E140}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{721757E9-C65D-4687-A9E2-166C64B5BB1F}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:uTorrent
"{2FCE7951-8162-4B80-8396-45FAA9443212}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{F0EFC346-0525-40B6-BD44-FB1C099796A4}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{F84CE577-A844-48DE-88E1-7276B222FFD2}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{1464D6FE-6BAC-455A-A4B8-B2D4F204CF00}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"TCP Query User{619398E4-D84F-4BE0-9B0B-F88F9ADD6C23}c:\\program files\\mirc\\mirc.exe"= UDP:c:\program files\mirc\mirc.exe:mIRC
"UDP Query User{9330B4FD-6944-4068-90B6-C1B778539D60}c:\\program files\\mirc\\mirc.exe"= TCP:c:\program files\mirc\mirc.exe:mIRC
"{69A83037-B23D-417E-AC1C-B6FE79C4CA80}"= UDP:c:\program files\V CAST Music with Rhapsody\rhapsody.exe:Rhapsody Media Player
"{02328A23-A1C6-4CB7-8C9F-AAF298D9FBCE}"= TCP:c:\program files\V CAST Music with Rhapsody\rhapsody.exe:Rhapsody Media Player
"TCP Query User{2B8BEEA0-A36C-4263-A97E-EC5B5FA0BC26}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{32BD2535-86D6-4836-91E1-7D0380E2362F}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:uTorrent
"{990F3201-AB3A-4C5E-82AF-7382B54A66A0}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{16927000-EAF8-4AA9-9B0B-21749821F118}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"= c:\toshiba\ivp\NetInt\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrades Engine
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\toshiba\Ivp\ISM\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger

R1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\System32\drivers\jswpslwf.sys [8/28/2008 12:29 AM 20352]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]
R2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [12/25/2007 5:07 PM 40960]
R2 tmpreflt;tmpreflt;c:\windows\System32\drivers\tmpreflt.sys [2/15/2008 11:06 AM 36368]
R2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [12/3/2007 8:03 PM 126976]
R3 FwLnk;FwLnk Driver;c:\windows\System32\drivers\FwLnk.sys [2/12/2008 9:55 PM 7168]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]
S2 tmevtmgr;tmevtmgr;c:\windows\System32\drivers\tmevtmgr.sys [2/15/2008 11:06 AM 52624]
S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\Jumpstart\jswpsapi.exe [8/28/2008 12:29 AM 937984]
S3 tmproxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [11/24/2008 4:45 PM 648456]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com/?o=13920&l=dis
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\My Toshiba\AppData\Roaming\Mozilla\Firefox\Profiles\64cgh1j0.default\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-12 09:52
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1085965913-235832656-310955751-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:0b,67,73,76,4c,e1,66,fd,d5,34,c6,d4,ec,96,41,41,68,27,17,ff,27,48,c8,
a2,d3,f6,6e,89,cf,9a,79,69,f3,96,88,1f,43,88,af,b4,41,c5,4c,be,9d,56,6a,60,\
"??"=hex:f9,3c,4c,01,e5,1e,f9,46,76,91,6e,b9,de,50,8d,8b

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2009-06-12 9:54
ComboFix-quarantined-files.txt 2009-06-12 13:54

Pre-Run: 167,484,686,336 bytes free
Post-Run: 167,419,551,744 bytes free

175 --- E O F --- 2009-05-16 07:00

#4 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 10,840 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:08:39 AM

Posted 12 June 2009 - 09:40 AM

Hi, drunkpunk000 :thumbup2:

Seems Combofix was previously ran.

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#5 drunkpunk000

drunkpunk000
  • Topic Starter

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Local time:07:39 AM

Posted 13 June 2009 - 12:23 AM

heres my log from ESET:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
esets_scanner_update returned -1 esets_gle=53251
esets_scanner_update returned -1 esets_gle=53251

#6 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 10,840 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:08:39 AM

Posted 13 June 2009 - 11:55 AM

Hi, drunkpunk000 :thumbup2:

The report is incomplete. Lets check for rootkits.

Download This file. Note its name and save it to your root folder, such as C:\.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#7 drunkpunk000

drunkpunk000
  • Topic Starter

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Local time:07:39 AM

Posted 13 June 2009 - 01:34 PM

hey i ran this program and it stops at \device\harddiskvolumecopy1 and windows prompts that :" a problem has caused this program to stop working" and then has a blue crash screen if i try to run it again. I tried starting it in safe mode and also renaming the file and it all results in the same problem

#8 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 10,840 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:08:39 AM

Posted 13 June 2009 - 03:15 PM

Lets try this one:

Please download GMER Rootkit detector and save to your desktop.
  • Extract (unzip) the file to its own folder such as C:\Gmer. (Click here for information on how to do this if not sure.)
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on gmer.exe to start the program. (If running Vista, right click on GMER and select "Run as an Administrator")
  • Allow the gmer.sys driver to load if asked.
  • You may be prompted to scan immediately if GMER detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as gmer.log and copy/paste the contents in your next reply.
  • Exit GMER and re-enable all active protection when done.
Also this one:

Please download MBR.EXE by GMER. Save the file in your Root directory, C:\, then bring your computer to a Command prompt.

Go to Start -> Run, type CMD and click OK. At the prompt type the following and press Enter after each command:

cd C:\
MBR.EXE -t


The program will check the Master Boot Record and will produce a report. Post the contents of that report i your next reply.

Type Exit at the Command prompt and press Enter to return back to Windows.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#9 drunkpunk000

drunkpunk000
  • Topic Starter

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Local time:07:39 AM

Posted 13 June 2009 - 07:24 PM

ok the first program ran and has a report. The command prompt didnt respond after i typed in the command MBR.exe -t.
IT did however produce this log when opened as the administrator.


Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

and the other program:


GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-13 20:14:13
Windows 6.0.6001 Service Pack 1


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

#10 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 10,840 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:08:39 AM

Posted 14 June 2009 - 03:28 PM

There is no rootkit. Disable your protection while performing the following scan.

Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA tecnology to perform the scan. If you do not have the latest JAVA version, follow the instrutions below under Upgrading Java, to download and install the latest vesion.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following is checked.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
Upgrading Java:
  • Download the latest version of Java SE Runtime Environment (JRE)JRE 6 Update 13.
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u13-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager..
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u13-windows-i586-p.exe and select "Run as an Administrator.")

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#11 drunkpunk000

drunkpunk000
  • Topic Starter

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Local time:07:39 AM

Posted 15 June 2009 - 06:49 PM

ok here is the webscan log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Monday, June 15, 2009
Operating System: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Monday, June 15, 2009 12:27:39
Records in database: 2345167
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 124545
Threat name: 4
Infected objects: 5
Suspicious objects: 0
Duration of the scan: 01:38:42


File name / Threat name / Threats count
C:\Program Files\Trend Micro\Internet Security\Quarantine\135E.tmp Infected: Trojan.Win32.Monder.aied 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\form43810aas[1].htm Infected: Trojan.JS.Agent.ja 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\pdf[1].pdf Infected: Exploit.Win32.Pidief.atq 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\pdf[1]_f1c.VIR Infected: Exploit.Win32.Pidief.atq 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\winwebsecurity_v2.01[1].exe Infected: Trojan-Downloader.Win32.FraudLoad.vfgz 1

The selected area was scanned.

#12 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 10,840 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:08:39 AM

Posted 15 June 2009 - 06:58 PM

All seems quarantined. How is the computer doing?

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#13 drunkpunk000

drunkpunk000
  • Topic Starter

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Local time:07:39 AM

Posted 15 June 2009 - 07:22 PM

its running good annd all of the programs that didnt work before seem to be doing just fine now. Do i need to leave the trojans in the quarantine files or is there a way to completely remove them?

#14 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 10,840 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:08:39 AM

Posted 15 June 2009 - 11:01 PM

Hi, drunkpunk000 :thumbup2:

Opening Trend Micro Internet Security there should be an option to remove (Delete) the infected files from Quarantine.

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK..

Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.

Follow these steps to uninstall Combofix
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the x and the /u, it needs to be there.

    Posted Image
Create a Restore point (If the above process fails to do so):
  • Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore.
  • In the System Restore dialog box, click Create a restore point, and then click Next.
  • Type a description for your restore point, such as "After Cleanup", then click Create.
The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Spybot Search & Destroy - Uber powerful tool which can search and annhilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy compliment each other very well.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • ZonedOut + IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • ATF! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
  • Recovery Console - Recent trends appear to indicate that future infections will include attacks to the boot sector of the computer. The installation of the Recovery Console in the computer will be our only defense against this threat. For more information and steps to install the Recovery Console see This Article. Should you need assistance in installing the Recovery Console, please do not hesitate to ask.
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Miekiemoes.

Best wishes! Posted Image

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#15 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 10,840 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:08:39 AM

Posted 22 June 2009 - 02:33 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users