
TROJ.SMALL.AJM, TROJ.TDSS.AET


  • This topic is locked
10 replies to this topic

#1 oasyssupport

oasyssupport

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:07:25 PM

Posted 16 June 2009 - 01:35 PM

Hi,

I've been working on trying to get these viruses off of my computer for a week now. We use TrendMicro for our Anti-virus and every morning it's reporting that there are viruses on this computer and the files cannot be moved to the quarantined folder on the server. When I do a manual scan on the computer it comes up with nothing until I reboot. After rebooting it will find more viruses and successfully quarantine them but once the computer is rebooted they are back.

Also, yesterday there was a different kind of malware on this computer that disabled everything including task manager and changed the background on the desktop to say that the computer was infected. The only thing you could do was click on the balloon in the task tray which told you to buy the software because your computer was at risk. I was able to get rid of that one by booting into Safe Mode and running Malwarebytes. However, the two viruses are still being reported after every reboot. TROJ.SMALL.AJM reappears every time. Today TROJ.TDSS.AET is a new one. I appreciate any help I can get on this as it's driving me insane!

Below is the contents of the DDS.txt file:


DDS (Ver_09-05-14.01) - NTFSx86
Run by marty at 13:18:32.29 on Tue 06/16/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.80 [GMT -5:00]

AV: Trend Micro Client/Server Security Agent Antivirus *On-access scanning enabled* (Updated) {C5703462-95EE-4A31-9387-77F9EBDA5696}
FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\2X\ApplicationServer Client\TUXCredProv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\Program Files\Trend Micro\Client Server Security Agent\TmPfw.exe
C:\Program Files\Trend Micro\Client Server Security Agent\TmProxy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\American Systems\EZ Scheduler\ezscheduler.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperTray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\Program Files\Trend Micro\Client Server Security Agent\CNTAoSMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
O:\support\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [swg] c:\program files\google\googletoolbarnotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [AdaptecDirectCD] "c:\program files\adaptec\easy cd creator 5\directcd\DirectCD.exe"
mRun: [EZ Scheduler] c:\program files\american systems\ez scheduler\ezscheduler.exe /m
mRun: [LVCOMS] c:\program files\common files\logitech\qcdriver3\LVCOMS.EXE
mRun: [EM_EXEC] c:\progra~1\logitech\mousew~1\system\EM_EXEC.EXE
mRun: [Webroot Spy Sweeper, Enterprise Edition] c:\program files\webroot\enterprise\spy sweeper\SpySweeperTray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_03\bin\jusched.exe"
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\client server security agent\pccntmon.exe" -HideWindow
mRun: [OE] c:\program files\trend micro\client server security agent\tmas_oe\TMAS_OEMon.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {00134F72-5284-44F7-95A8-52A619F70751} - hxxps://busrv01.oasys-llc.local:4343/officescan/console/ClientInstall/WinNTChk.cab
DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} - hxxps://busrv01.oasys-llc.local:4343/officescan/console/ClientInstall/setup.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {9BBB3919-F518-4D06-8209-299FC243FC2A} - hxxps://busrv01.oasys-llc.local:4343/SMB/console/html/root/AtxEnc.cab
DPF: {9DCD8EB7-E925-45C9-9321-8CA843FBED3C} - hxxps://busrv01.oasys-llc.local:4343/SMB/console/html/root/AtxConsole.cab
DPF: {AA299E98-6FB5-409F-99D3-D30D749F4864} - hxxp://manage.janesville.k12.wi.us/inc/kaxRemote.dll
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {743968CF-21EF-4F23-BB0B-7D611CFCEA7C} = 192.168.254.5,192.168.254.2
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\marty\applic~1\mozilla\firefox\profiles\ahxzwqma.default\
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R1 AW_HOST;AW_HOST;c:\windows\system32\drivers\aw_host5.sys [2002-6-10 30398]
R1 awlegacy;awlegacy;c:\windows\system32\drivers\awlegacy.sys [2002-6-10 10816]
R2 2X SSO Service;2X SSO Service;c:\program files\2x\applicationserver client\TUXCredProv.exe [2008-7-16 260600]
R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\client server security agent\TmXPFlt.sys [2009-3-27 225296]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\client server security agent\tmpreflt.sys [2009-3-27 36368]
R3 Msikbd2k;DellTouch;c:\windows\system32\drivers\Msikbd2k.sys [2000-10-3 6942]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2008-7-21 334352]
R3 TmPfw;Trend Micro Client/Server Security Agent Personal Firewall;c:\program files\trend micro\client server security agent\TmPfw.exe [2008-11-5 492888]
R3 TmProxy;Trend Micro Client/Server Security Agent Proxy Service;c:\program files\trend micro\client server security agent\TmProxy.exe [2008-11-5 677128]
S2 tmevtmgr;tmevtmgr;\??\c:\windows\system32\drivers\tmevtmgr.sys --> c:\windows\system32\drivers\tmevtmgr.sys [?]
S3 ASANYs_GTTEST;Adaptive Server Anywhere - GTTEST;c:\program files\sybase\sql anywhere 8\win32\dbsrv8.exe -hvasanys_gttest --> c:\program files\sybase\sql anywhere 8\win32\dbsrv8.exe -hvASANYs_GTTEST [?]
S3 ASANYs_test;Adaptive Server Anywhere - test;c:\program files\sybase\sql anywhere 8\win32\dbsrv8.exe -hvasanys_test --> c:\program files\sybase\sql anywhere 8\win32\dbsrv8.exe -hvASANYs_test [?]
S3 ati2mpaa;ati2mpaa;c:\windows\system32\drivers\ati2mpaa.sys [2001-11-13 281856]
S3 awhost32;pcAnywhere Host Service;c:\program files\symantec\pcanywhere\awhost32.exe [2002-6-10 77880]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2003-8-28 189792]
S3 WebrootCommAgentService;Webroot CommAgent Service;c:\program files\webroot\enterprise\commagent\CommAgent.exe [2005-6-3 1867264]
S3 WebrootSpySweeperService;Webroot SpySweeper Service;c:\program files\webroot\enterprise\spy sweeper\SpySweeper.exe [2005-6-3 1805824]
S4 Nhksrv;Netropa NHK Server;c:\windows\Nhksrv.exe [2001-8-6 28672]

=============== Created Last 30 ================

2009-06-12 08:49 <DIR> --d----- C:\Logs
2009-06-11 15:25 153,104 a------- c:\windows\system32\drivers\tmcomm.sys
2009-06-11 13:19 <DIR> --d----- c:\docume~1\marty\applic~1\Malwarebytes
2009-06-11 13:19 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-11 13:19 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-11 13:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-11 13:19 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-11 11:26 <DIR> --d----- c:\windows\system32\scripting
2009-06-11 11:26 <DIR> --d----- c:\windows\l2schemas
2009-06-11 11:26 <DIR> --d----- c:\windows\system32\en
2009-06-10 12:26 158,720 a------- C:\0809 MEDICATION.xls
2009-06-01 13:12 <DIR> --d----- C:\HEIDI

==================== Find3M ====================

2009-06-11 11:37 90,127 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-05-07 10:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 10:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2009-04-28 23:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-28 23:56 827,392 -------- c:\windows\system32\dllcache\wininet.dll
2009-04-28 23:56 233,472 -------- c:\windows\system32\dllcache\webcheck.dll
2009-04-28 23:56 1,159,680 -------- c:\windows\system32\dllcache\urlmon.dll
2009-04-28 23:56 671,232 -------- c:\windows\system32\dllcache\mstime.dll
2009-04-28 23:56 105,984 -------- c:\windows\system32\dllcache\url.dll
2009-04-28 23:56 102,912 -------- c:\windows\system32\dllcache\occache.dll
2009-04-28 23:56 44,544 -------- c:\windows\system32\dllcache\pngfilt.dll
2009-04-28 23:56 3,596,288 -------- c:\windows\system32\dllcache\mshtml.dll
2009-04-28 23:56 477,696 -------- c:\windows\system32\dllcache\mshtmled.dll
2009-04-28 23:56 193,024 -------- c:\windows\system32\dllcache\msrating.dll
2009-04-28 23:46 1,499,136 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-04-28 04:05 13,824 a------- c:\windows\system32\dllcache\ieudinit.exe
2009-04-28 04:05 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-25 00:27 636,088 -------- c:\windows\system32\dllcache\iexplore.exe
2009-04-25 00:26 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2009-04-17 07:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-17 07:26 1,847,168 -------- c:\windows\system32\dllcache\win32k.sys
2009-04-15 09:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-15 09:51 585,216 -------- c:\windows\system32\dllcache\rpcrt4.dll
2009-03-21 09:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2008-06-11 19:54 56,912 a------- c:\documents and settings\marty\g2mdlhlpx.exe
2007-09-14 10:04 49,152 a------- c:\documents and settings\marty\IDHWTSS1.dll
2007-08-18 09:50 60,968 a------- c:\documents and settings\marty\GoToAssistDownloadHelper.exe
2007-04-05 11:36 69,168 a------- c:\docume~1\marty\applic~1\GDIPFONTCACHEV1.DAT
2005-01-25 15:06 65,536 a------- c:\documents and settings\marty\hobjni.dll
2005-01-25 15:06 36,867 a------- c:\documents and settings\marty\PrtDLL.dll

============= FINISH: 13:22:03.32 ===============






#2 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:25 PM

Posted 22 June 2009 - 08:17 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#3 oasyssupport

oasyssupport
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:07:25 PM

Posted 23 June 2009 - 07:27 AM

Thank you for your help with this issue!

Here is a little more info on what's happening: The anti-virus software is still picking up the same TROJ.SMALL.AJM and TROJ.TDSS.AET viruses along with a new one - TROJ_MONDER.ADM. All of the files that the AV is picking up start with SKYNET followed by 8-11 letters with an extension of either .tmp, .dll, or .sys. Before this started happening my boss said that he opened a .chm file he got in an email. After he clicked to open it, he realized that after the chm there were about 25 spaces followed by a .exe, and by that time it was too late. The computer had issues with spyware where it was redirecting all searches through IE and would not allow the home page to be changed. There was also one that changed the desktop background to say "warning your computer is infected" and nothing would work because it claimed it was infected. To resolve this I rebooted into safe mode and ran Malwarebytes which took care of that issue. However, the AV software is still picking up these files every day and it says they cannot be moved to the quarantine server. Below is the new DDS log.


DDS (Ver_09-05-14.01) - NTFSx86
Run by marty at 7:22:02.79 on Tue 06/23/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.127 [GMT -5:00]

AV: Trend Micro Client/Server Security Agent Antivirus *On-access scanning enabled* (Updated) {C5703462-95EE-4A31-9387-77F9EBDA5696}
FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\2X\ApplicationServer Client\TUXCredProv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\American Systems\EZ Scheduler\ezscheduler.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\Program Files\Trend Micro\Client Server Security Agent\TmPfw.exe
C:\Program Files\Trend Micro\Client Server Security Agent\CNTAoSMgr.exe
C:\Program Files\Trend Micro\Client Server Security Agent\TmProxy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
O:\support\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [AdaptecDirectCD] "c:\program files\adaptec\easy cd creator 5\directcd\DirectCD.exe"
mRun: [EZ Scheduler] c:\program files\american systems\ez scheduler\ezscheduler.exe /m
mRun: [LVCOMS] c:\program files\common files\logitech\qcdriver3\LVCOMS.EXE
mRun: [EM_EXEC] c:\progra~1\logitech\mousew~1\system\EM_EXEC.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_03\bin\jusched.exe"
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\client server security agent\pccntmon.exe" -HideWindow
mRun: [OE] c:\program files\trend micro\client server security agent\tmas_oe\TMAS_OEMon.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {00134F72-5284-44F7-95A8-52A619F70751} - hxxps://busrv01.oasys-llc.local:4343/officescan/console/ClientInstall/WinNTChk.cab
DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} - hxxps://busrv01.oasys-llc.local:4343/officescan/console/ClientInstall/setup.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {9BBB3919-F518-4D06-8209-299FC243FC2A} - hxxps://busrv01.oasys-llc.local:4343/SMB/console/html/root/AtxEnc.cab
DPF: {9DCD8EB7-E925-45C9-9321-8CA843FBED3C} - hxxps://busrv01.oasys-llc.local:4343/SMB/console/html/root/AtxConsole.cab
DPF: {AA299E98-6FB5-409F-99D3-D30D749F4864} - hxxp://manage.janesville.k12.wi.us/inc/kaxRemote.dll
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {743968CF-21EF-4F23-BB0B-7D611CFCEA7C} = 192.168.254.5,192.168.254.2
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\marty\applic~1\mozilla\firefox\profiles\ahxzwqma.default\
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R1 AW_HOST;AW_HOST;c:\windows\system32\drivers\aw_host5.sys [2002-6-10 30398]
R1 awlegacy;awlegacy;c:\windows\system32\drivers\awlegacy.sys [2002-6-10 10816]
R2 2X SSO Service;2X SSO Service;c:\program files\2x\applicationserver client\TUXCredProv.exe [2008-7-16 260600]
R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\client server security agent\TmXPFlt.sys [2009-3-27 225296]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\client server security agent\tmpreflt.sys [2009-3-27 36368]
R3 Msikbd2k;DellTouch;c:\windows\system32\drivers\Msikbd2k.sys [2000-10-3 6942]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2008-7-21 334352]
R3 TmPfw;Trend Micro Client/Server Security Agent Personal Firewall;c:\program files\trend micro\client server security agent\TmPfw.exe [2008-11-5 492888]
R3 TmProxy;Trend Micro Client/Server Security Agent Proxy Service;c:\program files\trend micro\client server security agent\TmProxy.exe [2008-11-5 677128]
S2 tmevtmgr;tmevtmgr;\??\c:\windows\system32\drivers\tmevtmgr.sys --> c:\windows\system32\drivers\tmevtmgr.sys [?]
S3 ASANYs_GTTEST;Adaptive Server Anywhere - GTTEST;c:\program files\sybase\sql anywhere 8\win32\dbsrv8.exe -hvasanys_gttest --> c:\program files\sybase\sql anywhere 8\win32\dbsrv8.exe -hvASANYs_GTTEST [?]
S3 ASANYs_test;Adaptive Server Anywhere - test;c:\program files\sybase\sql anywhere 8\win32\dbsrv8.exe -hvasanys_test --> c:\program files\sybase\sql anywhere 8\win32\dbsrv8.exe -hvASANYs_test [?]
S3 ati2mpaa;ati2mpaa;c:\windows\system32\drivers\ati2mpaa.sys [2001-11-13 281856]
S3 awhost32;pcAnywhere Host Service;c:\program files\symantec\pcanywhere\awhost32.exe [2002-6-10 77880]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-6-11 38160]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2003-8-28 189792]
S3 WebrootCommAgentService;Webroot CommAgent Service;c:\program files\webroot\enterprise\commagent\CommAgent.exe [2005-6-3 1867264]
S3 WebrootSpySweeperService;Webroot SpySweeper Service;c:\program files\webroot\enterprise\spy sweeper\SpySweeper.exe [2005-6-3 1805824]
S4 Nhksrv;Netropa NHK Server;c:\windows\Nhksrv.exe [2001-8-6 28672]

=============== Created Last 30 ================

2009-06-17 12:52 <DIR> --d----- c:\windows\697836DE03BB4C4C9B06CAFC93D0A506.TMP
2009-06-12 08:49 <DIR> --d----- C:\Logs
2009-06-11 15:25 153,104 a------- c:\windows\system32\drivers\tmcomm.sys
2009-06-11 13:19 <DIR> --d----- c:\docume~1\marty\applic~1\Malwarebytes
2009-06-11 13:19 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-11 13:19 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-11 13:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-11 13:19 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-11 11:26 <DIR> --d----- c:\windows\system32\scripting
2009-06-11 11:26 <DIR> --d----- c:\windows\l2schemas
2009-06-11 11:26 <DIR> --d----- c:\windows\system32\en
2009-06-10 12:26 158,720 a------- C:\0809 MEDICATION.xls
2009-06-01 13:12 <DIR> --d----- C:\HEIDI

==================== Find3M ====================

2009-06-11 11:37 90,127 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-05-07 10:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 10:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2009-04-28 23:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-28 23:56 827,392 -------- c:\windows\system32\dllcache\wininet.dll
2009-04-28 23:56 233,472 -------- c:\windows\system32\dllcache\webcheck.dll
2009-04-28 23:56 1,159,680 -------- c:\windows\system32\dllcache\urlmon.dll
2009-04-28 23:56 671,232 -------- c:\windows\system32\dllcache\mstime.dll
2009-04-28 23:56 105,984 -------- c:\windows\system32\dllcache\url.dll
2009-04-28 23:56 102,912 -------- c:\windows\system32\dllcache\occache.dll
2009-04-28 23:56 44,544 -------- c:\windows\system32\dllcache\pngfilt.dll
2009-04-28 23:56 3,596,288 -------- c:\windows\system32\dllcache\mshtml.dll
2009-04-28 23:56 477,696 -------- c:\windows\system32\dllcache\mshtmled.dll
2009-04-28 23:56 193,024 -------- c:\windows\system32\dllcache\msrating.dll
2009-04-28 23:46 1,499,136 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-04-28 04:05 13,824 a------- c:\windows\system32\dllcache\ieudinit.exe
2009-04-28 04:05 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-25 00:27 636,088 -------- c:\windows\system32\dllcache\iexplore.exe
2009-04-25 00:26 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2009-04-17 07:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-17 07:26 1,847,168 -------- c:\windows\system32\dllcache\win32k.sys
2009-04-15 09:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-15 09:51 585,216 -------- c:\windows\system32\dllcache\rpcrt4.dll
2008-06-11 19:54 56,912 a------- c:\documents and settings\marty\g2mdlhlpx.exe
2007-09-14 10:04 49,152 a------- c:\documents and settings\marty\IDHWTSS1.dll
2007-08-18 09:50 60,968 a------- c:\documents and settings\marty\GoToAssistDownloadHelper.exe
2007-04-05 11:36 69,168 a------- c:\docume~1\marty\applic~1\GDIPFONTCACHEV1.DAT
2005-01-25 15:06 65,536 a------- c:\documents and settings\marty\hobjni.dll
2005-01-25 15:06 36,867 a------- c:\documents and settings\marty\PrtDLL.dll

============= FINISH: 7:25:07.28 ===============

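Post #3 above gives two concrete indicators a defender can turn into a check: the SKYNET naming scheme of the dropped files ("SKYNET" plus 8-11 letters and a .tmp/.dll/.sys extension) and the e-mail attachment whose name hid a .exe behind a .chm and about 25 spaces. The script below is an added example, not part of the thread and not code from DDS, ComboFix or Trend Micro. It walks a list of file paths in the style of a ComboFix "Other Deletions" section and flags both indicators. Assumptions of the example: the .dat extension is included in the strict pattern because the ComboFix log later in the thread lists SKYNETrmqwuwsn.dat; the "invoice.chm" attachment name is constructed; the reason labels ("skynet-strict", "skynet-marker", "padded-extension") are the example's own.

```python
from __future__ import annotations

import re
from typing import Iterable, List, Optional, Tuple

# Strict form of the naming scheme described in post #3: "SKYNET" followed by
# 8-11 letters and a .tmp/.dll/.sys extension. ".dat" is added here as an
# assumption, based on the SKYNET*.dat entries in the ComboFix log further down.
SKYNET_STRICT = re.compile(r"^SKYNET[A-Za-z]{8,11}\.(?:tmp|dll|sys|dat)$", re.IGNORECASE)

# Extensions Windows runs directly; used for the padded double-extension check.
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd"}


def basename(path: str) -> str:
    """Return the last path component of a Windows-style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def classify_skynet(name: str) -> Optional[str]:
    """Label a file or service name by how closely it fits the SKYNET scheme."""
    if SKYNET_STRICT.match(name):
        return "skynet-strict"          # fits the 8-11 letter rule exactly
    if "SKYNET" in name.upper():
        return "skynet-marker"          # e.g. SKYNET.dat or Service_SKYNETxxxx
    return None


def has_padded_double_extension(name: str) -> bool:
    """True for names like 'invoice.chm<many spaces>.exe'.

    Such a name shows a harmless-looking inner extension while the real,
    executable extension is pushed out of view by whitespace padding.
    """
    stem, dot, ext = name.rpartition(".")
    if not dot or ext.lower() not in EXEC_EXTS:
        return False
    stripped = stem.rstrip()
    if stripped == stem:
        return False                    # no padding before the real extension
    # Padding only counts if what precedes it looks like another extension.
    return re.search(r"\.[A-Za-z0-9]{1,5}$", stripped) is not None


def scan_paths(paths: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (path, reason) for every line matching one of the indicators."""
    findings: List[Tuple[str, str]] = []
    for path in paths:
        path = path.strip()
        if not path:
            continue
        name = basename(path)
        reason = classify_skynet(name)
        if reason is None and has_padded_double_extension(name):
            reason = "padded-extension"
        if reason:
            findings.append((path, reason))
    return findings


# Constructed sample in ComboFix "Other Deletions" style. The SKYNET entries are
# the ones quoted in this thread; the attachment name is made up to show the
# ".chm<spaces>.exe" trick described in post #3.
SAMPLE_LINES = [
    r"((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))",
    r"c:\windows\system32\drivers\SKYNETqjkdaiqh.sys",
    r"c:\windows\system32\SKYNETcufowkmo.dll",
    r"c:\windows\system32\SKYNETrmqwuwsn.dat",
    r"c:\windows\system32\SKYNET.dat",
    r"c:\windows\system32\localspl.dll",
    r"-------\Service_SKYNETrtlwbdud",
    r"c:\documents and settings\marty\Desktop\invoice.chm" + " " * 25 + ".exe",
]


if __name__ == "__main__":
    for path, reason in scan_paths(SAMPLE_LINES):
        print(f"{reason:17s} {path}")
```

The padded-extension check matters because Windows Explorer hides known extensions by default, so a name like "invoice.chm<spaces>.exe" is displayed as "invoice.chm"; turning off "Hide extensions for known file types" and blocking executable attachments at the mail gateway are the usual mitigations. Note that the strict pattern deliberately does not catch SKYNET.dat or the Service_SKYNET... entry, which is why the looser "skynet-marker" label exists.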



#4 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:25 PM

Posted 24 June 2009 - 08:23 AM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Please note that some settings will be reset. Our tools are not designed for corporate environments.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.
    [screenshots of the Recovery Console prompt]

  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
    [screenshot of the prompt shown after the Recovery Console is installed]
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER to your desktop. Note that the file will be randomly named to prevent active malware from stopping the download.
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click the GMER program ******.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.

In your next reply include:
-the ComboFix log
-the GMER scan log

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda

#5 oasyssupport

oasyssupport
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:07:25 PM

Posted 24 June 2009 - 01:24 PM

Hi Panda,

Below are the ComboFix and GMER logs. The only changes I've made to the system was uninstalling some unused programs, adding Spybot Search and Destroy, installing Windows Updates and re-installing the Anti-virus software. Thank you for helping with this!

ComboFix log:

ComboFix 09-06-23.01 - marty 06/24/2009 9:29.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.302 [GMT -5:00]
Running from: c:\documents and settings\marty\Desktop\ComboFix.exe
AV: Trend Micro Client/Server Security Agent Antivirus *On-access scanning disabled* (Outdated) {C5703462-95EE-4A31-9387-77F9EBDA5696}
FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\LocalService\Application Data\twain_32
c:\documents and settings\LocalService\Application Data\twain_32\user.ds
c:\documents and settings\NetworkService\Application Data\twain_32
c:\documents and settings\NetworkService\Application Data\twain_32\user.ds
c:\program files\Manson
c:\windows\command
c:\windows\system32\twain_32
c:\program files\Manson\liser.dll
c:\program files\Manson\liser.exe
c:\windows\command\EXTRACT.PIF
c:\windows\sview.exe
c:\windows\system32\drivers\SKYNETqjkdaiqh.sys
c:\windows\system32\SKYNETcufowkmo.dll
c:\windows\system32\SKYNEToseyfvkl.dll
c:\windows\system32\SKYNETrmqwuwsn.dat
c:\windows\system32\SKYNETvdypkfbw.dat
c:\windows\system32\twain_32\local.ds
c:\windows\system32\twain_32\user.ds
c:\windows\system32\twain_32\user.ds.cla
c:\windows\system32\twext.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SKYNETrtlwbdud


((((((((((((((((((((((((( Files Created from 2009-05-24 to 2009-06-24 )))))))))))))))))))))))))))))))
.

2009-06-22 10:34 . 2009-06-22 10:34 93 ----a-w- c:\windows\system32\SKYNET.dat
2009-06-18 16:22 . 2009-06-18 16:22 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-17 18:35 . 2009-06-17 18:35 -------- d-----w- c:\documents and settings\marty\Application Data\Lavasoft
2009-06-17 17:52 . 2009-06-17 17:52 -------- d-----w- c:\windows\697836DE03BB4C4C9B06CAFC93D0A506.TMP
2009-06-15 14:12 . 2009-06-15 14:12 -------- d-----w- c:\documents and settings\Marty.SYSTEM01\Application Data\Malwarebytes
2009-06-12 13:49 . 2009-06-12 13:50 -------- d-----w- C:\Logs
2009-06-11 20:25 . 2009-04-02 21:08 153104 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-06-11 18:19 . 2009-06-11 18:19 -------- d-----w- c:\documents and settings\marty\Application Data\Malwarebytes
2009-06-11 18:19 . 2009-06-17 16:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-11 18:19 . 2009-06-17 16:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-11 18:19 . 2009-06-11 18:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-11 18:19 . 2009-06-18 16:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-11 16:26 . 2009-06-11 16:26 -------- d-----w- c:\windows\system32\scripting
2009-06-11 16:26 . 2009-06-11 16:26 -------- d-----w- c:\windows\l2schemas
2009-06-11 16:26 . 2009-06-11 16:26 -------- d-----w- c:\windows\system32\en
2009-06-11 15:36 . 2009-06-17 19:41 152576 ----a-w- c:\documents and settings\marty\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-06-01 18:12 . 2009-06-01 20:03 -------- d-----w- C:\HEIDI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-18 13:57 . 2004-07-14 21:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-17 19:40 . 2004-07-14 21:48 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-11 18:13 . 2009-04-07 14:47 -------- d-----w- c:\program files\Trend Micro
2009-06-11 16:37 . 2001-08-31 18:30 90127 ----a-w- c:\windows\PCHEALTH\HELPCTR\OfflineCache\index.dat
2009-06-11 15:55 . 2003-11-28 17:06 -------- d-----w- c:\program files\Java
2009-05-07 15:32 . 2001-08-18 13:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2003-11-21 01:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2005-11-19 17:26 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 12:26 . 2001-08-18 13:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2003-11-21 01:38 585216 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdaptecDirectCD"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2001-09-04 655360]
"EZ Scheduler"="c:\program files\American Systems\EZ Scheduler\ezscheduler.exe" [2001-04-03 331776]
"LVCOMS"="c:\program files\Common Files\Logitech\QCDriver3\LVCOMS.EXE" [2002-12-10 127022]
"EM_EXEC"="c:\progra~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2002-07-01 28672]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\Client Server Security Agent\pccntmon.exe" [2009-03-02 882048]
"OE"="c:\program files\Trend Micro\Client Server Security Agent\TMAS_OE\TMAS_OEMon.exe" [2008-04-03 492808]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 2X SSO Service;2X SSO Service;c:\program files\2X\ApplicationServer Client\TUXCredProv.exe [7/16/2008 11:30 AM 260600]
R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\Client Server Security Agent\TmXPFlt.sys [3/27/2009 7:16 PM 225296]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\Client Server Security Agent\tmpreflt.sys [3/27/2009 7:16 PM 36368]
R3 Msikbd2k;DellTouch;c:\windows\SYSTEM32\DRIVERS\Msikbd2k.sys [10/3/2000 4:18 PM 6942]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\SYSTEM32\DRIVERS\TM_CFW.sys [7/21/2008 6:50 PM 334352]
R3 TmPfw;Trend Micro Client/Server Security Agent Personal Firewall;c:\program files\Trend Micro\Client Server Security Agent\TmPfw.exe [11/5/2008 2:58 PM 492888]
R3 TmProxy;Trend Micro Client/Server Security Agent Proxy Service;c:\program files\Trend Micro\Client Server Security Agent\TmProxy.exe [11/5/2008 2:58 PM 677128]
S2 tmevtmgr;tmevtmgr;\??\c:\windows\system32\drivers\tmevtmgr.sys --> c:\windows\system32\drivers\tmevtmgr.sys [?]
S3 ASANYs_GTTEST;Adaptive Server Anywhere - GTTEST;c:\program files\Sybase\SQL Anywhere 8\win32\dbsrv8.exe -hvASANYs_GTTEST --> c:\program files\Sybase\SQL Anywhere 8\win32\dbsrv8.exe -hvASANYs_GTTEST [?]
S3 ASANYs_test;Adaptive Server Anywhere - test;c:\program files\Sybase\SQL Anywhere 8\win32\dbsrv8.exe -hvASANYs_test --> c:\program files\Sybase\SQL Anywhere 8\win32\dbsrv8.exe -hvASANYs_test [?]
S3 ati2mpaa;ati2mpaa;c:\windows\SYSTEM32\DRIVERS\ati2mpaa.sys [11/13/2001 9:47 PM 281856]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys [6/11/2009 1:19 PM 38160]
S4 Nhksrv;Netropa NHK Server;c:\windows\Nhksrv.exe [8/6/2001 2:41 PM 28672]
.
Contents of the 'Scheduled Tasks' folder

2009-06-24 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2003-11-20 20:20]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {743968CF-21EF-4F23-BB0B-7D611CFCEA7C} = 192.168.254.5,192.168.254.2
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {9BBB3919-F518-4D06-8209-299FC243FC2A} - hxxps://busrv01.oasys-llc.local:4343/SMB/console/html/root/AtxEnc.cab
DPF: {9DCD8EB7-E925-45C9-9321-8CA843FBED3C} - hxxps://busrv01.oasys-llc.local:4343/SMB/console/html/root/AtxConsole.cab
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-24 09:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1272)
c:\program files\2X\ApplicationServer Client\TUXCredProv.dll
c:\windows\System32\awgina.dll
c:\windows\system32\iphlpapi.dll
.
Completion time: 2009-06-24 9:39
ComboFix-quarantined-files.txt 2009-06-24 14:39

Pre-Run: 3,421,941,760 bytes free
Post-Run: 3,851,956,224 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

151



GMER log:

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-24 13:17:29
Windows 5.1.2600 Service Pack 3


---- Kernel code sections - GMER 1.0.15 ----

PAGE fltmgr.sys!FltEnumerateInstanceInformationByVolume + 325 F83E6897 1 Byte [CC] {INT 3 }
PAGE fltmgr.sys!FltGetFilterFromName + 95 F83E692F 1 Byte [A8]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs TmPreFlt.sys (Pre-Filter For XP/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat TmPreFlt.sys (Pre-Filter For XP/Trend Micro Inc.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETrtlwbdud@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETrtlwbdud@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETrtlwbdud@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETrtlwbdud@imagepath \systemroot\system32\drivers\SKYNETqjkdaiqh.sys
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETrtlwbdud\main
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETrtlwbdud\main@aid 10120
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETrtlwbdud\main@sid 0
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETrtlwbdud\main@cmddelay 7200
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETrtlwbdud\main\delete
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETrtlwbdud\main\injector
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETrtlwbdud\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETrtlwbdud\main\tasks
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETrtlwbdud\modules
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETrtlwbdud\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETqjkdaiqh.sys
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETrtlwbdud\modules@SKYNETcmd.dll \systemroot\system32\SKYNEToseyfvkl.dll
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETrtlwbdud\modules@SKYNETlog.dat \systemroot\system32\SKYNETrmqwuwsn.dat
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETrtlwbdud\modules@SKYNETwsp.dll \systemroot\system32\SKYNETcufowkmo.dll
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETrtlwbdud\modules@SKYNET.dat \systemroot\system32\SKYNETvdypkfbw.dat

---- EOF - GMER 1.0.15 ----

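As an added example (not code from this thread, from ComboFix or from GMER's authors): a small Python parser that reads the "Reg" lines GMER printed above, reconstructs what the hidden SKYNET service key declares (driver image, module-to-filename map, the "*" injector entry), and cross-checks the referenced files against the ComboFix "Other Deletions" list. It assumes \systemroot resolves to c:\windows and uses the thread's own log lines as constructed sample input.

```python
import re

# Constructed sample input: "Reg" lines in the format GMER prints under its Registry
# section, copied from the GMER log quoted earlier in this thread.
SAMPLE_GMER = r"""
---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETrtlwbdud@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETrtlwbdud@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETrtlwbdud@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETrtlwbdud@imagepath \systemroot\system32\drivers\SKYNETqjkdaiqh.sys
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETrtlwbdud\main
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETrtlwbdud\main@cmddelay 7200
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETrtlwbdud\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETrtlwbdud\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETqjkdaiqh.sys
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETrtlwbdud\modules@SKYNETcmd.dll \systemroot\system32\SKYNEToseyfvkl.dll
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETrtlwbdud\modules@SKYNETlog.dat \systemroot\system32\SKYNETrmqwuwsn.dat
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETrtlwbdud\modules@SKYNETwsp.dll \systemroot\system32\SKYNETcufowkmo.dll
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETrtlwbdud\modules@SKYNET.dat \systemroot\system32\SKYNETvdypkfbw.dat

---- EOF - GMER 1.0.15 ----
"""

# Files ComboFix listed under "Other Deletions" in the same thread (constructed sample).
COMBOFIX_DELETED = {
    r"c:\windows\system32\drivers\SKYNETqjkdaiqh.sys",
    r"c:\windows\system32\SKYNETcufowkmo.dll",
    r"c:\windows\system32\SKYNEToseyfvkl.dll",
    r"c:\windows\system32\SKYNETrmqwuwsn.dat",
    r"c:\windows\system32\SKYNETvdypkfbw.dat",
}

# One GMER "Reg" line: service key, optional sub-key path, optional "@value data" pair.
REG_LINE = re.compile(
    r"^Reg\s+HKLM\\SYSTEM\\(?:ControlSet\d+|CurrentControlSet)\\Services\\"
    r"(?P<svc>[^\\@\s]+)"
    r"(?P<sub>(?:\\[^\\@\s]+)*)"
    r"(?:@(?P<name>\S+)(?:\s+(?P<data>.*?))?)?\s*$"
)


def normalize_path(path, systemroot="c:\\windows"):
    """Lower-case a path and expand the \\systemroot\\ prefix (assumed to be c:\\windows)."""
    p = path.strip().lower()
    prefix = "\\systemroot\\"
    if p.startswith(prefix):
        p = systemroot + "\\" + p[len(prefix):]
    return p


def parse_gmer_services(text):
    """Group GMER Registry lines by service -> {sub-key path: {value name: data}}."""
    services = {}
    for raw in text.splitlines():
        m = REG_LINE.match(raw.strip())
        if not m:
            continue
        keys = services.setdefault(m["svc"], {})
        sub = m["sub"].strip("\\").lower()  # "" is the service key itself
        values = keys.setdefault(sub, {})
        if m["name"] is not None:
            values[m["name"]] = (m["data"] or "").strip()
    return services


def assess_service(name, keys):
    """Summarise what the hidden service key declares and which on-disk files it references."""
    root, main = keys.get("", {}), keys.get("main", {})
    modules, injector = keys.get("modules", {}), keys.get("main\\injector", {})
    files = set()
    if root.get("imagepath"):
        files.add(normalize_path(root["imagepath"]))
    renamed = {}  # logical module name -> randomised file it actually lives in
    for logical, on_disk in modules.items():
        files.add(normalize_path(on_disk))
        if on_disk.rsplit("\\", 1)[-1].lower() != logical.lower():
            renamed[logical] = on_disk
    return {
        "service": name,
        "kernel_driver": root.get("type") == "1",          # SERVICE_KERNEL_DRIVER
        "system_start": root.get("start") in ("0", "1"),   # boot or system start
        "injects_all_processes": "*" in injector,          # wildcard injector target
        "cmd_delay_seconds": int(main["cmddelay"]) if main.get("cmddelay", "").isdigit() else None,
        "renamed_modules": renamed,
        "files": files,
    }


def remaining_artifacts(report, deleted_paths):
    """Files the hidden service referenced that a cleanup log does not account for."""
    deleted = {normalize_path(p) for p in deleted_paths}
    return sorted(report["files"] - deleted)


if __name__ == "__main__":
    for svc, keys in parse_gmer_services(SAMPLE_GMER).items():
        report = assess_service(svc, keys)
        print(report)
        print("not accounted for by ComboFix:", remaining_artifacts(report, COMBOFIX_DELETED))
```

For the log in this thread every file the service key references appears in the ComboFix deletions, which is why the second post below treats the rootkit as removed; the leftover c:\windows\system32\SKYNET.dat is not in the module map and so has to be found from the "Files Created" section instead.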
#6 PropagandaPanda
  • Malware Response Team

Posted 24 June 2009 - 02:54 PM

Hello.

ComboFix was able to remove the infection.

Backdoor Threat
I'm sorry to say that your computer was infected with one or more backdoor trojans.

This means that sensitive information could have been stolen. I would advise to change any passwords for any accounts that you have accessed with the infected computer using a clean computer ASAP. If you have used this computer for banking, I would strongly suggest that you report the possible stolen information. Please do not use the computer for any further transactions, or to enter any other information, if at all possible, until it is declared clean.

You may want to read this article on how to handle identity theft.
You may also want to read this article regarding preventing of identity theft.

This computer can still be cleaned, however, I cannot guarantee that it will be 100% safe even after disinfection.

Please read When Should I Format, How Should I Reinstall.

I will proceed assuming you wish to disinfect. If you want to do a reinstall, reply back saying so.
--
Please manually delete this file:
c:\windows\system32\SKYNET.dat

Download and Run ATFCleaner
Please download ATF Cleaner by Atribune. This program will clear out temporary files and settings. You will likely be logged out of the forum where you are receiving help.
  • Double-click ATF-Cleaner.exe to run the program. If you are using Windows Vista, right click the icon and select Run As Administrator.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
F-Secure Online Scan
Please run F-Secure Online Scanner.
This scan is for Internet Explorer only.
  • It is suggested that you disable security programs and close any other windows during the scan. While your security is disabled, please refrain from surfing on other sites. Refer to this page if you are unsure how.
  • Go to F-Secure Online Scanner
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy the entire report in your next reply.
  • Be sure to re-enable any security programs.

Take a new DDS.txt log after.

Also give me an update on the symptoms.

With Regards,
The Panda

#7 PropagandaPanda
  • Malware Response Team

Posted 29 June 2009 - 12:54 PM

Hello.

There had been no reply from the topic starter in 5 days. Due to inactivity, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda

#8 PropagandaPanda
  • Malware Response Team

Posted 30 June 2009 - 01:15 PM

Reopened.

#9 oasyssupport
  • Topic Starter
  • Members

Posted 30 June 2009 - 03:35 PM

Thanks for reopening this one! Unfortunately my boss has been using the computer and both times I ran the F-Secure Online Scan he closed it before I got a chance to grab the log. I started it before I left on Wednesday of last week. By the time I left it did pick up a couple of items, but all that got closed and I don't know what it caught. I re-ran it today and once again it was closed before I could grab it. But I did get to run DDS again and have pasted that below.


DDS (Ver_09-05-14.01) - NTFSx86
Run by marty at 15:14:51.29 on Tue 06/30/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.160 [GMT -5:00]

AV: Trend Micro Client/Server Security Agent Antivirus *On-access scanning enabled* (Updated) {C5703462-95EE-4A31-9387-77F9EBDA5696}
FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\Program Files\Trend Micro\Client Server Security Agent\TmPfw.exe
C:\Program Files\Trend Micro\Client Server Security Agent\CNTAoSMgr.exe
C:\Program Files\Trend Micro\Client Server Security Agent\TmProxy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\American Systems\EZ Scheduler\ezscheduler.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O:\support\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [AdaptecDirectCD] "c:\program files\adaptec\easy cd creator 5\directcd\DirectCD.exe"
mRun: [EZ Scheduler] c:\program files\american systems\ez scheduler\ezscheduler.exe /m
mRun: [LVCOMS] c:\program files\common files\logitech\qcdriver3\LVCOMS.EXE
mRun: [EM_EXEC] c:\progra~1\logitech\mousew~1\system\EM_EXEC.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_03\bin\jusched.exe"
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\client server security agent\pccntmon.exe" -HideWindow
mRun: [OE] c:\program files\trend micro\client server security agent\tmas_oe\TMAS_OEMon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {00134F72-5284-44F7-95A8-52A619F70751} - hxxps://busrv01.oasys-llc.local:4343/officescan/console/ClientInstall/WinNTChk.cab
DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} - hxxps://busrv01.oasys-llc.local:4343/officescan/console/ClientInstall/setup.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {9BBB3919-F518-4D06-8209-299FC243FC2A} - hxxps://busrv01.oasys-llc.local:4343/SMB/console/html/root/AtxEnc.cab
DPF: {9DCD8EB7-E925-45C9-9321-8CA843FBED3C} - hxxps://busrv01.oasys-llc.local:4343/SMB/console/html/root/AtxConsole.cab
DPF: {AA299E98-6FB5-409F-99D3-D30D749F4864} - hxxp://manage.janesville.k12.wi.us/inc/kaxRemote.dll
DPF: {C237A80A-4C55-4C68-BAA9-CBE4408D12B2} - hxxp://download.sp.f-secure.com/ols/f-secure-rtm/resources/fslauncher.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {743968CF-21EF-4F23-BB0B-7D611CFCEA7C} = 192.168.254.5,192.168.254.2
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\marty\applic~1\mozilla\firefox\profiles\ahxzwqma.default\
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R1 AW_HOST;AW_HOST;c:\windows\system32\drivers\aw_host5.sys [2002-6-10 30398]
R1 awlegacy;awlegacy;c:\windows\system32\drivers\awlegacy.sys [2002-6-10 10816]
R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\client server security agent\TmXPFlt.sys [2009-3-27 225296]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\client server security agent\tmpreflt.sys [2009-3-27 36368]
R3 Msikbd2k;DellTouch;c:\windows\system32\drivers\Msikbd2k.sys [2000-10-3 6942]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2008-7-21 334352]
R3 TmPfw;Trend Micro Client/Server Security Agent Personal Firewall;c:\program files\trend micro\client server security agent\TmPfw.exe [2008-11-5 492888]
R3 TmProxy;Trend Micro Client/Server Security Agent Proxy Service;c:\program files\trend micro\client server security agent\TmProxy.exe [2008-11-5 677128]
S2 tmevtmgr;tmevtmgr;\??\c:\windows\system32\drivers\tmevtmgr.sys --> c:\windows\system32\drivers\tmevtmgr.sys [?]
S3 ASANYs_GTTEST;Adaptive Server Anywhere - GTTEST;c:\program files\sybase\sql anywhere 8\win32\dbsrv8.exe -hvasanys_gttest --> c:\program files\sybase\sql anywhere 8\win32\dbsrv8.exe -hvASANYs_GTTEST [?]
S3 ASANYs_test;Adaptive Server Anywhere - test;c:\program files\sybase\sql anywhere 8\win32\dbsrv8.exe -hvasanys_test --> c:\program files\sybase\sql anywhere 8\win32\dbsrv8.exe -hvASANYs_test [?]
S3 ati2mpaa;ati2mpaa;c:\windows\system32\drivers\ati2mpaa.sys [2001-11-13 281856]
S3 awhost32;pcAnywhere Host Service;c:\program files\symantec\pcanywhere\awhost32.exe [2002-6-10 77880]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;c:\docume~1\marty\locals~1\temp\onlinescanner\anti-virus\fsgk.sys [2009-6-30 70144]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-6-11 38160]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2003-8-28 189792]
S3 WebrootCommAgentService;Webroot CommAgent Service;c:\program files\webroot\enterprise\commagent\CommAgent.exe [2005-6-3 1867264]
S3 WebrootSpySweeperService;Webroot SpySweeper Service;c:\program files\webroot\enterprise\spy sweeper\SpySweeper.exe [2005-6-3 1805824]
S4 Nhksrv;Netropa NHK Server;c:\windows\Nhksrv.exe [2001-8-6 28672]

=============== Created Last 30 ================

2009-06-30 10:51 <DIR> --ds---- C:\ComboFix
2009-06-24 09:45 <DIR> --dsh--- C:\found.002
2009-06-24 09:37 <DIR> --d----- c:\windows\system32\dllcache\cache
2009-06-24 09:11 <DIR> a-dshr-- C:\cmdcons
2009-06-24 09:06 161,792 a------- c:\windows\SWREG.exe
2009-06-24 09:06 155,136 a------- c:\windows\PEV.exe
2009-06-24 09:06 98,816 a------- c:\windows\sed.exe
2009-06-17 12:52 <DIR> --d----- c:\windows\697836DE03BB4C4C9B06CAFC93D0A506.TMP
2009-06-12 08:49 <DIR> --d----- C:\Logs
2009-06-11 15:25 153,104 a------- c:\windows\system32\drivers\tmcomm.sys
2009-06-11 13:19 <DIR> --d----- c:\docume~1\marty\applic~1\Malwarebytes
2009-06-11 13:19 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-11 13:19 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-11 13:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-11 13:19 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-11 11:26 <DIR> --d----- c:\windows\system32\scripting
2009-06-11 11:26 <DIR> --d----- c:\windows\l2schemas
2009-06-11 11:26 <DIR> --d----- c:\windows\system32\en
2009-06-10 12:26 158,720 a------- C:\0809 MEDICATION.xls
2009-06-01 13:12 <DIR> --d----- C:\HEIDI

==================== Find3M ====================

2009-06-11 11:37 90,127 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-05-07 10:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 10:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2009-04-28 23:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-28 23:56 827,392 a------- c:\windows\system32\dllcache\cache\wininet.dll
2009-04-28 23:56 827,392 -------- c:\windows\system32\dllcache\wininet.dll
2009-04-28 23:56 233,472 -------- c:\windows\system32\dllcache\webcheck.dll
2009-04-28 23:56 1,159,680 -------- c:\windows\system32\dllcache\urlmon.dll
2009-04-28 23:56 671,232 -------- c:\windows\system32\dllcache\mstime.dll
2009-04-28 23:56 105,984 -------- c:\windows\system32\dllcache\url.dll
2009-04-28 23:56 102,912 -------- c:\windows\system32\dllcache\occache.dll
2009-04-28 23:56 44,544 -------- c:\windows\system32\dllcache\pngfilt.dll
2009-04-28 23:56 3,596,288 -------- c:\windows\system32\dllcache\mshtml.dll
2009-04-28 23:56 477,696 -------- c:\windows\system32\dllcache\mshtmled.dll
2009-04-28 23:56 193,024 -------- c:\windows\system32\dllcache\msrating.dll
2009-04-28 23:46 1,499,136 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-04-28 04:05 13,824 a------- c:\windows\system32\dllcache\ieudinit.exe
2009-04-28 04:05 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-25 00:27 636,088 -------- c:\windows\system32\dllcache\iexplore.exe
2009-04-25 00:26 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2009-04-17 07:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-17 07:26 1,847,168 -------- c:\windows\system32\dllcache\win32k.sys
2009-04-15 09:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-15 09:51 585,216 -------- c:\windows\system32\dllcache\rpcrt4.dll
2008-06-11 19:54 56,912 a------- c:\documents and settings\marty\g2mdlhlpx.exe
2007-09-14 10:04 49,152 a------- c:\documents and settings\marty\IDHWTSS1.dll
2007-08-18 09:50 60,968 a------- c:\documents and settings\marty\GoToAssistDownloadHelper.exe
2007-04-05 11:36 69,168 a------- c:\docume~1\marty\applic~1\GDIPFONTCACHEV1.DAT
2005-01-25 15:06 65,536 a------- c:\documents and settings\marty\hobjni.dll
2005-01-25 15:06 36,867 a------- c:\documents and settings\marty\PrtDLL.dll

============= FINISH: 15:16:02.29 ===============

The system does seem to be running a little slow, but that is the only symptom I've noticed. The anti-virus did pick up some files in the scan this morning, but they were successfully quarantined. Both were listed as: TSPY_ONLINEG.LSM.

Thanks!


#10 PropagandaPanda
  • Malware Response Team

Posted 01 July 2009 - 08:43 AM

Hello.

I don't see any active infections.

Update Java to Version 6 Update 14
Your current version of Java is outdated. Malware creators can exploit the lesser security of older versions. Please uninstall your current version through Add/Remove Programs. Remove all instances of Java, J2SE Runtime, Java Runtime, and Java Runtime Environment. Restart your computer after uninstalling.

Please download the installer here. Choose "Windows".

Delete the installer after use.

Keep me updated on the symptoms.

Normally, we could try disabling some startup programs to increase speed, but I don't want to change much on a company machine.

With Regards,
The Panda

#11 PropagandaPanda
  • Malware Response Team

Posted 10 July 2009 - 08:10 AM

Hello.

There had been no reply from the topic starter in 5 days. Due to inactivity, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda
