Scans are clean but strange behavior continues


16 replies to this topic

#1 LynnBR

LynnBR

  • Members
  • 104 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:04:01 AM

Posted 26 July 2009 - 10:29 PM

Problems first noticed Tue 7/21. A/V was not up to date, nor were OS patches. After several frustrating attempts at installing McAfee VirusScan this week, we ditched it and have installed Eset suite including firewall. MS updates are now up-to-date. Troublesome behavior - on 7/21, logged into our everyday acct (power user, not admin rights). Got messages that Explorer was being blocked by firewall; several messages that components of our HP printer software (all .exe files) could not start; occasional message that logitech .exe file could not start; and the VeriSign Personal Trust Agent login screen started popping up (initially only when accessing internet, now all the time). The VeriSign software is related to login for spouse's employer and has never been associated with this user account before. We do not see any strange behavior when logging into the acct with admin rights. Nor do we see the behavior when logging into a "limited user" account. This only happens when logged into our everyday, power user acct. Initially McAfee found some trojans and quarantined but did not remove. (Have not yet cleared system restore points and created new.) Since then, McAfee, MBAM and Eset all report back clean system. The VeriSign login popup opens every time a new page or session is opened in IE or a new program is opened, won't go to page or start program until click on cancel. Is this a malware infection, an app gone bad, or a corrupted rights issue? DDS log follows:


DDS (Ver_09-06-26.01) - NTFSx86
Run by hraz at 18:39:47.93 on Sun 07/26/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1515 [GMT -7:00]

AV: ESET Smart Security 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

============== Running Processes ===============

svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\system32\bgsmsnd.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\8.1.1.50-8876480SL\Program\wtsisctd.exe
C:\Documents and Settings\hraz\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
BHO: pdfMachine: {56cf4856-ecb4-4e46-a897-a378821f97b9} - c:\windows\system32\spool\drivers\w32x86\3\bgstb.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: pdfMachine: {56cf4856-ecb4-4e46-a897-a378821f97b9} - c:\windows\system32\spool\drivers\w32x86\3\bgstb.dll
uRun: [Aim6]
uRun: [userinit] c:\documents and settings\hraz\application data\sdra64.exe
mRun: [NVRaidService] c:\windows\system32\nvraidservice.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [OSSelectorReinstall] c:\program files\common files\acronis\acronis disk director\oss_reinstall.exe
mRun: [e360SysTray] c:\program files\hgra\hgra\e360SysTray.exe
mRun: [bgsmsnd.exe] c:\windows\system32\bgsmsnd.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [InCD] c:\program files\nero\nero 7\incd\InCD.exe
mRun: [Name of App] c:\program files\samsung\fw liveupdate\FWManager.exe r
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab
DPF: {62789780-B744-11D0-986B-00609731A21D} - hxxp://www.maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229877246484
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229877238296
DPF: {6F7864F9-DB33-11D3-8166-0060B0F885E6} - hxxps://pki.honeywell.com/pki/VSApps/vspta3.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Notify: ckpNotify - ckpNotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 relog_ap c:\docume~1\hraz\locals~1\temp\tuvSjKEV

============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-5-14 107256]
R1 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [2007-8-12 2234320]
R2 bgsserv;bgsserv;c:\windows\system32\spool\drivers\w32x86\3\bgsserv.exe [2007-8-14 217480]
R2 CP_OMDRV;Check Point Office Mode Module;c:\windows\system32\drivers\omdrv.sys [2007-8-12 36400]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2009-5-14 731840]
R2 FiberlinkCommMonitor;FiberlinkComm Monitor Service;c:\program files\hgra\hgra\wengine\wmonitor.exe [2006-1-13 69692]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
R2 portD;CMS PortIO Service;c:\windows\system32\drivers\portd2k.sys [2007-12-31 14976]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-1-20 24652]
R2 VNASC;Check Point Virtual Network Adapter - SecureClient;c:\windows\system32\drivers\vnasc.sys [2007-8-12 109072]
R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [2007-8-12 671408]
S2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2007-8-7 103744]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\drivers\BW2NDIS5.SYS [2004-11-2 17536]

=============== Created Last 30 ================

2009-07-26 13:29 <DIR> --d----- c:\docume~1\hraz\applic~1\ESET
2009-07-26 12:15 <DIR> --d----- c:\program files\ESET
2009-07-26 09:54 <DIR> --d----- c:\windows\system32\XPSViewer
2009-07-26 09:54 <DIR> --d----- C:\362da426cb91534c3e297abc7a7bf5
2009-07-26 09:54 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-07-26 09:54 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-07-26 09:54 117,760 -------- c:\windows\system32\prntvpt.dll
2009-07-26 09:25 <DIR> --d----- c:\windows\system32\scripting
2009-07-26 09:25 <DIR> --d----- c:\windows\system32\en
2009-07-26 09:25 <DIR> --d----- c:\windows\system32\bits
2009-07-26 09:25 <DIR> --d----- c:\windows\l2schemas
2009-07-26 09:23 <DIR> --d----- c:\windows\ServicePackFiles
2009-07-24 21:33 268,648 a------- c:\windows\system32\mucltui.dll
2009-07-24 21:33 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-07-24 03:05 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-07-24 03:05 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-07-24 03:04 21,504 a------- c:\windows\system32\drivers\hidserv.dll
2009-07-24 03:03 221,184 a------- c:\windows\system32\wmpns.dll
2009-07-23 23:10 404,990 -------- c:\windows\system32\drivers\slntamr.sys
2009-07-23 23:09 397,312 -------- c:\windows\system32\mmcex.dll
2009-07-23 23:08 36,480 -------- c:\windows\system32\drivers\bthprint.sys
2009-07-23 22:59 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-07-23 21:18 <DIR> --d----- c:\program files\Citrix
2009-07-22 06:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\19828284
2009-07-21 21:28 410,984 a------- c:\windows\system32\deploytk.dll
2009-07-21 21:28 73,728 a------- c:\windows\system32\javacpl.cpl
2009-07-20 19:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\18487654
2009-07-20 19:27 <DIR> --dsh--- c:\docume~1\hraz\applic~1\lowsec
2009-07-12 11:40 7,680 a--sh--- c:\windows\Thumbs.db

==================== Find3M ====================

2009-07-13 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-16 07:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 07:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-03 12:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-05-31 15:55 127,034 -----r-- c:\windows\bwUnin-8.1.1.50-8876480SL.exe
2009-05-09 01:14 1,418,120 a------- c:\windows\system32\wdfcoinstaller01005.dll
2009-05-07 08:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-28 21:46 666,624 a------- c:\windows\system32\wininet.dll
2009-04-28 21:46 81,920 a------- c:\windows\system32\ieencode.dll
2006-02-28 05:00 223,232 a----r-- c:\docume~1\hraz\applic~1\sdra64.exe

============= FINISH: 18:40:03.12 ===============


Thanks in advance. I will not have access to this computer for a few days in the middle of the week, so if someone does have a chance to get to this before I'm back online, be patient. I'll follow your instructions and report back as soon as I can later in the week. Thanks! Lynn
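The Pseudo HJT Report in the log above mixes per-user autoruns (uRun, read from HKCU) with per-machine ones (mRun, read from HKLM), and also lists the LSA Authentication Packages, which lsass.exe loads at logon. Because HKCU entries fire only for the account that owns the hive, they are the first place an analyst looks when a symptom follows one login and not others. The Python below is an added example, not anything posted in this thread: it parses lines in that DDS format and flags Run entries launching from a user-profile or temp directory and LSA packages given as a file path; the sample lines are copied from the log above, and the directory list is a constructed heuristic.

```python
import re
from typing import Optional

# DDS/HijackThis-style prefixes: 'u' = current user's hive (HKCU),
# 'm' = machine hive (HKLM). A uRun value only fires for the account that
# owns the hive, which is consistent with a symptom tied to one login.
SCOPE = {"uRun": "user (HKCU)", "mRun": "machine (HKLM)"}

# Profile/temp directories that legitimate autoruns rarely launch from.
# Constructed heuristic list; includes the 8.3 short forms DDS prints.
USER_WRITABLE = (
    "\\application data\\",
    "\\applic~1\\",
    "\\local settings\\temp\\",
    "\\locals~1\\temp\\",
)

RUN_RE = re.compile(r"^(?P<key>[um]Run):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
LSA_RE = re.compile(r"^LSA:\s*Authentication Packages\s*=\s*(?P<pkgs>.*)$")

# Sample lines copied from the DDS log posted above (a raw string keeps
# the backslashes literal).
SAMPLE_LOG = r"""
uRun: [Aim6]
uRun: [userinit] c:\documents and settings\hraz\application data\sdra64.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
LSA: Authentication Packages = msv1_0 relog_ap c:\docume~1\hraz\locals~1\temp\tuvSjKEV
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one Run or LSA line of the Pseudo HJT Report; None for anything else."""
    line = line.strip()
    m = RUN_RE.match(line)
    if m:
        return {"kind": "run", "scope": SCOPE[m["key"]], "name": m["name"],
                "cmd": m["cmd"].strip(), "line": line}
    m = LSA_RE.match(line)
    if m:
        return {"kind": "lsa", "packages": m["pkgs"].split(), "line": line}
    return None


def review_entry(entry: dict) -> Optional[str]:
    """Return a reason string if the entry deserves analyst attention, else None."""
    if entry["kind"] == "run":
        cmd = entry["cmd"].lower()
        if not cmd:
            return None  # orphaned value with no command: nothing executes
        for d in USER_WRITABLE:
            if d in cmd:
                where = d.strip("\\")
                return f"{entry['scope']} autorun launches from user-writable directory '{where}'"
        return None
    # LSA: a stock XP install lists only msv1_0. A package supplied as a
    # file path rather than a bare DLL name is loaded into lsass.exe at
    # logon and is worth a look; one under a temp directory even more so.
    for pkg in entry["packages"]:
        low = pkg.lower()
        if "\\" in low:
            where = "temp directory" if "\\temp\\" in low else "file path"
            return f"LSA authentication package given as {where}: {pkg}"
    return None


def review_log(text: str) -> list:
    """Run each line through the parser and collect flagged entries in order."""
    findings = []
    for raw in text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        reason = review_entry(entry)
        if reason:
            findings.append({"line": entry["line"], "reason": reason})
    return findings


if __name__ == "__main__":
    for f in review_log(SAMPLE_LOG):
        print(f["reason"])
        print("    " + f["line"])
```

Running it on the sample prints two findings: the HKCU Run entry under Application Data and the LSA package under the temp directory; every other line passes.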



#2 DocSatan

DocSatan

    Bleepin' Wanna-Be


  • Members
  • 2,156 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston, Ma.
  • Local time:07:01 AM

Posted 27 July 2009 - 09:56 AM

Hello LynnBR and Welcome to BleepingComputer.

I'm DocSatan and I will be helping you with your "Malware" related computer problems. Please give me some time to research your Log and I will get back to you ASAP. :thumbup2:

In the meantime:

1. Please TRACK this Topic
  • At the top of this thread (not the top of this web page) there is an Options button, right below the Add Reply and the New Topic buttons.
  • Click on Options
  • Then click on Track This Topic
  • Place a tick mark next to Immediate Email Notification
  • Then click on Proceed
  • You will now receive an e-mail as soon as a Reply is made to this Topic. :)
2. Do Not Make Any Changes to the "Infected" Computer.
Once you have posted a NEW DDS Log, Do Not make any changes to the computer. I will be researching the DDS Log that you post and any changes made to the system might interfere with the FIX that I prepare for you. Examples of "Changes":
  • Deleting Files/Folders
  • Installing/Uninstalling Programs
  • Running Anti-Virus, Anti-Malware, Anti-Spyware, etc., Programs
3. Please do not seek Help with this issue at another Computer Help Forum
  • While we are working together I must insist that you do not seek help with this matter at any other Help Forum.
  • Having multiple (more than one) Forums provide help for the same computer issue will result in confusion with preparing a Fix.
  • It is also not fair to the Volunteer who is helping you, as her/his time will be wasted trying to fix a computer that someone else is also trying to fix.
  • So, if you have posted at another Computer Help Forum for this same issue I would ask that you choose which Forum that you wish to stay with and inform the other Forum(s) that you no longer require their assistance.
Doc.

#3 LynnBR


Posted 27 July 2009 - 10:11 AM

Thanks Doc. I can be as patient as you need me to be, just appreciate the experienced eyes looking at this and working on it with me. As I noted, I will not have access to the problem child during the middle of the week, so I may be slow getting back to you. As for the items: 1 was already marked as such, 2 and 3 are noted. As an additional note, I noticed when shutting down the computer this morning that there was a Logitech updater (for our universal remote) that wouldn't shut down, and the VeriSign login kept popping up. Wrote down the exact app but of course the paper I wrote it on is 7 miles away from me right now. OS came back and said it couldn't shut down Logitech, click End Now; I clicked Cancel on the Verisign box and everything closed and shut down. I suspect the Verisign app has gotten set so it runs whenever something tries to access internet, including this updater which runs in the background. Didn't have time to disable the updater and see if that stopped the problem. Still, question is why this is happening on this user acct and not on others. HTH and Thanks!

#4 DocSatan


Posted 30 July 2009 - 04:48 PM

Hello LynnBR,

Sorry for the Delay. :thumbup2:

1. Please Download ComboFix
Here is a Tutorial on using ComboFix: A guide and tutorial on using ComboFix
  • Save it to your Desktop
  • Do NOT run ComboFix yet
  • Here is an alternative link to download ComboFix, if the above one is not working for you: Link 1
2. Disable Your AntiVirus and AntiSpyware Programs
  • You should be able to Right-Click on the program's icon in the System Tray and get an option to shut-down/disable each program.
  • These programs may interfere with our fix. We will re-enable them when we are done.
3. Double click on ComboFix.exe that you just saved to your Desktop
  • Follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. The Recovery Console will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • It is strongly recommended to have the Recovery Console installed on your machine before doing any malware removal.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

NOTE: If the Microsoft Windows Recovery Console is already installed, you will not receive a prompt from ComboFix regarding the Recovery Console.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.
4. Re-enable Your AntiVirus and AntiSpyware Programs That You Disabled in Step 2.

5. What I need in Your Next Reply:
  • ComboFix.txt
Doc.

#5 LynnBR


Posted 31 July 2009 - 10:05 AM

Thanks Doc. Will get to it later today, too tired to even think about it last night after getting home from 2.5-day Arizona-NY whirlwind trip. Question in the meantime - you asked for fresh HJT log. However, I never ran full HJT, just DDS version. Do you want real-deal HJT or DDS logs?

#6 DocSatan


Posted 31 July 2009 - 10:46 AM

Hi LynnBR,

too tired to even think about it last night after getting home from 2.5 day Arizona-NY whirlwind trip.

Wow. I hope you had enough time to enjoy yourself at least. :)

Question in the meantime - you asked for fresh HJT log. However, I never ran full HJT, just DDS version. Do you want real-deal HJT or DDS logs?

No HJT, just the ComboFix.txt please. :cool:
Thank you so much for asking! I've been wondering why people have been posting HJT Logs. Forgot to take that part out. :) :thumbup2:

Doc.

#7 LynnBR


Posted 31 July 2009 - 11:25 AM

Thanks for the clarification, glad I could help you too! Tempting to go home at lunch and run ComboFix, then not come back to work.
I did have a good time while I was there. Could have done without Wed afternoon's storm that kept us from walking more of the Brooklyn Bridge, but that's life. Son was sworn in/admitted as member of NY State Bar Association and I went back to be there for his (and 125 others') ceremony.

Am I correct in assuming that I need to run ComboFix with Admin rights (Win XP Pro) so that Recovery Console can install?

#8 DocSatan


Posted 31 July 2009 - 02:26 PM

No, you can just run it normally following the instructions I posted previously. :thumbup2:

#9 LynnBR


Posted 31 July 2009 - 10:18 PM

OK. So, first, couldn't get ComboFix to run under ailing user login (hraz). Ran under user with admin rights. Created restore point, installed RC, ran through all steps, deleted 2 files but I don't remember their names (I think one was something like instsrv.exe or instsvr.exe?). One file was in hraz Doc & Settings, other I believe was in c:\windows\system32, but I could be mistaken. Then I walked away from computer for a little while, came back to login screen. Logged in, ComboFix screen said it was creating log files and to allow it to finish. Then, bam bam, BSOD, reboot, back to login, MS error reporting screen. Sent error, came back that it was a device driver problem. This is what is in ComboFix.txt:

ComboFix 09-07-31.04 - User 07/31/2009 19:52:53.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1534 [GMT -7:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
.

Thought about running it again but decided to wait to see what you had to say before I tried that. I did log back into hraz account, still getting the Verisign popup.

What would you like me to try next? :thumbup2:

#10 LynnBR


Posted 31 July 2009 - 10:22 PM

Doc, just did a quick search on instsrv.exe. One link found mentioned remadmin worm. I recognize this as something that McAfee found during ill-fated first few install attempts. Just thought I'd share that piece of info with you in case it helps.

#11 DocSatan


Posted 01 August 2009 - 08:05 AM

Hey LynnBR,

Let's try ComboFix again. Please delete the ComboFix that you have on your Desktop.

1. Please Download ComboFix
Here is a Tutorial on using ComboFix: A guide and tutorial on using ComboFix
  • Save it to your Desktop
  • Do NOT run ComboFix yet
  • Here is an alternative link to download ComboFix, if the above one is not working for you: Link 1
2. Disable Your AntiVirus and AntiSpyware Programs
  • You should be able to Right-Click on the program's icon in the System Tray and get an option to shut-down/disable each program.
  • These programs may interfere with our fix. We will re-enable them when we are done.
3. Double click on ComboFix.exe that you just saved to your Desktop
  • Follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. The Recovery Console will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • It is strongly recommended to have the Recovery Console installed on your machine before doing any malware removal.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

NOTE: If the Microsoft Windows Recovery Console is already installed, you will not receive a prompt from ComboFix regarding the Recovery Console.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.
4. Re-enable Your AntiVirus and AntiSpyware Programs That You Disabled in Step 2.

5. What I need in Your Next Reply:
  • ComboFix.txt
Doc.

#12 LynnBR


Posted 01 August 2009 - 12:00 PM

Doc,
Tried running under hraz user, run as user with admin rights, got CFScript Name Error. So, ran under admin user. Here's the log:


ComboFix 09-07-31.04 - User 08/01/2009 9:49.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1514 [GMT -7:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\hraz\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\system32\instsrv.exe

.
((((((((((((((((((((((((( Files Created from 2009-07-01 to 2009-08-01 )))))))))))))))))))))))))))))))
.

2009-07-27 01:36 . 2009-07-27 01:36 -------- d-----w- c:\documents and settings\adam\Application Data\ESET
2009-07-26 20:29 . 2009-07-26 20:29 -------- d-----w- c:\documents and settings\hraz\Application Data\ESET
2009-07-26 19:15 . 2009-07-26 19:15 -------- d-----w- c:\documents and settings\User\Application Data\ESET
2009-07-26 19:15 . 2009-07-26 19:15 -------- d-----w- c:\program files\ESET
2009-07-26 19:15 . 2009-07-26 19:15 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2009-07-26 19:11 . 2009-07-26 19:11 36122624 ----a-w- c:\temp\ess_nt32_enu.msi
2009-07-26 18:13 . 2009-07-26 18:13 49152 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{FCC07EEA-FA18-4A21-9105-9666603C6885}\IconFCC07EEA1.exe
2009-07-26 18:13 . 2009-07-26 18:13 49152 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{FCC07EEA-FA18-4A21-9105-9666603C6885}\IconFCC07EEA.exe
2009-07-26 16:54 . 2009-07-26 16:54 -------- d-----w- c:\windows\system32\XPSViewer
2009-07-26 16:54 . 2009-07-26 16:54 -------- d-----w- c:\program files\MSBuild
2009-07-26 16:54 . 2009-07-26 16:54 -------- d-----w- c:\program files\Reference Assemblies
2009-07-26 16:54 . 2009-07-26 16:54 -------- d-----w- C:\362da426cb91534c3e297abc7a7bf5
2009-07-26 16:54 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-07-26 16:54 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-07-26 16:54 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-07-26 16:54 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-07-26 16:54 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-07-26 16:54 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-07-26 16:54 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-07-26 16:25 . 2009-07-26 16:25 -------- d-----w- c:\windows\system32\scripting
2009-07-26 16:25 . 2009-07-26 16:25 -------- d-----w- c:\windows\l2schemas
2009-07-26 16:25 . 2009-07-26 16:25 -------- d-----w- c:\windows\system32\en
2009-07-26 16:25 . 2009-07-26 16:25 -------- d-----w- c:\windows\system32\bits
2009-07-26 16:23 . 2009-07-26 16:26 -------- d-----w- c:\windows\ServicePackFiles
2009-07-25 04:33 . 2008-10-16 21:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-07-24 12:43 . 2009-07-24 12:43 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\SACore
2009-07-24 10:04 . 2004-08-04 07:56 21504 ----a-w- c:\windows\system32\drivers\hidserv.dll
2009-07-24 10:03 . 2006-02-28 12:00 221184 ----a-w- c:\windows\system32\wmpns.dll
2009-07-24 06:10 . 2008-04-14 00:12 73796 ------w- c:\windows\system32\slserv.exe
2009-07-24 06:09 . 2008-04-14 00:12 33792 ------w- c:\windows\system32\mmcperf.exe
2009-07-24 06:08 . 2008-04-13 18:46 36480 ------w- c:\windows\system32\drivers\bthprint.sys
2009-07-24 06:06 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-07-24 06:06 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-07-24 06:06 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-07-24 06:06 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
2009-07-24 06:06 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-07-24 06:06 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-07-24 06:06 . 2009-02-09 12:10 729088 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2009-07-24 06:06 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-07-24 06:06 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-07-24 06:06 . 2009-02-06 11:06 2145280 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-07-24 06:06 . 2009-02-06 11:08 2189056 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-07-24 06:06 . 2009-02-06 10:32 2023936 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-07-24 05:59 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-07-24 05:59 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-07-24 05:24 . 2009-07-24 05:24 3775175 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-07-24 04:18 . 2009-07-24 04:18 -------- d-----w- c:\program files\Citrix
2009-07-24 04:17 . 2009-07-24 04:17 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Citrix
2009-07-24 04:17 . 2009-07-24 04:17 61224 ----a-w- c:\documents and settings\User\GoToAssistDownloadHelper.exe
2009-07-23 03:30 . 2009-07-23 03:30 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-07-22 13:18 . 2009-07-22 13:18 -------- d-----w- c:\documents and settings\All Users\Application Data\19828284
2009-07-22 04:29 . 2009-07-22 04:29 -------- d-----w- c:\windows\Sun
2009-07-22 04:28 . 2009-07-22 04:27 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-22 04:27 . 2009-07-22 04:27 -------- d-----w- c:\program files\Java
2009-07-22 04:27 . 2009-07-22 04:27 152576 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-07-21 02:28 . 2009-07-21 02:28 -------- d-----w- c:\documents and settings\All Users\Application Data\18487654
2009-07-21 02:27 . 2009-08-01 16:30 -------- d-sh--w- c:\documents and settings\hraz\Application Data\lowsec

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-27 01:36 . 2008-04-07 19:03 55904 ----a-w- c:\documents and settings\adam\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-26 19:02 . 2007-08-17 03:50 55904 ----a-w- c:\documents and settings\hraz\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-26 17:12 . 2007-07-24 22:18 55904 ----a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-26 16:27 . 2007-07-25 10:42 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-07-24 10:05 . 2009-07-24 10:05 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-07-24 10:05 . 2009-07-24 10:05 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-07-24 05:37 . 2008-12-28 04:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-13 20:36 . 2008-12-28 04:59 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 20:36 . 2008-12-28 04:59 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-29 02:00 . 2007-08-14 05:09 3301 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2007\qbbackup.sys
2009-06-26 16:50 . 2006-02-28 12:00 666624 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:50 . 2006-02-28 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-18 07:01 . 2008-01-10 04:53 -------- d-----w- c:\documents and settings\hraz\Application Data\U3
2009-06-16 14:36 . 2006-02-28 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2006-02-28 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-03 19:09 . 2006-02-28 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-31 22:55 . 2009-05-31 22:55 127034 ------r- c:\windows\bwUnin-8.1.1.50-8876480SL.exe
2009-05-14 22:49 . 2009-05-14 22:49 55768 ----a-w- c:\windows\system32\drivers\epfwtdi.sys
2009-05-14 22:49 . 2009-05-14 22:49 33096 ----a-w- c:\windows\system32\drivers\epfwndis.sys
2009-05-14 22:49 . 2009-05-14 22:49 133000 ----a-w- c:\windows\system32\drivers\epfw.sys
2009-05-14 22:47 . 2009-05-14 22:47 107256 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2009-05-14 22:41 . 2009-05-14 22:41 114472 ----a-w- c:\windows\system32\drivers\eamon.sys
2009-05-09 08:14 . 2009-05-09 08:14 1418120 ----a-w- c:\windows\system32\wdfcoinstaller01005.dll
2009-05-09 08:14 . 2009-05-09 08:14 14736 ----a-w- c:\windows\system32\drivers\nuidfltr.sys
2009-05-07 15:32 . 2006-02-28 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-06 03:39 . 2007-08-15 02:23 816392 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2007\Components\DownloadQB17\Patch\qbpatch2.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-17 139264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVRaidService"="c:\windows\system32\nvraidservice.exe" [2006-09-21 137216]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-20 8429568]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-20 81920]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-10-05 868352]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-11-22 813912]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UdaterUI.exe" [2007-10-25 136512]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-02-17 1169776]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-02-17 1945960]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-02-17 149024]
"OSSelectorReinstall"="c:\program files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe" [2007-02-23 2209224]
"e360SysTray"="c:\program files\HGRA\HGRA\e360SysTray.exe" [2006-04-12 98304]
"bgsmsnd.exe"="c:\windows\system32\bgsmsnd.exe" [2007-11-19 160136]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2006-11-10 1051648]
"Name of App"="c:\program files\SAMSUNG\FW LiveUpdate\FWManager.exe" [2009-07-16 692340]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-11 342312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-22 148888]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-05-14 2029640]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-04-20 1626112]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-10-1 113664]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2009-5-31 67128]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-3-18 972064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
2005-09-08 21:27 24681 ----a-w- c:\windows\system32\ckpNotify.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BounceBack Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BounceBack Launcher.lnk
backup=c:\windows\pss\BounceBack Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Service.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\scc.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SDS.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Diagnostics.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [5/14/2009 3:47 PM 107256]
R1 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [8/12/2007 1:50 PM 2234320]
R2 bgsserv;bgsserv;c:\windows\system32\spool\drivers\w32x86\3\bgsserv.exe [8/14/2007 8:45 PM 217480]
R2 CP_OMDRV;Check Point Office Mode Module;c:\windows\system32\drivers\omdrv.sys [8/12/2007 1:49 PM 36400]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [5/14/2009 3:47 PM 731840]
R2 FiberlinkCommMonitor;FiberlinkComm Monitor Service;c:\program files\HGRA\HGRA\WENGINE\wmonitor.exe [1/13/2006 3:41 PM 69692]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 5:45 AM 13088]
R2 portD;CMS PortIO Service;c:\windows\system32\drivers\portd2k.sys [12/31/2007 5:48 PM 14976]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/20/2009 8:06 PM 24652]
R2 VNASC;Check Point Virtual Network Adapter - SecureClient;c:\windows\system32\drivers\vnasc.sys [8/12/2007 1:50 PM 109072]
R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [8/12/2007 1:49 PM 671408]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\drivers\BW2NDIS5.SYS [11/2/2004 5:33 PM 17536]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)
SafeBoot-MCODS


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: intuit.com
Trusted Zone: mcafee.com
Trusted Zone: mcafee.com\www
Trusted Zone: turbotax.com
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-01 09:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1872)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(5072)
c:\program files\Common Files\Ahead\Lib\NeroSearchBar.dll
c:\program files\Common Files\Ahead\Lib\MFC71U.DLL
c:\program files\Common Files\Ahead\Lib\BCGCBPRO800u.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-08-01 9:54
ComboFix-quarantined-files.txt 2009-08-01 16:54

Pre-Run: 281,763,004,416 bytes free
Post-Run: 281,836,113,920 bytes free

237 --- E O F --- 2009-08-01 02:25

Thanks again!

#13 DocSatan

Bleepin' Wanna-Be

  • Members
  • 2,156 posts
  • Gender:Male
  • Location:Boston, Ma.

Posted 02 August 2009 - 09:54 PM

Hello LynnBR,

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

Doc.

#14 LynnBR

  • Topic Starter
  • Members
  • 104 posts
  • Gender:Female

Posted 03 August 2009 - 01:29 PM

Doc,
Thanks, although that wasn't the first word out of my mouth when I read your reply. At least I didn't read it Sunday night and have it keep me awake! I'm used to bad news on Monday mornings... And, when I started this whole topic, I was fully expecting this reply, debated whether to even go this route or just format and go from there. I'm guessing, between file dates and web searches, that lowsec is the badboy. File date matches when we started having problems.

On the bright side, we imaged the system soon after purchase, so we do have an image we can restore from and won't need to go through quite the hassle of reinstalling everything. Unfortunately, that image is several years old, but not much software has been installed during that time. And what data isn't already backed up on an external drive can be done quickly. I already have WinXP SP3 and Ofc 2k3 SP3 on CD at work so can install those prior to connecting to the internet.

Also on the bright side, spouse stores passwords in encrypted password-storage program, we don't save many online passwords (AIM, email are all I can think of), and have the remember-me and autocomplete turned off. We also haven't done anything sensitive online since weird behavior started, have found other computers for the few things we needed passwords to do. They might have gotten my Flickr password, but that's already been changed. Biggest worry, which we will be enabling fraud alerts as a result of, is that we do our taxes on this computer. Hopefully it won't be too long before we're back in business, fully patched and protected.
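The reasoning LynnBR applies above (compare the creation dates in the ComboFix log against the day the symptoms started, and treat a hidden/system folder under a user profile such as "lowsec" as the likely culprit) can be written down as a small triage script. The following is an added example for this thread, not ComboFix's code and not anything either poster wrote. The sample lines are copied from the log posted earlier in the thread; the incident window of 21 July with one day of slack, the rule names, and the assumption that the two timestamps on each line are creation and modification time in a section-dependent order are choices made for this example.

```python
"""Triage of ComboFix-style log lines (added example, not ComboFix's own code).

Flags a file/directory entry when either of its timestamps falls inside the
incident window, when it is a hidden+system object under a user profile, or
when it is a directory whose name is a bare number. A second helper picks
out the two weakened registry settings ComboFix printed in this thread
(Windows Firewall off, Security Center update notifications disabled).
"""
import re
from datetime import datetime, timedelta

# ComboFix file lines look like:
#   <timestamp> . <timestamp> <size or -------->  <8-char attrs>  <path>
# One timestamp is creation time, the other modification time; which is which
# depends on the log section (assumption), so the rules below consider both.
FILE_LINE = re.compile(
    r"^(?P<t1>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<t2>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>\d+|-+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+?)\s*$"
)
TS = "%Y-%m-%d %H:%M"

# Constructed sample: lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
2009-07-24 06:06 . 2009-02-09 12:10 729088 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2009-07-24 05:24 . 2009-07-24 05:24 3775175 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-07-22 13:18 . 2009-07-22 13:18 -------- d-----w- c:\documents and settings\All Users\Application Data\19828284
2009-07-21 02:28 . 2009-07-21 02:28 -------- d-----w- c:\documents and settings\All Users\Application Data\18487654
2009-07-21 02:27 . 2009-08-01 16:30 -------- d-sh--w- c:\documents and settings\hraz\Application Data\lowsec
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
""".splitlines()


def parse_file_line(line):
    """Return a dict for one file/directory line, or None if it is not one."""
    m = FILE_LINE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["times"] = [datetime.strptime(d["t1"], TS), datetime.strptime(d["t2"], TS)]
    d["is_dir"] = d["attrs"][0] == "d"  # first attribute column is 'd' for directories
    d["hidden"] = "h" in d["attrs"]
    d["system"] = "s" in d["attrs"]
    return d


def triage_entry(entry, window_start, window_end):
    """Return the list of rule names the entry trips (empty list = nothing odd)."""
    reasons = []
    path = entry["path"].lower()
    if any(window_start <= t <= window_end for t in entry["times"]):
        reasons.append("incident_window")
    if entry["hidden"] and entry["system"] and "\\documents and settings\\" in path:
        # Objects under a user profile normally carry neither S nor H.
        reasons.append("hidden_system_in_profile")
    leaf = path.rstrip("\\").rsplit("\\", 1)[-1]
    if entry["is_dir"] and leaf.isdigit():
        # A folder whose whole name is a number is a common dropper artifact.
        reasons.append("numeric_dir_name")
    return reasons


def triage_log(lines, incident_date, slack_days=1):
    """Run every file line through the rules; return {path: [reasons]}."""
    start = incident_date - timedelta(days=slack_days)
    end = incident_date + timedelta(days=slack_days, hours=23, minutes=59)
    findings = {}
    for line in lines:
        entry = parse_file_line(line)
        if entry is not None:
            reasons = triage_entry(entry, start, end)
            if reasons:
                findings[entry["path"]] = reasons
    return findings


# (key fragment, value name) -> the printed value that means "weakened".
REG_RULES = {
    ("firewallpolicy\\standardprofile", "EnableFirewall"): "0",
    ("security center", "UpdatesDisableNotify"): "dword:00000001",
}


def weakened_settings(lines):
    """Return the registry value names whose printed setting matches REG_RULES."""
    hits, current_key = [], ""
    for line in lines:
        s = line.strip()
        if s.startswith("["):
            current_key = s.lower()
            continue
        m = re.match(r'^"(?P<name>[^"]+)"=\s*(?P<val>\S+)', s)
        if not m:
            continue
        for (key_frag, name), bad in REG_RULES.items():
            if key_frag in current_key and m.group("name") == name and m.group("val") == bad:
                hits.append(name)
    return hits


def triage_sample():
    """Run both checks over SAMPLE_LOG with the incident date used in this thread."""
    return triage_log(SAMPLE_LOG, datetime(2009, 7, 21)), weakened_settings(SAMPLE_LOG)


if __name__ == "__main__":
    files, regs = triage_sample()
    for path, why in files.items():
        print(path, "->", ", ".join(why))
    print("weakened settings:", regs)
```

Run against the posted log this flags exactly the three folders created on 21 and 22 July (lowsec for being hidden+system under a profile as well as for its date, the two numeric folders for their names and dates), leaves the 24 July update files and the Malwarebytes installer alone, and reports EnableFirewall=0 and UpdatesDisableNotify=1. It is a first-pass filter to decide what to look at, not a verdict; the date rule in particular will also catch legitimate files that happened to be installed that day.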

#15 DocSatan

Bleepin' Wanna-Be

  • Members
  • 2,156 posts
  • Gender:Male
  • Location:Boston, Ma.

Posted 03 August 2009 - 03:06 PM

Hi LynnBR,

Good luck! I hope the process goes easy for you guys.

Unless there is something else that I can help you with, we will be closing this Topic.

Please reply back so that I know that we are finished. :)

Doc.
