PC Freezes, IE dies, MasterCard SecureCode pop-ups


  • This topic is locked
48 replies to this topic

#1 SteveML

SteveML

  • Members
  • 28 posts
  • OFFLINE
  • Local time:05:22 PM

Posted 03 August 2009 - 09:45 AM

Hello - thanks in advance for any assistance you can provide.

My PC (XP Pro, SP 3) began freezing up about a week ago. I never get a blue screen, I just can't do anything at all. A few things I've noticed -

- services.exe is running up huge numbers in I/O Other
- the timestamp on my hosts file changes when I use IE. There are no additional entries in there, but this seems suspicious.
- when the PC freezes, I can sometimes CTL-ALT-DEL, and choose an option, but nothing happens
- a few days ago when paying bills online, I started noticing the MasterCard SecureCode pop-up - it has one of my card numbers pre-filled

I've run AVG, Malwarebytes and SpyNoMore. Sometimes it seems like things are getting better, but then it will just freeze up again.



DDS (Ver_09-07-30.01) - NTFSx86
Run by sleitz at 10:33:21.69 on Mon 08/03/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1016 [GMT -4:00]

FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
svchost.exe
svchost.exe
C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Baan\shared\bin\BclmServer.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\GS_UTS\GS_Tnet.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Infor\Infor WMS\bin\Provia.Printer.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\IBM_DS3000\client\monitor\SMmonitor.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Infor\Infor WMS\bin\instserver.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Creative\Mixer\CTSVolFE.exe
C:\DOCUME~1\sleitz\LOCALS~1\Temp\clclean.0001
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\sleitz\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6061123
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.dell.com
uInternet Settings,ProxyServer = swi-isa:80
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: AutorunsDisabled - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Browser protection: {fb9ffb4b-9680-4256-8178-5ecdb2c19b23} - c:\progra~1\spynom~1\SNMIEG~1.DLL
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [SetDefaultMIDI] MIDIDef.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [eFax 4.4] "c:\program files\efax messenger 4.4\J2GDllCmd.exe" /R
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [CTSysVol] c:\program files\creative\sbaudigy\surround mixer\CTSysVol.exe /r
mRun: [MBMon] Rundll32 CTMBHA.DLL,MBMon
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UpdaterUI.exe" /StartedFromRunKey
mRun: [ShStatEXE] "c:\program files\network associates\virusscan\SHSTAT.EXE" /STANDALONE
mRun: [Network Associates Error Reporting Service] "c:\program files\common files\network associates\talkback\TBMon.exe"
mRun: [SNM] c:\program files\spynomore\SNM.exe /startup
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [dotNetInstallerBoot] c:\docume~1\sleitz\locals~1\temp\ixp000.tmp\Setup.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [CTSVolFE.exe] "c:\program files\creative\mixer\CTSVolFE.exe" /r
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
StartupFolder: c:\docume~1\sleitz\startm~1\programs\startup\autoru~1\efax44~1.lnk - c:\program files\efax messenger 4.4\J2GTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\sleitz\start menu\programs\imvu\Run IMVU.lnk
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: usdavwnitco
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B}
DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F}
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Notify: igfxcui - igfxdev.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL

============= SERVICES / DRIVERS ===============

R0 sonyhcb;Sony Digital Imaging Base;c:\windows\system32\drivers\sonyhcb.sys [2008-3-1 6097]
R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2007-1-16 58464]
R2 BCLMD_M;SSA License Server (Master:6005);c:\program files\baan\shared\bin\BclmServer.exe [2008-1-16 1002244]
R2 GS_Tnet;Georgia SoftWorks UTS;c:\gs_uts\GS_Tnet.exe [2007-1-23 90112]
R2 Infor WMS Printer;Infor WMS paperwork reprint helper;c:\program files\infor\infor wms\bin\Provia.Printer.exe [2008-3-13 32768]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2007-1-16 102463]
R2 McShield;Network Associates McShield;c:\program files\network associates\virusscan\Mcshield.exe [2005-8-22 221191]
R2 McTaskManager;Network Associates Task Manager;c:\program files\network associates\virusscan\VsTskMgr.exe [2005-8-22 29184]
R2 SMmonitor;IBM DS3000 Storage Manager 2 Event Monitor;c:\program files\ibm_ds3000\client\monitor\SMmonitor.exe [2008-12-8 69632]
R2 ViaInstanceService;Via-Instance-Service;c:\program files\infor\infor wms\bin\instserver.exe [2008-3-12 488960]
R3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2007-1-16 114624]
S3 CSVirtA;Cisco Systems SSL VPN Adapter;c:\windows\system32\drivers\CSVirtA.sys [2008-10-24 21240]
S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\google\google desktop search\GoogleDesktop.exe [2006-11-23 30192]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-7-31 38160]
S3 NaiAvFilter102;NAI Anti Virus;\Device\NaiAvFilter102.sys --> \Device\NaiAvFilter102.sys [?]
S3 sonyhcs;Sony Digital Imaging Video;c:\windows\system32\drivers\sonyhcs.sys [2008-3-1 299923]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-2-12 280344]

=============== Created Last 30 ================

2009-08-02 22:55 <DIR> --d----- c:\program files\Trend Micro
2009-07-31 14:09 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-31 14:09 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-31 09:01 177,152 -------- c:\windows\system32\dllcache\msctfime.ime
2009-07-30 23:50 <DIR> --d----- c:\documents and settings\sleitz\Tracing
2009-07-30 23:48 <DIR> --d----- c:\program files\Microsoft
2009-07-30 23:48 <DIR> --d----- c:\program files\Windows Live SkyDrive
2009-07-30 23:33 <DIR> --d----- c:\program files\common files\Windows Live
2009-07-30 21:59 1,089,593 -------- c:\windows\system32\dllcache\ntprint.cat
2009-07-30 21:44 <DIR> --d----- c:\windows\system32\XPSViewer
2009-07-30 21:43 597,504 -------- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-07-30 21:43 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-07-30 21:43 575,488 -------- c:\windows\system32\dllcache\xpsshhdr.dll
2009-07-30 21:43 117,760 -------- c:\windows\system32\prntvpt.dll
2009-07-30 21:43 89,088 -------- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-07-30 21:43 <DIR> --d----- C:\0da5e34cbd23dc95a9ab0ecb2928
2009-07-30 21:43 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-07-30 21:43 1,676,288 -------- c:\windows\system32\dllcache\xpssvcs.dll
2009-07-29 21:33 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-07-29 20:31 <DIR> --d----- c:\program files\AVG
2009-07-29 10:16 <DIR> --d----- c:\docume~1\sleitz\applic~1\Malwarebytes
2009-07-29 10:16 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-29 10:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-09 14:20 268,288 -------- c:\windows\system32\dllcache\httpext.dll
2009-07-09 14:20 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2009-07-09 14:19 585,216 -------- c:\windows\system32\dllcache\rpcrt4.dll
2009-07-06 13:55 21,393 a------- c:\windows\system32\drivers\iPassP.sys
2009-07-06 13:54 <DIR> --d----- c:\program files\iPass
2009-07-06 13:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\iPass

==================== Find3M ====================

2009-07-18 12:05 3,069,440 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-18 12:05 1,509,888 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-06-26 12:50 666,624 a------- c:\windows\system32\wininet.dll
2009-06-26 12:50 666,624 -------- c:\windows\system32\dllcache\wininet.dll
2009-06-26 12:50 620,032 -------- c:\windows\system32\dllcache\urlmon.dll
2009-06-26 12:50 81,920 a------- c:\windows\system32\ieencode.dll
2009-06-26 12:50 81,920 -------- c:\windows\system32\dllcache\ieencode.dll
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-16 10:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 10:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-03 15:09 1,291,264 -------- c:\windows\system32\dllcache\quartz.dll
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2007-06-15 15:30 56,912 a------- c:\documents and settings\sleitz\g2mdlhlpx.exe
2008-06-05 16:15 88 ---shr-- c:\windows\system32\05E65E32C8.sys
2007-05-23 20:24 1,498,485 ---sh--- c:\windows\system32\dgjlm.bak1
2007-05-23 21:25 1,498,485 ---sh--- c:\windows\system32\efhkj.bak1
2008-06-05 16:15 2,984 a--sh--- c:\windows\system32\KGyGaAvL.sys
2007-05-23 16:29 1,498,525 ---sh--- c:\windows\system32\pqtss.bak1
2007-05-23 16:55 1,498,485 ---sh--- c:\windows\system32\stvwa.bak1

============= FINISH: 10:34:36.09 ===============
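The Find3M section of the DDS log above lists several files directly in system32 carrying both the hidden and system attributes (`---sh---`, `a--sh---`), and the ComboFix log later in this thread shows the `.bak1` files among its deletions. As an added example that is not part of the original post or of the DDS tool, here is a small Python parser for DDS listing lines that flags hidden+system files under system32 and groups files of identical size; the sample lines are copied from the log above, and the flagging rule is an analyst heuristic (assumption), producing review candidates rather than verdicts.

```python
"""Triage helper for DDS file listings: flag hidden+system files in system32 and group same-size files."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One DDS listing line: "YYYY-MM-DD HH:MM <size|<DIR>> <8 attribute chars> <path>"
# Attribute characters seen in DDS output: a=archive, d=directory, s=system, h=hidden, r=read-only.
DDS_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>[\d,]+|<DIR>) (?P<attrs>[adshr-]{8}) (?P<path>.+)$"
)

# Root under which hidden+system files are unusual enough to review (heuristic, not a verdict).
SYSTEM32 = "c:\\windows\\system32\\"

# Sample input: lines copied from the Find3M section of the DDS log above, plus one directory line.
SAMPLE_LOG = r"""
==================== Find3M ====================

2009-07-18 12:05 3,069,440 -------- c:\windows\system32\dllcache\mshtml.dll
2009-06-26 12:50 666,624 a------- c:\windows\system32\wininet.dll
2007-06-15 15:30 56,912 a------- c:\documents and settings\sleitz\g2mdlhlpx.exe
2008-06-05 16:15 88 ---shr-- c:\windows\system32\05E65E32C8.sys
2007-05-23 20:24 1,498,485 ---sh--- c:\windows\system32\dgjlm.bak1
2007-05-23 21:25 1,498,485 ---sh--- c:\windows\system32\efhkj.bak1
2008-06-05 16:15 2,984 a--sh--- c:\windows\system32\KGyGaAvL.sys
2007-05-23 16:29 1,498,525 ---sh--- c:\windows\system32\pqtss.bak1
2007-05-23 16:55 1,498,485 ---sh--- c:\windows\system32\stvwa.bak1
2009-07-29 21:33 <DIR> --d-h--- C:\$AVG8.VAULT$
"""


@dataclass
class DdsEntry:
    date: str
    size: Optional[int]  # None for directories
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.size is None

    @property
    def hidden_system(self) -> bool:
        return "h" in self.attrs and "s" in self.attrs


def parse_dds_lines(lines: List[str]) -> List[DdsEntry]:
    """Parse the file-listing lines of a DDS log; section headers and blank lines are skipped."""
    entries: List[DdsEntry] = []
    for line in lines:
        m = DDS_LINE.match(line.strip())
        if not m:
            continue
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        entries.append(DdsEntry(m["date"], size, m["attrs"], m["path"]))
    return entries


def flag_hidden_system(entries: List[DdsEntry], root: str = SYSTEM32) -> List[DdsEntry]:
    """Return files (not directories) under `root` that carry both the hidden and system attributes.

    A hit is a candidate for analyst review, not a verdict: some legitimate components
    (licensing files, for example) use the same attribute combination.
    """
    root = root.lower()
    return [
        e for e in entries
        if not e.is_dir and e.hidden_system and e.path.lower().startswith(root)
    ]


def same_size_groups(entries: List[DdsEntry], min_count: int = 2) -> Dict[int, List[str]]:
    """Group files by exact byte size; several unrelated names at one size is a second triage signal."""
    groups: Dict[int, List[str]] = {}
    for e in entries:
        if not e.is_dir:
            groups.setdefault(e.size, []).append(e.path)
    return {size: paths for size, paths in groups.items() if len(paths) >= min_count}


def suspicious_paths(log_text: str = SAMPLE_LOG) -> List[str]:
    """Convenience wrapper: parse a DDS log and return flagged paths in log order."""
    return [e.path for e in flag_hidden_system(parse_dds_lines(log_text.splitlines()))]


if __name__ == "__main__":
    entries = parse_dds_lines(SAMPLE_LOG.splitlines())
    for path in suspicious_paths():
        print("review:", path)
    for size, paths in same_size_groups(entries).items():
        print(f"{size} bytes shared by: {', '.join(paths)}")
```

Run against the sample, the hidden+system filter returns the six system32 entries, and the size grouping separates the three 1,498,485-byte `.bak1` files from `pqtss.bak1`, which is 40 bytes larger; both lists are starting points for an analyst, which is why the wrapper returns paths instead of deciding anything.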


#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:22 PM

Posted 12 August 2009 - 02:11 PM

Hello SteveML,

Is this a company, business or corporate computer? :thumbup2:




Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Please download Java Version 6 Update 15
  • Click the "Free Java Download" button.
  • Click "Free Java Download" again
  • Save the file jxpiinstall.exe to your desktop
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    J2SE Runtime Environment 5.0 Update 6
    Java 2 Runtime Environment, SE v1.4.2_12
    Java™ 6 Update 13

  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jxpiinstall.exe to install the newest version.
Download Security Check by screen317 from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.

Edited by SifuMike, 12 August 2009 - 02:16 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 SteveML

SteveML
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  • Local time:05:22 PM

Posted 12 August 2009 - 03:07 PM

SifuMike - thanks for your help.

This is a personal laptop, but I use it at work, so it has a bunch of work stuff on it.


I followed your instructions and here's the contents of the file:



notcheckup23.txt
``````````````````````````````
DNS Vulnerability Check:


`````````End of Log```````````

#4 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:22 PM

Posted 12 August 2009 - 03:17 PM

Did you get approval from your IT dept. to post this here? It is a business computer, so it has corporate antivirus on it.

In most work environments, the IT staff implement specific policies and procedures for the use of computer equipment and related resources.

In fact, many companies will require you to read those policies and sign a statement of understanding. Further, they usually have procedures in place to deal with infections on the network and usually do not approve of employees seeking help at an online forum or outside the business office.

If their typical solution is to re-image, then have your supervisor speak to them about taking another approach.

Let me know what your IT dept. says.

Edited by SifuMike, 12 August 2009 - 03:18 PM.


#5 SteveML

SteveML
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  • Local time:05:22 PM

Posted 12 August 2009 - 03:23 PM

Because it's my PC, we have an agreement that the maintenance of the PC is my responsibility, as long as I run the corporate anti-virus, which is McAfee.

#6 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:22 PM

Posted 12 August 2009 - 03:47 PM

Hi Steve,

OK, but you need to back up the business data before proceeding.

If the worst case happens and the computer is trashed by our tools, then at least you have saved the business data.

We need to disable McAfee VirusScan Enterprise. Do you know how to do that? It is necessary to run one of our tools.

#7 SteveML

SteveML
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  • Local time:05:22 PM

Posted 12 August 2009 - 03:54 PM

Yes, I've already backed up any business data.

Yes, I can disable McAfee.

#8 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:22 PM

Posted 12 August 2009 - 04:10 PM

Hi SteveML,

We will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your McAfee VirusScan Enterprise before running ComboFix, as it will prevent ComboFix from running.

Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Make sure you let ComboFix install Recovery Console.

To work properly, you must install ComboFix on the Desktop.
Post the log from ComboFix in your next reply.

A caution - ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you -- please tell me.
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Edited by SifuMike, 12 August 2009 - 04:10 PM.


#9 SteveML

SteveML
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  • Local time:05:22 PM

Posted 12 August 2009 - 07:33 PM

ComboFix 09-08-10.06 - sleitz 08/12/2009 20:09.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1431 [GMT -4:00]
Running from: c:\documents and settings\sleitz\Desktop\ComboFix.exe
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\sleitz\LOCALS~1\Temp\clclean.0001.dir.0181\~df394b.tmp
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\sleitz\Local Settings\Temp\clclean.0001.dir.0181\~df394b.tmp
c:\temp\0b9
c:\temp\0b9\tmpTF.log
c:\windows\Installer\30541.msi
c:\windows\system32\Cache
c:\windows\system32\Data
c:\windows\system32\dgjlm.bak1
c:\windows\system32\dgjlm.ini
c:\windows\system32\drivers\1028_DELL_XPS_MP061 .MRK
c:\windows\system32\drivers\DELL_XPS_MP061 .MRK
c:\windows\system32\efhkj.bak1
c:\windows\system32\efhkj.ini
c:\windows\system32\ias\ntp2.ini
c:\windows\system32\pqtss.bak1
c:\windows\system32\pqtss.ini
c:\windows\system32\stvwa.bak1
c:\windows\system32\stvwa.ini
c:\windows\system32\T3
c:\windows\system32\T4
c:\windows\system32\T6

----- BITS: Possible infected sites -----

hxxp://10.34.32.149
.
((((((((((((((((((((((((( Files Created from 2009-07-13 to 2009-08-13 )))))))))))))))))))))))))))))))
.

2009-08-12 20:01 . 2009-08-12 20:01 152576 ----a-w- c:\documents and settings\sleitz\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-03 02:55 . 2009-08-03 02:55 -------- d-----w- c:\program files\Trend Micro
2009-07-31 18:10 . 2009-08-07 15:33 3942048 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-07-31 18:09 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-31 18:09 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-31 03:50 . 2009-08-13 00:20 -------- d-----w- c:\documents and settings\sleitz\Tracing
2009-07-31 03:48 . 2009-07-31 03:48 -------- d-----w- c:\program files\Microsoft
2009-07-31 03:48 . 2009-07-31 03:48 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-07-31 03:47 . 2009-07-31 03:48 -------- d-----w- c:\program files\Windows Live
2009-07-31 03:33 . 2009-07-31 03:33 -------- d-----w- c:\program files\Common Files\Windows Live
2009-07-31 01:44 . 2009-07-31 01:44 -------- d-----w- c:\windows\system32\XPSViewer
2009-07-31 01:44 . 2009-07-31 01:44 -------- d-----w- c:\program files\MSBuild
2009-07-31 01:44 . 2009-07-31 01:44 -------- d-----w- c:\program files\Reference Assemblies
2009-07-31 01:43 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-07-31 01:43 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-07-31 01:43 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-07-31 01:43 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-07-31 01:43 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-07-31 01:43 . 2009-07-31 01:44 -------- d-----w- C:\0da5e34cbd23dc95a9ab0ecb2928
2009-07-31 01:43 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-07-31 01:43 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2009-07-30 01:33 . 2009-07-30 01:41 -------- d--h--w- C:\$AVG8.VAULT$
2009-07-30 00:31 . 2009-07-30 00:31 -------- d-----w- c:\program files\AVG
2009-07-29 14:16 . 2009-07-29 14:16 -------- d-----w- c:\documents and settings\sleitz\Application Data\Malwarebytes
2009-07-29 14:16 . 2009-08-07 15:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-29 14:16 . 2009-07-29 14:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-12 20:02 . 2009-03-24 19:58 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-12 20:01 . 2006-11-23 12:34 -------- d-----w- c:\program files\Java
2009-07-31 03:50 . 2007-01-16 15:44 77024 ----a-w- c:\documents and settings\sleitz\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-30 18:40 . 2009-04-15 00:07 -------- d-----w- c:\program files\TaxCut08
2009-07-30 18:38 . 2008-04-09 22:24 -------- d-----w- c:\program files\TaxCut07
2009-07-30 18:24 . 2008-04-09 22:24 -------- d-----w- c:\program files\PDF995
2009-07-30 18:22 . 2007-04-10 01:53 -------- d-----w- c:\program files\TaxCut06
2009-07-30 04:11 . 2007-11-14 00:29 -------- d-----w- c:\program files\Common Files\Apple
2009-07-29 19:19 . 2006-11-23 12:59 -------- d-----w- c:\documents and settings\All Users\Application Data\YAHOO
2009-07-29 19:17 . 2006-11-23 12:59 -------- d-----w- c:\program files\Yahoo!
2009-07-29 03:29 . 2007-01-16 19:03 -------- d-----w- c:\documents and settings\sleitz\Application Data\U3
2009-07-06 18:06 . 2009-07-06 17:54 -------- d-----w- c:\documents and settings\All Users\Application Data\iPass
2009-07-06 17:55 . 2009-07-06 17:55 21393 ----a-w- c:\windows\system32\drivers\iPassP.sys
2009-07-06 17:54 . 2006-11-23 12:42 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-06 17:54 . 2009-07-06 17:54 -------- d-----w- c:\program files\iPass
2009-06-26 16:50 . 2004-08-11 23:00 666624 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:50 . 2004-08-11 23:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-18 13:28 . 2007-04-10 01:55 -------- d-----w- c:\documents and settings\All Users\Application Data\pdf995
2009-06-16 14:36 . 2004-08-11 23:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2004-08-11 23:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-06 16:25 . 2008-06-02 02:46 132 ----a-w- c:\windows\system32\Audit.bat
2009-06-03 19:09 . 2004-08-11 23:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2008-06-05 20:15 . 2006-12-29 02:47 88 --sh--r- c:\windows\system32\05E65E32C8.sys
2008-06-05 20:15 . 2006-12-29 02:47 2984 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-01 68856]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"eFax 4.4"="c:\program files\eFax Messenger 4.4\J2GDllCmd.exe" [2008-10-07 95744]
"SetDefaultMIDI"="MIDIDef.exe" - c:\windows\MIDIDEF.EXE [2004-12-22 24576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-09 761947]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-09 2183168]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-05-14 1191936]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-11-18 30192]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-05-02 184320]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-23 94208]
"Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 147514]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"CTSVolFE.exe"="c:\program files\Creative\Mixer\CTSVolFE.exe" [2005-02-23 57344]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-31 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-31 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-30 138008]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-12 149280]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-25 282624]
"MBMon"="CTMBHA.DLL" - c:\windows\system32\CTMBHA.DLL [2006-06-29 1355042]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-09-21 55824]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-09-21 55824]

c:\documents and settings\sleitz\Start Menu\Programs\Startup\AutorunsDisabled
eFax 4.4.lnk - c:\program files\eFax Messenger 4.4\J2GTray.exe [2008-10-7 656896]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-5-24 622653]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-1-3 784912]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2008-1-14 69632]

c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2007-11-15 15:10 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-938813117-458837582-310601177-343043\Scripts\Logon\0\0]
"Script"=\\infor.com\NETLOGON\maxcinstall.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-938813117-458837582-310601177-343043\Scripts\Logon\1\0]
"Script"=TrackIt.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-938813117-458837582-310601177-343043\Scripts\Logon\2\0]
"Script"=IESecurity_LocalIntranet_AddCompanyDomains.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-938813117-458837582-310601177-343043\Scripts\Logon\3\0]
"Script"=\\infor.com\sysvol\infor.com\scripts\Enterprise Vault\EVCinstall.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R0 sonyhcb;Sony Digital Imaging Base;c:\windows\system32\drivers\sonyhcb.sys [3/1/2008 11:17 PM 6097]
R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [1/16/2007 2:45 PM 58464]
R2 BCLMD_M;SSA License Server (Master:6005);c:\program files\Baan\shared\bin\BclmServer.exe [1/16/2008 1:16 PM 1002244]
R2 GS_Tnet;Georgia SoftWorks UTS;c:\gs_uts\GS_Tnet.exe [1/23/2007 10:30 PM 90112]
R2 Infor WMS Printer;Infor WMS paperwork reprint helper;c:\program files\Infor\Infor WMS\bin\Provia.Printer.exe [3/13/2008 1:09 PM 32768]
R2 SMmonitor;IBM DS3000 Storage Manager 2 Event Monitor;c:\program files\IBM_DS3000\client\monitor\SMmonitor.exe [12/8/2008 4:56 PM 69632]
R2 ViaInstanceService;Via-Instance-Service;c:\program files\Infor\Infor WMS\bin\instserver.exe [3/12/2008 8:08 PM 488960]
S3 CSVirtA;Cisco Systems SSL VPN Adapter;c:\windows\system32\drivers\CSVirtA.sys [10/24/2008 2:00 PM 21240]
S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [11/23/2006 8:56 AM 30192]
S3 NaiAvFilter102;NAI Anti Virus;\Device\NaiAvFilter102.sys --> \Device\NaiAvFilter102.sys [?]
S3 sonyhcs;Sony Digital Imaging Video;c:\windows\system32\drivers\sonyhcs.sys [3/1/2008 11:17 PM 299923]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2009-08-09 c:\windows\Tasks\WMProviaWMSCleanup.job
- c:\program files\Infor\Infor WMS\scripts\cleanup.cmd [2005-03-28 15:36]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SNM - c:\program files\SpyNoMore\SNM.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.dell.com
uInternet Settings,ProxyServer = swi-isa:80
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\sleitz\Start Menu\Programs\IMVU\Run IMVU.lnk
Trusted Zone: usdavwnitco
DPF: {264AED84-12F1-4CA1-8AA7-EB939AE58D8D} - hxxps://vpn-am2.infor.com/CACHE/webvpn/stc/1/binaries/stcweb.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-12 20:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(984)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll

- - - - - - - > 'lsass.exe'(1040)
c:\windows\System32\BCMLogon.dll
c:\windows\system32\EntApi.dll

- - - - - - - > 'explorer.exe'(2948)
c:\windows\system32\EntApi.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Logitech\Bluetooth\LBTServ.exe
c:\program files\Cisco Systems\SSL VPN Client\Agent.exe
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\Network Associates\VirusScan\Mcshield.exe
c:\program files\Network Associates\VirusScan\VsTskMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\progra~1\NETWOR~1\COMMON~1\naPrdMgr.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\rundll32.exe
c:\docume~1\sleitz\LOCALS~1\Temp\clclean.0001
c:\windows\system32\igfxsrvc.exe
c:\progra~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
c:\program files\Windows Live\Contacts\wlcomm.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-08-13 20:30 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-13 00:30

Pre-Run: 19,311,923,200 bytes free
Post-Run: 27,900,108,800 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

265 --- E O F --- 2009-08-06 13:02
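The log above carries a few items a defender would want to see at a glance rather than hunt for by eye: the Windows Firewall StandardProfile policy value is 0, Security Center monitoring of the Symantec firewall is switched off, and one running process lives under a Temp directory. The Python script below is an added example, not part of this thread and not ComboFix's own logic: it parses those sections of ComboFix-style output and flags such entries. The log text it runs on is a constructed sample patterned after the one above (user name and file names are made up), and the heuristics it applies (Temp paths, non-executable extensions, firewall policy values) are assumptions of this example, intended as triage hints and not as a verdict.

```python
"""Triage helper for ComboFix-style log output (added example, not ComboFix code)."""
import re

# Constructed sample modeled on the thread's log; not a real capture.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-09 761947]
"Updater"="c:\docume~1\user\LOCALS~1\Temp\upd.exe" [2009-08-01 12288]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

------------------------ Other Running Processes ------------------------
.
c:\windows\system32\wdfmgr.exe
c:\docume~1\user\LOCALS~1\Temp\clclean.0001
c:\windows\system32\rundll32.exe
.
"""

RUN_ENTRY = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"'   # "Name"="value"
    r'(?:\s+-\s+(?P<full>[^\[]+?))?'           # optional resolved path after " - "
    r'\s*(?:\[[^\]]*\])?\s*$'                  # optional [date size] suffix
)
REG_HEADER = re.compile(r'^\[(?P<key>.+)\]$')
# Extensions we expect for autorun targets and processes (assumption of this example).
EXEC_EXT = {".exe", ".dll", ".sys", ".bat", ".cmd", ".com", ".scr", ".lnk"}


def _reg_int(token):
    """Turn a value token such as '0 (0x0)' or 'dword:00000001' into an int."""
    token = token.strip().split()[0]
    if token.lower().startswith("dword:"):
        return int(token[6:], 16)
    return int(token, 10)


def parse_sections(log):
    """Single pass over the log: Run entries, firewall values, open ports, processes."""
    run_entries, open_ports, processes, values = [], [], [], {}
    key, in_procs = None, False
    for raw in log.splitlines():
        line = raw.strip()
        if "Other Running Processes" in line:
            in_procs = True
            continue
        if in_procs:
            if line.startswith("*"):          # next banner ends the section
                in_procs = False
            elif line and line != "." and ("\\" in line or ":" in line):
                processes.append(line)
            continue
        m = REG_HEADER.match(line)
        if m:
            key = m.group("key").lower()
            continue
        if not line or key is None:
            continue
        if key.endswith("\\run"):
            e = RUN_ENTRY.match(line)
            if e:
                run_entries.append((e.group("name"), (e.group("full") or e.group("value")).strip()))
        elif key.endswith("globallyopenports\\list"):
            e = re.match(r'^"(?P<port>[^"]+)"=\s*(?P<v>\S+)', line)
            if e:
                parts = e.group("v").split(":")      # port:proto:scope:status:...
                open_ports.append((e.group("port"), parts[3] if len(parts) > 3 else "?"))
        elif key.endswith("firewallpolicy\\standardprofile"):
            e = re.match(r'^"EnableFirewall"=\s*(.+)$', line)
            if e:
                values["EnableFirewall"] = _reg_int(e.group(1))
        elif key.endswith("monitoring\\symantecfirewall"):
            e = re.match(r'^"DisableMonitoring"=\s*(.+)$', line)
            if e:
                values["SymantecFirewall.DisableMonitoring"] = _reg_int(e.group(1))
    return run_entries, values, open_ports, processes


def path_flags(path):
    """Reasons a path deserves a closer look; heuristics only, not a verdict."""
    p = path.lower().replace("/", "\\")
    reasons = []
    if "\\temp\\" in p or "\\locals~1\\temp" in p:
        reasons.append("runs from a Temp directory")
    base = p.rsplit("\\", 1)[-1]
    ext = base[base.rfind("."):] if "." in base else ""
    if ext not in EXEC_EXT:
        reasons.append("unusual extension %r" % ext)
    return reasons


def triage(log):
    """Return human-readable findings for the interesting parts of the log."""
    run_entries, values, open_ports, processes = parse_sections(log)
    findings = []
    for name, path in run_entries:
        for why in path_flags(path):
            findings.append("autorun %s -> %s: %s" % (name, path, why))
    for proc in processes:
        for why in path_flags(proc):
            findings.append("process %s: %s" % (proc, why))
    if values.get("EnableFirewall") == 0:
        findings.append("Windows Firewall disabled in StandardProfile policy")
    if values.get("SymantecFirewall.DisableMonitoring") == 1:
        findings.append("Security Center monitoring of the third-party firewall is disabled")
    for port, status in open_ports:
        if status.lower() == "enabled":
            findings.append("globally open port %s" % port)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)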


#10 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:22 PM

Posted 12 August 2009 - 09:14 PM

Hi SteveML,

Disable McAfee VirusScan Enterprise before running Combofix, as it will prevent it from running.

Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

Registry:: 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 SteveML

SteveML
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:05:22 PM

Posted 12 August 2009 - 10:32 PM

I had disabled McAfee the first time I ran it. It does start automatically though and I disabled after reboot.

Before I followed your latest instructions I configured McAfee so it wouldn't run at all.

Now, when I followed your latest instructions my PC froze after it completed the stages and indicated that the log was being repaired. I waited about 15 minutes with no disk activity before rebooting and that's where I am now.

#12 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:22 PM

Posted 12 August 2009 - 11:36 PM

Reboot your computer and see if there is a ComboFix.txt log. If so, post it.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 SteveML

SteveML
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:05:22 PM

Posted 13 August 2009 - 08:01 AM

When I rebooted there was no log file present.

#14 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:22 PM

Posted 13 August 2009 - 09:48 AM

There should be two logs, ComboFix.txt and ComboFix2.txt
Do a file search for ComobFix.txt
Post it when you find it.

If it is not there, then run ComboFix (without the script) after disabling your antivirus.

Post the log it produces.

Edited by SifuMike, 13 August 2009 - 09:48 AM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#15 SteveML

SteveML
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:05:22 PM

Posted 13 August 2009 - 10:08 AM

Found this under the ComboFix folder from last night:

ComboFix 09-08-10.06 - sleitz 08/12/2009 22:59:39.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1476 [GMT -4:00]
Running from: C:\Documents and Settings\sleitz\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\sleitz\Desktop\CFScript.txt
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\sleitz\LOCALS~1\Temp\clclean.0001.dir.0003\~df394b.tmp
C:\Documents and Settings\sleitz\Local Settings\Temp\clclean.0001.dir.0003\~df394b.tmp

.
((((((((((((((((((((((((( Files Created from 2009-07-13 to 2009-08-13 )))))))))))))))))))))))))))))))
.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users