
ISP won't let me on the network - not sure what virus/malware


  • This topic is locked
13 replies to this topic

#1 drrscott

drrscott

  • Members
  • 8 posts
  • OFFLINE
  • Local time:10:21 PM

Posted 16 August 2009 - 09:26 PM

I have a computer that can't get on the Internet. The Internet works fine on other computers, but every time I try to get on the Internet with this one, my ISP redirects me to an isolation page saying my computer is infected. I have run the ISP's virus scan and they didn't find anything and were no help. Posting the DDS log to see if you can help.

Thanks!


DDS (Ver_09-07-30.01) - NTFSx86
Run by Owner at 21:18:55.56 on Sun 08/16/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.382.75 [GMT -5:00]

AV: SecureIT AntiVirus *On-access scanning enabled* (Updated) {12D9381A-7023-11DC-B2FD-DA9C55D89593}
FW: SecureIT Firewall *enabled* {FA5A49F3-BB67-42B5-A730-66FB6F8363F5}
FW: SecureIT Security Firewall *disabled* {B6D25D1C-7311-4A80-B8E4-6859A5DD3490}
FW: SecureIT Security Firewall *enabled* {12D9381A-7023-11DC-B2FD-DA9C55D89593}

============== Running Processes ===============

C:\Program Files\SecureIT\SCMonitor\SCMonitorService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\SecureIT\scmonitor\SCUpdateService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\SecureIT\SCControlPanel.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\U.S. Robotics\ControlCenter\Reminder.exe
svchost
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.netins.net/
uSearch Page = hxxp://www.google.com
mStart Page = about:blank
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: MSN helper: {996d4e16-517f-474a-870f-f882c6133c47} - gacaq32.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: CPub Object: {c68ae9c0-0909-4ddc-b661-c1afb9f5ae53} - c:\program files\secureit\PopupBlocker.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [SCPopupBlocker] c:\program files\securitycoverage help and support center\PopupBlocker.exe
mRun: [SCControlPanel] c:\program files\secureit\SCControlPanel.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [readericon] c:\program files\digital media reader\readericon45G.exe
mRun: [DiskeeperSystray] "c:\program files\executive software\diskeeper\DkIcon.exe"
dRun: [Power2GoExpress] NA
StartupFolder: c:\documents and settings\owner\start menu\programs\startup\rncsys32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\instan~1.lnk - c:\program files\u.s. robotics\controlcenter\Reminder.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
LSP: c:\program files\netscape internet service\netscape web accelerator\sliplsp.dll
DPF: {0742b9ef-8c83-41ca-bfba-830a59e23533} - hxxps://support.microsoft.com/Dcode/ActiveX/MSDcode.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 SCFilter;SCFilter;c:\windows\system32\drivers\SCFltr.sys [2008-5-8 59904]
R1 ipfrwl;ipfrwl;c:\windows\system32\drivers\ipfrwl.sys [2009-4-7 108672]
R2 SCMonitor;SecureIT Monitor Service 2.0;c:\program files\secureit\scmonitor\SCMonitorService.exe [2008-5-8 311296]
R2 scupdateservice;SecureIT Update Service;c:\program files\secureit\scmonitor\SCUpdateService.exe [2009-4-7 1793024]
S1 ndisrd;ndisrd; [x]

=============== Created Last 30 ================

2009-08-04 19:44 3,243 a------- c:\windows\system32\wbem\Outlook_01ca1565d674dd86.mof
2009-07-26 21:10 54,156 a---h--- c:\windows\QTFont.qfn
2009-07-26 21:10 1,409 a------- c:\windows\QTFont.for

==================== Find3M ====================

2009-08-16 21:19 97,342 a------- c:\windows\system32\drivers\12d8a5cc.sys
2009-07-15 19:22 2 a------- c:\documents and settings\owner\x2.dat
2007-11-15 22:51 158,112 ac------ c:\program files\startzune.exe
2007-10-18 14:10 84 ac------ c:\program files\autorun.inf
2009-01-29 23:24 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009012920090130\index.dat

============= FINISH: 21:19:30.39 ===============


#2 Net_Surfer

Net_Surfer

  • Banned
  • 2,154 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:21 PM

Posted 29 August 2009 - 07:03 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.


Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

-----------------------------------------------------------

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Kind regards
Net_Surfer

:)

#3 drrscott

drrscott
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:10:21 PM

Posted 30 August 2009 - 11:13 AM

Here is my updated log. Still not sure what is wrong - antivirus scans come up clean but my ISP won't let the computer on the network.


DDS (Ver_09-07-30.01) - NTFSx86
Run by Owner at 11:07:04.65 on Sun 08/30/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.382.37 [GMT -5:00]

AV: SecureIT AntiVirus *On-access scanning enabled* (Updated) {12D9381A-7023-11DC-B2FD-DA9C55D89593}
FW: SecureIT Firewall *enabled* {FA5A49F3-BB67-42B5-A730-66FB6F8363F5}
FW: SecureIT Security Firewall *disabled* {B6D25D1C-7311-4A80-B8E4-6859A5DD3490}
FW: SecureIT Security Firewall *enabled* {12D9381A-7023-11DC-B2FD-DA9C55D89593}

============== Running Processes ===============

C:\Program Files\SecureIT\SCMonitor\SCMonitorService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\SecureIT\scmonitor\SCUpdateService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\SecureIT\SCControlPanel.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\U.S. Robotics\ControlCenter\Reminder.exe
svchost
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.netins.net/
uSearch Page = hxxp://www.google.com
mStart Page = about:blank
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: MSN helper: {996d4e16-517f-474a-870f-f882c6133c47} - gacaq32.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: CPub Object: {c68ae9c0-0909-4ddc-b661-c1afb9f5ae53} - c:\program files\secureit\PopupBlocker.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [SCPopupBlocker] c:\program files\securitycoverage help and support center\PopupBlocker.exe
mRun: [SCControlPanel] c:\program files\secureit\SCControlPanel.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [readericon] c:\program files\digital media reader\readericon45G.exe
mRun: [DiskeeperSystray] "c:\program files\executive software\diskeeper\DkIcon.exe"
dRun: [Power2GoExpress] NA
StartupFolder: c:\documents and settings\owner\start menu\programs\startup\rncsys32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\instan~1.lnk - c:\program files\u.s. robotics\controlcenter\Reminder.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
LSP: c:\program files\netscape internet service\netscape web accelerator\sliplsp.dll
DPF: {0742b9ef-8c83-41ca-bfba-830a59e23533} - hxxps://support.microsoft.com/Dcode/ActiveX/MSDcode.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 SCFilter;SCFilter;c:\windows\system32\drivers\SCFltr.sys [2008-5-8 59904]
R1 ipfrwl;ipfrwl;c:\windows\system32\drivers\ipfrwl.sys [2009-4-7 108672]
R2 SCMonitor;SecureIT Monitor Service 2.0;c:\program files\secureit\scmonitor\SCMonitorService.exe [2008-5-8 311296]
R2 scupdateservice;SecureIT Update Service;c:\program files\secureit\scmonitor\SCUpdateService.exe [2009-4-7 1793024]
S1 ndisrd;ndisrd; [x]

=============== Created Last 30 ================

2009-08-04 19:44 3,243 a------- c:\windows\system32\wbem\Outlook_01ca1565d674dd86.mof

==================== Find3M ====================

2009-08-30 11:07 97,342 a------- c:\windows\system32\drivers\12d8a5cc.sys
2009-07-15 19:22 2 a------- c:\documents and settings\owner\x2.dat
2007-11-15 22:51 158,112 ac------ c:\program files\startzune.exe
2007-10-18 14:10 84 ac------ c:\program files\autorun.inf
2009-01-29 23:24 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009012920090130\index.dat

============= FINISH: 11:07:40.79 ===============


#4 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:21 PM

Posted 03 September 2009 - 06:56 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

I do see signs of infection.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop. If you have already run ComboFix, delete your old copy and download a new one.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.
    Posted Image
    Posted Image

  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
    Posted Image
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER to your desktop. Note that the file will be randomly named to prevent active malware from stopping the download.
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click the GMER program ******.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.

In your next reply include:
-the ComboFix log
-the GMER scan log

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda

#5 drrscott

drrscott
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:10:21 PM

Posted 05 September 2009 - 02:41 PM

Thanks for your help. I have made no changes to my computer since the last post.

Here is the combofix log:
ComboFix 09-09-04.02 - Owner 09/05/2009 13:34.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.382.64 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: SecureIT AntiVirus *On-access scanning enabled* (Updated) {12D9381A-7023-11DC-B2FD-DA9C55D89593}
FW: SecureIT Firewall *enabled* {FA5A49F3-BB67-42B5-A730-66FB6F8363F5}
FW: SecureIT Security Firewall *disabled* {B6D25D1C-7311-4A80-B8E4-6859A5DD3490}
FW: SecureIT Security Firewall *enabled* {12D9381A-7023-11DC-B2FD-DA9C55D89593}
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Application Data\wiaserva.log
c:\documents and settings\Owner\Start Menu\Programs\Startup\rncsys32.exe
c:\program files\autorun.inf
c:\recycler\S-1-5-21-1826214996-327579553-2026666529-1003
c:\windows\Downloaded Program Files\ODCTOOLS
c:\windows\Installer\1324b.msi
c:\windows\Installer\d0146.msi
c:\windows\system32\drivers\12d8a5cc.sys
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NDISRD
-------\Service_ndisrd
-------\Service_12d8a5cc


((((((((((((((((((((((((( Files Created from 2009-08-05 to 2009-09-05 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-16 14:45 . 2008-05-09 02:51 -------- d-----w- c:\program files\SecureIT
2009-07-16 00:22 . 2009-06-23 22:43 2 ----a-w- c:\documents and settings\Owner\x2.dat
2009-07-13 22:00 . 2009-07-13 22:00 1 ----a-w- c:\windows\system32\q1.dat
2007-11-16 03:51 . 2007-11-16 03:51 158112 -c--a-w- c:\program files\startzune.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-15 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2007-11-16 166304]
"SCControlPanel"="c:\program files\SecureIT\SCControlPanel.exe" [2009-05-22 3155968]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-10 139264]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Instant Update Reminder.lnk - c:\program files\U.S. Robotics\ControlCenter\Reminder.exe [2007-7-31 977408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 4 (0x4)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\U.S. Robotics\\ControlCenter\\Reminder.exe"=
"c:\\Program Files\\SecureIT\\SCManagementConsole.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 SCFilter;SCFilter;c:\windows\system32\drivers\SCFltr.sys [5/8/2008 9:51 PM 59904]
R1 ipfrwl;ipfrwl;c:\windows\system32\drivers\ipfrwl.sys [4/7/2009 8:09 PM 108672]
R2 SCMonitor;SecureIT Monitor Service 2.0;c:\program files\SecureIT\SCMonitor\SCMonitorService.exe [5/8/2008 9:51 PM 311296]
R2 scupdateservice;SecureIT Update Service;c:\program files\SecureIT\SCMonitor\SCUpdateService.exe [4/7/2009 8:09 PM 1793024]
.
Contents of the 'Scheduled Tasks' folder

2006-04-29 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-26 00:12]

2006-04-29 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-26 00:12]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SCPopupBlocker - c:\program files\SecurityCoverage Help and Support Center\PopupBlocker.exe
HKLM-Run-DiskeeperSystray - c:\program files\Executive Software\Diskeeper\DkIcon.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.netins.net/
mStart Page = about:blank
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
LSP: c:\program files\Netscape Internet Service\Netscape Web Accelerator\sliplsp.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-05 13:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(488)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(544)
c:\program files\Netscape Internet Service\Netscape Web Accelerator\sliplsp.dll

- - - - - - - > 'explorer.exe'(2412)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Netscape Internet Service\ncupdatesvc.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\system32\ZuneBusEnum.exe
.
**************************************************************************
.
Completion time: 2009-09-05 13:46 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-05 18:46

Pre-Run: 144,860,200,960 bytes free
Post-Run: 145,067,614,208 bytes free

131 --- E O F --- 2009-06-12 03:33


Here is the gmer log:

GMER 1.0.15.15077 [vz7i51yz.exe] - http://www.gmer.net
Rootkit scan 2009-09-05 14:39:41
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT SCFltr.sys ZwCreateKey [0xF77094EC]
SSDT SCFltr.sys ZwOpenKey [0xF770942C]
SSDT SCFltr.sys ZwSetValueKey [0xF77095B8]

---- Kernel code sections - GMER 1.0.15 ----

? Combo-Fix.sys The system cannot find the file specified. !
? C:\ComboFix\catchme.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [EE3C2A64] \SystemRoot\System32\Drivers\ipfrwl.SYS
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [EE3C2ABA] \SystemRoot\System32\Drivers\ipfrwl.SYS
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [EE3C2CEA] \SystemRoot\System32\Drivers\ipfrwl.SYS
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [EE3C2D14] \SystemRoot\System32\Drivers\ipfrwl.SYS
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [EE3C2CEA] \SystemRoot\System32\Drivers\ipfrwl.SYS
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [EE3C2ABA] \SystemRoot\System32\Drivers\ipfrwl.SYS
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [EE3C2A64] \SystemRoot\System32\Drivers\ipfrwl.SYS
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisCloseAdapter] [EE3C2A64] \SystemRoot\System32\Drivers\ipfrwl.SYS
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter] [EE3C2ABA] \SystemRoot\System32\Drivers\ipfrwl.SYS
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol] [EE3C2D14] \SystemRoot\System32\Drivers\ipfrwl.SYS
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol] [EE3C2CEA] \SystemRoot\System32\Drivers\ipfrwl.SYS
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [EE3C2CEA] \SystemRoot\System32\Drivers\ipfrwl.SYS
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [EE3C2D14] \SystemRoot\System32\Drivers\ipfrwl.SYS
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [EE3C2A64] \SystemRoot\System32\Drivers\ipfrwl.SYS
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [EE3C2ABA] \SystemRoot\System32\Drivers\ipfrwl.SYS

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SCFltr.sys
AttachedDevice \FileSystem\Fastfat \Fat SCFltr.sys

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{D5978620-5B9F-11D1-8DD2-00AA004ABD5 @ SENS Network Events
Reg HKLM\SOFTWARE\Classes\CLSID\{D5978620-5B9F-11D1-8DD2-00AA004ABD5 @AppID {D5978620-5B9F-11D1-8DD2-00AA004ABD5E}
Reg HKLM\SOFTWARE\Classes\CLSID\{D5978620-5B9F-11D1-8DD2-00AA004ABD5 \InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{D5978620-5B9F-11D1-8DD2-00AA004ABD5 \InprocServer32@ C:\WINDOWS\System32\ES.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{D5978620-5B9F-11D1-8DD2-00AA004ABD5 \InprocServer32@ThreadingModel Both
Reg HKLM\SOFTWARE\Classes\CLSID\{D5978620-5B9F-11D1-8DD2-00AA004ABD5 \ProgID
Reg HKLM\SOFTWARE\Classes\CLSID\{D5978620-5B9F-11D1-8DD2-00AA004ABD5 \ProgID@ SENS Network Events.1
Reg HKLM\SOFTWARE\Classes\CLSID\{D5978620-5B9F-11D1-8DD2-00AA004ABD5 \VersionIndependentProgID

---- Files - GMER 1.0.15 ----

File C:\Program Files\SecureIT\SCMonitor\quarantine\gtb1C.tmp.exe.scm 0 bytes
File C:\Program Files\SecureIT\SCMonitor\quarantine\44[1].pdf.scavm 26403 bytes
File C:\Program Files\SecureIT\SCMonitor\quarantine\A0036323.exe.scm 2079292 bytes
File C:\Program Files\SecureIT\SCMonitor\quarantine\A0036330.exe.scm 2079292 bytes
File C:\Program Files\SecureIT\SCMonitor\quarantine\A0036331.exe.scm 6319374 bytes
File C:\Program Files\SecureIT\SCMonitor\quarantine\A0036335.exe.scm 6319374 bytes
File C:\Program Files\SecureIT\SCMonitor\quarantine\A0036339.exe.scm 2079292 bytes
File C:\Program Files\SecureIT\SCMonitor\quarantine\A0041144.exe.scm 2119740 bytes
File C:\Program Files\SecureIT\SCMonitor\quarantine\gtb1.tmp.exe.scm 435824 bytes
File C:\Program Files\SecureIT\SCMonitor\quarantine\gtb10.tmp.exe.scm 435824 bytes
File C:\Program Files\SecureIT\SCMonitor\quarantine\gtb15.tmp.exe.scm 435824 bytes
File C:\Program Files\SecureIT\SCMonitor\quarantine\gtb1A.tmp.exe.scm 0 bytes
File C:\Program Files\SecureIT\SCMonitor\quarantine\gtb2.tmp.exe.scm 435824 bytes
File C:\Program Files\SecureIT\SCMonitor\quarantine\gtb3.tmp.exe.scm 435824 bytes
File C:\Program Files\SecureIT\SCMonitor\quarantine\gtb4.tmp.exe.scm 435824 bytes
File C:\Program Files\SecureIT\SCMonitor\quarantine\gtb5.tmp.exe.scm 435824 bytes
File C:\Program Files\SecureIT\SCMonitor\quarantine\gtbA.tmp.exe.scm 435824 bytes
File C:\Program Files\SecureIT\SCMonitor\quarantine\gtbB.tmp.exe.scm 435824 bytes
File C:\Program Files\SecureIT\SCMonitor\quarantine\gtbC.tmp.exe.scm 435824 bytes
File C:\Program Files\SecureIT\SCMonitor\quarantine\gtbD.tmp.exe.scm 435824 bytes
File C:\Program Files\SecureIT\SCMonitor\quarantine\Restore.exe.scm 2109440 bytes
File C:\Program Files\SecureIT\SCMonitor\quarantine\start.exe.scm 122880 bytes executable
File C:\Program Files\SecureIT\SCMonitor\quarantine\WPV051~2.SCA.scavm 212339 bytes
File C:\Program Files\SecureIT\SCMonitor\quarantine\WPV491~2.SCA.scavm 14848 bytes executable

---- EOF - GMER 1.0.15 ----

#6 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:21 PM

Posted 05 September 2009 - 03:14 PM

Hello.

There was definitely evidence of infection.

Install Recovery Console and Run ComboFix with CFScript
Before continuing, we need to install the recovery console.
  • Go to Microsoft's Website and select the download that's appropriate for your Operating System.
    Posted Image
  • Download and save the file as it is named on your desktop where ComboFix should be located.
  • Referring to the animation below, drag the Recovery Console setup file over ComboFix.exe.
    Posted Image
  • At the prompt below, select No. ComboFix will close.
    Posted Image
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    File::
    c:\windows\system32\q1.dat
    c:\documents and settings\Owner\x2.dat
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=-
    
    [HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
    "NoAutoUpdate"=-
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Posted Image
    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Download and run MalwareBytes Anti-Malware
You will need to use the MBAMRules.exe standalone updater since you do not have Internet access on that computer.

Please download the Malwarebytes Anti-Malware setup to your desktop.
alternate download link 1
alternate download link 2

Refer to the steps given here on installing MalwareBytes, running the scan, and saving the log file (not on using File Assassin).
  • If you have trouble updating, try the other mirror download site.
  • Should the computer in question not be able to update using the normal method, download the update file from here, using another machine if needed. Simply double-click the file to install the updates.
  • If MalwareBytes asks to reboot to remove certain items, do so right away.
Please include the scan logfile in your next reply.

With Regards,
The Panda

#7 drrscott
  • Topic Starter
  • Members
  • 8 posts

Posted 05 September 2009 - 08:48 PM

Panda:

Here are the updated logs:


ComboFix 09-09-04.02 - Owner 09/05/2009 20:20.3.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.382.149 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: SecureIT AntiVirus *On-access scanning enabled* (Updated) {12D9381A-7023-11DC-B2FD-DA9C55D89593}
FW: SecureIT Firewall *enabled* {FA5A49F3-BB67-42B5-A730-66FB6F8363F5}
FW: SecureIT Security Firewall *disabled* {B6D25D1C-7311-4A80-B8E4-6859A5DD3490}
FW: SecureIT Security Firewall *enabled* {12D9381A-7023-11DC-B2FD-DA9C55D89593}

FILE ::
"c:\documents and settings\Owner\x2.dat"
"c:\windows\system32\q1.dat"
.

((((((((((((((((((((((((( Files Created from 2009-08-06 to 2009-09-06 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-06 01:12 . 2007-11-08 02:58 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-16 14:45 . 2008-05-09 02:51 -------- d-----w- c:\program files\SecureIT
2007-11-16 03:51 . 2007-11-16 03:51 158112 -c--a-w- c:\program files\startzune.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-10 139264]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Instant Update Reminder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Instant Update Reminder.lnk
backup=c:\windows\pss\Instant Update Reminder.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"scupdateservice"=2 (0x2)
"SCMonitor"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\U.S. Robotics\\ControlCenter\\Reminder.exe"=
"c:\\Program Files\\SecureIT\\SCManagementConsole.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 SCFilter;SCFilter;c:\windows\system32\drivers\SCFltr.sys [5/8/2008 9:51 PM 59904]
R1 ipfrwl;ipfrwl;c:\windows\system32\drivers\ipfrwl.sys [4/7/2009 8:09 PM 108672]
S4 SCMonitor;SecureIT Monitor Service 2.0;c:\program files\SecureIT\SCMonitor\SCMonitorService.exe [5/8/2008 9:51 PM 311296]
S4 scupdateservice;SecureIT Update Service;c:\program files\SecureIT\SCMonitor\SCUpdateService.exe [4/7/2009 8:09 PM 1793024]
.
Contents of the 'Scheduled Tasks' folder

2006-04-29 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-26 00:12]

2006-04-29 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-26 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.netins.net/
mStart Page = about:blank
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
LSP: c:\program files\Netscape Internet Service\Netscape Web Accelerator\sliplsp.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-05 20:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(484)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(540)
c:\program files\Netscape Internet Service\Netscape Web Accelerator\sliplsp.dll

- - - - - - - > 'explorer.exe'(2288)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-09-06 20:26
ComboFix-quarantined-files.txt 2009-09-06 01:26
ComboFix2.txt 2009-09-06 00:34
ComboFix3.txt 2009-09-05 18:46

Pre-Run: 145,013,207,040 bytes free
Post-Run: 144,966,692,864 bytes free

97 --- E O F --- 2009-06-12 03:33



MalWare log:
Malwarebytes' Anti-Malware 1.40
Database version: 2734
Windows 5.1.2600 Service Pack 3

9/5/2009 8:38:25 PM
mbam-log-2009-09-05 (20-38-09).txt

Scan type: Quick Scan
Objects scanned: 96655
Time elapsed: 3 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 6
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\BN (Trojan.Ambler) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\D1 (Trojan.Ambler) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\D2 (Trojan.Ambler) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\D3 (Trojan.Ambler) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\gd (Trojan.Ambler) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\pr (Trojan.Ambler) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\20080601.log (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\20080602.log (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\20080604.log (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\20080605.log (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\20080606.log (Trojan.Agent) -> No action taken.

Malwarebytes' Anti-Malware 1.40
Database version: 2734
Windows 5.1.2600 Service Pack 3

9/5/2009 8:39:40 PM
mbam-log-2009-09-05 (20-39-40).txt

Scan type: Quick Scan
Objects scanned: 96655
Time elapsed: 3 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 6
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\BN (Trojan.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\D1 (Trojan.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\D2 (Trojan.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\D3 (Trojan.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\gd (Trojan.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\pr (Trojan.Ambler) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\20080601.log (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\20080602.log (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\20080604.log (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\20080605.log (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\20080606.log (Trojan.Agent) -> Quarantined and deleted successfully.


Panda:
Note: These files are still in the Quarantined folder. They have not been deleted despite what the logs say.

#8 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 05 September 2009 - 09:29 PM

Hello.

These files are still in the Quarantined folder. They have not been deleted despite what the logs say.

The "Quarantined and deleted successfully" is meant to indicate that the file was deleted from its original location, and a backup was created in the quarantine folder.

Is your ISP still giving that warning?

With Regards,
The Panda
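As an added example that is not part of the original thread: a small Python parser for the Malwarebytes 1.40 text log format posted above, which diffs a "No action taken" run against the follow-up run to confirm every flagged item was reported as quarantined and deleted (the backup-and-delete behaviour Panda describes). The two sample logs are constructed here and are not the poster's real logs.

```python
import re
# Detection line, e.g. HKEY_LOCAL_MACHINE\SOFTWARE\MSN\BN (Trojan.Ambler) -> No action taken.
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<name>[^)]+)\) -> (?P<action>.+?)\.?$")
# Section header such as "Registry Values Infected:"; the summary lines near the top
# carry a count after the colon and are deliberately not matched.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")

def parse_mbam_log(text):
    """Map (section, item) -> (detection name, action) for every detection line."""
    results, section = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        header = SECTION_RE.match(line)
        if header:
            section = header.group("section")
            continue
        if section is None or not line or line.startswith("("):
            continue  # preamble, blank line, or "(No malicious items detected)"
        hit = DETECTION_RE.match(line)
        if hit:
            results[(section, hit.group("item"))] = (hit.group("name"), hit.group("action"))
    return results

def unresolved_detections(before_log, after_log):
    """Items left as "No action taken" that the second run did not report as quarantined."""
    before, after = parse_mbam_log(before_log), parse_mbam_log(after_log)
    pending = []
    for key, (_name, action) in before.items():
        if action.startswith("No action taken"):
            follow_up = after.get(key)
            if follow_up is None or not follow_up[1].startswith("Quarantined and deleted"):
                pending.append(key)
    return pending

# Constructed sample logs modelled on the two MBAM runs posted in this thread;
# D1 is deliberately left untouched in the second run so the check has something to report.
BEFORE_LOG = r"""Malwarebytes' Anti-Malware 1.40
Registry Values Infected: 2

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\BN (Trojan.Ambler) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\D1 (Trojan.Ambler) -> No action taken.
Files Infected:
C:\WINDOWS\system32\20080601.log (Trojan.Agent) -> No action taken.
"""
AFTER_LOG = r"""Malwarebytes' Anti-Malware 1.40
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\BN (Trojan.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\D1 (Trojan.Ambler) -> No action taken.
Files Infected:
C:\WINDOWS\system32\20080601.log (Trojan.Agent) -> Quarantined and deleted successfully.
"""
```

Running `unresolved_detections(BEFORE_LOG, AFTER_LOG)` returns only the D1 registry value, which is the one item a second pass should still handle.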

#9 drrscott
  • Topic Starter
  • Members
  • 8 posts

Posted 06 September 2009 - 07:28 AM

Hey Panda:

I cannot test the ISP as I am working on my parents' computer for them, in a different state actually. So until I take it back I am not sure we can be sure this one is fixed. Do you want me to post a new log and try and look for any other infections? Otherwise, we might have to postpone this topic until I deliver it back home. Please let me know what you want me to do.

Thanks,
Dylan

#10 drrscott
  • Topic Starter
  • Members
  • 8 posts

Posted 06 September 2009 - 07:39 AM

Also, a question for you: should I delete those files or just leave them in the Quarantined folder, in regard to the last scan?

#11 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 06 September 2009 - 09:20 AM

Hello.

Let's leave this topic until you can test that.

Please leave the items in quarantine, in case we need the backups for some reason.

With Regards,
The Panda

#12 drrscott
  • Topic Starter
  • Members
  • 8 posts

Posted 06 September 2009 - 10:25 AM

Panda:

Should I reply to this topic in the future, or open a new topic after I get this tested? It could be a month.

Thanks,
Dylan

#13 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 06 September 2009 - 10:58 AM

I'll close this topic.

When you can get it tested, PM me and I'll reopen it. Sounds good?

With Regards,
The Panda

#14 drrscott
  • Topic Starter
  • Members
  • 8 posts

Posted 07 September 2009 - 05:56 PM

Yes, I will PM you when I can test it.

Thanks for your help so far!!
