Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected copy of BITS


  • This topic is locked This topic is locked
3 replies to this topic

#1 petey2020

petey2020

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:11:09 PM

Posted 26 September 2009 - 05:17 PM

I am not sure what or where the root of my problem is but my computer run very slow and the cpu easily reaches 100%. Combofix finds an infected copy of qmgr.dll and attempts to fix the problem and after system reboot the infected copy is still present. I have tried running DBAN and reinstalling but somehow the infected file is still found. Any help will be greatly appreciated.


DDS (Ver_09-09-24.01) - NTFSx86
Run by Administrator at 17:57:01.06 on Sat 09/26/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.798 [GMT -4:00]

AV: COMODO Antivirus *On-access scanning enabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Documents and Settings\Administrator\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = about:blank
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [COMODO livePCsupport] c:\program files\comodo\livepcsupport\ELPS.exe
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
TCP: {6D3510E9-FE17-4E8F-8136-B67C84035D64} = 156.154.70.22,156.154.71.22
AppInit_DLLs: c:\windows\system32\guard32.dll

============= SERVICES / DRIVERS ===============

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-9-26 132296]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-9-26 25160]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2009-9-26 723632]

=============== Created Last 30 ================

2009-09-26 17:19 664 a------- c:\windows\system32\d3d9caps.tmp
2009-09-26 17:18 664 a------- c:\windows\system32\d3d9caps.dat
2009-09-26 16:59 411,368 a------- c:\windows\system32\deploytk.dll
2009-09-26 16:59 73,728 a------- c:\windows\system32\javacpl.cpl
2009-09-26 16:55 16,824,096 a------- C:\jre-6u16-windows-i586-s.exe
2009-09-26 15:18 130 a------- c:\windows\cfplogvw.INI
2009-09-26 14:47 8,864 a------- c:\windows\system32\drivers\sfi.dat
2009-09-26 14:46 <DIR> --ds---- c:\windows\system32\Microsoft
2009-09-26 14:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Comodo
2009-09-26 14:43 179,792 a------- c:\windows\system32\guard32.dll
2009-09-26 14:43 132,296 a------- c:\windows\system32\drivers\cmdguard.sys
2009-09-26 14:43 25,160 a------- c:\windows\system32\drivers\cmdhlp.sys
2009-09-26 14:43 <DIR> --d----- c:\program files\COMODO
2009-09-26 14:43 40,519,952 a------- C:\CIS_Setup_3.12.111745.560_XP_Vista_x32.exe
2009-09-26 14:09 <DIR> --d----- c:\windows\system32\wbem\AutoRecover
2009-09-26 14:07 316,640 a------- c:\windows\WMSysPr9.prx
2009-09-26 14:02 2,897,920 -------- c:\windows\system32\xpsp2res.dll
2009-09-26 14:02 19,528 a------- c:\windows\003537_.tmp
2009-09-26 14:02 <DIR> --d----- c:\windows\system32\ReinstallBackups
2009-09-26 14:02 15,872 a------- c:\windows\system32\spupdsvc.exe
2009-09-26 13:51 <DIR> --d----- c:\windows\ServicePackFiles
2009-09-26 13:51 <DIR> --d----- c:\windows\ehome
2009-09-26 13:47 147,456 a------- c:\windows\system32\odbctrac.dll
2009-09-26 13:46 290,816 a------- c:\windows\system32\l3codeca.acm
2009-09-19 11:51 <DIR> --ds---- c:\documents and settings\administrator\UserData
2009-09-19 08:44 89,104 ac------ c:\windows\system32\dllcache\e1000nt5.sys
2009-09-19 08:44 89,104 a------- c:\windows\system32\drivers\e1000nt5.sys
2009-09-19 08:44 53,248 a------- c:\windows\system32\Prounstl.exe
2009-09-19 08:44 23,040 a------- c:\windows\system32\IntelNic.dll
2009-09-19 08:44 2,726 a------- c:\windows\system32\net8254x.din
2009-09-19 08:42 446,464 a----r-- c:\windows\system32\hhactivex.dll
2009-09-19 08:42 1,064,456 a------- c:\windows\system32\MSCOMCTL.OCX
2009-09-19 08:42 645,616 a------- c:\windows\system32\MSCOMCT2.OCX
2009-09-19 08:42 414,944 a------- c:\windows\system32\COMCT332.OCX
2009-09-19 08:42 328,480 a------- c:\windows\system32\ssa3d30.ocx
2009-09-19 08:42 176,128 a------- c:\windows\system32\RcdScan.dll
2009-09-19 08:42 171,967 a------- c:\windows\system32\Odbcjet.hlp
2009-09-19 08:42 89,360 a------- c:\windows\system32\VB5DB.DLL
2009-09-19 08:42 7,348 a------- c:\windows\system32\Odbcjet.cnt
2009-09-19 08:42 13,632 -------- c:\windows\system32\drivers\omci.sys
2009-09-19 08:32 <DIR> --dsh--- c:\windows\Installer
2009-09-19 08:31 <DIR> --d----- c:\documents and settings\Administrator
2009-09-19 08:31 8,192 a------- c:\windows\REGLOCS.OLD
2009-09-19 08:29 53,248 ac------ c:\windows\system32\dllcache\nextlink.dll
2009-09-19 08:28 14,848 ac------ c:\windows\system32\dllcache\flattemp.exe
2009-09-19 08:27 2,515,312 a------- c:\windows\system32\IE60~1.EXE
2009-09-19 08:25 <DIR> --dsh--- c:\documents and settings\all users\DRM
2009-09-19 08:25 488 a---hr-- c:\windows\system32\WindowsLogon.manifest
2009-09-19 08:25 488 a---hr-- c:\windows\system32\logonui.exe.manifest
2009-09-19 08:25 <DIR> --ds---- c:\windows\Downloaded Program Files
2009-09-19 08:25 <DIR> --d--r-- c:\windows\Offline Web Pages
2009-09-19 08:25 749 a---hr-- c:\windows\WindowsShell.Manifest
2009-09-19 08:25 749 a---hr-- c:\windows\system32\wuaucpl.cpl.manifest
2009-09-19 08:25 749 a---hr-- c:\windows\system32\sapi.cpl.manifest
2009-09-19 08:25 749 a---hr-- c:\windows\system32\nwc.cpl.manifest
2009-09-19 08:25 749 a---hr-- c:\windows\system32\ncpa.cpl.manifest
2009-09-19 08:25 749 a---hr-- c:\windows\system32\cdplayer.exe.manifest
2009-09-19 08:24 4,399,505 ac------ c:\windows\system32\dllcache\nls302en.lex
2009-09-19 08:24 <DIR> --d----- c:\windows\srchasst
2009-09-19 08:24 <DIR> --d----- c:\windows\system32\DirectX
2009-09-19 08:23 <DIR> --d----- c:\program files\common files\MSSoap
2009-09-19 08:22 <DIR> --d-h--- c:\program files\WindowsUpdate
2009-09-19 08:22 <DIR> --d----- c:\program files\Online Services
2009-09-19 08:21 <DIR> --d----- c:\program files\Messenger
2009-09-19 08:21 <DIR> --d----- c:\program files\MSN Gaming Zone
2009-09-19 08:21 <DIR> --d----- c:\program files\Windows NT
2009-09-19 04:17 <DIR> --d----- c:\program files\common files\ODBC
2009-09-19 04:16 <DIR> --d----- c:\program files\common files\SpeechEngines
2009-09-19 04:16 <DIR> --d--r-- c:\documents and settings\all users\Documents

==================== Find3M ====================

2009-09-19 08:28 5,473,872 a----r-- c:\windows\system32\MSJAVX86.EXE
2009-09-19 08:22 21,640 a------- c:\windows\system32\emptyregdb.dat

============= FINISH: 17:57:36.95 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 petey2020

petey2020
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:11:09 PM

Posted 26 September 2009 - 07:35 PM

This is an updated DDS log and Attach.txt with A/V disabled.


DDS (Ver_09-09-24.01) - NTFSx86
Run by Administrator at 20:30:55.64 on Sat 09/26/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.797 [GMT -4:00]

AV: COMODO Antivirus *On-access scanning disabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Documents and Settings\Administrator\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = about:blank
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [COMODO livePCsupport] c:\program files\comodo\livepcsupport\ELPS.exe
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
TCP: {6D3510E9-FE17-4E8F-8136-B67C84035D64} = 156.154.70.22,156.154.71.22
AppInit_DLLs: c:\windows\system32\guard32.dll

============= SERVICES / DRIVERS ===============

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-9-26 132296]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-9-26 25160]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2009-9-26 723632]

=============== Created Last 30 ================

2009-09-26 17:18 664 a------- c:\windows\system32\d3d9caps.dat
2009-09-26 16:59 411,368 a------- c:\windows\system32\deploytk.dll
2009-09-26 16:59 73,728 a------- c:\windows\system32\javacpl.cpl
2009-09-26 16:55 16,824,096 a------- C:\jre-6u16-windows-i586-s.exe
2009-09-26 15:18 130 a------- c:\windows\cfplogvw.INI
2009-09-26 14:47 8,864 a------- c:\windows\system32\drivers\sfi.dat
2009-09-26 14:46 <DIR> --ds---- c:\windows\system32\Microsoft
2009-09-26 14:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Comodo
2009-09-26 14:43 179,792 a------- c:\windows\system32\guard32.dll
2009-09-26 14:43 132,296 a------- c:\windows\system32\drivers\cmdguard.sys
2009-09-26 14:43 25,160 a------- c:\windows\system32\drivers\cmdhlp.sys
2009-09-26 14:43 <DIR> --d----- c:\program files\COMODO
2009-09-26 14:43 40,519,952 a------- C:\CIS_Setup_3.12.111745.560_XP_Vista_x32.exe
2009-09-26 14:09 <DIR> --d----- c:\windows\system32\wbem\AutoRecover
2009-09-26 14:07 316,640 a------- c:\windows\WMSysPr9.prx
2009-09-26 14:02 2,897,920 -------- c:\windows\system32\xpsp2res.dll
2009-09-26 14:02 19,528 a------- c:\windows\003537_.tmp
2009-09-26 14:02 <DIR> --d----- c:\windows\system32\ReinstallBackups
2009-09-26 14:02 15,872 a------- c:\windows\system32\spupdsvc.exe
2009-09-26 13:51 <DIR> --d----- c:\windows\ServicePackFiles
2009-09-26 13:51 <DIR> --d----- c:\windows\ehome
2009-09-26 13:47 147,456 a------- c:\windows\system32\odbctrac.dll
2009-09-26 13:46 290,816 a------- c:\windows\system32\l3codeca.acm
2009-09-19 11:51 <DIR> --ds---- c:\documents and settings\administrator\UserData
2009-09-19 08:44 89,104 ac------ c:\windows\system32\dllcache\e1000nt5.sys
2009-09-19 08:44 89,104 a------- c:\windows\system32\drivers\e1000nt5.sys
2009-09-19 08:44 53,248 a------- c:\windows\system32\Prounstl.exe
2009-09-19 08:44 23,040 a------- c:\windows\system32\IntelNic.dll
2009-09-19 08:44 2,726 a------- c:\windows\system32\net8254x.din
2009-09-19 08:42 446,464 a----r-- c:\windows\system32\hhactivex.dll
2009-09-19 08:42 1,064,456 a------- c:\windows\system32\MSCOMCTL.OCX
2009-09-19 08:42 645,616 a------- c:\windows\system32\MSCOMCT2.OCX
2009-09-19 08:42 414,944 a------- c:\windows\system32\COMCT332.OCX
2009-09-19 08:42 328,480 a------- c:\windows\system32\ssa3d30.ocx
2009-09-19 08:42 176,128 a------- c:\windows\system32\RcdScan.dll
2009-09-19 08:42 171,967 a------- c:\windows\system32\Odbcjet.hlp
2009-09-19 08:42 89,360 a------- c:\windows\system32\VB5DB.DLL
2009-09-19 08:42 7,348 a------- c:\windows\system32\Odbcjet.cnt
2009-09-19 08:42 13,632 -------- c:\windows\system32\drivers\omci.sys
2009-09-19 08:32 <DIR> --dsh--- c:\windows\Installer
2009-09-19 08:31 <DIR> --d----- c:\documents and settings\Administrator
2009-09-19 08:31 8,192 a------- c:\windows\REGLOCS.OLD
2009-09-19 08:29 53,248 ac------ c:\windows\system32\dllcache\nextlink.dll
2009-09-19 08:28 14,848 ac------ c:\windows\system32\dllcache\flattemp.exe
2009-09-19 08:27 2,515,312 a------- c:\windows\system32\IE60~1.EXE
2009-09-19 08:25 <DIR> --dsh--- c:\documents and settings\all users\DRM
2009-09-19 08:25 488 a---hr-- c:\windows\system32\WindowsLogon.manifest
2009-09-19 08:25 488 a---hr-- c:\windows\system32\logonui.exe.manifest
2009-09-19 08:25 <DIR> --ds---- c:\windows\Downloaded Program Files
2009-09-19 08:25 <DIR> --d--r-- c:\windows\Offline Web Pages
2009-09-19 08:25 749 a---hr-- c:\windows\WindowsShell.Manifest
2009-09-19 08:25 749 a---hr-- c:\windows\system32\wuaucpl.cpl.manifest
2009-09-19 08:25 749 a---hr-- c:\windows\system32\sapi.cpl.manifest
2009-09-19 08:25 749 a---hr-- c:\windows\system32\nwc.cpl.manifest
2009-09-19 08:25 749 a---hr-- c:\windows\system32\ncpa.cpl.manifest
2009-09-19 08:25 749 a---hr-- c:\windows\system32\cdplayer.exe.manifest
2009-09-19 08:24 4,399,505 ac------ c:\windows\system32\dllcache\nls302en.lex
2009-09-19 08:24 <DIR> --d----- c:\windows\srchasst
2009-09-19 08:24 <DIR> --d----- c:\windows\system32\DirectX
2009-09-19 08:23 <DIR> --d----- c:\program files\common files\MSSoap
2009-09-19 08:22 <DIR> --d-h--- c:\program files\WindowsUpdate
2009-09-19 08:22 <DIR> --d----- c:\program files\Online Services
2009-09-19 08:21 <DIR> --d----- c:\program files\Messenger
2009-09-19 08:21 <DIR> --d----- c:\program files\MSN Gaming Zone
2009-09-19 08:21 <DIR> --d----- c:\program files\Windows NT
2009-09-19 04:17 <DIR> --d----- c:\program files\common files\ODBC
2009-09-19 04:16 <DIR> --d----- c:\program files\common files\SpeechEngines
2009-09-19 04:16 <DIR> --d--r-- c:\documents and settings\all users\Documents

==================== Find3M ====================

2009-09-19 08:28 5,473,872 a----r-- c:\windows\system32\MSJAVX86.EXE
2009-09-19 08:22 21,640 a------- c:\windows\system32\emptyregdb.dat

============= FINISH: 20:31:07.32 ===============

Hello petey2020,

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible.

Thank you for understanding.

Regards,

The weatherman
(Moderator)

Attached Files


Edited by The weatherman, 27 September 2009 - 05:22 PM.


#3 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,702 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:11:09 PM

Posted 13 October 2009 - 11:46 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:10:09 PM

Posted 24 October 2009 - 02:57 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users