Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HijackThis Log: Please help Diagnose


  • This topic is locked This topic is locked
8 replies to this topic

#1 thebeatles5573

thebeatles5573

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:02:15 PM

Posted 27 September 2009 - 06:43 PM

Hello and thankyou for this great site.

I have encountered some malware. At first I diagnosed it as braviax and ran SDfix to try to remove it. This did not work. Here are the symptoms:

I get a balloon by the task bar telling me that firewall is not turned on
I am unable to access the internet, even though my computer displays that I am connected (wirelessly)
My desktop background has been changed to a blue screen with a black box which, in red lettering, says "your computer is infected".
I cannot change my desktop background
I cannot use system restore

I ran hijack this and here is the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:29:27 PM, on 9/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.yahoo.com
O16 - DPF: ActiveGS.cab - http://www.virtualapple.org/gs.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1143375582218
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6811 bytes




Please help me.

Thanks,
Scott

BC AdBot (Login to Remove)

 


#2 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:15 PM

Posted 14 October 2009 - 05:30 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#3 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:15 PM

Posted 22 October 2009 - 09:24 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic
Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#4 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:15 PM

Posted 25 October 2009 - 02:16 PM

**** Re-opened per OP request ****

Hi and welcome to the HijackThis Logs and Virus/Trojan/Spyware/Malware Removal forum,

I am Posted Image and I am here to help you!

I ask that you refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Please perform all steps in the order received and do not proceed if you need clarification.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please be courteous and appreciative for the assistance provided!

==========

Are you still unable to connect to the internet?

Please do this.......

RKill by Grinler
You will need to save it to a flashdrive or burn it on a CD.

Link #1
Link #2
Link #3
Link #4

  • Download Link #1.
  • Save it to your Desktop.
  • Double click the RKill desktop icon.
    If you are using Vista please right click and run as Admin!
  • A black screen will briefly flash indicating a successful run.
  • If this does not occur please delete that application and download Link #2.
  • Continue process until the tool runs.
  • If the tool does not run from any of the links tell me about it.
==========

Download the tools needed to a flash drive or other removable media, and transfer them to the infected computer.

***************************************************

Please download ComboFix from one of these locations:

Link 1
Link 2

You must rename it before saving it.

Posted Image

Posted Image


Save thcbytes.exe to your Desktop <-- Important!!!

--------------------------------------------------------------------

With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.


Go to Microsoft's website => http://support.microsoft.com/kb/310994

Scroll down to Step 1, and select the download that's appropriate for your Operating System. Download the file & save it as it's originally named.

Note: If you have SP3, use the SP2 package.


---------------------------------------------------------------------

Transfer all files you just downloaded, to the desktop of the infected computer.

--------------------------------------------------------------------

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.
Posted Image

  • Drag the setup package onto ComboFix.exe and drop it.

  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.


    Posted Image


  • At the next prompt, click 'Yes' to run the full ComboFix scan.

  • When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt in your next reply.

==========

The infection might have created a Proxy with your internet connection. We will need to reset that.
Do this....

- In IE: Tools Menu -> Internet Options -> Connections Tab ->Lan Settings > uncheck "use a proxy server" or reconfigure the Proxy server again in case you have set it previously.

- In Firefox in Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection and uncheck the proxyserver.

Reset TCP/IP Properties

First:

* Go to Start -> Control Panel -> Double click on Network Connections.
* Right click on your default connection (usually Local Area Connection or Wireless Network Connection) and select Properties.

* Select the General tab.
* Double click on Internet Protocol (TCP/IP).

Under General tab:

- Select "Obtain an IP address automatically".
- Select "Obtain DNS server address automatically".

* Click OK twice to save the settings.
* Reboot if you had to change any setting.

Next:

* Go to start > Run copy/paste the contents of the code box excluding "code" in the run box and click OK.

cmd /c (ipconfig /all&nslookup google.com&ping -n 2 google.com&route print) >log.txt&log.txt&del log.txt
A command window opens. Wait until a log.txt file opens.

* Please copy/paste the log file in your reply.

==========

Again I would like to remind you to make no further changes to your computer unless I direct you to do so. Your computer fix will be based on the current condition of your computer! Any changes might delay my ability to help you.

==========

With your next post please provide:

* Combofix.txt
* Internet connection log
* Can you connect now?

Kind regards,
~t
Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#5 thebeatles5573

thebeatles5573
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:02:15 PM

Posted 26 October 2009 - 07:06 PM

THC-

I was able to establish connection to the internet after following your steps and am posting this from the infected computer! Thank you for that. The computer is still showing all other infected symptoms. I don't even know if you were expected these problems to be resolved already, anyways. Here are the logs that you requested:

Combofix:

ComboFix 09-10-26.01 - Owner 10/26/2009 19:36.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.647 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\thcbytes.exe.exe
Command switches used :: c:\documents and settings\Owner\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
AV: Norton AntiVirus *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Antivirus Pro
c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Antivirus Pro\Windows Antivirus Pro.lnk
c:\windows\system32\drivers\kbiwkmqruevndo.sys
c:\windows\system32\drivers\UACmkkawkrx.sys
c:\windows\system32\kbiwkmkixdoyed.dat
c:\windows\system32\kbiwkmojckqeme.dll
c:\windows\system32\kbiwkmtjlqbaid.dll
c:\windows\system32\kbiwkmvttiwtai.dat
c:\windows\system32\kbiwkmyrdvbbal.dll
c:\windows\system32\tmp.reg
c:\windows\system32\UACcbpyojdn.dll
c:\windows\system32\UACddmljsxv.dll
c:\windows\system32\UAClnxyacmy.dll
c:\windows\system32\UACociwnvhj.log
c:\windows\system32\UACrocdcjsk.dat
c:\windows\system32\UACtpvqxnre.log
c:\windows\system32\UACumdixxnh.dll
c:\windows\system32\UACymfvxdeh.dll
c:\windows\system32\UACyprkudda.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_kbiwkmomkamnms
-------\Legacy_kbiwkmomkamnms
-------\Service_UACd.sys
-------\Legacy_UACd.sys
-------\Legacy_NPF


((((((((((((((((((((((((( Files Created from 2009-09-26 to 2009-10-26 )))))))))))))))))))))))))))))))
.

2009-10-26 23:27 . 2008-04-13 18:40 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-10-26 23:27 . 2008-04-13 18:40 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys
2009-09-27 23:26 . 2009-09-27 23:26 -------- d-----w- c:\program files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-14 02:11 . 2009-09-14 02:11 73552 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-13 02:25 . 2008-08-12 04:05 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-07 13:12 . 2008-08-29 16:26 -------- d-----w- c:\program files\HammerHead
2009-09-03 15:21 . 2009-09-03 15:21 -------- d-----w- c:\program files\CCleaner
2009-08-16 13:10 . 2006-03-26 12:18 73552 -c--a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-05 09:01 . 2004-08-04 08:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2006-08-29 02:24 . 2006-08-29 01:43 80 --sh--r- c:\windows\system32\29FE7AF9D9.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-09-14 185896]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-01-13 135168]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-01-13 131072]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-01-13 163840]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2005-02-08 159744]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2005-04-13 88209]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonuiX.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\SoulseekNS\\slsk.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1143333789\\ee\\aolsoftware.exe"=

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1005000.086\SymEFA.sys [5/21/2009 4:26 PM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NAV\1005000.086\BHDrvx86.sys [5/21/2009 4:26 PM 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1005000.086\cchpx86.sys [5/21/2009 4:26 PM 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090810.001\IDSXpx86.sys [8/12/2009 8:06 AM 276344]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [6/29/2009 7:37 PM 24652]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 Norton AntiVirus;Norton AntiVirus;c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe [5/21/2009 4:26 PM 115560]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder

2009-10-26 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
DPF: ActiveGS.cab - hxxp://www.virtualapple.org/gs.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\vg4117qm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\vg4117qm.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000004.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJPI150_09.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npitunes.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\windows\system32\C2MP\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-26 19:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\TMP00000014D2B739EDC41305EC 524288 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-495855631-3624000630-790477122-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C12B6EA2-7ED5-9AA8-1091-080525CDCB2E}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"ianibfpjkgpdpofndc"=hex:6a,61,6f,6c,65,64,6b,69,64,6e,65,6c,61,69,6a,6f,6f,67,
6b,6d,00,f2
"hadkhcanfjiikjao"=hex:69,61,6c,6c,66,64,61,6f,64,6e,6b,62,65,68,63,6f,68,67,
00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3820)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\thcbytes.exe\CF17039.exe
c:\program files\Apoint2K\Apntex.exe
c:\windows\system32\wscntfy.exe
c:\thcbytes.exe\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-26 19:58 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-26 23:58
ComboFix2.txt 2009-10-04 15:14

Pre-Run: 10,448,650,240 bytes free
Post-Run: 10,304,716,800 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 828C7FAA3A7F08BA11DF1FD8AD383AD9








Internet Log:



Windows IP Configuration



Host Name . . . . . . . . . . . . : SCOTTLAPTOP

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Broadcast

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No



Ethernet adapter Local Area Connection:



Media State . . . . . . . . . . . : Media disconnected

Description . . . . . . . . . . . : Realtek RTL8139/810x Family Fast Ethernet NIC

Physical Address. . . . . . . . . : 00-16-D3-00-8E-07



Ethernet adapter Wireless Network Connection:



Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : Intel® PRO/Wireless 2200BG Network Connection

Physical Address. . . . . . . . . : 00-16-6F-41-86-68

Dhcp Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

IP Address. . . . . . . . . . . . : 192.168.1.112

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 192.168.1.1

DHCP Server . . . . . . . . . . . : 192.168.1.1

DNS Servers . . . . . . . . . . . : 24.92.226.40

24.92.226.41

Lease Obtained. . . . . . . . . . : Monday, October 26, 2009 19:34:30

Lease Expires . . . . . . . . . . : Tuesday, October 27, 2009 19:34:30

Server: dns-cac-dts-01.nyroc.rr.com
Address: 24.92.226.40

Name: google.com
Addresses: 74.125.45.100, 74.125.53.100, 74.125.67.100



Pinging google.com [74.125.67.100] with 32 bytes of data:



Reply from 74.125.67.100: bytes=32 time=49ms TTL=52

Reply from 74.125.67.100: bytes=32 time=40ms TTL=52



Ping statistics for 74.125.67.100:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 40ms, Maximum = 49ms, Average = 44ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 16 d3 00 8e 07 ...... Realtek RTL8139/810x Family Fast Ethernet NIC - Packet Scheduler Miniport
0x3 ...00 16 6f 41 86 68 ...... Intel® PRO/Wireless 2200BG Network Connection - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.112 25
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.112 192.168.1.112 25
192.168.1.112 255.255.255.255 127.0.0.1 127.0.0.1 25
192.168.1.255 255.255.255.255 192.168.1.112 192.168.1.112 25
224.0.0.0 240.0.0.0 192.168.1.112 192.168.1.112 25
255.255.255.255 255.255.255.255 192.168.1.112 2 1
255.255.255.255 255.255.255.255 192.168.1.112 192.168.1.112 1
Default Gateway: 192.168.1.1
===========================================================================
Persistent Routes:
None



Thanks,
Scott

#6 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:15 PM

Posted 26 October 2009 - 09:50 PM

Well done. :(
We still have lot's of work to do.

Please do this........

Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

==========

Please download Posted Image by OldTimer to your desktop from here.
  • Open the file and close any other windows.
  • It will close all programs itself when run; make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • After it is finished, it should reboot your machine, if not, do this yourself to ensure a complete clean.
==========

:( Warning: This script was specifically written and designed for this user only. Unsupervised use of this tool could render your computer unbootable permanently!! :)

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. It is important that you disable your Norton prior to this run. See here if you do not know how.

3. Open notepad and copy/paste the text in the quotebox below into it:

http://www.bleepingcomputer.com/forums/ind...t&p=1473484

Suspect::[89]
c:\windows\system32\29FE7AF9D9.dll

Folder::
c:\Program Files\SoulseekNS
c:\program files\Viewpoint

Registry::
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"=-
"NoActiveDesktopChanges"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
"BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,00,00
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\SoulseekNS\\slsk.exe"=-

RegNull::
[HKEY_USERS\S-1-5-21-495855631-3624000630-790477122-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C12B6EA2-7ED5-9AA8-1091-080525CDCB2E}*]

Driver::
Viewpoint Manager Service


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

==========

With your next post please provide:

* exehelper.txt
* Combofix.txt

Kind regards,
~t
Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#7 thebeatles5573

thebeatles5573
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:02:15 PM

Posted 28 October 2009 - 06:13 PM

exeHelper by Raktor
Build 20091021
Run at 18:30:56 on 10/28/09
Now searching...
Checking for numerical processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--



ComboFix 09-10-26.01 - Owner 10/28/2009 18:47.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.528 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\thcbytes.exe.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: Norton AntiVirus *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

file zipped: c:\windows\system32\29FE7AF9D9.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\SoulseekNS
c:\program files\SoulseekNS\message.wav
c:\program files\SoulseekNS\Readme.txt
c:\program files\SoulseekNS\slsk.exe
c:\program files\SoulseekNS\uninstall.exe
c:\program files\Viewpoint
c:\program files\Viewpoint\Common\ViewpointService.exe
c:\program files\Viewpoint\Common\VistaBoot.sdll
c:\program files\Viewpoint\Viewpoint Experience Technology\AxMetaStream.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\ClassIDs.ini
c:\program files\Viewpoint\Viewpoint Experience Technology\ComponentMgr.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\ComponentMgr_0305001C.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\ComponentRegistry.ini
c:\program files\Viewpoint\Viewpoint Experience Technology\Components\AOLArt.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\Components\AOLShell.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\Components\AOLUserShell.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\Components\Cursors.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\Components\DataTracking.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\Components\GifReader.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\Components\JpegReader.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\Components\LensFlares.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\Components\Mts3Reader.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\Components\ObjectMovie.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\Components\SceneComponent.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\Components\ServiceComponent.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\Components\SreeDMMX.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\Components\SWFView.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\Components\VectorView.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\Components\VETScriptInterpreter.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\Components\VMPAudio.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\Components\VMPExtras.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\Components\VMPSpeech.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\Components\VMPVideo.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\Components\VMPVideo2.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\Components\WaveletReader.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\Components\ZoomView.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\DownLoadHist.ini
c:\program files\Viewpoint\Viewpoint Experience Technology\HostRegistry.ini
c:\program files\Viewpoint\Viewpoint Experience Technology\MetaStreamID.ini
c:\program files\Viewpoint\Viewpoint Experience Technology\MtsAxInstaller.exe
c:\program files\Viewpoint\Viewpoint Experience Technology\MTSDownloadSites.txt
c:\program files\Viewpoint\Viewpoint Experience Technology\NewComponents\AOLUserShell.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\NewComponents\Cursors.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\NewComponents\JpegReader.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\NewComponents\Mts3Reader.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\NewComponents\SceneComponent.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\NewComponents\SreeDMMX.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\NewComponents\SWFView.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\NewComponents\VETScriptInterpreter.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\NewComponents\VMPSpeech.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\NewComponents\VMPVideo2.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.xpt
c:\program files\Viewpoint\Viewpoint Media Player\AxMetaStream.dll
c:\program files\Viewpoint\Viewpoint Media Player\ClassIDs.ini
c:\program files\Viewpoint\Viewpoint Media Player\ComponentMgr_03000F11.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\AOLUserShell.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\Cursors.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\JpegReader.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\Mts3Reader.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\SceneComponent.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\SreeDMMX.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\SWFView.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\VMgr.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\VMPSpeech.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\VMPVideo.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\VMPVideo2.dll
c:\program files\Viewpoint\Viewpoint Media Player\Components\WaveletReader.dll
c:\program files\Viewpoint\Viewpoint Media Player\MetaStreamID.ini
c:\program files\Viewpoint\Viewpoint Media Player\MtsAxInstaller.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_VIEWPOINT_MANAGER_SERVICE
-------\Service_Viewpoint Manager Service


((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-28 )))))))))))))))))))))))))))))))
.

2009-10-28 22:33 . 2009-10-01 14:29 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-10-26 23:27 . 2008-04-13 18:40 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-10-26 23:27 . 2008-04-13 18:40 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-27 23:26 . 2009-09-27 23:26 -------- d-----w- c:\program files\Trend Micro
2009-09-14 02:11 . 2009-09-14 02:11 73552 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-13 02:25 . 2008-08-12 04:05 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-07 13:12 . 2008-08-29 16:26 -------- d-----w- c:\program files\HammerHead
2009-09-03 15:21 . 2009-09-03 15:21 -------- d-----w- c:\program files\CCleaner
2009-08-16 13:10 . 2006-03-26 12:18 73552 -c--a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-05 09:01 . 2004-08-04 08:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2006-08-29 02:24 . 2006-08-29 01:43 80 --sh--r- c:\windows\system32\29FE7AF9D9.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-10-26_23.50.39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-23 03:21 . 2008-07-08 13:02 17272 c:\windows\system32\spmsg.dll
+ 2004-08-04 08:00 . 2009-06-24 11:18 92928 c:\windows\system32\drivers\ksecdd.sys
+ 2009-06-25 08:25 . 2009-06-25 08:25 54272 c:\windows\system32\dllcache\wdigest.dll
- 2009-02-03 19:59 . 2009-02-03 19:59 56832 c:\windows\system32\dllcache\secur32.dll
+ 2009-02-03 19:59 . 2009-06-25 08:25 56832 c:\windows\system32\dllcache\secur32.dll
+ 2009-06-24 11:18 . 2009-06-24 11:18 92928 c:\windows\system32\dllcache\ksecdd.sys
+ 2004-08-04 08:00 . 2009-06-25 08:25 730112 c:\windows\system32\lsasrv.dll
+ 2008-12-05 06:54 . 2009-06-25 08:25 147456 c:\windows\system32\dllcache\schannel.dll
+ 2009-06-25 08:25 . 2009-06-25 08:25 136192 c:\windows\system32\dllcache\msv1_0.dll
+ 2009-04-15 00:07 . 2009-06-25 08:25 730112 c:\windows\system32\dllcache\lsasrv.dll
+ 2009-06-25 08:25 . 2009-06-25 08:25 301568 c:\windows\system32\dllcache\kerberos.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-09-14 185896]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-01-13 135168]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-01-13 131072]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-01-13 163840]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2005-02-08 159744]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2005-04-13 88209]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonuiX.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1143333789\\ee\\aolsoftware.exe"=

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1005000.086\SymEFA.sys [5/21/2009 4:26 PM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NAV\1005000.086\BHDrvx86.sys [5/21/2009 4:26 PM 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1005000.086\cchpx86.sys [5/21/2009 4:26 PM 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090810.001\IDSXpx86.sys [8/12/2009 8:06 AM 276344]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 Norton AntiVirus;Norton AntiVirus;c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe [5/21/2009 4:26 PM 115560]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder

2009-10-28 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
DPF: ActiveGS.cab - hxxp://www.virtualapple.org/gs.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\vg4117qm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\vg4117qm.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000004.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPJPI150_09.dll
FF - plugin: c:\program files\Java\jre1.5.0_09\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npitunes.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\windows\system32\C2MP\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Soulseek2 - c:\program files\SoulseekNS\uninstall.exe
AddRemove-ViewpointMediaPlayer - c:\program files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-28 19:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\TMP00000001DED23726E068C541 524288 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3008)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\thcbytes.exe\CF15434.exe
c:\program files\Apoint2K\Apntex.exe
c:\windows\system32\wscntfy.exe
c:\thcbytes.exe\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-28 19:08 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-28 23:08
ComboFix2.txt 2009-10-26 23:58
ComboFix3.txt 2009-10-04 15:14

Pre-Run: 10,213,117,952 bytes free
Post-Run: 10,152,927,232 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 205C4A6134ABF9ACFBB3CB4AFB87CC53





Norton is not seen as running in the task bar or anywhere else but each time I run combofix, it tells me that norton is running. When I try to run norton in order to subsequently turn it off, a web page opens telling me how to remove norton and re install it. I can do this on my own, but is it interfering with combofix?

Thanks,

Scott

#8 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:15 PM

Posted 28 October 2009 - 06:57 PM

Hello,

Do you have the Norton install disc and key? If so...you might want to uninstall then reinstall. It might be corrupt. As far at it interfering with the fix. No...it has not interfered yet but Norton is notorious for making my job difficult.

You might want to uninstall Norton and then wait to reinstall it once I have given you the "all clear". Only do that if you plan to use that computer for cleanup purposes, and only visit the sites I guide you to. No other surfing or applications till were done!

Let's continue...........

Please download Malwarebytes Anti-Malware and save it to your desktop.

alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

==========

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
==========

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under "Extra Registry" please check "Use Safelist" and also check "LOP Check" and "Purity Check" as pictured.Posted Image
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
==========

With your next post please provide:

* What did you decide to do with Norton?
* MBAM log
* ESET log
* OTL.txt
* OTL Extra.txt
* How is your computer running now?

Kind regards,
~t
Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#9 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:15 PM

Posted 03 November 2009 - 10:07 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic
Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users