Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with WinCodecPro Trojan


  • This topic is locked This topic is locked
9 replies to this topic

#1 ellege

ellege

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:12 PM

Posted 17 October 2009 - 10:17 PM

I have the Red X circle in the systray which frequently pops up several different message such as "Warning your media codec is out of date...." or "Window System error! Possible reason: Media system crash, unable to play media files...." or "Warning! Fatal Error windows can play the following ....."

Soon their after my video display switched to 800x600, no sound plays from the PC, I received an error when attempting to open an .wmv file. Also, when attempting to correct the video resolution, all the tabs in the Display Properties window were gone.

Update Spybot, ran a full scan and fixed the detected problems but all the symptoms mentioned above still remained.

Began Google'ing for solutions and read about the taskmanager being disabled....sure enough, control-Alt-Delete didn't bring up taskmanger, and going to Start > Run >Taskmgr.exe returned an error window stating that "Windows cannot find 'taskmgr'......"

Tried MS's and CS's virus scans but neither helped the video, audio and taskmanager prob.
So I uninstalled both.

Greatly appreciate help in ridding my PC of this nasty virus!

Attached Attach.txt and Ark.txt, DSS Log below:
*** Also attached HiJackThis log.


DDS (Ver_09-10-13.01) - NTFSx86
Run by Lenny at 19:53:51.56 on Sat 10/17/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1268 [GMT -4:00]

AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {E259B98F-D139-4728-92EA-2D71D722313E}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
c:\Program Files\Trend Micro\OfficeScan\PCCSRV\Apache2\bin\Apache.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan\PCCSRV\Apache2\bin\Apache.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trend Micro\OfficeScan\PCCSRV\web\service\ofcservice.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Trend Micro\OfficeScan\PCCSRV\Web\Service\DbServer.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\TEMP\JD8849.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\DellTPad\tnApoint.exe
C:\Program Files\DellAutomatedPCTuneUp\PTAgnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Documents and Settings\Lenny\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Trend Micro\OfficeScan\PCCSRV\Apache2\bin\ApacheMonitor.exe
C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Lenny\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Lenny\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Lenny\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Lenny\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Cobian Backup 8\Cobian.exe
C:\Program Files\Cobian Backup 8\cbInterface.exe
C:\Documents and Settings\Lenny\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://home.jzip.com
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb
uDefault_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=2080327
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb
uInternet Connection Wizard,ShellNext = hxxp://partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=2080327
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {FBF2401B-7447-4727-BE5D-C19B2075CA84} - No File
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - No File
uRun: [DellAutomatedPCTuneUp] "c:\program files\dellautomatedpctuneup\PTAgnt.exe" /startup
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [Google Update] "c:\documents and settings\lenny\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [tnApoint] c:\program files\delltpad\tnApoint.exe
mRun: [<NO NAME>] c:\program files\delltpad\tnApoint.exe
StartupFolder: c:\docume~1\lenny\startm~1\programs\startup\memoni~1.lnk - c:\program files\verizon wireless\v cast music manager\MEMonitor.exe
StartupFolder: c:\docume~1\lenny\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony\sony picture utility\volumewatcher\SPUVolumeWatcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\monito~1.lnk - c:\program files\trend micro\officescan\pccsrv\apache2\bin\ApacheMonitor.exe
IE: Download with ImTOO YouTube Video Converter - c:\program files\imtoo\youtube video converter\upod_link.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} - hxxps://djv9lyf1:4343/officescan/console/html/root/AtxEnc.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cab
DPF: {4F3DCE50-E8E7-40AC-AB8D-99F87F1F89BD} - hxxps://djv9lyf1:4343/officescan/console/html/root/AtxConsole.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6796.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A050E865-64E3-431B-8079-F0DFCEA90A2D} - hxxps://djv9lyf1:4343/officescan/console/html/root/AtxPie.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
IFEO: taskmgr.exe - 918461

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R2 datunidr;DellAutomatedPCTuneUp UniDriver;c:\windows\system32\drivers\datunidr.sys [2007-8-23 5376]
R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\tmxpflt.sys [2008-5-29 205328]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\tmpreflt.sys [2008-5-29 36368]
S3 OfficeScanCMAgent;OfficeScan Control Manager Agent;c:\program files\trend micro\officescan\pccsrv\cmagent\OfcCMAgent.exe [2008-5-29 143360]
S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\trend micro\officescan client\TmProxy.exe [2008-5-29 575064]
S4 Drmlook;Drmlook; [x]

=============== Created Last 30 ================

2009-10-17 18:50 <DIR> --d----- c:\program files\Cobian Backup 8
2009-10-16 18:58 20,692 a------- c:\windows\system32\entitlement.xml
2009-10-16 18:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\CA-SupportBridge
2009-10-14 07:37 95,452 a------- c:\windows\system32\drivers\KmxAgent.asc
2009-10-14 00:18 7 a------- c:\windows\system32\mkghj.dll
2009-10-13 23:54 201,968 a------- c:\windows\system32\Isafprod.dll
2009-10-13 23:54 128,240 a------- c:\windows\system32\Isafeif.dll
2009-10-13 23:54 95,472 a------- c:\windows\system32\Vetredir.dll
2009-10-13 23:53 <DIR> --d----- c:\windows\rnapxs
2009-10-13 23:53 111,856 a------- c:\windows\system32\wbem\canvprov.dll
2009-10-13 23:53 6,552 a------- c:\windows\system32\wbem\canvprov.mof
2009-10-13 17:52 195,440 -------- c:\windows\system32\MpSigStub.exe
2009-09-29 20:40 129,784 -------- c:\windows\system32\pxafs.dll
2009-09-29 20:39 <DIR> --d----- c:\program files\common files\DivX Shared
2009-09-29 20:39 <DIR> --d----- c:\program files\DivX
2009-09-17 22:31 0 a---h--- c:\windows\system32\drivers\Msft_User_ZuneDriver_01_09_00.Wdf
2009-09-17 22:31 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01009.Wdf
2009-09-17 22:29 0 a---h--- c:\windows\system32\drivers\MsftWdf_user_01_09_00.Wdf
2009-09-17 22:03 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_zumbus_01009.Wdf
2009-09-17 22:03 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf

==================== Find3M ====================

2009-10-17 19:48 83,207 a------- c:\windows\system32\nvModes.dat
2009-09-11 10:18 136,192 a------- c:\windows\system32\msv1_0.dll
2009-09-11 10:18 136,192 -------- c:\windows\system32\dllcache\msv1_0.dll
2009-09-04 17:03 58,880 a------- c:\windows\system32\msasn1.dll
2009-09-04 17:03 58,880 -------- c:\windows\system32\dllcache\msasn1.dll
2009-09-04 13:17 447,216 a------- c:\windows\system32\ZuneWlanCfgSvc.exe
2009-09-04 13:16 58,592 a------- c:\windows\system32\ZuneBusEnum.exe
2009-09-02 00:29 74,240 a------- c:\windows\system32\ZuneUsbTransport.dll
2009-09-02 00:29 57,344 a------- c:\windows\system32\ZuneRegUtil.dll
2009-09-02 00:29 18,944 a------- c:\windows\system32\ZuneTcp2Udp.dll
2009-09-02 00:29 12,800 a------- c:\windows\system32\ZunePTDNS.dll
2009-09-02 00:29 310,784 a------- c:\windows\system32\ZuneNetProxy.dll
2009-09-02 00:29 147,456 a------- c:\windows\system32\ZuneMTPZ.dll
2009-09-02 00:28 40,832 a------- c:\windows\system32\drivers\zumbus.sys
2009-08-28 06:35 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-08-26 04:00 247,326 a------- c:\windows\system32\strmdll.dll
2009-08-26 04:00 247,326 -------- c:\windows\system32\dllcache\strmdll.dll
2009-08-17 12:37 1,837,296 a------- c:\windows\system32\WUDFUpdate_01009.dll
2009-08-17 12:37 1,461,992 a------- c:\windows\system32\WdfCoInstaller01009.dll
2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 05:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-04 20:44 2,189,184 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-08-04 19:52 1,193,832 a------- c:\windows\system32\FM20.DLL
2009-08-04 11:13 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
2009-08-04 11:13 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-08-04 10:20 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
2009-08-04 10:20 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-08-04 10:20 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2008-08-04 19:09 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008080420080805\index.dat

============= FINISH: 19:54:43.75 ===============

Attached Files


Edited by ellege, 17 October 2009 - 10:23 PM.


BC AdBot (Login to Remove)

 


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:07:12 PM

Posted 19 October 2009 - 06:56 PM

Hello! :(
My name is Sam and I will be helping you.

In order to see what's going on with your computer I'll ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.



Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 ellege

ellege
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:12 PM

Posted 19 October 2009 - 09:02 PM

Hello Sam,
I very much appreciate your help. Per your instructions, I downloaded, installed, and ran the ComboFix app. The Recovery Console was also installed prior to running theComboFix scan. Please find attached report.

**Updated***
I noticed that the red X circle in the systray is gone along with all the other symptoms of the virus (no audio, low video res, disabled taskmgr). In short, it appears that my pc is back to normal! Let me reboot and try the other profiles on the pc and will post back results.

Thank you,
Lenny


ComboFix 09-10-19.01 - Lenny 10/19/2009 21:14.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1356 [GMT -4:00]
Running from: c:\documents and settings\Lenny\Desktop\ComboFix.exe
AV: Trend Micro OfficeScan Antivirus *On-access scanning disabled* (Outdated) {E259B98F-D139-4728-92EA-2D71D722313E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\96265306.ini
c:\documents and settings\Mitch\My Documents\My Documents.url
c:\documents and settings\Mitch\My Documents\My Music\My Music.url
c:\documents and settings\Mitch\My Documents\My Videos\My Video.url
c:\windows\system32\mkghj.dll

.
((((((((((((((((((((((((( Files Created from 2009-09-20 to 2009-10-20 )))))))))))))))))))))))))))))))
.

2009-10-17 22:50 . 2009-10-17 22:51 -------- d-----w- c:\program files\Cobian Backup 8
2009-10-16 22:19 . 2009-10-17 14:19 -------- d-----w- c:\documents and settings\All Users\Application Data\CA-SupportBridge
2009-10-16 04:20 . 2009-10-16 04:20 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-10-16 01:35 . 2009-10-16 02:26 -------- d-----w- c:\documents and settings\Chri\Application Data\CallingID
2009-10-14 04:06 . 2009-10-14 04:06 -------- d-----w- c:\documents and settings\LocalService\Application Data\CallingID
2009-10-14 03:54 . 2009-10-02 20:03 201968 ----a-w- c:\windows\system32\Isafprod.dll
2009-10-14 03:54 . 2009-10-02 20:02 95472 ----a-w- c:\windows\system32\Vetredir.dll
2009-10-14 03:54 . 2009-10-02 20:02 128240 ----a-w- c:\windows\system32\Isafeif.dll
2009-10-14 03:53 . 2009-10-17 20:59 -------- d-----w- c:\windows\rnapxs
2009-10-14 03:53 . 2009-08-28 17:39 111856 ----a-w- c:\windows\system32\wbem\canvprov.dll
2009-10-13 21:52 . 2009-10-01 14:29 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-10-13 16:45 . 2009-10-13 21:44 -------- d-----w- c:\program files\Windows Live Safety Center
2009-10-03 18:45 . 2009-10-03 18:45 -------- d-----w- c:\documents and settings\Chri\Application Data\DivX
2009-10-02 01:24 . 2009-10-02 01:24 -------- d-----w- c:\documents and settings\Lenny\Application Data\DivX
2009-09-30 00:40 . 2009-07-14 00:17 129784 ------w- c:\windows\system32\pxafs.dll
2009-09-30 00:39 . 2009-09-30 00:39 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-09-30 00:39 . 2009-09-30 00:40 -------- d-----w- c:\program files\DivX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-20 01:45 . 2008-03-27 07:51 83207 ----a-w- c:\windows\system32\nvModes.dat
2009-10-18 23:28 . 2008-04-29 03:08 -------- d-----w- c:\documents and settings\Lenny\Application Data\Corel
2009-10-18 23:28 . 2008-04-29 03:08 952 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-10-17 20:58 . 2009-10-14 11:37 95452 ----a-w- c:\windows\system32\drivers\KmxAgent.asc
2009-10-17 20:53 . 2008-03-27 08:08 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-16 17:14 . 2008-12-21 19:23 664 ----a-w- c:\documents and settings\Chri\Local Settings\Application Data\d3d9caps.tmp
2009-10-14 11:42 . 2008-03-27 08:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Gtek
2009-10-14 04:30 . 2008-03-27 08:23 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-13 21:55 . 2008-04-01 23:06 -------- d-----w- c:\program files\Lavasoft
2009-10-13 21:34 . 2009-05-16 14:08 -------- d-----w- c:\documents and settings\All Users\Application Data\96265306
2009-10-13 21:34 . 2009-05-16 14:08 -------- d-----w- c:\documents and settings\All Users\Application Data\16255314
2009-10-12 23:58 . 2008-03-27 07:50 -------- d-----w- c:\program files\DellTPad
2009-10-12 02:51 . 2008-04-01 22:59 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-11 17:43 . 2008-10-26 21:38 -------- d-----w- c:\documents and settings\Mitch\Application Data\Corel
2009-09-26 13:31 . 2008-07-06 20:13 664 ----a-w- c:\documents and settings\Mitch\Local Settings\Application Data\d3d9caps.tmp
2009-09-18 02:31 . 2009-09-18 02:31 0 ---ha-w- c:\windows\system32\drivers\Msft_User_ZuneDriver_01_09_00.Wdf
2009-09-18 02:31 . 2009-09-18 02:31 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01009.Wdf
2009-09-18 02:29 . 2009-09-18 02:29 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_user_01_09_00.Wdf
2009-09-18 02:06 . 2008-05-14 21:57 -------- d-----w- c:\program files\Zune
2009-09-18 02:03 . 2009-09-18 02:03 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_zumbus_01009.Wdf
2009-09-18 02:03 . 2009-09-18 02:03 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
2009-09-11 14:18 . 2004-08-10 18:51 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-08 03:28 . 2008-04-02 00:26 -------- d-----w- c:\documents and settings\Lenny\Application Data\Apple Computer
2009-09-04 21:03 . 2004-08-10 18:51 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 17:17 . 2009-09-04 17:17 447216 ----a-w- c:\windows\system32\ZuneWlanCfgSvc.exe
2009-09-04 17:16 . 2009-09-04 17:16 58592 ----a-w- c:\windows\system32\ZuneBusEnum.exe
2009-09-02 04:29 . 2009-09-02 04:29 74240 ----a-w- c:\windows\system32\ZuneUsbTransport.dll
2009-09-02 04:29 . 2009-09-02 04:29 57344 ----a-w- c:\windows\system32\ZuneRegUtil.dll
2009-09-02 04:29 . 2009-09-02 04:29 18944 ----a-w- c:\windows\system32\ZuneTcp2Udp.dll
2009-09-02 04:29 . 2009-09-02 04:29 12800 ----a-w- c:\windows\system32\ZunePTDNS.dll
2009-09-02 04:29 . 2009-09-02 04:29 310784 ----a-w- c:\windows\system32\ZuneNetProxy.dll
2009-09-02 04:29 . 2009-09-02 04:29 147456 ----a-w- c:\windows\system32\ZuneMTPZ.dll
2009-09-02 04:28 . 2009-09-02 04:28 40832 ----a-w- c:\windows\system32\drivers\zumbus.sys
2009-08-29 08:08 . 2004-08-10 18:51 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2004-08-10 18:51 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-22 15:03 . 2008-11-15 21:48 70632 ----a-w- c:\documents and settings\Chri\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-22 01:06 . 2008-04-01 15:19 70632 ----a-w- c:\documents and settings\Lenny\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-21 22:03 . 2008-04-01 21:29 70632 ----a-w- c:\documents and settings\Mitch\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-21 11:47 . 2009-08-21 11:47 -------- d-----w- c:\program files\MSBuild
2009-08-21 11:47 . 2009-08-21 11:47 -------- d-----w- c:\program files\Reference Assemblies
2009-08-17 16:37 . 2009-08-17 16:37 1837296 ----a-w- c:\windows\system32\WUDFUpdate_01009.dll
2009-08-17 16:37 . 2009-08-17 16:37 1461992 ----a-w- c:\windows\system32\WdfCoInstaller01009.dll
2009-08-06 23:24 . 2004-08-10 19:02 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 23:24 . 2004-08-10 19:02 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 23:24 . 2007-07-30 23:19 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 23:24 . 2004-08-10 19:02 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 23:24 . 2004-08-10 19:02 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-06 23:24 . 2004-08-10 18:50 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 23:23 . 2004-08-10 19:02 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 23:23 . 2004-08-10 19:02 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2004-08-10 18:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 23:52 . 2009-08-04 23:52 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-04 15:13 . 2004-08-10 18:51 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-04 04:59 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-07-25 09:23 . 2009-01-11 21:37 411368 ----a-w- c:\windows\system32\deploytk.dll
2008-04-07 06:59 . 2008-05-22 02:20 67696 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-04-07 06:59 . 2008-05-22 02:20 54376 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-04-07 06:59 . 2008-05-22 02:20 34952 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-04-07 06:59 . 2008-05-22 02:20 46720 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-04-07 06:59 . 2008-05-22 02:20 172144 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2009-07-14 00:16 . 2009-07-14 00:16 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-07-14 00:16 . 2009-07-14 00:16 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellAutomatedPCTuneUp"="c:\program files\DellAutomatedPCTuneUp\PTAgnt.exe" [2007-10-11 465136]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-27 68856]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"Google Update"="c:\documents and settings\Lenny\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-27 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-11-09 159744]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-01-29 8491008]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-01-29 81920]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-09-07 1236992]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-03-27 1838592]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-01-18 17920]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-02-14 16384]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-12-21 184320]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2007-05-08 702072]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2009-09-04 158448]
"tnApoint"="c:\program files\DellTPad\tnApoint.exe" [2009-10-12 84480]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-01-29 1626112]
"NVHotkey"="nvHotkey.dll" - c:\windows\system32\nvhotkey.dll [2008-01-29 86016]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2007-11-09 405504]

c:\documents and settings\Lenny\Start Menu\Programs\Startup\
MEMonitor.lnk - c:\program files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe [2008-4-7 947544]
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2008-4-23 200704]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-5-18 113664]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-3-27 50688]
Monitor Apache Servers.lnk - c:\program files\Trend Micro\OfficeScan\PCCSRV\Apache2\bin\ApacheMonitor.exe [2005-4-16 41042]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiMalware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"59549:TCP"= 59549:TCP:Trend Micro OfficeScan Listener

R2 datunidr;DellAutomatedPCTuneUp UniDriver;c:\windows\system32\drivers\datunidr.sys [8/23/2007 7:29 PM 5376]
R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\tmxpflt.sys [5/29/2008 7:56 AM 205328]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [5/29/2008 7:56 AM 36368]
S3 OfficeScanCMAgent;OfficeScan Control Manager Agent;c:\program files\Trend Micro\OfficeScan\PCCSRV\CmAgent\OfcCMAgent.exe [5/29/2008 7:55 AM 143360]
S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe [5/29/2008 7:56 AM 575064]
S4 Drmlook;Drmlook; [x]
.
Contents of the 'Scheduled Tasks' folder

2009-10-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]

2009-10-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2826038548-4022235911-2570848929-1006Core.job
- c:\documents and settings\Lenny\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-27 15:43]

2009-10-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2826038548-4022235911-2570848929-1006UA.job
- c:\documents and settings\Lenny\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-27 15:43]

2009-10-20 c:\windows\Tasks\User_Feed_Synchronization-{024FE9D3-0D85-4343-AEF3-2CA0A1E0DB93}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://home.jzip.com
uInternet Connection Wizard,ShellNext = hxxp://partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=2080327
uInternet Settings,ProxyOverride = *.local
IE: Download with ImTOO YouTube Video Converter - c:\program files\ImTOO\YouTube Video Converter\upod_link.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {4F3DCE50-E8E7-40AC-AB8D-99F87F1F89BD} - hxxps://djv9lyf1:4343/officescan/console/html/root/AtxConsole.cab
DPF: {A050E865-64E3-431B-8079-F0DFCEA90A2D} - hxxps://djv9lyf1:4343/officescan/console/html/root/AtxPie.cab
FF - ProfilePath - c:\documents and settings\Lenny\Application Data\Mozilla\Firefox\Profiles\49e4lqrg.default\
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

Notify-PFW - (no file)
SafeBoot-WudfPf
SafeBoot-WudfRd



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-19 21:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(876)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(5876)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\progra~1\SPYBOT~1\SDHelper.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\nvcpl.dll
c:\windows\system32\nvapi.dll
c:\windows\system32\nvshell.dll
c:\program files\jZip\jZipShell.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Trend Micro\OfficeScan\PCCSRV\Apache2\bin\Apache.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Trend Micro\OfficeScan Client\NTRtScan.exe
c:\program files\Trend Micro\OfficeScan\PCCSRV\Apache2\bin\Apache.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Trend Micro\OfficeScan\PCCSRV\Web\Service\OfcService.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\ZuneBusEnum.exe
c:\program files\Trend Micro\OfficeScan Client\TmListen.exe
c:\windows\temp\NO8F3D.EXE
c:\program files\Trend Micro\OfficeScan\PCCSRV\Web\Service\DbServer.exe
c:\program files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
c:\combofix\CF29673.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\hidfind.exe
c:\program files\DellTPad\ApntEx.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-10-20 21:51 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-20 01:51

Pre-Run: 155,537,571,840 bytes free
Post-Run: 158,967,943,168 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 125F01E2AEE2E583034557DA260601C5

Attached Files


Edited by Buckeye_Sam, 20 October 2009 - 06:40 AM.


#4 ellege

ellege
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:12 PM

Posted 19 October 2009 - 09:23 PM

Well after rebooting the red X circle came with the same media codec error balloon. Attempted to play a .wmv file and received an error and redirect to WinProCodec site.....

Video resolution is still OK for now, but the taskmgr is disabled again.

Thanks,
Lenny

#5 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:07:12 PM

Posted 20 October 2009 - 06:51 AM

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.


====================


Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#6 ellege

ellege
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:12 PM

Posted 20 October 2009 - 07:24 PM

Sam - per your instructions, here is the Malwarebytes scan log:

Malwarebytes' Anti-Malware 1.41
Database version: 3001
Windows 5.1.2600 Service Pack 3

10/20/2009 6:26:30 PM
mbam-log-2009-10-20 (18-26-30).txt

Scan type: Quick Scan
Objects scanned: 130417
Time elapsed: 5 minute(s), 28 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 2
Files Infected: 4

Memory Processes Infected:
C:\Program Files\DellTPad\tnApoint.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tnapoint (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\(default) (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispAppearancePage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\All Users\Application Data\16255314 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\96265306 (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\DellTPad\tnApoint.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\16255314\16255314.glu (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Antivirus Scan.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Online Spyware Test.url (Trojan.Zlob) -> Quarantined and deleted successfully.


And here is the ESET online scanner log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6210
# api_version=3.0.2
# EOSSerial=09d7d48e2c3e84448e37fea7bc702935
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-10-21 12:15:38
# local_time=2009-10-20 08:15:38 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 43094353 43094353 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=198820
# found=12
# cleaned=12
# scan_time=5883
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC1.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC2.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC3.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC4.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC5.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC6.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC7.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC8.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC9.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp1.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentieu.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

#7 ellege

ellege
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:12 PM

Posted 20 October 2009 - 07:38 PM

Sam the last two scans appear to cleared the issues, but I'll await your review of the logs and further recommendations. Can you please recommend virus/malware protection app(s)? Once I figure out how to uninstall the Micro Trend - (don't have the requested password), I'll need to install good security apps.

Thanks,
Lenny

#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:07:12 PM

Posted 21 October 2009 - 08:01 AM

Looks good to me. I would definitely keep Malwarebytes. It's an excellent program to have. Just update it and run a scan periodically and it will keep you out of loads of trouble.

Here are some final steps and then some other recommendations for you.


We need to remove Combofix now that we're done with it.
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK

  • Posted Image



==================



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - You should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and reenable system restore here:

    Windows XP System Restore Guide

    Renable system restore with instructions from tutorial above

  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:( :(
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#9 ellege

ellege
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:12 PM

Posted 21 October 2009 - 08:16 PM

Sam - Looks like everything is working as before the infection(s). Thank you very much for all your help!

Lenny

#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:07:12 PM

Posted 22 October 2009 - 07:47 AM

I'm glad I could help you out! :(

Now that your problem appears to be resolved, this thread will be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users