
Virus Is On My Computer - Unsure Of The Origin


This topic is locked
27 replies to this topic

#1 new_mm

  • Members
  • 55 posts

Posted 02 November 2009 - 03:06 PM

I have a co-worker with a virus on her computer. The following viruses have been detected on Norton Anti-Virus Corporate. The files show up on the scan and are unable to be cleaned. We have deleted the files and they have not come back, but the computer is still acting up. In Microsoft Outlook 2000 the program will open and the user's signature will be missing. The user can add a new signature and everything works. When the user restarts the computer, the new signature is gone and the old signature has been returned. The saved favorites also disappear from Outlook and when the computer is restarted they return. In Internet Explorer 8 the user is unable to log into any web-based applications. The program will give the login screen, stop working, and shut down offering an error message. I have pasted below the Norton results, IE 8 error message, and a HijackThis log.

Norton Results:

11/2/2009 12:11 A0016344.exe Trojan Horse
10/30/2009 9:46 upgrade.exe Trojan Horse
10/30/2009 9:32 isqsys32.exe Trojan Horse
10/30/2009 9:24 ~TM5.tmp Trojan Horse

IE 8 Error Message:

AppName: iexplore.exe AppVer: 8.0.6001.18702 ModName: unknown
ModVer: 0.0.0.0 Offset: 00140194

Hijack This Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:27:54 PM, on 11/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Documents and Settings\All Users\Application Data\KwinzySrch\kwinzy149.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\KwinzySrch\kwinzy.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
C:\PROGRA~1\MYWEBS~1\bar\2.bin\m3SrchMn.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\printkey.exe
C:\WINDOWS\system32\svchost.exe
V:\prgs91d\bin\prowin32.exe
C:\Program Files\NavNT\VPC32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN\Toolbar\3.0.1203.0\msntask.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\2.bin\MWSSRCAS.DLL
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: NetAssistantBHO Class - {E38FA08E-F56A-4169-ABF5-5C71E3C153A1} - C:\Program Files\My.Freeze.com NetAssistant\NetAssistant.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\2.bin\MWSSRCAS.DLL
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Microsoft Online Helper! - {24979EB2-B1F8-4EC4-9C31-44D7EFABC474} - %SystemRoot%\system32\beghghk.dll (file missing)
O2 - BHO: PriceGong - {D2A2595C-4FE4-4315-AA9B-19DBD6271B71} - C:\Program Files\PriceGong\1.2.0\PriceGongIE.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
O2 - BHO: NetAssistantBHO - {E38FA08E-F56A-4169-ABF5-5C71E3C153A1} - C:\Program Files\My.Freeze.com NetAssistant\NetAssistant.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [pdfFactory Dispatcher v2] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
O4 - HKLM\..\Run: [MyWebSearch Plugin] rundll32 C:\PROGRA~1\MYWEBS~1\bar\2.bin\M3PLUGIN.DLL,UPF
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Szojowayewecigi] rundll32.exe "C:\WINDOWS\aporuzif.dll",Startup
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\2.bin\m3SrchMn.exe" /m=2 /w /h
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: printkey.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZRxdm603QPUS
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...etup1.0.1.1.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos1.walmart.com/WalmartActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1218635949910
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1218642618138
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ultra-met.com
O17 - HKLM\Software\..\Telephony: DomainName = ultra-met.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ultra-met.com
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: KwinzySrch Service - Unknown owner - C:\Documents and Settings\All Users\Application Data\KwinzySrch\kwinzy149.exe
O23 - Service: My Web Search Service (MyWebSearchService) - MyWebSearch.com - C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwssvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

--
End of file - 7727 bytes

Thank you for your assistance,
Nick


#2 fireman4it

Bleepin' Fireman
  • Malware Response Team
  • 13,505 posts
  • Location:Greenup, Ill USA

Posted 08 November 2009 - 10:24 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-




#3 new_mm

  • Topic Starter
  • Members
  • 55 posts

Posted 09 November 2009 - 09:32 AM

I have posted the issues my co-worker has been experiencing above, but there have been a few new error messages that have come about since my initial posting. They have been initialization errors from Outlook and Internet Explorer. One error was from smartvwd and the program had to close. I have not made any changes or attempted any fixes since posting the first post. I ran the DDS on my co-worker's computer and will post the logs below.

Attach

DDS (Ver_09-10-26.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 8/12/2008 3:55:29 PM
System Uptime: 11/9/2009 7:15:20 AM (2 hours ago)

Motherboard: Dell Computer Corp. | | 0F5949
Processor: Intel® Celeron® CPU 2.60GHz | Microprocessor | 2591/400mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 37 GiB total, 28.557 GiB free.
D: is CDROM ()
G: is NetworkDisk (NTFS) - 137 GiB total, 25.203 GiB free.
H: is NetworkDisk (NTFS) - 137 GiB total, 25.203 GiB free.
M: is NetworkDisk (NTFS) - 137 GiB total, 90.503 GiB free.
V: is NetworkDisk (NTFS) - 137 GiB total, 90.503 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 9.2
Broadcom 440x 10/100 Integrated Controller
Coupon Printer for Windows
Dell ResourceCD
EZ Cards (remove only)
FileMaker Pro 8.5
Freeze Clip Art
Graphite Share v7.4
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
Intel® Extreme Graphics Driver
Kwinzy 1.0 build 153
LiveUpdate 1.6 (Symantec Corporation)
Manufacturing by Epicor
Microsoft Office 2000 SR-1 Standard
Microsoft Silverlight
MSN Toolbar
My Web Search (My Fun Cards)
My.Freeze.com NetAssistant
Norton AntiVirus Corporate Edition
pdfFactory
PriceGong 1.2.0
PROGRESS 9.1D Shared Network Installation
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Solid Edge Viewer V18
SoundMAX
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
WebFldrs XP
WHIO Desktop Alert
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows XP Service Pack 3
Yahoo! Toolbar

==== Event Viewer Messages From Past Week ========

11/3/2009 9:03:43 AM, error: DCOM [10000] - Unable to start a DCOM Server: {73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}. The error: "%5" Happened while starting this command: C:\WINDOWS\system32\wbem\wmiprvse.exe -Embedding

==== End Of File ===========================

DDS

DDS (Ver_09-10-26.01) - NTFSx86
Run by barb at 9:19:44.69 on Mon 11/09/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.271 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Documents and Settings\All Users\Application Data\KwinzySrch\kwinzy153.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\KwinzySrch\kwinzy.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\PROGRA~1\MYWEBS~1\bar\2.bin\m3SrchMn.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\printkey.exe
svchost
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\Program Files\FileMaker\FileMaker Pro 8.5\FileMaker Pro.exe
V:\prgs91d\bin\prorb32.exe
V:\prgs91d\bin\prowin32.exe
C:\Documents and Settings\barb\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uDefault_Page_URL = hxxp://www.msn.com
uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZRxdm603QPUS&fl=0&ptb=jAkLWQlOzTBgM1KTpVGyTA&ind=2009070108&url=http://cap.ask.com/web&q={searchTerms}&l=zz&o=sb&gcht=qp
uURLSearchHooks: N/A: {00a6faf6-072e-44cf-8957-5838f569a31d} - c:\program files\mywebsearch\bar\2.bin\MWSSRCAS.DLL
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uURLSearchHooks: NetAssistantBHO Class: {e38fa08e-f56a-4169-abf5-5c71e3c153a1} - c:\program files\my.freeze.com netassistant\NetAssistant.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: MyWebSearch Search Assistant BHO: {00a6faf1-072e-44cf-8957-5838f569a31d} - c:\program files\mywebsearch\bar\2.bin\MWSSRCAS.DLL
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: mwsBar BHO: {07b18ea1-a523-4961-b6bb-170de4475cca} - c:\program files\mywebsearch\bar\2.bin\MWSBAR.DLL
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Microsoft Online Helper!: {24979eb2-b1f8-4ec4-9c31-44d7efabc474} - %SystemRoot%\system32\beghghk.dll
BHO: PriceGongCtrl Class: {d2a2595c-4fe4-4315-aa9b-19dbd6271b71} - c:\program files\pricegong\1.2.0\PriceGongIE.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
BHO: NetAssistantBHO Class: {e38fa08e-f56a-4169-abf5-5c71e3c153a1} - c:\program files\my.freeze.com netassistant\NetAssistant.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
TB: My Web Search: {07b18ea9-a523-4961-b6bb-170de4475cca} - c:\program files\mywebsearch\bar\2.bin\MWSBAR.DLL
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [MyWebSearch Email Plugin] c:\progra~1\mywebs~1\bar\2.bin\mwsoemon.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [vptray] c:\program files\navnt\vptray.exe
mRun: [pdfFactory Dispatcher v2] c:\windows\system32\spool\drivers\w32x86\3\fppdis2a.exe
mRun: [MyWebSearch Plugin] rundll32 c:\progra~1\mywebs~1\bar\2.bin\M3PLUGIN.DLL,UPF
mRun: [MyWebSearch Email Plugin] c:\progra~1\mywebs~1\bar\2.bin\mwsoemon.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Szojowayewecigi] rundll32.exe "c:\windows\aporuzif.dll",Startup
mRun: [My Web Search Bar Search Scope Monitor] "c:\progra~1\mywebs~1\bar\2.bin\m3SrchMn.exe" /m=2 /w /h
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\printkey.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZRxdm603QPUS
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/MyFunCardsInitialSetup1.0.1.1.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos1.walmart.com/WalmartActivia.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1218635949910
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1218642618138
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
Notify: igfxcui - igfxsrvc.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
LSA: Notification Packages = scecli rasaxt40.dll

============= SERVICES / DRIVERS ===============

R2 KwinzySrch Service;KwinzySrch Service;c:\documents and settings\all users\application data\kwinzysrch\kwinzy153.exe [2009-11-5 58856]
S2 MyWebSearchService;My Web Search Service;c:\progra~1\mywebs~1\bar\2.bin\mwssvc.exe [2009-7-1 28762]

=============== Created Last 30 ================

2009-11-02 18:27:34 0 d-----w- c:\program files\Trend Micro
2009-10-30 11:18:58 5 ----a-w- c:\windows\system32\Band4
2009-10-30 11:18:57 7 ----a-w- c:\windows\system32\Class11
2009-10-29 18:24:40 0 d-sh--w- c:\documents and settings\barb\IECompatCache
2009-10-29 18:24:15 0 d-sh--w- c:\documents and settings\barb\PrivacIE
2009-10-29 17:22:49 0 d-sh--w- c:\documents and settings\barb\IETldCache
2009-10-29 17:17:31 0 dc-h--w- c:\windows\ie8
2009-10-29 17:15:50 0 d--h--w- c:\windows\msdownld.tmp
2009-10-28 11:16:46 0 ----a-w- c:\windows\Pfogu.bin
2009-10-28 11:16:45 120 ----a-w- c:\windows\Eyahisefaco.dat
2009-10-27 11:17:13 41472 ----a-w- c:\windows\system32\sys.dat
2009-10-16 19:35:49 0 d-----w- c:\program files\Kodak
2009-10-16 19:34:19 0 d-----w- c:\docume~1\alluse~1\applic~1\Kodak

==================== Find3M ====================


============= FINISH: 9:21:55.13 ===============
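As an added example (not code from this thread, nor from HijackThis, DDS or ComboFix), here is a small Python triage script that applies a few defender-side heuristics to lines of the kind shown in the HijackThis log in the first post and in the DDS output above: an extra executable on the Winlogon Userinit line, a BHO whose DLL is missing, rundll32 loading a DLL from the Windows directory root, a service with no company name running out of Application Data, and a non-default LSA notification package. The sample lines are constructed from entries in those two logs; the WINDIR constant and the rule set are assumptions of the example, and its hits are prompts to look closer rather than verdicts.

```python
"""Triage helper for HijackThis / DDS style autostart listings.

Added example for this thread; not code from the original posts and not
from HijackThis, DDS or ComboFix.  The sample lines are constructed from
entries that appear in the logs above; the rules are ordinary defender
heuristics (assumptions of this example), not the verdicts of any tool.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines in HijackThis (Fn/On) form plus one DDS line.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: Microsoft Online Helper! - {24979EB2-B1F8-4EC4-9C31-44D7EFABC474} - %SystemRoot%\system32\beghghk.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [MyWebSearch Plugin] rundll32 C:\PROGRA~1\MYWEBS~1\bar\2.bin\M3PLUGIN.DLL,UPF
O4 - HKLM\..\Run: [Szojowayewecigi] rundll32.exe "C:\WINDOWS\aporuzif.dll",Startup
O23 - Service: KwinzySrch Service - Unknown owner - C:\Documents and Settings\All Users\Application Data\KwinzySrch\kwinzy149.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
LSA: Notification Packages = scecli rasaxt40.dll
"""

WINDIR = r"c:\windows"   # assumed system root; adjust for the machine under review


@dataclass
class Finding:
    section: str   # HijackThis section tag ("F2", "O4", ...) or the DDS key
    reason: str
    line: str


def _tag(line: str) -> str:
    """Return the HijackThis section tag, or the key before ':' for DDS lines."""
    m = re.match(r"^([A-Z]\d+) - ", line)
    return m.group(1) if m else line.split(":", 1)[0].strip()


def check_line(line: str) -> Optional[Finding]:
    """Apply the heuristics to one log line; return a Finding or None."""
    line = line.strip()
    if not line:
        return None
    tag = _tag(line)
    low = line.lower()

    # 1. Winlogon Userinit: by default only userinit.exe is listed.  Anything
    #    appended after it runs at every logon and deserves a look.
    m = re.search(r"userinit=(.*)$", line, re.IGNORECASE)
    if m:
        entries = [p.strip() for p in m.group(1).split(",") if p.strip()]
        extra = [p for p in entries if not p.lower().endswith("\\userinit.exe")]
        if extra:
            return Finding(tag, "extra Userinit entry: " + ", ".join(extra), line)

    # 2. A BHO whose DLL HijackThis could not find: removed by AV, or never
    #    where the registry says it is.
    if tag == "O2" and "(file missing)" in low:
        return Finding(tag, "BHO registered but its DLL is missing", line)

    # 3. rundll32 loading a DLL that sits directly in the Windows directory
    #    rather than in system32 or a program folder.
    m = re.search(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)', line, re.IGNORECASE)
    if m:
        parent = m.group(1).lower().rsplit("\\", 1)[0]
        if parent == WINDIR:
            return Finding(tag, "rundll32 loads a DLL from the Windows directory root", line)

    # 4. A service with no company name running out of Application Data.
    if tag == "O23" and "unknown owner" in low and "application data" in low:
        return Finding(tag, "service with no company name running from Application Data", line)

    # 5. LSA notification packages: scecli is the default; any other DLL
    #    here is loaded into lsass.exe and notified of password changes.
    m = re.search(r"notification packages\s*=\s*(.*)$", line, re.IGNORECASE)
    if m:
        pkgs = [p for p in m.group(1).split() if p.lower() != "scecli"]
        if pkgs:
            return Finding(tag, "non-default LSA notification package: " + ", ".join(pkgs), line)

    return None


def triage(log_text: str) -> List[Finding]:
    """Run check_line over every line and keep the hits, in log order."""
    return [f for f in map(check_line, log_text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Running the block prints the flagged lines in log order. Legitimate software occasionally trips the same rules (a vendor password filter under LSA, for instance), so each hit is a reason to check the file's origin and signature, not a removal decision on its own.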

#4 Elise

Bleepin' Blonde
  • Malware Study Hall Admin
  • 60,816 posts
  • Location:Romania

Posted 10 November 2009 - 04:25 AM

If this is a work computer, please ask your System Administrator to fix this problem. After all he is paid to do so.

If I am mistaken and this computer is used for personal use, please let me know and I will provide you with further steps.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#5 new_mm

  • Topic Starter
  • Members
  • 55 posts

Posted 10 November 2009 - 08:47 AM

This is a personal computer. I am going to school for IT, and some of my co-workers know this and sometimes ask me for help. I was unable to help, so that is why I turned here for help. I also have another post that was closed because someone thought it was a double post and it was not. If someone could help me with both issues it would be appreciated.

Thanks,
Nick

#6 Elise

Bleepin' Blonde
  • Malware Study Hall Admin
  • 60,816 posts
  • Location:Romania

Posted 10 November 2009 - 09:47 AM

Hello new_mm,

I see that both logs are indeed different. The problem is that both logs use the ultra-met.com domain. This is a corporate domain. I will be able to help you, but it would be a good idea to let a system administrator know of this.

I re-opened your other topic.

UNINSTALL PROGRAMS
--------------------------------
Go to Start > Control Panel > Add or Remove Programs.

Remove the following programs, if they are present.
  • My Web Search (My Fun Cards)
  • My.Freeze.com NetAssistant
If you are unsure of how to use Add or Remove Programs, then please see this tutorial:
How To Remove An Installed Program From Your Computer


COMBOFIX
---------------
Please download ComboFix from one of these locations: Bleepingcomputer or ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


In your next reply, please include the following:
  • Combofix.txt

regards, Elise




#7 Elise

Bleepin' Blonde
  • Malware Study Hall Admin
  • 60,816 posts
  • Location:Romania

Posted 10 November 2009 - 12:35 PM

Please note also my previous post. Combofix is currently off-line, please keep checking the download link.

EDIT ~ it's back up now, please run it as instructed.

Edited by elise025, 11 November 2009 - 07:09 AM.

regards, Elise




#8 new_mm

  • Topic Starter
  • Members
  • 55 posts

Posted 11 November 2009 - 10:17 AM

Ok, I deleted the programs you listed in your previous post, and I ran ComboFix. I will post the log below. After running ComboFix another virus was found using Norton and I will post the notification below also.

ComboFix

ComboFix 09-11-09.02 - barb 11/11/2009 9:55.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.328 [GMT -5:00]
Running from: c:\documents and settings\barb\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
c:\documents and settings\barb\Application Data\wiaservg.log
C:\setup.exe
c:\windows\aporuzif.dll
c:\windows\COUPON~1.OCX
c:\windows\CouponPrinter.ocx
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\lowsec\user.ds.lll
c:\windows\system32\sdra64.exe
c:\windows\system32\sys.dat
c:\windows\system32\wbem\proquota.exe

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((( Files Created from 2009-10-11 to 2009-11-11 )))))))))))))))))))))))))))))))
.

2009-11-11 15:03 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-11-11 15:03 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-11-05 12:08 . 2009-11-04 13:25 58856 ----a-w- c:\documents and settings\All Users\Application Data\KwinzySrch\kwinzy153.exe
2009-11-02 18:27 . 2009-11-02 18:27 -------- d-----w- c:\program files\Trend Micro
2009-11-02 17:43 . 2009-11-02 17:43 -------- d-sh--w- c:\windows\system32\config\systemprofile\UserData
2009-11-02 14:46 . 2009-11-02 14:46 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-11-02 14:46 . 2009-11-02 14:46 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\PriceGong
2009-11-02 14:46 . 2009-11-02 14:46 -------- d-sh--w- c:\windows\system32\config\systemprofile\IECompatCache
2009-11-02 14:46 . 2009-11-02 14:46 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2009-10-29 18:24 . 2009-10-29 18:24 -------- d-sh--w- c:\documents and settings\barb\IECompatCache
2009-10-29 18:24 . 2009-10-29 18:24 -------- d-sh--w- c:\documents and settings\barb\PrivacIE
2009-10-29 17:23 . 2009-10-29 17:23 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-29 17:22 . 2009-10-29 17:22 -------- d-sh--w- c:\documents and settings\barb\IETldCache
2009-10-29 17:17 . 2009-10-29 17:18 -------- dc-h--w- c:\windows\ie8
2009-10-29 17:16 . 2009-10-29 17:16 -------- d-----w- c:\program files\Microsoft Silverlight
2009-10-29 17:15 . 2009-10-29 17:20 -------- d--h--w- c:\windows\msdownld.tmp
2009-10-28 11:16 . 2009-11-11 12:10 0 ----a-w- c:\windows\Pfogu.bin
2009-10-28 11:16 . 2009-11-11 14:38 120 ----a-w- c:\windows\Eyahisefaco.dat
2009-10-28 11:16 . 2009-10-28 11:16 -------- d-----w- c:\documents and settings\barb\Local Settings\Application Data\{A946C0E4-85DB-47D5-A9A3-C2225EADDC4B}
2009-10-16 19:35 . 2009-10-30 15:06 -------- d-----w- c:\program files\Kodak
2009-10-16 19:34 . 2009-10-30 15:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Kodak

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-05 12:10 . 2009-07-16 10:52 -------- d-----w- c:\program files\KwinzySrch
2009-11-05 12:09 . 2009-07-16 10:52 -------- d-----w- c:\documents and settings\All Users\Application Data\KwinzySrch
2009-10-21 18:27 . 2008-08-19 16:04 -------- d-----w- c:\program files\Common Files\Adobe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{24979EB2-B1F8-4EC4-9C31-44D7EFABC474}]
2008-04-14 00:11 438368 ----a-w- c:\windows\system32\beghghk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D2A2595C-4FE4-4315-AA9B-19DBD6271B71}]
2009-03-09 02:09 271672 ----a-w- c:\program files\PriceGong\1.2.0\PriceGongIE.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-01-23 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-01-23 126976]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"vptray"="c:\program files\NavNT\vptray.exe" [2001-09-24 73728]
"pdfFactory Dispatcher v2"="c:\windows\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" [2003-11-11 385024]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
printkey.exe [2002-4-5 589824]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli rasaxt40.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"\\\\Vantage\\epicor\\prgs91d\\bin\\prowin32.exe"=
"c:\\Program Files\\FileMaker\\FileMaker Pro 8.5\\FileMaker Pro.exe"=

R2 KwinzySrch Service;KwinzySrch Service;c:\documents and settings\All Users\Application Data\KwinzySrch\kwinzy153.exe [11/5/2009 7:08 AM 58856]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
*Deregistered* - PROCEXP113

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZRxdm603QPUS&fl=0&ptb=jAkLWQlOzTBgM1KTpVGyTA&ind=2009070108&url=http://cap.ask.com/web&q={searchTerms}&l=zz&o=sb&gcht=qp
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKLM-Run-Szojowayewecigi - c:\windows\aporuzif.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-11 10:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(496)
c:\windows\system32\NavLogon.dll

- - - - - - - > 'lsass.exe'(696)
c:\windows\rasaxt40.dll
.
Completion time: 2009-11-11 10:09
ComboFix-quarantined-files.txt 2009-11-11 15:08

Pre-Run: 30,576,447,488 bytes free
Post-Run: 31,086,862,336 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - 11149423C898FB510C0B8893234C3A47

Norton Notification

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Trojan Horse
File: C:\WINDOWS\rasaxt40.dll
Location: C:\WINDOWS
Action taken: Clean failed : Quarantine failed : Access denied
Date found: Wed Nov 11 10:13:32 2009
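As an added illustration of the log above (this is example code, not part of the thread and not ComboFix's own code), the following Python parses the "DLLs Loaded Under Running Processes" section of a ComboFix log and flags any module that lsass.exe or winlogon.exe has loaded from outside c:\windows\system32, which is exactly the pattern c:\windows\rasaxt40.dll shows in this post. The log excerpt is constructed from the lines above; the list of sensitive processes and the directory rule are my assumptions.

```python
"""Flag unusual modules loaded into logon-critical processes in a ComboFix log.

Added example for this thread; it is not ComboFix's code. Section layout and
sample lines follow the log posted above.
"""
import re
from typing import Dict, List, Tuple

SECTION_HEADER = "DLLs Loaded Under Running Processes"
# ComboFix prints each process as:  - - - - - - - > 'lsass.exe'(696)
_PROC_RE = re.compile(r"^- - - - - - - > '(?P<proc>[^']+)'\((?P<pid>\d+)\)\s*$")

# Assumption: modules in these processes should normally live in system32.
SENSITIVE_PROCESSES = frozenset({"lsass.exe", "winlogon.exe"})
EXPECTED_DIR = r"c:\windows\system32"

# Constructed excerpt, copied from the log in this post.
SAMPLE_LOG = r"""
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(496)
c:\windows\system32\NavLogon.dll

- - - - - - - > 'lsass.exe'(696)
c:\windows\rasaxt40.dll
.
Completion time: 2009-11-11 10:09
"""


def parse_loaded_dlls(log_text: str) -> Dict[Tuple[str, int], List[str]]:
    """Return {(process, pid): [module paths]} for the DLLs section."""
    loaded: Dict[Tuple[str, int], List[str]] = {}
    in_section = False
    current = None
    for line in log_text.splitlines():
        if SECTION_HEADER in line:
            in_section = True
            continue
        if not in_section:
            continue
        if line.strip() == ".":          # ComboFix closes a section with a lone dot
            break
        match = _PROC_RE.match(line)
        if match:
            current = (match.group("proc").lower(), int(match.group("pid")))
            loaded[current] = []
        elif current is not None and line.strip():
            loaded[current].append(line.strip())
    return loaded


def flag_modules(loaded: Dict[Tuple[str, int], List[str]],
                 sensitive=SENSITIVE_PROCESSES,
                 expected_dir: str = EXPECTED_DIR) -> List[Tuple[str, int, str]]:
    """List (process, pid, path) for modules outside expected_dir in sensitive processes."""
    hits = []
    for (proc, pid), paths in loaded.items():
        if proc not in sensitive:
            continue
        for path in paths:
            directory, _, _ = path.lower().rpartition("\\")
            if directory != expected_dir.lower():
                hits.append((proc, pid, path))
    return hits


if __name__ == "__main__":
    for proc, pid, path in flag_modules(parse_loaded_dlls(SAMPLE_LOG)):
        print(f"{proc} (pid {pid}) loaded {path} from outside {EXPECTED_DIR}")
```

The rule is a triage aid, not proof of cleanliness: a module living in system32 is not automatically benign (the BHO beghghk.dll on this same machine sits in system32), so a hit here tells you where to look first, and the absence of hits tells you nothing on its own.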

#9 Elise (Malware Study Hall Admin)

Posted 11 November 2009 - 11:17 AM

Quick note: please ignore that Norton warning. We do need to fix this, but if Norton cleans it, you might have problems logging into Windows.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#10 Elise (Malware Study Hall Admin)

Posted 11 November 2009 - 12:43 PM

Hello new_mm,

BACKDOOR WARNING
------------------------------
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


I missed a program to be uninstalled. Could you please also uninstall Kwinzy 1.0.


CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
File::
C:\WINDOWS\rasaxt40.dll
c:\windows\Eyahisefaco.dat
c:\windows\Pfogu.bin

Folder::
c:\documents and settings\barb\Local Settings\Application Data\{A946C0E4-85DB-47D5-A9A3-C2225EADDC4B}

Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00

DDS::
uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZRxdm603QPUS&fl=0&ptb=jAkLWQlOzTBgM1KTpVGyTA&ind=2009070108&url=http://cap.ask.com/web&q={searchTerms}&l=zz&
Save this as CFScript.txt, in the same location as ComboFix.exe

[Image: dragging CFScript.txt onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


In your next reply, please include the following:
  • Combofix.txt

regards, Elise


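The Registry:: section of the CFScript above resets the LSA "Notification Packages" value to a single entry. The value is written in .reg-export form, hex(7) meaning REG_MULTI_SZ: a run of NUL-terminated strings closed by an extra NUL, so 73,63,65,63,6c,69,00,00 is just "scecli" followed by the list terminator, and the extra rasaxt40.dll entry ComboFix showed in the earlier log (loaded into lsass.exe, which is why Norton could not touch it and why cleaning it carelessly can break logon) is dropped. As an added example that is not part of the thread and not ComboFix's code, the Python below decodes and encodes that hex(7) form, parses both the CFScript line and ComboFix's own "REG_MULTI_SZ scecli rasaxt40.dll" rendering, and reports any package outside a baseline. The baseline of only "scecli" is my assumption for a stand-alone XP workstation; servers and domain controllers legitimately register more, so adjust it per environment. The sample inputs are constructed from the lines in this thread.

```python
"""Decode/encode REG_MULTI_SZ hex(7) values and audit LSA Notification Packages.

Added example for this thread; not ComboFix's code. Uses the single-byte (REGEDIT4)
string encoding that the CFScript above uses.
"""
import re
from typing import Dict, List, Sequence

# Assumed known-good baseline for a stand-alone Windows XP workstation.
DEFAULT_PACKAGES = frozenset({"scecli"})

# Constructed sample: the Registry:: section of the CFScript in this post.
SAMPLE_CFSCRIPT = r"""
Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
"""

# Constructed sample of how the infected value would look in a .reg export,
# including the backslash line continuation .reg files use for long values.
SAMPLE_INFECTED = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,72,61,73,61,78,74,34,30,2e,64,6c,\
  6c,00,00
"""

_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=hex\(7\):(?P<hex>[0-9a-fA-F,]+)\s*$', re.M)


def _join_continuations(text: str) -> str:
    """Re-join hex values that a .reg export wrapped with a trailing backslash."""
    return re.sub(r",\\\s*\r?\n\s*", ",", text)


def decode_multi_sz(hex_field: str) -> List[str]:
    """'73,63,65,63,6c,69,00,00' -> ['scecli']; the first empty string ends the list."""
    raw = bytes(int(b, 16) for b in hex_field.split(",") if b.strip())
    items: List[str] = []
    for chunk in raw.decode("latin-1").split("\x00"):
        if chunk == "":
            break
        items.append(chunk)
    return items


def encode_multi_sz(items: Sequence[str]) -> str:
    """Inverse of decode_multi_sz, producing the hex(7):... form for a CFScript."""
    raw = b"".join(s.encode("latin-1") + b"\x00" for s in items) + b"\x00"
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)


def parse_reg_values(text: str) -> Dict[str, List[str]]:
    """Return {value name: decoded list} for every hex(7) value in a .reg / CFScript block."""
    text = _join_continuations(text)
    return {m.group("name"): decode_multi_sz(m.group("hex")) for m in _VALUE_RE.finditer(text)}


def parse_combofix_lsa_line(line: str) -> List[str]:
    """ComboFix's own rendering: 'Notification Packages REG_MULTI_SZ scecli rasaxt40.dll'."""
    m = re.match(r"^\s*Notification Packages\s+REG_MULTI_SZ\s+(.*)$", line)
    return m.group(1).split() if m else []


def unexpected_packages(packages: Sequence[str], baseline=DEFAULT_PACKAGES) -> List[str]:
    """Packages not in the baseline; every one of these is a DLL lsass.exe will load at boot."""
    known = {b.lower() for b in baseline}
    return [p for p in packages if p.lower() not in known]


if __name__ == "__main__":
    seen = parse_combofix_lsa_line("Notification Packages REG_MULTI_SZ scecli rasaxt40.dll")
    print("unexpected:", unexpected_packages(seen))
    print("clean value:", encode_multi_sz(list(DEFAULT_PACKAGES)))
```

Because lsass.exe loads every listed package during startup, a wrong edit here (an empty list, a typo in "scecli") is as disruptive as the infection, which is why the script rewrites the whole value rather than deleting it and why the encoder above is worth round-tripping through the decoder before use.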


#11 new_mm (Topic Starter)

Posted 12 November 2009 - 11:35 AM

Ok, thank you for the information. We are going to proceed and attempt to remove the virus. I have uninstalled the program you listed. I also copied the code into a txt file and followed the instructions provided. ComboFix did notify me of an upgrade and I did allow it to upgrade. I will post the ComboFix log below.

Combofix Log

ComboFix 09-11-11.02 - barb 11/12/2009 11:12.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.304 [GMT -5:00]
Running from: c:\documents and settings\barb\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\barb\Desktop\CFScript.txt

FILE ::
"c:\windows\Eyahisefaco.dat"
"c:\windows\Pfogu.bin"
"c:\windows\rasaxt40.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\barb\Local Settings\Application Data\{A946C0E4-85DB-47D5-A9A3-C2225EADDC4B}
c:\documents and settings\barb\Local Settings\Application Data\{A946C0E4-85DB-47D5-A9A3-C2225EADDC4B}\chrome.manifest
c:\documents and settings\barb\Local Settings\Application Data\{A946C0E4-85DB-47D5-A9A3-C2225EADDC4B}\chrome\content\_cfg.js
c:\documents and settings\barb\Local Settings\Application Data\{A946C0E4-85DB-47D5-A9A3-C2225EADDC4B}\chrome\content\overlay.xul
c:\documents and settings\barb\Local Settings\Application Data\{A946C0E4-85DB-47D5-A9A3-C2225EADDC4B}\install.rdf
c:\windows\Eyahisefaco.dat
c:\windows\Pfogu.bin
c:\windows\rasaxt40.dll

.
((((((((((((((((((((((((( Files Created from 2009-10-12 to 2009-11-12 )))))))))))))))))))))))))))))))
.

2009-11-11 15:03 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-11-11 15:03 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-11-02 18:27 . 2009-11-02 18:27 -------- d-----w- c:\program files\Trend Micro
2009-11-02 17:43 . 2009-11-02 17:43 -------- d-sh--w- c:\windows\system32\config\systemprofile\UserData
2009-11-02 14:46 . 2009-11-02 14:46 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-11-02 14:46 . 2009-11-02 14:46 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\PriceGong
2009-11-02 14:46 . 2009-11-02 14:46 -------- d-sh--w- c:\windows\system32\config\systemprofile\IECompatCache
2009-11-02 14:46 . 2009-11-02 14:46 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2009-10-29 18:24 . 2009-10-29 18:24 -------- d-sh--w- c:\documents and settings\barb\IECompatCache
2009-10-29 18:24 . 2009-10-29 18:24 -------- d-sh--w- c:\documents and settings\barb\PrivacIE
2009-10-29 17:23 . 2009-10-29 17:23 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-29 17:22 . 2009-10-29 17:22 -------- d-sh--w- c:\documents and settings\barb\IETldCache
2009-10-29 17:17 . 2009-10-29 17:18 -------- dc-h--w- c:\windows\ie8
2009-10-29 17:16 . 2009-10-29 17:16 -------- d-----w- c:\program files\Microsoft Silverlight
2009-10-29 17:15 . 2009-10-29 17:20 -------- d--h--w- c:\windows\msdownld.tmp
2009-10-16 19:35 . 2009-10-30 15:06 -------- d-----w- c:\program files\Kodak
2009-10-16 19:34 . 2009-10-30 15:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Kodak

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-21 18:27 . 2008-08-19 16:04 -------- d-----w- c:\program files\Common Files\Adobe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{24979EB2-B1F8-4EC4-9C31-44D7EFABC474}]
2008-04-14 00:11 438368 ----a-w- c:\windows\system32\beghghk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D2A2595C-4FE4-4315-AA9B-19DBD6271B71}]
2009-03-09 02:09 271672 ----a-w- c:\program files\PriceGong\1.2.0\PriceGongIE.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-01-23 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-01-23 126976]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"vptray"="c:\program files\NavNT\vptray.exe" [2001-09-24 73728]
"pdfFactory Dispatcher v2"="c:\windows\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" [2003-11-11 385024]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
printkey.exe [2002-4-5 589824]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"\\\\Vantage\\epicor\\prgs91d\\bin\\prowin32.exe"=
"c:\\Program Files\\FileMaker\\FileMaker Pro 8.5\\FileMaker Pro.exe"=


--- Other Services/Drivers In Memory ---

*Deregistered* - mbr

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZRxdm603QPUS&fl=0&ptb=jAkLWQlOzTBgM1KTpVGyTA&ind=2009070108&url=http://cap.ask.com/web&q={searchTerms}&l=zz&o=sb&gcht=qp
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-12 11:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(496)
c:\windows\system32\NavLogon.dll

- - - - - - - > 'explorer.exe'(3416)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\NavNT\defwatch.exe
c:\program files\NavNT\rtvscan.exe
c:\windows\system32\MsgSys.EXE
c:\documents and settings\All Users\Start Menu\Programs\Startup\printkey.exe
.
**************************************************************************
.
Completion time: 2009-11-12 11:25 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-12 16:25
ComboFix2.txt 2009-11-11 15:09

Pre-Run: 31,024,701,440 bytes free
Post-Run: 31,036,063,744 bytes free

- - End Of File - - DD99E72592E222FB0ED515430CF51FEC

#12 Elise (Malware Study Hall Admin)

Posted 12 November 2009 - 12:24 PM

Hello new_mm,

CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
File::
c:\windows\system32\beghghk.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{24979EB2-B1F8-4EC4-9C31-44D7EFABC474}]
Save this as CFScript.txt, in the same location as ComboFix.exe

[Image: dragging CFScript.txt onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


MALWAREBYTES ANTIMALWARE
-------------------------------------------
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files.
  • Right-click on mbam.exe, rename it to myscan.exe.
  • Double-click on myscan.exe to launch the program.
  • If that did not work, then try renaming and change the .exe extension in the same way as noted above.
  • Double-click on myscan.scr (or whatever extension you renamed it) to launch the program.
If using Windows Vista, refer to How to Change a File Extension in Windows Vista.


In your next reply, please include the following:
  • Combofix.txt
  • MBAM log

regards, Elise




#13 new_mm (Topic Starter)

Posted 12 November 2009 - 04:53 PM

Ok, I ran the combofix with the code requested and I also ran AntiMalware. I will post the logs below.

Combofix Log

ComboFix 09-11-13.03 - barb 11/12/2009 16:05.3.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.304 [GMT -5:00]
Running from: c:\documents and settings\barb\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\barb\Desktop\CFScript.txt

FILE ::
"c:\windows\system32\beghghk.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\beghghk.dll

.
((((((((((((((((((((((((( Files Created from 2009-10-12 to 2009-11-12 )))))))))))))))))))))))))))))))
.

2009-11-11 15:03 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-11-11 15:03 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-11-02 18:27 . 2009-11-02 18:27 -------- d-----w- c:\program files\Trend Micro
2009-11-02 17:43 . 2009-11-02 17:43 -------- d-sh--w- c:\windows\system32\config\systemprofile\UserData
2009-11-02 14:46 . 2009-11-02 14:46 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-11-02 14:46 . 2009-11-02 14:46 -------- d-sh--w- c:\windows\system32\config\systemprofile\IECompatCache
2009-10-29 18:24 . 2009-10-29 18:24 -------- d-sh--w- c:\documents and settings\barb\IECompatCache
2009-10-29 18:24 . 2009-10-29 18:24 -------- d-sh--w- c:\documents and settings\barb\PrivacIE
2009-10-29 17:23 . 2009-10-29 17:23 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-29 17:22 . 2009-10-29 17:22 -------- d-sh--w- c:\documents and settings\barb\IETldCache
2009-10-29 17:17 . 2009-10-29 17:18 -------- dc-h--w- c:\windows\ie8
2009-10-29 17:16 . 2009-10-29 17:16 -------- d-----w- c:\program files\Microsoft Silverlight
2009-10-29 17:15 . 2009-10-29 17:20 -------- d--h--w- c:\windows\msdownld.tmp
2009-10-16 19:35 . 2009-10-30 15:06 -------- d-----w- c:\program files\Kodak
2009-10-16 19:34 . 2009-10-30 15:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Kodak

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-21 18:27 . 2008-08-19 16:04 -------- d-----w- c:\program files\Common Files\Adobe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D2A2595C-4FE4-4315-AA9B-19DBD6271B71}]
2009-03-09 02:09 271672 ----a-w- c:\program files\PriceGong\1.2.0\PriceGongIE.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-01-23 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-01-23 126976]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"vptray"="c:\program files\NavNT\vptray.exe" [2001-09-24 73728]
"pdfFactory Dispatcher v2"="c:\windows\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" [2003-11-11 385024]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
printkey.exe [2002-4-5 589824]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"\\\\Vantage\\epicor\\prgs91d\\bin\\prowin32.exe"=
"c:\\Program Files\\FileMaker\\FileMaker Pro 8.5\\FileMaker Pro.exe"=


--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
*Deregistered* - PROCEXP113

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZRxdm603QPUS&fl=0&ptb=jAkLWQlOzTBgM1KTpVGyTA&ind=2009070108&url=http://cap.ask.com/web&q={searchTerms}&l=zz&o=sb&gcht=qp
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-12 16:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(492)
c:\windows\system32\NavLogon.dll
.
Completion time: 2009-11-12 16:13
ComboFix-quarantined-files.txt 2009-11-12 21:13
ComboFix2.txt 2009-11-12 16:25
ComboFix3.txt 2009-11-11 15:09

Pre-Run: 31,056,486,400 bytes free
Post-Run: 31,042,318,336 bytes free

- - End Of File - - 02D29F20912FDF0B976CE652F4F8E822


AntiMalware Log

Malwarebytes' Anti-Malware 1.41
Database version: 3156
Windows 5.1.2600 Service Pack 3

11/12/2009 4:42:07 PM
mbam-log-2009-11-12 (16-42-07).txt

Scan type: Full Scan (C:\|)
Objects scanned: 152053
Time elapsed: 20 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 18
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 61

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\beghghk.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\sys.dat.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\wbem\proquota.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1CC64A03-C6DF-4185-A5B6-ECD4D7D1A022}\RP187\A0014104.exe (Adware.Ziniky) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1CC64A03-C6DF-4185-A5B6-ECD4D7D1A022}\RP188\A0014125.exe (Adware.Ziniky) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1CC64A03-C6DF-4185-A5B6-ECD4D7D1A022}\RP188\A0014132.exe (Adware.Ziniky) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1CC64A03-C6DF-4185-A5B6-ECD4D7D1A022}\RP189\A0014181.exe (Adware.Ziniky) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1CC64A03-C6DF-4185-A5B6-ECD4D7D1A022}\RP200\A0015713.exe (Adware.Ziniky) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1CC64A03-C6DF-4185-A5B6-ECD4D7D1A022}\RP200\A0015724.exe (Adware.Ziniky) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1CC64A03-C6DF-4185-A5B6-ECD4D7D1A022}\RP202\A0015852.exe (Adware.Ziniky) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1CC64A03-C6DF-4185-A5B6-ECD4D7D1A022}\RP203\A0015971.exe (Adware.Ziniky) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1CC64A03-C6DF-4185-A5B6-ECD4D7D1A022}\RP205\A0016102.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1CC64A03-C6DF-4185-A5B6-ECD4D7D1A022}\RP206\A0016130.exe (Adware.Ziniky) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1CC64A03-C6DF-4185-A5B6-ECD4D7D1A022}\RP211\A0016238.exe (Adware.Ziniky) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1CC64A03-C6DF-4185-A5B6-ECD4D7D1A022}\RP211\A0016295.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1CC64A03-C6DF-4185-A5B6-ECD4D7D1A022}\RP211\A0016309.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1CC64A03-C6DF-4185-A5B6-ECD4D7D1A022}\RP212\A0016652.exe (Adware.Ziniky) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1CC64A03-C6DF-4185-A5B6-ECD4D7D1A022}\RP213\A0016677.exe (Adware.Ziniky) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1CC64A03-C6DF-4185-A5B6-ECD4D7D1A022}\RP213\A0016685.exe (Adware.Ziniky) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1CC64A03-C6DF-4185-A5B6-ECD4D7D1A022}\RP213\A0016688.exe (Adware.Ziniky) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1CC64A03-C6DF-4185-A5B6-ECD4D7D1A022}\RP215\A0016838.scr (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1CC64A03-C6DF-4185-A5B6-ECD4D7D1A022}\RP215\A0016846.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1CC64A03-C6DF-4185-A5B6-ECD4D7D1A022}\RP215\A0016847.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1CC64A03-C6DF-4185-A5B6-ECD4D7D1A022}\RP215\A0016848.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1CC64A03-C6DF-4185-A5B6-ECD4D7D1A022}\RP215\A0016849.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1CC64A03-C6DF-4185-A5B6-ECD4D7D1A022}\RP215\A0016850.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1CC64A03-C6DF-4185-A5B6-ECD4D7D1A022}\RP215\A0016855.SCR (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1CC64A03-C6DF-4185-A5B6-ECD4D7D1A022}\RP215\A0016856.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1CC64A03-C6DF-4185-A5B6-ECD4D7D1A022}\RP215\A0016858.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1CC64A03-C6DF-4185-A5B6-ECD4D7D1A022}\RP215\A0016863.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1CC64A03-C6DF-4185-A5B6-ECD4D7D1A022}\RP215\A0016864.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1CC64A03-C6DF-4185-A5B6-ECD4D7D1A022}\RP215\A0016865.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1CC64A03-C6DF-4185-A5B6-ECD4D7D1A022}\RP215\A0016866.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1CC64A03-C6DF-4185-A5B6-ECD4D7D1A022}\RP215\A0016867.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1CC64A03-C6DF-4185-A5B6-ECD4D7D1A022}\RP215\A0016868.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1CC64A03-C6DF-4185-A5B6-ECD4D7D1A022}\RP215\A0016887.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1CC64A03-C6DF-4185-A5B6-ECD4D7D1A022}\RP215\A0016870.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1CC64A03-C6DF-4185-A5B6-ECD4D7D1A022}\RP215\A0016871.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1CC64A03-C6DF-4185-A5B6-ECD4D7D1A022}\RP215\A0016872.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1CC64A03-C6DF-4185-A5B6-ECD4D7D1A022}\RP215\A0016873.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1CC64A03-C6DF-4185-A5B6-ECD4D7D1A022}\RP215\A0016874.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1CC64A03-C6DF-4185-A5B6-ECD4D7D1A022}\RP215\A0016875.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1CC64A03-C6DF-4185-A5B6-ECD4D7D1A022}\RP215\A0016876.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1CC64A03-C6DF-4185-A5B6-ECD4D7D1A022}\RP215\A0016877.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1CC64A03-C6DF-4185-A5B6-ECD4D7D1A022}\RP215\A0016886.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1CC64A03-C6DF-4185-A5B6-ECD4D7D1A022}\RP215\A0016889.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1CC64A03-C6DF-4185-A5B6-ECD4D7D1A022}\RP215\A0016890.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1CC64A03-C6DF-4185-A5B6-ECD4D7D1A022}\RP215\A0016891.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1CC64A03-C6DF-4185-A5B6-ECD4D7D1A022}\RP215\A0016892.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1CC64A03-C6DF-4185-A5B6-ECD4D7D1A022}\RP215\A0016893.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1CC64A03-C6DF-4185-A5B6-ECD4D7D1A022}\RP215\A0016897.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1CC64A03-C6DF-4185-A5B6-ECD4D7D1A022}\RP216\A0016918.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1CC64A03-C6DF-4185-A5B6-ECD4D7D1A022}\RP216\A0016948.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1CC64A03-C6DF-4185-A5B6-ECD4D7D1A022}\RP216\A0016970.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1CC64A03-C6DF-4185-A5B6-ECD4D7D1A022}\RP216\A0018055.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1CC64A03-C6DF-4185-A5B6-ECD4D7D1A022}\RP216\A0018231.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1CC64A03-C6DF-4185-A5B6-ECD4D7D1A022}\RP217\A0018316.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1CC64A03-C6DF-4185-A5B6-ECD4D7D1A022}\RP217\A0018396.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1CC64A03-C6DF-4185-A5B6-ECD4D7D1A022}\RP217\A0018478.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1CC64A03-C6DF-4185-A5B6-ECD4D7D1A022}\RP175\A0012522.exe (Adware.Ziniky) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1CC64A03-C6DF-4185-A5B6-ECD4D7D1A022}\RP176\A0012592.exe (Adware.Ziniky) -> Quarantined and deleted successfully.

#14 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 60,816 posts
  • Gender:Female
  • Location:Romania
  • Local time:12:43 AM

Posted 13 November 2009 - 04:05 AM

Looks better :( MBAM detected only some quarantined and System Restore items and cleaned a few registry remnants.

How is everything running now?

Can you please post me a new DDS log (no need for attach.txt)?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft
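Elise's reading of the MBAM results above (only restore-point and quarantine copies, nothing in a live location) is the kind of check that can be scripted. The Python below is an added example, not part of the original thread and not Malwarebytes' own tooling: it parses lines in the "Files Infected" format MBAM used, classifies each hit by where the file lived, and lists the restore points that hold infected copies. The sample log is constructed for the example: the three restore-point lines are copied from the log above, while the Qoobox line (ComboFix's C:\Qoobox\Quarantine folder) and the system32 line with the hypothetical file name evil.dll are made up to exercise the quarantine and active branches.

```python
import re
from collections import Counter

# Constructed sample in the format of MBAM's "Files Infected" section. The three
# restore-point lines are taken from the posted log; the Qoobox line and the
# system32 line are made up here to exercise the quarantine and active branches.
SAMPLE_LOG = r"""
C:\System Volume Information\_restore{1CC64A03-C6DF-4185-A5B6-ECD4D7D1A022}\RP216\A0016970.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1CC64A03-C6DF-4185-A5B6-ECD4D7D1A022}\RP217\A0018396.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1CC64A03-C6DF-4185-A5B6-ECD4D7D1A022}\RP215\A0016847.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\isqsys32.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\evil.dll (Trojan.Vundo) -> Delete on reboot.
"""

# "<path> (<detection>) -> <action>." ; the lazy path group lets directory names
# such as "Program Files (x86)" pass through without being taken for the detection.
RESULT_RE = re.compile(r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")
# XP System Restore snapshot: \System Volume Information\_restore{GUID}\RPnnn\A00nnnnn.ext
RESTORE_RE = re.compile(
    r"\\system volume information\\_restore\{[0-9a-f-]+\}\\rp(?P<rp>\d+)\\", re.I)
# ComboFix keeps what it removed under C:\Qoobox\Quarantine; extend for other tools.
QUARANTINE_DIRS = ("\\qoobox\\quarantine\\",)


def parse_line(line):
    """Return a dict for one MBAM result line, or None if the line is not one."""
    m = RESULT_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    rp = RESTORE_RE.search(path)
    if rp:
        location = "restore_point"          # dormant copy inside a restore point
    elif any(q in path.lower() for q in QUARANTINE_DIRS):
        location = "quarantine"             # already neutralised by another tool
    else:
        location = "active"                 # a live file: this still matters
    return {
        "path": path,
        "detection": m.group("detection"),
        "action": m.group("action"),
        "location": location,
        "restore_point": int(rp.group("rp")) if rp else None,
    }


def triage(log_text):
    """Bucket every hit by location and family; list the restore points touched."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    return {
        "entries": entries,
        "by_location": Counter(e["location"] for e in entries),
        "by_family": Counter(e["detection"] for e in entries),
        "active": [e for e in entries if e["location"] == "active"],
        "restore_points": sorted({e["restore_point"] for e in entries
                                  if e["restore_point"] is not None}),
    }


def summary(log_text):
    """Short verdict of the kind a helper would post back to the thread."""
    r = triage(log_text)
    lines = ["%d hit(s): %s" % (len(r["entries"]), dict(r["by_location"]))]
    if r["restore_points"]:
        lines.append("restore points with infected copies: RP%s"
                     % ", RP".join(map(str, r["restore_points"])))
    for e in r["active"]:
        lines.append("STILL ACTIVE: %s (%s) -> %s" % (e["path"], e["detection"], e["action"]))
    if not r["active"]:
        lines.append("no active-location hits; only snapshot/quarantine copies")
    return lines


if __name__ == "__main__":
    print("\n".join(summary(SAMPLE_LOG)))
```

The A00nnnnn copies under _restore{GUID}\RPnnn are only brought back if someone rolls the machine back to that restore point, which is why the usual last step after a clean-up on XP is to purge old restore points (turn System Restore off and on again) and create a fresh one. Anything the script puts in the active bucket, or that MBAM reports as "Delete on reboot", is what still needs the reboot and a re-scan before the machine can be called clean.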


#15 new_mm

  • Topic Starter
  • Members
  • 55 posts
  • Local time:05:43 PM

Posted 13 November 2009 - 09:38 AM

As far as I can tell, the computer seems to be working alright. I ran the DDS and will paste the log below.

DDS Log


DDS (Ver_09-10-26.01) - NTFSx86
Run by barb at 9:19:01.31 on Fri 11/13/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.240 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\printkey.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN\Toolbar\3.0.1203.0\msntask.exe
C:\Documents and Settings\barb\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZRxdm603QPUS&fl=0&ptb=jAkLWQlOzTBgM1KTpVGyTA&ind=2009070108&url=http://cap.ask.com/web&q={searchTerms}&l=zz&o=sb&gcht=qp
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: PriceGongCtrl Class: {d2a2595c-4fe4-4315-aa9b-19dbd6271b71} - c:\program files\pricegong\1.2.0\PriceGongIE.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [vptray] c:\program files\navnt\vptray.exe
mRun: [pdfFactory Dispatcher v2] c:\windows\system32\spool\drivers\w32x86\3\fppdis2a.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\printkey.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos1.walmart.com/WalmartActivia.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1218635949910
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1218642618138
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
Notify: igfxcui - igfxsrvc.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-11-12 21:18:07 0 d-----w- c:\docume~1\barb\applic~1\Malwarebytes
2009-11-12 21:18:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-12 21:18:02 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-12 21:18:01 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-12 21:18:01 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-11 15:03:17 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-11-11 15:03:17 50176 ----a-w- c:\windows\system32\proquota.exe
2009-11-11 14:50:17 0 d-sha-r- C:\cmdcons
2009-11-11 14:48:10 98816 ----a-w- c:\windows\sed.exe
2009-11-11 14:48:10 77312 ----a-w- c:\windows\MBR.exe
2009-11-11 14:48:10 260608 ----a-w- c:\windows\PEV.exe
2009-11-11 14:48:10 161792 ----a-w- c:\windows\SWREG.exe
2009-11-02 18:27:34 0 d-----w- c:\program files\Trend Micro
2009-10-30 11:18:58 5 ----a-w- c:\windows\system32\Band4
2009-10-30 11:18:57 7 ----a-w- c:\windows\system32\Class11
2009-10-29 18:24:40 0 d-sh--w- c:\documents and settings\barb\IECompatCache
2009-10-29 18:24:15 0 d-sh--w- c:\documents and settings\barb\PrivacIE
2009-10-29 17:22:49 0 d-sh--w- c:\documents and settings\barb\IETldCache
2009-10-29 17:17:31 0 dc-h--w- c:\windows\ie8
2009-10-29 17:15:50 0 d--h--w- c:\windows\msdownld.tmp
2009-10-16 19:35:49 0 d-----w- c:\program files\Kodak
2009-10-16 19:34:19 0 d-----w- c:\docume~1\alluse~1\applic~1\Kodak

==================== Find3M ====================


============= FINISH: 9:19:34.04 ===============



