
Trojan.Agent (amongst others)


  • This topic is locked
4 replies to this topic

#1 gmiani

gmiani

  • Members
  • 4 posts
  • OFFLINE
  • Local time:04:28 AM

Posted 19 November 2009 - 12:32 AM

Working on cleaning up my sister-in-law's computer running XP SP3. A couple of weeks ago she contracted Trojan.Vundo and I was pretty sure I cleaned it all out. Fast forward to a couple of days ago and she's picked up quite a few more bugs: Backdoor.bot, Trojan.Agent, Rogue.Agent, and various forms thereof. She has had Norton running all this time and prior, with updates... but as I am aware, none of these programs are completely virus-proof.

I managed to clear out quite a bit of this mess, from malware reports of upwards of 41 instances down to 1 or 2 that keep popping up (mainly Trojan.Agent). Its main characteristic is that it creates dummy executables for everyday processes like jusched, hkcmd, oscheck, but the most telling one is that every time there's a reboot, Task Scheduler has new tasks (named At1, At2, ..., At24) that initiate a dummy exe called "acrotray.exe" that plants itself in the Program Files\Adobe folder.

My malware, HJT, and ComboFix logs follow. Thank you in advance for the help. Hopefully you guys can see something I'm missing.
-g

Just realized that my malware log isn't a log at all. In an effort to expedite, I am pasting in the other logs, although I uploaded them as directed in the sticky.

HIJACKTHIS LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:04:32 AM, on 11/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\dldfserv.exe
C:\WINDOWS\system32\dldfcoms.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jusched .exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\MsiExec.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Mike\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.net/Home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\6uq56ac0k .exe" /runcleanupscript
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1141599189296
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-09.sun.com/s/ESD7/JSCDL/jdk...ows-i586-jc.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: dldfCATSCustConnectService - Unknown owner - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\dldfserv.exe
O23 - Service: dldf_device - - C:\WINDOWS\system32\dldfcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 8492 bytes





COMBOFIX LOG

ComboFix 09-11-18.06 - Mike 11/19/2009 0:12.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1481 [GMT -5:00]
Running from: c:\documents and settings\Mike\Desktop\ComboFix.exe
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\ctfmon .exe
c:\windows\system32\hkcmd .exe

.
((((((((((((((((((((((((( Files Created from 2009-10-19 to 2009-11-19 )))))))))))))))))))))))))))))))
.

2009-11-19 05:08 . 2009-11-19 05:08 96468 ----a-w- c:\windows\system32\hkcmd.exe
2009-11-19 03:47 . 2009-11-19 03:47 -------- d-----w- c:\program files\CCleaner
2009-11-19 00:30 . 2004-08-10 11:00 7168 ----a-w- c:\windows\system32\dllcache\wamregps.dll
2009-11-19 00:30 . 2001-08-17 19:56 66048 ----a-w- c:\windows\system32\dllcache\s3legacy.dll
2009-11-19 00:29 . 2004-08-10 11:00 7680 ----a-w- c:\windows\system32\dllcache\inetmgr.exe
2009-11-19 00:29 . 2004-08-10 11:00 19968 ----a-w- c:\windows\system32\dllcache\inetsloc.dll
2009-11-19 00:29 . 2004-08-10 11:00 169984 ----a-w- c:\windows\system32\dllcache\iisui.dll
2009-11-19 00:29 . 2004-08-10 11:00 5632 ----a-w- c:\windows\system32\dllcache\iisrstap.dll
2009-11-19 00:29 . 2004-08-10 11:00 14336 ----a-w- c:\windows\system32\dllcache\iisreset.exe
2009-11-19 00:29 . 2004-08-10 11:00 6144 ----a-w- c:\windows\system32\dllcache\ftpsapi2.dll
2009-11-19 00:05 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-11-19 00:05 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-11-17 02:00 . 2009-11-17 02:00 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-11-07 19:02 . 2009-11-07 19:02 -------- d-----w- c:\documents and settings\Mike\Application Data\Malwarebytes
2009-11-07 19:02 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-07 19:02 . 2009-11-07 19:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-07 19:02 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-07 19:02 . 2009-11-19 05:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-07 15:15 . 2009-11-07 15:15 -------- d-----w- c:\windows\system32\scripting
2009-11-07 15:15 . 2009-11-07 15:15 -------- d-----w- c:\windows\l2schemas
2009-11-07 15:15 . 2009-11-07 15:15 -------- d-----w- c:\windows\system32\en
2009-11-07 15:15 . 2009-11-07 15:15 -------- d-----w- c:\windows\system32\bits
2009-11-06 21:43 . 2008-04-14 00:12 144384 ------w- c:\windows\system32\onex.dll
2009-11-06 21:42 . 2008-04-14 00:12 2134528 ----a-w- c:\windows\system32\dllcache\smtpsnap.dll
2009-11-06 03:33 . 2009-11-07 15:11 -------- d-----w- c:\windows\ServicePackFiles
2009-11-06 01:58 . 2008-06-12 10:09 33088 ----a-w- c:\documents and settings\Jean\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-11-06 00:46 . 2009-03-06 14:22 284160 ------w- c:\windows\system32\dllcache\pdh.dll
2009-11-06 00:46 . 2009-02-09 12:10 401408 ------w- c:\windows\system32\dllcache\rpcss.dll
2009-11-06 00:46 . 2009-02-06 11:11 110592 ------w- c:\windows\system32\dllcache\services.exe
2009-11-06 00:46 . 2009-02-06 10:39 35328 ------w- c:\windows\system32\dllcache\sc.exe
2009-11-06 00:46 . 2009-02-09 12:10 473600 ------w- c:\windows\system32\dllcache\fastprox.dll
2009-11-06 00:46 . 2009-02-09 12:10 453120 ------w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-11-06 00:46 . 2009-02-06 10:10 227840 ------w- c:\windows\system32\dllcache\wmiprvse.exe
2009-11-06 00:46 . 2009-02-09 12:10 617472 ------w- c:\windows\system32\dllcache\advapi32.dll
2009-11-06 00:46 . 2009-08-05 01:44 2189184 ----a-w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-11-06 00:46 . 2009-08-04 14:20 2023936 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-11-06 00:46 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2009-11-06 00:45 . 2008-10-24 11:21 455296 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2009-11-06 00:45 . 2008-12-11 10:57 333952 ------w- c:\windows\system32\dllcache\srv.sys
2009-11-06 00:45 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-11-06 00:44 . 2009-06-10 14:19 2066432 ------w- c:\windows\system32\dllcache\mstscax.dll
2009-11-06 00:43 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-11-06 00:43 . 2008-04-21 12:08 215552 ------w- c:\windows\system32\dllcache\wordpad.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-19 04:29 . 2006-02-15 02:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-11-19 04:20 . 2006-02-15 02:36 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-11-19 04:12 . 2007-09-23 01:15 -------- d-----w- c:\program files\Norton Internet Security
2009-11-19 01:25 . 2008-03-09 22:02 -------- d-----w- c:\program files\QuickTime
2009-11-19 01:18 . 2008-12-06 19:53 -------- d-----w- c:\program files\Dell AIO Printer 948
2009-11-19 01:17 . 2009-06-20 18:06 -------- d-----w- c:\program files\iTunes
2009-11-18 00:16 . 2006-02-15 01:55 131504 ----a-w- c:\windows\system32\igfxpers.exe
2009-11-16 18:13 . 2006-03-10 22:48 5852 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-11-16 18:13 . 2006-03-10 22:48 104 --sh--r- c:\windows\system32\075E1B743D.sys
2009-11-08 23:29 . 2006-03-09 14:00 65456 ----a-w- c:\documents and settings\Jean\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-07 20:22 . 2006-04-22 23:17 65456 ----a-w- c:\documents and settings\Mike\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-07 15:20 . 2005-08-16 10:41 88983 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-11-06 02:11 . 2006-02-15 02:31 -------- d-----w- c:\program files\Common Files\Corel
2009-11-06 00:38 . 2006-02-15 02:27 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-11 14:18 . 2005-08-16 10:18 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2005-08-16 10:18 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2005-08-16 10:18 832512 ------w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2005-08-16 10:18 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2005-08-16 10:18 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-26 08:00 . 2005-08-16 10:19 247326 ----a-w- c:\windows\system32\strmdll.dll
.

((((((((((((((((((((((((((((( SnapShot_2009-11-19_02.53.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-19 05:09 . 2009-11-19 05:09 16384 c:\windows\Temp\Perflib_Perfdata_a34.dat
+ 2009-11-19 05:07 . 2009-11-19 05:07 16384 c:\windows\Temp\Perflib_Perfdata_748.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2009-11-19 96468]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-11-19 104268]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

[HKLM\~\startupfolder\C:^Documents and Settings^Mike^Start Menu^Programs^Startup^..]
path=c:\documents and settings\Mike\Start Menu\Programs\Startup\..
backup=c:\windows\pss\..Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Viewpoint Manager Service"=2 (0x2)
"ehSched"=2 (0x2)
"ehRecvr"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplicationsList]
"%windir%\system32\sessmgr.exe"=
"c:\Program Files\Messenger\msmsgs.exe"=
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"c:\WINDOWS\system32\dldfcoms.exe"=
"c:\Program Files\Dell AIO Printer 948\DLDFFax.exe"=
"c:\WINDOWS\system32\spool\drivers\w32x86\3\dldfpswx.exe"=
"c:\WINDOWS\system32\spool\drivers\w32x86\3\dldfjswx.exe"=
"c:\Program Files\Bonjour\mDNSResponder.exe"=
"c:\Program Files\iTunes\iTunes.exe"=
"c:\Program Files\Dell AIO Printer 948\dldfmon .exe"=
"c:\Program Files\Dell AIO Printer 948\memcard .exe"=

R2 dldf_device;dldf_device;c:\windows\system32\dldfcoms.exe -service --> c:\windows\system32\dldfcoms.exe -service [?]
R2 dldfCATSCustConnectService;dldfCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\dldfserv.exe [6/26/2007 1:56 AM 98952]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/27/2009 1:28 PM 102448]
S3 daqdrv;daqdrv;\??\c:\windows\system32\daqdrv.sys --> c:\windows\system32\daqdrv.sys [?]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [6/26/2008 4:21 PM 24652]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
*Deregistered* - mbr
*Deregistered* - PROCEXP113

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
BtwSrv
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.optonline.net/Home
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.yahoo.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: musicmatch.com\online
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
HKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\6uq56ac0k .exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-19 00:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-11-19 00:22
ComboFix-quarantined-files.txt 2009-11-19 05:22
ComboFix2.txt 2009-11-19 02:55
ComboFix3.txt 2009-11-19 00:24

Pre-Run: 42,671,550,464 bytes free
Post-Run: 42,628,657,152 bytes free

- - End Of File - - 1F82CDE576D6500121341083768A7C10

Merged posts. ~ OB



Edited by Orange Blossom, 19 November 2009 - 07:21 PM.
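A small triage pass over log text of the kind pasted above, as an added example (not the poster's code and not part of HijackThis or ComboFix). It pulls drive-letter paths out of HijackThis/ComboFix-style lines and applies three of the tells the post describes: a filename with whitespace before its extension, the same name reachable at more than one path, and AT-service job files (At1.job, At2.job, ...). The SAMPLE_LOG lines are constructed for the example and not copied from the thread; the c:\windows\hkcmd.exe copy and the c:\windows\tasks location are assumptions.

```python
"""Triage helpers for HijackThis/ComboFix-style log text.

Added example for this thread, not a tool from the original post.
Heuristics only: a hit means "look at this", not "this is malware".
"""
import re
from collections import defaultdict

# Constructed sample, modelled on the log formats in the thread. The extra
# c:\windows\hkcmd.exe copy and the tasks folder are assumptions for the demo.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jusched .exe
C:\WINDOWS\system32\ctfmon .exe
C:\Program Files\Adobe\acrotray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
2009-11-19 05:08 . 2009-11-19 05:08 314 ----a-w- c:\windows\tasks\At1.job
2009-11-19 05:08 . 2009-11-19 05:08 314 ----a-w- c:\windows\tasks\At2.job
2009-11-19 05:08 . 2009-11-19 05:08 96468 ----a-w- c:\windows\hkcmd.exe
"""

# A drive-letter path ending in an extension we care about. Path segments may
# not contain a backslash, quote or colon, which keeps "a.exe --> c:\b.exe"
# from being swallowed as one path.
PATH_RE = re.compile(
    r'[A-Za-z]:\\(?:[^\\\r\n":]+\\)*[^\\\r\n":]+?\.(?:exe|dll|sys|job)\b',
    re.IGNORECASE,
)
SPACED_EXT_RE = re.compile(r'\s\.[^.\s]+$')          # "jusched .exe"
AT_JOB_RE = re.compile(r'^at\d+\.job$', re.IGNORECASE)  # At1.job, At24.job


def extract_paths(text):
    """Return every drive-letter path with a watched extension, in order."""
    return [m.group(0) for m in PATH_RE.finditer(text)]


def basename(path):
    return path.rsplit('\\', 1)[-1]


def find_spaced_extensions(paths):
    """Files whose name carries whitespace before the extension (lookalike trick)."""
    seen, hits = set(), []
    for p in paths:
        if SPACED_EXT_RE.search(basename(p)) and p.lower() not in seen:
            seen.add(p.lower())
            hits.append(p)
    return hits


def find_shadow_names(paths):
    """Same name (whitespace ignored) reachable at more than one distinct path.

    Two log lines for the identical path are just two instances of one binary
    and are not flagged; the same name in a second directory, or with a
    sneaked-in space, is.
    """
    groups = defaultdict(set)
    for p in paths:
        key = re.sub(r'\s+', '', basename(p).lower())
        groups[key].add(p.lower())
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


def find_at_jobs(paths):
    """Scheduler job files named the way the AT service names them."""
    return [p for p in paths if AT_JOB_RE.match(basename(p))]


def triage(text):
    paths = extract_paths(text)
    return {
        "spaced_extension": find_spaced_extensions(paths),
        "shadow_names": find_shadow_names(paths),
        "at_jobs": find_at_jobs(paths),
    }


if __name__ == "__main__":
    for check, hits in triage(SAMPLE_LOG).items():
        print(check)
        for h in (hits.items() if isinstance(hits, dict) else hits):
            print("   ", h)
```

Feed it the saved HijackThis or ComboFix text instead of SAMPLE_LOG. Every hit still needs a human decision: the two system32\hkcmd.exe process lines above are deliberately not a finding, while a jusched .exe sitting beside the real jusched.exe, or hkcmd.exe turning up in a second directory, is exactly the pattern the post describes.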




#2 gmiani

gmiani
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:04:28 AM

Posted 23 November 2009 - 10:16 AM

bumpity bump please

#3 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:11:28 AM

Posted 27 November 2009 - 09:52 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
  • Please download OTL from the following mirror:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
Please also provide a log from gmer:
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#4 gmiani

gmiani
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:04:28 AM

Posted 28 November 2009 - 11:13 AM

Thanks for keeping track, although I have since mitigated the issue, at least for now. For anyone who searches this topic: I used a combination of Malwarebytes, Autoruns, and CCleaner to get rid of the bulk of the nastiness. The key was to get into Safe Mode and, utilizing ComboFix, DDS, and GMER reports, go back through and manually remove the sticky parts. And then rinse and repeat for each user on the computer.

I basically looked for anything that had been modified since the inception of the virus. This is not for the faint of heart or the computer illiterate. You have to know what you can or cannot delete, and that takes a lot of research and looking at typical processes and files that are important to your system (and which ones aren't). The information is out there; you just have to find it. bleepingcomputer.com has a great process and file library.

Make sure you create backup images in case you do delete something that you need, and copy your registry. Have your OS install disk nearby in case you have to replace something. And good luck. This was the nastiest and most stubborn bug I've come across. When all else fails, reformat... but that's like giving up the hunt.
-g
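The "look for anything modified since the inception of the virus" pass from the post above, as an added example in Python (not the poster's own tooling). It walks a tree, keeps only files that start with the PE "MZ" header, so a renamed executable or a "name .exe" lookalike still counts regardless of extension, and returns those modified at or after a cutoff, oldest first. The directory layout, file contents and dates in build_sample_tree are constructed for the example; run changed_executables against a real drive root with a cutoff just before the first symptoms.

```python
"""Timeline triage: executables changed since a cutoff, anywhere under a root.

Added example for this thread, not the poster's own tooling. It reads
headers and timestamps only and never deletes anything.
"""
import os
import shutil
import tempfile
from datetime import datetime, timezone

MZ = b"MZ"  # DOS stub signature every Windows PE file starts with


def _cutoff(since):
    """Accept an aware datetime or an ISO date string ('2009-11-01', read as UTC)."""
    if isinstance(since, str):
        since = datetime.fromisoformat(since).replace(tzinfo=timezone.utc)
    return since.timestamp()


def looks_like_pe(path):
    """True if the file begins with 'MZ'; extension is deliberately ignored."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == MZ
    except OSError:
        return False


def changed_executables(root, since):
    """(mtime, path) pairs for PE files under root modified at/after since.

    Sorted oldest first, so the earliest change (the likely infection point)
    is at the top of the list.
    """
    cutoff = _cutoff(since)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                st = os.stat(full)
            except OSError:
                continue
            if st.st_mtime >= cutoff and looks_like_pe(full):
                hits.append((datetime.fromtimestamp(st.st_mtime, timezone.utc), full))
    hits.sort()
    return hits


def changed_relative(root, since):
    """Same as changed_executables, but just the paths relative to root."""
    return [os.path.relpath(p, root) for _t, p in changed_executables(root, since)]


def build_sample_tree():
    """Constructed fixture: a tiny fake XP profile tree with old and new files."""
    root = tempfile.mkdtemp(prefix="triage_")
    stub = MZ + b"\x90" * 62                      # fake PE header, constructed
    layout = [
        # relative path, content, modification date (constructed)
        ("WINDOWS/system32/hkcmd.exe", stub, "2006-02-15"),            # old, legit
        ("WINDOWS/system32/hkcmd .exe", stub, "2009-11-19"),           # new lookalike
        ("Program Files/Adobe/acrotray.exe", stub, "2009-11-18"),      # new dropper
        ("Program Files/Adobe/readme.txt", b"plain text", "2009-11-18"),  # new, not PE
        ("Documents and Settings/Jean/Local Settings/Temp/x.tmp", stub, "2009-11-17"),  # PE hiding as .tmp
    ]
    for rel, data, day in layout:
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
        ts = _cutoff(day)
        os.utime(full, (ts, ts))
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    try:
        for when, path in changed_executables(root, "2009-11-01"):
            print(when.isoformat(), os.path.relpath(path, root))
    finally:
        shutil.rmtree(root)
```

Two caveats for real use: modification time is trivially forged by malware, so treat the list as a starting point and cross-check against creation time and the ComboFix "Files Created" section rather than trusting mtime alone; and run it once per user profile, as the post says, since each profile has its own Application Data and Temp trees.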

#5 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:11:28 AM

Posted 28 November 2009 - 01:58 PM

Hi,

ComboFix is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Please do not run Combofix on your own

Since this topic appears to be resolved, I will now close it.

If you need this topic re-opened please send me a PM.

Everyone else, please start a new topic.

With Regards,
myrti





