Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Unknown malware infection


  • This topic is locked This topic is locked
2 replies to this topic

#1 decon101

decon101

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:01:00 PM

Posted 28 November 2009 - 07:16 PM

Virus redirects search results generated from Google and Bing to unknown web sites that appear to be ads. Random internet browser pops up intermittently while connected to the internet with a browser open.

Cannot boot in safe mode, cannot restore safe boot, cannot remove malware/virus even after running malwarebytes, superantivirus, and McAffee Stinger.

I was unable to run dds or rootrepeal using the Prep Guide, but able to generate log using RSIT (thanks to garmanma).

Here is the log from RSIT (also attached the .txt file):

Logfile of random's system information tool 1.06 (written by random/random)
Run by CDixon at 2009-11-28 15:58:14
Microsoft Windows XP Professional Service Pack 3
System drive C: has 58 GB (76%) free of 76 GB
Total RAM: 2046 MB (70% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:58:31 PM, on 11/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Abacus\BillingPopup\AbacusBillingPopup.exe
C:\WINDOWS\system32\mDNSResponder.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Castelle\FaxPress\ExCnvt.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Castelle\FaxPress\FaxTray.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Abacus\BillingPopup\BIllingPopupSettings.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\cdixon\Desktop\RSIT.exe
C:\Program Files\trend micro\CDixon.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://Intranet/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://Intranet/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by NBBJ
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://intranet/proxy.pac
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.127.226 osguard-pro.microsoft.com
O1 - Hosts: 91.212.127.226 osguard-pro.com
O1 - Hosts: 91.212.127.226 www.osguard-pro.com
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\derrida.exe" /runcleanupscript
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [FPEXCNVT] C:\Program Files\Castelle\FaxPress\ExCnvt.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [CstlFaxTray] C:\Program Files\Castelle\FaxPress\FaxTray.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [calc] rundll32.exe C:\DOCUME~1\LOCALS~1\ntuser.dll,_IWMPEvents@0 (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [jsh87r3huiehf89esiudgd] C:\WINDOWS\TEMP\p07bwdofq.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [calc] rundll32.exe C:\DOCUME~1\LOCALS~1\ntuser.dll,_IWMPEvents@0 (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O4 - Global Startup: Abacus Billing Popup Settings.lnk = C:\Program Files\Abacus\BillingPopup\BIllingPopupSettings.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://Intranet/
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1256430839234
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\Autodesk Architectural Desktop 3\AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\Autodesk Architectural Desktop 3\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\Autodesk Architectural Desktop 3\InstFred.ocx
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://nbbj.webex.com/client/T25L/webex/ieatgpc.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\Autodesk Architectural Desktop 3\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nbbj.com
O17 - HKLM\Software\..\Telephony: DomainName = nbbj.com
O23 - Service: Abacus Billing Popup (AbacusBillingPopup) - Mirrorplus Technologies Inc - C:\Program Files\Abacus\BillingPopup\AbacusBillingPopup.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\WINDOWS\system32\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 8565 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}]
scriptproxy - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll [2008-01-24 66880]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - SnagIt - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll [2007-02-16 161352]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"UpdateManager"=C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe [2004-01-07 110592]
"SigmatelSysTrayApp"=C:\WINDOWS\stsystra.exe [2005-11-16 397312]
"ShStatEXE"=C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE [2008-01-24 111952]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2006-05-03 155648]
"nwiz"=nwiz.exe /installquiet []
"NVHotkey"=nvHotkey.dll,Start []
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2006-01-19 7401472]
"McAfeeUpdaterUI"=C:\Program Files\Network Associates\Common Framework\UdaterUI.exe [2007-10-25 136512]
"Malwarebytes Anti-Malware (reboot)"=C:\Program Files\Malwarebytes' Anti-Malware\derrida.exe /runcleanupscript []
"Logitech Utility"=C:\WINDOWS\Logi_MwX.Exe [2003-12-17 19968]
"KernelFaultCheck"=C:\WINDOWS\system32\dumprep 0 -k []
"FPEXCNVT"=C:\Program Files\Castelle\FaxPress\ExCnvt.exe [2002-04-22 40960]
"DVDLauncher"=C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe [2004-04-26 53248]
"dla"=C:\WINDOWS\system32\dla\tfswctrl.exe [2004-08-13 122939]
"CstlFaxTray"=C:\Program Files\Castelle\FaxPress\FaxTray.exe [1999-08-17 57344]
"BluetoothAuthenticationAgent"=bthprops.cpl,,BluetoothAuthenticationAgent []
"Apoint"=C:\Program Files\Apoint\Apoint.exe [2005-10-07 176128]
"Adobe Acrobat Speed Launcher"=C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrobat_sl.exe [2007-05-11 46200]
"Acrobat Assistant 8.0"=C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe [2008-01-11 623992]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-14 1695232]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Abacus Billing Popup Settings.lnk - C:\Program Files\Abacus\BillingPopup\BIllingPopupSettings.exe
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B4870B70-F390-11d2-9FB9-F4ED725EA20D}"=C:\Program Files\Novell\ZENworks\NalExpEx.dll []

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableLUA"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Canon\Network ScanGear\SgTool.exe"="C:\Program Files\Canon\Network ScanGear\SgTool.exe:*:Enabled:SGTOOL"
"C:\Program Files\Windows Media Player\wmplayer.exe"="C:\Program Files\Windows Media Player\wmplayer.exe:*:Enabled:Windows Media Player"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Cisco Systems\Cisco IP Communicator\Communicator.exe"="C:\Program Files\Cisco Systems\Cisco IP Communicator\Communicator.exe:*:Enabled:Cisco IP Communicator"
"C:\Program Files\Internet Explorer\iexplore.exe"="C:\Program Files\Internet Explorer\iexplore.exe:*:Disabled:Internet Explorer"
"E:\TurboTax\TurboTax Deluxe 2007\32bit\ttax.exe"="E:\TurboTax\TurboTax Deluxe 2007\32bit\ttax.exe:LocalSubNet:Enabled:TurboTax"
"E:\TurboTax\TurboTax Deluxe 2007\32bit\updatemgr.exe"="E:\TurboTax\TurboTax Deluxe 2007\32bit\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\Program Files\Abacus\BillingPopup\AbacusBillingPopup.exe"="C:\Program Files\Abacus\BillingPopup\AbacusBillingPopup.exe:*:Enabled:Abacus Billing Popup"
"C:\WINDOWS\system32\mDNSResponder.exe"="C:\WINDOWS\system32\mDNSResponder.exe:*:Enabled:Bonjour"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Cisco Systems\Cisco IP Communicator\Communicator.exe"="C:\Program Files\Cisco Systems\Cisco IP Communicator\Communicator.exe:*:Enabled:Cisco IP Communicator"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Network Associates\Common Framework\FrameworkService.exe"="C:\Program Files\Network Associates\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service"
"C:\Program Files\Abacus\BillingPopup\AbacusBillingPopup.exe"="C:\Program Files\Abacus\BillingPopup\AbacusBillingPopup.exe:*:Enabled:Abacus Billing Popup"
"C:\WINDOWS\system32\mDNSResponder.exe"="C:\WINDOWS\system32\mDNSResponder.exe:*:Enabled:Bonjour"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{097c4b7a-8b72-11dd-bb13-001641b5140d}]
shell\AutoRun\command - F:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c9013a3b-b733-11d9-b92c-806d6172696f}]
shell\AutoRun\command - E:\AutoPlay.exe -auto


======File associations======

.scr - open - C:\WINDOWS\NOTEPAD.EXE "%1"
.scr - install -
.scr - config -

======List of files/folders created in the last 1 months======

2009-11-28 15:58:15 ----D---- C:\Program Files\trend micro
2009-11-28 15:58:14 ----D---- C:\rsit
2009-11-27 15:20:45 ----D---- C:\McAfee
2009-11-27 14:33:34 ----D---- C:\Autoruns
2009-11-27 12:03:31 ----D---- C:\WINDOWS\system32\NtmsData
2009-11-25 16:10:44 ----A---- C:\WINDOWS\system32\MRT.INI
2009-11-25 16:04:52 ----D---- C:\WINDOWS\system32\winrm
2009-11-25 16:04:51 ----D---- C:\WINDOWS\system32\GroupPolicy
2009-11-25 16:04:45 ----HDC---- C:\WINDOWS\$968930Uinstall_KB968930$
2009-11-25 16:04:36 ----D---- C:\WINDOWS\$NtUninstallKB968930$
2009-11-25 16:03:44 ----HDC---- C:\WINDOWS\$NtUninstallKB969947$
2009-11-25 15:53:49 ----A---- C:\WINDOWS\imsins.BAK
2009-11-25 15:52:45 ----A---- C:\WINDOWS\system32\RMErrorLog0.txt
2009-11-24 10:00:58 ----A---- C:\WINDOWS\OEWABLog.txt
2009-11-23 02:17:55 ----A---- C:\boot.ini
2009-11-22 16:03:13 ----D---- C:\WINDOWS\tmp
2009-11-20 19:55:44 ----A---- C:\xrvho.exe
2009-11-19 03:26:39 ----D---- C:\Program Files\WinPcap
2009-11-02 08:26:52 ----HDC---- C:\WINDOWS\$NtUninstallKB958869$
2009-11-02 08:24:50 ----HDC---- C:\WINDOWS\$NtUninstallKB969059$
2009-11-02 08:24:20 ----HDC---- C:\WINDOWS\$NtUninstallKB954155_WM9$
2009-11-02 08:24:14 ----HDC---- C:\WINDOWS\$NtUninstallKB974112$
2009-11-02 08:24:05 ----HDC---- C:\WINDOWS\$NtUninstallKB975025$
2009-11-02 08:23:19 ----HDC---- C:\WINDOWS\$NtUninstallKB974571$
2009-11-02 08:22:28 ----HDC---- C:\WINDOWS\$NtUninstallKB971513$
2009-11-02 08:22:07 ----HDC---- C:\WINDOWS\$NtUninstallKB971486$
2009-11-02 08:21:42 ----HDC---- C:\WINDOWS\$NtUninstallKB973525$
2009-11-02 08:20:47 ----HDC---- C:\WINDOWS\$NtUninstallKB975467$

======List of files/folders modified in the last 1 months======

2009-11-28 15:58:15 ----RD---- C:\Program Files
2009-11-28 15:54:52 ----D---- C:\WINDOWS\Temp
2009-11-28 15:49:49 ----D---- C:\WINDOWS\system32\drivers
2009-11-28 15:40:10 ----SHD---- C:\WINDOWS\Installer
2009-11-28 15:40:10 ----SHD---- C:\Config.Msi
2009-11-28 15:39:50 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2009-11-27 15:26:25 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-11-27 15:24:08 ----D---- C:\WINDOWS\system32
2009-11-27 12:48:20 ----D---- C:\quarantine
2009-11-27 12:10:37 ----SHD---- C:\System Volume Information
2009-11-27 12:06:51 ----HD---- C:\WINDOWS\inf
2009-11-27 12:06:51 ----D---- C:\WINDOWS
2009-11-27 12:06:49 ----D---- C:\WINDOWS\system32\CatRoot2
2009-11-27 12:06:45 ----D---- C:\WINDOWS\Registration
2009-11-27 10:34:39 ----D---- C:\WINDOWS\security
2009-11-25 16:23:09 ----D---- C:\WINDOWS\Prefetch
2009-11-25 16:22:42 ----D---- C:\Documents and Settings
2009-11-25 16:18:03 ----D---- C:\WINDOWS\system32\config
2009-11-25 16:11:00 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-11-25 16:10:56 ----HD---- C:\WINDOWS\$hf_mig$
2009-11-25 16:07:32 ----RSD---- C:\WINDOWS\assembly
2009-11-25 16:05:44 ----D---- C:\WINDOWS\Microsoft.NET
2009-11-25 16:04:57 ----D---- C:\WINDOWS\Help
2009-11-25 16:04:52 ----D---- C:\WINDOWS\system32\wbem
2009-11-25 16:04:21 ----D---- C:\WINDOWS\system32\CatRoot
2009-11-25 16:00:29 ----D---- C:\Program Files\Windows Desktop Search
2009-11-25 15:51:08 ----D---- C:\Program Files\Autodesk Architectural Desktop 3
2009-11-25 15:49:31 ----D---- C:\Program Files\Common Files\Adobe
2009-11-25 15:49:31 ----D---- C:\Program Files\Adobe
2009-11-25 15:49:30 ----D---- C:\Documents and Settings\cdixon\Application Data\Adobe
2009-11-25 15:47:47 ----HD---- C:\Program Files\InstallShield Installation Information
2009-11-25 15:43:32 ----D---- C:\Program Files\Sepialine
2009-11-25 15:43:32 ----D---- C:\Program Files\Common Files
2009-11-25 15:37:52 ----SHD---- C:\WINDOWS\CSC
2009-11-23 21:22:14 ----D---- C:\spoolerlogs
2009-11-23 16:50:23 ----D---- C:\WINDOWS\WinSxS
2009-11-23 16:50:13 ----D---- C:\Program Files\Common Files\Intuit
2009-11-23 16:11:13 ----SD---- C:\WINDOWS\Tasks
2009-11-23 16:04:09 ----D---- C:\Documents and Settings\cdixon\Application Data\SUPERAntiSpyware.com
2009-11-23 16:03:46 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-11-23 16:03:11 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-17 14:49:15 ----D---- C:\WINDOWS\system32\LogFiles
2009-11-13 19:50:53 ----D---- C:\Documents and Settings\cdixon\Application Data\Move Networks
2009-11-12 15:48:59 ----A---- C:\WINDOWS\jobs.ini
2009-11-12 15:48:25 ----A---- C:\WINDOWS\MWorks.ini
2009-11-10 15:46:19 ----D---- C:\WINDOWS\SoftwareDistribution
2009-11-07 21:21:36 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-11-06 11:41:40 ----D---- C:\Documents and Settings\cdixon\Application Data\webex
2009-11-06 11:41:28 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-11-05 21:08:59 ----D---- C:\WINDOWS\Debug
2009-11-05 09:36:21 ----A---- C:\WINDOWS\system32\MRT.exe
2009-11-02 08:23:52 ----D---- C:\WINDOWS\system32\en-us
2009-11-02 08:23:51 ----D---- C:\Program Files\Internet Explorer
2009-11-02 08:23:34 ----D---- C:\WINDOWS\ie7updates

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 mferkdk;VSCore mferkdk; \??\C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys []
R1 mfetdik;McAfee Inc.; C:\WINDOWS\system32\drivers\mfetdik.sys [2008-01-24 52104]
R1 sscdbhk5;sscdbhk5; C:\WINDOWS\system32\drivers\sscdbhk5.sys [2004-07-14 5627]
R1 ssrtln;ssrtln; C:\WINDOWS\system32\drivers\ssrtln.sys [2004-07-14 23545]
R1 vsdatant;vsdatant; \??\C:\WINDOWS\system32\vsdatant.sys []
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2008-04-13 8832]
R2 agnwifi;AT&T Wi-Fi Support Driver; C:\WINDOWS\system32\DRIVERS\agnwifi.sys [2005-08-10 19328]
R2 CdpPacket;Cisco Discovery Protocol Packet Driver; C:\WINDOWS\system32\DRIVERS\CdpPacket.sys [2006-09-13 35697]
R2 drvnddm;drvnddm; C:\WINDOWS\system32\drivers\drvnddm.sys [2004-08-13 40544]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2004-03-17 13059]
R2 npf;NetGroup Packet Filter Driver; C:\WINDOWS\system32\drivers\npf.sys [2007-11-15 34064]
R2 tfsnboio;tfsnboio; C:\WINDOWS\system32\dla\tfsnboio.sys [2004-08-13 25723]
R2 tfsncofs;tfsncofs; C:\WINDOWS\system32\dla\tfsncofs.sys [2004-08-13 34843]
R2 tfsndrct;tfsndrct; C:\WINDOWS\system32\dla\tfsndrct.sys [2004-08-13 4123]
R2 tfsndres;tfsndres; C:\WINDOWS\system32\dla\tfsndres.sys [2004-08-13 2239]
R2 tfsnifs;tfsnifs; C:\WINDOWS\system32\dla\tfsnifs.sys [2004-08-13 86202]
R2 tfsnopio;tfsnopio; C:\WINDOWS\system32\dla\tfsnopio.sys [2004-08-13 14715]
R2 tfsnpool;tfsnpool; C:\WINDOWS\system32\dla\tfsnpool.sys [2004-08-13 6363]
R2 tfsnudf;tfsnudf; C:\WINDOWS\system32\dla\tfsnudf.sys [2004-08-13 98714]
R2 tfsnudfa;tfsnudfa; C:\WINDOWS\system32\dla\tfsnudfa.sys [2004-08-13 100603]
R3 ApfiltrService;Alps Touch Pad Filter Driver for Windows 2000/XP; C:\WINDOWS\system32\DRIVERS\Apfiltr.sys [2005-09-28 113847]
R3 b57w2k;Broadcom NetXtreme Gigabit Ethernet; C:\WINDOWS\system32\DRIVERS\b57xp32.sys [2005-11-10 142720]
R3 BCM43XX;Dell Wireless WLAN Card Driver; C:\WINDOWS\system32\DRIVERS\bcmwl5.sys [2005-11-02 424320]
R3 BthEnum;Bluetooth Enumerator Service; C:\WINDOWS\system32\DRIVERS\BthEnum.sys [2008-04-13 17024]
R3 BthPan;Bluetooth Device (Personal Area Network); C:\WINDOWS\system32\DRIVERS\bthpan.sys [2008-04-13 101120]
R3 BTHUSB;Bluetooth Radio USB Driver; C:\WINDOWS\System32\Drivers\BTHUSB.sys [2008-04-13 18944]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-13 13952]
R3 Cpmt;Cisco Media Termination; C:\WINDOWS\System32\Drivers\Cpmt.sys [2006-09-13 1293345]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HSF_DPV;HSF_DPV; C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys [2005-07-22 1035008]
R3 HSFHWAZL;HSFHWAZL; C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys [2005-07-22 201600]
R3 LHidFlt2;Logitech HID/USB Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\LHidFlt2.Sys [2003-12-17 25505]
R3 LHidUsb;Logitech USB Receiver device driver; C:\WINDOWS\System32\Drivers\LHidUsb.Sys [2003-12-17 37887]
R3 LMouFlt2;Logitech Mouse Class Filter Driver; C:\WINDOWS\system32\DRIVERS\LMouFlt2.Sys [2003-12-17 70801]
R3 mfeapfk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfeapfk.sys [2008-01-24 64232]
R3 mfeavfk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfeavfk.sys [2008-01-24 72936]
R3 mfebopk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfebopk.sys [2008-01-24 33960]
R3 mfehidk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfehidk.sys [2008-01-24 171400]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2006-01-19 3595296]
R3 RFCOMM;Bluetooth Device (RFCOMM Protocol TDI); C:\WINDOWS\system32\DRIVERS\rfcomm.sys [2008-04-13 59136]
R3 STHDA;SigmaTel High Definition Audio CODEC; C:\WINDOWS\system32\drivers\sthda.sys [2005-11-16 1047816]
R3 USBCCID;USB Smart Card reader; C:\WINDOWS\system32\DRIVERS\usbccid.sys [2005-05-13 28672]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2005-07-22 717952]
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
S2 mjxupvelejujl;mjxupvelejujl; \??\C:\WINDOWS\system32\drivers\xqadyjw.sys []
S3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
S3 BTHPORT;Bluetooth Port Driver; C:\WINDOWS\System32\Drivers\BTHport.sys [2008-06-13 272128]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-13 60032]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 sr;System Restore Filter Driver; C:\WINDOWS\system32\DRIVERS\sr.sys [2008-04-13 73472]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AbacusBillingPopup;Abacus Billing Popup; C:\Program Files\Abacus\BillingPopup\AbacusBillingPopup.exe [2009-03-03 1363968]
R2 Bonjour Service;Bonjour Service; C:\WINDOWS\system32\mDNSResponder.exe [2008-02-01 229376]
R2 BthServ;Bluetooth Support Service; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
R2 McShield;McAfee McShield; C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe [2008-01-24 144704]
R2 McTaskManager;McAfee Task Manager; C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe [2008-01-24 54608]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
R2 Net Driver HPZ12;Net Driver HPZ12; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
R2 NetCfgSvr;Network Configuration Service; C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE [2005-08-10 188480]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
R3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2007-12-21 654848]
S2 McAfeeFramework;McAfee Framework Service; C:\Program Files\Network Associates\Common Framework\FrameworkService.exe [2007-10-25 103744]
S2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2006-01-19 143428]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-03 69632]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 WinRM;Windows Remote Management (WS-Management); C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------

Attached Files

  • Attached File  log.txt   27.52KB   0 downloads


BC AdBot (Login to Remove)

 


#2 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:10:00 PM

Posted 09 December 2009 - 12:05 PM

Hi,

My name is Syler and I will be helping you to solve your Malware issues. If you have since resolved your issues I would appreciate if you
would let me no so I can close this topic, if you still need help please let me no what issues you are still having, in your next reply.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and
we are trying our best to keep up.


We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
Then please post back here with the following logs:
  • OTListIt.txt
  • Extra.txt
Thanks

unite.jpg


#3 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:10:00 PM

Posted 14 December 2009 - 07:51 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

unite.jpg





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users