
Olmarik Trojan, Kryptik.BNX trojan


  • This topic is locked
15 replies to this topic

#1 chri1720

chri1720

  • Members
  • 7 posts
  • OFFLINE
  • Local time:01:12 AM

Posted 04 January 2010 - 02:21 PM

Hi Bleeping Computer,

I'm new here and I really hope someone can help me.

Problem: I have been experiencing freezing or unprompted hanging from my laptop (Dell Precision M90 model, Windows XP SP2) since last Friday. The hanging issue doesn't seem to be present in Safe Mode. ESET NOD32 antivirus scans show the Olmarik trojan and Kryptik.BNX trojan are present, but it can't remove Olmarik, and while it quarantined the Kryptik.BNX trojan, it shows up again in the next scan. Lavasoft Ad-Aware scans show nothing is affecting the system. Meanwhile, my system continues to freeze and I have no idea if the trojan is the problem.

Attached to this post are the DDS, RootRepeal and HijackThis logs, and I hope someone can figure it out as I'm out of ideas.

Thank you so much for your hard work.

P.S.: If an admin thinks this is a non-trojan issue, can you please move this to the Windows XP forum? Thanks.

Attached Files





#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,714 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:12 AM

Posted 04 January 2010 - 05:22 PM

Hi chri1720,

Welcome to the BC HijackThis forum. I am Farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

Your computer is infected, this is definitely a malware issue.

Please, before running ComboFix, make sure Nod32, Spyware Doctor and/or ThreatFire are all disabled and will not run at startup. We prefer to run ComboFix in normal mode unless the freezing doesn't allow it. In that case you may run it in Safe Mode with Networking, but when a reboot is required, reboot to normal mode and wait until the log is produced.


Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.

#3 chri1720

chri1720
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:01:12 AM

Posted 04 January 2010 - 06:32 PM

Hi Farbar,

Thanks for helping. I have encountered a problem with combofix.

I downloaded ComboFix (3.64 MB) and tried to run it, but I don't get any prompts :( I tried it in both modes (safe and normal) and both times all I get is a panel indicating progress and a ComboFix label, and then the desktop "refreshes" 2 times and then nothing.

What should I do?

Thank you.

#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,714 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:12 AM

Posted 04 January 2010 - 06:42 PM

Rename it to far.exe and run it.

#5 chri1720

chri1720
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:01:12 AM

Posted 04 January 2010 - 07:34 PM

Hi Farbar,

Sorry for taking so long. Attached is the log file from ComboFix.

Thanks for the help and pointer. :(

ComboFix 10-01-04.01 - henry 01/05/2010 0:12.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1704 [GMT 0:00]
Running from: c:\documents and settings\henry\Desktop\far.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\henry\Local Settings\Temporary Internet Files\fbk.sts
c:\program files\Common
c:\program files\WinPCap
c:\program files\WinPCap\rpcapd.exe
c:\recycler\S-1-5-21-1292428093-879983540-725345543-500
C:\Thumbs.db
c:\windows\system32\drivers\H8SRTcnusbphtwh.sys
c:\windows\system32\drivers\npf.sys
c:\windows\system32\H8SRTajmeypligc.dll
c:\windows\system32\H8SRTgdtylnibhq.dat
c:\windows\system32\H8SRTmchqximkiq.dll
c:\windows\system32\H8SRTmqeqjlvusg.dll
c:\windows\system32\mutelupo.dll
c:\windows\system32\Packet.dll
c:\windows\system32\pihakeda.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\srcr.dat
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll
c:\windows\Tasks\gbckfhro.job
c:\windows\unins000.dat
c:\windows\unins000.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_H8SRTd.sys
-------\Legacy_H8SRTd.sys
-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2009-12-05 to 2010-01-05 )))))))))))))))))))))))))))))))
.

2010-01-04 23:03 . 2010-01-04 23:03 -------- d-----w- c:\windows\system32\CatRoot_bak
2010-01-04 18:46 . 2010-01-04 18:46 0 ----a-w- c:\documents and settings\henry\settings.dat
2010-01-04 16:58 . 2004-08-04 10:00 92416 -c--a-w- c:\windows\system32\dllcache\mga.sys
2010-01-04 16:57 . 2004-08-04 10:00 480256 -c--a-w- c:\windows\system32\dllcache\cintsetp.exe
2010-01-04 16:41 . 2004-08-04 10:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2010-01-04 16:41 . 2004-08-04 10:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2010-01-04 16:41 . 2004-08-04 10:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2010-01-04 16:41 . 2004-08-04 10:00 13312 ----a-w- c:\windows\system32\irclass.dll
2010-01-04 15:38 . 2004-08-04 10:00 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2010-01-04 15:37 . 2004-08-04 10:00 32768 -c--a-w- c:\windows\system32\dllcache\icwdl.dll
2010-01-04 15:37 . 2004-08-04 10:00 86016 -c--a-w- c:\windows\system32\dllcache\icwconn2.exe
2010-01-04 15:37 . 2004-08-04 10:00 214528 -c--a-w- c:\windows\system32\dllcache\icwconn1.exe
2010-01-04 15:37 . 2004-08-04 10:00 20480 -c--a-w- c:\windows\system32\dllcache\inetwiz.exe
2010-01-04 14:59 . 2010-01-04 14:59 -------- d-s---w- c:\windows\system32\config\systemprofile\History
2010-01-01 15:43 . 2010-01-01 15:43 -------- d-----w- c:\program files\Eusing Free Registry Cleaner
2010-01-01 01:15 . 2010-01-01 01:15 -------- d-----w- c:\documents and settings\henry\Application Data\AVG8
2010-01-01 01:12 . 2010-01-01 01:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-01 01:12 . 2009-12-30 14:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-01 01:09 . 2010-01-01 01:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-31 22:25 . 2009-12-31 22:25 -------- d-----w- c:\program files\TrendMicro
2009-12-31 21:54 . 2009-12-31 22:02 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-12-31 21:30 . 2009-12-31 21:30 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-12-31 21:22 . 2009-12-31 21:22 -------- d-----w- c:\documents and settings\henry\Local Settings\Application Data\ESET
2009-12-31 19:14 . 2009-12-31 19:14 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2009-12-31 16:36 . 2009-12-31 16:36 -------- d-----w- c:\program files\ESET
2009-12-31 16:36 . 2009-12-31 16:36 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2009-12-31 16:21 . 2009-12-31 16:21 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-12-31 14:30 . 2009-12-31 14:33 -------- d-----w- c:\documents and settings\henry\Local Settings\Application Data\Tific
2009-12-31 14:30 . 2009-12-31 14:30 -------- d-----w- c:\documents and settings\henry\Application Data\Tific
2009-12-31 13:51 . 2009-12-31 13:51 -------- d-----w- c:\windows\system32\drivers\NAV
2009-12-31 13:51 . 2009-12-31 13:51 -------- d-----w- c:\program files\Windows Sidebar
2009-12-31 13:51 . 2009-12-31 13:51 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-12-31 01:59 . 2009-12-31 02:00 -------- dc-h--w- c:\windows\ie8
2009-12-31 01:37 . 2009-12-31 14:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-12-30 15:07 . 2009-12-30 15:07 -------- d-----w- c:\documents and settings\henry\Local Settings\Application Data\Threat Expert
2009-12-30 15:05 . 2009-12-30 15:05 -------- d-----w- c:\documents and settings\henry\Application Data\PC Tools
2009-12-30 14:41 . 2010-01-04 02:53 860 ----a-w- c:\windows\system32\krl32mainweq.dll
2009-12-12 14:12 . 2009-12-12 14:12 -------- d-----w- c:\documents and settings\henry\Application Data\UpdateMoniter
2009-12-11 12:34 . 2009-12-11 12:34 -------- d-----w- c:\documents and settings\henry\Application Data\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-05 00:23 . 2009-01-09 17:05 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-05 00:03 . 2009-12-30 15:05 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-01-04 23:20 . 2007-06-29 13:10 86580 ----a-w- c:\windows\system32\nvModes.dat
2010-01-04 23:02 . 2007-06-28 12:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-01-04 18:16 . 2008-03-24 14:14 -------- d-----w- c:\program files\Tudou
2010-01-04 17:45 . 2007-06-28 14:07 -------- d-----w- c:\program files\BitLord
2010-01-04 16:53 . 2007-06-28 09:40 22704 -c--a-w- c:\windows\system32\emptyregdb.dat
2010-01-01 02:04 . 2008-06-21 13:15 -------- d-----w- c:\program files\Sony Ericsson
2010-01-01 02:02 . 2007-06-28 14:05 -------- d-----w- c:\program files\Common Files\Real
2010-01-01 02:02 . 2007-06-28 14:05 -------- d-----w- c:\program files\Real
2010-01-01 02:01 . 2008-11-26 01:17 -------- d-----w- c:\documents and settings\All Users\Application Data\PPLiveVA
2010-01-01 02:01 . 2008-11-26 01:17 -------- d-----w- c:\program files\PPLiveVA
2010-01-01 01:47 . 2007-06-28 13:56 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2010-01-01 00:36 . 2009-12-30 15:05 -------- d-----w- c:\program files\Spyware Doctor
2009-12-31 22:25 . 2009-12-31 22:25 388096 ----a-r- c:\documents and settings\henry\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2009-12-31 20:24 . 2008-02-11 18:28 -------- d-----w- c:\documents and settings\henry\Application Data\dvdcss
2009-11-09 11:20 . 2009-12-30 15:05 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-11-08 14:12 . 2007-06-28 12:47 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-02 20:42 . 2009-10-02 15:53 195456 ----a-w- c:\windows\system32\MpSigStub.exe
2009-10-30 11:11 . 2009-12-30 15:05 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-10-28 01:36 . 2009-12-30 15:06 1152444 ----a-w- c:\windows\UDB.zip
2009-12-10 15:27 . 2009-05-31 12:19 253952 ----a-w- c:\program files\mozilla firefox\components\CheckTudouVa.dll
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2009-01-16 02:50 . 2009-01-16 02:50 181 -csha-w- c:\windows\system32\pitepadu.dll
2009-01-15 13:49 . 2009-01-15 13:49 181 -csha-w- c:\windows\system32\tenedefi.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-21 7557120]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
"nwiz"="nwiz.exe" [2006-03-21 1519616]
"NVHotkey"="nvHotkey.dll" [2006-03-21 73728]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ c:\windows\system32\rdujrbhq.exe c:\windows\system32\rdujrbhq.exe:changelist\0c:\windows\system32\pchwbtur.exe c:\windows\system32\pchwbtur.exe:changelist\0autocheck autochk *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^henry^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^henry^Start Menu^Programs^Startup^GameSpot Download Manager.lnk]
backup=c:\windows\pss\GameSpot Download Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^henry^Start Menu^Programs^Startup^启动飞速土豆.lnk]
backup=c:\windows\pss\启动飞速土豆.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2008-10-14 20:38 623992 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 10:00 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
2007-04-03 22:29 165784 ----a-w- c:\program files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
2005-09-08 04:20 122940 ----a-w- c:\windows\system32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-12-09 19:29 49152 ----a-w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
2005-12-28 10:56 602182 ----a-w- c:\program files\Intel\Wireless\Bin\iFrmewrk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]
2005-12-28 10:55 667718 ----a-w- c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray]
2009-11-18 12:47 1243088 ----a-w- c:\program files\Spyware Doctor\pctsTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-07-27 15:50 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-07-27 15:50 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-07-26 15:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-03-21 19:03 7557120 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVHotkey]
2006-03-21 19:03 73728 ----a-w- c:\windows\system32\nvhotkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2006-03-21 19:03 1519616 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\O2]
2008-03-28 21:47 198184 ----a-w- c:\program files\O2\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2006-03-24 16:30 282624 ----a-w- c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-02-22 03:25 144784 ----a-w- c:\program files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateMonitor]
2009-12-06 13:29 274488 ----a-w- c:\documents and settings\henry\Application Data\UpdateMoniter\UpdateMonitor.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"=
"c:\\Program Files\\O2\\agent\\bin\\bcont.exe"=
"c:\\Program Files\\O2\\agent\\bin\\bcont_nm.exe"=
"c:\\Program Files\\Intel\\Wireless\\Bin\\RegSrvc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager\\MediaManager.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\O2\\bin\\wificfg.exe"=
"c:\\Program Files\\Common Files\\SupportSoft\\bin\\ssrc.exe"=
"c:\\WINDOWS\\stsystra.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"16013:TCP"= 16013:TCP:bitlord

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [12/30/2009 3:05 PM 207792]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [12/30/2009 3:06 PM 112592]
R2 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\O2\bin\sprtsvc.exe [6/7/2007 3:19 PM 202280]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/14/2007 1:17 PM 682232]
S3 EraserUtilDrvI9;EraserUtilDrvI9;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI9.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI9.sys [?]
S3 s3017bus;Sony Ericsson Device 3017 driver (WDM);c:\windows\system32\drivers\s3017bus.sys [6/21/2008 1:16 PM 83880]
S3 s3017mdfl;Sony Ericsson Device 3017 USB WMC Modem Filter;c:\windows\system32\drivers\s3017mdfl.sys [6/21/2008 1:16 PM 15016]
S3 s3017mdm;Sony Ericsson Device 3017 USB WMC Modem Driver;c:\windows\system32\drivers\s3017mdm.sys [6/21/2008 1:16 PM 110632]
S3 s3017mgmt;Sony Ericsson Device 3017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s3017mgmt.sys [6/21/2008 1:16 PM 104616]
S3 s3017nd5;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (NDIS);c:\windows\system32\drivers\s3017nd5.sys [6/21/2008 1:16 PM 25512]
S3 s3017obex;Sony Ericsson Device 3017 USB WMC OBEX Interface;c:\windows\system32\drivers\s3017obex.sys [6/21/2008 1:16 PM 100648]
S3 s3017unic;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (WDM);c:\windows\system32\drivers\s3017unic.sys [6/21/2008 1:16 PM 110120]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [12/30/2009 3:05 PM 359624]
S3 V0100VID;Creative WebCam Vista Pro;c:\windows\system32\drivers\V0100Vid.sys [2/15/2009 12:26 PM 91155]
.
Contents of the 'Scheduled Tasks' folder

2009-12-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2010-01-05 c:\windows\Tasks\User_Feed_Synchronization-{8DAD1F5D-FE8B-4A34-A418-FE55EC6DA685}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 04:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: o2.co.uk\*.broadband
DPF: {B991DA79-51F7-4011-98D2-1F2592E82A56} - hxxp://drm1.reelsurvey.com/ePlayer/V3_2_0_0/ACNePlayer.cab
FF - ProfilePath - c:\documents and settings\henry\Application Data\Mozilla\Firefox\Profiles\29f4igmd.default\
FF - component: c:\program files\Mozilla Firefox\components\CheckTudouVa.dll
FF - plugin: c:\documents and settings\henry\Application Data\Move Networks\plugins\npqmp071503000010.dll
.
- - - - ORPHANS REMOVED - - - -

Notify-cbXRLfca - cbXRLfca.dll
MSConfigStartUp-egui - c:\program files\ESET\ESET NOD32 Antivirus\egui.exe
MSConfigStartUp-TudouVAStart - c:\progra~1\Tudou\TUDOU~1\TudouVa.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-05 00:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(768)
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\windows\System32\SCardSvr.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-01-05 00:30:23 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-05 00:30

Pre-Run: 13,421,060,096 bytes free
Post-Run: 14,154,752,000 bytes free

Current=4 Default=4 Failed=0 LastKnownGood=6 Sets=1,2,3,4,5,6
- - End Of File - - 3D9D55CC56EEE9953FDBDE6D1BE7E314

Attached Files


Edited by farbar, 04 January 2010 - 08:29 PM.
Opened the log.


#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,714 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:12 AM

Posted 04 January 2010 - 08:38 PM

Well done. :(
  • Close any open browsers.

    Open notepad (start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:

    Registry::
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    "BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,\
    00,00
    File::
    c:\windows\system32\krl32mainweq.dll
    c:\windows\system32\rdujrbhq.exe
    c:\windows\system32\pchwbtur.exe

    Save this as CFScript.txt, in the same location as ComboFix.exe


    Posted Image

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you ("C:\ComboFix.txt"). Please copy and paste the log to your reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


  • Open your Malwarebytes' Anti-Malware.
  • First update it; to do that, under the Update tab press "Check for Updates".
  • Under Scanner tab select "Perform Quick Scan", then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note.)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the MBAM log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
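The CFScript in Farbar's post rewrites BootExecute with a REGEDIT4 hex(7) (REG_MULTI_SZ) value. The Python below is an added example, my own code rather than Farbar's, ComboFix's or BleepingComputer's: it decodes that hex(7) value to show it is the stock "autocheck autochk *" entry, encodes the default back into the same hex(7) form, and splits the BootExecute line from the first ComboFix log in this thread to flag any entry other than the default. The sample strings are copied from the posts above; treating the literal `\0` as ComboFix's rendering of the NUL separator, and cp1252 as the ANSI code page for REGEDIT4 hex(7) bytes, are assumptions.

```python
import re

# The only entry a clean Windows XP BootExecute should carry.
DEFAULT_BOOTEXECUTE = ["autocheck autochk *"]

# Registry fragment copied from the CFScript in the post above (REGEDIT4
# format: hex(7) bytes are ANSI, one NUL ends each string, a second NUL ends
# the list; a trailing backslash continues the value on the next line).
CFSCRIPT_REGISTRY = '''[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\session manager]
"BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,\\
00,00
'''

# BootExecute line copied from the first ComboFix log in this thread. It is an
# assumption here that ComboFix prints the NUL separators as the literal "\0".
COMBOFIX_BOOTEXECUTE_LINE = (
    "BootExecute REG_MULTI_SZ c:\\windows\\system32\\rdujrbhq.exe "
    "c:\\windows\\system32\\rdujrbhq.exe:changelist\\0"
    "c:\\windows\\system32\\pchwbtur.exe "
    "c:\\windows\\system32\\pchwbtur.exe:changelist\\0autocheck autochk *"
)


def extract_hex7_value(reg_text, value_name):
    """Return the raw bytes of a hex(7) value from REGEDIT4 text, after
    joining backslash-continued lines."""
    joined = reg_text.replace("\\\n", "")
    pattern = r'^"%s"=hex\(7\):([0-9a-fA-F,]+)$' % re.escape(value_name)
    m = re.search(pattern, joined, re.MULTILINE)
    if not m:
        raise ValueError("value %r not found" % value_name)
    return bytes(int(h, 16) for h in m.group(1).split(",") if h)


def decode_multi_sz(raw, encoding="cp1252"):
    """Decode REG_MULTI_SZ bytes: NUL-separated strings, double-NUL terminated."""
    if not raw.endswith(b"\x00\x00"):
        raise ValueError("REG_MULTI_SZ must end with two NUL bytes")
    body = raw[:-2]
    return [s.decode(encoding) for s in body.split(b"\x00")] if body else []


def encode_multi_sz_hex7(strings, encoding="cp1252"):
    """Encode a list of strings as a REGEDIT4 hex(7) value (no line wrapping)."""
    raw = b"".join(s.encode(encoding) + b"\x00" for s in strings) + b"\x00"
    return "hex(7):" + ",".join("%02x" % b for b in raw)


def cfscript_restores_default(reg_text=CFSCRIPT_REGISTRY):
    """True when the script's BootExecute value is exactly the stock entry."""
    raw = extract_hex7_value(reg_text, "BootExecute")
    return decode_multi_sz(raw) == DEFAULT_BOOTEXECUTE


def parse_combofix_bootexecute(line):
    """Split a ComboFix 'BootExecute REG_MULTI_SZ ...' line into its entries."""
    prefix = "BootExecute REG_MULTI_SZ "
    if not line.startswith(prefix):
        raise ValueError("not a ComboFix BootExecute line")
    return line[len(prefix):].split("\\0")


def unexpected_bootexecute_entries(entries, expected=DEFAULT_BOOTEXECUTE):
    """Entries that a clean system would not have; each deserves a look."""
    return [e for e in entries if e not in expected]


if __name__ == "__main__":
    print("CFScript restores default BootExecute:", cfscript_restores_default())
    print("Default re-encoded:", encode_multi_sz_hex7(DEFAULT_BOOTEXECUTE))
    for entry in unexpected_bootexecute_entries(
            parse_combofix_bootexecute(COMBOFIX_BOOTEXECUTE_LINE)):
        print("suspicious BootExecute entry:", entry)
```

Anything BootExecute lists runs from the Session Manager before the user logs on and before most security software starts, which is why checking that value against the single stock entry is a cheap, high-value test when reading a ComboFix or similar log.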



#7 chri1720

chri1720
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:01:12 AM

Posted 04 January 2010 - 10:19 PM

Sorry for the delay.

Here are the logs. Once again, thanks for the help! :(

COMBOFIX


ComboFix 10-01-04.01 - henry 01/05/2010 2:53.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1612 [GMT 0:00]
Running from: c:\documents and settings\henry\Desktop\far.exe
Command switches used :: c:\documents and settings\henry\Desktop\CFScript.txt

FILE ::
"c:\windows\system32\krl32mainweq.dll"
"c:\windows\system32\pchwbtur.exe"
"c:\windows\system32\rdujrbhq.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\krl32mainweq.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF


((((((((((((((((((((((((( Files Created from 2009-12-05 to 2010-01-05 )))))))))))))))))))))))))))))))
.

2010-01-05 01:51 . 2010-01-05 01:51 -------- d-----w- c:\documents and settings\henry\Application Data\Malwarebytes
2010-01-05 01:51 . 2009-12-30 14:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-04 23:03 . 2010-01-04 23:03 -------- d-----w- c:\windows\system32\CatRoot_bak
2010-01-04 18:46 . 2010-01-04 18:46 0 ----a-w- c:\documents and settings\henry\settings.dat
2010-01-04 16:58 . 2004-08-04 10:00 92416 -c--a-w- c:\windows\system32\dllcache\mga.sys
2010-01-04 16:57 . 2004-08-04 10:00 480256 -c--a-w- c:\windows\system32\dllcache\cintsetp.exe
2010-01-04 16:41 . 2004-08-04 10:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2010-01-04 16:41 . 2004-08-04 10:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2010-01-04 16:41 . 2004-08-04 10:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2010-01-04 16:41 . 2004-08-04 10:00 13312 ----a-w- c:\windows\system32\irclass.dll
2010-01-04 15:38 . 2004-08-04 10:00 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2010-01-04 15:37 . 2004-08-04 10:00 32768 -c--a-w- c:\windows\system32\dllcache\icwdl.dll
2010-01-04 15:37 . 2004-08-04 10:00 86016 -c--a-w- c:\windows\system32\dllcache\icwconn2.exe
2010-01-04 15:37 . 2004-08-04 10:00 214528 -c--a-w- c:\windows\system32\dllcache\icwconn1.exe
2010-01-04 15:37 . 2004-08-04 10:00 20480 -c--a-w- c:\windows\system32\dllcache\inetwiz.exe
2010-01-04 14:59 . 2010-01-04 14:59 -------- d-s---w- c:\windows\system32\config\systemprofile\History
2010-01-01 15:43 . 2010-01-01 15:43 -------- d-----w- c:\program files\Eusing Free Registry Cleaner
2010-01-01 01:15 . 2010-01-01 01:15 -------- d-----w- c:\documents and settings\henry\Application Data\AVG8
2010-01-01 01:12 . 2009-12-30 14:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-01 01:09 . 2010-01-05 01:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-31 22:25 . 2009-12-31 22:25 -------- d-----w- c:\program files\TrendMicro
2009-12-31 21:54 . 2009-12-31 22:02 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-12-31 21:30 . 2009-12-31 21:30 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-12-31 21:22 . 2009-12-31 21:22 -------- d-----w- c:\documents and settings\henry\Local Settings\Application Data\ESET
2009-12-31 19:14 . 2009-12-31 19:14 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2009-12-31 16:36 . 2009-12-31 16:36 -------- d-----w- c:\program files\ESET
2009-12-31 16:21 . 2009-12-31 16:21 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-12-31 14:30 . 2009-12-31 14:33 -------- d-----w- c:\documents and settings\henry\Local Settings\Application Data\Tific
2009-12-31 14:30 . 2009-12-31 14:30 -------- d-----w- c:\documents and settings\henry\Application Data\Tific
2009-12-31 13:51 . 2009-12-31 13:51 -------- d-----w- c:\windows\system32\drivers\NAV
2009-12-31 13:51 . 2009-12-31 13:51 -------- d-----w- c:\program files\Windows Sidebar
2009-12-31 01:59 . 2009-12-31 02:00 -------- dc-h--w- c:\windows\ie8
2009-12-30 15:07 . 2009-12-30 15:07 -------- d-----w- c:\documents and settings\henry\Local Settings\Application Data\Threat Expert
2009-12-30 15:06 . 2009-11-10 10:28 149456 ----a-w- c:\windows\SGDetectionTool.dll
2009-12-30 15:06 . 2009-11-10 10:26 767952 ----a-w- c:\windows\BDTSupport.dll
2009-12-30 15:06 . 2009-10-28 01:36 1152444 ----a-w- c:\windows\UDB.zip
2009-12-30 15:06 . 2008-11-26 12:08 131 ----a-w- c:\windows\IDB.zip
2009-12-30 15:06 . 2009-11-10 10:28 165840 ----a-w- c:\windows\PCTBDRes.dll
2009-12-30 15:06 . 2009-11-10 10:28 1640400 ----a-w- c:\windows\PCTBDCore.dll
2009-12-30 15:05 . 2009-10-30 11:11 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-12-30 15:05 . 2009-11-09 11:20 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-12-30 15:05 . 2009-10-06 16:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-12-30 15:05 . 2009-09-03 09:45 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-12-30 15:05 . 2010-01-01 00:36 -------- d-----w- c:\program files\Spyware Doctor
2009-12-30 15:05 . 2009-12-30 15:06 -------- d-----w- c:\program files\Common Files\PC Tools
2009-12-30 15:05 . 2009-12-30 15:05 -------- d-----w- c:\documents and settings\henry\Application Data\PC Tools
2009-12-12 14:12 . 2009-12-12 14:12 -------- d-----w- c:\documents and settings\henry\Application Data\UpdateMoniter
2009-12-11 12:34 . 2009-12-11 12:34 -------- d-----w- c:\documents and settings\henry\Application Data\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-04 23:20 . 2007-06-29 13:10 86580 ----a-w- c:\windows\system32\nvModes.dat
2010-01-04 18:16 . 2008-03-24 14:14 -------- d-----w- c:\program files\Tudou
2010-01-04 17:45 . 2007-06-28 14:07 -------- d-----w- c:\program files\BitLord
2010-01-04 16:53 . 2007-06-28 09:40 22704 -c--a-w- c:\windows\system32\emptyregdb.dat
2010-01-01 02:04 . 2008-06-21 13:15 -------- d-----w- c:\program files\Sony Ericsson
2010-01-01 02:02 . 2007-06-28 14:05 -------- d-----w- c:\program files\Common Files\Real
2010-01-01 02:02 . 2007-06-28 14:05 -------- d-----w- c:\program files\Real
2010-01-01 02:01 . 2008-11-26 01:17 -------- d-----w- c:\program files\PPLiveVA
2009-12-31 20:24 . 2008-02-11 18:28 -------- d-----w- c:\documents and settings\henry\Application Data\dvdcss
2009-12-11 12:35 . 2009-02-15 12:21 -------- d-----w- c:\program files\Creative
2009-12-11 12:35 . 2007-06-28 10:17 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-11 12:23 . 2009-11-14 21:14 -------- d-----w- c:\documents and settings\henry\Application Data\EndNote
2009-12-02 14:34 . 2009-12-02 14:24 -------- d-----w- c:\documents and settings\henry\Application Data\gtk-2.0
2009-12-02 12:59 . 2009-12-02 12:59 -------- d-----w- c:\program files\GIMP-2.0
2009-12-02 12:58 . 2009-12-02 12:47 -------- d-----w- c:\program files\Paint.NET
2009-11-12 14:17 . 2009-11-12 14:17 -------- d-----w- c:\program files\Common Files\Risxtd
2009-11-12 14:13 . 2007-11-02 20:58 -------- d-----w- c:\program files\WebTV
2009-11-12 14:09 . 2008-02-28 12:05 -------- d-----w- c:\program files\Bonjour
2009-11-08 14:12 . 2007-06-28 12:47 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-02 20:42 . 2009-10-02 15:53 195456 ----a-w- c:\windows\system32\MpSigStub.exe
2009-12-10 15:27 . 2009-05-31 12:19 253952 ----a-w- c:\program files\mozilla firefox\components\CheckTudouVa.dll
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2009-01-16 02:50 . 2009-01-16 02:50 181 -csha-w- c:\windows\system32\pitepadu.dll
2009-01-15 13:49 . 2009-01-15 13:49 181 -csha-w- c:\windows\system32\tenedefi.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-21 7557120]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
"nwiz"="nwiz.exe" [2006-03-21 1519616]
"NVHotkey"="nvHotkey.dll" [2006-03-21 73728]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^henry^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^henry^Start Menu^Programs^Startup^GameSpot Download Manager.lnk]
backup=c:\windows\pss\GameSpot Download Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^henry^Start Menu^Programs^Startup^启动飞速土豆.lnk]
backup=c:\windows\pss\启动飞速土豆.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2008-10-14 20:38 623992 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 10:00 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
2007-04-03 22:29 165784 ----a-w- c:\program files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
2005-09-08 04:20 122940 ----a-w- c:\windows\system32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-12-09 19:29 49152 ----a-w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
2005-12-28 10:56 602182 ----a-w- c:\program files\Intel\Wireless\Bin\iFrmewrk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]
2005-12-28 10:55 667718 ----a-w- c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray]
2009-11-18 12:47 1243088 ----a-w- c:\program files\Spyware Doctor\pctsTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-07-27 15:50 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-07-27 15:50 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-07-26 15:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-03-21 19:03 7557120 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVHotkey]
2006-03-21 19:03 73728 ----a-w- c:\windows\system32\nvhotkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2006-03-21 19:03 1519616 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\O2]
2008-03-28 21:47 198184 ----a-w- c:\program files\O2\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2006-03-24 16:30 282624 ----a-w- c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-02-22 03:25 144784 ----a-w- c:\program files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateMonitor]
2009-12-06 13:29 274488 ----a-w- c:\documents and settings\henry\Application Data\UpdateMoniter\UpdateMonitor.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"=
"c:\\Program Files\\O2\\agent\\bin\\bcont.exe"=
"c:\\Program Files\\O2\\agent\\bin\\bcont_nm.exe"=
"c:\\Program Files\\Intel\\Wireless\\Bin\\RegSrvc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager\\MediaManager.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\O2\\bin\\wificfg.exe"=
"c:\\Program Files\\Common Files\\SupportSoft\\bin\\ssrc.exe"=
"c:\\WINDOWS\\stsystra.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"16013:TCP"= 16013:TCP:bitlord

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [12/30/2009 3:05 PM 207792]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [12/30/2009 3:06 PM 112592]
R2 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\O2\bin\sprtsvc.exe [6/7/2007 3:19 PM 202280]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/14/2007 1:17 PM 682232]
S3 EraserUtilDrvI9;EraserUtilDrvI9;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI9.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI9.sys [?]
S3 s3017bus;Sony Ericsson Device 3017 driver (WDM);c:\windows\system32\drivers\s3017bus.sys [6/21/2008 1:16 PM 83880]
S3 s3017mdfl;Sony Ericsson Device 3017 USB WMC Modem Filter;c:\windows\system32\drivers\s3017mdfl.sys [6/21/2008 1:16 PM 15016]
S3 s3017mdm;Sony Ericsson Device 3017 USB WMC Modem Driver;c:\windows\system32\drivers\s3017mdm.sys [6/21/2008 1:16 PM 110632]
S3 s3017mgmt;Sony Ericsson Device 3017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s3017mgmt.sys [6/21/2008 1:16 PM 104616]
S3 s3017nd5;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (NDIS);c:\windows\system32\drivers\s3017nd5.sys [6/21/2008 1:16 PM 25512]
S3 s3017obex;Sony Ericsson Device 3017 USB WMC OBEX Interface;c:\windows\system32\drivers\s3017obex.sys [6/21/2008 1:16 PM 100648]
S3 s3017unic;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (WDM);c:\windows\system32\drivers\s3017unic.sys [6/21/2008 1:16 PM 110120]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [12/30/2009 3:05 PM 359624]
S3 V0100VID;Creative WebCam Vista Pro;c:\windows\system32\drivers\V0100Vid.sys [2/15/2009 12:26 PM 91155]
.
Contents of the 'Scheduled Tasks' folder

2009-12-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2010-01-05 c:\windows\Tasks\User_Feed_Synchronization-{8DAD1F5D-FE8B-4A34-A418-FE55EC6DA685}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 04:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: o2.co.uk\*.broadband
DPF: {B991DA79-51F7-4011-98D2-1F2592E82A56} - hxxp://drm1.reelsurvey.com/ePlayer/V3_2_0_0/ACNePlayer.cab
FF - ProfilePath - c:\documents and settings\henry\Application Data\Mozilla\Firefox\Profiles\29f4igmd.default\
FF - component: c:\program files\Mozilla Firefox\components\CheckTudouVa.dll
FF - plugin: c:\documents and settings\henry\Application Data\Move Networks\plugins\npqmp071503000010.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-05 03:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1924)
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\windows\System32\SCardSvr.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\rundll32.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-01-05 03:05:03 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-05 03:05
ComboFix2.txt 2010-01-05 00:30

Pre-Run: 14,129,971,200 bytes free
Post-Run: 14,094,553,088 bytes free

Current=4 Default=4 Failed=0 LastKnownGood=6 Sets=1,2,3,4,5,6
- - End Of File - - 620D5AC1B53022EA7F8A670A1160F9C2

MALWARE


Malwarebytes' Anti-Malware 1.43
Database version: 3495
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

1/5/2010 3:12:00 AM
mbam-log-2010-01-05 (03-12-00).txt

Scan type: Quick Scan
Objects scanned: 117034
Time elapsed: 5 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\pitepadu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tenedefi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.



#8 Farbar

Posted 05 January 2010 - 04:25 AM

No worries about the delay.
  • Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Look for "Java Runtime Environment (JRE)" JRE 6 Update 17.
    • Click the Download button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u17-windows-i586.exe to install the newest version.
  • Tell me also how the computer is running.


#9 chri1720

Posted 05 January 2010 - 07:28 AM

Hi Farbar,

Java update completed. The laptop seems to run well now (no more hanging!) except for this Microsoft feed synchronization error that keeps popping up. Any idea what this does?

AppName: msfeedssync.exe AppVer: 8.0.6001.18702 ModName: user32.dll
ModVer: 5.1.2600.2180 Offset: 0000bbcd

Once again, thanks for all your help.

#10 Farbar

Posted 05 January 2010 - 07:49 AM

I find it strange. The error is related to IE 8, but you have IE 6. Have you tried to install IE 8, or previously installed IE 8?

#11 chri1720


Posted 05 January 2010 - 08:52 AM

Hi Farbar,

Yes, I was prompted to install the newer IE7/8, but I remember clicking no to it; maybe I clicked yes accidentally, since I have been using Firefox for a long time. I've never seen this error previously, though, and I don't even recall the last time I opened IE. Should I ignore this?

Thanks.

#12 Farbar

Posted 05 January 2010 - 09:04 AM

I see the Service Pack version is outdated.

Make sure you install all the security updates for Windows, Internet explorer & Microsoft Office.
Whenever a security problem in its software is found, Microsoft will usually create a patch for it so that, after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC, so keeping up with these patches will help to prevent malicious software being installed on your PC. Windows XP Service Pack 2 is now outdated. Microsoft has released Service Pack 3, which has more features and is more secure than Service Pack 2.

In order to update Windows, go to Start -> All Programs -> Windows Update, wait for the page to load, then press the Custom button. Windows searches your computer and gives you possible updates.

Prior to installing SP3 it is better to disable your antivirus and re-enable it after SP3 is installed.

After this you can update your IE 6 to IE 8.

If you want to do this, you had better make a fresh restore point first, just in case something goes wrong and SP3 doesn't install.

#13 Farbar

Posted 05 January 2010 - 10:10 AM

Just to add to my post: That is my recommendation. If you have had serious trouble updating to SP3 before and are not using IE, I can probably remove the error for you without the need to do much more.

FYI: The IE 8 related error is from today (January 5) and I was looking at the logs dated before. If you have installed it accidentally, it is from today and the current IE version is IE 8. To confirm that, do the following: Open IE, go to the Help menu, click About Internet Explorer and tell me the version mentioned.

#14 chri1720


Posted 05 January 2010 - 10:49 AM

Hi Farbar,

Thanks for the prompt response. I've been updating for the past 2 hours and I think it's finally finished.

IE8 and Windows XP on SP3 now, and the laptop is running fine as far as I can tell. Thanks for all your suggestions and help! It's much appreciated.

#15 Farbar

Posted 05 January 2010 - 11:09 AM

Looks good, and you are welcome.

Go to Start => Run => copy and paste the next command into the field, then hit Enter:

far.exe /Uninstall

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

It makes a clean Restore Point and clears all the old restore points in order to prevent possible reinfection from an old one through system restore.

Happy Surfing.



