Antivirus live


  • This topic is locked
13 replies to this topic

#1 bblumquist

bblumquist

  • Members
  • 17 posts

Posted 24 January 2010 - 09:49 AM

Good morning! I ran the ComboFix program at the advice of an IT person. It appears to have deleted the virus. I was not aware of the DDS or Root repeal tools before I ran the program so I did not run them. I have a ComboFix log that I can post if you wish. I had a memory stick inserted into the computer when the virus attacked. I (obviously!) could not stop it and could not even turn my computer off so I unplugged it. I removed the memory stick before I turned the computer back on. What is your advice at this point for the computer? I was advised to download Super Anti Spyware and Malwarebytes to a DIFFERENT memory stick and install them also. I have them on my desktop but I have not run them yet. Should I run those two programs next? Should I plug the potentially infected memory stick into the computer after I run those two programs? Thank you for your help!!!! Barry



#2 1972vet

1972vet

  • Malware Response Team
  • 1,698 posts
  • Gender:Male
  • Location:Midwest U.S.A.

Posted 24 January 2010 - 10:44 AM

Greetings bblumquist and Welcome to the Forums,

Was the memory stick inserted when you ran combofix? Let's have a look at that combofix scan log. Thanks!

Disabled Veteran, U.S.C.G. 1972 - 1978
mvpsigpic.jpg
2009 - 2013

Member: U.N.I.T.E.
Performance and Maintenance for Windows XP, Windows Vista and Windows Seven


#3 bblumquist

bblumquist
  • Topic Starter

  • Members
  • 17 posts

Posted 24 January 2010 - 10:58 AM

Thank you! No, the potentially infected one was not inserted when I ran ComboFix. Here is the log. I appreciate your timely response! Barry

ComboFix 10-01-23.02 - Owner 01/23/2010 20:28:53.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.759.392 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Local Settings\Application Data\jcowfi
c:\documents and settings\Owner\Local Settings\Application Data\jcowfi\tfiosysguard.exe

.
((((((((((((((((((((((((( Files Created from 2009-12-24 to 2010-01-24 )))))))))))))))))))))))))))))))
.

2010-01-23 20:04 . 2010-01-23 20:04 -------- d-----w- c:\windows\system32\XPSViewer
2010-01-23 20:04 . 2010-01-23 20:04 -------- d-----w- c:\program files\MSBuild
2010-01-23 20:03 . 2010-01-23 20:03 -------- d-----w- c:\program files\Reference Assemblies
2010-01-23 20:03 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-01-23 20:02 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-01-23 20:02 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2010-01-23 20:02 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-01-23 20:02 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-01-23 20:02 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-01-23 20:02 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-01-23 20:02 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-01-23 20:02 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-01-23 20:02 . 2010-01-23 20:03 -------- d-----w- C:\e4b046e65b55399df7a4878886
2010-01-15 23:40 . 2010-01-16 14:54 256 ----a-w- c:\windows\system32\pool.bin
2010-01-15 23:40 . 2010-01-15 23:40 -------- d-----w- c:\documents and settings\Owner\Application Data\Research In Motion
2010-01-15 22:20 . 2009-01-09 21:18 27136 ----a-r- c:\windows\system32\drivers\RimSerial.sys
2010-01-15 22:19 . 2010-01-15 22:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Research In Motion
2010-01-15 22:19 . 2010-01-15 22:19 -------- d-----w- c:\program files\Common Files\Roxio Shared
2010-01-15 22:18 . 2010-01-15 22:19 -------- d-----w- c:\program files\Common Files\Research In Motion
2010-01-15 22:18 . 2010-01-15 22:21 -------- d-----w- c:\program files\Research In Motion
2010-01-13 12:43 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-24 00:51 . 2007-05-10 23:04 -------- d-----w- c:\documents and settings\Owner\Application Data\OpenOffice.org2
2010-01-15 23:05 . 2009-11-09 16:45 79488 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-05 10:00 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-04 12:00 17408 ------w- c:\windows\system32\corpol.dll
2010-01-03 17:10 . 2009-12-13 23:51 2066200 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-12-14 01:08 . 2009-12-14 01:07 -------- d-----w- c:\program files\QuickTime
2009-12-14 01:07 . 2009-12-14 01:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-12-14 01:04 . 2009-12-14 01:04 -------- d-----w- c:\program files\Common Files\Apple
2009-11-21 15:51 . 2004-08-04 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-02-10 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-02-10 118784]
"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2002-10-23 86016]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-13 2043160]
"KMCONFIG"="c:\program files\Micro Innovations\Wireless Keyboard & Mouse Driver\StartAutorun.exe" [2007-03-06 212992]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-11-20 623960]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-05-30 5419008]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
OpenOffice.org 2.0.lnk - c:\program files\OpenOffice.org 2.0\program\quickstart.exe [2006-1-25 61440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-20 23:56 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/31/2008 4:44 PM 335240]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/28/2009 7:26 PM 297752]
R2 KMWDSERVICE;Keyboard And Mouse Communication Service;c:\program files\Micro Innovations\Wireless Keyboard & Mouse Driver\KMWDSrv.exe [4/5/2007 10:29 AM 208896]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dogpile.com/dogpile/ws/index/_iceUrlFlag=11?_IceUrl=true
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: ebay.com
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-jmxaelqv - c:\documents and settings\Owner\Local Settings\Application Data\jcowfi\tfiosysguard.exe
HKLM-Run-jmxaelqv - c:\documents and settings\Owner\Local Settings\Application Data\jcowfi\tfiosysguard.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-23 20:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-01-23 20:52:04
ComboFix-quarantined-files.txt 2010-01-24 01:51

Pre-Run: 8,319,676,416 bytes free
Post-Run: 8,593,317,888 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - DE27024FB3D184D60C64A8B6340333CA


#4 1972vet

1972vet

  • Malware Response Team
  • 1,698 posts
  • Gender:Male
  • Location:Midwest U.S.A.

Posted 24 January 2010 - 12:19 PM

A couple things of note. Your OpenOffice application is outdated, as is your Adobe Acrobat 7.0. You should uninstall the Acrobat you have and install the latest version Here. The OpenOffice can just be installed over itself...no need to uninstall it. The latest version is Here.

I would also like to know if you turned off the Windows Security Monitoring feature for your antivirus product via the control panel.
This entry in the log:
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

...tells me that it is turned off (dword "1"= Off, do not monitor and "0" = On, monitor).

I realize you could have turned it off but so could your malware issue. If you did, that's fine, but if you didn't then you might want to turn it back on. Let me know if you need instructions how to do that.

Now on to your log...Things don't look so bad. We need to run a script though to see what is up with a couple things...one file and one folder. I believe these items are harmless but we should have a look nonetheless:

Please open a blank Notepad by clicking start-->run
Then, in the run box type Notepad.exe and click "OK".
Copy the below text in Bold and paste it into the blank Notepad. Save it as CFScript.txt...Change the "Save as type" to All Files and save it to your desktop. Now drag the text document over to your Combofix.exe

Combofix will run again automatically. Please post back the new log that will be generated and let us know how things are running on that end. Thanks!
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.



KILLALL::

FileLook::
C:\windows\system32\pool.bin

DirLook::
C:\e4b046e65b55399df7a4878886

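The two things 1972vet reads out of the log above, the Security Center "AntiVirusOverride" dword (1 = Off, do not monitor; 0 = On, monitor) and the orphaned Run entries that pointed at a randomly named folder under Local Settings\Application Data, are the kind of checks a helper repeats on every ComboFix log. The script below is an added example, not code from the thread, from ComboFix or from BleepingComputer, that applies those two checks to a constructed excerpt modelled on the first log in the thread. The sample text, the regular expressions, the directory markers and the function names are all assumptions of this example.

```python
import re

# Constructed excerpt modelled on the "Reg Loading Points" and "ORPHANS REMOVED"
# sections of the first ComboFix log in the thread (sample input, not a live log).
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-02-10 155648]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-13 2043160]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

- - - - ORPHANS REMOVED - - - -

HKCU-Run-jmxaelqv - c:\documents and settings\Owner\Local Settings\Application Data\jcowfi\tfiosysguard.exe
HKLM-Run-jmxaelqv - c:\documents and settings\Owner\Local Settings\Application Data\jcowfi\tfiosysguard.exe
"""

# Line shapes used by ComboFix's REGEDIT4-style dump (assumed from the posted log).
KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"')
DWORD_VALUE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{1,8})$')
ORPHAN_LINE = re.compile(r"^(?P<hive>HK\w+)-Run-(?P<name>\S+) - (?P<path>.+)$")

# Per-user data directories that a legitimate XP-era autorun rarely launches from
# (assumed markers; the thread's removed entries lived under the first one).
PROFILE_DATA_DIRS = ("\\local settings\\application data\\", "\\local settings\\temp\\")

# Meaning of the Security Center override values, as explained in the thread.
OVERRIDE_MEANING = {0: "On, monitor", 1: "Off, do not monitor"}


def security_center_overrides(log):
    """Map each dword value under the Security Center key to its integer value."""
    found = {}
    current_key = None
    for raw in log.splitlines():
        line = raw.strip()
        key = KEY_LINE.match(line)
        if key:
            current_key = key.group("key").lower()
            continue
        if current_key is not None and current_key.endswith("microsoft\\security center"):
            val = DWORD_VALUE.match(line)
            if val:
                found[val.group("name")] = int(val.group("hex"), 16)
    return found


def suspicious_autoruns(log):
    """Return (name, path) for Run values, or orphans ComboFix removed, whose
    target sits in a per-user profile data directory."""
    hits = []
    for raw in log.splitlines():
        line = raw.strip()
        match = RUN_VALUE.match(line) or ORPHAN_LINE.match(line)
        if match is None:
            continue
        path = match.group("path")
        if any(marker in path.lower() for marker in PROFILE_DATA_DIRS):
            hits.append((match.group("name"), path))
    return hits


def triage(log):
    """Human-readable findings a helper would raise about the log."""
    findings = []
    for name, value in security_center_overrides(log).items():
        if value != 0:
            meaning = OVERRIDE_MEANING.get(value, "unknown value")
            findings.append(
                f"{name}=dword:{value:08x} ({meaning}); confirm the user set this, not the malware"
            )
    for name, path in suspicious_autoruns(log):
        findings.append(f"autorun '{name}' launched from profile data dir: {path}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("-", finding)
```

Run against the sample it reports the override as Off and both orphaned jmxaelqv entries; an override of dword:00000000 produces no finding, matching the 0 = On reading in the post. Orphan lines are kept per hive so a HKCU and a HKLM copy of the same name both appear, which is itself a useful signal.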


#5 bblumquist

bblumquist
  • Topic Starter

  • Members
  • 17 posts

Posted 24 January 2010 - 12:55 PM

I did turn off the AVG at the request of the ComboFix program. I will run the items you asked me to, should I have the potentially infected memory stick installed? I have some work on that stick that I need to finish today and files to send. Thank you! Barry

#6 1972vet

1972vet

  • Malware Response Team
  • 1,698 posts
  • Gender:Male
  • Location:Midwest U.S.A.

Posted 24 January 2010 - 04:25 PM

Yeah, after you read this...maybe print it if you need to then disconnect from the internet. While disconnected, go ahead with running the script as indicated in the previous instruction. Post back THAT log. Thanks!



#7 bblumquist

bblumquist
  • Topic Starter

  • Members
  • 17 posts

Posted 24 January 2010 - 07:14 PM

OK, I ran the program again as you instructed. I plugged my potentially infected memory stick into the computer just before I dragged the CFScript file to the icon. The resulting log is below. I have not enabled the AVG yet.
Barry

ComboFix 10-01-23.02 - Owner 01/24/2010 17:57:13.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.759.340 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2009-12-24 to 2010-01-24 )))))))))))))))))))))))))))))))
.

2010-01-23 20:04 . 2010-01-23 20:04 -------- d-----w- c:\windows\system32\XPSViewer
2010-01-23 20:04 . 2010-01-23 20:04 -------- d-----w- c:\program files\MSBuild
2010-01-23 20:03 . 2010-01-23 20:03 -------- d-----w- c:\program files\Reference Assemblies
2010-01-23 20:03 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-01-23 20:02 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-01-23 20:02 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2010-01-23 20:02 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-01-23 20:02 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-01-23 20:02 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-01-23 20:02 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-01-23 20:02 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-01-23 20:02 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-01-23 20:02 . 2010-01-23 20:03 -------- d-----w- C:\e4b046e65b55399df7a4878886
2010-01-15 23:40 . 2010-01-16 14:54 256 ----a-w- c:\windows\system32\pool.bin
2010-01-15 23:40 . 2010-01-15 23:40 -------- d-----w- c:\documents and settings\Owner\Application Data\Research In Motion
2010-01-15 22:20 . 2009-01-09 21:18 27136 ----a-r- c:\windows\system32\drivers\RimSerial.sys
2010-01-15 22:19 . 2010-01-15 22:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Research In Motion
2010-01-15 22:19 . 2010-01-15 22:19 -------- d-----w- c:\program files\Common Files\Roxio Shared
2010-01-15 22:18 . 2010-01-15 22:19 -------- d-----w- c:\program files\Common Files\Research In Motion
2010-01-15 22:18 . 2010-01-15 22:21 -------- d-----w- c:\program files\Research In Motion
2010-01-13 12:43 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-24 23:34 . 2007-05-10 23:04 -------- d-----w- c:\documents and settings\Owner\Application Data\OpenOffice.org2
2010-01-15 23:05 . 2009-11-09 16:45 79488 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-05 10:00 . 2004-08-04 12:00 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-04 12:00 17408 ------w- c:\windows\system32\corpol.dll
2010-01-03 17:10 . 2009-12-13 23:51 2066200 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-12-14 01:08 . 2009-12-14 01:07 -------- d-----w- c:\program files\QuickTime
2009-12-14 01:07 . 2009-12-14 01:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-12-14 01:04 . 2009-12-14 01:04 -------- d-----w- c:\program files\Common Files\Apple
2009-11-21 15:51 . 2004-08-04 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

--- c:\windows\system32\pool.bin ---
Company: ------
File Description: ------
File Version: ------
Product Name: ------
Copyright: ------
Original Filename: ------
File size: 256
Created time: 2010-01-15 23:40
Modified time: 2010-01-16 14:54
MD5: B08167A0F10C89F888250159372BB893
SHA1: 0D938087191295528C7CEA871F7E2CD226C6B231

---- Directory of C:\e4b046e65b55399df7a4878886 ----

2010-01-23 20:02 . 2008-06-19 05:33 72 ------w- c:\e4b046e65b55399df7a4878886\amd64\msxpsinc.ppd
2010-01-23 20:02 . 2008-06-19 05:33 2204 ------w- c:\e4b046e65b55399df7a4878886\i386\msxpsdrv.inf
2010-01-23 20:02 . 2008-06-19 16:03 73 ------w- c:\e4b046e65b55399df7a4878886\i386\msxpsinc.gpd
2010-01-23 20:02 . 2008-06-19 05:33 72 ------w- c:\e4b046e65b55399df7a4878886\i386\msxpsinc.ppd
2010-01-23 20:02 . 2008-06-19 05:33 2204 ------w- c:\e4b046e65b55399df7a4878886\amd64\msxpsdrv.inf
2010-01-23 20:02 . 2008-07-06 12:06 10929 ------w- c:\e4b046e65b55399df7a4878886\amd64\msxpsdrv.cat
2010-01-23 20:02 . 2008-07-06 12:06 10929 ------w- c:\e4b046e65b55399df7a4878886\i386\msxpsdrv.cat
2010-01-23 20:02 . 2008-07-06 12:06 147456 ------w- c:\e4b046e65b55399df7a4878886\amd64\filterpipelineprintproc.dll
2010-01-23 20:02 . 2008-07-06 12:06 89088 ------w- c:\e4b046e65b55399df7a4878886\i386\filterpipelineprintproc.dll
2010-01-23 20:02 . 2008-07-06 12:06 765440 ------w- c:\e4b046e65b55399df7a4878886\i386\mxdwdrv.dll
2010-01-23 20:02 . 2008-07-06 12:06 1676288 ------w- c:\e4b046e65b55399df7a4878886\i386\xpssvcs.dll
2010-01-23 20:02 . 2008-07-06 12:06 748032 ------w- c:\e4b046e65b55399df7a4878886\amd64\mxdwdrv.dll
2008-07-06 22:36 . 2008-07-06 22:36 2936832 ------w- c:\e4b046e65b55399df7a4878886\amd64\xpssvcs.dll
2008-06-19 16:03 . 2008-06-19 16:03 73 ------w- c:\e4b046e65b55399df7a4878886\amd64\msxpsinc.gpd


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-02-10 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-02-10 118784]
"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2002-10-23 86016]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-13 2043160]
"KMCONFIG"="c:\program files\Micro Innovations\Wireless Keyboard & Mouse Driver\StartAutorun.exe" [2007-03-06 212992]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-11-20 623960]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-05-30 5419008]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
OpenOffice.org 2.0.lnk - c:\program files\OpenOffice.org 2.0\program\quickstart.exe [2006-1-25 61440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-20 23:56 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/31/2008 4:44 PM 335240]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/28/2009 7:26 PM 297752]
R2 KMWDSERVICE;Keyboard And Mouse Communication Service;c:\program files\Micro Innovations\Wireless Keyboard & Mouse Driver\KMWDSrv.exe [4/5/2007 10:29 AM 208896]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dogpile.com/dogpile/ws/index/_iceUrlFlag=11?_IceUrl=true
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: ebay.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-24 18:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(592)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\program files\Micro Innovations\Wireless Keyboard & Mouse Driver\KMConfig.exe
c:\program files\OpenOffice.org 2.0\program\soffice.exe
c:\program files\OpenOffice.org 2.0\program\soffice.BIN
c:\program files\Micro Innovations\Wireless Keyboard & Mouse Driver\KMProcess.exe
.
**************************************************************************
.
Completion time: 2010-01-24 18:40:53 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-24 23:40
ComboFix2.txt 2010-01-24 01:52

Pre-Run: 8,581,181,440 bytes free
Post-Run: 8,547,188,736 bytes free

- - End Of File - - 36E493A7983689784196751086875B89


#8 1972vet

1972vet

  • Malware Response Team
  • 1,698 posts
  • Gender:Male
  • Location:Midwest U.S.A.

Posted 24 January 2010 - 07:58 PM

You haven't updated the programs I warned about and you failed to mention how things are running on your end. Of the two programs I warned about, Adobe Acrobat is most dangerous to run without the update. It might be pointless for you to continue a cleanup since without that updated application present, the exploit will just download the infection we are trying to rid, next time you open an infected .pdf file. Let me know when you have updated those applications. Thanks!



#9 bblumquist

bblumquist
  • Topic Starter

  • Members
  • 17 posts

Posted 24 January 2010 - 09:18 PM

I apologize for not updating the programs. I misinterpreted your "A couple things of note" comment to mean I could update those items after the fix. I have updated those programs and things appear to be running fine at this point. I am mostly worried about the memory stick at this point and also the programs you suggested I update. Please advise at this point. Thank you! Barry

#10 1972vet

1972vet

  • Malware Response Team
  • 1,698 posts
  • Gender:Male
  • Location:Midwest U.S.A.

Posted 24 January 2010 - 10:19 PM

Please open a blank Notepad by clicking start-->run
Then, in the run box type Notepad.exe and click "OK".
Copy the below text in Bold and paste it into the blank Notepad. Save it as CFScript.txt...Change the "Save as type" to All Files and save it to your desktop. Now drag the text document over to your Combofix.exe

Combofix will run again automatically. Please post back the new log that will be generated. Thanks!
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.



KILLALL::

File::
c:\windows\system32\pool.bin



#11 bblumquist

bblumquist
  • Topic Starter

  • Members
  • 17 posts

Posted 25 January 2010 - 06:37 AM

Good morning, here is the log. I will not be able to check your response until this evening. Thank you and have a great day! Barry

ComboFix 10-01-24.03 - Owner 01/25/2010 6:13.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.759.291 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\windows\system32\pool.bin"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\pool.bin

.
((((((((((((((((((((((((( Files Created from 2009-12-25 to 2010-01-25 )))))))))))))))))))))))))))))))
.

2010-01-25 02:05 . 2010-01-25 02:05 -------- d-----w- c:\program files\JRE
2010-01-25 02:05 . 2010-01-25 02:05 -------- d-----w- c:\program files\OpenOffice.org 3
2010-01-25 01:21 . 2010-01-25 01:21 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Adobe
2010-01-25 01:20 . 2010-01-25 01:21 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-25 01:15 . 2010-01-25 01:15 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-01-23 20:04 . 2010-01-23 20:04 -------- d-----w- c:\windows\system32\XPSViewer
2010-01-23 20:04 . 2010-01-23 20:04 -------- d-----w- c:\program files\MSBuild
2010-01-23 20:03 . 2010-01-23 20:03 -------- d-----w- c:\program files\Reference Assemblies
2010-01-23 20:03 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-01-23 20:02 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-01-23 20:02 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2010-01-23 20:02 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-01-23 20:02 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-01-23 20:02 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-01-23 20:02 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-01-23 20:02 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-01-23 20:02 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-01-23 20:02 . 2010-01-23 20:03 -------- d-----w- C:\e4b046e65b55399df7a4878886
2010-01-15 23:40 . 2010-01-15 23:40 -------- d-----w- c:\documents and settings\Owner\Application Data\Research In Motion
2010-01-15 22:20 . 2009-01-09 21:18 27136 ----a-r- c:\windows\system32\drivers\RimSerial.sys
2010-01-15 22:19 . 2010-01-15 22:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Research In Motion
2010-01-15 22:19 . 2010-01-15 22:19 -------- d-----w- c:\program files\Common Files\Roxio Shared
2010-01-15 22:18 . 2010-01-15 22:19 -------- d-----w- c:\program files\Common Files\Research In Motion
2010-01-15 22:18 . 2010-01-15 22:21 -------- d-----w- c:\program files\Research In Motion
2010-01-13 12:43 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-25 11:28 . 2009-01-08 22:39 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-01-25 02:04 . 2006-12-14 17:44 -------- d-----w- c:\program files\OpenOffice.org 2.0
2010-01-25 02:02 . 2007-05-10 23:04 -------- d-----w- c:\documents and settings\Owner\Application Data\OpenOffice.org2
2010-01-25 02:01 . 2008-12-20 01:21 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-25 01:11 . 2010-01-25 01:10 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-01-15 23:05 . 2009-11-09 16:45 79488 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-05 10:00 . 2004-08-04 12:00 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-04 12:00 17408 ------w- c:\windows\system32\corpol.dll
2010-01-03 17:10 . 2009-12-13 23:51 2066200 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-12-14 01:08 . 2009-12-14 01:07 -------- d-----w- c:\program files\QuickTime
2009-12-14 01:07 . 2009-12-14 01:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-12-14 01:04 . 2009-12-14 01:04 -------- d-----w- c:\program files\Common Files\Apple
2009-11-21 15:51 . 2004-08-04 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-20 11:08 . 2010-01-25 01:15 38784 ----a-w- c:\documents and settings\Owner\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-11-20 11:08 . 2010-01-25 01:15 38784 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-02-10 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-02-10 118784]
"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2002-10-23 86016]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-13 2043160]
"KMCONFIG"="c:\program files\Micro Innovations\Wireless Keyboard & Mouse Driver\StartAutorun.exe" [2007-03-06 212992]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-11-20 623960]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-25 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-05-30 5419008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-20 23:56 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/31/2008 4:44 PM 335240]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/28/2009 7:26 PM 297752]
R2 KMWDSERVICE;Keyboard And Mouse Communication Service;c:\program files\Micro Innovations\Wireless Keyboard & Mouse Driver\KMWDSrv.exe [4/5/2007 10:29 AM 208896]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dogpile.com/dogpile/ws/index/_iceUrlFlag=11?_IceUrl=true
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: ebay.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-25 06:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3808)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\program files\Micro Innovations\Wireless Keyboard & Mouse Driver\KMConfig.exe
c:\program files\Micro Innovations\Wireless Keyboard & Mouse Driver\KMProcess.exe
c:\program files\Java\jre6\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2010-01-25 06:35:34 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-25 11:35
ComboFix2.txt 2010-01-24 23:40
ComboFix3.txt 2010-01-24 01:52

Pre-Run: 7,871,434,752 bytes free
Post-Run: 8,008,441,856 bytes free

- - End Of File - - E3972104018080FCAF52B587766837BC
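The "Reg Loading Points" block in the log above is a REGEDIT4-style dump of autostart locations. As an added example (not code from this thread, from ComboFix or from any of its authors; the sample log inside it is constructed to mirror the format shown above and is not a real system), here is a small Python parser that reads such a block, lists the autostart entries, flags executables that launch from outside the Windows and Program Files trees, and reports any Security Center value named `*Override` that is set to a nonzero value. The log above shows `"AntiVirusOverride"=dword:00000001`, which is the Windows XP Security Center setting that stops it from monitoring antivirus status; a triage script should at least surface it for a human to judge.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix-style log.

Added example, not part of the forum thread and not ComboFix's own code.
SAMPLE_LOG is constructed to mirror the format shown in the thread.
"""
import re
from dataclasses import dataclass

# Constructed sample in the same layout as the thread's log (not a real machine).
SAMPLE_LOG = """\
REGEDIT4

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"IgfxTray"="c:\\windows\\system32\\igfxtray.exe" [2004-02-10 155648]
"AVG8_TRAY"="c:\\progra~1\\AVG\\AVG8\\avgtray.exe" [2009-12-13 2043160]
"Updater"="c:\\documents and settings\\Owner\\Application Data\\xyz\\svchost.exe" [2010-01-24 51200]

[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"MSMSGS"="c:\\program files\\Messenger\\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"AntiVirusOverride"=dword:00000001
"""

KEY_RE = re.compile(r'^\[(.+)\]\s*$')
ENTRY_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s+\[(\d{4}-\d{2}-\d{2})\s+(\d+)\]\s*$')
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})\s*$')

# Locations where legitimately installed autostart executables normally live.
# Anything else (user profiles, temp folders, the drive root) deserves a look.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


@dataclass
class AutostartEntry:
    key: str    # registry key the value was found under
    name: str   # value name, e.g. "IgfxTray"
    path: str   # executable path as recorded by the tool
    date: str   # file date in the trailing [date size] bracket
    size: int   # file size in bytes


def parse_loading_points(text):
    """Return (autostart entries, {(key, name): dword value}) from the block."""
    entries, dwords, current_key = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        if current_key is None:          # header lines such as REGEDIT4
            continue
        m = ENTRY_RE.match(line)
        if m:
            name, path, date, size = m.groups()
            entries.append(AutostartEntry(current_key, name, path, date, int(size)))
            continue
        m = DWORD_RE.match(line)
        if m:
            dwords[(current_key, m.group(1))] = int(m.group(2), 16)
    return entries, dwords


def suspicious_entries(entries):
    """Autostart entries whose executable is outside the trusted trees."""
    return [e for e in entries if not e.path.lower().startswith(TRUSTED_PREFIXES)]


def security_center_overrides(dwords):
    """Names of nonzero *Override values under the Security Center key."""
    return sorted(
        name for (key, name), value in dwords.items()
        if key.lower().endswith("\\security center")
        and name.lower().endswith("override") and value != 0
    )


def triage(text):
    """One-shot summary a responder can eyeball."""
    entries, dwords = parse_loading_points(text)
    return {
        "entries": len(entries),
        "suspicious": [e.name for e in suspicious_entries(entries)],
        "overrides": security_center_overrides(dwords),
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

The path heuristic is deliberately simple: it does not claim an entry is malicious, only that it runs from somewhere a human should verify. On the thread's real log every Run entry sits under `c:\windows` or `c:\program files`, so only the Security Center override would be reported.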


#12 1972vet

  • Malware Response Team
  • 1,698 posts
  • Gender:Male
  • Location:Midwest U.S.A.

Posted 25 January 2010 - 10:26 AM

Alright, things look fine now...as for the memory stick, make sure your AVG8 is updated. Run a manual update for it and install every update it finds. Repeat the process until the program finds no more updates to install. At that point, boot into safe mode, insert the memory stick and wait until Windows recognizes it. Open AVG and perform a full system scan. When it completes, allow the software to quarantine whatever it complains of. If anything, it may just be that it finds whatever is in the qoobox. Regardless, when that finishes, reboot back to your normal windows user mode and post back your results. Thanks!

Disabled Veteran, U.S.C.G. 1972 - 1978
2009 - 2013

Member: U.N.I.T.E.
Performance and Maintenance for Windows XP, Windows Vista and Windows Seven


#13 bblumquist
  • Topic Starter
  • Members
  • 17 posts

Posted 26 January 2010 - 09:36 PM

Scanned stick with updated AVG and Malwarebytes. All is good. I want to thank you very much for your help!!! You guys provide an awesome service here and if there is anything I could do for you, do not hesitate to ask. Have a great day!! Barry

#14 1972vet

  • Malware Response Team
  • 1,698 posts
  • Gender:Male
  • Location:Midwest U.S.A.

Posted 26 January 2010 - 09:45 PM

Excellent...You did good work bblumquist

Please click start-->run...then copy and paste the Bold text below into the run box and click "OK":

ComboFix /Uninstall

Performing this function will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again for you automatically.

Now that your system is clean and running the way you expect, let's create a new restore point you can refer to should the need arise at some point in the future.

Please click "Start->Programs->Accessories->System Tools->System Restore". In the new window, check 'Create a restore point' in the right pane and click "Next". In the "Restore point description" textbox, name your restore point something you will easily recognize. I recommend something like yyyymmdd_Clean (ex. 20090101_Clean). Click "Create" and reboot your computer.

To assist in the prevention of spyware infections:

Immunize your browser by installing Spywareblaster. What does it do?
  • Prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.
  • Blocks spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
  • Restricts the actions of potentially unwanted sites in Internet Explorer.
Keep your anti-virus and spyware definitions up to date. Be sure to scan often.

Web of Trust, (WOT,) warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
  • Green to go
  • Yellow for caution
  • Red to stop
WOT has an addon available for both Firefox and IE.

Install the WinPatrol security monitor utility. WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. What I hear most from users is how much they like the startup control feature and its ease of use. Need help understanding something about WinPatrol? Here it is.

Below you can choose from several of the freeware Firewalls available on the public domain. Even though you may have a Firewall already installed, keep this list handy should you choose not to renew your subscription for whatever reason.

You should always have at least (but not more than) one of these types of third party firewalls running on board:
Sunbelt Personal Firewall
Zone Alarm
Outpost Free
Comodo (this download includes the HopSurf toolbar)
Beware

By installing this toolbar, you grant Comodo permission to collect information about your Internet usage. Read the HopSurf EULA. If you DON'T WANT IT, be sure to remove the check from the box when presented during the installation. Don't be too alarmed by this caveat...I highly recommend this firewall, but it may just be best suited for advanced users.

Install the free security tool "Secunia PSI" to help protect your system against software vulnerabilities. The free utility scans your system's software applications and offers a one-button "Download Solution" feature that updates the exploited software AND provides other related information/patching if warranted.

Stay updated with the most recent Windows patches as well...using Microsoft's Windows Update. Make it easy on yourself, and set this feature to Automatic.

Using an alternate browser can reduce your chance of certain infections installing themselves. I recommend installing Mozilla Firefox. If you don't already have "Firefox", please consider installing and using this browser for surfing.

If you still wish to use Internet Explorer, please make sure you install SpywareBlaster (from above) to protect you from most ActiveX infections.

Run CCleaner often. The Yahoo Toolbar is included by default during the installation...if you DO NOT WANT IT, be sure to remove the check from the "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser" option during installation setup or else just download the Slim version (no toolbar...last download link at the bottom of that page)...

Or if you just want to run your on board Disk Cleanup:
("Start--> Programs-->Accessories-->System Tools-->Disk Cleanup" ), just open the utility and check off the following:
Downloaded Program Files, Temporary Internet Files, Recycle Bin, and Temporary Files. Don't forget to defrag the system.

So how did I get infected in the first place?
Regards, and Happy Surfing!

This issue appears resolved and the thread is closed to prevent others from posting here.
Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.
