
Links being redirected to other websites/DCOM Process launcher causing windows to shutdown


This topic is locked
14 replies to this topic

#1 Lordmanannan

  • Members
  • 7 posts

Posted 26 January 2010 - 06:23 PM

I've been fighting a losing battle with a shared computer at work. It started with Windows AntiVirus 2010, which I used one of these topics to fix. Now I'm having problems with links being redirected. A window also keeps popping up saying that a "Generic Host Process for Win32 Services has encountered a problem and needs to close. We are sorry for the inconvenience."

szAppName : svchost.exe szAppVer : 5.1.2600.5512 szModName : unknown
szModVer : 0.0.0.0 offset : 02a6f7a5

C:\DOCUME~1\Hotel\LOCALS~1\Temp\WERcc03.dir00\svchost.exe.mdmp
C:\DOCUME~1\Hotel\LOCALS~1\Temp\WERcc03.dir00\appcompat.txt

This is followed by a one minute countdown that says it is authorized by NT/Authority. DCOM Server Process Launcher has terminated unexpectedly. (I've been using Run: Shutdown -a to stop the timer.) The computer is running Microsoft Windows XP Professional 2002 SP3.


DDS (Ver_09-12-01.01) - NTFSx86
Run by Hotel at 16:43:41.17 on Tue 01/26/2010
Internet Explorer: 8.0.6001.18702
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: TTB000000 Class: {62960d20-6d0d-1ab4-4bf1-95b0b5b8783a} - c:\windows\COUPON~1.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [NGServer] c:\program files\symantec\ghost\ngserver.exe
mRun: [WFXSwtch] c:\progra~1\winfax\WFXSWTCH.exe
mRun: [WinFaxAppPortStarter] wfxsnt40.exe
mRun: [SDJobCheck] triggusr.exe
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4\OpwareSE4.exe"
mRun: [WrtMon.exe] c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\4t5TwQjDr.exe" /runcleanupscript
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\contro~1.lnk - c:\program files\winfax\WFXCTL32.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office2002\office10\OSA.EXE
IE: E&xport to Microsoft Excel
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {2ADE19BB-1E79-4EC4-976E-AC74339ADD76} - hxxp://192.168.0.79/ActiveViewGUI.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121260911812
DPF: {66F7F252-3FE1-4650-B1E5-94B2A38271C5} - hxxp://192.168.0.79/ActiveView.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1254360810343
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37907.5040277778
DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {D74E38CD-CA4F-4A30-828E-5F840887CA50} = 10.86.109.140,10.86.109.145
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\kunokeja.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: zetolerug - {99115873-e3b9-4167-acc4-1968b55f38ea} - No File
SSODL: jiwujipem - {01cf873f-c36d-47ba-a658-7981796341d0} - c:\windows\system32\kunokeja.dll
STS: {99115873-e3b9-4167-acc4-1968b55f38ea} - No File
STS: gahurihor: {01cf873f-c36d-47ba-a658-7981796341d0} - c:\windows\system32\kunokeja.dll
SEH: WinFax PRO IShellExecuteHook: {a213b520-c6c2-11d0-af9d-008029e1027e} - c:\program files\winfax\WfxSeh32.Dll
LSA: Notification Packages = scecli depiwore.dll
Hosts: 10.93.92.179 S01-03848 S01-03848.shotel.cendant.com

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2010-01-24 23:26:42 0 d-----w- c:\program files\ESET
2010-01-24 20:40:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-24 20:40:32 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-24 20:40:32 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-23 01:11:55 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-22 23:31:22 0 d-----w- c:\docume~1\hotel\applic~1\Malwarebytes
2010-01-22 23:31:14 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-19 21:43:48 0 ----a-w- c:\windows\system32\21724.exe
2010-01-19 21:23:47 0 ----a-w- c:\windows\system32\16941.exe
2010-01-19 21:03:47 0 ----a-w- c:\windows\system32\1150.exe
2010-01-19 20:43:46 0 ----a-w- c:\windows\system32\27350.exe
2010-01-19 20:23:46 0 ----a-w- c:\windows\system32\12052.exe
2010-01-19 20:03:45 0 ----a-w- c:\windows\system32\4031.exe
2010-01-19 19:43:45 0 ----a-w- c:\windows\system32\15574.exe
2010-01-19 19:23:44 0 ----a-w- c:\windows\system32\23655.exe
2010-01-19 19:03:42 0 ----a-w- c:\windows\system32\24767.exe
2010-01-19 18:43:39 0 ----a-w- c:\windows\system32\22355.exe
2010-01-19 18:23:38 0 ----a-w- c:\windows\system32\18636.exe
2010-01-19 18:03:27 0 ----a-w- c:\windows\system32\9161.exe
2010-01-19 17:43:07 0 ----a-w- c:\windows\system32\13290.exe
2010-01-19 17:22:47 0 ----a-w- c:\windows\system32\23986.exe
2010-01-19 17:02:29 0 ----a-w- c:\windows\system32\16512.exe
2010-01-19 16:42:09 0 ----a-w- c:\windows\system32\5097.exe
2010-01-19 16:21:50 0 ----a-w- c:\windows\system32\15573.exe
2010-01-19 16:01:30 0 ----a-w- c:\windows\system32\26777.exe
2010-01-19 15:41:10 0 ----a-w- c:\windows\system32\5829.exe
2010-01-19 15:20:50 0 ----a-w- c:\windows\system32\6270.exe
2010-01-19 15:00:30 0 ----a-w- c:\windows\system32\19072.exe
2010-01-19 14:40:10 0 ----a-w- c:\windows\system32\26924.exe
2010-01-19 14:19:51 0 ----a-w- c:\windows\system32\28745.exe
2010-01-19 13:59:31 0 ----a-w- c:\windows\system32\5021.exe
2010-01-19 13:39:11 0 ----a-w- c:\windows\system32\22386.exe
2010-01-19 13:18:53 0 ----a-w- c:\windows\system32\31673.exe
2010-01-19 12:58:52 0 ----a-w- c:\windows\system32\2306.exe
2010-01-19 12:38:50 0 ----a-w- c:\windows\system32\13977.exe
2010-01-19 12:18:49 0 ----a-w- c:\windows\system32\9930.exe
2010-01-19 11:58:49 0 ----a-w- c:\windows\system32\22704.exe
2010-01-19 11:38:48 0 ----a-w- c:\windows\system32\29658.exe
2010-01-19 11:18:48 0 ----a-w- c:\windows\system32\4639.exe
2010-01-19 10:58:47 0 ----a-w- c:\windows\system32\31115.exe
2010-01-19 10:38:46 0 ----a-w- c:\windows\system32\4833.exe
2010-01-19 10:18:46 0 ----a-w- c:\windows\system32\16541.exe
2010-01-19 09:58:45 0 ----a-w- c:\windows\system32\22929.exe
2010-01-19 09:38:45 0 ----a-w- c:\windows\system32\2082.exe
2010-01-19 09:18:44 0 ----a-w- c:\windows\system32\16118.exe
2010-01-19 08:58:44 0 ----a-w- c:\windows\system32\21538.exe
2010-01-19 08:38:43 0 ----a-w- c:\windows\system32\5537.exe
2010-01-19 08:18:43 0 ----a-w- c:\windows\system32\11323.exe
2010-01-19 07:58:42 0 ----a-w- c:\windows\system32\24626.exe
2010-01-19 07:38:42 0 ----a-w- c:\windows\system32\32439.exe
2010-01-19 07:18:41 0 ----a-w- c:\windows\system32\16944.exe
2010-01-19 06:58:41 0 ----a-w- c:\windows\system32\26308.exe
2010-01-19 06:38:39 0 ----a-w- c:\windows\system32\13931.exe
2010-01-19 06:18:39 0 ----a-w- c:\windows\system32\7376.exe
2010-01-19 05:58:38 0 ----a-w- c:\windows\system32\4966.exe
2010-01-19 05:38:38 0 ----a-w- c:\windows\system32\11840.exe
2010-01-19 05:18:37 0 ----a-w- c:\windows\system32\18756.exe
2010-01-19 04:58:37 0 ----a-w- c:\windows\system32\19954.exe
2010-01-19 04:38:36 0 ----a-w- c:\windows\system32\24084.exe
2010-01-19 04:18:36 0 ----a-w- c:\windows\system32\12623.exe
2010-01-19 03:58:35 0 ----a-w- c:\windows\system32\19629.exe
2010-01-19 03:38:34 0 ----a-w- c:\windows\system32\3548.exe
2010-01-19 03:18:32 0 ----a-w- c:\windows\system32\24393.exe
2010-01-19 02:58:31 0 ----a-w- c:\windows\system32\31101.exe
2010-01-19 02:38:31 0 ----a-w- c:\windows\system32\15006.exe
2010-01-19 02:18:30 0 ----a-w- c:\windows\system32\15350.exe
2010-01-19 01:58:27 0 ----a-w- c:\windows\system32\24370.exe
2010-01-19 01:38:26 0 ----a-w- c:\windows\system32\6729.exe
2010-01-19 01:18:25 0 ----a-w- c:\windows\system32\15890.exe
2010-01-19 00:58:25 0 ----a-w- c:\windows\system32\23805.exe
2010-01-19 00:38:24 0 ----a-w- c:\windows\system32\27446.exe
2010-01-19 00:18:14 0 ----a-w- c:\windows\system32\22648.exe
2010-01-18 23:58:10 0 ----a-w- c:\windows\system32\19264.exe
2010-01-18 23:38:10 0 ----a-w- c:\windows\system32\8942.exe
2010-01-18 23:18:10 0 ----a-w- c:\windows\system32\9040.exe
2010-01-18 22:58:09 0 ----a-w- c:\windows\system32\30106.exe
2010-01-18 22:38:09 0 ----a-w- c:\windows\system32\288.exe
2010-01-18 22:18:08 0 ----a-w- c:\windows\system32\1842.exe
2010-01-18 21:58:05 0 ----a-w- c:\windows\system32\22190.exe
2010-01-18 21:38:04 0 ----a-w- c:\windows\system32\3035.exe
2010-01-18 21:18:04 0 ----a-w- c:\windows\system32\12316.exe
2010-01-18 20:58:03 0 ----a-w- c:\windows\system32\778.exe
2010-01-18 20:38:00 0 ----a-w- c:\windows\system32\27529.exe
2010-01-18 20:17:56 0 ----a-w- c:\windows\system32\9741.exe
2010-01-18 19:57:53 0 ----a-w- c:\windows\system32\8723.exe
2010-01-18 19:37:52 0 ----a-w- c:\windows\system32\12859.exe
2010-01-18 19:17:51 0 ----a-w- c:\windows\system32\20037.exe
2010-01-18 18:57:50 0 ----a-w- c:\windows\system32\32757.exe
2010-01-18 18:37:30 0 ----a-w- c:\windows\system32\32662.exe
2010-01-18 18:17:29 0 ----a-w- c:\windows\system32\27644.exe
2010-01-18 17:57:06 0 ----a-w- c:\windows\system32\25547.exe
2010-01-18 17:37:06 0 ----a-w- c:\windows\system32\6868.exe
2010-01-18 17:17:05 0 ----a-w- c:\windows\system32\28253.exe
2010-01-18 16:56:55 0 ----a-w- c:\windows\system32\7711.exe
2010-01-18 16:36:51 0 ----a-w- c:\windows\system32\15141.exe
2010-01-18 16:16:51 0 ----a-w- c:\windows\system32\4664.exe
2010-01-18 15:56:50 0 ----a-w- c:\windows\system32\17673.exe
2010-01-18 15:36:50 0 ----a-w- c:\windows\system32\30333.exe
2010-01-18 15:16:49 0 ----a-w- c:\windows\system32\31322.exe
2010-01-18 14:56:48 0 ----a-w- c:\windows\system32\23811.exe
2010-01-18 14:36:47 0 ----a-w- c:\windows\system32\28703.exe
2010-01-18 14:16:47 0 ----a-w- c:\windows\system32\9894.exe
2010-01-18 13:56:46 0 ----a-w- c:\windows\system32\17035.exe
2010-01-18 13:36:46 0 ----a-w- c:\windows\system32\26299.exe
2010-01-18 12:16:25 0 ----a-w- c:\windows\system32\11538.exe
2010-01-18 11:56:25 0 ----a-w- c:\windows\system32\14771.exe
2010-01-18 11:36:24 0 ----a-w- c:\windows\system32\21726.exe
2010-01-18 11:16:24 0 ----a-w- c:\windows\system32\5447.exe
2010-01-18 10:56:24 0 ----a-w- c:\windows\system32\19895.exe
2010-01-18 10:36:21 0 ----a-w- c:\windows\system32\19718.exe
2010-01-18 10:16:21 0 ----a-w- c:\windows\system32\18716.exe
2010-01-18 09:56:21 0 ----a-w- c:\windows\system32\17421.exe
2010-01-18 09:36:20 0 ----a-w- c:\windows\system32\12382.exe
2010-01-18 09:16:20 0 ----a-w- c:\windows\system32\292.exe
2010-01-18 08:56:19 0 ----a-w- c:\windows\system32\153.exe
2010-01-18 08:36:19 0 ----a-w- c:\windows\system32\3902.exe
2010-01-18 08:16:19 0 ----a-w- c:\windows\system32\14604.exe
2010-01-18 07:56:18 0 ----a-w- c:\windows\system32\32391.exe
2010-01-18 07:36:18 0 ----a-w- c:\windows\system32\5436.exe
2010-01-18 07:16:18 0 ----a-w- c:\windows\system32\4827.exe
2010-01-18 06:56:17 0 ----a-w- c:\windows\system32\11942.exe
2010-01-18 06:36:17 0 ----a-w- c:\windows\system32\2995.exe
2010-01-18 06:16:17 0 ----a-w- c:\windows\system32\491.exe
2010-01-18 05:56:16 0 ----a-w- c:\windows\system32\9961.exe
2010-01-18 05:36:16 0 ----a-w- c:\windows\system32\16827.exe
2010-01-18 05:16:15 0 ----a-w- c:\windows\system32\23281.exe
2010-01-18 04:56:15 0 ----a-w- c:\windows\system32\28145.exe
2010-01-18 04:36:14 0 ----a-w- c:\windows\system32\5705.exe
2010-01-18 04:16:14 0 ----a-w- c:\windows\system32\24464.exe
2010-01-18 03:56:13 0 ----a-w- c:\windows\system32\26962.exe
2010-01-18 03:36:10 0 ----a-w- c:\windows\system32\29358.exe
2010-01-18 03:16:09 0 ----a-w- c:\windows\system32\11478.exe
2010-01-18 02:56:06 0 ----a-w- c:\windows\system32\15724.exe
2010-01-18 02:36:03 0 ----a-w- c:\windows\system32\19169.exe
2010-01-18 02:16:02 0 ----a-w- c:\windows\system32\26500.exe
2010-01-18 01:56:00 0 ----a-w- c:\windows\system32\6334.exe
2010-01-18 01:35:59 0 ----a-w- c:\windows\system32\18467.exe
2010-01-18 00:28:00 7680 -csha-w- c:\windows\system32\dllcache\Thumbs.db
2010-01-18 00:27:53 6144 --sha-w- c:\windows\system32\Thumbs.db
2010-01-17 19:20:00 0 d-----w- c:\windows\pss
2009-12-31 00:28:51 0 --sha-w- c:\windows\yalafami.dll

==================== Find3M ====================

2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-11 20:57:58 83576 ----a-w- c:\docume~1\hotel\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 16:45:36.71 ===============

Attached Files


Edited by Lordmanannan, 26 January 2010 - 06:56 PM.



#2 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 02 February 2010 - 06:20 PM

Hi,

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay of response.

Do you still require help?

If you still require assistance we would like to see the current condition of your system, so please post a new set of DDS logs as well as a RootRepeal log and a description of any remaining problems or symptoms you may still have.

If for any reason you did not post a DDS log or RootRepeal log, please refer to this page, step #6 and step #7, for further instructions on downloading and running DDS & RootRepeal. If you have any problems when running the tools or are unable to produce a report for any reason, just let me know in your next reply.


For your next reply I would like to see:
-The DDS logs
---DDS.txt and Attach logs
-RootRepeal logs
-Description of any remaining problems you may still have.


Thanks again and we apologize for the delay.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 Lordmanannan

  • Topic Starter
  • Members
  • 7 posts

Posted 02 February 2010 - 06:45 PM

Yes, I still need help. The computer still has all the problems previously mentioned: popups, redirected links and the shutdown process that says it's the DCOM Process Launcher. It's also quite sluggish. While running rootrepeal an error popped up. The contents are in the log.txt.

Thanks!


DDS (Ver_09-12-01.01) - NTFSx86
Run by Hotel at 17:25:08.84 on Tue 02/02/2010
Internet Explorer: 8.0.6001.18702
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: TTB000000 Class: {62960d20-6d0d-1ab4-4bf1-95b0b5b8783a} - c:\windows\COUPON~1.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [NGServer] c:\program files\symantec\ghost\ngserver.exe
mRun: [WFXSwtch] c:\progra~1\winfax\WFXSWTCH.exe
mRun: [WinFaxAppPortStarter] wfxsnt40.exe
mRun: [SDJobCheck] triggusr.exe
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4\OpwareSE4.exe"
mRun: [WrtMon.exe] c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\contro~1.lnk - c:\program files\winfax\WFXCTL32.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office2002\office10\OSA.EXE
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: buy-internet-security10.com
Trusted Zone: is-soft-download.com
Trusted Zone: is-software-download25.com
Trusted Zone: buy-internet-security10.com
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {2ADE19BB-1E79-4EC4-976E-AC74339ADD76} - hxxp://192.168.0.79/ActiveViewGUI.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121260911812
DPF: {66F7F252-3FE1-4650-B1E5-94B2A38271C5} - hxxp://192.168.0.79/ActiveView.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1254360810343
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37907.5040277778
DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {D74E38CD-CA4F-4A30-828E-5F840887CA50} = 10.86.109.140,10.86.109.145
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: zetolerug - {99115873-e3b9-4167-acc4-1968b55f38ea} - No File
SSODL: jiwujipem - {01cf873f-c36d-47ba-a658-7981796341d0} - No File
STS: {99115873-e3b9-4167-acc4-1968b55f38ea} - No File
STS: {01cf873f-c36d-47ba-a658-7981796341d0} - No File
SEH: WinFax PRO IShellExecuteHook: {a213b520-c6c2-11d0-af9d-008029e1027e} - c:\program files\winfax\WfxSeh32.Dll
LSA: Notification Packages = scecli depiwore.dll
Hosts: 10.93.92.179 S01-03848 S01-03848.shotel.cendant.com

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2010-01-30 01:55:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-30 01:55:11 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-30 01:55:11 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-24 23:26:42 0 d-----w- c:\program files\ESET
2010-01-23 01:11:55 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-22 23:31:22 0 d-----w- c:\docume~1\hotel\applic~1\Malwarebytes
2010-01-22 23:31:14 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-19 21:43:48 0 ----a-w- c:\windows\system32\21724.exe
2010-01-19 21:23:47 0 ----a-w- c:\windows\system32\16941.exe
2010-01-19 21:03:47 0 ----a-w- c:\windows\system32\1150.exe
2010-01-19 20:43:46 0 ----a-w- c:\windows\system32\27350.exe
2010-01-19 20:23:46 0 ----a-w- c:\windows\system32\12052.exe
2010-01-19 20:03:45 0 ----a-w- c:\windows\system32\4031.exe
2010-01-19 19:43:45 0 ----a-w- c:\windows\system32\15574.exe
2010-01-19 19:23:44 0 ----a-w- c:\windows\system32\23655.exe
2010-01-19 19:03:42 0 ----a-w- c:\windows\system32\24767.exe
2010-01-19 18:43:39 0 ----a-w- c:\windows\system32\22355.exe
2010-01-19 18:23:38 0 ----a-w- c:\windows\system32\18636.exe
2010-01-19 18:03:27 0 ----a-w- c:\windows\system32\9161.exe
2010-01-19 17:43:07 0 ----a-w- c:\windows\system32\13290.exe
2010-01-19 17:22:47 0 ----a-w- c:\windows\system32\23986.exe
2010-01-19 17:02:29 0 ----a-w- c:\windows\system32\16512.exe
2010-01-19 16:42:09 0 ----a-w- c:\windows\system32\5097.exe
2010-01-19 16:21:50 0 ----a-w- c:\windows\system32\15573.exe
2010-01-19 16:01:30 0 ----a-w- c:\windows\system32\26777.exe
2010-01-19 15:41:10 0 ----a-w- c:\windows\system32\5829.exe
2010-01-19 15:20:50 0 ----a-w- c:\windows\system32\6270.exe
2010-01-19 15:00:30 0 ----a-w- c:\windows\system32\19072.exe
2010-01-19 14:40:10 0 ----a-w- c:\windows\system32\26924.exe
2010-01-19 14:19:51 0 ----a-w- c:\windows\system32\28745.exe
2010-01-19 13:59:31 0 ----a-w- c:\windows\system32\5021.exe
2010-01-19 13:39:11 0 ----a-w- c:\windows\system32\22386.exe
2010-01-19 13:18:53 0 ----a-w- c:\windows\system32\31673.exe
2010-01-19 12:58:52 0 ----a-w- c:\windows\system32\2306.exe
2010-01-19 12:38:50 0 ----a-w- c:\windows\system32\13977.exe
2010-01-19 12:18:49 0 ----a-w- c:\windows\system32\9930.exe
2010-01-19 11:58:49 0 ----a-w- c:\windows\system32\22704.exe
2010-01-19 11:38:48 0 ----a-w- c:\windows\system32\29658.exe
2010-01-19 11:18:48 0 ----a-w- c:\windows\system32\4639.exe
2010-01-19 10:58:47 0 ----a-w- c:\windows\system32\31115.exe
2010-01-19 10:38:46 0 ----a-w- c:\windows\system32\4833.exe
2010-01-19 10:18:46 0 ----a-w- c:\windows\system32\16541.exe
2010-01-19 09:58:45 0 ----a-w- c:\windows\system32\22929.exe
2010-01-19 09:38:45 0 ----a-w- c:\windows\system32\2082.exe
2010-01-19 09:18:44 0 ----a-w- c:\windows\system32\16118.exe
2010-01-19 08:58:44 0 ----a-w- c:\windows\system32\21538.exe
2010-01-19 08:38:43 0 ----a-w- c:\windows\system32\5537.exe
2010-01-19 08:18:43 0 ----a-w- c:\windows\system32\11323.exe
2010-01-19 07:58:42 0 ----a-w- c:\windows\system32\24626.exe
2010-01-19 07:38:42 0 ----a-w- c:\windows\system32\32439.exe
2010-01-19 07:18:41 0 ----a-w- c:\windows\system32\16944.exe
2010-01-19 06:58:41 0 ----a-w- c:\windows\system32\26308.exe
2010-01-19 06:38:39 0 ----a-w- c:\windows\system32\13931.exe
2010-01-19 06:18:39 0 ----a-w- c:\windows\system32\7376.exe
2010-01-19 05:58:38 0 ----a-w- c:\windows\system32\4966.exe
2010-01-19 05:38:38 0 ----a-w- c:\windows\system32\11840.exe
2010-01-19 05:18:37 0 ----a-w- c:\windows\system32\18756.exe
2010-01-19 04:58:37 0 ----a-w- c:\windows\system32\19954.exe
2010-01-19 04:38:36 0 ----a-w- c:\windows\system32\24084.exe
2010-01-19 04:18:36 0 ----a-w- c:\windows\system32\12623.exe
2010-01-19 03:58:35 0 ----a-w- c:\windows\system32\19629.exe
2010-01-19 03:38:34 0 ----a-w- c:\windows\system32\3548.exe
2010-01-19 03:18:32 0 ----a-w- c:\windows\system32\24393.exe
2010-01-19 02:58:31 0 ----a-w- c:\windows\system32\31101.exe
2010-01-19 02:38:31 0 ----a-w- c:\windows\system32\15006.exe
2010-01-19 02:18:30 0 ----a-w- c:\windows\system32\15350.exe
2010-01-19 01:58:27 0 ----a-w- c:\windows\system32\24370.exe
2010-01-19 01:38:26 0 ----a-w- c:\windows\system32\6729.exe
2010-01-19 01:18:25 0 ----a-w- c:\windows\system32\15890.exe
2010-01-19 00:58:25 0 ----a-w- c:\windows\system32\23805.exe
2010-01-19 00:38:24 0 ----a-w- c:\windows\system32\27446.exe
2010-01-19 00:18:14 0 ----a-w- c:\windows\system32\22648.exe
2010-01-18 23:58:10 0 ----a-w- c:\windows\system32\19264.exe
2010-01-18 23:38:10 0 ----a-w- c:\windows\system32\8942.exe
2010-01-18 23:18:10 0 ----a-w- c:\windows\system32\9040.exe
2010-01-18 22:58:09 0 ----a-w- c:\windows\system32\30106.exe
2010-01-18 22:38:09 0 ----a-w- c:\windows\system32\288.exe
2010-01-18 22:18:08 0 ----a-w- c:\windows\system32\1842.exe
2010-01-18 21:58:05 0 ----a-w- c:\windows\system32\22190.exe
2010-01-18 21:38:04 0 ----a-w- c:\windows\system32\3035.exe
2010-01-18 21:18:04 0 ----a-w- c:\windows\system32\12316.exe
2010-01-18 20:58:03 0 ----a-w- c:\windows\system32\778.exe
2010-01-18 20:38:00 0 ----a-w- c:\windows\system32\27529.exe
2010-01-18 20:17:56 0 ----a-w- c:\windows\system32\9741.exe
2010-01-18 19:57:53 0 ----a-w- c:\windows\system32\8723.exe
2010-01-18 19:37:52 0 ----a-w- c:\windows\system32\12859.exe
2010-01-18 19:17:51 0 ----a-w- c:\windows\system32\20037.exe
2010-01-18 18:57:50 0 ----a-w- c:\windows\system32\32757.exe
2010-01-18 18:37:30 0 ----a-w- c:\windows\system32\32662.exe
2010-01-18 18:17:29 0 ----a-w- c:\windows\system32\27644.exe
2010-01-18 17:57:06 0 ----a-w- c:\windows\system32\25547.exe
2010-01-18 17:37:06 0 ----a-w- c:\windows\system32\6868.exe
2010-01-18 17:17:05 0 ----a-w- c:\windows\system32\28253.exe
2010-01-18 16:56:55 0 ----a-w- c:\windows\system32\7711.exe
2010-01-18 16:36:51 0 ----a-w- c:\windows\system32\15141.exe
2010-01-18 16:16:51 0 ----a-w- c:\windows\system32\4664.exe
2010-01-18 15:56:50 0 ----a-w- c:\windows\system32\17673.exe
2010-01-18 15:36:50 0 ----a-w- c:\windows\system32\30333.exe
2010-01-18 15:16:49 0 ----a-w- c:\windows\system32\31322.exe
2010-01-18 14:56:48 0 ----a-w- c:\windows\system32\23811.exe
2010-01-18 14:36:47 0 ----a-w- c:\windows\system32\28703.exe
2010-01-18 14:16:47 0 ----a-w- c:\windows\system32\9894.exe
2010-01-18 13:56:46 0 ----a-w- c:\windows\system32\17035.exe
2010-01-18 13:36:46 0 ----a-w- c:\windows\system32\26299.exe
2010-01-18 12:16:25 0 ----a-w- c:\windows\system32\11538.exe
2010-01-18 11:56:25 0 ----a-w- c:\windows\system32\14771.exe
2010-01-18 11:36:24 0 ----a-w- c:\windows\system32\21726.exe
2010-01-18 11:16:24 0 ----a-w- c:\windows\system32\5447.exe
2010-01-18 10:56:24 0 ----a-w- c:\windows\system32\19895.exe
2010-01-18 10:36:21 0 ----a-w- c:\windows\system32\19718.exe
2010-01-18 10:16:21 0 ----a-w- c:\windows\system32\18716.exe
2010-01-18 09:56:21 0 ----a-w- c:\windows\system32\17421.exe
2010-01-18 09:36:20 0 ----a-w- c:\windows\system32\12382.exe
2010-01-18 09:16:20 0 ----a-w- c:\windows\system32\292.exe
2010-01-18 08:56:19 0 ----a-w- c:\windows\system32\153.exe
2010-01-18 08:36:19 0 ----a-w- c:\windows\system32\3902.exe
2010-01-18 08:16:19 0 ----a-w- c:\windows\system32\14604.exe
2010-01-18 07:56:18 0 ----a-w- c:\windows\system32\32391.exe
2010-01-18 07:36:18 0 ----a-w- c:\windows\system32\5436.exe
2010-01-18 07:16:18 0 ----a-w- c:\windows\system32\4827.exe
2010-01-18 06:56:17 0 ----a-w- c:\windows\system32\11942.exe
2010-01-18 06:36:17 0 ----a-w- c:\windows\system32\2995.exe
2010-01-18 06:16:17 0 ----a-w- c:\windows\system32\491.exe
2010-01-18 05:56:16 0 ----a-w- c:\windows\system32\9961.exe
2010-01-18 05:36:16 0 ----a-w- c:\windows\system32\16827.exe
2010-01-18 05:16:15 0 ----a-w- c:\windows\system32\23281.exe
2010-01-18 04:56:15 0 ----a-w- c:\windows\system32\28145.exe
2010-01-18 04:36:14 0 ----a-w- c:\windows\system32\5705.exe
2010-01-18 04:16:14 0 ----a-w- c:\windows\system32\24464.exe
2010-01-18 03:56:13 0 ----a-w- c:\windows\system32\26962.exe
2010-01-18 03:36:10 0 ----a-w- c:\windows\system32\29358.exe
2010-01-18 03:16:09 0 ----a-w- c:\windows\system32\11478.exe
2010-01-18 02:56:06 0 ----a-w- c:\windows\system32\15724.exe
2010-01-18 02:36:03 0 ----a-w- c:\windows\system32\19169.exe
2010-01-18 02:16:02 0 ----a-w- c:\windows\system32\26500.exe
2010-01-18 01:56:00 0 ----a-w- c:\windows\system32\6334.exe
2010-01-18 01:35:59 2308 ----a-w- c:\windows\system32\18467.exe
2010-01-18 00:28:00 7680 -csha-w- c:\windows\system32\dllcache\Thumbs.db
2010-01-18 00:27:53 6144 --sha-w- c:\windows\system32\Thumbs.db
2010-01-17 19:20:00 0 d-----w- c:\windows\pss

==================== Find3M ====================

2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-11 20:57:58 83576 ----a-w- c:\docume~1\hotel\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 17:26:45.00 ===============

Attached Files



#4 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 02 February 2010 - 07:28 PM

Okay. Let's start off with Combofix. It appears you probably have a rootkit on board. Let's see.

Download and Run Combofix

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page on instructions on doing so.

Please include the C:\ComboFix.txt in your next reply for further review.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#5 Lordmanannan

  • Topic Starter
  • Members
  • 7 posts

Posted 02 February 2010 - 09:11 PM

Here you are, sir.

Attached Files



#6 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 03 February 2010 - 05:38 PM

Hello.

Forgot to warn you before, but one of the infections is a backdoor. Let me know if you wish to continue or not. Combofix disinfected it, however.

IMPORTANT NOTE: Unfortunately, one or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

#7 Lordmanannan

  • Topic Starter
  • Members
  • 7 posts

Posted 03 February 2010 - 06:04 PM

What's the next step to cleaning the computer and what are the risks? Do I need to worry about flashdrives that have been connected to this computer carrying it to another?

Edited by Lordmanannan, 03 February 2010 - 06:07 PM.


#8 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 04 February 2010 - 08:13 PM

It's possible that flash-drives can be infected through this. Since you wish to continue, let's continue with an online scan. The logs are looking good so far.

Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. (Please note: Kaspersky requires the Java Runtime Environment (JRE) to be installed before scanning for malware, as ActiveX is no longer being used.)

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Open the Kaspersky WebScanner page.
  • Click on the button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the button, if you made any changes.
  • Now under the Scan section on the left, select My Computer.
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.


#9 Lordmanannan

  • Topic Starter
  • Members
  • 7 posts

Posted 05 February 2010 - 04:28 PM

Would using Norton Ghost remove the security vulnerability of the backdoor?

KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, February 5, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, February 05, 2010 22:49:26
Records in database: 3432814


Scan settings
scan using the following database extended
Scan archives yes
Scan e-mail databases yes

Scan area My Computer
A:\
C:\
D:\
E:\
G:\

Scan statistics
Objects scanned 79861
Threats found 1
Infected objects found 1
Suspicious objects found 0
Scan duration 02:17:31

File name Threat Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Infected: Rootkit.Win32.TDSS.y 1

Selected area has been scanned.

Edited by Lordmanannan, 05 February 2010 - 08:18 PM.


#10 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 06 February 2010 - 02:46 PM

Hello.

That file is just the quarantine item from Combofix.

QUOTE
Would using Norton ghost remove the security vulnerability of the backdoor?

You can if it's before the infection began.

However, the logs are looking good now. Let's just get one last DDS scan to make sure all is good.

Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply. Also, let me know how your computer is running and if you have any more problems, issues or symptoms left.

Thanks.

With Regards,
Extremeboy

#11 Lordmanannan

  • Topic Starter
  • Members
  • 7 posts

Posted 07 February 2010 - 02:47 PM

Thanks EB. Everything has been running smoothly and I haven't noticed any problems.


DDS (Ver_09-12-01.01) - NTFSx86
Run by Hotel at 13:38:53.84 on Sun 02/07/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.89 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k eapsvcs
svchost.exe
C:\WINDOWS\System32\svchost.exe -k dot3svc
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec\Ghost\ngserver.exe
C:\TNGSD\BIN\SDSERV.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\WFXSVC.EXE
C:\Program Files\Winfax\WFXMOD32.EXE
C:\TNGSD\BIN\TRIGGAG.EXE
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Symantec\Ghost\bin\dbserv.exe
C:\Program Files\Symantec\Ghost\bin\rteng7.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\Winfax\WFXSWTCH.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\TNGSD\BIN\triggusr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Winfax\WFXCTL32.EXE
C:\Program Files\AZZCardfile\AZZ Cardfile.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Hotel\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [NGServer] c:\program files\symantec\ghost\ngserver.exe
mRun: [WFXSwtch] c:\progra~1\winfax\WFXSWTCH.exe
mRun: [WinFaxAppPortStarter] wfxsnt40.exe
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4\OpwareSE4.exe"
mRun: [WrtMon.exe] c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SDJobCheck] triggusr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\contro~1.lnk - c:\program files\winfax\WFXCTL32.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office2002\office10\OSA.EXE
IE: E&xport to Microsoft Excel
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: buy-internet-security10.com
Trusted Zone: is-soft-download.com
Trusted Zone: is-software-download25.com
Trusted Zone: buy-internet-security10.com
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {2ADE19BB-1E79-4EC4-976E-AC74339ADD76} - hxxp://192.168.0.79/ActiveViewGUI.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121260911812
DPF: {66F7F252-3FE1-4650-B1E5-94B2A38271C5} - hxxp://192.168.0.79/ActiveView.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1254360810343
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37907.5040277778
DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {D74E38CD-CA4F-4A30-828E-5F840887CA50} = 10.86.109.140,10.86.109.145
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: WinFax PRO IShellExecuteHook: {a213b520-c6c2-11d0-af9d-008029e1027e} - c:\program files\winfax\WfxSeh32.Dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-9-29 333192]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-9-29 28424]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-9-29 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-10-23 285392]
R2 SDService;Unicenter Software Delivery;c:\tngsd\bin\SDServ.exe [2003-12-11 24576]
R3 TNET1130;802.11 WLAN;c:\windows\system32\drivers\tnet1130.sys [2009-9-29 386688]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2009-3-11 547744]
S3 PCDRDRV;Pcdr Helper Driver;\??\c:\progra~1\pc-doc~1\diagno~1\pcdrdrv.sys --> c:\progra~1\pc-doc~1\diagno~1\PCDRDRV.sys [?]
S3 TPM11;NSC Integrated Trusted Platform Module 1.1;c:\windows\system32\drivers\nsctpm11.sys [2005-8-2 14336]
S3 TPM12;NSC Integrated Trusted Platform Module 1.2;c:\windows\system32\drivers\nsctpm12.sys [2005-4-21 13056]

=============== Created Last 30 ================

2010-02-06 16:59:55 230808 ----a-r- c:\windows\cpnprt2.cid
2010-02-05 22:46:54 0 d-----w- c:\docume~1\hotel\applic~1\AVG9
2010-02-03 01:43:17 0 d-sha-r- C:\cmdcons
2010-02-03 01:39:31 98816 ----a-w- c:\windows\sed.exe
2010-02-03 01:39:31 77312 ----a-w- c:\windows\MBR.exe
2010-02-03 01:39:31 261632 ----a-w- c:\windows\PEV.exe
2010-02-03 01:39:31 161792 ----a-w- c:\windows\SWREG.exe
2010-01-30 01:55:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-30 01:55:11 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-30 01:55:11 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-24 23:26:42 0 d-----w- c:\program files\ESET
2010-01-23 01:11:55 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-22 23:31:22 0 d-----w- c:\docume~1\hotel\applic~1\Malwarebytes
2010-01-22 23:31:14 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-18 00:28:00 7680 -csha-w- c:\windows\system32\dllcache\Thumbs.db
2010-01-17 19:20:00 0 d-----w- c:\windows\pss

==================== Find3M ====================

2010-02-03 00:15:23 96512 ------w- c:\windows\system32\drivers\atapi.sys
2009-12-21 19:14:05 916480 ------w- c:\windows\system32\wininet.dll
2009-12-17 23:14:00 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-11 20:57:58 83576 ----a-w- c:\docume~1\hotel\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 13:39:29.87 ===============

Attached Files



#12 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 08 February 2010 - 08:18 PM

Hello.

Great to hear.

Just uninstall these two older versions of Java:

QUOTE
J2SE Runtime Environment 5.0 Update 5
Java™ 6 Update 7


Also, I suggest you remove the sites in your trusted zones unless you need it for the site to operate properly.

--
Other than that the logs looks good too. Let's wrap up.

Please follow/read the steps below to remove the tools we used and for some more information.


Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything associated with it.

Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big button.
  • You will get a prompt saying "Being Cleanup Process". Please select Yes.
  • Restart your computer when prompted.

System a bit slow? Try StartupLite

You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.

If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware.


Congratulations! You now appear clean!

Now that you are clean, please follow and read some of the prevention tips below.

Preventing Infections in the Future


Please also have a look at the following links, giving some advice and Tips to protect yourself against malware and reduce the potential for re-infection:

Some of the main things you should consider to perform/read are:
  • Disabling Autorun/Play on Flash-Drive/Removable Drives
  • Avoid gaming sites, underground web pages, pirated software sites, and Peer to Peer Programs
  • Keep Windows Updated through going to Windows Updates
  • Updating Non-Microsoft Programs
  • Keeping security software updated

It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Update all programs regularly - Make sure you update all the programs you have installed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Glad I was able to help and thank you for choosing Bleeping Computer as your malware removal source.
Don't forget to tell your friends about us, and good luck.


If you have no more questions, comments or problems please tell us, so we can close off the topic.

Thanks smile.gif

With Regards,
Extremeboy

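Triage logic for the kind of DDS entries quoted in this thread, as an added example (not code from the forum or from either poster): it parses "Created Last 30" lines and "Trusted Zone:" lines from a constructed sample modelled on the logs above, flags zero-byte executables in system32, measures the recurring gap between the numerically named drops, and lists the distinct trusted-zone domains that extremeboy suggests removing. The sample log, the regexes and the function names are all assumptions made for this example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the DDS log format used in this thread (dates, sizes,
# attribute flags and paths modelled on the entries quoted above; not a real scan).
SAMPLE_LOG = """\
=============== Created Last 30 ================

2010-01-18 11:36:24 0 ----a-w- c:\\windows\\system32\\21726.exe
2010-01-18 11:16:24 0 ----a-w- c:\\windows\\system32\\5447.exe
2010-01-18 10:56:24 0 ----a-w- c:\\windows\\system32\\19895.exe
2010-01-18 10:36:21 0 ----a-w- c:\\windows\\system32\\19718.exe
2010-01-18 01:35:59 2308 ----a-w- c:\\windows\\system32\\18467.exe
2010-01-30 01:55:11 19160 ----a-w- c:\\windows\\system32\\drivers\\mbam.sys
2010-01-17 19:20:00 0 d-----w- c:\\windows\\pss

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
Trusted Zone: buy-internet-security10.com
Trusted Zone: is-soft-download.com
Trusted Zone: is-software-download25.com
Trusted Zone: buy-internet-security10.com
"""

# One "Created Last 30" line: timestamp, size in bytes, 8-char attribute flags, path.
ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d+) (\S{8}) (.+)$")
# Purely numeric executable names dropped directly into system32.
NUMERIC_EXE_RE = re.compile(r"\\system32\\\d+\.exe$", re.IGNORECASE)


def parse_created(text):
    """Return (timestamp, size, attrs, path) tuples for file entries; directories are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m or m.group(3).startswith("d"):
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        entries.append((ts, int(m.group(2)), m.group(3), m.group(4)))
    return entries


def zero_byte_exes(entries):
    """Executables listed at 0 bytes. A genuine program is never empty, so this is a strong flag."""
    return [p for _, size, _, p in entries if size == 0 and p.lower().endswith(".exe")]


def dropper_interval(entries):
    """Most common gap (whole minutes) between numerically named exes, and how often it recurs.
    A gap that repeats points at a scheduled dropper rather than a person installing software."""
    times = sorted(ts for ts, _, _, p in entries if NUMERIC_EXE_RE.search(p))
    gaps = [round((b - a).total_seconds() / 60) for a, b in zip(times, times[1:])]
    if not gaps:
        return None
    minutes, count = Counter(gaps).most_common(1)[0]
    return minutes, count


def trusted_zones(text):
    """Distinct domains the log reports in IE's Trusted sites zone (duplicates collapsed)."""
    return sorted({line.split(":", 1)[1].strip()
                   for line in text.splitlines() if line.startswith("Trusted Zone:")})


if __name__ == "__main__":
    found = parse_created(SAMPLE_LOG)
    print("zero-byte exes in system32:", zero_byte_exes(found))
    print("recurring drop interval (minutes, occurrences):", dropper_interval(found))
    print("trusted-zone domains to review:", trusted_zones(SAMPLE_LOG))
```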

#13 Lordmanannan

  • Topic Starter
  • Members
  • 7 posts

Posted 09 February 2010 - 06:45 PM

Followed all suggested steps. That covers everything. Thanks again Extreme Boy.

#14 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 10 February 2010 - 04:02 PM

No problem. You're very welcome.

Happy surfing again.

#15 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 19 February 2010 - 05:22 PM

Hello.

Due to lack of feedback, this topic is now closed.

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
Extremeboy
