
DCOM server process launcher ... terminate


  • This topic is locked
15 replies to this topic

#1 JimG156

  • Members
  • 7 posts

Posted 11 February 2010 - 05:17 PM

Hi Bleeping computer folks,

Thanks for taking a look. This is a friend's Netbook. I followed your instructions to remove Internet Security 2010. During that process I noticed the DCOM problem. There may be some other malware infesting this little thing. Anything you can do to help will be greatly appreciated.

Thanks,
JimG156


DDS (Ver_09-12-01.01) - NTFSx86
Run by Brad at 15:57:15.07 on Thu 02/11/2010
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.662 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Brad\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
mDefault_Page_URL = hxxp://www.dell.com
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxdev.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
Hosts: 89.149.210.109 www.google.com
Hosts: 89.149.210.109 www.google.de
Hosts: 89.149.210.109 www.google.fr
Hosts: 89.149.210.109 www.google.co.uk
Hosts: 89.149.210.109 www.google.com.br

Note: multiple HOSTS entries found. Please refer to Attach.txt

============= SERVICES / DRIVERS ===============

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-2-11 236368]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-2-11 19160]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2009-8-26 164352]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-8-26 1684736]

=============== Created Last 30 ================

2010-02-11 19:36:36 81920 ----a-w- c:\windows\system32\emp77.exe
2010-02-11 19:23:43 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-11 19:23:40 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-11 17:34:01 487 ----a-w- C:\77.js
2010-02-11 17:15:22 0 d--h--w- c:\windows\PIF
2010-02-11 16:59:26 0 ----a-w- c:\windows\system32\13965.exe
2010-02-11 16:39:26 0 ----a-w- c:\windows\system32\27927.exe
2010-01-25 16:34:33 648 ----a-w- C:\Internet Security 2010.lnk
2010-01-25 16:34:01 437 ----a-w- C:\44.js
2010-01-18 22:34:00 437 ----a-w- C:\33.js
2010-01-14 22:34:44 0 d-----w- c:\docume~1\brad\applic~1\Windows Search

==================== Find3M ====================

2010-02-11 18:27:25 329752 ----a-w- c:\windows\system32\drivers\iaStor.sys
2010-01-06 00:08:20 16460 ---ha-w- c:\windows\system32\mlfcache.dat

============= FINISH: 15:58:31.93 ===============

#2 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 17 February 2010 - 01:21 PM

Hello,

My name is Syler and I will be helping you to solve your Malware issues. If you have since resolved your issues I would appreciate it if you
would let me know so I can close this topic; if you still need help, please let me know what issues you are still having in your next reply.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and
we are trying our best to keep up.

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)


  1. Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  2. Disconnect from the Internet and close all running programs, as this process may crash your computer.
  3. Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  4. Double click on Gmer to run it.
  5. Allow the gmer.sys driver to load if asked.
  6. You may see a rootkit warning window; if you do, click No.
  7. Untick the following boxes on the right side of the Gmer screen.
    Sections
    IAT/EAT
    Files
    Show All
  8. Click on and wait for the scan to finish.
  9. If you see a rootkit warning window, click OK.
  10. Push and save the logfile to your desktop.
  11. Copy and Paste the contents of that file in your next post.



Then please post back here with the following:
  • log.txt
  • info.txt
  • Gmer log

Thanks



#3 JimG156
  • Topic Starter

  • Members
  • 7 posts

Posted 17 February 2010 - 10:14 PM

Thanks Syler, I appreciate the help.

JimG

Below are the logs you requested.

Logfile of random's system information tool 1.06 (written by random/random)
Run by Brad at 2010-02-17 21:55:45
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 6 GB (42%) free of 15 GB
Total RAM: 1014 MB (66% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:55:58 PM, on 2/17/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Brad\Desktop\RSIT.exe
C:\Documents and Settings\Brad\Desktop\HiJackThis\Brad.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 89.149.210.109 www.google.com
O1 - Hosts: 89.149.210.109 www.google.de
O1 - Hosts: 89.149.210.109 www.google.fr
O1 - Hosts: 89.149.210.109 www.google.co.uk
O1 - Hosts: 89.149.210.109 www.google.com.br
O1 - Hosts: 89.149.210.109 www.google.it
O1 - Hosts: 89.149.210.109 www.google.es
O1 - Hosts: 89.149.210.109 www.google.co.jp
O1 - Hosts: 89.149.210.109 www.google.com.mx
O1 - Hosts: 89.149.210.109 www.google.ca
O1 - Hosts: 89.149.210.109 www.google.com.au
O1 - Hosts: 89.149.210.109 www.google.nl
O1 - Hosts: 89.149.210.109 www.google.co.za
O1 - Hosts: 89.149.210.109 www.google.be
O1 - Hosts: 89.149.210.109 www.google.gr
O1 - Hosts: 89.149.210.109 www.google.at
O1 - Hosts: 89.149.210.109 www.google.se
O1 - Hosts: 89.149.210.109 www.google.ch
O1 - Hosts: 89.149.210.109 www.google.pt
O1 - Hosts: 89.149.210.109 www.google.dk
O1 - Hosts: 89.149.210.109 www.google.fi
O1 - Hosts: 89.149.210.109 www.google.ie
O1 - Hosts: 89.149.210.109 www.google.no
O1 - Hosts: 89.149.210.109 search.yahoo.com
O1 - Hosts: 89.149.210.109 us.search.yahoo.com
O1 - Hosts: 89.149.210.109 uk.search.yahoo.com
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 4955 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\At1.job
C:\WINDOWS\tasks\At10.job
C:\WINDOWS\tasks\At11.job
C:\WINDOWS\tasks\At12.job
C:\WINDOWS\tasks\At13.job
C:\WINDOWS\tasks\At14.job
C:\WINDOWS\tasks\At15.job
C:\WINDOWS\tasks\At16.job
C:\WINDOWS\tasks\At17.job
C:\WINDOWS\tasks\At18.job
C:\WINDOWS\tasks\At19.job
C:\WINDOWS\tasks\At2.job
C:\WINDOWS\tasks\At20.job
C:\WINDOWS\tasks\At21.job
C:\WINDOWS\tasks\At22.job
C:\WINDOWS\tasks\At23.job
C:\WINDOWS\tasks\At24.job
C:\WINDOWS\tasks\At3.job
C:\WINDOWS\tasks\At4.job
C:\WINDOWS\tasks\At5.job
C:\WINDOWS\tasks\At6.job
C:\WINDOWS\tasks\At7.job
C:\WINDOWS\tasks\At8.job
C:\WINDOWS\tasks\At9.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-08-26 35840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-08-26 73728]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-10-03 35696]
"Adobe ARM"=C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2009-09-04 935288]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2009-11-10 417792]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2009-11-12 141600]
"Malwarebytes' Anti-Malware"=C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe [2010-01-07 429392]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim]
C:\Program Files\AIM\aim.exe [2009-09-16 3634024]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
C:\WINDOWS\system32\WLTRAY.exe [2008-12-11 2220032]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe [2009-03-29 159744]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe [2009-03-29 135168]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
C:\WINDOWS\system32\igfxpers.exe [2009-03-29 131072]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
C:\WINDOWS\RTHDCPL.EXE [2009-05-14 17881088]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre6\bin\jusched.exe [2009-08-26 148888]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2009-03-11 1434920]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
C:\PROGRA~1\WINDOW~4\WINDOW~1.EXE [2008-05-26 123904]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2009-03-29 208896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"=C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2008-05-26 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Wdf01000.sys]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoActiveDesktopChanges"=0
"NoSetActiveDesktop"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoActiveDesktopChanges"=
"NoSetActiveDesktop"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\AIM\aim.exe"="C:\Program Files\AIM\aim.exe:*:Enabled:AIM"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f918f043-b219-11de-a46d-0026b9005ca7}]
shell\AutoRun\command - D:\LaunchU3.exe -a


======List of files/folders created in the last 1 months======

2010-02-17 21:55:45 ----D---- C:\rsit
2010-02-11 14:36:36 ----A---- C:\WINDOWS\system32\emp77.exe
2010-02-11 12:34:01 ----A---- C:\77.js
2010-02-11 12:15:22 ----HD---- C:\WINDOWS\PIF
2010-02-11 11:59:26 ----A---- C:\WINDOWS\system32\13965.exe
2010-02-11 11:39:26 ----A---- C:\WINDOWS\system32\27927.exe
2010-01-25 11:34:01 ----A---- C:\44.js
2010-01-18 17:34:00 ----A---- C:\33.js

======List of files/folders modified in the last 1 months======

2010-02-17 21:53:01 ----AD---- C:\WINDOWS\system32
2010-02-17 21:53:01 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2010-02-17 21:51:55 ----D---- C:\WINDOWS\system32\CatRoot2
2010-02-17 21:44:05 ----AD---- C:\WINDOWS
2010-02-17 21:43:31 ----D---- C:\WINDOWS\Temp
2010-02-17 21:42:03 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-02-11 14:26:14 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-02-11 14:26:10 ----D---- C:\WINDOWS\system32\drivers
2010-02-11 13:53:15 ----HDC---- C:\WINDOWS\$NtUninstallKB968537$
2010-02-11 13:52:09 ----D---- C:\Program Files
2010-02-11 11:22:50 ----D---- C:\Documents and Settings\Brad\Application Data\U3
2010-01-25 11:34:33 ----D---- C:\WINDOWS\Prefetch
2010-01-24 13:39:03 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2010-01-24 13:38:24 ----D---- C:\Documents and Settings\Brad\Application Data\Adobe
2010-01-21 17:30:18 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 36352]
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2008-04-14 8832]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2008-04-14 12032]
R3 b57w2k;Broadcom NetXtreme Gigabit Ethernet; C:\WINDOWS\system32\DRIVERS\b57xp32.sys [2009-03-11 187392]
R3 BCM43XX;Dell Wireless WLAN Card Driver; C:\WINDOWS\system32\DRIVERS\bcmwl5.sys [2008-12-11 1287552]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-14 13952]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-14 144384]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\igxpmp32.sys [2009-03-29 5854752]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2009-05-15 5080064]
R3 MBAMProtector;MBAMProtector; \??\C:\WINDOWS\system32\drivers\mbam.sys []
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader; C:\WINDOWS\System32\Drivers\RtsUStor.sys [2009-03-11 164352]
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\system32\DRIVERS\SynTP.sys [2009-03-11 205232]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-14 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-14 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-14 20608]
R3 Wdf01000;Kernel Mode Driver Frameworks service; C:\WINDOWS\System32\Drivers\wdf01000.sys [2008-03-27 503008]
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-14 14592]
S3 Ambfilt;Ambfilt; C:\WINDOWS\system32\drivers\Ambfilt.sys [2008-08-05 1684736]
S3 dot4;MS IEEE-1284.4 Driver; C:\WINDOWS\system32\DRIVERS\Dot4.sys [2008-04-14 206976]
S3 Dot4Print;Print Class Driver for IEEE-1284.4; C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys [2001-08-17 12928]
S3 dot4usb;Dot4USB Filter Dot4USB Filter; C:\WINDOWS\system32\DRIVERS\dot4usb.sys [2001-08-17 23808]
S3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2009-05-18 26600]
S3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-14 10368]
S3 Monfilt;Monfilt; C:\WINDOWS\system32\drivers\Monfilt.sys [2006-01-04 1389056]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2008-04-14 12160]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2009-08-28 40448]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-14 32128]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
S4 agp440;Intel AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agp440.sys [2008-04-14 42368]
S4 agpCPQ;Compaq AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agpCPQ.sys [2008-04-14 44928]
S4 alim1541;ALI AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\alim1541.sys [2008-04-14 42752]
S4 amdagp;AMD AGP Bus Filter Driver; C:\WINDOWS\system32\DRIVERS\amdagp.sys [2008-04-14 43008]
S4 atapi;Standard IDE/ESDI Hard Disk Controller; C:\WINDOWS\system32\DRIVERS\atapi.sys [2008-04-14 96512]
S4 cbidf;cbidf; C:\WINDOWS\system32\DRIVERS\cbidf2k.sys [2001-08-17 13952]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\DRIVERS\intelide.sys [2008-04-14 5504]
S4 sisagp;SIS AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\sisagp.sys [2008-04-14 40960]
S4 viaagp;VIA AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\viaagp.sys [2008-04-14 42240]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-08-28 144672]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-08-26 152984]
R2 MBAMService;MBAMService; C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [2010-01-07 236368]
R2 wltrysvc;Dell Wireless WLAN Tray Service; C:\WINDOWS\System32\WLTRYSVC.EXE [2008-12-11 24064]
R2 WSearch;Windows Search; C:\WINDOWS\system32\SearchIndexer.exe [2008-05-26 439808]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-11-12 545568]
S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-14 267776]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [2006-10-21 36864]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2006-10-30 741376]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2006-10-30 122880]

-----------------EOF-----------------

info.txt logfile of random's system information tool 1.06 2010-02-17 21:56:01

======Uninstall list======

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Acrobat.com-->msiexec /qb /x {6D8D64BE-F500-55B6-705D-DFD08AFE0624}
Acrobat.com-->MsiExec.exe /I{6D8D64BE-F500-55B6-705D-DFD08AFE0624}
Adobe AIR-->c:\Program Files\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{A2BCA9F1-566C-4805-97D1-7FDC93386723}
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 9.2-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A92000000001}
AIM 7-->C:\Program Files\AIM\uninst.exe
Apple Application Support-->MsiExec.exe /I{3FA365DF-2D68-45ED-8F83-8C8A33E65143}
Apple Mobile Device Support-->MsiExec.exe /I{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
Bonjour-->MsiExec.exe /I{07287123-B8AC-41CE-8346-3D777245C35B}
Broadcom NetXtreme-I Netlink Driver and Management Installer-->MsiExec.exe /I{75729BD7-F978-4C18-AF98-C0A682BF17D0}
Dell Touchpad-->rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Dell Wireless WLAN Card Utility-->"C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwlu00.exe" verbose /rootkey="Software\Broadcom\802.11\UninstallInfo" /rootdir="C:\Program Files\Dell\Dell Wireless WLAN Card"
Download Updater (AOL LLC)-->C:\Program Files\Common Files\Software Update Utility\uninstall.exe
HijackThis 2.0.2-->"C:\Documents and Settings\Brad\Desktop\HiJackThis\HijackThis.exe" /uninstall
Hotfix for Windows XP (KB915800-v4)-->"C:\WINDOWS\$NtUninstallKB915800-v4$\spuninst\spuninst.exe"
Intel® Graphics Media Accelerator Driver-->C:\WINDOWS\system32\igxpun.exe -uninstall
iTunes-->MsiExec.exe /I{A6FDF86A-F541-4E7B-AEA0-8849A2A700D5}
Java™ 6 Update 13-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216013FF}
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
Microsoft .NET Framework 3.0-->c:\WINDOWS\Microsoft.NET\Framework\v3.0\Microsoft .NET Framework 3.0\setup.exe
Microsoft .NET Framework 3.0-->MsiExec.exe /X{15095BF3-A3D7-4DDF-B193-3A496881E003}
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7-->"C:\WINDOWS\$NtUninstallWdf01007$\spuninst\spuninst.exe"
Microsoft Office 2000 SR-1 Premium-->MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
Microsoft VC9 runtime libraries-->MsiExec.exe /I{C4124E95-5061-4776-8D5D-E3D931C778E1}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
MSXML 6.0 Parser (KB927977)-->MsiExec.exe /I{5A710547-B58E-488B-828D-CA9A25A0533C}
QuickTime-->MsiExec.exe /I{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}
Realtek High Definition Audio Driver-->RtlUpd.exe -r -m -nrg2709
Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
Windows Communication Foundation-->MsiExec.exe /X{491DD792-AD81-429C-9EB4-86DD3D22E333}
Windows Presentation Foundation-->MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows Search 4.0-->"C:\WINDOWS\$NtUninstallKB940157$\spuninst\spuninst.exe"
Windows Workflow Foundation-->MsiExec.exe /I{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}

======Hosts File======

89.149.210.109 www.google.com
89.149.210.109 www.google.de
89.149.210.109 www.google.fr
89.149.210.109 www.google.co.uk
89.149.210.109 www.google.com.br
89.149.210.109 www.google.it
89.149.210.109 www.google.es
89.149.210.109 www.google.co.jp
89.149.210.109 www.google.com.mx
89.149.210.109 www.google.ca

======System event log======

Computer Name: DHTNX7K1
Event Code: 1005
Message: Your computer has detected that the IP address 0.0.0.0 for the Network Card
with network address 00265E554325 is already in use on the network.
Your computer will automatically attempt to obtain a different address.

Record Number: 21
Source Name: Dhcp
Time Written: 20090916004555.000000-240
Event Type: warning
User:

Computer Name: DHTNX7K1
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 00265E554325. The following
error occurred:
The semaphore timeout period has expired.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Record Number: 20
Source Name: Dhcp
Time Written: 20090916004555.000000-240
Event Type: warning
User:

Computer Name: DHTNX7K1
Event Code: 1005
Message: Your computer has detected that the IP address 192.168.2.10 for the Network Card
with network address 00265E554325 is already in use on the network.
Your computer will automatically attempt to obtain a different address.

Record Number: 10
Source Name: Dhcp
Time Written: 20090915004609.000000-240
Event Type: warning
User:

Computer Name: DHTNX7K1
Event Code: 1005
Message: Your computer has detected that the IP address 0.0.0.0 for the Network Card
with network address 00265E554325 is already in use on the network.
Your computer will automatically attempt to obtain a different address.

Record Number: 9
Source Name: Dhcp
Time Written: 20090915004609.000000-240
Event Type: warning
User:

Computer Name: DHTNX7K1
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 00265E554325. The following
error occurred:
The semaphore timeout period has expired.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Record Number: 8
Source Name: Dhcp
Time Written: 20090915004609.000000-240
Event Type: warning
User:

=====Application event log=====

Computer Name: DHTNX7K1
Event Code: 1
Message:
Record Number: 1280
Source Name: MBAMService
Time Written: 20100211134625.000000-300
Event Type: error
User:

Computer Name: DHTNX7K1
Event Code: 1004
Message: Faulting application svchost.exe, version 5.1.2600.5512, faulting module unknown, version 0.0.0.0, fault address 0x0279f7a0.

Record Number: 1274
Source Name: Application Error
Time Written: 20100211133421.000000-300
Event Type: error
User:

Computer Name: DHTNX7K1
Event Code: 32068
Message: The outgoing routing rule is not valid because it cannot find a valid device. The outgoing faxes that use this rule will not be routed. Verify that the targeted device or devices (if routed to a group of devices) is connected and installed correctly, and turned on. If routed to a group, verify that the group is configured correctly.
Country/region code: '*'
Area code: '*'

Record Number: 1264
Source Name: Microsoft Fax
Time Written: 20100211131242.000000-300
Event Type: warning
User:

Computer Name: DHTNX7K1
Event Code: 32026
Message: Fax Service failed to initialize any assigned fax devices (virtual or TAPI).
No faxes can be sent or received until a fax device is installed.

Record Number: 1263
Source Name: Microsoft Fax
Time Written: 20100211131242.000000-300
Event Type: warning
User:

Computer Name: DHTNX7K1
Event Code: 1517
Message: Windows saved user DHTNX7K1\Brad registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 1258
Source Name: Userenv
Time Written: 20100211131150.000000-300
Event Type: warning
User: NT AUTHORITY\SYSTEM

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 28 Stepping 2, GenuineIntel
"PROCESSOR_REVISION"=1c02
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"CLASSPATH"=.;C:\Program Files\Java\jre6\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre6\lib\ext\QTJava.zip

-----------------EOF-----------------

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-17 22:02:56
Windows 5.1.2600 Service Pack 3
Running: hu7gj6f3.exe; Driver: C:\DOCUME~1\Brad\LOCALS~1\Temp\kwloapog.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device -> \Driver\iaStor \Device\Harddisk0\DR0 86496856

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\iaStor.sys suspicious modification

---- EOF - GMER 1.0.15 ----



#4 syler
  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 18 February 2010 - 10:45 AM

Hi JimG,

Unfortunately your logs show you have a rootkit infection, so you should be aware of the following information.

One or more of the identified infections is a backdoor trojan/Rootkit.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you decide you want to proceed with trying to clean your machine please follow these next steps.



Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed, click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix



#5 JimG156
  • Topic Starter
  • Members
  • 7 posts

Posted 19 February 2010 - 11:08 PM

Sylar,

Thanks for the info. The netbook is not now used for anything critical. I've requested XP and the resource DVDs from Dell. I'd like to fix the thing up enough to let my friend use it for a while. When I get some time to spend on it, I'll reload it for him sometime in the near future.

Below is the ComboFix.txt file

ComboFix 10-02-19.03 - Brad 02/19/2010 22:45:46.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.753 [GMT -5:00]
Running from: c:\documents and settings\Brad\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\13965.exe
c:\windows\system32\27927.exe
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

Infected copy of c:\windows\system32\drivers\iaStor.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((( Files Created from 2010-01-20 to 2010-02-20 )))))))))))))))))))))))))))))))
.

2010-02-18 02:55 . 2010-02-18 02:56 -------- d-----w- C:\rsit
2010-02-11 19:36 . 2010-02-11 19:36 81920 ----a-w- c:\windows\system32\emp77.exe
2010-02-11 19:26 . 2010-02-11 19:26 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-02-11 19:23 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-11 19:23 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-11 17:15 . 2010-02-11 17:15 -------- d--h--w- c:\windows\PIF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-11 19:26 . 2009-10-18 14:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-11 18:27 . 2009-08-26 22:30 329752 ----a-w- c:\windows\system32\drivers\iaStor.sys
2010-02-11 16:22 . 2009-10-06 01:46 -------- d-----w- c:\documents and settings\Brad\Application Data\U3
2010-01-14 22:34 . 2010-01-14 22:34 -------- d-----w- c:\documents and settings\Brad\Application Data\Windows Search
2010-01-06 00:08 . 2010-01-06 00:08 16460 ---ha-w- c:\windows\system32\mlfcache.dat
2010-01-05 23:57 . 2010-01-05 23:56 -------- d-----w- c:\documents and settings\Brad\Application Data\Apple Computer
2010-01-05 23:56 . 2010-01-05 23:54 -------- d-----w- c:\program files\iTunes
2010-01-05 23:56 . 2010-01-05 23:54 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-01-05 23:55 . 2010-01-05 23:55 -------- d-----w- c:\program files\iPod
2010-01-05 23:55 . 2010-01-05 23:47 -------- d-----w- c:\program files\Common Files\Apple
2010-01-05 23:54 . 2010-01-05 23:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-01-05 23:54 . 2010-01-05 23:54 -------- d-----w- c:\program files\Bonjour
2010-01-05 23:53 . 2010-01-05 23:51 -------- d-----w- c:\program files\QuickTime
2010-01-05 23:51 . 2010-01-05 23:51 -------- d-----w- c:\program files\Apple Software Update
2010-01-05 23:47 . 2010-01-05 23:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-01-07 429392]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim]
2009-09-16 16:10 3634024 ----a-w- c:\program files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
2008-12-12 01:38 2220032 ----a-w- c:\windows\system32\WLTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2009-03-30 01:04 159744 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2009-03-30 01:04 135168 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2009-03-30 01:04 131072 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2009-05-14 18:50 17881088 ----a-w- c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-08-26 19:53 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2009-03-11 22:36 1434920 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2/11/2010 2:23 PM 236368]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2/11/2010 2:23 PM 19160]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [8/26/2009 5:29 PM 164352]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [8/26/2009 5:29 PM 1684736]
.
Contents of the 'Scheduled Tasks' folder

2010-01-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-19 22:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(872)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(3376)
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-02-19 22:57:25 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-20 03:57

Pre-Run: 6,568,157,184 bytes free
Post-Run: 7,230,152,704 bytes free

- - End Of File - - 07BBE0FBBCD9D33FF1F0F02A97217607
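The ComboFix log above carries three indicators worth recognising on sight: the run of At1.job to At24.job scheduled tasks, the digit-only executables 13965.exe and 27927.exe in system32, and the "Infected copy of ... iaStor.sys was found and disinfected" line that matches GMER's earlier "suspicious modification" finding on the same storage driver. The script below is an added example, not part of the thread and not code from ComboFix's authors; it splits a ComboFix.txt into its sections by the parenthesis-wrapped headers the log uses and flags those three patterns. SAMPLE_LOG is a constructed, shortened copy of the log posted above, and the indicator labels are names chosen here.

```python
"""Triage the "Other Deletions" section of a ComboFix log.

Added example; not part of the original thread and not ComboFix's own code.  It parses
the section headers ComboFix.txt uses (a name wrapped in runs of parentheses) and flags
three indicator patterns that all occur in the log posted above: scheduled tasks named
At<N>.job (jobs created with the `at` command, a common re-infection mechanism),
executables in system32 whose names are only digits, and a system driver ComboFix reports
as "found and disinfected" (the TDSS family hides by patching a storage driver such as
iaStor.sys).  SAMPLE_LOG is a constructed, shortened copy of that log.
"""
import re
from typing import Dict, List

SAMPLE_LOG = """\
ComboFix 10-02-19.03 - Brad 02/19/2010 22:45:46.1.2 - x86
Running from: c:\\documents and settings\\Brad\\Desktop\\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\\windows\\system32\\13965.exe
c:\\windows\\system32\\27927.exe
c:\\windows\\Tasks\\At1.job
c:\\windows\\Tasks\\At2.job
c:\\windows\\Tasks\\At24.job

Infected copy of c:\\windows\\system32\\drivers\\iaStor.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((( Files Created from 2010-01-20 to 2010-02-20 )))))))))))))))))))))))))))))))
.
2010-02-11 19:36 . 2010-02-11 19:36 81920 ----a-w- c:\\windows\\system32\\emp77.exe
"""

# A ComboFix section header is a name wrapped in long runs of parentheses.
SECTION_RE = re.compile(r"^\(+\s*(?P<name>[^()]+?)\s*\)+$")

# (label, pattern applied to each line of the section); labels are names chosen here.
INDICATORS = [
    ("at_job_task", re.compile(r"\\tasks\\at\d+\.job$", re.I)),
    ("numeric_exe_in_system32", re.compile(r"\\system32\\\d+\.exe$", re.I)),
    ("patched_system_driver",
     re.compile(r"^infected copy of (?P<path>.+\.sys) was found and disinfected$", re.I)),
]


def split_sections(log: str) -> Dict[str, List[str]]:
    """Map each section name to its non-empty body lines ('.' spacer lines dropped)."""
    sections: Dict[str, List[str]] = {"preamble": []}
    current = "preamble"
    for raw in log.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections[current] = []
        elif line and line != ".":
            sections[current].append(line)
    return sections


def triage(log: str) -> Dict[str, List[str]]:
    """Return matching lines from 'Other Deletions', keyed by indicator label."""
    hits: Dict[str, List[str]] = {label: [] for label, _ in INDICATORS}
    for line in split_sections(log).get("Other Deletions", []):
        for label, rx in INDICATORS:
            if rx.search(line):
                hits[label].append(line)
    return hits


def summarize(log: str) -> List[str]:
    """One line per indicator that fired, suitable for pasting into a reply."""
    out = []
    for label, lines in triage(log).items():
        if lines:
            more = " ..." if len(lines) > 1 else ""
            out.append(f"{label}: {len(lines)} ({lines[0]}{more})")
    return out


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        text = open(sys.argv[1], encoding="utf-8", errors="replace").read()
    else:
        text = SAMPLE_LOG
    print("\n".join(summarize(text)) or "no indicators matched")
```

Run it against a saved C:\ComboFix.txt as the first argument, or with no argument to see the three indicators fire on the embedded sample. The "patched_system_driver" match is the one that matters most for the decision syler laid out in post #4: a driver that loads before the user's security software and has been modified on disk means the rest of the log cannot be fully trusted.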




#6 syler
  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 20 February 2010 - 12:09 PM

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

CODE
Collect::
c:\windows\system32\emp77.exe


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



Download the HostsXpert
  • Unzip HostsXpert 4.3 - Hosts File Manager to a convenient folder such as C:\HostsXpert
  • Click HostsXpert.exe to Run HostsXpert 4.3 - Hosts File Manager from its new home
  • Click "Make Hosts Writable?" in the upper right corner (If available).
  • Click Restore Microsoft's Hosts file and then click OK.
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.



Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 18 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u18-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.



Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


Then in your next reply, please let me know if you are having any more problems and post back here with the following logs:
  • Combofix.txt
  • Kaspersky report

Thanks


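The HostsXpert step above restores the default hosts file because the DDS log earlier in the thread shows a long list of Google hostnames all pointed at 89.149.210.109, the behaviour Kaspersky later names as Trojan.Win32.Qhost. The script below is an added example, not part of the thread and not HostsXpert's code; it audits hosts-file text the way a responder would before deciding whether to restore it: every hostname mapped to an address that is neither loopback nor 0.0.0.0 is a redirect (those two only sinkhole a name, which is what ad blocklists legitimately do), and any one external address collecting several hostnames is the signature of a mass redirect. SAMPLE_HOSTS is constructed from two real lines of the log above plus a default entry and a harmless LAN entry; the allowlist and the nas.local name are assumptions for the demonstration.

```python
"""Audit Windows hosts-file text for attacker redirects.

Added example; not part of the original thread and not the HostsXpert tool's code.
Flags every hostname mapped to an address that is neither loopback nor 0.0.0.0, and
reports any such address shared by several hostnames.  SAMPLE_HOSTS is constructed:
two real lines from the DDS log in this thread plus a default entry and a LAN entry.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
192.168.2.20    nas.local          # constructed: a legitimate LAN entry
89.149.210.109 www.google.com.mx
89.149.210.109 www.google.ca
"""

# Default location on Windows; pass another path on the command line to override.
WINDOWS_HOSTS = r"C:\Windows\System32\drivers\etc\hosts"


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs, one per hostname; comments and junk lines are skipped."""
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                                # not an address: the resolver ignores it too
        entries.extend((ip, name.lower()) for name in names)
    return entries


def is_benign_target(ip: str) -> bool:
    """127.0.0.0/8, ::1 and 0.0.0.0 only sinkhole a name; they cannot redirect it."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def audit_hosts(text: str, min_shared: int = 2,
                allowlist: Iterable[str] = ()) -> Dict[str, object]:
    """Group redirecting entries by target; list targets shared by >= min_shared names."""
    allowed = {n.lower() for n in allowlist}
    redirects: Dict[str, List[str]] = defaultdict(list)
    for ip, name in parse_hosts(text):
        if is_benign_target(ip) or name in allowed:
            continue
        redirects[ip].append(name)
    mass = sorted(ip for ip, names in redirects.items() if len(names) >= min_shared)
    return {"redirects": dict(redirects), "mass_redirect_targets": mass}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        text = open(sys.argv[1], encoding="utf-8", errors="replace").read()
    else:
        text = SAMPLE_HOSTS
    report = audit_hosts(text, allowlist=["nas.local"])   # allowlist is an assumption
    for ip, names in report["redirects"].items():
        print(f"{ip:<16} -> {', '.join(names)}")
    print("mass-redirect targets:", report["mass_redirect_targets"] or "none")
```

With no argument the script audits the embedded sample and reports 89.149.210.109 as a mass-redirect target; point it at %SystemRoot%\system32\drivers\etc\hosts on a live machine (the file is normally locked read-only, which is why HostsXpert offers "Make Hosts Writable?"). Keep the allowlist for entries you added yourself, as the HostsXpert note says those are the ones you will have to put back after the restore.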

#7 JimG156
  • Topic Starter
  • Members
  • 7 posts

Posted 21 February 2010 - 12:09 AM

Sylar,

The netbook seems to be working OK. I did see that the online Kaspersky scan found some things. It didn't say that it deleted them, though.
The logs are below.

Thanks again.

ComboFix 10-02-19.03 - Brad 02/20/2010 21:31:15.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.722 [GMT -5:00]
Running from: c:\documents and settings\Brad\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Brad\Desktop\CFScript.txt

file zipped: c:\windows\system32\emp77.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\emp77.exe

.
((((((((((((((((((((((((( Files Created from 2010-01-21 to 2010-02-21 )))))))))))))))))))))))))))))))
.

2010-02-18 02:55 . 2010-02-18 02:56 -------- d-----w- C:\rsit
2010-02-11 19:26 . 2010-02-11 19:26 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-02-11 19:23 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-11 19:23 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-11 17:15 . 2010-02-11 17:15 -------- d--h--w- c:\windows\PIF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-11 19:26 . 2009-10-18 14:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-11 18:27 . 2009-08-26 22:30 329752 ----a-w- c:\windows\system32\drivers\iaStor.sys
2010-02-11 16:22 . 2009-10-06 01:46 -------- d-----w- c:\documents and settings\Brad\Application Data\U3
2010-01-14 22:34 . 2010-01-14 22:34 -------- d-----w- c:\documents and settings\Brad\Application Data\Windows Search
2010-01-06 00:08 . 2010-01-06 00:08 16460 ---ha-w- c:\windows\system32\mlfcache.dat
2010-01-05 23:57 . 2010-01-05 23:56 -------- d-----w- c:\documents and settings\Brad\Application Data\Apple Computer
2010-01-05 23:56 . 2010-01-05 23:54 -------- d-----w- c:\program files\iTunes
2010-01-05 23:56 . 2010-01-05 23:54 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-01-05 23:55 . 2010-01-05 23:55 -------- d-----w- c:\program files\iPod
2010-01-05 23:55 . 2010-01-05 23:47 -------- d-----w- c:\program files\Common Files\Apple
2010-01-05 23:54 . 2010-01-05 23:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-01-05 23:54 . 2010-01-05 23:54 -------- d-----w- c:\program files\Bonjour
2010-01-05 23:53 . 2010-01-05 23:51 -------- d-----w- c:\program files\QuickTime
2010-01-05 23:51 . 2010-01-05 23:51 -------- d-----w- c:\program files\Apple Software Update
2010-01-05 23:47 . 2010-01-05 23:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
.

((((((((((((((((((((((((((((( SnapShot@2010-02-20_03.54.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-21 02:24 . 2010-02-21 02:24 16384 c:\windows\Temp\Perflib_Perfdata_74c.dat
+ 2008-04-25 20:33 . 2010-02-21 02:28 78252 c:\windows\system32\perfc009.dat
- 2008-04-25 20:33 . 2010-02-20 03:49 78252 c:\windows\system32\perfc009.dat
+ 2008-04-25 20:33 . 2010-02-21 02:28 459314 c:\windows\system32\perfh009.dat
- 2008-04-25 20:33 . 2010-02-20 03:49 459314 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-01-07 429392]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim]
2009-09-16 16:10 3634024 ----a-w- c:\program files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
2008-12-12 01:38 2220032 ----a-w- c:\windows\system32\WLTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2009-03-30 01:04 159744 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2009-03-30 01:04 135168 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2009-03-30 01:04 131072 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2009-05-14 18:50 17881088 ----a-w- c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-08-26 19:53 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2009-03-11 22:36 1434920 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2/11/2010 2:23 PM 236368]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2/11/2010 2:23 PM 19160]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [8/26/2009 5:29 PM 164352]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [8/26/2009 5:29 PM 1684736]
.
Contents of the 'Scheduled Tasks' folder

2010-01-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(868)
c:\windows\System32\BCMLogon.dll
.
Completion time: 2010-02-20 21:37:47
ComboFix-quarantined-files.txt 2010-02-21 02:37
ComboFix2.txt 2010-02-20 03:57

Pre-Run: 7,224,049,664 bytes free
Post-Run: 7,190,708,224 bytes free

- - End Of File - - 416B6B6DF7565ACE5A0E3EF34F9409D2
Upload was successful

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Saturday, February 20, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Sunday, February 21, 2010 02:52:49
Records in database: 3601856
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\

Scan statistics:
Objects scanned: 31517
Threats found: 4
Infected objects found: 4
Suspicious objects found: 0
Scan duration: 01:17:49


File name / Threat / Threats count
C:\Documents and Settings\NetworkService\Application Data\Microsoft\Internet Explorer\Desktop.htt Infected: Trojan.JS.Fraud.w 1
C:\qFM1S.bat Infected: Trojan.BAT.Agent.tf 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\iaStor.sys.vir Infected: Rootkit.Win32.TDSS.y 1
C:\Qoobox\Quarantine\[4]-Submit_2010-02-20_21.31.09.zip Infected: Trojan.Win32.Qhost.mnu 1

Selected area has been scanned.


#8 syler
  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 21 February 2010 - 03:39 PM

Hi JimG156,

That's looking good, we will remove what Kaspersky found, now.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

CODE
Collect::
C:\Documents and Settings\NetworkService\Application Data\Microsoft\Internet Explorer\Desktop.htt
C:\qFM1S.bat


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Then please post combofix.txt and a new DDS log.

Cheers



#9 JimG156
  • Topic Starter
  • Members
  • 7 posts

Posted 21 February 2010 - 09:02 PM

Sylar,
Thanks for taking the time on a weekend!

Below are ComboFix.txt and DDS.txt. Attach.txt is attached if you need it.

JimG

ComboFix 10-02-19.03 - Brad 02/21/2010 20:30:30.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.718 [GMT -5:00]
Running from: c:\documents and settings\Brad\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Brad\Desktop\CFScript.txt

file zipped: c:\documents and settings\NetworkService\Application Data\Microsoft\Internet Explorer\Desktop.htt
file zipped: C:\qFM1S.bat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\NetworkService\Application Data\Microsoft\Internet Explorer\Desktop.htt
C:\qFM1S.bat

.
((((((((((((((((((((((((( Files Created from 2010-01-22 to 2010-02-22 )))))))))))))))))))))))))))))))
.

2010-02-21 03:04 . 2010-02-21 03:04 -------- d-----w- c:\program files\Common Files\Java
2010-02-21 03:03 . 2010-02-21 03:03 503808 ----a-w- c:\documents and settings\Brad\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-79d9cc1a-n\msvcp71.dll
2010-02-21 03:03 . 2010-02-21 03:03 499712 ----a-w- c:\documents and settings\Brad\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-79d9cc1a-n\jmc.dll
2010-02-21 03:03 . 2010-02-21 03:03 348160 ----a-w- c:\documents and settings\Brad\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-79d9cc1a-n\msvcr71.dll
2010-02-21 03:03 . 2010-02-21 03:03 61440 ----a-w- c:\documents and settings\Brad\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-29f2c2e4-n\decora-sse.dll
2010-02-21 03:03 . 2010-02-21 03:03 12800 ----a-w- c:\documents and settings\Brad\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-29f2c2e4-n\decora-d3d.dll
2010-02-21 02:46 . 2010-02-21 02:51 -------- d-----w- C:\HostsXpert
2010-02-18 02:55 . 2010-02-18 02:56 -------- d-----w- C:\rsit
2010-02-11 19:26 . 2010-02-11 19:26 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-02-11 19:23 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-11 19:23 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-11 17:15 . 2010-02-11 17:15 -------- d--h--w- c:\windows\PIF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-21 03:00 . 2009-08-26 19:54 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-11 19:26 . 2009-10-18 14:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-11 18:27 . 2009-08-26 22:30 329752 ----a-w- c:\windows\system32\drivers\iaStor.sys
2010-02-11 16:22 . 2009-10-06 01:46 -------- d-----w- c:\documents and settings\Brad\Application Data\U3
2010-01-14 22:34 . 2010-01-14 22:34 -------- d-----w- c:\documents and settings\Brad\Application Data\Windows Search
2010-01-06 00:08 . 2010-01-06 00:08 16460 ---ha-w- c:\windows\system32\mlfcache.dat
2010-01-05 23:57 . 2010-01-05 23:56 -------- d-----w- c:\documents and settings\Brad\Application Data\Apple Computer
2010-01-05 23:56 . 2010-01-05 23:54 -------- d-----w- c:\program files\iTunes
2010-01-05 23:56 . 2010-01-05 23:54 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-01-05 23:55 . 2010-01-05 23:55 -------- d-----w- c:\program files\iPod
2010-01-05 23:55 . 2010-01-05 23:47 -------- d-----w- c:\program files\Common Files\Apple
2010-01-05 23:54 . 2010-01-05 23:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-01-05 23:54 . 2010-01-05 23:54 -------- d-----w- c:\program files\Bonjour
2010-01-05 23:53 . 2010-01-05 23:51 -------- d-----w- c:\program files\QuickTime
2010-01-05 23:51 . 2010-01-05 23:51 -------- d-----w- c:\program files\Apple Software Update
2010-01-05 23:47 . 2010-01-05 23:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
.

((((((((((((((((((((((((((((( SnapShot@2010-02-20_03.54.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-22 01:21 . 2010-02-22 01:21 16384 c:\windows\Temp\Perflib_Perfdata_5e4.dat
+ 2008-04-25 20:33 . 2010-02-22 01:30 78252 c:\windows\system32\perfc009.dat
- 2008-04-25 20:33 . 2010-02-20 03:49 78252 c:\windows\system32\perfc009.dat
+ 2008-04-25 20:33 . 2010-02-22 01:30 459314 c:\windows\system32\perfh009.dat
- 2008-04-25 20:33 . 2010-02-20 03:49 459314 c:\windows\system32\perfh009.dat
+ 2010-02-21 03:02 . 2010-02-21 03:00 153376 c:\windows\system32\javaws.exe
+ 2010-02-21 03:02 . 2010-02-21 03:00 145184 c:\windows\system32\javaw.exe
+ 2010-02-21 03:02 . 2010-02-21 03:00 145184 c:\windows\system32\java.exe
- 2009-09-15 01:49 . 2009-08-26 20:02 262144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
+ 2009-09-15 01:49 . 2010-02-21 02:57 262144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
+ 2010-02-21 03:04 . 2010-02-21 03:04 178176 c:\windows\Installer\14e61.msi
+ 2010-02-21 03:00 . 2010-02-21 03:00 577536 c:\windows\Installer\14e5c.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-01-07 429392]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim]
2009-09-16 16:10 3634024 ----a-w- c:\program files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
2008-12-12 01:38 2220032 ----a-w- c:\windows\system32\WLTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2009-03-30 01:04 159744 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2009-03-30 01:04 135168 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2009-03-30 01:04 131072 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2009-05-14 18:50 17881088 ----a-w- c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2009-03-11 22:36 1434920 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2/11/2010 2:23 PM 236368]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2/11/2010 2:23 PM 19160]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [8/26/2009 5:29 PM 164352]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [8/26/2009 5:29 PM 1684736]
.
Contents of the 'Scheduled Tasks' folder

2010-01-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-21 20:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(696)
c:\windows\System32\BCMLogon.dll
.
Completion time: 2010-02-21 20:37:22
ComboFix-quarantined-files.txt 2010-02-22 01:37
ComboFix2.txt 2010-02-20 03:57

Pre-Run: 7,008,108,544 bytes free
Post-Run: 7,077,711,872 bytes free

- - End Of File - - 2C3B35DABF668D7D296373500CEE9E7D
Upload was successful


DDS (Ver_09-12-01.01) - NTFSx86
Run by Brad at 20:44:51.68 on Sun 02/21/2010
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.690 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Brad\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxdev.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-2-11 236368]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-2-11 19160]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2009-8-26 164352]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-8-26 1684736]

=============== Created Last 30 ================

2010-02-21 03:02:53 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-02-21 02:46:15 0 d-----w- C:\HostsXpert
2010-02-20 03:37:03 0 d-sha-r- C:\cmdcons
2010-02-20 03:34:44 98816 ----a-w- c:\windows\sed.exe
2010-02-20 03:34:44 77312 ----a-w- c:\windows\MBR.exe
2010-02-20 03:34:44 261632 ----a-w- c:\windows\PEV.exe
2010-02-20 03:34:44 161792 ----a-w- c:\windows\SWREG.exe
2010-02-20 03:34:02 440 ----a-w- C:\100.js
2010-02-11 19:23:43 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-11 19:23:40 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-11 17:34:01 487 ----a-w- C:\77.js
2010-02-11 17:15:22 0 d--h--w- c:\windows\PIF
2010-01-25 16:34:33 648 ----a-w- C:\Internet Security 2010.lnk
2010-01-25 16:34:01 437 ----a-w- C:\44.js

==================== Find3M ====================

2010-02-21 03:00:54 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-11 18:27:25 329752 ----a-w- c:\windows\system32\drivers\iaStor.sys
2010-01-06 00:08:20 16460 ---ha-w- c:\windows\system32\mlfcache.dat

============= FINISH: 20:45:03.60 ===============

Attached Files



#10 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:05:06 AM

Posted 22 February 2010 - 01:25 PM

Hi JimG,

That looks ok, just a few things I need to check, and an AV needs to be added to your machine. You can also delete the following file.

C:\Internet Security 2010.lnk


I don't see an Anti Virus Program running on your machine
  • Download and install an antivirus program, and make sure that you keep it updated
New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
Two good antivirus programs free for non-commercial home use are Avast! and Antivir.
Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.



Please click this link-->Virustotal
When the Virustotal page has finished loading, click the Browse button and navigate to the following files and click Submit.

C:\100.js
C:\77.js
C:\44.js

Please post back with the link to the scan results in your next post.
If Virustotal is busy, try the same at Jotti: http://virusscan.jotti.org/


Then please post back with the VT link and a new DDS log, no need to post attach.txt this time.

Thanks

Edited by syler, 22 February 2010 - 01:26 PM.

unite.jpg


#11 JimG156

JimG156
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:12:06 AM

Posted 23 February 2010 - 06:55 PM

Syler,

Sorry about last night. I had a bunch of homework. (Teachers have homework, too :-)

I think I did this right. I just copied the URL of the results pages; DDS.txt is also below:

virustotal

100.js
http://www.virustotal.com/analisis/de38498...934f-1266967589

77.js
http://www.virustotal.com/analisis/ecbbff8...90ef-1266967878

44.js
http://www.virustotal.com/analisis/98a86b2...d34e-1264524825



DDS (Ver_09-12-01.01) - NTFSx86
Run by Brad at 18:44:18.07 on Tue 02/23/2010
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.624 [GMT -5:00]

AV: Norton Security Suite *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Norton Security Suite\Engine\3.5.2.11\ccSvcHst.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Norton Security Suite\Engine\3.5.2.11\ccSvcHst.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Brad\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton security suite\engine\3.5.2.11\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton security suite\engine\3.5.2.11\IPSBHO.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton security suite\engine\3.5.2.11\coIEPlg.dll
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
c:\documents and settings\brad\local settings\temp\4.tmp\temp00
c:\documents and settings\brad\local settings\temp\4.tmp\temp00
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton security suite\engine\3.5.2.11\CoIEPlg.dll
Notify: igfxcui - igfxdev.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0308000.029\SymEFA.sys [2010-2-23 310320]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100218.001\IDSXpx86.sys [2010-2-22 329592]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-2-11 236368]
R2 N360;Norton Security Suite;c:\program files\norton security suite\engine\3.8.0.41\ccSvcHst.exe [2010-2-23 117640]
R3 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0305020.00b\BHDrvx86.sys [2010-2-22 259632]
R3 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0305020.00b\cchpx86.sys [2010-2-22 482432]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-2-22 102448]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-2-11 19160]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100223.004\NAVENG.SYS [2010-2-23 84912]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100223.004\NAVEX15.SYS [2010-2-23 1324720]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2009-8-26 164352]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-8-26 1684736]

=============== Created Last 30 ================

2010-02-23 23:29:08 0 d-----w- c:\docume~1\alluse~1\applic~1\Symantec
2010-02-23 01:30:08 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys
2010-02-23 01:30:02 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-02-23 01:30:01 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-02-23 01:30:01 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-02-23 01:30:01 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-02-23 01:30:01 0 d-----w- c:\program files\Symantec
2010-02-23 01:30:01 0 d-----w- c:\program files\common files\Symantec Shared
2010-02-23 01:27:26 0 d-----w- c:\windows\system32\drivers\N360
2010-02-23 01:27:22 0 d-----w- c:\program files\Norton Security Suite
2010-02-23 01:27:20 0 d-----w- c:\docume~1\alluse~1\applic~1\Norton
2010-02-23 01:26:31 0 d-----w- c:\program files\NortonInstaller
2010-02-23 01:26:31 0 d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller
2010-02-21 03:02:53 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-02-21 02:46:15 0 d-----w- C:\HostsXpert
2010-02-20 03:37:03 0 d-sha-r- C:\cmdcons
2010-02-20 03:34:44 98816 ----a-w- c:\windows\sed.exe
2010-02-20 03:34:44 77312 ----a-w- c:\windows\MBR.exe
2010-02-20 03:34:44 261632 ----a-w- c:\windows\PEV.exe
2010-02-20 03:34:44 161792 ----a-w- c:\windows\SWREG.exe
2010-02-20 03:34:02 440 ----a-w- C:\100.js
2010-02-11 19:23:43 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-11 19:23:40 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-11 17:34:01 487 ----a-w- C:\77.js
2010-02-11 17:15:22 0 d--h--w- c:\windows\PIF
2010-01-25 16:34:01 437 ----a-w- C:\44.js

==================== Find3M ====================

2010-02-23 01:29:36 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-02-23 01:28:48 107368 ----a-r- c:\windows\system32\GEARAspi.dll
2010-02-21 03:00:54 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-11 18:27:25 329752 ----a-w- c:\windows\system32\drivers\iaStor.sys
2010-01-06 00:08:20 16460 ---ha-w- c:\windows\system32\mlfcache.dat

============= FINISH: 18:45:01.98 ===============


#12 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:05:06 AM

Posted 23 February 2010 - 07:12 PM

You did that fine, let's clean those files up.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

CODE
http://www.bleepingcomputer.com/forums/t/295065/dcom-server-process-launcher-terminate/

Collect::
C:\100.js
C:\77.js
C:\44.js
DDS::
c:\documents and settings\brad\local settings\temp\4.tmp\temp00
c:\documents and settings\brad\local settings\temp\4.tmp\temp00


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

unite.jpg
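As an added example (not code from this thread, from the DDS tool or from ComboFix), here is a small Python triage helper for the DDS log format posted above: it parses the "Created Last 30" section and flags script or executable files sitting at the drive root, and lists untagged lines in the "Pseudo HJT Report", which is how the three .js files and the two temp00 entries stand out in the logs before they go into a CFScript. The sample log is constructed from lines on this page; the heuristics, regexes and function names are my own assumptions, not DDS conventions.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List

# Constructed sample: a cut-down DDS log assembled from lines posted in this thread.
SAMPLE_DDS = r"""DDS (Ver_09-12-01.01) - NTFSx86
Run by Brad at 18:44:18.07 on Tue 02/23/2010

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
c:\documents and settings\brad\local settings\temp\4.tmp\temp00
c:\documents and settings\brad\local settings\temp\4.tmp\temp00
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

=============== Created Last 30 ================

2010-02-20 03:37:03 0 d-sha-r- C:\cmdcons
2010-02-20 03:34:44 98816 ----a-w- c:\windows\sed.exe
2010-02-20 03:34:02 440 ----a-w- C:\100.js
2010-02-11 19:23:40 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-11 17:34:01 487 ----a-w- C:\77.js
2010-02-11 17:15:22 0 d--h--w- c:\windows\PIF
2010-01-25 16:34:33 648 ----a-w- C:\Internet Security 2010.lnk
2010-01-25 16:34:01 437 ----a-w- C:\44.js

==================== Find3M ====================

2010-02-21 03:00:54 411368 ----a-w- c:\windows\system32\deploytk.dll
"""

# One "Created Last 30" record: timestamp, byte size, 8 attribute flags, path (my reading of the format).
DDS_RECORD = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<size>\d+)\s+"
    r"(?P<attrs>[-a-z]{8})\s+(?P<path>.+?)\s*$"
)
# A Pseudo HJT line normally opens with a tag ("mRun: ", "BHO: ", ...) or is a "key = value" setting.
TAGGED = re.compile(r"^[A-Za-z][\w-]*: |^[^=]+ = ")
# Executable content with no ordinary reason to sit at the drive root of a home machine (assumed list).
SUSPECT_EXTS = (".js", ".vbs", ".bat", ".cmd", ".exe", ".scr", ".lnk")


@dataclass
class DdsEntry:
    timestamp: str
    size: int
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        # DDS prints a leading "d" in the attribute flags for directories.
        return self.attrs.startswith("d")

    @property
    def at_drive_root(self) -> bool:
        # "C:\100.js": exactly one backslash, directly after the drive letter.
        return re.fullmatch(r"[A-Za-z]:\\[^\\]+", self.path) is not None


def section_lines(log_text: str, title: str) -> Iterator[str]:
    """Yield the body lines of the DDS section whose '=== title ===' header contains title."""
    in_section = False
    for line in log_text.splitlines():
        if line.startswith("="):          # every section header is a run of '='
            if in_section:
                return                    # reached the next header: section is over
            in_section = title in line
            continue
        if in_section:
            yield line


def parse_created_section(log_text: str) -> List[DdsEntry]:
    """Parse every well-formed record in 'Created Last 30'."""
    entries = []
    for line in section_lines(log_text, "Created Last 30"):
        m = DDS_RECORD.match(line)
        if m:
            entries.append(DdsEntry(m["ts"], int(m["size"]), m["attrs"], m["path"]))
    return entries


def flag_root_files(entries: List[DdsEntry]) -> List[str]:
    """Paths of plain files at the drive root whose extension is in SUSPECT_EXTS."""
    return [e.path for e in entries
            if not e.is_dir and e.at_drive_root and e.path.lower().endswith(SUSPECT_EXTS)]


def untagged_hjt_lines(log_text: str) -> List[str]:
    """Non-empty 'Pseudo HJT Report' lines that carry no DDS tag; in this thread, the temp00 paths."""
    return [line.strip() for line in section_lines(log_text, "Pseudo HJT Report")
            if line.strip() and not TAGGED.match(line)]


if __name__ == "__main__":
    created = parse_created_section(SAMPLE_DDS)
    print("root-level files to review:", flag_root_files(created))
    print("untagged HJT lines:", untagged_hjt_lines(SAMPLE_DDS))
```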


#13 JimG156

JimG156
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:12:06 AM

Posted 23 February 2010 - 08:48 PM

Syler,
Thanks!
Below is the latest ComboFix.txt.

ComboFix 10-02-19.03 - Brad 02/23/2010 20:27:40.4.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.545 [GMT -5:00]
Running from: c:\documents and settings\Brad\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Brad\Desktop\CFScript.txt
AV: Norton Security Suite *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

file zipped: C:\100.js
file zipped: C:\44.js
file zipped: C:\77.js
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\100.js
C:\44.js
C:\77.js

.
((((((((((((((((((((((((( Files Created from 2010-01-24 to 2010-02-24 )))))))))))))))))))))))))))))))
.

2010-02-24 01:25 . 2010-02-22 18:55 84912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100223.033\NAVENG.SYS
2010-02-24 01:25 . 2010-02-22 18:55 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100223.033\NAVENG32.DLL
2010-02-24 01:25 . 2010-02-22 18:55 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100223.033\NAVEX32A.DLL
2010-02-24 01:25 . 2010-02-22 18:55 1324720 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100223.033\NAVEX15.SYS
2010-02-24 01:25 . 2010-02-22 18:55 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100223.033\EECTRL.SYS
2010-02-24 01:25 . 2010-02-22 18:55 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100223.033\CCERASER.DLL
2010-02-24 01:25 . 2010-02-22 18:55 259440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100223.033\ECMSVR32.DLL
2010-02-24 01:25 . 2010-02-22 18:55 102448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100223.033\ERASER.SYS
2010-02-23 23:29 . 2010-02-23 23:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-02-23 01:42 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100218.001\Scxpx86.dll
2010-02-23 01:42 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100218.001\IDSvix86.sys
2010-02-23 01:42 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100218.001\IDSXpx86.sys
2010-02-23 01:42 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100218.001\IDSxpx86.dll
2010-02-23 01:42 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100218.001\IDSviA64.sys
2010-02-23 01:30 . 2010-02-23 01:29 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys
2010-02-23 01:30 . 2010-02-23 01:30 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-02-23 01:30 . 2010-02-23 01:44 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-02-23 01:30 . 2010-02-23 01:30 -------- d-----w- c:\program files\Symantec
2010-02-23 01:30 . 2010-02-23 01:30 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-02-23 01:29 . 2010-02-23 01:29 1291104 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\SyKnAppS.dll
2010-02-23 01:29 . 2010-02-23 01:29 136840 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\patch25.dll
2010-02-23 01:28 . 2010-02-23 01:28 776952 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\CLT\cltLMSx.dll
2010-02-23 01:27 . 2010-02-23 23:28 -------- d-----w- c:\windows\system32\drivers\N360
2010-02-23 01:27 . 2010-02-23 01:28 -------- d-----w- c:\program files\Norton Security Suite
2010-02-23 01:27 . 2010-02-23 01:27 -------- d-----w- c:\program files\Windows Sidebar
2010-02-23 01:27 . 2010-02-23 01:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-02-23 01:26 . 2010-02-23 01:26 -------- d-----w- c:\program files\NortonInstaller
2010-02-23 01:26 . 2010-02-23 01:26 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-02-21 03:04 . 2010-02-21 03:04 -------- d-----w- c:\program files\Common Files\Java
2010-02-21 03:03 . 2010-02-21 03:03 503808 ----a-w- c:\documents and settings\Brad\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-79d9cc1a-n\msvcp71.dll
2010-02-21 03:03 . 2010-02-21 03:03 499712 ----a-w- c:\documents and settings\Brad\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-79d9cc1a-n\jmc.dll
2010-02-21 03:03 . 2010-02-21 03:03 348160 ----a-w- c:\documents and settings\Brad\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-79d9cc1a-n\msvcr71.dll
2010-02-21 03:03 . 2010-02-21 03:03 61440 ----a-w- c:\documents and settings\Brad\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-29f2c2e4-n\decora-sse.dll
2010-02-21 03:03 . 2010-02-21 03:03 12800 ----a-w- c:\documents and settings\Brad\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-29f2c2e4-n\decora-d3d.dll
2010-02-21 02:46 . 2010-02-21 02:51 -------- d-----w- C:\HostsXpert
2010-02-18 02:55 . 2010-02-18 02:56 -------- d-----w- C:\rsit
2010-02-11 19:26 . 2010-02-11 19:26 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-02-11 19:23 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-11 19:23 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-11 17:15 . 2010-02-11 17:15 -------- d--h--w- c:\windows\PIF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-23 01:30 . 2010-02-23 01:30 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-02-23 01:30 . 2010-02-23 01:30 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-02-23 01:29 . 2010-01-05 23:56 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-02-23 01:28 . 2010-01-05 23:56 107368 ----a-r- c:\windows\system32\GEARAspi.dll
2010-02-21 03:00 . 2009-08-26 19:54 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-11 19:26 . 2009-10-18 14:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-11 18:27 . 2009-08-26 22:30 329752 ----a-w- c:\windows\system32\drivers\iaStor.sys
2010-02-11 16:22 . 2009-10-06 01:46 -------- d-----w- c:\documents and settings\Brad\Application Data\U3
2010-01-14 22:34 . 2010-01-14 22:34 -------- d-----w- c:\documents and settings\Brad\Application Data\Windows Search
2010-01-06 00:08 . 2010-01-06 00:08 16460 ---ha-w- c:\windows\system32\mlfcache.dat
2010-01-05 23:57 . 2010-01-05 23:56 -------- d-----w- c:\documents and settings\Brad\Application Data\Apple Computer
2010-01-05 23:56 . 2010-01-05 23:54 -------- d-----w- c:\program files\iTunes
2010-01-05 23:56 . 2010-01-05 23:54 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-01-05 23:55 . 2010-01-05 23:55 -------- d-----w- c:\program files\iPod
2010-01-05 23:55 . 2010-01-05 23:47 -------- d-----w- c:\program files\Common Files\Apple
2010-01-05 23:54 . 2010-01-05 23:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-01-05 23:54 . 2010-01-05 23:54 -------- d-----w- c:\program files\Bonjour
2010-01-05 23:53 . 2010-01-05 23:51 -------- d-----w- c:\program files\QuickTime
2010-01-05 23:51 . 2010-01-05 23:51 -------- d-----w- c:\program files\Apple Software Update
2010-01-05 23:47 . 2010-01-05 23:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
.

((((((((((((((((((((((((((((( SnapShot@2010-02-20_03.54.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-23 23:18 . 2010-02-23 23:18 16384 c:\windows\Temp\Perflib_Perfdata_380.dat
+ 2010-02-23 23:17 . 2010-02-23 23:17 16384 c:\windows\Temp\Perflib_Perfdata_308.dat
+ 2008-04-25 20:33 . 2010-02-23 23:21 78252 c:\windows\system32\perfc009.dat
- 2008-04-25 20:33 . 2010-02-20 03:49 78252 c:\windows\system32\perfc009.dat
+ 2010-01-05 23:56 . 2010-02-23 01:29 26600 c:\windows\system32\DRVSTORE\GEARAspiWD_3B7AACF0636A2C042EB7AD2AFF76D37B27BDD28C\x86\GEARAspiWDM.sys
- 2010-01-05 23:56 . 2009-05-18 19:17 26600 c:\windows\system32\DRVSTORE\GEARAspiWD_3B7AACF0636A2C042EB7AD2AFF76D37B27BDD28C\x86\GEARAspiWDM.sys
+ 2010-02-23 23:30 . 2010-02-23 01:29 48688 c:\windows\system32\drivers\N360\0308000.029\symndisv.sys
+ 2010-02-23 23:30 . 2010-02-23 01:29 36400 c:\windows\system32\drivers\N360\0308000.029\symndis.sys
+ 2010-02-23 23:30 . 2010-02-23 01:29 33072 c:\windows\system32\drivers\N360\0308000.029\symids.sys
+ 2010-02-23 23:30 . 2010-02-23 01:29 89904 c:\windows\system32\drivers\N360\0308000.029\symfw.sys
+ 2010-02-23 23:30 . 2010-02-23 01:29 43696 c:\windows\system32\drivers\N360\0308000.029\srtspx.sys
+ 2010-02-23 01:29 . 2010-02-23 01:29 48688 c:\windows\system32\drivers\N360\0305020.00B\symndisv.sys
+ 2010-02-23 01:29 . 2010-02-23 01:29 36400 c:\windows\system32\drivers\N360\0305020.00B\symndis.sys
+ 2010-02-23 01:29 . 2010-02-23 01:29 33072 c:\windows\system32\drivers\N360\0305020.00B\symids.sys
+ 2010-02-23 01:29 . 2010-02-23 01:29 89904 c:\windows\system32\drivers\N360\0305020.00B\symfw.sys
+ 2010-02-23 01:29 . 2010-02-23 01:29 43696 c:\windows\system32\drivers\N360\0305020.00B\srtspx.sys
+ 2008-04-25 20:33 . 2010-02-23 23:21 459314 c:\windows\system32\perfh009.dat
- 2008-04-25 20:33 . 2010-02-20 03:49 459314 c:\windows\system32\perfh009.dat
+ 2010-02-21 03:02 . 2010-02-21 03:00 153376 c:\windows\system32\javaws.exe
+ 2010-02-21 03:02 . 2010-02-21 03:00 145184 c:\windows\system32\javaw.exe
+ 2010-02-21 03:02 . 2010-02-21 03:00 145184 c:\windows\system32\java.exe
+ 2010-01-05 23:56 . 2010-02-23 01:28 107368 c:\windows\system32\DRVSTORE\GEARAspiWD_3B7AACF0636A2C042EB7AD2AFF76D37B27BDD28C\x86\GEARAspi.dll
- 2010-01-05 23:56 . 2008-04-17 18:12 107368 c:\windows\system32\DRVSTORE\GEARAspiWD_3B7AACF0636A2C042EB7AD2AFF76D37B27BDD28C\x86\GEARAspi.dll
+ 2010-02-23 23:30 . 2010-02-23 01:29 217136 c:\windows\system32\drivers\N360\0308000.029\symtdi.sys
+ 2010-02-23 23:30 . 2010-02-23 01:29 310320 c:\windows\system32\drivers\N360\0308000.029\SymEFA.sys
+ 2010-02-23 23:30 . 2010-02-23 01:29 308272 c:\windows\system32\drivers\N360\0308000.029\srtsp.sys
+ 2010-02-23 23:30 . 2010-02-23 01:29 482432 c:\windows\system32\drivers\N360\0308000.029\cchpx86.sys
+ 2010-02-23 23:30 . 2010-02-23 01:29 259632 c:\windows\system32\drivers\N360\0308000.029\BHDrvx86.sys
+ 2010-02-23 01:29 . 2010-02-23 01:29 217136 c:\windows\system32\drivers\N360\0305020.00B\symtdi.sys
+ 2010-02-23 01:29 . 2010-02-23 01:29 310320 c:\windows\system32\drivers\N360\0305020.00B\SymEFA.sys
+ 2010-02-23 01:29 . 2010-02-23 01:29 308272 c:\windows\system32\drivers\N360\0305020.00B\srtsp.sys
+ 2010-02-23 01:29 . 2010-02-23 01:29 482432 c:\windows\system32\drivers\N360\0305020.00B\cchpx86.sys
+ 2010-02-23 01:29 . 2010-02-23 01:29 259632 c:\windows\system32\drivers\N360\0305020.00B\BHDrvx86.sys
- 2009-09-15 01:49 . 2009-08-26 20:02 262144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
+ 2009-09-15 01:49 . 2010-02-21 02:57 262144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
+ 2010-02-21 03:04 . 2010-02-21 03:04 178176 c:\windows\Installer\14e61.msi
+ 2010-02-21 03:00 . 2010-02-21 03:00 577536 c:\windows\Installer\14e5c.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-01-07 429392]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim]
2009-09-16 16:10 3634024 ----a-w- c:\program files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
2008-12-12 01:38 2220032 ----a-w- c:\windows\system32\WLTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2009-03-30 01:04 159744 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2009-03-30 01:04 135168 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2009-03-30 01:04 131072 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2009-05-14 18:50 17881088 ----a-w- c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2009-03-11 22:36 1434920 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0308000.029\SymEFA.sys [2/23/2010 6:30 PM 310320]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100218.001\IDSXpx86.sys [2/22/2010 8:42 PM 329592]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2/11/2010 2:23 PM 236368]
R2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe [2/23/2010 6:29 PM 117640]
R3 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\N360\0305020.00B\BHDrvx86.sys [2/22/2010 8:29 PM 259632]
R3 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0305020.00B\cchpx86.sys [2/22/2010 8:29 PM 482432]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/22/2010 1:55 PM 102448]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2/11/2010 2:23 PM 19160]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [8/26/2009 5:29 PM 164352]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [8/26/2009 5:29 PM 1684736]
.
Contents of the 'Scheduled Tasks' folder

2010-01-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-23 20:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\3.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1276)
c:\windows\System32\BCMLogon.dll
c:\windows\system32\igfxdev.dll
.
Completion time: 2010-02-23 20:36:46
ComboFix-quarantined-files.txt 2010-02-24 01:36
ComboFix2.txt 2010-02-22 01:38
ComboFix3.txt 2010-02-20 03:57

Pre-Run: 6,620,549,120 bytes free
Post-Run: 6,696,210,432 bytes free

- - End Of File - - DC598742112CF6DA3A499D4AD3135EC8
Upload was successful
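The "Reg Loading Points" and firewall-policy sections of a ComboFix log like the one above are the parts a responder reads first. What follows is an added example (my own Python, not part of this thread, of ComboFix, or of the helper's instructions) that parses that layout from a constructed sample and applies the checks a reviewer otherwise does by eye: autostart images living in user-writable directories, Windows binary names outside their real location, entries with no date/size stamp, and EnableFirewall set to 0. The sample entries, the USER_WRITABLE path fragments and the SYSTEM_BINARIES table are assumptions made for the demonstration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the layout ComboFix uses for its "Reg Loading Points"
# section. It is NOT the log posted in this thread; the "SampleRogueAV" and
# "UpdateCheck" values are the planted suspicious entries.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-01-07 429392]
"SampleRogueAV"="c:\documents and settings\Brad\Local Settings\Application Data\updater.exe" [2010-02-10 1191936]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdateCheck"="c:\windows\temp\svchost.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
ENTRY_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<value>[^"]*)"(?:\s+\[(?P<stamp>[^\]]*)\])?\s*$')
STAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+\d+$")          # "YYYY-MM-DD size"
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"=\s*0\b')

# Path fragments an unprivileged user, a browser exploit or a dropper can write
# to (assumed list). Legitimate software rarely autostarts from them on XP.
USER_WRITABLE = ("\\documents and settings\\", "\\users\\", "\\application data\\",
                 "\\local settings\\", "\\temp\\", "\\recycler\\")

# Names malware borrows from Windows, with the directory the real binary lives in.
SYSTEM_BINARIES = {
    "svchost.exe": "c:\\windows\\system32\\", "lsass.exe": "c:\\windows\\system32\\",
    "csrss.exe": "c:\\windows\\system32\\", "winlogon.exe": "c:\\windows\\system32\\",
    "smss.exe": "c:\\windows\\system32\\", "explorer.exe": "c:\\windows\\",
}


@dataclass
class Finding:
    key: str
    name: str
    path: str
    reasons: list = field(default_factory=list)


def _sections(log_text):
    """Yield (current registry key, stripped line) for every non-key line."""
    key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        if key and line:
            yield key, line


def image_path(value):
    """Lower-cased path of the executable, with anything after .exe dropped."""
    p = value.strip().lower()
    i = p.find(".exe")
    return p[: i + 4] if i != -1 else p


def audit(log_text):
    """Return a Finding for every autostart value that deserves a second look."""
    findings = []
    for key, line in _sections(log_text):
        m = ENTRY_RE.match(line)
        if not m:
            continue
        path = image_path(m.group("value"))
        reasons = []
        if any(frag in path for frag in USER_WRITABLE):
            reasons.append("runs from a user-writable directory")
        base = path.rsplit("\\", 1)[-1]
        expected = SYSTEM_BINARIES.get(base)
        if expected and path != expected + base:
            reasons.append(f"{base} outside its normal location {expected}")
        stamp = m.group("stamp")
        if stamp is None or not STAMP_RE.match(stamp):
            reasons.append("no date/size stamp recorded for the image")
        if reasons:
            findings.append(Finding(key, m.group("name"), path, reasons))
    return findings


def firewall_disabled(log_text):
    """True if a firewallpolicy key in the log carries EnableFirewall = 0."""
    return any("firewallpolicy" in key.lower() and FIREWALL_OFF_RE.match(line)
               for key, line in _sections(log_text))


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"[{f.key}] {f.name!r} -> {f.path}: {'; '.join(f.reasons)}")
    print("Windows Firewall disabled:", firewall_disabled(SAMPLE_LOG))
```

Run against the real log's Run section, the two planted entries would be the only ones reported; the stock entries in the thread (Adobe, QuickTime, iTunes, Malwarebytes, Java) all sit under Program Files with a stamp and pass. The firewall check is a reminder rather than a conviction: "EnableFirewall"= 0 is exactly what the log above shows, and it is also what a third-party firewall install produces, so confirm which one applies before acting on it.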


#14 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:05:06 AM

Posted 24 February 2010 - 11:30 AM

That looks fine. Any more problems? Please post a new DDS log.

Cheers



#15 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:05:06 AM

Posted 27 February 2010 - 10:11 PM

Thanks for the update.

Uninstall ComboFix
  • Click START then RUN
  • Now type Combofix /uninstall in the run box and click OK. Note the space between the X and the /; it needs to be there.



Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.


Congratulations! You now appear clean!

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Keeping Windows updated
It is extremely important to keep Windows up to date with the latest service pack and patches. This will prevent you
from getting the malware which uses vulnerabilities found in Windows to exploit your computer. The easiest way to
do this is by making sure that Automatic Updates are always enabled.

To do this, click on Start >> Control Panel >> Automatic Updates and click Automatic (recommended), then Apply and OK.

Update your AntiVirus Software
It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not
update your antivirus software then it will not be able to catch any of the new variants that may come out. If you
use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your
subscription runs out, you may not be able to update the program's virus definitions.

Make sure your applications have all of their updates
It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you.
Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly
patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Install a Firewall
I can not stress how important it is that you use a third party Firewall on your computer. Without a firewall your computer is
susceptible to being hacked and taken over. Windows firewall is good for blocking inbound connections but it does not block
outbound connections. So if Malware manages to get onto your computer it will be able to send data out when it wants.
Here are some free firewalls I would recommend; only install one of these.

Zone Alarm
Comodo. Note: Only install the Firewall as a standalone if you already have an AntiVirus installed on your computer.

After you install the third party firewall, please disable your Windows firewall. Please go to My Computer >> Control Panel >> Windows Firewall
and choose the Off (not recommended) option. Then click Apply and OK.

Install an AntiSpyware Program
A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version or the Pro version for a 15 day trial period.
Other recommended, and free, AntiSpyware programs are Spybot - Search and Destroy and Ad-Aware Personal.
Installing these programs will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would an antivirus software.
Tutorials on using these programs can be found below:
Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers
Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

Install SpywareBlaster
SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you
from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware

Use MVPS hosts file
Using a custom hosts file like the MVPS HOSTS file can help to block ads, banners, 3rd party Cookies,
3rd party page counters, web bugs, and even most hijackers. It doesn't use up any extra system resources
and may even speed up the loading of web pages. You can download it and find instructions below.

http://www.mvps.org/winhelp2002/hosts.htm

Update all these programs regularly
Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Happy surfing
Syler

Edited by syler, 01 March 2010 - 05:51 PM.

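The hosts-file advice above cuts both ways: the same file that blocks ad and malware domains is also a favourite hijacker target (the thread itself reached for HostsXpert for that reason), so it is worth auditing the file rather than trusting whatever is in it. The following is an added example in Python, written for this page rather than taken from the thread or from the MVPS project, that parses a hosts file and separates ordinary blocklist lines (names pointed at 0.0.0.0, 127.0.0.1 or ::1) from the two patterns a hijacker plants: sinkholing an update or security host, and redirecting a real site to some other address. The HOSTS_SAMPLE content and the PROTECTED host list are constructed for the demonstration; on XP the live file is %SystemRoot%\system32\drivers\etc\hosts.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample hosts file, not the MVPS file. The last two lines are the
# two patterns a hijacker plants: a sinkholed update host and a redirected site.
HOSTS_SAMPLE = """\
# constructed sample
127.0.0.1\tlocalhost
::1\tlocalhost
0.0.0.0\tads.example.net              # blocklist entry, expected
0.0.0.0\ttracker.example.org          # blocklist entry, expected
127.0.0.1\twindowsupdate.microsoft.com  # hijacker-style: silently blocks patching
203.0.113.10\twww.bank.example        # hijacker-style: sends users to another server
"""

# Addresses a blocklist legitimately points names at.
SINKHOLES = {"0.0.0.0", "127.0.0.1", "::1"}

# Illustrative list (an assumption of this example) of hosts that must never be
# sinkholed; extend it with your own AV vendor's update hosts.
PROTECTED = {"windowsupdate.microsoft.com", "update.microsoft.com",
             "download.windowsupdate.com"}


@dataclass
class HostEntry:
    lineno: int
    ip: str
    hostname: str


def parse_hosts(text):
    """Return one HostEntry per (address, name) pair; comments and blanks skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # first field is not an address: treat the line as malformed
        for name in fields[1:]:
            entries.append(HostEntry(lineno, ip, name.lower()))
    return entries


def audit_hosts(text, protected=PROTECTED):
    """Count normal blocklist lines and collect the two hijacker patterns."""
    report = {"blocked": 0, "protected_hits": [], "redirects": []}
    for e in parse_hosts(text):
        if e.hostname == "localhost":
            continue
        if e.ip in SINKHOLES:
            report["blocked"] += 1
            if e.hostname in protected:
                report["protected_hits"].append(e)
        else:
            # A blocklist never needs a routable address; anything else is a redirect.
            report["redirects"].append(e)
    return report


if __name__ == "__main__":
    r = audit_hosts(HOSTS_SAMPLE)
    print(f"{r['blocked']} names sinkholed")
    for e in r["protected_hits"]:
        print(f"line {e.lineno}: update/security host {e.hostname} is blocked")
    for e in r["redirects"]:
        print(f"line {e.lineno}: {e.hostname} redirected to {e.ip}")
```

The redirect check is the important one: a hosts-based blocklist has no reason to contain any address other than a sinkhole, so a single routable target (a bank, a webmail site, a search engine) is by itself a sign the file was tampered with, whatever the rest of it looks like.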




