Browser redirect, svchost.exe trojan, other issues


This topic is locked. 28 replies to this topic.

#16 OrSWin777 (Topic Starter), posted 04 March 2010 - 09:05 AM

(btw - what does that script do?)


#17 Buckeye_Sam (Malware Expert, Pickerington, Ohio), posted 04 March 2010 - 09:08 AM

Run without the script for now.

The script is a custom fix to remove malware that shows up in your log, but isn't detected.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#18 OrSWin777 (Topic Starter), posted 04 March 2010 - 10:26 AM

ComboFix ran successfully this time. Detected rootkit activity (7 entries this time), rebooted, and ran to completion. Here's the log. BTW - IE is now able to run again :).

ComboFix 10-03-03.07 - Owner 03/04/2010 9:59.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1983.1517 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Windows Media Player\pidgen.dll
c:\windows\system32\4DW4R3BlDRJeHYmh.dll
c:\windows\system32\4DW4R3c.dll
c:\windows\system32\4DW4R3ETCjedaAAQ.dll
c:\windows\system32\4DW4R3GeEDbScTbD.dll
c:\windows\system32\4DW4R3ldvdNurXMA.dll
c:\windows\system32\4DW4R3PcSKGtImAy.dll
c:\windows\system32\4DW4R3sv.dat
c:\windows\system32\4DW4R3uhamJumdhw.dll
c:\windows\system32\4DW4R3xsiGYjgECG.dll
c:\windows\system32\drivers\4DW4R3.sys
c:\windows\system32\drivers\4DW4R3EDyvyJVyOL.sys
c:\windows\system32\drivers\4DW4R3gmlgWeIukE.sys
c:\windows\system32\drivers\4DW4R3KSCjxNDtSy.sys
c:\windows\system32\drivers\4DW4R3mgmeOgBsnd.sys
c:\windows\system32\drivers\4DW4R3QBqjtNoOJa.sys
c:\windows\system32\drivers\4DW4R3SWctytOcWi.sys
c:\windows\system32\drivers\4DW4R3TCOmyktkaj.sys
c:\windows\system32\ide.txt
c:\windows\system32\lpd.txt
c:\windows\system32\qks.txt
c:\windows\system32\xef.txt

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_4DW4R3
-------\Legacy_4DW4R3


((((((((((((((((((((((((( Files Created from 2010-02-04 to 2010-03-04 )))))))))))))))))))))))))))))))
.

2010-02-25 19:13 . 2010-02-25 19:13 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ooooqi
2010-02-23 21:47 . 2010-02-23 21:47 43520 ----a-w- c:\windows\system32\cfxfbnhad4.dll
2010-02-23 19:07 . 2010-02-23 19:07 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-02-23 19:07 . 2010-02-24 05:58 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-02-23 19:07 . 2010-02-23 19:07 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2010-02-23 19:05 . 2010-02-23 19:05 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-02-23 17:22 . 2010-02-24 05:56 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\ybetev
2010-02-18 06:15 . 2010-02-18 06:16 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-02-18 02:24 . 2010-02-28 04:30 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-02-17 06:05 . 2010-02-17 06:06 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-02-07 05:08 . 2010-02-07 08:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-07 05:08 . 2010-02-07 05:50 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-06 22:03 . 2010-02-07 02:47 -------- d-----w- c:\windows\BDOSCAN8
2010-02-06 21:55 . 2010-02-06 21:55 -------- d-----w- c:\documents and settings\Owner\Application Data\QuickScan
2010-02-06 17:37 . 2010-02-06 17:37 -------- d-----w- c:\program files\ESET
2010-02-06 11:29 . 2010-02-06 11:29 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-02-06 11:29 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-06 11:29 . 2010-02-06 11:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-06 11:29 . 2010-02-06 11:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-06 11:29 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-03 19:26 . 2010-02-03 19:26 123 ----a-w- c:\program files\em_175590328.bat
2010-02-03 15:58 . 2010-02-07 07:42 120 ----a-w- c:\windows\Gpuyeyutezezuqu.dat
2010-02-03 15:58 . 2010-02-07 05:12 0 ----a-w- c:\windows\Qyajirojikeha.bin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-23 19:07 . 2010-02-23 19:07 52224 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-23 19:07 . 2010-02-23 19:07 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-23 00:46 . 2010-02-23 07:51 632544 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\3hq9b1e3.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
2010-02-23 00:45 . 2010-02-23 07:51 794808 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\3hq9b1e3.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
2010-02-20 18:29 . 2008-01-01 01:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-02-20 18:18 . 2009-06-26 14:33 -------- d-----w- c:\program files\McAfee
2010-02-18 02:24 . 2003-10-11 06:45 1648 ----a-w- c:\windows\system32\d3d8caps.dat
2010-02-14 07:16 . 2007-04-15 04:49 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
2010-02-13 05:01 . 2010-01-09 08:18 -------- d-----w- c:\documents and settings\Owner\Application Data\skypePM
2010-02-09 01:51 . 2010-02-09 01:51 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-02-09 01:51 . 2009-12-02 04:52 79488 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-02-07 05:30 . 2009-10-25 09:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Retrospect
2010-01-26 00:38 . 2008-08-10 08:53 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-19 10:53 . 2005-05-03 16:33 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-19 10:53 . 2005-05-03 16:33 96512 ----a-w- c:\windows\system32\drivers\atapi.svs
2010-01-18 09:15 . 2008-05-25 07:39 -------- d-----w- c:\documents and settings\Owner\Application Data\DVD Flick
2010-01-16 07:33 . 2007-12-29 04:11 -------- d-----w- c:\documents and settings\Owner\Application Data\SlimBrowser
2010-01-16 07:25 . 2010-01-16 07:25 -------- d-----w- c:\program files\AviSynth 2.5
2010-01-16 07:19 . 2008-05-25 07:38 -------- d-----w- c:\program files\DVD Flick
2010-01-16 06:40 . 2010-01-15 08:20 -------- d-----w- c:\documents and settings\Owner\Application Data\Azureus
2010-01-16 06:19 . 2010-01-16 06:19 -------- d-----w- c:\documents and settings\Owner\Application Data\AVS4YOU
2010-01-16 06:19 . 2010-01-16 06:19 -------- d-----w- c:\documents and settings\All Users\Application Data\AVS4YOU
2010-01-16 06:18 . 2010-01-16 06:16 -------- d-----w- c:\program files\AVS4YOU
2010-01-16 06:18 . 2010-01-16 06:17 -------- d-----w- c:\program files\Common Files\AVSMedia
2010-01-15 08:20 . 2010-01-15 08:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Azureus
2010-01-15 08:20 . 2010-01-15 08:20 -------- d-----w- c:\program files\Vuze
2010-01-15 07:32 . 2005-06-06 03:32 -------- d-----w- c:\program files\eMule
2010-01-10 10:03 . 2009-12-17 23:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Pixela
2010-01-10 05:27 . 2010-01-10 05:27 -------- d-----w- c:\documents and settings\Owner\Application Data\TeamViewer
2010-01-10 05:26 . 2010-01-10 05:26 -------- d-----w- c:\program files\TeamViewer
2010-01-09 08:18 . 2010-01-09 08:18 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-01-09 08:17 . 2010-01-09 08:17 -------- d-----w- c:\program files\Common Files\Skype
2010-01-09 08:17 . 2010-01-09 08:16 -------- d-----r- c:\program files\Skype
2010-01-09 08:16 . 2007-04-15 04:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-01-05 10:00 . 2005-05-03 16:33 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2009-06-20 21:48 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2005-05-03 16:34 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2005-05-03 16:33 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-16 18:43 . 2005-05-03 16:33 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2005-05-03 16:33 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-14 00:10 . 2004-12-18 18:27 92528 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-04 18:22 . 2005-05-03 16:33 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-09-06 03:34 . 2009-09-06 03:33 18015723 ----a-w- c:\program files\vlc-1.0.1-win32.exe
2004-11-20 05:50 . 2004-11-20 05:50 0 --sha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-02-28_20.42.16 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-04 14:58 . 2010-03-04 14:58 16384 c:\windows\Temp\Perflib_Perfdata_660.dat
+ 2007-01-29 08:58 . 2010-01-23 08:11 46080 c:\windows\system32\tzchange.exe
- 2007-01-29 08:58 . 2009-10-28 15:07 46080 c:\windows\system32\tzchange.exe
+ 2003-10-11 10:17 . 2010-03-04 12:20 49152 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2003-10-11 10:17 . 2010-02-28 20:03 49152 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-02-28 22:51 . 2010-03-04 12:20 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="nview.dll" [2003-08-19 852038]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-02-24 2012912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LTMSG"="LTMSG.exe 7" [X]
"Device Detector"="DevDetect.exe -autorun" [X]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"CamMonitor"="c:\program files\HP\Digital Imaging\Unload\hpqcmon.exe" [2002-10-07 90112]
"HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-05-23 483328]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"VTTimer"="VTTimer.exe" [2004-10-22 53248]
"AT&T DSL Service PCA Program"="c:\program files\AT&T\ACP\programs\wnpca.exe" [2002-09-10 196608]
"PS2"="c:\windows\system32\ps2.exe" [2002-08-01 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-07-17 98304]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-02-23 278528]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 236016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-06-20 198160]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"WD Button Manager"="WDBtnMgr.exe" [2009-10-25 331776]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]
spamsubtract.lnk - c:\program files\interMute\SpamSubtract\SpamSub.exe [2003-10-14 557056]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-12 73728]
ImageMixer 3 SE Camera Monitor Ver.5.lnk - c:\program files\PIXELA\ImageMixer 3 SE Ver.5\Transfer Utility\CameraMonitor.exe [2009-12-17 253952]
Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2003-7-30 57344]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Pando Networks\\Pando\\pando.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Avant Browser\\avant.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57826:TCP"= 57826:TCP:Pando P2P TCP Listening Port
"57826:UDP"= 57826:UDP:Pando P2P UDP Listening Port
"57005:TCP"= 57005:TCP:Pando P2P TCP Listening Port
"57005:UDP"= 57005:UDP:Pando P2P UDP Listening Port

R3 ALABULKO;OLYMPUS USB Media Adapter device driver;c:\windows\system32\drivers\ALABLK2O.SYS [11/9/2002 12:00 PM 34914]
S2 bwcijxrbstjnkic;bwcijxrbstjnkic;\??\c:\windows\system32\drivers\azipi.sys --> c:\windows\system32\drivers\azipi.sys [?]
S2 mrtRate;mrtRate; [x]
S3 PLCNDIS5;PLCNDIS5 NDIS Protocol Driver;c:\windows\system32\PLCNDIS5.SYS [1/19/2003 9:30 PM 17018]
.
Contents of the 'Scheduled Tasks' folder

2004-05-21 c:\windows\Tasks\Easy Internet Sign-up.job
- c:\program files\Easy Internet signup\HPSdpApp.exe [2003-08-16 05:37]

2010-01-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-06-26 17:22]

2010-03-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-06-26 17:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://srch-qus10.hpwis.com/
mSearch Bar = hxxp://srch-qus10.hpwis.com/
uInternet Connection Wizard,ShellNext = hxxp://www.symantec.com/techsupp/servlet/ProductMessages?product=LU&version=1.90&language=English&module=LU&error=1827&build=Symantec
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
LSP: SpSubLSP.dll
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\3hq9b1e3.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\3hq9b1e3.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\3hq9b1e3.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-04 10:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(668)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(728)
c:\windows\system32\SpSubLSP.dll
.
Completion time: 2010-03-04 10:18:04
ComboFix-quarantined-files.txt 2010-03-04 15:18
ComboFix2.txt 2010-02-28 20:47
ComboFix3.txt 2009-01-19 01:39

Pre-Run: 12,371,611,648 bytes free
Post-Run: 12,748,746,752 bytes free

- - End Of File - - 061D54B85FB6AA3481B2810B0CF91761


#19 Buckeye_Sam (Malware Expert, Pickerington, Ohio), posted 05 March 2010 - 07:42 AM

Let's try this again.

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

CODE
Driver::
bwcijxrbstjnkic

File::
c:\windows\system32\drivers\azipi.sys
c:\windows\system32\cfxfbnhad4.dll

Dirlook::
c:\documents and settings\LocalService\Local Settings\Application Data\ooooqi

Prior to running Combofix.exe you should disable your antivirus program.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.



This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

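The two replies above say what the CFScript does (it targets entries that show up in the log but that the scanners did not remove) but not how a reader gets from the log to the script. The following is an added example, written for this thread; it is not ComboFix's code and not part of any post here. It parses Drivers/Services and "Files Created" lines in the shape ComboFix prints them, flags the signs that were scripted against in post #19 (a service whose binary is reported missing with `[?]`, and a short all-lowercase folder dropped into a LocalService/NetworkService profile), and drafts the Driver::, File:: and Dirlook:: sections. The sample log is constructed from lines of the log posted in #18; the flagging rules are this example's own heuristics (assumptions), not ComboFix's rules, and the output is a draft for a helper to review, not something to run unreviewed.

```python
"""Triage a ComboFix log and draft the matching CFScript.

Added example for this thread; not ComboFix's code and not BleepingComputer's.
It reads two kinds of lines in the shape ComboFix prints them, flags the signs
the helper scripted against above, and emits Driver:: / File:: / Dirlook::
sections.  The flagging rules are this example's own heuristics (assumptions),
not ComboFix rules, and the output is a draft for a helper to review.
"""
import re

# Drivers/Services line: "<start> <name>;<display name>;<path and details>"
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")
# "Files Created" line: "<created> . <modified> <size-or-dashes> <attrs> <path>"
CREATED_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}"
    r"\s+(\S+)\s+(\S+)\s+(.+)$"
)
# ComboFix writes "<registered path> --> <resolved path> [?]" when the
# service's binary is not on disk (or hidden from it); "[x]" means no path.
MISSING_PATH_RE = re.compile(r"-->\s*(.+?)\s*\[\?\]$")
PLAIN_PATH_RE = re.compile(r"^(\S.*?\.\w+)\s*\[")
# Service-account profiles seldom gain app-data folders on their own.
SERVICE_PROFILE_RE = re.compile(
    r"\\(localservice|networkservice)\\local settings\\application data\\$"
)


def parse_services(lines):
    """Return one dict per Drivers/Services entry (R#/S# lines)."""
    found = []
    for line in lines:
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        start, name, display, rest = m.groups()
        rest = rest.strip()
        path_m = MISSING_PATH_RE.search(rest) or PLAIN_PATH_RE.match(rest)
        found.append({
            "start": start, "name": name, "display": display,
            "path": path_m.group(1) if path_m else "",
            "missing_binary": rest.endswith("[?]"),
        })
    return found


def is_suspicious_service(svc):
    """Heuristic (assumption, not a ComboFix rule): binary missing/hidden, or a
    long random-looking lowercase name reused verbatim as the display name."""
    name = svc["name"]
    random_name = (name == svc["display"] and len(name) >= 12
                   and name.isalpha() and name.islower())
    return svc["missing_binary"] or random_name


def suspicious_dirs(lines):
    """New directories under LocalService/NetworkService app data whose leaf
    name is all lowercase letters (ooooqi, ybetev); vendor folders such as
    'Adobe' keep their capital and are skipped.  Heuristic, not a rule."""
    hits = []
    for line in lines:
        m = CREATED_RE.match(line.strip())
        if not m:
            continue
        _size, attrs, path = m.groups()
        leaf = path.rsplit("\\", 1)[-1]
        parent = path[: len(path) - len(leaf)].lower()
        if (attrs.startswith("d") and SERVICE_PROFILE_RE.search(parent)
                and leaf.isalpha() and leaf.islower()):
            hits.append(path)
    return hits


def build_cfscript(log_text, extra_files=()):
    """Draft Driver::/File::/Dirlook:: sections from a log, plus any files the
    reviewer adds by hand (extra_files).  Sections are omitted when empty."""
    lines = log_text.splitlines()
    bad = [s for s in parse_services(lines) if is_suspicious_service(s)]
    files = sorted({s["path"] for s in bad if s["path"]} | set(extra_files))
    dirs = suspicious_dirs(lines)
    sections = []
    if bad:
        sections.append("Driver::\n" + "\n".join(s["name"] for s in bad))
    if files:
        sections.append("File::\n" + "\n".join(files))
    if dirs:
        sections.append("Dirlook::\n" + "\n".join(dirs))
    return "\n\n".join(sections) + "\n"


# Constructed sample: lines copied from the log posted earlier in this thread.
SAMPLE_LOG = r"""
2010-02-25 19:13 . 2010-02-25 19:13 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ooooqi
2010-02-23 21:47 . 2010-02-23 21:47 43520 ----a-w- c:\windows\system32\cfxfbnhad4.dll
2010-02-23 17:22 . 2010-02-24 05:56 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\ybetev
2010-02-18 06:15 . 2010-02-18 06:16 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
R3 ALABULKO;OLYMPUS USB Media Adapter device driver;c:\windows\system32\drivers\ALABLK2O.SYS [11/9/2002 12:00 PM 34914]
S2 bwcijxrbstjnkic;bwcijxrbstjnkic;\??\c:\windows\system32\drivers\azipi.sys --> c:\windows\system32\drivers\azipi.sys [?]
S2 mrtRate;mrtRate; [x]
S3 PLCNDIS5;PLCNDIS5 NDIS Protocol Driver;c:\windows\system32\PLCNDIS5.SYS [1/19/2003 9:30 PM 17018]
"""

if __name__ == "__main__":
    # cfxfbnhad4.dll is the random-named DLL the helper picked out of the
    # "Files Created" list by eye; it is passed in by hand here.
    print(build_cfscript(SAMPLE_LOG, extra_files=[r"c:\windows\system32\cfxfbnhad4.dll"]))
```

Run on the constructed sample, the draft reproduces the three sections the helper posted (Driver:: bwcijxrbstjnkic, File:: the two paths, Dirlook:: the ooooqi folder) and additionally lists the NetworkService\...\ybetev folder, which meets the same folder heuristic and would be worth a look. The `mrtRate` entry with `[x]` is an orphaned registration with no file and is deliberately left alone; the `[X]` Run entries (LTMSG, Device Detector) in the log are the same kind of leftover and are not touched either.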

#20 OrSWin777 (Topic Starter), posted 05 March 2010 - 12:30 PM

Just a quick update and check before I run this again. Both the browser redirect issue and the svchost.exe issue pegging the CPU seem to have cleared up for the moment (hopefully for good :) ). Are you still seeing other malware from the last ComboFix run?

#21 Buckeye_Sam (Malware Expert, Pickerington, Ohio), posted 05 March 2010 - 08:19 PM

Yes, the script is designed to remove malware that is still present.

#22 OrSWin777 (Topic Starter), posted 06 March 2010 - 06:13 AM

Thanks. It ran successfully using the script, no rootkit activity message this time, and rebooted the PC. Here's the log.


ComboFix 10-03-05.03 - Owner 03/06/2010 5:36.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1983.1327 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\windows\system32\cfxfbnhad4.dll"
"c:\windows\system32\drivers\azipi.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\cfxfbnhad4.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_bwcijxrbstjnkic


((((((((((((((((((((((((( Files Created from 2010-02-06 to 2010-03-06 )))))))))))))))))))))))))))))))
.

2010-02-25 19:13 . 2010-02-25 19:13 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ooooqi
2010-02-23 19:07 . 2010-02-23 19:07 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-02-23 19:07 . 2010-02-24 05:58 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-02-23 19:07 . 2010-02-23 19:07 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2010-02-23 19:05 . 2010-02-23 19:05 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-02-23 17:22 . 2010-02-24 05:56 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\ybetev
2010-02-18 06:15 . 2010-02-18 06:16 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-02-18 02:24 . 2010-02-28 04:30 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-02-17 06:05 . 2010-02-17 06:06 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-02-07 05:08 . 2010-02-07 08:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-07 05:08 . 2010-02-07 05:50 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-06 22:03 . 2010-02-07 02:47 -------- d-----w- c:\windows\BDOSCAN8
2010-02-06 21:55 . 2010-02-06 21:55 -------- d-----w- c:\documents and settings\Owner\Application Data\QuickScan
2010-02-06 17:37 . 2010-02-06 17:37 -------- d-----w- c:\program files\ESET
2010-02-06 11:29 . 2010-02-06 11:29 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-02-06 11:29 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-06 11:29 . 2010-02-06 11:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-06 11:29 . 2010-02-06 11:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-06 11:29 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-20 18:29 . 2008-01-01 01:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-02-20 18:18 . 2009-06-26 14:33 -------- d-----w- c:\program files\McAfee
2010-02-18 02:24 . 2003-10-11 06:45 1648 ----a-w- c:\windows\system32\d3d8caps.dat
2010-02-14 07:16 . 2007-04-15 04:49 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
2010-02-13 05:01 . 2010-01-09 08:18 -------- d-----w- c:\documents and settings\Owner\Application Data\skypePM
2010-02-07 07:42 . 2010-02-03 15:58 120 ----a-w- c:\windows\Gpuyeyutezezuqu.dat
2010-02-07 05:30 . 2009-10-25 09:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Retrospect
2010-02-07 05:12 . 2010-02-03 15:58 0 ----a-w- c:\windows\Qyajirojikeha.bin
2010-02-03 19:26 . 2010-02-03 19:26 123 ----a-w- c:\program files\em_175590328.bat
2010-01-26 00:38 . 2008-08-10 08:53 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-19 10:53 . 2005-05-03 16:33 96512 ----a-w- c:\windows\system32\drivers\atapi.svs
2010-01-19 10:53 . 2005-05-03 16:33 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-01-18 09:15 . 2008-05-25 07:39 -------- d-----w- c:\documents and settings\Owner\Application Data\DVD Flick
2010-01-16 07:33 . 2007-12-29 04:11 -------- d-----w- c:\documents and settings\Owner\Application Data\SlimBrowser
2010-01-16 07:25 . 2010-01-16 07:25 -------- d-----w- c:\program files\AviSynth 2.5
2010-01-16 07:19 . 2008-05-25 07:38 -------- d-----w- c:\program files\DVD Flick
2010-01-16 06:40 . 2010-01-15 08:20 -------- d-----w- c:\documents and settings\Owner\Application Data\Azureus
2010-01-16 06:19 . 2010-01-16 06:19 -------- d-----w- c:\documents and settings\Owner\Application Data\AVS4YOU
2010-01-16 06:19 . 2010-01-16 06:19 -------- d-----w- c:\documents and settings\All Users\Application Data\AVS4YOU
2010-01-16 06:18 . 2010-01-16 06:16 -------- d-----w- c:\program files\AVS4YOU
2010-01-16 06:18 . 2010-01-16 06:17 -------- d-----w- c:\program files\Common Files\AVSMedia
2010-01-15 08:20 . 2010-01-15 08:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Azureus
2010-01-15 08:20 . 2010-01-15 08:20 -------- d-----w- c:\program files\Vuze
2010-01-15 07:32 . 2005-06-06 03:32 -------- d-----w- c:\program files\eMule
2010-01-10 10:03 . 2009-12-17 23:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Pixela
2010-01-10 05:27 . 2010-01-10 05:27 -------- d-----w- c:\documents and settings\Owner\Application Data\TeamViewer
2010-01-10 05:26 . 2010-01-10 05:26 -------- d-----w- c:\program files\TeamViewer
2010-01-09 08:18 . 2010-01-09 08:18 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-01-09 08:17 . 2010-01-09 08:17 -------- d-----w- c:\program files\Common Files\Skype
2010-01-09 08:17 . 2010-01-09 08:16 -------- d-----r- c:\program files\Skype
2010-01-09 08:16 . 2007-04-15 04:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-01-05 10:00 . 2005-05-03 16:33 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2009-06-20 21:48 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2005-05-03 16:34 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2005-05-03 16:33 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-16 18:43 . 2005-05-03 16:33 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2005-05-03 16:33 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-14 00:10 . 2004-12-18 18:27 92528 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-06 03:34 . 2009-09-06 03:33 18015723 ----a-w- c:\program files\vlc-1.0.1-win32.exe
2004-11-20 05:50 . 2004-11-20 05:50 0 --sha-w- c:\windows\SMINST\HPCD.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\LocalService\Local Settings\Application Data\ooooqi ----



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="nview.dll" [2003-08-19 852038]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-02-24 2012912]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LTMSG"="LTMSG.exe 7" [X]
"Device Detector"="DevDetect.exe -autorun" [X]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"CamMonitor"="c:\program files\HP\Digital Imaging\Unload\hpqcmon.exe" [2002-10-07 90112]
"HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-05-23 483328]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"VTTimer"="VTTimer.exe" [2004-10-22 53248]
"AT&T DSL Service PCA Program"="c:\program files\AT&T\ACP\programs\wnpca.exe" [2002-09-10 196608]
"PS2"="c:\windows\system32\ps2.exe" [2002-08-01 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-07-17 98304]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-02-23 278528]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 236016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-06-20 198160]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"WD Button Manager"="WDBtnMgr.exe" [2009-10-25 331776]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]
spamsubtract.lnk - c:\program files\interMute\SpamSubtract\SpamSub.exe [2003-10-14 557056]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-12 73728]
ImageMixer 3 SE Camera Monitor Ver.5.lnk - c:\program files\PIXELA\ImageMixer 3 SE Ver.5\Transfer Utility\CameraMonitor.exe [2009-12-17 253952]
Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2003-7-30 57344]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Pando Networks\\Pando\\pando.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Avant Browser\\avant.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57826:TCP"= 57826:TCP:Pando P2P TCP Listening Port
"57826:UDP"= 57826:UDP:Pando P2P UDP Listening Port
"57005:TCP"= 57005:TCP:Pando P2P TCP Listening Port
"57005:UDP"= 57005:UDP:Pando P2P UDP Listening Port

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [1/5/2010 7:56 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 66632]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [6/26/2009 9:38 AM 93320]
R3 ALABULKO;OLYMPUS USB Media Adapter device driver;c:\windows\system32\drivers\ALABLK2O.SYS [11/9/2002 12:00 PM 34914]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 12872]
S2 mrtRate;mrtRate; [x]
S3 PLCNDIS5;PLCNDIS5 NDIS Protocol Driver;c:\windows\system32\PLCNDIS5.SYS [1/19/2003 9:30 PM 17018]
.
Contents of the 'Scheduled Tasks' folder

2004-05-21 c:\windows\Tasks\Easy Internet Sign-up.job
- c:\program files\Easy Internet signup\HPSdpApp.exe [2003-08-16 05:37]

2010-01-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-06-26 17:22]

2010-03-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-06-26 17:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://srch-qus10.hpwis.com/
mSearch Bar = hxxp://srch-qus10.hpwis.com/
uInternet Connection Wizard,ShellNext = hxxp://www.symantec.com/techsupp/servlet/ProductMessages?product=LU&version=1.90&language=English&module=LU&error=1827&build=Symantec
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
LSP: SpSubLSP.dll
DPF: {15589FA1-C456-11CE-BF01-00AA0055595A}
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\3hq9b1e3.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\3hq9b1e3.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\3hq9b1e3.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.
- - - - ORPHANS REMOVED - - - -

BHO-{6A3FD6C0-BF13-4A24-9B28-BF4E76336AA0} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-06 05:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(664)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(724)
c:\windows\system32\SpSubLSP.dll

- - - - - - - > 'explorer.exe'(3516)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Sprint\Mobile Broadband\SMBAUtilSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\program files\McAfee\MSK\MskSrver.exe
c:\program files\Dantz\Retrospect\retrorun.exe
c:\progra~1\Dantz\RETROS~1\wdsvc.exe
c:\windows\system32\VTTimer.exe
c:\windows\LTMSG.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\ACD Systems\EN\DevDetect.exe
c:\windows\system32\WDBtnMgr.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\windows\system32\HPZipm12.exe
c:\program files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
.
**************************************************************************
.
Completion time: 2010-03-06 06:06:10 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-06 11:06
ComboFix2.txt 2010-03-04 15:18
ComboFix3.txt 2010-02-28 20:47
ComboFix4.txt 2009-01-19 01:39

Pre-Run: 12,720,017,408 bytes free
Post-Run: 12,621,316,096 bytes free

Current=7 Default=7 Failed=6 LastKnownGood=8 Sets=,1,2,3,6,7,8
- - End Of File - - 93C4A2F35F05B87889D7CADAE536F257


#23 Buckeye_Sam (Malware Expert, Members, 17,382 posts, Pickerington, Ohio)

Posted 06 March 2010 - 03:03 PM

There we go, that log looks clean to me. How are things on your end now? Any remaining issues?
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#24 OrSWin777 (Topic Starter, Members, 16 posts)

Posted 07 March 2010 - 03:20 AM

That's great news (clean log). Was not able to be on long today, but everything looks good so far - have not seen any redirects or svchost.exe issues. I'll be sure to post a follow up to confirm all still looks good after I have had a chance to check things out more thoroughly.

A couple questions in the meantime, if you have time to answer:

Should I take any actions regarding system restore points (like delete old ones)? (or did ComboFix already do anything with those?)

Do you have any specifics on what type of malware was removed, and if there is anything I should still be concerned about? (for example any keyloggers or anything else which might make it advisable to change online passwords etc)

Also - I have an external HD for backup. I had run MBAM against it multiple times, but powered it off when the issues got worse. It was still off for the last couple ComboFix runs. Should I run ComboFix again when I power it back on? (do CF scans include external devices?)

#25 OrSWin777 (Topic Starter, Members, 16 posts)

Posted 07 March 2010 - 03:34 AM

Meant to mention regarding the second question - I have two MBAM logs and an ESET log from scans that were run before starting this thread, if you would like to see those. (All of them identified things to be removed or quarantined.)

#26 Buckeye_Sam (Malware Expert, Members, 17,382 posts, Pickerington, Ohio)

Posted 08 March 2010 - 08:17 AM

Once you're certain your computer is clean then yes, you should flush out all the old restore points and set a new clean one. I'll post more about that down below. You had a rootkit infection that causes a redirection when trying to view search results. In addition to that infection you had other malware files that I can't identify. While keyloggers aren't that common I wouldn't take any chances. Your computer was compromised. I do think it's a good idea to change any passwords that you use and take other appropriate precautions, especially if there's finances involved.

Your external drive should be ok, but you'll want to scan it with your antivirus and Malwarebytes to be sure. Combofix isn't something you can use for this purpose. In fact Combofix is a specialized and very powerful tool that should now be removed. Here are some final steps and recommendations for you.


We need to remove Combofix now that we're done with it.
  • Click Start -> Run
  • Now type Combofix /uninstall in the runbox and click OK


==================



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  1. Disable and Enable System Restore - You should disable and re-enable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to disable and re-enable system restore here:

    Windows XP System Restore Guide

    Windows Vista System Restore Guide

    Re-enable system restore with instructions from the appropriate tutorial above.

  2. Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  3. Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  4. Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  5. Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  6. Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  7. Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  8. Install Malwarebytes - Malwarebytes has free and paid versions of the program that can identify and remove malicious software from your computer.

    Download Malwarebytes from here.

  9. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.





#27 OrSWin777 (Topic Starter, Members, 16 posts)

Posted 10 March 2010 - 12:33 AM

Thanks for the answers and all the great information. I will definitely work through all of this as soon as I can get a break from my real job : ).

Do you have a personal preference for #2 (Antivirus program)? I have been using McAfee Internet Security for two years, but have been unimpressed by its resource utilization among other things. I have stayed away from Norton for the same reason, but read in a recent review that the 2010 version is vastly improved in that area, and also is way ahead of the pack in detecting malware (although I don't expect any antivirus program to accomplish that task by itself).

BTW - I have tried running S&D with TeaTimer, but I use mostly Firefox for several reasons (better tabbed browsing, better add-ons, better session saving, etc etc), and TeaTimer runs up the CPU with FF running. Would be interested to know if you have seen any fixes for that, since TeaTimer seems to be a good preventative measure to take.

#28 Buckeye_Sam (Malware Expert, Members, 17,382 posts, Pickerington, Ohio)

Posted 11 March 2010 - 05:17 PM

I'm not a big fan of McAfee or Norton right now, although if I had to choose from the pair of them I'd pick Norton. Right now I'm actually using the free version of Avast on all my computers and I'm very pleased with it. If you did want to purchase a security suite look at Nod32 or Kaspersky.

There is a balancing act between real time protection and performance. You have to find the right balance for your machine. If you're light on memory you may decide not to use TeaTimer.

#29 Buckeye_Sam (Malware Expert, Members, 17,382 posts, Pickerington, Ohio)

Posted 19 March 2010 - 08:19 AM

Now that your malware problem appears to be resolved, this topic will be closed.
If you need this topic reopened, please contact a member of the Malware Response Team and we will reopen it for you.
Include the address of this topic in your request.
