
Redirect Myshovel


  • This topic is locked
14 replies to this topic

#1 DevWillie

DevWillie

  • Members
  • 9 posts
  • OFFLINE
  • Local time:02:34 PM

Posted 15 March 2010 - 03:05 PM

Hi Elise,

I had to log in as an administrator to get the CD Emulation shut down to work.
Here's my DDS log and I attached the Attach log.
The gmer ran for almost an hour and rendered my machine useless.
I had to do a cold re-boot to get it back and it wasn't finished so there's no ark file.

Hopefully there is enough data here to identify/resolve the problem.

I guess I could run the gmer overnight but my machine has full cygwin with MANY X-win packages installed so I don't know how long it will take.

DDS (Ver_09-12-01.01) - NTFSx86
Run by Administrator at 15:01:27.05 on Mon 03/15/2010
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2657 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\TIREMOTE\TIRemoteService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\wlucas\Desktop\Defogger.exe
C:\Documents and Settings\wlucas\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
Trusted Zone: eagle_one
Trusted Zone: localhost
Trusted Zone: onyx-cognos
Trusted Zone: onyx-cognos-dr
Trusted Zone: onyx-dr
Trusted Zone: onyx-kbea
Trusted Zone: onyx-oep1
Trusted Zone: onyx-oep2
Trusted Zone: onyx_test
Trusted Zone: tyleronyx
DPF: {2311DF65-9D1A-4DDA-94AA-90568D989633} - hxxp://vm-munqaiis/fjs/activex/gdc.cab
DPF: {3311DF65-9D1A-4DDA-94AA-90568D989633} - hxxp://qa-munis/dbv81_demo_gdc/mu_gdcax/gdc2.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://tylergateway.tylertech.com/dana-cached/sc/JuniperSetupClient.cab
Notify: AtiExtEvent - Ati2evxx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\qi7cdz98.default\
FF - plugin: c:\documents and settings\administrator\local settings\application data\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 dfbe;dfbe;c:\windows\system32\dfbe.sys [2010-3-4 74752]
R1 NEOFLTR_650_14599;Juniper Networks TDI Filter Driver (NEOFLTR_650_14599);c:\windows\system32\drivers\NEOFLTR_650_14599.SYS [2010-1-13 77608]
R2 MsDtsServer;SQL Server Integration Services;c:\program files\microsoft sql server\90\dts\binn\MsDtsSrvr.exe [2005-10-14 199384]
R2 TIRmtSvc;Track-It! Workstation Manager;c:\windows\tiremote\TIRemoteService.exe [2009-6-23 214016]
S0 cerc6;cerc6; [x]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2005-9-23 2799808]
S4 myprojectname;myprojectname;"c:/ruby/bin/mongrel_service.exe" single -e development -p 4000 -a 0.0.0.0 -l "log/mongrel.log" -P "log/mongrel.pid" -c "C:/cygwin-1.7/usr/will/Projects/my_rails_projects/myprojectname" -t 0 -r "public" -n 1024 --> c:/ruby/bin/mongrel_service.exe [?]

=============== Created Last 30 ================

2010-03-15 19:01:04 0 ----a-w- c:\documents and settings\administrator\defogger_reenable
2010-03-15 14:08:56 0 d-sha-r- C:\cmdcons
2010-03-15 14:07:41 98816 ----a-w- c:\windows\sed.exe
2010-03-15 14:07:41 77312 ----a-w- c:\windows\MBR.exe
2010-03-15 14:07:41 261632 ----a-w- c:\windows\PEV.exe
2010-03-15 14:07:41 161792 ----a-w- c:\windows\SWREG.exe
2010-03-15 14:07:37 0 d-s---w- C:\ComboFix
2010-03-15 13:14:50 204120 -c--a-w- c:\windows\system32\dllcache\wuweb.dll
2010-03-12 22:01:54 230 ----a-w- c:\windows\system32\spupdsvc.inf
2010-03-11 15:14:50 0 d-sh--w- c:\documents and settings\administrator\IETldCache
2010-03-11 14:34:29 0 d-----w- c:\windows\system32\appmgmt
2010-03-11 14:34:19 0 d-----w- c:\windows\SxsCaPendDel
2010-03-10 19:42:38 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-03-10 19:08:47 0 d-----w- c:\program files\TrendMicro
2010-03-04 22:08:36 74752 ----a-w- c:\windows\system32\dfbe.sys
2010-03-01 22:03:33 0 d-----w- c:\docume~1\alluse~1\applic~1\boost_interprocess
2010-02-17 22:19:49 0 d-----w- C:\temp_for_archiving

==================== Find3M ====================

2010-01-18 21:30:52 833536 ----a-w- c:\windows\system32\dxmrtp.dll
2010-01-18 21:30:52 138944 ----a-w- c:\windows\system32\RTCRES.dll
2010-01-18 21:30:52 1055744 ----a-w- c:\windows\system32\RTCDLL.dll
2009-12-22 05:21:05 667136 ----a-w- c:\windows\system32\wininet.dll
2009-06-05 18:30:44 3072 ----a-w- c:\windows\inf\del_mu_gdcax2.exe

============= FINISH: 15:01:35.36 ===============

I've attached the zipped Attach.zip




#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,663 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:08:34 PM

Posted 15 March 2010 - 03:13 PM


Welcome to the Bleeping Computer Malware Removal Forum. My name is Elise. I'll be glad to help you with your computer problems.


I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
Please be patient and I'd be grateful if you would note the following:
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem.


COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#3 DevWillie

DevWillie
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:02:34 PM

Posted 15 March 2010 - 03:36 PM

Here's the combofix log:
ComboFix 10-03-15.01 - wlucas 03/15/2010 16:25:29.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2839 [GMT -4:00]
Running from: z:\temp\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\wlucas\LOCALS~1\Temp\install_flash_player.exe
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\AppPatch\AcAdProc.dll
c:\windows\COUPON~1.OCX
c:\windows\CouponPrinter.ocx
c:\windows\system32\dfbe.sys

----- BITS: Possible infected sites -----

hxxp://fal-syscenter:8530
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_dfbe
-------\Service_dfbe


((((((((((((((((((((((((( Files Created from 2010-02-15 to 2010-03-15 )))))))))))))))))))))))))))))))
.

2010-03-15 18:59 . 2010-03-15 18:59 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-03-15 13:14 . 2008-01-23 22:35 204120 -c--a-w- c:\windows\system32\dllcache\wuweb.dll
2010-03-15 13:14 . 2008-01-23 22:35 204120 ----a-w- c:\windows\system32\wuweb.dll
2010-03-11 15:14 . 2010-03-11 15:14 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-03-11 14:34 . 2010-03-11 14:35 -------- d-----w- c:\windows\SxsCaPendDel
2010-03-10 19:42 . 2010-03-10 19:42 -------- d-----w- c:\documents and settings\wlucas\Application Data\Malwarebytes
2010-03-10 19:42 . 2010-03-10 19:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-10 19:08 . 2010-03-10 19:08 388096 ----a-r- c:\documents and settings\wlucas\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-03-10 19:08 . 2010-03-10 19:08 -------- d-----w- c:\program files\TrendMicro
2010-03-04 19:26 . 2010-03-05 14:25 -------- d-----w- c:\documents and settings\wlucas\Local Settings\Application Data\Temporary Projects
2010-03-01 22:03 . 2010-03-01 22:03 -------- d-----w- c:\documents and settings\All Users\Application Data\boost_interprocess
2010-03-01 22:03 . 2010-03-01 22:04 -------- d-----w- c:\documents and settings\wlucas\Application Data\Multi File Downloader
2010-02-17 22:19 . 2010-02-22 17:00 -------- d-----w- C:\temp_for_archiving

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-15 18:30 . 2009-07-17 20:08 -------- d-----w- c:\documents and settings\wlucas\Application Data\U3
2010-03-12 21:55 . 2009-07-07 16:46 -------- d-----w- c:\program files\Google
2010-03-12 19:50 . 2009-07-30 16:09 -------- d-----w- c:\program files\Common Files\Real
2010-03-11 16:32 . 2009-07-06 15:49 23080 ----a-w- c:\documents and settings\wlucas\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-11 14:34 . 2009-06-24 17:58 -------- d-----w- c:\documents and settings\wlucas\Application Data\ShoreWare Client
2010-03-09 14:57 . 2009-11-09 15:18 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-25 17:16 . 2009-11-13 18:14 165232 ---ha-w- c:\documents and settings\wlucas\Application Data\Microsoft\Virtual PC\VPCKeyboard.dll
2010-02-09 18:25 . 2009-09-22 14:22 -------- d-----w- c:\program files\cygwin
2010-02-04 21:59 . 2010-02-04 21:31 -------- d-----w- c:\program files\Gadwin Systems
2010-02-04 16:36 . 2010-02-04 16:36 -------- d-----w- c:\documents and settings\wlucas\Application Data\Xerox
2010-02-01 17:06 . 2010-02-01 17:06 -------- d-----w- c:\program files\FLV Player
2010-01-29 20:53 . 2010-01-29 20:52 -------- d-----w- c:\program files\PDFCreator
2010-01-18 21:30 . 2010-01-18 21:30 833536 ----a-w- c:\windows\system32\dxmrtp.dll
2010-01-18 21:30 . 2010-01-18 21:30 138944 ----a-w- c:\windows\system32\RTCRES.dll
2010-01-18 21:30 . 2010-01-18 21:30 1055744 ----a-w- c:\windows\system32\RTCDLL.dll
2010-01-18 16:49 . 2009-06-23 15:36 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-13 21:17 . 2010-01-13 21:17 161632 ----a-w- c:\documents and settings\wlucas\Application Data\Juniper Networks\Setup Client\x86_Microsoft.VC80.CRTP_8.0.50727.762.exe
2010-01-13 21:17 . 2010-01-13 21:17 291696 ----a-w- c:\documents and settings\wlucas\Application Data\Juniper Networks\Setup Client\x86_Microsoft.VC80.CRTR_8.0.50727.762.exe
2010-01-13 21:17 . 2010-01-13 21:17 36948 ----a-w- c:\documents and settings\wlucas\Application Data\Juniper Networks\setup\uninstall.exe
2009-12-22 05:21 . 2008-04-14 12:00 667136 ----a-w- c:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadwin PrintScreen"="c:\program files\Gadwin Systems\PrintScreen\PrintScreen.exe" [2008-12-09 495616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMBalloonTip"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1567609011-1781888868-2182618124-10204\Scripts\Logon\0\0]
"Script"=Munis-logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1567609011-1781888868-2182618124-1444\Scripts\Logon\0\0]
"Script"=Munis-logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1567609011-1781888868-2182618124-1447\Scripts\Logon\0\0]
"Script"=Munis-logon.bat

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 NEOFLTR_650_14599;Juniper Networks TDI Filter Driver (NEOFLTR_650_14599);c:\windows\system32\drivers\NEOFLTR_650_14599.SYS [1/13/2010 5:17 PM 77608]
R2 MsDtsServer;SQL Server Integration Services;c:\program files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe [10/14/2005 3:45 AM 199384]
R2 TIRmtSvc;Track-It! Workstation Manager;c:\windows\TIREMOTE\TIRemoteService.exe [6/23/2009 11:58 AM 214016]
S0 cerc6;cerc6; [x]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 7:01 AM 2799808]
S4 myprojectname;myprojectname;"c:/ruby/bin/mongrel_service.exe" single -e development -p 4000 -a 0.0.0.0 -l "log/mongrel.log" -P "log/mongrel.pid" -c "C:/cygwin-1.7/usr/will/Projects/my_rails_projects/myprojectname" -t 0 -r "public" -n 1024 --> c:/ruby/bin/mongrel_service.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2010-03-07 c:\windows\Tasks\Backup.job
- c:\windows\system32\ntbackup.exe [2008-04-14 12:00]

2010-03-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-789336058-1606980848-1801674531-500.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-27 17:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
Trusted Zone: eagle_one
Trusted Zone: localhost
Trusted Zone: onyx-cognos
Trusted Zone: onyx-cognos-dr
Trusted Zone: onyx-dr
Trusted Zone: onyx-kbea
Trusted Zone: onyx-oep1
Trusted Zone: onyx-oep2
Trusted Zone: onyx_test
Trusted Zone: tyleronyx
DPF: {2311DF65-9D1A-4DDA-94AA-90568D989633} - hxxp://vm-munqaiis/fjs/activex/gdc.cab
DPF: {3311DF65-9D1A-4DDA-94AA-90568D989633} - hxxp://qa-munis/dbv81_demo_gdc/mu_gdcax/gdc2.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://tylergateway.tylertech.com/dana-cached/sc/JuniperSetupClient.cab
FF - ProfilePath - c:\documents and settings\wlucas\Application Data\Mozilla\Firefox\Profiles\8v5ooor0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\documents and settings\wlucas\Application Data\Mozilla\Firefox\Profiles\8v5ooor0.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - component: c:\documents and settings\wlucas\Application Data\Mozilla\Firefox\Profiles\8v5ooor0.default\extensions\jssh@extensions.mozilla.org\components\jssh.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-15 16:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msftesql]
"ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:MSSQLSERVER"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\myprojectname]
"ImagePath"="\"c:/ruby/bin/mongrel_service.exe\" single -e development -p 4000 -a 0.0.0.0 -l \"log/mongrel.log\" -P \"log/mongrel.pid\" -c \"C:/cygwin-1.7/usr/will/Projects/my_rails_projects/myprojectname\" -t 0 -r \"public\" -n 1024"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\myprojectname]
"ImagePath"="\"c:/ruby/bin/mongrel_service.exe\" single -e development -p 4000 -a 0.0.0.0 -l \"log/mongrel.log\" -P \"log/mongrel.pid\" -c \"C:/cygwin-1.7/usr/will/Projects/my_rails_projects/myprojectname\" -t 0 -r \"public\" -n 1024"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(908)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
.
**************************************************************************
.
Completion time: 2010-03-15 16:33:21 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-15 20:33

Pre-Run: 200,695,369,728 bytes free
Post-Run: 202,246,033,408 bytes free

- - End Of File - - 02CF35173D8E31D0FB27E42311A3729A


#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,663 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:08:34 PM

Posted 15 March 2010 - 03:58 PM

Hello again,

Well, we got lucky, Combofix took it out.

Can you please also post attach.txt (you said you attached it, but I don't see it). No need to attach it, please copy/paste it into the reply box.

CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
CODE
DDS::
Trusted Zone: eagle_one
Trusted Zone: localhost
Trusted Zone: onyx-cognos
Trusted Zone: onyx-cognos-dr
Trusted Zone: onyx-dr
Trusted Zone: onyx-kbea
Trusted Zone: onyx-oep1
Trusted Zone: onyx-oep2
Trusted Zone: onyx_test
Trusted Zone: tyleronyx

Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

regards, Elise
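As a worked example of the log triage that goes on behind replies like the one above (added here; it is not code from the thread, from DDS or from ComboFix): a small Python script that reads the line formats DDS produced in this thread, splits the log into its "=== Section ===" blocks, pulls out the Trusted Zone and service/driver lines, cross-references loaded drivers against the "Created Last 30" listing, and renders the DDS:: block of a CFScript in the shape Elise posted. The two heuristics in flag_services and the sample log are my own assumptions, modelled on the DDS output posted earlier in the thread; nothing here replaces an analyst reading the full log.

```python
"""Triage helper for DDS-style logs (added example; assumes only the DDS line
formats visible in this thread: "=== Section ===" headers, "Trusted Zone: host",
"R1 name;display;path [date size]" service lines and
"date time size attrs path" lines under "Created Last 30")."""
import re
from dataclasses import dataclass

# Constructed sample, modelled on the DDS output posted in this thread.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
Trusted Zone: eagle_one
Trusted Zone: localhost
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://tylergateway.tylertech.com/dana-cached/sc/JuniperSetupClient.cab

============= SERVICES / DRIVERS ===============

R1 dfbe;dfbe;c:\windows\system32\dfbe.sys [2010-3-4 74752]
R1 NEOFLTR_650_14599;Juniper Networks TDI Filter Driver (NEOFLTR_650_14599);c:\windows\system32\drivers\NEOFLTR_650_14599.SYS [2010-1-13 77608]
S0 cerc6;cerc6; [x]

=============== Created Last 30 ================

2010-03-04 22:08:36 74752 ----a-w- c:\windows\system32\dfbe.sys
""".strip("\n")

HEADER_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")
PATH_INFO_RE = re.compile(r"^(.*?)\s*\[([^\]]*)\]$")
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \S+ \d+ \S+ (.+)$")
TRUSTED_RE = re.compile(r"^Trusted Zone:\s*(.+)$")


@dataclass
class Service:
    status: str   # R = running, S = stopped; the digit is the start type
    name: str
    display: str
    path: str     # lower-cased so it compares with the file listings
    info: str     # whatever DDS put in the trailing [...] bracket


def parse_sections(text):
    """Split a DDS log into {section title: [non-blank lines]}."""
    sections, current = {}, None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line)
    return sections


def parse_services(lines):
    services = []
    for line in lines:
        m = SERVICE_RE.match(line)
        if not m:
            continue
        status, name, display, rest = m.groups()
        path, info = rest, ""
        m2 = PATH_INFO_RE.match(rest)
        if m2:
            path, info = m2.group(1), m2.group(2)
        services.append(Service(status, name, display, path.strip().lower(), info))
    return services


def recent_paths(created_lines):
    """Paths listed under 'Created Last 30', lower-cased."""
    return {m.group(1).strip().lower()
            for m in map(CREATED_RE.match, created_lines) if m}


def trusted_zones(hjt_lines):
    return [m.group(1).strip() for m in map(TRUSTED_RE.match, hjt_lines) if m]


def flag_services(services, recent):
    """Assumed heuristics an analyst applies by eye; returns [(name, [reasons])]."""
    flagged = []
    for s in services:
        if not s.status.startswith("R"):
            continue  # only loaded drivers/services matter for this pass
        reasons = []
        if s.path in recent:
            reasons.append("binary created within the last 30 days")
        if s.name == s.display and re.fullmatch(r"[a-z0-9]{3,6}", s.name):
            reasons.append("short generic name with no descriptive display name")
        if reasons:
            flagged.append((s.name, reasons))
    return flagged


def build_cfscript(hosts):
    """Render the DDS:: block of a CFScript that removes Trusted Zone entries."""
    return "DDS::\n" + "".join(f"Trusted Zone: {h}\n" for h in hosts)


def triage(text):
    sec = parse_sections(text)
    services = parse_services(sec.get("SERVICES / DRIVERS", []))
    return flag_services(services, recent_paths(sec.get("Created Last 30", [])))


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG):
        print(f"{name}: {'; '.join(reasons)}")
    print(build_cfscript(trusted_zones(parse_sections(SAMPLE_LOG)["Pseudo HJT Report"])))
```

On the sample, the only service flagged is dfbe, on both counts: its driver file was created four days before the scan and it carries no display name beyond its own four-letter service name, which is the same pairing a human reader picks out of the posted log. Trusted Zone hosts are listed verbatim into the DDS:: block, as in the CFScript above; whether internal hostnames like these belong in the Trusted Zone is a judgement for whoever manages the machine, not something the script decides.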


#5 DevWillie

DevWillie
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:02:34 PM

Posted 15 March 2010 - 04:24 PM

Here is attach.txt:


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 6/23/2009 11:09:14 AM
System Uptime: 3/15/2010 9:22:49 AM (6 hours ago)

Motherboard: Dell Inc. | | 0GM819
Processor: Intel® Core™2 Duo CPU E6550 @ 2.33GHz | CPU | 2327/1333mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 233 GiB total, 186.949 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP179: 12/13/2009 4:48:54 AM - System Checkpoint
RP180: 12/14/2009 5:36:52 AM - System Checkpoint
RP181: 12/15/2009 6:48:49 AM - System Checkpoint
RP182: 12/16/2009 6:51:58 AM - System Checkpoint
RP183: 12/16/2009 10:48:41 AM - Printer Driver Microsoft Office Document Image Writer Installed
RP184: 12/17/2009 1:39:04 PM - System Checkpoint
RP185: 12/18/2009 2:00:21 AM - Software Distribution Service 3.0
RP186: 12/19/2009 3:05:35 AM - System Checkpoint
RP187: 12/20/2009 4:10:04 AM - System Checkpoint
RP188: 12/21/2009 5:10:01 AM - System Checkpoint
RP189: 12/22/2009 5:48:07 AM - System Checkpoint
RP190: 12/23/2009 6:00:04 AM - System Checkpoint
RP191: 12/24/2009 7:00:03 AM - System Checkpoint
RP192: 12/24/2009 10:31:53 AM - Installed Windows Media Format 9 Series Runtime Setup
RP193: 12/25/2009 10:48:00 AM - System Checkpoint
RP194: 12/26/2009 10:59:57 AM - System Checkpoint
RP195: 12/27/2009 11:59:54 AM - System Checkpoint
RP196: 12/28/2009 12:47:53 PM - System Checkpoint
RP197: 12/29/2009 12:59:49 PM - System Checkpoint
RP198: 12/30/2009 1:59:13 PM - System Checkpoint
RP199: 12/31/2009 2:59:45 PM - System Checkpoint
RP200: 1/1/2010 3:59:42 PM - System Checkpoint
RP201: 1/2/2010 4:59:39 PM - System Checkpoint
RP202: 1/4/2010 2:12:42 PM - System Checkpoint
RP203: 1/5/2010 2:16:36 PM - System Checkpoint
RP204: 1/6/2010 4:22:20 PM - System Checkpoint
RP205: 1/7/2010 6:03:46 PM - System Checkpoint
RP206: 1/8/2010 6:58:03 PM - System Checkpoint
RP207: 1/9/2010 7:58:00 PM - System Checkpoint
RP208: 1/10/2010 8:45:58 PM - System Checkpoint
RP209: 1/11/2010 8:57:56 PM - System Checkpoint
RP210: 1/12/2010 8:59:00 PM - System Checkpoint
RP211: 1/13/2010 9:10:57 PM - System Checkpoint
RP212: 1/14/2010 1:38:48 PM - Installed Four J's Genero Desktop Client 2.21.04
RP213: 1/15/2010 1:58:54 PM - System Checkpoint
RP214: 1/16/2010 2:10:50 PM - System Checkpoint
RP215: 1/17/2010 2:58:48 PM - System Checkpoint
RP216: 1/18/2010 5:53:23 PM - System Checkpoint
RP217: 1/19/2010 6:34:09 PM - System Checkpoint
RP218: 1/20/2010 6:55:11 PM - System Checkpoint
RP219: 1/21/2010 7:07:09 PM - System Checkpoint
RP220: 1/22/2010 8:07:06 PM - System Checkpoint
RP221: 1/23/2010 8:55:04 PM - System Checkpoint
RP222: 1/24/2010 8:58:23 PM - System Checkpoint
RP223: 1/25/2010 9:11:31 AM - Installed Four J's Genero Desktop Client (2.21.0) - ActiveX
RP224: 1/26/2010 9:27:43 AM - Installed Four J's Genero Desktop Client 2.22.00
RP225: 1/27/2010 10:57:05 AM - Installed Four J's Genero Desktop Client (2.21.0) - ActiveX
RP226: 1/28/2010 12:56:37 PM - System Checkpoint
RP227: 1/29/2010 2:13:04 PM - System Checkpoint
RP228: 1/29/2010 3:53:12 PM - Printer Driver PDFCreator Installed
RP229: 1/30/2010 4:08:37 PM - System Checkpoint
RP230: 1/31/2010 4:56:36 PM - System Checkpoint
RP231: 2/1/2010 5:50:50 PM - System Checkpoint
RP232: 2/2/2010 6:41:36 PM - System Checkpoint
RP233: 2/3/2010 7:41:33 PM - System Checkpoint
RP234: 2/4/2010 8:41:33 PM - System Checkpoint
RP235: 2/5/2010 9:29:29 PM - System Checkpoint
RP236: 2/6/2010 10:29:26 PM - System Checkpoint
RP237: 2/7/2010 11:41:22 PM - System Checkpoint
RP238: 2/9/2010 12:37:34 AM - System Checkpoint
RP239: 2/10/2010 1:42:23 AM - System Checkpoint
RP240: 2/11/2010 2:00:16 AM - Software Distribution Service 3.0
RP241: 2/11/2010 2:36:26 PM - Installed Four J's Genero Desktop Client (2.22) - ActiveX
RP242: 2/12/2010 6:00:09 PM - System Checkpoint
RP243: 2/13/2010 6:44:38 PM - System Checkpoint
RP244: 2/14/2010 7:42:30 PM - System Checkpoint
RP245: 2/15/2010 9:16:56 PM - System Checkpoint
RP246: 2/16/2010 11:34:00 AM - Installed Four J's Genero Desktop Client 2.22.02
RP247: 2/17/2010 3:32:45 PM - System Checkpoint
RP248: 2/22/2010 9:45:48 AM - System Checkpoint
RP249: 2/23/2010 9:52:16 AM - System Checkpoint
RP250: 2/24/2010 10:45:19 AM - Software Distribution Service 3.0
RP251: 2/25/2010 1:48:39 PM - System Checkpoint
RP252: 2/26/2010 2:27:30 PM - System Checkpoint
RP253: 2/27/2010 3:15:28 PM - System Checkpoint
RP254: 2/28/2010 3:27:25 PM - System Checkpoint
RP255: 3/1/2010 5:47:31 PM - System Checkpoint
RP256: 3/2/2010 5:55:20 PM - System Checkpoint
RP257: 3/3/2010 6:32:40 PM - System Checkpoint
RP258: 3/4/2010 7:29:32 PM - System Checkpoint
RP259: 3/5/2010 7:34:08 PM - System Checkpoint
RP260: 3/6/2010 8:34:05 PM - System Checkpoint
RP261: 3/7/2010 9:34:02 PM - System Checkpoint
RP262: 3/8/2010 10:22:00 PM - System Checkpoint
RP263: 3/9/2010 9:09:08 AM - Installed ShoreTel Call Manager.
RP264: 3/9/2010 9:57:45 AM - Installed Four J's Genero Desktop Client (1.33.1y) - ActiveX
RP265: 3/10/2010 1:15:41 PM - System Checkpoint
RP266: 3/10/2010 2:08:47 PM - Installed HiJackThis
RP267: 3/11/2010 9:33:37 AM - Removed ShoreTel Call Manager.
RP268: 3/11/2010 10:11:20 AM - Removed ESET NOD32 Antivirus
RP269: 3/11/2010 3:56:21 PM - Installed ESET NOD32 Antivirus
RP270: 3/12/2010 3:32:19 PM - Removed ESET NOD32 Antivirus
RP271: 3/12/2010 5:00:40 PM - Removed Internet Explorer Developer Toolbar
RP272: 3/12/2010 5:00:57 PM - Removed Microsoft Silverlight
RP273: 3/12/2010 5:01:11 PM - Removed MSN Toolbar
RP274: 3/12/2010 5:01:19 PM - Removed pdfforge Toolbar v1.1.2.
RP275: 3/15/2010 9:14:00 AM - Software Distribution Service 3.0
RP276: 3/15/2010 9:21:35 AM - Software Distribution Service 3.0

==== Installed Programs ======================

Acrobat.com
ActivePerl 5.10.0 Build 1005
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.3.1
ATI Display Driver
CmdHere Powertoy For Windows XP
Compatibility Pack for the 2007 Office system
Consolas Font Family
Coupon Printer for Windows
FLV Player 2.0 (build 25)
Four J's GDC 2.20.15 [17-09-09 11h37m23s]
Four J's Genero Desktop Client (1.33.1y) - ActiveX
Four J's Genero Desktop Client (2.21.0) - ActiveX
Four J's Genero Desktop Client 2.21.02
Four J's Genero Desktop Client 2.21.03
Four J's Genero Desktop Client 2.21.04
Four J's Genero Desktop Client 2.22.00
Four J's Genero Desktop Client 2.22.02
Free Mp3 Wma Converter V 1.81
Gadwin PrintScreen
Gadwin Web Snapshot
Genero Desktop Client (ActiveX) - Version 2
Google Chrome
GPL Ghostscript 8.64
GSview 4.9
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Microsoft Visual C# 2008 Express Edition with SP1 - ENU (KB945282)
Hotfix for Microsoft Visual C# 2008 Express Edition with SP1 - ENU (KB946040)
Hotfix for Microsoft Visual C# 2008 Express Edition with SP1 - ENU (KB946308)
Hotfix for Microsoft Visual C# 2008 Express Edition with SP1 - ENU (KB947540)
Hotfix for Microsoft Visual C# 2008 Express Edition with SP1 - ENU (KB947789)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Intel® PRO Network Connections Drivers
Juniper Networks Secure Application Manager
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2003 Web Components
Microsoft Office Standard Edition 2003
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Analysis Services
Microsoft SQL Server 2005 Backward compatibility
Microsoft SQL Server 2005 Books Online (English)
Microsoft SQL Server 2005 Integration Services
Microsoft SQL Server 2005 Notification Services
Microsoft SQL Server 2005 Tools
Microsoft SQL Server 2008 Management Objects
Microsoft SQL Server Compact 3.5 SP1 Design Tools English
Microsoft SQL Server Compact 3.5 SP1 English
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Virtual PC 2007
Microsoft Visual C# 2008 Express Edition with SP1 - ENU
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual Studio 2005 Premier Partner Edition - ENU
Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for .NET Framework - enu
Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for Win32
Mozilla Firefox (3.5.8)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB927977)
Numara Track-It! 8 Agent
PDFCreator
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
SQL Server System CLR Types
SQLXML4
Ultr@VNC Release 1.0.0 RC 18 - Win32
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB978207)
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
WinSQL
WinZip
Zune Desktop Theme

==== Event Viewer Messages From Past Week ========

3/12/2010 3:05:27 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
3/11/2010 9:51:34 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD ehdrv epfwtdir Fips intelppm IPSec MRxSmb NEOFLTR_650_14599 NetBIOS NetBT RasAcd Rdbss Tcpip vmm
3/11/2010 9:15:13 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: ehdrv Fips intelppm vmm
3/11/2010 4:04:42 PM, error: EventLog [6004] - A driver packet received from the I/O subsystem was invalid. The data is the packet.
3/11/2010 10:52:01 AM, error: Service Control Manager [7038] - The MSSQLServerOLAPService service was unable to log on as TYLER\wlucas with the currently configured password due to the following error: Logon failure: unknown user name or bad password. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
3/11/2010 10:52:01 AM, error: Service Control Manager [7038] - The msftesql service was unable to log on as TYLER\wlucas with the currently configured password due to the following error: Logon failure: unknown user name or bad password. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
3/11/2010 10:52:01 AM, error: Service Control Manager [7000] - The SQL Server FullText Search (MSSQLSERVER) service failed to start due to the following error: The service did not start due to a logon failure.
3/11/2010 10:52:01 AM, error: Service Control Manager [7000] - The SQL Server Analysis Services (MSSQLSERVER) service failed to start due to the following error: The service did not start due to a logon failure.
3/11/2010 10:39:15 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
3/11/2010 10:35:33 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm vmm
3/11/2010 10:14:26 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MRxSmb NEOFLTR_650_14599 NetBIOS NetBT RasAcd Rdbss Tcpip vmm
3/11/2010 10:14:26 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
3/11/2010 10:14:26 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
3/11/2010 10:14:26 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
3/11/2010 10:14:26 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.

==== End Of File ===========================

Here is the combofix log from the CF result:
ComboFix 10-03-15.02 - wlucas 03/15/2010 17:18:03.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2878 [GMT -4:00]
Running from: z:\temp\ComboFix.exe
Command switches used :: c:\documents and settings\wlucas\Desktop\CFScript.txt
.

((((((((((((((((((((((((( Files Created from 2010-02-15 to 2010-03-15 )))))))))))))))))))))))))))))))
.

2010-03-15 18:59 . 2010-03-15 18:59 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-03-15 13:14 . 2008-01-23 22:35 204120 -c--a-w- c:\windows\system32\dllcache\wuweb.dll
2010-03-15 13:14 . 2008-01-23 22:35 204120 ----a-w- c:\windows\system32\wuweb.dll
2010-03-11 15:14 . 2010-03-11 15:14 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-03-11 14:34 . 2010-03-11 14:35 -------- d-----w- c:\windows\SxsCaPendDel
2010-03-10 19:42 . 2010-03-10 19:42 -------- d-----w- c:\documents and settings\wlucas\Application Data\Malwarebytes
2010-03-10 19:42 . 2010-03-10 19:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-10 19:08 . 2010-03-10 19:08 388096 ----a-r- c:\documents and settings\wlucas\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-03-10 19:08 . 2010-03-10 19:08 -------- d-----w- c:\program files\TrendMicro
2010-03-04 19:26 . 2010-03-05 14:25 -------- d-----w- c:\documents and settings\wlucas\Local Settings\Application Data\Temporary Projects
2010-03-01 22:03 . 2010-03-01 22:03 -------- d-----w- c:\documents and settings\All Users\Application Data\boost_interprocess
2010-03-01 22:03 . 2010-03-01 22:04 -------- d-----w- c:\documents and settings\wlucas\Application Data\Multi File Downloader
2010-02-17 22:19 . 2010-02-22 17:00 -------- d-----w- C:\temp_for_archiving

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-15 18:30 . 2009-07-17 20:08 -------- d-----w- c:\documents and settings\wlucas\Application Data\U3
2010-03-12 21:55 . 2009-07-07 16:46 -------- d-----w- c:\program files\Google
2010-03-12 19:50 . 2009-07-30 16:09 -------- d-----w- c:\program files\Common Files\Real
2010-03-11 16:32 . 2009-07-06 15:49 23080 ----a-w- c:\documents and settings\wlucas\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-11 14:34 . 2009-06-24 17:58 -------- d-----w- c:\documents and settings\wlucas\Application Data\ShoreWare Client
2010-03-09 14:57 . 2009-11-09 15:18 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-25 17:16 . 2009-11-13 18:14 165232 ---ha-w- c:\documents and settings\wlucas\Application Data\Microsoft\Virtual PC\VPCKeyboard.dll
2010-02-09 18:25 . 2009-09-22 14:22 -------- d-----w- c:\program files\cygwin
2010-02-04 21:59 . 2010-02-04 21:31 -------- d-----w- c:\program files\Gadwin Systems
2010-02-04 16:36 . 2010-02-04 16:36 -------- d-----w- c:\documents and settings\wlucas\Application Data\Xerox
2010-02-01 17:06 . 2010-02-01 17:06 -------- d-----w- c:\program files\FLV Player
2010-01-29 20:53 . 2010-01-29 20:52 -------- d-----w- c:\program files\PDFCreator
2010-01-18 21:30 . 2010-01-18 21:30 833536 ----a-w- c:\windows\system32\dxmrtp.dll
2010-01-18 21:30 . 2010-01-18 21:30 138944 ----a-w- c:\windows\system32\RTCRES.dll
2010-01-18 21:30 . 2010-01-18 21:30 1055744 ----a-w- c:\windows\system32\RTCDLL.dll
2010-01-18 16:49 . 2009-06-23 15:36 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-13 21:17 . 2010-01-13 21:17 161632 ----a-w- c:\documents and settings\wlucas\Application Data\Juniper Networks\Setup Client\x86_Microsoft.VC80.CRTP_8.0.50727.762.exe
2010-01-13 21:17 . 2010-01-13 21:17 291696 ----a-w- c:\documents and settings\wlucas\Application Data\Juniper Networks\Setup Client\x86_Microsoft.VC80.CRTR_8.0.50727.762.exe
2010-01-13 21:17 . 2010-01-13 21:17 36948 ----a-w- c:\documents and settings\wlucas\Application Data\Juniper Networks\setup\uninstall.exe
2009-12-22 05:21 . 2008-04-14 12:00 667136 ------w- c:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadwin PrintScreen"="c:\program files\Gadwin Systems\PrintScreen\PrintScreen.exe" [2008-12-09 495616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMBalloonTip"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1567609011-1781888868-2182618124-10204\Scripts\Logon\0\0]
"Script"=Munis-logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1567609011-1781888868-2182618124-1444\Scripts\Logon\0\0]
"Script"=Munis-logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1567609011-1781888868-2182618124-1447\Scripts\Logon\0\0]
"Script"=Munis-logon.bat

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 NEOFLTR_650_14599;Juniper Networks TDI Filter Driver (NEOFLTR_650_14599);c:\windows\system32\drivers\NEOFLTR_650_14599.SYS [1/13/2010 5:17 PM 77608]
R2 MsDtsServer;SQL Server Integration Services;c:\program files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe [10/14/2005 3:45 AM 199384]
S0 cerc6;cerc6; [x]
S2 TIRmtSvc;Track-It! Workstation Manager;c:\windows\TIREMOTE\TIRemoteService.exe [6/23/2009 11:58 AM 214016]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 7:01 AM 2799808]
S4 myprojectname;myprojectname;"c:/ruby/bin/mongrel_service.exe" single -e development -p 4000 -a 0.0.0.0 -l "log/mongrel.log" -P "log/mongrel.pid" -c "C:/cygwin-1.7/usr/will/Projects/my_rails_projects/myprojectname" -t 0 -r "public" -n 1024 --> c:/ruby/bin/mongrel_service.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2010-03-07 c:\windows\Tasks\Backup.job
- c:\windows\system32\ntbackup.exe [2008-04-14 12:00]

2010-03-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-789336058-1606980848-1801674531-500.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-27 17:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
DPF: {2311DF65-9D1A-4DDA-94AA-90568D989633} - hxxp://vm-munqaiis/fjs/activex/gdc.cab
DPF: {3311DF65-9D1A-4DDA-94AA-90568D989633} - hxxp://qa-munis/dbv81_demo_gdc/mu_gdcax/gdc2.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://tylergateway.tylertech.com/dana-cached/sc/JuniperSetupClient.cab
FF - ProfilePath - c:\documents and settings\wlucas\Application Data\Mozilla\Firefox\Profiles\8v5ooor0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\documents and settings\wlucas\Application Data\Mozilla\Firefox\Profiles\8v5ooor0.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - component: c:\documents and settings\wlucas\Application Data\Mozilla\Firefox\Profiles\8v5ooor0.default\extensions\jssh@extensions.mozilla.org\components\jssh.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-15 17:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msftesql]
"ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:MSSQLSERVER"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\myprojectname]
"ImagePath"="\"c:/ruby/bin/mongrel_service.exe\" single -e development -p 4000 -a 0.0.0.0 -l \"log/mongrel.log\" -P \"log/mongrel.pid\" -c \"C:/cygwin-1.7/usr/will/Projects/my_rails_projects/myprojectname\" -t 0 -r \"public\" -n 1024"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\myprojectname]
"ImagePath"="\"c:/ruby/bin/mongrel_service.exe\" single -e development -p 4000 -a 0.0.0.0 -l \"log/mongrel.log\" -P \"log/mongrel.pid\" -c \"C:/cygwin-1.7/usr/will/Projects/my_rails_projects/myprojectname\" -t 0 -r \"public\" -n 1024"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(908)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-03-15 17:21:44
ComboFix-quarantined-files.txt 2010-03-15 21:21
ComboFix2.txt 2010-03-15 20:33

Pre-Run: 202,254,356,480 bytes free
Post-Run: 202,246,991,872 bytes free

- - End Of File - - 0D0E568C11CA21164C4806296EC5B2C0


#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,663 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:08:34 PM

Posted 15 March 2010 - 04:28 PM

That looks good, how are things running now (and yes, this is my last post for today, have to catch some sleep now).

MALWAREBYTES ANTIMALWARE
-------------------------------------------
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft

 

animinionsmalltext.gif


#7 DevWillie

DevWillie
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:02:34 PM

Posted 15 March 2010 - 04:32 PM

Things seem good.
I'll do the malwarebytes install tomorrow and install IE and Chrome.

Thanks so much for your help. Sleep well!

Will

#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,663 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:08:34 PM

Posted 16 March 2010 - 03:31 AM

Okay, waiting for the scan result.

regards, Elise




#9 DevWillie

DevWillie
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:02:34 PM

Posted 16 March 2010 - 10:23 AM

Here is the MBAM log
All looks ok.

How do I PREVENT this from happening again?
Is there any way to obtain some pathology on this insidious problem?

Thanks for your help!
**********************************************************************
Malwarebytes' Anti-Malware 1.44
Database version: 3873
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

3/16/2010 11:18:05 AM
mbam-log-2010-03-16 (11-18-05).txt

Scan type: Full Scan (C:\|)
Objects scanned: 479236
Time elapsed: 2 hour(s), 8 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,663 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:08:34 PM

Posted 16 March 2010 - 12:25 PM

Hello again,

I'll give you some prevention advice once we are done here.

Little is known about the pathology of this particular redirector. It installs as a driver and it's usually made up of 4 random letters.

INSTALL ANTIVIRUS
---------------------------
I don't see an Anti Virus Program running on your machine

Download and install an antivirus program, and make sure that you keep it updated
New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
Three good antivirus programs free for non-commercial home use are Avast!, Antivir and Microsoft Security Essentials
Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.


ESET ONLINE SCANNER
----------------------------
I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    Note - when ESET doesn't find any threats, no report will be created.
  12. Push the button.
  13. Push

regards, Elise



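Elise's note above that this redirector installs as a driver named with four random letters, together with the ComboFix driver/service lines Will posted earlier, as an added example that is not part of the thread: a small Python parser for the ComboFix service-line format with a triage pass built on that description. The regexes, `triage` and the `xqzv` line are my own constructions; `xqzv` is a placeholder imitating the naming pattern, not a real indicator.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ComboFix's "Reg Loading Points" section lists drivers and services one per line:
#   <start> <name>;<display name>;<image path> [<date> <size>]
# <start> is R (running) or S (stopped) followed by the start-type digit
# (0 = boot, 1 = system, 2 = automatic, 3 = manual, 4 = disabled).
# "[x]" in place of the trailer means ComboFix could not find the image file;
# "[?]" means the file exists but its date/size could not be read.
SERVICE_RE = re.compile(
    r"^(?P<start>[RS][0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$"
)
TRAILER_RE = re.compile(r"\s*\[(?P<info>[^\]]*)\]\s*$")

# Heuristic taken from the thread: the redirector driver carries a four-random-letter name.
RANDOM_NAME_RE = re.compile(r"^[a-z]{4}$")


@dataclass
class ServiceEntry:
    start: str
    name: str
    display: str
    image_path: Optional[str]  # None when ComboFix printed "[x]"
    file_found: bool


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Parse one ComboFix driver/service line; return None for any other line."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    start, name, display = m.group("start"), m.group("name"), m.group("display")
    rest = m.group("rest").strip()
    t = TRAILER_RE.search(rest)
    info = t.group("info") if t else ""
    body = rest[: t.start()].strip() if t else rest
    if info == "x":
        return ServiceEntry(start, name, display, None, False)
    # A full command line is printed as '<cmdline> --> <resolved exe>'; keep the exe.
    if "-->" in body:
        body = body.rsplit("-->", 1)[1].strip()
    return ServiceEntry(start, name, display, body or None, True)


def triage(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (service name, reason) pairs that deserve a closer look."""
    findings: List[Tuple[str, str]] = []
    for line in lines:
        e = parse_service_line(line)
        if e is None:
            continue
        if not e.file_found:
            findings.append((e.name, "image file not found ([x])"))
        # Legitimate short names exist (Fips appears in the Event Viewer lines above),
        # so also require the display name to be a bare copy of the service name.
        if RANDOM_NAME_RE.match(e.name) and e.display == e.name:
            findings.append((e.name, "four-letter name with no descriptive display name"))
    return findings


# Service lines copied from the ComboFix log in this thread, plus one constructed
# line (xqzv) imitating the naming pattern Elise describes; it is a placeholder,
# not a real indicator. The last line is not a service line and must be skipped.
SAMPLE_LINES = [
    r"R1 NEOFLTR_650_14599;Juniper Networks TDI Filter Driver (NEOFLTR_650_14599);c:\windows\system32\drivers\NEOFLTR_650_14599.SYS [1/13/2010 5:17 PM 77608]",
    r"R2 MsDtsServer;SQL Server Integration Services;c:\program files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe [10/14/2005 3:45 AM 199384]",
    r"S0 cerc6;cerc6; [x]",
    r"S2 TIRmtSvc;Track-It! Workstation Manager;c:\windows\TIREMOTE\TIRemoteService.exe [6/23/2009 11:58 AM 214016]",
    r'S4 myprojectname;myprojectname;"c:/ruby/bin/mongrel_service.exe" single -e development -p 4000 -a 0.0.0.0 -l "log/mongrel.log" -P "log/mongrel.pid" -c "C:/cygwin-1.7/usr/will/Projects/my_rails_projects/myprojectname" -t 0 -r "public" -n 1024 --> c:/ruby/bin/mongrel_service.exe [?]',
    r"S1 xqzv;xqzv;c:\windows\system32\drivers\xqzv.sys [3/11/2010 10:14 AM 40960]",  # constructed
    "uStart Page = hxxp://www.google.com/",
]

if __name__ == "__main__":
    for name, reason in triage(SAMPLE_LINES):
        print(f"{name}: {reason}")
```

The `[x]` finding on `cerc6` reproduces what ComboFix itself already marks; the name heuristic is only a triage aid and any hit still needs the file checked before anything is removed.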

#11 DevWillie

DevWillie
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:02:34 PM

Posted 16 March 2010 - 01:01 PM

I already installed ESET as it's what we use at work.
Once the problem (seemed) to be resolved, I re-installed it.

It's running now. 65% complete and hasn't found anything yet.

I'll post any found threats when it finishes. Thanks, Elise!

-Will

#12 DevWillie

DevWillie
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:02:34 PM

Posted 16 March 2010 - 01:18 PM

Hi Elise,

ESET said no threats found.
I attached log.

What can I do to prevent this from happening again?

Thanks.

Will

Attached Files



#13 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,663 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:08:34 PM

Posted 16 March 2010 - 01:41 PM

Hi again,

I think most of your questions should be answered reading the information below. However, if you have any more questions, don't hesitate to ask them!

ALL CLEAN
--------------
Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it clean.

Please do the following to remove the remaining programs from your PC:
  • Delete the tools used during the disinfection:
    • Click start > run and type combofix /uninstall, press enter. This will remove Combofix from your computer.
    • Delete DDS.
Please read this advice, in order to prevent reinfecting your PC:
  1. Install and update the following programs regularly:
    • an outbound firewall
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non-commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPs hosts file
      A tutorial for MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on the hosts file, and what it can do for you, please consult the Tutorial on the Hosts file
  2. Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
    Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  3. Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
  4. Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.
Some more links you might find of interest:

Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.

regards, Elise




#14 DevWillie

DevWillie
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:02:34 PM

Posted 16 March 2010 - 01:58 PM

Thank you very much for your help, Elise!

I will follow your recommendations.

-Will



#15 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,663 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:08:34 PM

Posted 16 March 2010 - 03:19 PM

You are welcome.

This topic will now be closed. If you need it reopened, please send me a PM.

Everyone else, please start a new topic.

regards, Elise






