Help with rootkit.agent removal needed


  • This topic is locked
17 replies to this topic

#1 superwally


Posted 25 March 2010 - 10:03 AM

Hello, first let me thank all of you for this service!

My issue started a few days ago, when logging in to eBay I'd get a fake page asking for personal info and any search conducted from my browser search button gives bogus links. I'm using Windows XP and Mozilla Firefox. After reading several threads here, I determined the most likely source of the problem is that I was running an old version of Java. I updated the Java software as per the recommendations in this thread: http://www.bleepingcomputer.com/forums/t/302521/booting-up-only-in-safe-mode-search-links-redirected/

After finding the issue, I ran Malwarebytes, and it picked up rootkit.agent (I read it as rookit.agent, but assume now that this must be incorrect.) It was removed, but I'm still having the issue and Malwarebytes no longer sees it when doing a full scan. My logs, generated after the Java update and with all Windows updates complete:




DDS (Ver_10-03-17.01) - NTFSx86
Run by Willis at 9:34:47.29 on Thu 03/25/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503.114 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Logitech\Harmony Remote\harmonyClient.exe
C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Willis\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Yahoo! Companion BHO: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\ycomp5_3_16_0.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Companion: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\ycomp5_3_16_0.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [DrvLsnr] c:\program files\analog devices\soundmax\DrvLsnr.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [zBrowser Launcher] c:\program files\logitech\itouch\iTouch.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\documents and settings\willis\start menu\programs\startup\PowerReg Scheduler V3.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\harmony remote\harmonyClient.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\zdwlan~1.lnk - c:\program files\zydas technology corporation\zydas_802.11g_utility\ZDWlan.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: Yahoo! Dots - hxxp://download.games.yahoo.com/games/clients/y/dtt1_x.cab
DPF: Yahoo! Klondike Solitaire - hxxp://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab
DPF: Yahoo! Literati - hxxp://download.games.yahoo.com/games/clients/y/tt2_x.cab
DPF: Yahoo! MahJong - hxxp://download.games.yahoo.com/games/clients/y/ot0_x.cab
DPF: Yahoo! Pool 2 - hxxp://download.games.yahoo.com/games/clients/y/potd_x.cab
DPF: Yahoo! Pyramids - hxxp://download.games.yahoo.com/games/clients/y/pyt1_x.cab
DPF: {01111F00-3E00-11D2-8470-0060089874ED} - hxxp://supportsoft.adelphia.net/sdccommon/download/tgctlins.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} - hxxp://mirror.worldwinner.com/games/v45/pool/pool.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab
DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094700692046
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} - hxxp://mirror.worldwinner.com/games/shared/dephlp.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} - hxxp://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38122.6877777778
DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} - hxxp://mirror.worldwinner.com/games/v40/tilecity/tilecity.cab
DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - hxxp://download.abacast.com/download/files/abasetup163.cab
TCP: {36AE2580-D9A3-440E-AF53-50CE94D1CFE9} = 68.87.71.230,68.87.73.246
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: igfxcui - igfxsrvc.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\willis\applic~1\mozilla\firefox\profiles\zrbddph6.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 40b9e87b-db6d-4860-892b-341e99e8dee7;40b9e87b-db6d-4860-892b-341e99e8dee7;c:\windows\iprot\40b9e87b-db6d-4860-892b-341e99e8dee7\PhysMem.sys [2007-9-15 3584]
R1 9c643043-6ca7-486c-8e38-fc82955623fe;9c643043-6ca7-486c-8e38-fc82955623fe;c:\windows\iprot\9c643043-6ca7-486c-8e38-fc82955623fe\PhysMem.sys [2006-10-31 3584]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-8-12 214664]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-8-12 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-8-12 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-8-12 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-8-12 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-8-12 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-8-12 40552]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-6 135664]
S3 BRGSp50;BRGSp50 NDIS Protocol Driver;c:\windows\system32\drivers\BRGSp50.sys [2007-3-31 20608]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-8-12 34248]
S3 ZD1211BU(SMC);802.11g Wireless USB2.0 Adapter Driver(SMC);c:\windows\system32\drivers\ZD1211BU.sys [2007-3-31 330240]

=============== Created Last 30 ================

2010-03-25 04:57:52 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-03-25 04:01:48 0 d-----w- C:\spoolerlogs
2010-03-25 03:47:15 0 ----a-w- c:\windows\system32\REN7D.tmp
2010-03-10 22:56:17 3555328 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-05 19:40:31 23332 ---ha-w- c:\windows\system32\mlfcache.dat
2010-03-05 16:42:49 0 d-----w- c:\program files\iPod
2010-03-05 16:42:33 0 d-----w- c:\program files\iTunes
2010-03-05 16:42:33 0 d-----w- c:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-03-05 16:41:34 0 d-----w- c:\program files\Bonjour
2010-03-05 16:33:35 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-03-05 16:33:35 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-03-05 16:07:35 5632 ----a-w- c:\windows\system32\ptpusb.dll
2010-03-05 16:07:33 159232 ----a-w- c:\windows\system32\ptpusd.dll

==================== Find3M ====================

2010-03-25 04:55:54 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-05 10:00:29 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00:20 17408 ------w- c:\windows\system32\corpol.dll

============= FINISH: 9:36:48.93 ===============


Edited by superwally, 25 March 2010 - 10:04 AM.




#2 m0le

  • Malware Response Team

Posted 28 March 2010 - 12:05 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 superwally

  • Topic Starter

Posted 28 March 2010 - 07:38 PM

Thank you for the response!

Let me know how to start, depending on when you respond I may be able to work with you for an extended period of time.

Thought I would also mention the computer does not shut down and reboot normally. It stalls on 'saving your settings' and I have to manually power it off to restart.

Edited by superwally, 28 March 2010 - 07:51 PM.


#4 m0le


Posted 29 March 2010 - 04:24 PM

It sounds to me like you have been seeing the soldiers but the General is still hiding.


Please run ComboFix

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks

#5 superwally


Posted 29 March 2010 - 05:39 PM

Thanks for the prompt reply!

My ComboFix log:

ComboFix 10-03-29.02 - Willis 03/29/2010 18:19:09.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503.248 [GMT -4:00]
Running from: c:\documents and settings\Willis\My Documents\Downloads\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\NPROTECT
c:\windows\system32\reboot.txt

.
original MBR restored successfully !
.
((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-29 )))))))))))))))))))))))))))))))
.

2010-03-25 16:53 . 2010-02-01 01:45 38784 ----a-w- c:\documents and settings\Willis\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-03-25 16:52 . 2010-03-25 16:52 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Adobe
2010-03-25 16:44 . 2010-02-01 01:45 38784 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-03-25 16:43 . 2010-03-25 16:43 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-03-25 16:40 . 2010-03-25 16:40 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-03-25 16:38 . 2010-03-26 13:01 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-03-25 05:00 . 2010-03-25 05:00 348160 ----a-w- c:\documents and settings\Willis\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7685f885-n\msvcr71.dll
2010-03-25 05:00 . 2010-03-25 05:00 61440 ----a-w- c:\documents and settings\Willis\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6c71dba9-n\decora-sse.dll
2010-03-25 05:00 . 2010-03-25 05:00 503808 ----a-w- c:\documents and settings\Willis\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7685f885-n\msvcp71.dll
2010-03-25 05:00 . 2010-03-25 05:00 499712 ----a-w- c:\documents and settings\Willis\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7685f885-n\jmc.dll
2010-03-25 05:00 . 2010-03-25 05:00 12800 ----a-w- c:\documents and settings\Willis\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6c71dba9-n\decora-d3d.dll
2010-03-25 04:01 . 2010-03-25 04:01 -------- d-----w- C:\spoolerlogs
2010-03-25 03:44 . 2010-03-25 03:44 152576 ----a-w- c:\documents and settings\Willis\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-03-24 06:00 . 2010-03-24 06:00 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-24 00:52 . 2010-03-24 00:52 -------- d-----w- c:\documents and settings\HelpAssistant\WINDOWS
2010-03-24 00:52 . 2010-03-24 00:52 -------- d-----w- c:\documents and settings\HelpAssistant\UserData
2010-03-24 00:51 . 2010-03-24 00:51 -------- d-----w- c:\documents and settings\HelpAssistant\OngameNetwork
2010-03-10 22:56 . 2009-10-23 14:27 3555328 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-06 04:54 . 2010-03-18 01:01 -------- d-----w- c:\documents and settings\Willis\Local Settings\Application Data\Temp
2010-03-06 04:49 . 2010-03-06 04:49 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-03-05 19:40 . 2010-03-05 19:40 23332 ---ha-w- c:\windows\system32\mlfcache.dat
2010-03-05 16:42 . 2010-03-05 16:42 -------- d-----w- c:\program files\iPod
2010-03-05 16:42 . 2010-03-05 16:45 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-03-05 16:42 . 2010-03-05 16:45 -------- d-----w- c:\program files\iTunes
2010-03-05 16:41 . 2010-03-05 16:41 -------- d-----w- c:\program files\Bonjour
2010-03-05 16:33 . 2009-08-29 00:42 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-03-05 16:33 . 2009-08-29 00:42 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-03-05 16:30 . 2010-03-05 16:42 -------- d-----w- c:\program files\Common Files\Apple
2010-03-05 16:07 . 2001-08-18 03:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2010-03-05 16:07 . 2004-08-04 08:56 159232 ----a-w- c:\windows\system32\ptpusd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-26 17:45 . 2007-02-17 00:11 -------- d-----w- c:\documents and settings\Willis\Application Data\U3
2010-03-25 16:50 . 2004-05-21 00:24 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-25 04:59 . 2004-09-10 20:13 -------- d-----w- c:\program files\Common Files\Java
2010-03-25 04:55 . 2009-09-22 23:55 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-25 03:47 . 2010-03-25 03:47 0 ----a-w- c:\windows\system32\REN7D.tmp
2010-03-25 03:47 . 2004-09-10 20:14 -------- d-----w- c:\program files\Java
2010-03-25 03:43 . 2009-12-22 16:10 79488 ----a-w- c:\documents and settings\Willis\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-03-24 06:00 . 2009-09-23 22:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-24 02:24 . 2006-08-11 20:16 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-07 19:12 . 2009-08-13 00:42 -------- d-----w- c:\program files\McAfee
2010-03-06 04:48 . 2004-05-21 19:30 -------- d-----w- c:\program files\Google
2010-03-05 19:48 . 2004-05-22 02:53 -------- d-----w- c:\documents and settings\Willis\Application Data\Apple Computer
2010-03-05 16:40 . 2004-05-19 23:06 -------- d-----w- c:\program files\QuickTime
2010-03-05 16:34 . 2009-02-25 23:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-02-15 23:41 . 2010-02-15 23:41 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-01-07 20:07 . 2009-09-23 22:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 20:07 . 2009-09-23 22:23 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-05 10:00 . 2004-02-06 22:05 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2001-08-23 03:00 17408 ------w- c:\windows\system32\corpol.dll
2009-12-31 16:14 . 2001-08-23 03:00 352640 ----a-w- c:\windows\system32\drivers\srv.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-19 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DrvLsnr"="c:\program files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 69632]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-12-15 155648]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2003-12-01 892928]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 241664]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-12-15 118784]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-15 141608]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

c:\documents and settings\Willis\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2005-10-10 225280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Harmony Remote.lnk - c:\program files\Logitech\Harmony Remote\harmonyClient.exe [2005-4-18 1478144]
ZDWLan Utility.lnk - c:\program files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe [2008-10-12 475136]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-aware]
2003-07-13 01:00 684544 ----a-w- c:\program files\Lavasoft\Ad-aware 6\Ad-aware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2005-01-12 18:54 241664 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-02-15 23:07 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
2003-11-07 09:50 19968 ------w- c:\windows\LOGI_MWX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]
2004-01-27 02:44 286720 ----a-w- c:\program files\Registry Mechanic\RegMech.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Ad-aware"="c:\program files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
"personalguard"=c:\program files\Personal Guard 2009\personalguard.exe
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"SpybotSnD"="c:\program files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /waitstart
"Start WingMan Profiler"=c:\program files\Logitech\Gaming Software\LWEMon.exe /noui

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3977:TCP"= 3977:TCP:Services
"6454:TCP"= 6454:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop

R1 40b9e87b-db6d-4860-892b-341e99e8dee7;40b9e87b-db6d-4860-892b-341e99e8dee7;c:\windows\iprot\40b9e87b-db6d-4860-892b-341e99e8dee7\PhysMem.sys [9/15/2007 8:05 PM 3584]
R1 9c643043-6ca7-486c-8e38-fc82955623fe;9c643043-6ca7-486c-8e38-fc82955623fe;c:\windows\iprot\9c643043-6ca7-486c-8e38-fc82955623fe\PhysMem.sys [10/31/2006 8:47 PM 3584]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/6/2010 12:49 AM 135664]
S3 ZD1211BU(SMC);802.11g Wireless USB2.0 Adapter Driver(SMC);c:\windows\system32\drivers\ZD1211BU.sys [3/31/2007 2:29 PM 330240]
.
Contents of the 'Scheduled Tasks' folder

2010-03-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-03-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-06 04:48]

2010-03-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-06 04:48]

2010-03-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-08-13 16:22]

2010-03-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-08-13 16:22]

2008-03-14 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-09-21 19:31]

2010-03-29 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-29 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
TCP: {36AE2580-D9A3-440E-AF53-50CE94D1CFE9} = 68.87.71.230,68.87.73.246
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Willis\Application Data\Mozilla\Firefox\Profiles\zrbddph6.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-LDM - c:\program files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
MSConfigStartUp-MSMSGS - c:\program files\Messenger\msmsgs.exe
MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-29 18:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x82B50B88]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf8745fc3
\Driver\ACPI -> 0x82b50b88
\Driver\atapi -> atapi.sys @ 0xf864a7b4
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0084
ParseProcedure -> ntoskrnl.exe @ 0x8056f07e
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0084
ParseProcedure -> ntoskrnl.exe @ 0x8056f07e
NDIS: Intel® PRO/100 VE Network Connection -> SendCompleteHandler -> 0x829b2330
PacketIndicateHandler -> NDIS.sys @ 0xf8563b21
SendHandler -> NDIS.sys @ 0xf854187b
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x0E4FB880
malicious code @ sector 0x0E4FB883 !
PE file found in sector at 0x0E4FB899 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

**************************************************************************
.
Completion time: 2010-03-29 18:35:42
ComboFix-quarantined-files.txt 2010-03-29 22:35

Pre-Run: 68,283,867,136 bytes free
Post-Run: 68,535,013,376 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - F32F080156D1A68D0DFBE0FCA9143EE5
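
The DDS entries above show Windows Firewall switched off for the standard profile, Security Center monitoring silenced for four AV/firewall products, and five inbound ports opened under the generic label "Services" plus Remote Desktop. As an added example (my own code, not from the thread, from DDS or from the HelpAsst tool), here is a Python triage that pulls exactly those conditions out of a DDS-style dump; the EXPECTED_DESCRIPTIONS allow-list is an assumption and the sample text is constructed.

```python
import re
from dataclasses import dataclass, field

# Added example (not from the thread or from DDS): pull the security-relevant
# registry entries out of a DDS log and flag the ones HelpAsst_mebroot_fix undid.
SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>.*)$')
PORT_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=\s*\d+:(?:TCP|UDP):(?P<desc>.*)$')

# Assumption: labels a home XP machine would legitimately carry in
# GloballyOpenPorts. The bare "Services" label on high, unregistered ports is
# the pattern the HelpAssistant/MBR infection in this thread used.
EXPECTED_DESCRIPTIONS = {"Remote Desktop", "File and Printer Sharing", "UPnP Framework"}

@dataclass
class Findings:
    firewall_disabled: list = field(default_factory=list)    # profiles with EnableFirewall=0
    monitoring_disabled: list = field(default_factory=list)  # Security Center products silenced
    rogue_ports: list = field(default_factory=list)          # (port, proto, label) not on the allow-list
    rdp_exposed: bool = False                                # 3389/TCP opened inbound

def triage_dds(text: str) -> Findings:
    """Walk the dump once, remembering which [key] the current value belongs to."""
    found = Findings()
    key, leaf = "", ""
    for raw in text.splitlines():
        line = raw.strip()
        if (m := SECTION_RE.match(line)):
            key = m.group("key").lower()
            leaf = m.group("key").rsplit("\\", 1)[-1]
            continue
        if not line or not key:
            continue
        if "\\security center\\monitoring\\" in key:
            v = VALUE_RE.match(line)
            if v and v.group("name") == "DisableMonitoring":
                val = v.group("value").lower()
                if val.startswith("dword:") and int(val[6:], 16) == 1:
                    found.monitoring_disabled.append(leaf)
        elif key.endswith(("\\firewallpolicy\\standardprofile", "\\firewallpolicy\\domainprofile")):
            v = VALUE_RE.match(line)
            if v and v.group("name") == "EnableFirewall" and v.group("value").split()[:1] == ["0"]:
                found.firewall_disabled.append(leaf)
        elif key.endswith("\\globallyopenports\\list"):
            if (p := PORT_RE.match(line)):
                port, proto, desc = int(p.group("port")), p.group("proto"), p.group("desc").strip()
                if port == 3389 and proto == "TCP":
                    found.rdp_exposed = True
                if desc not in EXPECTED_DESCRIPTIONS:
                    found.rogue_ports.append((port, proto, desc))
    return found

# Constructed sample in the shape of the DDS entries quoted in the log above.
SAMPLE_DDS = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"139:TCP"= 139:TCP:File and Printer Sharing
"""

if __name__ == "__main__":
    f = triage_dds(SAMPLE_DDS)
    print("firewall off:", f.firewall_disabled, "| monitoring off:", f.monitoring_disabled)
    print("rogue ports:", f.rogue_ports, "| RDP exposed:", f.rdp_exposed)
```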


#6 m0le (Can U Dig It?)
  • Malware Response Team
  • 34,527 posts
  • Gender: Male
  • Location: London, UK

Posted 29 March 2010 - 07:28 PM

MBR rootkit. We can complete the clean up by running this command.

Open Windows Explorer and rename the C:\mbr.log to C:\mbr.old
Go to Start > Run and type: cmd
press Ok.
At the command prompt, type: cd \
press Enter.
At the command prompt, type: mbr.exe -f
(make sure you have a space before the e and the -f)
press Enter.
At the command prompt, type: exit
press Enter.

It will produce a new report at C:\mbr.log. Please copy/paste the results in your next reply.

Finally you must reboot the system.
m0le is a proud member of UNITE

#7 superwally (Topic Starter)
  • Members
  • 9 posts

Posted 29 March 2010 - 08:03 PM

Sorry if I'm being thick, but I can't seem to find the file C:\mbr.log? I tried searching hidden files and folders, coming up with nothing. I'll keep looking.....


Edit: Found MBR.exe, but still no sign of .log


Edit 2: I took a chance and ran the commands anyway as I could not find the .log file. Everything seemed to work fine, here is the log:



Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\ACPI -> 0x82b50b88
NDIS: Intel® PRO/100 VE Network Connection -> SendCompleteHandler -> 0x829b2330
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x0E4FB880
malicious code @ sector 0x0E4FB883 !
PE file found in sector at 0x0E4FB899 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
original MBR restored successfully !



I'll reboot now as suggested.


Edit 3: Everything appears to be working correctly again, normal reboot and no redirects. I'll wait for your response and final approval. Also, any other suggestions you might have about cleaning up/securing my pc would be greatly appreciated. Again thank you for your help.

Edited by superwally, 30 March 2010 - 01:39 PM.


#8 m0le (Can U Dig It?)
  • Malware Response Team
  • 34,527 posts
  • Gender: Male
  • Location: London, UK

Posted 30 March 2010 - 01:39 PM

Good, that has been dealt with.

Please run the ESET online scan to see what that can find

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
NOTE: If no malware is found there will be no option to export the text file as no log will be produced. Let me know if this is the case.
m0le is a proud member of UNITE

#9 superwally (Topic Starter)
  • Members
  • 9 posts

Posted 30 March 2010 - 03:55 PM

After what seems an eternity, the results of the scan: looks like I had a couple more....

C:\Documents and Settings\HelpAssistant\Local Settings\Application Data\Mozilla\Firefox\Profiles\zrbddph6.default\Cache\A18C8F2Ed01 JS/Exploit.Pdfka.NUI trojan cleaned by deleting - quarantined
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\jar_cache4701217468021108339.tmp probably a variant of Win32/Agent trojan deleted - quarantined


#10 m0le (Can U Dig It?)
  • Malware Response Team
  • 34,527 posts
  • Gender: Male
  • Location: London, UK

Posted 30 March 2010 - 04:12 PM

HelpAssistant is not good news. We had better make sure this has gone too.

Please download HelpAsst_mebroot_fix.exe and save it to your desktop.
Close out all other open programs and windows.
Double click the file to run it and follow any prompts.
If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.


*In the event the tool does not detect an mbr infection and completes, click Start>Run and type the following bolded command, then hit Enter.

mbr -f

Now, please do the Start>Run>mbr -f command a second time.
Now shut down the computer (do not restart, but shut it down), wait a few minutes then start it back up.
Give it about 5 minutes, then click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.

**Important note to Dell users - fixing the mbr may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually, and you will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr (the latter not recommended).

Thanks
m0le is a proud member of UNITE

#11 superwally (Topic Starter)
  • Members
  • 9 posts

Posted 30 March 2010 - 04:46 PM

Here is the result:



C:\Documents and Settings\Willis\Desktop\HelpAsst_mebroot_fix.exe
Tue 03/30/2010 at 17:24:55.46

HelpAssistant account was found to be Active ~ attempting to de-activate

Full Name Remote Desktop Help Assistant Account
Account active Yes
Local Group Memberships *Administrators

HelpAssistant successfully set Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll present! ~ attempting to remove
termsrv32.dll successfully removed

~~ Checking firewall ports ~~

backing up DomainProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"3977:TCP"=-
"6454:TCP"=-
"3389:TCP"=-

backing up StandardProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"3977:TCP"=-
"6454:TCP"=-
"3389:TCP"=-

HelpAssistant profile found in registry ~ backing up and removing S-1-5-21-515967899-854245398-839522115-1000
HelpAssistant profile directory exists at C:\Documents and Settings\HelpAssistant ~ attempting to remove
~ All C:\Documents and Settings\HelpAssistant files successfully removed ~

~~ Checking mbr ~~

user & kernel MBR OK

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Tue 03/30/2010 at 17:44:13.00

Full Name Remote Desktop Help Assistant Account
Account active No
Local Group Memberships

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys intelide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x0E4FB880
malicious code @ sector 0x0E4FB883 !
PE file found in sector at 0x0E4FB899 !

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking profile list ~~

No HelpAssistant profile in List

~~ Checking for HelpAssistant directories ~~

none found

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~
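
The mbr.exe output appears three times in this thread and reads differently each time: the ComboFix-embedded report with kernel hooks and a modified MBR, the report printed right after `mbr.exe -f`, and the one inside this HelpAsst log where the MBR is OK but the old copy and PE are still parked in unused sectors. As an added example (my own code, not from the thread or from GMER), here is a Python reader that reduces such a report to a verdict; the verdict wording and the sample excerpts are mine, constructed from the shape of those three reports.

```python
import re
from dataclasses import dataclass, field

# Added example (not from the thread or from GMER's mbr.exe): read the text
# report mbr.exe prints and reduce it to a verdict. Covers the three states in
# this thread: bootkit hooks plus a modified MBR, the MBR just written back by
# "mbr.exe -f", and a clean MBR with inert residue left in spare sectors.
ADDRESS_RE = re.compile(r"^0x[0-9A-Fa-f]+$")
SECTOR_RE = re.compile(r"sector(?: at)?\s+(0x[0-9A-Fa-f]+)")

@dataclass
class MbrReport:
    mbr_ok: bool = False             # "user & kernel MBR OK"
    infection_flagged: bool = False  # "MBR rootkit infection detected"
    restored: bool = False           # "original MBR restored successfully"
    unknown_module: bool = False     # ">>UNKNOWN [...]<<" among called modules
    bare_hooks: list = field(default_factory=list)       # handlers pointing at a raw address
    residue_sectors: list = field(default_factory=list)  # sectors holding MBR copy / code / PE

    @property
    def verdict(self) -> str:
        if self.restored:
            return "fixed: original MBR written back, reboot and re-scan"
        if self.infection_flagged or self.unknown_module or self.bare_hooks:
            return "infected: MBR modified or kernel hooks into unnamed memory"
        if self.mbr_ok and self.residue_sectors:
            return "clean: MBR intact, inert residue left in unused sectors"
        return "clean" if self.mbr_ok else "inconclusive"

def parse_mbr_report(text: str) -> MbrReport:
    r = MbrReport()
    for raw in text.splitlines():
        line = raw.strip()
        if line == "user & kernel MBR OK":
            r.mbr_ok = True
        elif line.startswith("MBR rootkit infection detected"):
            r.infection_flagged = True
        elif line.startswith("original MBR restored successfully"):
            r.restored = True
        elif line.startswith("called modules:"):
            r.unknown_module = ">>UNKNOWN" in line
        elif " -> " in line:
            # Hook chains look like "\Driver\ACPI -> 0x82b50b88" or
            # "\Driver\Disk -> CLASSPNP.SYS @ 0x..."; only a bare address is suspect.
            parts = [p.strip() for p in line.split("->")]
            if ADDRESS_RE.match(parts[-1]):
                r.bare_hooks.append((parts[0], parts[-1]))
        elif line.startswith(("copy of MBR", "malicious code", "PE file found")):
            m = SECTOR_RE.search(line)
            if m:
                r.residue_sectors.append(int(m.group(1), 16))
    return r

# Constructed excerpts shaped like the three mbr.exe reports in this thread.
INFECTED = """called modules: ntoskrnl.exe disk.sys >>UNKNOWN [0x82B50B88]<<
detected MBR rootkit hooks:
\\Driver\\Disk -> CLASSPNP.SYS @ 0xf8745fc3
\\Driver\\ACPI -> 0x82b50b88
copy of MBR has been found in sector 0x0E4FB880
malicious code @ sector 0x0E4FB883 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix."""
FIXED = INFECTED + "\noriginal MBR restored successfully !"
CLEAN_WITH_RESIDUE = """called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys
user & kernel MBR OK
copy of MBR has been found in sector 0x0E4FB880
PE file found in sector at 0x0E4FB899 !"""

if __name__ == "__main__":
    for name, report in (("before fix", INFECTED), ("after fix", FIXED), ("after reboot", CLEAN_WITH_RESIDUE)):
        print(f"{name}: {parse_mbr_report(report).verdict}")
```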


#12 m0le (Can U Dig It?)
  • Malware Response Team
  • 34,527 posts
  • Gender: Male
  • Location: London, UK

Posted 30 March 2010 - 05:53 PM

That nearly sneaked by me.

That infection is now disabled and the PC is clean.

How is the PC running?
m0le is a proud member of UNITE

#13 superwally (Topic Starter)
  • Members
  • 9 posts

Posted 30 March 2010 - 06:11 PM

It seems marvelous, much better after combofix. I've not done much since, I wanted to hear from you.

I'm hoping this stuff has only been here since last Thursday or so, but I suspect the HelpAssist has been there longer. Anything in particular I should worry about being compromised? I do a lot of ebay and paypal stuff but no other online banking.

Also, I have SPII, not SPIII. My copy of XP is 'not genuine' according to MS; can I still do the SPIII update?

Thank you again for the help and for this service. As a mechanic of the physical, I can help a friend with a car, but to receive help like this (in the middle of the night!) from someone I don't know is a stunning gesture of goodwill and is no small favor in my mind. I'm only partially employed and my other source of income is ebay, so a clean PC is critical.

Thank you, and if you have any other advice, bring it on.

#14 m0le (Can U Dig It?)
  • Malware Response Team
  • 34,527 posts
  • Gender: Male
  • Location: London, UK

Posted 30 March 2010 - 06:24 PM

We do have to do some clear-up. Oh, the "Windows not genuine" message - this usually happens because the malware deletes certain files and registry entries just to make it as difficult as possible for you to run the PC.


There is a fix for the message but first I need to check that your copy is legitimate (you understand that right?)

To test the PC please use Internet Explorer to download this program.


Please download MGADiag.exe and Save it to your Desktop.
  1. Double-click on MGADiag.exe then click Continue
  2. When the program has finished, click on Resolve
  3. Follow the prompts and agree to install the ActiveX control.
  4. Click 'Install'. When finished, exit the IE browser window.
  5. Click 'OK' to exit the MGA Diagnostic Tool window.
  6. Double-click on MGADiag.exe again, then click Continue
  7. When the program has finished, click on Copy
Please paste the results in your next reply.
m0le is a proud member of UNITE

#15 superwally (Topic Starter)
  • Members
  • 9 posts

Posted 30 March 2010 - 06:55 PM

I would not be surprised at all if the copy is not actually genuine; this is a used PC purchased locally, and I have no XP install disks. I'll run it anyway.

No 'Resolve' option comes up, only 'Copy', nothing seems to happen when I click. I can't highlight and paste, either. Sorry if I'm missing something obvious.

The validation status says 'Blocked VLK' (in red)
Validation code 3






