
Is Malware the culprit?


21 replies to this topic

#16 ken545

ken545

    Malware Response Team


  • Malware Response Team
  • 1,685 posts
  • OFFLINE
  • Gender:Male
  • Location:The Space Coast of Florida
  • Local time:07:48 PM

Posted 23 April 2010 - 02:40 PM

Hi

See if you can run CF in Safemode and let's be sure there is nothing else.



To Enter Safemode
  • Go to Start> Shut off your Computer> Restart
  • As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
    this will bring up a menu.
  • Use the Up and Down Arrow Keys to scroll up to Safemode
  • Then press the Enter Key on your Keyboard
Tutorial if you need it: How to boot into Safemode



Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014



Please consider a donation to help me keep up my fight against malware.

 

Just a reminder that threads will be closed if no response in 3 days



#17 babybrowneyez

babybrowneyez
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  • Local time:07:48 PM

Posted 26 April 2010 - 05:54 PM

It worked in safe mode! The program update at the beginning did not work though.

ComboFix 10-04-15.05 - Administrator 04/26/2010 15:43:41.2.1 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.247.5 [GMT -7:00]
Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe
AV: Sophos Anti-Virus *On-access scanning disabled* (Outdated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((( Files Created from 2010-03-26 to 2010-04-26 )))))))))))))))))))))))))))))))
.

2010-04-26 18:50 . 2010-04-26 18:50 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-04-22 18:17 . 2010-04-22 18:17 -------- d-----w- C:\_OTM
2010-04-12 18:24 . 2010-04-12 18:25 -------- d-----w- C:\rsit
2010-04-12 18:18 . 2010-04-12 18:18 -------- d-----w- c:\documents and settings\new user\Application Data\Malwarebytes
2010-04-12 18:17 . 2010-03-30 07:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-12 18:17 . 2010-04-12 18:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-12 18:17 . 2010-03-30 07:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-12 18:17 . 2010-04-12 18:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-05 19:34 . 2010-04-05 19:34 -------- d-----w- c:\program files\Trend Micro
2010-04-05 19:29 . 2010-04-05 19:29 -------- d-----w- c:\documents and settings\new user\Application Data\Apple Computer
2010-04-05 19:14 . 2010-04-05 19:14 -------- d-----w- c:\documents and settings\new user\Local Settings\Application Data\Apple
2010-04-05 19:05 . 2008-02-29 18:46 40960 ----a-w- c:\windows\system32\SSubTmr6.dll
2010-04-05 19:05 . 2008-02-29 18:46 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2010-04-05 19:05 . 2008-02-29 18:46 1129232 ----a-w- c:\windows\system32\fm20.dll
2010-04-05 19:05 . 2008-02-29 18:46 57344 ----a-w- c:\windows\system32\GamryChartEng.dll
2010-04-05 19:05 . 2010-04-05 19:05 -------- d-----w- c:\program files\Common Files\Software FX Shared
2010-04-05 19:05 . 2010-04-05 19:05 -------- d-----w- c:\program files\Gamry Instruments
2010-04-05 19:05 . 2010-04-05 19:05 -------- d-----w- c:\program files\Common Files\Data Dynamics
2010-04-05 19:01 . 2010-04-05 19:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Gamry Instruments

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-05 19:30 . 2005-06-13 16:42 -------- d-----w- c:\program files\iPod
2010-04-05 19:26 . 2004-12-11 18:03 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-23 19:26 . 2010-03-23 19:26 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-03-23 19:26 . 2010-03-23 19:26 -------- d-----w- c:\program files\NOS
2010-03-23 19:25 . 2005-01-12 22:52 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-23 19:25 . 2008-08-01 20:02 -------- d-----w- c:\documents and settings\new user\Application Data\AdobeUM
2010-03-17 22:42 . 2005-12-09 21:37 -------- d-----w- c:\documents and settings\Owen\Application Data\Lavasoft
2010-03-17 22:37 . 2010-03-17 22:37 -------- d-----w- c:\documents and settings\new user\Application Data\AVG8
2010-03-10 23:32 . 2010-03-10 23:32 -------- d-----w- c:\documents and settings\new user\Application Data\Lavasoft
2010-03-10 23:14 . 2004-12-11 18:02 24872 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-10 06:15 . 1980-01-01 08:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 1980-01-01 08:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 1980-01-01 08:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 16:10 . 1980-01-01 08:00 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2002-08-29 09:04 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 1980-01-01 08:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 1980-01-01 08:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2003-10-28 17:29 . 2005-02-15 19:13 110592 ----a-w- c:\program files\internet explorer\plugins\ChimeShim.dll
.

------- Sigcheck -------

[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . 4AFB3B0919649F95C1964AA1FAD27D73 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2007-10-30 . 90CAFF4B094573449A0872A0F919B178 . 360064 . . [5.1.2600.3244] . . c:\windows\$NtUninstallKB951748_0$\tcpip.sys
[-] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[-] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2006-04-20 . 1DBF125862891817F374F407626967F4 . 359808 . . [5.1.2600.2892] . . c:\windows\$NtUninstallKB941644$\tcpip.sys
[-] 2006-01-13 . 5562CC0A47B2AEF06D3417B733F3C195 . 360448 . . [5.1.2600.2827] . . c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
[-] 2006-01-13 . 583E063FDC888CA30D05C2724B0D7EF4 . 359808 . . [5.1.2600.2827] . . c:\windows\$NtUninstallKB917953$\tcpip.sys
[-] 2005-05-25 . 63FDFEA54EB53DE2D863EE454937CE1E . 359936 . . [5.1.2600.2685] . . c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
[-] 2005-05-25 . 88763A98A4C26C409741B4AA162720C9 . 359808 . . [5.1.2600.2685] . . c:\windows\$NtUninstallKB913446$\tcpip.sys
[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB893066$\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2003-08-28 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2003-08-28 118784]
"Mouse Suite 98 Daemon"="ICO.EXE" [2003-11-20 57344]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Sophos\SOPHOS~1\sophos_detoured.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli pwdmon

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoUpdate Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AutoUpdate Monitor.lnk
backup=c:\windows\pss\AutoUpdate Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Pinyin IME Migration]
2006-10-26 21:53 32560 ----a-w- c:\progra~1\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-06-29 13:24 286720 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UC_Start]
2003-09-30 23:39 36864 ----a-w- c:\program files\IBM\Updater\ucstartup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%ProgramFiles%\\IBM\\Updater\\ucsmb.exe"=
"%ProgramFiles%\\IBM\\Updater\\jre\\bin\\java.exe"=
"%ProgramFiles%\\IBM\\Updater\\jre\\bin\\javaw.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MDL CrossFire Commander 7.0\\xfdlink.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

S1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [4/2/2008 11:48 AM 110848]
S1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [4/2/2008 11:48 AM 38528]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [9/30/2008 1:36 PM 14976]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
.
------- Supplementary Scan -------
.
TCP: {118573F5-67CC-4AF6-8F38-9B43B81884D8} = 169.237.1.250,169.237.250.250
FF - ProfilePath -
.
.
------- File Associations -------
.
txtfile=c:\windows\notepad.exe %1
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-ibmmessages - c:\program files\IBM\Messages By IBM\ibmmessages.exe
MSConfigStartUp-BIE - c:\windows\DOWNLO~1\BDPlugin.dll
MSConfigStartUp-ibmmessages - c:\program files\IBM\Messages By IBM\ibmmessages.exe
MSConfigStartUp-IBMPRC - c:\ibmtools\UTILS\ibmprc.exe
MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-26 15:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(692)
c:\windows\system32\pwdmon.dll

- - - - - - - > 'explorer.exe'(440)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2010-04-26 15:49:31
ComboFix-quarantined-files.txt 2010-04-26 22:49

Pre-Run: 18,545,582,080 bytes free
Post-Run: 20,288,409,600 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect

- - End Of File - - 66F2D0E1EE224BB1EB6C35C0B696B298

Edited by babybrowneyez, 26 April 2010 - 05:55 PM.


#18 ken545

ken545

    Malware Response Team


  • Malware Response Team
  • 1,685 posts
  • OFFLINE
  • Gender:Male
  • Location:The Space Coast of Florida
  • Local time:07:48 PM

Posted 26 April 2010 - 06:58 PM

Hi

Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before or above FCopy::


CODE
FCopy::
c:\windows\system32\dllcache\tcpip.sys | c:\windows\system32\drivers\tcpip.sys


Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.




This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

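Added example, not code from the thread or from ComboFix: a small Python triage script that parses the Sigcheck section of the log above, flags the live tcpip.sys whose MD5 disagrees with the dllcache copy of the same file version, and renders the FCopy:: directive in the form ken545 used. The meaning of the [7]/[-] markers (verified / unverified) and the preference for dllcache over ServicePackFiles as the restore source are assumptions made for this example.

```python
"""Triage a ComboFix "Sigcheck" section: find a live system file whose MD5
disagrees with a verified copy of the same version, and build the FCopy::
directive that restores it from that copy. Added example, not ComboFix code."""
import hashlib
import re
from dataclasses import dataclass

# Sigcheck line layout as it appears in the log:
# [flag] date . MD5 . size . . [file version] . . path
SIGCHECK_LINE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})"
    r"\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+\[(?P<version>[^\]]+)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$"
)

# Assumption: "[7]" marks a copy ComboFix could verify, "[-]" one it could not.
# The log shows exactly that split for the 5.1.2600.5625 copies of tcpip.sys.
VERIFIED, UNVERIFIED = "7", "-"

# Where a clean replacement should come from, most trusted first (assumption).
PREFERRED_SOURCES = ("\\dllcache\\", "\\servicepackfiles\\")


@dataclass(frozen=True)
class SigEntry:
    flag: str
    date: str
    md5: str
    size: int
    version: str
    path: str


def parse_sigcheck(text: str) -> list[SigEntry]:
    """Parse every well-formed Sigcheck line; headers and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_LINE.match(line.strip())
        if m:
            entries.append(SigEntry(m["flag"], m["date"], m["md5"].upper(),
                                    int(m["size"]), m["version"], m["path"]))
    return entries


def _source_rank(path: str) -> int:
    low = path.lower()
    for rank, marker in enumerate(PREFERRED_SOURCES):
        if marker in low:
            return rank
    return len(PREFERRED_SOURCES)


def find_repair_candidates(entries: list[SigEntry]) -> list[tuple[str, str]]:
    """Return (live_path, source_path) pairs: an unverified file in the live
    driver directory for which a verified copy with the same version string
    exists but carries a different MD5. Unverified files with no verified
    sibling of the same version (old copies in uninstall folders) are skipped."""
    verified_by_version: dict[str, list[SigEntry]] = {}
    for e in entries:
        if e.flag == VERIFIED:
            verified_by_version.setdefault(e.version, []).append(e)
    candidates = []
    for e in entries:
        if e.flag != UNVERIFIED or "\\system32\\drivers\\" not in e.path.lower():
            continue
        # Verified copies of one version may legitimately differ (GDR and QFE
        # builds share a version string), so rank sources instead of demanding
        # a single hash.
        mismatched = [g for g in verified_by_version.get(e.version, []) if g.md5 != e.md5]
        if mismatched:
            src = min(mismatched, key=lambda g: (_source_rank(g.path), g.path))
            candidates.append((e.path, src.path))
    return candidates


def build_fcopy_script(candidates: list[tuple[str, str]]) -> str:
    """Render the CFScript FCopy:: block in the "source | destination" form."""
    lines = ["FCopy::"] + [f"{src} | {dst}" for dst, src in candidates]
    return "\n".join(lines) + "\n"


def md5_of_bytes(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def same_md5(path_a: str, path_b: str) -> bool:
    """After-the-fact check: do the restored file and its source now match?"""
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        return md5_of_bytes(fa.read()) == md5_of_bytes(fb.read())


# The relevant Sigcheck lines from the log posted in this thread.
SIGCHECK_TEXT = r"""
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . 4AFB3B0919649F95C1964AA1FAD27D73 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2007-10-30 . 90CAFF4B094573449A0872A0F919B178 . 360064 . . [5.1.2600.3244] . . c:\windows\$NtUninstallKB951748_0$\tcpip.sys
"""

if __name__ == "__main__":
    found = find_repair_candidates(parse_sigcheck(SIGCHECK_TEXT))
    print(build_fcopy_script(found))
```

Run on the log's own lines it emits the same single FCopy:: line ken545 posted; the older `[-]` copies in uninstall folders produce nothing because no verified copy of their version exists to compare against.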


#19 babybrowneyez

babybrowneyez
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  • Local time:07:48 PM

Posted 26 April 2010 - 07:30 PM

Hi! CF didn't work again unless I was in safe mode...got the same access denied message.


ComboFix 10-04-15.05 - new user 04/26/2010 17:13:35.3.1 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.247.106 [GMT -7:00]
Running from: c:\documents and settings\new user\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\new user\Desktop\CFScript.txt
AV: Sophos Anti-Virus *On-access scanning disabled* (Outdated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\system32\dllcache\tcpip.sys --> c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((( Files Created from 2010-03-27 to 2010-04-27 )))))))))))))))))))))))))))))))
.

2010-04-26 18:50 . 2010-04-26 18:50 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-04-22 18:17 . 2010-04-22 18:17 -------- d-----w- C:\_OTM
2010-04-12 18:24 . 2010-04-12 18:25 -------- d-----w- C:\rsit
2010-04-12 18:18 . 2010-04-12 18:18 -------- d-----w- c:\documents and settings\new user\Application Data\Malwarebytes
2010-04-12 18:17 . 2010-03-30 07:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-12 18:17 . 2010-04-12 18:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-12 18:17 . 2010-03-30 07:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-12 18:17 . 2010-04-12 18:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-05 19:34 . 2010-04-05 19:34 -------- d-----w- c:\program files\Trend Micro
2010-04-05 19:29 . 2010-04-05 19:29 -------- d-----w- c:\documents and settings\new user\Application Data\Apple Computer
2010-04-05 19:14 . 2010-04-05 19:14 -------- d-----w- c:\documents and settings\new user\Local Settings\Application Data\Apple
2010-04-05 19:05 . 2008-02-29 18:46 40960 ----a-w- c:\windows\system32\SSubTmr6.dll
2010-04-05 19:05 . 2008-02-29 18:46 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2010-04-05 19:05 . 2008-02-29 18:46 1129232 ----a-w- c:\windows\system32\fm20.dll
2010-04-05 19:05 . 2008-02-29 18:46 57344 ----a-w- c:\windows\system32\GamryChartEng.dll
2010-04-05 19:05 . 2010-04-05 19:05 -------- d-----w- c:\program files\Common Files\Software FX Shared
2010-04-05 19:05 . 2010-04-05 19:05 -------- d-----w- c:\program files\Gamry Instruments
2010-04-05 19:05 . 2010-04-05 19:05 -------- d-----w- c:\program files\Common Files\Data Dynamics
2010-04-05 19:01 . 2010-04-05 19:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Gamry Instruments

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-05 19:30 . 2005-06-13 16:42 -------- d-----w- c:\program files\iPod
2010-04-05 19:26 . 2004-12-11 18:03 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-23 19:26 . 2010-03-23 19:26 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-03-23 19:26 . 2010-03-23 19:26 -------- d-----w- c:\program files\NOS
2010-03-23 19:25 . 2005-01-12 22:52 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-23 19:25 . 2008-08-01 20:02 -------- d-----w- c:\documents and settings\new user\Application Data\AdobeUM
2010-03-17 22:42 . 2005-12-09 21:37 -------- d-----w- c:\documents and settings\Owen\Application Data\Lavasoft
2010-03-17 22:37 . 2010-03-17 22:37 -------- d-----w- c:\documents and settings\new user\Application Data\AVG8
2010-03-10 23:32 . 2010-03-10 23:32 -------- d-----w- c:\documents and settings\new user\Application Data\Lavasoft
2010-03-10 23:14 . 2004-12-11 18:02 24872 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-10 06:15 . 1980-01-01 08:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 1980-01-01 08:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 1980-01-01 08:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 16:10 . 1980-01-01 08:00 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2002-08-29 09:04 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 1980-01-01 08:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 1980-01-01 08:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2003-10-28 17:29 . 2005-02-15 19:13 110592 ----a-w- c:\program files\internet explorer\plugins\ChimeShim.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2003-08-28 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2003-08-28 118784]
"Mouse Suite 98 Daemon"="ICO.EXE" [2003-11-20 57344]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Sophos\SOPHOS~1\sophos_detoured.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli pwdmon

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoUpdate Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AutoUpdate Monitor.lnk
backup=c:\windows\pss\AutoUpdate Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Pinyin IME Migration]
2006-10-26 21:53 32560 ----a-w- c:\progra~1\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-06-29 13:24 286720 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UC_Start]
2003-09-30 23:39 36864 ----a-w- c:\program files\IBM\Updater\ucstartup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%ProgramFiles%\\IBM\\Updater\\ucsmb.exe"=
"%ProgramFiles%\\IBM\\Updater\\jre\\bin\\java.exe"=
"%ProgramFiles%\\IBM\\Updater\\jre\\bin\\javaw.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MDL CrossFire Commander 7.0\\xfdlink.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

S1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [4/2/2008 11:48 AM 110848]
S1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [4/2/2008 11:48 AM 38528]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [9/30/2008 1:36 PM 14976]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1fd828b2-4197-11df-9667-806d6172696f}]
\Shell\AutoRun\command - E:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e9344045-36af-11df-bacd-001125508309}]
\Shell\AutoRun\command - E:\setupSNK.exe
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: {118573F5-67CC-4AF6-8F38-9B43B81884D8} = 169.237.1.250,169.237.250.250
FF - ProfilePath - c:\documents and settings\new user\Application Data\Mozilla\Firefox\Profiles\rxclgill.default\
FF - plugin: c:\program files\CambridgeSoft\ChemOffice2006\ChemDraw\NPCDN32.DLL
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npSfAppM.dll
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{65F8A3D2-4C22-4A33-9633-73167EAEEC45} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-26 17:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(296)
c:\windows\system32\pwdmon.dll

- - - - - - - > 'explorer.exe'(1636)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\Microsoft Office\Office10\msohev.dll
.
Completion time: 2010-04-26 17:23:08
ComboFix-quarantined-files.txt 2010-04-27 00:22
ComboFix2.txt 2010-04-26 22:49

Pre-Run: 20,285,882,368 bytes free
Post-Run: 20,265,422,848 bytes free

- - End Of File - - 5C98808BA4D2F090FBEB5408929122A8







Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:29:49 PM, on 4/26/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\system32\FSRremoS.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Pelmiced.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\TEMP\sophos_autoupdate1.dir\alupdate.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O12 - Plugin for .csm: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .csml: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cub: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cube: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .dx: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .emb: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .embl: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .gau: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .jdx: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mol: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mop: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .pdb: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .rxn: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .scr: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .skc: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .spt: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .tgf: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .xyz: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shock...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{118573F5-67CC-4AF6-8F38-9B43B81884D8}: NameServer = 169.237.1.250,169.237.250.250
O20 - AppInit_DLLs: c:\PROGRA~1\Sophos\SOPHOS~1\sophos_detoured.dll
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 5899 bytes





#20 ken545

ken545

    Malware Response Team


  • Malware Response Team
  • 1,685 posts
  • OFFLINE
  • Gender:Male
  • Location:The Space Coast of Florida
  • Local time:07:48 PM

Posted 26 April 2010 - 07:42 PM

Looking good, how are things running now ?



#21 babybrowneyez

babybrowneyez
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  • Local time:07:48 PM

Posted 27 April 2010 - 11:20 AM

Better actually.....thanks so much for your help!!!

#22 ken545

ken545

    Malware Response Team


  • Malware Response Team
  • 1,685 posts
  • OFFLINE
  • Gender:Male
  • Location:The Space Coast of Florida
  • Local time:07:48 PM

Posted 27 April 2010 - 11:34 AM

Great! Glad things are better for you.


ATF Cleaner <-- Yours to keep, run it now and then to clean out the clutter.

Malwarebytes <-- Yours to keep also, check for updates and run a scan now and then.

Combofix <--- Is not a general cleaning tool; just run it with supervision or you can bork your system.
  • Click START then RUN
  • Now type Combofix /uninstall in the runbox and click OK.
Note the space between the X and the /, it needs to be there.

  • When shown the disclaimer, Select "2"

The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.



Now to remove most of the tools that we have used in fixing your machine:
  • Make sure you have an Internet Connection.
  • Download OTC to your desktop and run it
  • A list of tool components used in the cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
  • Click Yes to begin the cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.




QUOTE
Keep in mind if you install some of these programs: only ONE Anti Virus and only ONE Firewall is recommended; more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster and Spyware Guard, they will conflict with the TeaTimer in Spybot; you can still install Spybot Search and Destroy but do not enable the TeaTimer.



Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community:
  • Spybot Search and Destroy 1.6
    Check for Updates, Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster (Recommended) then do not enable the TeaTimer in Spybot Search and Destroy.
  • Spyware Blaster It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.
  • Spyware Guard It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.
  • IE-Spyad
    IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • Firefox 3 It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, you can use them both.


Safe Surfn
Ken
