Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Unknown Infection - smtp connections opened by services.exe


  • This topic is locked This topic is locked
12 replies to this topic

#1 rokkoralph

rokkoralph

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:30 AM

Posted 15 April 2010 - 10:01 PM

Hello, thank you for taking a look.

I've been using scanners to remove malware, but each time I think the coast is clear something comes back. I've used malwarebytes, spybot s&d, and super antispyware to remove malware such as:
ave.exe
wmpscfgs.exe
These seem to be removed but I think something else is persisting that continues to install other malware.

I'm connected to my isp through a wireless router. I notice the malware activity whenever I enable my wireless connection. Netstat shows no connections with it disabled, but as soon as it is, the number of smtp connections continue to grow. It says the originating process is services.exe but this seems to be the system instance and can't be terminated. Windows firewall doesn't seem to do anything and it is sometimes disabled by some of the malware.

Please let me know if you need more info.

Dave


DDS (Ver_10-03-17.01) - NTFSx86
Run by David Krolick at 21:25:51.34 on Thu 04/15/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3327.2661 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\GW\GBUSSNet Client 4.6\cvpnd.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
C:\Program Files\ASUS\EPU-4 Engine\FourEngine.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
"C:\WINDOWS\System32\svchost.exe"
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\David Krolick\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig?hl=en
uInternet Settings,ProxyOverride = *.local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
uRun: [AdobeUpdater] "c:\program files\common files\adobe\updater5\AdobeUpdater.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
mRun: [HDAudDeck] c:\program files\via\viaudioi\hdadeck\HDeck.exe 1
mRun: [Six Engine] "c:\program files\asus\epu-4 engine\FourEngine.exe" -b
mRun: [NIS] "c:\program files\nortoninstaller\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis\a5e82d02\16.7.0.30\InstStub.exe" /RELAUNCH /RUNONCE /PRODID NIS
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes Anti-Malware (rootkit-scan)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mPolicies-system: EnableLUA = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - hxxp://download2.citrix.com/files/en/products/client/ica/current/wficac.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1170125096841
DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} - hxxps://accounting.quickbooks.com/c1/v16.629/qboax10.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://vpn.gwu.edu/dana-cached/setup/JuniperSetupSP1.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://n2o.workscape.com/dana-cached/sc/JuniperSetupClient.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R1 NEOFLTR_540_11529;Juniper Networks TDI Filter Driver (NEOFLTR_540_11529);c:\windows\system32\drivers\NEOFLTR_540_11529.sys [2007-1-29 57591]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-11-13 92008]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-2-8 24652]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2010-3-14 1390976]
S0 tclondrv;tclondrv;c:\windows\system32\drivers\tclondrv.sys --> c:\windows\system32\drivers\tclondrv.sys [?]
S2 gupdate;Google Update Service (gupdate);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]
S3 diskchk;diskchk;\??\c:\windows\system32\diskchk.sys --> c:\windows\system32\diskchk.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-9-8 189792]
S4 aymvqxjb;aymvqxjb;c:\windows\system32\drivers\ygbeoyk.sys [2010-4-13 54016]
S4 cmuqdekg;cmuqdekg;c:\windows\system32\drivers\ytafs.sys [2010-4-13 54016]
S4 rgyn;rgyn;c:\windows\system32\drivers\qignppyr.sys [2010-4-13 54016]

============== File Associations ===============

.txt=

=============== Created Last 30 ================

2010-04-15 04:52:22 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-04-15 04:52:15 0 d-----w- c:\program files\SUPERAntiSpyware
2010-04-15 04:52:15 0 d-----w- c:\docume~1\davidk~1\applic~1\SUPERAntiSpyware.com
2010-04-15 04:52:02 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-04-15 01:50:57 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-04-15 01:50:57 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-04-14 18:50:09 45632 ----a-w- c:\windows\system32\taskswitch.exe
2010-04-14 14:41:00 0 d-----w- c:\program files\TrendMicro
2010-04-14 02:33:24 54016 ----a-w- c:\windows\system32\drivers\ygbeoyk.sys
2010-04-14 02:09:36 54016 ----a-w- c:\windows\system32\drivers\qignppyr.sys
2010-04-14 02:04:10 54016 ----a-w- c:\windows\system32\drivers\ytafs.sys
2010-04-13 23:01:17 823808 ----a-w- c:\windows\system32\drivers\enotclz.sys
2010-04-13 21:40:56 0 d-----w- c:\docume~1\davidk~1\applic~1\Malwarebytes
2010-04-13 21:40:49 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-13 21:40:48 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-13 21:40:48 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-13 21:40:48 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-13 21:29:17 0 d-----w- c:\docume~1\alluse~1\applic~1\avG
2010-04-13 19:55:05 33280 ----a-w- c:\windows\system32\rundll32.exe
2010-04-13 19:55:05 31232 ----a-w- c:\windows\system32\OLDF70.tmp
2010-04-13 19:55:00 31232 ----a-w- c:\windows\system32\OLDF6D.tmp
2010-04-13 19:55:00 15360 -c--a-w- c:\windows\system32\dllcache\ctfmon.exe
2010-04-13 19:55:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
2010-04-13 19:54:31 0 d-----w- C:\spoolerlogs
2010-04-13 19:54:28 0 d-----w- c:\docume~1\davidk~1\applic~1\5FC5B5DBEC4FB6DDBA9E7D50E8371632
2010-04-13 18:17:03 0 d-----w- c:\docume~1\davidk~1\applic~1\Office Genuine Advantage
2010-04-06 22:40:40 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-31 14:50:43 0 d-----w- c:\program files\No-IP

==================== Find3M ====================

2010-03-11 12:38:54 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38:51 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-24 12:31:30 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-19 23:47:50 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2010-02-16 13:17:38 2137088 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 12:39:04 2016768 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:36:09 100864 ----a-w- c:\windows\system32\6to4svc.dll

============= FINISH: 21:26:38.50 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:06:30 AM

Posted 15 April 2010 - 10:53 PM

Hello rokkoralph,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • Finally, please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.

Cleaning this type of infection may require multiple tools and multiple posts. I will let you know when you are all clean.
Even if your machine acts clean it may not be clean.

1.
Download and Run RKill
    Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4

  • Before we begin, you should disable your anti-malware softwares you have installed so they do not interfere RKill running as some anti-malware softwares detect RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply

2.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick combofix's window while its running because it may cause it to stall.

3.
    1. Please download OTL from one of the following mirrors:
  • This is THE Mirror
    2. Save it to your desktop.
    3. Double click on the icon on your desktop.
    4. Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    kbdclass.sys
    atapi.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT

    5. Push the Quick Scan button.
    6. Two reports will open, copy and paste them in a reply here:
  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized

Things to include in your next reply:
Combofix.txt
OLT.txt
Extra.txt
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#3 rokkoralph

rokkoralph
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:30 AM

Posted 16 April 2010 - 12:59 PM

When enabling the wireless I get the following connections:

Proto Local Address Foreign Address State PID
TCP cracker:1123 192.168.1.38:netbios-ssn TIME_WAIT 0
TCP cracker:1124 192.168.1.38:netbios-ssn TIME_WAIT 0
TCP cracker:2869 192.168.1.1:1082 TIME_WAIT 0
TCP cracker:2869 192.168.1.1:1080 TIME_WAIT 0
TCP cracker:2869 192.168.1.1:1083 TIME_WAIT 0
TCP cracker:2869 192.168.1.1:1077 TIME_WAIT 0
TCP cracker:2869 192.168.1.1:1076 TIME_WAIT 0
TCP cracker:2869 192.168.1.1:1079 TIME_WAIT 0


It seemed to just be the router, but then when I tried a little later I had these:

Proto Local Address Foreign Address State PID
TCP cracker:1160 i104.panamamails.com:http LAST_ACK 1072
C:\WINDOWS\System32\WS2_32.dll
C:\WINDOWS\system32\WININET.dll
[svchost.exe]

TCP cracker:1164 i104.panamamails.com:http TIME_WAIT 0
TCP cracker:1168 i104.panamamails.com:http TIME_WAIT 0
TCP cracker:1170 192.168.1.38:netbios-ssn TIME_WAIT 0
TCP cracker:1171 192.168.1.38:netbios-ssn TIME_WAIT 0
TCP cracker:1174 i104.panamamails.com:http TIME_WAIT 0
TCP cracker:1176 68.169.82.147:http TIME_WAIT 0
TCP cracker:1177 68.169.82.147:http TIME_WAIT 0
TCP cracker:1180 i104.panamamails.com:http TIME_WAIT 0


In future calls the connections went back down to nothing again. Before the fixes there were around 20-30 connections through smtp.

Attached Files



#4 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:06:30 AM

Posted 16 April 2010 - 05:06 PM

Hello,

1.
We need to disable Spybot S&D's "TeaTimer"
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can reenable it when we're done if you like.
  1. Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  2. If prompted with a legal dialog, accept the warning.
  3. Click and then on "Advanced Mode"
  4. You may be presented with a warning dialog. If so, press
  5. Click on
  6. Click on
  7. Uncheck this checkbox:
  8. Close/Exit Spybot Search and Destroy

2.
Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This changed from what we know in 2006 read this article:

http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player.

3.
Print out these instructions to use while in the Recovery Console: (This is for XP only)

1. Restart your computer.
2. Before Windows loads, you will be prompted to choose which Operating System to start.
3. Use the up and down arrow key to select Microsoft Windows Recovery Console
4. You must enter which Windows installation to log onto. Type 1 and press 'Enter'.
5. At the C:\Windows prompt, type the following bolded entries, and press 'Enter' after each one (note the spaces):

cd c:\windows\system32\drivers
ren kbdclass.sys kbdclass.old
copy C:\WINDOWS\ServicePackFiles\i386\kbdclass.sys c:\windows\system32\drivers
exit


You should see a message '1 file copied'. If you did not see that message, try again and ensure there is a space after the word copy and another space between the file paths.
(if you do not see 1 file copied on the screen, even after ensuring the commands are correct, rename the file back to it's original name by typing the following command then hitting Enter.
ren atapi.old atapi.sys
you should NOT be prompted to overwrite an existing file, but if you are, select No then type exit to restart and notify me of your results)

6. Type exit and press 'Enter'. Your computer should reboot.

4.
We need to run a CFScript.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

CODE
File::
c:\windows\system32\OLDF70.tmp
c:\windows\system32\OLDF6D.tmp
C:\Documents and Settings\All Users\Application Data\3694824434
C:\Documents and Settings\David Krolick\Local Settings\Application Data\3694824434
C:\Documents and Settings\David Krolick\Local Settings\Application Data\Iko7jl2FHAai
C:\Documents and Settings\All Users\Application Data\Iko7jl2FHAai
C:\Documents and Settings\David Krolick\Local Settings\Application Data\50vGiJ1FW7x2
C:\Documents and Settings\All Users\Application Data\2509137411
C:\Documents and Settings\NetworkService\Local Settings\Application Data\50vGiJ1FW7x2
C:\Documents and Settings\All Users\Application Data\50vGiJ1FW7x2
C:\Documents and Settings\David Krolick\Local Settings\Application Data\7SkRgtbX5FlAM
C:\Documents and Settings\All Users\Application Data\7SkRgtbX5FlAM
C:\Documents and Settings\David Krolick\Local Settings\Application Data\1040348557
C:\Documents and Settings\All Users\Application Data\1040348557
C:\Documents and Settings\David Krolick\Local Settings\Application Data\4T227ly4
C:\Documents and Settings\All Users\Application Data\4T227ly4

FCopy::
c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys | c:\windows\system32\dllcache\tcpip.sys
c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys | c:\windows\ServicePackFiles\i386\tcpip.sys
c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys | c:\windows\system32\drivers\tcpip.sys
c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys | c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\tcpip.sys
c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys | c:\windows\$NtServicePackUninstall$\tcpip.sys

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"=-

Regnull::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{0C0DD146-A2A6-BFA4-F4B84228CE730E88}\{718890A1-4FA8-4866-06B3B07592C0C36E}\{C0B10667-122D-45CB-48A7F7AE622314D0}*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{3782D402-1413-2B4D-D5B93EB7648B29D4}\{9536055C-1E13-65AB-BABDBD84391B7DD3}\{70487E18-04C4-4686-6F59FE851A688CA9}*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{3B5DF6D1-E5A7-C88F-E124335B2AC10D6E}\{9E45AC21-0624-AFA6-0D9A316C99DC6801}\{4DB4AD3D-4DE2-41AE-499E94A6C8AFFBE1}*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{9F5A92A2-B329-46CC-1B7090FE4262F142}\{3D41E9B5-DA3D-E370-0314048CD4A11D7E}\{F612533D-2F2D-C745-8F22D9CBAAB0FDB6}*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B7C188CC-C656-22D1-E21234AD513F53A3}\{781F7726-F470-BDBE-E3632254F9ABE08C}\{D5A0EB3A-C033-B7E9-DCA15AB75FD5AB8C}*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EF6C66C5-6F12-D03C-CBD6A967D3458FDE}\{1BFBC393-D5EA-0E65-643DBB56CFD38894}\{E801FD1E-2051-63AF-31DD653F6F47DAA3}*]

Reglock::
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE]


Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Things to include in your next reply:
Combofix.txt
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#5 rokkoralph

rokkoralph
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:30 AM

Posted 16 April 2010 - 07:28 PM

On step 3 when I restart, the choice seems to be displaying, but it is skipped over and the boot proceeds without my intervention. Is there another way I can select this?

#6 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:06:30 AM

Posted 16 April 2010 - 10:46 PM

Hello,

QUOTE
On step 3 when I restart, the choice seems to be displaying, but it is skipped over and the boot proceeds without my intervention. Is there another way I can select this?


Right when you see the choice displaying use up and down arrows to go to Recovery console.

If your have a WindowsXP CD you can boot into Recovery Console using it also

See here

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#7 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:06:30 AM

Posted 18 April 2010 - 07:49 AM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 2-3 days the topic will need to be closed.

Thanks for understanding smile.gif

With Regards,
fireman4it

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#8 rokkoralph

rokkoralph
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:30 AM

Posted 19 April 2010 - 10:48 PM

Sorry for the delay. It wasn't pausing at the os screen to let me select the recovery console, but I was able to get there using f5 during boot. Completed all steps in the previous email.

While enabling the wireless, these were the only connections that I didn't recognize:

TCP cracker:1083 65.55.27.219:https ESTABLISHED 1048
c:\windows\system32\WS2_32.dll
C:\WINDOWS\System32\WINHTTP.dll
[svchost.exe]

TCP cracker:1086 cds879.iad.llnw.net:http CLOSE_WAIT 1048
c:\windows\system32\WS2_32.dll
C:\WINDOWS\System32\WINHTTP.dll
[svchost.exe]

All disappeared after a short while and system seems to be running fine.

Attached Files


Edited by rokkoralph, 19 April 2010 - 11:04 PM.


#9 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:06:30 AM

Posted 20 April 2010 - 07:27 PM

Hello,

Your logs look good lets do some final checking and update some stuff.

QUOTE
While enabling the wireless, these were the only connections that I didn't recognize:

TCP cracker:1083 65.55.27.219:https ESTABLISHED 1048
c:\windows\system32\WS2_32.dll
C:\WINDOWS\System32\WINHTTP.dll
[svchost.exe]

TCP cracker:1086 cds879.iad.llnw.net:http CLOSE_WAIT 1048
c:\windows\system32\WS2_32.dll
C:\WINDOWS\System32\WINHTTP.dll
[svchost.exe]

All disappeared after a short while and system seems to be running fine.

These are legit program from your Microsoft installation. They are used to link your internet connection and your network.


1.
Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 20 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

2.
Please download Malwarebytes Anti-Malware (v1.44) and save it to your desktop.MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

3.
I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
Note for Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.)

You can refer to this short video by: neomage
**Note**
To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Things to include in your next reply:
MBAM log
ESET log
A new DDS log
No need for Attach.txt
Your machine still running ok?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#10 rokkoralph

rokkoralph
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:30 AM

Posted 21 April 2010 - 11:22 AM

system is running ok.

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4014

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

4/21/2010 9:43:12 AM
mbam-log-2010-04-21 (09-43-12).txt

Scan type: Quick scan
Objects scanned: 112428
Time elapsed: 2 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Attached Files

  • Attached File  eset.txt   26.96KB   7 downloads
  • Attached File  DDS.txt   9.35KB   4 downloads


#11 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:06:30 AM

Posted 21 April 2010 - 07:08 PM

Hello,

1.
Uninstall Combofix
  • Make sure that Combofix.exe that you downloaded is on your Desktop but Do not run it!
    o *If it is not on your Desktop, the below will not work.
  • Click on then Run....
  • Now copy & paste the green bolded text in the run-box and click OK.

    ComboFix /Uninstall



    between the "x" and "/".> <--- It needs to be there
    Windows Vista users: Press the Windows Key + R to bring the Run... Command and then from there you can add in the Combofix /Uninstall


  • Please advise if this step is missed for any reason as it performs some important actions:
    "This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.
    It also makes a clean Restore Point and flashes all the old restore points in order to prevent possible reinfection from an old one through system restore".

2.
Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big button.
  • You will get a prompt saying "Being Cleanup Process". Please select Yes.
  • Restart your computer when prompted.


3.
Congradulations your log is clean!

For a nice list of freeware programmes in all categories, please have a look at this thread with freeware products that are regarded as useful by the users of this forum: Commonly Used Freeware Replacements.
Please also have a look at the following links, giving some advice and suggestions for preventing future infections:
  • So How did I get infected?
  • Microsoft - 'Security at home'
  • Miekies' prevention suggestions

    I recommend you regularly visit the Windows Update Site , you where lagging behind on a few of them!
    • Lots of Hacking/Trojans use the methods found (plugged by the updates) that have not been stopped by people not updating.
    • By updating your machine, you have one less headache!
    • Update ALL Critical updates and any other Windows updates for services/programs that you use.
    • If you wish, you can also use automatic updates. This is a good thing to have if you want to be up-to-date all the time, but can also be a bit of an annoyance due to its handling and the sizes of the updates. If you wish to turn on automatic updates then you will find here is a nice little article about turning on automatic updates.
    • Note that it will download them for you, but you still have to actually click install.
    • If you do not want to have automatic updates turned on, or are on dial-up, you can always download updates seperately at: http://windowsupdate.microsoft.com.
    It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

    Another recommend, is to download HostMan. It safeguards you with a regularly updated Hosts-file that blocks dangerous sites from opening. This adds another bit of safety while surfing the Internet. For installlation and setting up, follow these steps:
    1. Double-click the Downloaded installer and install the tool to a location of your choice
    2. Via the Startmenu, navigate to HostsMan and run the program.
      [list=a]
    3. Click "Hosts" in the menu
    4. Click "Manage Updates" in the submenu
    5. Out of the three, select atleast one of the three (I have MVPS Host as my main one)
    6. Click "Add Update." After that you will only need to click on the following button to retrieve updates:
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

  • Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

    Simple and easy ways to keep your computer safe and secure on the Internet

    Glad I was able to help and if there any other problems related to your computer please feel free to post them in the appropriate forum. Though we help people with spyware and viruses here at BC, we also help people with other computer problems! Do not forget to tell your friends about us!

    " Extinguishing Malware from the world"

    The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

    ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
    Thanks-


      userbar_eis_500.gif

    If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


    #12 rokkoralph

    rokkoralph
    • Topic Starter

    • Members
    • 6 posts
    • OFFLINE
    •  
    • Local time:08:30 AM

    Posted 23 April 2010 - 07:51 AM

    Thank you for all of your help and the info above. Much appreciated!

    #13 fireman4it

    fireman4it

      Bleepin' Fireman


    • Malware Response Team
    • 13,512 posts
    • OFFLINE
    •  
    • Gender:Male
    • Location:Greenup, Ill USA
    • Local time:06:30 AM

    Posted 23 April 2010 - 11:12 AM

    This thread will now be closed since the issue seems to be resolved.

    If you need this topic reopened, please send a Private Message to any one of the moderating team member or myself. Please include a link to this thread with your request. This applies only to the originator of this thread.

    Other members who need assistance please start your own topic in a new thread. Thanks!

    The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.

    " Extinguishing Malware from the world"

    The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

    ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
    Thanks-


      userbar_eis_500.gif

    If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif





    0 user(s) are reading this topic

    0 members, 0 guests, 0 anonymous users