Unknown Infection: Blocks A-V and Windows Update


  • This topic is locked
18 replies to this topic

#1 Bloodsong

  • Members
  • 9 posts

Posted 27 April 2010 - 11:24 AM

So my wife brought out her old computer from school and said "I can't do updates".
So I figure I have to register some DLLs, have a look, and before going through the hassle of running a batch script full of regsvr32 commands I decided to check just how bunged up it was.

Found I can't get to any AV sites ('cept ClamWin, but not ClamAV, so no updates).

Switch to safe mode, all signs of the infection are gone; I can go to updates and A-V sites, but of course you can't run Windows Update in safe mode.

Updated my Anti-Virus, switched back to normal mode.

Before running a scan I decide to poke about a bit. Pulled up the ARP table and I could actually watch as the infection one by one spoofed MAC 00000000 to each IP in the subnet seeking responses.

So I use Netstat, find a few suspect things I get rid of, still no updates.
So I boot up Rootkit Revealer and run a scan, two suspect registry entries, follow and remove them and their associated files.
Run ClamWin with its updated CVD, find 2 more positives, remove those, still no updates/AV.

So, I'm at a loss. Here's my HijackThis log:

CODE
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:14:17 PM, on 27/04/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ClamAV\1.0.26\agent.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\Program Files\ClamAV\1.0.26\iptray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\DOCUME~1\Jenny\LOCALS~1\Temp\Temporary Directory 1 for HijackThis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=6070111
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://portal.utoronto.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=6070111
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [Immunet Protect] "C:\Program Files\ClamAV\1.0.26\iptray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {4A85DBE0-BFB2-4119-8401-186A7C6EB653} - http://messenger.zone.msn.com/binary/MJSS.cab69309.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1272051525562
O16 - DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} (GoBit Games Player) - http://www.shockwave.com/content/burgershop/sis/GoBitGamesPlayer_v4.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab57176.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: BAT - Sysinternals - www.sysinternals.com - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\BAT.exe
O23 - Service: ClamAV for Windows (ImmunetProtect) - Immunet Corporation - C:\Program Files\ClamAV\1.0.26\agent.exe

--
End of file - 4912 bytes



AND, just because I see some DLLs that don't ring bells being called when I do a Netstat, this as well:

CODE
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    JENNY:echo             JENNY:0                LISTENING       200
  [tcpsvcs.exe]

  TCP    JENNY:discard          JENNY:0                LISTENING       200
  [tcpsvcs.exe]

  TCP    JENNY:daytime          JENNY:0                LISTENING       200
  [tcpsvcs.exe]

  TCP    JENNY:qotd             JENNY:0                LISTENING       200
  [tcpsvcs.exe]

  TCP    JENNY:chargen          JENNY:0                LISTENING       200
  [tcpsvcs.exe]

  TCP    JENNY:epmap            JENNY:0                LISTENING       980
  c:\windows\system32\WS2_32.dll
  C:\WINDOWS\system32\RPCRT4.dll
  c:\windows\system32\rpcss.dll
  C:\WINDOWS\system32\svchost.exe
  C:\WINDOWS\system32\ADVAPI32.dll
  [svchost.exe]

  TCP    JENNY:microsoft-ds     JENNY:0                LISTENING       4
  [System]

  TCP    JENNY:7597             JENNY:0                LISTENING       108
  [svchost.exe]

  TCP    JENNY:1034             JENNY:0                LISTENING       128
  [alg.exe]

  TCP    JENNY:netbios-ssn      JENNY:0                LISTENING       4
  [System]

  TCP    JENNY:1636             143.215.143.11:http    SYN_SENT        108
  c:\windows\system32\WS2_32.dll
  C:\WINDOWS\system32\WININET.dll
  [svchost.exe]

  TCP    JENNY:1637             221.7.91.31:http       SYN_SENT        108
  c:\windows\system32\WS2_32.dll
  C:\WINDOWS\system32\WININET.dll
  [svchost.exe]

  TCP    JENNY:1638             74.208.64.145:http     SYN_SENT        108
  c:\windows\system32\WS2_32.dll
  C:\WINDOWS\system32\WININET.dll
  [svchost.exe]

  TCP    JENNY:1645             143.215.143.11:http    SYN_SENT        108
  c:\windows\system32\WS2_32.dll
  C:\WINDOWS\system32\WININET.dll
  [svchost.exe]

  TCP    JENNY:1639             localhost:1640         ESTABLISHED     224
  [firefox.exe]

  TCP    JENNY:1640             localhost:1639         ESTABLISHED     224
  [firefox.exe]

  TCP    JENNY:1642             localhost:1643         ESTABLISHED     224
  [firefox.exe]

  TCP    JENNY:1643             localhost:1642         ESTABLISHED     224
  [firefox.exe]

  TCP    JENNY:1641             portal.lms.utoronto.ca:http  ESTABLISHED     4
  [firefox.exe]

  TCP    JENNY:1644             portal.lms.utoronto.ca:https  ESTABLISHED     44
  [firefox.exe]

  TCP    JENNY:echo             JENNY:0                LISTENING       200
  [tcpsvcs.exe]

  TCP    JENNY:discard          JENNY:0                LISTENING       200
  [tcpsvcs.exe]

  TCP    JENNY:daytime          JENNY:0                LISTENING       200
  [tcpsvcs.exe]

  TCP    JENNY:qotd             JENNY:0                LISTENING       200
  [tcpsvcs.exe]

  TCP    JENNY:chargen          JENNY:0                LISTENING       200
  [tcpsvcs.exe]

  TCP    JENNY:epmap            JENNY:0                LISTENING       980
  -- unknown component(s) --
  [svchost.exe]

  UDP    JENNY:1027             *:*                                    123
  C:\WINDOWS\system32\mswsock.dll
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\DNSAPI.dll
  c:\windows\system32\dnsrslvr.dll
  C:\WINDOWS\system32\RPCRT4.dll
  [svchost.exe]

  UDP    JENNY:chargen          *:*                                    200
  [tcpsvcs.exe]

  UDP    JENNY:1345             *:*                                    201
  [agent.exe]

  UDP    JENNY:1384             *:*                                    123
  C:\WINDOWS\system32\mswsock.dll
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\DNSAPI.dll
  c:\windows\system32\dnsrslvr.dll
  C:\WINDOWS\system32\RPCRT4.dll
  [svchost.exe]

  UDP    JENNY:isakmp           *:*                                    744
  [lsass.exe]

  UDP    JENNY:microsoft-ds     *:*                                    4
  [System]

  UDP    JENNY:1609             *:*                                    201
  [agent.exe]

  UDP    JENNY:1268             *:*                                    201
  [agent.exe]

  UDP    JENNY:1338             *:*                                    201
  [agent.exe]

  UDP    JENNY:1028             *:*                                    201
  [agent.exe]

  UDP    JENNY:1346             *:*                                    201
  [agent.exe]

  UDP    JENNY:1385             *:*                                    123
  C:\WINDOWS\system32\mswsock.dll
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\DNSAPI.dll
  c:\windows\system32\dnsrslvr.dll
  C:\WINDOWS\system32\RPCRT4.dll
  [svchost.exe]

  UDP    JENNY:discard          *:*                                    200
  [tcpsvcs.exe]

  UDP    JENNY:daytime          *:*                                    200
  [tcpsvcs.exe]

  UDP    JENNY:qotd             *:*                                    200
  [tcpsvcs.exe]

  UDP    JENNY:1312             *:*                                    201
  [agent.exe]

  UDP    JENNY:1378             *:*                                    123
  C:\WINDOWS\system32\mswsock.dll
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\DNSAPI.dll
  c:\windows\system32\dnsrslvr.dll
  C:\WINDOWS\system32\RPCRT4.dll
  [svchost.exe]

  UDP    JENNY:1356             *:*                                    201
  [agent.exe]

  UDP    JENNY:1386             *:*                                    123
  C:\WINDOWS\system32\mswsock.dll
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\DNSAPI.dll
  c:\windows\system32\dnsrslvr.dll
  C:\WINDOWS\system32\RPCRT4.dll
  [svchost.exe]

  UDP    JENNY:1355             *:*                                    201
  [agent.exe]

  UDP    JENNY:1258             *:*                                    201
  [agent.exe]

  UDP    JENNY:1387             *:*                                    123
  C:\WINDOWS\system32\mswsock.dll
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\DNSAPI.dll
  c:\windows\system32\dnsrslvr.dll
  C:\WINDOWS\system32\RPCRT4.dll
  [svchost.exe]

  UDP    JENNY:1173             *:*                                    201
  [agent.exe]

  UDP    JENNY:1398             *:*                                    123
  C:\WINDOWS\system32\mswsock.dll
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\DNSAPI.dll
  c:\windows\system32\dnsrslvr.dll
  C:\WINDOWS\system32\RPCRT4.dll
  [svchost.exe]

  UDP    JENNY:1270             *:*                                    201
  [agent.exe]

  UDP    JENNY:1344             *:*                                    201
  [agent.exe]

  UDP    JENNY:4500             *:*                                    744
  [lsass.exe]

  UDP    JENNY:echo             *:*                                    200
  [tcpsvcs.exe]

  UDP    JENNY:1900             *:*                                    140
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\ssdpsrv.dll
  C:\WINDOWS\system32\ADVAPI32.dll
  C:\WINDOWS\system32\kernel32.dll
  [svchost.exe]

  UDP    JENNY:1900             *:*                                    140
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\ssdpsrv.dll
  C:\WINDOWS\system32\ADVAPI32.dll
  C:\WINDOWS\system32\kernel32.dll
  [svchost.exe]

  UDP    JENNY:netbios-dgm      *:*                                    4
  [System]

  UDP    JENNY:router           *:*                                    108
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\iprip.dll
  C:\WINDOWS\System32\svchost.exe
  C:\WINDOWS\system32\ADVAPI32.dll
  C:\WINDOWS\system32\kernel32.dll
  [svchost.exe]

  UDP    JENNY:netbios-ns       *:*                                    4
  [System]

  UDP    JENNY:daytime          *:*                                    200
  [tcpsvcs.exe]

  UDP    JENNY:qotd             *:*                                    200
  [tcpsvcs.exe]

  UDP    JENNY:echo             *:*                                    200
  [tcpsvcs.exe]

  UDP    JENNY:chargen          *:*                                    200
  [tcpsvcs.exe]

  UDP    JENNY:discard          *:*                                    200
  [tcpsvcs.exe]


Merged posts. ~ OB

Edited by Orange Blossom, 28 April 2010 - 11:40 PM.
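The ARP sweep the poster watched by hand (unresolved entries with an all-zero hardware address showing up at one subnet address after another) can be spotted by diffing two `arp -a` snapshots. This is an added example, not code from the thread or from any tool named in it; it assumes XP-style `arp -a` column layout, and the two snapshots, the 192.168.1.0/24 addresses and the MACs in them are constructed for the demonstration.

```python
"""Spot a subnet sweep by diffing two `arp -a` snapshots.

Added example, not code from the original thread. Assumes XP-style `arp -a`
output (Internet Address / Physical Address / Type columns) and two constructed
snapshots taken a few seconds apart, modelled on what the poster describes:
all-zero-MAC entries appearing at consecutive addresses because nobody answered.
"""
import ipaddress
import re

ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)",
    re.IGNORECASE)
ZERO_MAC = "00-00-00-00-00-00"

# Constructed snapshots (private 192.168.1.0/24, made-up MACs).
SNAPSHOT_T0 = """\
Interface: 192.168.1.5 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-1a-2b-3c-4d-5e     dynamic
  192.168.1.7           00-11-22-33-44-55     dynamic
"""

SNAPSHOT_T1 = """\
Interface: 192.168.1.5 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-1a-2b-3c-4d-5e     dynamic
  192.168.1.7           00-11-22-33-44-55     dynamic
  192.168.1.10          00-00-00-00-00-00     dynamic
  192.168.1.11          00-00-00-00-00-00     dynamic
  192.168.1.12          00-00-00-00-00-00     dynamic
  192.168.1.13          00-00-00-00-00-00     dynamic
  192.168.1.14          00-00-00-00-00-00     dynamic
  192.168.1.15          00-00-00-00-00-00     dynamic
  192.168.1.16          00-00-00-00-00-00     dynamic
"""


def parse_arp(text):
    """Map ip -> (mac, type) for each entry line; header and interface lines are skipped."""
    entries = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            ip, mac, kind = m.groups()
            entries[ip] = (mac.lower(), kind.lower())
    return entries


def unresolved(entries):
    """Addresses that were probed but never answered (all-zero MAC), numerically sorted."""
    return sorted(ipaddress.ip_address(ip)
                  for ip, (mac, _) in entries.items() if mac == ZERO_MAC)


def sweep_report(before_text, after_text, min_new=5):
    """Diff two snapshots and look for the one-by-one pattern.

    A sweep shows up as many *new* unresolved entries forming a run of
    consecutive addresses; min_new is an illustrative threshold."""
    before = parse_arp(before_text)
    new = [ip for ip in unresolved(parse_arp(after_text)) if str(ip) not in before]
    longest = run = 0
    prev = None
    for ip in new:
        run = run + 1 if prev is not None and int(ip) == int(prev) + 1 else 1
        longest = max(longest, run)
        prev = ip
    return {
        "new_unresolved": [str(ip) for ip in new],
        "longest_consecutive_run": longest,
        "sweep_suspected": len(new) >= min_new and longest >= min_new,
    }


if __name__ == "__main__":
    print(sweep_report(SNAPSHOT_T0, SNAPSHOT_T1))
```

A hit from this only says that something on the host is probing its neighbours; pairing the timestamp with a `netstat -anob` snapshot is what ties it to a process, which is the next thing the poster did.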

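The pasted `netstat -anob` output is what the poster combed through for "suspect things"; the pattern that stands out in it is one PID (108, svchost.exe) with half-open (SYN_SENT) attempts to several unrelated external web servers within seconds. The following is an added example, not code from the thread or from any tool in it, that parses that layout and reports per-process fan-out to external hosts plus the TCP listener inventory. The sample it runs on is constructed to match the poster's layout (hostname `JENNY` kept), with foreign addresses taken from the RFC 5737 documentation ranges, and the `min_hosts` threshold is illustrative.

```python
"""Triage a `netstat -anob` dump: which process is reaching out to what.

Added example, not code from the original thread. Assumes the layout the poster
pasted (connection line, then indented module paths, then the bracketed image
name) and feeds it a constructed sample in that layout; the foreign addresses
are RFC 5737 documentation addresses.
"""
import ipaddress
import re
from collections import defaultdict

CONN_LINE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+"
    r"(LISTENING|ESTABLISHED|SYN_SENT|TIME_WAIT|CLOSE_WAIT)?\s*(\d+)\s*$")
IMAGE_LINE = re.compile(r"^\s*\[(.+?)\]\s*$")

# Never "outside": loopback, link-local and RFC 1918 space.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "169.254.0.0/16", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in the poster's layout.
SAMPLE = r"""
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    JENNY:7597             JENNY:0                LISTENING       108
  [svchost.exe]

  TCP    JENNY:1636             203.0.113.11:http      SYN_SENT        108
  c:\windows\system32\WS2_32.dll
  C:\WINDOWS\system32\WININET.dll
  [svchost.exe]

  TCP    JENNY:1637             198.51.100.31:http     SYN_SENT        108
  [svchost.exe]

  TCP    JENNY:1638             192.0.2.145:http       SYN_SENT        108
  [svchost.exe]

  UDP    JENNY:1027             *:*                                    123
  c:\windows\system32\DNSAPI.dll
  [svchost.exe]
"""


def parse_netstat(text):
    """Attach the module paths and [image] line that follow each connection line."""
    records, current = [], None
    for line in text.splitlines():
        m = CONN_LINE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            current = {"proto": proto, "local": local, "remote": remote,
                       "state": state or "", "pid": int(pid), "image": None, "modules": []}
            records.append(current)
        elif current is not None:
            m = IMAGE_LINE.match(line)
            if m:
                current["image"] = m.group(1)
            elif line.strip().lower().endswith(".dll"):
                current["modules"].append(line.strip())
    return records


def host_part(addr):
    return addr.rsplit(":", 1)[0]  # '203.0.113.11:http' -> '203.0.113.11'


def is_external(addr, hostname):
    """True when the foreign address is neither this box nor its private networks."""
    name = host_part(addr)
    if name in ("*", "localhost") or name.upper() == hostname.upper():
        return False
    try:
        ip = ipaddress.ip_address(name)
    except ValueError:
        return True  # a DNS name: treat as outside
    return not any(ip in net for net in LOCAL_NETS)


def outbound_fanout(records, hostname, min_hosts=3):
    """Per PID, the distinct external hosts it talks (or tries to talk) to.
    One process fanning out to several unrelated hosts, with the attempts stuck
    in SYN_SENT, is a lead to check against a clean baseline, not a verdict."""
    hosts, syn_sent, image = defaultdict(set), defaultdict(int), {}
    for r in records:
        if r["proto"] != "TCP" or r["state"] not in ("SYN_SENT", "ESTABLISHED"):
            continue
        if not is_external(r["remote"], hostname):
            continue
        pid = r["pid"]
        hosts[pid].add(host_part(r["remote"]))
        image[pid] = r["image"]
        if r["state"] == "SYN_SENT":
            syn_sent[pid] += 1
    return [{"pid": pid, "image": image[pid], "hosts": sorted(h), "syn_sent": syn_sent[pid]}
            for pid, h in sorted(hosts.items()) if len(h) >= min_hosts]


def listeners(records):
    """(port, image) for every TCP listener, to diff against a known-good machine."""
    return sorted((r["local"].rsplit(":", 1)[1], r["image"])
                  for r in records if r["state"] == "LISTENING")


if __name__ == "__main__":
    recs = parse_netstat(SAMPLE)
    print(outbound_fanout(recs, "JENNY"), listeners(recs))
```

svchost.exe hosts many legitimate services, including Windows Update, so the fan-out list is a starting point for `tasklist /svc` on the PID and a look at the loaded modules, not a detection on its own.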



#2 maranatha

    Whats That !

  • Malware Response Team
  • 1,229 posts
  • Gender:Male
  • Location:Seattle Washington

Posted 01 May 2010 - 07:38 PM

Hi Bloodsong
Welcome to Bleeping Computer.
I'm maranatha and I will be handling your log to help you get cleaned up.

Please do this.

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
    Please uncheck the following settings that we do not want in our scan.
  • Sections
  • IAT/EAT
  • Drives/Partition other than Systemdrive, which is typically C:\
  • Show All (This one is important, so do not miss it.)
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

Thanks
maranatha

Windows7 Professional 64 Bit

I'm going in the wrong direction to be in a hurry!

My help is always free, But I do accept donations.
Donate Here


#3 Bloodsong

  • Topic Starter

Posted 03 May 2010 - 01:18 PM

Hey maranatha,

Thanks for helping, the results were too large to paste into the reply so here they are:

http://pastebin.com/9SjHJcX4

#4 maranatha


Posted 03 May 2010 - 10:10 PM

Hi
Ok please do this.

Download HAMeb_check.exe to your Desktop and double click it to run the check.
Post the contents of the resulting log.

Thanks
maranatha



#5 Bloodsong

  • Topic Starter

Posted 04 May 2010 - 08:12 PM

C:\Documents and Settings\Jenny\Desktop\HAMeb_check.exe
04/05/2010 at 21:09:44.92

Account active No
Local Group Memberships

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

none found

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK

~~ Checking for termsrv32.dll ~~

termsrv32.dll was not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv.dll

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~


#6 maranatha


Posted 04 May 2010 - 11:44 PM

Hi
Please do the following.

Download ComboFix from Here to your Desktop.

It's best to disable realtime protection applications as they sometimes interfere with the tool.
Check this link for any applicable programs you may have.
  • Close all open programs and windows
  • Double click combofix.exe and follow the prompts.
  • Vista users right click Combofix.exe and select Run As Administrator.
  • When finished, it shall produce a log for you. Post the Combofix log
Note: Do not mouse click combofix's window while it's running. That may cause it to stall.

If you are prompted to install the Recovery Console, Please do so.

Thanks
maranatha



#7 maranatha


Posted 08 May 2010 - 12:34 AM

Hi
You still need help?

maranatha



#8 maranatha


Posted 11 May 2010 - 11:06 PM

Hi
If you still require help, please respond to this thread or it will be closed in 48 hours.

Thanks
maranatha



#9 Bloodsong

  • Topic Starter

Posted 13 May 2010 - 05:16 PM

Hi, sorry about the delay; it's been a few days since I could get at my wife's PC.

Here's the ComboFix log.
Still no DNS resolution with microsoft.com or anti-virus sites at this time.

CODE
ComboFix 10-05-13.02 - Jenny 13/05/2010  17:39:15.1.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.958.692 [GMT -4:00]
Running from: c:\documents and settings\Jenny\Desktop\ComboFix.exe
AV: ClamAV for Windows *On-access scanning disabled* (Updated) {F1220F1F-7E2E-48CD-846D-B98C6F85CD37}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\AbaleZip.dll

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IPRIP
-------\Service_Iprip


(((((((((((((((((((((((((   Files Created from 2010-04-13 to 2010-05-13  )))))))))))))))))))))))))))))))
.

2010-05-13 01:49 . 2010-05-13 01:49    --------    d-----w-    c:\documents and settings\Jenny\Local Settings\Application Data\IsolatedStorage
2010-05-13 01:28 . 2010-03-05 23:59    7163904    -c--a-w-    c:\documents and settings\All Users\Application Data\{6A6581E7-A8C3-4E51-A20A-AFD9427D7DB0}\OFFLINE\EA7B6B63\2234CE95\GTS08.dll
2010-05-06 18:17 . 2010-05-06 18:17    --------    d-----w-    c:\program files\Foxit Software
2010-05-03 13:57 . 2010-05-12 01:34    --------    d-----w-    c:\documents and settings\Jenny\FreePhoneLine
2010-05-03 13:56 . 2010-05-03 13:56    --------    d-----w-    c:\program files\FreePhoneLine
2010-05-01 02:21 . 2010-05-03 13:23    --------    d-----w-    c:\documents and settings\All Users\Application Data\NOS
2010-04-30 14:27 . 2010-04-30 14:27    --------    d-----w-    c:\documents and settings\Jenny\Application Data\Malwarebytes
2010-04-30 14:27 . 2010-04-29 19:39    38224    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-30 14:27 . 2010-04-30 14:27    --------    d-----w-    c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-30 14:27 . 2010-04-29 19:39    20952    ----a-w-    c:\windows\system32\drivers\mbam.sys
2010-04-30 14:27 . 2010-04-30 14:27    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2010-04-30 13:59 . 2010-04-30 13:59    --------    d-----w-    c:\program files\Common Files\Windows Live
2010-04-30 13:58 . 2010-04-30 14:01    --------    d-----w-    c:\documents and settings\Administrator\Contacts
2010-04-23 21:22 . 2010-04-23 21:22    --------    d-sh--w-    c:\documents and settings\NetworkService\IETldCache
2010-04-23 20:11 . 2010-04-23 20:11    --------    d-sh--w-    c:\documents and settings\Jenny\IECompatCache
2010-04-23 20:11 . 2010-04-23 20:11    --------    d-sh--w-    c:\documents and settings\Jenny\PrivacIE
2010-04-23 20:09 . 2010-04-23 20:09    29640    ----a-w-    c:\windows\system32\drivers\ImmunetSelfProtect.sys
2010-04-23 20:09 . 2010-04-23 20:09    20040    ----a-w-    c:\windows\system32\drivers\ImmunetMonitor.sys
2010-04-23 20:09 . 2010-04-23 20:09    38856    ----a-w-    c:\windows\system32\drivers\ImmunetProtect.sys
2010-04-23 20:09 . 2010-05-13 21:49    --------    d-----w-    c:\program files\ClamAV
2010-04-23 20:07 . 2010-04-23 20:07    --------    d-sh--w-    c:\documents and settings\Jenny\IETldCache
2010-04-23 20:02 . 2010-04-23 20:02    --------    d-sh--w-    c:\documents and settings\Administrator\IECompatCache
2010-04-23 20:02 . 2010-04-23 20:02    --------    d-sh--w-    c:\documents and settings\Administrator\PrivacIE
2010-04-23 20:01 . 2010-04-23 20:01    --------    d-sh--w-    c:\documents and settings\Administrator\IETldCache
2010-04-23 19:58 . 2010-04-23 19:58    --------    dc-h--w-    c:\windows\ie8
2010-04-23 19:49 . 2010-04-23 19:49    --------    d-----w-    c:\windows\ServicePackFiles
2010-04-23 19:48 . 2010-04-23 19:48    --------    d-----w-    c:\documents and settings\Administrator\Application Data\Talkback
2010-04-23 19:48 . 2010-04-23 19:48    --------    d-----w-    c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-04-23 19:45 . 2010-04-23 19:45    --------    d-----w-    c:\windows\EHome
2010-04-23 19:43 . 2010-04-23 19:43    --------    d-----w-    c:\program files\Attractel
2010-04-23 19:42 . 2010-04-23 19:42    --------    d-----w-    c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2010-04-23 19:39 . 2010-04-23 19:49    --------    d-----w-    c:\documents and settings\Administrator\Application Data\.clamwin
2010-04-23 19:38 . 2010-04-23 19:38    --------    d-sh--w-    c:\documents and settings\Administrator\UserData
2010-04-22 21:20 . 2010-04-22 21:20    --------    d-----w-    c:\documents and settings\Jenny\Application Data\.clamwin
2010-04-22 21:20 . 2010-04-22 21:20    --------    d-----w-    c:\program files\ClamWin
2010-04-22 21:20 . 2010-04-22 21:20    --------    d-----w-    c:\documents and settings\All Users\.clamwin

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-13 14:39 . 2007-01-30 03:29    --------    d--h--w-    c:\program files\InstallShield Installation Information
2010-05-13 01:29 . 2010-05-13 01:29    --------    d-----w-    c:\documents and settings\All Users\Application Data\TaxTron
2010-05-13 01:29 . 2010-05-13 01:28    --------    dc-h--w-    c:\documents and settings\All Users\Application Data\{6A6581E7-A8C3-4E51-A20A-AFD9427D7DB0}
2010-05-13 01:29 . 2010-05-13 01:29    --------    d-----w-    c:\program files\TaxTron
2010-05-12 00:31 . 2007-01-19 18:54    41664    ----a-w-    c:\documents and settings\Jenny\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-06 18:15 . 2007-08-23 19:10    --------    d-----w-    c:\documents and settings\Jenny\Application Data\OpenOffice.org2
2010-05-03 13:56 . 2008-03-10 23:41    --------    d-----w-    c:\program files\Common Files\Java
2010-04-30 13:59 . 2010-04-23 19:34    41664    ----a-w-    c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-29 19:45 . 2010-05-13 01:29    2976658    -c--a-w-    c:\documents and settings\All Users\Application Data\{6A6581E7-A8C3-4E51-A20A-AFD9427D7DB0}\TaxTron2009.exe
2010-04-29 04:48 . 2010-05-13 01:28    22175744    -c--a-w-    c:\documents and settings\All Users\Application Data\{6A6581E7-A8C3-4E51-A20A-AFD9427D7DB0}\OFFLINE\E12A0A95\57CAE210\TaxElementsEx.dll
2010-04-29 04:46 . 2010-05-13 01:28    1814528    -c--a-w-    c:\documents and settings\All Users\Application Data\{6A6581E7-A8C3-4E51-A20A-AFD9427D7DB0}\OFFLINE\9CA8D437\57CAE210\TaxTron.exe
2010-04-29 04:45 . 2010-05-13 01:28    5148672    -c--a-w-    c:\documents and settings\All Users\Application Data\{6A6581E7-A8C3-4E51-A20A-AFD9427D7DB0}\OFFLINE\60E6AF5C\57CAE210\TaxElements.dll
2010-04-28 05:38 . 2010-05-13 01:28    28672    -c--a-w-    c:\documents and settings\All Users\Application Data\{6A6581E7-A8C3-4E51-A20A-AFD9427D7DB0}\OFFLINE\19E7CFD5\2234CE95\ExtendedTaxFileDialog.dll
2010-04-28 05:38 . 2010-05-13 01:28    16384    -c--a-w-    c:\documents and settings\All Users\Application Data\{6A6581E7-A8C3-4E51-A20A-AFD9427D7DB0}\OFFLINE\5F7B727D\2234CE95\ScriptInterface.dll
2010-04-27 14:18 . 2008-01-07 03:11    --------    d-----w-    c:\program files\pixeLoom
2010-04-27 06:38 . 2007-07-10 03:28    --------    d-----w-    c:\program files\MSN Messenger
2010-04-23 20:36 . 2007-01-11 13:44    --------    d-----w-    c:\program files\Roxio
2010-04-23 20:35 . 2007-01-11 13:41    --------    d-----w-    c:\program files\Common Files\Sonic Shared
2010-04-23 20:30 . 2007-01-30 03:30    --------    d-----w-    c:\program files\Sony
2010-04-23 20:27 . 2008-02-21 19:19    --------    d-----w-    c:\program files\HP
2010-04-23 20:27 . 2008-02-21 19:22    --------    d-----w-    c:\documents and settings\All Users\Application Data\HP
2010-04-23 20:14 . 2007-01-20 02:53    --------    d-----w-    c:\documents and settings\All Users\Application Data\Symantec
2010-04-23 19:59 . 2007-01-11 13:45    --------    d-----w-    c:\program files\Google
2010-04-23 19:52 . 2004-08-10 19:03    77423    ----a-w-    c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-04-22 21:39 . 2007-12-22 06:41    --------    d-----w-    c:\documents and settings\Jenny\Application Data\Skype
2010-04-22 21:07 . 2007-10-30 00:29    --------    d-----w-    c:\documents and settings\Patty\Application Data\OpenOffice.org2
2010-03-13 15:56 . 2010-05-13 01:28    20480    -c--a-w-    c:\documents and settings\All Users\Application Data\{6A6581E7-A8C3-4E51-A20A-AFD9427D7DB0}\OFFLINE\B1A9D34C\2234CE95\Hasher.dll
2010-03-12 14:00 . 2010-05-13 01:28    5068800    -c--a-w-    c:\documents and settings\All Users\Application Data\{6A6581E7-A8C3-4E51-A20A-AFD9427D7DB0}\OFFLINE\70CA59E7\2234CE95\TallComponents.PDF.Rasterizer.dll
2007-04-16 15:52 . 2004-08-10 18:51    174326    --sha-r-    c:\windows\system32\hbaeyj.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ClamWin"="c:\program files\ClamWin\bin\ClamTray.exe" [2010-04-14 86016]
"Immunet Protect"="c:\program files\ClamAV\1.0.26\iptray.exe" [2010-04-23 1338184]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-23 7630848]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-02-01 385024]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\documents and settings\Patty\Start Menu\Programs\Startup\
OpenOffice.org 2.2.lnk - c:\program files\OpenOffice.org 2.2\program\quickstart.exe [2007-2-2 393216]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Jenny^Start Menu^Programs^Startup^OpenOffice.org 2.2.lnk]
path=c:\documents and settings\Jenny\Start Menu\Programs\Startup\OpenOffice.org 2.2.lnk
backup=c:\windows\pss\OpenOffice.org 2.2.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 09:42    15360    ----a-w-    c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2005-10-05 09:12    94208    ----a-w-    c:\program files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-07-27 22:50    221184    ----a-w-    c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-07-27 22:50    81920    ----a-w-    c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMS]
2002-12-10 21:54    127022    ----a-w-    c:\program files\Common Files\Logitech\QCDriver3\LVComS.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-08-23 18:12    7630848    ----a-w-    c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2006-08-23 18:12    86016    ----a-w-    c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2006-08-23 18:12    1617920    ----a-w-    c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-02-01 03:13    385024    ----a-w-    c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SHPC32]
2001-04-12 17:13    40960    ----a-w-    c:\windows\system32\Shpc32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2006-08-15 08:38    282624    ----a-w-    c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
2005-01-25 00:58    81920    ----a-w-    c:\progra~1\Sony\SONICS~1\SSAAD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-02-22 08:25    144784    ----a-w-    c:\program files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)
"SSScsiSV"=3 (0x3)
"SPTISRV"=3 (0x3)
"SNDSrvc"=3 (0x3)
"SavRoam"=3 (0x3)
"PACSPTISVR"=3 (0x3)
"ose"=3 (0x3)
"MSCSPTISRV"=3 (0x3)
"LexBceS"=2 (0x2)
"gusvc"=3 (0x3)
"VVQRLAGJDHY"=3 (0x3)
"BAT"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Attractel\\Zoiper\\Zoiper.exe"=
"c:\\Program Files\\FreePhoneLine\\FreePhoneLine.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"7597:TCP"= 7597:TCP:uozgwibx

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 ImmunetMonitorDriver;ImmunetMonitorDriver;c:\windows\system32\drivers\ImmunetMonitor.sys [4/23/2010 4:09 PM 20040]
R1 ImmunetProtectDriver;ImmunetProtectDriver;c:\windows\system32\drivers\ImmunetProtect.sys [4/23/2010 4:09 PM 38856]
R1 ImmunetSelfProtectDriver;ImmunetSelfProtectDriver;c:\windows\system32\drivers\ImmunetSelfProtect.sys [4/23/2010 4:09 PM 29640]
R2 ImmunetProtect;ClamAV for Windows;c:\program files\ClamAV\1.0.26\agent.exe [4/23/2010 4:09 PM 717552]
S2 ikknmrpf;Manager Helper;c:\windows\system32\svchost.exe -k netsvcs [8/10/2004 2:51 PM 14336]
S2 IOPort;IOPort;\??\c:\windows\system32\DRIVERS\IOPORT.SYS --> c:\windows\system32\DRIVERS\IOPORT.SYS [?]
S3 anivgycxm;anivgycxm;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 bborurmc;bborurmc;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 cbvcppqls;cbvcppqls;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 gdaiqz;gdaiqz;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 gexspst;gexspst;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 gohqg;gohqg;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 guciaqnh;guciaqnh;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 jlhoc;jlhoc;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 kkretoy;kkretoy;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 kubtrwc;kubtrwc;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 nabizv;nabizv;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 nohtwdp;nohtwdp;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 rvshn;rvshn;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 sxmyjl;sxmyjl;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 tcmbuz;tcmbuz;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 tppntv;tppntv;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 uimlechvh;uimlechvh;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 vbate;vbate;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 vnbsjgk;vnbsjgk;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 ygqtee;ygqtee;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S4 BAT;BAT;c:\docume~1\ADMINI~1\LOCALS~1\Temp\BAT.exe --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\BAT.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc    REG_MULTI_SZ       p2psvc p2pimsvc p2pgasvc PNRPSvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
ikknmrpf
.
.
------- Supplementary Scan -------
.
uStart Page = https://portal.utoronto.ca/
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Jenny\Application Data\Mozilla\Firefox\Profiles\v69ri8s3.default\
FF - prefs.js: browser.startup.homepage - hxxp://portal.utoronto.ca
FF - plugin: c:\documents and settings\Jenny\Application Data\Mozilla\Firefox\Profiles\v69ri8s3.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07074039.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-DLA - c:\windows\System32\DLA\DLACTRLW.EXE
MSConfigStartUp-HP Software Update - c:\program files\HP\HP Software Update\HPWuSchd2.exe
MSConfigStartUp-LexStart - lexstart.exe
MSConfigStartUp-snpstd - c:\windows\vsnpstd.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
MSConfigStartUp-vptray - c:\progra~1\SYMANT~1\VPTray.exe
MSConfigStartUp-xkstartup - InstZ82.dll
AddRemove-Burger Shop - f:\burger~1\UNWISE.EXE
AddRemove-HijackThis - c:\docume~1\Jenny\LOCALS~1\Temp\Temporary Directory 1 for HijackThis.zip\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-13 17:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\anivgycxm]
"ImagePath"="\??\c:\windows\system32\01.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\bborurmc]
"ImagePath"="\??\c:\windows\system32\01.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cbvcppqls]
"ImagePath"="\??\c:\windows\system32\01.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gdaiqz]
"ImagePath"="\??\c:\windows\system32\01.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gexspst]
"ImagePath"="\??\c:\windows\system32\01.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gohqg]
"ImagePath"="\??\c:\windows\system32\01.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\guciaqnh]
"ImagePath"="\??\c:\windows\system32\01.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\jlhoc]
"ImagePath"="\??\c:\windows\system32\01.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kkretoy]
"ImagePath"="\??\c:\windows\system32\01.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kubtrwc]
"ImagePath"="\??\c:\windows\system32\01.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\nabizv]
"ImagePath"="\??\c:\windows\system32\01.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\nohtwdp]
"ImagePath"="\??\c:\windows\system32\01.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rvshn]
"ImagePath"="\??\c:\windows\system32\01.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sxmyjl]
"ImagePath"="\??\c:\windows\system32\01.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\tcmbuz]
"ImagePath"="\??\c:\windows\system32\01.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\tppntv]
"ImagePath"="\??\c:\windows\system32\01.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\uimlechvh]
"ImagePath"="\??\c:\windows\system32\01.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vbate]
"ImagePath"="\??\c:\windows\system32\01.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vnbsjgk]
"ImagePath"="\??\c:\windows\system32\01.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ygqtee]
"ImagePath"="\??\c:\windows\system32\01.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ikknmrpf]
"ServiceDll"="c:\windows\system32\hbaeyj.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3352)
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\system32\tcpsvcs.exe
c:\windows\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2010-05-13  17:52:51 - machine was rebooted
ComboFix-quarantined-files.txt  2010-05-13 21:52

Pre-Run: 142,804,766,720 bytes free
Post-Run: 143,087,874,048 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - A9E492061F5F91B9714BA524A513A0B1


#10 maranatha

maranatha

    Whats That !


  • Malware Response Team
  • 1,229 posts
  • Gender:Male
  • Location:Seattle Washington
  • Local time:07:57 AM

Posted 13 May 2010 - 11:57 PM

Hi
OK, I will need a little time here to go over the log.

Please do this for now.

Enable the 'Show Hidden Files/Folders' option, like this:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.


Please visit Virustotal
  • Click the Browse... button
  • Navigate to the files one at a time:
    c:\windows\system32\01.tmp
    c:\windows\system32\hbaeyj.dll
    c:\windows\system32\DRIVERS\IOPORT.SYS
  • Click the Open button
  • Click the Send button
  • Copy and paste the results back here please.
Please do not put logs in a quote or code box or attach them, it makes them harder to read.

Thanks
maranatha

Edited by maranatha, 14 May 2010 - 07:02 AM.

Windows7 Professional 64 Bit

 

I'm going in the wrong direction to be in a hurry!




My help is always free, But I do accept donations.
Donate Here


#11 maranatha

maranatha

    Whats That !


  • Malware Response Team
  • 1,229 posts
  • Gender:Male
  • Location:Seattle Washington
  • Local time:07:57 AM

Posted 14 May 2010 - 11:05 PM

Hi
Please do this.

Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

Filename: CFScript.txt
Save As Type: All Files (*.*)

Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.

ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

**NOTE - Allow ComboFix to update if prompted.

CODE
File::
c:\windows\system32\hbaeyj.dll
c:\windows\system32\01.tmp
c:\docume~1\ADMINI~1\LOCALS~1\Temp\BAT.exe

Drivers::
ikknmrpf
anivgycxm
bborurmc
gdaiqz
gexspst
gohqg
guciaqnh
jlhoc
kkretoy
kubtrwc
nabizv
nohtwdp
rvshn
sxmyjl
tcmbuz
tppntv
uimlechvh
vbate
vnbsjgk
ygqtee
BAT
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7597:TCP"=-
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\anivgycxm]

[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\bborurmc]

[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cbvcppqls]

[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gdaiqz]

[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gexspst]

[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gohqg]

[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\guciaqnh]

[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\jlhoc]

[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kkretoy]

[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kubtrwc]

[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\nabizv]

[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\nohtwdp]

[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rvshn]

[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sxmyjl]

[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\tcmbuz]

[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\tppntv]

[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\uimlechvh]

[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vbate]

[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vnbsjgk]

[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ygqtee]

[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ikknmrpf]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"VVQRLAGJDHY"=-
"BAT"=-


Thanks
maranatha



#12 Bloodsong

Bloodsong
  • Topic Starter

  • Members
  • 9 posts
  • Local time:10:57 AM

Posted 16 May 2010 - 06:17 PM

To make it work I had to replace the short-form file location with the full-length one.
Also, I have noticed that 01.tmp recreates itself with the rootkit on occasion.
Further, I've noticed that when I turn on 'view hidden files' it had been turning itself off at reboot; it looks like that much has been fixed by the other processes I stopped, however.

Here's the new log

[Edit:]
Also looks like after this latest ComboFix/reboot I can now access Microsoft.com and Anti-Virus sites.
---------------------------------------------------------------------------------------------


ComboFix 10-05-16.01 - Jenny 16/05/2010 16:59:53.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.958.692 [GMT -4:00]
Running from: c:\documents and settings\Jenny\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jenny\Desktop\CFScript.txt
AV: ClamAV for Windows *On-access scanning disabled* (Updated) {F1220F1F-7E2E-48CD-846D-B98C6F85CD37}

FILE ::
"c:\documents and settings\ADMINISTRATOR\LOCAL SETTINGS\Temp\BAT.exe"
"c:\windows\system32\01.tmp"
"c:\windows\system32\hbaeyj.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\hbaeyj.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ikknmrpf
-------\Service_ikknmrpf


((((((((((((((((((((((((( Files Created from 2010-04-16 to 2010-05-16 )))))))))))))))))))))))))))))))
.

2010-05-16 21:06 . 2010-05-16 21:06 -------- d-----w- c:\windows\LastGood
2010-05-15 13:40 . 2010-05-15 13:40 -------- d-sh--w- c:\documents and settings\Patty\IETldCache
2010-05-13 01:49 . 2010-05-13 01:49 -------- d-----w- c:\documents and settings\Jenny\Local Settings\Application Data\IsolatedStorage
2010-05-13 01:28 . 2010-03-05 23:59 7163904 -c--a-w- c:\documents and settings\All Users\Application Data\{6A6581E7-A8C3-4E51-A20A-AFD9427D7DB0}\OFFLINE\EA7B6B63\2234CE95\GTS08.dll
2010-05-06 18:17 . 2010-05-06 18:17 -------- d-----w- c:\program files\Foxit Software
2010-05-03 13:57 . 2010-05-12 01:34 -------- d-----w- c:\documents and settings\Jenny\FreePhoneLine
2010-05-03 13:56 . 2010-05-03 13:56 -------- d-----w- c:\program files\FreePhoneLine
2010-05-01 02:21 . 2010-05-03 13:23 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-04-30 14:27 . 2010-04-30 14:27 -------- d-----w- c:\documents and settings\Jenny\Application Data\Malwarebytes
2010-04-30 14:27 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-30 14:27 . 2010-04-30 14:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-30 14:27 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-30 14:27 . 2010-04-30 14:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-30 13:59 . 2010-04-30 13:59 -------- d-----w- c:\program files\Common Files\Windows Live
2010-04-30 13:58 . 2010-04-30 14:01 -------- d-----w- c:\documents and settings\Administrator\Contacts
2010-04-23 21:22 . 2010-04-23 21:22 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-04-23 20:11 . 2010-04-23 20:11 -------- d-sh--w- c:\documents and settings\Jenny\IECompatCache
2010-04-23 20:11 . 2010-04-23 20:11 -------- d-sh--w- c:\documents and settings\Jenny\PrivacIE
2010-04-23 20:09 . 2010-04-23 20:09 29640 ----a-w- c:\windows\system32\drivers\ImmunetSelfProtect.sys
2010-04-23 20:09 . 2010-04-23 20:09 20040 ----a-w- c:\windows\system32\drivers\ImmunetMonitor.sys
2010-04-23 20:09 . 2010-04-23 20:09 38856 ----a-w- c:\windows\system32\drivers\ImmunetProtect.sys
2010-04-23 20:09 . 2010-05-16 22:12 -------- d-----w- c:\program files\ClamAV
2010-04-23 20:07 . 2010-04-23 20:07 -------- d-sh--w- c:\documents and settings\Jenny\IETldCache
2010-04-23 20:02 . 2010-04-23 20:02 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2010-04-23 20:02 . 2010-04-23 20:02 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-04-23 20:01 . 2010-04-23 20:01 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-04-23 19:58 . 2010-04-23 19:58 -------- dc-h--w- c:\windows\ie8
2010-04-23 19:49 . 2010-04-23 19:49 -------- d-----w- c:\windows\ServicePackFiles
2010-04-23 19:48 . 2010-04-23 19:48 -------- d-----w- c:\documents and settings\Administrator\Application Data\Talkback
2010-04-23 19:48 . 2010-04-23 19:48 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-04-23 19:45 . 2010-04-23 19:45 -------- d-----w- c:\windows\EHome
2010-04-23 19:43 . 2010-04-23 19:43 -------- d-----w- c:\program files\Attractel
2010-04-23 19:42 . 2010-04-23 19:42 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2010-04-23 19:39 . 2010-04-23 19:49 -------- d-----w- c:\documents and settings\Administrator\Application Data\.clamwin
2010-04-23 19:38 . 2010-04-23 19:38 -------- d-sh--w- c:\documents and settings\Administrator\UserData
2010-04-22 21:20 . 2010-04-22 21:20 -------- d-----w- c:\documents and settings\Jenny\Application Data\.clamwin
2010-04-22 21:20 . 2010-04-22 21:20 -------- d-----w- c:\program files\ClamWin
2010-04-22 21:20 . 2010-04-22 21:20 -------- d-----w- c:\documents and settings\All Users\.clamwin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-13 14:39 . 2007-01-30 03:29 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-13 01:29 . 2010-05-13 01:29 -------- d-----w- c:\documents and settings\All Users\Application Data\TaxTron
2010-05-13 01:29 . 2010-05-13 01:28 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{6A6581E7-A8C3-4E51-A20A-AFD9427D7DB0}
2010-05-13 01:29 . 2010-05-13 01:29 -------- d-----w- c:\program files\TaxTron
2010-05-12 00:31 . 2007-01-19 18:54 41664 ----a-w- c:\documents and settings\Jenny\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-06 18:15 . 2007-08-23 19:10 -------- d-----w- c:\documents and settings\Jenny\Application Data\OpenOffice.org2
2010-05-03 13:56 . 2008-03-10 23:41 -------- d-----w- c:\program files\Common Files\Java
2010-04-30 13:59 . 2010-04-23 19:34 41664 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-29 19:45 . 2010-05-13 01:29 2976658 -c--a-w- c:\documents and settings\All Users\Application Data\{6A6581E7-A8C3-4E51-A20A-AFD9427D7DB0}\TaxTron2009.exe
2010-04-29 04:48 . 2010-05-13 01:28 22175744 -c--a-w- c:\documents and settings\All Users\Application Data\{6A6581E7-A8C3-4E51-A20A-AFD9427D7DB0}\OFFLINE\E12A0A95\57CAE210\TaxElementsEx.dll
2010-04-29 04:46 . 2010-05-13 01:28 1814528 -c--a-w- c:\documents and settings\All Users\Application Data\{6A6581E7-A8C3-4E51-A20A-AFD9427D7DB0}\OFFLINE\9CA8D437\57CAE210\TaxTron.exe
2010-04-29 04:45 . 2010-05-13 01:28 5148672 -c--a-w- c:\documents and settings\All Users\Application Data\{6A6581E7-A8C3-4E51-A20A-AFD9427D7DB0}\OFFLINE\60E6AF5C\57CAE210\TaxElements.dll
2010-04-28 05:38 . 2010-05-13 01:28 28672 -c--a-w- c:\documents and settings\All Users\Application Data\{6A6581E7-A8C3-4E51-A20A-AFD9427D7DB0}\OFFLINE\19E7CFD5\2234CE95\ExtendedTaxFileDialog.dll
2010-04-28 05:38 . 2010-05-13 01:28 16384 -c--a-w- c:\documents and settings\All Users\Application Data\{6A6581E7-A8C3-4E51-A20A-AFD9427D7DB0}\OFFLINE\5F7B727D\2234CE95\ScriptInterface.dll
2010-04-27 14:18 . 2008-01-07 03:11 -------- d-----w- c:\program files\pixeLoom
2010-04-27 06:38 . 2007-07-10 03:28 -------- d-----w- c:\program files\MSN Messenger
2010-04-23 20:36 . 2007-01-11 13:44 -------- d-----w- c:\program files\Roxio
2010-04-23 20:35 . 2007-01-11 13:41 -------- d-----w- c:\program files\Common Files\Sonic Shared
2010-04-23 20:30 . 2007-01-30 03:30 -------- d-----w- c:\program files\Sony
2010-04-23 20:27 . 2008-02-21 19:19 -------- d-----w- c:\program files\HP
2010-04-23 20:27 . 2008-02-21 19:22 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2010-04-23 20:14 . 2007-01-20 02:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-04-23 19:59 . 2007-01-11 13:45 -------- d-----w- c:\program files\Google
2010-04-23 19:52 . 2004-08-10 19:03 77423 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-04-22 21:39 . 2007-12-22 06:41 -------- d-----w- c:\documents and settings\Jenny\Application Data\Skype
2010-04-22 21:07 . 2007-10-30 00:29 -------- d-----w- c:\documents and settings\Patty\Application Data\OpenOffice.org2
2010-03-13 15:56 . 2010-05-13 01:28 20480 -c--a-w- c:\documents and settings\All Users\Application Data\{6A6581E7-A8C3-4E51-A20A-AFD9427D7DB0}\OFFLINE\B1A9D34C\2234CE95\Hasher.dll
2010-03-12 14:00 . 2010-05-13 01:28 5068800 -c--a-w- c:\documents and settings\All Users\Application Data\{6A6581E7-A8C3-4E51-A20A-AFD9427D7DB0}\OFFLINE\70CA59E7\2234CE95\TallComponents.PDF.Rasterizer.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-05-13_21.49.29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-16 21:06 . 2010-05-16 21:16 10436 c:\windows\SoftwareDistribution\EventCache\{2CD79578-1303-424C-BDD1-D699DF075283}.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ClamWin"="c:\program files\ClamWin\bin\ClamTray.exe" [2010-04-14 86016]
"Immunet Protect"="c:\program files\ClamAV\1.0.26\iptray.exe" [2010-04-23 1338184]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-23 7630848]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-02-01 385024]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\documents and settings\Patty\Start Menu\Programs\Startup\
OpenOffice.org 2.2.lnk - c:\program files\OpenOffice.org 2.2\program\quickstart.exe [2007-2-2 393216]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Jenny^Start Menu^Programs^Startup^OpenOffice.org 2.2.lnk]
path=c:\documents and settings\Jenny\Start Menu\Programs\Startup\OpenOffice.org 2.2.lnk
backup=c:\windows\pss\OpenOffice.org 2.2.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 09:42 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2005-10-05 09:12 94208 ----a-w- c:\program files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-07-27 22:50 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-07-27 22:50 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMS]
2002-12-10 21:54 127022 ----a-w- c:\program files\Common Files\Logitech\QCDriver3\LVComS.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-08-23 18:12 7630848 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2006-08-23 18:12 86016 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2006-08-23 18:12 1617920 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-02-01 03:13 385024 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SHPC32]
2001-04-12 17:13 40960 ----a-w- c:\windows\system32\Shpc32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2006-08-15 08:38 282624 ----a-w- c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
2005-01-25 00:58 81920 ----a-w- c:\progra~1\Sony\SONICS~1\SSAAD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-02-22 08:25 144784 ----a-w- c:\program files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)
"SSScsiSV"=3 (0x3)
"SPTISRV"=3 (0x3)
"SNDSrvc"=3 (0x3)
"SavRoam"=3 (0x3)
"PACSPTISVR"=3 (0x3)
"ose"=3 (0x3)
"MSCSPTISRV"=3 (0x3)
"LexBceS"=2 (0x2)
"gusvc"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Attractel\\Zoiper\\Zoiper.exe"=
"c:\\Program Files\\FreePhoneLine\\FreePhoneLine.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 ImmunetMonitorDriver;ImmunetMonitorDriver;c:\windows\system32\drivers\ImmunetMonitor.sys [4/23/2010 4:09 PM 20040]
R1 ImmunetProtectDriver;ImmunetProtectDriver;c:\windows\system32\drivers\ImmunetProtect.sys [4/23/2010 4:09 PM 38856]
R1 ImmunetSelfProtectDriver;ImmunetSelfProtectDriver;c:\windows\system32\drivers\ImmunetSelfProtect.sys [4/23/2010 4:09 PM 29640]
R2 ImmunetProtect;ClamAV for Windows;c:\program files\ClamAV\1.0.26\agent.exe [4/23/2010 4:09 PM 717552]
S2 ikknmrpf;Manager Helper;c:\windows\system32\svchost.exe -k netsvcs [8/10/2004 2:51 PM 14336]
S2 IOPort;IOPort;\??\c:\windows\system32\DRIVERS\IOPORT.SYS --> c:\windows\system32\DRIVERS\IOPORT.SYS [?]
S3 bkeiev;bkeiev;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 iutxycr;iutxycr;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S3 qxjliiq;qxjliiq;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
S4 BAT;BAT;c:\docume~1\ADMINI~1\LOCALS~1\Temp\BAT.exe --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\BAT.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ikknmrpf
.
.
------- Supplementary Scan -------
.
uStart Page = https://portal.utoronto.ca/
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Jenny\Application Data\Mozilla\Firefox\Profiles\v69ri8s3.default\
FF - prefs.js: browser.startup.homepage - hxxp://portal.utoronto.ca
FF - plugin: c:\documents and settings\Jenny\Application Data\Mozilla\Firefox\Profiles\v69ri8s3.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07074039.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-16 18:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\bkeiev]
"ImagePath"="\??\c:\windows\system32\01.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\iutxycr]
"ImagePath"="\??\c:\windows\system32\01.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\qxjliiq]
"ImagePath"="\??\c:\windows\system32\01.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ikknmrpf]
"ServiceDll"="c:\windows\system32\hbaeyj.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2992)
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\system32\tcpsvcs.exe
c:\windows\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2010-05-16 18:15:24 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-16 22:15
ComboFix2.txt 2010-05-13 21:52

Pre-Run: 143,056,785,408 bytes free
Post-Run: 142,506,295,296 bytes free

- - End Of File - - A35BDFE436851445466A82F6A7AAA6B3

Edited by Bloodsong, 16 May 2010 - 06:18 PM.
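A small triage helper for the service and registry lines in the ComboFix log above, added here as an example; it is not part of this thread or of ComboFix. The sample lines are constructed in the log's own format (the names are the ones discussed in the thread; the nvsvc32 entry is a constructed benign control), and the rules it applies are the ones a responder would check by eye: a `[?]` stamp (ComboFix could not find the file), an image that is a `.tmp` or sits under a Temp folder, and a svchost-hosted entry whose real code is the ServiceDll.

```python
import re

# Constructed sample lines in the format of the ComboFix log posted above (nvsvc32 is a benign control).
SERVICE_LINES = """\
S2 ikknmrpf;Manager Helper;c:\\windows\\system32\\svchost.exe -k netsvcs [8/10/2004 2:51 PM 14336]
S3 bkeiev;bkeiev;\\??\\c:\\windows\\system32\\01.tmp --> c:\\windows\\system32\\01.tmp [?]
S4 BAT;BAT;c:\\docume~1\\ADMINI~1\\LOCALS~1\\Temp\\BAT.exe --> c:\\docume~1\\ADMINI~1\\LOCALS~1\\Temp\\BAT.exe [?]
S2 Nvsvc32;NVIDIA Display Driver Service;c:\\windows\\system32\\nvsvc32.exe [1/1/2009 1:00 PM 86016]
"""
REGISTRY_DUMP = """\
[HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Services\\ikknmrpf]
"ServiceDll"="c:\\windows\\system32\\hbaeyj.dll"
"""

# "S<start> name;display;image [date size]" or "... image --> image [?]"; [?] means file not found
LINE_RE = re.compile(r"^S(\d) ([^;]+);([^;]*);(.+?)(?: --> .+?)? \[(.*)\]$")
KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\([^\]]+)\]$", re.I)
SVCHOST_RE = re.compile(r"svchost\.exe -k (\S+)", re.I)

def service_dlls(reg_dump):
    # Map service name -> ServiceDll from the registry sections ComboFix appends to its log.
    dlls, current = {}, None
    for line in reg_dump.splitlines():
        key = KEY_RE.match(line)
        if key:
            current = key.group(1).lower()
        elif current and line.startswith('"ServiceDll"="'):
            dlls[current] = line.split("=", 1)[1].strip('"')
    return dlls

def triage(service_lines, reg_dump):
    """Return [(service name, image path, [reasons])] for entries that deserve a closer look."""
    dlls, findings = service_dlls(reg_dump), []
    for m in filter(None, map(LINE_RE.match, service_lines.splitlines())):
        _start, name, _display, image, stamp = m.groups()
        image = image.replace("\\??\\", "")  # NT object-manager prefix used on driver paths
        low, reasons = image.lower(), []
        if stamp == "?":
            reasons.append("image not found on disk at scan time")
        if low.endswith(".tmp"):
            reasons.append("service image is a .tmp file")
        if "\\temp\\" in low:
            reasons.append("service image lives in a Temp directory")
        host = SVCHOST_RE.search(image)
        if host:  # the svchost line says nothing about the real code; report the DLL it loads
            dll = dlls.get(name.lower(), "<not in registry dump>")
            reasons.append(f"svchost-hosted ({host.group(1)}), ServiceDll={dll}")
        if reasons:
            findings.append((name, image, reasons))
    return findings
```

Running `triage(SERVICE_LINES, REGISTRY_DUMP)` flags ikknmrpf (with its hbaeyj.dll ServiceDll), bkeiev and BAT, and leaves the nvsvc32 entry alone.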


#13 maranatha

maranatha

    Whats That !


  • Malware Response Team
  • 1,229 posts
  • OFFLINE
  • Gender:Male
  • Location:Seattle Washington
  • Local time:07:57 AM

Posted 17 May 2010 - 01:03 AM

Hi
Please do this and post the results.


Please visit Virustotal
  • Click the Browse... button
  • Navigate to the files one at a time. c:\windows\system32\01.tmp
    c:\documents and settings\ADMINISTRATOR\LOCALSETTINGS\Temp\BAT.exe
    c:\windows\system32\DRIVERS\IOPORT.SYS
  • Click the Open button
  • Click the Send button
  • Copy and paste the results back here please.

Also, please update your anti-virus program and run a full scan of the computer. Please take note of anything it finds and deletes/removes.

Thanks
maranatha

Edited by maranatha, 17 May 2010 - 01:08 AM.

Windows7 Professional 64 Bit

 

I'm going in the wrong direction to be in a hurry!




My help is always free, But I do accept donations.
Donate Here


#14 Bloodsong

Bloodsong
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:10:57 AM

Posted 17 May 2010 - 04:55 PM

It looks like it's gone.
tmp01 didn't come back.

BAT.exe never existed in the directory, or if it did it was gone before we got to using ComboFix.

And I don't see an IOPORT.sys in that directory either.
I'm waiting on ClamWin to finish a complete drive scan now.

ClamAV hasn't detected any threats today.
Also, OpenDNS has not noticed suspicious/botnet traffic from my home in the last 24 hours.

I'll edit with the Antivirus report when it's ready.

#15 maranatha

maranatha

    Whats That !


  • Malware Response Team
  • 1,229 posts
  • OFFLINE
  • Gender:Male
  • Location:Seattle Washington
  • Local time:07:57 AM

Posted 17 May 2010 - 10:23 PM

Hi
OK, let's try this again.

Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as;

Filename: CFScript.txt
Save As Type: All Files (*.*)

Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.

Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

**NOTE - Allow ComboFix to update if prompted.
CODE
KillAll::
File::
c:\windows\system32\01.tmp
c:\windows\system32\hbaeyj.dll
c:\docume~1\ADMINISATOR\LOCALSETTINGS\Temp\BAT.exe
RootKit::
ikknmrpf
bkeiev
iutxycr
qxjliiq
BAT
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs]
"ikknmrpf"=-
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\bkeiev]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\iutxycr]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\qxjliiq]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ikknmrpf]


Please post the Combofix log.

Thanks
maranatha

Windows7 Professional 64 Bit

 

I'm going in the wrong direction to be in a hurry!




My help is always free, But I do accept donations.
Donate Here




