Tidserv and Tidserv2 Request Detected


This topic is locked
19 replies to this topic

#1 crum23
  • Members
  • 22 posts

Posted 11 May 2010 - 08:50 AM

Hi, I recently got a virus on my computer at work. I clicked on a link in an email that appeared to be from my sister's email address. Turns out she was attacked by a hacker and what I clicked on was this trojan or virus. This was part of that Facebook trojan that people were reporting where you get a message from someone you know telling you to check out this video they found with you in it. Now IE freezes, search engine results sometimes redirect me to other sites, and pop-ups occur frequently. Since this is my work computer, a wipe and reinstall is a last resort. I can log in as an administrator if I need to (I had to in order to run DDS and GMER). The email I provided is my personal email so feel free to send me a message anytime. However, the computer is at work so I will only be able to perform the tasks I am asked during normal business hours, 8-5 Central time, Mon thru Fri. I am also having trouble posting the DDS log to this site. It keeps giving me a "No internet connection detected" when I try to post the entire log. That's why you only see a partial one. I also have the same problem when I try to upload the DDS.txt file.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 8:34:38.62 on Mon 05/10/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1420 [GMT -5:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\ANSYS Inc\v110\RSM\bin\JobManagerService.exe
C:\Program Files\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

Edited by crum23, 11 May 2010 - 09:23 AM.




#2 thewall
  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 12 May 2010 - 07:08 PM


Hello crum23. Welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.


I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.



In the upper right hand corner of the topic you will see a button called Options. If you click on this, in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic, which will facilitate the cleaning of your machine.


Please keep in mind that we have a large backlog of users just like yourself waiting to be helped so try to be as timely as possible in your replies. Since we do this on a part-time voluntary basis we are limited on how many logs we can respond to and keep open due to time restraints. If you have to be away or can't answer for some other reason just let me know. Thank you for your understanding.



After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.





Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instruction can be found HERE
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: Please post the log in the reply window and do not make it an attachment. Do this with all subsequent replies unless I ask otherwise.

Thanks,

thewall

If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper


Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#3 crum23
  • Topic Starter
  • Members
  • 22 posts

Posted 13 May 2010 - 08:58 AM

ComboFix 10-05-12.04 - Administrator 05/13/2010 8:24.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1539 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *On-access scanning disabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.
The following files were disabled during the run:
c:\documents and settings\LocalService\Local Settings\Application Data\Windows Server\rdtjzt.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Local Settings\Application Data\{D93C9576-588A-4D1E-8A37-8496078CEF07}
c:\documents and settings\Administrator\Local Settings\Application Data\{D93C9576-588A-4D1E-8A37-8496078CEF07}\chrome.manifest
c:\documents and settings\Administrator\Local Settings\Application Data\{D93C9576-588A-4D1E-8A37-8496078CEF07}\chrome\content\_cfg.js
c:\documents and settings\Administrator\Local Settings\Application Data\{D93C9576-588A-4D1E-8A37-8496078CEF07}\chrome\content\overlay.xul
c:\documents and settings\Administrator\Local Settings\Application Data\{D93C9576-588A-4D1E-8A37-8496078CEF07}\install.rdf
c:\documents and settings\JCrummel\Local Settings\Application Data\{FEA00B88-C804-4804-897B-9DADDC08D43F}
c:\documents and settings\JCrummel\Local Settings\Application Data\{FEA00B88-C804-4804-897B-9DADDC08D43F}\chrome.manifest
c:\documents and settings\JCrummel\Local Settings\Application Data\{FEA00B88-C804-4804-897B-9DADDC08D43F}\chrome\content\_cfg.js
c:\documents and settings\JCrummel\Local Settings\Application Data\{FEA00B88-C804-4804-897B-9DADDC08D43F}\chrome\content\overlay.xul
c:\documents and settings\JCrummel\Local Settings\Application Data\{FEA00B88-C804-4804-897B-9DADDC08D43F}\install.rdf
c:\documents and settings\JCrummel\Local Settings\Application Data\Windows Server
c:\documents and settings\JCrummel\Local Settings\Application Data\Windows Server\flags.ini
c:\documents and settings\JCrummel\Local Settings\Application Data\Windows Server\rdtjzt.dll
c:\documents and settings\JCrummel\Local Settings\Application Data\Windows Server\uses32.dat
c:\documents and settings\JCrummel\nah_cgjh.exe
c:\documents and settings\LocalService\Local Settings\Application Data\Windows Server
c:\documents and settings\LocalService\Local Settings\Application Data\Windows Server\rdtjzt.dll
c:\documents and settings\LocalService\Local Settings\Application Data\Windows Server\rdtjzt.dll.vir
c:\documents and settings\NetworkService\Local Settings\Application Data\Windows Server
c:\documents and settings\NetworkService\Local Settings\Application Data\Windows Server\rdtjzt.dll
c:\documents and settings\SMiller\System
c:\documents and settings\SMiller\System\win_qs8.jqx
C:\feed.txt
c:\windows\system32\Vb40032.dll
c:\windows\system32\winsys.exe

Infected copy of c:\windows\system32\drivers\tcpip.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-04-13 to 2010-05-13 )))))))))))))))))))))))))))))))
.

2010-05-13 13:34 . 2010-05-13 13:38 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Windows Server
2010-05-13 13:34 . 2010-05-13 13:39 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Windows Server
2010-05-11 13:01 . 2010-05-11 13:01 -------- d-----w- c:\program files\Microsoft Silverlight
2010-04-30 19:49 . 2010-04-30 19:49 -------- d-----w- c:\documents and settings\JCrummel\Local Settings\Application Data\Google
2010-04-28 16:57 . 2010-04-28 16:58 -------- d-----w- c:\documents and settings\JCrummel\Application Data\webex

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-30 19:49 . 2007-07-31 20:29 -------- d-----w- c:\program files\Google
2010-04-30 14:32 . 2010-01-28 21:35 -------- d-----w- c:\program files\Sandboxie
2010-04-26 13:09 . 2010-03-26 14:27 -------- d-----w- c:\program files\inFlow Inventory
2010-04-26 13:09 . 2010-03-26 14:27 -------- d-----w- c:\documents and settings\All Users\Application Data\inFlow Inventory
2010-04-26 13:09 . 2010-03-26 14:33 -------- d-----w- c:\program files\Microsoft SQL Server
2010-04-26 13:06 . 2007-05-31 12:57 -------- d-----w- c:\program files\Microsoft.NET
2010-03-26 15:13 . 2010-03-26 15:13 -------- d-----w- c:\documents and settings\JCrummel\Application Data\inFlow Inventory
2010-03-26 14:32 . 2010-03-26 14:32 -------- d-----w- c:\program files\Business Objects
2010-03-15 13:02 . 2010-03-08 14:01 0 ----a-w- c:\windows\Iyocupilidarex.bin
2010-03-15 13:02 . 2010-03-08 14:01 120 ----a-w- c:\windows\Qmaziy.dat
2010-03-10 06:15 . 2004-08-04 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 23:34 . 2010-03-09 23:34 82648 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-09 23:28 . 2010-03-09 23:28 1579520 ----a-w- C:\agent.msi
2010-03-08 13:59 . 2010-03-03 18:18 28 ----a-w- c:\windows\system32\config\systemprofile\Application Data\glchvt.dat
2010-03-05 14:20 . 2010-03-05 14:20 24 ----a-w- c:\documents and settings\LocalService\Application Data\glchvt.dat
2010-03-03 15:41 . 2010-03-03 15:41 24 ----a-w- c:\documents and settings\NetworkService\Application Data\glchvt.dat
2010-02-25 06:24 . 2010-02-25 06:24 9223407 ----a-w- c:\windows\system32\upgierrje.dll
2010-02-25 06:24 . 2010-02-25 06:24 8317520 ----a-w- c:\windows\system32\loniorand.dll
2010-02-25 06:24 . 2010-02-25 06:24 2911493 ----a-w- c:\windows\system32\erryetor.dll
2010-02-25 06:24 . 2010-02-25 06:24 2009281 ----a-w- c:\windows\system32\arcraah.dll
2010-02-25 06:24 . 2010-02-25 06:24 2009279 ----a-w- c:\windows\system32\shecraasuwi.dll
2010-02-25 06:24 . 2010-02-25 06:24 1892603 ----a-w- c:\windows\system32\cowexdo.dll
2010-02-25 06:24 . 2010-02-25 06:24 1707606 ----a-w- c:\windows\system32\orwwinor.dll
2010-02-25 06:24 . 2010-02-25 06:24 1659087 ----a-w- c:\windows\system32\craetapiw.dll
2010-02-25 06:24 . 2010-02-25 06:24 1427060 ----a-w- c:\windows\system32\to32wins.dll
2010-02-25 06:24 . 2010-02-25 06:24 1245473 ----a-w- c:\windows\system32\wiasupa.dll
2010-02-25 06:24 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2004-08-04 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-23 16:52 . 2010-02-17 16:56 8 ----a-w- c:\windows\system32\nvModes.dat
2010-02-17 20:21 . 2008-11-13 18:51 162048 ----a-w- c:\windows\system32\drivers\WpsHelper.sys
2010-02-16 14:08 . 2004-08-04 12:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-02-19 19:17 . 2009-02-19 19:17 48128 --sha-w- c:\windows\system32\hideagent.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 40960]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-12 623992]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-11-13 115560]
"hpbdfawep"="c:\program files\HP\Dfawep\bin\hpbdfawep.exe" [2007-04-25 954368]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-12 13666408]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-01-12 110696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 22:28 352256 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
grpcgpwd REG_SZ c:\windows\system32\mpnonsta.dll
AppSecDll REG_SZ c:\documents and settings\NetworkService\Local Settings\Application Data\Windows Server\rdtjzt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\SMiller\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\Java\\jre1.6.0_01\\bin\\javaw.exe"=
"c:\\Program Files\\ANSYS Inc\\v110\\CFX\\bin\\winnt\\PreEngine.exe"=
"c:\\Program Files\\ANSYS Inc\\v110\\CFX\\bin\\winnt\\PreGui_ogl.exe"=
"c:\\Program Files\\ANSYS Inc\\v110\\AISOL\\CommonFiles\\intel\\AnsysWBU.exe"=
"c:\\Program Files\\ANSYS Inc\\v110\\ANSYS\\bin\\intel\\ANSYS.exe"=
"c:\\Program Files\\ANSYS Inc\\v110\\AISOL\\CAD Integration\\intel\\ActivePIMgrU.exe"=
"c:\\Program Files\\ANSYS Inc\\v110\\AISOL\\CAD Integration\\intel\\ReaderHostU.exe"=
"c:\\Program Files\\ANSYS Inc\\v110\\CommonFiles\\TCL\\bin\\intel\\tclsh.exe"=
"c:\\Program Files\\ANSYS Inc\\v110\\CommonFiles\\TCL\\bin\\intel\\wish.exe"=
"c:\\Program Files\\ANSYS Inc\\v110\\RSM\\bin\\JobManagerService.exe"=
"c:\\Program Files\\ANSYS Inc\\v110\\RSM\\bin\\JMAdmin.exe"=
"c:\\Program Files\\ANSYS Inc\\v110\\RSM\\bin\\JMPassword.exe"=
"c:\\Program Files\\ANSYS Inc\\v110\\RSM\\bin\\ScriptHostService.exe"=
"c:\\Program Files\\ANSYS Inc\\Shared Files\\Licensing\\intel\\ansyslmd.exe"=
"c:\\Program Files\\ANSYS Inc\\Shared Files\\Licensing\\intel\\lmgrd.exe"=
"c:\\Program Files\\ANSYS Inc\\v110\\CFX\\bin\\winnt\\PostGui_ogl.exe"=
"c:\\Program Files\\ANSYS Inc\\v110\\CFX\\bin\\winnt\\PostEngine.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/3/2008 3:07 PM 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/3/2008 3:07 PM 55024]
R2 JobManagerService110;Ansys JobManager Service V11;c:\program files\ANSYS Inc\v110\RSM\bin\JobManagerService.exe [1/16/2007 4:20 PM 20480]
R2 ScriptHostService110;Ansys ScriptHost Service V11;c:\program files\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe [1/16/2007 4:20 PM 20480]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/3/2007 11:21 AM 24652]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Adapter;c:\windows\system32\drivers\atl01_xp.sys [5/25/2007 11:51 PM 34944]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/3/2009 11:28 AM 102448]
R3 netmonzMP;netmonzMP;c:\windows\system32\drivers\netmonz.sys [8/17/2009 11:17 AM 18432]
S2 ANSYS FLEXlm license manager;ANSYS FLEXlm license manager;c:\progra~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe [1/29/2010 10:52 AM 1294336]
S2 Flexlm Service 1;Flexlm Service 1;c:\program files\ANSYS Inc\Shared Files\Licensing\intel\lmgrd.exe [1/29/2010 10:52 AM 1294336]
S3 CaptureFileMonitor;CaptureFileMonitor;c:\windows\system32\drivers\CaptureFileMonitor.sys [3/9/2010 6:24 PM 11264]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\coh_mon.sys [11/13/2008 1:51 PM 23888]
S3 netmonz;NetmonZ Service;c:\windows\system32\drivers\netmonz.sys [8/17/2009 11:17 AM 18432]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\sasenum.sys [9/3/2008 3:07 PM 7408]
.
Contents of the 'Scheduled Tasks' folder

2010-05-13 c:\windows\Tasks\SDMsgUpdate (TE).job
- c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2009-03-27 11:29]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-nwiz - nwiz.exe
SafeBoot-Symantec Antvirus
AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-13 08:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1202660629-651377827-839522115-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b1,f8,62,d4,8b,e8,56,4a,b6,ba,88,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b1,f8,62,d4,8b,e8,56,4a,b6,ba,88,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1236)
c:\windows\system32\config\systemprofile\Local Settings\Application Data\Windows Server\rdtjzt.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(424)
c:\windows\system32\WININET.dll
c:\documents and settings\NetworkService\Local Settings\Application Data\Windows Server\rdtjzt.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\windows\system32\brss01a.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\windows\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2010-05-13 08:49:21 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-13 13:49

Pre-Run: 53,874,593,792 bytes free
Post-Run: 54,295,142,400 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 5DCAF0687D460AC4AF075BFBB71C6D5C
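
As an added illustration (not part of this thread, and not a ComboFix or BleepingComputer tool): a small Python triage script that pulls from a ComboFix log the three items in the log above that matter most to a responder: the disinfected tcpip.sys, the AppCertDlls entries (DLLs listed under that key are loaded into every process that calls CreateProcess, which is consistent with rdtjzt.dll turning up inside winlogon.exe and explorer.exe), and DLLs mapped into those processes from profile directories rather than from Windows or Program Files. The sample log is a constructed, abridged copy of the lines posted above; the category names are the script's own.

```python
"""Triage helper for ComboFix-style logs (added example; not a ComboFix or BC tool)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: an abridged copy of lines from the ComboFix log in this thread.
SAMPLE_LOG = r"""
Infected copy of c:\windows\system32\drivers\tcpip.sys was found and disinfected
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-11-13 115560]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
grpcgpwd REG_SZ c:\windows\system32\mpnonsta.dll
AppSecDll REG_SZ c:\documents and settings\NetworkService\Local Settings\Application Data\Windows Server\rdtjzt.dll
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1236)
c:\windows\system32\config\systemprofile\Local Settings\Application Data\Windows Server\rdtjzt.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(424)
c:\windows\system32\WININET.dll
c:\documents and settings\NetworkService\Local Settings\Application Data\Windows Server\rdtjzt.dll
c:\windows\system32\ieframe.dll
.
"""

# Profile-style directories are not where Windows or vendor DLLs loaded into
# winlogon.exe / explorer.exe normally live; a DLL there deserves a look.
PROFILE_MARKERS = ("\\documents and settings\\", "\\application data\\", "\\local settings\\")

HEADER_RE = re.compile(r"^[- ]+>\s*'([^']+)'\((\d+)\)")      # "- - - > 'winlogon.exe'(1236)"
REG_SZ_RE = re.compile(r"^(\S+)\s+REG_SZ\s+(.+?)\s*$")       # "AppSecDll REG_SZ c:\...\x.dll"


def parse_appcertdlls(log: str) -> List[Tuple[str, str]]:
    """Return (value name, dll path) pairs listed under the AppCertDlls key."""
    entries: List[Tuple[str, str]] = []
    in_key = False
    for line in log.splitlines():
        if line.startswith("["):
            # ComboFix prints key names in mixed case, so compare case-insensitively.
            in_key = line.lower().rstrip("]").endswith("\\appcertdlls")
            continue
        if in_key:
            m = REG_SZ_RE.match(line.strip())
            if m:
                entries.append((m.group(1), m.group(2)))
    return entries


def parse_loaded_dlls(log: str) -> Dict[str, List[str]]:
    """Map each process in 'DLLs Loaded Under Running Processes' to its listed DLLs."""
    loaded: Dict[str, List[str]] = {}
    current = None
    in_section = False
    for line in log.splitlines():
        if "DLLs Loaded Under Running Processes" in line:
            in_section = True
            continue
        if not in_section:
            continue
        if line.strip() == ".":          # ComboFix closes the section with a lone dot
            break
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1).lower()
            loaded.setdefault(current, [])
        elif current and line.strip():
            loaded[current].append(line.strip())
    return loaded


def is_profile_path(path: str) -> bool:
    """True if the DLL path sits under a user-profile style directory."""
    p = path.lower()
    return any(marker in p for marker in PROFILE_MARKERS)


@dataclass(frozen=True)
class Finding:
    category: str
    detail: str


def triage(log: str) -> List[Finding]:
    """Collect the findings a responder would act on first."""
    findings: List[Finding] = []
    for line in log.splitlines():
        if line.startswith("Infected copy of "):
            findings.append(Finding("patched-system-file", line.strip()))
    for name, path in parse_appcertdlls(log):
        findings.append(Finding("appcertdlls-entry", f"{name} -> {path}"))
    for proc, dlls in parse_loaded_dlls(log).items():
        for dll in dlls:
            if is_profile_path(dll):
                findings.append(Finding(f"profile-dll-in-{proc}", dll))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.category:30} {f.detail}")
```

Run against the sample it reports the tcpip.sys line, both AppCertDlls values, and the two rdtjzt.dll copies mapped into winlogon.exe and explorer.exe; the ccApp Run entry and the system DLLs are left alone.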


#4 thewall
  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 13 May 2010 - 11:18 AM

I need you to upload a couple of files so I can have them checked. If you recognize any of these let me know.

  • Submit file sample
  • Open to the Submission Channel.
  • Under Link to topic where this file was requested, input:
    http://www.bleepingcomputer.com/forums/index.php?showtopic=316148&view=findpost&p=1755668
  • Click Browse and select the c:\windows\system32\upgierrje.dll
  • Under the comments section, say that thewall asked for the submission.
  • Then select Send File to send it
  • After that you should get a confirmation if it was uploaded successfully.
Let me know when you have uploaded the log.




Please do the same for this file: c:\windows\system32\cowexdo.dll

#5 crum23
  • Topic Starter
  • Members
  • 22 posts

Posted 13 May 2010 - 12:33 PM

The cowexdo.dll file uploaded successfully, but I've tried twice to upload the upgierrje.dll file you requested and I keep getting an unknown error. The progress bar slowly creeps toward full and when it gets there I get this message:

There was a problem with your submission. Please Contact Us and let us know the name of the file, the size of the file, and the error code given below.

Unknown error.
Error number

Let me know what you want me to do. By the way, thanks for all your help so far. My computer is working much better after ComboFix. I understand I may not be out of the woods yet, but at least we are making real progress.

#6 thewall
  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 13 May 2010 - 12:53 PM

You're welcome, glad to hear things are running better.

Don't worry about that one; instead try the one below, and if it still won't upload then I posted some alternate instructions below for having it checked. If it uploads, disregard the other instructions.

c:\windows\system32\wiasupa.dll

Please visit the online Jotti Virus Scanner.
  • Copy and paste the following filepath in the box:
    c:\windows\system32\wiasupa.dll
  • Click on the button.
    The scanner will check the file with various AV companies.
  • Copy and paste the results box into a reply to this thread.


#7 crum23
  • Topic Starter
  • Members
  • 22 posts

Posted 13 May 2010 - 01:03 PM

ok, wiasupa.dll uploaded successfully.

#8 crum23
  • Topic Starter
  • Members
  • 22 posts

Posted 13 May 2010 - 01:15 PM

I ran the upgierrje.dll file on Jotti and this is what it found:

Filename: upgierrje.dll
Status: Scan finished. 10 out of 19 scanners reported malware.
Scan taken on: Thu 13 May 2010 20:07:52 (CET) Permalink

2010-05-13 Found nothing 2010-05-13 Backdoor.Generic.298537
2010-05-13 Win32:Malware-gen 2010-05-13 Trojan-Dropper.Win32.Decept
2010-05-13 Generic17.RES 2010-05-13 Found nothing
2010-05-13 DR/Delphi.Gen 2010-05-13 Win32/Delf.PFX
2010-05-13 Backdoor.Generic.298537 2010-05-13 Application/GameVance
2010-05-13 Found nothing 2010-05-13 Found nothing
2010-05-13 Found nothing 2010-05-11 Mal/Pincav-A
2010-05-13 Found nothing 2010-05-12 Trojan.Win32.Pincav.xjs
2010-05-13 Found nothing 2010-05-13 Found nothing

Here is a link to the scan result:
http://virusscan.jotti.org/en/scanresult/5...9ec8b8d32501642





#9 thewall
  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 13 May 2010 - 01:18 PM

I would like for you to run one more for me. You can run this one through Jotti if you would like. I don't suspect it as much as the others but it would be good to check it anyway:


c:\windows\system32\wininet.dll

#10 crum23
  • Topic Starter
  • Members
  • 22 posts

Posted 13 May 2010 - 01:24 PM

Ran that one through Jotti and it found nothing.

#11 thewall
  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 13 May 2010 - 02:11 PM

Good job. Let's take care of those entries:


Special ComboFix script made for this computer only

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs including TeaTimer if you have it so they do not interfere with the running of ComboFix. Instructions for doing so are located here

3. Open notepad and copy/paste the text in the quotebox below into it:

Collect::
c:\windows\system32\upgierrje.dll
c:\windows\system32\loniorand.dll
c:\windows\system32\erryetor.dll
c:\windows\system32\arcraah.dll
c:\windows\system32\shecraasuwi.dll
c:\windows\system32\cowexdo.dll
c:\windows\system32\orwwinor.dll
c:\windows\system32\craetapiw.dll
c:\windows\system32\to32wins.dll
c:\windows\system32\wiasupa.dll
c:\windows\system32\mpnonsta.dll
c:\documents and settings\NetworkService\Local Settings\Application Data\Windows Server\rdtjzt.dll


Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


#12 crum23
  • Topic Starter
  • Members
  • 22 posts

Posted 13 May 2010 - 03:03 PM

Here is the ComboFix log. I kept getting an error message while ComboFix was running. It said on the top of the dialog box "CF10329.cfxxe - Bad Image" and then in the box it said "C:\Documents and Settings\local service\local settings\application data\windows server\rdtjzt.dll is not a valid windows image. Please check against your installation diskette." I'm not sure what this means but it happened at least 5 or 6 times while ComboFix was running.

ComboFix 10-05-12.04 - Administrator 05/13/2010 14:15:40.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1382 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: Symantec Endpoint Protection *On-access scanning disabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

file zipped: c:\documents and settings\NetworkService\Local Settings\Application Data\Windows Server\rdtjzt.dll
file zipped: c:\windows\system32\arcraah.dll
file zipped: c:\windows\system32\cowexdo.dll
file zipped: c:\windows\system32\craetapiw.dll
file zipped: c:\windows\system32\erryetor.dll
file zipped: c:\windows\system32\loniorand.dll
file zipped: c:\windows\system32\orwwinor.dll
file zipped: c:\windows\system32\shecraasuwi.dll
file zipped: c:\windows\system32\to32wins.dll
file zipped: c:\windows\system32\upgierrje.dll
file zipped: c:\windows\system32\wiasupa.dll
.
The following files were disabled during the run:
c:\documents and settings\NetworkService\Local Settings\Application Data\Windows Server\rdtjzt.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\LocalService\Local Settings\Application Data\Windows Server
c:\documents and settings\LocalService\Local Settings\Application Data\Windows Server\rdtjzt.dll
c:\documents and settings\NetworkService\Local Settings\Application Data\Windows Server
c:\documents and settings\NetworkService\Local Settings\Application Data\Windows Server\rdtjzt.dll
c:\documents and settings\NetworkService\Local Settings\Application Data\Windows Server\rdtjzt.dll.vir
C:\feed.txt
c:\windows\system32\arcraah.dll
c:\windows\system32\cowexdo.dll
c:\windows\system32\craetapiw.dll
c:\windows\system32\erryetor.dll
c:\windows\system32\ialmuARA.dll
c:\windows\system32\ialmuARB.dll
c:\windows\system32\ialmuCHS.dll
c:\windows\system32\ialmuCHT.dll
c:\windows\system32\ialmuCSY.dll
c:\windows\system32\ialmuDAN.dll
c:\windows\system32\ialmuDEU.dll
c:\windows\system32\ialmudlg.exe
c:\windows\system32\ialmuELL.dll
c:\windows\system32\ialmuENG.dll
c:\windows\system32\ialmuESP.dll
c:\windows\system32\ialmuFIN.dll
c:\windows\system32\ialmuFRA.dll
c:\windows\system32\ialmuFRC.dll
c:\windows\system32\ialmuHEB.dll
c:\windows\system32\ialmuHUN.dll
c:\windows\system32\ialmuITA.dll
c:\windows\system32\ialmuJPN.dll
c:\windows\system32\ialmuKOR.dll
c:\windows\system32\ialmuNLD.dll
c:\windows\system32\ialmuNOR.dll
c:\windows\system32\ialmuPLK.dll
c:\windows\system32\ialmuPTB.dll
c:\windows\system32\ialmuPTG.dll
c:\windows\system32\ialmuRUS.dll
c:\windows\system32\ialmuSVE.dll
c:\windows\system32\ialmuTHA.dll
c:\windows\system32\ialmuTRK.dll
c:\windows\system32\igfxrara.lrc
c:\windows\system32\igfxrchs.lrc
c:\windows\system32\igfxrcht.lrc
c:\windows\system32\igfxrcsy.lrc
c:\windows\system32\igfxrdan.lrc
c:\windows\system32\igfxrdeu.lrc
c:\windows\system32\igfxrell.lrc
c:\windows\system32\igfxrenu.lrc
c:\windows\system32\igfxresp.lrc
c:\windows\system32\igfxrfin.lrc
c:\windows\system32\igfxrfra.lrc
c:\windows\system32\igfxrheb.lrc
c:\windows\system32\igfxrhun.lrc
c:\windows\system32\igfxrita.lrc
c:\windows\system32\igfxrjpn.lrc
c:\windows\system32\igfxrkor.lrc
c:\windows\system32\igfxrnld.lrc
c:\windows\system32\igfxrnor.lrc
c:\windows\system32\igfxrplk.lrc
c:\windows\system32\igfxrptb.lrc
c:\windows\system32\igfxrptg.lrc
c:\windows\system32\igfxrrus.lrc
c:\windows\system32\igfxrsve.lrc
c:\windows\system32\igfxrtha.lrc
c:\windows\system32\igfxrtrk.lrc
c:\windows\system32\loniorand.dll
c:\windows\system32\orwwinor.dll
c:\windows\system32\shecraasuwi.dll
c:\windows\system32\to32wins.dll
c:\windows\system32\upgierrje.dll
c:\windows\system32\wiasupa.dll

.
((((((((((((((((((((((((( Files Created from 2010-04-13 to 2010-05-13 )))))))))))))))))))))))))))))))
.

2010-05-13 19:20 . 2010-05-13 19:22 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Windows Server
2010-05-11 13:01 . 2010-05-11 13:01 -------- d-----w- c:\program files\Microsoft Silverlight
2010-04-30 19:49 . 2010-04-30 19:49 -------- d-----w- c:\documents and settings\JCrummel\Local Settings\Application Data\Google
2010-04-28 16:57 . 2010-04-28 16:58 -------- d-----w- c:\documents and settings\JCrummel\Application Data\webex

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-30 19:49 . 2007-07-31 20:29 -------- d-----w- c:\program files\Google
2010-04-30 14:32 . 2010-01-28 21:35 -------- d-----w- c:\program files\Sandboxie
2010-04-26 13:09 . 2010-03-26 14:27 -------- d-----w- c:\program files\inFlow Inventory
2010-04-26 13:09 . 2010-03-26 14:27 -------- d-----w- c:\documents and settings\All Users\Application Data\inFlow Inventory
2010-04-26 13:09 . 2010-03-26 14:33 -------- d-----w- c:\program files\Microsoft SQL Server
2010-04-26 13:06 . 2007-05-31 12:57 -------- d-----w- c:\program files\Microsoft.NET
2010-03-26 15:13 . 2010-03-26 15:13 -------- d-----w- c:\documents and settings\JCrummel\Application Data\inFlow Inventory
2010-03-26 14:32 . 2010-03-26 14:32 -------- d-----w- c:\program files\Business Objects
2010-03-15 13:02 . 2010-03-08 14:01 0 ----a-w- c:\windows\Iyocupilidarex.bin
2010-03-15 13:02 . 2010-03-08 14:01 120 ----a-w- c:\windows\Qmaziy.dat
2010-03-10 06:15 . 2004-08-04 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 23:34 . 2010-03-09 23:34 82648 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-09 23:28 . 2010-03-09 23:28 1579520 ----a-w- C:\agent.msi
2010-03-08 13:59 . 2010-03-03 18:18 28 ----a-w- c:\windows\system32\config\systemprofile\Application Data\glchvt.dat
2010-03-05 14:20 . 2010-03-05 14:20 24 ----a-w- c:\documents and settings\LocalService\Application Data\glchvt.dat
2010-03-03 15:41 . 2010-03-03 15:41 24 ----a-w- c:\documents and settings\NetworkService\Application Data\glchvt.dat
2010-02-25 06:24 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2004-08-04 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-23 16:52 . 2010-02-17 16:56 8 ----a-w- c:\windows\system32\nvModes.dat
2010-02-17 20:21 . 2008-11-13 18:51 162048 ----a-w- c:\windows\system32\drivers\WpsHelper.sys
2010-02-16 14:08 . 2004-08-04 12:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-02-19 19:17 . 2009-02-19 19:17 48128 --sha-w- c:\windows\system32\hideagent.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 40960]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-12 623992]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-11-13 115560]
"hpbdfawep"="c:\program files\HP\Dfawep\bin\hpbdfawep.exe" [2007-04-25 954368]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-12 13666408]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-01-12 110696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 22:28 352256 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
grpcgpwd REG_SZ c:\windows\system32\mpnonsta.dll
AppSecDll REG_SZ c:\documents and settings\LocalService\Local Settings\Application Data\Windows Server\rdtjzt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\SMiller\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\Java\\jre1.6.0_01\\bin\\javaw.exe"=
"c:\\Program Files\\ANSYS Inc\\v110\\CFX\\bin\\winnt\\PreEngine.exe"=
"c:\\Program Files\\ANSYS Inc\\v110\\CFX\\bin\\winnt\\PreGui_ogl.exe"=
"c:\\Program Files\\ANSYS Inc\\v110\\AISOL\\CommonFiles\\intel\\AnsysWBU.exe"=
"c:\\Program Files\\ANSYS Inc\\v110\\ANSYS\\bin\\intel\\ANSYS.exe"=
"c:\\Program Files\\ANSYS Inc\\v110\\AISOL\\CAD Integration\\intel\\ActivePIMgrU.exe"=
"c:\\Program Files\\ANSYS Inc\\v110\\AISOL\\CAD Integration\\intel\\ReaderHostU.exe"=
"c:\\Program Files\\ANSYS Inc\\v110\\CommonFiles\\TCL\\bin\\intel\\tclsh.exe"=
"c:\\Program Files\\ANSYS Inc\\v110\\CommonFiles\\TCL\\bin\\intel\\wish.exe"=
"c:\\Program Files\\ANSYS Inc\\v110\\RSM\\bin\\JobManagerService.exe"=
"c:\\Program Files\\ANSYS Inc\\v110\\RSM\\bin\\JMAdmin.exe"=
"c:\\Program Files\\ANSYS Inc\\v110\\RSM\\bin\\JMPassword.exe"=
"c:\\Program Files\\ANSYS Inc\\v110\\RSM\\bin\\ScriptHostService.exe"=
"c:\\Program Files\\ANSYS Inc\\Shared Files\\Licensing\\intel\\ansyslmd.exe"=
"c:\\Program Files\\ANSYS Inc\\Shared Files\\Licensing\\intel\\lmgrd.exe"=
"c:\\Program Files\\ANSYS Inc\\v110\\CFX\\bin\\winnt\\PostGui_ogl.exe"=
"c:\\Program Files\\ANSYS Inc\\v110\\CFX\\bin\\winnt\\PostEngine.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/3/2008 3:07 PM 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/3/2008 3:07 PM 55024]
R2 JobManagerService110;Ansys JobManager Service V11;c:\program files\ANSYS Inc\v110\RSM\bin\JobManagerService.exe [1/16/2007 4:20 PM 20480]
R2 ScriptHostService110;Ansys ScriptHost Service V11;c:\program files\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe [1/16/2007 4:20 PM 20480]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/3/2007 11:21 AM 24652]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Adapter;c:\windows\system32\drivers\atl01_xp.sys [5/25/2007 11:51 PM 34944]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/3/2009 11:28 AM 102448]
R3 netmonzMP;netmonzMP;c:\windows\system32\drivers\netmonz.sys [8/17/2009 11:17 AM 18432]
S2 ANSYS FLEXlm license manager;ANSYS FLEXlm license manager;c:\progra~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe [1/29/2010 10:52 AM 1294336]
S2 Flexlm Service 1;Flexlm Service 1;c:\program files\ANSYS Inc\Shared Files\Licensing\intel\lmgrd.exe [1/29/2010 10:52 AM 1294336]
S3 CaptureFileMonitor;CaptureFileMonitor;c:\windows\system32\drivers\CaptureFileMonitor.sys [3/9/2010 6:24 PM 11264]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\coh_mon.sys [11/13/2008 1:51 PM 23888]
S3 netmonz;NetmonZ Service;c:\windows\system32\drivers\netmonz.sys [8/17/2009 11:17 AM 18432]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\sasenum.sys [9/3/2008 3:07 PM 7408]
.
Contents of the 'Scheduled Tasks' folder

2010-05-13 c:\windows\Tasks\SDMsgUpdate (TE).job
- c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2009-03-27 11:29]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-13 14:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1202660629-651377827-839522115-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b1,f8,62,d4,8b,e8,56,4a,b6,ba,88,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b1,f8,62,d4,8b,e8,56,4a,b6,ba,88,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1244)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3172)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\windows\system32\brss01a.exe
c:\windows\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2010-05-13 14:33:51 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-13 19:33
ComboFix2.txt 2010-05-13 13:49

Pre-Run: 54,221,123,584 bytes free
Post-Run: 54,210,019,328 bytes free

- - End Of File - - EEB2B7F8E6F57C4D98A8FDEB480A4099


#13 thewall

  • Malware Response Team

Posted 13 May 2010 - 03:45 PM

Seems CF was having some problem identifying one of the files. Looks like everything ran OK so I don't believe we have to be concerned about it.

Let's run another scan to see if we can find any leftovers:

It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Please perform a scan with Kaspersky Online Virus Scanner.
-- Requires free Java Runtime Environment (JRE) to be installed before scanning for malware as ActiveX is no longer being used.
-- This scan will not remove any detected file threats but it will show where they are located so they can be cleaned with other tools.
  • Vista users need to right-click the IE or FF Start Menu or Quick Launch Bar icons and Run As Administrator from the context menu.
  • Read the "Advantages - Requirements and Limitations" then press the ... button.
  • You will be prompted to install an application from Kaspersky. Click the Run button. It will start downloading and installing the scanner and virus definitions.
  • When the downloads have finished, you should see 'Database is updated. Ready to scan'. Click on the ... button.
  • Make sure these boxes are checked. By default, they should be. If not, please check them and click on the ... button afterwards:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
  • Click on My Computer under the Scan section. OK any warnings from your protection programs.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • Once the scan is complete (the 'status' will show complete), click on View Scan Report and any infected objects will be shown.
  • Click on Save Report As... and change the Files of type to Text file (.txt)
  • Name the file KAVScan_ddmmyy (day, month, year) before clicking on the Save button and save it to your Desktop.
  • Copy and paste (Ctrl+C) the saved scan results from that file in your next reply.
-- Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.


If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#14 crum23

  • Topic Starter

Posted 14 May 2010 - 08:05 AM

Sorry for the delay. Had to go home for the night before the scan finished. The Kaspersky Scan did find some threats. Here is the report:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, May 14, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, May 13, 2010 16:46:34
Records in database: 4108533
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Objects scanned: 115739
Threats found: 4
Infected objects found: 20
Suspicious objects found: 0
Scan duration: 02:27:08


File name / Threat / Threats count
C:\Documents and Settings\Default User\Local Settings\Application Data\Windows Server\rdtjzt.dll Infected: Trojan.Win32.Zapchast.bgq 1
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\0\43120580-5df0c8d7 Infected: Exploit.Java.Agent.f 1
C:\Qoobox\Quarantine\C\Documents and Settings\JCrummel\Local Settings\Application Data\Windows Server\rdtjzt.dll.vir Infected: Trojan.Win32.Zapchast.bgq 1
C:\Qoobox\Quarantine\C\Documents and Settings\JCrummel\nah_cgjh.exe.vir Infected: Trojan.Win32.Scar.bzli 1
C:\Qoobox\Quarantine\C\Documents and Settings\LocalService\Local Settings\Application Data\Windows Server\rdtjzt.dll.vir Infected: Trojan.Win32.Zapchast.bgq 1
C:\Qoobox\Quarantine\C\Documents and Settings\LocalService\Local Settings\Application Data\Windows Server\rdtjzt.dll.vir.vir Infected: Trojan.Win32.Zapchast.bgq 1
C:\Qoobox\Quarantine\C\Documents and Settings\LocalService\Local Settings\Application Data\Windows Server\_rdtjzt_.dll.zip Infected: Trojan.Win32.Zapchast.bgq 1
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Local Settings\Application Data\Windows Server\rdtjzt.dll.vir.vir Infected: Trojan.Win32.Zapchast.bgq 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\tcpip.sys.vir Infected: Rootkit.Win32.TDSS.ap 1
C:\Qoobox\Quarantine\[4]-Submit_2010-05-13_14.15.11.zip Infected: Trojan.Win32.Zapchast.bgq 1
C:\System Volume Information\_restore{C90345AA-AD05-4632-804D-584617EBF7FA}\RP22\A0021121.dll Infected: Trojan.Win32.Zapchast.bgq 1
C:\System Volume Information\_restore{C90345AA-AD05-4632-804D-584617EBF7FA}\RP22\A0021153.sys Infected: Rootkit.Win32.TDSS.ap 1
C:\System Volume Information\_restore{C90345AA-AD05-4632-804D-584617EBF7FA}\RP22\A0021199.dll Infected: Trojan.Win32.Zapchast.bgq 1
C:\System Volume Information\_restore{C90345AA-AD05-4632-804D-584617EBF7FA}\RP22\A0021200.exe Infected: Trojan.Win32.Scar.bzli 1
C:\System Volume Information\_restore{C90345AA-AD05-4632-804D-584617EBF7FA}\RP22\A0021201.dll Infected: Trojan.Win32.Zapchast.bgq 1
C:\System Volume Information\_restore{C90345AA-AD05-4632-804D-584617EBF7FA}\RP22\A0021202.dll Infected: Trojan.Win32.Zapchast.bgq 1
C:\System Volume Information\_restore{C90345AA-AD05-4632-804D-584617EBF7FA}\RP22\A0021209.dll Infected: Trojan.Win32.Zapchast.bgq 1
C:\System Volume Information\_restore{C90345AA-AD05-4632-804D-584617EBF7FA}\RP22\A0021210.dll Infected: Trojan.Win32.Zapchast.bgq 1
C:\System Volume Information\_restore{C90345AA-AD05-4632-804D-584617EBF7FA}\RP22\A0021351.dll Infected: Trojan.Win32.Zapchast.bgq 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Windows Server\rdtjzt.dll Infected: Trojan.Win32.Zapchast.bgq 1

Selected area has been scanned.


#15 thewall

  • Malware Response Team

Posted 14 May 2010 - 12:48 PM

No problem!

Most of that will be gone when we uninstall ComboFix. There are some we need to take off and we should be able to do that manually.
Go to Start > My Computer
Go to Tools > Folder Options
Click on the View tab
Untick the following:
  • Hide extensions for known file types
  • Hide protected operating system files (Recommended)
You will get a message warning you about showing protected operating system files, click Yes
Make sure this option is selected:
  • Show hidden files and folders
Click Apply and then click OK


Use Windows Explorer to find and delete these files:

C:\Documents and Settings\Default User\Local Settings\Application Data\Windows Server\rdtjzt.dll

C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Windows Server\rdtjzt.dll


As an example:
To delete C:\WINDOWS\badfile.dll
Double click the My Computer icon on your Desktop. Or click on the Windows KEY + E.
Double click on Local Disc (C:\)
Double click on the Windows folder,
Right click on badfile.dll and then from the menu that appears, click on Delete
Now do the opposite of what you did above to Hide extensions for known file types and
to Hide protected operating system files (Recommended)
Please uninstall older version of Adobe Reader before installing the latest version

* Click Start
* Control Panel
* Double-click on Add/Remove Programs
* Locate older version of Adobe Reader and click on Change/Remove to uninstall it
* Click HERE to download the latest version of Adobe Acrobat Reader.
* Select your Windows version and click on Download. If you are using Internet Explorer, you will receive prompts. Allow the installation to be run and it will be installed automatically for you. If you are using other browsers, it will prompt you to save a file. Save this file to your desktop and run it to install the latest version of Adobe Reader.
* Close your Internet browser and open it again.
Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older-version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 20 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.
When completed let me know.
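The triage thewall applies to the Kaspersky report (entries under C:\Qoobox go away with ComboFix, copies inside restore points belong to System Restore, and only the live copies of rdtjzt.dll need deleting by hand) can be done mechanically. This is an added example, not code from the thread or from any of the tools mentioned; the sample report is a constructed subset of the entries quoted above, and the bucket names and the handling noted for the Java cache entry are my own assumptions.

```python
import re

# Constructed sample in the format of the Kaspersky Online Scanner 7.0 report
# posted above (a subset of the real entries, copied from the report).
SAMPLE_REPORT = r"""
File name / Threat / Threats count
C:\Documents and Settings\Default User\Local Settings\Application Data\Windows Server\rdtjzt.dll Infected: Trojan.Win32.Zapchast.bgq 1
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\0\43120580-5df0c8d7 Infected: Exploit.Java.Agent.f 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\tcpip.sys.vir Infected: Rootkit.Win32.TDSS.ap 1
C:\Qoobox\Quarantine\[4]-Submit_2010-05-13_14.15.11.zip Infected: Trojan.Win32.Zapchast.bgq 1
C:\System Volume Information\_restore{C90345AA-AD05-4632-804D-584617EBF7FA}\RP22\A0021153.sys Infected: Rootkit.Win32.TDSS.ap 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Windows Server\rdtjzt.dll Infected: Trojan.Win32.Zapchast.bgq 1

Selected area has been scanned.
"""

# One detection line: "<path> Infected: <threat name> <count>".
# Paths contain spaces, so the " Infected: " token is the only safe delimiter.
LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)\s*$")


def parse_report(text: str) -> list:
    """Return (path, threat, count) for every detection line in the report."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            findings.append((m.group("path"), m.group("threat"), int(m.group("count"))))
    return findings


def classify(path: str) -> str:
    """Map a detected path to the action the thread applies to it (bucket names are assumptions)."""
    p = path.lower()
    if p.startswith("c:\\qoobox\\"):
        # ComboFix quarantine: removed when ComboFix is uninstalled.
        return "combofix_quarantine"
    if "\\system volume information\\" in p:
        # Copies held in System Restore points; handled by purging restore points,
        # which this post does not yet cover.
        return "system_restore"
    if "\\sun\\java\\deployment\\cache\\" in p:
        # Java applet cache; the post's fix is to remove old Java and update it.
        return "java_cache"
    # Anything else is a live file that must be deleted by hand, as the post describes.
    return "manual"


def triage(text: str) -> dict:
    """Group detections by bucket, preserving report order inside each bucket."""
    buckets = {"manual": [], "combofix_quarantine": [], "system_restore": [], "java_cache": []}
    for path, threat, _count in parse_report(text):
        buckets[classify(path)].append((path, threat))
    return buckets


def manual_removal_list(text: str) -> list:
    """Paths that still have to be removed manually (the list thewall gives above)."""
    return [path for path, _threat in triage(text)["manual"]]


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_REPORT).items():
        print(f"{bucket}: {len(items)}")
        for path, threat in items:
            print(f"  {threat:28} {path}")
```

Run against the sample, the "manual" bucket comes out as exactly the two rdtjzt.dll paths listed for deletion in this reply; the quarantined tcpip.sys (the TDSS rootkit component) sits under C:\Qoobox and is left to the ComboFix uninstall.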



