
Infected with Zeus Banking Virus



#1 rkibler


Posted 04 June 2010 - 03:28 PM

When I use my routine login to Bank of America, the screen displays a "Security Confirmation" request and asks for detailed information (account, social security number, date of birth, credit card number, PIN) etc. I spoke with the bank and they confirmed they are not requesting this information. I found similar situations on the web that lead me to believe this is the Zeus virus/trojan (they display the exact same screen shots).

I've tried Trend Micro Office Scan, Malwarebytes Anti-Malware, STOPzilla and SpyHunter 4. None have confirmed the virus.

It was recommended by our IT consultant that I try ComboFix.

Pursuant to the ComboFix instructions, and recommendations on Bleepingcomputer, I am creating a topic in this forum before jumping into ComboFix.

You guys took the time to put together pretty detailed instructions so I am taking the time to follow them. . . .

Here is the DDS.txt, and I've attached the "Attach.txt" and "ark.txt" files

DDS (Ver_10-03-17.01) - NTFSx86
Run by rkibler at 13:26:45.30 on Fri 06/04/2010
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.179 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\Program Files\CCVPN\cvpnd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft Analysis Services\Bin\msmdsrv.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\TEMP\UGDD7A.EXE
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Documents and Settings\rkibler\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.coppercom.com/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.dell.com/
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.dell.com/
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.dell.com/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - No File
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [DVDSentry] c:\windows\system32\DSentry.exe
mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_02\bin\npjpi150_02.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: adp.com\ireports
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc2.cab
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {99C7B1B6-C556-4BA2-BBF6-4E19394A260B} - hxxps://coppercom.custhelp.com:/rnt/rnw/client_files/RNTProcMan.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://exact.webex.com/client/v_mywebex-t20/webex/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\rkibler\applic~1\mozilla\firefox\profiles\ca2dgz66.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.coppercom.com/
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R2 OfcPfwSvc;OfficeScanNT Personal Firewall;c:\program files\trend micro\officescan client\OfcPfwSvc.exe [2006-5-11 233552]
R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\TmXPFlt.sys [2006-5-11 230928]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\tmpreflt.sys [2006-5-11 36368]
R3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\drivers\ozscr.sys [2005-3-2 92550]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-5-5 189792]

=============== Created Last 30 ================

2011-08-28 04:00:24 0 d-----w- c:\program files\CCleaner
2010-06-04 17:23:51 0 ----a-w- c:\documents and settings\rkibler\defogger_reenable
2010-06-02 16:09:51 0 d-----w- c:\program files\Enigma Software Group
2010-06-02 16:08:49 0 d-----w- c:\windows\4FC9DA9DF608454E8191D7EFFDCC5726.TMP
2010-06-02 16:08:43 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-06-01 20:59:03 1080 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-06-01 20:48:18 16384 ---ha-w- C:\SZKGFS.dat
2010-06-01 20:45:14 0 d-----w- c:\docume~1\alluse~1\applic~1\SITEguard
2010-06-01 20:44:01 0 d-----w- c:\program files\common files\iS3
2010-06-01 20:44:00 0 d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!
2010-06-01 17:08:35 0 d-----w- c:\windows\system32\wbem\Repository

==================== Find3M ====================

2010-03-25 20:20:04 59732 ---ha-w- c:\windows\system32\mlfcache.dat
2010-03-10 04:33:41 1509888 ----a-w- c:\windows\system32\dllcache\shdocvw.dll
2010-03-10 04:33:38 1025024 ----a-w- c:\windows\system32\dllcache\browseui.dll
2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\dllcache\vbscript.dll
2010-03-09 11:09:18 430080 ------w- c:\windows\system32\vbscript.dll

============= FINISH: 13:27:55.52 ===============
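As an added editorial example (not part of rkibler's post and not part of the DDS tool), here is a small Python triage script for DDS-style logs. It flags the two things in the log above that a responder checks first when a banking trojan is suspected: executables running from C:\WINDOWS\TEMP with random-looking names (UGDD7A.EXE above) and browser add-on entries (BHO/TB/EB) marked "No File". The log embedded in the script is a constructed excerpt of the one posted.

```python
"""Triage helper for DDS-style logs (added example, not a thread or DDS tool)."""
import re
from typing import Dict, List, Tuple

# Constructed excerpt that mirrors the shape of the log posted in the thread.
SAMPLE_LOG = r"""============== Running Processes ===============

C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\TEMP\UGDD7A.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.coppercom.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
Trusted Zone: adp.com\ireports

============= SERVICES / DRIVERS ===============
"""

# "============== Section Name ===============" header lines
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# an .exe sitting directly in a \temp\ or \tmp\ directory; captures the file name,
# tolerating trailing command-line arguments
TEMP_EXE_RE = re.compile(r"\\(?:temp|tmp)\\([^\\\s]+\.exe)(?:\s|$)", re.IGNORECASE)
# six or more letters/digits containing at least one digit, e.g. UGDD7A.EXE
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)[A-Z0-9]{6,}\.EXE$", re.IGNORECASE)
ADDON_PREFIXES = ("BHO", "TB", "EB")


def split_sections(text: str) -> Dict[str, List[str]]:
    """Group the non-empty lines of a DDS log under their section headers."""
    sections: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line.rstrip())
    return sections


def flag_temp_processes(processes: List[str]) -> List[Tuple[str, str]]:
    """Return (process line, reason) for executables launched from a temp dir."""
    hits = []
    for proc in processes:
        m = TEMP_EXE_RE.search(proc)
        if not m:
            continue
        reason = "runs from temp dir"
        if RANDOM_NAME_RE.match(m.group(1)):
            reason += ", random-looking name"
        hits.append((proc, reason))
    return hits


def flag_orphaned_addons(hjt_lines: List[str]) -> List[str]:
    """Return BHO/TB/EB entries whose backing file is missing ("No File")."""
    return [
        line for line in hjt_lines
        if line.split(":", 1)[0] in ADDON_PREFIXES and line.endswith("- No File")
    ]


def triage(text: str) -> Dict[str, list]:
    """Run both checks over a full DDS log and return the findings."""
    sections = split_sections(text)
    return {
        "temp_processes": flag_temp_processes(sections.get("Running Processes", [])),
        "orphaned_addons": flag_orphaned_addons(sections.get("Pseudo HJT Report", [])),
    }


if __name__ == "__main__":
    for kind, findings in triage(SAMPLE_LOG).items():
        print(f"[{kind}]")
        for item in findings:
            print("  ", item)
```

An orphaned "No File" entry is often just a leftover from an uninstall, so the script only surfaces candidates for the helper to look at; it does not decide anything by itself.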

#2 Shannon2012


Posted 07 June 2010 - 01:49 PM


Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Shannon

#3 rkibler


Posted 08 June 2010 - 12:42 PM

Shannon,

Thanks for your attention.

I have created new dds.txt and attach.txt files as suggested (below and attached).

Unfortunately, despite 5 attempts, I haven't been able to run a new GMER log. The application seems to launch fine and starts the process. A couple of times when the scan has finished, and I select "SAVE", I am given an error message that there are insufficient resources to access my desktop (nothing else is running that I am aware of). Eventually my machine freezes and I receive a blue screen with an "IRQL_NOT_LESS_OR_EQUAL" error. Other times, the scan doesn't seem to finish and it just freezes and gives me the same blue screen and message.

I have attached the GMER log (ark.txt) that I was able to run when I first opened the topic.





DDS (Ver_10-03-17.01) - NTFSx86
Run by rkibler at 10:43:19.35 on Tue 06/08/2010
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.151 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\Program Files\CCVPN\cvpnd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft Analysis Services\Bin\msmdsrv.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\TEMP\VF53A2.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\rkibler\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.coppercom.com/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.dell.com/
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.dell.com/
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.dell.com/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - No File
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [DVDSentry] c:\windows\system32\DSentry.exe
mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_02\bin\npjpi150_02.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: adp.com\ireports
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc2.cab
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {99C7B1B6-C556-4BA2-BBF6-4E19394A260B} - hxxps://coppercom.custhelp.com:/rnt/rnw/client_files/RNTProcMan.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://exact.webex.com/client/v_mywebex-t20/webex/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\rkibler\applic~1\mozilla\firefox\profiles\ca2dgz66.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.coppercom.com/
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R2 OfcPfwSvc;OfficeScanNT Personal Firewall;c:\program files\trend micro\officescan client\OfcPfwSvc.exe [2006-5-11 233552]
R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\TmXPFlt.sys [2006-5-11 230928]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\tmpreflt.sys [2006-5-11 36368]
R3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\drivers\ozscr.sys [2005-3-2 92550]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-5-5 189792]

=============== Created Last 30 ================

2011-08-28 04:00:24 0 d-----w- c:\program files\CCleaner
2010-06-04 17:23:51 0 ----a-w- c:\documents and settings\rkibler\defogger_reenable
2010-06-02 16:09:51 0 d-----w- c:\program files\Enigma Software Group
2010-06-02 16:08:49 0 d-----w- c:\windows\4FC9DA9DF608454E8191D7EFFDCC5726.TMP
2010-06-02 16:08:43 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-06-01 20:59:03 1080 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-06-01 20:48:18 16384 ---ha-w- C:\SZKGFS.dat
2010-06-01 20:45:14 0 d-----w- c:\docume~1\alluse~1\applic~1\SITEguard
2010-06-01 20:44:01 0 d-----w- c:\program files\common files\iS3
2010-06-01 20:44:00 0 d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!
2010-06-01 17:08:35 0 d-----w- c:\windows\system32\wbem\Repository

==================== Find3M ====================

2010-03-25 20:20:04 59732 ---ha-w- c:\windows\system32\mlfcache.dat

============= FINISH: 10:44:05.75 ===============


#4 pwgib


Posted 10 June 2010 - 06:22 AM

Hello rkibler

I will be handling your log to help you get cleaned up. I apologize for the delay but the forum is very busy.

As you can see the logs we ask for are very extensive and take a lot of time to investigate. In addition, since I am still in training all of my responses have to be reviewed by our excellent expert staff so there may be a delay in response time. The advantage is that your log will be evaluated by two sets of eyes and two brains.

If you haven't already, you can keep the link to this topic in your Favorites. Alternatively, you can click the Options button at the top bar of this topic and Track this Topic, where you can choose email notifications.

Please make sure Word Wrap in Notepad is turned off. When copying and pasting logs, paste them directly in the reply box; only attach logs if asked to. Do not wrap logs in codebox or code tags. It makes it very difficult to read and analyze them. Please paste them directly into the reply box.
Please do not make any changes to your system until we are through. Fixes are based upon information that is current from your system so any changes can affect our strategy. Please refrain from running any tools we may use without specific instructions.

If your operating system is Windows Vista or Windows 7, it may be necessary to right-click any programs we use and choose Run as Administrator.

Before we begin please check and follow the instructions on How to Show Hidden Files and Folders in Windows Vista and Windows XP and How to show hidden files in Windows 7

Because the e-mail notification system is not completely reliable, please check your topic once a day for responses.

Again, keep in mind that it may take a couple of days or more before I can reply but once we get started the process should speed up.

Thank you for your patience!!
PW

#5 rkibler

  • Topic Starter
  • Members
  • 10 posts

Posted 10 June 2010 - 09:25 AM

pwgib-

Thank you for your message.

I have noted your comments regarding the word wrap in notepad, and pasting (rather than attaching) logs.

As instructed, I will not be making any changes to the system, nor running any tools.

I am running Windows XP Professional, Version 5.1 (Service Pack 3) and I am able to view hidden files and folders.

I'll check the topic daily, and I have noted that you are unavailable on Saturday, June 12.

I look forward to the next steps.

rkibler



#6 pwgib

  • Malware Response Team
  • 2,956 posts
  • Gender:Male
  • Location:God's Country

Posted 13 June 2010 - 12:14 PM

Hi rkibler,

I see you have TrendMicro OfficeScan installed. I'm not familiar with this product. Does it always run in the background and provide real time protection unless disabled?

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. <----Important
    Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.


In your next reply please include the following:

ComboFix.txt

Thanks!!
PW

#7 rkibler

  • Topic Starter
  • Members
  • 10 posts

Posted 13 June 2010 - 01:39 PM

pw -

Thanks for the next steps.

With regard to the TrendMicro OfficeScan, I am not very familiar with this product either. We used to have an IT team here on staff, but we had to let them go about 18 months ago due to budget cuts. The IT team installed the TrendMicro OfficeScan a few years ago. I do not launch the application myself, so yes, I believe it always runs in the background and is intended to provide real time protection unless disabled. Unfortunately, my controls are very limited (although I am the administrator on my machine). I believe the application is client-server based, and I am only a client, so my control is limited. There is an icon on the taskbar for the application. When I right click on the icon, my options are "Office Scan Main", "Update Now" and "Unload OfficeScan". I ran the "Update Now" function prior to opening a topic on Bleepingcomputer, so I believe I have the current version running, but it was unable to fix the issue. Unfortunately, when I select "Unload OfficeScan", I am prompted for a password to "Unload OfficeScan Client". However, I do not have the password. I will speak to someone in the office to obtain the password to unload the OfficeScan client, then proceed with the Combofix process, unless you instruct otherwise.

Thanks,

rkibler



#8 rkibler

  • Topic Starter
  • Members
  • 10 posts

Posted 14 June 2010 - 01:55 PM

pw

I was able to uninstall the TrendMicro OfficeScan application and run combofix.

It seemed to run successfully, and did force a re-boot as expected. Combofix automatically resumed after the reboot and finished with the combofix.txt file.

I wasn't sure if you wanted me to paste the combofix.txt text or attach the file, so I have done both.

Please let me know what the next steps are, if any . . .

Thank you again for your efforts.

rkibler
-----------------------------------------------------------------------------

ComboFix 10-06-14.01 - rkibler 06/14/2010 14:20:40.1.1 - x86
Running from: c:\documents and settings\rkibler\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\HelpAssistant\g2mdlhlpx.exe
c:\documents and settings\HelpAssistant\GoToAssistDownloadHelper.exe
c:\documents and settings\HelpAssistant\PNPrint3.exe
c:\documents and settings\rkibler\g2mdlhlpx.exe
c:\documents and settings\rkibler\GoToAssistDownloadHelper.exe
c:\documents and settings\rkibler\PNPrint3.exe
c:\windows\system32\drivers\fad.sys
c:\windows\system32\SHELLLNK.TLB

.
((((((((((((((((((((((((( Files Created from 2010-05-14 to 2010-06-14 )))))))))))))))))))))))))))))))
.

2011-08-28 04:00 . 2011-08-28 04:00 -------- d-----w- c:\program files\CCleaner
2010-06-02 16:09 . 2010-06-02 16:09 -------- d-----w- c:\program files\Enigma Software Group
2010-06-02 16:08 . 2010-06-02 17:50 -------- d-----w- c:\windows\4FC9DA9DF608454E8191D7EFFDCC5726.TMP
2010-06-02 16:08 . 2010-06-02 16:08 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-06-01 20:48 . 2010-06-01 20:48 16384 ---ha-w- C:\SZKGFS.dat
2010-06-01 20:45 . 2010-06-01 20:45 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2010-06-01 20:44 . 2010-06-01 20:44 262144 ----a-w- c:\documents and settings\ntuser.dat
2010-06-01 20:44 . 2010-06-01 20:44 -------- d-----w- c:\program files\Common Files\iS3
2010-06-01 20:44 . 2010-06-02 13:56 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-06-01 17:08 . 2010-06-01 17:08 -------- d-----w- c:\windows\system32\wbem\Repository

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-09 15:59 . 2005-07-13 18:47 -------- d-----w- c:\documents and settings\rkibler\Application Data\AdobeUM
2010-06-01 21:01 . 2010-06-01 20:59 1080 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-06-01 16:48 . 2010-04-08 02:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-02 05:22 . 2004-08-11 23:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-21 04:02 . 2009-04-16 00:23 -------- d-----w- c:\documents and settings\rkibler\Application Data\Apple Computer
2010-04-20 05:30 . 2004-08-11 23:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 16:09 . 2004-08-11 23:00 667136 ----a-w- c:\windows\system32\wininet.dll
2010-04-16 16:09 . 2004-08-11 23:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-04-16 13:57 . 2010-04-16 13:55 -------- d-----w- c:\program files\iTunes
2010-04-16 13:57 . 2010-04-16 13:55 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-16 13:56 . 2006-06-20 03:11 -------- d-----w- c:\program files\iPod
2010-04-16 13:56 . 2009-04-16 00:19 -------- d-----w- c:\program files\Common Files\Apple
2010-04-16 13:46 . 2010-04-16 13:45 -------- d-----w- c:\program files\QuickTime
2010-04-16 13:39 . 2010-04-16 13:38 -------- d-----w- c:\program files\Bonjour
2010-04-16 13:33 . 2010-04-16 13:33 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-04-13 03:29 . 2005-07-13 18:15 73776 ----a-w- c:\documents and settings\rkibler\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-09 18:05 . 2010-04-09 18:05 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-03-30 04:46 . 2010-04-08 02:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45 . 2010-04-08 02:19 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-26 13:49 . 2010-03-26 13:49 0 ----a-w- c:\windows\nsreg.dat
2010-03-25 20:20 . 2010-03-25 20:20 59732 ---ha-w- c:\windows\system32\mlfcache.dat
2010-03-17 15:44 . 2010-03-17 15:44 552 ----a-w- c:\windows\system32\d3d8caps.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-09-01 339968]
"DVDSentry"="c:\windows\system32\DSentry.exe" [2002-07-17 28672]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-3-2 24576]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 22:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Vital\\POS2000\\BIN\\vAppCon.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"2354:TCP"= 2354:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"6076:TCP"= 6076:TCP:Services
"6077:TCP"= 6077:TCP:Services
"9789:TCP"= 9789:TCP:Services
"9788:TCP"= 9788:TCP:Services

R3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\drivers\ozscr.sys [3/2/2005 5:59 PM 92550]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.coppercom.com/
mStart Page = hxxp://www.dell.com/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
Trusted Zone: adp.com\ireports
DPF: {99C7B1B6-C556-4BA2-BBF6-4E19394A260B} - hxxps://coppercom.custhelp.com:/rnt/rnw/client_files/RNTProcMan.cab
FF - ProfilePath - c:\documents and settings\rkibler\Application Data\Mozilla\Firefox\Profiles\ca2dgz66.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.coppercom.com/
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-14 14:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x8210978A]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf883af28
\Driver\ACPI -> ACPI.sys @ 0xf87adcb8
\Driver\atapi -> ntoskrnl.exe @ 0x805c7abe
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
NDIS: Intel® PRO/Wireless 2200BG Network Connection -> SendCompleteHandler -> 0x8216f8a0
PacketIndicateHandler -> NDIS.sys @ 0xf861ca0d
SendHandler -> NDIS.sys @ 0xf8630b40
copy of MBR has been found in sector 0x04A8143F
malicious code @ sector 0x04A81442 !
PE file found in sector at 0x04A81458 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1919767138-1250492916-1093625069-3514\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1919767138-1250492916-1093625069-3514\Software\Policies\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (S-1-5-21-1919767138-1250492916-1093625069-3514)
@Allowed: (Read) (S-1-5-21-1919767138-1250492916-1093625069-3514)
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1492)
c:\windows\system32\CSGina.dll
c:\windows\system32\VPNAPI.DLL
c:\windows\system32\Ati2evxx.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
Completion time: 2010-06-14 14:40:32
ComboFix-quarantined-files.txt 2010-06-14 18:40

Pre-Run: 11,425,964,032 bytes free
Post-Run: 11,456,008,192 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 32C610C6AE5EF82780456760C8BF2834
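One way to triage the GloballyOpenPorts section of the ComboFix log posted above, as an added example in Python that is not part of this thread, of ComboFix or of the HelpAsst tool: it parses the REGEDIT4-style output and flags firewall exceptions that carry only a generic "Services" label (the entries the HelpAsst tool later closed as rogue ports), plus a globally opened RDP port for review. The sample input is constructed from the log lines above with one made-up Bonjour entry added for contrast.

```python
"""Flag suspicious Windows Firewall 'GloballyOpenPorts' entries in a ComboFix log.

ComboFix prints the firewall exception lists from the registry as
    "<port>:<proto>"= <port>:<proto>:<description>
A legitimate exception normally carries the name of the application that
opened it; an exception that says only "Services" names no owner at all.
"""
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Constructed sample input: the GloballyOpenPorts key as it appears in the
# ComboFix log above, plus one made-up benign entry (Bonjour) for contrast.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"2354:TCP"= 2354:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"6076:TCP"= 6076:TCP:Services
"6077:TCP"= 6077:TCP:Services
"9789:TCP"= 9789:TCP:Services
"9788:TCP"= 9788:TCP:Services
"5353:UDP"= 5353:UDP:Bonjour

R3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\drivers\ozscr.sys
"""

# Matches the key header and captures the firewall profile (standardprofile, domainprofile).
SECTION_RE = re.compile(
    r"^\[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\"
    r"(\w+)\\GloballyOpenPorts\\List\]$",
    re.IGNORECASE,
)
# Matches one value line: "65533:TCP"= 65533:TCP:Services
ENTRY_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)$', re.IGNORECASE)

# Descriptions that name no owning application at all.
GENERIC_DESCRIPTIONS = {"", "services", "service"}
RDP_PORT = 3389


@dataclass(frozen=True)
class Finding:
    profile: str       # e.g. "standardprofile" or "domainprofile"
    port: int
    proto: str
    description: str
    reason: str


def parse_open_ports(log_text: str) -> Iterator[Tuple[str, int, str, str]]:
    """Yield (profile, port, proto, description) for each GloballyOpenPorts value.

    In REGEDIT4 output a blank line or a new '[key]' header ends the current key,
    so values belonging to other firewall keys (AuthorizedApplications) are skipped.
    """
    profile = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("["):
            m = SECTION_RE.match(line)
            profile = m.group(1).lower() if m else None
            continue
        if profile is None:
            continue
        e = ENTRY_RE.match(line)
        if e:
            yield profile, int(e.group(1)), e.group(2).upper(), e.group(3).strip()


def flag_rogue_ports(log_text: str) -> List[Finding]:
    """Return the globally opened ports a responder should look at first."""
    findings = []
    for profile, port, proto, desc in parse_open_ports(log_text):
        if desc.lower() in GENERIC_DESCRIPTIONS:
            reason = "generic description; no application claims this exception"
        elif port == RDP_PORT:
            reason = "RDP opened to all networks; confirm it was opened on purpose"
        else:
            continue
        findings.append(Finding(profile, port, proto, desc, reason))
    return findings


if __name__ == "__main__":
    for f in flag_rogue_ports(SAMPLE_LOG):
        print(f"{f.profile}: {f.port}/{f.proto} ({f.description!r}) -> {f.reason}")
```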


#9 pwgib

  • Malware Response Team
  • 2,956 posts
  • Gender:Male
  • Location:God's Country

Posted 15 June 2010 - 09:44 AM

Hello rkibler,

QUOTE
I wasn't sure if you wanted me to paste the combofix.txt text or attach the file, so I have done both.

You posted the log correctly. There is no need to attach any logs unless asked to.

QUOTE
I was able to uninstall the TrendMicro OfficeScan application and run combofix.

I've been doing some reading about OfficeScan. I'm impressed.

Please read the following directions carefully and don't miss any steps.

Please download HelpAsst_mebroot_fix.exe and save it to your desktop.
Close out all other open programs and windows.
Double click the file to run it and follow any prompts.
If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.


*In the event the tool does not detect an mbr infection and completes, click Start>Run and type the following bolded command, then hit Enter.

mbr -f

Now, please do the Start>Run>mbr -f command a second time.
Now shut down the computer (do not restart, but shut it down), wait a few minutes then start it back up.
Give it about 5 minutes, then click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.

**Important note to Dell users - fixing the mbr may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually, and you will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr (the latter not recommended).

Please copy/paste the log in your next reply.

Thanks!!
PW

#10 rkibler

  • Topic Starter
  • Members
  • 10 posts

Posted 15 June 2010 - 02:31 PM

pw -

Downloaded and ran HelpAsst_mebroot_fix.exe as instructed.

An mbr infection was found and I allowed the computer to shut down.

Restarted and waited a few minutes to run helpasst -mbrt.

Here is the text from HelpAsst.log . .

-----------------------------------------------------
C:\Documents and Settings\rkibler\Desktop\HelpAsst_mebroot_fix.exe
Tue 06/15/2010 at 14:26:11.69

HelpAssistant account is Active ~ attempting to de-activate

Account active Yes
Local Group Memberships *Administrators

HelpAssistant successfully set Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll present! ~ attempting to remove
Remove on reboot: C:\WINDOWS\system32\termsrv32.dll

~~ Checking firewall ports ~~

backing up DomainProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"2479:TCP"=-
"2354:TCP"=-
"3389:TCP"=-
"6077:TCP"=-
"6076:TCP"=-
"9789:TCP"=-
"9788:TCP"=-
"6358:TCP"=-
"3929:TCP"=-

backing up StandardProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"2479:TCP"=-
"2354:TCP"=-
"3389:TCP"=-
"6076:TCP"=-
"6077:TCP"=-
"9789:TCP"=-
"9788:TCP"=-
"6358:TCP"=-
"3929:TCP"=-

~~ Checking profile list ~~

HelpAssistant profile found in registry ~ backing up and removing S-1-5-21-295119278-1843110020-758930575-1004
HelpAssistant profile directory exists at C:\Documents and Settings\HelpAssistant ~ attempting to remove
~ All C:\Documents and Settings\HelpAssistant files successfully removed ~

~~ Checking mbr ~~

mbr infection detected! ~ running mbr -f

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
copy of MBR has been found in sector 0x04A8143F
malicious code @ sector 0x04A81442 !
PE file found in sector at 0x04A81458 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
original MBR restored successfully !

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x04A8143F
malicious code @ sector 0x04A81442 !
PE file found in sector at 0x04A81458 !

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Tue 06/15/2010 at 15:25:54.50

Account active No
Local Group Memberships *Administrators

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x04A8143F
malicious code @ sector 0x04A81442 !
PE file found in sector at 0x04A81458 !

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

none found

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~

Thanks again for your attention, look forward to next steps.

rkibler.

#11 pwgib

  • Malware Response Team
  • 2,956 posts
  • Gender:Male
  • Location:God's Country

Posted 15 June 2010 - 07:27 PM

Hello rkibler,

Good Job!!

Step 1.

I see you have MBAM installed.

I need you to run another MBAM scan.
  • Open MBAM.
  • Click on the Update tab before performing a scan. Click on the Check for Updates button. If an update is found, the program will automatically update itself. After the update press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

Step 2.

We need to run Combofix again.

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

How to temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs. http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

Double click on combofix.exe & follow the prompts. If Combofix prompts you to update the program please allow it to do so.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" in your next reply
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

In your next reply please include the following:

MBAM log
ComboFix.txt


Thanks!!
PW

#12 rkibler

  • Topic Starter
  • Members
  • 10 posts

Posted 16 June 2010 - 10:28 AM

Hi pw,

Updated MBAM and ran Quick Scan.
The scan completed normally and didn't report finding any malware.
MBAM log pasted below.

Updated and ran Combofix again.
Combofix ran normally without any requests for restarts, etc.
Combofix.txt pasted below.

Looking forward to next steps.

rkibler

==============
MBAM Log
==============
Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4204

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

6/16/2010 10:54:55 AM
mbam-log-2010-06-16 (10-54-55).txt

Scan type: Quick scan
Objects scanned: 167944
Time elapsed: 7 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

===================
Combofix.txt
===================
ComboFix 10-06-15.03 - rkibler 06/16/2010 11:03:21.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.268 [GMT -4:00]
Running from: c:\documents and settings\rkibler\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2010-05-16 to 2010-06-16 )))))))))))))))))))))))))))))))
.

2011-08-28 04:00 . 2011-08-28 04:00 -------- d-----w- c:\program files\CCleaner
2010-06-15 18:26 . 2010-06-15 18:26 -------- d-----w- C:\HelpAsst_backup
2010-06-02 16:09 . 2010-06-02 16:09 -------- d-----w- c:\program files\Enigma Software Group
2010-06-02 16:08 . 2010-06-02 17:50 -------- d-----w- c:\windows\4FC9DA9DF608454E8191D7EFFDCC5726.TMP
2010-06-02 16:08 . 2010-06-02 16:08 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-06-01 20:48 . 2010-06-01 20:48 16384 ---ha-w- C:\SZKGFS.dat
2010-06-01 20:45 . 2010-06-01 20:45 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2010-06-01 20:44 . 2010-06-01 20:44 262144 ----a-w- c:\documents and settings\ntuser.dat
2010-06-01 20:44 . 2010-06-01 20:44 -------- d-----w- c:\program files\Common Files\iS3
2010-06-01 20:44 . 2010-06-02 13:56 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-06-01 17:08 . 2010-06-01 17:08 -------- d-----w- c:\windows\system32\wbem\Repository

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-15 13:17 . 2005-07-13 18:47 -------- d-----w- c:\documents and settings\rkibler\Application Data\AdobeUM
2010-06-01 21:01 . 2010-06-01 20:59 1080 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-06-01 16:48 . 2010-04-08 02:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-02 05:22 . 2004-08-11 23:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-21 04:02 . 2009-04-16 00:23 -------- d-----w- c:\documents and settings\rkibler\Application Data\Apple Computer
2010-04-20 05:30 . 2004-08-11 23:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 16:09 . 2004-08-11 23:00 667136 ----a-w- c:\windows\system32\wininet.dll
2010-04-16 16:09 . 2004-08-11 23:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-04-16 13:33 . 2010-04-16 13:33 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-04-13 03:29 . 2005-07-13 18:15 73776 ----a-w- c:\documents and settings\rkibler\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-09 18:05 . 2010-04-09 18:05 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-03-30 04:46 . 2010-04-08 02:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45 . 2010-04-08 02:19 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-26 13:49 . 2010-03-26 13:49 0 ----a-w- c:\windows\nsreg.dat
2010-03-25 20:20 . 2010-03-25 20:20 59732 ---ha-w- c:\windows\system32\mlfcache.dat
.

((((((((((((((((((((((((((((( SnapShot@2010-06-14_18.34.51 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-06-16 12:49 . 2010-06-16 12:49 16384 c:\windows\Temp\Perflib_Perfdata_274.dat
+ 2005-07-13 18:46 . 2010-06-15 13:09 3817472 c:\windows\Installer\74771.msi
- 2005-07-13 18:46 . 2010-06-09 15:58 3817472 c:\windows\Installer\74771.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-09-01 339968]
"DVDSentry"="c:\windows\system32\DSentry.exe" [2002-07-17 28672]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-3-2 24576]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 22:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Vital\\POS2000\\BIN\\vAppCon.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\drivers\ozscr.sys [3/2/2005 5:59 PM 92550]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.coppercom.com/
mStart Page = hxxp://www.dell.com/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
Trusted Zone: adp.com\ireports
DPF: {99C7B1B6-C556-4BA2-BBF6-4E19394A260B} - hxxps://coppercom.custhelp.com:/rnt/rnw/client_files/RNTProcMan.cab
FF - ProfilePath - c:\documents and settings\rkibler\Application Data\Mozilla\Firefox\Profiles\ca2dgz66.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.coppercom.com/
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-16 11:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1919767138-1250492916-1093625069-3514\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1919767138-1250492916-1093625069-3514\Software\Policies\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (S-1-5-21-1919767138-1250492916-1093625069-3514)
@Allowed: (Read) (S-1-5-21-1919767138-1250492916-1093625069-3514)
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1484)
c:\windows\system32\CSGina.dll
c:\windows\system32\VPNAPI.DLL
c:\windows\system32\Ati2evxx.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
Completion time: 2010-06-16 11:16:57
ComboFix-quarantined-files.txt 2010-06-16 15:16
ComboFix2.txt 2010-06-14 18:40

Pre-Run: 11,339,067,392 bytes free
Post-Run: 11,325,411,328 bytes free

- - End Of File - - 4B3C00BBEEB6F594DDB71BA3EE138BBB



#13 pwgib

pwgib

  • Malware Response Team
  • 2,956 posts
  • OFFLINE
  • Gender:Male
  • Location:God's Country
  • Local time:08:37 PM

Posted 16 June 2010 - 02:22 PM

Hello rkibler,

Step 1.

We need to update your Firefox's Java to the latest version:
  1. Open Firefox
  2. Click on Tools from the menu bar
  3. Click on Add-Ons then click on the Find Updates button on the bottom right part of the Add-Ons window
  4. Install the updates found for Java
Note: The latest update is JRE 6 Update 20. Please remove any earlier versions of Java listed in Add-Ons. Earlier versions also can be found and removed from the C:\Program Files\Mozilla Firefox\plugins folder.

Step 2.

We need to run a Combofix Script

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. <<----Important
3. Open notepad and copy/paste the text in the codebox below into it:

CODE
DDS::
BHO: {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
Trusted Zone: adp.com\ireports

File::
c:\windows\system32\vsdatant.sys

Driver::
vsdatant

Regnull::
[HKEY_USERS\S-1-5-21-1919767138-1250492916-1093625069-3514\Software\Microsoft\SystemCertificates\AddressBook*]


Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

If Combofix prompts you to update the program please allow it to do so.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Step 3.

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
Step 4.

You should still have DDS on your desktop. If not,
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

In your next reply please include the following:

ComboFix.txt
ESET scan results Note: If nothing is found there will be no log.
DDS logs
Thanks!!
PW

#14 rkibler

rkibler
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:09:37 PM

Posted 17 June 2010 - 08:25 AM

Hi pw-

I see you are unavailable the 17th.

As instructed, I have . . . .

1. Updated Firefox with JRE 6 Update 20. I didn't find it in Tools/Add-ons/Find Updates, but was able to download and install the update from java.com. It is now listed in Tools/Add-ons/Plugins;

2. Pasted script into and ran updated Combofix. Combofix caused a reboot, which executed normally and resumed on boot up and finished normally;

3. Ran ESET OnlineScan, which seemed to find several potential viruses and produced a log; and

4. Ran DDS scan.

I have attached the Attach.txt log from DDS, and following you will find the text from . .
Combofix.txt
Eset Scan Results
DDS.txt

==============
Combofix.txt
==============
ComboFix 10-06-15.04 - rkibler 06/16/2010 17:17:44.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.283 [GMT -4:00]
Running from: c:\documents and settings\rkibler\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\rkibler\Desktop\CFScript.txt

FILE ::
"c:\windows\system32\vsdatant.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_VSDATANT
-------\Service_vsdatant


((((((((((((((((((((((((( Files Created from 2010-05-16 to 2010-06-16 )))))))))))))))))))))))))))))))
.

2011-08-28 04:00 . 2011-08-28 04:00 -------- d-----w- c:\program files\CCleaner
2010-06-16 21:11 . 2010-06-16 21:11 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-15 18:26 . 2010-06-15 18:26 -------- d-----w- C:\HelpAsst_backup
2010-06-02 16:09 . 2010-06-02 16:09 -------- d-----w- c:\program files\Enigma Software Group
2010-06-02 16:08 . 2010-06-02 17:50 -------- d-----w- c:\windows\4FC9DA9DF608454E8191D7EFFDCC5726.TMP
2010-06-02 16:08 . 2010-06-02 16:08 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-06-01 20:48 . 2010-06-01 20:48 16384 ---ha-w- C:\SZKGFS.dat
2010-06-01 20:45 . 2010-06-01 20:45 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2010-06-01 20:44 . 2010-06-01 20:44 262144 ----a-w- c:\documents and settings\ntuser.dat
2010-06-01 20:44 . 2010-06-01 20:44 -------- d-----w- c:\program files\Common Files\iS3
2010-06-01 20:44 . 2010-06-02 13:56 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-06-01 17:08 . 2010-06-01 17:08 -------- d-----w- c:\windows\system32\wbem\Repository

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-16 21:11 . 2005-03-02 22:18 -------- d-----w- c:\program files\Common Files\Java
2010-06-16 21:11 . 2010-06-16 21:11 503808 ----a-w- c:\documents and settings\rkibler\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6eb4a511-n\msvcp71.dll
2010-06-16 21:11 . 2010-06-16 21:11 499712 ----a-w- c:\documents and settings\rkibler\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6eb4a511-n\jmc.dll
2010-06-16 21:11 . 2010-06-16 21:11 348160 ----a-w- c:\documents and settings\rkibler\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6eb4a511-n\msvcr71.dll
2010-06-16 21:11 . 2010-06-16 21:11 61440 ----a-w- c:\documents and settings\rkibler\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-689083ca-n\decora-sse.dll
2010-06-16 21:11 . 2010-06-16 21:11 12800 ----a-w- c:\documents and settings\rkibler\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-689083ca-n\decora-d3d.dll
2010-06-16 21:10 . 2005-03-02 22:18 -------- d-----w- c:\program files\Java
2010-06-15 13:17 . 2005-07-13 18:47 -------- d-----w- c:\documents and settings\rkibler\Application Data\AdobeUM
2010-06-01 21:01 . 2010-06-01 20:59 1080 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-06-01 16:48 . 2010-04-08 02:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-02 05:22 . 2004-08-11 23:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-21 04:02 . 2009-04-16 00:23 -------- d-----w- c:\documents and settings\rkibler\Application Data\Apple Computer
2010-04-20 05:30 . 2004-08-11 23:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 16:09 . 2004-08-11 23:00 667136 ----a-w- c:\windows\system32\wininet.dll
2010-04-16 16:09 . 2004-08-11 23:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-04-16 13:33 . 2010-04-16 13:33 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-04-13 03:29 . 2005-07-13 18:15 73776 ----a-w- c:\documents and settings\rkibler\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-09 18:05 . 2010-04-09 18:05 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-03-30 04:46 . 2010-04-08 02:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45 . 2010-04-08 02:19 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-26 13:49 . 2010-03-26 13:49 0 ----a-w- c:\windows\nsreg.dat
2010-03-25 20:20 . 2010-03-25 20:20 59732 ---ha-w- c:\windows\system32\mlfcache.dat
.

((((((((((((((((((((((((((((( SnapShot@2010-06-14_18.34.51 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-06-16 21:28 . 2010-06-16 21:28 16384 c:\windows\Temp\Perflib_Perfdata_590.dat
+ 2010-06-16 21:28 . 2010-06-16 21:28 16384 c:\windows\Temp\Perflib_Perfdata_4e4.dat
+ 2010-06-16 21:11 . 2010-06-16 21:11 153376 c:\windows\system32\javaws.exe
+ 2010-06-16 21:11 . 2010-06-16 21:11 145184 c:\windows\system32\javaw.exe
+ 2010-06-16 21:11 . 2010-06-16 21:11 145184 c:\windows\system32\java.exe
+ 2010-06-16 21:11 . 2010-06-16 21:11 180224 c:\windows\Installer\1cb1ec0.msi
+ 2010-06-16 21:10 . 2010-06-16 21:10 577536 c:\windows\Installer\1cb1ebb.msi
- 2005-07-13 18:46 . 2010-06-09 15:58 3817472 c:\windows\Installer\74771.msi
+ 2005-07-13 18:46 . 2010-06-15 13:09 3817472 c:\windows\Installer\74771.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-09-01 339968]
"DVDSentry"="c:\windows\system32\DSentry.exe" [2002-07-17 28672]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-3-2 24576]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 22:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Vital\\POS2000\\BIN\\vAppCon.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\drivers\ozscr.sys [3/2/2005 5:59 PM 92550]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.coppercom.com/
mStart Page = hxxp://www.dell.com/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
DPF: {99C7B1B6-C556-4BA2-BBF6-4E19394A260B} - hxxps://coppercom.custhelp.com:/rnt/rnw/client_files/RNTProcMan.cab
FF - ProfilePath - c:\documents and settings\rkibler\Application Data\Mozilla\Firefox\Profiles\ca2dgz66.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.coppercom.com/
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-16 17:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1919767138-1250492916-1093625069-3514\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1919767138-1250492916-1093625069-3514\Software\Policies\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (S-1-5-21-1919767138-1250492916-1093625069-3514)
@Allowed: (Read) (S-1-5-21-1919767138-1250492916-1093625069-3514)
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1492)
c:\windows\system32\CSGina.dll
c:\windows\system32\VPNAPI.DLL
c:\windows\system32\Ati2evxx.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\system32\basfipm.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\CCVPN\cvpnd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Citrix\ICA Client\ssonsvr.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
c:\program files\Microsoft Analysis Services\Bin\msmdsrv.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Intel\Wireless\Bin\ZcfgSvc.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Apoint\Apntex.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-06-16 17:37:14 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-16 21:37
ComboFix2.txt 2010-06-16 15:16
ComboFix3.txt 2010-06-14 18:40

Pre-Run: 11,141,697,536 bytes free
Post-Run: 11,016,105,984 bytes free

- - End Of File - - 87CAB301F00816B1FCE7B393219987BC
===============
ESET Scan Results
===============
C:\HelpAsst_backup\C\DOCUME~1\HELPAS~1\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5286af48-69e37b8b.zip probably a variant of Win32/Agent trojan deleted - quarantined
C:\HelpAsst_backup\C\DOCUME~1\HELPAS~1\Local Settings\Application Data\Mozilla\Firefox\Profiles\ca2dgz66.default\Cache\178C6C6Bd01 JS/TrojanDownloader.Iframe.NHY trojan cleaned by deleting - quarantined
C:\HelpAsst_backup\C\DOCUME~1\HELPAS~1\Local Settings\Application Data\Mozilla\Firefox\Profiles\ca2dgz66.default\Cache\1C6DB960d01 JS/TrojanDownloader.Iframe.NHY trojan cleaned by deleting - quarantined
C:\HelpAsst_backup\C\DOCUME~1\HELPAS~1\Local Settings\Temp\Av-test.txt Eicar test file cleaned by deleting - quarantined
C:\WINDOWS\Downloaded Program Files\WebEx\424\atpdmod.dll probably a variant of Win32/Genetik trojan cleaned by deleting - quarantined
===============
DDS.txt
===============

DDS (Ver_10-03-17.01) - NTFSx86
Run by rkibler at 8:49:32.69 on Thu 06/17/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.233 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\Program Files\CCVPN\cvpnd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft Analysis Services\Bin\msmdsrv.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\rkibler\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.coppercom.com/
mStart Page = hxxp://www.dell.com/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [DVDSentry] c:\windows\system32\DSentry.exe
mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc2.cab
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {99C7B1B6-C556-4BA2-BBF6-4E19394A260B} - hxxps://coppercom.custhelp.com:/rnt/rnw/client_files/RNTProcMan.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://exact.webex.com/client/v_mywebex-t20/webex/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\rkibler\applic~1\mozilla\firefox\profiles\ca2dgz66.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.coppercom.com/
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\drivers\ozscr.sys [2005-3-2 92550]

=============== Created Last 30 ================

2011-08-28 04:00:24 0 d-----w- c:\program files\CCleaner
2010-06-16 21:41:54 0 d-----w- c:\program files\ESET
2010-06-16 21:11:23 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-06-16 21:11:23 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-15 18:26:13 0 d-----w- C:\HelpAsst_backup
2010-06-14 18:07:23 0 d-sha-r- C:\cmdcons
2010-06-14 18:02:31 98816 ----a-w- c:\windows\sed.exe
2010-06-14 18:02:31 77312 ----a-w- c:\windows\MBR.exe
2010-06-14 18:02:31 256512 ----a-w- c:\windows\PEV.exe
2010-06-14 18:02:31 161792 ----a-w- c:\windows\SWREG.exe
2010-06-04 17:23:51 0 ----a-w- c:\documents and settings\rkibler\defogger_reenable
2010-06-02 16:09:51 0 d-----w- c:\program files\Enigma Software Group
2010-06-02 16:08:49 0 d-----w- c:\windows\4FC9DA9DF608454E8191D7EFFDCC5726.TMP
2010-06-02 16:08:43 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-06-01 20:59:03 1080 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-06-01 20:48:18 16384 ---ha-w- C:\SZKGFS.dat
2010-06-01 20:45:14 0 d-----w- c:\docume~1\alluse~1\applic~1\SITEguard
2010-06-01 20:44:01 0 d-----w- c:\program files\common files\iS3
2010-06-01 20:44:00 0 d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!
2010-06-01 17:08:35 0 d-----w- c:\windows\system32\wbem\Repository

==================== Find3M ====================

2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\dllcache\win32k.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\dllcache\atmfd.dll
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 16:09:09 667136 ----a-w- c:\windows\system32\wininet.dll
2010-04-16 16:09:09 667136 ----a-w- c:\windows\system32\dllcache\wininet.dll
2010-04-16 16:09:08 627712 ----a-w- c:\windows\system32\dllcache\urlmon.dll
2010-04-16 16:09:07 3073024 ----a-w- c:\windows\system32\dllcache\mshtml.dll
2010-04-16 16:09:07 1509888 ----a-w- c:\windows\system32\dllcache\shdocvw.dll
2010-04-16 16:09:05 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-04-16 16:09:05 81920 ----a-w- c:\windows\system32\dllcache\ieencode.dll
2010-04-16 16:09:05 251904 ----a-w- c:\windows\system32\dllcache\iepeers.dll
2010-04-16 16:09:05 1025024 ----a-w- c:\windows\system32\dllcache\browseui.dll
2010-04-03 07:33:56 2365288 ----a-w- c:\windows\system32\dllcache\WMVCore.dll
2010-03-25 20:20:04 59732 ---ha-w- c:\windows\system32\mlfcache.dat

============= FINISH: 8:50:13.91 ===============

Thanks for your continued efforts.

rkibler

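The "Created Last 30" block in the log above is the part of a DDS log a responder reads first. The script below is an added example, not part of the forum post or of the DDS tool itself: it parses that section and flags entries for manual review on three criteria a practitioner would check by eye anyway, namely a creation timestamp later than the scan time (the 2011 CCleaner entry in a log from June 2010 points to a wrong system clock or a deliberately altered timestamp), hidden or system attributes, and files created under system32. The flag-column layout (d = directory, s = system, h = hidden, a = archive, r/w = read-only/writable) is inferred from the patterns in this log and is an assumption; so is the scan time, since the excerpt shows only the finish clock time and not its date. The sample input is a handful of lines copied from the log. Flags are hints, not verdicts: C:\cmdcons is the Windows Recovery Console directory, and several of the other flagged entries belong to tools the poster installed deliberately.

```python
"""Parse the 'Created Last 30' section of a DDS log and flag entries worth a
second look. Added example; not from the forum post or the DDS tool.

Assumed attribute-column layout (inferred from this log, not documented here):
8 characters, index 0 'd' = directory, 2 's' = system, 3 'h' = hidden,
4 'a' = archive, 6 'r' = read-only or 'w' = writable.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Constructed sample: lines copied from the log above plus the section headers
# the parser uses to locate the block.
SAMPLE_LOG = r"""
=============== Created Last 30 ================

2011-08-28 04:00:24 0 d-----w- c:\program files\CCleaner
2010-06-16 21:11:23 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-14 18:07:23 0 d-sha-r- C:\cmdcons
2010-06-01 20:59:03 1080 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-06-01 20:48:18 16384 ---ha-w- C:\SZKGFS.dat
2010-06-02 16:08:49 0 d-----w- c:\windows\4FC9DA9DF608454E8191D7EFFDCC5726.TMP

==================== Find3M ====================
"""

# Assumed scan time: the excerpt only shows the FINISH clock time (8:50:13),
# so the date is taken from the day of the reply that follows the log.
SCAN_TIME = datetime(2010, 6, 18, 8, 50, 13)

# Everything between the 'Created Last 30' header and the next '=== name ===' header.
SECTION_RE = re.compile(r"=+ Created Last 30 =+\n(.*?)(?=\n=+ \w+ =+|\Z)", re.S)
# timestamp  size  8-char attribute field  path
ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+([-dshawr]{8})\s+(.+?)\s*$"
)
# Directories where a freshly created file deserves a look (assumed list).
SYSTEM_DIRS = ("\\windows\\system32\\",)


@dataclass
class Entry:
    created: datetime
    size: int
    flags: str
    path: str

    @property
    def hidden_or_system(self) -> bool:
        # Index 2 = system flag, index 3 = hidden flag (assumed layout above).
        return self.flags[2] == "s" or self.flags[3] == "h"


def parse_created_section(text: str) -> List[Entry]:
    """Return the entries of the 'Created Last 30' section, in log order."""
    section = SECTION_RE.search(text)
    if not section:
        return []
    entries: List[Entry] = []
    for line in section.group(1).splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:  # blank lines and anything that is not an entry
            continue
        ts, size, flags, path = m.groups()
        entries.append(Entry(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                             int(size), flags, path))
    return entries


def flag_entries(entries: List[Entry], scan_time: datetime) -> Dict[str, List[str]]:
    """Map each suspicious path to the list of reasons it was flagged."""
    findings: Dict[str, List[str]] = {}
    for e in entries:
        reasons = []
        if e.created > scan_time:
            reasons.append("timestamp is later than the scan time")
        if e.hidden_or_system:
            reasons.append("hidden or system attribute set")
        if any(d in e.path.lower() for d in SYSTEM_DIRS):
            reasons.append("created under a system directory")
        if reasons:
            findings[e.path] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in flag_entries(parse_created_section(SAMPLE_LOG), SCAN_TIME).items():
        print(f"{path}: {'; '.join(reasons)}")
```

Run it against a full DDS log by reading the file into `parse_created_section` instead of `SAMPLE_LOG`; the "future timestamp" rule is the one most worth keeping, because a created-time later than the scan time cannot be explained by normal use of the machine.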
#15 pwgib

  • Malware Response Team
  • 2,956 posts
  • Gender:Male
  • Location:God's Country

Posted 18 June 2010 - 09:56 AM

Hello rkibler,

Your logs look good!

Now we need to do a little cleaning up.

Step 1.
  • Click "Start" on the taskbar and then click on the "Control Panel" icon.
  • Please double-click the "Add or Remove Programs" icon.
  • A list of installed programs will be populated; this may take a bit of time.
  • If they exist, uninstall the following by clicking on the following entries and selecting "Remove":
J2SE Runtime Environment 5.0 Update 2
Java 2 Runtime Environment, SE v1.4.2_03


Step 2.
  • Click Start | Run
  • Copy/paste the following in the Run box:
    helpasst -cleanup

  • Click OK
Step 3.

You should still have Defogger on your desktop

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Step 4.

Uninstall ComboFix

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following text into the Run box and click OK:

ComboFix /Uninstall

Note the space between the X and the /U.

If Combofix prompts you to update the program please allow it to do so.

Please advise if this step is missed for any reason as it performs some important functions.

Step 5.

Here are some more steps to follow in order to dramatically lower the chances of reinfection. You may have already implemented some of them, however by following the rest of them you will reduce the risk of becoming re-infected.

It is critical to stay up to date with the latest upgrades to your Operating System, as this can help prevent future problems. Microsoft has released the latest upgrades to the XP OS platform, which can be referenced here

New viruses come out every minute, so it is essential that you keep your antivirus program updated and have the latest signatures to provide you with the best possible protection from malicious software. Two good free Antivirus solutions are Avira Antivir and Avast
Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.

For most users the built in Windows Firewall is sufficient. If you use a third party firewall make sure you have only one firewall installed at a time.

Install Spyware Blaster and update it regularly
If you wish, the commercial version provides automatic updating.

Malwarebytes' Anti-Malware is an excellent anti-spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
SuperAntiSpyware is another good scanner with high detection and removal rates. Both programs are free for non-commercial home use, but the paid versions provide resident protection and do not nag. I personally prefer and highly recommend the licensed version of MBAM.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

Please read and follow How did I get infected?, With steps so it does not happen again! as well as How to prevent Malware by Miekiemoes

Any Problems or questions?

Thanks!!
PW
