Unknown Malware or possible Rootkit? Windows XP


This topic is locked
11 replies to this topic

#1 naholt01 (Members, 14 posts)

Posted 09 June 2010 - 08:49 PM

My PC has numerous problems at this point. Google Chrome will open but cannot load pages (I have resorted to using Firefox), my desktop theme settings have changed and will not return to my previous settings, and my Scheduled Tasks folder is cluttered with entries such as At101, At42, At139, etc. Also, Internet Explorer keeps opening in the background; I cannot see the windows on my desktop or taskbar, but they are visible as processes in Task Manager. I have previously been infected with some sort of virus or trojan that I thought was remedied using a combination of Malwarebytes and Trend Micro; however, it seems to have returned or gotten worse. Any help would be greatly appreciated.

Thanks,
Nick

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:40:14 PM, on 6/9/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
C:\windows\system32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\Explorer.EXE
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\windows\system32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\windows\system32\wscntfy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\windows\stsystra.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\ehome\ehtray .exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\All Users\Application Data\A0BS0NF7.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\windows\system32\wuauclt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe
C:\DOCUME~1\Richard\LOCALS~1\Temp\zauninst.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windstream.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel Wireless Tray
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ewbvesfv] C:\Documents and Settings\NetworkService\Local Settings\Application Data\gfbfohtpu\mynratttssd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ewbvesfv] C:\Documents and Settings\NetworkService\Local Settings\Application Data\gfbfohtpu\mynratttssd.exe (User 'Default user')
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O8 - Extra context menu item: Add to Evernote - res://C:\Program Files\Evernote\Evernote3\enbar.dll/2000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Add to Evernote - {E0B8C461-F8FB-49b4-8373-FE32E9252800} - C:\Program Files\Evernote\Evernote3\enbar.dll
O9 - Extra 'Tools' menuitem: Add to Evernote - {E0B8C461-F8FB-49b4-8373-FE32E9252800} - C:\Program Files\Evernote\Evernote3\enbar.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.5.0.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1247423112656
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\windows\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\windows\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel® Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Desktop Manager 5.9.911.3589 (GoogleDesktopManager-110309-193829) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel® Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless WiFi Service (S24EventMonitor) - Intel® Corporation - C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINDOWS\system32\ZoneLabs\vsmon.exe (file missing)

--
End of file - 8285 bytes
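The HijackThis log above already carries the indicators the later replies act on: two processes whose file name has a space before ".exe" (ehtray .exe, qttask .exe), an executable launched from All Users\Application Data, a Run value in the SYSTEM (S-1-5-18) and .DEFAULT hives pointing into the NetworkService profile, a browser proxy forced to 127.0.0.1:5555 (consistent with Chrome opening but never loading pages), and a service whose binary is gone. The following Python script is an added example for triaging an HJT log for those indicators; it is not part of the original post and not code from HijackThis or Trend Micro. The sample lines are copied from the log above; the R1/O4/O23 prefixes are the real HJT format, while the patterns and the high/low severity labels are my own assumptions.

```python
"""Triage a HijackThis (HJT) log for the indicators visible in this thread.

Added example; not part of the original post and not code from
HijackThis or Trend Micro. SAMPLE_HJT is copied from the log above.
The HJT prefixes (R1, O4, O23) are the real log format; the patterns
and the high/low severity labels are my own assumptions.
"""
import re
from typing import List, Tuple

Finding = Tuple[str, str, str]  # (severity, reason, offending log line)

# Sample constructed from lines of the HJT log posted above.
SAMPLE_HJT = r"""
C:\windows\system32\ctfmon.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ehome\ehtray .exe
C:\Documents and Settings\All Users\Application Data\A0BS0NF7.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKUS\S-1-5-18\..\Run: [ewbvesfv] C:\Documents and Settings\NetworkService\Local Settings\Application Data\gfbfohtpu\mynratttssd.exe (User 'SYSTEM')
O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINDOWS\system32\ZoneLabs\vsmon.exe (file missing)
"""

# Whitespace wedged between the base name and ".exe" ("qttask .exe").
# A clean-named twin of such a file is what the thread's fix renamed.
PADDED_EXE = re.compile(r"[^\s\\]\s+\.exe\b", re.IGNORECASE)
# An executable launched from a profile data or temp directory.
DATA_DIR_EXE = re.compile(
    r"\\(?:Application Data|Local Settings|Temp)\\[^\s\"]*\.exe\b", re.IGNORECASE)
# Browser traffic forced through a proxy on the loopback interface.
LOOPBACK_PROXY = re.compile(r"ProxyServer\s*=\s*\S*127\.0\.0\.1:\d+", re.IGNORECASE)
# A Run value in the SYSTEM (S-1-5-18) or .DEFAULT hive: persistence that
# survives the interactive user's own profile being cleaned.
SYSTEM_HIVE_RUN = re.compile(r"^O4 - HKUS\\(?:S-1-5-18|\.DEFAULT)\\", re.IGNORECASE)
# A registered service whose binary no longer exists (usually an orphan).
FILE_MISSING = re.compile(r"\(file missing\)\s*$", re.IGNORECASE)

RULES = [
    ("high", "whitespace before .exe (displaced original beside an implant)", PADDED_EXE),
    ("high", "executable running from a profile data or temp directory", DATA_DIR_EXE),
    ("high", "browser proxy pointed at 127.0.0.1", LOOPBACK_PROXY),
    ("high", "Run value in the SYSTEM or .DEFAULT hive", SYSTEM_HIVE_RUN),
    ("low", "service binary missing on disk", FILE_MISSING),
]


def triage(log_text: str) -> List[Finding]:
    """Return one finding per (rule, line) match, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for severity, reason, pattern in RULES:
            if pattern.search(line):
                findings.append((severity, reason, line))
    return findings


def count_by_severity(findings: List[Finding]) -> dict:
    """Tally findings by severity label, e.g. {"high": 6, "low": 1}."""
    counts: dict = {}
    for severity, _reason, _line in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_HJT)
    for severity, reason, line in results:
        print(f"[{severity:4}] {reason}\n        {line}")
    print(count_by_severity(results))
```

On the sample the script reports six high and one low finding; the NetworkService line is hit twice (data-directory path and SYSTEM-hive Run value), which is the entry the later ComboFix run shows under gfbfohtpu. The rules are deliberately narrow so that a legitimate installer's updater in a temp directory can be dismissed by hand rather than suppressed by the tool.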



#2 JSntgRvr (Master Surgeon General, Malware Response Team, 11,751 posts, Puerto Rico)

Posted 09 June 2010 - 08:56 PM

Hi and welcome.

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
  • Double click GMER.exe.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan, click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)

  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
  • Save the log where you can easily find it, such as your desktop.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Please copy and paste the report into your Post.

Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • OTL should now start. Change the following settings
    • Change Drivers to All
    • Change Standard Registry to All
    • Under File Scans, change File age to 30
  • Under the Custom Scan box paste this in

    netsvcs
    set /c
    %SYSTEMDRIVE%\*.*
    safebootminimal
    safebootnetwork
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt (first run only). These are saved in the same location as OTL.
    • Please post the contents of these files in your next reply.

No requests for help through private messaging will be attended to.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 naholt01 (Topic Starter)

Posted 09 June 2010 - 10:38 PM

Sorry it took so long to reply. I tried to run GMER and after I started the scan I got a blue screen with the following error:
***STOP: 0X0000008E (0XC0000005, 0XF72E3FD2, 0XF79DC494, 0X00000000)
*** IASTOR.SYS - ADDRESS F72E3FD2 base at F72DF000, Datestamp 44ad174b

I'm not sure if that information even matters, but I figured it couldn't hurt to include. Needless to say then, I couldn't get a GMER log. Attached are the OTL logs you requested.

Thanks


#4 JSntgRvr (Malware Response Team)

Posted 10 June 2010 - 12:25 AM

Hi, naholt01

There is a nasty Vundo infection in your system.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    -----------------------------------------------------------
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      -----------------------------------------------------------
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    -----------------------------------------------------------
  4. Double click on combofix.exe & follow the prompts.
  5. Install the Recovery Console if prompted.
  6. When finished, it will produce a report for you.
  7. Please post the "C:\ComboFix.txt" .
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.



#5 naholt01 (Topic Starter)

Posted 10 June 2010 - 07:10 PM

Here is the ComboFix.txt log.

Thanks


ComboFix 10-06-10.03 - Richard 06/10/2010 17:22:22.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.587 [GMT -4:00]
Running from: c:\documents and settings\Richard\Desktop\ComboFix.exe
AV: Trend Micro AntiVirus *On-access scanning disabled* (Outdated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\A0BS0NF7.exe
c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
c:\program files\Intel\WiFi\bin\ZCfgSvc.exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask.exe
c:\windows\ehome\ehtray.exe
c:\windows\system32\service
c:\windows\system32\service\04062010_TIS17_SfFniAU.log
c:\windows\system32\service\06012010_TIS17_SfFniAU.log
c:\windows\system32\service\17072009_TIS17_SfFniAU.log
c:\windows\system32\service\17112009_TIS17_SfFniAU.log
c:\windows\system32\service\18052010_TIS17_SfFniAU.log
c:\windows\system32\service\18072009_TIS17_SfFniAU.log
c:\windows\system32\service\20072009_TIS17_SfFniAU.log
c:\windows\system32\service\21042010_TIS17_SfFniAU.log
c:\windows\system32\service\23042010_TIS17_SfFniAU.log
c:\windows\system32\service\24052010_TIS17_SfFniAU.log
c:\windows\system32\service\27042010_TIS17_SfFniAU.log
c:\windows\system32\Settings
c:\windows\Tasks\At1.job
c:\windows\Tasks\At102.job
c:\windows\Tasks\At104.job
c:\windows\Tasks\At107.job
c:\windows\Tasks\At108.job

c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk .exe --->c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
c:\program files\Intel\WiFi\bin\ZCfgSvc .exe --->c:\program files\Intel\WiFi\bin\ZCfgSvc.exe
c:\program files\QuickTime\qttask                 .exe --->c:\program files\QuickTime\qttask.exe
c:\windows\ehome\ehtray .exe --->c:\windows\ehome\ehtray.exe

.
Infected copy of c:\windows\system32\drivers\sym_hi.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-05-10 to 2010-06-10 )))))))))))))))))))))))))))))))
.

2010-06-10 02:31 . 2010-06-10 02:31 -------- d-----w- c:\windows\system32\wbem\Repository
2010-06-07 20:36 . 2010-04-07 09:40 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2010-05-18 04:51 . 2010-05-18 18:32 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\gfbfohtpu
2010-05-17 21:00 . 2010-05-17 21:00 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-05-17 16:08 . 2010-05-17 16:08 -------- d-----w- c:\documents and settings\Richard\Interactive
2010-05-17 15:53 . 2010-05-17 15:53 140288 ----a-w- c:\windows\system32\drivers\ethmbntd.sys
2010-05-14 18:12 . 2010-05-14 18:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-10 23:49 . 2009-09-10 17:23 -------- d-----w- c:\program files\QuickTime
2010-06-10 02:38 . 2009-07-15 16:23 -------- d-----w- c:\documents and settings\Richard\Application Data\uTorrent
2010-06-10 02:30 . 2009-07-11 03:07 28384 ----a-w- c:\windows\system32\drivers\sym_hi.sys
2010-06-10 02:19 . 2010-05-06 14:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-06-10 02:19 . 2010-06-10 01:09 -------- d-----w- c:\program files\Windows Installer Clean Up
2010-06-10 02:01 . 2010-05-16 23:38 112 ----a-w- c:\documents and settings\All Users\Application Data\Rh8Jsl0G.dat
2010-06-10 01:09 . 2010-06-10 01:09 -------- d-----w- c:\program files\MSECACHE
2010-06-09 02:47 . 2010-03-15 16:57 -------- d-----w- c:\documents and settings\Richard\Application Data\vlc
2010-06-08 19:12 . 2009-07-11 03:07 0 ----a-w- c:\windows\system32\drivers\sym_hi(3).sys
2010-05-26 21:23 . 2009-09-26 13:48 -------- d-----w- c:\program files\iTunes
2010-05-17 16:16 . 2010-04-28 00:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-10 04:36 . 2009-12-13 05:48 -------- d-----w- c:\program files\Google
2010-05-05 14:51 . 2010-05-05 14:51 -------- d-----w- c:\documents and settings\Richard\Application Data\QuosaDDM
2010-04-29 14:54 . 2010-04-29 14:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-28 06:56 . 2009-07-15 16:07 -------- d-----w- c:\program files\Trend Micro
2010-04-28 05:58 . 2010-04-28 05:58 -------- d-----w- c:\program files\Opera
2010-04-28 05:57 . 2010-04-28 05:56 -------- d-----w- c:\documents and settings\All Users\Application Data\EPSON
2010-04-28 05:46 . 2010-04-28 05:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Intel
2010-04-27 04:43 . 2009-08-31 15:16 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-27 02:25 . 2010-04-27 02:25 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2010-04-27 02:25 . 2010-04-27 02:25 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2010-04-27 02:18 . 2010-04-25 22:54 -------- d-----w- c:\program files\Free Window Registry Repair
2010-04-25 23:12 . 2010-04-25 23:12 -------- d-----w- c:\documents and settings\Richard\Application Data\Malwarebytes
2010-04-25 22:45 . 2010-04-25 22:45 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-04-25 22:42 . 2010-04-25 22:42 -------- d-----w- c:\program files\Zone Labs
2010-04-23 17:35 . 2010-04-23 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-23 17:32 . 2010-04-23 17:32 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-23 14:21 . 2010-03-08 01:00 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-04-20 21:37 . 2009-07-15 18:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-03-30 04:46 . 2010-04-28 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45 . 2010-04-28 00:09 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-18 06:35 . 2009-12-18 06:35 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
c:\program files\iTunes\iTunesHelper .exe
c:\program files\Malwarebytes' Anti-Malware\mbam .exe
c:\program files\Motorola\SMSERIAL\sm56hlpr .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-09-18 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-09-18 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-09-18 118784]
"SigmatelSysTrayApp"="stsystra.exe" [2005-12-27 413696]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-10-21 995528]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [N/A]
"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2009-11-03 1372160]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2009-11-03 1202448]

c:\documents and settings\Richard\Start Menu\Programs\Startup\
Stardock ObjectDock.lnk - c:\program files\Stardock\ObjectDock\ObjectDock.exe [2009-7-29 3450608]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Documents and Settings\\Richard\\My Documents\\Downloads\\utorrent.exe"=
"c:\\windows\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:*:Disabled:Adobe CSI CS4

R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [7/15/2009 12:17 PM 50192]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [7/14/2009 11:01 PM 36368]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [7/15/2009 12:17 PM 677128]
S0 sptd;sptd;c:\windows\system32\Drivers\sptd.sys --> c:\windows\system32\Drivers\sptd.sys [?]
S1 ethmbntd;ethmbntd;c:\windows\system32\drivers\ethmbntd.sys [5/17/2010 11:53 AM 140288]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/13/2009 1:48 AM 135664]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 10:58 AM 11336]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [12/18/2009 2:35 AM 30192]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [4/27/2010 8:09 PM 38224]
.
Contents of the 'Scheduled Tasks' folder

2010-06-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-06-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-13 19:57]

2010-06-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-13 19:57]

2010-06-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1694513607-3490440325-3003256851-1006Core.job
- c:\documents and settings\Richard\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-20 18:52]

2010-06-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1694513607-3490440325-3003256851-1006UA.job
- c:\documents and settings\Richard\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-20 18:52]

2010-06-10 c:\windows\Tasks\Norton Security Scan for Richard.job
- c:\program files\Norton Security Scan\Engine\2.7.3.34\Nss.exe [2010-03-07 20:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.windstream.net/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
IE: Add to Evernote - c:\program files\Evernote\Evernote3\enbar.dll/2000
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Richard\Application Data\Mozilla\Firefox\Profiles\q1mdms8k.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.moreheadstate.edu
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=13917&gct=&gc=1&q=
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\documents and settings\Richard\Application Data\Move Networks\plugins\npqmp071705000014.dll
FF - plugin: c:\documents and settings\Richard\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-10 19:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,c3,b6,db,bd,21,70,90,4a,96,4f,e9,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,c3,b6,db,bd,21,70,90,4a,96,4f,e9,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(928)
c:\windows\system32\igfxdev.dll
.
Completion time: 2010-06-10 20:02:33
ComboFix-quarantined-files.txt 2010-06-11 00:00

Pre-Run: 29,467,308,032 bytes free
Post-Run: 29,545,861,120 bytes free

- - End Of File - - 5644D9D34A9B1A7E817662A146C3E106
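The ComboFix log above shows the companion-file pattern this infection used: the legitimate qttask.exe, ehtray.exe, ZCfgSvc.exe and iFrmewrk.exe were each renamed with whitespace before the extension ("qttask .exe"), a file with the clean name was planted in their place, and the Run keys kept launching the clean name; ComboFix deleted the clean-named files and renamed the padded originals back. The following Python script is an added example of hunting for that pattern on disk, together with the At<N>.job entries the original poster saw in Scheduled Tasks; it is not part of the original post and not ComboFix's own code. It reports each padded file with its clean-named twin (size and SHA-256 of both) and leaves the verdict to the analyst, because which of the pair is the implant is not something a file name can tell you. The directory tree it builds under a temp directory is constructed for the demo and contains placeholder bytes, not real executables.

```python
"""Find companion files ("name .exe" beside "name.exe") and At<N>.job tasks.

Added example; not part of the original post and not ComboFix's own code.
In the ComboFix log above the padded name was the displaced original and
the clean name held the implant; this script only reports the pair and
leaves the verdict to the analyst. The tree it builds is constructed for
the demo and holds placeholder bytes, not real PE files.
"""
import hashlib
import os
import re
import shutil
import tempfile
from typing import Dict, List, Optional, Tuple

# "ehtray .exe", "qttask                 .exe": one or more spaces before .exe
PADDED = re.compile(r"^(?P<stem>.+?)\s+\.exe$", re.IGNORECASE)
# The At<N>.job names the original poster saw cluttering Scheduled Tasks.
AT_JOB = re.compile(r"^At\d+\.job$", re.IGNORECASE)


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def describe(path: Optional[str]) -> Optional[Dict[str, object]]:
    """Path, size and hash for one file, or None when there is no such file."""
    if path is None:
        return None
    return {"path": path, "size": os.path.getsize(path), "sha256": sha256_of(path)}


def find_companions(root: str) -> List[Tuple[Dict, Optional[Dict]]]:
    """Each hit: (padded file, clean-named twin in the same directory or None)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        by_lower = {f.lower(): f for f in files}   # NTFS names are case-insensitive
        for name in files:
            m = PADDED.match(name)
            if not m:
                continue
            twin = by_lower.get((m.group("stem") + ".exe").lower())
            hits.append((describe(os.path.join(dirpath, name)),
                         describe(os.path.join(dirpath, twin) if twin else None)))
    return sorted(hits, key=lambda h: h[0]["path"])


def find_at_jobs(root: str) -> List[str]:
    """At<N>.job files in any directory named Tasks below root."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath).lower() == "tasks":
            found.extend(os.path.join(dirpath, f) for f in files if AT_JOB.match(f))
    return sorted(found)


def triage_tree(root: str) -> Dict[str, list]:
    return {"companions": find_companions(root), "at_jobs": find_at_jobs(root)}


def build_sample_tree() -> str:
    """Constructed layout mirroring paths in the ComboFix log (placeholder bytes)."""
    root = tempfile.mkdtemp(prefix="xp_triage_")
    layout = {
        ("Program Files", "QuickTime"): {"qttask.exe": b"MZimplant",
                                         "qttask                 .exe": b"MZoriginal"},
        ("WINDOWS", "ehome"): {"ehtray.exe": b"MZimplant", "ehtray .exe": b"MZoriginal"},
        # twin already deleted, as in the log's second rename list
        ("Program Files", "iTunes"): {"iTunesHelper .exe": b"MZoriginal"},
        ("WINDOWS", "Tasks"): {"At1.job": b"", "At102.job": b"",
                               "GoogleUpdateTaskMachineCore.job": b""},
    }
    for parts, files in layout.items():
        d = os.path.join(root, *parts)
        os.makedirs(d)
        for name, data in files.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    try:
        report = triage_tree(root)
        for padded, twin in report["companions"]:
            print("padded :", padded["path"], padded["size"], padded["sha256"][:12])
            print("twin   :", twin["path"] if twin else "(none)", "\n")
        for job in report["at_jobs"]:
            print("At job :", job)
    finally:
        shutil.rmtree(root)
```

Run against a real XP volume the root would be C:\ and the hashes are what you would look up before deciding which file of each pair to keep; the twin-less iTunesHelper case corresponds to the second rename list in the log, where the implant had already been removed and only the displaced original remained.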

#6 JSntgRvr (Malware Response Team)

Posted 10 June 2010 - 08:22 PM

  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"=-
"iTunesHelper"=-

Renv::
c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk .exe
c:\program files\Intel\WiFi\bin\ZCfgSvc .exe
c:\program files\QuickTime\qttask                 .exe
c:\windows\ehome\ehtray .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\Malwarebytes' Anti-Malware\mbam .exe
c:\program files\Motorola\SMSERIAL\sm56hlpr .exe

Driver::
ethmbntd

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report.



#7 naholt01 (Topic Starter)

Posted 11 June 2010 - 02:51 PM

Here is the new combofix.txt

ComboFix 10-06-10.03 - Richard 06/11/2010 8:33.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.559 [GMT -4:00]
Running from: c:\documents and settings\Richard\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Richard\Desktop\CFScript.txt
AV: Trend Micro AntiVirus *On-access scanning disabled* (Outdated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ethmbntd


((((((((((((((((((((((((( Files Created from 2010-05-11 to 2010-06-11 )))))))))))))))))))))))))))))))
.

2010-06-10 02:31 . 2010-06-10 02:31 -------- d-----w- c:\windows\system32\wbem\Repository
2010-06-07 20:36 . 2010-04-07 09:40 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2010-05-18 04:51 . 2010-05-18 18:32 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\gfbfohtpu
2010-05-17 21:00 . 2010-05-17 21:00 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-05-17 16:08 . 2010-05-17 16:08 -------- d-----w- c:\documents and settings\Richard\Interactive
2010-05-17 15:53 . 2010-05-17 15:53 140288 ----a-w- c:\windows\system32\drivers\ethmbntd.sys
2010-05-14 18:12 . 2010-05-14 18:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-11 12:33 . 2010-04-28 00:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-11 12:33 . 2009-09-26 13:48 -------- d-----w- c:\program files\iTunes
2010-06-10 23:49 . 2009-09-10 17:23 -------- d-----w- c:\program files\QuickTime
2010-06-10 02:38 . 2009-07-15 16:23 -------- d-----w- c:\documents and settings\Richard\Application Data\uTorrent
2010-06-10 02:30 . 2009-07-11 03:07 28384 ----a-w- c:\windows\system32\drivers\sym_hi.sys
2010-06-10 02:19 . 2010-05-06 14:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-06-10 02:19 . 2010-06-10 01:09 -------- d-----w- c:\program files\Windows Installer Clean Up
2010-06-10 02:01 . 2010-05-16 23:38 112 ----a-w- c:\documents and settings\All Users\Application Data\Rh8Jsl0G.dat
2010-06-10 01:09 . 2010-06-10 01:09 -------- d-----w- c:\program files\MSECACHE
2010-06-09 02:47 . 2010-03-15 16:57 -------- d-----w- c:\documents and settings\Richard\Application Data\vlc
2010-06-08 19:12 . 2009-07-11 03:07 0 ----a-w- c:\windows\system32\drivers\sym_hi(3).sys
2010-05-10 04:36 . 2009-12-13 05:48 -------- d-----w- c:\program files\Google
2010-05-05 14:51 . 2010-05-05 14:51 -------- d-----w- c:\documents and settings\Richard\Application Data\QuosaDDM
2010-04-29 14:54 . 2010-04-29 14:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-28 06:56 . 2009-07-15 16:07 -------- d-----w- c:\program files\Trend Micro
2010-04-28 05:58 . 2010-04-28 05:58 -------- d-----w- c:\program files\Opera
2010-04-28 05:57 . 2010-04-28 05:56 -------- d-----w- c:\documents and settings\All Users\Application Data\EPSON
2010-04-28 05:46 . 2010-04-28 05:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Intel
2010-04-27 04:43 . 2009-08-31 15:16 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-27 02:25 . 2010-04-27 02:25 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2010-04-27 02:25 . 2010-04-27 02:25 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2010-04-27 02:18 . 2010-04-25 22:54 -------- d-----w- c:\program files\Free Window Registry Repair
2010-04-25 23:12 . 2010-04-25 23:12 -------- d-----w- c:\documents and settings\Richard\Application Data\Malwarebytes
2010-04-25 22:45 . 2010-04-25 22:45 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-04-25 22:42 . 2010-04-25 22:42 -------- d-----w- c:\program files\Zone Labs
2010-04-23 17:35 . 2010-04-23 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-23 17:32 . 2010-04-23 17:32 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-23 14:21 . 2010-03-08 01:00 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-04-20 21:37 . 2009-07-15 18:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-03-30 04:46 . 2010-04-28 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45 . 2010-04-28 00:09 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-18 06:35 . 2009-12-18 06:35 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-09-18 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-09-18 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-09-18 118784]
"SigmatelSysTrayApp"="stsystra.exe" [2005-12-27 413696]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-10-21 995528]
"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2009-11-03 1372160]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2009-11-03 1202448]

c:\documents and settings\Richard\Start Menu\Programs\Startup\
Stardock ObjectDock.lnk - c:\program files\Stardock\ObjectDock\ObjectDock.exe [2009-7-29 3450608]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Documents and Settings\\Richard\\My Documents\\Downloads\\utorrent.exe"=
"c:\\windows\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:*:Disabled:Adobe CSI CS4

R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [7/14/2009 11:01 PM 36368]
S0 sptd;sptd;c:\windows\system32\Drivers\sptd.sys --> c:\windows\system32\Drivers\sptd.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/13/2009 1:48 AM 135664]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [7/15/2009 12:17 PM 50192]
S2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [7/15/2009 12:17 PM 677128]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 10:58 AM 11336]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [12/18/2009 2:35 AM 30192]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [4/27/2010 8:09 PM 38224]
.
Contents of the 'Scheduled Tasks' folder

2010-06-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-06-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-13 19:57]

2010-06-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-13 19:57]

2010-06-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1694513607-3490440325-3003256851-1006Core.job
- c:\documents and settings\Richard\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-20 18:52]

2010-06-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1694513607-3490440325-3003256851-1006UA.job
- c:\documents and settings\Richard\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-20 18:52]

2010-06-10 c:\windows\Tasks\Norton Security Scan for Richard.job
- c:\program files\Norton Security Scan\Engine\2.7.3.34\Nss.exe [2010-03-07 20:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.windstream.net/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
IE: Add to Evernote - c:\program files\Evernote\Evernote3\enbar.dll/2000
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Richard\Application Data\Mozilla\Firefox\Profiles\q1mdms8k.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.moreheadstate.edu
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=13917&gct=&gc=1&q=
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\documents and settings\Richard\Application Data\Move Networks\plugins\npqmp071705000014.dll
FF - plugin: c:\documents and settings\Richard\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-11 09:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,c3,b6,db,bd,21,70,90,4a,96,4f,e9,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,c3,b6,db,bd,21,70,90,4a,96,4f,e9,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(912)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
c:\windows\system32\netprovcredman.dll
c:\windows\system32\igfxdev.dll

- - - - - - - > 'explorer.exe'(1940)
c:\windows\system32\WININET.dll
c:\program files\Stardock\ObjectDock\DockShellHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\ArcSoft\PhotoImpression 5\share\pihook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\WiFi\bin\S24EvMon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\stsystra.exe
c:\windows\eHome\ehmsas.exe
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2010-06-11 15:48:50 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-11 19:48
ComboFix2.txt 2010-06-11 00:02

Pre-Run: 29,553,549,312 bytes free
Post-Run: 29,392,207,872 bytes free

- - End Of File - - 556F655596E0F56CE7301BB2F8D14BA9
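
The CFScript in post #6 and the ComboFix output above share a few indicators that can be checked mechanically rather than by eye: executables whose names were padded with spaces before ".exe" (the paths listed under Renv::), Security Center monitoring switched off for the Trend Micro and ZoneAlarm entries, and the Internet Explorer setting "ProxyServer = http=127.0.0.1:5555", which is still present in this second log. A proxy pointed at the local machine with nothing listening on it is a likely reason for the page-load failures the opening post describes in Chrome, which uses the system proxy settings. The Python script below is an added example, not part of this thread and not ComboFix's own code; it scans ComboFix-style text for those indicators plus AtNN.job scheduled tasks of the kind mentioned in the opening post. Its sample input is constructed from lines in the thread; the At42 and At101 lines are modelled on the opening post's description, since the logs shown no longer list them.

```python
"""ComboFix log triage: flag the indicators seen in this thread.

Added example, not part of the original thread and not ComboFix's own code.
Heuristic text matching on ComboFix-style output; it assumes the
"DisableMonitoring" value is printed directly under its Security Center
key, as ComboFix does.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str      # padded_exe | loopback_proxy | monitoring_disabled | at_job
    detail: str    # the path, value or product that triggered the finding
    line_no: int   # 1-based line number within the scanned text


# A legitimate executable name with spaces inserted before ".exe"; this is
# what the Renv:: entries in the CFScript rename back.
PADDED_EXE = re.compile(r'(?P<path>[a-z]:\\[^"\r\n]*?\S) +\.exe\b', re.IGNORECASE)
# ComboFix prints the IE proxy as: uInternet Settings,ProxyServer = http=127.0.0.1:5555
PROXY = re.compile(r'ProxyServer\s*=\s*(?P<value>\S+)', re.IGNORECASE)
# [HKLM\software\microsoft\security center\Monitoring\<product>] followed by
# "DisableMonitoring"=dword:00000001 hides that product from Security Center.
SEC_CENTER_KEY = re.compile(r'security center\\Monitoring\\(?P<product>[^\]]+)\]', re.IGNORECASE)
DISABLE_MON = re.compile(r'"DisableMonitoring"\s*=\s*dword:0*1\b', re.IGNORECASE)
# Jobs named AtNN.job are created by the legacy at.exe scheduler.
AT_JOB = re.compile(r'\\Tasks\\(?P<name>At\d+)\.job\b', re.IGNORECASE)


def is_loopback_proxy(value: str) -> bool:
    """True if any entry of an IE ProxyServer value points at this machine.

    The value is "host:port" or a ";"-separated list of "scheme=host:port";
    the scheme prefix is optional. IPv6 literals are not handled.
    """
    for entry in value.split(";"):
        hostport = entry.strip().split("=", 1)[-1]
        host = hostport.rsplit(":", 1)[0] if ":" in hostport else hostport
        host = host.lower()
        if host == "localhost" or host.startswith("127."):
            return True
    return False


def triage(log_text: str) -> list[Finding]:
    """Scan ComboFix-style text and return every indicator found, in order."""
    findings: list[Finding] = []
    sec_product: str | None = None   # product named by the last Security Center key
    for n, raw in enumerate(log_text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        m = PADDED_EXE.search(line)
        if m:
            findings.append(Finding("padded_exe", m.group("path") + ".exe", n))
        m = PROXY.search(line)
        if m and is_loopback_proxy(m.group("value")):
            findings.append(Finding("loopback_proxy", m.group("value"), n))
        m = AT_JOB.search(line)
        if m:
            findings.append(Finding("at_job", m.group("name"), n))
        m = SEC_CENTER_KEY.search(line)
        if m:
            sec_product = m.group("product")
        elif line.startswith("["):
            sec_product = None            # any other registry key ends the block
        elif sec_product and DISABLE_MON.search(line):
            findings.append(Finding("monitoring_disabled", sec_product, n))
            sec_product = None
    return findings


# Constructed sample: lines copied from the CFScript and the ComboFix output
# in this thread, plus two AtNN.job lines modelled on the opening post's
# description (the logs shown in the thread no longer list them).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2009-11-03 1372160]
c:\program files\QuickTime\qttask                 .exe
c:\windows\ehome\ehtray .exe
c:\program files\Malwarebytes' Anti-Malware\mbam .exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
2010-06-09 c:\windows\Tasks\At42.job
2010-06-09 c:\windows\Tasks\At101.job
2010-06-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
uStart Page = hxxp://www.windstream.net/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no:3d}  {f.kind:20s} {f.detail}")
```

Run as-is it prints the eight findings from the sample (three padded executables, two disabled Security Center entries, two At jobs and the loopback proxy). To check a real log, pass the file contents to triage(), reading it with errors="replace" since ComboFix writes in the system code page. The matching is deliberately loose on case and spacing, so treat a hit as something to look at, not as proof on its own.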


#8 JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,751 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 11 June 2010 - 06:24 PM

The log looks clear. Lets scan for remnants:

Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses Java technology to perform the scan. If you do not have the latest Java version, follow the instructions below under Upgrading Java, to download and install the latest version.
  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure the following are checked
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.
Attention! Kaspersky Online Scanner 7.0 may fail to start if another anti-virus program is already installed and running on your computer. Please deactivate the anti-virus software installed on your computer prior to starting Kaspersky Online Scanner 7.0.

Upgrading Java :
  • Download the latest version of Java SE Runtime Environment (JRE), JRE 6 Update 20.
  • Click the JDK 6 Update 20 (JDK or JRE) "Download JRE" button to the right.
  • Select your Platform, Register and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u20-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista users, right click on the jre-6u20-windows-i586.exe and select "Run as an Administrator.")




#9 naholt01

  • Topic Starter

  • Members
  • 14 posts

Posted 13 June 2010 - 10:07 AM

Sorry it took so long to reply. Kaspersky was running the scan nearly all day yesterday. Here is the log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Sunday, June 13, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Saturday, June 12, 2010 15:22:51
Records in database: 4261753
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Objects scanned: 284074
Threats found: 1
Infected objects found: 3
Suspicious objects found: 0
Scan duration: 07:37:17


File name / Threat / Threats count
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP258\A0138249.exe Infected: Trojan-Downloader.Win32.Agent.dqzw 1
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP259\A0143764.exe Infected: Trojan-Downloader.Win32.Agent.dqzw 1
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP264\A0145302.exe Infected: Trojan-Downloader.Win32.Agent.dqzw 1

Selected area has been scanned.

#10 JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,751 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 13 June 2010 - 12:22 PM

The detections are files backed up by Windows.

Reset and Re-enable your System Restore to remove these files. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.

Follow these steps to uninstall Combofix.
  • Rename Combofix to Uninstall and click on it. That should remove the application.
Launch OTL and click on the Cleanup button. Follow the prompts.

Manually remove any tool left.

Create a Restore point:
  1. Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore.
  2. In the System Restore dialog box, click Create a restore point, and then click Next.
  3. Type a description for your restore point, such as "After Cleanup", then click Create.

How is the computer doing?



#11 naholt01

  • Topic Starter

  • Members
  • 14 posts

Posted 14 June 2010 - 06:42 PM

It is much better than before! Chrome will run now and everything is more or less back to normal. Thank you so much for all of the help!

#12 JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,751 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 14 June 2010 - 10:40 PM

Congratulations.

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  1. Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  2. AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
  3. Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  4. Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  5. Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  6. ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Miekiemoes.

Best wishes!





