Connection Reset on windowsupdate, browser redirects, rootkit infection


  • This topic is locked
15 replies to this topic

#1 blackappy

  • Members
  • 7 posts

Posted 25 June 2010 - 08:27 AM

Please help with this stubborn problem I'm having on my desktop running XP Home.

I am unable to open a browser for Windows Update (windowsupdate.microsoft.com), and attempts to visit certain sites cause my browser to visit random pages, e.g.
hxxp://mcallenphotographer.com/result.php?Keywords=%22combo+fix%22r=7cae032a17c886f3317a06231ca0b87accd1030c1580a5a19ff4ef697fab08e732b5fa1b3cd1b44f9ee2df62eda16ca3&Submit=Go

hxxp://ultraberry.com/result.php?Keywords=%22combo+fix%22&r=7cae032a17c886f3317a06231ca0b87accd1030c1580a5a19ff4ef697fab08e732b5fa1b3cd1b44f9ee2df62eda16ca3&Submit=Go

Against your advice, I ran ComboFix, which alerted me to a rootkit infection. I have attached its log as well.


Here are my log files:

DDS:

DDS (Ver_10-03-17.01) - NTFSx86
Run by steve at 21:30:06.76 on Thu 06/24/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.552 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\CDBurnerXP\NMSAccess.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\steve\Desktop\Defogger.exe
C:\Documents and Settings\steve\Desktop\dds.scr

============== Pseudo HJT Report ===============

uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZUxdm080YYUS&fl=0&ptb=bVsdhhRCZLC8BRGdJk8PWg&url=http://www.ask.com/web&q={searchTerms}&l=zu&o=sb
mWindow Title = Microsoft Internet Explorer provided by Comcast
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: AIM Search: {40d41a8b-d79b-43d7-99a7-9ee0f344c385} - c:\program files\aim toolbar\AIMBar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Embarq Toolbar: {4e7bd74f-2b8d-469e-92be-bf2dfe9aae2c} - c:\progra~1\embarq~1\EMBARQ~1.DLL
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallati...uot;ver=9.0.837
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\EMBARQ Help.lnk.disabled
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\steve\applic~1\mozilla\firefox\profiles\u4r7x9ws.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google.com (in English)
FF - prefs.js: browser.startup.homepage - hxxp://www.myembarq.com/
FF - prefs.js: keyword.URL - hxxp://search.wish-search.com/?sid=10101020100&s=
FF - component: c:\documents and settings\steve\application data\mozilla\firefox\profiles\u4r7x9ws.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\steve\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\picasa2\npPicasa2.dll
FF - plugin: c:\program files\picasa2\npPicasa3.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R2 MSSQL$XACTWARE;SQL Server (XACTWARE);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2009-5-27 29262680]
R2 SVKP;SVKP;c:\windows\system32\SVKP.sys [2005-10-16 2368]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-3-31 24652]
R4 AVGIDSDriverxpx;AVG9IDSDriver;\??\c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\avgidsdriver.sys --> c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSDriver.sys [?]
R4 AVGIDSFilterxpx;AVG9IDSFilter;\??\c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\avgidsfilter.sys --> c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSFilter.sys [?]
R4 AVGIDSShimxpx;AVG9IDSShim;\??\c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\avgidsshim.sys --> c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSShim.sys [?]
R4 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys --> c:\windows\system32\drivers\avgrkx86.sys [?]
R4 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys --> c:\windows\system32\drivers\avgtdix.sys [?]
RUnknown Avgfwdx;Avgfwdx; [x]
S0 wjrrqptq;wjrrqptq; [x]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-19 136176]
S3 netr73;Linksys Compact Wireless-G USB Adapter Driver for Vista;c:\windows\system32\drivers\netr73.sys [2006-12-29 247808]
S4 ASKService;ASKService;c:\program files\askbardis\bar\bin\AskService.exe [2009-12-5 464264]
S4 ASKUpgrade;ASKUpgrade;c:\program files\askbardis\bar\bin\ASKUpgrade.exe [2009-12-5 234888]
UnknownUnknown Avgfwfd;Avgfwfd; [x]

=============== Created Last 30 ================

2010-06-25 01:29:31 0 ----a-w- c:\documents and settings\steve\defogger_reenable
2010-06-25 00:39:12 0 d-----w- c:\docume~1\steve\applic~1\AVG9
2010-06-24 22:57:19 0 d-sha-r- C:\cmdcons
2010-06-24 22:48:44 98816 ----a-w- c:\windows\sed.exe
2010-06-24 22:48:44 77312 ----a-w- c:\windows\MBR.exe
2010-06-24 22:48:44 256512 ----a-w- c:\windows\PEV.exe
2010-06-24 22:48:44 161792 ----a-w- c:\windows\SWREG.exe
2010-06-22 13:40:37 12536 ------w- c:\windows\system32\avgrsstx.dll.install_backup
2010-06-22 02:57:46 0 d-----w- C:\$AVG
2010-06-22 02:44:02 0 d-----w- c:\program files\AVG
2010-06-22 02:43:26 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-06-21 18:03:50 54156 ---ha-w- c:\windows\QTFont.qfn
2010-06-21 18:03:50 1409 ----a-w- c:\windows\QTFont.for
2010-06-21 16:40:17 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-21 16:40:14 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-21 13:43:53 0 d-sh--w- c:\documents and settings\steve\IECompatCache
2010-06-20 01:25:02 19569 ----a-w- c:\windows\000001_.tmp
2010-06-19 23:55:10 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-02 00:26:21 0 d-----w- c:\program files\Belkin
2010-06-01 19:20:08 23 --sha-w- c:\windows\system32\edacded0.dat
2010-06-01 19:20:08 23 ----a-w- c:\windows\system32\bcdadac7.xml
2010-06-01 19:19:54 0 d-----w- c:\program files\jv16 PowerTools 2009
2010-06-01 17:45:00 0 d-----w- c:\windows\system32\NtmsData
2010-06-01 15:57:14 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-06-01 15:45:23 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2010-06-01 15:40:39 3109 ----a-w- c:\windows\lsrslt.ini
2010-05-31 12:48:13 0 d-----w- c:\docume~1\alluse~1\applic~1\Update
2010-05-27 15:43:43 44 ----a-w- c:\windows\iltwain.ini
2010-05-27 15:42:05 0 d-----w- C:\SIMSOL

==================== Find3M ====================

2010-06-21 16:35:39 0 ----a-w- C:\UnInstall.dat
2010-05-17 19:52:46 15341 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp Music Converter.dat
2010-05-17 19:52:27 5652144 ----a-w- c:\windows\system32\SpoonUninstall.exe
2010-05-05 13:30:57 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-04-09 20:48:18 3600384 ----a-w- c:\windows\system32\GPhotos.scr
2010-03-04 17:25:39 848 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-04-24 12:28:28 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009042420090425\index.dat

============= FINISH: 21:31:46.84 ===============




GMER:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-25 08:15:59
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\steve\LOCALS~1\Temp\uwriqpob.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys ZwOpenProcess [0xEE456670]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys ZwTerminateProcess [0xEE456720]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys ZwTerminateThread [0xEE4567C0]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys ZwWriteVirtualMemory [0xEE456860]

---- Kernel code sections - GMER 1.0.15 ----

? Combo-Fix.sys The system cannot find the file specified. !
? avgrkx86.sys The system cannot find the file specified. !
init C:\WINDOWS\System32\DRIVERS\mohfilt.sys entry point in "init" section [0xF7BC3760]
? system32\DRIVERS\avgfwdx.sys The system cannot find the path specified. !
? System32\Drivers\avgtdix.sys The system cannot find the path specified. !
? C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys The system cannot find the file specified. !
? C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSFilter.sys The system cannot find the file specified. !
? C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSDriver.sys The system cannot find the file specified. !
? C:\DOCUME~1\steve\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !
? C:\ComboFix\catchme.sys The system cannot find the path specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\explorer.exe[740] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\explorer.exe[740] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C1000A
.text C:\WINDOWS\explorer.exe[740] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C
.text C:\WINDOWS\System32\svchost.exe[1400] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009A000A
.text C:\WINDOWS\System32\svchost.exe[1400] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009B000A
.text C:\WINDOWS\System32\svchost.exe[1400] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0099000C
.text C:\WINDOWS\System32\svchost.exe[1400] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0088000A
.text C:\WINDOWS\System32\svchost.exe[1400] ole32.dll!CoCreateInstance 7750057E 3 Bytes JMP 00DC000A
.text C:\WINDOWS\System32\svchost.exe[1400] ole32.dll!CoCreateInstance + 4 77500582 1 Byte [89]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2828] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00DE000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2828] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00DF000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2828] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00DD000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.sys
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.sys
---- Processes - GMER 1.0.15 ----

Library C:\WINDOWS\system32\avgrsstx.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [936] 0x6C1B0000

---- EOF - GMER 1.0.15 ----


ComboFix Log is attached:

Attached Files

  • Attached File  log.txt   24.77KB   8 downloads

Edited by Orange Blossom, 25 June 2010 - 02:43 PM.
Deactivate links. ~ OB



#2 blackappy

  • Topic Starter
  • Members
  • 7 posts

Posted 27 June 2010 - 09:14 AM

Interestingly enough, a different computer on my network (a Toshiba Satellite) refuses to start after running Malwarebytes. Perhaps unrelated, but alarming, at any rate.

#3 Farbar

    Just Curious

  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands

Posted 29 June 2010 - 04:07 AM

Hi blackappy,

Welcome to the Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on, as it might interfere with our fixes. If you do make changes, I shall assume my assistance is not needed any more.

If the issue is not resolved please update me on the current condition of your computer.

#4 blackappy

  • Topic Starter
  • Members
  • 7 posts

Posted 29 June 2010 - 04:05 PM

Hi Farbar,

I'm still having the same problems as I stated in my original post. What next?

#5 Farbar

    Just Curious

  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands

Posted 29 June 2010 - 04:14 PM

We will take care of the rootkit infection first and then attend to some security problems later on.
  1. You have the program Spybot S&D (TeaTimer option) running on your machine. We need to disable TeaTimer so it does not interfere with the fixes we are about to do. This will only take a few seconds.
    1. First disable TeaTimer:
      • Run Spybot-S&D
      • Go to the Mode menu, and make sure Advanced Mode is selected
      • On the left hand side, choose Tools -> Resident
      • Uncheck Resident TeaTimer and OK any prompts
      • Restart your computer.
      Instructions are also here: How to disable TeaTimer during HijackThis Cleanup
      Note: If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
    2. Then download ResetTeaTimer.exe to your desktop.
      • Double-click ResetTeaTimer.exe and let it run.
    Note: TeaTimer should be kept disabled until I give you the clean sign.

  2. Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box (without the word CODE) into a new file:


    CODE
    @ECHO OFF
    REM Remove the per-user (HKCU) Internet Explorer proxy, which the DDS log shows pointing at 127.0.0.1:5555
    Reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /f
    Reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /f
    REM Reset the machine-wide WinHTTP proxy (used by Windows Update) to direct access
    proxycfg -d

    • Go to the File menu at the top of the Notepad and select Save as.
    • Select Save in: desktop
    • Fill in File name: fix.bat
    • Save as type: All file types (*.*)
    • Click save.
    • Close the Notepad.
    • Locate fix.bat on the desktop. It should look like this:
    • Double-click to run it.
    • A window flashes, this is normal.

  3. We are going to run this special tool.
    • Please download TDSSKiller.exe and save it to your desktop.
    • Run TDSSKiller.exe.
    • When it has finished, press any key to continue.
    • Let it reboot if needed, and tell me whether it needed a reboot.
    • It also writes a txt file to the C:\ directory (like TDSSKiller.2.3.2.0_Date_Time_log.txt). Please attach it to your reply.

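The fix.bat step above removes the two proxy settings the DDS log in this thread shows (the per-user `ProxyServer = http=127.0.0.1:5555` entry, plus the WinHTTP proxy that Windows Update relies on), and the TDSSKiller step goes after a boot-start rootkit driver. The script below is an added triage example, not code from this thread, from DDS, or from any tool named here: it reads lines in the format DDS prints (the "Pseudo HJT Report" and "SERVICES / DRIVERS" sections) and flags (a) any proxy that points back at the local machine and (b) any boot-start driver whose image file DDS could not find. Both are flags for review rather than verdicts, since a local filtering product can legitimately listen on loopback. The sample log is constructed to mirror the lines in the thread, and the regular expressions encode my reading of the DDS line layout, not a documented specification.

```python
"""Triage helpers for DDS-style logs: loopback-proxy hijack and orphaned
boot-start drivers.

Added example (not the forum's, DDS's or any named tool's code). Assumes
the DDS line layout seen in the thread:
  [u|m]Internet Settings,ProxyServer = http=HOST:PORT[;https=HOST:PORT]
  <start> <name>;<display>;<path> [<date size> | x]
"""
import re
from ipaddress import ip_address

# Constructed sample modelled on the DDS report lines in the thread.
SAMPLE_LOG = """\
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
mInternet Settings,ProxyServer = proxy.corp.example:8080
R2 SVKP;SVKP;c:\\windows\\system32\\SVKP.sys [2005-10-16 2368]
RUnknown Avgfwdx;Avgfwdx; [x]
S0 wjrrqptq;wjrrqptq; [x]
S2 gupdate;Google Update Service (gupdate);c:\\program files\\google\\update\\GoogleUpdate.exe [2010-5-19 136176]
"""

# 'u' = per-user (HKCU) setting, 'm' = machine (HKLM) setting in DDS output.
PROXY_RE = re.compile(r"^(?P<scope>[um])Internet Settings,ProxyServer\s*=\s*(?P<value>.+)$")
ENDPOINT_RE = re.compile(r"^(?:(?P<scheme>https?|ftp|socks)=)?(?P<host>[^:\s]+):(?P<port>\d+)$")
# R/S = running/stopped, digit = start type (0 = boot); '[x]' means file not found.
SERVICE_RE = re.compile(
    r"^(?P<start>R\d|S\d|RUnknown|UnknownUnknown)\s+"
    r"(?P<name>[^;]*);(?P<display>[^;]*);(?P<path>[^\[]*)\[(?P<info>[^\]]*)\]$"
)


def parse_proxy_server(value):
    """Split 'http=127.0.0.1:5555;https=h:p' or 'host:port' into (scheme, host, port) tuples."""
    endpoints = []
    for part in value.split(";"):
        m = ENDPOINT_RE.match(part.strip())
        if m:
            endpoints.append((m.group("scheme") or "all", m.group("host"), int(m.group("port"))))
    return endpoints


def is_loopback(host):
    """True for 127.0.0.0/8, ::1 and the name 'localhost'."""
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"


def find_loopback_proxies(log_text):
    """Proxy settings that route the browser through the local machine (review flag)."""
    findings = []
    for lineno, raw in enumerate(log_text.splitlines(), 1):
        m = PROXY_RE.match(raw.strip())
        if not m:
            continue
        scope = "HKCU" if m.group("scope") == "u" else "HKLM"
        for scheme, host, port in parse_proxy_server(m.group("value")):
            if is_loopback(host):
                findings.append({"line": lineno, "scope": scope, "scheme": scheme,
                                 "host": host, "port": port})
    return findings


def find_orphan_boot_drivers(log_text):
    """Boot-start (start type 0) drivers whose image DDS could not find on disk."""
    findings = []
    for lineno, raw in enumerate(log_text.splitlines(), 1):
        m = SERVICE_RE.match(raw.strip())
        if not m:
            continue
        start = m.group("start")
        boot_start = start[0] in "RS" and start[1:] == "0"
        if boot_start and not m.group("path").strip():
            findings.append({"line": lineno, "name": m.group("name"), "start": start})
    return findings


def triage(log_text):
    """Run both checks and return the findings keyed by check name."""
    return {"loopback_proxies": find_loopback_proxies(log_text),
            "orphan_boot_drivers": find_orphan_boot_drivers(log_text)}


if __name__ == "__main__":
    for check, items in triage(SAMPLE_LOG).items():
        print(check)
        for item in items:
            print("  ", item)
```

On the sample the script reports the HKCU proxy at 127.0.0.1:5555 and the boot-start entry with no file; the AVG entry with `[x]` is not flagged because its start type is unknown rather than boot, and the corporate proxy on line 3 is not loopback. To use it on a real DDS log, pass the file's text to `triage()`.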

#6 blackappy

  • Topic Starter
  • Members
  • 7 posts

Posted 30 June 2010 - 03:40 PM

Hi Farbar,

Thanks so much!

TDSS Killer ran and required a reboot.

Here is the requested log file:

Attached Files



#7 blackappy

  • Topic Starter
  • Members
  • 7 posts

Posted 30 June 2010 - 03:45 PM

Incidentally, Windows Update is working now.

#8 Farbar

    Just Curious

  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands

Posted 30 June 2010 - 04:18 PM

The rootkit is taken care of, and that is the reason Windows Update is working again.
  1. Open your Malwarebytes' Anti-Malware.
    • First update it: under the Update tab, press "Check for Updates".
    • Under the Scanner tab, select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy & paste the MBAM log.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


  2. Delete your copy of ComboFix and download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (Information on A/V control HERE)
    • Double click on ComboFix.exe & follow the prompts.

    When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.

  3. Please go to start => Run => Copy and paste the bold line in the run-box and click OK:

    "C:\Qoobox\Add-Remove Programs.txt"

    A text file opens up, copy and paste the content to your reply.


#9 Farbar

    Just Curious

  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands

Posted 04 July 2010 - 06:00 AM

Are you still there?

#10 blackappy

  • Topic Starter
  • Members
  • 7 posts

Posted 04 July 2010 - 03:34 PM

Yes, I am. Sorry for the delay. I am using my uncle's computer and am only able to work on this occasionally. I am completing the remaining steps now.

#11 Farbar

    Just Curious

  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands

Posted 04 July 2010 - 04:31 PM

Very well. The reason I wanted to speed it up is that I'm going on vacation from July 8 and wanted to finish it earlier.

#12 blackappy

  • Topic Starter
  • Members
  • 7 posts

Posted 05 July 2010 - 05:21 PM

Okay... so sorry about the delays!

Here you go:

ComboFix 10-07-04.01 - steve 07/04/2010 16:46:27.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.542 [GMT -4:00]
Running from: c:\documents and settings\steve\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2010-06-04 to 2010-07-04 )))))))))))))))))))))))))))))))
.

2010-06-28 13:51 . 2010-06-28 13:53 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-06-25 00:39 . 2010-06-25 00:39 -------- d-----w- c:\documents and settings\steve\Application Data\AVG9
2010-06-23 02:58 . 2010-06-23 13:08 -------- d-----w- c:\program files\Windows Live Safety Center
2010-06-23 01:54 . 2010-06-24 22:41 0 ----a-w- c:\documents and settings\steve\Local Settings\Application Data\prvlcl.dat
2010-06-22 13:41 . 2010-06-22 13:41 242896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-06-22 13:41 . 2010-06-22 13:41 74760 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\UniversalDD.sys
2010-06-22 13:41 . 2010-06-22 13:41 30216 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\AVGIDSFilter.sys
2010-06-22 13:41 . 2010-06-22 13:41 29512 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys
2010-06-22 13:41 . 2010-06-22 13:41 26120 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\AVGIDSShim.sys
2010-06-22 13:41 . 2010-06-22 13:41 25096 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\AVGIDSxx.sys
2010-06-22 13:41 . 2010-06-22 13:41 122376 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\AVGIDSDriver.sys
2010-06-22 13:41 . 2010-06-22 13:41 216200 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys
2010-06-22 13:31 . 2010-06-22 13:31 1038688 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2010-06-22 13:31 . 2010-06-22 13:31 813336 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avginet.dll
2010-06-22 13:31 . 2010-06-22 13:31 624920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2010-06-22 13:31 . 2010-06-22 13:31 1690464 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-06-22 02:57 . 2010-06-22 02:57 -------- d-----w- C:\$AVG
2010-06-22 02:44 . 2010-06-22 02:44 -------- d-----w- c:\program files\AVG
2010-06-22 02:43 . 2010-06-25 01:27 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-06-21 18:11 . 2010-06-21 18:11 439816 ----a-w- c:\documents and settings\steve\Application Data\Real\Update\setup3.10\setup.exe
2010-06-21 16:40 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-21 16:40 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-21 16:38 . 2010-06-21 16:39 -------- d-----w- c:\documents and settings\Administrator.BIGDADDY\Local Settings\Application Data\Adobe
2010-06-21 13:43 . 2010-06-21 13:43 -------- d-sh--w- c:\documents and settings\steve\IECompatCache
2010-06-20 01:44 . 2010-06-20 01:44 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-06-19 23:55 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-04 20:34 . 2010-04-21 14:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-02 03:46 . 2007-10-15 17:14 -------- d-----w- c:\program files\Picasa2
2010-06-30 21:03 . 2010-03-23 16:09 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-30 20:36 . 2002-08-29 10:00 4224 ----a-w- c:\windows\system32\drivers\RDPCDD.SYS
2010-06-25 01:04 . 2009-04-28 19:26 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-24 22:46 . 2009-04-28 19:12 198336 ----a-w- c:\documents and settings\Administrator.BIGDADDY\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-23 02:58 . 2005-10-17 00:07 -------- d-----w- c:\program files\Google
2010-06-22 02:38 . 2007-10-15 18:22 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-06-21 18:06 . 2007-10-15 17:36 -------- d-----w- c:\documents and settings\steve\Application Data\StarOffice8
2010-06-21 16:58 . 2007-03-11 21:37 -------- d-----w- c:\program files\Are You Man Enough
2010-06-21 16:45 . 2010-06-01 14:57 -------- d-----w- c:\documents and settings\Administrator.BIGDADDY\Application Data\U3
2010-06-21 16:35 . 2007-03-08 02:02 0 ----a-w- C:\UnInstall.dat
2010-06-21 16:32 . 2008-08-23 04:00 -------- d-----w- c:\program files\CityPoker
2010-06-21 14:58 . 2006-06-08 07:16 -------- d-----w- c:\documents and settings\steve\Application Data\U3
2010-06-11 22:19 . 2004-11-19 13:58 -------- d-----w- c:\documents and settings\steve\Application Data\MSN6
2010-06-07 03:06 . 2010-05-31 12:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
2010-06-03 02:41 . 2010-06-03 02:41 3600384 ----a-w- c:\windows\system32\GPhotos.scr
2010-06-02 00:26 . 2010-06-02 00:26 -------- d-----w- c:\program files\Belkin
2010-06-01 19:20 . 2010-06-01 19:20 23 --sha-w- c:\windows\system32\edacded0.dat
2010-06-01 19:20 . 2010-06-01 19:19 -------- d-----w- c:\program files\jv16 PowerTools 2009
2010-05-22 03:27 . 2010-04-09 14:24 -------- d-----w- c:\documents and settings\steve\Application Data\uTorrent
2010-05-17 19:52 . 2010-05-17 19:52 15341 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp Music Converter.dat
2010-05-17 19:52 . 2010-05-17 19:52 -------- d-----w- c:\documents and settings\steve\Application Data\AccurateRip
2010-05-17 19:52 . 2010-05-17 19:52 -------- d-----w- c:\program files\Illustrate
2010-05-17 19:52 . 2010-05-17 19:52 5652144 ----a-w- c:\windows\system32\SpoonUninstall.exe
2010-05-17 19:50 . 2010-05-17 19:50 -------- d-----w- c:\documents and settings\steve\Application Data\ImgBurn
2010-05-17 19:44 . 2010-05-17 19:44 -------- d-----w- c:\program files\ImgBurn
2010-05-17 19:36 . 2010-05-17 19:36 -------- d-----w- c:\documents and settings\All Users\Application Data\winLAME
2010-05-17 19:36 . 2010-05-17 19:36 -------- d-----w- c:\program files\winLAME
2010-05-17 16:42 . 2008-12-27 14:06 -------- d-----w- c:\documents and settings\steve\Application Data\vlc
2010-05-16 18:09 . 2004-10-07 00:43 198336 ----a-w- c:\documents and settings\steve\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-13 07:02 . 2010-05-12 18:53 -------- d-----w- c:\program files\Microsoft SQL Server
2010-05-12 19:03 . 2010-05-12 19:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Xactware
2010-05-12 19:01 . 2010-05-12 19:01 -------- d-----w- c:\program files\Xactware
2010-05-12 18:58 . 2010-05-12 18:58 -------- d-----w- c:\program files\Microsoft.NET
2010-05-12 18:56 . 2010-05-12 18:56 -------- d-----w- c:\program files\MSXML 6.0
2010-05-12 18:52 . 2010-05-12 18:52 -------- d-----w- c:\program files\MSBuild
2010-05-12 18:47 . 2010-05-12 18:47 -------- d-----w- c:\program files\Reference Assemblies
2010-05-06 10:41 . 2006-06-23 16:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2003-07-15 21:01 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-24 21:14 . 2010-04-23 23:28 50354 ----a-w- c:\documents and settings\steve\Application Data\Facebook\uninstall.exe
2010-04-20 05:30 . 2002-08-29 10:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-03-04 17:25 . 2004-10-25 10:07 848 --sha-w- c:\windows\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-06-25_01.11.30 )))))))))))))))))))))))))))))))))))))))))

.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"stratas"="lockx.exe" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2004-02-10 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-02-10 118784]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"stratas"="lockx.exe" [BU]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
EMBARQ Help.lnk.disabled [2008-11-21 1717]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk.disabled]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk.disabled
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.disabledCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk.disabled]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk.disabled
backup=c:\windows\pss\HP Image Zone Fast Start.lnk.disabledCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^steve^Start Menu^Programs^Startup^StarOffice 8.lnk]
path=c:\documents and settings\steve\Start Menu\Programs\Startup\StarOffice 8.lnk
backup=c:\windows\pss\StarOffice 8.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2005-08-02 19:33 159832 ----a-w- c:\program files\Common Files\AOL\1128813350\ee\AOLHostManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-03-30 14:36 267048 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-03-29 03:37 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Apple Mobile Device"=2 (0x2)
"MyWebSearchService"=2 (0x2)
"rpcapd"=2 (0x2)
"AffinegyService"=2 (0x2)
"dlbt_device"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
"stratas"=lockx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Motive SmartBridge"=c:\progra~1\VIRTUA~1\SMARTB~1\SprintDSLAlert.exe
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" /r
"stratas"=lockx.exe
"mcagent_exe"=c:\program files\McAfee.com\Agent\mcagent.exe /runkey
"Microsoft Windows DLL Services Configuration"=windir32.exe
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"stratas"=lockx.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\SYSTEM32\\spoolsv.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

R2 MSSQL$XACTWARE;SQL Server (XACTWARE);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [5/27/2009 3:27 AM 29262680]
R2 SVKP;SVKP;c:\windows\SYSTEM32\SVKP.sys [10/16/2005 7:42 PM 2368]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [3/31/2009 3:50 PM 24652]
S0 wjrrqptq;wjrrqptq; [x]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/19/2010 10:35 PM 136176]
S3 netr73;Linksys Compact Wireless-G USB Adapter Driver for Vista;c:\windows\SYSTEM32\DRIVERS\netr73.sys [12/29/2006 1:49 AM 247808]
S4 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [12/5/2009 3:28 PM 464264]
S4 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [12/5/2009 3:28 PM 234888]
.
Contents of the 'Scheduled Tasks' folder

2010-06-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 21:57]

2010-07-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-20 02:34]

2010-07-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-20 02:34]

2010-07-04 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-10-03 16:24]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZUxdm080YYUS&fl=0&ptb=bVsdhhRCZLC8BRGdJk8PWg&url=http://www.ask.com/web&q={searchTerms}&l=zu&o=sb
mWindow Title = Microsoft Internet Explorer provided by Comcast
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
FF - ProfilePath - c:\documents and settings\steve\Application Data\Mozilla\Firefox\Profiles\u4r7x9ws.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google.com (in English)
FF - prefs.js: browser.startup.homepage - hxxp://www.myembarq.com/
FF - prefs.js: keyword.URL - hxxp://search.wish-search.com/?sid=10101020100&s=
FF - component: c:\documents and settings\steve\Application Data\Mozilla\Firefox\Profiles\u4r7x9ws.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\documents and settings\steve\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\Picasa2\npPicasa2.dll
FF - plugin: c:\program files\Picasa2\npPicasa3.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

Notify-avgrsstarter - (no file)
SafeBoot-klmdb.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-04 16:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\WBEM\PROVIDERS\Logging\NTEVT]
@DACL=(02 0000)
"File"="c:\\WINDOWS\\system32\\WBEM\\Logs\\NTEVT.log"

[HKEY_LOCAL_MACHINE\software\Microsoft\WBEM\PROVIDERS\Logging\WBEMSNMP]
@DACL=(02 0000)
"Level"=dword:00000000
"File"="c:\\WINDOWS\\system32\\WBEM\\Logs\\\\WBEMSNMP.log"
"MaxFileSize"=dword:0000ffff
"Type"="File"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2440)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\Illustrate\dBpoweramp\dBShell.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-07-04 16:55:23
ComboFix-quarantined-files.txt 2010-07-04 20:55
ComboFix2.txt 2010-06-25 01:19

Pre-Run: 111,928,193,024 bytes free
Post-Run: 112,101,371,904 bytes free

- - End Of File - - 3E0F4685DAB6D4F8EF2EE77732CC23FE

Edited by farbar, 05 July 2010 - 05:39 PM.


#13 Farbar

    Just Curious

  • Security Developer
  • 21,719 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:47 PM

Posted 05 July 2010 - 06:00 PM

One or more of the identified infections is a backdoor trojan.

A backdoor Trojan can allow an attacker to gain control of the system, log keystrokes, steal passwords, access personal data, send malevolent outgoing traffic, and close the security warning messages displayed by some anti-virus and security programs.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the Operating System. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still try to clean this machine but I can't guarantee that it will be 100% secure afterwards. If you decide to remove the infection please go on with the following steps.


Removal Instructions
  1. I see on the log Ask Toolbar is installed on your computer.

    This program is known to be bundled with adware/spyware. You may read more about Ask Toolbars here:
    http://www.benedelman.org/spyware/ask-toolbars/

    To uninstall Ask Toolbar:

    Click "start" on the taskbar and then click on the "Control Panel" icon.
    Please doubleclick the "Add or Remove Programs" icon.
    A list of programs installed will be "populated"; this may take a bit of time.
    If they exist, uninstall the following by clicking on the following entries and selecting "remove":

    Vuze toolbar from Vuze

    Also remove the folder in bold (if present) only after uninstalling Ask Toolbar:
    C:\Program Files\AskBar
    c:\program files\askbardis

  2. Close any open browsers.

    Open notepad (start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:

    CODE
    Registry::
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "stratas"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "stratas"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
    "stratas"=-
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "stratas"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "stratas"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
    "stratas"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "MyWebSearchService"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
    "SearchMigratedDefaultURL"=-
    Driver::
    MyWebSearchService
    wjrrqptq
    DDS::
    uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZUxdm080YYUS&fl=0&ptb=bVsdhhRCZLC8BRGdJk8PWg&url=http://www.ask.com/web&q={searchTerms}&l=zu&o=sb
    mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
    uInternet Connection Wizard,ShellNext = iexplore
    RegLock::
    [HKEY_LOCAL_MACHINE\software\Microsoft\WBEM\PROVIDERS\Logging\NTEVT]
    [HKEY_LOCAL_MACHINE\software\Microsoft\WBEM\PROVIDERS\Logging\WBEMSNMP]


    Save this as CFScript.txt, in the same location as ComboFix.exe




    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you ( "C:\ComboFix.txt"). Please copy and paste the log to your reply.

    Note:
    Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.

Edited by farbar, 05 July 2010 - 06:00 PM.
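Editor's added example, not part of this thread and not ComboFix's own code: a small Python triage script for the kind of log posted above. It walks lines in the shape of the "Reg Loading Points" and service entries, flags Run values whose data is a bare file name with no folder (as "stratas"=lockx.exe and windir32.exe are in the log above), flags service lines whose image path shows only "[x]" (as wjrrqptq does), and prints Registry:: and Driver:: sections in the same form as the CFScript in the reply above. The sample input is constructed from this thread's log, the function names are mine, and the thread does not confirm that ComboFix accepts a generated script unchanged, so treat the output as a draft to check by hand before dragging it onto ComboFix.exe.

```python
"""Triage the autostart and service lines of a ComboFix log.

Added example, not part of this thread and not ComboFix's own code.
Reads lines in the shape of the "Reg Loading Points" and service entries
posted above, flags the entries a malware-response helper would act on
first, and emits Registry:: / Driver:: sections in the CFScript form used
in the reply above. Function names are this example's own.
"""
import re

# Constructed sample, copied in shape from the log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"stratas"="lockx.exe" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2004-02-10 155648]
"stratas"="lockx.exe" [BU]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"stratas"=lockx.exe
"Microsoft Windows DLL Services Configuration"=windir32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MyWebSearchService"=2 (0x2)

R2 SVKP;SVKP;c:\windows\SYSTEM32\SVKP.sys [10/16/2005 7:42 PM 2368]
S0 wjrrqptq;wjrrqptq; [x]
S4 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [12/5/2009 3:28 PM 464264]
"""

KEY_RE = re.compile(r'^\[(?P<key>.+)\]$')
# Only the Run / Run- / RunServices / RunServices- family of keys is triaged.
AUTORUN_KEY_RE = re.compile(r'\\run(once|services)?-?$', re.IGNORECASE)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
# Trailing annotation on a Run value line: " [BU]" or " [2004-02-10 155648]".
ANNOT_RE = re.compile(r'\s*\[[^\]]*\]\s*$')
SERVICE_RE = re.compile(r'^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.*)$')


def executable_of(data):
    """Return just the executable named in a Run value's data, without
    arguments and without the trailing [..] annotation."""
    data = ANNOT_RE.sub('', data).strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(None, 1)[0] if data else ''


def is_bare_name(exe):
    """True when the value names a file with no directory at all. Windows
    then resolves it through its search order at logon, and legitimate
    installers almost always register a full path, so a bare 'lockx.exe'
    is worth looking at before anything else. A heuristic, not proof."""
    return bool(exe) and '\\' not in exe and '/' not in exe


def triage(log_text):
    """Walk the log once; return the Run values and services to act on."""
    findings = {'registry': [], 'drivers': []}
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group('key')
            continue
        m = VALUE_RE.match(line)
        if m:
            if current_key and AUTORUN_KEY_RE.search(current_key):
                exe = executable_of(m.group('data'))
                if is_bare_name(exe):
                    findings['registry'].append((current_key, m.group('name'), exe))
            continue
        m = SERVICE_RE.match(line)
        # The log above shows "[x]" and an empty path for wjrrqptq; flag that shape.
        if m and m.group('image').strip() == '[x]':
            findings['drivers'].append(m.group('name'))
    return findings


def build_cfscript(findings):
    """Emit Registry:: and Driver:: sections in the form shown in the reply
    above: "name"=- deletes a value, a bare name under Driver:: names a
    service to remove."""
    out = []
    if findings['registry']:
        out.append('Registry::')
        by_key = {}
        for key, name, _exe in findings['registry']:
            names = by_key.setdefault(key, [])
            if name not in names:
                names.append(name)
        for key, names in by_key.items():
            out.append('[%s]' % key)
            out.extend('"%s"=-' % n for n in names)
    if findings['drivers']:
        out.append('Driver::')
        out.extend(findings['drivers'])
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    found = triage(SAMPLE_LOG)
    for key, name, exe in found['registry']:
        print('Run value with no path: [%s] "%s" -> %s' % (key, name, exe))
    for svc in found['drivers']:
        print('Service with missing binary: %s' % svc)
    print(build_cfscript(found))
```

Run it as-is and it reports the three "stratas" entries, the windir32.exe entry and the wjrrqptq service, while leaving IgfxTray, QuickTime, Java and the msconfig\services entries alone. The ComboFix "[BU]" marker is deliberately not used as a signal, since the thread does not say what it means; the missing-folder test catches the same entries on its own.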


#14 thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:47 PM

Posted 08 July 2010 - 03:29 PM

Hi,

I will assist you while farbar is away.
Do you still desire assistance?

Kind regards,
~ t
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#15 thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:47 PM

Posted 10 July 2010 - 10:40 PM

Are you still there? Do you still desire assistance?