
Backdoor.Tidserv!inf and IE redirects/popups


This topic is locked
15 replies to this topic

#1 leenyd (Members, 40 posts)

Posted 25 June 2010 - 06:32 PM

(So sorry if you get this twice. I tried to send it from the infected computer, but when I hit "post new topic" it went to the internet connection problem page with the "diagnose connection" button. My post seemed to have disappeared, so I'm resending it from a different computer.)

Hello and thank you for your help.

My Symantec Corporate Edition 7.5 found Backdoor.Tidserv!inf but couldn't remove it. I ran TFC, CCleaner, and Emsisoft's a-squared and Malwarebytes Anti-Malware in safe mode. Symantec didn't find Backdoor.Tidserv!inf after I ran those programs, so I thought I cleaned it out. But now I get redirects and popups in Internet Explorer so I guess I'm still infected with something.

I have copied the DDS file below and attached the Attach and Ark files. The Ark file, however, is not from the GMER version which you have available for download in your Preparation Guide. I could not get that version to run completely. It froze three times. So I found an earlier version of GMER--version 1.0.14. It ran completely and I have attached its log. I hope it's okay that it's from version 1.0.14.

Thank you for your help.


DDS (Ver_10-03-17.01) - NTFSx86
Run by rbenning at 10:22:57.53 on Fri 06/25/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.186 [GMT -4:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\System32\svchost.exe -k Cognizance
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Hewlett-Packard\IAM\bin\asghost.exe
C:\Program Files\PDF Complete\pdfsvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Symantec AntiVirus\SavRoam.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Documents and Settings\rbenning\Desktop\dds.scr

============== Pseudo HJT Report ===============

uLocal Page = \blank.htm
uStart Page = hxxp://money.cnn.com/
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Credential Manager for HP ProtectTools: {df21f1db-80c6-11d3-9483-b03d0ec10000} - c:\program files\hewlett-packard\iam\bin\ItIEAddIn.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~4.EXE -Update -1103471 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www.mesopotamia.co.uk/tombs/challenge/cha_main.html"
mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
mRun: [CognizanceTS] rundll32.exe c:\progra~1\hewlet~1\iam\bin\ASTSVCC.dll,RegisterModule
mRun: [Recguard] c:\windows\sminst\Recguard.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DNS7reminder] "c:\program files\nuance\naturallyspeaking10\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\nuance\naturallyspeaking10\Ereg.ini
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
Trusted Zone: cadaretgrant.com\clients
Trusted Zone: cadaretgrant.com\www
DPF: ActiveGS.cab - hxxp://www.virtualapple.org/gs.cab
DPF: {0DAE2660-E5A0-11D1-9223-00C04FB62F94} - hxxp://clients.cadaretgrant.com/BrServer/gv.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} - hxxp://download.microsoft.com/download/7/1/D/71D9F11F-0C02-4707-9D60-D56EA8951020/pmupd806.exe
DPF: {5EDFB065-B6CB-11D2-9481-00C04FA89D4D} - hxxp://clients.cadaretgrant.com/BRSERVER/BreuHook.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1196614211921
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1196618627406
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} - hxxp://zone.msn.com/bingame/fotg/default/ddfotg.1.0.0.37.cab
DPF: {C5326A4D-E9AA-40AD-A09A-E74304D86B47} - hxxp://www.worldwinner.com/games/v50/dinerdash/dinerdash.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} - hxxp://www.photodex.com/pxplay.cab
DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} - hxxp://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} - hxxp://zone.msn.com/bingame/cnma/default/cinematycoon.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://zone.msn.com/bingame/popcaploader_v10.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://hartfordwebseminars.webex.com/client/T23L/event/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: OneCard - c:\program files\hewlett-packard\iam\bin\ASWLNPkg.dll
AppInit_DLLs: APSHook.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli ASWLNPkg

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2010-6-25 1872320]
R2 ASBroker;Logon Session Broker;c:\windows\system32\svchost.exe -k Cognizance [2004-8-4 14336]
R2 ASChannel;Local Communication Channel;c:\windows\system32\svchost.exe -k Cognizance [2004-8-4 14336]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-11-21 192104]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-11-21 169576]
R2 pdfcDispatcher;PDF Document Manager;c:\program files\pdf complete\pdfsvc.exe [2007-7-5 539936]
R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2007-3-14 116416]
R2 SWIHPWMI;SWIHPWMI;c:\program files\hpq\shared\sierra wireless\win32\unicode\SWIHPWMI.exe [2006-12-4 292384]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2007-3-14 1816768]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-6-21 102448]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-1-23 36608]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100623.002\naveng.sys [2010-6-23 85552]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100623.002\navex15.sys [2010-6-23 1347504]
R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [2007-7-5 47616]
S0 amikv;amikv;c:\windows\system32\drivers\vqkj.sys --> c:\windows\system32\drivers\vqkj.sys [?]
S0 inoby;inoby;c:\windows\system32\drivers\rlowbps.sys --> c:\windows\system32\drivers\rlowbps.sys [?]
S2 AtiTlntSvr;Ati HotKey Poller AtiTlntSvr;c:\windows\system32\amcompats.exe srv --> c:\windows\system32\amcompats.exe srv [?]
S2 SNDSrvcccSetMgr;Symantec Network Drivers Service SNDSrvcccSetMgr;c:\windows\system32\1031f.exe srv --> c:\windows\system32\1031f.exe srv [?]
S2 srserviceImapiService Driver HPZ12;System Restore Service srserviceImapiService srserviceImapiService Driver HPZ12;c:\windows\system32\12520850y.exe srv --> c:\windows\system32\12520850y.exe srv [?]
S2 TermServiceDot3svc;Terminal Services TermServiceDot3svc;c:\windows\system32\activedsi.exe srv --> c:\windows\system32\activedsi.exe srv [?]
S2 WMPNetworkSvcSysmonLog;Windows Media Player Network Sharing Service WMPNetworkSvcSysmonLog;c:\windows\system32\1031fn.exe srv --> c:\windows\system32\1031fn.exe srv [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\3.tmp --> c:\windows\system32\3.tmp [?]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2008-7-10 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-7-10 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2008-7-10 369688]

=============== Created Last 30 ================

2010-06-25 14:19:56 0 ----a-w- c:\documents and settings\rbenning\defogger_reenable
2010-06-25 13:30:15 0 d-----w- c:\program files\Cobian Backup 10
2010-06-25 02:10:16 114688 ----a-w- c:\windows\system32\chg.exe
2010-06-23 14:20:54 0 d-----w- c:\program files\Sophos
2010-06-23 12:38:58 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-06-20 01:25:25 0 d-----w- c:\docume~1\rbenning\applic~1\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2010-06-20 00:52:19 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-19 22:37:56 0 d-----w- c:\program files\a-squared Free
2010-06-19 19:50:51 0 d-----w- c:\windows\system32\Registry Patrol
2010-06-19 19:50:40 0 d-----w- c:\program files\Registry Patrol
2010-06-17 23:33:59 0 d-----w- C:\Chart
2010-06-16 16:16:11 2058 ----a-w- c:\windows\system32\adptifq.sys
2010-06-14 21:27:30 306 --s-a-w- c:\windows\system32\2951593427.dat
2010-06-11 12:56:16 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-10 22:00:44 325 --s-a-w- c:\windows\system32\144286121.dat
2010-06-10 13:33:31 4 ----a-w- c:\docume~1\rbenning\applic~1\dhxiuw.dat

==================== Find3M ====================

2010-05-05 13:30:57 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-05-04 01:26:40 20 ----a-w- c:\docume~1\rbenning\applic~1\qvjsge.dat
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-05-02 05:22:50 1851264 ------w- c:\windows\system32\dllcache\win32k.sys
2010-04-29 19:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-20 05:30:08 285696 ------w- c:\windows\system32\dllcache\atmfd.dll
2010-04-13 20:20:55 72080 ----a-w- c:\documents and settings\rbenning\g2mdlhlpx.exe
2010-04-06 08:52:46 2462720 ----a-w- c:\windows\system32\dllcache\WMVCore.dll
2010-04-04 22:53:18 23101 ----a-w- c:\windows\hpqins15.dat
2010-04-04 22:44:11 157657 ----a-w- c:\windows\hpoins28.dat
2008-08-22 13:14:36 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082220080823\index.dat

============= FINISH: 10:34:17.84 ===============

Attached Files





#2 Farbar (Just Curious; Security Developer, 21,706 posts, The Netherlands)

Posted 29 June 2010 - 08:20 AM

Hi leenyd,

Welcome to Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. In case of making changes I shall assume my assistance is not needed any more.

If the issue is not resolved please update me on the current condition of your computer.

#3 leenyd (Topic Starter; Members, 40 posts)

Posted 29 June 2010 - 02:36 PM

Hello Farbar,

Thank you so much for your help.

Originally, Symantec picked up Backdoor.Tidserv!inf, but couldn't remove it. Soon thereafter Symantec found Trojan.Zbot and Trojan.Zefarch, which it got rid of. A-Squared got rid of Backdoor.Tidserv!inf which Symantec said was hiding in C:\WINDOWS\system32\drivers\serial.sys.

So now I'm getting no warnings about viruses anymore, but within a few seconds of first opening Internet Explorer and going to my homepage, a new page pops up. It's not always the same site, but a few times it's been the News 11 site that others on the forum have mentioned. One time the popup page was blocked and labeled unsafe. The last time it was Business Advantage Gold.

So currently I am having popups, and also a new problem that started on June 27. When I start my computer, a message appears that says this:

To help protect your computer, Windows has closed this program.
Name: GenericHost Process for Win32 Services
Publisher: Microsoft Corp.

When I click this box away, another message appears:

You chose to end a nonresponsive program.
Run a DLL as an App.

So my computer's current condition is that I'm having popups and redirects in Internet Explorer and a problem with GenericHost Process for Win32 Services.

Also, you said I shouldn't make any changes to my computer. I've disabled Windows updates, but I don't know how to stop Symantec from running. I have Symantec Corporate Edition 7.5. Is it okay if this still runs? If not, do you know how to turn the scans off? I have "enable auto-protect" which can be checked or unchecked, but won't that come back on after a while?

Thanks.


#4 Farbar (Just Curious; Security Developer, 21,706 posts, The Netherlands)

Posted 29 June 2010 - 02:51 PM

Thanks for the feedback.

Run GMER, uncheck all boxes but leave the boxes next to Sections and the C drive checked. Click Scan.
When it has finished, press Save to save the log and post it in your reply. It will not take more than a minute.

#5 leenyd (Topic Starter; Members, 40 posts)

Posted 29 June 2010 - 03:00 PM

Hello farbar,

Here is the gmer log, thanks.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-29 15:57:35
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\rbenning\LOCALS~1\Temp\fwryrfob.sys


---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\DRIVERS\redbook.sys entry point in ".rsrc" section [0xF6707F94]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[308] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A5000A
.text C:\Program Files\Internet Explorer\iexplore.exe[308] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00DF000A
.text C:\Program Files\Internet Explorer\iexplore.exe[308] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A4000C
.text C:\Program Files\Internet Explorer\iexplore.exe[308] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154C5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[308] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB1C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[308] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E480F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[308] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4741 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[308] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E47AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[308] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4612 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[308] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4674 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[308] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4872 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[308] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E46D6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\a-squared Free\a2service.exe[400] kernel32.dll!CreateThread + 1A 7C8106F1 4 Bytes CALL 00454E05 C:\Program Files\a-squared Free\a2service.exe (a-squared Service/Emsi Software GmbH)
.text C:\Program Files\Internet Explorer\iexplore.exe[848] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A5000A
.text C:\Program Files\Internet Explorer\iexplore.exe[848] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00DF000A
.text C:\Program Files\Internet Explorer\iexplore.exe[848] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A4000C
.text C:\Program Files\Internet Explorer\iexplore.exe[848] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154C5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[848] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AC9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[848] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD0ED C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[848] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB1C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[848] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25467C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[848] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E480F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[848] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4741 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[848] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E47AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[848] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4612 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[848] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4674 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[848] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4872 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[848] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E46D6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[848] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2EDB78 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[848] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4B77 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\WINDOWS\System32\svchost.exe[1580] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0074000A
.text C:\WINDOWS\System32\svchost.exe[1580] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00A2000A
.text C:\WINDOWS\System32\svchost.exe[1580] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0073000C
.text C:\WINDOWS\System32\svchost.exe[1580] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 006F000A
.text C:\WINDOWS\System32\svchost.exe[1580] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00EC000A
.text C:\WINDOWS\Explorer.EXE[1948] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B9000A
.text C:\WINDOWS\Explorer.EXE[1948] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C3000A
.text C:\WINDOWS\Explorer.EXE[1948] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B8000C
.text C:\Program Files\Internet Explorer\iexplore.exe[3172] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A5000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3172] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00DF000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3172] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A4000C
.text C:\Program Files\Internet Explorer\iexplore.exe[3172] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154C5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3172] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AC9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3172] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD0ED C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3172] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB1C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3172] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25467C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3172] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E480F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3172] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4741 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3172] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E47AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3172] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4612 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3172] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4674 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3172] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4872 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3172] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E46D6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3172] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2EDB78 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3172] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4B77 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\DRIVERS\redbook.sys suspicious modification

---- EOF - GMER 1.0.15 ----


#6 Farbar (Just Curious; Security Developer, 21,706 posts, The Netherlands)

Posted 29 June 2010 - 03:23 PM

The log shows the rootkit infection is still there.
  1. We are going to run this special tool.
    • Please download TDSSKiller.exe and save it to your desktop.
    • Run TDSSKiller.exe.
    • When it has finished, press any key to continue.
    • Let it reboot if needed and tell me whether it needed a reboot.
    • It also creates a txt file in the C:\ directory (like TDSSKiller.2.3.2.0_Date_Time_log.txt). Please attach it to your reply.

  2. This small application you may want to keep and use to keep the computer clean.
    Download CCleaner from here http://www.ccleaner.com/
    • Run the installer to install the application.
    • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
    • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
    • Click Run Cleaner.
    • Close CCleaner.

  3. Open your Malwarebytes' Anti-Malware.
    • First update it, to do that under the Update tab press "Check for Updates".
    • Under Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


#7 leenyd (Topic Starter; Members, 40 posts)

Posted 29 June 2010 - 04:08 PM

Hello Farbar,

1. TDSSKiller.exe did have to reboot. Txt file is attached.
2. Ran CCleaner successfully.
3. Ran Malwarebytes. Log pasted below.

Thanks.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4258

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/29/2010 5:02:57 PM
mbam-log-2010-06-29 (17-02-57).txt

Scan type: Quick scan
Objects scanned: 163425
Time elapsed: 8 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Quarantined and deleted successfully.

Attached Files
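The MBAM log above flags a Hijack.UserInit entry: Winlogon runs every comma-separated path in the Userinit value at logon, so an appended sdra64.exe is started alongside the real userinit.exe. The following Python is an added illustration, not code from the thread or from Malwarebytes; it audits a Userinit value for entries beyond the stock userinit.exe and parses the MBAM registry line to extract the bad value. The sample line is reconstructed from the log above, and the function names are my own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the "Registry Data Items Infected" line from the MBAM log
# in the post above, reproduced here as offline test input.
SAMPLE_MBAM_LINE = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit "
    r"(Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) "
    r"Good: (userinit.exe) -> Quarantined and deleted successfully."
)

# MBAM registry-data line: "<key> (<detection>) -> Bad: (<value>) Good: (<value>)"
MBAM_REGISTRY_RE = re.compile(
    r"^(?P<key>.+?) \((?P<detection>[^()\s]+)\) -> Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\)"
)


def split_userinit(value: str) -> List[str]:
    """Split a Userinit value the way Winlogon does: comma-separated entries,
    empty ones ignored (the stock value ends with a trailing comma)."""
    return [part.strip() for part in value.split(",") if part.strip()]


def is_stock_userinit(entry: str) -> bool:
    """True only for the real userinit.exe: a bare name (resolved from System32)
    or a full path whose directory is System32. A userinit.exe living anywhere
    else, or any other executable, is not stock."""
    normalized = entry.replace("/", "\\").lower()
    directory, _, name = normalized.rpartition("\\")
    if name != "userinit.exe":
        return False
    return directory == "" or directory.endswith("\\system32")


def userinit_extra_entries(value: str) -> List[str]:
    """Return every entry in a Userinit value that is not the stock userinit.exe.
    Anything returned is started at every logon and deserves a look."""
    return [entry for entry in split_userinit(value) if not is_stock_userinit(entry)]


def parse_mbam_registry_line(line: str) -> Optional[Dict[str, str]]:
    """Pull key, detection name, bad value and good value out of an MBAM
    'Registry Data Items Infected' line; None if the line has another shape."""
    match = MBAM_REGISTRY_RE.match(line.strip())
    return match.groupdict() if match else None


def audit_mbam_line(line: str) -> List[str]:
    """For a Userinit hijack line, list the entries MBAM found beyond the stock one."""
    parsed = parse_mbam_registry_line(line)
    if not parsed or not parsed["key"].lower().endswith("\\winlogon\\userinit"):
        return []
    return userinit_extra_entries(parsed["bad"])


def read_live_userinit() -> Optional[str]:
    """Read the current Userinit value on a Windows host (hypothetical helper;
    returns None on non-Windows systems where winreg is unavailable)."""
    try:
        import winreg
    except ImportError:
        return None
    with winreg.OpenKey(
        winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    ) as key:
        value, _ = winreg.QueryValueEx(key, "Userinit")
    return value


if __name__ == "__main__":
    print("extra entries in MBAM sample:", audit_mbam_line(SAMPLE_MBAM_LINE))
    live = read_live_userinit()
    if live is not None:
        print("extra entries on this host:", userinit_extra_entries(live))
```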



#8 Farbar (Just Curious; Security Developer, 21,706 posts, The Netherlands)

Posted 29 June 2010 - 04:27 PM

Hi leenyd,

One or more of the identified infections is a backdoor trojan.

A backdoor Trojan can allow an attacker to gain control of the system, log keystrokes, steal passwords, access personal data, send malevolent outgoing traffic, and close the security warning messages displayed by some anti-virus and security programs.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC could be compromised.
Some experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. If you decide to remove the infection please go on with the following steps.

Removal Instructions

The rootkit infection is taken care of and Malwarebytes found some baddies. We have to go after the rest.


Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with the tool. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
  • You will get a warning about untrusted download sites for ComboFix; click Yes.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.


#9 leenyd

leenyd
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  • Local time:08:25 AM

Posted 29 June 2010 - 05:35 PM

Hi Farbar,

Here is the ComboFix log.
ComboFix 10-06-29.02 - rbenning 06/29/2010 18:03:21.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.408 [GMT -4:00]
Running from: c:\documents and settings\rbenning\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Macromedia\SwUpdate
c:\documents and settings\All Users\Application Data\Macromedia\SwUpdate\Flags.dtd
c:\documents and settings\awerner\g2mdlhlpx.exe
c:\documents and settings\rbenning\g2mdlhlpx.exe
c:\documents and settings\rbenning\My Documents\backup registry.reg
c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\Downloaded Program Files\Temp
c:\windows\system32\144286121.dat
c:\windows\system32\2951593427.dat
Z:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SNDSRVCCCSETMGR
-------\Legacy_TERMSERVICEDOT3SVC
-------\Legacy_WMPNETWORKSVCSYSMONLOG
-------\Service_SNDSrvcccSetMgr
-------\Service_TermServiceDot3svc
-------\Service_WMPNetworkSvcSysmonLog


((((((((((((((((((((((((( Files Created from 2010-05-28 to 2010-06-29 )))))))))))))))))))))))))))))))
.

2010-06-29 20:49 . 2010-06-29 20:49 -------- d-----w- c:\program files\CCleaner
2010-06-28 14:23 . 2010-06-28 14:28 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-06-25 13:31 . 2010-06-25 13:31 -------- d-----w- c:\documents and settings\rbenning\Local Settings\Application Data\Safe mirror
2010-06-25 13:30 . 2010-06-25 14:09 -------- d-----w- c:\program files\Cobian Backup 10
2010-06-23 14:20 . 2010-06-23 14:20 -------- d-----w- c:\program files\Sophos
2010-06-23 12:38 . 2010-06-23 12:38 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-06-23 12:24 . 2010-06-23 14:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-06-23 00:57 . 2010-06-23 00:57 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Symantec
2010-06-22 21:45 . 2010-06-22 21:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-06-22 21:34 . 2010-06-22 21:34 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-06-20 01:25 . 2010-06-20 01:25 -------- d-----w- c:\documents and settings\rbenning\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2010-06-20 01:07 . 2010-06-20 01:07 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-06-20 01:03 . 2010-06-20 01:03 71680 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-06-20 01:03 . 2010-06-20 01:21 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-06-20 00:52 . 2010-06-20 00:52 503808 ----a-w- c:\documents and settings\rbenning\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4bd0f22d-n\msvcp71.dll
2010-06-20 00:52 . 2010-06-20 00:52 499712 ----a-w- c:\documents and settings\rbenning\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4bd0f22d-n\jmc.dll
2010-06-20 00:52 . 2010-06-20 00:52 348160 ----a-w- c:\documents and settings\rbenning\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4bd0f22d-n\msvcr71.dll
2010-06-20 00:52 . 2010-06-20 00:52 61440 ----a-w- c:\documents and settings\rbenning\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-2ef45426-n\decora-sse.dll
2010-06-20 00:52 . 2010-06-20 00:52 12800 ----a-w- c:\documents and settings\rbenning\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-2ef45426-n\decora-d3d.dll
2010-06-20 00:52 . 2010-06-20 00:52 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-19 22:37 . 2010-06-25 12:51 -------- d-----w- c:\program files\a-squared Free
2010-06-19 19:50 . 2010-06-19 19:50 -------- d-----w- c:\windows\system32\Registry Patrol
2010-06-19 19:50 . 2010-06-19 19:53 -------- d-----w- c:\program files\Registry Patrol
2010-06-17 23:33 . 2010-06-17 23:33 -------- d-----w- C:\Chart
2010-06-16 16:16 . 2010-06-18 14:11 2058 ----a-w- c:\windows\system32\adptifq.sys
2010-06-11 12:56 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-02 12:28 . 2010-06-02 12:28 -------- d-----w- c:\documents and settings\rbenning\Local Settings\Application Data\{69E13F35-3B6B-431D-8F13-DC3CFAC92C7E}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-29 22:12 . 2008-10-28 22:10 -------- d-----w- c:\program files\Symantec AntiVirus
2010-06-29 20:39 . 2007-07-05 08:29 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2010-06-28 14:22 . 2010-01-09 12:46 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-25 23:18 . 2009-02-05 22:56 -------- d-----w- c:\documents and settings\rbenning\Application Data\U3
2010-06-25 10:40 . 2007-07-05 09:27 -------- d-----w- c:\program files\Java
2010-06-21 10:46 . 2010-05-04 00:03 -------- d-----w- c:\documents and settings\LocalService\Application Data\HPAppData
2010-06-20 00:52 . 2007-07-05 09:27 -------- d-----w- c:\program files\Common Files\Java
2010-06-19 17:04 . 2010-05-04 01:34 120 ----a-w- c:\windows\Xfacevocogir.dat
2010-06-19 10:43 . 2010-05-04 01:34 0 ----a-w- c:\windows\Xvacufuqosejefiq.bin
2010-06-18 14:03 . 2009-10-05 17:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-13 18:02 . 2008-01-08 14:14 273 ---h--r- c:\windows\WINFPP.dat
2010-06-10 13:33 . 2010-06-10 13:33 4 ----a-w- c:\documents and settings\rbenning\Application Data\dhxiuw.dat
2010-06-04 21:43 . 2009-06-27 22:57 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-18 16:23 . 2010-04-04 22:53 -------- d-----w- c:\documents and settings\rbenning\Application Data\HPAppData
2010-05-08 23:01 . 2009-02-21 13:16 -------- d-----w- c:\program files\Watchtower
2010-05-06 10:41 . 2004-08-04 08:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 14:07 . 2008-10-28 22:10 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-05-04 14:07 . 2007-07-05 09:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-05-04 10:09 . 2009-02-05 22:56 -------- d-----w- c:\documents and settings\rbenning\Application Data\Pershing
2010-05-04 01:26 . 2010-05-04 01:26 20 ----a-w- c:\documents and settings\rbenning\Application Data\qvjsge.dat
2010-05-02 05:22 . 2004-08-04 08:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 19:39 . 2009-10-05 17:50 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2009-10-05 17:50 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 05:30 . 2004-08-04 08:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-04 22:53 . 2010-04-04 22:50 23101 ----a-w- c:\windows\hpqins15.dat
2010-04-04 22:44 . 2010-04-04 22:24 157657 ----a-w- c:\windows\hpoins28.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsmqIntCert"="mqrt.dll" [2008-04-14 177152]
"CognizanceTS"="c:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2003-12-22 17920]
"Recguard"="c:\windows\Sminst\Recguard.exe" [2005-12-20 1187840]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"DNS7reminder"="c:\program files\Nuance\NaturallySpeaking10\Ereg\Ereg.exe" [2007-04-16 259624]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-03-15 125632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2007-02-07 01:30 74240 ----a-r- c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\APSHook.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2025429265-1450960922-725345543-1146\Scripts\Logon\0\0]
"Script"=Map_Drives.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2025429265-1450960922-725345543-1160\Scripts\Logon\0\0]
"Script"=Map_Drives.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2025429265-1450960922-725345543-500\Scripts\Logon\0\0]
"Script"=Map_Drives.bat

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DVD Check.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\DVD Check.lnk
backup=c:\windows\pss\DVD Check.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk
backup=c:\windows\pss\hp psc 2000 Series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AccelerometerSysTrayApplet]
2007-01-24 22:28 124928 ----a-w- c:\windows\system32\accelerometerST.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 05:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
2007-05-03 18:52 57344 ----a-w- c:\program files\Hewlett-Packard\Default Settings\Cpqset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2007-02-26 10:34 155648 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2008-12-08 19:50 54576 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2007-08-22 20:31 80896 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
2007-03-01 19:18 472776 ----a-w- c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPWWANGSAssistant]
2007-02-26 19:07 3946040 ----a-w- c:\swsetup\HPQWWAN\HPWWanGSAssistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2007-02-26 10:34 131072 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDF Complete]
2007-02-20 21:48 331552 ----a-w- c:\program files\PDF Complete\pdfsty.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2007-02-26 10:33 131072 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PTHOSTTR]
2007-01-09 22:52 145184 ----a-w- c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\pthosttr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
2007-03-05 22:54 159744 ----a-w- c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Scheduler]
2006-10-09 18:23 697976 ----a-w- c:\windows\SMINST\Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
2006-07-13 14:12 729088 ----a-w- c:\program files\Analog Devices\SoundMAX\SMax4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2007-01-05 16:36 872448 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2006-10-25 13:03 210472 ----a-w- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2008-03-28 06:28 1040384 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatchDog]
2007-05-23 19:00 192512 ----a-w- c:\program files\InterVideo\DVD Check\DVDCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\WINDOWS\\SMINST\\Scheduler.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\rbenning\\My Documents\\Copy of files 12-24-2009\\Old C Drive\\Tams11\\Games\\UR\\ur.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=

R2 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [6/25/2010 6:53 AM 1872320]
R2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe -k Cognizance [8/4/2004 4:00 AM 14336]
R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [8/4/2004 4:00 AM 14336]
R2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [7/5/2007 5:05 AM 539936]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/14/2007 8:48 PM 116416]
R2 SWIHPWMI;SWIHPWMI;c:\program files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe [12/4/2006 8:13 PM 292384]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/21/2010 9:06 AM 102448]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [1/23/2007 3:13 PM 36608]
R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [7/5/2007 4:24 AM 47616]
S0 amikv;amikv;c:\windows\system32\drivers\vqkj.sys --> c:\windows\system32\drivers\vqkj.sys [?]
S0 inoby;inoby;c:\windows\system32\drivers\rlowbps.sys --> c:\windows\system32\drivers\rlowbps.sys [?]
S2 AtiTlntSvr;Ati HotKey Poller AtiTlntSvr;c:\windows\system32\amcompats.exe srv --> c:\windows\system32\amcompats.exe srv [?]
S2 srserviceImapiService Driver HPZ12;System Restore Service srserviceImapiService srserviceImapiService Driver HPZ12;c:\windows\system32\12520850y.exe srv --> c:\windows\system32\12520850y.exe srv [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\3.tmp --> c:\windows\system32\3.tmp [?]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [7/10/2008 8:28 PM 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [7/10/2008 2:49 AM 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [7/10/2008 8:28 PM 369688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
Cognizance REG_MULTI_SZ ASBroker ASChannel
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-06-29 c:\windows\Tasks\User_Feed_Synchronization-{17C5AA62-C785-44D6-A5FC-A82A65777AFE}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 08:31]

2010-06-29 c:\windows\Tasks\User_Feed_Synchronization-{2C09FFE3-1847-4924-93AF-07C0D608E884}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 08:31]
.
.
------- Supplementary Scan -------
.
uLocal Page = \blank.htm
uStart Page = hxxp://money.cnn.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: cadaretgrant.com\clients
Trusted Zone: cadaretgrant.com\www
DPF: ActiveGS.cab - hxxp://www.virtualapple.org/gs.cab
DPF: {0DAE2660-E5A0-11D1-9223-00C04FB62F94} - hxxp://clients.cadaretgrant.com/BrServer/gv.cab
DPF: {5EDFB065-B6CB-11D2-9481-00C04FA89D4D} - hxxp://clients.cadaretgrant.com/BRSERVER/BreuHook.cab
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
SafeBoot-klmdb.sys
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
AddRemove-Octoshape add-in for Adobe Flash Player - c:\documents and settings\rbenning\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-29 18:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\pdfcDispatcher]
"ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\3.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1004)
c:\windows\system32\Ati2evxx.dll
c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
c:\program files\Hewlett-Packard\IAM\bin\ItMsg.dll

- - - - - - - > 'explorer.exe'(3992)
c:\windows\system32\WININET.dll
c:\windows\system32\APSHook.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\windows\System32\SCardSvr.exe
c:\windows\system32\msdtc.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Hewlett-Packard\IAM\bin\asghost.exe
c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\mqsvc.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\mqtgsvc.exe
.
**************************************************************************
.
Completion time: 2010-06-29 18:31:57 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-29 22:31

Pre-Run: 81,096,282,112 bytes free
Post-Run: 81,294,536,704 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - CA8FA7B36A1C3C958BB1305186F4E1D6

Thanks.



#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,706 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:25 PM

Posted 29 June 2010 - 06:08 PM

Well done.
  1. Open notepad and copy/paste the text in the code box below into it:

    CODE
    http://www.bleepingcomputer.com/forums/t/327121/backdoortidservinf-and-ie-redirectspopups/

    Collect::
    c:\windows\system32\adptifq.sys
    c:\windows\system32\drivers\vqkj.sys
    c:\windows\system32\drivers\rlowbps.sys
    c:\windows\Xfacevocogir.dat
    c:\windows\Xvacufuqosejefiq.bin
    Driver::
    amikv
    inoby
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=-


    Save this as CFScript.txt





    Referring to the picture above, drag CFScript.txt into ComboFix.exe

    When finished, it shall produce a log for you. Please copy and paste that log in your next reply.

    **Important Note**

    When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

  2. Run GMER, uncheck all boxes but let the box next to Registry and C drive remain checked. Click Scan.
    When it has finished, press Save to save the log and post it in your reply. It will not take more than a minute.
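The CFScript above targets exactly two kinds of entry from the ComboFix log posted earlier: services whose image file no longer exists on disk (the lines ending in "[?]", here the boot-start drivers amikv and inoby) and the three Security Center "DisableMonitoring" values that stop Windows from reporting the state of the Symantec products. The following is an added example, not code from this thread or from ComboFix's author, showing how an analyst can pull those two indicator types out of a ComboFix log automatically. The sample log is constructed from lines copied from leenyd's post; the reading of the service prefix (R = running, S = stopped, digit = start type) is my assumption about ComboFix's convention, not something the thread states.

```python
import re
from typing import Dict, List

# Constructed sample: lines copied from the ComboFix log posted earlier in this
# thread (services section, two Security Center keys and one benign Run key).
SAMPLE_LOG = r"""R2 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [6/25/2010 6:53 AM 1872320]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [1/23/2007 3:13 PM 36608]
S0 amikv;amikv;c:\windows\system32\drivers\vqkj.sys --> c:\windows\system32\drivers\vqkj.sys [?]
S0 inoby;inoby;c:\windows\system32\drivers\rlowbps.sys --> c:\windows\system32\drivers\rlowbps.sys [?]
S2 AtiTlntSvr;Ati HotKey Poller AtiTlntSvr;c:\windows\system32\amcompats.exe srv --> c:\windows\system32\amcompats.exe srv [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\3.tmp --> c:\windows\system32\3.tmp [?]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [7/10/2008 2:49 AM 242712]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]
"""

# Service line: "<R|S><start type> <name>;<display name>;<image path> [...]".
# Assumption: R = running, S = stopped, digit = Windows start type.
SERVICE_RE = re.compile(r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
# REGEDIT4-style key header and value line as ComboFix prints them.
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')

START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}
SECURITY_CENTER_MONITORING = r"security center\monitoring"


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return indicator entries found in a ComboFix log.

    Two checks are implemented:
      * missing_binary   - a service/driver whose image path ComboFix marks "[?]"
                           (the file is gone but the registration remains)
      * security_center  - a DisableMonitoring=1 value under Security Center,
                           which silences the 'antivirus is off' notification
    """
    findings: List[Dict[str, str]] = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = SERVICE_RE.match(line)
        if m:
            rest = m.group("rest").strip()
            if rest.endswith("[?]"):
                # ComboFix prints "<path> --> <path> [?]" when the file is absent.
                image = rest.split(" --> ")[0].strip()
                start = START_TYPES.get(m.group("start"), "unknown")
                findings.append({
                    "kind": "missing_binary",
                    "item": m.group("name"),
                    "detail": f"{start}-start service/driver, image not on disk: {image}",
                })
            continue

        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue

        m = VALUE_RE.match(line)
        if m and SECURITY_CENTER_MONITORING in current_key.lower():
            if m.group("name") == "DisableMonitoring" and m.group("data") == "dword:00000001":
                findings.append({
                    "kind": "security_center",
                    "item": current_key,
                    "detail": "Security Center monitoring disabled for this product",
                })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']:16} {f['item']}: {f['detail']}")
```

Run against the sample, the script lists four services with a missing binary (amikv, inoby, AtiTlntSvr, MEMSWEEP2) and two disabled Security Center entries. Note that Farbar's script removes only amikv and inoby: a registration whose file is gone is a triage hit, not a verdict, and a boot-start driver pointing at a random-looking filename deserves different treatment from a stopped helper service or a scanner's own temporary driver. The parser narrows the log to the lines worth an analyst's attention; the decision stays with the analyst.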


#11 leenyd

leenyd
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  • Local time:08:25 AM

Posted 29 June 2010 - 06:59 PM

Hello Farbar,

Here is the log CFScript.txt and ComboFix.exe produced.

Also, I ran GMER twice. Both times it produced no log. Instead, a message popped up saying, "GMER hasn't found any system modification."

The CFScript.txt/ComboFix log is below.

Thanks.

ComboFix 10-06-29.02 - rbenning 06/29/2010 19:21:57.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.415 [GMT -4:00]
Running from: c:\documents and settings\rbenning\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\rbenning\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

file zipped: c:\windows\system32\adptifq.sys
file zipped: c:\windows\Xfacevocogir.dat
file zipped: c:\windows\Xvacufuqosejefiq.bin
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\adptifq.sys
c:\windows\Xfacevocogir.dat
c:\windows\Xvacufuqosejefiq.bin

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_amikv
-------\Service_inoby


((((((((((((((((((((((((( Files Created from 2010-05-28 to 2010-06-29 )))))))))))))))))))))))))))))))
.

2010-06-29 20:49 . 2010-06-29 20:49 -------- d-----w- c:\program files\CCleaner
2010-06-28 14:23 . 2010-06-28 14:28 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-06-25 13:31 . 2010-06-25 13:31 -------- d-----w- c:\documents and settings\rbenning\Local Settings\Application Data\Safe mirror
2010-06-25 13:30 . 2010-06-25 14:09 -------- d-----w- c:\program files\Cobian Backup 10
2010-06-23 14:20 . 2010-06-23 14:20 -------- d-----w- c:\program files\Sophos
2010-06-23 12:38 . 2010-06-23 12:38 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-06-23 12:24 . 2010-06-23 14:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-06-23 00:57 . 2010-06-23 00:57 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Symantec
2010-06-22 21:45 . 2010-06-22 21:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-06-22 21:34 . 2010-06-22 21:34 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-06-20 01:25 . 2010-06-20 01:25 -------- d-----w- c:\documents and settings\rbenning\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2010-06-20 01:07 . 2010-06-20 01:07 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-06-20 01:03 . 2010-06-20 01:03 71680 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-06-20 01:03 . 2010-06-20 01:21 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-06-20 00:52 . 2010-06-20 00:52 503808 ----a-w- c:\documents and settings\rbenning\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4bd0f22d-n\msvcp71.dll
2010-06-20 00:52 . 2010-06-20 00:52 499712 ----a-w- c:\documents and settings\rbenning\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4bd0f22d-n\jmc.dll
2010-06-20 00:52 . 2010-06-20 00:52 348160 ----a-w- c:\documents and settings\rbenning\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4bd0f22d-n\msvcr71.dll
2010-06-20 00:52 . 2010-06-20 00:52 61440 ----a-w- c:\documents and settings\rbenning\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-2ef45426-n\decora-sse.dll
2010-06-20 00:52 . 2010-06-20 00:52 12800 ----a-w- c:\documents and settings\rbenning\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-2ef45426-n\decora-d3d.dll
2010-06-20 00:52 . 2010-06-20 00:52 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-19 22:37 . 2010-06-25 12:51 -------- d-----w- c:\program files\a-squared Free
2010-06-19 19:50 . 2010-06-19 19:50 -------- d-----w- c:\windows\system32\Registry Patrol
2010-06-19 19:50 . 2010-06-19 19:53 -------- d-----w- c:\program files\Registry Patrol
2010-06-17 23:33 . 2010-06-17 23:33 -------- d-----w- C:\Chart
2010-06-11 12:56 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-02 12:28 . 2010-06-02 12:28 -------- d-----w- c:\documents and settings\rbenning\Local Settings\Application Data\{69E13F35-3B6B-431D-8F13-DC3CFAC92C7E}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-29 23:33 . 2008-10-28 22:10 -------- d-----w- c:\program files\Symantec AntiVirus
2010-06-29 20:39 . 2007-07-05 08:29 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2010-06-28 14:22 . 2010-01-09 12:46 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-25 23:18 . 2009-02-05 22:56 -------- d-----w- c:\documents and settings\rbenning\Application Data\U3
2010-06-25 10:40 . 2007-07-05 09:27 -------- d-----w- c:\program files\Java
2010-06-21 10:46 . 2010-05-04 00:03 -------- d-----w- c:\documents and settings\LocalService\Application Data\HPAppData
2010-06-20 00:52 . 2007-07-05 09:27 -------- d-----w- c:\program files\Common Files\Java
2010-06-18 14:03 . 2009-10-05 17:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-13 18:02 . 2008-01-08 14:14 273 ---h--r- c:\windows\WINFPP.dat
2010-06-10 13:33 . 2010-06-10 13:33 4 ----a-w- c:\documents and settings\rbenning\Application Data\dhxiuw.dat
2010-06-04 21:43 . 2009-06-27 22:57 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-18 16:23 . 2010-04-04 22:53 -------- d-----w- c:\documents and settings\rbenning\Application Data\HPAppData
2010-05-08 23:01 . 2009-02-21 13:16 -------- d-----w- c:\program files\Watchtower
2010-05-06 10:41 . 2004-08-04 08:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 14:07 . 2008-10-28 22:10 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-05-04 14:07 . 2007-07-05 09:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-05-04 10:09 . 2009-02-05 22:56 -------- d-----w- c:\documents and settings\rbenning\Application Data\Pershing
2010-05-04 01:26 . 2010-05-04 01:26 20 ----a-w- c:\documents and settings\rbenning\Application Data\qvjsge.dat
2010-05-02 05:22 . 2004-08-04 08:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 19:39 . 2009-10-05 17:50 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2009-10-05 17:50 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 05:30 . 2004-08-04 08:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-04 22:53 . 2010-04-04 22:50 23101 ----a-w- c:\windows\hpqins15.dat
2010-04-04 22:44 . 2010-04-04 22:24 157657 ----a-w- c:\windows\hpoins28.dat
.

((((((((((((((((((((((((((((( SnapShot@2010-06-29_22.27.05 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-06-29 23:31 . 2010-06-29 23:31 16384 c:\windows\Temp\Perflib_Perfdata_5b8.dat
+ 2004-08-07 13:14 . 2010-06-29 22:30 99224 c:\windows\system32\perfc009.dat
- 2004-08-07 13:14 . 2010-06-29 21:58 99224 c:\windows\system32\perfc009.dat
+ 2004-08-07 13:14 . 2010-06-29 22:30 518292 c:\windows\system32\perfh009.dat
- 2004-08-07 13:14 . 2010-06-29 21:58 518292 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsmqIntCert"="mqrt.dll" [2008-04-14 177152]
"CognizanceTS"="c:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2003-12-22 17920]
"Recguard"="c:\windows\Sminst\Recguard.exe" [2005-12-20 1187840]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"DNS7reminder"="c:\program files\Nuance\NaturallySpeaking10\Ereg\Ereg.exe" [2007-04-16 259624]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-03-15 125632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2007-02-07 01:30 74240 ----a-r- c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\APSHook.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2025429265-1450960922-725345543-1146\Scripts\Logon\0\0]
"Script"=Map_Drives.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2025429265-1450960922-725345543-1160\Scripts\Logon\0\0]
"Script"=Map_Drives.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2025429265-1450960922-725345543-500\Scripts\Logon\0\0]
"Script"=Map_Drives.bat

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DVD Check.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\DVD Check.lnk
backup=c:\windows\pss\DVD Check.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk
backup=c:\windows\pss\hp psc 2000 Series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AccelerometerSysTrayApplet]
2007-01-24 22:28 124928 ----a-w- c:\windows\system32\accelerometerST.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 05:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
2007-05-03 18:52 57344 ----a-w- c:\program files\Hewlett-Packard\Default Settings\Cpqset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2007-02-26 10:34 155648 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2008-12-08 19:50 54576 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2007-08-22 20:31 80896 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
2007-03-01 19:18 472776 ----a-w- c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPWWANGSAssistant]
2007-02-26 19:07 3946040 ----a-w- c:\swsetup\HPQWWAN\HPWWanGSAssistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2007-02-26 10:34 131072 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDF Complete]
2007-02-20 21:48 331552 ----a-w- c:\program files\PDF Complete\pdfsty.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2007-02-26 10:33 131072 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PTHOSTTR]
2007-01-09 22:52 145184 ----a-w- c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\pthosttr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
2007-03-05 22:54 159744 ----a-w- c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Scheduler]
2006-10-09 18:23 697976 ----a-w- c:\windows\SMINST\Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
2006-07-13 14:12 729088 ----a-w- c:\program files\Analog Devices\SoundMAX\SMax4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2007-01-05 16:36 872448 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2006-10-25 13:03 210472 ----a-w- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2008-03-28 06:28 1040384 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatchDog]
2007-05-23 19:00 192512 ----a-w- c:\program files\InterVideo\DVD Check\DVDCheck.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\WINDOWS\\SMINST\\Scheduler.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\rbenning\\My Documents\\Copy of files 12-24-2009\\Old C Drive\\Tams11\\Games\\UR\\ur.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=

R2 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [6/25/2010 6:53 AM 1872320]
R2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe -k Cognizance [8/4/2004 4:00 AM 14336]
R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [8/4/2004 4:00 AM 14336]
R2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [7/5/2007 5:05 AM 539936]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/14/2007 8:48 PM 116416]
R2 SWIHPWMI;SWIHPWMI;c:\program files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe [12/4/2006 8:13 PM 292384]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/21/2010 9:06 AM 102448]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [1/23/2007 3:13 PM 36608]
R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [7/5/2007 4:24 AM 47616]
S2 AtiTlntSvr;Ati HotKey Poller AtiTlntSvr;c:\windows\system32\amcompats.exe srv --> c:\windows\system32\amcompats.exe srv [?]
S2 srserviceImapiService Driver HPZ12;System Restore Service srserviceImapiService srserviceImapiService Driver HPZ12;c:\windows\system32\12520850y.exe srv --> c:\windows\system32\12520850y.exe srv [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\3.tmp --> c:\windows\system32\3.tmp [?]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [7/10/2008 8:28 PM 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [7/10/2008 2:49 AM 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [7/10/2008 8:28 PM 369688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
Cognizance REG_MULTI_SZ ASBroker ASChannel
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-06-29 c:\windows\Tasks\User_Feed_Synchronization-{17C5AA62-C785-44D6-A5FC-A82A65777AFE}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 08:31]

2010-06-29 c:\windows\Tasks\User_Feed_Synchronization-{2C09FFE3-1847-4924-93AF-07C0D608E884}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 08:31]
.
.
------- Supplementary Scan -------
.
uLocal Page = \blank.htm
uStart Page = hxxp://money.cnn.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: cadaretgrant.com\clients
Trusted Zone: cadaretgrant.com\www
DPF: ActiveGS.cab - hxxp://www.virtualapple.org/gs.cab
DPF: {0DAE2660-E5A0-11D1-9223-00C04FB62F94} - hxxp://clients.cadaretgrant.com/BrServer/gv.cab
DPF: {5EDFB065-B6CB-11D2-9481-00C04FA89D4D} - hxxp://clients.cadaretgrant.com/BRSERVER/BreuHook.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-29 19:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\pdfcDispatcher]
"ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\3.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1004)
c:\windows\system32\Ati2evxx.dll
c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
c:\program files\Hewlett-Packard\IAM\bin\ItMsg.dll

- - - - - - - > 'explorer.exe'(568)
c:\windows\system32\WININET.dll
c:\windows\system32\APSHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\msi.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\windows\System32\SCardSvr.exe
c:\windows\system32\msdtc.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Hewlett-Packard\IAM\bin\asghost.exe
c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\mqsvc.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\mqtgsvc.exe
.
**************************************************************************
.
Completion time: 2010-06-29 19:38:03 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-29 23:38
ComboFix2.txt 2010-06-29 22:32

Pre-Run: 81,319,014,400 bytes free
Post-Run: 81,298,059,264 bytes free

- - End Of File - - 71B40D968BB22F6745584D6EFE67A8ED
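As an added example that is not part of the thread or of ComboFix itself: a small Python triage helper for the service section of a ComboFix log in the format shown above. It assumes that ComboFix prints `[?]` in place of the timestamp and size when it could not read the image file; the sample lines are copied from the log above.

```python
import re

# Constructed sample: the service lines copied from the ComboFix log above.
SAMPLE_LOG = r"""
R2 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [6/25/2010 6:53 AM 1872320]
R2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe -k Cognizance [8/4/2004 4:00 AM 14336]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [1/23/2007 3:13 PM 36608]
S2 AtiTlntSvr;Ati HotKey Poller AtiTlntSvr;c:\windows\system32\amcompats.exe srv --> c:\windows\system32\amcompats.exe srv [?]
S2 srserviceImapiService Driver HPZ12;System Restore Service srserviceImapiService srserviceImapiService Driver HPZ12;c:\windows\system32\12520850y.exe srv --> c:\windows\system32\12520850y.exe srv [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\3.tmp --> c:\windows\system32\3.tmp [?]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [7/10/2008 2:49 AM 242712]
"""

# One ComboFix service line: "<state> <name>;<display name>;<image path> [<date> <time> <size>]".
# Assumption: when ComboFix cannot read the file, the bracket holds only "?".
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.*?)\s*\[(?P<meta>[^\]]*)\]\s*$"
)


def parse_services(log_text):
    """Return one dict per service line; lines in any other format are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def image_extension(image):
    """Extension of the binary the entry resolves to (right of '-->' when present)."""
    resolved = image.split("-->")[-1].strip().lower()
    m = re.search(r"\.([a-z0-9]+)(?:\s|$)", resolved)
    return m.group(1) if m else ""


def flag_service(entry):
    """Reasons an entry deserves a closer look; an empty list means nothing unusual."""
    reasons = []
    if entry["meta"].strip() == "?":
        reasons.append("no timestamp/size: ComboFix could not read the image file")
    if image_extension(entry["image"]) == "tmp":
        reasons.append("service image is a .tmp file rather than an installed binary")
    return reasons


def triage(log_text):
    """Map service name -> reasons, for every flagged service line in the log."""
    flagged = {}
    for entry in parse_services(log_text):
        reasons = flag_service(entry)
        if reasons:
            flagged[entry["name"]] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG).items():
        print(name, "->", "; ".join(reasons))
```

Flagged entries are only leads for the helper reading the log; a missing file can also mean a leftover of an uninstalled product, so each one still needs to be checked by hand.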


#12 Farbar

    Just Curious

  • Security Developer
  • 21,706 posts
  • Gender:Male
  • Location:The Netherlands

Posted 29 June 2010 - 07:06 PM

We have cleaned all we could see on the logs and the active malware is taken care of. To prevent reinfection we need to look for any potential threat too.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop.
  • Check
  • Click the button.
  • Accept any security warnings from your browser.
  • Check
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the button.
  • Push

A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

#13 leenyd

  • Topic Starter
  • Members
  • 40 posts

Posted 29 June 2010 - 09:19 PM

Hello Farbar,

The ESET scan is finished. Here is the log. Thanks.

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=96767228fbb57f4990f483f54ed3b0e1
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-06-30 02:08:46
# local_time=2010-06-29 10:08:46 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=114626
# found=1
# cleaned=1
# scan_time=4835
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\0\55208680-7d599211 probably a variant of Win32/TrojanDownloader.Agent trojan (deleted - quarantined) 00000000000000000000000000000000 C


#14 Farbar

    Just Curious

  • Security Developer
  • 21,706 posts
  • Gender:Male
  • Location:The Netherlands

Posted 30 June 2010 - 04:00 AM

It looks good and you are good to go.
  1. To re-enable your Emulation drivers, double click DeFogger to run the tool.
    • The application window will appear
    • Click the Re-enable button to re-enable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger will now ask to reboot the machine - click OK
    IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

    Your Emulation drivers are now re-enabled.

  2. It is important to uninstall ComboFix.

    Go to Start => Run => copy and paste next command in the field then hit enter:

    ComboFix /Uninstall

    This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

    It makes a clean Restore Point and clears all the old restore points in order to prevent possible reinfection from an old one through system restore.

  3. You may delete any tool or log we used from your computer.

  4. I recommend installing this small application for safe surfing: Javacool's SpywareBlaster
    SpywareBlaster will add a large list of programs and sites into your Internet Explorer and Firefox settings and that will protect you from running and downloading known malicious programs.
    • Download and install it.
    • Update it manually by clicking on Updates in the left pane and then Check for Updates.
    • Then enable all the protections by clicking on Protection Status on the left pane. Then click on Enable All Protection.
    • The free version doesn't have an automatic update. Update it once in two or three weeks and enable all protection again.

Happy Surfing leenyd.

#15 leenyd

  • Topic Starter
  • Members
  • 40 posts

Posted 30 June 2010 - 07:10 AM

Hello Farbar,

Thank you so very much for your help! The computer is running wonderfully.

Thanks again!



