
Atapi.sys rootkit, google redirect, virtumonde, and backdoor.bot


2 replies to this topic

#1 jppianoguy

jppianoguy

  • Members
  • 1 posts
  • OFFLINE
  • Local time:08:59 AM

Posted 30 June 2010 - 11:04 AM

For some reason, this post didn't work last time. I don't have time to go over everything I tried the first time, so here's the stripped-down version.

Running Windows XP SP3.

When clicking on a YouTube video, Avira antivirus gave me a popup saying it was blocking an incoming attack.

After that, Google Chrome crashed.

I ran an Avira scan with no results, then followed up with Malwarebytes Anti-Malware. It found a backdoor.bot infection in a Move Networks media player file. I let it clean the infection, then uninstalled that program anyway since I don't remember installing it. I also ran CCleaner to clean the registry.

After that, I used IE and got 60% of my search results redirected when I clicked the links. Also, the Just-In-Time script debugger kept popping up, even when I restarted before logging in.

I installed Avast, and ran a full scan and a boot scan. Boot scan found some corrupted zips, which I deleted.
Still having the problem, I installed Spybot and ran some scans there; it found 2 virtumonde.* and 1 Windows Security Center firewall bypass.

No luck.

I ran GMER and it found 2 suspicious atapi.sys entries (sorry, I didn't save the log from this).

I skipped protocol (sorry!) and ran ComboFix without being told to do so.

I've run several HijackThis logs along the way and disabled a few items that I deemed unnecessary/dangerous.

That seems to have fixed most of the problem except one: at some point during the infected period, I clicked a link in an email that tried to run an exe that, luckily, crashed. (I know what you're going to say, but I have to download files that people send me using these services, which require me to click links in emails as part of my job.)

Now when I try to run Outlook and open that email, it crashes. I'm wondering if it's a residual from those infections and the whole cleanup process. I am posting a ComboFix log below:


***********************************************************
***********************************************************

Combofix:


ComboFix 10-06-29.04 - Jarrett 06/30/2010 10:09:40.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1499 [GMT -4:00]
Running from: c:\documents and settings\Jarrett\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Jarrett\Favorites\Games.url
c:\documents and settings\Jarrett\g2mdlhlpx.exe
c:\documents and settings\Jarrett\Local Settings\Temporary Internet Files\plot.log
C:\Install.exe
c:\windows\Downloaded Program Files\image
c:\windows\Downloaded Program Files\panorama
c:\windows\Downloaded Program Files\panorama\1\c_cr_p_1_2.jpg
c:\windows\Downloaded Program Files\panorama\1\c_cr_p_1_2.jpg.html
c:\windows\Downloaded Program Files\panorama\1\cr_p_1_2.jpg
c:\windows\Downloaded Program Files\panorama\1\cr_p_1_2.jpg.html
c:\windows\Downloaded Program Files\panorama\1\p_1_1.jpg
c:\windows\Downloaded Program Files\panorama\1\p_1_1.jpg_1.html
c:\windows\Downloaded Program Files\panorama\1\p_1_2.jpg
c:\windows\Downloaded Program Files\panorama\1\p_1_2.jpg_1.html
c:\windows\Downloaded Program Files\panorama\1\t_c_cr_p_1_2.jpg
c:\windows\Downloaded Program Files\panorama\1\t_c_cr_p_1_2.jpg.html
c:\windows\Downloaded Program Files\panorama\2\c_cr_p_2_2.jpg
c:\windows\Downloaded Program Files\panorama\2\c_cr_p_2_2.jpg.html
c:\windows\Downloaded Program Files\panorama\2\cr_p_2_2.jpg
c:\windows\Downloaded Program Files\panorama\2\cr_p_2_2.jpg.html
c:\windows\Downloaded Program Files\panorama\2\p_2_1.jpg
c:\windows\Downloaded Program Files\panorama\2\p_2_1.jpg_2.html
c:\windows\Downloaded Program Files\panorama\2\p_2_2.jpg
c:\windows\Downloaded Program Files\panorama\2\p_2_2.jpg_2.html
c:\windows\Downloaded Program Files\panorama\2\t_c_cr_p_2_2.jpg
c:\windows\Downloaded Program Files\panorama\2\t_c_cr_p_2_2.jpg.html
c:\windows\Downloaded Program Files\panorama\2008059_123211\1\1.jpg
c:\windows\Downloaded Program Files\panorama\2008059_123211\1\1.xml
c:\windows\Downloaded Program Files\panorama\2008059_123211\1\1_local.html
c:\windows\Downloaded Program Files\panorama\2008059_123211\1\panoramas.xml
c:\windows\Downloaded Program Files\panorama\2008059_123211\1\t_1.jpg
c:\windows\Downloaded Program Files\panorama\2008059_123211\2\2.jpg
c:\windows\Downloaded Program Files\panorama\2008059_123211\2\2.xml
c:\windows\Downloaded Program Files\panorama\2008059_123211\2\2_local.html
c:\windows\Downloaded Program Files\panorama\2008059_123211\2\t_2.jpg
c:\windows\system32\Thumbs.db

Infected copy of c:\windows\system32\drivers\ipsec.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-05-28 to 2010-06-30 )))))))))))))))))))))))))))))))
.

2010-06-29 20:14 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-29 20:14 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-29 20:12 . 2010-06-29 20:12 -------- d-----w- c:\program files\FileASSASSIN
2010-06-29 17:47 . 2010-06-29 17:47 -------- d-----w- C:\New Folder (2)
2010-06-29 16:47 . 2010-06-29 20:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-29 16:47 . 2010-06-29 16:59 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-29 13:36 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
2010-06-29 13:33 . 2010-06-28 20:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-06-29 13:33 . 2010-06-28 20:37 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-06-29 13:33 . 2010-06-28 20:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-06-29 13:33 . 2010-06-28 20:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-06-29 13:33 . 2010-06-28 20:32 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-06-29 13:33 . 2010-06-28 20:32 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-06-29 13:33 . 2010-06-28 20:32 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-06-29 13:33 . 2010-06-28 20:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-06-29 13:20 . 2010-06-29 13:20 -------- d-----w- c:\windows\system32\wbem\Repository
2010-06-29 13:18 . 2010-06-29 13:18 -------- d-----w- c:\documents and settings\Jarrett\Application Data\Avira
2010-06-29 13:18 . 2010-06-29 13:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-06-29 13:18 . 2010-06-29 13:18 -------- d-----w- c:\program files\Avira
2010-06-28 19:01 . 2010-06-28 19:01 -------- d-----w- c:\program files\Alwil Software
2010-06-28 19:01 . 2010-06-28 19:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-06-21 19:42 . 2010-05-23 21:50 73216 ----a-w- c:\documents and settings\Jarrett\Application Data\Mozilla\Firefox\Profiles\uba8405v.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc_fireftp.dll
2010-06-21 19:42 . 2010-04-18 18:33 307200 ----a-w- c:\documents and settings\Jarrett\Application Data\Mozilla\Firefox\Profiles\uba8405v.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\psftp.exe
2010-06-21 19:42 . 2010-04-18 18:33 172032 ----a-w- c:\documents and settings\Jarrett\Application Data\Mozilla\Firefox\Profiles\uba8405v.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\puttygen.exe
2010-06-11 13:13 . 2010-06-11 13:13 -------- d-----w- c:\program files\Common Files\Skype

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-30 13:47 . 2009-01-29 16:04 -------- d-----w- c:\documents and settings\Jarrett\Application Data\Skype
2010-06-30 13:45 . 2009-01-29 16:06 -------- d-----w- c:\documents and settings\Jarrett\Application Data\skypePM
2010-06-30 10:11 . 2008-03-26 16:19 -------- d-----w- c:\program files\LogMeIn
2010-06-29 20:14 . 2010-02-01 15:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-29 16:37 . 2009-03-20 17:55 -------- d-----w- c:\program files\OpenOffice.org 3
2010-06-29 16:33 . 2008-05-23 13:31 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-06-29 16:33 . 2009-03-09 18:18 -------- d-----w- c:\program files\Windows Media Bonus Pack for Windows XP
2010-06-29 16:32 . 2007-12-14 17:09 -------- d-----w- c:\documents and settings\Jarrett\Application Data\Move Networks
2010-06-29 16:31 . 2007-03-08 20:36 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-06-29 16:31 . 2009-05-14 16:24 -------- d-----w- c:\program files\Citrix
2010-06-29 16:30 . 2006-11-24 08:59 -------- d-----w- c:\program files\Google
2010-06-29 13:23 . 2006-11-24 09:01 5427 ----a-w- c:\windows\system32\EGATHDRV.SYS
2010-06-09 18:44 . 2007-08-03 19:04 13408 ----a-w- c:\windows\system32\drivers\radpms.sys
2010-06-09 18:44 . 2008-03-26 16:20 29568 ----a-w- c:\windows\system32\LMIport.dll
2010-06-09 18:44 . 2008-03-26 16:20 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2010-06-09 18:44 . 2008-03-26 16:19 87424 ----a-w- c:\windows\system32\LMIinit.dll
2010-06-04 18:42 . 2008-04-04 14:21 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-31 16:55 . 2010-05-17 15:26 -------- d-----w- c:\documents and settings\Jarrett\Application Data\HpUpdate
2010-05-25 20:00 . 2009-01-16 18:27 256 ----a-w- c:\windows\system32\pool.bin
2010-05-21 18:14 . 2009-10-02 20:49 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-17 19:30 . 2010-04-28 20:03 -------- d-----w- c:\documents and settings\Jarrett\Application Data\FileZilla
2010-05-17 15:28 . 2010-02-03 20:44 -------- d-----w- c:\program files\HP
2010-05-14 14:27 . 2007-10-30 17:04 -------- d-----w- c:\documents and settings\Jarrett\Application Data\gtk-2.0
2010-05-13 14:12 . 2010-05-13 14:12 256 ----a-w- c:\documents and settings\Jarrett\pool.bin
2010-05-06 15:16 . 2007-12-19 16:32 -------- d-----w- c:\documents and settings\All Users\Application Data\OsaSync
2010-05-05 18:13 . 2010-05-05 18:13 -------- d-----w- c:\program files\Common Files\KIP
2010-05-05 18:13 . 2010-05-05 18:13 -------- d-----w- c:\program files\KIP
2010-05-04 17:20 . 2006-04-30 06:56 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20 . 2009-05-08 14:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20 . 2006-04-30 06:55 17408 ----a-w- c:\windows\system32\corpol.dll
2010-05-03 15:40 . 2009-10-09 16:49 123134 ----a-w- c:\windows\File Renamer - Basic Uninstaller.exe
2010-05-03 15:40 . 2009-10-09 16:49 -------- d-----w- c:\program files\File Renamer
2010-05-02 05:22 . 2006-04-30 06:55 1851264 ------w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2006-04-30 06:55 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-05 15:50 . 2010-02-22 19:29 69632 ----a-r- c:\documents and settings\Jarrett\Application Data\Microsoft\Installer\{205A5182-EFC8-4C25-B61D-C164F8FF4048}\NewShortcut600_C6ABA3677F944B9FBB00F060701B0B5A.exe
2010-04-05 15:50 . 2010-02-22 19:29 69632 ----a-r- c:\documents and settings\Jarrett\Application Data\Microsoft\Installer\{205A5182-EFC8-4C25-B61D-C164F8FF4048}\NewShortcut60_C6ABA3677F944B9FBB00F060701B0B5A.exe
2010-04-05 15:50 . 2010-02-22 19:29 69632 ----a-r- c:\documents and settings\Jarrett\Application Data\Microsoft\Installer\{205A5182-EFC8-4C25-B61D-C164F8FF4048}\NewShortcut6_C6ABA3677F944B9FBB00F060701B0B5A.exe
2010-04-05 15:50 . 2010-02-22 19:29 69632 ----a-r- c:\documents and settings\Jarrett\Application Data\Microsoft\Installer\{205A5182-EFC8-4C25-B61D-C164F8FF4048}\NewShortcut5_C6ABA3677F944B9FBB00F060701B0B5A.exe
2010-04-05 15:50 . 2010-02-22 19:29 49152 ----a-r- c:\documents and settings\Jarrett\Application Data\Microsoft\Installer\{205A5182-EFC8-4C25-B61D-C164F8FF4048}\RedirectorEXE2_770DFD1204C24F4DA163D64FACCB5CBD.exe
2010-04-05 15:50 . 2010-02-22 19:29 69632 ----a-r- c:\documents and settings\Jarrett\Application Data\Microsoft\Installer\{205A5182-EFC8-4C25-B61D-C164F8FF4048}\NewShortcut4_C6ABA3677F944B9FBB00F060701B0B5A.exe
2010-04-05 15:50 . 2010-02-22 19:29 69632 ----a-r- c:\documents and settings\Jarrett\Application Data\Microsoft\Installer\{205A5182-EFC8-4C25-B61D-C164F8FF4048}\NewShortcut3_C6ABA3677F944B9FBB00F060701B0B5A.exe
2010-04-05 15:50 . 2010-02-22 19:29 69632 ----a-r- c:\documents and settings\Jarrett\Application Data\Microsoft\Installer\{205A5182-EFC8-4C25-B61D-C164F8FF4048}\NewShortcut12_C6ABA3677F944B9FBB00F060701B0B5A.exe
2010-04-05 15:50 . 2010-02-22 19:29 49152 ----a-r- c:\documents and settings\Jarrett\Application Data\Microsoft\Installer\{205A5182-EFC8-4C25-B61D-C164F8FF4048}\RedirectorEXE1_770DFD1204C24F4DA163D64FACCB5CBD.exe
2010-04-05 15:50 . 2010-02-22 19:29 49152 ----a-r- c:\documents and settings\Jarrett\Application Data\Microsoft\Installer\{205A5182-EFC8-4C25-B61D-C164F8FF4048}\RedirectorEXE_770DFD1204C24F4DA163D64FACCB5CBD.exe
2010-04-05 15:50 . 2010-02-22 19:29 69632 ----a-r- c:\documents and settings\Jarrett\Application Data\Microsoft\Installer\{205A5182-EFC8-4C25-B61D-C164F8FF4048}\DesktopMgr.exe
2001-12-03 21:09 . 2009-07-10 19:19 90112 ----a-w- c:\program files\internet explorer\plugins\DjVuControl.dll
2009-12-04 20:11 . 2009-12-04 20:11 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2007-06-25 13:24 . 2007-02-06 20:11 168 -csh--r- c:\windows\system32\B8D9BE6CEF.sys
2007-06-25 13:24 . 2007-02-06 20:11 6686 --sh--w- c:\windows\system32\KGyGaAvL.sys
2010-02-03 21:16 . 2010-02-03 20:54 608 --sha-w- c:\windows\system32\winzvprt5.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2010-05-13 26192168]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-19 39408]
"QuickGammaLoader"="c:\program files\QuickGamma\QuickGammaLoader.exe" [2009-08-15 98816]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 63048]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2010-03-11 648536]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-12-04 30192]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-06-09 18:44 87424 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=c:\windows\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlackBerry Desktop Redirector.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BlackBerry Desktop Redirector.lnk
backup=c:\windows\pss\BlackBerry Desktop Redirector.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Jarrett^Start Menu^Programs^Startup^E-mail.lnk]
path=c:\documents and settings\Jarrett\Start Menu\Programs\Startup\E-mail.lnk
backup=c:\windows\pss\E-mail.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-05-11 07:06 40048 -c----w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlackBerryAutoUpdate]
2010-03-11 02:32 648536 ----a-w- c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cssauth]
2006-07-15 02:13 2341632 ------w- c:\program files\Lenovo\Client Security Solution\cssauth.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSyncU.exe]
2007-07-17 16:03 868352 ------w- c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DWQueuedReporting]
2007-02-26 06:01 437160 ----a-w- c:\progra~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2009-12-04 20:11 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
2005-01-08 01:07 61952 -c----w- c:\windows\system32\HdAShCut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2006-08-14 06:41 114688 ------w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2006-08-14 06:39 98304 ------w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2008-10-24 14:14 206112 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2008-10-24 14:14 206112 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2008-10-24 14:14 79136 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LPManager]
2006-07-03 16:11 110592 -c----w- c:\progra~1\Lenovo\LENOVO~2\LPMGR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2006-08-14 06:38 94208 ------w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2009-07-08 17:31 236016 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-11-19 20:02 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ToolBoxFX]
2008-01-10 16:13 53248 ----a-w- c:\program files\HP\ToolboxFX\bin\HPTLBXFX.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TVT Scheduler Proxy]
2006-07-15 02:05 503808 -c----w- c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-10-19 01:05 204288 ------w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Apple Mobile Device"=2 (0x2)
"WSearch"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\GIMP-2.0\\lib\\gimp\\2.0\\plug-ins\\script-fu.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe"=
"c:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Keys Server\\sntlkeyssrvr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Windows Defender\\MsMpEng.exe"=
"c:\\Program Files\\HP\\hp laserjet m1522\\Fax Config utility1.exe"=
"c:\\Program Files\\HP\\hp laserjet m1522\\hppfaxnc1.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"13364:UDP"= 13364:UDP:Print Server Utility
"13107:UDP"= 13107:UDP:Print Server Utility
"69:UDP"= 69:UDP:Print Server Utility

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [6/29/2010 9:33 AM 165456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [6/29/2010 9:33 AM 17744]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/3/2007 3:09 PM 12856]
R2 SentinelKeysServer;Sentinel Keys Server;c:\program files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe [4/27/2007 2:00 AM 316992]
R2 smi2;smi2;c:\program files\SMI2\smi2.sys [7/14/2006 7:55 PM 3968]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 radpms;Driver for RADPMS Device;c:\windows\system32\drivers\radpms.sys [8/3/2007 3:04 PM 13408]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/15/2009 11:54 AM 135336]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/31/2009 4:45 AM 135664]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [12/4/2009 4:11 PM 30192]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2007-05-07 c:\windows\Tasks\dfrg.job
- c:\windows\system32\dfrg.msc [2006-04-30 12:00]

2010-06-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-31 08:45]

2010-06-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-31 08:45]

2010-06-30 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]

2010-06-30 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]

2010-06-30 c:\windows\Tasks\User_Feed_Synchronization-{ADFC6ACC-B79D-48CB-A72C-4A5138091C07}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 16:58]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
Trusted Zone: isqft.com\www
Trusted Zone: isqft.com\www
FF - ProfilePath - c:\documents and settings\Jarrett\Application Data\Mozilla\Firefox\Profiles\uba8405v.default\
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwbe.dll
FF - plugin: c:\program files\Photosynth\npPhotosynthMozilla.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Corel Photo Downloader - c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe
MSConfigStartUp-DiskeeperSystray - c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe
MSConfigStartUp-Google Update - c:\documents and settings\Jarrett\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
MSConfigStartUp-IJNetworkScanUtility - c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE
MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
MSConfigStartUp-jubofoles - c:\windows\system32\gasahamo.dll
MSConfigStartUp-Mouse Suite 98 Daemon - ICO.EXE
MSConfigStartUp-Orb - c:\program files\Winamp Remote\bin\OrbTray.exe
MSConfigStartUp-Picasa Media Detector - c:\program files\Picasa2\PicasaMediaDetector.exe
MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\qttask.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
MSConfigStartUp-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
MSConfigStartUp-WinampAgent - c:\program files\Winamp\winampa.exe
MSConfigStartUp-Zune Launcher - c:\program files\Zune\ZuneLauncher.exe



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(924)
c:\windows\system32\LMIinit.dll
.
Completion time: 2010-06-30 10:17:47
ComboFix-quarantined-files.txt 2010-06-30 14:17

Pre-Run: 19,984,764,928 bytes free
Post-Run: 20,770,086,912 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 1BEFDD121C19FA7F9B1455DE817C543C



#2 pwgib

pwgib

  • Malware Response Team
  • 2,958 posts
  • OFFLINE
  • Gender:Male
  • Location:God's Country
  • Local time:06:59 AM

Posted 04 July 2010 - 11:37 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log

PW

#3 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:59 AM

Posted 12 July 2010 - 08:00 AM

Due to the lack of feedback, this topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else, please begin a New Topic.
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/
