Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Selace.K Trojan Horse


  • This topic is locked This topic is locked
3 replies to this topic

#1 baseballfan

baseballfan

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:12:01 AM

Posted 16 July 2010 - 08:11 AM

According to Microsoft's One Care Safety Scanner, I was infected with two trojan horses. The scanner claimed to have deleted the Redirector.DC trojan horse but could not delete the Selace.K trojan horse. I ran Malwarebytes which allegedly quarantined two infected files. Malawarebytes asked me to rebott and my infection appears to have regenerated. Now it will not let me run Malwarebytes and it scrambles badly anything I try to print. I did download and run Combofix and here below is the log from it:

ComboFix 10-07-15.03 - Pete 07/16/2010 8:43.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1366 [GMT -4:00]
Running from: c:\documents and settings\Pete\Desktop\ComboFix.exe
AV: Trend Micro Internet Security Pro *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common
c:\program files\Search Toolbar
c:\program files\Search Toolbar\icon.ico
c:\windows\patch.exe
c:\windows\system32\service
c:\windows\system32\service\03042010_TIS17_SfFniAU.log
c:\windows\system32\service\03122009_TIS17_SfFniAU.log
c:\windows\system32\service\05032010_TIS17_SfFniAU.log
c:\windows\system32\service\05112009_TIS17_SfFniAU.log
c:\windows\system32\service\06032010_TIS17_SfFniAU.log
c:\windows\system32\service\08012010_TIS17_SfFniAU.log
c:\windows\system32\service\09052010_TIS17_SfFniAU.log
c:\windows\system32\service\09112009_TIS17_SfFniAU.log
c:\windows\system32\service\10012010_TIS17_SfFniAU.log
c:\windows\system32\service\10062010_TIS17_SfFniAU.log
c:\windows\system32\service\10092009_TIS17_SfFniAU.log
c:\windows\system32\service\11012010_TIS17_SfFniAU.log
c:\windows\system32\service\12032010_TIS17_SfFniAU.log
c:\windows\system32\service\12072010_TIS17_SfFniAU.log
c:\windows\system32\service\12092009_TIS17_SfFniAU.log
c:\windows\system32\service\13042010_TIS17_SfFniAU.log
c:\windows\system32\service\21032010_TIS17_SfFniAU.log
c:\windows\system32\service\21082009_TIS17_SfFniAU.log
c:\windows\system32\service\23062010_TIS17_SfFniAU.log
c:\windows\system32\service\24022010_TIS17_SfFniAU.log
c:\windows\system32\service\26102009_TIS17_SfFniAU.log
c:\windows\system32\service\26122009_TIS17_SfFniAU.log
c:\windows\system32\service\27032010_TIS17_SfFniAU.log
c:\windows\system32\service\27042010_TIS17_SfFniAU.log
c:\windows\system32\service\30012010_TIS17_SfFniAU.log
c:\windows\system32\service\30032010_TIS17_SfFniAU.log
c:\windows\system32\service\30082009_TIS17_SfFniAU.log
c:\windows\system32\service\30102009_TIS17_SfFniAU.log
c:\windows\xpsp1hfm.log

.
((((((((((((((((((((((((( Files Created from 2010-06-16 to 2010-07-16 )))))))))))))))))))))))))))))))
.

2010-07-14 22:51 . 2010-07-14 22:51 -------- d-----w- c:\program files\FrameShots3
2010-07-14 22:50 . 2010-07-14 22:50 1871917 ----a-w- c:\program files\fssetup.exe
2010-07-14 20:11 . 2010-07-14 20:11 2048 ----a-w- c:\windows\system32\Tr_sttool.dat
2010-07-14 19:51 . 2010-07-14 19:52 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Software
2010-07-14 19:50 . 2010-07-16 11:56 -------- d-----w- c:\documents and settings\Pete\Application Data\NCH Software
2010-07-14 19:49 . 2010-07-14 19:50 445632 ----a-w- c:\program files\debutsetup.exe
2010-07-14 19:16 . 2010-07-14 19:16 53319 ----a-w- c:\documents and settings\All Users\Application Data\Temp\{8C20787A-7402-4FA7-BF25-6E5750930FDC}\PostBuild.exe
2010-07-14 16:12 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-14 03:18 . 2010-07-14 03:18 -------- d-----w- c:\documents and settings\Pete\Application Data\playitall
2010-07-14 03:15 . 2010-07-14 03:15 -------- d-----w- c:\program files\PlayItAll Media Player
2010-07-14 03:05 . 2010-07-14 03:05 252176 ----a-w- c:\program files\PlayItAll-Setup-win32_2.exe
2010-07-14 00:43 . 2010-07-14 03:21 -------- d-----w- C:\VideoOutput
2010-07-14 00:43 . 2010-07-14 00:43 -------- d-----w- c:\program files\WMV Converter
2010-07-14 00:41 . 2010-07-14 00:41 4468309 ----a-w- c:\program files\wmvconverter_setup.exe
2010-07-06 01:31 . 2010-07-14 00:03 -------- d-----w- c:\program files\XVideoConverter
2010-07-06 01:31 . 2010-07-06 01:31 6005108 ----a-w- c:\program files\XVideoConverter.exe
2010-07-05 19:51 . 2010-07-05 19:51 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\IsolatedStorage
2010-07-05 19:50 . 2010-07-05 19:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Amazon
2010-07-05 19:50 . 2010-07-05 19:50 -------- d-----w- c:\program files\Amazon
2010-07-05 19:49 . 2010-07-05 19:49 4502832 ----a-w- c:\program files\AmazonUnboxVideo.exe
2010-06-29 20:40 . 2010-06-29 20:40 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\SupportSoft
2010-06-22 20:45 . 2010-06-22 20:45 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb13.tmp.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-16 12:35 . 2009-12-11 19:51 -------- d-----w- c:\documents and settings\Pete\Application Data\Orbit
2010-07-16 03:54 . 2010-04-03 21:27 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-07-16 03:53 . 2010-04-03 21:25 6082368 ----a-w- c:\program files\HitmanPro35.exe
2010-07-15 22:54 . 2009-02-18 02:31 -------- d-----w- c:\program files\Windows Live Safety Center
2010-07-14 19:18 . 2008-01-14 17:43 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-14 19:16 . 2009-12-09 20:47 -------- d---a-w- c:\documents and settings\All Users\Application Data\Temp
2010-07-14 19:16 . 2009-12-09 20:48 29480 ----a-w- c:\windows\system32\msxml3a.dll
2010-07-14 03:20 . 2008-03-23 19:48 -------- d-----w- c:\program files\Zoom Player
2010-07-14 03:19 . 2009-12-09 17:26 -------- d-----w- c:\documents and settings\Pete\Application Data\vlc
2010-06-29 15:39 . 2008-01-23 01:20 -------- d-----w- c:\program files\EarthLink TotalAccess
2010-06-15 21:18 . 2010-06-15 21:17 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-06-15 21:18 . 2010-03-04 19:01 -------- d-----w- c:\program files\iTunes
2010-06-15 21:17 . 2010-06-15 21:17 -------- d-----w- c:\program files\iPod
2010-06-15 21:17 . 2009-09-20 02:56 -------- d-----w- c:\program files\Common Files\Apple
2010-06-15 21:13 . 2009-06-16 21:52 -------- d-----w- c:\program files\QuickTime
2010-06-15 21:08 . 2010-06-15 21:08 -------- d-----w- c:\program files\Bonjour
2010-06-15 20:44 . 2010-06-15 20:44 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-06-14 14:31 . 2004-08-10 19:02 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-09 19:25 . 2008-01-14 17:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-06-01 00:08 . 2010-05-24 00:27 -------- d-----w- c:\program files\donkeykong
2010-05-29 19:03 . 2010-05-24 00:27 -------- d-----w- c:\program files\centipede_millenipede
2010-05-24 00:27 . 2010-05-24 00:27 -------- d-----w- c:\program files\pcbert
2010-05-24 00:27 . 2010-05-24 00:27 -------- d-----w- c:\program files\ms_pacman
2010-05-24 00:26 . 2010-05-24 00:26 -------- d-----w- c:\program files\elevator
2010-05-24 00:26 . 2010-05-24 00:26 -------- d-----w- c:\program files\galaxian_2
2010-05-24 00:20 . 2010-05-24 00:20 2081840 ----a-w- c:\program files\galaxian_2.zip
2010-05-24 00:19 . 2010-05-24 00:19 796776 ----a-w- c:\program files\elevator.zip
2010-05-24 00:19 . 2010-05-24 00:19 1216060 ----a-w- c:\program files\donkeykong.zip
2010-05-24 00:17 . 2010-05-24 00:17 1039454 ----a-w- c:\program files\ms_pacman.zip
2010-05-24 00:16 . 2010-05-24 00:16 706526 ----a-w- c:\program files\pcbert.zip
2010-05-24 00:14 . 2010-05-24 00:14 1813364 ----a-w- c:\program files\centipede_millenipede.zip
2010-05-06 10:41 . 2004-08-10 18:51 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2004-08-10 18:51 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 19:39 . 2009-11-09 16:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2009-11-09 16:19 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 05:30 . 2004-08-10 18:50 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-10 00:12 . 2010-04-10 00:10 18499623 ----a-w- c:\program files\vlc-1.0.5-win32.exe
2010-04-03 20:38 . 2010-04-03 20:38 1748881 ----a-w- c:\program files\ProcessExplorer.zip
2010-04-03 20:25 . 2010-04-03 20:25 50477 ----a-w- c:\program files\Defogger.exe
2010-04-03 18:05 . 2010-04-03 18:05 42281152 ----a-w- c:\program files\avira_antivir_personal_en.exe
2010-03-21 01:51 . 2010-03-21 01:50 961204 ----a-w- c:\program files\extractnow.exe
2010-03-17 15:13 . 2010-03-17 15:13 13114520 ----a-w- c:\program files\ATT_DIAL.exe
2010-03-04 18:57 . 2010-03-04 18:58 98181416 ----a-w- c:\program files\iTunesSetup.exe
2010-01-09 00:58 . 2010-01-09 00:58 103684760 ----a-w- c:\program files\PowerDVD9_Standard.1719D_DVD090514-06.exe
2009-12-11 19:49 . 2009-12-11 19:49 2556048 ----a-w- c:\program files\OrbitDownloaderSetup.exe
2009-12-09 20:46 . 2009-12-09 20:46 134514912 ----a-w- c:\program files\CyberLink.2201(BDTrial)_DVD090929-03.exe
2009-12-09 17:25 . 2009-12-09 17:25 20834816 ----a-w- c:\program files\vlc-us.exe
2009-12-03 02:41 . 2009-12-03 02:41 1962544 ----a-w- c:\program files\install_flash_player_ax.exe
2009-11-18 01:18 . 2009-11-18 01:17 939956 ----a-w- c:\program files\7z465.exe
2009-01-03 04:23 . 2009-01-03 04:23 874578 ----a-w- c:\program files\cuzsetup.exe
2009-01-03 04:07 . 2009-01-03 04:07 5068543 ----a-w- c:\program files\Pazera_Free_FLV_to_AVI_Converter.zip
2008-09-25 00:26 . 2008-09-25 00:26 1658550 ----a-w- c:\program files\Batch FLV.zip
2008-05-29 02:48 . 2008-05-29 02:48 23700784 ----a-w- c:\program files\QuickTimeInstaller.exe
2008-03-23 19:47 . 2008-03-23 19:47 1521904 ----a-w- c:\program files\zp502std.exe
2003-11-01 14:36 . 2008-04-05 01:28 858179 ----a-w- c:\program files\Neave Space Invaders.exe
2003-01-09 23:37 . 2008-12-28 23:43 4067 ----a-w- c:\program files\Readme.rtf
2008-01-14 17:44 . 2008-01-14 17:44 76 --sh--r- c:\windows\CT4CET.bin
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-14 68856]
"E6TaskPanel"="c:\program files\EarthLink TotalAccess\TaskPanl.exe" [2006-08-04 952088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-07-10 851968]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-06 8429568]
"nwiz"="nwiz.exe" [2007-06-06 1626112]
"NVHotkey"="nvHotkey.dll" [2007-06-06 67584]
"NvMediaCenter"="NvMCTray.dll" [2007-06-06 81920]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-08-28 36864]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-12-11 2183168]
"SigmatelSysTrayApp"="stsystra.exe" [2007-07-10 405504]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-08-09 81920]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-24 17920]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-10 16384]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-11-01 189736]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-11-29 196608]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-10-21 995528]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2006-10-03 221184]
"RemoteControl9"="c:\program files\CyberLink\PowerDVD9\PDVD9Serv.exe" [2009-07-06 87336]
"PDVD9LanguageShortcut"="c:\program files\CyberLink\PowerDVD9\Language\Language.exe" [2009-04-27 50472]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"AT&T Dial Connection Manager"="c:\program files\SBC Yahoo!\Connection Manager\ConnectionManager.exe" [2009-12-21 1461352]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Amazon Unbox.lnk - c:\program files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe [2010-3-4 97384]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-1-14 50688]
Orbit.lnk - c:\program files\Orbitdownloader\orbitdm.exe [2009-12-11 1785104]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DELL Webcam Manager]
2007-07-27 22:43 118784 ------w- c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2008-01-14 18:01 1838592 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2006-08-17 15:00 1116920 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2006-11-05 17:22 221184 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-01-14 18:00 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-11-11 03:26 185872 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD9\\PowerDVD9.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support

R2 Security Activity Dashboard Service;Security Activity Dashboard Service;c:\program files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe [8/15/2009 9:04 PM 181584]
R2 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [8/15/2009 9:03 PM 497008]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [8/15/2009 3:09 PM 36368]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [8/15/2009 9:03 PM 677128]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [8/15/2009 3:09 PM 335376]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/31/2010 1:38 PM 135664]
.
Contents of the 'Scheduled Tasks' folder

2010-06-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-07-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 17:38]

2010-07-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 17:38]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://att.my.yahoo.com/
uDefault_Search_URL = hxxp://www.earthlink.net/partner/more/msie/button/search.html
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
.
.
------- File Associations -------
.
.txt=
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-16 08:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1300)
c:\windows\System32\BCMLogon.dll
.
Completion time: 2010-07-16 08:53:11
ComboFix-quarantined-files.txt 2010-07-16 12:53

Pre-Run: 156,474,249,216 bytes free
Post-Run: 156,891,533,312 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 8576A975930F02281132872375EEA111

I would appreciate any help anyone can offer.

I ran the Microsoft One Care safety scan again and it came up with the following five severe issues that it could not clean:

1. Exploit: Java/CVE-2008-53
53.HL
C:\documents and settings\pete\application data\sun\java\deployment\cache\javapi\v1.0\jar\help.jar-6536dc32-13do17c2.zip
p1/p2/piclass.class

2. Exploit: Java/CVE-2008-53
53.IB
C:\documents and settings\pete\application data\sun\java\deployment\cache\javapi\v1.0\jar\help.jar-343d59bf-11fa8c5e.zip
dev/s/dyesyasz.class

3. Exploit: Java/CVE-2008-53
53.JJ
C:\documents and settings\pete\application data\sun\java\deployment\cache\javapi\v1.0\jar\help.jar-343d59bf-11fa8c5e.zip
dev/s/loaderx.class

4. Exploit: Java/CVE-2009-38
67.FS
C:\documents and settings\pete\application data\sun\java\deployment\cache\javapi\v1.0\jar\help.jar-343d59bf-11fa8c5e.zip
dev/s/adgredy.class

5. Trojan Horse: Selace.K
C:\documents and settings\pete\application data\sun\java\deployment\cache\javapi\v1.0\jar\help.jar-6536dc32-13do17c2.zip
p1/p2/myclassloader.class

Once again, any assistance in cleaning up this infection would be much appreciated.

Merged posts. ~ OB

Edited by Orange Blossom, 18 July 2010 - 03:33 PM.
Moved from XP to Malware Logs Removal ~ Hamluis.


BC AdBot (Login to Remove)

 


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:12:01 AM

Posted 23 July 2010 - 04:22 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.
  1. Do not run any other tool untill instructed to do so!
  2. Please Do not Attach logs or put in code boxes.
  3. Tell me about any problems that have occurred during the fix.
  4. Tell me of any other symptoms you may be having as these can help also.
  5. Do not run anything while running a fix.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:
    Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger may ask you to reboot the machine, if it does - click OK
    Do not re-enable these drivers until otherwise instructed.

Download DDS:
    Please download DDS by sUBs from one of the links below and save it to your desktop:


    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.
    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after two logs will appear:
      • DDS.txt
      • Attach.txt
    • A window will open instructing you save & post the logs
    • Save the logs to a convenient place such as your desktop
    • Copy the contents of both logs & post in your next reply

Scan With RKUnHooker
  • Please Download Rootkit Unhooker Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth,. Uncheck the rest. then Click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning it is ok, just ignore

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


MBRCheck

Please also download MBRCheck to your desktop
  • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
  • It will show a Black screen with some data on it
  • a report called MBRcheck will be on your desktop
  • open this report
  • Right click on the screen and select > Select All
  • Press Control+C
  • now please copy that report to this thread


information and logs:
    In your next post I need the following
      1.logs from DDS
      2.log from RKUnHooker
      3. report from MBRchecker
      4.let me know of any problems you may have had

Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 baseballfan

baseballfan
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:12:01 AM

Posted 23 July 2010 - 02:00 PM

Thank you for your offer of assistance, but I have since fixed my problem.

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:12:01 AM

Posted 23 July 2010 - 04:58 PM

Thank you for letting me know


Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users