infected with defense center


This topic is locked
15 replies to this topic

#1 katydidonline (Members, 43 posts, Midwest USA)

Posted 16 July 2010 - 11:17 PM

Keep getting fake security warnings and virus alerts. Please help remove.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Larry Gray at 21:10:43.40 on Fri 07/16/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.337 [GMT -5:00]

AV: Defense Center *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}
AV: Webroot Internet Security Essentials *On-access scanning enabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}
FW: Webroot Internet Security Essentials *enabled* {63671000-11A2-46DD-BADD-A084CABCDEAE}

============== Running Processes ===============

C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\svchost.exe -k HPService
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Defense Center\defcnt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Documents and Settings\Larry Gray.PC325862970629\Desktop\BleepingComputer\dds.scr

============== Pseudo HJT Report ===============

mWindow Title = Microsoft Internet Explorer provided by CenturyTel
uInternet Connection Wizard,ShellNext = iexplore
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [ctfmon.exe] "c:\windows\system32\ctfmon.exe"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Defense Center] "c:\program files\defense center\defcnt.exe" -noscan
mRun: [ehTray] "c:\windows\ehome\ehtray.exe"
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [SynTPEnh] "c:\program files\synaptics\syntp\SynTPEnh.exe"
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [Cpqset] "c:\program files\hpq\default settings\cpqset.exe"
mRun: [RecGuard] "c:\windows\sminst\RecGuard.exe"
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [ISUSPM Startup] "c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [eabconfg.cpl] "c:\program files\hpq\quick launch buttons\EabServr.exe" /Start
mRun: [AppleSyncNotifier] "c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SpySweeper] "c:\program files\webroot\webrootsecurity\SpySweeperUI.exe" /startintray
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: DisableTaskMgr = 1 (0x1)
IE: &Search
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} - hxxp://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} - hxxp://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} - hxxp://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Mah%20Jong%20Medley/Images/armhelper.ocx
DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} - hxxp://zone.msn.com/binframework/v10/StProxy.cab55579.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} - hxxp://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab64162.cab
TCP: NameServer = 93.188.162.168,93.188.166.199
TCP: {6835AB93-8258-4DF4-A659-FBD9EF91D9D4} = 93.188.162.168,93.188.166.199
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\progra~1\google\google~3\goec62~1.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-9-26 29808]
R1 pwipf6;pwipf6;c:\windows\system32\drivers\pwipf6.sys [2009-10-16 108880]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-8-27 24652]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\webrootsecurity\SpySweeper.exe [2009-9-18 4048240]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\webrootsecurity\WRConsumerService.exe [2009-10-19 1201640]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-8-22 231424]
S2 gupdate1ca29ae30729286;Google Update Service (gupdate1ca29ae30729286);c:\program files\google\update\GoogleUpdate.exe [2009-8-30 133104]
S3 FTD2XX;FTD2XX.SYS FT8U2XX device driver;c:\windows\system32\drivers\FTD2XX.sys [2009-4-13 29292]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\google\google desktop search\GoogleDesktop.exe [2006-9-17 30192]

=============== Created Last 30 ================

2010-07-17 02:10:17 0 ----a-w- c:\documents and settings\larry gray.pc325862970629\defogger_reenable
2010-07-11 18:00:18 0 d-----w- c:\program files\Defense Center
2010-07-05 21:47:23 0 ----a-w- c:\documents and settings\larry gray.pc325862970629\==
2010-06-17 21:24:44 44544 ----a-w- c:\windows\system32\ernel32.dll
2010-06-17 21:24:22 44544 ----a-w- c:\docume~1\larryg~1.pc3\applic~1\d41bdbad.exe

==================== Find3M ====================

2010-05-04 12:39:27 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-05-04 12:39:27 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-05-02 05:22:50 1851264 ------w- c:\windows\system32\dllcache\win32k.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-20 05:30:08 285696 ------w- c:\windows\system32\dllcache\atmfd.dll
2009-03-28 04:58:45 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009032720090328\index.dat

============= FINISH: 21:12:32.21 ===============
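A triage helper for the DDS log format above, added here as an example and not part of the thread, of DDS or of any removal tool; it runs over a few lines copied from the posted log (the Pseudo HJT Report and "Created Last 30" sections) and flags what a responder would look at first: policies that disable Task Manager or UAC, the rogue-product autorun, resolvers outside an expected DNS set, and a dropped file whose name mimics kernel32.dll. The rogue-name list, the expected-resolver set and the system-name list are assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the DDS log posted in this thread.
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] "c:\windows\system32\ctfmon.exe"
uRun: [Defense Center] "c:\program files\defense center\defcnt.exe" -noscan
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: DisableTaskMgr = 1 (0x1)
TCP: NameServer = 93.188.162.168,93.188.166.199
TCP: {6835AB93-8258-4DF4-A659-FBD9EF91D9D4} = 93.188.162.168,93.188.166.199
2010-06-17 21:24:44 44544 ----a-w- c:\windows\system32\ernel32.dll
2010-06-17 21:24:22 44544 ----a-w- c:\docume~1\larryg~1.pc3\applic~1\d41bdbad.exe
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
"""

POLICY_RE = re.compile(r"^[um]Policies-\w+:\s*(\w+)\s*=\s*(\d+)")
RUN_RE = re.compile(r"^[um]Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<rest>.*)$")
DNS_RE = re.compile(r"^TCP:\s*(?:NameServer|\{[0-9A-Fa-f-]+\})\s*=\s*(?P<ips>[\d.,\s]+)$")
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\d+\s+\S+\s+(?P<path>.+)$")

# Policy values rogue AV products set to keep the user from killing them.
BAD_POLICIES = {("DisableTaskMgr", "1"): "Task Manager disabled",
                ("EnableLUA", "0"): "UAC (LUA) disabled"}
# Profile data directories (long and 8.3 forms) where legitimate autoruns are rare.
PROFILE_DIRS = ("application data", "applic~1", "local settings", "locals~1", "\\temp\\")
# Assumed rogue-product name list; only the name seen in this thread is included.
ROGUE_NAMES = ("defense center",)
# Real system binaries whose names malware likes to imitate (ernel32 vs kernel32).
SYSTEM_NAMES = ("kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll",
                "svchost.exe", "explorer.exe", "winlogon.exe", "lsass.exe")

@dataclass(frozen=True)
class Finding:
    category: str   # policy | autorun | dns | file
    line: str       # the log line that triggered the finding
    reason: str

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; distance 1 to a system name marks a look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def split_command(rest: str) -> tuple[str, str]:
    """Split an autorun command into (lower-cased path, args); path may be quoted."""
    rest = rest.strip()
    if rest.startswith('"'):
        end = rest.find('"', 1)
        return rest[1:end].lower(), rest[end + 1:].strip()
    m = re.match(r"(?i)(.*?\.(?:exe|dll|scr|com|bat|cpl))\s*(.*)$", rest)
    return (m.group(1).lower(), m.group(2)) if m else (rest.lower(), "")

def triage(log_text: str, expected_dns: frozenset[str] = frozenset()) -> list[Finding]:
    """Return findings in log order; expected_dns is the allow-list of resolvers."""
    findings: list[Finding] = []
    seen_dns: set[str] = set()
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := POLICY_RE.match(line):
            reason = BAD_POLICIES.get((m.group(1), m.group(2)))
            if reason:
                findings.append(Finding("policy", line, reason))
        elif m := RUN_RE.match(line):
            name = m.group("name").lower()
            path, _args = split_command(m.group("rest"))
            if any(r in name or r in path for r in ROGUE_NAMES):
                findings.append(Finding("autorun", line, "known rogue product name"))
            elif any(d in path for d in PROFILE_DIRS):
                findings.append(Finding("autorun", line, "autorun from user-profile data dir"))
        elif m := DNS_RE.match(line):
            for ip in m.group("ips").replace(" ", "").split(","):
                if ip and ip not in expected_dns and ip not in seen_dns:
                    seen_dns.add(ip)  # report each unexpected resolver once
                    findings.append(Finding("dns", line, f"unexpected DNS server {ip}"))
        elif m := CREATED_RE.match(line):
            path = m.group("path").lower()
            base = path.rsplit("\\", 1)[-1]
            lookalike = [s for s in SYSTEM_NAMES if s != base and edit_distance(base, s) <= 1]
            if lookalike:
                findings.append(Finding("file", line, f"name mimics {lookalike[0]}"))
            elif base.endswith((".exe", ".dll", ".sys")) and any(d in path for d in PROFILE_DIRS):
                findings.append(Finding("file", line, "executable dropped in user-profile data dir"))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, expected_dns=frozenset({"192.168.1.1"})):  # assumed home resolver
        print(f"[{f.category}] {f.reason}: {f.line}")
```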


#2 katydidonline (Topic Starter)

Posted 17 July 2010 - 05:11 PM

I followed the prep directions and have attached the logs. Can anyone help me get rid of this?

EDIT: Please be patient. There are over 300 unanswered topics in this forum at present and the current average wait time to receive help is 5 days. ~BP

Edited by Budapest, 17 July 2010 - 06:56 PM.


#3 m0le (Malware Response Team, 34,527 posts, London, UK)

Posted 23 July 2010 - 04:48 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#4 katydidonline (Topic Starter)

Posted 24 July 2010 - 12:57 AM

Hello and thank you! I am here and still need help resolving my problem.



#5 m0le (Malware Response Team)

Posted 24 July 2010 - 04:22 PM

You didn't say whether you had run Gmer to check for rootkits.

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

#6 katydidonline (Topic Starter)

Posted 24 July 2010 - 08:10 PM

Sorry, I did run that but must not have included it in my post.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-16 23:07:57
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\LARRYG~1.PC3\LOCALS~1\Temp\fglyraoc.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwAdjustPrivilegesToken [0xF648D6C0]
SSDT 871C8150 ZwAllocateVirtualMemory
SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwConnectPort [0xF648DB80]
SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwCreateFile [0xF648C520]
SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwCreateKey [0xF648D380]
SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwCreatePort [0xF648DEE0]
SSDT 87175020 ZwCreateProcess
SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwCreateProcessEx [0xF648E840]
SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwCreateSection [0xF648E140]
SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwCreateThread [0xF648E440]
SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwDebugActiveProcess [0xF648CE90]
SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwDeleteKey [0xF648B090]
SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwDeleteValueKey [0xF648B1F0]
SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwDeviceIoControlFile [0xF648CF90]
SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwOpenFile [0xF648C7B0]
SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwOpenProcess [0xF648B3B0]
SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwOpenSection [0xF648CA20]
SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwOpenThread [0xF648D580]
SSDT 871C81C8 ZwQueueApcThread
SSDT 871C7FA8 ZwReadVirtualMemory
SSDT 871DF698 ZwRenameKey
SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwResumeThread [0xF648B620]
SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwSecureConnectPort [0xF648DD30]
SSDT 871C82B8 ZwSetContextThread
SSDT 87175A08 ZwSetInformationKey
SSDT 871C8510 ZwSetInformationProcess
SSDT 871C8330 ZwSetInformationThread
SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwSetValueKey [0xF648AEF0]
SSDT 871C8498 ZwSuspendProcess
SSDT 871C8240 ZwSuspendThread
SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwTerminateProcess [0xF648ADE0]
SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwTerminateThread [0xF648B500]
SSDT 871C7020 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2424 80501C5C 12 Bytes [E0, DE, 48, F6, 20, 50, 17, ...]
.rsrc C:\WINDOWS\system32\drivers\viaide.sys entry point in ".rsrc" section [0xF7A99014]
init C:\WINDOWS\system32\drivers\tifm21.sys entry point in "init" section [0xF52CAEBF]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe[556] kernel32.dll!CreateThread + 1A 7C8106F1 4 Bytes CALL 00450771 C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe (Spy Sweeper Client Executable/Webroot Software, Inc.)
.text C:\WINDOWS\System32\svchost.exe[1128] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0071000A
.text C:\WINDOWS\System32\svchost.exe[1128] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0082000A
.text C:\WINDOWS\System32\svchost.exe[1128] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0070000C
.text C:\WINDOWS\System32\svchost.exe[1128] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0264000A
.text C:\WINDOWS\System32\svchost.exe[1128] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00F0000A
.text C:\WINDOWS\Explorer.EXE[1484] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00CB000A
.text C:\WINDOWS\Explorer.EXE[1484] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00CD000A
.text C:\WINDOWS\Explorer.EXE[1484] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00CA000C
.text C:\WINDOWS\system32\spoolsv.exe[2024] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 0111000A
.text C:\Program Files\internet explorer\iexplore.exe[2524] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C4000A
.text C:\Program Files\internet explorer\iexplore.exe[2524] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00F6000A
.text C:\Program Files\internet explorer\iexplore.exe[2524] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00C3000C
.text C:\Program Files\internet explorer\iexplore.exe[2524] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E1DF4B9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2524] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E35203E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2524] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E351FBF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2524] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E352003 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2524] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E351F4B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2524] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E351F85 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2524] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E352079 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2524] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E20176A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2524] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E35223B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\WINDOWS\system32\SearchIndexer.exe[2592] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\Program Files\Webroot\WebrootSecurity\SSU.EXE[3784] ntdll.dll!KiUserExceptionDispatcher + 9 7C90E485 5 Bytes JMP 00017DB0 C:\Program Files\Webroot\WebrootSecurity\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (www.webroot.com))
.text C:\Program Files\Webroot\WebrootSecurity\SSU.EXE[3784] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00016000 C:\Program Files\Webroot\WebrootSecurity\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (www.webroot.com))
.text C:\Program Files\Webroot\WebrootSecurity\SSU.EXE[3784] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 000169B0 C:\Program Files\Webroot\WebrootSecurity\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (www.webroot.com))
.text C:\Program Files\Webroot\WebrootSecurity\SSU.EXE[3784] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00016000 C:\Program Files\Webroot\WebrootSecurity\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (www.webroot.com))
.text C:\Program Files\Webroot\WebrootSecurity\SSU.EXE[3784] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00016960 C:\Program Files\Webroot\WebrootSecurity\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (www.webroot.com))
.text C:\Program Files\Webroot\WebrootSecurity\SSU.EXE[3784] kernel32.dll!VirtualFree 7C809B84 5 Bytes JMP 00016990 C:\Program Files\Webroot\WebrootSecurity\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (www.webroot.com))

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))

Device \Driver\Tcpip \Device\Ip 86D8DD08
Device \Driver\Tcpip \Device\Ip 86E2DEA0
Device \Driver\Tcpip \Device\Ip 86B96820

AttachedDevice \Driver\Tcpip \Device\Ip pwipf6.sys (pwipf6/Privacyware/PWI, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)

Device \Driver\Tcpip \Device\Tcp 86D8DD08
Device \Driver\Tcpip \Device\Tcp 86E2DEA0
Device \Driver\Tcpip \Device\Tcp 86B96820

AttachedDevice \Driver\Tcpip \Device\Tcp pwipf6.sys (pwipf6/Privacyware/PWI, Inc.)

Device \Driver\Tcpip \Device\Udp 86D8DD08
Device \Driver\Tcpip \Device\Udp 86E2DEA0
Device \Driver\Tcpip \Device\Udp 86B96820

AttachedDevice \Driver\Tcpip \Device\Udp pwipf6.sys (pwipf6/Privacyware/PWI, Inc.)

Device \Driver\Tcpip \Device\RawIp 86D8DD08
Device \Driver\Tcpip \Device\RawIp 86E2DEA0
Device \Driver\Tcpip \Device\RawIp 86B96820

AttachedDevice \Driver\Tcpip \Device\RawIp pwipf6.sys (pwipf6/Privacyware/PWI, Inc.)

Device \Driver\Tcpip \Device\IPMULTICAST 86D8DD08
Device \Driver\Tcpip \Device\IPMULTICAST 86E2DEA0
Device \Driver\Tcpip \Device\IPMULTICAST 86B96820

AttachedDevice \FileSystem\Fastfat \Fat ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))

Device -> \Driver\atapi \Device\Harddisk0\DR0 870D6EC5

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\viaide.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


#7 m0le (Malware Response Team)

Posted 25 July 2010 - 10:28 AM

That's found the rootkit we need to remove.


Please run Combofix

Please download ComboFix from one of these locations:

* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#8 katydidonline (Topic Starter)

Posted 25 July 2010 - 04:05 PM

Here is the ComboFix log.

ComboFix 10-07-24.03 - Larry Gray 07/25/2010 14:37:31.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.507 [GMT -5:00]
Running from: c:\documents and settings\Larry Gray.PC325862970629\Desktop\ComFix.exe
AV: Webroot Internet Security Essentials *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}
FW: Webroot Internet Security Essentials *disabled* {63671000-11A2-46DD-BADD-A084CABCDEAE}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Larry Gray.PC325862970629\Application Data\d41bdbad.exe
c:\documents and settings\Larry Gray.PC325862970629\Desktop\Defense Center.lnk
c:\documents and settings\Larry Gray.PC325862970629\Local Settings\Application Data\{585BE3D3-CD31-4E97-A380-F0E042E831B9}
c:\documents and settings\Larry Gray.PC325862970629\Local Settings\Application Data\{585BE3D3-CD31-4E97-A380-F0E042E831B9}\chrome.manifest
c:\documents and settings\Larry Gray.PC325862970629\Local Settings\Application Data\{585BE3D3-CD31-4E97-A380-F0E042E831B9}\chrome\content\_cfg.js
c:\documents and settings\Larry Gray.PC325862970629\Local Settings\Application Data\{585BE3D3-CD31-4E97-A380-F0E042E831B9}\chrome\content\c.js
c:\documents and settings\Larry Gray.PC325862970629\Local Settings\Application Data\{585BE3D3-CD31-4E97-A380-F0E042E831B9}\chrome\content\overlay.xul
c:\documents and settings\Larry Gray.PC325862970629\Local Settings\Application Data\{585BE3D3-CD31-4E97-A380-F0E042E831B9}\install.rdf
c:\documents and settings\Larry Gray.PC325862970629\Local Settings\Application Data\idekqprpv
c:\documents and settings\Larry Gray.PC325862970629\Local Settings\Application Data\idekqprpv\kilbmfmtssd.exe
c:\documents and settings\Larry Gray.PC325862970629\Start Menu\Programs\Defense Center
c:\documents and settings\Larry Gray.PC325862970629\Start Menu\Programs\Defense Center\About.lnk
c:\documents and settings\Larry Gray.PC325862970629\Start Menu\Programs\Defense Center\Activate.lnk
c:\documents and settings\Larry Gray.PC325862970629\Start Menu\Programs\Defense Center\Buy.lnk
c:\documents and settings\Larry Gray.PC325862970629\Start Menu\Programs\Defense Center\Defense Center Support.lnk
c:\documents and settings\Larry Gray.PC325862970629\Start Menu\Programs\Defense Center\Defense Center.lnk
c:\documents and settings\Larry Gray.PC325862970629\Start Menu\Programs\Defense Center\Scan.lnk
c:\documents and settings\Larry Gray.PC325862970629\Start Menu\Programs\Defense Center\Settings.lnk
c:\documents and settings\Larry Gray.PC325862970629\Start Menu\Programs\Defense Center\Update.lnk
c:\program files\Defense Center
c:\program files\Defense Center\defcnt.exe
c:\program files\Defense Center\defext.dll
c:\program files\Defense Center\defhook.dll
c:\program files\Defense Center\splash.mp3
c:\program files\Defense Center\virus.mp3
c:\windows\system32\ernel32.dll
c:\windows\system32\gotomon.log
c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job

----- File Replicators -----

c:\windows\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut1_1B72F66FEC97454396CC50F63093FE70.exe
c:\windows\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut10_1B72F66FEC97454396CC50F63093FE70.exe
c:\windows\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut101_1B72F66FEC97454396CC50F63093FE70.exe
c:\windows\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut14_1B72F66FEC97454396CC50F63093FE70.exe
c:\windows\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut19_1B72F66FEC97454396CC50F63093FE70.exe
c:\windows\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut2_1B72F66FEC97454396CC50F63093FE70.exe
c:\windows\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut20_1B72F66FEC97454396CC50F63093FE70.exe
c:\windows\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut21_1B72F66FEC97454396CC50F63093FE70.exe
c:\windows\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut24_1B72F66FEC97454396CC50F63093FE70.exe
c:\windows\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut25_6C2287199EDD4CAA8285D3095F51E522.exe
c:\windows\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut26_6C2287199EDD4CAA8285D3095F51E522.exe
c:\windows\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut27_6C2287199EDD4CAA8285D3095F51E522.exe
c:\windows\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut28_6C2287199EDD4CAA8285D3095F51E522.exe
c:\windows\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut3_1B72F66FEC97454396CC50F63093FE70.exe
c:\windows\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut31_1B72F66FEC97454396CC50F63093FE70.exe
c:\windows\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut4_1B72F66FEC97454396CC50F63093FE70.exe
c:\windows\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut41_1B72F66FEC97454396CC50F63093FE70.exe
c:\windows\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut5_1B72F66FEC97454396CC50F63093FE70.exe
c:\windows\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut51_1B72F66FEC97454396CC50F63093FE70.exe
c:\windows\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut7_1B72F66FEC97454396CC50F63093FE70.exe
c:\windows\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut71_1B72F66FEC97454396CC50F63093FE70.exe
c:\windows\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut8_1B72F66FEC97454396CC50F63093FE70.exe
c:\windows\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut81_1B72F66FEC97454396CC50F63093FE70.exe
c:\windows\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut9_1B72F66FEC97454396CC50F63093FE70.exe
c:\windows\Installer\{688A3383-3CE7-4094-9188-9C39D1E4FCB6}\NewShortcut91_1B72F66FEC97454396CC50F63093FE70.exe
c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut1_1B72F66FEC97454396CC50F63093FE70.exe
c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut10_1B72F66FEC97454396CC50F63093FE70.exe
c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut101_1B72F66FEC97454396CC50F63093FE70.exe
c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut14_1B72F66FEC97454396CC50F63093FE70.exe
c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut19_1B72F66FEC97454396CC50F63093FE70.exe
c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut2_1B72F66FEC97454396CC50F63093FE70.exe
c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut20_1B72F66FEC97454396CC50F63093FE70.exe
c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut21_1B72F66FEC97454396CC50F63093FE70.exe
c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut24_1B72F66FEC97454396CC50F63093FE70.exe
c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut3_1B72F66FEC97454396CC50F63093FE70.exe
c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut31_1B72F66FEC97454396CC50F63093FE70.exe
c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut4_1B72F66FEC97454396CC50F63093FE70.exe
c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut41_1B72F66FEC97454396CC50F63093FE70.exe
c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut5_1B72F66FEC97454396CC50F63093FE70.exe
c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut51_1B72F66FEC97454396CC50F63093FE70.exe
c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut7_1B72F66FEC97454396CC50F63093FE70.exe
c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut71_1B72F66FEC97454396CC50F63093FE70.exe
c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut8_1B72F66FEC97454396CC50F63093FE70.exe
c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut81_1B72F66FEC97454396CC50F63093FE70.exe
c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut9_1B72F66FEC97454396CC50F63093FE70.exe
c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut91_1B72F66FEC97454396CC50F63093FE70.exe
.
.
((((((((((((((((((((((((( Files Created from 2010-06-25 to 2010-07-25 )))))))))))))))))))))))))))))))
.

2010-07-25 19:22 . 2010-06-17 21:26 44544 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\iQGM17.dll
2010-07-25 17:26 . 2010-06-17 21:26 44544 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\93q79c17u.dll
2010-07-25 00:32 . 2010-06-17 21:26 44544 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\oC7sKU7m.dll
2010-07-24 14:29 . 2010-06-17 21:26 44544 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\SK17931o9.dll
2010-07-24 01:53 . 2010-06-17 21:26 44544 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\5w55y.dll
2010-07-19 20:26 . 2010-06-17 21:26 44544 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\wS1e93179.dll
2010-07-17 21:49 . 2010-06-17 21:26 44544 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\3179i179.dll
2010-07-17 01:16 . 2010-06-17 21:26 44544 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\EI17qGMYW.dll
2010-07-16 20:37 . 2010-06-17 21:26 44544 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\e5aAA.dll
2010-07-11 18:14 . 2010-06-17 21:26 44544 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\sKUOCE3.dll
2010-07-11 17:24 . 2010-06-17 21:26 44544 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\u55iQ.dll
2010-07-05 21:43 . 2010-06-17 21:26 44544 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\7aA17e3.dll
2010-07-05 16:49 . 2010-06-17 21:26 44544 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\5u5m5.dll
2010-06-30 22:44 . 2010-06-17 21:26 44544 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\AA5k5.dll
2010-06-27 19:14 . 2010-06-17 21:26 44544 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\7qGM7gM.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-25 19:32 . 2009-02-01 21:10 -------- d-----w- c:\documents and settings\Larry Gray.PC325862970629\Application Data\HPAppData
2010-07-25 17:27 . 2006-09-17 23:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-07-17 01:15 . 2006-10-15 14:42 -------- d-----w- c:\program files\Yahoo!
2010-07-16 23:07 . 2006-04-14 03:48 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-16 21:52 . 2009-06-05 17:28 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-06-13 02:04 . 2008-10-15 19:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-06-09 08:06 . 2010-06-09 08:06 976832 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.2\ARM\6663\AdobeARM.exe
2010-06-09 08:06 . 2010-06-09 08:06 70584 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.2\ARM\6663\AdobeExtractFiles.dll
2010-06-09 08:06 . 2010-06-09 08:06 331176 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.2\ARM\6663\ReaderUpdater.exe
2010-06-09 08:06 . 2010-06-09 08:06 331176 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.2\ARM\6663\AcrobatUpdater.exe
2010-05-24 01:09 . 2010-05-24 01:09 503808 ----a-w- c:\documents and settings\Larry Gray.PC325862970629\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-705ed607-n\msvcp71.dll
2010-05-24 01:09 . 2010-05-24 01:09 348160 ----a-w- c:\documents and settings\Larry Gray.PC325862970629\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-705ed607-n\msvcr71.dll
2010-05-24 01:09 . 2010-05-24 01:09 499712 ----a-w- c:\documents and settings\Larry Gray.PC325862970629\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-705ed607-n\jmc.dll
2010-05-04 17:20 . 2004-08-10 15:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20 . 2004-08-10 15:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20 . 2004-08-10 15:00 17408 ------w- c:\windows\system32\corpol.dll
2010-05-02 05:22 . 2004-08-10 15:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2007-07-22 23:20 . 2006-11-07 22:24 135680 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]
@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"
[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]
2009-09-18 19:02 238968 ----a-w- c:\program files\Webroot\WebrootSecurity\Backup\CtxMenu_1_0_0_10.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-08 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-11 344064]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-03-26 49152]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-19 729178]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2005-12-12 94208]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-08-01 233534]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-12-13 507904]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-20 149280]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-11-17 30192]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2005-12-22 405504]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]
"SpySweeper"="c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe" [2009-09-18 6515784]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0daila

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"427:UDP"= 427:UDP:SLP_Port(427)

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [9/26/2008 4:15 AM 29808]
R1 pwipf6;pwipf6;c:\windows\system32\drivers\pwipf6.sys [10/16/2009 10:49 PM 108880]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [8/27/2009 5:04 PM 24652]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [10/19/2009 8:58 AM 1201640]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [8/22/2005 4:06 AM 231424]
S2 gupdate1ca29ae30729286;Google Update Service (gupdate1ca29ae30729286);c:\program files\Google\Update\GoogleUpdate.exe [8/30/2009 3:12 PM 133104]
S3 FTD2XX;FTD2XX.SYS FT8U2XX device driver;c:\windows\system32\drivers\FTD2XX.sys [4/13/2009 3:30 PM 29292]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [9/17/2006 6:07 PM 30192]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-03-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-07-25 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-07 18:41]

2010-07-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-30 20:12]

2010-07-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-30 20:12]

2010-07-19 c:\windows\Tasks\wrSpySweeper_L821B0E163B994C9BAC2ADC233F272813.job
- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2009-10-19 19:08]

2010-07-19 c:\windows\Tasks\wrSpySweeper_L821B0E163B994C9BAC2ADC233F272813.job
- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2009-10-19 19:08]

2010-07-19 c:\windows\Tasks\wrSpySweeper_L87B0BFBFDBCE4908BEFBBF8E98979CBF.job
- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2009-10-19 19:08]

2010-07-19 c:\windows\Tasks\wrSpySweeper_L87B0BFBFDBCE4908BEFBBF8E98979CBF.job
- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2009-10-19 19:08]
.
.
------- Supplementary Scan -------
.
mWindow Title = Microsoft Internet Explorer provided by CenturyTel
uInternet Connection Wizard,ShellNext = iexplore
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-Defense Center - c:\program files\Defense Center\defcnt.exe
HKCU-Run-kiurlebj - c:\documents and settings\Larry Gray.PC325862970629\Local Settings\Application Data\idekqprpv\kilbmfmtssd.exe
HKLM-Run-kiurlebj - c:\documents and settings\Larry Gray.PC325862970629\Local Settings\Application Data\idekqprpv\kilbmfmtssd.exe
AddRemove-Defense Center - c:\program files\Defense Center\Pklkvqdii+`}`



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-25 15:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(700)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1516)
c:\windows\system32\WININET.dll
c:\program files\Webroot\WebrootSecurity\Backup\CtxMenu_1_0_0_10.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\program files\iTunes\iTunesMiniPlayer.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Webroot\WebrootSecurity\SpySweeper.exe
c:\windows\eHome\ehmsas.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\hpq\Shared\HPQTOA~1.EXE
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
c:\program files\Java\jre6\bin\jucheck.exe
c:\program files\Webroot\WebrootSecurity\SSU.EXE
.
**************************************************************************
.
Completion time: 2010-07-25 15:15:33 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-25 20:15

Pre-Run: 27,677,147,136 bytes free
Post-Run: 27,719,471,104 bytes free

- - End Of File - - 95E9F3E570F6B38C453C7AF3F9A830AE




#9 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:04:32 AM

Posted 25 July 2010 - 06:15 PM

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Go to Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

c:\windows\system32\Spool\prtprocs\w32x86\iQGM17.dll

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at VirusTotal


Please also read this on Viewpoint

Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This changed from what we knew in 2006; read this article:

http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player.
m0le is a proud member of UNITE

#10 katydidonline

katydidonline
  • Topic Starter

  • Members
  • 43 posts
  • Gender:Female
  • Location:Midwest USA
  • Local time:10:32 PM

Posted 25 July 2010 - 08:04 PM

Filename: iQGM17.dll
Status: Scan finished. 14 out of 18 scanners reported malware.
Scan taken on: Mon 26 Jul 2010 03:01:18 (CET) Permalink



--------------------------------------------------------------------------------
Additional info
File size: 44544 bytes
Filetype: PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
MD5: 3f15bc9a051e6c45e76a77ef52868efe
SHA1: dd66faff3e8c3d3d9591488ce5013c787225748b



#11 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:04:32 AM

Posted 26 July 2010 - 12:47 PM

Thought so but needed to check. Please rerun Combofix as below

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

QUOTE
File::
c:\windows\system32\Spool\prtprocs\w32x86\iQGM17.dll
c:\windows\system32\Spool\prtprocs\w32x86\93q79c17u.dll
c:\windows\system32\Spool\prtprocs\w32x86\oC7sKU7m.dll
c:\windows\system32\Spool\prtprocs\w32x86\SK17931o9.dll
c:\windows\system32\Spool\prtprocs\w32x86\5w55y.dll
c:\windows\system32\Spool\prtprocs\w32x86\wS1e93179.dll
c:\windows\system32\Spool\prtprocs\w32x86\3179i179.dll
c:\windows\system32\Spool\prtprocs\w32x86\EI17qGMYW.dll
c:\windows\system32\Spool\prtprocs\w32x86\e5aAA.dll
c:\windows\system32\Spool\prtprocs\w32x86\sKUOCE3.dll
c:\windows\system32\Spool\prtprocs\w32x86\u55iQ.dll
c:\windows\system32\Spool\prtprocs\w32x86\7aA17e3.dll
c:\windows\system32\Spool\prtprocs\w32x86\5u5m5.dll
c:\windows\system32\Spool\prtprocs\w32x86\AA5k5.dll
c:\windows\system32\Spool\prtprocs\w32x86\7qGM7gM.dll


Save this as CFScript.txt, in the same location as Comfix.exe (called ComboFix.exe in the below graphic)




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
m0le is a proud member of UNITE
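The indicator m0le acts on in posts #9 and #11 is visible in the ComboFix listing further up: fifteen DLLs under c:\windows\system32\Spool\prtprocs\w32x86, every one 44544 bytes with the same source timestamp 2010-06-17 21:26, each under a fresh random name, created on different days. The spooler loads print processors from that directory, so a foreign DLL there is a persistence point, and a file being re-dropped under new names is how the same payload survives cleanup attempts. As an added example (not code from the thread, from ComboFix or from BleepingComputer), the Python script below parses lines in ComboFix's "Files Created" format, clusters files that share directory, size and source timestamp, flags DLLs in the print-processor directory that are not the stock winprint.dll (that allow-list is an assumption about a stock Windows XP install), and renders the `File::` block in the CFScript form used in post #11. The sample lines embedded in it are constructed from the log above.

```python
"""Triage helper for ComboFix 'Files Created' listings.

Constructed example, not part of ComboFix or the thread above.  Parses
lines of the form

    2010-07-25 19:22 . 2010-06-17 21:26 44544 ----a-w- c:\\path\\file.dll

(creation time, source time, size, attributes, path), finds clusters of
identical files re-dropped under random names, flags unexpected DLLs in
the spooler's print-processor directory, and emits a CFScript 'File::' block.
"""
import re
from collections import defaultdict

ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<source>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>\S+) (?P<path>.+?)\s*$"
)

# Assumption: a stock Windows XP install ships only winprint.dll as a print
# processor; any other DLL in prtprocs needs a vendor (or attacker) to explain it.
KNOWN_PRINT_PROCESSORS = {"winprint.dll"}
PRTPROCS_MARKER = "\\spool\\prtprocs\\"
MIN_CLUSTER = 3

# Constructed sample: three of the prtprocs DLLs from the log above, mixed
# with benign entries (a Defender signature stub, a directory, Adobe's updater).
SAMPLE_LOG = r"""
2010-07-25 19:22 . 2010-06-17 21:26 44544 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\iQGM17.dll
2010-07-25 17:26 . 2010-06-17 21:26 44544 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\93q79c17u.dll
2010-07-24 01:53 . 2010-06-17 21:26 44544 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\5w55y.dll
2010-07-26 06:31 . 2010-05-21 19:14 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-07-26 16:27 . 2010-07-26 16:27 -------- d-----w- c:\windows\MATS
2010-06-09 08:06 . 2010-06-09 08:06 976832 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.2\ARM\6663\AdobeARM.exe
"""


def parse_entries(text):
    """Return file entries as dicts; directory entries are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m or m.group("attrs").startswith("d") or not m.group("size").isdigit():
            continue
        entries.append({
            "created": m.group("created"),
            "source": m.group("source"),
            "size": int(m.group("size")),
            "path": m.group("path"),
        })
    return entries


def find_drop_clusters(entries, min_size=MIN_CLUSTER):
    """Group files by (directory, size, source timestamp).

    A dropper that re-installs one payload under a new random name each time
    leaves exactly this shape: same size and source time, many creation dates.
    Returns a list of path lists, one per cluster of at least min_size files.
    """
    groups = defaultdict(list)
    for e in entries:
        directory = e["path"].rsplit("\\", 1)[0].lower()
        groups[(directory, e["size"], e["source"])].append(e["path"])
    return [paths for paths in groups.values() if len(paths) >= min_size]


def unexpected_print_processors(entries):
    """DLLs under spool\\prtprocs that are not on the allow-list."""
    hits = []
    for e in entries:
        lower = e["path"].lower()
        name = lower.rsplit("\\", 1)[-1]
        if PRTPROCS_MARKER in lower and name.endswith(".dll") \
                and name not in KNOWN_PRINT_PROCESSORS:
            hits.append(e["path"])
    return hits


def build_cfscript(paths):
    """Render the 'File::' directive block ComboFix reads from CFScript.txt."""
    return "File::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    found = parse_entries(SAMPLE_LOG)
    for cluster in find_drop_clusters(found):
        print("cluster of %d identical files:" % len(cluster))
        for p in cluster:
            print("    " + p)
    print(build_cfscript(unexpected_print_processors(found)))
```

The cluster rule and the directory rule are deliberately independent: the cluster rule catches the re-dropping behaviour anywhere on disk (it would also fire on the Installer NewShortcut stubs if they shared a size, which is why the allow-list check is a separate signal), while the directory rule catches a single foreign print processor that has not yet been re-dropped. Paste the printed `File::` block into CFScript.txt only after the hashes of a sample have been checked the way post #10 does.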

#12 katydidonline

katydidonline
  • Topic Starter

  • Members
  • 43 posts
  • Gender:Female
  • Location:Midwest USA
  • Local time:10:32 PM

Posted 26 July 2010 - 01:52 PM

Hello m0le,

Sorry, I see now I probably shouldn't have done this, but I have run a Webroot scan and an ESET scan since our last communication. Below are those results and then your requested log. I hope I did not mess things up.

WebRoot findings:

Mal/Jafuzzo-A
Mal/TDSSRt-A
Mal/TDSSPk-AD
Troj/FakeAV-BNK
Troj?Java-G
rogue security products
trojan-downloader-java
+ some cookies

ESET findings:

C:\Qoobox\Quarantine\C\Program Files\Defense Center\defcnt.exe.vir a variant of Win32/Kryptik.FLC trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{BFAA719B-281F-45B6-9E39-9D4BB578C2A4}\RP728\A0131844.exe a variant of Win32/Kryptik.FLC trojan cleaned by deleting - quarantined


ComboFix 10-07-24.06 - Larry Gray 07/26/2010 13:19:35.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.545 [GMT -5:00]
Running from: c:\documents and settings\Larry Gray.PC325862970629\Desktop\BleepingComputer\ComFix.exe
Command switches used :: c:\documents and settings\Larry Gray.PC325862970629\Desktop\BleepingComputer\CFScript.txt
AV: Webroot Internet Security Essentials *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}
FW: Webroot Internet Security Essentials *disabled* {63671000-11A2-46DD-BADD-A084CABCDEAE}

FILE ::
"c:\windows\system32\Spool\prtprocs\w32x86\3179i179.dll"
"c:\windows\system32\Spool\prtprocs\w32x86\5u5m5.dll"
"c:\windows\system32\Spool\prtprocs\w32x86\5w55y.dll"
"c:\windows\system32\Spool\prtprocs\w32x86\7aA17e3.dll"
"c:\windows\system32\Spool\prtprocs\w32x86\7qGM7gM.dll"
"c:\windows\system32\Spool\prtprocs\w32x86\93q79c17u.dll"
"c:\windows\system32\Spool\prtprocs\w32x86\AA5k5.dll"
"c:\windows\system32\Spool\prtprocs\w32x86\e5aAA.dll"
"c:\windows\system32\Spool\prtprocs\w32x86\EI17qGMYW.dll"
"c:\windows\system32\Spool\prtprocs\w32x86\iQGM17.dll"
"c:\windows\system32\Spool\prtprocs\w32x86\oC7sKU7m.dll"
"c:\windows\system32\Spool\prtprocs\w32x86\SK17931o9.dll"
"c:\windows\system32\Spool\prtprocs\w32x86\sKUOCE3.dll"
"c:\windows\system32\Spool\prtprocs\w32x86\u55iQ.dll"
"c:\windows\system32\Spool\prtprocs\w32x86\wS1e93179.dll"
.

((((((((((((((((((((((((( Files Created from 2010-06-26 to 2010-07-26 )))))))))))))))))))))))))))))))
.

2010-07-26 16:40 . 2010-07-26 16:40 -------- d-----w- c:\documents and settings\Larry Gray.PC325862970629\Local Settings\Application Data\FixItCenter
2010-07-26 16:27 . 2010-07-26 16:27 -------- d-----w- c:\windows\MATS
2010-07-26 16:26 . 2010-07-26 16:27 -------- d-----w- c:\program files\Microsoft Fix it Center
2010-07-26 15:17 . 2010-07-26 15:17 -------- d-----w- c:\windows\LastGood
2010-07-26 06:33 . 2010-07-26 06:38 -------- d-----w- c:\program files\Windows Live Safety Center
2010-07-26 06:31 . 2010-05-21 19:14 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-07-26 03:36 . 2010-07-26 03:36 503808 ----a-w- c:\documents and settings\Larry Gray.PC325862970629\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-534dd4db-n\msvcp71.dll
2010-07-26 03:36 . 2010-07-26 03:36 499712 ----a-w- c:\documents and settings\Larry Gray.PC325862970629\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-534dd4db-n\jmc.dll
2010-07-26 03:36 . 2010-07-26 03:36 348160 ----a-w- c:\documents and settings\Larry Gray.PC325862970629\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-534dd4db-n\msvcr71.dll
2010-07-26 03:36 . 2010-07-26 03:36 61440 ----a-w- c:\documents and settings\Larry Gray.PC325862970629\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3389b681-n\decora-sse.dll
2010-07-26 03:36 . 2010-07-26 03:36 12800 ----a-w- c:\documents and settings\Larry Gray.PC325862970629\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3389b681-n\decora-d3d.dll
2010-07-26 03:35 . 2010-04-12 22:29 411368 ----a-w- c:\windows\system32\deployJava1.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-26 16:47 . 2006-04-14 03:48 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-26 04:38 . 2006-04-14 04:39 -------- d-----w- c:\program files\Google
2010-07-26 04:12 . 2006-04-14 04:53 103720 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-26 04:11 . 2006-08-11 20:01 -------- d-----w- c:\program files\Common Files\Adobe
2010-07-26 04:06 . 2006-04-14 03:48 -------- d-----w- c:\program files\HPQ
2010-07-26 04:02 . 2009-02-06 14:33 -------- d-----w- c:\program files\Apple Software Update
2010-07-26 03:54 . 2009-10-01 16:05 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2010-07-26 03:46 . 2006-04-14 04:01 -------- d-----w- c:\program files\Common Files\Sonic Shared
2010-07-26 03:43 . 2009-03-29 21:48 -------- d-----w- c:\program files\eMusic Download Manager
2010-07-26 03:43 . 2009-03-29 21:49 -------- d-----w- c:\documents and settings\Larry Gray.PC325862970629\Application Data\eMusic
2010-07-26 03:41 . 2009-11-22 18:10 -------- d-----w- c:\program files\Audacity
2010-07-26 03:36 . 2006-04-14 03:51 -------- d-----w- c:\program files\Common Files\Java
2010-07-26 03:34 . 2006-04-14 03:51 -------- d-----w- c:\program files\Java
2010-07-26 01:33 . 2009-03-25 18:52 -------- d-----w- c:\program files\iTunes
2010-07-26 01:29 . 2009-03-25 18:52 -------- d-----w- c:\program files\iPod
2010-07-26 01:26 . 2006-04-14 04:08 -------- d-----w- c:\program files\GemMaster
2010-07-26 01:17 . 2008-01-07 00:04 -------- d-----w- c:\program files\Common Files\Autodesk Shared
2010-07-26 01:10 . 2009-08-27 22:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-07-25 22:51 . 2008-10-15 19:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-07-17 01:15 . 2006-10-15 14:42 -------- d-----w- c:\program files\Yahoo!
2010-07-16 21:52 . 2009-06-05 17:28 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-24 01:09 . 2010-05-24 01:09 503808 ----a-w- c:\documents and settings\Larry Gray.PC325862970629\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-705ed607-n\msvcp71.dll
2010-05-24 01:09 . 2010-05-24 01:09 348160 ----a-w- c:\documents and settings\Larry Gray.PC325862970629\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-705ed607-n\msvcr71.dll
2010-05-24 01:09 . 2010-05-24 01:09 499712 ----a-w- c:\documents and settings\Larry Gray.PC325862970629\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-705ed607-n\jmc.dll
2010-05-04 17:20 . 2004-08-10 15:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20 . 2004-08-10 15:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20 . 2004-08-10 15:00 17408 ------w- c:\windows\system32\corpol.dll
2010-05-02 05:22 . 2004-08-10 15:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2007-07-22 23:20 . 2006-11-07 22:24 135680 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]
@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"
[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]
2009-09-18 19:02 238968 ----a-w- c:\program files\Webroot\WebrootSecurity\Backup\CtxMenu_1_0_0_10.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-11 344064]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-03-26 49152]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-19 729178]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2005-12-12 94208]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-08-01 233534]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-12-13 507904]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"SpySweeper"="c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe" [2009-09-18 6515784]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0daila

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"427:UDP"= 427:UDP:SLP_Port(427)

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [9/26/2008 4:15 AM 29808]
R1 pwipf6;pwipf6;c:\windows\system32\drivers\pwipf6.sys [10/16/2009 10:49 PM 108880]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [10/19/2009 8:58 AM 1201640]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [8/22/2005 4:06 AM 231424]
S3 FTD2XX;FTD2XX.SYS FT8U2XX device driver;c:\windows\system32\drivers\FTD2XX.sys [4/13/2009 3:30 PM 29292]
S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\Microsoft Fix it Center\Matsvc.exe [4/10/2010 5:05 PM 266544]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MATSVC

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08
.
Contents of the 'Scheduled Tasks' folder

2010-07-26 c:\windows\Tasks\ConfigExec.job
- c:\program files\Microsoft Fix it Center\MatsApi.dll [2010-04-10 22:05]

2010-07-26 c:\windows\Tasks\DataUpload.job
- c:\program files\Microsoft Fix it Center\MatsApi.dll [2010-04-10 22:05]
.
.
------- Supplementary Scan -------
.
mWindow Title = Microsoft Internet Explorer provided by CenturyTel
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-26 13:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(700)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2704)
c:\windows\system32\WININET.dll
c:\program files\Webroot\WebrootSecurity\Backup\CtxMenu_1_0_0_10.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-07-26 13:26:52
ComboFix-quarantined-files.txt 2010-07-26 18:26
ComboFix2.txt 2010-07-25 20:15

Pre-Run: 29,381,529,600 bytes free
Post-Run: 29,490,221,056 bytes free

- - End Of File - - 37E759A35ADAD8EB9A4CE429B38AE486


#13 m0le (Malware Response Team, London, UK)

Posted 26 July 2010 - 05:49 PM

You haven't messed anything up, but running other scans during a fix skews the results because Webroot has picked up a trojan... but it's already in Combofix's quarantine folder.

ESET, which I was going to run next, shows a more interesting picture, which is that it found nothing live.

How is the PC running?
m0le is a proud member of UNITE

#14 katydidonline (Topic Starter)

Posted 26 July 2010 - 07:08 PM

Seems to be running fine now. The only problem I am having is I can't install Security Update for Windows XP (KB2229593). I have tried many times, upgraded to IE8, removed many programs and files no longer needed, and it just keeps saying it cannot install this update. Not sure if it is a big deal or not. The update is downloaded and the gold shield in my system tray keeps telling me I have updates to install, but it will not install.

#15 m0le (Malware Response Team, London, UK)

Posted 26 July 2010 - 07:19 PM

This may help:

http://support.microsoft.com/kb/958050


The clean-up is nearly complete, just the final instructions to go..

You're clean. Good stuff!

Let's do some clearing up

Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
    (For Vista/Windows 7 please click Start -> All Programs -> Accessories -> Run)
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between "Combofix" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything associated with it.


Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double-click the icon to start the program. If you are using Vista, please right-click and choose Run as administrator.
  • Then Click the big button.
  • You will get a prompt saying "Being Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
------------------------------------------------------------------------------------------------------------------------

Here's some advice on how you can keep your PC clean


Use and update your AntiVirus Software

You must have a good antivirus. There are plenty to choose from but I personally recommend the free options of Avast and Avira Antivir. If you want to purchase a security program then I recommend any of the following: AVG, Norton, McAfee, Kaspersky and ESET Nod32.

It is imperative that you update your antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software, it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program, you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version or the Pro version for a 15-day trial period.

Installing this or another recommended program will provide spyware and hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis, just as you would with antivirus software.


Finally, here's a treasure trove of antivirus, antimalware and antispyware resources


That's it, happy surfing!

Cheers.

m0le
m0le is a proud member of UNITE



