

Win32.Downloader.Agent.dlmu


  • This topic is locked
13 replies to this topic

#1 hmstraining

  • Members
  • 6 posts

Posted 28 July 2010 - 07:55 AM

Hello,

I am helping a client of mine (I train her and help support her pc) who cannot log in to work from her home pc as the VPN portal she uses claims she has a virus on her pc. The virus it keeps identifying every time she tries to log in is Win32.downloader.agent.dlmu. Identified as a browser BHO and Trojan. She logs in using the Connectra Portal service which uses Check Point Endpoint Security on Demand to scan her computer for security issues before giving access to the portal. Each time she tries to log in she receives the message "You are not allowed to access the portal, please review the report below for more information and solutions" and the virus is listed as being present on the computer both as a BHO and Trojan.

She has Norton Internet Security installed on the computer with all its protection working and there is no sign of a virus from that, even after a complete system scan. I have also run Malwarebytes, SuperAntiSpyware and F-Secure online scanner. Malwarebytes identified the trojan, found 7 files and deleted them (I kept a log of the files found). SuperAntiSpyware and subsequently F-Secure picked up some "viruses", mostly tracking and adware cookies, and deleted them. However, the work portal still absolutely refuses to let her log on and says the virus is still present.

I would be really grateful if you could have a look at the log files and let me know whether the virus is indeed still present and help me remove it.

Here is a HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:07:47, on 27/07/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\CheckPoint\SSL Network Extender\slimsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Margaret\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
E:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig?hl=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\IPSBHO.DLL
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Margaret\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1220883534921
O16 - DPF: {B4CB50E4-0309-4906-86EA-10B6641C8392} (SlimClient Class) - https://remote.fos.org.uk//SNX/CSHELL/extender.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BabelgumUpdater - Unknown owner - C:\Program Files\Babelgum Player\babelgumupdater_service.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Check Point SSL Network Extender (cpextender) - Check Point Software Technologies - C:\Program Files\CheckPoint\SSL Network Extender\slimsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 8322 bytes


I have attached the mbam txt file showing the files found and deleted, and the gmer log as requested in your forum instructions. Thanks so much for any help you can provide.


Edited by hamluis, 28 July 2010 - 09:04 AM.
Moved from XP forum to Malware Removal Logs ~ Hamluis.
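An added example (not code from the thread, and not HijackThis itself): a small Python parser for the O2, O4 and O23 line formats in the log above, with three defender-side triage heuristics. The sample lines are copied in shape from that log; the trusted-root list is an assumption about a default XP layout.

```python
"""Triage helper for HijackThis v2 log lines (O2 BHOs, O4 autoruns, O23 services).

Added example, not code from the thread or from Trend Micro's HijackThis. It parses
the line formats seen in the log posted above and applies three triage heuristics;
a hit is a prompt to inspect the file, not a verdict that it is malware.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: line shapes, paths and CLSIDs copied from the log posted above.
SAMPLE_LOG = """\
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelperShim.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\\Program Files\\Norton Internet Security\\Engine\\16.8.0.41\\coIEPlg.dll
O4 - HKLM\\..\\Run: [IntelWireless] C:\\Program Files\\Intel\\Wireless\\Bin\\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKCU\\..\\Run: [Google Update] "C:\\Documents and Settings\\Margaret\\Local Settings\\Application Data\\Google\\Update\\GoogleUpdate.exe" /c
O4 - Global Startup: Bluetooth Manager.lnk = ?
O23 - Service: BabelgumUpdater - Unknown owner - C:\\Program Files\\Babelgum Player\\babelgumupdater_service.exe
O23 - Service: EvtEng - Intel Corporation - C:\\Program Files\\Intel\\Wireless\\Bin\\EvtEng.exe
"""

# Assumption: directories a default XP install keeps its own binaries in. Anything
# loading from elsewhere (user profile, Temp) deserves a second look.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")


@dataclass
class Entry:
    kind: str                     # "O2", "O4" or "O23"
    name: str                     # BHO name, autorun value name or service name
    path: Optional[str]           # resolved executable/DLL path, None if unknown
    vendor: Optional[str] = None  # O23 only
    clsid: Optional[str] = None   # O2 only


@dataclass
class Finding:
    entry: Entry
    reason: str


_O2 = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
_O4_RUN = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
_O4_STARTUP = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<target>.+)$")
_O23 = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")


def _exe_from_command(cmd: str) -> Optional[str]:
    """Strip arguments from an O4 command line, handling quoted and bare paths."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else None
    m = re.match(r"^(.+?\.exe)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ")[0]


def parse_entries(text: str) -> List[Entry]:
    """Turn O2/O4/O23 lines into Entry objects; other line types are ignored."""
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        if m := _O2.match(line):
            entries.append(Entry("O2", m["name"], m["path"], clsid=m["clsid"]))
        elif m := _O4_RUN.match(line):
            entries.append(Entry("O4", m["name"], _exe_from_command(m["cmd"])))
        elif m := _O4_STARTUP.match(line):
            target = m["target"].strip()
            entries.append(Entry("O4", m["name"], None if target == "?" else target))
        elif m := _O23.match(line):
            entries.append(Entry("O23", m["name"], m["path"], vendor=m["vendor"]))
    return entries


def triage(entries: List[Entry]) -> List[Finding]:
    """Apply the three heuristics; at most one Finding per entry."""
    findings: List[Finding] = []
    for e in entries:
        if e.kind == "O23" and e.vendor == "Unknown owner":
            findings.append(Finding(e, "service binary carries no vendor information"))
        elif e.path is None:
            findings.append(Finding(e, "autorun target could not be resolved"))
        elif not e.path.lower().startswith(TRUSTED_ROOTS):
            findings.append(Finding(e, "binary loads from outside Program Files/Windows"))
    return findings


def triage_log(text: str) -> List[Finding]:
    return triage(parse_entries(text))


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.entry.kind:3} {f.entry.name}: {f.reason} ({f.entry.path})")
```

On this sample the user-profile path of Google Update trips the location heuristic even though it is a legitimate updater, which is why each hit is a prompt to check the file rather than a verdict.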



#2 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 07 August 2010 - 12:54 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below I will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


And

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.


Then

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
m0le is a proud member of UNITE

#3 hmstraining (Topic Starter)

Posted 09 August 2010 - 09:07 AM

Hi, I haven't fixed the issue yet and will post the logs etc requested later today. Just to let you know that I'd like to keep the topic open. Thanks.


#4 m0le

Posted 09 August 2010 - 05:30 PM

(thumbs-up emoticon)

#5 hmstraining (Topic Starter)

Posted 09 August 2010 - 05:41 PM

Hello, further to my original post, here is the gmer log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-09 23:31:04
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Margaret\LOCALS~1\Temp\pxtdypoc.sys


---- System - GMER 1.0.15 ----

SSDT 863D8790 ZwAlertResumeThread
SSDT 863D8870 ZwAlertThread
SSDT 863D8FC0 ZwAllocateVirtualMemory
SSDT 863D48D8 ZwAssignProcessToJobObject
SSDT 86D228A0 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xF1951130]
SSDT 863D4E80 ZwCreateMutant
SSDT 863D46F8 ZwCreateSymbolicLinkObject
SSDT 86CFEF10 ZwCreateThread
SSDT 863D49B8 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xF19513B0]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xF1951910]
SSDT 86398798 ZwDuplicateObject
SSDT 863D8E20 ZwFreeVirtualMemory
SSDT 863D4F70 ZwImpersonateAnonymousToken
SSDT 863D86B0 ZwImpersonateThread
SSDT 86F8A008 ZwLoadDriver
SSDT 863D8D40 ZwMapViewOfSection
SSDT 863D4DA0 ZwOpenEvent
SSDT 86398938 ZwOpenProcess
SSDT 863986D8 ZwOpenProcessToken
SSDT 863D4BE0 ZwOpenSection
SSDT 86398868 ZwOpenThread
SSDT 863D47E8 ZwProtectVirtualMemory
SSDT 863971F8 ZwResumeThread
SSDT 863D8AF0 ZwSetContextThread
SSDT 863D8BB0 ZwSetInformationProcess
SSDT 863D4A98 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xF1951B60]
SSDT 863D4CC0 ZwSuspendProcess
SSDT 863D8950 ZwSuspendThread
SSDT 86386658 ZwTerminateProcess
SSDT 863D8A30 ZwTerminateThread
SSDT 863D8C80 ZwUnmapViewOfSection
SSDT 863D8EF0 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2590 80501DC8 4 Bytes CALL 06D65B14
? SYMEFA.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[2728] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154C5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2728] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AC9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2728] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD0ED C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2728] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB1C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2728] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25467C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2728] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E480F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2728] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4741 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2728] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E47AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2728] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4612 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2728] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4674 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2728] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4872 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2728] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E46D6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2728] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2EDB78 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2728] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4B77 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3404] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154C5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3404] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB1C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3404] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E480F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3404] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4741 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3404] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E47AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3404] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4612 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3404] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4674 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3404] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4872 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3404] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E46D6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Internet Explorer\iexplore.exe[2728] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device ED770D20

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


I ran defogger, the DDS.scr files are attached. There's no archiving software on this pc, I hope you don't mind me uploading the uncompressed files.

Since my original post I have also installed a trial version of Zone Alarm as this is the software used by the Connectra Portal to identify viruses on the computer before allowing access to the work servers. Again the updated version of the software ran without finding any trace of a virus. I have since uninstalled it as I couldn't continue running it alongside Norton.

I would love to know if there is a virus still on the pc and if so how to go about removing it. Thanks very much for any help you can provide.


#6 m0le

Posted 09 August 2010 - 06:12 PM

MBAM seems to have removed the majority of this infection.

GMER shows no rootkit, so is it right that the only symptom left is the quote at the top of your topic?

QUOTE
The virus it keeps identifying every time she tries to log in is Win32.downloader.agent.dlmu.



Please run Combofix

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#7 hmstraining (Topic Starter)

Posted 10 August 2010 - 06:39 AM

Yes, that is right. There are no other symptoms apart from being unable to log in to the VPN control panel, as the security scan done by Connectra reports that there are still some virus-infected files present. I agree MBAM dealt with most of the virus, but perhaps not all? I will post the ComboFix scan results later. Thanks so much for looking at this problem.

#8 m0le

Posted 10 August 2010 - 12:09 PM

There's also a possibility that Connectra is reporting falsely.

#9 m0le

Posted 14 August 2010 - 07:58 AM

Hi,

I have not had a reply from you for 3 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC making it more difficult to help you.

If you like you can PM me.

Thanks,


m0le

#10 hmstraining (Topic Starter)

Posted 14 August 2010 - 08:55 AM

Hi, sorry, I have been away for a few days. Didn't realise you couldn't help others if this topic is left open. I had thought myself that the Connectra portal could be reporting falsely, but it's difficult to prove it. Hence my contacting you for help. Just doing the ComboFix scan so will post as soon as it's finished.

#11 hmstraining (Topic Starter)

Posted 14 August 2010 - 09:06 AM

Hi, here's the ComboFix log. It found a file called fad.sys in the system32\drivers folder, perhaps that's it. Strange that the other scans did not pick this up. Will let you know if the Connectra portal is still reporting a trojan/hijacker present.

ComboFix 10-08-12.03 - Margaret 14/08/2010 14:54:34.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.530 [GMT 1:00]
Running from: c:\documents and settings\Margaret\Desktop\comfix.exe
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Margaret\Local Settings\Temporary Internet Files\907.tmp
c:\documents and settings\Margaret\Local Settings\Temporary Internet Files\908.tmp
c:\documents and settings\Margaret\Local Settings\Temporary Internet Files\90E.tmp
c:\documents and settings\Margaret\Local Settings\Temporary Internet Files\90F.tmp
c:\documents and settings\Margaret\Local Settings\Temporary Internet Files\910.tmp
c:\documents and settings\Margaret\Local Settings\Temporary Internet Files\914.tmp
c:\documents and settings\Margaret\Local Settings\Temporary Internet Files\915.tmp
c:\documents and settings\Margaret\Local Settings\Temporary Internet Files\916.tmp
c:\documents and settings\Margaret\Local Settings\Temporary Internet Files\91B.tmp
c:\documents and settings\Margaret\Local Settings\Temporary Internet Files\91C.tmp
c:\documents and settings\Margaret\Local Settings\Temporary Internet Files\91D.tmp
c:\documents and settings\Margaret\Local Settings\Temporary Internet Files\B2.tmp
c:\documents and settings\Margaret\Local Settings\Temporary Internet Files\B3.tmp
c:\documents and settings\Margaret\Local Settings\Temporary Internet Files\B4.tmp
c:\documents and settings\Margaret\Local Settings\Temporary Internet Files\SLC_Margaret.prx
c:\windows\system32\drivers\fad.sys

.
((((((((((((((((((((((((( Files Created from 2010-07-14 to 2010-08-14 )))))))))))))))))))))))))))))))
.

2010-08-14 13:37 . 2010-08-14 13:37 -------- d-----w- c:\windows\LastGood
2010-08-09 19:44 . 2010-08-09 19:44 -------- d-----w- c:\windows\Internet Logs
2010-08-04 13:37 . 2010-08-04 13:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky SDK
2010-08-04 13:34 . 2010-08-04 13:34 -------- d-----w- c:\documents and settings\Margaret\Downloads
2010-08-04 13:08 . 2010-08-04 13:08 -------- d-----w- c:\documents and settings\Margaret\Application Data\CheckPoint
2010-08-04 13:07 . 2010-08-04 13:07 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-07-27 16:09 . 2010-07-27 16:09 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2010-07-27 14:47 . 2010-07-27 14:47 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-07-27 10:56 . 2010-07-17 04:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-27 10:47 . 2010-07-27 10:48 -------- d-----w- c:\documents and settings\Margaret\Local Settings\Application Data\Temp
2010-07-26 10:00 . 2010-07-26 10:00 -------- d-----w- c:\documents and settings\Margaret\Application Data\Malwarebytes
2010-07-26 09:59 . 2010-07-26 09:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-26 09:59 . 2010-08-04 13:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-26 09:51 . 2004-08-04 05:00 185344 ----a-w- c:\windows\system32\Thawbrkr.dll
2010-07-26 09:51 . 2004-08-04 05:00 185344 ----a-w- c:\windows\system32\dllcache\thawbrkr.dll
2010-07-26 09:51 . 2004-08-04 05:00 10752 ----a-w- c:\windows\system32\dllcache\c_iscii.dll
2010-07-26 09:51 . 2004-08-04 05:00 10752 ----a-w- c:\windows\system32\c_iscii.dll
2010-07-26 09:51 . 2004-08-04 05:00 5632 ----a-w- c:\windows\system32\kbdusa.dll
2010-07-26 09:51 . 2004-08-04 05:00 5632 ----a-w- c:\windows\system32\dllcache\kbdusa.dll
2010-07-26 09:51 . 2004-08-04 05:00 6144 ----a-w- c:\windows\system32\ftlx041e.dll
2010-07-26 09:51 . 2004-08-04 05:00 6144 ----a-w- c:\windows\system32\dllcache\ftlx041e.dll
2010-07-15 20:46 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-09 19:43 . 2010-05-18 09:23 -------- d-----w- c:\program files\CheckPoint
2010-08-04 08:26 . 2006-04-20 13:58 83168 ----a-w- c:\documents and settings\Margaret\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-04 08:11 . 2010-05-01 08:24 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-27 10:58 . 2006-03-08 14:40 -------- d-----w- c:\program files\Common Files\Java
2010-07-27 10:56 . 2006-03-08 14:40 -------- d-----w- c:\program files\Java
2010-07-26 10:45 . 2006-04-20 14:31 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-07-26 10:43 . 2006-03-08 14:42 -------- d-----w- c:\program files\Modem Helper
2010-07-26 10:42 . 2006-08-19 16:28 -------- d-----w- c:\program files\Canon
2010-07-26 10:41 . 2006-05-02 08:37 -------- d-----w- c:\program files\Common Files\Cloudmark
2010-07-26 10:41 . 2008-03-24 14:24 -------- d-----w- c:\documents and settings\Margaret\Application Data\Cloudmark
2010-07-26 10:39 . 2006-03-08 14:42 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-26 09:42 . 2006-11-20 11:32 -------- d-----w- c:\program files\Google
2010-06-14 14:31 . 2004-08-11 17:12 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-05-22 08:02 . 2010-05-22 08:02 503808 ----a-w- c:\documents and settings\Margaret\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-7892961e-n\msvcp71.dll
2010-05-22 08:02 . 2010-05-22 08:02 499712 ----a-w- c:\documents and settings\Margaret\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-7892961e-n\jmc.dll
2010-05-22 08:02 . 2010-05-22 08:02 348160 ----a-w- c:\documents and settings\Margaret\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-7892961e-n\msvcr71.dll
2010-05-22 08:01 . 2010-05-22 08:01 12800 ----a-w- c:\documents and settings\Margaret\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-29e1a3d4-n\decora-d3d.dll
2010-05-22 08:01 . 2010-05-22 08:01 61440 ----a-w- c:\documents and settings\Margaret\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-29e1a3d4-n\decora-sse.dll
2010-05-18 09:23 . 2010-05-18 09:23 4710 ----a-r- c:\documents and settings\Margaret\Application Data\Microsoft\Installer\{16c325ce-5866-47aa-9b0b-505fb9bcc85c}\ARPPRODUCTICON.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Margaret\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-07-27 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-12 344064]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-09-01 684032]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2004-12-22 45056]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-3-8 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 16:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\CheckPoint\\SSL Network Extender\\slimsvc.exe"=

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1008000.029\SymEFA.sys [05/02/2010 09:35 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NIS\1008000.029\BHDrvx86.sys [05/02/2010 09:35 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1008000.029\cchpx86.sys [05/02/2010 09:35 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100813.004\IDSXpx86.sys [14/08/2010 14:43 331640]
R2 cpextender;Check Point SSL Network Extender;c:\program files\CheckPoint\SSL Network Extender\slimsvc.exe [14/01/2009 13:14 353680]
R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe [05/02/2010 09:35 117640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [28/05/2010 08:00 102448]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [08/03/2006 15:28 87936]
R3 VNA;Check Point Virtual Network Adapter;c:\windows\system32\drivers\vna.sys [14/01/2009 13:14 126808]
S2 BabelgumUpdater;BabelgumUpdater;c:\program files\Babelgum Player\babelgumupdater_service.exe [05/02/2009 10:19 13624]
.
Contents of the 'Scheduled Tasks' folder

2010-08-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1678097689-829710657-4205621924-1005Core.job
- c:\documents and settings\Margaret\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-27 10:47]

2010-08-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1678097689-829710657-4205621924-1005UA.job
- c:\documents and settings\Margaret\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-27 10:47]

2010-08-14 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 15:07]

2010-08-14 c:\windows\Tasks\User_Feed_Synchronization-{304B8C87-422D-4495-9D90-8F94496DD85A}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 03:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: {B4CB50E4-0309-4906-86EA-10B6641C8392} - hxxps://remote.fos.org.uk//SNX/CSHELL/extender.cab
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
HKLM-Run-ISW - c:\program files\CheckPoint\ZAForceField\ForceField.exe
HKU-Default-Run-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-14 14:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d3,43,bf,19,d9,28,17,48,84,b0,c1,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d3,43,bf,19,d9,28,17,48,84,b0,c1,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(288)
c:\windows\system32\Ati2evxx.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
Completion time: 2010-08-14 15:01:24
ComboFix-quarantined-files.txt 2010-08-14 14:01

Pre-Run: 22,289,874,944 bytes free
Post-Run: 23,698,800,640 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - C91CC0341FF8B55014064C9F613F8867


#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:11:09 PM

Posted 14 August 2010 - 04:45 PM

Fad.sys is an adware hijacker so your problems should have stopped or at least eased.

The log looks clean, just a few permissions to reset


Rerun Combofix, as below

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

QUOTE
RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]


Save this as CFScript.txt, in the same location as ComboFix.exe (called ComboFix.exe in the below graphic)




Referring to the picture above, drag CFScript into ComboFix.exe

If the program requests that you update ComboFix, click Yes.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Then please run ESET's online scan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Leave the top box checked and then check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
m0le is a proud member of UNITE
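The RegLock:: script in the reply above was assembled by hand from the 'LOCKED REGISTRY KEYS' section of the ComboFix log. As an added example (not ComboFix's own code and not posted by anyone in this thread), the Python below parses that section and renders the same kind of CFScript; the parsing rules are an assumption drawn from the log format shown, and the sample input is an abridged copy of the log's own entries.

```python
"""Parse the 'LOCKED REGISTRY KEYS' section of a ComboFix log and emit the
RegLock:: CFScript that resets those keys' permissions.

Added example, not ComboFix's own code and not from the thread. The parsing
rules are an assumption drawn from the log format shown above: a banner line,
then '[KEY]' blocks, with '@Denied:' marking an ACL deny entry on that key."""
import re

SECTION_BANNER = "LOCKED REGISTRY KEYS"
KEY_LINE = re.compile(r"^\[(HKEY_[^\]]+)\]\s*$")

# Abridged copy of the section from the log above (three locked trees).
SAMPLE_LOG = r"""
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
"""

def parse_locked_keys(log_text):
    """Return [(key, denied)] for every key under the banner, in log order.
    'denied' is True when the key itself carries an @Denied: ACL entry;
    ComboFix also lists the locked key's subkeys, and the reply above
    resets all of them, so every key is kept."""
    keys, inside = [], False
    for line in log_text.splitlines():
        if SECTION_BANNER in line:
            inside = True
        elif inside and line.startswith("-----"):
            break  # next banner: end of the section
        elif inside:
            m = KEY_LINE.match(line)
            if m:
                keys.append([m.group(1), False])
            elif line.startswith("@Denied:") and keys:
                keys[-1][1] = True
    return [tuple(k) for k in keys]

def build_cfscript(log_text):
    """Render the RegLock:: block in the form used in the reply above."""
    return "RegLock::\n" + "".join(f"[{k}]\n" for k, _ in parse_locked_keys(log_text))

if __name__ == "__main__":
    print(build_cfscript(SAMPLE_LOG))
```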

#13 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:11:09 PM

Posted 16 August 2010 - 07:09 PM

You still there? :)
m0le is a proud member of UNITE

#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:11:09 PM

Posted 18 August 2010 - 07:44 PM

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE



