Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Need help getting rid of "Security Essentials 11" virus


  • This topic is locked This topic is locked
14 replies to this topic

#1 FrankOtheMountaiN

FrankOtheMountaiN

  • Members
  • 514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NY
  • Local time:12:12 AM

Posted 30 September 2010 - 07:09 PM

mbytes got rid of 106 items (!) Thanks for the help.

Here's my hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 8:08:33 PM, on 9/30/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32csrss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSsystem32logonui.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSsystem32spoolsv.exe
C:WINDOWSsystem32svchost.exe
C:Program FilesSymantecGhostngserver.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSsystem32csrss.exe
C:WINDOWSsystem32winlogon.exe
C:Program FilesSymantecGhostbindbserv.exe
C:Program FilesSymantecGhostbinrteng9.exe
C:WINDOWSSystem32alg.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSsystem32csrss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32rdpclip.exe
C:WINDOWSExplorer.EXE
C:WINDOWSsystem32ctfmon.exe
C:WINDOWSsystem32logon.scr
D:FrankUTILITY SETUP01-killers and cleanershijackthisHijackThis.exe

R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLMSoftwareMicrosoftInternet ExplorerMain,Start Page = http://www.gooofullsearch.com/
R1 - HKCUSoftwareMicrosoftWindowsCurrentVersionInternet Settings,ProxyServer = localhost:8118
R0 - HKCUSoftwareMicrosoftInternet ExplorerToolbar,LinksFolderName = Favorites
O2 - BHO: C:WINDOWSsystem32v3yd8.dll - {D6BA40A1-A502-59BD-F413-04B03A2C8953} - C:WINDOWSsystem32v3yd8.dll (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:Program FilesJavajre6binjp2ssv.dll
O4 - HKLM..Run: [MSConfig] C:WINDOWSPCHEALTHHELPCTRBinariesmsconfig.exe /auto
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:PROGRA~1MICROS~2Office12EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:PROGRA~1MICROS~3OFFICE11REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%Network Diagnosticxpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%Network Diagnosticxpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O16 - DPF: ATLApplicationLocatorAXInstall - http://192.168.0.136/LaunchVCPC.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.2.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1261164601062
O16 - DPF: {7E866715-C9B6-4C64-AAB8-342E0D137213} (DVR4204 Client Control) - http://192.168.0.51/EDVR.CAB
O16 - DPF: {CCDA56E6-AE8D-4A43-846F-EE464650864A} (WebView Control) - http://192.168.0.100/WebView.cab
O17 - HKLMSystemCCSServicesTcpip..{36F3399F-AC03-4CE2-A2DB-9F6FBCF714A5}: NameServer = 192.168.1.1
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:Program FilesCommon FilesMicrosoft SharedHelphxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:PROGRA~1COMMON~1MICROS~1OFFICE12MSOXMLMF.DLL
O20 - Winlogon Notify: dimsntfy - %SystemRoot%System32dimsntfy.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:WINDOWSSYSTEM32igfxsrvc.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:WINDOWSsystem32WPDShServiceObj.dll
O23 - Service: Symantec Ghost Database Service Wrapper (NGDBSERV) - Symantec Corporation - C:Program FilesSymantecGhostbindbserv.exe
O23 - Service: Symantec Ghost Configuration Server (NGSERVER) - Symantec Corporation - C:Program FilesSymantecGhostngserver.exe

Anything to remove?

The only thing I still see that is weird is sys restore is still disabled. No tab.
If anyone knows the reg key and/or group policy location, please tell, thanks!!
This is a great community.

Crap, I rebooted and it grew back again.
I could really use some help.

new hijackthis log:


Logfile of HijackThis v1.99.1
Scan saved at 8:42:39 PM, on 9/30/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32csrss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSsystem32logonui.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSsystem32spoolsv.exe
C:WINDOWSsystem32svchost.exe
C:Program FilesSymantecGhostngserver.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSsystem32svchost.exe
C:Program FilesSymantecGhostbindbserv.exe
C:Program FilesSymantecGhostbinrteng9.exe
C:WINDOWSSystem32alg.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSsystem32csrss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32smss32.exe
C:WINDOWSExplorer.exe
C:WINDOWSPCHEALTHHELPCTRBinariesmsconfig.exe
C:WINDOWSSystem32logon.scr
C:WINDOWSsystem32csrss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32rdpclip.exe
C:WINDOWSExplorer.EXE
C:WINDOWSsystem32smss32.exe
C:Program FilesSecEssSE11.exe
C:Program FilesMalwarebytes' Anti-Malwarembam.exe
C:Documents and SettingsAll UsersApplication Datap8uo5LY6.exe
C:Program FilesInternet Exploreriexplore.exe
D:FrankUTILITY SETUP01-killers and cleanershijackthisHijackThis.exe

R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLMSoftwareMicrosoftInternet ExplorerMain,Start Page = http://www.gooofullsearch.com/
R1 - HKCUSoftwareMicrosoftWindowsCurrentVersionInternet Settings,ProxyServer = localhost:8118
R0 - HKCUSoftwareMicrosoftInternet ExplorerToolbar,LinksFolderName = Favorites
F2 - REG:system.ini: UserInit=C:WINDOWSsystem32winlogon32.exe
O2 - BHO: C:WINDOWSsystem32v3yd8.dll - {D6BA40A1-A502-59BD-F413-04B03A2C8953} - C:WINDOWSsystem32v3yd8.dll (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:Program FilesJavajre6binjp2ssv.dll
O4 - HKLM..Run: [smss32.exe] C:WINDOWSsystem32smss32.exe
O4 - HKCU..Run: [smss32.exe] C:WINDOWSsystem32smss32.exe
O4 - HKCU..Run: [SE11] C:Program FilesSecEssSE11.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:PROGRA~1MICROS~2Office12EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:PROGRA~1MICROS~3OFFICE11REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%Network Diagnosticxpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%Network Diagnosticxpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O10 - Unknown file in Winsock LSP: c:windowssystem32helpers32.dll
O10 - Unknown file in Winsock LSP: c:windowssystem32helpers32.dll
O15 - Trusted Zone: http://*.download-soft-package.com
O15 - Trusted Zone: http://*.download-software-package.com
O15 - Trusted Zone: http://*.fastestdeploy.com
O15 - Trusted Zone: http://*.get-key-se10.com
O15 - Trusted Zone: http://*.is-software-download.com
O15 - Trusted Zone: http://*.fastestdeploy.com (HKLM)
O15 - Trusted Zone: http://*.get-key-se10.com (HKLM)
O16 - DPF: ATLApplicationLocatorAXInstall - http://192.168.0.136/LaunchVCPC.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.2.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1261164601062
O16 - DPF: {7E866715-C9B6-4C64-AAB8-342E0D137213} (DVR4204 Client Control) - http://192.168.0.51/EDVR.CAB
O16 - DPF: {CCDA56E6-AE8D-4A43-846F-EE464650864A} (WebView Control) - http://192.168.0.100/WebView.cab
O17 - HKLMSystemCCSServicesTcpip..{36F3399F-AC03-4CE2-A2DB-9F6FBCF714A5}: NameServer = 192.168.1.1
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:Program FilesCommon FilesMicrosoft SharedHelphxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:PROGRA~1COMMON~1MICROS~1OFFICE12MSOXMLMF.DLL
O20 - Winlogon Notify: dimsntfy - %SystemRoot%System32dimsntfy.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:WINDOWSSYSTEM32igfxsrvc.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:WINDOWSsystem32WPDShServiceObj.dll
O23 - Service: Symantec Ghost Database Service Wrapper (NGDBSERV) - Symantec Corporation - C:Program FilesSymantecGhostbindbserv.exe
O23 - Service: Symantec Ghost Configuration Server (NGSERVER) - Symantec Corporation - C:Program FilesSymantecGhostngserver.exe

I am assuming that this is the place to continue with my problem.
I got your note about not touching anything, but I did already before I got your note.
I deleted the se11 folder, took it out of msconfig, and rebooted.
The startup appears clean.
Let me know if I should post a new hijack this log.
thank you

EDIT: Posts merged. No need for a new log yet. ~BP

Edited by Budapest, 30 September 2010 - 10:33 PM.


Frank O' The Mountain
Doing more stupid before 5AM than most people do all day.


BC AdBot (Login to Remove)

 


#2 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,770 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:07:12 AM

Posted 05 October 2010 - 06:59 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. In the custom scan box paste the following:
    CODE
    msconfig
    safebootminimal
    activex
    drivers32
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    nvraid.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90
  6. Push the button.
  7. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt<--Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#3 FrankOtheMountaiN

FrankOtheMountaiN
  • Topic Starter

  • Members
  • 514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NY
  • Local time:12:12 AM

Posted 05 October 2010 - 08:56 AM

OTL is hanging up/crashing while scanning "firefox settings"

Frank O' The Mountain
Doing more stupid before 5AM than most people do all day.


#4 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,770 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:07:12 AM

Posted 05 October 2010 - 09:17 AM

Hi,

could you please rerun the scan with DDS then for me.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#5 FrankOtheMountaiN

FrankOtheMountaiN
  • Topic Starter

  • Members
  • 514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NY
  • Local time:12:12 AM

Posted 05 October 2010 - 11:25 AM

Sorry, I'm not sure what DDS is.

Summary: Got a virus package while browsing which included Security Essentials 11 and Antimalware.
I was able to stop the fake scan popups with rkill, and ran Malware Bytes twice.
I manually deleted SE11 from program files.
I thought all was gone, but when I rebooted a few days later, antimalware came back.
Takes out folder options, taskmanager, and regedit. Also makes tons of scheduled tasks.
There were hidden exes in windows root, sys 32, and user temp folder.
Virus exes use same names as critical system processes, so it's hard to kill.
There are multiple versions of common processes running.
I was able to run taskman by copying it and renaming it.
I was able to get into gpedit and restore folder options, but it kept disabling it again.
MSconfig gets filled with entries, and it regenerate them as soon as you disable them.
I ran ccleaner often, deleted what I could while running Mbytes.
Ran Mbytes again. Mbytes appears to have deleted all bad stuff.
I am worried that there is still a trace somewhere and that it will grow back again.
It also disabled sys restore, removing all points.
I deleted the scheduled tasks and msconfig startup is empty now after reboot.

Thanks for your help, Frank

Edited by FrankOtheMountaiN, 05 October 2010 - 01:42 PM.


Frank O' The Mountain
Doing more stupid before 5AM than most people do all day.


#6 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,770 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:07:12 AM

Posted 06 October 2010 - 03:21 AM

Hi,

I'm sorry I thought I had seen a DDS log in your first post. Please run DDS then:
Please run a scan with DDS:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
    DDS.scr
    DDS.pif
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.


Information on A/V control HERE

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#7 FrankOtheMountaiN

FrankOtheMountaiN
  • Topic Starter

  • Members
  • 514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NY
  • Local time:12:12 AM

Posted 06 October 2010 - 09:20 AM

Both logs are in zip file.

Other notes:------------------------------------------------------------------------------------------------

Preferred DNS Server address was removed, disabling internet browsers. I put the # back in/now back online.

System running slowly over-all

Getting scvhost.exe popup errors randomly and at startup. When this happens, the system becomes unresponsive, and a hard restart is required:
Application popup: svchost.exe - Application Error : The instruction at "0x7c923845" referenced memory at "0x00000000". The memory could not be "read".

DrWatson also ran in the background for like 15 mins.

Starting to get them reinstall blues...

Frank

Edited by FrankOtheMountaiN, 06 October 2010 - 09:24 AM.


Frank O' The Mountain
Doing more stupid before 5AM than most people do all day.


#8 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,770 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:07:12 AM

Posted 07 October 2010 - 02:48 AM

Hi,

if you are open to reformatting (not just repair installing) the OS, this is frequently the best way to go, as many infections nowadays are backdoors.
They allow hackers to remotely control your computer, steal critical system information and download and execute files.

Though those trojans can be killed, because of their's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards.

If you would rather try to clean, please run ComboFix next:
Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable isable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools
    Usually this can be done via a right click on the System Tray icon, check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#9 FrankOtheMountaiN

FrankOtheMountaiN
  • Topic Starter

  • Members
  • 514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NY
  • Local time:12:12 AM

Posted 07 October 2010 - 08:31 AM

Hi Myrti, here's the Combofix log:

ComboFix 10-10-06.02 - Administrator 10/07/2010 9:09.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.759.532 [GMT -4:00]
Running from: d:\frank\UTILITY SETUP\01-killers and cleaners\combofix\combofix 6-2-10\ComboFix.exe
. <<<added note, I updated cfix to current>>>

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\7EB69134C92CDBCC4FF1A22944E3A22B
c:\documents and settings\Administrator\Application Data\7EB69134C92CDBCC4FF1A22944E3A22B\coreappsetup700.exe
c:\documents and settings\Administrator\Application Data\7EB69134C92CDBCC4FF1A22944E3A22B\enemies-names.txt
c:\documents and settings\Administrator\Application Data\7EB69134C92CDBCC4FF1A22944E3A22B\local.ini
c:\documents and settings\Administrator\Application Data\7EB69134C92CDBCC4FF1A22944E3A22B\lsrslt.ini
c:\documents and settings\Administrator\Application Data\7EB69134C92CDBCC4FF1A22944E3A22B\synt700isorelease00.exe
c:\documents and settings\Administrator\Application Data\inst.exe
c:\documents and settings\Administrator\Application Data\jsdfgs.bat
c:\documents and settings\Administrator\Application Data\srsf.bat
c:\documents and settings\Administrator\GoToAssistDownloadHelper.exe
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\All Users\Application Data\p8uo5LY6.exe
c:\program files\Mozilla Firefox\searchplugins\google_search.xml
C:\rundllxxxx.exe
c:\rundllxxxx.exe\config.bin
c:\rundllxxxx.exe\rundllxxxx.exe
c:\windows\system32\18467.exe
c:\windows\system32\cacletup.dll
c:\windows\system32\micr0st.dll
c:\windows\system32\msvcsv60.dll
c:\windows\system32\spool\prtprocs\w32x86\eIQ3w7.dll
c:\windows\system32\winlogon.bak

----- BITS: Possible infected sites -----

hxxp://www.samischeater.com
Infected copy of c:\windows\system32\drivers\i8042prt.sys was found and disinfected
Restored copy from - Kitty had a snack tongue.gif
Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe

Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\explorer.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4


((((((((((((((((((((((((( Files Created from 2010-09-07 to 2010-10-07 )))))))))))))))))))))))))))))))
.

2010-10-07 12:46 . 2010-10-07 12:46 389120 ----a-w- c:\windows\system32\CF1085.exe
2010-10-05 13:31 . 2007-09-02 01:34 10989568 ----a-w- c:\windows\system32\shell31.dll
2010-10-05 00:09 . 2010-10-05 00:09 38257 ----a-w- c:\documents and settings\Administrator\Application Data\Genieo\Application\Partner\uninstall\homeyNews\partner_uninstall.exe
2010-10-05 00:06 . 2010-10-05 00:06 67072 --sha-r- c:\windows\system32\sessmgr6.dll
2010-10-04 20:34 . 2010-10-04 20:34 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-10-04 20:34 . 2010-10-04 20:34 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-10-02 13:38 . 2010-10-02 13:39 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-10-01 00:38 . 2010-10-01 03:20 -------- d-----w- c:\program files\SecEss
2010-09-30 19:27 . 2008-04-14 00:12 146432 ----a-w- c:\windows\Copy of regedit.exe
2010-09-30 19:13 . 2010-09-30 19:13 38252 ----a-w- c:\documents and settings\Administrator\Application Data\Genieo\Application\Partner\uninstall\myHomey\partner_uninstall.exe
2010-09-30 19:13 . 2010-09-30 19:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\Genieo
2010-09-30 19:13 . 2010-10-05 13:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
2010-09-19 10:46 . 2010-09-19 10:46 455552 ----a-w- c:\documents and settings\Administrator\Application Data\Genieo\Application\Updater\genieo_temp\InstallMyHomey.exe
2010-09-19 10:45 . 2010-09-19 10:45 455552 ----a-w- c:\documents and settings\Administrator\Application Data\Genieo\Application\Updater\genieo_temp\InstallHomeyNews.exe
2010-09-19 10:45 . 2010-09-19 10:45 318952 ----a-w- c:\documents and settings\Administrator\Application Data\Genieo\Application\Updater\genieo_temp\homey_setup.exe
2010-09-15 03:37 . 2010-09-15 03:42 -------- d-----w- c:\windows\system32\URTTemp
2010-09-15 01:26 . 2010-09-15 01:26 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\PCHealth
2010-09-14 23:02 . 2010-09-14 23:02 -------- d-----w- c:\windows\system32\winrm
2010-09-14 23:02 . 2010-09-14 23:02 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2010-09-14 22:49 . 2010-06-18 13:36 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-09-14 22:49 . 2010-06-21 15:27 354304 -c----w- c:\windows\system32\dllcache\srv.sys
2010-09-14 22:47 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-09-14 22:45 . 2010-02-24 13:11 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-09-14 22:43 . 2009-10-15 16:28 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2010-09-14 22:43 . 2009-10-15 16:28 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2010-09-14 22:43 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-09-14 22:40 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2010-09-14 22:39 . 2010-09-15 13:22 -------- d--h--w- c:\windows\$hf_mig$
2010-09-14 22:39 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-09-14 22:39 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2010-09-14 22:27 . 2010-09-14 22:53 -------- d-----w- c:\program files\Remote Desktop
2010-09-14 22:06 . 2010-09-14 22:06 -------- d-----w- c:\windows\system32\scripting
2010-09-14 22:06 . 2010-09-14 22:06 -------- d-----w- c:\windows\l2schemas
2010-09-14 22:06 . 2010-09-14 22:06 -------- d-----w- c:\windows\system32\en
2010-09-14 22:06 . 2010-09-14 22:06 -------- d-----w- c:\windows\system32\bits
2010-09-14 21:50 . 2008-04-14 00:11 12800 ----a-w- c:\windows\system32\credssp.dll
2010-09-14 21:49 . 2008-04-14 00:12 155136 ----a-w- c:\windows\system32\mssha.dll
2010-09-14 21:48 . 2004-08-04 02:41 11868 ------w- c:\windows\system32\drivers\mdmxsdk.sys
2010-09-14 21:47 . 2004-08-04 02:41 1041536 ------w- c:\windows\system32\drivers\hsfdpsp2.sys
2010-09-13 15:59 . 2010-09-13 16:00 -------- d-----w- c:\program files\NVPlayer
2010-09-13 13:30 . 2010-05-07 21:41 265416 ----a-w- c:\windows\system32\PROUnstl.exe
2010-09-09 17:05 . 2010-09-09 17:05 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Karen's Power Tools
2010-09-09 17:02 . 2010-09-09 17:06 -------- d-----w- c:\program files\Karen's Power Tools
2010-09-09 16:50 . 2010-09-09 16:52 -------- d-----w- c:\documents and settings\Administrator\Application Data\ISP Monitor
2010-09-09 16:46 . 2010-09-09 16:46 737280 ----a-w- c:\windows\iun6002.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-07 12:55 . 2008-03-05 04:59 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-10-06 12:41 . 2010-03-12 19:12 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2010-10-05 22:32 . 2010-08-24 23:52 768 ----a-w- c:\windows\system32\d3d8caps.dat
2010-10-04 15:59 . 2010-05-26 14:28 -------- d-----w- c:\program files\Common Files\Roxio Shared
2010-10-01 02:30 . 2010-10-01 00:21 112 ----a-w- c:\documents and settings\All Users\Application Data\J71R5Tb.dat
2010-09-30 22:11 . 2010-09-30 22:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-30 22:07 . 2010-09-30 22:07 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-09-30 22:07 . 2010-09-30 22:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-30 19:33 . 2008-03-06 17:38 -------- d-----w- c:\program files\uTorrent
2010-09-30 19:12 . 2008-03-06 17:38 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2010-09-27 15:01 . 2008-09-02 17:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\dvdcss
2010-09-21 13:19 . 2008-03-03 16:30 104424 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-09-15 13:51 . 2008-03-03 19:29 -------- d-----w- c:\program files\Microsoft.NET
2010-09-14 22:08 . 2008-03-03 15:32 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-09-13 13:31 . 2008-03-03 16:22 -------- d-----w- c:\program files\Intel
2010-08-30 18:31 . 2008-03-03 19:53 -------- d-----w- c:\program files\Sony
2010-08-24 18:10 . 2008-03-03 20:17 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-08-24 17:28 . 2010-05-26 14:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\Roxio
2010-08-24 12:17 . 2008-12-23 16:52 -------- d-----w- c:\documents and settings\All Users\Application Data\CraigsPal
2010-08-23 12:29 . 2010-08-23 12:29 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{D69A48BF-7653-4AA8-94BC-5847522A4573}
2010-08-23 12:26 . 2010-08-23 12:25 -------- d-----w- c:\program files\Common Files\Native Instruments
2010-08-23 12:26 . 2010-08-23 12:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Native Instruments
2010-08-23 12:26 . 2010-08-23 12:26 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{0CC51CB2-911C-40BB-BC1B-BD3CAC590222}
2010-08-23 12:25 . 2010-08-23 12:25 -------- d-----w- c:\program files\Native Instruments
2010-08-23 12:25 . 2010-08-23 12:25 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{D7CFB71A-972A-44FF-AE44-8780EB53ABB2}
2010-08-17 13:17 . 2004-08-04 01:07 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-13 16:46 . 2010-08-11 17:24 16 ----a-w- c:\windows\msocreg32.dat
2010-08-11 17:24 . 2010-08-11 17:24 -------- d-----w- c:\program files\IK Multimedia
2010-08-11 17:23 . 2008-03-03 16:22 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-08-11 17:23 . 2010-08-11 17:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\InstallShield
2010-07-27 06:30 . 2010-07-27 06:30 8462336 ------w- c:\windows\system32\SET261.tmp
2010-07-22 15:49 . 2004-08-04 01:07 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57 . 2010-09-14 22:41 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-15 15:23 . 2010-07-15 15:23 654456 ----a-w- c:\windows\system32\ncs2dmix.dll
2010-07-15 15:23 . 2010-07-15 15:23 506488 ----a-w- c:\windows\system32\accesor.dll
2010-07-15 14:45 . 2010-07-15 14:45 27591840 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\msgup1000_1270_us_u2.exe
2010-07-14 14:16 . 2010-07-14 14:16 182784 ----a-w- c:\windows\system32\Ncs2Setp.dll
2010-07-14 13:39 . 2010-07-14 13:39 134264 ----a-w- c:\windows\system32\ncs2instutility.dll
2010-07-14 13:20 . 2010-07-14 13:20 1813112 ----a-w- c:\windows\system32\ncscolib.dll
2010-07-12 12:45 . 2010-07-12 12:45 3584 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{121634B0-2F4A-11D3-ADA3-00C04F52DD53}\Icon386ED4E3.exe
2007-06-27 01:57 . 2008-03-03 18:51 32768 ----a-w- c:\program files\tarsier.exe
2007-06-27 01:21 . 2008-03-03 18:51 110 ----a-w- c:\program files\screensaveroff.reg
2006-07-05 12:06 . 2008-03-03 18:51 1628813 ----a-w- c:\program files\flash player 8.exe
2005-11-14 13:47 . 2008-03-03 18:51 987136 ----a-w- c:\program files\flash player 7.exe
2005-04-18 01:23 . 2008-03-03 18:51 68 ----a-w- c:\program files\search.vbs
2003-02-08 21:49 . 2008-03-03 18:51 37888 ----a-w- c:\program files\wizmo.exe
2008-03-11 12:51 . 2008-03-11 12:51 0 --sh--w- c:\windows\SD2C70EBC.tmp
.

------- Sigcheck -------

[7] 2008-04-14 . FF3477C03BE7201C294C35F684B3479F . 295424 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\termsrv.dll
[7] 2008-04-14 . FF3477C03BE7201C294C35F684B3479F . 295424 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\termsrv.dll
[-] 2008-04-14 . E93FC3D9A106DDCD8887547FA01A33FC . 295424 . . [5.1.2600.5512] . . c:\windows\system32\termsrv.dll
[-] 2004-08-04 . 2FC602F08EE290DEBE26D8510993D6A5 . 295424 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\termsrv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Privoxy.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Privoxy.lnk
backup=c:\windows\pss\Privoxy.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Showcalc.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Showcalc.lnk
backup=c:\windows\pss\Showcalc.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2005-06-21 21:44 126976 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2005-06-21 21:48 155648 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NGTray]
2008-04-23 01:35 218504 ----a-w- c:\program files\Symantec\Ghost\ngtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2009-07-24 12:33 240112 ----a-w- c:\program files\Common Files\Roxio Shared\12.0\SharedCOM\RoxWatchTray12.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MDM"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"idsvc"=3 (0x3)
"odserv"=3 (0x3)
"LiveUpdate"=3 (0x3)
"aawservice"=2 (0x2)
"SymSnapService"=3 (0x3)
"IntuitUpdateService"=2 (0x2)
"Pml Driver HPH11"=3 (0x3)
"WRConsumerService"=2 (0x2)
"WebrootSpySweeperService"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"IP Monitor"=3 (0x3)
"BroadCamService"=2 (0x2)
"rpcapd"=3 (0x3)
"RoxWatch12"=2 (0x2)
"9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269"=2 (0x2)
"CinemaNow Service"=2 (0x2)
"NIHardwareService"=2 (0x2)
"RoxMediaDB12"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Symantec\\Ghost\\GhostSrv.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\CinemaNow\\CinemaNow Media Manager\\CinemaNowShell.exe"=
"c:\\Program Files\\IP Monitor\\IPMonitor.exe"=
"c:\\Program Files\\IP Monitor\\IPMonSvc.exe"=
"c:\\Program Files\\Microsoft Office2007\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Roxio 2010\\Venue\\Venue.exe"=
"c:\\Program Files\\Sony\\Vegas Pro 9.0\\VegSrv90.exe"=
"c:\\Program Files\\Symantec\\Ghost\\ngserver.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NVPlayer\\NVPlayer.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"5555:TCP"= 5555:TCP:remote 5555
"5555:UDP"= 5555:UDP:remore 5555 2
"9050:UDP"= 9050:UDP:*:Disabled:vidalia
"8118:UDP"= 8118:UDP:*:Disabled:vidalia
"64634:TCP"= 64634:TCP:*:Disabled:64634
"64634:UDP"= 64634:UDP:*:Disabled:64634 2
"25:TCP"= 25:TCP:*:Disabled:IP Monitor:TCP:25
"86:TCP"= 86:TCP:*:Disabled:BroadCam Video Streaming Server TCP/IP Port
"1935:TCP"= 1935:TCP:*:Disabled:BroadCam Video Streaming Server Flash Video Server
"123:UDP"= 123:UDP:*:Disabled:time sync
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

R0 SahdIa32;HDD Filter Driver;c:\windows\system32\drivers\SahdIa32.sys [5/26/2010 10:38 AM 21488]
R0 SaibIa32;Volume Filter Driver;c:\windows\system32\drivers\SaibIa32.sys [5/26/2010 10:38 AM 15856]
R1 SaibVd32;Virtual Disk Driver;c:\windows\system32\drivers\SaibVd32.sys [5/26/2010 10:38 AM 25584]
S0 jlcey;jlcey; [x]
S0 tguho;tguho; [x]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [8/2/2005 5:10 PM 32512]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/3/2004 9:07 PM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S4 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe [6/2/2009 7:05 PM 457200]
S4 CinemaNow Service;CinemaNow Service;c:\program files\CinemaNow\CinemaNow Media Manager\CinemaNowSvc.exe [6/23/2009 5:40 PM 127352]
S4 IP Monitor;IP Monitor Network Address Monitor;c:\progra~1\IPMONI~1\ipmonsvc.exe [4/5/2010 1:59 PM 164352]
S4 NIHardwareService;NIHardwareService;c:\program files\Common Files\Native Instruments\Hardware\NIHardwareService.exe [7/17/2009 9:32 AM 3576320]
S4 RoxMediaDB12;RoxMediaDB12;c:\program files\Common Files\Roxio Shared\12.0\SharedCOM\RoxMediaDB12.exe [7/24/2009 8:33 AM 1116656]
S4 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files\Common Files\Roxio Shared\12.0\SharedCOM\RoxWatch12.exe [7/24/2009 8:33 AM 219632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.gooofullsearch.com/
uInternet Settings,ProxyServer = localhost:8118
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: cinemanow.com
Trusted Zone: fastestdeploy.com
Trusted Zone: fastestdeploy.com
TCP: {36F3399F-AC03-4CE2-A2DB-9F6FBCF714A5} = 192.168.1.1
DPF: ATLApplicationLocatorAXInstall - hxxp://192.168.0.136/LaunchVCPC.cab
DPF: {7E866715-C9B6-4C64-AAB8-342E0D137213} - hxxp://192.168.0.51/EDVR.CAB
DPF: {CCDA56E6-AE8D-4A43-846F-EE464650864A} - hxxp://192.168.0.100/WebView.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\obn3q3vk.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\obn3q3vk.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\obn3q3vk.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\obn3q3vk.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - hxxp://search.fast-find.net/?sid=10101063100&s=.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-rundllxxxx.exe - c:\rundllxxxx.exe\rundllxxxx.exe
HKU-Default-Run-rundllxxxx.exe - c:\rundllxxxx.exe\rundllxxxx.exe
HKU-Default-Run-KOO9RV9K4Z - c:\windows\system32\config\SYSTEM~1\LOCALS~1\Temp\Hr2.exe
MSConfigStartUp-coreappsetup700 - c:\documents and settings\Administrator\Application Data\7EB69134C92CDBCC4FF1A22944E3A22B\coreappsetup700.exe
MSConfigStartUp-HNUGROXRme - c:\docume~1\ADMINI~1\LOCALS~1\Temp\avp.exe
MSConfigStartUp-HNUGROXRnfc - c:\docume~1\ADMINI~1\LOCALS~1\Temp\c8kax.exe
MSConfigStartUp-HNUGROXRnjbb - c:\docume~1\ADMINI~1\LOCALS~1\Temp\dy7zc2kcnd.exe
MSConfigStartUp-HNUGROXRnnD - c:\docume~1\ADMINI~1\LOCALS~1\Temp\fhdld62v.exe
MSConfigStartUp-HNUGROXRnyc - c:\docume~1\ADMINI~1\LOCALS~1\Temp\csrss.exe
MSConfigStartUp-HNUGROXRnZ - c:\docume~1\ADMINI~1\LOCALS~1\Temp\cmd.exe
MSConfigStartUp-HNUGROXRoMc - c:\docume~1\ADMINI~1\LOCALS~1\Temp\gdi32.exe
MSConfigStartUp-HNUGROXRota - c:\docume~1\ADMINI~1\LOCALS~1\Temp\install.exe
MSConfigStartUp-HNUGROXRotc - c:\docume~1\ADMINI~1\LOCALS~1\Temp\hexdump.exe
MSConfigStartUp-HNUGROXRouqc - c:\docume~1\ADMINI~1\LOCALS~1\Temp\iexplarer.exe
MSConfigStartUp-HNUGROXRprc - c:\docume~1\ADMINI~1\LOCALS~1\Temp\login.exe
MSConfigStartUp-HNUGROXRpuc - c:\docume~1\ADMINI~1\LOCALS~1\Temp\lsass.exe
MSConfigStartUp-HNUGROXRpw+ - c:\docume~1\ADMINI~1\LOCALS~1\Temp\nvsvc32.exe
MSConfigStartUp-HNUGROXRpZ - c:\docume~1\ADMINI~1\LOCALS~1\Temp\mdm.exe
MSConfigStartUp-HNUGROXRre - c:\docume~1\ADMINI~1\LOCALS~1\Temp\user.exe
MSConfigStartUp-HNUGROXRrg - c:\docume~1\ADMINI~1\LOCALS~1\Temp\smss.exe
MSConfigStartUp-HNUGROXRrrb - c:\docume~1\ADMINI~1\LOCALS~1\Temp\taskmgr.exe
MSConfigStartUp-HNUGROXRrse - c:\docume~1\ADMINI~1\LOCALS~1\Temp\svchost.exe
MSConfigStartUp-HNUGROXRrtc - c:\docume~1\ADMINI~1\LOCALS~1\Temp\sysedit.exe
MSConfigStartUp-HNUGROXRruf - c:\docume~1\ADMINI~1\LOCALS~1\Temp\spoolsv.exe
MSConfigStartUp-HNUGROXRrvc - c:\docume~1\ADMINI~1\LOCALS~1\Temp\setup.exe
MSConfigStartUp-HNUGROXRrxe - c:\docume~1\ADMINI~1\LOCALS~1\Temp\system.exe
MSConfigStartUp-HNUGROXRsa - c:\docume~1\ADMINI~1\LOCALS~1\Temp\win.exe
MSConfigStartUp-HNUGROXRsPc - c:\docume~1\ADMINI~1\LOCALS~1\Temp\win32.exe
MSConfigStartUp-HNUGROXRspe - c:\docume~1\ADMINI~1\LOCALS~1\Temp\winamp.exe
MSConfigStartUp-HNUGROXRsre - c:\docume~1\ADMINI~1\LOCALS~1\Temp\wininst.exe
MSConfigStartUp-HNUGROXRssc - c:\docume~1\ADMINI~1\LOCALS~1\Temp\winlogon.exe
MSConfigStartUp-MKaoc - c:\windows\debug.exe
MSConfigStartUp-MKasc - c:\windows\drweb.exe
MSConfigStartUp-MKayc - c:\windows\csrss.exe
MSConfigStartUp-MKbMc - c:\windows\gdi32.exe
MSConfigStartUp-MKbta - c:\windows\install.exe
MSConfigStartUp-MKbtc - c:\windows\hexdump.exe
MSConfigStartUp-MKbuqc - c:\windows\iexplarer.exe
MSConfigStartUp-MKcrc - c:\windows\login.exe
MSConfigStartUp-MKcZ - c:\windows\mdm.exe
MSConfigStartUp-MKdw+ - c:\windows\nvsvc32.exe
MSConfigStartUp-MKeg - c:\windows\smss.exe
MSConfigStartUp-MKerb - c:\windows\taskmgr.exe
MSConfigStartUp-MKeta - c:\windows\services.exe
MSConfigStartUp-MKetc - c:\windows\sysedit.exe
MSConfigStartUp-MKeuf - c:\windows\spoolsv.exe
MSConfigStartUp-MKevc - c:\windows\setup.exe
MSConfigStartUp-MKexe - c:\windows\system.exe
MSConfigStartUp-MKfPc - c:\windows\win32.exe
MSConfigStartUp-3.5 - c:\windows\win32.exe
MSConfigStartUp-MKfpe - c:\windows\winamp.exe
MSConfigStartUp-MKfre - c:\windows\wininst.exe
MSConfigStartUp-MKfsc - c:\windows\winlogon.exe
MSConfigStartUp-MKZe - c:\windows\avp.exe
MSConfigStartUp-MKZSc - c:\windows\avp32.exe
MSConfigStartUp-uPc+MV0Na0LaXms - c:\windows\system32\ht1tuvr8fb.dll
MSConfigStartUp-uPc+MV0NMtaGuo - c:\windows\system32\h67eist.dll
MSConfigStartUp-uPc+MV0NskaGuo - c:\windows\system32\lzqxz2o.dll
MSConfigStartUp-wupdate - c:\windows\system32\wupdate.exe


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1612)
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Symantec\Ghost\ngserver.exe
c:\windows\system32\wscntfy.exe
c:\program files\Symantec\Ghost\bin\dbserv.exe
c:\program files\Symantec\Ghost\bin\rteng9.exe
c:\windows\system32\msiexec.exe
.
**************************************************************************
.
Completion time: 2010-10-07 09:23:41 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-07 13:23

Pre-Run: 5,741,277,184 bytes free
Post-Run: 6,849,581,056 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[Boot Loader]
Timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[Operating Systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Pro 1" /noexecute=optin /fastdetect

- - End Of File - - 2E517214DC5307BF50BD49E25BBE7353


Thanks for helping!

Frank O' The Mountain
Doing more stupid before 5AM than most people do all day.


#10 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,770 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:07:12 AM

Posted 08 October 2010 - 02:52 AM

Hi,

do you know if the PC is accessed through remote access? Is this a business PC?

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#11 FrankOtheMountaiN

FrankOtheMountaiN
  • Topic Starter

  • Members
  • 514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NY
  • Local time:12:12 AM

Posted 08 October 2010 - 06:31 AM

Yes, RDP very often. Business yes, but no secrets or financial or bank data on this box.
It seems pretty cleaned up Myrti. What do you think?

Frank O' The Mountain
Doing more stupid before 5AM than most people do all day.


#12 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,770 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:07:12 AM

Posted 08 October 2010 - 07:02 AM

Hi,

there are a couple of things left, which where obviously dropped by malware and which we should still remove.

Someone messed with one of the files for remote access and I would like to make sure that it is still benign:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time.

c:\windows\system32\termsrv.dll

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

It is quite possible that this was done by the administrator, but there is also malware that has tampered with these files, so I would like to be sure.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#13 FrankOtheMountaiN

FrankOtheMountaiN
  • Topic Starter

  • Members
  • 514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NY
  • Local time:12:12 AM

Posted 08 October 2010 - 08:33 AM

Filename: termsrv.dll
Status:
Scan finished. 3 out of 17 scanners reported malware.
Scan taken on: Fri 8 Oct 2010 14:50:50 (CET) Permalink

File size: 295424 bytes
Filetype: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit
MD5: e93fc3d9a106ddcd8887547fa01a33fc
SHA1: ec27a83af6e33e1daae989f9dce1d67f465b4fea

IKARUS, NOD32, AND VBA32 FOUND "VirTool.Win32.Ursnif" OR "Win32/Spy.Ursnif.A"

There was a termsrv patch applied, but I would like to know how to remove it.



Frank O' The Mountain
Doing more stupid before 5AM than most people do all day.


#14 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,770 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:07:12 AM

Posted 08 October 2010 - 09:28 AM

Hi,

basically that would resolve to replacing the file with a clean copy from somewhere else. But I don't think that the file was modified by malware. This should be a valid replacement: c:\windows\ServicePackFiles\i386\termsrv.dll

Please run this script to remove the leftovers:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
driver::
jlcey
tguho
dds::
uInternet Settings,ProxyServer = localhost:8118
firefox::
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\obn3q3vk.default\
FF - user.js: keyword.URL - hxxp://search.fast-find.net/?sid=10101063100&s=.


Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#15 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,770 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:07:12 AM

Posted 16 October 2010 - 04:01 PM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users