
Am I clear??



#1 totoroben


Posted 03 October 2010 - 01:01 AM

Hello BleepingComputer. I went ahead and ran ComboFix. Sorry I did not get a prior recommendation, but I knew I had problems when MalwareBytes and my antivirus both encountered issues. The trojan or worm or whatever redirected my browser to IP addresses and fake pages. I could not run ComboFix until I renamed it, and I was having generic host errors. Anyways, here is my log and I look forward to your reply!!
------------------------------------------------------------------------------------------------

ComboFix 10-10-01.07 - User 10/03/2010 1:26.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.734 [GMT -4:00]
Running from: c:\documents and settings\User\Desktop\tt.exe
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\drivers\i8042prt.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-09-03 to 2010-10-03 )))))))))))))))))))))))))))))))
.

2010-10-03 03:58 . 2006-10-16 17:04 154496 ----a-w- c:\windows\system32\Prounstl.exe
2010-10-03 03:58 . 2006-10-04 16:52 43880 ----a-w- c:\windows\system32\e100bmsg.dll
2010-10-03 03:58 . 2006-09-13 01:41 35704 ----a-w- c:\windows\system32\NicInst.dll
2010-10-03 03:58 . 2006-09-13 01:39 28536 ----a-w- c:\windows\system32\NicCo.dll
2010-10-03 03:56 . 2010-10-03 03:56 -------- d-----w- C:\sound
2010-10-02 22:29 . 2010-10-02 22:29 19480 ----a-w- c:\documents and settings\Administrator.USER2\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-10-02 21:59 . 2010-10-02 21:59 52480 ----a-w- c:\windows\system32\drivers\xkwfpfba.sys
2010-10-02 17:20 . 2010-10-02 17:20 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2010-10-02 17:20 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-02 17:20 . 2010-10-02 17:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-02 17:20 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-02 16:55 . 2010-06-24 12:21 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-10-02 16:47 . 2010-10-02 16:47 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-10-02 16:40 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-10-02 15:22 . 2010-10-02 15:22 -------- d-----w- c:\windows\system32\wbem\Repository
2010-10-02 07:01 . 2010-10-02 07:01 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-10-02 06:55 . 2010-10-02 06:55 -------- d-----w- c:\documents and settings\Administrator\PrivacIE
2010-10-02 06:52 . 2010-10-02 06:52 -------- d-----w- c:\documents and settings\Administrator\IETldCache
2010-10-02 06:51 . 2010-10-02 15:20 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft
2010-10-02 06:51 . 2010-10-02 15:20 -------- d-s---w- c:\documents and settings\Administrator
2010-10-02 06:46 . 2010-10-02 06:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-10-02 06:19 . 2010-10-02 06:19 -------- d-----w- C:\spoolerlogs
2010-09-22 05:43 . 2010-09-22 05:43 -------- d-----w- c:\program files\Refworks
2010-09-04 06:28 . 2010-09-07 01:01 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\MediaMonkey
2010-09-04 06:07 . 2010-09-04 12:35 -------- d-----w- C:\New Folder

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-03 05:23 . 2009-06-29 21:49 -------- d-----w- c:\documents and settings\User\Application Data\WTablet
2010-10-02 17:26 . 2010-06-15 15:14 -------- d-----w- c:\documents and settings\LocalService\Application Data\WTablet
2010-10-02 17:25 . 2010-03-30 19:08 -------- d-----w- c:\program files\Microsoft Silverlight
2010-09-13 22:49 . 2009-11-20 18:52 -------- d-----w- c:\documents and settings\User\Application Data\Tutor
2010-09-13 22:01 . 2010-07-18 21:51 -------- d-----w- c:\program files\MWSnap
2010-08-23 03:47 . 2009-06-05 04:15 -------- d-----w- c:\program files\Google
2010-08-18 17:15 . 2010-08-18 17:12 -------- d-----w- c:\program files\GraphCalc
2010-08-17 13:17 . 2006-02-28 12:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-10 20:01 . 2010-08-10 20:01 -------- d-----w- c:\program files\Analog Devices
2010-08-10 20:01 . 2008-01-14 16:43 -------- d-----w- c:\program files\Common Files\InstallShield
2010-08-10 19:48 . 2009-05-31 23:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-08-04 14:12 . 2008-01-14 16:45 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-31 03:56 . 2010-04-04 19:13 21361 ----a-w- c:\windows\system32\drivers\AegisP.sys
2010-07-22 15:49 . 2006-02-28 12:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57 . 2010-01-14 20:15 5120 ----a-w- c:\windows\system32\xpsp4res.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TabletWizard"="c:\windows\help\SplshWrp.exe" [2008-04-14 16384]
"TabletTip"="c:\program files\Common Files\microsoft shared\ink\tabtip.exe" [2008-04-14 271872]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2003-09-26 184320]
"AGRSMMSG"="AGRSMMSG.exe" [2004-02-20 88363]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-04-15 4866048]
"nwiz"="nwiz.exe" [2004-04-15 323584]
"00THotkey"="c:\windows\system32\00THotkey.exe" [2004-08-10 258048]
"CrossMenu"="c:\program files\Toshiba\CrossMenu\CrossMenu.exe" [2004-02-27 798720]
"TapButt"="c:\program files\Toshiba\TapButton\TapButt.exe" [2003-10-31 176128]
"000StTHK"="000StTHK.exe" [2001-06-24 24576]
"TosRotation"="c:\program files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe" [2004-01-29 266240]
"TFNF5"="TFNF5.exe" [2003-10-15 73728]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2003-07-17 159744]
"AS00_WPN511"="c:\program files\NETGEAR\WPN511\Utility\WPN511.exe" [2007-07-23 2031616]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-06-01 1093208]
"Enable notification service for Firefox"="c:\program files\Common Files\Mozilla\firefox.exe" [2010-06-08 199168]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\User\Start Menu\Programs\Startup\
DeskPins.lnk - c:\program files\DeskPins\DeskPins.exe [2004-5-2 62464]
Deubox Manager.lnk - c:\program files\Red Chair Software\Deubox Explorer\deumgr.exe [2007-8-5 988212]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AirLink101 Wireless Monitor.lnk - c:\program files\Airlink101\Airlink101 WLAN Monitor\RtWLan.exe [2010-7-30 966656]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]
2008-04-14 10:41 47104 ----a-w- c:\program files\Common Files\Microsoft Shared\Ink\loginkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL]
2002-08-29 11:41 11776 ----a-w- c:\windows\system32\tabbtnwl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]
2008-04-14 10:42 32256 ----a-w- c:\windows\system32\tpgwlnot.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\persistentroutes]
"125.252.224.88,255.255.255.252,192.168.1.138,1"=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SoundMAX"=c:\program files\Analog Devices\SoundMAX\Smax4.exe /tray
"SoundMAXPnP"=c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"c:\Program Files\Mozilla Firefox\firefox.exe"=
"c:\Program Files\BitTornado\btdownloadgui.exe"=
"c:\Program Files\Miranda IM\miranda32.exe"=
"c:\Program Files\Airlink101\Airlink101 WLAN Monitor\RtWLan.exe"=
"c:\Program Files\Red Chair Software\Deubox Explorer\deumgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1542:TCP"= 1542:TCP:Realtek WPS TCP Prot
"1542:UDP"= 1542:UDP:Realtek WPS UDP Prot
"53:UDP"= 53:UDP:Realtek AP UDP Prot

R3 TBtnKey;TOSHIBA Tablet PC Buttons Type N HID Driver;c:\windows\system32\drivers\TBtnKey.sys [1/1/2000 3:35 AM 8832]
R3 WISDPen;Wacom Penabled MiniDriver;c:\windows\system32\drivers\wisdpen.sys [6/29/2009 5:49 PM 34736]
S1 MpKsl94a4cfd8;MpKsl94a4cfd8;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B0F5B668-40D1-442E-81E5-FEE41FEED737}\MpKsl94a4cfd8.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B0F5B668-40D1-442E-81E5-FEE41FEED737}\MpKsl94a4cfd8.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/28/2010 12:55 PM 136176]
S3 AWINDIS5;AWINDIS5 Protocol Driver;c:\windows\system32\AWINDIS5.SYS [1/20/2010 3:19 PM 16194]
S3 NETGEAR_WPN511_SERVICE;NETGEAR WPN511 Wireless Adapter Service;c:\windows\system32\drivers\wpn511.sys [4/4/2010 3:12 PM 488992]
S3 rtl8180;Belkin 11Mbps Wireless Notebook Network Card Driver;c:\windows\system32\DRIVERS\Bel6020.sys --> c:\windows\system32\DRIVERS\Bel6020.sys [?]
S3 RTL8192cu;Airlink101 Wireless N USB Adapter;c:\windows\system32\drivers\RTL8192cu.sys [7/30/2010 11:51 PM 549280]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 517096]
S3 WacomPen;Wacom Serial Pen HID Driver;c:\windows\system32\drivers\wacompen.sys [12/31/1999 8:45 PM 14208]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder

2010-10-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-28 16:55]

2010-10-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-28 16:55]
.
.
------- Supplementary Scan -------
.
uStart Page = https://mail.uc.edu/login.aspx?ReturnUrl=%2fredirect.aspx
uDefault_Search_URL = hxxp://www.google.com/cse?sa=Search&cx=partner-pub-3451140814115289:q9affw-svha&ie=UTF-8&q=&sa=Search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\bt4rctb7.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (Eng)
FF - prefs.js: browser.startup.homepage - google.com
FF - component: c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\bt4rctb7.default\extensions\zoteroWinWordIntegration@zotero.org\components\zoteroWinWordIntegration.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-03 01:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-10-03 01:36:21
ComboFix-quarantined-files.txt 2010-10-03 05:36

Pre-Run: 11,123,908,608 bytes free
Post-Run: 13,159,485,440 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - ED997635F752C3284379507DAD739F64

The infection was Rootkit.tdss

Update: Windows Security Essentials is detecting Alureon.H in its real-time protection. I will do a full system scan with Malwarebytes and WSE before I go to sleep.

EDIT: Posts merged ~BP

Edited by Budapest, 03 October 2010 - 07:59 PM.



#2 m0le


Posted 09 October 2010 - 04:32 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 m0le


Posted 13 October 2010 - 06:12 PM

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE



