Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Suspected Hijacking?


  • This topic is locked This topic is locked
2 replies to this topic

#1 Gwollf

Gwollf

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:02:14 AM

Posted 17 October 2010 - 05:51 PM

In the last week I have experienced some strange happenings with my computer and have come to the conclusion that it may have been hijacked or turned into a server for someone else. I will try to give a clear chronological account of what has happened and the steps I have taken to deal with it.

I am running Windows XP Home edition


Event 1: Mysterious file automatically downloads itself onto my computer (I do not remember its name) while I am using Google Chrome. I delete it immediately.

Event 2: Floppy Drive begins to randomly load up for no reason every twenty seconds or so

Event 3: Twenty minutes later I receive a message that asks me to insert my Windows CD because important files have been changed to an unknown version which could effect Windows' stability. I panic because I don't have the windows CDs, they were misplaced in my family's last move.

Event 4: I go to the Windows Restore function but can not find any restore points except for the one created just after these unknown changes occured.

Event 5: I restart the computer

Event 6: I run Malwarebytes and Combofix which detect and remove all manner of nasty virus scum from my harddrive. Here is the Combofix Log.

ComboFix 10-10-12.01 - owner 10/12/2010 22:05:13.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2047.1564 [GMT -6:00]
Running from: c:\documents and settings\owner\My Documents\Downloads\ComboFix.exe
FW: NVIDIA Firewall *disabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\owner\Application Data\Tofi\ovus.exe
c:\windows\ExplorerSrv.exe
c:\windows\system32\dmlconf.dat
c:\windows\system32\winlogon.bak
c:\program files\Microsoft\DesktopLayer.exe . . . . Failed to delete
.
---- Previous Run -------
.
c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.dat
c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe
c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.lan
c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.msi
c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.par
c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.res
c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\instance.dat
c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\mia.lib
c:\windows\Installer\185b8.msi
c:\windows\Installer\70c394.msi

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\system32\logevent.dll

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\system32\winlogon.bak

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2010-09-13 to 2010-10-13 )))))))))))))))))))))))))))))))
.

2010-10-13 02:44 . 2010-10-13 02:44 -------- d-----w- c:\program files\Alwil Software
2010-10-13 02:44 . 2010-10-13 02:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-10-13 01:46 . 2010-10-13 02:22 -------- d-----w- c:\windows\system32\NtmsData
2010-10-13 01:09 . 2010-10-13 01:18 -------- d-----w- c:\documents and settings\owner\Application Data\QuickScan
2010-10-13 01:06 . 2010-10-13 01:07 -------- d-----w- c:\documents and settings\owner\Local Settings\Application Data\AskToolbar
2010-10-13 01:05 . 2010-10-13 01:42 132608 ----a-w- c:\program files\Internet Explorer\IEXPLORESrv.exe
2010-10-13 00:29 . 2010-10-13 00:29 -------- d-----w- c:\program files\Enigma Software Group
2010-10-13 00:28 . 2010-10-13 01:06 -------- d-----w- c:\windows\9EFA732347A048E28F7735DB5EED500A.TMP
2010-10-12 07:52 . 2010-10-12 07:52 -------- d-----w- c:\documents and settings\owner\Application Data\Malwarebytes
2010-10-12 07:52 . 2010-04-29 21:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-12 07:52 . 2010-10-12 07:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-10-12 07:52 . 2010-04-29 21:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-12 07:52 . 2010-10-12 07:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-12 06:48 . 2010-10-12 06:49 -------- d-----w- c:\program files\win
2010-10-12 06:48 . 2010-10-12 23:48 -------- d-----w- c:\program files\tmp
2010-09-25 22:03 . 2010-09-25 22:03 -------- d-----w- c:\program files\Ask.com
2010-09-18 02:25 . 2010-10-02 18:25 -------- d-----w- c:\program files\Railroad Tycoon 3
2010-09-14 01:30 . 2010-09-14 01:30 -------- d-----w- c:\program files\Audacity

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]
"{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}"= "c:\program files\Softonic-Eng7\tbSof1.dll" [2010-07-30 2515552]

[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]

[HKEY_CLASSES_ROOT\clsid\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}]
2010-07-30 22:36 2515552 ----a-w- c:\program files\Softonic-Eng7\tbSof1.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-05-26 21:23 1385864 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}"= "c:\program files\Softonic-Eng7\tbSof1.dll" [2010-07-30 2515552]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]

[HKEY_CLASSES_ROOT\clsid\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{414B6D9D-4A95-4E8D-B5B1-149DD2D93BB3}"= "c:\program files\Softonic-Eng7\tbSof1.dll" [2010-07-30 2515552]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]

[HKEY_CLASSES_ROOT\clsid\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-02-13 486856]
"Google Update"="c:\documents and settings\owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-01-11 135664]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-03 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-07-14 13529088]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-02-17 198160]

c:\documents and settings\owner\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
abyvup.exe [2010-10-12 262656]
ahgyyg.exe [2010-10-12 262656]
etxies.exe [2010-10-12 262656]
pyawun.exe [2010-10-12 262656]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ZDWlan.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ZDWlan.lnk
backup=c:\windows\pss\ZDWlan.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^owner^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
path=c:\documents and settings\owner\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk
backup=c:\windows\pss\OpenOffice.org 2.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
2008-06-25 02:06 904768 ----a-w- c:\program files\Maxtor\MaxBlast\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
2010-03-15 17:06 524632 ----a-w- c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 23:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
2008-05-09 00:36 289088 ----a-w- c:\program files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\combofix]
2009-08-30 22:23 388608 ----a-w- c:\windows\system32\CF30906.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cwcptray]
2007-05-30 15:40 396592 -c--a-w- c:\program files\ContentWatch\Internet Protection\cwtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2008-02-13 23:09 486856 ----a-w- c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiscWizardMonitor.exe]
2008-06-25 01:52 1325848 ----a-w- c:\program files\Maxtor\MaxBlast\DiscWizardMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-04-12 22:46 1135912 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-01-11 06:22 135664 ----atw- c:\documents and settings\owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Updater]
2010-05-10 18:22 161336 ----a-w- c:\program files\Google\Google Updater\GoogleUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
2009-05-15 01:03 1103216 ----a-w- c:\program files\IGN\Download Manager\DLM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2010-10-12 07:07 1464832 ----a-w- c:\program files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]
2007-05-17 21:45 279912 ----a-w- c:\program files\Microsoft LifeCam\LifeExp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxBlastMonitor.exe]
2008-06-27 23:01 1325800 ----a-w- c:\program files\Maxtor\MaxBlast\MaxBlastMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Maxtor Scheduler2 Service]
2008-06-25 01:56 136472 ----a-w- c:\program files\Common Files\Maxtor\Schedule2\schedhlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 16:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nTrayFw]
2004-11-20 11:03 266240 -c--a-w- c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2008-07-14 19:59 13529088 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2008-07-14 19:59 86016 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVMixerTray]
2010-10-12 07:16 200704 -c--a-w- c:\program files\NVIDIA Corporation\NvMixer\NvMixerTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2008-07-14 19:59 1630208 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orb]
2008-01-07 20:02 495616 ----a-w- c:\program files\Winamp Remote\bin\OrbTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pando Media Booster]
2010-01-04 16:18 2935480 ----a-w- c:\program files\Pando Networks\Media Booster\PMB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-10-12 07:17 491520 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2010-10-12 07:12 102400 -c--a-w- c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Seagate Scheduler2 Service]
2008-06-25 01:56 136472 ----a-w- c:\program files\Common Files\Maxtor\Schedule2\schedhlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-05-13 23:57 26192168 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 22:07 2260480 ------w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-10-02 18:15 1242448 ----a-w- c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 17:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-02-17 02:12 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VX1000]
2007-04-10 21:46 709992 ----a-w- c:\windows\vVX1000.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\x3watch]
2005-08-13 14:27 376832 -c--a-w- c:\program files\X3watch\x3watch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
"c:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\BitZip\\bitzip.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"c:\\Documents and Settings\\owner\\Desktop\\Old Icons\\ST_Game1.0.4\\ST_Client.exe"=
"c:\\Program Files\\Java\\jre1.6.0_07\\bin\\javaw.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3 Original.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3-no cd.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Winamp\\winamp.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Documents and Settings\\owner\\Application Data\\GameRanger\\GameRanger\\GameRanger.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\StarCraft II\\StarCraft II.exe"=
"c:\\Program Files\\StarCraft II\\Versions\\Base15405\\SC2.exe"=
"c:\\Program Files\\VentSrv\\ventrilo_srv.exe"=
"c:\\Program Files\\StarCraft II\\Versions\\Base16561\\SC2.exe"=
"c:\\Program Files\\Steam\\steamapps\\mythalinear\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57535:TCP"= 57535:TCP:Pando Media Booster
"57535:UDP"= 57535:UDP:Pando Media Booster
"57148:TCP"= 57148:TCP:Pando Media Booster
"57148:UDP"= 57148:UDP:Pando Media Booster

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [4/13/2009 11:04 AM 64160]
R2 CwAltaService20;ContentWatch;c:\program files\ContentWatch\Internet Protection\cwsvc.exe [9/17/2007 9:29 AM 1217840]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 8:49 AM 1029456]
R2 MaxSch2Svc;Maxtor Scheduler2 Service;c:\program files\Common Files\Maxtor\Schedule2\schedul2.exe [6/24/2008 7:56 PM 431384]
R2 WMDrive;WMDrive;c:\windows\system32\drivers\WMDrive.sys [4/4/2009 10:58 AM 37376]
S2 app_filter;app_filter;c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe --> c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/17/2010 11:03 AM 135664]
S2 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\Common Files\Maxtor\Schedule2\schedul2.exe [6/24/2008 7:56 PM 431384]
S3 lredbooo;lredbooo;\??\c:\docume~1\owner\LOCALS~1\Temp\lredbooo.sys --> c:\docume~1\owner\LOCALS~1\Temp\lredbooo.sys [?]
S3 ZDBRGSYS;ZDBRGSYS NDIS Protocol Driver;c:\windows\system32\ZDBRGSYS.sys [9/10/2006 1:04 PM 19200]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/11/2007 7:57 PM 716272]
.
Contents of the 'Scheduled Tasks' folder

2010-08-30 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 17:06]

2010-10-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-10-13 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-11-03 18:27]

2010-10-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-17 17:02]

2010-10-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-17 17:02]

2010-10-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-1993962763-839522115-1005Core.job
- c:\documents and settings\owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-11 06:22]

2010-10-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-1993962763-839522115-1005UA.job
- c:\documents and settings\owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-11 06:22]

2010-09-24 c:\windows\Tasks\Norton Security Scan for owner.job
- c:\program files\Norton Security Scan\Norton Security Scan\Engine\2.3.0.44\Nss.exe [2009-08-30 22:45]

2010-10-13 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-05-26 21:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com?o=15450&l=dis
IE: &Google Search
IE: &Translate English Word
IE: &Winamp Toolbar Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: Backward Links
IE: Cached Snapshot of Page
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Similar Pages
IE: Translate Page into English
LSP: c:\windows\system32\cwalsp.dll
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
FF - ProfilePath - c:\documents and settings\owner\Application Data\Mozilla\Firefox\Profiles\sp7injy9.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2405280&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.ask.com?o=15450&l=dis
FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=BT4&o=15447&locale=en_US&apn_uid=D9CBD246-7810-4B04-A4D2-E227DBFA525E&apn_ptnrs=H0&apn_sauid=E0122565-8AC3-4CB9-AB86-6466E8ABBA50&apn_dtid=YYYYYYYYCA&q=
FF - component: c:\documents and settings\owner\Application Data\Mozilla\Firefox\Profiles\sp7injy9.default\extensions\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\owner\Application Data\Mozilla\Firefox\Profiles\sp7injy9.default\extensions\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}\components\RadioWMPCore.dll
FF - component: c:\documents and settings\owner\Application Data\Mozilla\Firefox\Profiles\sp7injy9.default\extensions\browserhighlighter@ebay.com\components\Shim.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\owner\Application Data\Mozilla\Firefox\Profiles\sp7injy9.default\extensions\iaplayer@instantaction.com\plugins\npiaplayer.dll
FF - plugin: c:\documents and settings\owner\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1908.5032\npCIDetect14.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\IGN\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Java\jre1.6.0_10\bin\new_plugin\npdeploytk.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npagent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-BitTorrent - c:\program files\BitTorrent\BitTorrent.exe
HKCU-Run-{1C23F7A8-664F-82F2-2D76-FB5BFEF08A18} - c:\documents and settings\owner\Application Data\Tofi\ovus.exe
Notify-AtiExtEvent - (no file)
MSConfigStartUp-AVG7_CC - c:\progra~1\Grisoft\AVG7\avgcc.exe
MSConfigStartUp-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
MSConfigStartUp-Monopod - c:\docume~1\owner\LOCALS~1\Temp\a.exe
MSConfigStartUp-MSMSGS - c:\program files\Messenger\msmsgs.exe
MSConfigStartUp-SoundMan - SOUNDMAN.EXE
MSConfigStartUp-Turbine Download Manager Tray Icon - c:\program files\Turbine\Turbine Download Manager\TurbineDownloadManagerIcon.exe
AddRemove-Ad-Aware - c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe
AddRemove-Astro Gemini Screensaver Manager_is1 - c:\program files\Astro Gemini Software\Screensaver Manager\unins000.exe
AddRemove-Blue Byte Game Channel - c:\bluebyte\BBGC\uninst.dll
AddRemove-S4Uninst - c:\bluebyte\The Settlers IV\Uninst.isu
AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\UninstFl.exe
AddRemove-{76F0FEBD-6C17-4D57-C4C2-94EBEF761DA4} - c:\program files\UZC Trial\UZC.EXE
AddRemove-{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF} - c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1275210071-1993962763-839522115-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:01,39,0a,cb,e2,95,1b,5a,34,dc,3d,33,07,d9,50,2a,a8,76,c7,ab,86,11,94,
fe,62,0c,fc,02,a3,82,04,14,97,2c,c2,5d,2f,4e,af,22,34,8f,26,0f,66,63,a2,89,\
"??"=hex:ac,88,ac,c7,ce,e4,92,65,4a,af,b5,ae,96,95,e1,d1

[HKEY_USERS\S-1-5-21-1275210071-1993962763-839522115-1005\Software\SecuROM\License information*]
"datasecu"=hex:d1,76,a1,29,96,ef,05,15,78,b1,75,f2,0d,78,ca,c4,65,2e,31,2b,e5,
a0,d2,01,f0,93,08,c0,f8,c0,d6,cc,f7,08,59,6f,55,58,5e,d7,f9,e5,21,e0,b8,95,\
"rkeysecu"=hex:40,a0,8b,d6,3c,e9,34,8b,51,4e,5e,49,a5,e9,05,2c
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(820)
c:\windows\system32\relog_ap.dll
c:\windows\system32\cwalsp.dll
c:\windows\system32\wxbase28u_vc_CW.dll
c:\windows\system32\nvappfilter.dll

- - - - - - - > 'explorer.exe'(3228)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\cwalsp.dll
c:\windows\system32\wxbase28u_vc_CW.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\nvappfilter.dll
c:\program files\ContentWatch\Internet Protection\Modules\Kernel.dll
c:\program files\ContentWatch\Internet Protection\Modules\DatabaseManager.dll
c:\program files\ContentWatch\Internet Protection\Modules\Overseer.dll
c:\program files\ContentWatch\Internet Protection\ContentProtect\Modules\CPAdvisor.dll
c:\program files\ContentWatch\Internet Protection\Modules\Firewall.dll
c:\program files\ContentWatch\Internet Protection\Modules\LicenseManager.dll
c:\windows\system32\LIBEXPAT.dll
c:\program files\ContentWatch\Internet Protection\Modules\HTTPHandler.dll
c:\program files\ContentWatch\Internet Protection\Modules\IMHandler.dll
c:\windows\system32\wxbase28u_xml_vc_CW.dll
c:\program files\ContentWatch\Internet Protection\Modules\NewsHandler.dll
c:\program files\ContentWatch\Internet Protection\Modules\P2PHandler.dll
c:\program files\ContentWatch\Internet Protection\Modules\IMAnalyzer.dll
c:\program files\ContentWatch\Internet Protection\Modules\WebAnalyzer.dll
c:\program files\ContentWatch\Internet Protection\Modules\SearchTree.dll
c:\program files\ContentWatch\Internet Protection\Modules\MiscAnalyzer.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Ahead\InCD\InCDsrv.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\documents and settings\owner\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe
.
**************************************************************************
.
Completion time: 2010-10-12 22:26:57 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-13 04:26

Pre-Run: 6,920,962,048 bytes free
Post-Run: 8,197,439,488 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 01836B0EF57239095FB487040F106D39


Event 7: Four files can not be removed. Here is an excerpt from Malwarebytes log concerning these files.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\program files\microsoft\desktoplayer.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe) Good: (userinit.exe) -> No action taken.

Files Infected:
C:\WINDOWS\ExplorerSrv.exe (Heuristics.Shuriken) -> No action taken.
C:\Program Files\Microsoft\desktoplayer.exe (Trojan.Agent) -> No action taken.

Event 8: I go into the device manager and disable the Floppy Drive. It stops loading up randomly.

Event 9: Today I noticed that my hard drive space was shrinking. It went from 10gig to 4gig and I was not downloading anything.

Event 10: I ran Malwarebytes again and discovered more nasty virus scum had come onto my computer and my hard drive space is back to 10 gigs, but those four files still can not be removed.

Any help would be greatly appreciated.

Hmm... forum guidelines say that I should not have run ComboFix unless requested to.
I wish now that I came to the forums before finding and running that program. poster_oops.gif
Sorry for my noobitude

EDIT: Posts merged ~BP

Edited by Budapest, 17 October 2010 - 08:38 PM.
Moved from XP ~BP


BC AdBot (Login to Remove)

 


#2 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:09:14 AM

Posted 27 October 2010 - 06:39 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • In the custom scan box paste the following:
    msconfig
    safebootminimal
    activex
    drivers32
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    winlogon.exe
    wininit.exe
    explorer.exe
    hlp.dat
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt<--Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#3 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:09:14 AM

Posted 04 November 2010 - 04:20 AM

As it has gone stale, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users