Trojan horse Patched_c.JHB and .JHF infection


  • This topic is locked
12 replies to this topic

#1 TEllett

  • Members
  • 6 posts
  • OFFLINE
  • Local time:03:06 AM

Posted 21 October 2010 - 02:36 PM

I know a lot of other people have been having this problem and I apologize if I should not have started a new thread. AVG Resident Shield keeps popping up an alert telling me that explorer.exe is infected with Trojan horse Patched_c.JHF and winlogon.exe is infected with Trojan horse Patched_c.JHB. Of course, AVG can't remove it and neither can Spybot nor Malwarebytes. Below are my DDS.TXT and ARK.TXT files; attached is my zipped ATTACH.TXT file (I hope this is right!).

Thanks in advance for all of the work that you do!


DDS (Ver_10-10-21.02) - NTFSx86
Run by Tom Ellett at 13:44:46.14 on Thu 10/21/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2037.633 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Canon\DIAS\CnxDIAS.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\TeamViewer\Version5\TeamViewer.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DellAutomatedPCTuneUp\PTAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Online Backup\OnlineBackup.exe
C:\Documents and Settings\Tom Ellett\Local Settings\Application Data\Audiogalaxy\Audiogalaxy.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Documents and Settings\Tom Ellett\Application Data\Dropbox\bin\Dropbox.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Zecter\ZumoCast\ZumoCast.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\Program Files\AVG\AVG9\avgui.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\SiteAdvisor\4608\SiteAdv.exe
C:\Documents and Settings\Tom Ellett\Desktop\Defogger.exe
C:\Documents and Settings\Tom Ellett\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://calendar.yahoo.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
uDefault_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6080716
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb
uURLSearchHooks: Yahoo! Toolbar BETA: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
BHO: 0@J - No File
BHO: @?07962-6F74-2D53-2644-206D7942484F} - No File
BHO: rsion - No File
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {089fd14d-132b-48fc-8861-0048ae113215} - c:\program files\siteadvisor\4608\SiteAdv.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: ALOT eMusic Toolbar: {8260c2b8-e0d1-448a-b062-33d12d468bf0} - c:\program files\alot\bin\alot.dll
BHO: {BDF3E430-B101-42AD-A544-FADC6B084872} - No File
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: {D71AE705-872E-47ec-9A4B-6A93C2549AE0} - No File
BHO: >49E9F-C8D7-4D59-B87D-784B7D6BE0B3} - No File
BHO: >FD14D-132B-48FC-8861-0048AE113215} - No File
TB: McAfee SiteAdvisor: {0bf43445-2f28-4351-9252-17fe6e806aa0} - c:\program files\siteadvisor\4608\SiteAdv.dll
TB: Yahoo! Toolbar BETA: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
TB: eMusic Toolbar: {f8cc9b08-c14f-4a5c-b73b-518afecc067a} - c:\program files\emusic toolbar\emusicToolbar.dll
TB: LogOnce: {d4cf097c-c195-4fe9-90bd-6aa7437bdfac} - mscoree.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [DellAutomatedPCTuneUp] "c:\program files\dellautomatedpctuneup\PTAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Weather] c:\progra~1\aws\weathe~1\Weather.exe 1
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [@BackupScheduler] c:\program files\online backup\OnlineBackup.exe
uRun: [Audiogalaxy] "c:\documents and settings\tom ellett\local settings\application data\audiogalaxy\Audiogalaxy.exe" /startup
uRun: [ZumoCast] c:\program files\zecter\zumocast\ZumoLauncher.lnk
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_05\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Wfupemaqaw] rundll32.exe "c:\windows\esatesuxid.dll",Startup
StartupFolder: c:\docume~1\tomell~1\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\tom ellett\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\tomell~1\startm~1\programs\startup\webshots.lnk - c:\program files\webshots\Launcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {78162A52-6823-4C38-BD97-676D28566169} - c:\program files\bsi\edocxl 4.2.0\TriggerIE.exe
IE: {B82C5879-1AAF-4CFF-8062-8F2EF22FED4C} - c:\program files\bsi\edocxl 4.2.0\TriggerIE.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: audible.com\cdl
Trusted Zone: audible.com\www
Trusted Zone: turbotax.com
Trusted Zone: musicmatch.com\online
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3}
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE}
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1232130884140
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1232130871984
DPF: {6F750200-1362-4815-A476-88533DE61D0C}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {C45B1500-7B63-47C2-AB25-C28CB46AFDEE} - hxxp://sib1.pvw.od2.com/common/musicmanager/installation/MusicManagerPlugin.CAB
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - c:\program files\siteadvisor\4608\SiteAdv.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 74.208.10.249 gs.apple.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\tomell~1\applic~1\mozilla\firefox\profiles\5sy8786j.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/?.home=ytff
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 8118
FF - prefs.js: network.proxy.socks - 127.0.0.1
FF - prefs.js: network.proxy.socks_port - 9050
FF - prefs.js: network.proxy.ssl - 127.0.0.1
FF - prefs.js: network.proxy.ssl_port - 8118
FF - prefs.js: network.proxy.type - 4
FF - component: c:\documents and settings\tom ellett\application data\mozilla\firefox\profiles\5sy8786j.default\extensions\{9ee802e8-c931-47ab-b570-aa8f791598ca}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\tom ellett\application data\mozilla\firefox\profiles\5sy8786j.default\extensions\{9ee802e8-c931-47ab-b570-aa8f791598ca}\components\RadioWMPCore.dll
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\tom ellett\application data\mozilla\firefox\profiles\5sy8786j.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\program files\emusic download manager\plugin\npemusic.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npImgCtl.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {7E033FC3-15F6-42CC-8679-2C595BC9238C} - c:\documents and settings\tom ellett\local settings\application data\{7E033FC3-15F6-42CC-8679-2C595BC9238C}

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-12-14 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-12-14 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-12-14 243024]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-10-7 308136]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-10-5 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-7-24 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-8-3 47640]
R2 TeamViewer5;TeamViewer 5;c:\program files\teamviewer\version5\TeamViewer_Service.exe [2010-2-11 172328]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-10-6 136176]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [2009-6-15 17408]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2010-10-19 15:00:25 -------- d-----w- c:\program files\CCleaner
2010-10-19 14:44:17 -------- d-----w- c:\docume~1\tomell~1\locals~1\applic~1\Audiogalaxy
2010-10-14 10:38:08 0 ----a-w- c:\windows\system32\lsp1BE.tmp
2010-10-12 13:32:33 0 ----a-w- c:\windows\system32\lsp1DC.tmp
2010-10-08 17:16:03 -------- d-----w- c:\docume~1\tomell~1\applic~1\Malwarebytes
2010-10-08 17:15:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-08 17:15:30 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-10-08 17:15:28 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-08 17:15:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-08 16:39:01 0 ----a-w- c:\windows\Atoqub.bin
2010-10-08 16:38:58 -------- d-----w- c:\docume~1\tomell~1\locals~1\applic~1\{7E033FC3-15F6-42CC-8679-2C595BC9238C}
2010-10-08 16:15:40 -------- d-----w- c:\docume~1\alluse~1\applic~1\Update
2010-10-08 16:15:33 104960 --sha-r- c:\windows\system32\aaclientd.dll
2010-10-08 16:14:42 -------- d-----w- c:\docume~1\tomell~1\applic~1\48746863BE4211F08CA1AA67739D544D
2010-10-07 19:08:32 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-10-07 17:07:02 -------- d-----w- c:\docume~1\tomell~1\applic~1\ZumoCast
2010-10-07 17:06:05 -------- d-----w- c:\program files\Zecter
2010-09-30 17:06:35 -------- d-----w- c:\program files\Bonjour
2010-09-24 16:21:42 -------- d-----w- c:\documents and settings\tom ellett\.shsh

==================== Find3M ====================

2010-09-30 21:53:35 87424 ----a-w- c:\windows\system32\LMIinit.dll
2010-09-30 21:53:35 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2010-09-30 21:53:35 53632 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
2010-09-30 21:53:35 29568 ----a-w- c:\windows\system32\LMIport.dll
2010-09-08 16:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 16:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-07-27 23:44:10 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-07-27 23:44:10 107808 ----a-w- c:\windows\system32\dns-sd.exe
2006-07-07 16:47:44 0 ----a-w- c:\program files\sit24A.tmp

============= FINISH: 13:47:24.62 ===============


GMER 1.0.15.15477 - http://www.gmer.net
Rootkit scan 2010-10-21 14:17:16
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\TOMELL~1\LOCALS~1\Temp\pxtdipob.sys


---- Kernel code sections - GMER 1.0.15 ----

? vxkotlq.sys The system cannot find the file specified. !
.rsrc C:\WINDOWS\system32\drivers\ftdisk.sys entry point in ".rsrc" section [0xB9F65314]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1176] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D8000A
.text C:\WINDOWS\System32\svchost.exe[1176] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D9000A
.text C:\WINDOWS\System32\svchost.exe[1176] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00D7000C
.text C:\WINDOWS\System32\svchost.exe[1176] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0087000A
.text C:\WINDOWS\System32\svchost.exe[1176] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00F9000A
.text C:\WINDOWS\Explorer.EXE[2392] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00ED000A
.text C:\WINDOWS\Explorer.EXE[2392] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00EE000A
.text C:\WINDOWS\Explorer.EXE[2392] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00EC000C
.text C:\WINDOWS\system32\SearchIndexer.exe[3812] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4580] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 017E000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4580] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 017F000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4580] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 017D000C
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4580] GDI32.dll!TextOutW 77F17EAC 5 Bytes JMP 00B6CCF5
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4580] GDI32.dll!ExtTextOutW 77F18086 5 Bytes JMP 00B6D22F
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4580] GDI32.dll!TextOutA 77F1BA4F 5 Bytes JMP 00B6CC28
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4580] GDI32.dll!ExtTextOutA 77F1D3FA 5 Bytes JMP 00B6D14A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4580] GDI32.dll!GetGlyphIndicesA 77F3DFE3 5 Bytes JMP 00B6D5E6
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4580] GDI32.dll!GetGlyphIndicesW 77F52604 5 Bytes JMP 00B6D6B0
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4580] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E1DF4B9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4580] USER32.dll!DrawTextExW 7E42B415 5 Bytes JMP 00B6D062
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4580] USER32.dll!DrawTextW 7E42D7E2 5 Bytes JMP 00B6CE9E
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4580] USER32.dll!SetClipboardData 7E430F9E 5 Bytes JMP 00B6CB15
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4580] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E352046 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4580] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E351FC7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4580] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E35200B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4580] USER32.dll!DrawTextA 7E43C702 5 Bytes JMP 00B6CDC2
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4580] USER32.dll!DrawTextExA 7E43C739 5 Bytes JMP 00B6CF7A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4580] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E351F53 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4580] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E351F8D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4580] USER32.dll!DialogBoxIndirectParamA 7E456D7D 1 Byte [E9]
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4580] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E352081 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4580] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E2017EA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4580] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E352243 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\WINDOWS\system32\wuauclt.exe[5340] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0114000A
.text C:\WINDOWS\system32\wuauclt.exe[5340] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0115000A
.text C:\WINDOWS\system32\wuauclt.exe[5340] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0113000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)
Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD800JD-75MSA3______________________10.01E04#5&16f139c2&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sectors 156249744 (+254): rootkit-like behavior;

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\GKO68GZI\yb-business[1].htm 10019 bytes
File C:\WINDOWS\system32\drivers\ftdisk.sys suspicious modification

---- EOF - GMER 1.0.15 ----


#2 Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:08:06 AM

Posted 21 October 2010 - 04:07 PM

Good evening. :)

Take a trip to this webpage for download links and instructions for running ComboFix by sUBs.*
  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste it into your next reply.
  • Let me know how the PC is behaving.
* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of its removal tasks without the installation of the Console so, should you choose not to allow the installation, you may not get the results you hoped for.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for either.

So long, and thanks for all the fish.

 

 


#3 TEllett
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:03:06 AM

Posted 22 October 2010 - 10:31 AM

Unfortunately, I'm still getting the same notification from AVG. Below is the ComboFix log. Thanks again!

ComboFix 10-10-21.07 - Tom Ellett 10/22/2010 9:43.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2037.1470 [GMT -5:00]
Running from: c:\documents and settings\Tom Ellett\My Documents\My Dropbox\Trojan removal\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\.wtav
c:\documents and settings\Tom Ellett\Application Data\48746863BE4211F08CA1AA67739D544D
c:\documents and settings\Tom Ellett\Application Data\48746863BE4211F08CA1AA67739D544D\enemies-names.txt
c:\documents and settings\Tom Ellett\Application Data\48746863BE4211F08CA1AA67739D544D\local.ini
c:\documents and settings\Tom Ellett\Application Data\48746863BE4211F08CA1AA67739D544D\lsrslt.ini
c:\documents and settings\Tom Ellett\Application Data\alot
c:\documents and settings\Tom Ellett\Application Data\alot\BrowserSearch101\BrowserSearch101.xml
c:\documents and settings\Tom Ellett\Application Data\alot\BrowserSearch101\BrowserSearch101.xml.backup
c:\documents and settings\Tom Ellett\Application Data\alot\configurator\configurator.xml
c:\documents and settings\Tom Ellett\Application Data\alot\configurator\configurator.xml.backup
c:\documents and settings\Tom Ellett\Application Data\alot\ErrorSearch101\ErrorSearch101.xml
c:\documents and settings\Tom Ellett\Application Data\alot\ErrorSearch101\ErrorSearch101.xml.backup
c:\documents and settings\Tom Ellett\Application Data\alot\postInstallLayout\postInstallLayout.xml
c:\documents and settings\Tom Ellett\Application Data\alot\postInstallLayout\postInstallLayout.xml.backup
c:\documents and settings\Tom Ellett\Application Data\alot\Product_0\Product_0.xml
c:\documents and settings\Tom Ellett\Application Data\alot\Product_0\Product_0.xml.backup
c:\documents and settings\Tom Ellett\Application Data\alot\Product_1\Product_1.xml
c:\documents and settings\Tom Ellett\Application Data\alot\Product_1\Product_1.xml.backup
c:\documents and settings\Tom Ellett\Application Data\alot\Product_2\Product_2.xml
c:\documents and settings\Tom Ellett\Application Data\alot\Product_2\Product_2.xml.backup
c:\documents and settings\Tom Ellett\Application Data\alot\Product_3\Product_3.xml
c:\documents and settings\Tom Ellett\Application Data\alot\Product_3\Product_3.xml.backup
c:\documents and settings\Tom Ellett\Application Data\alot\Product_4\Product_4.xml
c:\documents and settings\Tom Ellett\Application Data\alot\Product_4\Product_4.xml.backup
c:\documents and settings\Tom Ellett\Application Data\alot\Product_5\Product_5.xml
c:\documents and settings\Tom Ellett\Application Data\alot\Product_5\Product_5.xml.backup
c:\documents and settings\Tom Ellett\Application Data\alot\Product_6\Product_6.xml
c:\documents and settings\Tom Ellett\Application Data\alot\Product_6\Product_6.xml.backup
c:\documents and settings\Tom Ellett\Application Data\alot\products\products.xml
c:\documents and settings\Tom Ellett\Application Data\alot\products\products.xml.backup
c:\documents and settings\Tom Ellett\Application Data\alot\Resources\Images\alot.ico
c:\documents and settings\Tom Ellett\Application Data\alot\Resources\Images\alot_brand.bmp
c:\documents and settings\Tom Ellett\Application Data\alot\Resources\Images\alot_brand.png
c:\documents and settings\Tom Ellett\Application Data\alot\Resources\Images\alot_icon_35x16.png
c:\documents and settings\Tom Ellett\Application Data\alot\Resources\Images\alot_installation.bmp
c:\documents and settings\Tom Ellett\Application Data\alot\Resources\Images\alot_search_24x16.bmp
c:\documents and settings\Tom Ellett\Application Data\alot\Resources\Images\backstage.bmp
c:\documents and settings\Tom Ellett\Application Data\alot\Resources\Images\downloadMusic.bmp
c:\documents and settings\Tom Ellett\Application Data\alot\Resources\Images\eMusicSearch.bmp
c:\documents and settings\Tom Ellett\Application Data\alot\Resources\Images\freeRadio.bmp
c:\documents and settings\Tom Ellett\Application Data\alot\Resources\Images\musicAlerts.bmp
c:\documents and settings\Tom Ellett\Application Data\alot\TimerManager\TimerManager.xml
c:\documents and settings\Tom Ellett\Application Data\alot\TimerManager\TimerManager.xml.backup
c:\documents and settings\Tom Ellett\Application Data\alot\toolbar.xml
c:\documents and settings\Tom Ellett\Application Data\alot\ToolbarSearch\ToolbarSearch.xml
c:\documents and settings\Tom Ellett\Application Data\alot\Updater\Updater.xml
c:\documents and settings\Tom Ellett\Application Data\alot\Updater\Updater.xml.backup
c:\documents and settings\Tom Ellett\Local Settings\Application Data\{7E033FC3-15F6-42CC-8679-2C595BC9238C}
c:\documents and settings\Tom Ellett\Local Settings\Application Data\{7E033FC3-15F6-42CC-8679-2C595BC9238C}\chrome.manifest
c:\documents and settings\Tom Ellett\Local Settings\Application Data\{7E033FC3-15F6-42CC-8679-2C595BC9238C}\chrome\content\_cfg.js
c:\documents and settings\Tom Ellett\Local Settings\Application Data\{7E033FC3-15F6-42CC-8679-2C595BC9238C}\chrome\content\overlay.xul
c:\documents and settings\Tom Ellett\Local Settings\Application Data\{7E033FC3-15F6-42CC-8679-2C595BC9238C}\install.rdf
c:\program files\emusic toolbar
c:\program files\emusic toolbar\affid.dat
c:\program files\emusic toolbar\basis.xml
c:\program files\emusic toolbar\cache\6e6697b743ee9a77a50e76315e839f68
c:\program files\emusic toolbar\emusicToolbar.crc
c:\program files\emusic toolbar\icons.bmp
c:\program files\emusic toolbar\logo.bmp
c:\program files\emusic toolbar\msvcp60.dll
c:\program files\emusic toolbar\msvcrt.dll
c:\program files\emusic toolbar\newversion.txt
c:\program files\emusic toolbar\tbu331\affid.dat
c:\program files\emusic toolbar\tbu331\basis.xml
c:\program files\emusic toolbar\tbu331\emusicToolbar.crc
c:\program files\emusic toolbar\tbu331\emusicToolbar.inf
c:\program files\emusic toolbar\tbu331\icons.bmp
c:\program files\emusic toolbar\tbu331\logo.bmp
c:\program files\emusic toolbar\tbu331\version.txt
c:\program files\emusic toolbar\tbu331affid.dat
c:\program files\emusic toolbar\version.txt
c:\program files\Mozilla Firefox\searchplugins\google_search.xml

Infected copy of c:\windows\system32\drivers\ftdisk.sys was found and disinfected
Restored copy from - Kitty had a snack :P
c:\windows\system32\winlogon.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Service_6to4


((((((((((((((((((((((((( Files Created from 2010-09-22 to 2010-10-22 )))))))))))))))))))))))))))))))
.

2010-10-19 15:00 . 2010-10-19 15:00 -------- d-----w- c:\program files\CCleaner
2010-10-19 14:44 . 2010-10-22 14:28 -------- d-----w- c:\documents and settings\Tom Ellett\Local Settings\Application Data\Audiogalaxy
2010-10-14 10:38 . 2010-10-14 10:38 0 ----a-w- c:\windows\system32\lsp1BE.tmp
2010-10-12 13:32 . 2010-10-12 13:32 0 ----a-w- c:\windows\system32\lsp1DC.tmp
2010-10-08 17:16 . 2010-10-08 17:16 -------- d-----w- c:\documents and settings\Tom Ellett\Application Data\Malwarebytes
2010-10-08 17:15 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-08 17:15 . 2010-10-08 17:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-10-08 17:15 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-08 17:15 . 2010-10-21 17:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-08 17:09 . 2010-10-08 17:09 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\LogMeIn
2010-10-08 16:39 . 2010-10-19 14:37 0 ----a-w- c:\windows\Atoqub.bin
2010-10-08 16:15 . 2010-10-21 17:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
2010-10-08 16:15 . 2010-10-08 16:15 104960 --sha-r- c:\windows\system32\aaclientd.dll
2010-10-07 19:08 . 2010-10-07 19:08 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-10-07 17:07 . 2010-10-22 15:04 -------- d-----w- c:\documents and settings\Tom Ellett\Application Data\ZumoCast
2010-10-07 17:06 . 2010-10-07 17:06 -------- d-----w- c:\program files\Zecter
2010-10-07 16:48 . 2010-10-07 16:48 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-09-30 17:06 . 2010-09-30 17:06 -------- d-----w- c:\program files\Bonjour
2010-09-24 16:21 . 2010-09-24 16:23 -------- d-----w- c:\documents and settings\Tom Ellett\.shsh

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-07 19:08 . 2009-12-14 18:36 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-10-07 19:08 . 2009-12-14 18:35 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-10-07 19:02 . 2009-12-14 18:35 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-09-30 21:53 . 2009-08-03 17:15 53632 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2010-09-30 21:53 . 2009-08-03 17:15 29568 ----a-w- c:\windows\system32\LMIport.dll
2010-09-30 21:53 . 2009-08-03 17:15 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2010-09-30 21:53 . 2009-08-03 17:15 87424 ----a-w- c:\windows\system32\LMIinit.dll
2010-09-08 16:17 . 2010-09-08 16:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 16:17 . 2010-09-08 16:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-07-27 23:44 . 2010-07-27 23:44 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-07-27 23:44 . 2010-07-27 23:44 107808 ----a-w- c:\windows\system32\dns-sd.exe
2006-07-07 16:47 . 2006-07-07 16:47 0 ----a-w- c:\program files\sit24A.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00ZumoCast]
@="{D25B32FE-CB96-491A-98FF-AD59DA382D69}"
[HKEY_CLASSES_ROOT\CLSID\{D25B32FE-CB96-491A-98FF-AD59DA382D69}]
2010-09-21 00:20 748544 ----a-w- c:\program files\Zecter\ZumoCast\ShellExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\01ZumoCast]
@="{EB24CA6D-F315-4A81-AC1A-C79CFD77F3F5}"
[HKEY_CLASSES_ROOT\CLSID\{EB24CA6D-F315-4A81-AC1A-C79CFD77F3F5}]
2010-09-21 00:20 748544 ----a-w- c:\program files\Zecter\ZumoCast\ShellExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\02ZumoCast]
@="{B3C78E40-6B64-47C3-AE34-60B770881EB8}"
[HKEY_CLASSES_ROOT\CLSID\{B3C78E40-6B64-47C3-AE34-60B770881EB8}]
2010-09-21 00:20 748544 ----a-w- c:\program files\Zecter\ZumoCast\ShellExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\03ZumoCast]
@="{622AFE52-33F6-4D9F-9966-E0BC52D7D69D}"
[HKEY_CLASSES_ROOT\CLSID\{622AFE52-33F6-4D9F-9966-E0BC52D7D69D}]
2010-09-21 00:20 748544 ----a-w- c:\program files\Zecter\ZumoCast\ShellExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\04ZumoCast]
@="{855156F0-2A0F-11DE-8C30-0800200C9A66}"
[HKEY_CLASSES_ROOT\CLSID\{855156F0-2A0F-11DE-8C30-0800200C9A66}]
2010-09-21 00:20 748544 ----a-w- c:\program files\Zecter\ZumoCast\ShellExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Tom Ellett\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Tom Ellett\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Tom Ellett\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellAutomatedPCTuneUp"="c:\program files\DellAutomatedPCTuneUp\PTAgnt.exe" [2007-10-11 465136]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"Weather"="c:\progra~1\AWS\WEATHE~1\Weather.exe" [2006-04-07 1343488]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"@BackupScheduler"="c:\program files\Online Backup\OnlineBackup.exe" [2008-08-18 611768]
"Audiogalaxy"="c:\documents and settings\Tom Ellett\Local Settings\Application Data\Audiogalaxy\Audiogalaxy.exe" [2010-10-09 2338896]
"ZumoCast"="c:\program files\Zecter\ZumoCast\ZumoLauncher.lnk" [2010-10-21 1625]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-14 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-14 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-14 138008]
"RTHDCPL"="RTHDCPL.EXE" [2007-06-14 16132608]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-10-07 2067808]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]

c:\documents and settings\Tom Ellett\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Tom Ellett\Application Data\Dropbox\bin\Dropbox.exe [2010-2-26 21979992]
Webshots.lnk - c:\program files\Webshots\Launcher.exe [2005-9-15 45056]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-10-07 19:08 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-09-30 21:53 87424 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Canon\\DIAS\\CnxDIAS.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Logitech Touch Mouse Server\\iTouch-Server-Win.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Zecter\\ZumoCast\\zumocast.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/14/2009 1:35 PM 216400]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [12/14/2009 1:36 PM 243024]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [10/7/2010 2:07 PM 308136]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [10/5/2010 9:28 AM 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [7/24/2008 6:46 PM 12856]
R2 TeamViewer5;TeamViewer 5;c:\program files\TeamViewer\Version5\TeamViewer_Service.exe [2/11/2010 6:42 AM 172328]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/6/2010 9:58 AM 136176]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [6/15/2009 9:17 AM 17408]
.
Contents of the 'Scheduled Tasks' folder

2010-10-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50]

2006-02-14 c:\windows\Tasks\AudioMagic.job
- c:\program files\YoGen\AudioMagic\AudioMagic.exe [2004-06-04 17:08]

2010-10-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-06 14:57]

2010-10-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-06 14:57]

2006-02-14 c:\windows\Tasks\Internet Explorer.job
- c:\progra~1\INTERN~1\iexplore.exe [2004-08-11 13:05]

2010-10-19 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2005-09-14 20:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://calendar.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{78162A52-6823-4C38-BD97-676D28566169} - c:\program files\BSI\eDocXL 4.2.0\TriggerIE.exe
IE: {{B82C5879-1AAF-4CFF-8062-8F2EF22FED4C} - c:\program files\BSI\eDocXL 4.2.0\TriggerIE.exe
Trusted Zone: audible.com\cdl
Trusted Zone: audible.com\www
Trusted Zone: turbotax.com
Trusted Zone: musicmatch.com\online
FF - ProfilePath - c:\documents and settings\Tom Ellett\Application Data\Mozilla\Firefox\Profiles\5sy8786j.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/?.home=ytff
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 8118
FF - prefs.js: network.proxy.socks - 127.0.0.1
FF - prefs.js: network.proxy.socks_port - 9050
FF - prefs.js: network.proxy.ssl - 127.0.0.1
FF - prefs.js: network.proxy.ssl_port - 8118
FF - prefs.js: network.proxy.type - 4
FF - component: c:\documents and settings\Tom Ellett\Application Data\Mozilla\Firefox\Profiles\5sy8786j.default\extensions\{9ee802e8-c931-47ab-b570-aa8f791598ca}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\Tom Ellett\Application Data\Mozilla\Firefox\Profiles\5sy8786j.default\extensions\{9ee802e8-c931-47ab-b570-aa8f791598ca}\components\RadioWMPCore.dll
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Tom Ellett\Application Data\Mozilla\Firefox\Profiles\5sy8786j.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\program files\eMusic Download Manager\plugin\npemusic.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npImgCtl.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
.
- - - - ORPHANS REMOVED - - - -

BHO-{D71AE705-872E-47ec-9A4B-6A93C2549AE0} - (no file)
HKLM-Run-Wfupemaqaw - c:\windows\esatesuxid.dll
AddRemove-EvilLyrics - c:\old drive_d\Program Files\EvilLyrics\uninst.exe
AddRemove-Flickr Uploadr - c:\old drive_d\Program Files\Flickr Uploadr\uninstall.exe
AddRemove-myFairTunes_is1 - c:\old drive_d\Program Files\myFairTunes\unins000.exe
AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\old drive_d\Program Files\DivX\DivXCodecUninstall.exe


.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(728)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
c:\windows\system32\igfxdev.dll

- - - - - - - > 'explorer.exe'(5892)
c:\windows\system32\WININET.dll
c:\program files\Zecter\ZumoCast\ShellExt.dll
c:\documents and settings\Tom Ellett\Application Data\Dropbox\bin\DropboxExt.13.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Griffin Technology\iTalk Sync\CopyHook.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\program files\Common Files\Roxio Shared\9.0\DLLShared\DLAAPI_W.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\LMIRfsClientNP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Canon\DIAS\CnxDIAS.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\TeamViewer\Version5\TeamViewer.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxsrvc.exe
c:\program files\Zecter\ZumoCast\ZumoCast.exe
c:\progra~1\Webshots\webshots.scr
c:\program files\iPod\bin\iPodService.exe
c:\program files\Java\jre1.6.0_05\bin\jucheck.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2010-10-22 10:17:26 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-22 15:17

Pre-Run: 2,640,490,496 bytes free
Post-Run: 2,757,160,960 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - D17B288F401B9FD12856F5AA441FD746


Good evening. :)

Take a trip to this webpage for download links and instructions for running Combofix by sUBs.*

  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste it into your next reply.
  • Let me know how the PC is behaving.
* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of its removal tasks without the installation of the Console so, should you choose not to allow the installation, you may not get the results you hoped for.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for either.



#4 Noviciate


  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:08:06 AM

Posted 22 October 2010 - 02:51 PM

Good evening. :)

It isn't necessary to quote posts in your replies, although feel free to do so if it makes you happy - it's a cheap way to raise a smile.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Your problem is that you have two system files that are infected and it is necessary to replace them, in a particular way, to cure the infection:

c:\windows\system32\winlogon.exe
c:\windows\explorer.exe


I think it's likely that you will need to gain access to another XP Pro system as I don't think that there are useful copies on your machine, but we'll have a look anyway.

Please download SystemLook by jpshortstuff from one of the links below and save it to your Desktop:

  • Linky #1
  • Linky #2

  • Double-click SystemLook.exe to run it.
  • Copy the contents of the following codebox into the main textfield:


    :filefind
    explorer.*
    winlogon.*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan - the log can also be found on your Desktop entitled SystemLook.txt
  • Please post the contents of this log in your next reply.

So long, and thanks for all the fish.


#5 TEllett

  • Topic Starter

  • Members
  • 6 posts
  • Local time:03:06 AM

Posted 22 October 2010 - 03:03 PM

SystemLook 04.09.10 by jpshortstuff
Log created at 14:56 on 22/10/2010 by Tom Ellett
Administrator - Elevation successful

========== filefind ==========

Searching for "explorer.*"
C:\i386\EXPLORER.EX_ --a---- 359533 bytes [21:48 11/08/2004] [10:00 04/08/2004] 4F061B12F3D5457315A0314954E7EF46
C:\i386\EXPLORER.SC_ --a---- 181 bytes [21:48 11/08/2004] [10:00 04/08/2004] BC5B38879C56DFBC05C8B5C43AC4D739
C:\Old Drive_D\Old_Drives\Drive_D\WINDOWS\EXPLORER.EXE --a---- 180224 bytes [23:01 13/05/2003] [03:22 24/04/1999] B22B28F61B1BB06723019307F0FAACFC
C:\Old Drive_D\Old_Drives\Drive_D\WINDOWS\EXPLORER.SCF --a---- 80 bytes [23:01 13/05/2003] [03:22 24/04/1999] A3975A7D2C98B30A2AE010754FFB9392
C:\Old Drive_D\Old_Drives\Drive_D\WINDOWS\Desktop\Explorer.exe.lnk --a---- 279 bytes [23:03 13/05/2003] [21:11 08/04/2002] 27CC2E31E432340AA478E4CA42453D42
C:\WINDOWS\explorer.exe --a---- 1033728 bytes [22:00 11/08/2004] [00:12 14/04/2008] C3307266B0844A4472F02904CFB41457
C:\WINDOWS\explorer.scf --a---- 80 bytes [22:00 11/08/2004] [10:00 04/08/2004] A3975A7D2C98B30A2AE010754FFB9392
C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe --a---- 1033216 bytes [04:39 16/07/2008] [11:26 13/06/2007] 7712DF0CDDE3A5AC89843E61CD5B3658
C:\WINDOWS\$NtServicePackUninstall$\explorer.exe -----c- 1033216 bytes [11:50 22/07/2008] [10:23 13/06/2007] 97BD6515465659FF8F3B7BE375B2EA87
C:\WINDOWS\ServicePackFiles\i386\explorer.exe ------- 1033728 bytes [11:04 22/07/2008] [00:12 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923
C:\WINDOWS\system32\dllcache\explorer.exe --a---- 1033216 bytes [12:00 23/08/2001] [10:23 13/06/2007] 6A57300DF1F2ECB7C85BFFF01B59AAD5

Searching for "winlogon.*"
C:\i386\winlogon.exe --a---- 507904 bytes [00:21 23/07/2008] [00:12 14/04/2008] ED0EF0A136DEC83DF69F04118870003E
C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe -----c- 502272 bytes [11:50 22/07/2008] [10:00 04/08/2004] 01C3346C241652F43AED8E2149881BFE
C:\WINDOWS\ServicePackFiles\i386\winlogon.exe ------- 507904 bytes [11:05 22/07/2008] [00:12 14/04/2008] ED0EF0A136DEC83DF69F04118870003E
C:\WINDOWS\system32\winlogon.exe --a---- 507904 bytes [22:00 11/08/2004] [00:12 14/04/2008] F4BBCF064BB25A091DCCE10AC8F6309E
C:\WINDOWS\system32\dllcache\winlogon.exe --a---- 502272 bytes [12:00 23/08/2001] [07:56 04/08/2004] 7B584F9F45272E24B5F16DAE1A727ACF

-= EOF =-
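The SystemLook output above is what the helper reads by eye to decide which copies of explorer.exe and winlogon.exe can serve as replacements. As an added example, not code from the thread or from jpshortstuff's SystemLook, the following Python script parses those exact filefind lines and applies the same reasoning mechanically: for each in-use binary it collects every other copy on the disk with the same file name, the same size and the same build timestamp, and flags the live file when its MD5 differs from all of them. Identical size and build stamp with a different hash is the fingerprint of a file patched in place, as opposed to a different version. The names `LINE_RE`, `FileEntry`, `parse_filefind` and `assess_live_file` are my own; the log lines and hashes are copied from the post above. That the second bracketed timestamp tracks the binary's build rather than the time the copy was made is an assumption inferred from the log itself (the two 14/04/2008 copies of explorer.exe share it while their first timestamps differ).

```python
"""Cross-check a SystemLook 'filefind' log for system files patched in place.

Added example for this thread (not SystemLook's or the helper's code): it reads
the filefind lines posted above and, for each in-use binary, looks for other
copies of the same build elsewhere on the disk. A live file whose MD5 differs
from every such copy, while size and build stamp are unchanged, shows the
signature of an in-place patch rather than a version difference.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Lines copied from the SystemLook log posted above (real values from the thread).
SYSTEMLOOK_LOG = r"""
Searching for "explorer.*"
C:\i386\EXPLORER.EX_ --a---- 359533 bytes [21:48 11/08/2004] [10:00 04/08/2004] 4F061B12F3D5457315A0314954E7EF46
C:\i386\EXPLORER.SC_ --a---- 181 bytes [21:48 11/08/2004] [10:00 04/08/2004] BC5B38879C56DFBC05C8B5C43AC4D739
C:\Old Drive_D\Old_Drives\Drive_D\WINDOWS\EXPLORER.EXE --a---- 180224 bytes [23:01 13/05/2003] [03:22 24/04/1999] B22B28F61B1BB06723019307F0FAACFC
C:\Old Drive_D\Old_Drives\Drive_D\WINDOWS\EXPLORER.SCF --a---- 80 bytes [23:01 13/05/2003] [03:22 24/04/1999] A3975A7D2C98B30A2AE010754FFB9392
C:\Old Drive_D\Old_Drives\Drive_D\WINDOWS\Desktop\Explorer.exe.lnk --a---- 279 bytes [23:03 13/05/2003] [21:11 08/04/2002] 27CC2E31E432340AA478E4CA42453D42
C:\WINDOWS\explorer.exe --a---- 1033728 bytes [22:00 11/08/2004] [00:12 14/04/2008] C3307266B0844A4472F02904CFB41457
C:\WINDOWS\explorer.scf --a---- 80 bytes [22:00 11/08/2004] [10:00 04/08/2004] A3975A7D2C98B30A2AE010754FFB9392
C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe --a---- 1033216 bytes [04:39 16/07/2008] [11:26 13/06/2007] 7712DF0CDDE3A5AC89843E61CD5B3658
C:\WINDOWS\$NtServicePackUninstall$\explorer.exe -----c- 1033216 bytes [11:50 22/07/2008] [10:23 13/06/2007] 97BD6515465659FF8F3B7BE375B2EA87
C:\WINDOWS\ServicePackFiles\i386\explorer.exe ------- 1033728 bytes [11:04 22/07/2008] [00:12 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923
C:\WINDOWS\system32\dllcache\explorer.exe --a---- 1033216 bytes [12:00 23/08/2001] [10:23 13/06/2007] 6A57300DF1F2ECB7C85BFFF01B59AAD5

Searching for "winlogon.*"
C:\i386\winlogon.exe --a---- 507904 bytes [00:21 23/07/2008] [00:12 14/04/2008] ED0EF0A136DEC83DF69F04118870003E
C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe -----c- 502272 bytes [11:50 22/07/2008] [10:00 04/08/2004] 01C3346C241652F43AED8E2149881BFE
C:\WINDOWS\ServicePackFiles\i386\winlogon.exe ------- 507904 bytes [11:05 22/07/2008] [00:12 14/04/2008] ED0EF0A136DEC83DF69F04118870003E
C:\WINDOWS\system32\winlogon.exe --a---- 507904 bytes [22:00 11/08/2004] [00:12 14/04/2008] F4BBCF064BB25A091DCCE10AC8F6309E
C:\WINDOWS\system32\dllcache\winlogon.exe --a---- 502272 bytes [12:00 23/08/2001] [07:56 04/08/2004] 7B584F9F45272E24B5F16DAE1A727ACF
-= EOF =-
"""

# One filefind result line: path, 7-char attribute field, size, two timestamps, MD5.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-z]{7})\s+(?P<size>\d+) bytes"
    r"\s+\[(?P<stamp1>[^\]]+)\]\s+\[(?P<stamp2>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$"
)


@dataclass
class FileEntry:
    path: str
    attrs: str
    size: int
    stamp1: str  # first bracketed timestamp, differs between copies of the same build
    stamp2: str  # second bracketed timestamp, shared by copies of the same build (assumption, see lead-in)
    md5: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()


def parse_filefind(text: str) -> List[FileEntry]:
    """Return one FileEntry per result line; headers, blanks and the EOF marker are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(FileEntry(m["path"], m["attrs"], int(m["size"]),
                                     m["stamp1"], m["stamp2"], m["md5"].upper()))
    return entries


def assess_live_file(entries: List[FileEntry], live_path: str) -> Dict:
    """Compare the in-use copy at live_path against other copies of the same build."""
    live = next((e for e in entries if e.path.lower() == live_path.lower()), None)
    if live is None:
        return {"status": "not_found", "live_path": live_path}
    # Reference copies: same file name, same size, same build stamp, different location.
    # Copies of another build (different size or stamp) are older versions, not references.
    refs = [e for e in entries
            if e is not live and e.name == live.name
            and e.size == live.size and e.stamp2 == live.stamp2]
    ref_md5s = sorted({e.md5 for e in refs})
    if not refs:
        status = "no_reference"
    elif live.md5 in ref_md5s:
        status = "matches_reference"
    elif len(ref_md5s) == 1:
        status = "patched_in_place"      # same size and build, different content
    else:
        status = "references_disagree"   # the reference copies cannot be trusted as a set
    return {"status": status, "live_md5": live.md5,
            "references": [e.path for e in refs], "reference_md5s": ref_md5s}


if __name__ == "__main__":
    found = parse_filefind(SYSTEMLOOK_LOG)
    for live in (r"C:\WINDOWS\explorer.exe", r"C:\WINDOWS\system32\winlogon.exe"):
        result = assess_live_file(found, live)
        print(f"{live} -> {result['status']}")
        for ref in result.get("references", []):
            print(f"    reference copy: {ref}")
```

Run against the log above, both in-use files come out as `patched_in_place`: the live explorer.exe has exactly one same-build reference (the ServicePackFiles\i386 copy) and the live winlogon.exe has two (C:\i386 and ServicePackFiles\i386) that agree with each other and disagree with it. The dllcache and $NtServicePackUninstall$ copies are a different size and build stamp, so the script treats them as older versions rather than as references; a hash match against those would prove nothing about the current build.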

#6 Noviciate


  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:08:06 AM

Posted 23 October 2010 - 02:05 PM

Good evening. :)

The computer Gods seem to be smiling on you this evening.

The first step of this two step procedure is to copy two files to the root of your hard drive.

File 1: C:\WINDOWS\ServicePackFiles\i386\explorer.exe needs to become C:\explorer.exe
File 2: C:\i386\winlogon.exe needs to become C:\winlogon.exe

Please note that you are using Copy and Paste and NOT Cut and Paste as you may need the original files in the future. Once you have done this, read on.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Read through the following instructions to be sure that you understand what is required and if you are unclear about anything at all, ask BEFORE you begin:

  • Restart your computer.
  • Before Windows loads, you will be prompted to choose which Operating System to start.
  • Use the up/down arrow keys to select Microsoft Windows Recovery Console.
  • You need to tell the PC which Windows installation to access (there may be more than one) - select the C:\Windows option and press <ENTER>.
You now need to enter the following two commands, one at a time, pressing <ENTER> after each, ensuring that you do so exactly as shown:

ren explorer.exe explorer.old
copy c:\explorer.exe c:\windows\explorer.exe
After entering the final command you should see the message 1 file(s) copied which indicates that it has been successful. If you do not see this message, enter the copy command again checking that you have done so correctly. If you still do not see the message, you need to enter the following command:

ren explorer.old explorer.exe

This will restore the infected file so that your system will function correctly on reboot.

* If you are prompted that you are about to overwrite a file when you enter the copy command, you need to select No as something hasn't gone correctly.

If the file isn't successfully copied you should exit the Recovery Console - see bottom of post. If all goes well however, run the following set of three commands:

cd system32
ren winlogon.exe winlogon.old
copy c:\winlogon.exe c:\windows\system32\winlogon.exe
Again you should see the 1 file(s) copied message - if you don't, you should repeat the copy command and if that doesn't work you need to enter the following command:

ren winlogon.old winlogon.exe

Again, if you are prompted that you are about to overwrite a file when you enter the copy command, you need to select No.

Once you have completed both sets of commands, or if you had issues with the first set, enter the following command to exit the Recovery Console:
exit - this will reboot your system as normal.
Let me know how you get on.

So long, and thanks for all the fish.


#7 TEllett

  • Topic Starter

  • Members
  • 6 posts
  • Local time:03:06 AM

Posted 25 October 2010 - 09:49 AM

Everything seems to be working perfectly!

Thank you so very much!

#8 Noviciate


  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:08:06 AM

Posted 25 October 2010 - 01:22 PM

Good evening. :)

I always like to read such things! I think a little scan before we tidy up and you go on your way is a good idea.

Pay a visit to the ESET Online Scanner.
  • Click the ESET Online Scanner button, read the info in the new window, check the appropriate box and click Start.
  • Accept the ActiveX download, and allow it to install.
  • Once this has been completed, you will see the Computer Scan settings page - ensure that you uncheck the "Remove found threats" box and then click Start.
  • The virus signature database will now need to be downloaded, so don't forget to instruct your firewall to permit it if it asks.
  • The above will take a little time, so now is a good time to fire up the kettle and open the biccies.
  • Once the scan has completed you will be shown the results - assuming that the scanner has found anything.
  • Click List of found threats and then Export to text file... and save the log somewhere convenient.
  • You can then close out the scanner - don't bother uninstalling it as you may need to use it again.
  • Please post the contents of this file in your next reply, or let me know that nothing was identified.

I'd also like a fresh DDS log as well.

Edited by Noviciate, 25 October 2010 - 01:22 PM.

So long, and thanks for all the fish.


#9 TEllett

  • Topic Starter

  • Members
  • 6 posts
  • Local time:03:06 AM

Posted 26 October 2010 - 01:05 PM

Good call! It turns out that I still have multiple infections as shown in the log below:

C:\Documents and Settings\All Users\Documents\Server\hlp.dat Win32/Bamital.EK trojan
C:\Old Drive_D\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\K7M1KPS3\glimbo.cjb[1].htm HTML/ScrInject.B.Gen virus
C:\Old Drive_D\Old_Drives\Drive_C\Program Files\AWS\WeatherBug\Install\WxBugSetup50b11.exe a variant of Win32/AdInstaller application
C:\Old Drive_D\Old_Drives\Drive_D\WINDOWS\gendel32.exe Win32/HackTool.Gendel.B trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Tom Ellett\Application Data\48746863BE4211F08CA1AA67739D544D\enemies-names.txt.vir Win32/Adware.AntimalwareDoctor.AE.Gen application
C:\Qoobox\Quarantine\C\Documents and Settings\Tom Ellett\Application Data\48746863BE4211F08CA1AA67739D544D\local.ini.vir Win32/Adware.AntimalwareDoctor.AE.Gen application
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\ftdisk.sys.vir Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP11\A0003303.ini Win32/Adware.AntimalwareDoctor.AE.Gen application
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP9\A0002911.dll a variant of Win32/Cimag.DP trojan
C:\WINDOWS\explorer.old Win32/Bamital.EL trojan
C:\WINDOWS\system32\winlogon.old Win32/Bamital.EL trojan
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\B9Q6KKIG\script[1] Win32/Adware.Antivirus2010 application
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\G9X806SN\dialog_alert[1] Win32/Adware.Antivirus2010 application
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\G9X806SN\INSTALL[1] Win32/Adware.Antivirus2010 application
C:\WINDOWS\system32\dllcache\explorer.exe Win32/Bamital.EL trojan
C:\WINDOWS\system32\dllcache\winlogon.exe Win32/Bamital.EL trojan



DDS (Ver_10-10-21.02) - NTFSx86
Run by Tom Ellett at 12:57:45.58 on Tue 10/26/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2037.540 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Canon\DIAS\CnxDIAS.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\TeamViewer\Version5\TeamViewer.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DellAutomatedPCTuneUp\PTAgnt.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Online Backup\OnlineBackup.exe
C:\Documents and Settings\Tom Ellett\Local Settings\Application Data\Audiogalaxy\Audiogalaxy.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Documents and Settings\Tom Ellett\Application Data\Dropbox\bin\Dropbox.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Program Files\ESET\ESET Online Scanner\OnlineScannerApp.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Tom Ellett\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://calendar.yahoo.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
uDefault_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6080716
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb
uURLSearchHooks: Yahoo! Toolbar BETA: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
BHO: 0@J - No File
BHO: @?07962-6F74-2D53-2644-206D7942484F} - No File
BHO: rsion - No File
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {089fd14d-132b-48fc-8861-0048ae113215} - c:\program files\siteadvisor\4608\SiteAdv.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: {8260C2B8-E0D1-448a-B062-33D12D468BF0} - No File
BHO: {BDF3E430-B101-42AD-A544-FADC6B084872} - No File
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: {D71AE705-872E-47ec-9A4B-6A93C2549AE0} - No File
BHO: >49E9F-C8D7-4D59-B87D-784B7D6BE0B3} - No File
BHO: >FD14D-132B-48FC-8861-0048AE113215} - No File
TB: McAfee SiteAdvisor: {0bf43445-2f28-4351-9252-17fe6e806aa0} - c:\program files\siteadvisor\4608\SiteAdv.dll
TB: Yahoo! Toolbar BETA: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
TB: eMusic Toolbar: {f8cc9b08-c14f-4a5c-b73b-518afecc067a} - c:\program files\emusic toolbar\emusicToolbar.dll
TB: LogOnce: {d4cf097c-c195-4fe9-90bd-6aa7437bdfac} - mscoree.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [DellAutomatedPCTuneUp] "c:\program files\dellautomatedpctuneup\PTAgnt.exe" /startup
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [Weather] c:\progra~1\aws\weathe~1\Weather.exe 1
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [@BackupScheduler] c:\program files\online backup\OnlineBackup.exe
uRun: [Audiogalaxy] "c:\documents and settings\tom ellett\local settings\application data\audiogalaxy\Audiogalaxy.exe" /startup
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_05\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\tomell~1\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\tom ellett\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\tomell~1\startm~1\programs\startup\webshots.lnk - c:\program files\webshots\Launcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {78162A52-6823-4C38-BD97-676D28566169} - c:\program files\bsi\edocxl 4.2.0\TriggerIE.exe
IE: {B82C5879-1AAF-4CFF-8062-8F2EF22FED4C} - c:\program files\bsi\edocxl 4.2.0\TriggerIE.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: audible.com\cdl
Trusted Zone: audible.com\www
Trusted Zone: turbotax.com
Trusted Zone: musicmatch.com\online
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3}
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE}
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1232130884140
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1232130871984
DPF: {6F750200-1362-4815-A476-88533DE61D0C}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {C45B1500-7B63-47C2-AB25-C28CB46AFDEE} - hxxp://sib1.pvw.od2.com/common/musicmanager/installation/MusicManagerPlugin.CAB
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - c:\program files\siteadvisor\4608\SiteAdv.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\tomell~1\applic~1\mozilla\firefox\profiles\5sy8786j.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/?.home=ytff
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 8118
FF - prefs.js: network.proxy.socks - 127.0.0.1
FF - prefs.js: network.proxy.socks_port - 9050
FF - prefs.js: network.proxy.ssl - 127.0.0.1
FF - prefs.js: network.proxy.ssl_port - 8118
FF - prefs.js: network.proxy.type - 4
FF - component: c:\documents and settings\tom ellett\application data\mozilla\firefox\profiles\5sy8786j.default\extensions\{9ee802e8-c931-47ab-b570-aa8f791598ca}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\tom ellett\application data\mozilla\firefox\profiles\5sy8786j.default\extensions\{9ee802e8-c931-47ab-b570-aa8f791598ca}\components\RadioWMPCore.dll
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\tom ellett\application data\mozilla\firefox\profiles\5sy8786j.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\program files\emusic download manager\plugin\npemusic.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npImgCtl.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-12-14 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-12-14 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-12-14 243024]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-10-7 308136]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-10-5 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-7-24 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-8-3 47640]
R2 TeamViewer5;TeamViewer 5;c:\program files\teamviewer\version5\TeamViewer_Service.exe [2010-2-11 172328]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-10-6 136176]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [2009-6-15 17408]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2010-10-26 14:14:04 -------- d-----w- c:\program files\ESET
2010-10-25 14:15:18 507904 ----a-w- C:\winlogon.exe
2010-10-25 14:15:18 507904 ----a-w- c:\windows\system32\winlogon.exe
2010-10-25 14:14:39 1033728 ----a-w- c:\windows\explorer.exe
2010-10-25 14:14:39 1033728 ----a-w- C:\explorer.exe
2010-10-22 14:34:26 -------- d-sha-r- C:\cmdcons
2010-10-22 14:30:05 98816 ----a-w- c:\windows\sed.exe
2010-10-22 14:30:05 77312 ----a-w- c:\windows\MBR.exe
2010-10-22 14:30:05 256512 ----a-w- c:\windows\PEV.exe
2010-10-22 14:30:05 161792 ----a-w- c:\windows\SWREG.exe
2010-10-22 14:29:38 -------- d-----w- C:\ComboFix
2010-10-19 15:00:25 -------- d-----w- c:\program files\CCleaner
2010-10-19 14:44:17 -------- d-----w- c:\docume~1\tomell~1\locals~1\applic~1\Audiogalaxy
2010-10-14 10:38:08 0 ----a-w- c:\windows\system32\lsp1BE.tmp
2010-10-12 13:32:33 0 ----a-w- c:\windows\system32\lsp1DC.tmp
2010-10-08 17:16:03 -------- d-----w- c:\docume~1\tomell~1\applic~1\Malwarebytes
2010-10-08 17:15:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-08 17:15:30 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-10-08 17:15:28 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-08 17:15:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-08 16:39:01 0 ----a-w- c:\windows\Atoqub.bin
2010-10-08 16:15:40 -------- d-----w- c:\docume~1\alluse~1\applic~1\Update
2010-10-08 16:15:33 104960 --sha-r- c:\windows\system32\aaclientd.dll
2010-10-07 19:08:32 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-10-07 17:07:02 -------- d-----w- c:\docume~1\tomell~1\applic~1\ZumoCast
2010-10-07 17:06:05 -------- d-----w- c:\program files\Zecter
2010-09-30 17:06:35 -------- d-----w- c:\program files\Bonjour

==================== Find3M ====================

2010-09-30 21:53:35 87424 ----a-w- c:\windows\system32\LMIinit.dll
2010-09-30 21:53:35 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2010-09-30 21:53:35 53632 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
2010-09-30 21:53:35 29568 ----a-w- c:\windows\system32\LMIport.dll
2010-09-08 16:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 16:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts
2006-07-07 16:47:44 0 ----a-w- c:\program files\sit24A.tmp

============= FINISH: 12:59:19.75 ===============


#10 Noviciate

  • Malware Response Team

Posted 26 October 2010 - 03:08 PM

Good evening. :)

I'll work through the above and explain as best I can.

C:\WINDOWS\explorer.old
C:\WINDOWS\system32\winlogon.old


These are the two infected files that you renamed and replaced - you can delete these manually.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

C:\WINDOWS\system32\dllcache\explorer.exe
C:\WINDOWS\system32\dllcache\winlogon.exe


These are system file back-ups of the top two files that have unfortunately also been infected. You need to replace these with clean copies.
Simply delete the two files above from the dllcache folder and then copy and paste clean ones to the same folder. You can either use the two spare files that you had in the root of your drive, if they are still there, or the two that you dropped where they belonged:

Either c:\winlogon.exe or c:\windows\system32\winlogon.exe
And either c:\explorer.exe or c:\windows\explorer.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

C:\Documents and Settings\All Users\Documents\Server\hlp.dat

The above can simply be deleted - it's a leftover from the infection you had.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Detections in C:\System Volume Information relate to infected Restore Points created by System Restore and pose no immediate risk to your PC. Once you've got the PC clean you will create a clean Restore Point and you won't use one from before this. Over time the points are removed as new ones are created and so things will clean themselves without further involvement.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The only question I have is with regard to C:\Old Drive_D - could you tell me what this folder is exactly?

So long, and thanks for all the fish.
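One way to confirm that the dllcache copies really do match the clean ones once you have swapped them in, as an added Python example that is not part of this thread or of any tool mentioned in it: it hashes each copy of winlogon.exe and explorer.exe and reports which ones differ from, or are missing next to, the copy in its normal location. The path layout is the one listed in the post above; the drive root, the constructed sample file contents and the function names are assumptions made for the demo.

```python
"""Check that backup copies of system binaries match the in-place copies.

Added example (not from the thread). Paths follow the layout named in the
post: the in-place copy is the reference, the dllcache copy and the spare
copy in the drive root are the candidates.
"""
import hashlib
import os
import tempfile


def sha256_of(path, chunk_size=1 << 16):
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def compare_copies(reference, candidates):
    """Hash `reference` and every candidate path.

    Returns {label: (matches_reference, hexdigest)}. A candidate that does
    not exist yields (False, None) so a missing spare copy is reported too.
    """
    reference_hash = sha256_of(reference)
    report = {}
    for label, path in candidates.items():
        if not os.path.isfile(path):
            report[label] = (False, None)
            continue
        candidate_hash = sha256_of(path)
        report[label] = (candidate_hash == reference_hash, candidate_hash)
    return report


def check_system_files(drive_root):
    """Compare dllcache and root copies of winlogon.exe / explorer.exe
    against the copies in their normal locations.

    `drive_root` is "C:\\" on a real XP machine (assumption: the standard
    layout) and a temporary directory in the demo below.
    """
    windows = os.path.join(drive_root, "WINDOWS")
    system32 = os.path.join(windows, "system32")
    dllcache = os.path.join(system32, "dllcache")
    layout = {
        "winlogon.exe": (
            os.path.join(system32, "winlogon.exe"),
            {"dllcache": os.path.join(dllcache, "winlogon.exe"),
             "root": os.path.join(drive_root, "winlogon.exe")},
        ),
        "explorer.exe": (
            os.path.join(windows, "explorer.exe"),
            {"dllcache": os.path.join(dllcache, "explorer.exe"),
             "root": os.path.join(drive_root, "explorer.exe")},
        ),
    }
    return {name: compare_copies(ref, cands) for name, (ref, cands) in layout.items()}


def build_demo_tree():
    """Constructed sample drive: the in-place copies are 'clean', the
    dllcache copy of winlogon.exe still differs, and the spare root copy
    of explorer.exe has already been deleted. Contents are placeholders."""
    root = tempfile.mkdtemp(prefix="dllcache_demo_")
    windows = os.path.join(root, "WINDOWS")
    system32 = os.path.join(windows, "system32")
    dllcache = os.path.join(system32, "dllcache")
    os.makedirs(dllcache)
    files = {
        os.path.join(system32, "winlogon.exe"): b"constructed clean winlogon",
        os.path.join(dllcache, "winlogon.exe"): b"constructed PATCHED winlogon",
        os.path.join(root, "winlogon.exe"): b"constructed clean winlogon",
        os.path.join(windows, "explorer.exe"): b"constructed clean explorer",
        os.path.join(dllcache, "explorer.exe"): b"constructed clean explorer",
    }
    for path, content in files.items():
        with open(path, "wb") as fh:
            fh.write(content)
    return root


def demo():
    """Run the check over the constructed tree and return the report."""
    return check_system_files(build_demo_tree())


if __name__ == "__main__":
    for name, copies in demo().items():
        for label, (ok, digest) in copies.items():
            state = "matches" if ok else ("MISSING" if digest is None else "DIFFERS")
            print(f"{name:12s} {label:9s} {state}")
```

A matching hash only shows that two copies are byte-for-byte identical; it is the scan, not the hash, that vouches for the reference copy being clean, which is why the dllcache detections above were found by ESET rather than by comparing files. Run it on the real drive with `check_system_files("C:\\")` after the swap, and any copy reported as DIFFERS is one that still needs replacing.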

#11 TEllett

  • Topic Starter

Posted 27 October 2010 - 10:48 AM

Thanks for everything; you've been a real life saver (or as my son would say, "a light sabre")!

The "Old Drive_D" thing is my simpleton way of archiving my data when I upgrade my computer/hard drive. With each upgrade, I always get a bigger hard drive and simply copy the entire old hard drive to the new one. That way I never lose any old files (99% of which I'll never access again, of course!) without having to actually spend any time thinking about what I want to keep and what I should delete. If I do access an old file, I typically save it into the current "My Documents" folders and so I don't have a lot of clutter there, but things I use are easily accessible. I'm sure there are smarter ways to accomplish this more efficiently, but I haven't put any energy into researching them.

Thanks again!

#12 Noviciate

  • Malware Response Team

Posted 27 October 2010 - 03:09 PM

Good evening. :)

I guessed it was something like that, but I thought I'd ask.

or as my son would say, "a light sabre"

Light sabre I am, a good thing that is - sad Yoda impressions don't seem to work as well in text, but there you are.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

C:\Old Drive_D\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\K7M1KPS3\glimbo.cjb[1].htm

C:\Old Drive_D\Old_Drives\Drive_D\WINDOWS\gendel32.exe


The first isn't a threat, so I'd ignore it, but you could delete the second, just to be on the safe side. It's highly unlikely to cause you any grief, but given that if you were to go on a mad click and hunt it might conceivably do something that you might not like, better safe than sorry.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

You've got some leftovers from either infections or uninstallations that we might as well tidy up, although they are just gathering dust rather than lying in wait.

Download a copy of HJTInstall.exe from here and save it to your Desktop
  • Double click HiJackThis.msi to begin installation.
  • You will need to accept the EULA to install the tool, so check the box and click Next.
  • Accept the installation location, which by default is C:\Program Files\Trend Micro\HijackThis or click the Change... button if you want to choose somewhere else and then click Next
  • Once HJT has installed click Finish to finish - nice and clear this bit!
  • A shortcut will be handily created on your Desktop, so click it to begin.
  • When HJT opens, click on the Do a system scan and save a log file button.
  • When HJT has finished scanning, a window entitled "hijackthis.log" will open - when you close this window the log will be saved into the Hijackthis folder for reference.
  • Copy and paste this into your next reply.

So long, and thanks for all the fish.

#13 Noviciate

  • Malware Response Team

Posted 01 November 2010 - 03:49 PM

In the time honoured tradition, as there has been no reply for five days, this one is now locked.

So long, and thanks for all the fish.
