
I'm sorry, my "IT" bro in law ran combofix without the prep work...


This topic is locked
10 replies to this topic

#1 warob

Posted 10 November 2010 - 02:00 PM

I apologize, I went to my brother-in-law because he is an IT guy and thought he could help. I had a malware infection that Malwarebytes and SUPERAntiSpyware could not clean, so he takes his pen drive and runs the ComboFix program. So far it seems to have worked, but since visiting this site, I am now worried I didn't go through the proper procedures. I have now downloaded the DDS and GMER files, plus I have the original ComboFix log:

ComboFix 10-11-09.03 - ROBERTWA 11/10/2010 10:54:26.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3536.2913 [GMT -6:00]
Running from: c:\documents and settings\robertwa\Desktop\pc tools\ComboFixnew.exe
AV: Microsoft Forefront Client Security *On-access scanning enabled* (Updated) {926A3D4F-E4E7-4F47-9902-4EDD55FFE1AF}
FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\robertwa\Application Data\Ovcyw
c:\documents and settings\robertwa\Application Data\Ovcyw\quyb.tmp
c:\documents and settings\robertwa\Application Data\Ovcyw\quyb.ukc
c:\winnt\null

----- BITS: Possible infected sites -----

hxxp://US1019SMSP.america.apci.com:80
.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IAS
-------\Service_Ias


((((((((((((((((((((((((( Files Created from 2010-10-10 to 2010-11-10 )))))))))))))))))))))))))))))))
.

2010-11-10 15:10 . 2010-11-10 15:10 -------- d-----w- c:\documents and settings\LocalService\Application Data\WhiteSmokeTranslator
2010-11-10 15:09 . 2010-11-10 16:10 -------- d-----w- c:\documents and settings\robertwa\Application Data\whitesmoketoolbar
2010-11-10 15:06 . 2010-11-10 15:06 -------- d-----w- c:\documents and settings\LocalService\Application Data\whitesmoketoolbar
2010-11-10 14:29 . 2010-10-18 14:41 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\{43B3D682-C58C-4923-88BB-E3E095486790}\mpengine.dll
2010-11-05 19:37 . 2010-11-10 16:22 -------- d-----w- c:\winnt\system32\%APPDATA%
2010-11-05 19:37 . 2010-11-05 19:37 -------- d-----w- c:\documents and settings\NetworkService\Application Data\whitesmoketoolbar
2010-11-05 17:26 . 2010-11-05 17:26 21384 ---ha-w- c:\winnt\system32\drivers\whlva.sys
2010-11-05 12:58 . 2010-11-05 12:58 -------- d-----w- c:\documents and settings\robertwa\Application Data\SUPERAntiSpyware.com
2010-11-05 12:58 . 2010-11-05 12:58 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-11-05 11:53 . 2010-11-05 12:50 -------- d-----w- c:\winnt\LMIF.tmp
2010-11-05 10:10 . 2010-10-18 14:41 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\Updates\mpengine.dll
2010-11-05 04:06 . 2010-11-05 04:06 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2010-11-05 00:26 . 2010-11-05 00:26 -------- d-----w- c:\documents and settings\robertwa\Application Data\Malwarebytes
2010-11-05 00:26 . 2010-04-29 20:39 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2010-11-05 00:26 . 2010-11-05 00:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-05 00:26 . 2010-11-05 00:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-11-05 00:26 . 2010-04-29 20:39 20952 ----a-w- c:\winnt\system32\drivers\mbam.sys
2010-11-04 22:40 . 2010-11-05 02:04 -------- d-----w- c:\documents and settings\robertwa\Application Data\Liuvtu
2010-11-04 20:27 . 2010-11-04 20:27 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-11-04 20:06 . 2010-11-04 20:07 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-11-04 18:49 . 2010-11-04 18:49 -------- d-----w- c:\documents and settings\robertwa\Local Settings\Application Data\IsolatedStorage
2010-11-03 22:13 . 2010-11-03 22:13 -------- d-----w- c:\documents and settings\robertwa\Local Settings\Application Data\PCHealth
2010-11-02 19:10 . 2010-11-02 19:10 -------- d-----w- c:\winnt\ms
2010-10-18 18:40 . 2010-08-23 16:12 617472 -c----w- c:\winnt\system32\dllcache\comctl32.dll
2010-10-18 18:40 . 2010-09-18 06:53 974848 -c----w- c:\winnt\system32\dllcache\mfc42.dll
2010-10-18 18:40 . 2010-09-18 06:53 953856 -c----w- c:\winnt\system32\dllcache\mfc40u.dll
2010-10-18 18:40 . 2010-07-16 12:05 1288192 -c----w- c:\winnt\system32\dllcache\ole32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-19 16:41 . 2010-08-26 18:46 222080 ------w- c:\winnt\system32\MpSigStub.exe
2010-10-18 14:41 . 2010-08-26 18:46 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\Backup\mpengine.dll
2010-09-29 17:43 . 2010-09-29 17:43 2035 ----a-w- c:\winnt\system32\WhlNSPBackup_1.reg
2010-09-29 17:43 . 2010-09-29 17:43 117002 ----a-w- c:\winnt\system32\WhlLSPBackup_1.reg
2010-09-18 17:23 . 2009-01-14 02:04 974848 ----a-w- c:\winnt\system32\mfc42u.dll
2010-09-18 06:53 . 2009-01-14 02:04 974848 ----a-w- c:\winnt\system32\mfc42.dll
2010-09-18 06:53 . 2009-01-14 02:04 954368 ----a-w- c:\winnt\system32\mfc40.dll
2010-09-18 06:53 . 2009-01-14 02:04 953856 ----a-w- c:\winnt\system32\mfc40u.dll
2010-09-09 13:36 . 2009-01-14 02:04 841216 ----a-w- c:\winnt\system32\wininet.dll
2010-09-09 13:36 . 2009-01-14 02:04 1830912 ----a-w- c:\winnt\system32\inetcpl.cpl
2010-09-09 13:36 . 2009-01-14 02:04 78336 ----a-w- c:\winnt\system32\ieencode.dll
2010-09-09 13:36 . 2009-01-14 02:04 17408 ----a-w- c:\winnt\system32\corpol.dll
2010-09-08 16:17 . 2010-09-08 16:17 94208 ----a-w- c:\winnt\system32\QuickTimeVR.qtx
2010-09-08 16:17 . 2010-09-08 16:17 69632 ----a-w- c:\winnt\system32\QuickTime.qts
2010-09-08 15:48 . 2009-01-14 02:04 389120 ----a-w- c:\winnt\system32\html.iec
2010-09-01 11:51 . 2009-01-14 02:04 285824 ----a-w- c:\winnt\system32\atmfd.dll
2010-08-31 13:42 . 2009-01-14 02:04 1852800 ----a-w- c:\winnt\system32\win32k.sys
2010-08-27 08:02 . 2009-01-14 02:04 119808 ----a-w- c:\winnt\system32\t2embed.dll
2010-08-23 16:12 . 2009-01-14 02:04 617472 ----a-w- c:\winnt\system32\comctl32.dll
2010-08-17 13:17 . 2009-01-14 02:04 58880 ----a-w- c:\winnt\system32\spoolsv.exe
2010-08-16 08:45 . 2009-01-14 02:04 590848 ----a-w- c:\winnt\system32\rpcrt4.dll
2010-08-13 12:53 . 2009-12-02 23:05 5120 ----a-w- c:\winnt\system32\xpsp4res.dll
2008-10-08 17:18 . 2009-12-01 15:06 3125248 ----a-w- c:\program files\Common Files\sapxlhelper.dll
2008-10-08 17:18 . 2009-12-01 15:06 626688 ----a-w- c:\program files\Common Files\sapconsaccess.dll
2008-10-08 17:18 . 2009-12-01 15:06 192512 ----a-w- c:\program files\Common Files\sapconsr3.dll
2008-10-08 17:18 . 2009-12-01 15:06 40960 -c--a-w- c:\program files\Common Files\DigitalSignature.ocx
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\winnt\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\winnt\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\winnt\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\winnt\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-06-07 319488]
"MsmqIntCert"="mqrt.dll" [2008-04-14 177152]
"AESTFltr"="c:\winnt\system32\AESTFltr.exe" [2008-05-20 466944]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-05-22 442467]
"IgfxTray"="c:\winnt\system32\igfxtray.exe" [2008-09-15 150040]
"HotKeysCmds"="c:\winnt\system32\hkcmd.exe" [2008-09-15 178712]
"Persistence"="c:\winnt\system32\igfxpers.exe" [2008-09-15 150040]
"Communicator"="c:\program files\Microsoft Office Communicator\communicator.exe" [2010-04-11 5116256]
"8e6Authentication"="wscript.exe" [2008-04-14 155648]
"CfgDownload"="c:\program files\IXOS\bin\CfgDownload.exe" [2007-05-29 184320]
"AT&T Communication Manager"="c:\program files\AT&T\Communication Manager\ATTCM.exe" [2009-10-09 883272]
"EZGigMonitor.exe"="c:\program files\Apricorn\EZ Gig II\EZGigMonitor.exe" [2007-10-09 1169264]
"AcronisTimounterMonitor"="c:\program files\Apricorn\EZ Gig II\TimounterMonitor.exe" [2007-10-09 1949480]
"Apricorn Scheduler Service"="c:\program files\Common Files\Apricorn\Schedule2\schedhlp.exe" [2007-10-09 148712]
"CgaViewer"="c:\program files\CyberGatekeeper Agent\cgav.exe" [2010-02-16 163898]
"CgaHelper"="c:\program files\CyberGatekeeper Agent\cgahelp.exe" [2010-02-16 106560]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"Microsoft Forefront Client Security Antimalware Service"="c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe" [2010-01-19 1033600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
F1U201.401.lnk - c:\program files\Belkin\F1U201.401\usbshare.exe [2009-12-3 135168]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLogonScripts"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoMSAppLogo5ChannelNotify"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
"NoAutoUpdate"= 1 (0x1)
"DisablePersonalDirChange"= 1 (0x1)
"DisallowCpl"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-12-03 15:04 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2005-05-20 15:51 8704 ----a-w- c:\winnt\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2072974133-1425365782-667646791-35529\Scripts\Logoff\0\0]
"Script"=DelWhlCach3.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2072974133-1425365782-667646791-35529\Scripts\Logon\0\0]
"Script"=InterfaceMetric.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2072974133-1425365782-667646791-35529\Scripts\Logon\1\0]
"Script"=EFS_LS.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2072974133-1425365782-667646791-35529\Scripts\Logon\2\0]
"Script"=DelWhlCach3.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FCSAM]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\winnt\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk
backup=c:\winnt\pss\Adobe Acrobat Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GlobeTrotter Connect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\GlobeTrotter Connect.lnk
backup=c:\winnt\pss\GlobeTrotter Connect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\winnt\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\winnt\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2006-10-23 05:24 620152 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AT&T Communication Manager]
2009-10-09 23:58 883272 ----a-w- c:\program files\AT&T\Communication Manager\ATTCM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2008-12-08 21:50 54576 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
2009-09-21 21:34 1206544 ----a-w- c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]
2009-09-21 21:49 1392640 ----a-w- c:\program files\Intel\WiFi\bin\ZCfgSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINNT\\system32\\mqsvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
"c:\\Program Files\\AT&T\\Communication Manager\\SwiApiMux.exe"=
"c:\\Program Files\\Microsoft Forefront UAG\\Endpoint Components\\3.1.0\\WhlClnt3.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\WINNT\\system32\\mmc.exe"=

R0 vmscsi;vmscsi;c:\winnt\system32\drivers\vmscsi.sys [1/14/2009 9:28 AM 10880]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 12:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 12:41 PM 67656]
R2 CafeDrv;CafeDrv NDIS Protocol Driver;c:\winnt\system32\drivers\CafeDrv.sys [10/28/2009 11:36 AM 29568]
R2 CGAgent;CyberGatekeeper Agent;c:\program files\CyberGatekeeper Agent\cgasvc.exe [2/16/2010 5:07 PM 81982]
R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [7/31/2008 8:41 PM 808296]
R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [7/31/2008 8:41 PM 21352]
R2 FCSAM;Microsoft Forefront Client Security Antimalware Service;c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe [1/19/2010 3:49 PM 16880]
R2 FcsSas;Microsoft Forefront Client Security State Assessment Service;c:\program files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe [10/22/2009 6:31 PM 69512]
R2 GtDetectSc;GtDetectSc;c:\program files\Option\GlobeTrotter Connect\GtDetectSc.exe [4/30/2008 5:52 PM 200704]
R2 MOM;MOM;c:\program files\Microsoft Forefront\Client Security\Client\Microsoft Operations Manager 2005\MOMService.exe [7/21/2005 10:14 AM 134656]
R2 psginasvc;Password Manager Logon Management Service;c:\program files\P-Synch\Clients\service\psginasvc.exe [7/8/2009 1:50 PM 585728]
R3 AESTAud;AE Audio Service;c:\winnt\system32\drivers\AESTAud.sys [12/1/2009 7:47 AM 108160]
R3 cvusbdrv;Broadcom USH CV;c:\winnt\system32\drivers\cvusbdrv.sys [12/1/2009 7:52 AM 32808]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\winnt\system32\drivers\e1y5132.sys [11/12/2008 9:33 AM 244368]
R3 Iexim;Infoexpress Generic Network Filter Service;c:\winnt\system32\drivers\iexim.sys [12/8/2009 10:17 AM 31232]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\winnt\system32\drivers\IntcHdmi.sys [12/1/2009 7:49 AM 110080]
R3 whlva;SSL Network Tunneling;c:\winnt\system32\drivers\whlva.sys [11/5/2010 11:26 AM 21384]
S1 qpulsrwv;qpulsrwv;\??\c:\winnt\system32\drivers\qpulsrwv.sys --> c:\winnt\system32\drivers\qpulsrwv.sys [?]
S2 gupdate;Google Update Service (gupdate);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [10/9/2009 5:59 PM 121416]
S3 DMService;Microsoft Forefront UAG Endpoint Component Manager;c:\winnt\DOWNLO~1\DMService.exe [11/5/2010 11:24 AM 468368]
S3 GT72NDISIPXP;GT 72 IP NDIS;c:\winnt\system32\drivers\Gt51Ip.sys [7/7/2008 2:29 PM 106112]
S3 GT72UBUS;GT 72 U BUS;c:\winnt\system32\drivers\gt72ubus.sys [8/20/2008 3:49 PM 59008]
S3 SWNC8U56;Sierra Wireless MUX NDIS Driver (UMTS56);c:\winnt\system32\drivers\swnc8u56.sys [4/7/2009 11:37 AM 190080]
S3 SWUMX56;Sierra Wireless USB MUX Driver (UMTS56);c:\winnt\system32\drivers\swumx56.sys [4/7/2009 11:37 AM 148096]
S3 whliocsv;Microsoft Forefront UAG SSL Network Tunneling Client;c:\program files\Microsoft Forefront UAG\Endpoint Components\3.1.0\whliocsv.exe [11/5/2010 11:26 AM 156048]
S3 WinRM;Windows Remote Management (WS-Management);c:\winnt\system32\svchost.exe -k WINRM [1/13/2009 8:04 PM 14336]
S4 uagqecsvc;Microsoft Forefront UAG Quarantine Enforcement Client;c:\program files\Microsoft Forefront UAG\Endpoint Components\3.1.0\uagqecsvc.exe [11/5/2010 11:25 AM 149904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5}]
2010-09-09 13:36 124928 ----a-w- c:\winnt\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-11-10 c:\winnt\Tasks\MP Scheduled Quick Scan.job
- c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2010-01-19 21:49]

2010-11-10 c:\winnt\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2010-01-19 21:49]

2010-11-10 c:\winnt\Tasks\MP Scheduled Signature Update.job
- c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2010-01-19 21:49]

2010-11-10 c:\winnt\Tasks\User_Feed_Synchronization-{5DB2A058-6A4B-4593-80F8-C95C73691C34}.job
- c:\winnt\system32\msfeedssync.exe [2007-08-13 23:36]

2010-11-10 c:\winnt\Tasks\User_Feed_Synchronization-{67B1C9E0-7BD3-4FD7-9AE6-D0A287583655}.job
- c:\winnt\system32\msfeedssync.exe [2007-08-13 23:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://aponline.apci.com
uInternet Settings,ProxyOverride = <local>
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Handler: qvp - {4BA78E3D-CA25-4BFF-B8F0-8A3359E4B520} - c:\program files\QlikView\QvProtocol\Qvp.dll
DPF: {A67EE2D0-D7C7-4ADE-96E5-7AE17AFBEDE2} - hxxp://meup1/softwarerequest/srsinstall.cab
.
.
------- File Associations -------
.
JSEFile=c:\winnt\system32\Notepad.exe "%1" %*
vbsfile\shell\edit\command=c:\winnt\system32\Notepad.exe %1
.
- - - - ORPHANS REMOVED - - - -

BHO-{52794457-af6c-4c50-9def-f2e24f4c8889} - c:\program files\whitesmoketoolbar\whitesmoketoolbarX.dll
Toolbar-{52794457-af6c-4c50-9def-f2e24f4c8889} - c:\program files\whitesmoketoolbar\whitesmoketoolbarX.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-10 11:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINNT\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINNT\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1644)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\winnt\system32\WININET.dll
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
c:\winnt\system32\netprovcredman.dll
c:\program files\P-Synch\Clients\service\ginasvc.dll

- - - - - - - > 'explorer.exe'(2004)
c:\winnt\system32\WININET.dll
c:\winnt\system32\ieframe.dll
c:\winnt\system32\WPDShServiceObj.dll
c:\winnt\system32\PortableDeviceTypes.dll
c:\winnt\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\idt\dellxpm09b_6017v022\wdm\stacsv.exe
c:\winnt\System32\SCardSvr.exe
c:\progra~1\CYBERG~1\cgagent.exe
c:\winnt\system32\msdtc.exe
c:\progra~1\CYBERG~1\nicman.exe
c:\progra~1\CYBERG~1\cgahelp.exe
c:\program files\Common Files\Apricorn\Schedule2\schedul2.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\winnt\system32\HPZipm12.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\winnt\system32\mqsvc.exe
c:\winnt\system32\CCM\CcmExec.exe
c:\winnt\system32\mqtgsvc.exe
c:\winnt\system32\igfxsrvc.exe
c:\winnt\system32\msiexec.exe
c:\progra~1\AirProducts\8e6auth\authenticat.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-11-10 11:08:51 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-10 17:08
ComboFix2.txt 2010-11-06 01:52

Pre-Run: 111,243,018,240 bytes free
Post-Run: 111,142,846,464 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 47C8202F142A09D7C1FB4B80714F69BA

Edited by warob, 10 November 2010 - 03:08 PM.
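The lines in the log above that a responder would read first are the `Bootkit TDL4` hit on `\\.\PhysicalDrive0` (an MBR-level infection that survives file-level cleaners such as Malwarebytes and SUPERAntiSpyware), the `*disabled*` Symantec firewall product, `"EnableFirewall"= 0` in the standard profile, the BITS job pointed at an external host, and the system-start driver `qpulsrwv` whose image file no longer exists. The script below is an added example for this thread, not ComboFix code and not the poster's; it extracts those findings from a log so they are not lost in the noise. Its sample input is an excerpt constructed from the log posted above, and the severity levels and the policy watch-list are the example's own assumptions.

```python
"""Triage a ComboFix log for the findings that matter most (added example)."""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (severity, category, detail)

# Constructed sample: lines excerpted from the ComboFix log posted above.
SAMPLE_LOG = r"""
AV: Microsoft Forefront Client Security *On-access scanning enabled* (Updated) {926A3D4F-E4E7-4F47-9902-4EDD55FFE1AF}
FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\robertwa\Application Data\Ovcyw\quyb.tmp
c:\winnt\null

----- BITS: Possible infected sites -----

hxxp://US1019SMSP.america.apci.com:80
.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoAutoUpdate"= 1 (0x1)
"DisallowCpl"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R3 whlva;SSL Network Tunneling;c:\winnt\system32\drivers\whlva.sys [11/5/2010 11:26 AM 21384]
S1 qpulsrwv;qpulsrwv;\??\c:\winnt\system32\drivers\qpulsrwv.sys --> c:\winnt\system32\drivers\qpulsrwv.sys [?]
S2 gupdate;Google Update Service (gupdate);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
"""

# "\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected"
BOOTKIT_RE = re.compile(r"^\\\\\.\\(PhysicalDrive\d+) - Bootkit (\S+) was found")
# "FW: Symantec Endpoint Protection *disabled* {GUID}" (AV/FW/SP product lines)
PRODUCT_RE = re.compile(r"^(AV|FW|SP): (.+?) \*([^*]+)\*")
# "S1 name;display;image ..." start type: 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
SERVICE_RE = re.compile(r"^[RS](\d) ([^;]+);[^;]*;(.*)$")
# Policy values worth a second look; this watch-list is an assumption of the example
POLICY_RE = re.compile(r'^"(NoAutoUpdate|DisallowCpl|DisableRegistryTools|DisableTaskMgr)"= 1\b')
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"= 0\b')
PATH_RE = re.compile(r"^[a-z]:\\", re.IGNORECASE)


def triage_combofix(text: str) -> List[Finding]:
    """Walk the log once and return (severity, category, detail) findings in log order."""
    findings: List[Finding] = []
    section = None  # "deletions" / "bits" while inside those blocks, else None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        # ComboFix delimits blocks with "(((( name ))))" and "----- name -----" headers.
        if line.startswith("(((((") or line.startswith("-----"):
            if "Other Deletions" in line:
                section = "deletions"
            elif "BITS: Possible infected sites" in line:
                section = "bits"
            else:
                section = None
            continue
        m = BOOTKIT_RE.match(line)
        if m:  # MBR bootkit: file-level scanners cannot see or remove this
            findings.append(("high", "bootkit", f"{m.group(1)}: {m.group(2)}"))
            continue
        m = PRODUCT_RE.match(line)
        if m:
            if "disabled" in m.group(3).lower():
                findings.append(("medium", "protection-disabled", f"{m.group(1)}: {m.group(2)}"))
            continue
        if FIREWALL_OFF_RE.match(line):
            findings.append(("medium", "host-firewall-off", "EnableFirewall=0 (standard profile)"))
            continue
        m = POLICY_RE.match(line)
        if m:
            findings.append(("info", "restrictive-policy", m.group(1)))
            continue
        m = SERVICE_RE.match(line)
        if m and line.endswith("[?]"):  # registered service whose image ComboFix could not find
            start, name = m.group(1), m.group(2)
            sev = "high" if start in ("0", "1") else "medium"  # boot/system-start driver with no file
            findings.append((sev, "service-missing-image", f"{name} (start type {start})"))
            continue
        if section == "bits" and line.startswith("hxxp://"):
            findings.append(("info", "bits-url", line))
        elif section == "deletions" and PATH_RE.match(line):
            findings.append(("info", "deleted", line))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity for a quick read of whether the box is still hot."""
    counts = {"high": 0, "medium": 0, "info": 0}
    for sev, _, _ in findings:
        counts[sev] += 1
    return counts


if __name__ == "__main__":
    results = triage_combofix(SAMPLE_LOG)
    for sev, cat, detail in results:
        print(f"[{sev:6}] {cat:22} {detail}")
    print(summarize(results))
```

Two caveats on reading the output. The `[?]` marker means only that ComboFix could not resolve the image path; for `gupdate` the quoted path plus `/svc` argument is the usual reason, so the example rates it lower than `qpulsrwv`, a system-start (S1) driver with no file behind it, which is the residue pattern a rootkit dropper leaves. And "found and disinfected" for TDL4 means the MBR was rewritten, which is exactly why the helper's request for a fresh GMER log is the right next step: the boot sector should be confirmed clean rather than assumed so. The explorer policies, logon scripts and SMS client in the log suggest a domain-managed machine, so those policy hits may be corporate GPO rather than malware and are reported as informational only.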


#2 Shannon2012


Posted 17 November 2010 - 08:48 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Shannon

#3 warob


Posted 21 November 2010 - 12:26 PM

I'm still not having any real problems that I can tell, but want to make sure my system is clean.

DDS:

DDS (Ver_10-11-10.01) - NTFSx86
Run by Robertson at 11:04:39.82 on Sun 11/21/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Enterprise 6.1.7600.0.1252.1.1033.18.1022.230 [GMT -6:00]

SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\Explorer.EXE
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10l_ActiveX.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\LogonUI.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Robertson\Desktop\pc tools\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [ddoctorv2] "c:\program files\comcast\desktop doctor\bin\sprtcmd.exe" /P ddoctorv2
mRun: [<NO NAME>]
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://98.196.241.133/activex/AMC.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 151216]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2009-12-2 42368]
R3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
R3 VSTHWBS2;VSTHWBS2;c:\windows\system32\drivers\VSTBS23.SYS [2009-7-13 266752]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-7-7 135664]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 OPZREWJ;OPZREWJ;c:\users\robert~1\appdata\local\temp\OPZREWJ.exe [2010-10-21 592768]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-6-20 1343400]

=============== Created Last 30 ================

2010-11-21 16:42:20 6273872 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{0021b333-01bd-4023-bec2-93202694e278}\mpengine.dll
2010-11-12 03:39:56 -------- d-----w- c:\windows\system32\appmgmt
2010-11-12 02:32:23 -------- d-----w- c:\program files\ESET
2010-10-26 23:19:17 641536 ----a-w- c:\windows\system32\CPFilters.dll
2010-10-26 23:19:17 417792 ----a-w- c:\windows\system32\msdri.dll
2010-10-26 23:19:17 204288 ----a-w- c:\windows\system32\MSNP.ax
2010-10-26 23:19:17 199680 ----a-w- c:\windows\system32\mpg2splt.ax
2010-10-26 23:18:57 26504 ----a-w- c:\windows\system32\drivers\Diskdump.sys
2010-10-26 03:42:25 -------- d-----w- c:\users\robert~1\appdata\local\SupportSoft
2010-10-26 03:35:32 -------- d-----w- c:\program files\common files\supportsoft
2010-10-26 03:35:32 -------- d-----w- c:\program files\Comcast
2010-10-26 02:19:54 -------- d-----w- c:\users\robert~1\appdata\roaming\Malwarebytes
2010-10-26 02:19:45 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-26 02:19:43 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-26 02:19:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-23 19:13:35 -------- d-----w- c:\users\robert~1\appdata\roaming\SUPERAntiSpyware.com
2010-10-23 19:13:35 -------- d-----w- c:\progra~2\SUPERAntiSpyware.com
2010-10-23 19:13:23 -------- d-----w- c:\program files\SUPERAntiSpyware

==================== Find3M ====================

2010-10-19 20:51:33 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-09-08 04:30:04 978432 ----a-w- c:\windows\system32\wininet.dll
2010-09-08 04:28:15 44544 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-08 03:22:31 386048 ----a-w- c:\windows\system32\html.iec
2010-09-08 02:48:16 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-09-01 04:23:49 12625408 ----a-w- c:\windows\system32\wmploc.DLL
2010-09-01 02:34:52 2327552 ----a-w- c:\windows\system32\win32k.sys
2010-08-31 04:32:30 954752 ----a-w- c:\windows\system32\mfc40.dll
2010-08-31 04:32:30 954288 ----a-w- c:\windows\system32\mfc40u.dll
2010-08-27 05:46:48 168448 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 04:39:58 109056 ----a-w- c:\windows\system32\t2embed.dll

============= FINISH: 11:05:21.39 ===============

Attached Files
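
The log above is data the poster pasted, so it has been left as-is. The following is an added example, not part of DDS, ComboFix or any BleepingComputer tool: a small triage script that reads the "Pseudo HJT Report" and "SERVICES / DRIVERS" line formats shown above and raises review prompts for the patterns a helper looks for first, such as a service or driver binary living under a user profile or temp directory, an ActiveX CAB (DPF entry) served from a bare IP address, and an empty Run entry. The sample log, the service name and the 198.51.100.7 address are constructed for the example; the flags are prompts for a human to review, not verdicts.

```python
"""Triage helpers for a DDS log's "Pseudo HJT Report" and "SERVICES / DRIVERS"
sections.  Added example, not part of DDS, ComboFix or any BleepingComputer
tool: every flag is a review prompt, not a verdict."""
import ipaddress
import re

# Constructed sample, modelled on the DDS line formats in the log above.
# 198.51.100.7 is a documentation address; the service name is made up.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============

mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [<NO NAME>]
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://198.51.100.7/activex/AMC.cab

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 151216]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-7-7 135664]
S3 QXZVBWK;QXZVBWK;c:\users\robert~1\appdata\local\temp\QXZVBWK.exe [2010-10-21 592768]
"""

# R/S = running/stopped, digit = start type, then name;description;path [date size]
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.+?)"
    r"(?:\s+\[(?P<date>[\d-]+)\s+(?P<size>\d+)\])?\s*$"
)
# DPF = ActiveX download entries: CLSID, then the source URL (hxxp = defanged http)
DPF_RE = re.compile(r"^DPF:\s+\{(?P<clsid>[0-9A-Fa-f-]+)\}\s+-\s+(?P<url>\S+)")
# uRun/mRun = per-user / per-machine Run-key autostarts
RUN_RE = re.compile(r"^(?P<hive>[um])Run:\s+\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")

# Locations an unprivileged user can write to; a service or driver binary
# has no business living there.
USER_WRITABLE = ("\\users\\", "\\documents and settings\\", "\\temp\\")


def parse_services(text):
    """Return one dict (state, start, name, desc, path, date, size) per service line."""
    matches = (SERVICE_RE.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]


def bare_ip_host(url):
    """True when an hxxp:// or http:// URL names its host by a literal IPv4 address."""
    m = re.match(r"^h(?:xx|tt)ps?://([^/:]+)", url, re.IGNORECASE)
    if not m:
        return False
    try:
        ipaddress.IPv4Address(m.group(1))
    except ValueError:
        return False
    return True


def triage(text):
    """Return [(line, [reason, ...])] for every line that deserves a closer look."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        reasons = []
        if (m := SERVICE_RE.match(line)):
            if any(tag in m.group("path").lower() for tag in USER_WRITABLE):
                reasons.append("service/driver binary in a user-writable profile or temp directory")
        elif (m := DPF_RE.match(line)):
            if bare_ip_host(m.group("url")):
                reasons.append("ActiveX CAB served from a bare IP address instead of a vendor domain")
        elif (m := RUN_RE.match(line)):
            if m.group("name") == "<NO NAME>" or not m.group("cmd"):
                reasons.append("Run entry with no name or no command; confirm it is a leftover")
            elif "\\temp\\" in m.group("cmd").lower():
                reasons.append("autostart command points into a temp directory")
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("   ->", reason)
```

Run it against a saved DDS log by passing the file's text to `triage()`. A hit only says "look here": the helper still has to check the file's publisher, hash and creation date before deciding anything, and a clean run proves nothing about what a rootkit hides from the tools that produced the log.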



#4 etavares, Bleepin' Remover (Malware Response Team, 15,514 posts)

Posted 22 November 2010 - 08:03 PM

Hello, warob.
My name is etavares and I will be helping you with this log.

Here are some guidelines to ensure we are able to get your machine back under your control.

  • Please do not run any unsupervised scans, fixes, etc. We can work against each other and end up in a worse place.
  • Please subscribe to this topic if you have not already done so. Please check back just in case, as the email system can fail at times.
  • Just because your machine is running better does not mean it is completely cleaned. Please wait for the 'all clear' from me to say when we are done.
  • Please reply within 3 days to be fair to other people asking for help.
  • When in doubt, please stop and ask first. There's no harm in asking questions!


Ok, the first thing is that you were infected with a backdoor rootkit. So I'll provide the warning below.

Also, this appears to be a corporate computer. By continuing, you acknowledge that you are aware of your IT policies and accept responsibility for the fixes in this thread. Combofix or other tools may remove corporate specific items such as custom scripts or policies.

Backdoor Warning
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you do decide to proceed, please continue with the fix below.

Step 1


Please run MBAM Quick Scan (update the definitions first), and post the resulting log here.

etavares

Edited by etavares, 22 November 2010 - 08:04 PM.
add warning


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#5 warob, Topic Starter (Members, 14 posts)

Posted 23 November 2010 - 07:25 PM

First off, I would like to thank you for helping me. I am a new member, and may have cheated a little here. You were correct, the first post was my corporate pc, but since it was taking a while for a reply (which I totally understand) I had to send that pc in for repair. Here is where I cheated: instead of starting a new topic when I saw the reply, I posted the scan results from my home pc, which has been having problems also. I apologize, and understand if you want me to start a new thread. I will do better from now on, I promise! Anyway, if you want to continue, here are the results from the quick scan:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5178

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

11/23/2010 6:20:22 PM
mbam-log-2010-11-23 (18-20-22).txt

Scan type: Quick scan
Objects scanned: 152229
Time elapsed: 8 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 etavares, Bleepin' Remover (Malware Response Team, 15,514 posts)

Posted 24 November 2010 - 10:06 AM

Hello, warob.

In the future, please start other threads for each computer. I wasted a fair amount of time researching the first log.

Are you having any issues on this computer?



Step 1

Your Adobe Reader software is out of date and has known security holes. Please launch it, go to Help --> Check for Updates and let it update the main program if needed. Updating the languages and/or dictionaries is optional.



Step 2

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image

etavares




#7 warob, Topic Starter (Members, 14 posts)

Posted 24 November 2010 - 10:53 PM

I truly apologize for that.

This computer hasn't been giving me many problems, but at one time not long ago I was using utorrent, and did acquire some viruses. This is when I decided file sharing wasn't worth the misery it can bring and deleted it. I was able to get those viruses under control with a combination of Malware Bytes and Super anti spyware. I just want to make sure the pc is really clean.

I ran the ESET scan and it found no infected files.

Thanks again.

#8 etavares, Bleepin' Remover (Malware Response Team, 15,514 posts)

Posted 26 November 2010 - 11:21 AM

Hello, warob.

No worries. Everything looks ok on my end, so let's clean up.


Ok, good news. Your log appears clean. Let's clean up our mess. If your computer is running well; please do the steps listed below. At the end, I've also listed a few completely optional things you can do to further secure your computer. Safe surfing!



Step 1

Next, we need to remove the other tools we have used.
  • Please download OTC by OldTimer and save it to your desktop
  • If that link doesn't work, try this one.
  • Doubleclick the Posted Image icon to start the program.
  • Then, click the big Posted Image button.
  • You will get a prompt saying Begin Cleanup Process. Click Yes.
  • Restart your computer when prompted.

If you ran Defogger and disabled your emulator, please don't forget to run it again and reenable it. See the instructions here to do so.


Optional Items

Please take the time to read below to secure your machine and take the necessary steps to keep it that way.


System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve preformance. If you are running Windows Vista or Windows 7, please right-click on the icon, and select "Run As Administrator"; otherwise it won't work.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware

Protect yourself from malicious sites

The HOSTS file can protect you from connecting to bad sites. See The Hosts File and what it can do for you for more background.

Please download HostsMan. It safeguards you with a regularly updated Hosts file that blocks dangerous sites from opening. This adds another bit of safety while surfing the Internet. For installation and setting up, follow these steps:
  • Double-click the Downloaded installer and install the tool to a location of your choice
  • Via the Startmenu, navigate to HostsMan and run the program.
    • Click "Hosts" in the menu
    • Click "Manage Updates" in the submenu
    • Select at least one of the three (I have MVPS Host as my main one)
    • Click "Add Update." After that you will only need to click on the following button to retrieve updates:
      Posted Image
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.


Keep Windows Up to Date
It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.



Update your AntiVirus Software

It is imperative that you update your Antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software, it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program, you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Use a Firewall

I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls

Install an AntiSpyware Program

A highly recommended AntiSpyware program is Malwarebytes Anti-Malware. You can download the free version.

Installing this program will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would an antivirus software.


Update all these programs regularly
Make sure you update all your programs regularly. Without regular updates you WILL NOT be protected when new malicious programs are released. You can use Secunia PSI to keep track of necessary updates. It can run in the background and constantly monitor your software; although I just run it once a week manually. It will alert you when an update is available for a variety of software. It is very useful.

Follow this list and your potential for being infected again will reduce dramatically.

Good luck!

etavares



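The HostsMan steps in the post above end with a caveat: a custom Hosts file has to be re-merged by hand after each block-list update. The following added example (not HostsMan's or MVPS's code) shows what that merge has to do: keep every line the user wrote, add the block list inside a marked section that can be regenerated on the next update, and let an existing custom mapping win when the block list contains the same hostname, so an intranet entry is never silently redirected. The marker comments, the 0.0.0.0 sink address and both sample files are assumptions constructed for the example.

```python
"""Merge a hosts-format block list into an existing hosts file without losing
custom entries.  Added example, not HostsMan's or MVPS's code; the marker
comments, sink address and sample data are assumptions."""
import re

BEGIN = "# BEGIN managed block list (regenerated; put your own entries above this line)"
END = "# END managed block list"

# address, one or more hostnames, optional trailing comment
HOSTS_LINE = re.compile(r"^(?P<addr>\S+)\s+(?P<names>[^#]+?)\s*(?:#.*)?$")
# loopback names must keep their normal mapping even if a list repeats them
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed current hosts file with a custom intranet entry that must survive.
CURRENT_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.0.2.10      intranet.example   # hand-added, must not be overridden
0.0.0.0         ads.example
"""

# Constructed block list in the same format MVPS-style lists use.
BLOCKLIST = """\
# constructed block list
127.0.0.1  localhost
0.0.0.0  ads.example
0.0.0.0  tracker.example
0.0.0.0  intranet.example   # collides with the custom entry above
0.0.0.0  Malware.Example
"""


def parse_entries(text):
    """Return {hostname (lower-case): address}; the first mapping for a name wins."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = HOSTS_LINE.match(line)
        if m:
            for name in m.group("names").split():
                mapping.setdefault(name.lower(), m.group("addr"))
    return mapping


def split_managed(text):
    """Separate the user's own lines from a previously generated managed block."""
    user, managed, inside = [], [], False
    for line in text.splitlines():
        if line.strip() == BEGIN:
            inside = True
        elif line.strip() == END:
            inside = False
        elif inside:
            managed.append(line)
        else:
            user.append(line)
    return user, managed


def merge(current_hosts, blocklist, sink="0.0.0.0"):
    """Return (new_hosts_text, added_names, skipped_names).

    A hostname the user already maps outside the managed block is skipped, so
    custom entries always win over the list; loopback names are never re-sunk.
    Re-running on the output only regenerates the managed block."""
    user_lines, _ = split_managed(current_hosts)
    user_map = parse_entries("\n".join(user_lines))
    added, skipped = [], []
    for name in sorted(parse_entries(blocklist)):
        if name in user_map or name in LOCAL_NAMES:
            skipped.append(name)
        else:
            added.append(name)
    block = [f"{sink} {name}" for name in added]
    text = "\n".join(user_lines + [BEGIN] + block + [END]) + "\n"
    return text, added, skipped


if __name__ == "__main__":
    new_text, added, skipped = merge(CURRENT_HOSTS, BLOCKLIST)
    print(new_text)
    print("added:", added)
    print("kept the user's own or loopback mapping for:", skipped)
```

On Windows the live file is %SystemRoot%\System32\drivers\etc\hosts; writing it needs an elevated prompt, and some antivirus products treat hosts-file edits as suspicious, so expect a prompt from them. The sink is 0.0.0.0 rather than 127.0.0.1 so blocked names fail immediately instead of trying a loopback connection; the MVPS list itself uses the same convention.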

#9 warob, Topic Starter (Members, 14 posts)

Posted 26 November 2010 - 03:10 PM

Thank you for your help, I did the cleanup, and installed the two optional programs. I am going to start a new thread for my corporate pc, as they sent it back to me with only repairing the booting problem it was having. I believe it is still infected. Thanks again!!

#10 etavares, Bleepin' Remover (Malware Response Team, 15,514 posts)

Posted 28 November 2010 - 09:14 AM

No problem.




#11 etavares, Bleepin' Remover (Malware Response Team, 15,514 posts)

Posted 03 December 2010 - 07:44 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you are the topic starter, and need this topic reopened, please contact me via PM with the address of this thread.

Everyone else please begin a new topic.

