
Multi mshta.exe following TDSS rootkit and other trojan infestation


This topic is locked
15 replies to this topic

#1 jaxmom (Members, 10 posts)

Posted 14 November 2010 - 01:31 PM

Hello all,

Yesterday I discovered my Dell laptop running Windows XP had been infected by TDSS rootkit, which had masked a double-handful of other worms and trojans. Have run TDSSKiller and removed that, and managed to kill whatever was causing constant pop-ups and redirects (Think Point?), but am still finding infected files and seeing multiple instances of mshta.exe running in Process Explorer. I've called up the Command Line in ProcExp and can see that these instances are calling funking URLs, so I'm sure it's viral. Have also found lspE.dll hiding in System32, but cannot delete, even after renaming.

I have admin rights (work computer), but cannot access safe mode.

Have run ESET twice. Malwarebytes and TrendMicro both come up clean now, but I know there is some ongoing infection. Any assistance in cleaning what remains of this mess would be greatly appreciated.

Edited by jaxmom, 14 November 2010 - 01:34 PM.
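The symptom described in this post (several mshta.exe processes whose command lines point at web URLs) is something a responder can check for mechanically rather than by eye. The Python below is an added example, not code from the original thread or from jaxmom: it takes (image name, command line) pairs such as the Command Line column copied out of Process Explorer, counts the mshta.exe instances, and flags those that load a remote .hta over HTTP or run an inline javascript:/vbscript: payload, while marking instances that run a local .hta file as lower-priority but still worth checking. The process list, paths and hostname are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample of (image name, command line) pairs, as one might copy
# from Process Explorer's Command Line column. Paths and the hostname are
# invented for illustration; they are not from the thread.
SAMPLE_PROCESSES = [
    ("explorer.exe", r"C:\WINDOWS\Explorer.EXE"),
    ("mshta.exe", r'C:\WINDOWS\system32\mshta.exe "http://example-bad.invalid/ads/go.hta"'),
    ("mshta.exe", r'mshta.exe vbscript:MsgBox("hi")(window.close)'),
    ("mshta.exe", r'C:\WINDOWS\system32\mshta.exe "C:\Program Files\Vendor\setup.hta"'),
    ("svchost.exe", r"C:\WINDOWS\system32\svchost.exe -k netsvcs"),
]

# Remote resource in the argument list (http, https or ftp).
URL_RE = re.compile(r"\b(?:https?|ftp)://[^\s\"']+", re.IGNORECASE)
# Inline script via the javascript: / vbscript: protocol handlers, which mshta
# executes directly without any .hta file on disk.
INLINE_SCRIPT_RE = re.compile(r"\b(?:javascript|vbscript)\s*:", re.IGNORECASE)


@dataclass
class Finding:
    image: str
    severity: str
    reason: str
    cmdline: str


def count_mshta(processes):
    """Number of running mshta.exe instances (case-insensitive on the image name)."""
    return sum(1 for name, _ in processes if name.lower() == "mshta.exe")


def triage_mshta(processes):
    """Classify every mshta.exe instance by what its command line asks it to run.

    high: remote HTA fetched over the network, or an inline script payload
    low:  local .hta file; often legitimate, but the file should be verified
    """
    findings = []
    for name, cmdline in processes:
        if name.lower() != "mshta.exe":
            continue
        urls = URL_RE.findall(cmdline)
        if urls:
            findings.append(Finding(name, "high", "remote HTA: " + urls[0], cmdline))
        elif INLINE_SCRIPT_RE.search(cmdline):
            findings.append(Finding(name, "high", "inline script protocol handler", cmdline))
        else:
            findings.append(Finding(name, "low", "local HTA, verify the file", cmdline))
    return findings


if __name__ == "__main__":
    print(f"{count_mshta(SAMPLE_PROCESSES)} mshta.exe instance(s)")
    for f in triage_mshta(SAMPLE_PROCESSES):
        print(f"[{f.severity}] {f.reason}\n    {f.cmdline}")
```

On a live box the pairs would come from Process Explorer, `tasklist /v` or WMI rather than a hard-coded list; the classification logic is the same, and any "high" hit is the process (and its parent and start-up entry) to chase first.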




#2 teacup61 (Bleepin' Texan!; Malware Response Team, 17,075 posts; Wills Point, Texas)

Posted 14 November 2010 - 01:38 PM

Hello jaxmom,


Well then let's run something different and see what we can see. :thumbup2: Looks like you did a fine job on your own with the rest! :)


This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

If you have trouble running it the first time, then rename ComboFix.exe to jaxmom.exe and try again.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 jaxmom (Topic Starter)

Posted 14 November 2010 - 02:03 PM

Thanks for the reply. This was a nasty infestation. :)

CF tried to install the recovery console, but failed. I can kill the TM process, but cannot permanently disable it - no password (IT policy).

ComboFix log follows:


ComboFix 10-11-13.01 - JPL03 11/14/2010 13:48:00.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1353 [GMT -5:00]
Running from: c:\documents and settings\jpl03\Desktop\ComboFix.exe
AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {CFA3A29D-B643-4196-8DD5-72308F38BB4F}
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Start Menu\LL Phone Lookup .Lnk
c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\system32\drivers\kbwv.sys
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Service_lxla


((((((((((((((((((((((((( Files Created from 2010-10-14 to 2010-11-14 )))))))))))))))))))))))))))))))
.

2010-11-14 08:28 . 2010-11-14 08:28 -------- d-----w- c:\program files\ESET
2010-11-13 19:05 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-13 19:05 . 2010-11-13 19:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-13 19:05 . 2010-11-13 19:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-11-13 19:05 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-13 18:59 . 2010-11-13 18:59 -------- d-----w- c:\documents and settings\jpl03\Application Data\Malwarebytes
2010-11-13 16:36 . 2010-11-13 16:36 47490 ----a-w- c:\windows\system32\virusdll.rmv
2010-11-13 16:23 . 2010-11-13 16:23 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-11-04 14:30 . 2010-11-05 03:30 -------- d-----w- c:\documents and settings\jpl03\Application Data\Dreamscape_Saves
2010-11-03 20:25 . 2010-11-03 20:25 -------- d-----w- c:\documents and settings\jpl03\Application Data\ERS Game Studios
2010-10-29 16:01 . 2010-10-29 16:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Fugazo
2010-10-29 13:52 . 2010-10-29 13:52 -------- d-----w- c:\documents and settings\jpl03\Local Settings\Application Data\WinZip

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 16:23 . 2004-08-04 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-08-04 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-08-04 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-08-04 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-09 13:38 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-09-09 13:38 . 2004-08-04 12:00 1830912 ------w- c:\windows\system32\inetcpl.cpl
2010-09-09 13:38 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-09-09 13:38 . 2004-08-04 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-09-08 15:57 . 2004-08-04 12:00 389120 ----a-w- c:\windows\system32\html.iec
2010-09-06 09:26 . 2009-10-21 13:51 189520 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-09-01 11:51 . 2004-08-04 12:00 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2004-08-04 12:00 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2004-08-04 12:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2004-08-04 12:00 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-10-20 14:43 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 20:05 . 2010-08-23 20:05 438 ----a-w- c:\program files\0823201016050894.bat
2010-08-23 16:12 . 2004-08-04 12:00 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-06-03 02:22 . 2010-06-03 02:22 440 ----a-w- c:\program files\0602201022225141.bat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-10-21 39408]
"Google Update"="c:\documents and settings\jpl03\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-06-15 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-10-24 2220032]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-16 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-16 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-16 138008]
"SigmatelSysTrayApp"="stsystra.exe" [2007-02-19 303104]
"LLSync6"="c:\lbsbin\llsync6.exe" [2001-11-20 294912]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"IntelAPMClient"="c:\program files\LANDesk\LDClient\amclient.exe" [2007-08-07 331776]
"SDClientMonitor"="c:\program files\LANDesk\LDClient\webportal\sdclientmonitor.exe" [2006-11-01 258048]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-28 8429568]
"nwiz"="nwiz.exe" [2007-04-28 1626112]
"NVHotkey"="nvHotkey.dll" [2007-04-28 67584]
"NvMediaCenter"="NvMCTray.dll" [2007-04-28 81920]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2010-02-05 849192]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-10-21 122880]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2009-09-04 158448]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 75520]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-08-31 202256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"llsync6"="c:\lbsbin\llsync6.exe" [2001-11-20 294912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-10-20 113664]
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-1-11 2150400]
Microsoft Office.lnk - c:\program files\Microsoft Access 2000\Office\OSA9.EXE [2000-1-21 65588]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2010-2-4 495432]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2006-08-17 13:00 1116920 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntivirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Civilization4.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Warlords\\Civ4Warlords.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3997:TCP"= 3997:TCP:WWW
"45143:TCP"= 45143:TCP:Trend Micro OfficeScan Listener
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R2 CBA8;LANDesk® Management Agent;c:\program files\LANDesk\Shared Files\residentAgent.exe [1/9/2007 10:03 AM 122880]
R2 LLLogSvc;LLLogSvc;c:\lbsbin\PLATFO~1\LLLogSvc.exe [9/11/2007 3:53 PM 49211]
R2 Softmon;LANDesk® Software Monitoring Service;c:\program files\LANDesk\LDClient\SoftMon.exe [9/11/2007 4:05 PM 266240]
R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\TmXPFlt.sys [6/16/2009 9:54 PM 230928]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [6/16/2009 9:53 PM 36368]
R3 ldmirror;ldmirror;c:\windows\system32\drivers\ldmirror.sys [9/11/2007 4:04 PM 3328]
R3 mirrorflt;Mirror Filter Driver for Uninstall;c:\windows\system32\drivers\mirrorflt.sys [9/11/2007 4:04 PM 3712]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/4/2010 2:12 PM 135664]
S3 ldblank;Screen Blanking driver for Remote Control;c:\windows\system32\drivers\ldblank.sys [9/11/2007 4:04 PM 11904]
S3 Teardes;Teardes; [x]
S3 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [10/5/2010 8:22 AM 51792]
S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe [2/23/2009 11:31 AM 689416]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
xzrgd
.
Contents of the 'Scheduled Tasks' folder

2010-11-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 19:10]

2010-11-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 19:10]

2010-11-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2025193558-2076190225-1934255263-6977Core.job
- c:\documents and settings\jpl03\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-24 04:27]

2010-11-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2025193558-2076190225-1934255263-6977UA.job
- c:\documents and settings\jpl03\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-24 04:27]

2010-11-14 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2025193558-2076190225-1934255263-6977.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 07:02]

2010-11-14 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2025193558-2076190225-1934255263-6977.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 07:02]
.
.
------- Supplementary Scan -------
.
mStart Page = about:blank
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {58D47A56-C89C-4BC7-A22E-33592CBBDDA5} - hxxps://secure.acuitybrandslighting.net/CabFiles_Std/ABLSecAX.cab
DPF: {CAFECAFE-0013-0001-0024-ABCDEFABCDEF}
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://secure.acuitybrands.com/dana-cached/sc/JuniperSetupClient.cab
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
SafeBoot-klmdb.sys
SafeBoot-WudfPf
SafeBoot-WudfRd



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-14 13:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3176)
c:\windows\system32\WININET.dll
c:\program files\Google\Quick Search Box\bin\1.2.1151.245\qsb.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\windows\system32\CDRTC.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\program files\LANDesk\LDClient\LocalSch.EXE
c:\windows\system32\CBA\pds.exe
c:\program files\LANDesk\LDClient\tmcsvc.exe
c:\progra~1\LANDesk\LDClient\issuser.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Trend Micro\OfficeScan Client\ntrtscan.exe
c:\windows\system32\nvsvc32.exe
c:\program files\SigmaTel\C-Major Audio\WDM\StacSV.exe
c:\windows\system32\ZuneBusEnum.exe
c:\program files\Trend Micro\OfficeScan Client\tmlisten.exe
c:\progra~1\LANDesk\LDClient\collector.exe
c:\program files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
c:\progra~1\LANDesk\LDClient\rcgui.exe
c:\windows\stsystra.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\RunDLL32.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\lbsbin\platform\LL_WrDc.exe
c:\lbsbin\platform\LL_RouterSpawnerEngine.exe
.
**************************************************************************
.
Completion time: 2010-11-14 14:00:14 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-14 19:00

Pre-Run: 32,392,478,720 bytes free
Post-Run: 32,773,050,368 bytes free

- - End Of File - - 82C48FBC06C290F93DC7D678BB78C1B2

Edited by jaxmom, 14 November 2010 - 02:04 PM.
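ComboFix reports like the one above are long, and the lines that matter most for this thread (the run of c:\windows\Tasks\At*.job deletions, a service whose binary is missing from disk and marked [x], and an unfamiliar name under the Svchost NetSvcs key) are easy to miss among the legitimate entries. The Python below is an added example by the editor, not part of jaxmom's post and not ComboFix's own code: it splits a ComboFix-style report into its banner-delimited sections and pulls out those three indicators. The log excerpt embedded in it is a constructed sample modelled on the report format, not the poster's actual log.

```python
import re

# Constructed excerpt in ComboFix's report format: banner-delimited sections,
# "." separator lines, and service lines as "<start type> <name>;<display>;<path>".
# The entries are modelled on the kind of log in this thread but are sample
# data for illustration, not the poster's log.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\kbwv.sys
c:\windows\Tasks\At1.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At24.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_lxla

R2 CBA8;LANDesk Management Agent;c:\program files\LANDesk\Shared Files\residentAgent.exe [1/9/2007 10:03 AM 122880]
S3 Teardes;Teardes; [x]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
xzrgd
.
Contents of the 'Scheduled Tasks' folder
"""

# "(((( Title ))))" banner that opens each report section.
SECTION_RE = re.compile(r"^\({3,}\s*(.*?)\s*\){3,}\s*$")
# Numbered at.exe jobs; a long run of these is a common malware artefact.
AT_JOB_RE = re.compile(r"\\Tasks\\At\d+\.job$", re.IGNORECASE)
# R2/S3 etc. service lines: start type, name, display name, then either the
# path with timestamp/size or "[x]" when the binary was not found on disk.
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")


def split_sections(log):
    """Map each banner title to the non-empty, non-'.' lines beneath it."""
    sections, current = {}, None
    for raw in log.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current and line and line != ".":
            sections[current].append(line)
    return sections


def netsvcs_entries(log):
    """Names listed under the Svchost NetSvcs key, up to the next separator."""
    names, collecting = [], False
    for raw in log.splitlines():
        line = raw.strip()
        if line.endswith("Svchost - NetSvcs"):
            collecting = True
            continue
        if collecting:
            if line in ("", "."):
                break
            names.append(line)
    return names


def triage_combofix(log):
    """Summarise the indicators a responder would want to review first."""
    sections = split_sections(log)
    deletions = sections.get("Other Deletions", [])
    at_jobs = [d for d in deletions if AT_JOB_RE.search(d)]
    missing = [
        m.group(2)
        for m in (SERVICE_RE.match(line.strip()) for line in log.splitlines())
        if m and m.group(4).strip() == "[x]"
    ]
    return {
        "at_jobs_removed": len(at_jobs),
        "other_deletions": [d for d in deletions if d not in at_jobs],
        "services_without_binary": missing,
        "netsvcs_entries": netsvcs_entries(log),
    }


if __name__ == "__main__":
    for key, value in triage_combofix(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The NetSvcs list is worth a second look in any report: names that ComboFix prints there are ones it does not recognise as Windows defaults, so each should be checked against HKLM\SYSTEM\CurrentControlSet\Services for a matching service and ServiceDll before the machine is declared clean.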


#4 teacup61 (Bleepin' Texan!; Malware Response Team, 17,075 posts; Wills Point, Texas)

Posted 14 November 2010 - 02:16 PM

Hello,

You're welcome. :)

How is it running now?

Thankfully, TM doesn't interfere as badly as some AV programs do, so I think we're all right on that count. When you don't have the recovery console installed, depending on the infection, ComboFix won't remove infected files. Can you try again to install it? :)

Let me know if you're still having the same problems and we'll go from there.

Thanks,
tea

#5 jaxmom (Topic Starter)

Posted 14 November 2010 - 02:36 PM

I don't have the Windows CDs (XP Pro, SP3) . The only download I'm finding is meant for booting from a floppy (and SP2) - you want me to grab that one? Or is there a link I'm not finding?

It seems to be running fine at the moment. The multiple mshta instances can take a while to show up, though, so I can't be certain just yet. :)

#6 teacup61 (Bleepin' Texan!; Malware Response Team, 17,075 posts; Wills Point, Texas)

Posted 14 November 2010 - 02:44 PM

Yes, that SP2 package is fine. :thumbup2: If it doesn't install, that's all right. :) I just wanted to be sure we're being as thorough as we can be. It may be that ComboFix wouldn't find anything else....just trying to be safe. :)

Let me know about the other mshta...if they show again.

tea

#7 jaxmom (Topic Starter)

Posted 14 November 2010 - 02:54 PM

Downloaded to desktop as an exe file. I'm not sure if I should go ahead and let it run? I don't actually *want* to reformat if I don't have to. :) Should I run CF again to see what it says?

#8 teacup61 (Bleepin' Texan!; Malware Response Team, 17,075 posts; Wills Point, Texas)

Posted 14 November 2010 - 02:57 PM

I don't want you to reformat either....not at all. :blink: This is the recovery console package?

Yes, run it again and see what it says. Post the report.....still running all right? :)

#9 jaxmom (Topic Starter)

Posted 14 November 2010 - 03:18 PM

MSN KB article designated it as recovery console, but when I got to the download page, it was titled Setup Disks for Floppy Boot Install. So I downloaded to desktop, but didn't run. Think I'll delete it now. :)

CF ran fine and was able to install recovery console on this attempt. :)

No more mshta instances thus far. I do have 6 svchost instances, but they seem legit.


ComboFix 10-11-13.01 - JPL03 11/14/2010 15:05:49.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1481 [GMT -5:00]
Running from: c:\documents and settings\jpl03\Desktop\ComboFix.exe
AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {CFA3A29D-B643-4196-8DD5-72308F38BB4F}
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2010-10-14 to 2010-11-14 )))))))))))))))))))))))))))))))
.

2010-11-14 08:28 . 2010-11-14 08:28 -------- d-----w- c:\program files\ESET
2010-11-13 19:05 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-13 19:05 . 2010-11-13 19:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-13 19:05 . 2010-11-13 19:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-11-13 19:05 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-13 18:59 . 2010-11-13 18:59 -------- d-----w- c:\documents and settings\jpl03\Application Data\Malwarebytes
2010-11-13 16:36 . 2010-11-13 16:36 47490 ----a-w- c:\windows\system32\virusdll.rmv
2010-11-13 16:23 . 2010-11-13 16:23 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-11-04 14:30 . 2010-11-05 03:30 -------- d-----w- c:\documents and settings\jpl03\Application Data\Dreamscape_Saves
2010-11-03 20:25 . 2010-11-03 20:25 -------- d-----w- c:\documents and settings\jpl03\Application Data\ERS Game Studios
2010-10-29 16:01 . 2010-10-29 16:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Fugazo
2010-10-29 13:52 . 2010-10-29 13:52 -------- d-----w- c:\documents and settings\jpl03\Local Settings\Application Data\WinZip

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 16:23 . 2004-08-04 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-08-04 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-08-04 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-08-04 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-09 13:38 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-09-09 13:38 . 2004-08-04 12:00 1830912 ------w- c:\windows\system32\inetcpl.cpl
2010-09-09 13:38 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-09-09 13:38 . 2004-08-04 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-09-08 15:57 . 2004-08-04 12:00 389120 ----a-w- c:\windows\system32\html.iec
2010-09-06 09:26 . 2009-10-21 13:51 189520 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-09-01 11:51 . 2004-08-04 12:00 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2004-08-04 12:00 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2004-08-04 12:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2004-08-04 12:00 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-10-20 14:43 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 20:05 . 2010-08-23 20:05 438 ----a-w- c:\program files\0823201016050894.bat
2010-08-23 16:12 . 2004-08-04 12:00 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-06-03 02:22 . 2010-06-03 02:22 440 ----a-w- c:\program files\0602201022225141.bat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-10-21 39408]
"Google Update"="c:\documents and settings\jpl03\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-06-15 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-10-24 2220032]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-16 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-16 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-16 138008]
"SigmatelSysTrayApp"="stsystra.exe" [2007-02-19 303104]
"LLSync6"="c:\lbsbin\llsync6.exe" [2001-11-20 294912]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"IntelAPMClient"="c:\program files\LANDesk\LDClient\amclient.exe" [2007-08-07 331776]
"SDClientMonitor"="c:\program files\LANDesk\LDClient\webportal\sdclientmonitor.exe" [2006-11-01 258048]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-28 8429568]
"nwiz"="nwiz.exe" [2007-04-28 1626112]
"NVHotkey"="nvHotkey.dll" [2007-04-28 67584]
"NvMediaCenter"="NvMCTray.dll" [2007-04-28 81920]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2010-02-05 849192]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-10-21 122880]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2009-09-04 158448]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 75520]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-08-31 202256]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-10-20 113664]
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-1-11 2150400]
Microsoft Office.lnk - c:\program files\Microsoft Access 2000\Office\OSA9.EXE [2000-1-21 65588]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2010-2-4 495432]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2006-08-17 13:00 1116920 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntivirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Civilization4.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Warlords\\Civ4Warlords.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3997:TCP"= 3997:TCP:WWW
"45143:TCP"= 45143:TCP:Trend Micro OfficeScan Listener
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R2 CBA8;LANDesk® Management Agent;c:\program files\LANDesk\Shared Files\residentAgent.exe [1/9/2007 10:03 AM 122880]
R2 Softmon;LANDesk® Software Monitoring Service;c:\program files\LANDesk\LDClient\SoftMon.exe [9/11/2007 4:05 PM 266240]
R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\TmXPFlt.sys [6/16/2009 9:54 PM 230928]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [6/16/2009 9:53 PM 36368]
R3 ldmirror;ldmirror;c:\windows\system32\drivers\ldmirror.sys [9/11/2007 4:04 PM 3328]
R3 mirrorflt;Mirror Filter Driver for Uninstall;c:\windows\system32\drivers\mirrorflt.sys [9/11/2007 4:04 PM 3712]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/4/2010 2:12 PM 135664]
S2 LLLogSvc;LLLogSvc;c:\lbsbin\PLATFO~1\LLLogSvc.exe [9/11/2007 3:53 PM 49211]
S3 ldblank;Screen Blanking driver for Remote Control;c:\windows\system32\drivers\ldblank.sys [9/11/2007 4:04 PM 11904]
S3 Teardes;Teardes; [x]
S3 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [10/5/2010 8:22 AM 51792]
S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe [2/23/2009 11:31 AM 689416]

--- Other Services/Drivers In Memory ---

*Deregistered* - PROCEXP100

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
xzrgd
.
Contents of the 'Scheduled Tasks' folder

2010-11-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 19:10]

2010-11-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 19:10]

2010-11-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2025193558-2076190225-1934255263-6977Core.job
- c:\documents and settings\jpl03\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-24 04:27]

2010-11-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2025193558-2076190225-1934255263-6977UA.job
- c:\documents and settings\jpl03\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-24 04:27]

2010-11-14 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2025193558-2076190225-1934255263-6977.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 07:02]

2010-11-14 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2025193558-2076190225-1934255263-6977.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 07:02]
.
.
------- Supplementary Scan -------
.
mStart Page = about:blank
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {58D47A56-C89C-4BC7-A22E-33592CBBDDA5} - hxxps://secure.acuitybrandslighting.net/CabFiles_Std/ABLSecAX.cab
DPF: {CAFECAFE-0013-0001-0024-ABCDEFABCDEF}
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://secure.acuitybrands.com/dana-cached/sc/JuniperSetupClient.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-14 15:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4060)
c:\windows\system32\WININET.dll
c:\program files\Google\Quick Search Box\bin\1.2.1151.245\qsb.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-11-14 15:11:45
ComboFix-quarantined-files.txt 2010-11-14 20:11
ComboFix2.txt 2010-11-14 19:00

Pre-Run: 32,757,477,376 bytes free
Post-Run: 32,734,728,192 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - F58AD817BB29DF49469A580B30D65589

#10 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:08:23 PM

Posted 14 November 2010 - 03:23 PM

Excellent....sounds good to me. :thumbup2:

Looks all right too.....yes, that number of svchost is normal. I'd like for you to check all the problems you had in your initial post and see if they're all set to right again and let me know. :)
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#11 jaxmom

jaxmom
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:09:23 PM

Posted 14 November 2010 - 03:44 PM

Initial problems seem resolved - no more browser hijacking, sly bots, or other visible files that clearly don't belong. :)

I do, however, have a new problem - BSOD - yikes.

I've gotten it twice since last post, both times associated with logging into an account of some sort (log in to yahoo, then gmail). Error message at BSOD is:

***STOP: 0x0000008E (0x0000005, 0xBF953C37, 0xB447C00, 0x00000000)

***win32k.sys - Address BF953C37 base at BF800000, datestamp 4c7d06ce

Edited to add:
----I have no lsp.dll anymore. Maybe it's related to layered service/winsock and I need to run a fix?

Edited by jaxmom, 14 November 2010 - 04:01 PM.


#12 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:08:23 PM

Posted 14 November 2010 - 04:00 PM

I would give it a little bit and see if it continues. This particular stop error is more common than most think, and we did make some changes to your system by the cleaning and RC. My point is, it may right itself. :thumbup2: I don't think it's a RAM problem, or you would have had the error before we started.

#13 jaxmom

jaxmom
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:09:23 PM

Posted 14 November 2010 - 04:05 PM

Huh. Well, I'll be darned if I didn't just give it another try and log in to gmail with no problems. :)

Looks like I may be all set. Thanks *very much* for the help - this is my 20th+ hour of trying to clean up the system, and I was beginning to get a little frustrated. ;)

#14 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:08:23 PM

Posted 14 November 2010 - 04:15 PM

Hi there,

You're most welcome. :)

Uninstall ComboFix by doing the following :

Click Start>Run>Type in, or copy and paste ComboFix /Uninstall > click OK

Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Those old versions also take up a ton of space! Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 22 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u22-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

Adobe is also WAY out of date, which makes it vulnerable.....update that one as well. :thumbup2:

If you have any questions, please feel free to ask.

Take care and be frustration free! :thumbsup:

tea
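The inventory check behind the Java removal steps in the post above, as an added example that is not part of this thread, of ComboFix, or of any Java installer: it reads the same Uninstall registry data that Add/Remove Programs displays, flags every Java entry older than a baseline, and reports whether the Java Quick Starter process (jqs.exe) mentioned in the note is running. Assumptions: the baseline `6.0.220` is taken to be how JRE 6 Update 22 reports its `DisplayVersion` (adjust it if your installer reports a different string), and the second Uninstall hive only exists on 64-bit Windows.

```powershell
# Added example, not from the thread above: list every Java runtime that
# Add/Remove Programs knows about, flag those older than a chosen baseline,
# and note whether the Java Quick Starter (jqs.exe) process is running.
# Assumption: JRE 6 Update 22 registers DisplayVersion "6.0.220".
$Baseline = [version]'6.0.220'

# Both Uninstall hives; the Wow6432Node one exists only on 64-bit Windows.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-InstalledJava {
    foreach ($key in $UninstallKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        foreach ($sub in Get-ChildItem -Path $key) {
            $p = Get-ItemProperty -Path $sub.PSPath
            # Same names the post tells the user to look for in Add/Remove Programs.
            if ($p.DisplayName -match 'Java|J2SE|JRE') {
                # Some entries carry a non-numeric DisplayVersion; report those as unknown
                # rather than silently treating them as current.
                try   { $outdated = ([version]$p.DisplayVersion) -lt $Baseline }
                catch { $outdated = 'unknown' }
                [pscustomobject]@{
                    DisplayName     = $p.DisplayName
                    DisplayVersion  = $p.DisplayVersion
                    Outdated        = $outdated
                    UninstallString = $p.UninstallString
                }
            }
        }
    }
}

$installed = @(Get-InstalledJava)
if ($installed.Count -eq 0) {
    Write-Output 'No Java runtime registered in Add/Remove Programs.'
} else {
    $installed | Format-Table -AutoSize
    $old = @($installed | Where-Object { $_.Outdated -eq $true })
    Write-Output ('{0} Java entry(s) found, {1} older than {2}.' -f $installed.Count, $old.Count, $Baseline)
}

# The Java Quick Starter service described in the post runs as jqs.exe while enabled.
if (Get-Process -Name jqs -ErrorAction SilentlyContinue) {
    Write-Output 'Java Quick Starter (jqs.exe) is running.'
}
```

Run it before and after the manual removal: the first run tells you how many entries to expect in Add/Remove Programs, and a clean second run (only the new 6u22 entry, nothing flagged as outdated) confirms that no older runtime was left behind for a malicious page to target.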

#15 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:08:23 PM

Posted 19 November 2010 - 11:23 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



