
TDSS/Alureon reinfection on client's PC


  • This topic is locked
16 replies to this topic

#1 Robert Trevellyan

  • Members

Posted 12 December 2010 - 01:53 PM

About a week ago I cleaned up a client's PC. The infection included a TDSS-variant rootkit that I removed using TDSSKiller. When I was done, MSE, Malwarebytes and Hitman Pro all came up with no threats detected.

Two days ago the client called and said they were having problems again. MSE detected Alureon and Meredrop, i.e. probably the same rootkit infection again. I've done my best to clean the machine again. Both times I did the initial cleanup with the drive in a docking station attached to a different PC, then completed it with the drive installed in the client's PC.

I would very much appreciate help to determine whether the PC is actually clean now or to figure out what I've missed. One thing I noticed in the DDS log is a cpuz_x32.sys service running out of a temp folder, which seems suspicious to me.


DDS (Ver_10-12-05.01) - NTFSx86
Run by Bart at 9:48:09.68 on Sun 12/12/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1448 [GMT -5:00]

AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: McAfee Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Bart\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page =
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uSearch Bar =
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
mSearchAssistant =
uURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: PlaySushi: {21608b66-026f-4dcb-9244-0daca328dced} - c:\program files\playsushi\PSText.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1308.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1308.0\msneshellx.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {5CFA5B80-01F4-420F-B18B-545712C8A1C8} - http://www.playsushi.com/About.ps?l=6&t=nFZoZVkKO
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: microsoft.com\update
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxps://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1291325553906
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1291265096875
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
SEH: {56F9679E-7826-4C84-81F3-532071A8BCC5} - No File
LSA: Authentication Packages = msv1_0 relog_ap

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\bart\applic~1\mozilla\firefox\profiles\cbrm1pxv.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 NetFxUpdate_v1.1.4322;Microsoft .NET Framework v1.1.4322 Update;c:\windows\microsoft.net\framework\v1.1.4322\netfxupdate.exe [2007-1-15 73728]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-9-10 135664]
S3 cpuz131;cpuz131;\??\c:\docume~1\bart\locals~1\temp\cpuz131\cpuz_x32.sys --> c:\docume~1\bart\locals~1\temp\cpuz131\cpuz_x32.sys [?]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\lavasoft\ad-aware\kernexplorer.sys --> c:\program files\lavasoft\ad-aware\KernExplorer.sys [?]

=============== Created Last 30 ================

2010-12-11 20:03:04 6273872 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{06b80c2d-f005-4dc6-b2a0-3b4d55d20a81}\mpengine.dll
2010-12-11 20:02:58 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-12-11 19:59:13 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-12-03 21:30:45 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-12-03 21:30:45 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2010-12-03 16:22:51 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-12-03 16:20:59 -------- d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-12-03 01:08:15 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-12-03 01:07:56 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-12-03 01:07:55 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-12-03 01:07:42 357248 -c----w- c:\windows\system32\dllcache\srv.sys
2010-12-03 01:07:26 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2010-12-03 01:07:22 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-12-03 01:07:11 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-12-03 01:06:14 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-12-03 01:05:21 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2010-12-03 01:05:20 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2010-12-03 01:03:38 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-12-03 01:03:38 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-12-03 01:03:37 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-12-03 01:03:37 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-12-03 01:03:36 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-12-03 01:03:35 1986560 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-12-03 01:03:28 11080192 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-12-03 01:02:19 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2010-12-03 01:02:09 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2010-12-03 00:57:36 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-12-03 00:56:50 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2010-12-03 00:56:14 218112 -c----w- c:\windows\system32\dllcache\wordpad.exe
2010-12-03 00:54:42 590848 -c----w- c:\windows\system32\dllcache\rpcrt4.dll
2010-12-02 04:11:29 -------- d-sh--w- c:\documents and settings\bart\IECompatCache
2010-12-02 03:49:16 79872 -c----w- c:\windows\system32\dllcache\msxml6r.dll
2010-12-02 03:49:16 1306624 -c----w- c:\windows\system32\dllcache\msxml6.dll
2010-12-02 03:43:20 19569 ----a-w- c:\windows\003554_.tmp
2010-12-02 03:18:13 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2010-12-01 22:19:25 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-12-01 22:19:25 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2010-12-01 21:49:08 -------- d-----w- c:\docume~1\bart\applic~1\Malwarebytes
2010-12-01 21:49:05 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-01 21:49:05 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-12-01 21:49:02 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-01 21:49:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-01 19:41:11 73728 -c--a-w- c:\windows\system32\dllcache\ehresja.dll
2010-12-01 19:41:11 69632 -c--a-w- c:\windows\system32\dllcache\ehresko.dll
2010-12-01 19:41:10 69632 -c--a-w- c:\windows\system32\dllcache\ehresfr.dll
2010-12-01 19:41:10 69632 -c--a-w- c:\windows\system32\dllcache\ehresde.dll
2010-12-01 19:39:58 79872 -c--a-w- c:\windows\system32\dllcache\rwia330.dll
2010-12-01 19:38:55 10129408 -c--a-w- c:\windows\system32\dllcache\hwxkor.dll
2010-12-01 19:37:54 5632 -c--a-w- c:\windows\system32\dllcache\EXCH_adsiisex.dll
2010-12-01 19:37:54 49664 -c--a-w- c:\windows\system32\dllcache\adrot.dll
2010-12-01 19:37:53 6144 -c--a-w- c:\windows\system32\dllcache\admxprox.dll
2010-12-01 19:37:52 10240 -c--a-w- c:\windows\system32\dllcache\npwmsdrm.dll
2010-12-01 19:37:51 364544 -c--a-w- c:\windows\system32\dllcache\npdsplay.dll
2010-12-01 19:37:49 7168 -c--a-w- c:\windows\system32\dllcache\wamregps.dll
2010-12-01 19:37:49 4639 -c--a-w- c:\windows\system32\dllcache\mplayer2.exe
2010-12-01 19:37:41 7680 -c--a-w- c:\windows\system32\dllcache\inetmgr.exe
2010-12-01 19:37:41 19968 -c--a-w- c:\windows\system32\dllcache\inetsloc.dll
2010-12-01 19:37:40 5632 -c--a-w- c:\windows\system32\dllcache\iisrstap.dll
2010-12-01 19:37:40 169984 -c--a-w- c:\windows\system32\dllcache\iisui.dll
2010-12-01 19:37:40 14336 -c--a-w- c:\windows\system32\dllcache\iisreset.exe
2010-12-01 19:37:39 6144 -c--a-w- c:\windows\system32\dllcache\ftpsapi2.dll
2010-12-01 19:30:13 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2010-12-01 19:30:13 16384 ----a-w- c:\program files\internet explorer\connection wizard\isignup.exe
2010-12-01 19:14:18 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2010-12-01 19:14:18 24661 ----a-w- c:\windows\system32\spxcoins.dll
2010-12-01 19:14:18 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2010-12-01 19:14:18 13312 ----a-w- c:\windows\system32\irclass.dll
2010-12-01 19:14:10 22339 ----a-r- c:\windows\SET171.tmp
2010-12-01 19:14:10 10559 ----a-r- c:\windows\SET172.tmp
2010-12-01 19:13:59 13753 ----a-r- c:\windows\SET12E.tmp
2010-12-01 19:13:58 1086058 ----a-r- c:\windows\SET122.tmp
2010-12-01 19:13:57 106147 ----a-r- c:\windows\SET11F.tmp
2010-12-01 17:35:01 -------- d-sh--w- C:\$RECYCLE.BIN

==================== Find3M ====================

2010-09-18 17:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-15 07:29:49 73728 ----a-w- c:\windows\system32\javacpl.cpl

============= FINISH: 9:49:31.46 ===============
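Added example (my own, not code from the thread or from DDS): a small triage script for the SERVICES / DRIVERS section of a DDS log. It flags the pattern Robert noticed above, a kernel driver loading from a temp folder, plus any entry whose file DDS could not stat ("[?]"). The sample input is the section from the log above; the location heuristics, reason strings and severity labels are my assumptions, not anything DDS itself reports.

```python
"""Triage the SERVICES / DRIVERS section of a DDS log: flag drivers or services
whose binary lives in a temp folder or under a user profile, and entries whose
file DDS could not read ("[?]"). Heuristics are this example's own assumptions.
"""
import re
from dataclasses import dataclass, field

# Constructed sample input: the SERVICES / DRIVERS block from the DDS log above.
SAMPLE_DDS = r"""============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-9-10 135664]
S3 cpuz131;cpuz131;\??\c:\docume~1\bart\locals~1\temp\cpuz131\cpuz_x32.sys --> c:\docume~1\bart\locals~1\temp\cpuz131\cpuz_x32.sys [?]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\lavasoft\ad-aware\kernexplorer.sys --> c:\program files\lavasoft\ad-aware\KernExplorer.sys [?]

=============== Created Last 30 ================
"""

# One entry line: "<start> <name>;<display name>;<path> [<date size> | ?]".
# The path may carry an NT "\??\" prefix and a "--> resolved path" suffix.
LINE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<info>[^\]]*)\]\s*$"
)
SECTION_START = "SERVICES / DRIVERS"

# Locations an installed driver or service should not normally run from.
# DDS prints 8.3 short names (docume~1 = Documents and Settings,
# locals~1 = Local Settings, applic~1 = Application Data), so both forms are listed.
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")
PROFILE_MARKERS = (
    "\\docume~1\\", "\\documents and settings\\", "\\users\\",
    "\\locals~1\\", "\\local settings\\", "\\applic~1\\",
    "\\application data\\", "\\appdata\\",
)


@dataclass
class Finding:
    start: str                      # R0-R3 running, S0-S4 stopped (S0 = boot-start)
    name: str
    path: str                       # normalised on-disk path, lower-cased
    reasons: list = field(default_factory=list)

    @property
    def is_driver(self) -> bool:
        return self.path.endswith(".sys")

    @property
    def severity(self) -> str:
        kinds = {r.split(":")[0] for r in self.reasons}
        if "temp" in kinds:
            return "high"
        if "profile" in kinds or (self.is_driver and "unreadable" in kinds):
            return "medium"
        return "low"


def normalise_path(raw: str) -> str:
    """Use the resolved path after '-->' if present and drop the \\??\\ prefix."""
    path = raw.split("-->")[-1].strip()
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def parse_section(text: str):
    """Yield (start, name, path, info) for each entry in the SERVICES / DRIVERS block."""
    in_section = False
    for line in text.splitlines():
        if SECTION_START in line:
            in_section = True
            continue
        if in_section and line.startswith("="):
            break                   # the next "=====" banner ends the section
        m = LINE_RE.match(line) if in_section else None
        if m:
            yield m["start"], m["name"].strip(), normalise_path(m["path"]), m["info"].strip()


def triage_dds_services(text: str) -> list:
    """Return one Finding per entry that has at least one reason to inspect it."""
    findings = []
    for start, name, path, info in parse_section(text):
        f = Finding(start, name, path)
        if any(marker in path for marker in TEMP_MARKERS):
            f.reasons.append("temp: binary loads from a temporary directory")
        elif any(marker in path for marker in PROFILE_MARKERS):
            f.reasons.append("profile: binary lives under a user profile, not Program Files or System32")
        if info == "?":
            f.reasons.append("unreadable: DDS could not read the file's date/size (missing, hidden or locked)")
        if f.reasons:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage_dds_services(SAMPLE_DDS):
        kind = "driver " if f.is_driver else "service"
        print(f"[{f.severity:6}] {f.start} {kind} {f.name}: {f.path}")
        for reason in f.reasons:
            print(f"           - {reason}")
```

On the sample above the script reports cpuz131 as high (a .sys loading from a temp folder) and Lbd and the Lavasoft driver as medium (drivers whose files DDS could not read), while MpFilter, McrdSvc and gupdate are not listed; a medium hit can be a harmless orphaned service entry, so it is a prompt to check the file, not a verdict.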



#2 teacup61

  • Malware Response Team

Posted 12 December 2010 - 02:05 PM

Hello Robert Trevellyan,


How is the computer behaving at this point?


This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

If you have trouble running it the first time, then rename ComboFix.exe to Trevellyan.exe and try again.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 Robert Trevellyan

  • Topic Starter
  • Members

Posted 12 December 2010 - 03:01 PM

Thanks so much for the rapid response.

Superficially the PC is behaving OK. However, it won't go into standby mode and there is a Windows update that wants to install every time Windows starts. I've attached images of the corresponding messages to this post.

Please note, before I opened this topic, I uninstalled McAfee and installed MSE. However, ComboFix reports that McAfee is still active. I disabled MSE before running ComboFix and accepted the warning when it said McAfee was active.


ComboFix 10-12-11.06 - Bart 12/12/2010 14:37:53.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1554 [GMT -5:00]
Running from: D:\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Bart\Application Data\install
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

.
((((((((((((((((((((((((( Files Created from 2010-11-12 to 2010-12-12 )))))))))))))))))))))))))))))))
.

2010-12-12 19:20 . 2010-12-12 19:20 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2010-12-11 20:03 . 2010-11-10 01:33 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{06B80C2D-F005-4DC6-B2A0-3B4D55D20A81}\mpengine.dll
2010-12-11 20:02 . 2010-10-19 20:51 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-12-11 19:59 . 2010-12-11 19:59 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-12-09 17:30 . 2010-12-09 17:31 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-12-03 21:30 . 2009-08-07 00:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-12-03 16:22 . 2010-12-03 16:22 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-12-03 16:20 . 2010-12-03 16:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-12-03 01:08 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-12-03 01:07 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-12-03 01:07 . 2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-12-03 01:07 . 2010-08-26 13:39 357248 -c----w- c:\windows\system32\dllcache\srv.sys
2010-12-03 01:07 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2010-12-03 01:07 . 2010-02-24 13:11 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-12-03 01:07 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-12-03 01:06 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-12-03 01:05 . 2009-10-15 16:28 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2010-12-03 01:05 . 2010-08-27 08:02 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2010-12-03 01:03 . 2010-09-10 05:58 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-12-03 01:03 . 2010-09-10 05:58 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-12-03 01:03 . 2010-09-10 05:58 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-12-03 01:03 . 2010-09-10 05:58 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-12-03 01:03 . 2010-09-10 05:58 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-12-03 01:03 . 2010-09-10 05:58 1986560 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-12-03 01:03 . 2010-09-10 05:58 11080192 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-12-03 01:02 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2010-12-03 01:02 . 2008-05-01 14:33 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2010-12-03 00:57 . 2010-06-18 13:36 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-12-03 00:56 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2010-12-03 00:56 . 2010-07-12 12:55 218112 -c----w- c:\windows\system32\dllcache\wordpad.exe
2010-12-03 00:54 . 2010-08-16 08:45 590848 -c----w- c:\windows\system32\dllcache\rpcrt4.dll
2010-12-02 21:41 . 2010-12-02 21:52 -------- d-----w- c:\program files\Windows Live Safety Center
2010-12-02 04:13 . 2010-12-02 04:13 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-12-02 04:11 . 2010-12-02 04:11 -------- d-sh--w- c:\documents and settings\Bart\IECompatCache
2010-12-02 03:49 . 2008-04-14 10:42 1306624 -c----w- c:\windows\system32\dllcache\msxml6.dll
2010-12-02 03:49 . 2008-04-14 03:57 79872 -c----w- c:\windows\system32\dllcache\msxml6r.dll
2010-12-02 03:43 . 2006-12-29 05:31 19569 ----a-w- c:\windows\003554_.tmp
2010-12-02 03:18 . 2008-04-14 05:15 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2010-12-01 22:19 . 2010-12-01 22:19 -------- d-----w- c:\program files\Common Files\Java
2010-12-01 22:19 . 2010-09-15 09:50 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2010-12-01 22:19 . 2010-09-15 09:50 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-12-01 21:49 . 2010-12-01 21:49 -------- d-----w- c:\documents and settings\Bart\Application Data\Malwarebytes
2010-12-01 21:49 . 2010-12-01 21:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-12-01 21:49 . 2010-11-29 22:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-01 21:49 . 2010-12-01 21:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-01 21:49 . 2010-11-29 22:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-01 21:01 . 2010-12-01 21:01 -------- d-----w- c:\documents and settings\Administrator
2010-12-01 19:41 . 2004-08-10 09:13 73728 -c--a-w- c:\windows\system32\dllcache\ehresja.dll
2010-12-01 19:41 . 2004-08-10 09:13 69632 -c--a-w- c:\windows\system32\dllcache\ehresko.dll
2010-12-01 19:41 . 2004-08-10 09:13 69632 -c--a-w- c:\windows\system32\dllcache\ehresfr.dll
2010-12-01 19:41 . 2004-08-10 09:13 69632 -c--a-w- c:\windows\system32\dllcache\ehresde.dll
2010-12-01 19:39 . 2004-08-10 11:00 79872 -c--a-w- c:\windows\system32\dllcache\rwia330.dll
2010-12-01 19:38 . 2004-08-10 11:00 10129408 -c--a-w- c:\windows\system32\dllcache\hwxkor.dll
2010-12-01 19:37 . 2004-08-10 11:00 49664 -c--a-w- c:\windows\system32\dllcache\adrot.dll
2010-12-01 19:37 . 2001-08-18 03:36 5632 -c--a-w- c:\windows\system32\dllcache\EXCH_adsiisex.dll
2010-12-01 19:37 . 2004-08-10 11:00 6144 -c--a-w- c:\windows\system32\dllcache\admxprox.dll
2010-12-01 19:37 . 2008-04-14 10:42 10240 -c--a-w- c:\windows\system32\dllcache\npwmsdrm.dll
2010-12-01 19:37 . 2008-04-14 10:42 364544 -c--a-w- c:\windows\system32\dllcache\npdsplay.dll
2010-12-01 19:37 . 2008-04-14 10:42 4639 -c--a-w- c:\windows\system32\dllcache\mplayer2.exe
2010-12-01 19:37 . 2004-08-10 11:00 7168 -c--a-w- c:\windows\system32\dllcache\wamregps.dll
2010-12-01 19:37 . 2004-08-10 11:00 7680 -c--a-w- c:\windows\system32\dllcache\inetmgr.exe
2010-12-01 19:37 . 2004-08-10 11:00 19968 -c--a-w- c:\windows\system32\dllcache\inetsloc.dll
2010-12-01 19:37 . 2004-08-10 11:00 5632 -c--a-w- c:\windows\system32\dllcache\iisrstap.dll
2010-12-01 19:37 . 2004-08-10 11:00 169984 -c--a-w- c:\windows\system32\dllcache\iisui.dll
2010-12-01 19:37 . 2004-08-10 11:00 14336 -c--a-w- c:\windows\system32\dllcache\iisreset.exe
2010-12-01 19:37 . 2004-08-10 11:00 6144 -c--a-w- c:\windows\system32\dllcache\ftpsapi2.dll
2010-12-01 19:30 . 2004-08-10 11:00 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2010-12-01 19:30 . 2004-08-10 11:00 16384 ----a-w- c:\program files\Internet Explorer\Connection Wizard\isignup.exe
2010-12-01 19:14 . 2004-08-10 11:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2010-12-01 19:14 . 2004-08-10 11:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2010-12-01 19:14 . 2004-08-10 11:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2010-12-01 19:14 . 2004-08-10 11:00 13312 ----a-w- c:\windows\system32\irclass.dll
2010-12-01 19:14 . 2006-03-30 10:03 22339 ----a-r- c:\windows\SET171.tmp
2010-12-01 19:14 . 2005-03-30 17:54 10559 ----a-r- c:\windows\SET172.tmp
2010-12-01 19:13 . 2004-08-10 11:00 13753 ----a-r- c:\windows\SET12E.tmp
2010-12-01 19:13 . 2004-08-10 11:00 1086058 ----a-r- c:\windows\SET122.tmp
2010-12-01 19:13 . 2004-08-10 11:00 106147 ----a-r- c:\windows\SET11F.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-05 12:39 . 2010-09-11 05:07 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-09-18 17:23 . 2004-08-10 11:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-08-10 11:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-08-10 11:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-08-10 11:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-15 07:29 . 2009-03-15 20:16 73728 ----a-w- c:\windows\system32\javacpl.cpl
2009-04-01 14:03 . 2009-04-01 14:03 27976 -c--a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2009-04-01 14:03 . 2009-04-01 14:03 126360 -c--a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-16 7323648]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-11-07 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2008-04-10 2595792]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2008-04-10 909208]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2008-04-10 136472]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2010-09-23 624056]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-15 141608]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-09-15 1094224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 NetFxUpdate_v1.1.4322;Microsoft .NET Framework v1.1.4322 Update;c:\windows\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe [1/15/2007 4:11 PM 73728]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/10/2010 11:52 PM 135664]
S3 cpuz131;cpuz131;\??\c:\docume~1\Bart\LOCALS~1\Temp\cpuz131\cpuz_x32.sys --> c:\docume~1\Bart\LOCALS~1\Temp\cpuz131\cpuz_x32.sys [?]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-11-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-12-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-11 04:52]

2010-12-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-11 04:52]

2010-12-12 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 02:40]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{5CFA5B80-01F4-420F-B18B-545712C8A1C8} - http://www.playsushi.com/About.ps?l=6&t=nFZoZVkKO
Trusted Zone: microsoft.com\update
FF - ProfilePath - c:\documents and settings\Bart\Application Data\Mozilla\Firefox\Profiles\cbrm1pxv.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKCU-Run-Weather - c:\program files\AWS\WeatherBug\Weather.exe
ShellExecuteHooks-{56F9679E-7826-4C84-81F3-532071A8BCC5} - (no file)
AddRemove-HijackThis - e:\from 512mb flash\tools\hjt\HijackThis.exe
AddRemove-HitmanPro35 - c:\documents and settings\Bart\My Documents\Downloads\HitmanPro35.exe
AddRemove-Playsushi - c:\program files\PlaySushi\psuninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-12 14:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3568)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\stsystra.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-12-12 14:51:33 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-12 19:51

Pre-Run: 180,227,788,800 bytes free
Post-Run: 180,606,308,352 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - 4F9A1DA1B8866A64228ADA69D4C0913C


#4 teacup61 (Malware Response Team)

Posted 12 December 2010 - 03:16 PM

Hello,

Check and see if .NET Framework 1.1 is installed. If not, turn off auto updates, install 1.1 and get the updates directly from the MS site. A lot of times when computers have been infected they have problems initially getting updates.

Is this the only problem remaining after ComboFix? Or are there others?

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#5 Robert Trevellyan (Topic Starter)

Posted 12 December 2010 - 03:40 PM

According to Control Panel/Add/Remove, .NET 1.1 is installed. Should I remove it and reinstall manually?

There are no other obvious issues at the moment.

#6 teacup61 (Malware Response Team)

Posted 12 December 2010 - 03:42 PM

No...I don't think you need to do that....just go to the MS site and get the updates that way, restart, then see if it quits trying to run at startup.

#7 Robert Trevellyan (Topic Starter)

Posted 12 December 2010 - 04:52 PM

OK, I had to remove and reinstall .NET 1.1 and its updates, but the sticky update issue is gone and the machine will now Standby properly.

#8 teacup61 (Malware Response Team)

Posted 12 December 2010 - 05:18 PM

Excellent. :thumbup2:

Uninstall ComboFix by doing the following :

Click Start>Run>Type in, or copy and paste ComboFix /Uninstall > click OK

Are other scans coming up clean? If you'd like one more, here's the best to do:


Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Update that Adobe for them. Old versions are vulnerable, and theirs is way out of date.

Let me know how things are. :)

tea

#9 Robert Trevellyan (Topic Starter)

Posted 12 December 2010 - 05:32 PM

MBAM reports no threats.

By "update Adobe" do you mean Acrobat? Unfortunately it's the Pro version that comes with CS3, so I don't think I can update it unless they buy a new version, which probably isn't an option for them right now.

Any clues as to how the machine was reinfected?

I see two entries in the update history that show as failed, KB956802 and KB968389. I saw them last time I cleaned the machine and attempted manual installation. Any way to tell if that was successful?

#10 teacup61 (Malware Response Team)

Posted 12 December 2010 - 05:40 PM

Yes, Acrobat.

Look in the report at the Files Created from 2010-11-12 to 2010-12-12. All those files were created at the same time on the same day. Check those against the updates you did and see if they match. Looks like others were successful as well.

Not sure how it got reinfected....it may be that a sneaky little file was missed (very easy to do) and it let all the gremlins back in when nobody was looking. It happens.

#11 Robert Trevellyan (Topic Starter)

Posted 12 December 2010 - 05:51 PM

" Check those against the updates you did and see if they match."
Sorry to be a dope, but I don't know how to tell if they match.

No concerns about cpuz_x32.sys?

#12 teacup61 (Malware Response Team)

Posted 12 December 2010 - 06:27 PM

"No concerns about cpuz_x32.sys?"

No...and if it needs to go, ComboFix will empty temp when it's uninstalled. :thumbup2:

You aren't a dope. Go to the MS site and see what files are contained in the updates you did. :)
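
The question about cpuz_x32.sys loading out of a Temp folder is the kind of thing worth checking mechanically on every ComboFix log rather than by eye. The following is an added example, not part of this thread and not a ComboFix feature: it parses the service and driver lines from the log posted above (copied in as the sample input) and flags any entry whose image path lies under a temp directory or whose file ComboFix marked as not found with `[?]`. The helper names (`parse_line`, `triage`, `ServiceEntry`) and the temp-directory markers are my own.

```python
"""Triage of ComboFix service/driver lines.

Added example, not part of the thread or of ComboFix. The sample lines are
copied from the log posted above; the parser and both checks are mine.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Service/driver lines exactly as ComboFix printed them in the log above.
SAMPLE_LINES = [
    r"R2 NetFxUpdate_v1.1.4322;Microsoft .NET Framework v1.1.4322 Update;c:\windows\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe [1/15/2007 4:11 PM 73728]",
    r"S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]",
    r"S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/10/2010 11:52 PM 135664]",
    r"S3 cpuz131;cpuz131;\??\c:\docume~1\Bart\LOCALS~1\Temp\cpuz131\cpuz_x32.sys --> c:\docume~1\Bart\LOCALS~1\Temp\cpuz131\cpuz_x32.sys [?]",
    r"S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]",
]

# Layout of one line: <R|S><start type> <service name>;<display name>;<image path> [<metadata>]
LINE_RE = re.compile(r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")

# Directories a kernel driver or service binary should not normally be loaded from
# (assumed list; extend for your environment).
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")


@dataclass
class ServiceEntry:
    state: str          # "R" = running, "S" = stopped (ComboFix's first column)
    start: int          # start-type digit as printed (0 = boot ... 4 = disabled)
    name: str
    display: str
    image_path: str
    file_present: bool  # False when ComboFix appended "[?]" (file not found)


def parse_line(line: str) -> Optional[ServiceEntry]:
    """Parse one ComboFix service line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").rstrip()
    file_present = not rest.endswith("[?]")
    # "registry path --> resolved path [?]" is printed when the file is missing;
    # the resolved form after the arrow is the one worth checking.
    path = rest.split("-->", 1)[1] if "-->" in rest else rest
    path = re.sub(r"\s*\[[^\]]*\]\s*$", "", path).strip()   # drop "[date size]" / "[?]"
    if path.startswith("\\??\\"):                             # NT object-manager prefix
        path = path[4:]
    return ServiceEntry(m.group("state"), int(m.group("start")), m.group("name"),
                        m.group("display"), path, file_present)


def is_temp_path(path: str) -> bool:
    """True if the image path sits under a temp directory (case-insensitive)."""
    return any(marker in path.lower() for marker in TEMP_MARKERS)


def triage(lines: List[str]) -> List[dict]:
    """Return the entries a reviewer should look at, with the reason(s) for each."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = []
        if is_temp_path(entry.image_path):
            reasons.append("image path under a temp directory")
        if not entry.file_present:
            reasons.append("file not found on disk (dangling service entry)")
        if reasons:
            findings.append({"name": entry.name, "path": entry.image_path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f['name']}: {f['path']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Run against the five lines above it reports Lbd and Lavasoft Kernexplorer (file missing) and cpuz131 (temp path and file missing). Flagged entries are review items, not verdicts: a portable hardware utility such as CPU-Z drops its driver into the user's Temp folder under a versioned service name, which is consistent with the cpuz131 entry, and `[?]` entries are commonly references left behind by software that is no longer on disk. The point of the check is that such entries cannot be overlooked in a long log.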

#13 Robert Trevellyan (Topic Starter)

Posted 12 December 2010 - 09:54 PM

OK, if I'm understanding what I'm looking at, it looks like the right versions of the files for those two updates are present.

#14 teacup61 (Malware Response Team)

Posted 12 December 2010 - 10:18 PM

:thumbup2: anything else? Feel free to ask.....

#15 Robert Trevellyan (Topic Starter)

Posted 12 December 2010 - 10:37 PM

Thanks so much for your help.