redirect log file


  • This topic is locked
2 replies to this topic

#1 leena104

leena104

  • Members
  • 1 posts
  • OFFLINE
  • Local time:09:34 AM

Posted 27 April 2011 - 10:02 AM

I have been fighting this virus for 6 months. It broke through my work computer (working for a very large corporation with very tight security). I.T. cannot seem to help me??? I have run ComboFix and my log file is posted below. Please help me....

AV: VirusScan Enterprise + AntiSpyware Enterprise *Enabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
* Resident AV is active
.
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\Client.ini
.
.
((((((((((((((((((((((((( Files Created from 2011-03-27 to 2011-04-27 )))))))))))))))))))))))))))))))
.
.
2011-04-25 14:28 . 2011-04-25 14:28 -------- d-----w- c:\program files\CCleaner
2011-04-19 13:58 . 2011-04-19 13:58 -------- d-----w- c:\documents and settings\nkazimie\Application Data\McAfee
2011-04-19 13:58 . 2011-04-19 13:58 -------- d-sh--w- c:\documents and settings\nkazimie\IETldCache
2011-04-06 14:16 . 2011-04-06 14:16 -------- d-----w- c:\documents and settings\Kathleen.Burton\Local Settings\Application Data\Deployment
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-27 13:34 . 2010-05-17 14:13 2401 ----a-w- c:\windows\system32\drivers\AlKernel.sys
2011-03-07 05:33 . 2008-09-24 15:12 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2004-08-04 10:00 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-08-04 10:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2004-08-04 10:00 43520 ------w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2004-08-04 10:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2004-08-04 10:00 385024 ------w- c:\windows\system32\html.iec
2011-02-17 13:18 . 2004-08-04 10:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2004-08-04 10:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2010-03-18 18:42 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2004-08-04 10:00 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53 . 2004-08-04 10:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-04 10:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 23:03 . 2004-08-04 10:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-08 13:33 . 2004-08-04 10:00 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-03 19:45 . 2011-02-03 19:45 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-03 19:45 . 2011-02-03 19:45 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-26 00:07 . 2011-03-23 18:26 23864 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-04-19 39408]
"ccleaner"="c:\program files\CCleaner\CCleaner.exe" [2011-02-23 2251064]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2009-03-05 1044480]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-05-13 141336]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-05-13 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-05-13 141336]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2010-08-26 124224]
"AClntUsr"="c:\program files\Altiris\AClient\AClntUsr.EXE" [2011-04-27 184320]
"DiskeeperSystray"="c:\program files\Executive Software\Diskeeper\DkIcon.exe" [2005-07-26 184408]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"AeXAgentLogon"="c:\program files\Altiris\Altiris Agent\AeXAgentActivate.exe" [2010-02-26 152872]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2011-01-12 161088]
.
c:\documents and settings\abrandt\Start Menu\Programs\Startup\
profxp.bat [2002-2-5 70]
.
c:\documents and settings\G_Plescia\Start Menu\Programs\Startup\
profxp.bat [2002-2-5 70]
.
c:\documents and settings\imBF\Start Menu\Programs\Startup\
profxp.bat [2002-2-5 70]
.
c:\documents and settings\T_Maloney\Start Menu\Programs\Startup\
profxp.bat [2002-2-5 70]
.
c:\documents and settings\ao-es-tmaloney\Start Menu\Programs\Startup\
profxp.bat [2002-2-5 70]
.
c:\documents and settings\Brian.Kunert\Start Menu\Programs\Startup\
profxp.bat [2002-2-5 70]
.
c:\documents and settings\B_Kunert\Start Menu\Programs\Startup\
profxp.bat [2002-2-5 70]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
profxp.bat [2002-2-5 70]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
CSUserxp.bat [2004-11-16 149]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
WinZip Quick Pick.lnk - c:\windows\Installer\{1D7086A4-802F-43D0-99CD-E7A82C4F2636}\Icon1D7086A4.exe [2010-5-18 218112]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1051030849-4060563901-1370798027-25746\Scripts\Logon\0\0]
"Script"=IntranetZoneUpdate
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2013013795-1909734096-953767643-14221\Scripts\Logon\0\0]
"Script"=IntranetZoneUpdate
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2013013795-1909734096-953767643-14221\Scripts\Logon\1\0]
"Script"=ITTDefense.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2013013795-1909734096-953767643-17067\Scripts\Logon\0\0]
"Script"=\\avionics.de.ittind.com\netlogon\dnssearchzone.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2013013795-1909734096-953767643-17067\Scripts\Logon\1\0]
"Script"=ITTDefense.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2013013795-1909734096-953767643-17067\Scripts\Logon\2\0]
"Script"=Outlook Cache Mode Enabler.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2013013795-1909734096-953767643-25123\Scripts\Logon\0\0]
"Script"=ITTDefense.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2013013795-1909734096-953767643-25404\Scripts\Logon\0\0]
"Script"=IntranetZoneUpdate
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2013013795-1909734096-953767643-25411\Scripts\Logon\0\0]
"Script"=IntranetZoneUpdate
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\altiris\\aclient\\AClntUsr.EXE"=
"c:\\Program Files\\MANDIANT\\MANDIANT Intelligent Response Agent\\miragent.exe"=
.
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [5/17/2010 1:58 PM 24064]
R1 CCDevice;CCDevice;c:\windows\system32\drivers\CCDevice.sys [5/29/2007 6:55 PM 9216]
R2 IntelligentResponseAgent;Intelligent Response Agent;c:\program files\MANDIANT\MANDIANT Intelligent Response Agent\miragent.exe -service -servicename IntelligentResponseAgent --> c:\program files\MANDIANT\MANDIANT Intelligent Response Agent\miragent.exe -service -servicename IntelligentResponseAgent [?]
R2 McAfee SiteAdvisor Enterprise Service;McAfee SiteAdvisor Enterprise Service;c:\program files\McAfee\SiteAdvisor Enterprise\McSACore.exe [8/6/2009 4:53 PM 222528]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [8/25/2010 8:07 PM 22816]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [3/18/2011 1:52 PM 69192]
R2 Telelogic License Manager;Telelogic License Manager;c:\program files\IBM\Rational\License Server\lmgrd.exe [11/27/2007 8:40 PM 1423440]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [5/17/2010 1:58 PM 144480]
R3 Mandiant_Tools;Mandiant_Tools;c:\documents and settings\All Users\Application Data\MANDIANT\MANDIANT Intelligent Response Agent\mktools.sys [10/11/2010 10:27 AM 19920]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/19/2011 2:35 PM 135664]
S2 Wireless Support;Wireless Support;c:\windows\ITT\srvany.exe [5/17/2010 10:15 AM 8192]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [3/18/2011 1:52 PM 67240]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 5:06 PM 11520]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/4/2004 6:00 AM 14336]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MANDIANT_TOOLS
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-19 18:35]
.
2011-04-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-19 18:35]
.
2011-04-27 c:\windows\Tasks\User_Feed_Synchronization-{27E54518-A20E-4633-AA8C-1810787E83CB}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.avionics.de.ittind.com/
uInternet Settings,ProxyOverride = <local>
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D1E1F7ED622A0E5D.dll/cmsidewiki.html
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Trusted Zone: area5.avionics.de.ittind.com
Trusted Zone: itt-root.net
Trusted Zone: itt-tds.com
Trusted Zone: itt.com
Trusted Zone: itt.net
Trusted Zone: ittavionics.com\www
Trusted Zone: ittdefence.co.uk
Trusted Zone: ittind.com
Trusted Zone: org.uk\*.Ashridge
Trusted Zone: ourittcannon.com
Trusted Zone: umich.edu\*.livecast.engin
Trusted Zone: umich.edu\livecast.engin
DPF: Concur Expense Applets - file://\\buildarea\ntunat\SW\JavaVM\Concur_Exp_Applets\cnqr_ie.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Kathleen.Burton\Application Data\Mozilla\Firefox\Profiles\9fn5q678.default\
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: McAfee SiteAdvisor Enterprise: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\McAfee\SiteAdvisor Enterprise
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
HKLM-Run-IDTSysTrayApp - (no file)
HKLM-Run-POINTER - point32.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-27 10:40
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(704)
c:\windows\system32\AMINIT32.dll
c:\windows\system32\igfxdev.dll
.
- - - - - - - > 'lsass.exe'(760)
c:\windows\system32\AMINIT32.dll
.
Completion time: 2011-04-27 10:41:16
ComboFix-quarantined-files.txt 2011-04-27 14:41
.
Pre-Run: 52,399,865,856 bytes free
Post-Run: 52,517,830,656 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - DB43688E61A2EC5380B341D89EC7ABE5


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:02:34 PM

Posted 05 May 2011 - 08:27 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:02:34 PM

Posted 10 May 2011 - 06:08 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
m0le is a proud member of UNITE