PC system infection


This topic is locked
2 replies to this topic

#1 Mica33

Mica33

  • Members
  • 1 posts

Posted 25 May 2011 - 09:45 AM

This computer has been infected with WinXP Recovery Fake Virus. Below you will find the ComboFix log.

Thanks,

ComboFix 11-05-24.06 - Administrator 05/25/2011 7:11.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.320 [GMT -5:00]
Running from: d:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
d:\documents and settings\All Users\Application Data\NpLvkgdMCjJX.exe
d:\windows\Downloaded Program Files\CpnMgr.dll
E:\Autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2011-04-25 to 2011-05-25 )))))))))))))))))))))))))))))))
.
.
2011-05-06 18:36 . 2011-05-06 18:36 398760 ----a-r- d:\windows\system32\cpnprt2.cid
2011-05-06 12:54 . 2011-05-06 12:55 -------- d-----w- d:\program files\WOTraffic
2011-05-06 12:09 . 2011-05-24 20:52 -------- d-----w- d:\documents and settings\culberr
2011-05-06 11:54 . 2011-05-06 11:54 -------- d-----w- D:\culbertson virus activity
2011-05-06 11:48 . 2011-05-06 11:48 -------- d--h--w- d:\documents and settings\Administrator\Application Data\SPE
2011-05-03 07:25 . 2011-04-11 07:04 7071056 ---ha-w- d:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{FB8FEDBC-B47B-4819-8E04-98D0824EF787}\mpengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-11 07:04 . 2007-07-02 16:04 7071056 ---ha-w- d:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2011-03-18 17:33 . 2011-02-14 22:05 71072 ----a-w- d:\windows\CouponPrinter.ocx
2011-03-07 05:33 . 2007-05-17 18:04 692736 ----a-w- d:\windows\system32\inetcomm.dll
2011-03-04 06:45 . 2004-08-04 12:00 434176 ----a-w- d:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-08-04 12:00 1857920 ----a-w- d:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="d:\program files\Dell Support\DSAgnt.exe" [2006-08-29 395776]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="d:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 48752]
"vptray"="d:\progra~1\SYMANT~1\VPTray.exe" [2005-04-17 85184]
"IgfxTray"="d:\windows\system32\igfxtray.exe" [2005-04-06 94208]
"HotKeysCmds"="d:\windows\system32\hkcmd.exe" [2005-04-06 77824]
"Persistence"="d:\windows\system32\igfxpers.exe" [2005-04-06 114688]
"SoundMAXPnP"="d:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"itype"="d:\program files\Microsoft IntelliType Pro\itype.exe" [2006-07-07 576320]
"IntelliPoint"="d:\program files\Microsoft IntelliPoint\ipoint.exe" [2006-07-07 600896]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"CarboniteSetupLite"="d:\program files\Carbonite\CarbonitePreinstaller.exe" [2009-08-04 318096]
"MaxMenuMgr"="d:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-09-26 185640]
"Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-01-22 40368]
"Adobe ARM"="d:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"TkBellExe"="d:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-10-12 202256]
"BCSSync"="d:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 08:42 72208 ----a-w- d:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3268579073-2598524899-1415456918-11670\Scripts\Logon\0\0]
"Script"=PushPrinterConnections.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3268579073-2598524899-1415456918-11670\Scripts\Logon\1\0]
"Script"=pushprinterconnections.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3268579073-2598524899-1415456918-3201\Scripts\Logon\0\0]
"Script"=PushPrinterConnections.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3268579073-2598524899-1415456918-3201\Scripts\Logon\1\0]
"Script"=SalesHR.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3268579073-2598524899-1415456918-3201\Scripts\Logon\2\0]
"Script"=pushprinterconnections.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
R2 FreeAgentGoNext Service;Seagate Service;d:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [9/25/2009 11:32 PM 189736]
R2 WinDefend;Windows Defender;d:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S2 gupdate;Google Update Service (gupdate);d:\program files\Google\Update\GoogleUpdate.exe [8/9/2010 3:06 PM 136176]
S3 gupdatem;Google Update Service (gupdatem);d:\program files\Google\Update\GoogleUpdate.exe [8/9/2010 3:06 PM 136176]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;d:\program files\Microsoft Office\Office14\GROOVE.EXE [3/25/2010 11:25 AM 30969208]
S3 osppsvc;Office Software Protection Platform;d:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 10:37 PM 4640000]
S3 SavRoam;SAVRoam;d:\program files\Symantec AntiVirus\SavRoam.exe [4/17/2005 12:30 PM 124608]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - EraserUtilDrv11110
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-21 d:\windows\Tasks\defrag.job
- d:\windows\system32\defrag.exe [2004-08-04 00:12]
.
2011-05-25 d:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- d:\program files\Google\Update\GoogleUpdate.exe [2010-08-09 20:06]
.
2011-05-24 d:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- d:\program files\Google\Update\GoogleUpdate.exe [2010-08-09 20:06]
.
2011-05-25 d:\windows\Tasks\MP Scheduled Scan.job
- d:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
.
2011-05-25 d:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3268579073-2598524899-1415456918-11670.job
- d:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 08:02]
.
2011-05-17 d:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3268579073-2598524899-1415456918-11670.job
- d:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 08:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.localtvllc.com/ourstations/
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {233405FE-26C4-4B6A-93AB-C3FE5EBA5B29} = 10.168.1.225,10.114.35.32
DPF: {1359DD49-0D00-4F6D-BE1A-56693B8B04BD} - hxxp://forecast.localtvllc.com/cabs/fcbootstrap.cab
.
- - - - ORPHANS REMOVED - - - -
.
ShellIconOverlayIdentifiers-{B846CCD1-CC4F-74EC-ACCB-63FA32CBC936} - (no file)
Notify-ckpNotify - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-25 07:23
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@d:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="d:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(684)
d:\program files\common files\logitech\bluetooth\LBTWlgn.dll
d:\program files\common files\logitech\bluetooth\LBTServ.dll
.
Completion time: 2011-05-25 07:34:44
ComboFix-quarantined-files.txt 2011-05-25 12:34
.
Pre-Run: 80,750,731,264 bytes free
Post-Run: 81,272,553,472 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(3)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(3)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - ACAF5523D67417F4A72E87064F9251D0


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 04 June 2011 - 05:56 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 08 June 2011 - 07:43 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
m0le is a proud member of UNITE



