Browser Redirect Infection - Ultra Defragger Also RTHDBPL infection


  • This topic is locked
87 replies to this topic

#1 Bob914

  • Members
  • 60 posts
  • Gender:Male
  • Location:New Jersey

Posted 04 September 2011 - 09:00 AM

I'm preparing for help with a browser redirect virus.
I ran DDS but it did not generate the logs.
In the black window after the information text, there was a progression of ###########
It seemed to be running but when it finished, no reports.
Perhaps there is some script blocking running?
How can I tell?

Thanks in advance.
Bob

Issue resolved.

Although there were no pop up notepad windows, the log files were created.
I did a file name search and they were put into a Temp folder.
Now I can continue.

Thanks in advance,
Bob

After opening a page on a legitimate website, I got infected with Ultra Defragger, I believe, or some other HDD Failure virus.
I followed the procedure on bleepingcomputer and it seemed to remove most of the infection.
I believe I used rkill, malwarebytes, and unhide. This was a few weeks ago.
I also ran spybot sd to try and remove the browser redirect with no results.
We are still left with what appears to be a browser redirect virus and it seems to be getting worse.
Whenever we try to use a search engine and click on a link, we get redirected to some other random search sites.
Redirection also occurs occasionally when typing in a url.
After removing UltraDefragger, my profile was lost and there are no links to most of the programs listed in the programs menu.
I've viewed a number of posts and the infection seems very similar and most achieved results.

Also, Malwarebytes keeps finding an infection named RTHDBPL.

I ran DEFOGGER, DDS, then GMER

When trying to run GMER, a window pops up with the following:

LoadDriver("c:\temp\pwtdypog.sys") error 0xC000010E: Cannot create a stable subkey under a volatile parent key.

GMER does open after closing the error window, but the only settings that can be chosen are Services, Registry, Files, and ADS. The other choices were grayed out.
After GMER ran, I got the message: GMER hasn't found any system modification.

Thanks in advance for your help.

Here's what logs I could get:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Laurette at 10:24:32 on 2011-09-04
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2344 [GMT -4:00]
.
AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\UPS\WSTD\UPSNA1Msgr.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Documents and Settings\All Users\Application Data\CAM Commerce Solutions\X-Charge\Application\XChrgSrv.exe
C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe
C:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe
C:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe
C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Common Files\MySoftware\NewsFlsh.exe
C:\Program Files\Brother\Brmfl05c\FAXRX.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Documents and Settings\All Users\Application Data\CAM Commerce Solutions\X-Charge\Application\XCSecurityService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\PCHEALTH\HELPCTR\BINARIES\helpctr.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpHost.exe
C:\WINDOWS\system32\wscntfy.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.weather.com/weather/my?showdatasavepop=T
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.dell4me.com/mywaybiz
uSearch Bar = hxxp://bfc.myway.com/search/de_srchlft.html
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\adobe acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\adobe acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\adobe acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Google Update] "c:\documents and settings\laurette\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
mRun: [WinFaxAppPortStarter] wfxsnt40.exe
mRun: [WFXSwtch] c:\progra~1\winfax\WFXSWTCH.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [NA1Messenger] c:\ups\wstd\UPSNA1Msgr.exe
mRun: [mmtask] c:\program files\musicmatch\musicmatch jukebox\mmtask.exe
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [CAMMonitor] c:\documents and settings\all users\application data\cam commerce solutions\x-charge\application\XChrgSrv.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\maxtor\schedule2\schedhlp.exe"
mRun: [MaxBlastMonitor.exe] c:\program files\maxtor\maxblast\MaxBlastMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\maxtor\maxblast\TimounterMonitor.exe
mRun: [Maxtor Scheduler2 Service] "c:\program files\common files\maxtor\schedule2\schedhlp.exe"
StartupFolder: c:\docume~1\laurette\startm~1\programs\startup\faxrx.lnk - c:\program files\brother\brmfl05c\FAXRX.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\adobe acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\contro~1.lnk - c:\program files\winfax\WFXCTL32.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mysoft~1.lnk - c:\program files\common files\mysoftware\NewsFlsh.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: microsoft.com\office
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/0/5/7/05796dde-b2ba-4eef-8da4-f99c7e0c9b92/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B80CD4E6-5B02-4B6C-99BE-68F1511E9549} - hxxp://plugin.slingbox.com/downloads/pc/1.4.0.102/WebSlingPlayer.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\intuit\quickbooks 2010\HelpAsyncPluggableProtocol.dll
Handler: intu-help-qb4 - {ACE22922-D07C-4860-B51B-8CF472FEC2CB} - c:\program files\intuit\quickbooks 2010\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
LSA: Authentication Packages = msv1_0 relog_ap
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2007-10-3 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2007-10-3 108392]
R2 QBVSS;QBIDPService;c:\program files\common files\intuit\dataprotect\QBIDPService.exe [2011-6-30 1248256]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2007-10-3 2177464]
R2 XCSecurity;X-Charge Security;c:\documents and settings\all users\application data\cam commerce solutions\x-charge\application\XCSecurityService.exe [2010-11-27 1554432]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-7-28 105592]
R3 mv2;mv2;c:\windows\system32\drivers\mv2.sys [2010-3-29 8792]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110903.002\NAVENG.SYS [2011-9-3 86136]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110903.002\NAVEX15.SYS [2011-9-3 1576312]
S0 PQV2i;PQV2i; [x]
S1 PQIMount;PQIMount; [x]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-30 135664]
S2 MaxSch2Svc;Maxtor Scheduler2 Service;c:\program files\common files\maxtor\schedule2\schedul2.exe [2008-6-27 431384]
S2 MSSQL$UPSWSDBSERVER;MSSQL$UPSWSDBSERVER;c:\ups\wstd\mssql$upswsdbserver\binn\sqlservr.exe -supswsdbserver --> c:\ups\wstd\mssql$upswsdbserver\binn\sqlservr.exe -sUPSWSDBSERVER [?]
S2 QuickBooksDB17;QuickBooksDB17;c:\progra~1\intuit\quickb~2\qbdbmgrn.exe -hvquickbooksdb17 --> c:\progra~1\intuit\quickb~2\QBDBMgrN.exe -hvQuickBooksDB17 [?]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2007-10-3 23888]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-30 135664]
S3 QuickBooksDB21;QuickBooksDB21;c:\progra~1\intuit\quc2c1~1\qbdbmgrn.exe -hvquickbooksdb21 --> c:\progra~1\intuit\quc2c1~1\QBDBMgrN.exe -hvQuickBooksDB21 [?]
S3 SQLAgent$UPSWSDBSERVER;SQLAgent$UPSWSDBSERVER;c:\ups\wstd\mssql$upswsdbserver\binn\sqlagent.exe -i upswsdbserver --> c:\ups\wstd\mssql$upswsdbserver\binn\sqlagent.EXE -i UPSWSDBSERVER [?]
S3 XCService;X-Charge Server;c:\documents and settings\all users\application data\cam commerce solutions\x-charge\application\XCService.exe [2010-11-27 461824]
S4 vsdatant;vsdatant;a --> a [?]
.
=============== Created Last 30 ================
.
2011-09-04 02:34:29 368480 ----a-w- c:\windows\system32\drivers\tdrpman.sys
2011-09-04 02:34:02 -------- d-----w- c:\program files\Maxtor
2011-09-03 21:37:36 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-08-17 02:12:38 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-08-17 02:12:38 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
2011-08-10 09:13:50 139656 ------w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-10 09:13:37 10496 ------w- c:\windows\system32\dllcache\ndistapi.sys
.
==================== Find3M ====================
.
2011-09-04 02:34:41 44384 ----a-w- c:\windows\system32\drivers\tifsfilt.sys
2011-09-04 02:34:41 441760 ----a-w- c:\windows\system32\drivers\timntr.sys
2011-09-04 02:34:34 132224 ----a-w- c:\windows\system32\drivers\snapman.sys
2011-09-03 21:37:17 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-08-17 12:20:52 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-06 23:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 23:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36:30 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36:30 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05:13 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
.
============= FINISH: 10:30:50.53 ===============

Merged topics then posts for the sake of continuity. Removed redundant content. ~ OB


Edited by Orange Blossom, 05 September 2011 - 11:52 PM.
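A first-pass triage of DDS output of the kind posted above, added here as an example and not a tool from this thread or from the DDS author: it reads Pseudo HJT and service lines and flags orphaned CLSIDs ("No File"), Run entries without a full path, non-default Hosts entries, services DDS marked [x] (file not found) or [?] (unverified), and DPF Java installers older than the newest one present. The sample lines are excerpted from the log in this post; the category names and regexes are this example's own, and every flag is a prompt to look, not a verdict.

```python
import re
from collections import defaultdict

# Constructed sample input: lines excerpted from the DDS "Pseudo HJT Report" and
# "SERVICES / DRIVERS" sections posted above ("hxxp" is DDS's defanged "http").
SAMPLE_DDS = r"""
uStart Page = hxxp://www.weather.com/weather/my?showdatasavepop=T
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [WinFaxAppPortStarter] wfxsnt40.exe
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
Hosts: 127.0.0.1 www.spywareinfo.com
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2007-10-3 108392]
S0 PQV2i;PQV2i; [x]
S4 vsdatant;vsdatant;a --> a [?]
"""

# Line shapes used by DDS (the category names below are this example's own, not DDS terms).
ENTRY_RE = re.compile(r"^(?P<kind>[A-Za-z]+):\s*(?P<body>.*)$")
RUN_RE = re.compile(r'^\[(?P<name>[^\]]+)\]\s*"?(?P<cmd>[^"]+)"?')
SERVICE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<rest>.*)$")
JAVA_RE = re.compile(r"jinstall-(\d+)_(\d+)_(\d+)_(\d+)-")


def java_version(url):
    """Return the JRE version tuple encoded in a java.sun.com jinstall URL, else None."""
    m = JAVA_RE.search(url)
    return tuple(int(x) for x in m.groups()) if m else None


def triage(dds_text):
    """Return {category: [lines]} of DDS entries a helper would look at first."""
    findings = defaultdict(list)
    java_entries = []
    for line in dds_text.splitlines():
        line = line.strip()
        if not line:
            continue
        svc = SERVICE_RE.match(line)
        if svc:
            rest = svc.group("rest")
            if rest.endswith("[x]"):       # DDS: the service's file was not found on disk
                findings["service_missing_file"].append(line)
            elif rest.endswith("[?]"):     # DDS: image path could not be verified
                findings["service_unverified"].append(line)
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind in ("BHO", "TB", "EB") and body.endswith("- No File"):
            findings["orphaned_clsid"].append(line)       # CLSID registered, DLL gone
        elif kind in ("uRun", "mRun"):
            r = RUN_RE.match(body)
            cmd = r.group("cmd").strip() if r else body
            if not re.match(r"^[a-z]:\\", cmd, re.I):      # bare name: resolved via PATH search
                findings["run_without_full_path"].append(line)
        elif kind == "DPF":
            v = java_version(body)
            if v:
                java_entries.append((v, line))
        elif kind == "Hosts":
            findings["hosts_override"].append(line)       # DDS prints only non-default entries
    if java_entries:                                      # older JREs still installed beside the newest
        newest = max(v for v, _ in java_entries)
        outdated = [line for v, line in java_entries if v < newest]
        if outdated:
            findings["outdated_java_dpf"] = outdated
    return dict(findings)


if __name__ == "__main__":
    for category, lines in triage(SAMPLE_DDS).items():
        print(category)
        for entry in lines:
            print("   ", entry)
```

Run it against a full DDS.txt by reading the file into `triage()`; entries it does not recognise are simply skipped.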



#2 nasdaq

  • Malware Response Team
  • 40,754 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 09 September 2011 - 07:33 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.
===

Third party programs, if not up to date, can be the cause of infiltration by an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please post the logs and let me know what problem persists.

#3 Bob914
  • Topic Starter

  • Members
  • 60 posts
  • Gender:Male
  • Location:New Jersey

Posted 09 September 2011 - 09:42 AM

Hi nasdaq, thanks for responding to my cry for help!

I also found on my desktop a shortcut for "System Repair" which points to a file called P1kAIMiG2Kb7Fz.exe
Good thing no one clicked on that!

I cannot run the scans until this evening after 6:00 pm.
I've read that they take hours in some cases and the infected computer is in use all day at my business.
I've been following many posts and can't wait to get started.
I'll download and run ComboFix and post the logs asap this evening.
Shall I run Security Check immediately after ComboFix and place the log to the same post?
Thanks again for your help.

Bob

#4 nasdaq

  • Malware Response Team
  • 40,754 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 09 September 2011 - 10:22 AM

I also found on my desktop a shortcut for "System Repair" which points to a file called P1kAIMiG2Kb7Fz.exe
Good thing no one clicked on that!


If that file is still around after you have run ComboFix, delete it.

Yes run the SecurityCheck and paste it in your next post with ComboFix.

#5 Bob914
  • Topic Starter

  • Members
  • 60 posts
  • Gender:Male
  • Location:New Jersey

Posted 09 September 2011 - 08:26 PM

nasdaq,

Ran ComboFix and boy it had a lot to do!
Tried using some search engines and they seem to be working OK. No redirecting.
The links in my Programs menu are still "empty" and original profile still not there.
I think you may have a fix for that as well, I hope.
Looks like good progress so far.

Here are the logs:

ComboFix 11-09-09.04 - Laurette 09/09/2011 19:40:38.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2154 [GMT -4:00]
Running from: c:\documents and settings\Laurette\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\NotifyAlert.exe.83a8f8c0.ini.inuse
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\SL30.tmp.47ef97a6.ini
c:\documents and settings\Laurette\Desktop\System Repair.lnk
c:\documents and settings\Laurette\g2ax_customer_downloadhelper_win32_x86.exe
c:\documents and settings\Laurette\g2mdlhlpx.exe
c:\documents and settings\Laurette\Local Settings\Application Data\ApplicationHistory
c:\documents and settings\Laurette\Local Settings\Application Data\ApplicationHistory\AlertView.exe.8de2ebce.ini
c:\documents and settings\Laurette\Local Settings\Application Data\ApplicationHistory\AllertEula.exe.561b80e6.ini
c:\documents and settings\Laurette\Local Settings\Application Data\ApplicationHistory\ClientApplicationFrameWork.exe.3ead1c54.ini
c:\documents and settings\Laurette\Local Settings\Application Data\ApplicationHistory\ClientApplicationFramework.exe.3ead1c54.ini.inuse
c:\documents and settings\Laurette\Local Settings\Application Data\ApplicationHistory\DA_PASlog.exe.266217b1.ini
c:\documents and settings\Laurette\Local Settings\Application Data\ApplicationHistory\DellUpdateMsg.exe.4ceef5a4.ini
c:\documents and settings\Laurette\Local Settings\Application Data\ApplicationHistory\DFolder.exe.368dcbb5.ini
c:\documents and settings\Laurette\Local Settings\Application Data\ApplicationHistory\DNGen.exe.8bb9a8a9.ini
c:\documents and settings\Laurette\Local Settings\Application Data\ApplicationHistory\DS_PASlog.exe.5c97331f.ini
c:\documents and settings\Laurette\Local Settings\Application Data\ApplicationHistory\dsca.exe.cf6b816f.ini
c:\documents and settings\Laurette\Local Settings\Application Data\ApplicationHistory\ExpEval21.exe.8f3e9125.ini
c:\documents and settings\Laurette\Local Settings\Application Data\ApplicationHistory\InC6B.exe.88fb338c.ini
c:\documents and settings\Laurette\Local Settings\Application Data\ApplicationHistory\info.exe.c95fa770.ini
c:\documents and settings\Laurette\Local Settings\Application Data\ApplicationHistory\InstallManager.exe.481df074.ini
c:\documents and settings\Laurette\Local Settings\Application Data\ApplicationHistory\InstallManager.exe.ca4f1f1.ini
c:\documents and settings\Laurette\Local Settings\Application Data\ApplicationHistory\MSI11.tmp.ab4fe21a.ini
c:\documents and settings\Laurette\Local Settings\Application Data\ApplicationHistory\NA1Msgr.exe.d8c085f6.ini
c:\documents and settings\Laurette\Local Settings\Application Data\ApplicationHistory\NA1Msgr.exe.d8c085f6.ini.inuse
c:\documents and settings\Laurette\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini
c:\documents and settings\Laurette\Local Settings\Application Data\ApplicationHistory\NotifyAlert.exe.83a8f8c0.ini.inuse
c:\documents and settings\Laurette\Local Settings\Application Data\ApplicationHistory\QBServerUtilityMgr.exe.8b2bd1ac.ini.inuse
c:\documents and settings\Laurette\Local Settings\Application Data\ApplicationHistory\qbw32.exe.16bd612f.ini
c:\documents and settings\Laurette\Local Settings\Application Data\ApplicationHistory\qbw32.exe.7d562eb0.ini
c:\documents and settings\Laurette\Local Settings\Application Data\ApplicationHistory\regasm.exe.11f1da13.ini
c:\documents and settings\Laurette\Local Settings\Application Data\ApplicationHistory\rng.exe.ac4aa698.ini
c:\documents and settings\Laurette\Local Settings\Application Data\ApplicationHistory\SL30.tmp.47ef97a6.ini
c:\documents and settings\Laurette\Local Settings\Application Data\ApplicationHistory\SL61.tmp.e2d08cdf.ini
c:\documents and settings\Laurette\Local Settings\Application Data\ApplicationHistory\sprtcmd.exe.63e7480d.ini
c:\documents and settings\Laurette\Local Settings\Application Data\ApplicationHistory\sprtcmd.exe.63e7480d.ini.inuse
c:\documents and settings\Laurette\Local Settings\Application Data\ApplicationHistory\ssIS.exe.4a0d72e5.ini
c:\documents and settings\Laurette\Local Settings\Application Data\ApplicationHistory\startDSLog.exe.48f7a42b.ini
c:\documents and settings\Laurette\Local Settings\Application Data\ApplicationHistory\Uninstall.exe.95d2cdc5.ini
c:\documents and settings\Laurette\Local Settings\Application Data\ApplicationHistory\WaitAndKill.exe.a591803d.ini.inuse
c:\documents and settings\Laurette\Local Settings\Application Data\ApplicationHistory\WMITarget.exe.da38aab9.ini
c:\documents and settings\Laurette\Local Settings\Application Data\ApplicationHistory\WorldShipTD.exe.ce6c3c7b.ini
c:\documents and settings\Laurette\Local Settings\Application Data\ApplicationHistory\WSDLanFix.exe.15ae8fdf.ini
c:\documents and settings\Laurette\Local Settings\Application Data\ApplicationHistory\WSProcessHandler.exe.12e91ea4.ini
c:\documents and settings\Laurette\Start Menu\Programs\System Repair
c:\documents and settings\Laurette\Start Menu\Programs\System Repair\System Repair.lnk
c:\documents and settings\Laurette\Start Menu\Programs\System Repair\Uninstall System Repair.lnk
c:\documents and settings\Laurette\WINDOWS
c:\documents and settings\QBDataServiceUser17\Local Settings\Application Data\ApplicationHistory
c:\documents and settings\QBDataServiceUser17\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini
c:\documents and settings\QBDataServiceUser17\Local Settings\Application Data\ApplicationHistory\NotifyAlert.exe.83a8f8c0.ini.inuse
c:\documents and settings\QBDataServiceUser17\Local Settings\Application Data\ApplicationHistory\SL30.tmp.47ef97a6.ini
c:\documents and settings\QBDataServiceUser20.STABLE-NEW\Local Settings\Application Data\ApplicationHistory
c:\documents and settings\QBDataServiceUser20.STABLE-NEW\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini
c:\documents and settings\QBDataServiceUser20.STABLE-NEW\Local Settings\Application Data\ApplicationHistory\NotifyAlert.exe.83a8f8c0.ini.inuse
c:\documents and settings\QBDataServiceUser20.STABLE-NEW\Local Settings\Application Data\ApplicationHistory\SL30.tmp.47ef97a6.ini
c:\documents and settings\QBDataServiceUser21\Local Settings\Application Data\ApplicationHistory
c:\documents and settings\QBDataServiceUser21\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini
c:\documents and settings\QBDataServiceUser21\Local Settings\Application Data\ApplicationHistory\NotifyAlert.exe.83a8f8c0.ini.inuse
c:\documents and settings\QBDataServiceUser21\Local Settings\Application Data\ApplicationHistory\SL30.tmp.47ef97a6.ini
C:\Thumbs.db
c:\windows\dasetup.log
c:\windows\system32\azip32.dll
c:\windows\system32\bszip.dll
c:\windows\system32\comct332.ocx
.
.
((((((((((((((((((((((((( Files Created from 2011-08-10 to 2011-09-10 )))))))))))))))))))))))))))))))
.
.
2011-09-04 02:34 . 2011-09-04 02:34 368480 ----a-w- c:\windows\system32\drivers\tdrpman.sys
2011-09-04 02:34 . 2011-09-04 02:34 -------- d-----w- c:\program files\Maxtor
2011-09-03 21:37 . 2011-09-03 21:37 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-09-03 10:17 . 2011-09-03 10:17 599040 ------w- c:\windows\system32\dllcache\crypt32.dll
2011-08-17 02:12 . 2011-08-17 02:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-08-17 02:12 . 2011-08-17 02:16 -------- d-----w- c:\program files\Spybot - Search & Destroy
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-04 02:34 . 2008-01-26 19:27 44384 ----a-w- c:\windows\system32\drivers\tifsfilt.sys
2011-09-04 02:34 . 2008-01-26 19:27 441760 ----a-w- c:\windows\system32\drivers\timntr.sys
2011-09-04 02:34 . 2008-01-26 19:27 132224 ----a-w- c:\windows\system32\drivers\snapman.sys
2011-09-03 21:37 . 2007-04-19 12:15 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-09-03 10:17 . 2004-08-04 11:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-08-17 12:20 . 2011-05-18 12:18 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-15 13:29 . 2004-08-04 11:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2004-08-04 11:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-06 23:52 . 2011-08-04 14:47 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 23:52 . 2011-08-04 14:47 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-24 14:10 . 2004-08-04 11:00 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36 . 2004-08-04 11:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36 . 2004-08-04 11:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36 . 2004-08-04 11:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05 . 2004-08-04 11:00 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2004-08-04 11:00 293376 ----a-w- c:\windows\system32\winsrv.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-07 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-06-30 1388544]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"NA1Messenger"="c:\ups\WSTD\UPSNA1Msgr.exe" [2008-12-04 24576]
"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-09-14 53248]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2011-06-14 1527128]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-02-21 143360]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-11-16 127035]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2006-03-13 995328]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-10-03 115560]
"CAMMonitor"="c:\documents and settings\All Users\Application Data\CAM Commerce Solutions\X-Charge\Application\XChrgSrv.exe" [2010-12-22 10841736]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-05-27 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Maxtor\Schedule2\schedhlp.exe" [2008-06-27 136472]
"Maxtor Scheduler2 Service"="c:\program files\Common Files\Maxtor\Schedule2\schedhlp.exe" [2008-06-27 136472]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
.
c:\documents and settings\Laurette\Start Menu\Programs\Startup\
FAXRX.lnk - c:\program files\Brother\Brmfl05c\FAXRX.exe [2007-6-13 499712]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Controller.LNK - c:\program files\WinFax\WFXCTL32.EXE [N/A]
MySoftware NewsFlash.lnk - c:\program files\Common Files\MySoftware\NewsFlsh.exe [2005-8-16 261120]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser "= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
2008-06-27 21:08 904776 ----a-w- c:\program files\Maxtor\MaxBlast\TimounterMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2007-03-15 15:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
2009-05-21 14:55 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2007-11-15 14:24 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-08-04 22:54 136176 ----atw- c:\documents and settings\Laurette\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxBlastMonitor.exe]
2008-06-27 21:01 1325800 ----a-w- c:\program files\Maxtor\MaxBlast\MaxBlastMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-06-07 13:15 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\speedDIAL\\speedDIAL.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\UPS\\WSTD\\MSSQL$UPSWSDBSERVER\\Binn\\sqlservr.exe"=
"c:\\Program Files\\Brother\\Brmfl05c\\FAXRX.exe"=
"c:\\MOMLocal6\\momwin.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2010\\QBDBMgrN.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\CAM Commerce Solutions\\X-Charge\\Application\\XChrgSrv.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1434:UDP"= 1434:UDP:UDP 1434
.
R2 MSSQL$UPSWSDBSERVER;MSSQL$UPSWSDBSERVER;c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe -sUPSWSDBSERVER --> c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe -sUPSWSDBSERVER [?]
R2 QBVSS;QBIDPService;c:\program files\Common Files\Intuit\DataProtect\QBIDPService.exe [6/30/2011 1:25 PM 1248256]
R2 XCSecurity;X-Charge Security;c:\documents and settings\All Users\Application Data\CAM Commerce Solutions\X-Charge\Application\XCSecurityService.exe [11/27/2010 7:34 PM 1554432]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [7/28/2011 5:52 PM 105592]
R3 mv2;mv2;c:\windows\SYSTEM32\DRIVERS\mv2.sys [3/29/2010 4:13 PM 8792]
S0 PQV2i;PQV2i; [x]
S1 PQIMount;PQIMount; [x]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/30/2010 10:24 AM 135664]
S2 MaxSch2Svc;Maxtor Scheduler2 Service;c:\program files\Common Files\Maxtor\Schedule2\schedul2.exe [6/27/2008 5:03 PM 431384]
S2 QuickBooksDB17;QuickBooksDB17;c:\progra~1\Intuit\QUICKB~2\QBDBMgrN.exe -hvQuickBooksDB17 --> c:\progra~1\Intuit\QUICKB~2\QBDBMgrN.exe -hvQuickBooksDB17 [?]
S3 COH_Mon;COH_Mon;c:\windows\SYSTEM32\DRIVERS\COH_Mon.sys [10/3/2007 3:29 PM 23888]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/30/2010 10:24 AM 135664]
S3 QuickBooksDB21;QuickBooksDB21;c:\progra~1\Intuit\QUC2C1~1\QBDBMgrN.exe -hvQuickBooksDB21 --> c:\progra~1\Intuit\QUC2C1~1\QBDBMgrN.exe -hvQuickBooksDB21 [?]
S3 SQLAgent$UPSWSDBSERVER;SQLAgent$UPSWSDBSERVER;c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlagent.EXE -i UPSWSDBSERVER --> c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlagent.EXE -i UPSWSDBSERVER [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\SYSTEM32\DRIVERS\wdcsam.sys [3/9/2011 8:56 PM 11520]
S3 XCService;X-Charge Server;c:\documents and settings\All Users\Application Data\CAM Commerce Solutions\X-Charge\Application\XCService.exe [11/27/2010 7:34 PM 461824]
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 14:24]
.
2011-09-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 14:24]
.
2011-09-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2170712181-924847976-3970311172-1005Core.job
- c:\documents and settings\Laurette\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-22 22:54]
.
2011-09-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2170712181-924847976-3970311172-1005UA.job
- c:\documents and settings\Laurette\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-22 22:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.weather.com/weather/my?showdatasavepop=T
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
Trusted Zone: microsoft.com\office
TCP: DhcpNameServer = 192.168.1.1 68.237.161.12
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-WinFaxAppPortStarter - wfxsnt40.exe
HKLM-Run-WFXSwtch - c:\progra~1\WinFax\WFXSWTCH.exe
Notify-NavLogon - (no file)
SafeBoot-Symantec Antvirus
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-09 20:32
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"="a"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(888)
c:\program files\Symantec\Symantec Endpoint Protection\SnacNp.dll
.
- - - - - - - > 'explorer.exe'(3888)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\program files\Symantec\Symantec Endpoint Protection\SnacNp.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\windows\System32\GEARSec.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\program files\Internet Explorer\IEXPLORE.EXE
c:\program files\Internet Explorer\IEXPLORE.EXE
.
**************************************************************************
.
Completion time: 2011-09-09 20:51:16 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-10 00:50
.
Pre-Run: 96,268,718,080 bytes free
Post-Run: 97,915,072,512 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 4FA4E0FD9A0F2A83CEED9405DE244D2A



Results of screen317's Security Check version 0.99.18
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
Symantec Endpoint Protection
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java™ 6 Update 26
Java™ SE Runtime Environment 6 Update 1
Java™ 6 Update 2
Java™ 6 Update 3
Java 2 Runtime Environment, SE v1.4.2_03
Out of date Java installed!
Adobe Flash Player
````````````````````````````````
Process Check:
objlist.exe by Laurent

Norton ccSvcHst.exe
``````````End of Log````````````


Thanks again.

Bob

#6 Bob914 (Topic Starter)

Posted 09 September 2011 - 08:48 PM

nasdaq,

Did a search for the P1kAlMiG2Kb7Fz file and found 3 slightly different instances of it in C:\Documents and Settings\All Users\Application Data.
The Windows Repair shortcut is gone from the desktop.
Shall I just delete those files as you suggested?

Bob

#7 nasdaq (Malware Response Team)

Posted 10 September 2011 - 09:13 AM

Did a search for the P1kAlMiG2Kb7Fz file and found 3 slightly different instances of it in C:\Documents and Settings\All Users\Application Data.

Also delete the icon on your desktop.
===

Secure your system by updating 3rd party programs.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java SE Runtime Environment 6 Update 27.
  • In the box labeled "Java Platform, Standard Edition", click the "Download JRE" button to the right.
  • In the Window that opens, select Windows (or Windows x64), and check the "agree" box and click "Continue".
  • Click on the link to download Windows Offline Installation and save to your Desktop.
  • Then from your Desktop double-click on jre-6u27-windows-i586.exe that you have downloaded to install the newest version.

    For the x64 version, download jre-6u26-windows-x64.exe instead. Make sure you download the correct version.

    - Note: If you are running Vista or Windows 7, you may need to right-click on the installation file and select Run as Administrator.

If present remove the old version(s) of Java using the Add/Remove Programs applet.


Java™ 6 Update 26
Java™ SE Runtime Environment 6 Update 1
Java™ 6 Update 2
Java™ 6 Update 3
Java 2 Runtime Environment, SE v1.4.2_03

===


Get the latest version of the Adobe Reader.
http://get.adobe.com/reader/
Before you download, I suggest you uncheck the box at the top right, "Include in your download"; it is not required. While the installation is in progress you can also deny the installation of any other programs that may be suggested.

When installed remove your old version of the Reader using the Add/Remove Programs applet if present.

===

An important vulnerability has been identified in Adobe Flash Player 10.3.181.16 and earlier versions for Windows, Macintosh, Linux and Solaris, and Adobe Flash Player 10.3.185.22 and earlier versions for Android. Adobe recommends... update to Adobe Flash Player 10.3.181.22

Direct download current version - executable Flash Player installer... to your Desktop, then double-click to install.

Download for Internet Explorer

Download for Firefox and other browsers
<<<>>>

The ComboFix is clean.

Any remaining issues?
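
A check to go with the Java step above, added here as an example and not part of nasdaq's post: after the current JRE is installed, it lists every Java runtime still registered in Add/Remove Programs (the same entries Security Check printed) and shows the uninstall command for each old one. It removes nothing. Assumptions that are mine, not the thread's: PowerShell is available (it is an optional download on XP SP3), the machine is 32-bit so there is a single Uninstall hive, and the freshly installed version's display name contains "6 Update 27" as in the post.

```powershell
# Added example, not part of nasdaq's post: after the current JRE is installed,
# list every Java runtime still registered in Add/Remove Programs and show the
# uninstall command for each old one. Nothing is removed; review the commands and
# run them yourself. Assumptions: 32-bit XP (a single Uninstall hive) and that the
# new version's display name contains "6 Update 27", as in the post.
$current      = '6 Update 27'
$uninstallKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'

# Security Check's "Java(TM) 6 Update 26", "Java 2 Runtime Environment, SE v1.4.2_03"
# and so on are the DisplayName values of these subkeys.
$java = @(Get-ChildItem $uninstallKey |
    ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
    Where-Object { $_.DisplayName -and ($_.DisplayName -match '^(Java|J2SE)') })

if ($java.Count -eq 0) {
    Write-Host 'No Java runtime is registered in Add/Remove Programs.'
    return
}

foreach ($j in $java) {
    $isCurrent = $j.DisplayName -like "*$current*"
    $tag = if ($isCurrent) { 'KEEP' } else { 'OLD ' }
    "{0}  {1}  (DisplayVersion {2})" -f $tag, $j.DisplayName, $j.DisplayVersion
    if (-not $isCurrent -and $j.UninstallString) {
        # JRE entries are MSI products, so this is normally 'MsiExec.exe /X{product-code}';
        # adding /qn would make it silent, but leave that off until you have reviewed it.
        '      ' + $j.UninstallString
    }
}
```

Run it once before and once after the Add/Remove Programs cleanup; the second run should show only the KEEP line.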

#8 Bob914 (Topic Starter)

Posted 10 September 2011 - 11:05 AM

OK, I followed all the above instructions and all went well.

I still have the problem with the folders in my All Programs menu being still "empty" and my original profile is not there.

#9 nasdaq (Malware Response Team)

Posted 10 September 2011 - 12:16 PM

This infection family will also hide all the files on your computer from being seen. To make your files visible again, please download the following program to your desktop:

Unhide.exe

Once the program has been downloaded, double-click on the Unhide.exe icon on your desktop and allow the program to run. This program will remove the +H, or hidden, attribute from all the files on your hard drives. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run.

However, the newer variants of the Fake rogue programs are now deleting the following folders and storing them into a numbered folder under %Temp%\smtmp\:

%Temp%\smtmp\1\ => %AllUsersProfile%\Start Menu
%Temp%\smtmp\2\ => %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch
%Temp%\smtmp\3\ => %AppData%\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar
%Temp%\smtmp\4\ => %AllUsersProfile%\Desktop

It goes without saying that cleaning the %temp% folder before restoration would result in the loss of these folders.

Empty START program files.

Right-click on each of the folders and select Open to open the start menu folder in Explorer. Then browse to C:\Program Files\<program name> (or whatever location the program is installed in), locate the main program's .exe file (it will usually have a name very similar to the program name and the same icon), and copy and paste it into the start menu folder you have open. Then close the folders and look in your start menu again; the shortcut should be there and functioning!

So, for example, the start menu folder SpeedCrunch shows up as (Empty). Right-click on the folder and select Open, then open C:\Program Files\SpeedCrunch and locate the .exe file named "speedcrunch". Copy and paste that file into the start menu folder.

===

Time for some housekeeping

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bold text into the Run box and click OK:

ComboFix /Uninstall
===

Delete the other tools we used to clean this computer.

If you need additional help please ask.
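
The %Temp%\smtmp restoration nasdaq describes above, written out as a script. This is an added example, not code from the post or from the Unhide tool: it copies the contents of %Temp%\smtmp\1 through \4 back to the locations in the post's mapping, and refuses to do anything when smtmp is gone (the case the post warns about, %Temp% already cleaned). Assumptions of mine: PowerShell is installed on the XP box (an optional download for SP3), the script runs in the affected user's session after the rogue was removed, and the mapping is used exactly as the post lists it, so entry 3 (pinned taskbar items, which only exist on Windows 7) is expected to be skipped on XP.

```powershell
# Added example, not part of nasdaq's post: put back the folders that the rogue
# moved into %Temp%\smtmp\<n>\, using the mapping listed in the post above.
# Assumptions: PowerShell is installed (an optional download on XP SP3), the script
# runs in the affected user's session after the rogue was removed, and %Temp% has
# not been cleaned yet. Copies rather than moves, so the smtmp copy stays as a fallback.
param([switch]$DryRun)

# Mapping exactly as given in the post; expanded at run time. Entry 3 only exists
# on Windows 7 (pinned taskbar items), so on XP it is expected to be skipped.
$map = @{
    '1' = '%AllUsersProfile%\Start Menu'
    '2' = '%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch'
    '3' = '%AppData%\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar'
    '4' = '%AllUsersProfile%\Desktop'
}

$smtmp = Join-Path ([Environment]::ExpandEnvironmentVariables('%Temp%')) 'smtmp'
if (-not (Test-Path -LiteralPath $smtmp)) {
    Write-Host "$smtmp does not exist: %Temp% was probably cleaned, nothing to restore."
    return
}

foreach ($n in ($map.Keys | Sort-Object)) {
    $src = Join-Path $smtmp $n
    $dst = [Environment]::ExpandEnvironmentVariables($map[$n])
    if (-not (Test-Path -LiteralPath $src)) {
        Write-Host "smtmp\$n not present, skipping"
        continue
    }
    # Only restore into a location whose parent already exists; this stops the
    # Windows 7 mapping from creating a bogus tree inside an XP profile.
    if (-not (Test-Path -LiteralPath (Split-Path -Parent $dst))) {
        Write-Host "parent of $dst missing, skipping smtmp\$n"
        continue
    }
    $items = @(Get-ChildItem -LiteralPath $src -Force)
    Write-Host ("smtmp\{0}: {1} item(s) -> {2}" -f $n, $items.Count, $dst)
    if ($DryRun) {
        $items | ForEach-Object { Write-Host "  would copy $($_.Name)" }
        continue
    }
    if (-not (Test-Path -LiteralPath $dst)) {
        New-Item -ItemType Directory -Path $dst | Out-Null
    }
    foreach ($item in $items) {
        # -Force overwrites the empty folders and shortcuts the rogue left behind
        Copy-Item -LiteralPath $item.FullName -Destination $dst -Recurse -Force
    }
}
```

Run it with -DryRun first to see what would be copied; if it reports that smtmp does not exist, the shortcuts have to be recreated by hand as described under "Empty START program files" above.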

#10 Bob914 (Topic Starter)

Posted 10 September 2011 - 01:04 PM

I ran unhide and it didn't help although I can see everything on the hdd.

Can I use accrestore from xptutor to help restoring the All Programs links or does it only work with the Accessories folder?

Also, my "Administrative Tools" is empty.
Anything to help restore this?

Bob

#11 nasdaq (Malware Response Team)

Posted 11 September 2011 - 08:38 AM

Can I use accrestore from xptutor to help restoring the All Programs links or does it only work with the Accessories folder?

I was not familiar with that site.
Looking at this page I do not see any reference to the Program files folder restore.
http://www.winxptutor.com/xpbasics.htm

Can you try to restore one of the programs you use?
Look at my instructions under this heading
Empty START program files.

If you need clarification please ask.


Also, my "Administrative Tools" is empty.
Anything to help restore this?


Go to:
http://windowsxp.mvps.org/admintools.htm

Under Solution for Case 2.
Download the AdminTools utility. Extract the zip file and run the .exe file that is extracted.
===

#12 Bob914 (Topic Starter)

Posted 11 September 2011 - 12:26 PM

I did a scan with MalwareBytes to see if the RTHDBPL file still shows up and it is still there.
It is in the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RTHDBPL
I haven't done anything else yet. Not sure what to do with this.
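
The key Bob names is a genuine autostart location (it is the registry key behind the Group Policy logon-programs setting), so an entry there runs at every logon without appearing in the usual Run keys. The following is an added example, not part of any post in this thread: it enumerates Policies\Explorer\Run under HKLM and HKCU and flags entries that carry the name of a Windows system binary but run from outside %SystemRoot%, run from a user profile, or point at a file that no longer exists. The RTHDBPL entry in the DDS log later in the thread (lsass.exe under Application Data\systemproc) trips the first two of those. Assumptions of mine: PowerShell is available on the machine, and the short list of system binary names is my own selection. It reads the registry only and deletes nothing.

```powershell
# Added example, not from the thread: list the Policies\Explorer\Run autostart
# entries (the key Malwarebytes reported for RTHDBPL) and flag the ones that look
# wrong. Read-only: nothing is deleted. Assumptions: PowerShell is installed, and
# the list of system binary names below is my own short selection.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
# Genuine copies of these live in %SystemRoot%\system32; the same name starting
# from a user profile (e.g. ...\Application Data\systemproc\lsass.exe) is a red flag.
$systemNames = @('lsass.exe', 'csrss.exe', 'svchost.exe', 'winlogon.exe', 'services.exe', 'explorer.exe')
$systemRoot  = $env:SystemRoot.ToLower()
$profileRoot = (Split-Path -Parent $env:USERPROFILE).ToLower()   # C:\Documents and Settings on XP

function Get-ExePath([string]$command) {
    # Reduce a Run value to its executable: '"c:\x\y.exe" /arg' -> 'c:\x\y.exe'
    $c = $command.Trim()
    if ($c.StartsWith('"')) { return $c.Substring(1, $c.IndexOf('"', 1) - 1) }
    $i = $c.ToLower().IndexOf('.exe')
    if ($i -ge 0) { return $c.Substring(0, $i + 4) }
    return $c
}

foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # PSPath, PSParentPath, ... are not values
        $exe = Get-ExePath ([string]$p.Value)
        if (-not $exe) { continue }
        $lower = $exe.ToLower()
        $name  = Split-Path -Leaf $exe
        $flags = @()
        if (($systemNames -contains $name.ToLower()) -and -not $lower.StartsWith($systemRoot + '\')) {
            $flags += 'system binary name outside %SystemRoot%'
        }
        if ($lower.StartsWith($profileRoot + '\')) { $flags += 'runs from a user profile' }
        if (-not (Test-Path -LiteralPath $exe))   { $flags += 'file not found' }
        $mark = if ($flags.Count -gt 0) { 'SUSPECT' } else { 'ok     ' }
        "{0} {1}\{2} = {3}   {4}" -f $mark, $key, $p.Name, $p.Value, ($flags -join '; ')
    }
}
```

A SUSPECT line is something to show the helper before removing it; a legitimate administrator-deployed logon program would normally live under Program Files or %SystemRoot%, not under a user's Application Data.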

#13 Bob914 (Topic Starter)

Posted 11 September 2011 - 01:07 PM

Oh nooo! I'm infected with the redirect virus again on the computer we were working with.
The browser redirects again.

And now, I have some other issue with another computer of mine on the same network.
I tried to run malwarebytes and it wouldn't run in normal mode so I rebooted into safe mode and ran it with no infections found. I'm running Symantec Endpoint and in normal mode it shows an error with the program.
It does run in safe mode. I'm running a scan now.
All I did last night on both computers was update Java, Adobe Reader X, and updated Flash Player installers as you suggested.
Looks like there's a g2mdlhlpx.exe file, and a folder called backups was created and my "user name" profile backup was created.

Please help.

Bob

#14 Bob914 (Topic Starter)

Posted 11 September 2011 - 06:35 PM

I ran DDS and GMER again as I did initially.

Again, when trying to run GMER, a window pops up with the following:

LoadDriver("c:\temp\pwtdypog.sys") error 0xC000010E: Cannot create a stable subkey under a volatile parent key.

GMER does open after closing the error window, but the only settings that can be chosen are Services, Registry, Files, and ADS. The other choices were grayed out.
After GMER ran, I got the message: GMER hasn't found any system modification.

Here are the results:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Laurette at 18:27:53 on 2011-09-11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2145 [GMT -4:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\UPS\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe
C:\UPS\WSTD\UPSNA1Msgr.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Documents and Settings\All Users\Application Data\CAM Commerce Solutions\X-Charge\Application\XChrgSrv.exe
C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe
C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Common Files\MySoftware\NewsFlsh.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Brother\Brmfl05c\FAXRX.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Documents and Settings\All Users\Application Data\CAM Commerce Solutions\X-Charge\Application\XCSecurityService.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.weather.com/weather/my?showdatasavepop=T
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\adobe acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\adobe acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\adobe acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [NA1Messenger] c:\ups\wstd\UPSNA1Msgr.exe
mRun: [mmtask] c:\program files\musicmatch\musicmatch jukebox\mmtask.exe
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [CAMMonitor] c:\documents and settings\all users\application data\cam commerce solutions\x-charge\application\XChrgSrv.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\maxtor\schedule2\schedhlp.exe"
mRun: [Maxtor Scheduler2 Service] "c:\program files\common files\maxtor\schedule2\schedhlp.exe"
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [SunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mExplorerRun: [RTHDBPL] c:\documents and settings\laurette\application data\systemproc\lsass.exe
StartupFolder: c:\docume~1\laurette\startm~1\programs\startup\faxrx.lnk - c:\program files\brother\brmfl05c\FAXRX.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\contro~1.lnk - c:\program files\winfax\WFXCTL32.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mysoft~1.lnk - c:\program files\common files\mysoftware\NewsFlsh.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: microsoft.com\office
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/0/5/7/05796dde-b2ba-4eef-8da4-f99c7e0c9b92/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B80CD4E6-5B02-4B6C-99BE-68F1511E9549} - hxxp://plugin.slingbox.com/downloads/pc/1.4.0.102/WebSlingPlayer.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\intuit\quickbooks 2010\HelpAsyncPluggableProtocol.dll
Handler: intu-help-qb4 - {ACE22922-D07C-4860-B51B-8CF472FEC2CB} - c:\program files\intuit\quickbooks 2010\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
.
============= SERVICES / DRIVERS ===============
.
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2007-10-3 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2007-10-3 108392]
R2 MSSQL$UPSWSDBSERVER;MSSQL$UPSWSDBSERVER;c:\ups\wstd\mssql$upswsdbserver\binn\sqlservr.exe -supswsdbserver --> c:\ups\wstd\mssql$upswsdbserver\binn\sqlservr.exe -sUPSWSDBSERVER [?]
R2 QBVSS;QBIDPService;c:\program files\common files\intuit\dataprotect\QBIDPService.exe [2011-6-30 1248256]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2007-10-3 2177464]
R2 XCSecurity;X-Charge Security;c:\documents and settings\all users\application data\cam commerce solutions\x-charge\application\XCSecurityService.exe [2010-11-27 1554432]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-7-28 105592]
R3 mv2;mv2;c:\windows\system32\drivers\mv2.sys [2010-3-29 8792]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110911.002\NAVENG.SYS [2011-9-11 86136]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110911.002\NAVEX15.SYS [2011-9-11 1576312]
S0 PQV2i;PQV2i; [x]
S1 PQIMount;PQIMount; [x]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-30 135664]
S2 MaxSch2Svc;Maxtor Scheduler2 Service;c:\program files\common files\maxtor\schedule2\schedul2.exe [2008-6-27 431384]
S2 QuickBooksDB17;QuickBooksDB17;c:\progra~1\intuit\quickb~2\qbdbmgrn.exe -hvquickbooksdb17 --> c:\progra~1\intuit\quickb~2\QBDBMgrN.exe -hvQuickBooksDB17 [?]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2007-10-3 23888]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-30 135664]
S3 QuickBooksDB21;QuickBooksDB21;c:\progra~1\intuit\quc2c1~1\qbdbmgrn.exe -hvquickbooksdb21 --> c:\progra~1\intuit\quc2c1~1\QBDBMgrN.exe -hvQuickBooksDB21 [?]
S3 SQLAgent$UPSWSDBSERVER;SQLAgent$UPSWSDBSERVER;c:\ups\wstd\mssql$upswsdbserver\binn\sqlagent.exe -i upswsdbserver --> c:\ups\wstd\mssql$upswsdbserver\binn\sqlagent.EXE -i UPSWSDBSERVER [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2011-3-9 11520]
S3 XCService;X-Charge Server;c:\documents and settings\all users\application data\cam commerce solutions\x-charge\application\XCService.exe [2010-11-27 461824]
S4 vsdatant;vsdatant;a --> a [?]
.
=============== Created Last 30 ================
.
2011-09-09 23:32:53 -------- d-sha-r- C:\cmdcons
2011-09-09 23:26:44 98816 ----a-w- c:\windows\sed.exe
2011-09-09 23:26:44 518144 ----a-w- c:\windows\SWREG.exe
2011-09-09 23:26:44 256000 ----a-w- c:\windows\PEV.exe
2011-09-09 23:26:44 208896 ----a-w- c:\windows\MBR.exe
2011-09-09 23:25:24 -------- d-----w- C:\ComboFix
2011-09-04 02:34:29 368480 ----a-w- c:\windows\system32\drivers\tdrpman.sys
2011-09-04 02:34:02 -------- d-----w- c:\program files\Maxtor
2011-09-03 21:37:36 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-09-03 10:17:37 599040 ------w- c:\windows\system32\dllcache\crypt32.dll
2011-08-17 02:12:38 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-08-17 02:12:38 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
.
==================== Find3M ====================
.
2011-09-10 15:58:31 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-10 15:20:46 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-09-04 02:34:41 44384 ----a-w- c:\windows\system32\drivers\tifsfilt.sys
2011-09-04 02:34:41 441760 ----a-w- c:\windows\system32\drivers\timntr.sys
2011-09-04 02:34:34 132224 ----a-w- c:\windows\system32\drivers\snapman.sys
2011-09-03 10:17:37 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-06 23:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 23:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36:30 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36:30 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05:13 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
.
============= FINISH: 18:34:39.84 ===============

Thanks again for your help.

Should I run ComboFix again?

Bob


#15 Bob914
Posted 11 September 2011 - 07:26 PM

I ran Security Check as well.
Here are the results:

Results of screen317's Security Check version 0.99.18
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
Symantec Endpoint Protection
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java™ 6 Update 27
Adobe Flash Player 10.3.183.7
````````````````````````````````
Process Check:
objlist.exe by Laurent

Norton ccSvcHst.exe
``````````End of Log````````````
