
infected with many, ping.exe, XP Security Center, Google redirection


This topic is locked
36 replies to this topic

#1 garsenal

Posted 05 January 2012 - 11:44 PM

I read through the pre-work but was able to successfully complete almost none of it.

Here's what happened on that list.

1) during full backup of c:, I got a hard stop error (blue screen). I then just did a partial backup of my photo file only.
2) I was able to turn on the firewall
3) I was not able to run defogger, it just closed when I double clicked on it.
4) I was not able to run DDS. Same as defogger, it closed when I attempted to run it.
5) I was able to run GMER for several hours, then it also hit a hard stop error (blue screen) and I was done.

Not sure where to go from here since I can't get these steps to work.

Thanks in advance for any help.


#2 HelpBot

Posted 11 January 2012 - 11:45 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/436538 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 garsenal

Posted 13 January 2012 - 07:28 AM

Still having problems here. Ping.exe and Google redirects when running IE or Mozilla (News Daily7 always comes up).

Initially I was not able to run defogger. I tried again in safe mode and it ran.

- I was not able to run DDS in safe mode or regular.
- I was able to run GMER in safe mode. It ran all night. In the morning it said it found suspicious modifications. When I tried to save the log, I got an error saying C:\my documents was not available, not enough resources.

I'm running Windows XP Home Edition 2002, Service Pack 3

I have a few CDs from Dell: Operating System (Reinstallation CD for Windows XP Service Pack 2), 2 Drivers and Utilities resource CDs, and 2 application CDs.

Thanks again

#4 Guest_White Warrior_*

Posted 13 January 2012 - 08:45 AM

Hi garsenal,
I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible.

White Warrior

#5 Guest_White Warrior_*

Posted 13 January 2012 - 09:14 AM

Hi garsenal

Please try to run the following tools in normal mode. If they do not run then boot into safe mode and try to run them from there.

Please download Rkill by Grinler from one of these links:

Rkill.exe
Rkill.com
Rkill.scr
Rkill.pif

Save Rkill to your desktop.
Double-click on Rkill to run it.

Note: If the first one does not run successfully, download and try the other copies (with a different file extension) and see if one of them will run.

Warning: Do not let RKill reboot the machine. If it does reboot, then run RKill again.

Once Rkill has successfully run:

Download ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.
White Warrior

#6 garsenal

Posted 13 January 2012 - 07:20 PM

Hi thanks for helping me out.

I was unable to run Rkill in normal mode (they all just disappeared upon double-clicking). In safe mode my screen flashed several times, then a window came up saying Preparing to run Rkill. It then went away. I assume I will get a message saying it completed successfully, right? I wanted to make sure before running the Combofix.

Thanks,

#7 Guest_White Warrior_*

Posted 14 January 2012 - 02:34 AM

Hi garsenal

I assume I will get a message saying it completed successfully, right?

You should get a message stating that it ran. It usually states: "processors stopped and a number"

White Warrior

#8 garsenal

Posted 14 January 2012 - 09:08 AM

Okay, so I can't get Rkill to run successfully in safe mode. I get the Preparing Rkill, then a pause, then it goes away. There's a small bit of text that shoots up just before disappearing, but it goes away too fast for me to see what it is.

Can I run combofix or do we need to get rkill to work first?

#9 Guest_White Warrior_*

Posted 14 January 2012 - 10:07 AM

Hi

Yes run combofix if you can.

White Warrior

#10 garsenal

Posted 15 January 2012 - 12:29 PM

Okay, I was able to run Combofix and MBR. Attached are the logs. Hmm, in looking at MBR, it might not have been finished. Let me know if I need to rerun and repost, sorry about that.


#11 Guest_White Warrior_*

Posted 15 January 2012 - 01:14 PM

aswMBR version 0.9.9.1297 Copyright© 2011 AVAST Software
Run date: 2012-01-15 10:49:24
-----------------------------
10:49:24.546 OS Version: Windows 5.1.2600 Service Pack 3
10:49:24.546 Number of processors: 2 586 0x403
10:49:24.546 ComputerName: DESKTOP UserName:
10:49:25.375 Initialize success
10:50:22.406 AVAST engine defs: 12011500
10:51:05.687 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
10:51:05.687 Disk 0 Vendor: WDC_WD32 12.0 Size: 305245MB BusType: 3
10:51:05.687 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IAAStorageDevice-2
10:51:05.687 Disk 1 Vendor: ST330063 3.04 Size: 286168MB BusType: 3
10:51:05.687 Disk 0 MBR read successfully
10:51:05.687 Disk 0 MBR scan
10:51:05.734 Disk 0 Windows XP default MBR code
10:51:05.734 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 305234 MB offset 63
10:51:05.734 Disk 0 scanning sectors +625121280
10:51:05.781 Disk 0 scanning C:\WINDOWS\system32\drivers
10:51:13.796 Service scanning
10:51:14.656 Modules scanning
10:51:17.312 Disk 0 trace - called modules:
10:51:17.343 ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
10:51:17.343 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a641030]
10:51:17.343 3 CLASSPNP.SYS[ba118fd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x8a607030]
10:51:18.281 AVAST engine scan C:\WINDOWS
10:51:32.890 AVAST engine scan C:\WINDOWS\system32
10:53:15.046 AVAST engine scan C:\WINDOWS\system32\drivers
10:53:30.734 AVAST engine scan C:\Documents and Settings\Amy & Gary
11:22:55.328 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Amy & Gary\Desktop\MBR.dat"
11:22:55.328 The log file has been saved successfully to "C:\Documents and Settings\Amy & Gary\Desktop\aswMBR.txt"



ComboFix 12-01-15.01 - Amy & Gary 01/15/2012 10:10:07.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1562 [GMT -6:00]
Running from: c:\documents and settings\Amy & Gary\Desktop\ComboFix.exe
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Amy & Gary\2005.xls
c:\documents and settings\Amy & Gary\Application Data\Mozilla\Firefox\Profiles\vkxs67z1.default\searchplugins\bing-zugo.xml
c:\documents and settings\Amy & Gary\g2mdlhlpx.exe
c:\documents and settings\Amy & Gary\My Documents\pubDA.tmp
C:\LOGE1.tmp
c:\windows\$NtUninstallKB58019$\2521855219\@
c:\windows\$NtUninstallKB58019$\2521855219\bckfg.tmp
c:\windows\$NtUninstallKB58019$\2521855219\cfg.ini
c:\windows\$NtUninstallKB58019$\2521855219\Desktop.ini
c:\windows\$NtUninstallKB58019$\2521855219\gwelha
c:\windows\$NtUninstallKB58019$\2521855219\keywords
c:\windows\$NtUninstallKB58019$\2521855219\kwrd.dll
c:\windows\$NtUninstallKB58019$\2521855219\L\cgmkbabm
c:\windows\$NtUninstallKB58019$\2521855219\lsflt7.ver
c:\windows\$NtUninstallKB58019$\2521855219\U\00000001.@
c:\windows\$NtUninstallKB58019$\2521855219\U\00000002.@
c:\windows\$NtUninstallKB58019$\2521855219\U\00000004.@
c:\windows\$NtUninstallKB58019$\2521855219\U\80000000.@
c:\windows\$NtUninstallKB58019$\2521855219\U\80000004.@
c:\windows\$NtUninstallKB58019$\2521855219\U\80000032.@
c:\windows\$NtUninstallKB58019$\2521855219\wykgwu
c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
c:\windows\system32\Thumbs.db
c:\windows\$NtUninstallKB58019$\3363392390 . . . . Failed to delete
.
Infected copy of c:\windows\system32\drivers\cdrom.sys was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\cdrom.sys
.
.
((((((((((((((((((((((((( Files Created from 2011-12-15 to 2012-01-15 )))))))))))))))))))))))))))))))
.
.
2012-01-09 23:14 . 2012-01-09 23:14 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
2012-01-09 23:14 . 2012-01-09 23:14 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
2012-01-09 23:14 . 2012-01-09 23:14 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
2012-01-09 23:14 . 2012-01-09 23:14 43992 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
2012-01-05 03:18 . 2012-01-05 03:18 -------- d-----w- c:\documents and settings\Amy & Gary\Local Settings\Application Data\Safe mirror
2012-01-05 03:18 . 2012-01-05 03:18 -------- d-----w- c:\program files\Cobian Backup 10
2011-12-26 23:05 . 2011-12-26 23:05 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-12-24 15:07 . 2011-12-24 15:07 260 ----a-w- c:\windows\system32\cmdVBS.vbs
2011-12-24 15:07 . 2011-12-24 15:07 256 ----a-w- c:\windows\system32\MSIevent.bat
2011-12-19 02:26 . 2012-01-15 16:34 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2011-12-19 02:26 . 2011-12-19 12:11 -------- d-----w- c:\program files\STOPzilla!
2011-12-19 02:26 . 2011-12-19 02:26 -------- d-----w- c:\program files\Common Files\iS3
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-07 23:12 . 2011-12-07 23:12 68648 ----a-r- c:\windows\system32\IS3Hks5.dll
2011-12-07 23:12 . 2011-12-07 23:12 547880 ----a-r- c:\windows\system32\SZComp5.dll
2011-12-07 23:12 . 2011-12-07 23:12 482344 ----a-r- c:\windows\system32\SZBase5.dll
2011-12-07 23:12 . 2011-12-07 23:12 457768 ----a-r- c:\windows\system32\IS3DBA5.dll
2011-12-07 23:12 . 2011-12-07 23:12 30248 ----a-r- c:\windows\system32\IS3XDat5.dll
2011-12-07 23:12 . 2011-12-07 23:12 24616 ----a-r- c:\windows\system32\SZIO5.dll
2011-12-07 23:12 . 2011-12-07 23:12 134184 ----a-r- c:\windows\system32\IS3HTUI5.dll
2011-12-07 23:12 . 2011-12-07 23:12 740392 ----a-r- c:\windows\system32\IS3Base5.dll
2011-12-07 23:12 . 2011-12-07 23:12 392232 ----a-r- c:\windows\system32\IS3UI5.dll
2011-12-07 23:12 . 2011-12-07 23:12 232488 ----a-r- c:\windows\system32\IS3Win325.dll
2011-12-07 23:12 . 2011-12-07 23:12 105512 ----a-r- c:\windows\system32\IS3Inet5.dll
2011-12-07 23:12 . 2011-12-07 23:12 101416 ----a-r- c:\windows\system32\IS3Svc5.dll
2011-11-23 13:25 . 2004-08-04 10:00 1859584 ------w- c:\windows\system32\win32k.sys
2011-11-04 19:20 . 2006-03-04 03:33 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2004-08-04 10:00 43520 ------w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2004-08-04 10:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2004-08-04 10:00 385024 ------w- c:\windows\system32\html.iec
2011-11-01 16:07 . 2004-08-04 10:00 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2004-08-04 10:00 33280 ------w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37 . 2005-03-30 01:21 2148864 ------w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2005-03-30 01:01 2027008 ------w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13 . 2004-08-04 10:00 186880 ------w- c:\windows\system32\encdec.dll
2012-01-09 23:14 . 2011-10-02 11:55 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Amy & Gary\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Amy & Gary\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Amy & Gary\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Amy & Gary\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-13 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2006-01-06 188416]
"HPHmon04"="c:\windows\system32\hphmon04.exe" [2006-01-06 348160]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 37888]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2010-03-17 1565696]
"CLMLServer"="c:\program files\CyberLink\Power2Go\CLMLSvc.exe" [2009-06-04 103720]
"RemoteControl8"="c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2009-04-16 91432]
"PDVD8LanguageShortcut"="c:\program files\CyberLink\PowerDVD8\Language\Language.exe" [2009-04-16 50472]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-08-31 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-10-09 421736]
.
c:\documents and settings\Amy & Gary\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Amy & Gary\Application Data\Dropbox\bin\Dropbox.exe [2011-9-1 24183152]
HotSync Manager.LNK - c:\program files\palmOne\Hotsync.exe [2004-6-9 471040]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HOTSYNCSHORTCUTNAME.lnk - c:\program files\palmOne\Hotsync.exe [2004-6-9 471040]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2010-1-21 2057536]
WDSmartWare.lnk - c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe [2010-1-21 9136960]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Verizon\\Verizon Media Manager\\Release\\Verizon Media Manager.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Samsung\\SAMSUNG PC Share Manager\\WiselinkPro.exe"=
"c:\\Program Files\\Samsung\\SAMSUNG PC Share Manager\\http_ss_win_pro.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Documents and Settings\\Amy & Gary\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"24726:TCP"= 24726:TCP:FlipShareServer
"24727:TCP"= 24727:TCP:FlipShareServer
"50000:UDP"= 50000:UDP:IHA_MessageCenter
.
R0 szkg5;szkg5;c:\windows\system32\drivers\SZKG.sys [9/26/2011 11:21 AM 61328]
R0 szkgfs;szkgfs;c:\windows\system32\drivers\SZKGFS.sys [8/16/2011 4:48 PM 59080]
R2 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\SeaPort.EXE [6/15/2011 5:33 PM 249648]
R2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\program files\Cobian Backup 10\cbVSCService.exe [1/4/2012 9:18 PM 67584]
R2 FlipShareServer;FlipShare Server;c:\program files\Flip Video\FlipShareServer\FlipShareServer.exe [12/15/2010 1:22 PM 1085440]
R2 IHA_MessageCenter;IHA_MessageCenter;c:\program files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [12/12/2011 11:03 AM 290832]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [1/21/2010 3:24 PM 110592]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [6/16/2009 7:58 AM 20480]
R3 busbcrw;USB Card Reader Writer driver;c:\windows\system32\drivers\busbcrw.sys [2/28/2008 3:15 PM 16896]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [9/17/2010 6:05 PM 11520]
S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [9/26/2011 11:21 AM 61328]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/12/2009 9:14 AM 135664]
S3 AllShare;SAMSUNG AllShare Service;c:\program files\Samsung\SAMSUNG PC Share Manager\WiselinkPro.exe [7/16/2010 4:23 PM 6638080]
S3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [7/7/2011 7:31 PM 195336]
S3 dsiarhwprog;dsiarhwprog;c:\windows\system32\drivers\dsiarhwprog.sys [3/12/2011 1:51 PM 29184]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [12/12/2009 9:14 AM 135664]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 6:49 AM 227232]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-08-20 18:24 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2012-01-15 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2010-03-13 01:44]
.
2012-01-10 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-02-28 12:33]
.
2012-01-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-12 15:13]
.
2012-01-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-12 15:13]
.
2012-01-15 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\hp photosmart 11\printer\Hphusg04.exe [2008-03-15 19:07]
.
2012-01-15 c:\windows\Tasks\HP Usg Login.job
- c:\program files\hp photosmart 11\printer\Hphusg04.exe [2008-03-15 19:07]
.
2012-01-15 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1004336348-813497703-682003330-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 20:25]
.
2012-01-07 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1004336348-813497703-682003330-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 20:25]
.
2012-01-15 c:\windows\Tasks\SDMsgUpdate (TE).job
- c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2011-09-18 17:29]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://co108w.col108.mail.live.com/default.aspx?wa=wsignin1.0
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = <local>;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
TCP: DhcpNameServer = 192.168.1.1 68.238.96.12
DPF: {0C92900E-4D5A-4F04-ACC9-729E1767BBAE} - hxxp://www.ritzpix.com/net/Uploader/LPUploader45.cab
DPF: {26B2A5DA-BFD6-422F-A89A-28A54C74B12B} - hxxp://www.costcophotocenter.com/upload/activex/v3_0_0_4/PhotoCenter_ActiveX_Control.cab
DPF: {C915801D-6F00-49CD-8A9A-8DE5C11ADDC1} - hxxp://www.cmphotocenter.com/is/DragDropUploader.cab
DPF: {DEA6994F-3ED5-40BC-B5E3-0FD02411B1B4} - hxxp://www.costcophotocenter.com/upload/activex/v3_0_0_1/PhotoCenter_ActiveX_Control.cab?
FF - ProfilePath - c:\documents and settings\Amy & Gary\Application Data\Mozilla\Firefox\Profiles\vkxs67z1.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Notify-TPSvc - TPSvc.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-15 10:34
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1004336348-813497703-682003330-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-1004336348-813497703-682003330-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:41,36,14,55,f0,c1,c1,d9,0b,86,df,ab,11,3a,c5,19,39,91,69,5c,3f,b9,d1,
19,90,72,89,9e,55,91,35,4b,ca,74,a3,bf,71,85,bc,49,20,19,db,3f,7b,51,88,46,\
"??"=hex:0b,7b,66,a1,ee,3d,1b,d3,a3,79,99,ff,6f,6a,02,4e
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(248)
c:\windows\system32\WININET.dll
c:\documents and settings\Amy & Gary\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\iS3\Anti-Spyware\SZServer.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Flip Video\FlipShare\FlipShareService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Google\Update\1.3.21.79\GoogleCrashHandler.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2012-01-15 10:41:46 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-15 16:41
.
Pre-Run: 54,824,894,464 bytes free
Post-Run: 56,775,278,592 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 3E99203E7F68FA7ABBE7E751F4E2ECDA
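The ComboFix log above is what the helper reads before deciding how to proceed, and three of its findings drive the rest of the thread: a directory under c:\windows\$NtUninstallKB58019$ that ComboFix could not delete (the one GrantPerms is later pointed at), a system driver (cdrom.sys) that was found infected and restored, and Security Center values (AntiVirusOverride, FirewallOverride, DisableMonitoring) set to 1, which silence the antivirus and firewall status checks. As an added example, not part of this thread and not code from ComboFix or BleepingComputer, the following Python script parses a ComboFix log by its section banners and extracts exactly those three items. The log excerpt in it is constructed from the posted log for illustration; the banner, registry and "Failed to delete" line formats are assumed to match what ComboFix prints, as they do above.

```python
import re

# Constructed excerpt modelled on the ComboFix log posted in this thread
# (not the full log); paths and values copied from it for illustration.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\$NtUninstallKB58019$\2521855219\kwrd.dll
c:\windows\$NtUninstallKB58019$\3363392390 . . . . Failed to delete
.
Infected copy of c:\windows\system32\drivers\cdrom.sys was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\cdrom.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 37888]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
"""

BANNER = re.compile(r"^\(+\s*(.+?)\s*\)+$")            # ((((( Section Title )))))
REG_KEY = re.compile(r"^\[(.+)\]$")                    # [HKEY_...]
REG_VALUE = re.compile(r'^"([^"]+)"=\s*(.*)$')         # "Name"=data
DISINFECTED = re.compile(r"^Infected copy of (.+?) was found and disinfected$")

# Security Center values that, when set to 1, suppress the AV/firewall status
# checks; the posted log has all three set, consistent with the "XP Security
# Center" symptom in the thread title.
SECURITY_CENTER_FLAGS = {"AntiVirusOverride", "FirewallOverride", "DisableMonitoring"}


def parse_sections(text):
    """Split a ComboFix log into {section title: [lines]} using its ((( ... ))) banners."""
    sections = {"preamble": []}
    current = "preamble"
    for raw in text.splitlines():
        line = raw.rstrip()
        m = BANNER.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif line and line != ".":          # "." is ComboFix's blank-line marker
            sections[current].append(line)
    return sections


def registry_entries(lines):
    """Yield (key, value name, data) for each "name"=data line under a [key] header."""
    key = None
    for line in lines:
        k = REG_KEY.match(line)
        if k:
            key = k.group(1)
            continue
        v = REG_VALUE.match(line)
        if key and v:
            yield key, v.group(1), v.group(2)


def failed_deletions(sections):
    """Paths ComboFix reported with '. . . . Failed to delete' (locked or protected items)."""
    return [line.split(" . . . . ")[0].strip()
            for line in sections.get("Other Deletions", [])
            if line.endswith("Failed to delete")]


def disinfected_files(sections):
    """System files ComboFix found infected and replaced from a clean copy."""
    hits = []
    for line in sections.get("Other Deletions", []):
        m = DISINFECTED.match(line)
        if m:
            hits.append(m.group(1))
    return hits


def security_center_overrides(sections):
    """(key, value name) pairs under the Security Center key that are set to dword:1."""
    return [(key, name)
            for key, name, data in registry_entries(sections.get("Reg Loading Points", []))
            if "security center" in key.lower()
            and name in SECURITY_CENTER_FLAGS
            and data.strip().lower() == "dword:00000001"]


def triage(text):
    """Summarise the findings a helper checks first when reading a ComboFix log."""
    sections = parse_sections(text)
    return {
        "failed_deletions": failed_deletions(sections),
        "disinfected": disinfected_files(sections),
        "security_center_overrides": security_center_overrides(sections),
    }


if __name__ == "__main__":
    for heading, items in triage(SAMPLE_LOG).items():
        print(heading)
        for item in items:
            print("  ", item)
```

Run against a real ComboFix.txt by reading the file and passing its text to triage(); a non-empty failed_deletions list is the cue to check permissions on the path (as the helper does with GrantPerms below), and any security_center_overrides entries mean the Security Center will stay silent about missing protection until those values are reset.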

#12 Guest_White Warrior_*

Posted 16 January 2012 - 12:02 PM

Hi garsenal

Please use the Add Reply button and copy/paste your logs. Attachments are hard for me to read.

I'm afraid I have bad news.

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. If you want to continue then read on.

For x86 bit systems please download GrantPerms.zip and save it to your desktop.
Unzip the file and run GrantPerms.exe
Copy and paste the following in the edit box:

c:\windows\$NtUninstallKB58019$\3363392390

Click List Permissions and post the result (Perms.txt) that pops up. A copy of Perms.txt will be saved in the same directory the tool is run.

Let me know how the computer is running now.
Are there any problems left?

White Warrior

#13 garsenal

Posted 16 January 2012 - 10:41 PM

The computer is running perfectly. Very bummed about the trojan.

Here's my result:

GrantPerms by Farbar
Ran by Amy & Gary (administrator) at 2012-01-16 21:39:21

===============================================

#14 Guest_White Warrior_*

Posted 17 January 2012 - 05:46 AM

Hi garsenal

Did you copy this line into the program?

c:\windows\$NtUninstallKB58019$\3363392390


Were those 2 lines the complete log? It should be bigger than that.

I need to see some information about what is happening in your machine. Please perform the following scans.

  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

Download Security Check by screen317 from here or here.
  • Save it to your desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
Any problems left?

White Warrior

#15 garsenal

Posted 17 January 2012 - 09:29 PM

Hmm, very confused.

Yes, I ran GrantPerms as you asked, pasting in the line from your note before clicking "List Permissions"; this is all it came up with.

I still was not able to run dds (either file). I have stopzilla and I disabled and closed it before running. It still just disappears when I try to run it.

I tried the Security Check. While running, it kept saying file not found. Then it opened a text box that was totally blank. The last message in the DOS window was file not found again.

Any ideas?
