Troj_zac, pum.hijack.startmenu, IE search hijacked

4 replies to this topic

#1 mattymatt


Posted 06 April 2012 - 12:14 AM

Hello,

My Trend Micro is picking up a TROJ_ZAC quite a bit. I ran Malwarebytes and 11 items were found including Trojan.QHost.BG, PUM.Hijack.StartMenu, Trojan.Agent, and RootKit.0Access.H to name a few. Also, a program named "SMART HDD" was installed on my computer and it pops up things like my HD is corrupt/damaged and it will run a fake scan, etc.

Things I've done:
-- Ran Malwarebytes and Superantispyware in Safe Mode. Seemed to clean it up but the issues returned.
-- Was able to delete the SMART HDD but that will return after a time too.

Help!! And thanks in advance!

Matt

#2 Broni

  • BC Advisor

Posted 06 April 2012 - 11:31 AM

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=============================================================================

Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

====================================================================================

Please download MiniToolBox and run it.

Checkmark the following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices (do NOT change any settings here)
  • List Users, Partitions and Memory size
Click Go and post the result.

=============================================================================

Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

=============================================================================

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create an MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.



#3 mattymatt

  • Topic Starter

Posted 06 April 2012 - 06:08 PM

I have done all you asked and here are the logs:

Results of screen317's Security Check version 0.99.24
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Enabled!
ESET Online Scanner v3
Trend Micro Client/Server Security Agent
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

CA Yahoo! Anti-Spy (remove only)
SpywareBlaster 4.6
SUPERAntiSpyware Free Edition
HijackThis 2.0.2
Java™ 6 Update 29
Out of date Java installed!
Adobe Flash Player 11.2.202.228
Mozilla Firefox (3.6.12) Firefox Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Malwarebytes' Anti-Malware mbamservice.exe
Trend Micro OfficeScan Client pccntmon.exe
Microsoft Small Business Business Contact Manager BcmSqlStartupSvc.exe
Trend Micro Client Server Security Agent ntrtscan.exe
Trend Micro Client Server Security Agent tmlisten.exe
Trend Micro Client Server Security Agent OfcPfwSvc.exe
Trend Micro Client Server Security Agent pccntupd.exe
``````````End of Log````````````




Farbar Service Scanner Version: 01-03-2012
Ran by matt.thomas (administrator) on 06-04-2012 at 13:54:10
Running from "C:\Documents and Settings\matt.thomas\Desktop"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============
Srservice Service is not running. Checking service configuration:
The start type of Srservice service is OK.
The ImagePath of Srservice service is OK.
The ServiceDll of Srservice service is OK.

sr Service is not running. Checking service configuration:
The start type of sr service is set to Disabled. The default start type is Boot.
The ImagePath of sr: "\SystemRoot\system32\DRIVERS\sr.sys".


System Restore Disabled Policy:
========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR"=DWORD:1


Security Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking LEGACY_wscsvc: Attention! Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist.


Windows Update:
============

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys
[2004-08-11 19:00] - [2011-08-17 09:49] - 0138496 ____A () D6644D111B815BB034FF78FEB2E3E1C5

C:\WINDOWS\system32\Drivers\netbt.sys
[2004-08-11 19:00] - [2004-08-04 07:00] - 0162816 ____A (Microsoft Corporation) 0C80E410CD2F47134407EE7DD19CC86B

C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
DNE(9) Gpc(6) IPSec(4) NEOFLTR_630_14121(10) NetBT(5) PSched(7) Tcpip(3)
0x0A000000040000000100000002000000030000000A0000000500000006000000070000000800000009000000
IpSec Tag value is correct.

**** End of log ****



MiniToolBox by Farbar Version: 18-01-2012
Ran by matt.thomas (administrator) on 06-04-2012 at 13:55:45
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= FF Proxy Settings: ==============================

========================= Hosts content: =================================


94.63.147.16 www.google.com
94.63.147.17 www.bing.com


========================= IP Configuration: ================================

The following helper DLL cannot be loaded: IFMON.DLL.
The following command was not found: int ip dump.


Windows IP Configuration

Host Name . . . . . . . . . . . . : MDS0083
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : michiganheart.com
                                    michiganheart.com
                                    michiganheart.com

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Controller
Physical Address. . . . . . . . . : 00-1C-23-24-00-C4

Ethernet adapter Wireless Network Connection:

Connection-specific DNS Suffix . : hsd1.mi.comcast.net.
Description . . . . . . . . . . . : Dell Wireless 1390 WLAN Mini-Card
Physical Address. . . . . . . . . : 00-1D-60-BF-27-7F
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 10.0.0.6
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.0.0.1
DHCP Server . . . . . . . . . . . : 10.0.0.1
DNS Servers . . . . . . . . . . . : 75.75.76.76
                                    75.75.75.75
Lease Obtained. . . . . . . . . . : Friday, April 06, 2012 1:33:02 PM
Lease Expires . . . . . . . . . . : Friday, April 13, 2012 1:33:02 PM

Pinging google.com [74.125.225.71] with 32 bytes of data:

Reply from 74.125.225.71: bytes=32 time=36ms TTL=53
Reply from 74.125.225.71: bytes=32 time=43ms TTL=53

Ping statistics for 74.125.225.71:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 36ms, Maximum = 43ms, Average = 39ms

Pinging yahoo.com [72.30.38.140] with 32 bytes of data:

Reply from 72.30.38.140: bytes=32 time=201ms TTL=48
Reply from 72.30.38.140: bytes=32 time=137ms TTL=48

Ping statistics for 72.30.38.140:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 137ms, Maximum = 201ms, Average = 169ms

Pinging bleepingcomputer.com [208.43.87.2] with 32 bytes of data:

Request timed out.
Request timed out.

Ping statistics for 208.43.87.2:
    Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),

Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 1c 23 24 00 c4 ...... Broadcom NetXtreme 57xx Gigabit Controller - Packet Scheduler Miniport
0x3 ...00 1d 60 bf 27 7f ...... Dell Wireless 1390 WLAN Mini-Card - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.0.0.1 10.0.0.6 25
10.0.0.0 255.255.255.0 10.0.0.6 10.0.0.6 25
10.0.0.6 255.255.255.255 127.0.0.1 127.0.0.1 25
10.255.255.255 255.255.255.255 10.0.0.6 10.0.0.6 25
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
169.254.0.0 255.255.0.0 10.0.0.6 10.0.0.6 20
224.0.0.0 240.0.0.0 10.0.0.6 10.0.0.6 25
255.255.255.255 255.255.255.255 10.0.0.6 2 1
255.255.255.255 255.255.255.255 10.0.0.6 10.0.0.6 1
Default Gateway: 10.0.0.1
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\System32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 02 C:\Program Files\Juniper Networks\Secure Application Manager\samnsp.dll [79224] (Juniper Networks)
Catalog5 03 mswsock.dll [File Not found] ()
Catalog5 04 mswsock.dll [File Not found] ()
Catalog5 05 C:\Program Files\Juniper Networks\Secure Application Manager\samnsp.dll [79224] (Juniper Networks)
Catalog5 06 C:\Program Files\Bonjour\mdnsNSP.dll [152864] (Apple Inc.)
Catalog9 01 C:\WINDOWS\system32\biolsp.dll [212992] (Wave Systems Corp.)
Catalog9 02 C:\WINDOWS\system32\biolsp.dll [212992] (Wave Systems Corp.)
Catalog9 03 C:\WINDOWS\system32\biolsp.dll [212992] (Wave Systems Corp.)
Catalog9 04 mswsock.dll [File Not found] ()
Catalog9 05 mswsock.dll [File Not found] ()
Catalog9 06 mswsock.dll [File Not found] ()
Catalog9 07 mswsock.dll [File Not found] ()
Catalog9 08 mswsock.dll [File Not found] ()
Catalog9 09 C:\WINDOWS\system32\biolsp.dll [212992] (Wave Systems Corp.)
Catalog9 10 mswsock.dll [File Not found] ()
Catalog9 11 mswsock.dll [File Not found] ()
Catalog9 12 mswsock.dll [File Not found] ()
Catalog9 13 mswsock.dll [File Not found] ()
Catalog9 14 mswsock.dll [File Not found] ()
Catalog9 15 mswsock.dll [File Not found] ()
Catalog9 16 mswsock.dll [File Not found] ()
Catalog9 17 mswsock.dll [File Not found] ()
Catalog9 18 mswsock.dll [File Not found] ()
Catalog9 19 mswsock.dll [File Not found] ()
Catalog9 20 mswsock.dll [File Not found] ()
Catalog9 21 mswsock.dll [File Not found] ()
Catalog9 22 mswsock.dll [File Not found] ()
Catalog9 23 mswsock.dll [File Not found] ()
Catalog9 24 mswsock.dll [File Not found] ()
Catalog9 25 mswsock.dll [File Not found] ()
Catalog9 26 mswsock.dll [File Not found] ()
Catalog9 27 mswsock.dll [File Not found] ()
Catalog9 28 mswsock.dll [File Not found] ()
Catalog9 29 mswsock.dll [File Not found] ()

========================= Event log errors: ===============================

Application errors:
==================
Error: (04/06/2012 01:31:59 PM) (Source: Broadcom ASF IP and SMBIOS Mailbox Monitor) (User: )
Description: !ERROR 53 Refreshing BMAPI data

Error: (04/06/2012 01:31:11 PM) (Source: Broadcom ASF IP and SMBIOS Mailbox Monitor) (User: )
Description: !ERROR 53 Refreshing BMAPI data

Error: (04/06/2012 01:31:10 PM) (Source: COM+) (User: )
Description: The run-time environment was unable to initialize for transactions required to support transactional components. Make sure that MS-DTC is running. (DtcGetTransactionManagerEx(): hr = 0x8004d027)

Error: (04/06/2012 01:31:10 PM) (Source: MSDTC Client) (User: )
Description: Failed to initialize the needed name objects. Error Specifics: d:\comxp_sp3\com\com1x\dtc\dtc\msdtcprx\src\dtcinit.cpp:215, Pid: 2208
No Callstack,
CmdLine: C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}

Error: (04/06/2012 03:04:00 AM) (Source: MsiInstaller) (User: SYSTEM)SYSTEM
Description: Product: Microsoft SQL Server 2005 Express Edition -- Error 2259. The installer has encountered an unexpected error. The error code is 2259. Database: Table(s) Update failed

Error: (04/06/2012 03:03:57 AM) (Source: MSSQL$MSSMLBIZ) (User: )
Description: The file "c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\DATA\MSDBData.mdf" is compressed but does not reside in a read-only database or filegroup. The file must be decompressed.

Error: (04/06/2012 03:02:11 AM) (Source: MSDTC Client) (User: )
Description: Failed to initialize the needed name objects. Error Specifics: d:\comxp_sp3\com\com1x\dtc\dtc\msdtcprx\src\dtcinit.cpp:215, Pid: 836
No Callstack,
CmdLine: setup.exe /q /qn ADDLOCAL=SQL_Data_Files,SQL_Engine,SQL_SharedTools UPGRADE=SQL_Data_Files,SQL_Engine,SQL_SharedTools LOGPATH="C:\Program Files\Microsoft SQL Server\90\Setup Bootstrap\LOG\Hotfix\SQL9Express_Hot...

Error: (04/06/2012 01:53:40 AM) (Source: COM+) (User: )
Description: The run-time environment was unable to initialize for transactions required to support transactional components. Make sure that MS-DTC is running. (DtcGetTransactionManagerEx(): hr = 0x8004d027)

Error: (04/06/2012 01:53:40 AM) (Source: MSDTC Client) (User: )
Description: Failed to initialize the needed name objects. Error Specifics: d:\comxp_sp3\com\com1x\dtc\dtc\msdtcprx\src\dtcinit.cpp:215, Pid: 3232
No Callstack,
CmdLine: C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}

Error: (04/06/2012 00:43:51 AM) (Source: COM+) (User: )
Description: The run-time environment was unable to initialize for transactions required to support transactional components. Make sure that MS-DTC is running. (DtcGetTransactionManagerEx(): hr = 0x8004d027)


System errors:
=============
Error: (04/06/2012 01:55:57 PM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service terminated with the following error:
%%127

Error: (04/06/2012 01:55:56 PM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service terminated with the following error:
%%127

Error: (04/06/2012 01:55:55 PM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service terminated with the following error:
%%127

Error: (04/06/2012 01:55:54 PM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service terminated with the following error:
%%127

Error: (04/06/2012 01:55:53 PM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service terminated with the following error:
%%127

Error: (04/06/2012 01:55:52 PM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service terminated with the following error:
%%127

Error: (04/06/2012 01:55:51 PM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service terminated with the following error:
%%127

Error: (04/06/2012 01:55:50 PM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service terminated with the following error:
%%127

Error: (04/06/2012 01:55:49 PM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service terminated with the following error:
%%127

Error: (04/06/2012 01:55:49 PM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service terminated with the following error:
%%127


Microsoft Office Sessions:
=========================
Error: (02/24/2012 10:53:56 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6562.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 43887 seconds with 1980 seconds of active time. This session ended with a crash.

Error: (01/18/2012 10:34:29 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6562.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 525 seconds with 180 seconds of active time. This session ended with a crash.

Error: (12/28/2011 05:07:27 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6562.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 20465 seconds with 5280 seconds of active time. This session ended with a crash.

Error: (12/19/2011 10:07:19 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6562.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 41702 seconds with 1080 seconds of active time. This session ended with a crash.

Error: (05/11/2011 02:37:13 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6550.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 17629 seconds with 1740 seconds of active time. This session ended with a crash.

Error: (04/15/2011 03:27:31 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6550.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 20424 seconds with 660 seconds of active time. This session ended with a crash.

Error: (04/01/2011 09:08:05 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6550.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 45870 seconds with 300 seconds of active time. This session ended with a crash.

Error: (03/15/2011 09:57:21 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6550.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 30371 seconds with 3360 seconds of active time. This session ended with a crash.

Error: (03/04/2011 01:09:06 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6550.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 175037 seconds with 4380 seconds of active time. This session ended with a crash.

Error: (02/22/2011 04:50:36 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6550.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 104024 seconds with 2220 seconds of active time. This session ended with a crash.


=========================== Installed Programs ============================

2007 Microsoft Office system (Version: 12.0.6612.1000)
ACR38/100/122 PC/SC Driver 1.1.2.0 (Version: 1.1.2)
Adobe Acrobat 8 Standard (Version: 8.3.1)
Adobe Acrobat 8.3.1 - CPSID_83708
Adobe Acrobat 8.3.1 Standard (Version: 8.3.1)
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742) (Version: 8.1.2)
Adobe Flash Player 11 ActiveX (Version: 11.2.202.228)
Adobe Flash Player 11 Plugin (Version: 11.2.202.228)
ADS Tech Master Installer V3.6 (Version: 3.7.0.6)
ADS Tech V3.7 DVD Xpress CapWiz (Version: 3.7.0.6)
ADS Tech V3.8 DVD Xpress CapWiz (Version: 3.8.0.10)
Any DVD Converter Professional 3.7.9
Apple Application Support (Version: 1.5.2)
Apple Mobile Device Support (Version: 3.4.1.2)
Apple Software Update (Version: 2.1.1.116)
ArcSoft Software Suite
biolsp patch (Version: 01.00.01.0010)
Bloggie Software (Version: 03.01.0099)
Bonjour (Version: 2.0.5.0)
Broadcom ASF Management Applications (Version: 10.13.02)
Broadcom Management Programs (Version: 10.15.01)
Broadcom TPM Driver Installer (Version: 8.04.04)
Business Contact Manager for Outlook 2007 SP1 (Version: 3.0.7311.0)
CA Yahoo! Anti-Spy (remove only)
Canon Camera Access Library (Version: 8.4.0.1)
Canon Camera Support Core Library (Version: 7.3.1.6)
Canon Camera WIA Driver (Version: 5.7)
Canon EOS 5D WIA Driver (Version: 5.7)
Canon RAW Image Task for ZoomBrowser EX (Version: 3.3.0.5)
Canon Utilities CameraWindow (Version: 7.1.0.2)
Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX (Version: 5.4.5.17)
Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX (Version: 6.4.2.16)
Canon Utilities Digital Photo Professional 3.4 (Version: 3.4.0.0)
Canon Utilities EOS Utility (Version: 2.4.0.1)
Canon Utilities MyCamera (Version: 6.4.0.5)
Canon Utilities Original Data Security Tools (Version: 1.4.0.1)
Canon Utilities PhotoStitch (Version: 3.1.21.45)
Canon Utilities Picture Style Editor (Version: 1.3.0.0)
Canon Utilities RemoteCapture Task for ZoomBrowser EX (Version: 1.7.1.9)
Canon Utilities WFT-E1/E2/E3 Utility (Version: 3.2.1.1)
Canon Utilities ZoomBrowser EX (Version: 6.1.1.21)
Canon ZoomBrowser EX Memory Card Utility (Version: 1.1.0.8)
Centra Client
Conexant HDA D330 MDC V.92 Modem
Critical Update for Windows Media Player 11 (KB959772)
Dell Embassy Trust Suite by Wave Systems (Version: 02.00.00.039)
Dell Touchpad (Version: Version 7.1.101.6)
Dell Wireless WLAN Card (Version: 4.100.15.8)
Digital Line Detect (Version: 1.21)
DigitImg (Version: 2.00.0000)
Document Manager Lite (Version: 05.06.00.005)
Dropbox (Version: 1.1.35)
EMBASSY Security Center (Version: 03.00.00.036)
EMBASSY Security Setup (Version: 03.00.00.035)
EMBASSY Trust Suite by Wave Systems (Version: 2.00.00.039)
ESC Home Page Plugin (Version: 03.00.00.013)
ESET Online Scanner v3
ETS Upgrade (Version: 02.00.00.012)
Facebook Plug-In
First Step Guide (Version: 1.00.000)
Google Toolbar for Internet Explorer (Version: 1.0.0)
GoToMeeting 5.1.0.880 (Version: 5.1.0.880)
High Definition Audio Driver Package - KB835221 (Version: 20040219.000000)
HijackThis 2.0.2 (Version: 2.0.2)
HP LaserJet P1500 series
HP Memories Disc (Version: 1.0.4.805)
HP Software Update (Version: 1.0.18.20030627)
HPCarePackCore (Version: 10.0.0.1)
HPCarePackProducts (Version: 1.0.0.1)
HPSSupply (Version: 2.1.1.0000)
Image Resizer Powertoy for Windows XP (Version: 1.00.0001)
Image Retriever 7 (Version: 7.0.0.0)
ImageMixer VCD2 (Version: 2.01.002.3)
Intel® Graphics Media Accelerator Driver
IntelliSonic Speech Enhancement (Version: 2.1.37)
iTunes (Version: 10.3.1.55)
Java Auto Updater (Version: 2.0.6.1)
Java™ 6 Update 29 (Version: 6.0.290)
Juniper Networks Secure Application Manager (Version: 6.3.0.14121)
LogMeIn (Version: 4.0.680)
Malwarebytes Anti-Malware version 1.60.1.1000 (Version: 1.60.1.1000)
MetaFrame Presentation Server Web Client for Win32
Microsoft .NET Framework 1.1 (Version: 1.1.4322)
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft Application Error Reporting (Version: 12.0.6012.5000)
Microsoft Choice Guard (Version: 2.0.48.0)
Microsoft Compression Client Pack 1.0 for Windows XP (Version: 1)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft National Language Support Downlevel APIs
Microsoft Office 2003 Web Components (Version: 11.0.8173.0)
Microsoft Office 2007 Primary Interop Assemblies (Version: 12.0.4518.1014)
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Access MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Access Setup Metadata MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Excel MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office File Validation Add-In (Version: 14.0.5130.5003)
Microsoft Office Outlook MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office PowerPoint MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Professional Hybrid 2007 (Version: 12.0.6612.1000)
Microsoft Office Proof (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proof (French) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proof (Spanish) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Publisher MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Shared MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Small Business Connectivity Components (Version: 2.0.7024.0)
Microsoft Office Word MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Silverlight (Version: 4.1.10111.0)
Microsoft Software Update for Web Folders (English) 12 (Version: 12.0.6612.1000)
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (MSSMLBIZ) (Version: 9.3.4035.00)
Microsoft SQL Server Native Client (Version: 9.00.5000.00)
Microsoft SQL Server Setup Support Files (English) (Version: 9.00.5000.00)
Microsoft SQL Server VSS Writer (Version: 9.00.5000.00)
Microsoft User-Mode Driver Framework Feature Pack 1.7
Microsoft WinUsb 1.0
Mirar
MobileMe Control Panel (Version: 3.1.6.0)
Modem Diagnostic Tool (Version: 1.0.20.0)
Mozilla Firefox (3.6.12) (Version: 3.6.12 (en-US))
MSVCRT (Version: 14.0.1468.721)
MSXML 4.0 SP2 (KB936181) (Version: 4.20.9848.0)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MSXML 6 Service Pack 2 (KB954459) (Version: 6.20.1099.0)
NDH2008Plus!
NetWaiting (Version: 2.5.44)
Novacomd (Version: 1.0.40)
NTRU TCG Software Stack (Version: 2.1.12)
O2Micro USB Smart Card Reader (Version: 1.00.0000)
PaperPort Image Printer (Version: 1.00.0000)
Photosmart 140,240,7200,7600,7700,7900 Series (Version: 2.0)
PL-2303 USB-to-Serial
PowerDVD (Version: 7.0)
Preboot Manager (Version: 2.0.0.102)
Private Information Manager (Version: 05.05.00.022)
PS7600 (Version: 1.00.0000)
PSShortcuts (Version: 1.00.0000)
PSUsage (Version: 1.20.0000)
QuickSet (Version: 8.1.12)
QuickTime (Version: 7.69.80.9)
ResMed Ventilator Installer v1.96.0 (Version: 1.96.0)
ResScan (Version: 3.16)
Rhapsody
Rhapsody Player Engine (Version: 1.0.604)
Roxio Creator Audio (Version: 3.3.0)
Roxio Creator BDAV Plugin (Version: 3.3.0)
Roxio Creator Copy (Version: 3.3.0)
Roxio Creator Data (Version: 3.3.0)
Roxio Creator DE (Version: 3.3.0)
Roxio Creator Tools (Version: 3.3.0)
Roxio Drag-to-Disc (Version: 9.0)
Roxio Express Labeler (Version: 2.1.0)
Roxio Update Manager (Version: 3.0.0)
Safari (Version: 5.33.18.5)
Scanner Utility for Microsoft Windows
ScanSoft OmniPage SE 4 (Version: 15.2.0020)
Secure Update (Version: 05.03.00.011)
Security Wizards (Version: 01.03.00.021)
Segoe UI (Version: 14.0.4327.805)
SigmaTel Audio (Version: 5.10.4820.0)
Skype Click to Call (Version: 5.10.9560)
Skype™ 5.8 (Version: 5.8.158)
Software Operation Panel
Sonic Activation Module (Version: 1.0)
Sony USB Driver
SpywareBlaster 4.6 (Version: 4.6.0)
SUPERAntiSpyware Free Edition (Version: 4.22.0.1014)
Trend Micro Client/Server Security Agent
TubeSucker (Version: 5.0.0.4)
Ulead DVD MovieFactory 3 SE (Version: 3.0)
Ulead Straight-to-Disc SDK (Version: 2.2)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)
Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2597970) 32-Bit Edition
Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
Update for Windows Internet Explorer 8 (KB968220) (Version: 1)
Update for Windows Internet Explorer 8 (KB976662) (Version: 1)
Update for Windows Internet Explorer 8 (KB976749) (Version: 1)
Update for Windows Internet Explorer 8 (KB980182) (Version: 1)
Update for Windows XP (KB2141007) (Version: 1)
Update for Windows XP (KB2345886) (Version: 1)
Update for Windows XP (KB2467659) (Version: 1)
Update for Windows XP (KB2541763) (Version: 1)
Update for Windows XP (KB2607712) (Version: 1)
Update for Windows XP (KB2616676) (Version: 1)
Update for Windows XP (KB2641690) (Version: 1)
Update for Windows XP (KB951072-v2) (Version: 2)
Update for Windows XP (KB951978) (Version: 1)
Update for Windows XP (KB955759) (Version: 1)
Update for Windows XP (KB955839) (Version: 1)
Update for Windows XP (KB961503) (Version: 1)
Update for Windows XP (KB967715) (Version: 1)
Update for Windows XP (KB968389) (Version: 1)
Update for Windows XP (KB971029) (Version: 1)
Update for Windows XP (KB971737) (Version: 1)
Update for Windows XP (KB973687) (Version: 1)
Update for Windows XP (KB973815) (Version: 1)
upekmsi (Version: 02.00.02.0010)
URL Assistant
Virtual Earth 3D (Beta) (Version: 3.0.808.29001)
VPN Client
Wave Infrastructure Installer (Version: 03.05.10.0050)
Wave Support Software (Version: 05.04.00.018)
WebDrive (Version: 7.10.1475)
WebEx
WebFldrs XP (Version: 9.50.7523)
Windows Driver Package - ACS (A38CCID) SmartCardReader (12/16/2009 1.1.6.5) (Version: 12/16/2009 1.1.6.5)
Windows Driver Package - ACS (ACR122U) SmartCardReader (12/16/2009 1.1.6.3) (Version: 12/16/2009 1.1.6.3)
Windows Driver Package - ACS (ACSSCR) SmartCardReader (12/15/2009 1.1.6.2) (Version: 12/15/2009 1.1.6.2)
Windows Driver Package - Dell Inc. PBADRV System (09/25/2006 6.0.0.0) (Version: 09/25/2006 6.0.0.0)
Windows Driver Package - O2Micro (guardian2) SmartCardReader (02/05/2007 1.1.3.7) (Version: 02/05/2007 1.1.3.7)
Windows Driver Package - Palm (WinUSB) Palm Devices (11/30/2008 1.0.0) (Version: 11/30/2008 1.0.0)
Windows Genuine Advantage Notifications (KB905474) (Version: 1.8.0031.9)
Windows Imaging Component (Version: 3.0.0.0)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7 (Version: 20070813.185237)
Windows Internet Explorer 8 (Version: 20090308.140743)
Windows Live Call (Version: 14.0.8117.0416)
Windows Live Communications Platform (Version: 14.0.8117.416)
Windows Live Essentials (Version: 14.0.8117.0416)
Windows Live Essentials (Version: 14.0.8117.416)
Windows Live Messenger (Version: 14.0.8117.0416)
Windows Live Sign-in Assistant (Version: 5.000.818.5)
Windows Live Upload Tool (Version: 14.0.8014.1029)
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series (Version: 9.00.2980)
Windows Media Format 11 runtime
Windows Search 4.0 (Version: 04.00.6001.503)
Windows XP Service Pack 3 (Version: 20080414.031525)
Workspace Desktop
WOT for Internet Explorer (Version: 11.11.7.0)
Xerox WC M20 Series PS
Yahoo! Install Manager
Yahoo! Software Update
Yahoo! Toolbar

========================= Devices: ================================

Name: Cisco Systems VPN Adapter
Description: Cisco Systems VPN Adapter
Class Guid: {4D36E972-E325-11CE-BFC1-08002BE10318}
Manufacturer: Cisco Systems
Service: CVirtA
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.


========================= Memory info: ===================================

Percentage of memory in use: 56%
Total physical RAM: 2037.9 MB
Available physical RAM: 893.2 MB
Total Pagefile: 3930.6 MB
Available Pagefile: 2484.62 MB
Total Virtual: 2047.88 MB
Available Virtual: 1970.74 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:74.44 GB) (Free:7.43 GB) NTFS

========================= Users: ========================================

User accounts for \\MDS0083

charlene.oldeck Guest HelpAssistant
Hypnos l3174299092 matt.thomas
sleepadmin Support SUPPORT_388945a0


**** End of log ****

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.04.06.06

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
matt.thomas :: MDS0083 [administrator]

4/6/2012 1:59:02 PM
mbam-log-2012-04-06 (14-55-13).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 242553
Time elapsed: 38 minute(s), 27 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\WINDOWS\temp\arg230733.exe (Exploit.Drop) -> No action taken.

(end)

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-04-06 18:05:10
-----------------------------
18:05:10.296 OS Version: Windows 5.1.2600 Service Pack 3
18:05:10.296 Number of processors: 2 586 0xF0D
18:05:10.296 ComputerName: MDS0083 UserName:
18:05:12.421 Initialize success
18:05:27.109 AVAST engine defs: 12040600
18:05:50.906 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
18:05:50.921 Disk 0 Vendor: TOSHIBA_MK8037GSX DL240D Size: 76319MB BusType: 3
18:05:50.937 Disk 0 MBR read successfully
18:05:50.937 Disk 0 MBR scan
18:05:51.000 Disk 0 Windows XP default MBR code
18:05:51.000 Disk 0 MBR hidden
18:05:51.000 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 86 MB offset 63
18:05:51.031 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 76230 MB offset 176715
18:05:51.062 Disk 0 Partition 3 80 (A) 17 Hidd HPFS/NTFS NTFS 2 MB offset 156296385
18:05:51.062 Disk 0 Partition 3 **INFECTED** MBR:Alureon-K [Rtk]
18:05:51.078 Disk 0 scanning sectors +156301472
18:05:51.140 Disk 0 scanning C:\WINDOWS\system32\drivers
18:05:52.468 File: C:\WINDOWS\system32\drivers\afd.sys **INFECTED** Win32:Rootkit-gen [Rtk]
18:06:27.750 Disk 0 trace - called modules:
18:06:27.765 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x897b3fd0]<<
18:06:27.765 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8ac4eab8]
18:06:27.765 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> [0x89deec68]
18:06:27.765 \Driver\00001680[0x89758360] -> IRP_MJ_CREATE -> 0x897b3fd0
18:06:30.109 AVAST engine scan C:\WINDOWS
18:07:16.625 AVAST engine scan C:\WINDOWS\system32
18:13:45.578 AVAST engine scan C:\WINDOWS\system32\drivers
18:13:46.890 File: C:\WINDOWS\system32\drivers\afd.sys **INFECTED** Win32:Rootkit-gen [Rtk]
18:14:25.421 AVAST engine scan C:\Documents and Settings\matt.thomas
18:56:41.281 AVAST engine scan C:\Documents and Settings\All Users
19:01:18.734 Scan finished successfully
19:01:34.609 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\matt.thomas\Desktop\MBR.dat"
19:01:34.656 The log file has been saved successfully to "C:\Documents and Settings\matt.thomas\Desktop\aswMBR.txt"


Thanks for your help!!

#4 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,679 posts
  • OFFLINE
  • Gender:Male
  • Location:Daly City, CA
  • Local time:09:50 AM

Posted 06 April 2012 - 06:49 PM

You're seriously infected and it'll require more advanced tools.

Please follow the instructions in ==>This Guide<== starting at Step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<== Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.



#5 mattymatt

mattymatt
  • Topic Starter

  • Members
  • 71 posts
  • OFFLINE
  • Local time:12:50 PM

Posted 06 April 2012 - 10:48 PM

I have started a topic over there. Thanks for your time!
