Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojan.Gen won't seem to go away


  • Please log in to reply
3 replies to this topic

#1 peg2012

peg2012

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:07:22 PM

Posted 06 April 2012 - 09:40 AM

Computer is running Win XP Pro SP3. Several weeks ago, a fake antivirus program installed. I cleaned the computer with Superantispyware and Malwarebytes, with scans coming up clean. At the end of March, the user reported problems with numerous Windows errors, explorer.exe faulting (Event ID 1001). I noticed a program shortcut called System Check on the desktop. Research revealed this to be malware. I updated the antispyware programs, but they found no infections. I then followed instructions to remove System Check from an online anti-malware website, where I was instructed to rename three files under C:\Documents and Settings\AllUsers\Application Data. After doing so, TDSSKiller, Malwarebytes and Symantec Endpoint Protection all found infections: Backdoor.Tidserv, Hacktool.Rootkit, and two instances of Trojan.Agent. All of these were quarantined and deleted, with subsequent scans coming up clean. Today, SEP is autodetecting an infected file, DWHA.temp, at C:\Documents and Settings\username\Local Settings\Temp\. Scanning with MBAM, Superantispyware and TDSSKiller is not coming up with anything, in safe mode or normal mode. Is this computer still infected? It concerns me that the three files I renamed are still sitting in their original location, and the software can't detect/remove them because of the names; therefore, the regsitry may not be clean. Any assistance you can give is appreciated.

BC AdBot (Login to Remove)

 


#2 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,758 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:05:22 PM

Posted 06 April 2012 - 11:27 AM

Welcome aboard Posted Image

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=============================================================================

Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

====================================================================================

Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices (do NOT change any settings here)
  • List Users, Partitions and Memory size
Click Go and post the result.

=============================================================================

Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

=============================================================================

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE

 


#3 peg2012

peg2012
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:07:22 PM

Posted 06 April 2012 - 02:57 PM

Thanks for your help. Results as follows:

Checkup.txt:

Results of screen317's Security Check version 0.99.24
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
Symantec Endpoint Protection
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

SUPERAntiSpyware
CCleaner
Java™ 6 Update 13
Out of date Java installed!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Norton ccSvcHst.exe
Symantec AntiVirus Smc.exe
Symantec AntiVirus Rtvscan.exe
Symantec AntiVirus SmcGui.exe
``````````End of Log````````````

******************************************************************

FSS.txt:

Farbar Service Scanner Version: 01-03-2012
Ran by user1 (administrator) on 06-04-2012 at 14:18:35
Running from "C:\Documents and Settings\user1\Local Settings\Temporary Internet Files\Content.IE5\XE86P33S"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(6) IPSec(4) mfetdik(8) NetBT(5) PSched(7) SYMTDI(10) Tcpip(3)
0x0A000000040000000100000002000000030000000A0000000900000008000000050000000600000007000000
IpSec Tag value is correct.

**** End of log ****

***********************************************************************************

Mini Tool Box log:

MiniToolBox by Farbar Version: 18-01-2012
Ran by user1 (administrator) on 06-04-2012 at 14:19:55
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
ProxyServer: ourserver:8080
========================= Hosts content: =================================


127.0.0.1 localhost

========================= IP Configuration: ================================

Realtek PCIe GBE Family Controller = Local Area Connection (Connected)


# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=dhcp
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp


popd
# End of interface IP configuration




Windows IP Configuration



Host Name . . . . . . . . . . . . : Payroll

Primary Dns Suffix . . . . . . . : our-domain.COM

Node Type . . . . . . . . . . . . : Hybrid

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No

DNS Suffix Search List. . . . . . : our-domain.COM

our-domain.COM



Ethernet adapter Local Area Connection:



Connection-specific DNS Suffix . : our-domain.COM

Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller

Physical Address. . . . . . . . . : 6C-62-6D-48-E4-15

Dhcp Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

IP Address. . . . . . . . . . . . : 192.168.1.166

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 192.168.1.253

DHCP Server . . . . . . . . . . . : 192.168.1.11

DNS Servers . . . . . . . . . . . : 192.168.1.11

Primary WINS Server . . . . . . . : 192.168.1.11

Lease Obtained. . . . . . . . . . : Friday, April 06, 2012 2:02:52 PM

Lease Expires . . . . . . . . . . : Saturday, April 14, 2012 2:02:52 PM

Server: ourserver.our-domain.com
Address: 192.168.1.11

Name: google.com
Addresses: 74.125.225.103, 74.125.225.96, 74.125.225.99, 74.125.225.104
74.125.225.100, 74.125.225.101, 74.125.225.110, 74.125.225.98, 74.125.225.97
74.125.225.102, 74.125.225.105



Pinging google.com [74.125.225.103] with 32 bytes of data:



Reply from 74.125.225.103: bytes=32 time=14ms TTL=57

Reply from 74.125.225.103: bytes=32 time=11ms TTL=57



Ping statistics for 74.125.225.103:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 11ms, Maximum = 14ms, Average = 12ms

Server: ourserver.our-domain.com
Address: 192.168.1.11

Name: yahoo.com
Addresses: 209.191.122.70, 72.30.38.140, 98.139.183.24



Pinging yahoo.com [209.191.122.70] with 32 bytes of data:



Reply from 209.191.122.70: bytes=32 time=39ms TTL=55

Reply from 209.191.122.70: bytes=32 time=38ms TTL=55



Ping statistics for 209.191.122.70:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 38ms, Maximum = 39ms, Average = 38ms

Server: ourserver.our-domain.com
Address: 192.168.1.11

Name: bleepingcomputer.com
Address: 208.43.87.2



Pinging bleepingcomputer.com [208.43.87.2] with 32 bytes of data:



Reply from 208.43.87.2: Destination host unreachable.

Reply from 208.43.87.2: Destination host unreachable.



Ping statistics for 208.43.87.2:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms



Pinging 127.0.0.1 with 32 bytes of data:



Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



Ping statistics for 127.0.0.1:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...6c 62 6d 48 e4 15 ...... Realtek PCIe GBE Family Controller - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.253 192.168.1.166 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.166 192.168.1.166 20
192.168.1.166 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.166 192.168.1.166 20
224.0.0.0 240.0.0.0 192.168.1.166 192.168.1.166 20
255.255.255.255 255.255.255.255 192.168.1.166 192.168.1.166 1
Default Gateway: 192.168.1.253
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 02 C:\Windows\System32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 03 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 01 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 02 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 03 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 04 C:\Windows\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 05 C:\Windows\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 06 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 07 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 08 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 09 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 11 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (04/06/2012 02:10:59 PM) (Source: NTBackup) (User: )
Description: End Operation: Warnings or errors were encountered.

Consult the backup report for more details.

Error: (04/06/2012 02:10:58 PM) (Source: NTBackup) (User: )
Description: End Backup of 'C:' 'Warnings or errors were encountered.'


Verify: Off

Mode: Replace

Type: Normal


Consult the backup report for more details.

Error: (04/06/2012 02:05:03 PM) (Source: AeSecurity) (User: SYSTEM)SYSTEM
Description: The security device for connection sqlsrvr-attendance/stp15ae could not be located on the computer. Ensure that
the block is properly connected and retry the security update.

Error: (04/06/2012 00:44:57 PM) (Source: AeSecurity) (User: SYSTEM)SYSTEM
Description: The security device for connection sqlsrvr-attendance/stp15ae could not be located on the computer. Ensure that
the block is properly connected and retry the security update.

Error: (04/06/2012 10:44:57 AM) (Source: AeSecurity) (User: SYSTEM)SYSTEM
Description: The security device for connection sqlsrvr-attendance/stp15ae could not be located on the computer. Ensure that
the block is properly connected and retry the security update.

Error: (04/06/2012 08:44:57 AM) (Source: AeSecurity) (User: SYSTEM)SYSTEM
Description: The security device for connection sqlsrvr-attendance/stp15ae could not be located on the computer. Ensure that
the block is properly connected and retry the security update.

Error: (04/06/2012 07:59:48 AM) (Source: Symantec AntiVirus) (User: )
Description: Security Risk Found!Trojan.Gen in File: C:\Documents and Settings\user1\Local Settings\Temp\DWHA.tmp by: Auto-Protect scan. Action: Clean failed : Quarantine failed : Access denied. Action Description: The file was left unchanged.

Error: (04/06/2012 07:57:12 AM) (Source: AeSecurity) (User: SYSTEM)SYSTEM
Description: The security device for connection sqlsrvr-attendance/stp15ae could not be located on the computer. Ensure that
the block is properly connected and retry the security update.

Error: (04/05/2012 02:18:09 PM) (Source: AeSecurity) (User: SYSTEM)SYSTEM
Description: The security device for connection sqlsrvr-attendance/stp15ae could not be located on the computer. Ensure that
the block is properly connected and retry the security update.

Error: (04/05/2012 00:18:09 PM) (Source: AeSecurity) (User: SYSTEM)SYSTEM
Description: The security device for connection sqlsrvr-attendance/stp15ae could not be located on the computer. Ensure that
the block is properly connected and retry the security update.


System errors:
=============
Error: (04/06/2012 08:41:39 AM) (Source: DCOM) (User: SYSTEM)
Description: DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (04/06/2012 08:11:03 AM) (Source: DCOM) (User: SYSTEM)
Description: DCOM got error "%%1084" attempting to start the service wuauserv with arguments ""
in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error: (04/06/2012 08:11:03 AM) (Source: DCOM) (User: SYSTEM)
Description: DCOM got error "%%1084" attempting to start the service wuauserv with arguments ""
in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error: (04/06/2012 08:11:03 AM) (Source: DCOM) (User: SYSTEM)
Description: DCOM got error "%%1084" attempting to start the service wuauserv with arguments ""
in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error: (04/06/2012 08:09:28 AM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
eeCtrl
Fips
intelppm
mfehidk
SASDIFSV
SASKUTIL
SPBBCDrv
SRTSP
SRTSPX
SYMTDI

Error: (04/06/2012 08:09:22 AM) (Source: DCOM) (User: SYSTEM)
Description: DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (04/02/2012 10:39:28 AM) (Source: Print) (User: SYSTEM)
Description: Printer PDF Complete failed to initialize because a suitable PDF Complete Converter driver could not be found.

Error: (04/02/2012 09:42:08 AM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
atapi

Error: (04/02/2012 09:41:26 AM) (Source: 0) (User: )
Description: 0xC0000001HarddiskVolume1

Error: (04/02/2012 09:05:36 AM) (Source: Service Control Manager) (User: )
Description: The My IT Company Monitor Agent service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 20000 milliseconds: Restart the service.


Microsoft Office Sessions:
=========================

=========================== Installed Programs ============================

Adobe Flash Player 11 ActiveX (Version: 11.2.202.228)
Adobe Reader 9.5.0 (Version: 9.5.0)
Attendance Enterprise (Version: 1.5.33.856)
Bing Bar (Version: 7.0.822.0)
BizCover (Version: 1.0.0.4)
CCleaner (Version: 3.16)
Collaboration Client 2.0 (Version: 4.4.3.0)
Compatibility Pack for the 2007 Office system (Version: 12.0.6612.1000)
HiJackThis (Version: 1.0.0)
HP Help and Support (Version: 4.2.0010)
Intel® Graphics Media Accelerator Driver (Version: 6.14.10.5102)
InterVideo WinDVD 8 (Version: 8.5.10.36)
Java™ 6 Update 13 (Version: 6.0.130)
Kaseya Agent (payroll.root.stp.healthcheck - portal.teknoforcesupport.com) (Version: 6.2.0.0)
Lantronix DeviceInstaller 4.3.0.1 (x86) (Version: 43.00.1500)
LiveUpdate 3.3 (Symantec Corporation) (Version: 3.3.0.101)
Malwarebytes Anti-Malware version 1.60.1.1000 (Version: 1.60.1.1000)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft .NET Framework 4 Extended (Version: 4.0.30319)
Microsoft Choice Guard (Version: 2.0.48.0)
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft Office File Validation Add-In (Version: 14.0.5130.5003)
Microsoft Office Professional Edition 2003 (Version: 11.0.8173.0)
Microsoft Silverlight (Version: 4.1.10111.0)
Microsoft Sync Framework Runtime Native v1.0 (x86) (Version: 1.0.1215.0)
Microsoft Sync Framework Services Native v1.0 (x86) (Version: 1.0.1215.0)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
MSVCRT (Version: 14.0.1468.721)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MSXML 6.0 Parser (KB933579) (Version: 6.10.1200.0)
Realtek High Definition Audio Driver (Version: 5.10.0.5963)
Segoe UI (Version: 14.0.4327.805)
Shadow Copy Client (Version: 5.2.01)
SUPERAntiSpyware (Version: 5.0.1144)
Symantec Endpoint Protection (Version: 11.0.6300.803)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2600217) (Version: 1)
Update for Microsoft Windows (KB971513)
Update for Windows Internet Explorer 8 (KB2362765) (Version: 1)
Update for Windows Internet Explorer 8 (KB2447568) (Version: 1)
Update for Windows Internet Explorer 8 (KB2598845) (Version: 1)
Update for Windows Internet Explorer 8 (KB2632503) (Version: 1)
Update for Windows Internet Explorer 8 (KB976662) (Version: 1)
Update for Windows Internet Explorer 8 (KB982664) (Version: 1)
Update for Windows XP (KB2141007) (Version: 1)
Update for Windows XP (KB2264107) (Version: 1)
Update for Windows XP (KB2345886) (Version: 1)
Update for Windows XP (KB2467659) (Version: 1)
Update for Windows XP (KB2492386) (Version: 1)
Update for Windows XP (KB2541763) (Version: 1)
Update for Windows XP (KB2607712) (Version: 1)
Update for Windows XP (KB2616676-v2) (Version: 2)
Update for Windows XP (KB2641690) (Version: 1)
Update for Windows XP (KB898461) (Version: 1)
Update for Windows XP (KB943729)
Update for Windows XP (KB951978) (Version: 1)
Update for Windows XP (KB955759) (Version: 1)
Update for Windows XP (KB967715) (Version: 1)
Update for Windows XP (KB968389) (Version: 1)
Update for Windows XP (KB971029) (Version: 1)
Update for Windows XP (KB971737) (Version: 1)
Update for Windows XP (KB973687) (Version: 1)
Update for Windows XP (KB973815) (Version: 1)
WebEx
WebFldrs XP (Version: 9.50.7523)
Windows Internet Explorer 8 (Version: 20090308.140743)
Windows Live Essentials (Version: 14.0.8089.0726)
Windows Live Essentials (Version: 14.0.8089.726)
Windows Live Sign-in Assistant (Version: 5.000.818.5)
Windows Live Upload Tool (Version: 14.0.8014.1029)
Windows Management Framework Core

========================= Devices: ================================


========================= Memory info: ===================================

Percentage of memory in use: 38%
Total physical RAM: 1917.1 MB
Available physical RAM: 1170.12 MB
Total Pagefile: 3810.2 MB
Available Pagefile: 3035.21 MB
Total Virtual: 2047.88 MB
Available Virtual: 1969.81 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:286.53 GB) (Free:261.98 GB) NTFS
2 Drive d: (HP_RECOVERY) (Fixed) (Total:9.55 GB) (Free:0.84 GB) NTFS
4 Drive s: () (Network) (Total:60 GB) (Free:56.62 GB) NTFS

========================= Users: ========================================

User accounts for \\PAYROLL

Administrator ASPNET Guest
HelpAssistant SUPPORT_388945a0


**** End of log ****

*************************************************************************************************

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.04.06.07

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
user1 :: PAYROLL [administrator]

4/6/2012 2:21:47 PM
mbam-log-2012-04-06 (14-21-47).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 299152
Time elapsed: 4 minute(s), 29 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

*******************************************************************

aswMBR log:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-04-06 14:27:53
-----------------------------
14:27:53.323 OS Version: Windows 5.1.2600 Service Pack 3
14:27:53.323 Number of processors: 2 586 0x170A
14:27:53.323 ComputerName: PAYROLL UserName: user1
14:27:59.042 Initialize success
14:30:55.936 AVAST engine defs: 12040600
14:31:22.108 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
14:31:22.108 Disk 0 Vendor: ST332041 HP35 Size: 305245MB BusType: 3
14:31:22.124 Disk 0 MBR read successfully
14:31:22.124 Disk 0 MBR scan
14:31:22.139 Disk 0 Windows 7 default MBR code
14:31:22.155 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 293406 MB offset 4194304
14:31:22.186 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 9781 MB offset 605089792
14:31:22.186 Disk 0 scanning sectors +625121280
14:31:22.296 Disk 0 scanning C:\WINDOWS\system32\drivers
14:31:31.389 Service scanning
14:31:45.983 Modules scanning
14:31:50.561 Disk 0 trace - called modules:
14:31:50.577 ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
14:31:50.577 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89d12478]
14:31:50.577 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x89d1b028]
14:31:54.858 AVAST engine scan C:\WINDOWS
14:31:59.452 AVAST engine scan C:\WINDOWS\system32
14:34:14.312 AVAST engine scan C:\WINDOWS\system32\drivers
14:34:31.125 AVAST engine scan C:\Documents and Settings\user1
14:36:35.266 AVAST engine scan C:\Documents and Settings\All Users
14:37:15.235 Scan finished successfully
14:37:23.297 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\user1\Desktop\MBR.dat"
14:37:23.297 The log file has been saved successfully to "C:\Documents and Settings\user1\Desktop\aswMBR.txt"


*********************************************************************************************

In the course of the Avast scan, Symantec Edpoint Protection popped up 6 messages stating that infections were found and then quarantined. Log of SEP quarantine:

Risk Filename Original Location Status Date
Trojan.Gen.2 unp195386443.tmp C:\Documents and Settings\user1\Local Settings\Temp\_avast4_\ Infected 4/6/2012 14:36
Trojan.Gen.2 unp194647460.tmp C:\Documents and Settings\user1\Local Settings\Temp\_avast4_\ Infected 4/6/2012 14:36
Trojan.Gen.2 unp170200126.tmp C:\Documents and Settings\user1\Local Settings\Temp\_avast4_\ Infected 4/6/2012 14:37
Trojan.Gen.2 APQ15.tmp C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\ Infected 4/6/2012 14:37
Trojan.Gen.2 av4D57.tmp C:\Documents and Settings\user1\Local Settings\Temp\ Infected 4/6/2012 14:37
Trojan.Gen tsk0005.dta C:\TDSSKiller_Quarantine\02.04.2012_09.43.27\mbr0000\tdlfs0000\ Infected 4/2/2012 9:43
Backdoor.Tidserv tsk0005.dta C:\TDSSKiller_Quarantine\02.04.2012_09.43.27\mbr0000\tdlfs0000\ Infected 4/2/2012 9:43
Trojan.Gen tsk0005.dta C:\TDSSKiller_Quarantine\02.04.2012_09.43.27\mbr0000\tdlfs0000\ Infected 4/2/2012 9:43
Hacktool.Rootkit tsk0005.dta C:\TDSSKiller_Quarantine\02.04.2012_09.43.27\mbr0000\tdlfs0000\ Infected 4/2/2012 9:43
Trojan.Gen.2 tsk0005.dta C:\TDSSKiller_Quarantine\02.04.2012_09.43.27\mbr0000\tdlfs0000\ Infected 4/2/2012 9:43
Trojan.Gen tsk0005.dta C:\TDSSKiller_Quarantine\02.04.2012_09.43.27\mbr0000\tdlfs0000\ Infected 4/2/2012 9:43
Backdoor.Trojan tsk0005.dta C:\TDSSKiller_Quarantine\02.04.2012_09.43.27\mbr0000\tdlfs0000\ Infected 4/2/2012 9:43
Trojan.Gen tsk0005.dta C:\TDSSKiller_Quarantine\02.04.2012_09.43.27\mbr0000\tdlfs0000\ Infected 4/2/2012 9:43
Backdoor.Tidserv tsk0008.dta C:\TDSSKiller_Quarantine\02.04.2012_09.43.27\mbr0000\tdlfs0000\ Infected 4/2/2012 9:43
Backdoor.Tidserv tsk0008.dta C:\TDSSKiller_Quarantine\02.04.2012_09.43.27\mbr0000\tdlfs0000\ Infected 4/2/2012 9:43
Backdoor.Tidserv tsk0008.dta C:\TDSSKiller_Quarantine\02.04.2012_09.43.27\mbr0000\tdlfs0000\ Infected 4/2/2012 9:43

***************************************************************************************************************************

Note, these scans were run on the user account where the infections were found.

Any further advice will be appreciated.

Edited by peg2012, 06 April 2012 - 03:07 PM.


#4 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,758 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:05:22 PM

Posted 06 April 2012 - 03:11 PM

Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.

=============================================================================

Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click on List of found threats
  • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    NOTE. If Eset doesn't find any threats it'll NOT produce any log.

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE

 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users