Jump to content

New Topic

gavnut

By gavnut,
in Resolved Malware Removal Logs

 Share

Recommended Posts

gavnut

gavnut

Posted
Posted

Contracted a virus yesterday. Virus redirected some internet searches to "onlinestability.com" and would not let me run or search to malwarebytes. Was able to rename malwarebytes and follow thread instructions. Malwarebytes was run successfully (see log below). Virus alerts were prompted again this morning through McAfee. See logs below:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 14:50:53, on 1/19/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\cisvc.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

c:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Prot_srv.exe

C:\WINDOWS\system32\pstartSr.exe

C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe

C:\WINDOWS\system32\CCM\CcmExec.exe

C:\Program Files\McAfee\Host Intrusion Prevention\HIPSCore\HIPSvc.exe

C:\WINDOWS\system32\cidaemon.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Pointsec\Pointsec for PC\P95Tray.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\McAfee\Common Framework\UdaterUI.exe

C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\McAfee\Common Framework\McTray.exe

C:\Program Files\Boingo\GoBoingo\GoBoingo.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Apoint\HidFind.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE

C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

C:\Program Files\Emergingsoft\MeetingPlanner\mpcache.exe

C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE

C:\WINDOWS\system32\cidaemon.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.adobe.com/shockwave/download/tr...om/default.html

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = divproxywae1.cable.comcast.com:80

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = teamcomcast.cable.comcast.com;ahcws03.cable.comcast.com;ahcmt26.cable.comcast.co

m;www.teamcomcast.com;*.cable.comcast.com;*.hostedeet.com;*.comcastboardinformat

i

on.com;24.40.*.*;<local>

R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll

R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: AOL Search Enhancement - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)

O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll

O4 - HKLM\..\Run: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Pointsec Tray] C:\Program Files\Pointsec\Pointsec for PC\P95Tray.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet

O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [McAfee Host Intrusion Prevention Tray] "C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe"

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [GoBoingo] C:\Program Files\Boingo\GoBoingo\GoBoingo.exe

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

O4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')

O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .OPT: C:\Program Files\Stellent\IBPM\IBPMVwr.dll

O14 - IERESET.INF: START_PAGE_URL=http://teamcomcast

O16 - DPF: {3605B612-C3CF-4AB4-A426-2D853391DB2E} (Certificates Class) - http://qualitycenter/qcbin/capicom.dll

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1146854662468

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1146855274921

O16 - DPF: {B2FC031D-8C74-46AE-8042-BCF4FC03C1EF} (Loader Class v4) - http://qualitycenter/qcbin/Spider91.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corphq.comcast.com

O17 - HKLM\Software\..\Telephony: DomainName = corphq.comcast.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corphq.comcast.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corphq.comcast.com

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: McAfee Host Intrusion Prevention Service (enterceptAgent) - McAfee, Inc. - C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe

O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: McAfee HIPSCore Service (hips) - McAfee, Inc. - C:\Program Files\McAfee\Host Intrusion Prevention\HIPSCore\HIPSvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe

O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pointsec - Unknown owner - C:\WINDOWS\system32\Prot_srv.exe

O23 - Service: Pointsec Service Start (Pointsec_start) - Unknown owner - C:\WINDOWS\system32\pstartSr.exe

O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--

End of file - 12043 bytes

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: c:\windows\system32\twex.exe -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: system32\twex.exe -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\TDSSarxx.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\TDSSoiqt.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\TDSSvkql.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\TDSS1968.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\twex.exe (Backdoor.Bot) -> Delete on reboot.

C:\WINDOWS\system32\TDSSlxcp.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\TDSS1958.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\TDSSkkai.log (Trojan.TDSS) -> Quarantined and deleted successfully.

Thank you

Link to post
Share on other sites
gavnut

gavnut

Posted
  • Author
Posted

Ran Spybot last night and updated Malwarebytes. McAfee is still picking up virus alerts throughout the day. See latest logs below

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 13:11:57, on 1/20/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\cisvc.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

c:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Prot_srv.exe

C:\WINDOWS\system32\pstartSr.exe

C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe

C:\WINDOWS\system32\CCM\CcmExec.exe

C:\Program Files\McAfee\Host Intrusion Prevention\HIPSCore\HIPSvc.exe

C:\WINDOWS\system32\cidaemon.exe

C:\WINDOWS\system32\cidaemon.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Pointsec\Pointsec for PC\P95Tray.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\McAfee\Common Framework\UdaterUI.exe

C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\Boingo\GoBoingo\GoBoingo.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\McAfee\Common Framework\McTray.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Apoint\HidFind.exe

C:\Program Files\Apoint\Apntex.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE

C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

C:\Program Files\Emergingsoft\MeetingPlanner\mpcache.exe

C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Malwarebytes' Anti-Malware\mbam.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.adobe.com/shockwave/download/tr...om/default.html

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = divproxywae1.cable.comcast.com:80

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = teamcomcast.cable.comcast.com;ahcws03.cable.comcast.com;ahcmt26.cable.comcast.co

m;www.teamcomcast.com;*.cable.comcast.com;*.hostedeet.com;*.comcastboardinformat

i

on.com;24.40.*.*;<local>

R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll

R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: AOL Search Enhancement - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)

O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll

O4 - HKLM\..\Run: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Pointsec Tray] C:\Program Files\Pointsec\Pointsec for PC\P95Tray.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet

O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [McAfee Host Intrusion Prevention Tray] "C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe"

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [GoBoingo] C:\Program Files\Boingo\GoBoingo\GoBoingo.exe

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

O4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')

O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .OPT: C:\Program Files\Stellent\IBPM\IBPMVwr.dll

O14 - IERESET.INF: START_PAGE_URL=http://teamcomcast

O16 - DPF: {3605B612-C3CF-4AB4-A426-2D853391DB2E} (Certificates Class) - http://qualitycenter/qcbin/capicom.dll

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1146854662468

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1146855274921

O16 - DPF: {B2FC031D-8C74-46AE-8042-BCF4FC03C1EF} (Loader Class v4) - http://qualitycenter/qcbin/Spider91.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corphq.comcast.com

O17 - HKLM\Software\..\Telephony: DomainName = corphq.comcast.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corphq.comcast.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corphq.comcast.com

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: McAfee Host Intrusion Prevention Service (enterceptAgent) - McAfee, Inc. - C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe

O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: McAfee HIPSCore Service (hips) - McAfee, Inc. - C:\Program Files\McAfee\Host Intrusion Prevention\HIPSCore\HIPSvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe

O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pointsec - Unknown owner - C:\WINDOWS\system32\Prot_srv.exe

O23 - Service: Pointsec Service Start (Pointsec_start) - Unknown owner - C:\WINDOWS\system32\pstartSr.exe

O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--

End of file - 12468 bytes

Malwarebytes' Anti-Malware 1.33

Database version: 1668

Windows 5.1.2600 Service Pack 2

1/20/2009 1:07:52 PM

mbam-log-2009-01-20 (13-07-52).txt

Scan type: Quick Scan

Objects scanned: 61582

Time elapsed: 14 minute(s), 36 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Link to post
Share on other sites
Tigger93

Tigger93

Posted
Posted

Download ComboFix from one of the locations below, and save it to your Desktop.

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Link to post
Share on other sites
gavnut

gavnut

Posted
  • Author
Posted

I do not have full admin rights to this computer and cannot disable McAfee. Combofix warns against running the program while other anit-virus products are running. Should I run combofix without inactivating McAfee? If not, is there another solution?

Thanks.

Link to post
Share on other sites
gavnut

gavnut

Posted
  • Author
Posted

Log file for McAfee virus alert:

2009-01-21 10:25 Cleaned NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe c:\system volume information\_restore{7b403d05-bd1d-42e0-93f8-ce4e5545de2b}\rp331\a0098123.sys Generic Rootkit.d (Trojan)

2009-01-21 10:25 Deleted NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe C:\SYSTEM VOLUME INFORMATION\_RESTORE{7B403D05-BD1D-42E0-93F8-CE4E5545DE2B}\RP331\A0098123.SYS Generic Rootkit.d (Trojan)

2009-01-21 10:25 Deleted NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe C:\System Volume Information\_restore{7B403D05-BD1D-42E0-93F8-CE4E5545DE2B}\RP331\A0098123.sys Generic Rootkit.d (Trojan)

2009-01-21 10:47 Cleaned NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe c:\system volume information\_restore{7b403d05-bd1d-42e0-93f8-ce4e5545de2b}\rp331\a0098124.dll FakeAlert-AG.gen.a (Trojan)

2009-01-21 10:47 Deleted NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe C:\SYSTEM VOLUME INFORMATION\_RESTORE{7B403D05-BD1D-42E0-93F8-CE4E5545DE2B}\RP331\A0098124.DLL FakeAlert-AG.gen.a (Trojan)

2009-01-21 10:47 Deleted NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe C:\System Volume Information\_restore{7B403D05-BD1D-42E0-93F8-CE4E5545DE2B}\RP331\A0098124.dll FakeAlert-AG.gen.a (Trojan)

2009-01-21 14:06 Deleted NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe C:\SYSTEM VOLUME INFORMATION\_RESTORE{7B403D05-BD1D-42E0-93F8-CE4E5545DE2B}\RP331\A0098125.DLL Generic.dx (Trojan)

2009-01-21 14:06 Deleted NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe C:\System Volume Information\_restore{7B403D05-BD1D-42E0-93F8-CE4E5545DE2B}\RP331\A0098125.dll Generic.dx (Trojan)

Link to post
Share on other sites
gavnut

gavnut

Posted
  • Author
Posted

Thanks for the patience..

Combofix log

ComboFix 09-01-21.02 - vgavit001 2009-01-21 21:02:54.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.527 [GMT -5:00]

Running from: c:\documents and settings\vgavit001\Desktop\ComboFix.exe

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated)

FW: McAfee Host Intrusion Prevention Firewall *disabled*

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

c:\windows\IE4 Error Log.txt

c:\windows\system32\AutoRun.inf

c:\windows\system32\MabryObj.dll

c:\windows\system32\tmp.reg

----- BITS: Possible infected sites -----

hxxp://PACHQSMS01:80

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_NPF

-------\Legacy_TDSSSERV.SYS

((((((((((((((((((((((((( Files Created from 2008-12-22 to 2009-01-22 )))))))))))))))))))))))))))))))

.

2009-01-21 21:09 . 2008-04-28 15:19 75,072 --a------ c:\windows\system32\HIPIS0e0015b.dll

2009-01-21 21:09 . 2009-01-21 21:09 113 --a------ c:\windows\system32\api_hook_list.dat

2009-01-21 07:36 . 2009-01-21 07:36 <DIR> d-------- c:\windows\ms

2009-01-19 22:31 . 2009-01-19 22:31 95 --a------ c:\windows\wininit.ini

2009-01-19 21:59 . 2009-01-20 22:19 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2009-01-19 21:59 . 2009-01-20 22:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-01-19 20:38 . 2009-01-20 22:20 <DIR> d-------- c:\program files\SUPERAntiSpyware

2009-01-19 20:38 . 2009-01-20 22:20 <DIR> d-------- c:\documents and settings\vgavit001\Application Data\SUPERAntiSpyware.com

2009-01-19 20:38 . 2009-01-19 20:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-01-19 20:23 . 2009-01-19 21:51 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP

2009-01-19 14:49 . 2009-01-19 14:49 <DIR> d-------- c:\program files\Trend Micro

2009-01-19 00:28 . 2009-01-19 00:28 <DIR> d-------- c:\documents and settings\vgavit001\Application Data\Malwarebytes

2009-01-18 23:56 . 2009-01-18 23:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-01-17 10:41 . 2009-01-17 10:41 <DIR> d-------- c:\program files\Lavasoft

2009-01-17 10:41 . 2009-01-17 10:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft

2009-01-16 20:05 . 2004-08-03 23:07 59,264 --a------ c:\windows\system32\drivers\USBAUDIO.sys

2009-01-16 20:05 . 2004-08-03 23:07 59,264 --a--c--- c:\windows\system32\dllcache\usbaudio.sys

2009-01-16 19:34 . 2009-01-16 19:34 <DIR> d-------- c:\program files\Common Files\Macrovision Shared

2009-01-16 19:34 . 2009-01-16 19:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\FLEXnet

2009-01-16 19:33 . 2009-01-16 19:33 <DIR> d-------- c:\program files\Rosetta Stone

2009-01-16 19:33 . 2009-01-17 17:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\Rosetta Stone

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-21 03:20 --------- d-----w c:\program files\Common Files\Wise Installation Wizard

2009-01-20 01:01 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint

2009-01-20 00:56 --------- d--h--w c:\program files\InstallShield Installation Information

2009-01-19 04:03 --------- d-----w c:\program files\Google

2008-12-05 22:11 --------- d-----w c:\program files\Stellent

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-16 68856]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-03 143360]

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496]

"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2007-10-16 111952]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]

"Pointsec Tray"="c:\program files\Pointsec\Pointsec for PC\P95Tray.exe" [2006-12-04 941424]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-14 138008]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-19 7401472]

"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]

"McAfee Host Intrusion Prevention Tray"="c:\program files\McAfee\Host Intrusion Prevention\FireTray.exe" [2008-07-09 963904]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-14 138008]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-14 162584]

"GoBoingo"="c:\program files\Boingo\GoBoingo\GoBoingo.exe" [2007-10-18 337200]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2006-04-06 49152]

"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-05-14 1191936]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1392640]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]

"SigmatelSysTrayApp"="stsystra.exe" [2007-02-19 c:\windows\stsystra.exe]

"nwiz"="nwiz.exe" [2006-01-19 c:\windows\system32\nwiz.exe]

"NVHotkey"="nvHotkey.dll" [2006-01-19 c:\windows\system32\nvhotkey.dll]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2005-05-12 4167376]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2007-09-25 1421328]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSimpleNetIDList"= 1 (0x1)

"ForceStartMenuLogOff"= 1 (0x1)

"NoChangeKeyboardNavigationIndicators"= 1 (0x1)

"NoChangeAnimation"= 1 (0x1)

"DisablePersonalDirChange"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]

"Script"=add!SrvAcctGroup.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2052111302-448539723-1801674531-546185\Scripts\Logon\0\0]

"Script"=CHQ-CIS_script2.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-226410062-3810625838-4055646134-13515\Scripts\Logon\0\0]

"Script"=cabletcc.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-226410062-3810625838-4055646134-13515\Scripts\Logon\0\1]

"Script"=NEW CORP-MapDrives_script2.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-226410062-3810625838-4055646134-5099\Scripts\Logon\0\0]

"Script"=cabletcc.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-226410062-3810625838-4055646134-5099\Scripts\Logon\0\1]

"Script"=NEW CORP-MapDrives_script2.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"="0x00000000"

"UpdatesDisableNotify"="0x00000000"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=

"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 prot_2k;prot_2k;c:\windows\system32\drivers\prot_2k.sys [2006-12-04 238496]

R3 FirehkMP;FirehkMP;c:\windows\system32\drivers\firehk.sys [2008-04-29 42056]

R3 HIPK;McAfee Inc. HIPK;c:\windows\system32\drivers\HIPK.sys [2008-09-18 100104]

R3 HIPPSK;McAfee Inc. HIPPSK;c:\windows\system32\drivers\HIPPSK.sys [2008-09-18 30856]

R3 HIPQK;McAfee Inc. HIPQK;c:\windows\system32\drivers\HIPQK.sys [2008-09-18 27976]

R3 hips;McAfee HIPSCore Service;c:\program files\McAfee\Host Intrusion Prevention\HIPSCore\HIPSvc.exe [2008-09-18 46400]

R4 BCMWLNPF;Broadcom Netgroup Packet Filter;c:\windows\system32\drivers\BCMWLNPF.SYS [2006-12-04 33664]

R4 enterceptAgent;McAfee Host Intrusion Prevention Service;c:\program files\McAfee\Host Intrusion Prevention\FireSvc.exe [2008-07-09 1455424]

R4 Pointsec;Pointsec;c:\windows\system32\Prot_srv.exe [2006-12-04 146720]

R4 Pointsec_start;Pointsec Service Start;c:\windows\system32\pstartSr.exe [2006-12-04 109856]

S3 Firehk;McAfee NDIS Intermediate Filter;c:\windows\system32\drivers\firehk.sys [2008-04-29 42056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]

\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5f4d0d01-96d9-11dc-8c86-001c2311951f}]

\Shell\AutoRun\command - F:\LaunchU3.exe -a

.

Contents of the 'Scheduled Tasks' folder

2009-01-20 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]

.

- - - - ORPHANS REMOVED - - - -

URLSearchHooks-HookURL - (no file)

URLSearchHooks-Rank - (no file)

HKCU-Run-Aim6 - (no file)

HKLM-Run-Network Associates Error Reporting Service - c:\program files\Common Files\Network Associates\TalkBack\TBMon.exe

.

------- Supplementary Scan -------

.

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uInternet Connection Wizard,ShellNext = hxxp://www.adobe.com/shockwave/download/triggerpages_mmcom/default.html

uInternet Settings,ProxyServer = divproxywae1.cable.comcast.com:80

uInternet Settings,ProxyOverride = teamcomcast.cable.comcast.com;ahcws03.cable.comcast.com;ahcmt26.cable.comcast.co

m;www.teamcomcast.com;*.cable.comcast.com;*.hostedeet.com;*.comcastboardinformat

i

on.com;24.40.*.*;<local>

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: {3605B612-C3CF-4AB4-A426-2D853391DB2E} - hxxp://qualitycenter/qcbin/capicom.dll

DPF: {B2FC031D-8C74-46AE-8042-BCF4FC03C1EF} - hxxp://qualitycenter/qcbin/Spider91.cab

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-21 21:11:35

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1848)

c:\windows\system32\pssogina.dll

c:\windows\system32\csgina.dll

c:\windows\system32\VPNAPI.DLL

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\WLTRYSVC.EXE

c:\windows\system32\BCMWLTRY.EXE

c:\program files\Lavasoft\Ad-Aware\aawservice.exe

c:\windows\system32\scardsvr.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Cisco Systems\VPN Client\cvpnd.exe

c:\program files\McAfee\Common Framework\FrameworkService.exe

c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe

c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\McAfee\Common Framework\naPrdMgr.exe

c:\program files\Dell\QuickSet\NicConfigSvc.exe

c:\program files\SigmaTel\C-Major Audio\WDM\stacsv.exe

c:\windows\system32\CCM\clicomp\RemCtrl\Wuser32.exe

c:\windows\system32\CCM\CcmExec.exe

c:\windows\system32\msiexec.exe

c:\windows\system32\rundll32.exe

c:\windows\system32\igfxsrvc.exe

c:\program files\McAfee\Common Framework\Mctray.exe

c:\program files\Apoint\hidfind.exe

c:\program files\Apoint\ApntEx.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2009-01-21 21:16:11 - machine was rebooted [vgavit001]

ComboFix-quarantined-files.txt 2009-01-22 02:16:07

Pre-Run: 40,660,332,544 bytes free

Post-Run: 40,580,526,080 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

221

Link to post
Share on other sites
Tigger93

Tigger93

Posted
Posted

1. Please open Notepad

  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Collect::

c:\windows\system32\HIPIS0e0015b.dll

DirLook::

c:\windows\ms

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

  • Combofix.txt
  • A new HijackThis log.
Link to post
Share on other sites
gavnut

gavnut

Posted
  • Author
Posted

ComboFix 09-01-21.02 - vgavit001 2009-01-22 20:46:57.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.557 [GMT -5:00]

Running from: c:\documents and settings\vgavit001\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\vgavit001\Desktop\CFScript.txt

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated)

FW: McAfee Host Intrusion Prevention Firewall *disabled*

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

c:\windows\IE4 Error Log.txt

c:\windows\system32\HIPIS0e0015b.dll

----- BITS: Possible infected sites -----

hxxp://PACHQSMS01:80

.

((((((((((((((((((((((((( Files Created from 2008-12-23 to 2009-01-23 )))))))))))))))))))))))))))))))

.

2009-01-22 20:39 . 2009-01-22 20:39 113 --a------ c:\windows\system32\api_hook_list.dat

2009-01-21 07:36 . 2009-01-21 07:36 <DIR> d-------- c:\windows\ms

2009-01-19 22:31 . 2009-01-19 22:31 95 --a------ c:\windows\wininit.ini

2009-01-19 21:59 . 2009-01-20 22:19 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2009-01-19 21:59 . 2009-01-20 22:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-01-19 20:38 . 2009-01-20 22:20 <DIR> d-------- c:\program files\SUPERAntiSpyware

2009-01-19 20:38 . 2009-01-20 22:20 <DIR> d-------- c:\documents and settings\vgavit001\Application Data\SUPERAntiSpyware.com

2009-01-19 20:38 . 2009-01-19 20:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-01-19 20:23 . 2009-01-19 21:51 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP

2009-01-19 14:49 . 2009-01-19 14:49 <DIR> d-------- c:\program files\Trend Micro

2009-01-19 00:28 . 2009-01-19 00:28 <DIR> d-------- c:\documents and settings\vgavit001\Application Data\Malwarebytes

2009-01-18 23:56 . 2009-01-18 23:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-01-17 10:41 . 2009-01-17 10:41 <DIR> d-------- c:\program files\Lavasoft

2009-01-17 10:41 . 2009-01-17 10:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft

2009-01-16 20:05 . 2004-08-03 23:07 59,264 --a------ c:\windows\system32\drivers\USBAUDIO.sys

2009-01-16 20:05 . 2004-08-03 23:07 59,264 --a--c--- c:\windows\system32\dllcache\usbaudio.sys

2009-01-16 19:34 . 2009-01-16 19:34 <DIR> d-------- c:\program files\Common Files\Macrovision Shared

2009-01-16 19:34 . 2009-01-16 19:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\FLEXnet

2009-01-16 19:33 . 2009-01-16 19:33 <DIR> d-------- c:\program files\Rosetta Stone

2009-01-16 19:33 . 2009-01-17 17:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\Rosetta Stone

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-21 03:20 --------- d-----w c:\program files\Common Files\Wise Installation Wizard

2009-01-20 01:01 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint

2009-01-20 00:56 --------- d--h--w c:\program files\InstallShield Installation Information

2009-01-19 04:03 --------- d-----w c:\program files\Google

2008-12-05 22:11 --------- d-----w c:\program files\Stellent

.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

---- Directory of c:\windows\ms ----

((((((((((((((((((((((((((((( snapshot@2009-01-21_21.14.40.39 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-01-23 01:39:09 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_56c.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-16 68856]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-03 143360]

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496]

"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2007-10-16 111952]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]

"Pointsec Tray"="c:\program files\Pointsec\Pointsec for PC\P95Tray.exe" [2006-12-04 941424]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-14 138008]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-19 7401472]

"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]

"McAfee Host Intrusion Prevention Tray"="c:\program files\McAfee\Host Intrusion Prevention\FireTray.exe" [2008-07-09 963904]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-14 138008]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-14 162584]

"GoBoingo"="c:\program files\Boingo\GoBoingo\GoBoingo.exe" [2007-10-18 337200]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2006-04-06 49152]

"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-05-14 1191936]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1392640]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]

"SigmatelSysTrayApp"="stsystra.exe" [2007-02-19 c:\windows\stsystra.exe]

"nwiz"="nwiz.exe" [2006-01-19 c:\windows\system32\nwiz.exe]

"NVHotkey"="nvHotkey.dll" [2006-01-19 c:\windows\system32\nvhotkey.dll]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2005-05-12 4167376]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2007-09-25 1421328]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSimpleNetIDList"= 1 (0x1)

"ForceStartMenuLogOff"= 1 (0x1)

"NoChangeKeyboardNavigationIndicators"= 1 (0x1)

"NoChangeAnimation"= 1 (0x1)

"DisablePersonalDirChange"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]

"Script"=add!SrvAcctGroup.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2052111302-448539723-1801674531-546185\Scripts\Logon\0\0]

"Script"=CHQ-CIS_script2.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-226410062-3810625838-4055646134-13515\Scripts\Logon\0\0]

"Script"=cabletcc.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-226410062-3810625838-4055646134-13515\Scripts\Logon\0\1]

"Script"=NEW CORP-MapDrives_script2.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-226410062-3810625838-4055646134-5099\Scripts\Logon\0\0]

"Script"=cabletcc.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-226410062-3810625838-4055646134-5099\Scripts\Logon\0\1]

"Script"=NEW CORP-MapDrives_script2.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"="0x00000000"

"UpdatesDisableNotify"="0x00000000"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=

"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 prot_2k;prot_2k;c:\windows\system32\drivers\prot_2k.sys [2006-12-04 238496]

R3 FirehkMP;FirehkMP;c:\windows\system32\drivers\firehk.sys [2008-04-29 42056]

R3 HIPK;McAfee Inc. HIPK;c:\windows\system32\drivers\HIPK.sys [2008-09-18 100104]

R3 HIPPSK;McAfee Inc. HIPPSK;c:\windows\system32\drivers\HIPPSK.sys [2008-09-18 30856]

R3 HIPQK;McAfee Inc. HIPQK;c:\windows\system32\drivers\HIPQK.sys [2008-09-18 27976]

R3 hips;McAfee HIPSCore Service;c:\program files\McAfee\Host Intrusion Prevention\HIPSCore\HIPSvc.exe [2008-09-18 46400]

R4 BCMWLNPF;Broadcom Netgroup Packet Filter;c:\windows\system32\drivers\BCMWLNPF.SYS [2006-12-04 33664]

R4 enterceptAgent;McAfee Host Intrusion Prevention Service;c:\program files\McAfee\Host Intrusion Prevention\FireSvc.exe [2008-07-09 1455424]

R4 Pointsec;Pointsec;c:\windows\system32\Prot_srv.exe [2006-12-04 146720]

R4 Pointsec_start;Pointsec Service Start;c:\windows\system32\pstartSr.exe [2006-12-04 109856]

S3 Firehk;McAfee NDIS Intermediate Filter;c:\windows\system32\drivers\firehk.sys [2008-04-29 42056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]

\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5f4d0d01-96d9-11dc-8c86-001c2311951f}]

\Shell\AutoRun\command - F:\LaunchU3.exe -a

.

Contents of the 'Scheduled Tasks' folder

2009-01-20 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]

.

- - - - ORPHANS REMOVED - - - -

URLSearchHooks-HookURL - (no file)

URLSearchHooks-Rank - (no file)

.

------- Supplementary Scan -------

.

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uInternet Connection Wizard,ShellNext = hxxp://www.adobe.com/shockwave/download/triggerpages_mmcom/default.html

uInternet Settings,ProxyServer = divproxywae1.cable.comcast.com:80

uInternet Settings,ProxyOverride = teamcomcast.cable.comcast.com;ahcws03.cable.comcast.com;ahcmt26.cable.comcast.co

m;www.teamcomcast.com;*.cable.comcast.com;*.hostedeet.com;*.comcastboardinformat

i

on.com;24.40.*.*;<local>

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: {3605B612-C3CF-4AB4-A426-2D853391DB2E} - hxxp://qualitycenter/qcbin/capicom.dll

DPF: {B2FC031D-8C74-46AE-8042-BCF4FC03C1EF} - hxxp://qualitycenter/qcbin/Spider91.cab

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-22 20:51:50

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1852)

c:\windows\system32\pssogina.dll

c:\windows\system32\csgina.dll

c:\windows\system32\VPNAPI.DLL

.

Completion time: 2009-01-22 20:55:34

ComboFix-quarantined-files.txt 2009-01-23 01:55:30

ComboFix2.txt 2009-01-22 02:16:12

Pre-Run: 45,091,725,312 bytes free

Post-Run: 45,076,369,408 bytes free

186

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 21:03, on 2009-01-22

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

c:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Prot_srv.exe

C:\WINDOWS\system32\pstartSr.exe

C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe

C:\WINDOWS\system32\CCM\CcmExec.exe

C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Pointsec\Pointsec for PC\P95Tray.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\McAfee\Common Framework\UdaterUI.exe

C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\McAfee\Host Intrusion Prevention\HIPSCore\HIPSvc.exe

C:\Program Files\McAfee\Common Framework\McTray.exe

C:\Program Files\Boingo\GoBoingo\GoBoingo.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Apoint\HidFind.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.adobe.com/shockwave/download/tr...om/default.html

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = divproxywae1.cable.comcast.com:80

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = teamcomcast.cable.comcast.com;ahcws03.cable.comcast.com;ahcmt26.cable.comcast.co

m;www.teamcomcast.com;*.cable.comcast.com;*.hostedeet.com;*.comcastboardinformat

i

on.com;24.40.*.*;<local>

R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: AOL Search Enhancement - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)

O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll

O4 - HKLM\..\Run: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Pointsec Tray] C:\Program Files\Pointsec\Pointsec for PC\P95Tray.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet

O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [McAfee Host Intrusion Prevention Tray] "C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe"

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [GoBoingo] C:\Program Files\Boingo\GoBoingo\GoBoingo.exe

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

O4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')

O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .OPT: C:\Program Files\Stellent\IBPM\IBPMVwr.dll

O14 - IERESET.INF: START_PAGE_URL=http://teamcomcast

O16 - DPF: {3605B612-C3CF-4AB4-A426-2D853391DB2E} (Certificates Class) - http://qualitycenter/qcbin/capicom.dll

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1146854662468

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1146855274921

O16 - DPF: {B2FC031D-8C74-46AE-8042-BCF4FC03C1EF} (Loader Class v4) - http://qualitycenter/qcbin/Spider91.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corphq.comcast.com

O17 - HKLM\Software\..\Telephony: DomainName = corphq.comcast.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corphq.comcast.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corphq.comcast.com

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: McAfee Host Intrusion Prevention Service (enterceptAgent) - McAfee, Inc. - C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe

O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: McAfee HIPSCore Service (hips) - McAfee, Inc. - C:\Program Files\McAfee\Host Intrusion Prevention\HIPSCore\HIPSvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe

O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pointsec - Unknown owner - C:\WINDOWS\system32\Prot_srv.exe

O23 - Service: Pointsec Service Start (Pointsec_start) - Unknown owner - C:\WINDOWS\system32\pstartSr.exe

O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--

End of file - 11251 bytes

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.

  I accept