
I ran into an AV Security infection. While I got rid of the EXE files that were created by it, and it no longer stops my functioning, I still have a Trojan that is exploiting the NetworkService user and "ping.exe" to cause unauthorized internet activity. I believe there's also a redirect going on, and I'm afraid I may have a keylogger operating, as well.

Malwarebytes found some things and fixed them, but after restart I find that it's still having troubles. Loads of Temporary Internet files are getting loaded into NetworkService's Local Settings\Temporary Internet Files, and ping.exe is using lots of CPU time.

Attached are the log files from dds. Hope you can help.

Thanks!

attach.zip

dds.txt


OK, I see from other responses that I should have included the text of the attachments in my post, despite the fact that "Attach.txt" specifically includes the instruction to ZIP the file and attach it. Here you go:

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft Windows XP Home Edition

Boot Device: \Device\HarddiskVolume1

Install Date: 11/6/2006 5:43:39 AM

System Uptime: 11/23/2011 1:41:50 AM (1 hours ago)

.

Motherboard: Dell Computer Corp. | |

Processor: Intel® Pentium® 4 CPU 2.00GHz | Microprocessor | 1993/400mhz

.

==== Disk Partitions =========================

.

A: is Removable

C: is FIXED (NTFS) - 74 GiB total, 31.012 GiB free.

D: is CDROM ()

E: is CDROM ()

F: is FIXED (NTFS) - 699 GiB total, 313.643 GiB free.

G: is Removable

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

RP1636: 10/15/2011 5:31:32 PM - System Checkpoint

RP1637: 10/15/2011 11:38:04 PM - Software Distribution Service 3.0

RP1638: 10/16/2011 9:28:36 AM - Software Distribution Service 3.0

RP1639: 10/17/2011 4:07:56 PM - Software Distribution Service 3.0

RP1640: 10/18/2011 6:05:58 PM - Software Distribution Service 3.0

RP1641: 10/19/2011 7:41:57 PM - Software Distribution Service 3.0

RP1642: 10/21/2011 12:50:33 AM - Software Distribution Service 3.0

RP1643: 10/23/2011 10:12:43 PM - Software Distribution Service 3.0

RP1644: 10/24/2011 10:37:56 PM - Software Distribution Service 3.0

RP1645: 10/25/2011 11:12:32 PM - System Checkpoint

RP1646: 10/26/2011 9:06:56 PM - Software Distribution Service 3.0

RP1647: 10/27/2011 9:10:08 PM - System Checkpoint

RP1648: 10/28/2011 5:25:07 PM - Software Distribution Service 3.0

RP1649: 10/29/2011 10:50:38 PM - Software Distribution Service 3.0

RP1650: 10/30/2011 11:22:58 PM - System Checkpoint

RP1651: 10/31/2011 9:34:49 PM - Software Distribution Service 3.0

RP1652: 11/1/2011 9:44:06 PM - System Checkpoint

RP1653: 11/2/2011 8:27:21 PM - Software Distribution Service 3.0

RP1654: 11/3/2011 9:25:42 PM - System Checkpoint

RP1655: 11/4/2011 4:19:34 PM - Software Distribution Service 3.0

RP1656: 11/5/2011 4:52:58 PM - System Checkpoint

RP1657: 11/5/2011 11:10:31 PM - Software Distribution Service 3.0

RP1658: 11/7/2011 12:50:45 AM - System Checkpoint

RP1659: 11/7/2011 5:34:31 PM - Software Distribution Service 3.0

RP1660: 11/8/2011 7:20:34 PM - System Checkpoint

RP1661: 11/8/2011 11:00:25 PM - Software Distribution Service 3.0

RP1662: 11/9/2011 6:45:15 AM - Software Distribution Service 3.0

RP1663: 11/10/2011 4:16:15 PM - Software Distribution Service 3.0

RP1664: 11/10/2011 7:24:50 PM - Software Distribution Service 3.0

RP1665: 11/13/2011 9:44:26 PM - Software Distribution Service 3.0

RP1666: 11/14/2011 11:07:02 PM - System Checkpoint

RP1667: 11/15/2011 4:45:54 PM - Software Distribution Service 3.0

RP1668: 11/16/2011 10:24:03 PM - Software Distribution Service 3.0

RP1669: 11/17/2011 10:30:13 PM - System Checkpoint

RP1670: 11/18/2011 4:55:12 PM - Software Distribution Service 3.0

RP1671: 11/19/2011 5:21:49 PM - System Checkpoint

RP1672: 11/19/2011 11:09:49 PM - Software Distribution Service 3.0

RP1673: 11/20/2011 12:01:57 AM - Restore Operation

RP1674: 11/20/2011 12:10:11 AM - Software Distribution Service 3.0

RP1675: 11/20/2011 12:12:46 AM - Restore Operation

RP1676: 11/20/2011 12:21:18 AM - Software Distribution Service 3.0

RP1677: 11/20/2011 2:58:38 PM - Software Distribution Service 3.0

RP1678: 11/22/2011 12:26:36 AM - Software Distribution Service 3.0

RP1679: 11/22/2011 12:42:23 PM - Software Distribution Service 3.0

.

==== Installed Programs ======================

.

AAC Decoder

Across Lite 2.0

Adobe AIR

Adobe Flash Player 11 ActiveX

Adobe Reader 8.3.1

Adobe Shockwave Player 11

AIM 7

AirPort

Amazon MP3 Downloader 1.0.3

AOL Instant Messenger

Apple Application Support

Apple Mobile Device Support

Apple Software Update

ASPCA TriMini Reminder by We-Care.com v5.0.2.1

AutoUpdate

B57Inst

Backup To CD-RW 5.1

Bonjour

Broadcom Driver Installer

Brother's Keeper 6.1

Bugatron 1.51d

Canon Camera Access Library

Canon Camera Support Core Library

Canon G.726 WMP-Decoder

Canon MovieEdit Task for ZoomBrowser EX

Canon RAW Image Task for ZoomBrowser EX

Canon Utilities CameraWindow

Canon Utilities CameraWindow DC

Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX

Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX

Canon Utilities Easy-PhotoPrint EX

Canon Utilities EOS Utility

Canon Utilities My Printer

Canon Utilities MyCamera

Canon Utilities MyCamera DC

Canon Utilities PhotoStitch

Canon Utilities RemoteCapture Task for ZoomBrowser EX

Canon Utilities Solution Menu

Canon Utilities ZoomBrowser EX

Canon ZoomBrowser EX Memory Card Utility

CardRd81

CCScore

Citrix online plug-in - web

Citrix online plug-in (DV)

Citrix online plug-in (HDX)

Citrix online plug-in (USB)

Citrix online plug-in (Web)

Clayside

Compatibility Pack for the 2007 Office system

Compton's Interactive Encyclopedia 2000

Conexant HSF V92 56K RTAD Speakerphone PCI Modem

CR2

DeductionPro 2006

Disney's Toontown Online

DivX Codec

DivX Converter

DivX Player

DivX Plus DirectShow Filters

DivX Version Checker

DivX Web Player

Documents To Go

Download Updater (AOL LLC)

Easy CD Creator 5 Basic

ESSBrwr

ESSCDBK

ESScore

ESSgui

ESSini

ESSPCD

ESSPDock

ESSSONIC

ESSTOOLS

essvatgt

FLVPlayer4Free Free FLV Player 3.8.0.0

Gabbasoft Cube Demo

Garmin City Navigator North America NT 2010.20

Garmin City Navigator North America NT 2010.30

Garmin Communicator Plugin

Garmin Lifetime Updater

Garmin USB Drivers

Garmin WebUpdater

Google Earth

Google Update Helper

GreenPrint World

H.264 Decoder

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows Internet Explorer 7 (KB947864)

Hotfix for Windows XP (KB2158563)

Hotfix for Windows XP (KB2443685)

Hotfix for Windows XP (KB2570791)

Hotfix for Windows XP (KB954550-v5)

Hotfix for Windows XP (KB961118)

Hotfix for Windows XP (KB970653-v3)

Hotfix for Windows XP (KB976098-v2)

Hotfix for Windows XP (KB979306)

Hotfix for Windows XP (KB981793)

HP DeskJet 710C Series (Remove only)

HP Officejet 6500 E710n-z Basic Device Software

HP Officejet 6500 E710n-z Help

HP Officejet 6500 E710n-z Product Improvement Study

HP Update

I.R.I.S. OCR

Inkjet Printer/Scanner Extended Survey Program

Intel® PRO Ethernet Adapter and Software

IrfanView (remove only)

iTunes

Java 6 Update 13

kgcbase

Kidspiration 2 Trial

Kodak EasyShare software

kSolo Recorder

Malwarebytes' Anti-Malware version 1.51.2.1300

Marble Blaster

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft .NET Framework 4 Client Profile

Microsoft Antimalware

Microsoft Application Error Reporting

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft Easy Assist v2

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft Kernel-Mode Driver Framework Feature Pack 1.5

Microsoft National Language Support Downlevel APIs

Microsoft Office Live Meeting 2007

Microsoft Office Sounds

Microsoft Office XP Professional

Microsoft Security Client

Microsoft Security Essentials

Microsoft Text-to-Speech Engine 4.0 (English)

Microsoft User-Mode Driver Framework Feature Pack 1.0

Microsoft VC9 runtime libraries

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Windows Media Video 9 VCM

Microsoft WinUsb 1.0

Microsoft XML Parser

MKV Splitter

MobileMe Control Panel

Move Media Player

Mozilla Thunderbird (2.0.0.24)

MSXML 4.0 SP2 (KB925672)

MSXML 4.0 SP2 (KB927978)

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

MSXML 6.0 Parser (KB933579)

Nanny Shutdown 1.2

netbrdg

Netscape Communicator 4.8

NTI Backup Now EZ

NVIDIA Display Driver

OfotoXMI

Palm Desktop by ACCESS

PowerDVD

QuickTime

Ready For Reading

RealPlayer

Rhapsody

Rhapsody Player Engine

Safari

SAMSUNG CDMA Modem Driver Set

SAMSUNG Mobile Composite Device Software

Samsung Mobile phone USB driver Software

SAMSUNG Mobile USB Modem 1.0 Software

SAMSUNG Mobile USB Modem Software

Samsung PC Studio 3

Security Update for CAPICOM (KB931906)

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)

Security Update for Microsoft Windows (KB2564958)

Security Update for Windows Internet Explorer 7 (KB928090)

Security Update for Windows Internet Explorer 7 (KB929969)

Security Update for Windows Internet Explorer 7 (KB931768)

Security Update for Windows Internet Explorer 7 (KB933566)

Security Update for Windows Internet Explorer 7 (KB937143)

Security Update for Windows Internet Explorer 7 (KB938127)

Security Update for Windows Internet Explorer 7 (KB939653)

Security Update for Windows Internet Explorer 7 (KB942615)

Security Update for Windows Internet Explorer 7 (KB944533)

Security Update for Windows Internet Explorer 7 (KB950759)

Security Update for Windows Internet Explorer 7 (KB953838)

Security Update for Windows Internet Explorer 7 (KB956390)

Security Update for Windows Internet Explorer 7 (KB958215)

Security Update for Windows Internet Explorer 7 (KB960714)

Security Update for Windows Internet Explorer 7 (KB961260)

Security Update for Windows Internet Explorer 7 (KB963027)

Security Update for Windows Internet Explorer 7 (KB969897)

Security Update for Windows Internet Explorer 7 (KB972260)

Security Update for Windows Internet Explorer 8 (KB2183461)

Security Update for Windows Internet Explorer 8 (KB2360131)

Security Update for Windows Internet Explorer 8 (KB2416400)

Security Update for Windows Internet Explorer 8 (KB2482017)

Security Update for Windows Internet Explorer 8 (KB2497640)

Security Update for Windows Internet Explorer 8 (KB2510531)

Security Update for Windows Internet Explorer 8 (KB2530548)

Security Update for Windows Internet Explorer 8 (KB2544521)

Security Update for Windows Internet Explorer 8 (KB2559049)

Security Update for Windows Internet Explorer 8 (KB2586448)

Security Update for Windows Internet Explorer 8 (KB971961)

Security Update for Windows Internet Explorer 8 (KB972260)

Security Update for Windows Internet Explorer 8 (KB974455)

Security Update for Windows Internet Explorer 8 (KB976325)

Security Update for Windows Internet Explorer 8 (KB978207)

Security Update for Windows Internet Explorer 8 (KB981332)

Security Update for Windows Internet Explorer 8 (KB982381)

Security Update for Windows Media Player (KB2378111)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB968816)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player (KB975558)

Security Update for Windows Media Player (KB978695)

Security Update for Windows XP (KB2079403)

Security Update for Windows XP (KB2115168)

Security Update for Windows XP (KB2121546)

Security Update for Windows XP (KB2160329)

Security Update for Windows XP (KB2229593)

Security Update for Windows XP (KB2259922)

Security Update for Windows XP (KB2279986)

Security Update for Windows XP (KB2286198)

Security Update for Windows XP (KB2296011)

Security Update for Windows XP (KB2296199)

Security Update for Windows XP (KB2347290)

Security Update for Windows XP (KB2360937)

Security Update for Windows XP (KB2387149)

Security Update for Windows XP (KB2393802)

Security Update for Windows XP (KB2412687)

Security Update for Windows XP (KB2419632)

Security Update for Windows XP (KB2423089)

Security Update for Windows XP (KB2436673)

Security Update for Windows XP (KB2440591)

Security Update for Windows XP (KB2443105)

Security Update for Windows XP (KB2476490)

Security Update for Windows XP (KB2476687)

Security Update for Windows XP (KB2478960)

Security Update for Windows XP (KB2478971)

Security Update for Windows XP (KB2479628)

Security Update for Windows XP (KB2479943)

Security Update for Windows XP (KB2481109)

Security Update for Windows XP (KB2483185)

Security Update for Windows XP (KB2485376)

Security Update for Windows XP (KB2485663)

Security Update for Windows XP (KB2503658)

Security Update for Windows XP (KB2503665)

Security Update for Windows XP (KB2506212)

Security Update for Windows XP (KB2506223)

Security Update for Windows XP (KB2507618)

Security Update for Windows XP (KB2507938)

Security Update for Windows XP (KB2508272)

Security Update for Windows XP (KB2508429)

Security Update for Windows XP (KB2509553)

Security Update for Windows XP (KB2511455)

Security Update for Windows XP (KB2524375)

Security Update for Windows XP (KB2535512)

Security Update for Windows XP (KB2536276-v2)

Security Update for Windows XP (KB2536276)

Security Update for Windows XP (KB2544893-v2)

Security Update for Windows XP (KB2544893)

Security Update for Windows XP (KB2555917)

Security Update for Windows XP (KB2562937)

Security Update for Windows XP (KB2566454)

Security Update for Windows XP (KB2567053)

Security Update for Windows XP (KB2567680)

Security Update for Windows XP (KB2570222)

Security Update for Windows XP (KB2570947)

Security Update for Windows XP (KB2592799)

Security Update for Windows XP (KB913433)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961371)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB969947)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB971468)

Security Update for Windows XP (KB971486)

Security Update for Windows XP (KB971557)

Security Update for Windows XP (KB971633)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB971961)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973346)

Security Update for Windows XP (KB973354)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973525)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975561)

Security Update for Windows XP (KB975562)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB977165)

Security Update for Windows XP (KB977816)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978037)

Security Update for Windows XP (KB978251)

Security Update for Windows XP (KB978262)

Security Update for Windows XP (KB978338)

Security Update for Windows XP (KB978542)

Security Update for Windows XP (KB978601)

Security Update for Windows XP (KB978706)

Security Update for Windows XP (KB979309)

Security Update for Windows XP (KB979482)

Security Update for Windows XP (KB979559)

Security Update for Windows XP (KB979683)

Security Update for Windows XP (KB979687)

Security Update for Windows XP (KB980195)

Security Update for Windows XP (KB980218)

Security Update for Windows XP (KB980232)

Security Update for Windows XP (KB980436)

Security Update for Windows XP (KB981322)

Security Update for Windows XP (KB981852)

Security Update for Windows XP (KB981957)

Security Update for Windows XP (KB981997)

Security Update for Windows XP (KB982132)

Security Update for Windows XP (KB982214)

Security Update for Windows XP (KB982665)

Security Update for Windows XP (KB982802)

SFR

SHASTA

skin0001

SKINXSDK

SmileyBuddy 1.0.6

Sound Blaster Live!

SpongeBob SquarePants Typing

staticcr

Super Solvers Spellbound

Symantec Technical Support Web Controls

Times Reader

tooltips

Tweak UI

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Microsoft Windows (KB971513)

Update for Windows Internet Explorer 8 (KB2447568)

Update for Windows Internet Explorer 8 (KB973874)

Update for Windows Internet Explorer 8 (KB976662)

Update for Windows Internet Explorer 8 (KB976749)

Update for Windows Internet Explorer 8 (KB980182)

Update for Windows XP (KB2141007)

Update for Windows XP (KB2345886)

Update for Windows XP (KB2467659)

Update for Windows XP (KB2492386)

Update for Windows XP (KB2541763)

Update for Windows XP (KB2607712)

Update for Windows XP (KB2616676)

Update for Windows XP (KB2641690)

Update for Windows XP (KB955759)

Update for Windows XP (KB968389)

Update for Windows XP (KB971029)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

VC 9.0 Runtime

VC80CRTRedist - 8.0.50727.4053

Viewpoint Media Player

VLC media player 1.0.1

VPRINTOL

WebEx

WebFldrs XP

Windows Defender

Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)

Windows Easy Transfer

Windows Genuine Advantage Notifications (KB905474)

Windows Genuine Advantage Validation Tool (KB892130)

Windows Imaging Component

Windows Internet Explorer 7

Windows Internet Explorer 8

Windows Media Format 11 runtime

Windows Media Player 11

Windows XP Service Pack 3

Winmail Reader 1.1.12

WinRAR archiver

WIRELESS

.

==== Event Viewer Messages From Past Week ========

.

11/23/2011 12:58:13 AM, error: Service Control Manager [7000] - The MBAMSwissArmy service failed to start due to the following error: The system cannot find the file specified.

11/23/2011 1:44:21 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service iPod Service with arguments "" in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}

11/23/2011 1:42:56 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: PCIIde

11/21/2011 12:16:54 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service upnphost with arguments "" in order to run the server: {204810B9-73B2-11D4-BF42-00B0D0118B56}

11/21/2011 1:55:50 AM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.

11/21/2011 1:54:10 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

11/21/2011 1:48:07 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD cdudf_xp ctxusbm Fips intelppm IPSec MpFilter MRxSmb NetBIOS NetBT RasAcd Rdbss StarOpen Tcpip

11/21/2011 1:48:07 AM, error: Service Control Manager [7001] - The Network Location Awareness (NLA) service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.

11/21/2011 1:48:07 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.

11/21/2011 1:48:07 AM, error: Service Control Manager [7001] - The IP Traffic Filter Driver service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

11/21/2011 1:48:07 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

11/21/2011 1:48:07 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.

11/21/2011 1:48:07 AM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

11/21/2011 1:48:07 AM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

11/21/2011 1:40:58 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service MDM with arguments "" in order to run the server: {0C0A3666-30C9-11D0-8F20-00805F2CD064}

11/20/2011 4:03:33 AM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).

11/20/2011 2:48:06 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: i8042prt

11/20/2011 2:40:42 AM, error: Service Control Manager [7031] - The Windows Presentation Foundation Font Cache 4.0.0.0 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.

.

==== End Of File ===========================

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by Mark at 2:03:52 on 2011-11-23

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1361 [GMT -5:00]

.

AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\NewTech Infosystems\Backup Now EZ\BackupNowEZSvr.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\Explorer.EXE

C:\Program Files\Nanny Shutdown\NannyShutdown\NannyShutdown.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\Program Files\AirPort\APAgent.exe

C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Garmin\Lifetime Updater\GarminLifetime.exe

C:\Program Files\clySmic\Lunar Almanack\Lunabar.exe

C:\Palm\Hotsync.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\taskmgr.exe

C:\WINDOWS\System32\ping.exe

C:\Program Files\Internet Explorer\iexplore.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

uInternet Connection Wizard,ShellNext = iexplore

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: WeCareReminder Class: {d824f0de-3d60-4f57-9eb1-66033ecd8abb} - c:\documents and settings\all users\application data\wecarereminder\IEHelperv2.5.0.dll

BHO: CGreenPrintPDF Object: {df96ba30-57f6-4700-8065-910ec3be9e3b} - c:\program files\greenprint technologies\greenprint world\GPIEPlugin.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Garmin Lifetime Updater] c:\program files\garmin\lifetime updater\GarminLifetime.exe /StartMinimized

uRunOnce: [shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~2.EXE -Update -1100465 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MS-RTC EA 2; MS-RTC LM 8; .NET4.0C)" -"http://www.shockwave.com/gamelanding/inklink.jsp"

mRun: [NannyShutDown] c:\program files\nanny shutdown\nannyshutdown\NannyShutdown.exe

mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [AirPort Base Station Agent] "c:\program files\airport\APAgent.exe"

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [<NO NAME>]

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

StartupFolder: c:\docume~1\mark\startm~1\programs\startup\hotsyn~1.lnk - c:\palm\Hotsync.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\shortc~1.lnk - c:\program files\clysmic\lunar almanack\Lunabar.exe

uPolicies-explorer: NoViewOnDrive = 0 (0x0)

uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)

uPolicies-explorer: NoTaskGrouping = 1 (0x1)

IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\netscape\communicator\program\aim\aim.exe

LSP: mswsock.dll

Trusted Zone: folksamerica.com\portal

Trusted Zone: folksamerica.com\portal1

Trusted Zone: folksamerica.com\portal2

Trusted Zone: go.com\abc

DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/3.0.1.0/GarminAxControl.CAB

DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab

DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/C/B/F/CBF23A2C-3E55-4664-BC5C-762780D79BA0/OGAControl.cab

DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/Dcode/ActiveX/MSDcode.cab

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab

DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab

DPF: {63F5866B-A7C5-40B4-9A89-0CCA99726C8D} - hxxps://secure.logmeinrescue.com/Customer/x86/RescueDownloader.cab

DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {924B4927-D3BA-41EA-9F7E-8A89194AB3AC} - hxxp://panda-plugin.disney.go.com/plugin/win32/p3dactivex.cab

DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://aon.webex.com/client/T26L10NSP49EP9/webex/ieatgpc.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 10.0.1.1

TCP: Interfaces\{CE043A47-1FD9-4B24-8476-8D61B149331B} : DhcpNameServer = 10.0.1.1

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

.

============= SERVICES / DRIVERS ===============

.

R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2009-9-8 65584]

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 165648]

R1 MpKsl3d553327;MpKsl3d553327;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f0121cc3-8b21-4324-802c-853617d9776d}\MpKsl3d553327.sys [2011-11-23 28752]

R2 HPFECP13;HPFECP13;c:\windows\system32\drivers\HPFecp13.sys [1998-9-24 52800]

R2 NTI BackupNowEZSvr;NTI BackupNowEZSvr;c:\program files\newtech infosystems\backup now ez\BackupNowEZSvr.exe [2010-9-17 45312]

R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

S1 MpKsl36e12184;MpKsl36e12184;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ea0508f4-e12c-498e-9473-c0686db7ba12}\mpksl36e12184.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ea0508f4-e12c-498e-9473-c0686db7ba12}\MpKsl36e12184.sys [?]

S1 MpKsl85909012;MpKsl85909012;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3f40916e-fc95-4edc-88b2-aeb6e9539b6b}\mpksl85909012.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3f40916e-fc95-4edc-88b2-aeb6e9539b6b}\MpKsl85909012.sys [?]

S1 MpKsl9615f4f1;MpKsl9615f4f1;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5de419f4-8126-47c1-b3b3-fca6525dadbb}\mpksl9615f4f1.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5de419f4-8126-47c1-b3b3-fca6525dadbb}\MpKsl9615f4f1.sys [?]

S1 MpKslca02d067;MpKslca02d067;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{27d7902b-127c-49a9-b411-eef92885fe9a}\mpkslca02d067.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{27d7902b-127c-49a9-b411-eef92885fe9a}\MpKslca02d067.sys [?]

S1 MpKslfef728d7;MpKslfef728d7;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{4b8ac10d-a884-44f9-90c9-1809d23e2f38}\mpkslfef728d7.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{4b8ac10d-a884-44f9-90c9-1809d23e2f38}\MpKslfef728d7.sys [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;\??\c:\windows\system32\drivers\nsdriver.sys --> c:\windows\system32\drivers\NSDriver.sys [?]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-4-19 136176]

S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]

S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-19 136176]

S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-10-23 24652]

S4 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

.

=============== Created Last 30 ================

.

2011-11-23 06:42:59 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f0121cc3-8b21-4324-802c-853617d9776d}\MpKsl3d553327.sys

2011-11-23 06:42:48 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f0121cc3-8b21-4324-802c-853617d9776d}\offreg.dll

2011-11-23 05:57:00 -------- d-----w- c:\documents and settings\mark\application data\Malwarebytes

2011-11-23 05:56:41 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2011-11-23 05:56:35 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-11-23 05:56:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-11-23 05:52:08 -------- d-----w- c:\program files\Microsoft Windows OneCare Live

2011-11-22 17:42:31 6668624 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f0121cc3-8b21-4324-802c-853617d9776d}\mpengine.dll

2011-11-20 23:41:33 -------- d-----w- c:\windows\Hewlett-Packard

2011-11-20 20:36:10 -------- d-----w- C:\Sun

2011-11-20 05:14:21 -------- d-----w- c:\windows\system32\wbem\repository\FS

2011-11-20 05:14:21 -------- d-----w- c:\windows\system32\wbem\Repository

.

==================== Find3M ====================

.

2011-11-15 03:29:26 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-09-26 15:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll

2011-09-26 15:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll

2011-09-26 15:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll

2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys

.

============= FINISH: 2:05:43.32 ===============

Thank you and hope you all had a great Thanksgiving!



Whether you wish to continue with cleaning or not, you should be aware that you may have been infected by a backdoor trojan. This type of program has the ability to steal passwords and other information from your system. If you are using your computer for sensitive purposes such as internet banking, then I recommend you take the following steps immediately:

  • Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, paypal, ebay, etc. You should also change the passwords for any other site you use.
  • Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen and ask what steps to take with regard to your account.
  • Consider what other private information could possibly have been taken from your computer and take appropriate steps.
  • Removing this infection can also disable the ability to connect to the internet.

This infection can almost certainly be cleaned, but as the malware could be configured to run any program a remote attacker requires, it will be impossible to be 100% sure that the machine is clean. If this is unacceptable to you, then you should consider reformatting the system partition and reinstalling Windows, as this is the only 100% sure answer.

Please post back to let me know how you wish to proceed.


Are you saying that a hacker may be stealing files from my computer? That's pretty scary!

I would like to clean this out, but how can I tell whether or not it's still infected?

Security Essentials has cleaned out a "uruy" trojan a couple of times, but I'm still having issues.

I would like to clean it out, but if I then have trouble accessing the internet, what do I do? Would switching to Firefox or Google Chrome help? Right now, the internet is active even when my e-mail and IE are both closed. That's no good!

Thank you for your help.


Are you saying that a hacker may be stealing files from my computer? That's pretty scary!
Yes
I would like to clean this out, but how can I tell whether or not it's still infected?
Once infected with a BackDoor it will be impossible to be 100% sure that the machine is clean. If this is unacceptable to you, then you should consider reformatting the system partition and reinstalling Windows, as this is the only 100% sure answer.

In your case though I think a Repair Install would be the way to go if you have important data that would be lost doing a Reformat.

I would like to clean it out, but if I then have trouble accessing the internet, what do I do?
Repair Install
Would switching to Firefox or Google Chrome help?
No
Right now, the internet is active even when my e-mail and IE are both closed. That's no good!
That's the whole purpose of the infection.

The infection you have is called ZA (ZeroAccess).

In most cases when attempting to remove the infection it disables access to the internet.

I would suggest a Repair Install.

http://www.geekstogo.com/forum/topic/138-how-to-repair-windows-xp/

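The symptom this thread turns on is a long-running ping.exe owned by NetworkService and a cache directory filling up while no browser is open. The script below is an added triage check written for this page; it is not code from any of the thread's participants. It assumes PowerShell 2.0 has been installed on the XP SP3 machine (it is not present on XP by default) and that the NetworkService profile lives at the default path; both are assumptions, and the path should be adjusted if the profile is elsewhere.

```powershell
# Added triage example for this thread, not from the original posts.
# Assumptions: PowerShell 2.0 on XP SP3 (WMI cmdlets available), default
# profile location for the NetworkService account.

$svcCache = 'C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files'

# 1. Every running ping.exe: who owns it, what launched it, how long it has
#    burned CPU. A legitimate ping.exe is short-lived and started from a
#    console by an interactive user; one owned by NT AUTHORITY\NETWORK SERVICE,
#    parented by a service host or an unknown binary, and accumulating CPU
#    time matches the behaviour described above.
Get-WmiObject Win32_Process -Filter "Name = 'ping.exe'" | ForEach-Object {
    $owner  = $_.GetOwner()
    $parent = Get-WmiObject Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
    $parentPath = '<exited>'
    if ($parent) { $parentPath = $parent.ExecutablePath }

    New-Object PSObject -Property @{
        PID         = $_.ProcessId
        Owner       = "$($owner.Domain)\$($owner.User)"
        ParentPID   = $_.ParentProcessId
        Parent      = $parentPath
        CommandLine = $_.CommandLine
        # Kernel/user times are reported in 100 ns units
        CPUSeconds  = [int](($_.KernelModeTime + $_.UserModeTime) / 10000000)
    }
} | Format-List PID, Owner, ParentPID, Parent, CommandLine, CPUSeconds

# 2. Files written to NetworkService's IE cache in the last hour. A service
#    account has no reason to be fetching web content while the user's
#    browser and mail client are closed, so a non-zero count here after
#    cleanup means something is still making HTTP requests under that account.
$cutoff = (Get-Date).AddHours(-1)
$recent = Get-ChildItem -Path $svcCache -Recurse -Force -ErrorAction SilentlyContinue |
          Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -gt $cutoff }
"{0} cache files written under NetworkService in the last hour" -f @($recent).Count
```

Run it from an elevated console before and after any cleanup step, and again after the Repair Install described below: the process list should come back empty and the cache count should stay at zero with the browser closed. It is only a symptom check, not proof that the machine is clean; the advice above about a backdoor still stands.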

Thanks, Larry. I'll try the Repair Install. But, will I then be unable to access the Internet? Or may I still be infected?

I don't have a partitioned hard drive, and I have XP from 10 years ago, with all of the updates, running on my old PC. Reinstalling Windows will be a major headache, which will cost me at least a week of my life to get back to normal (if I ever can recover everything). I'm afraid if I recover from a backup that I'll just be reinstalling the virus.

Anyway, I'll know pretty quickly if the trojan is still active after I do the reinstall. Wish me luck!


It seems to have worked, after having to reinstall SP3 and 106 more updates (!). My main concern was that the instructions said to turn on the Windows Firewall before going on the Internet to avoid being attacked. But neither the Firewall nor Security Essentials would turn on before I installed SP3. But I couldn't get SP3 without going on the Internet. Talk about a Catch-22!! So I made sure to run a Malwarebytes scan and a Security Essentials scan and they're both clean. SE popped up a couple of times but seems to have cleaned out what it found. No more ping.exe running, no more files building up in Network Service, and it's running faster now.

Thank you for your help. You may go ahead and close the topic. I'll start a new one if I run into any more problems.
