Infected with trojan that redirects to MSN Live login page....


Hello,

After clicking on a link I searched for (it's a small business site that is valid), I immediately realized that it was infected since it started downloading something to my sibling's laptop. Of course I tried to stop it and turned off the laptop, but it was too late. Since this is an old laptop (Compaq with 224 MB RAM), I didn't have virus protection running, since it can barely run Firefox and MS Office 2007 together (the reason why I have it). I know that I have to fix that.

The laptop runs fine and surfing resumed as normal... until I try to click any link from a "free virus scan" or "malwarebytes" search. Basically I can't access this site from this laptop (I'm using my desktop). I ran Malwarebytes, both the Quick and Full scans, but nothing turned up.

Would this infect another laptop if it used the same router port (the router has fewer ports than we have devices) as the infected laptop? Thanks in advance.

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_33

Run by roaming at 10:03:06 on 2012-07-07

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.223.65 [GMT -5:00]

.

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\SMC\EZ ConnectTM g 108Mbps Wireless USB Adapter\SMCWUSBT.exe

svchost.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\wuauclt.exe

.

============== Pseudo HJT Report ===============

.

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

BHO: {74F6C5A9-0EAD-4a71-891E-376A838DF1F0} - No File

BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {E8558D71-5E4E-4217-B608-D2F5D3623AE3} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Agtoavl] "c:\documents and settings\roaming\application data\nyqe\zaci.exe"

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

StartupFolder: c:\docume~1\roaming\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ezconn~1.lnk - c:\program files\smc\ez connecttm g 108mbps wireless usb adapter\SMCWUSBT.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab

TCP: DhcpNameServer = 192.168.20.1

TCP: Interfaces\{ADECFFDA-2C63-4730-B7C9-355DB3554575} : DhcpNameServer = 192.168.20.1

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL

Handler: saphtmlp - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\sapgui\SAPHTMLP.DLL

Handler: sapr3 - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\sapgui\SAPHTMLP.DLL

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\roaming\application data\mozilla\firefox\profiles\b1j5g1ua.default\

FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official

FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll

FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll

FF - plugin: c:\program files\mozilla firefox\plugins\NPcol400.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll

FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_262.dll

FF - plugin: c:\windows\system32\npdeployJava1.dll

FF - plugin: c:\windows\system32\npptools.dll

.

---- FIREFOX POLICIES ----

FF - user.js: network.cookie.cookieBehavior - 0

FF - user.js: privacy.clearOnShutdown.cookies - false

FF - user.js: security.warn_viewing_mixed - false

FF - user.js: security.warn_viewing_mixed.show_once - false

FF - user.js: security.warn_submit_insecure - false

FF - user.js: security.warn_submit_insecure.show_once - false

.

============= SERVICES / DRIVERS ===============

.

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-6-23 654408]

R2 wlanndi5;wlanndi5 NDIS Protocol Driver;c:\windows\system32\wlanndi5.sys [2004-4-21 16384]

R3 ALiIRDA;ALi Infrared Device Driver;c:\windows\system32\drivers\alifir.sys [2009-5-28 26624]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-6-23 22344]

S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-4-24 113120]

S3 SMCUSBT;EZ ConnectTM g 108Mbps Wireless USB Adapter Service;c:\windows\system32\drivers\smcusbt1.sys [2009-11-6 360000]

.

=============== Created Last 30 ================

.

2012-06-24 15:33:36 476936 ----a-w- c:\windows\system32\npdeployJava1.dll

2012-06-24 15:30:24 73728 ----a-w- c:\windows\system32\javacpl.cpl

2012-06-24 15:10:52 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-06-24 15:10:50 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-06-23 20:34:19 -------- d-----w- c:\documents and settings\roaming\application data\Malwarebytes

2012-06-23 20:33:43 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2012-06-23 20:33:39 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-06-23 20:33:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-06-14 07:51:40 -------- d-----w- c:\program files\Spybot - Search & Destroy

2012-06-14 07:51:40 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy

2012-06-14 07:21:46 -------- d-----w- c:\windows\system32\wbem\repository\FS

2012-06-14 07:21:46 -------- d-----w- c:\windows\system32\wbem\Repository

.

==================== Find3M ====================

.

2012-06-24 15:32:51 472840 ----a-w- c:\windows\system32\deployJava1.dll

2012-06-10 10:25:42 230808 ----a-r- c:\windows\system32\cpnprt2.cid

2006-12-29 14:15:42 626688 ----a-w- c:\program files\common files\sapconsaccess.dll

2006-12-29 14:15:42 40960 ----a-w- c:\program files\common files\DigitalSignature.ocx

2006-12-29 14:15:42 3100672 ----a-w- c:\program files\common files\sapxlhelper.dll

2006-12-29 14:15:42 192512 ----a-w- c:\program files\common files\sapconsr3.dll

.

============= FINISH: 10:05:38.21 ===============

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 5/29/2009 2:04:32 AM

System Uptime: 7/7/2012 6:40:17 AM (4 hours ago)

.

Motherboard: Compaq | | 07D4h

Processor: Mobile AMD Athlon™ XP 1600+ | U23 | 1391/133mhz

.

==== Disk Partitions =========================

.

A: is Removable

C: is FIXED (NTFS) - 19 GiB total, 7.064 GiB free.

D: is CDROM (CDFS)

.

==== Disabled Device Manager Items =============

.

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}

Description: Video Controller (VGA Compatible)

Device ID: PCI\VEN_1002&DEV_4336&SUBSYS_00B00E11&REV_00\4&1764180E&0&2808

Manufacturer:

Name: Video Controller (VGA Compatible)

PNP Device ID: PCI\VEN_1002&DEV_4336&SUBSYS_00B00E11&REV_00\4&1764180E&0&2808

Service:

.

Class GUID:

Description: Ethernet Controller

Device ID: PCI\VEN_168C&DEV_0013&SUBSYS_2051168C&REV_01\4&3746BD07&0&0050

Manufacturer:

Name: Ethernet Controller

PNP Device ID: PCI\VEN_168C&DEV_0013&SUBSYS_2051168C&REV_01\4&3746BD07&0&0050

Service:

.

==== System Restore Points ===================

.

RP216: 5/8/2012 11:37:57 PM - System Checkpoint

RP217: 5/11/2012 1:13:16 PM - System Checkpoint

RP218: 5/12/2012 1:51:47 PM - System Checkpoint

RP219: 5/14/2012 5:14:02 AM - System Checkpoint

RP220: 5/17/2012 7:38:01 PM - System Checkpoint

RP221: 5/19/2012 1:26:09 AM - System Checkpoint

RP222: 5/21/2012 3:22:07 AM - System Checkpoint

RP223: 5/23/2012 4:29:32 PM - System Checkpoint

RP224: 5/25/2012 9:17:12 AM - System Checkpoint

RP225: 5/26/2012 1:01:07 PM - System Checkpoint

RP226: 5/27/2012 4:31:04 PM - System Checkpoint

RP227: 5/29/2012 10:28:43 PM - System Checkpoint

RP228: 5/31/2012 1:16:20 PM - System Checkpoint

RP229: 6/1/2012 4:45:26 PM - System Checkpoint

RP230: 6/2/2012 8:50:45 PM - System Checkpoint

RP231: 6/3/2012 9:17:41 PM - System Checkpoint

RP232: 6/4/2012 10:43:05 PM - System Checkpoint

RP233: 6/6/2012 8:37:36 PM - System Checkpoint

RP234: 6/8/2012 11:23:42 PM - System Checkpoint

RP235: 6/10/2012 1:40:12 PM - System Checkpoint

RP236: 6/11/2012 7:19:39 PM - System Checkpoint

RP237: 6/13/2012 7:32:19 PM - System Checkpoint

RP238: 6/14/2012 2:14:15 AM - Restore Operation

RP239: 6/15/2012 5:03:36 PM - System Checkpoint

RP240: 6/23/2012 1:08:17 PM - System Checkpoint

RP241: 6/24/2012 10:27:28 AM - Removed Java™ 6 Update 31

RP242: 6/24/2012 10:31:46 AM - Installed Java™ 6 Update 33

RP243: 6/26/2012 1:35:51 AM - System Checkpoint

RP244: 6/27/2012 12:54:45 PM - System Checkpoint

RP245: 6/28/2012 3:09:09 PM - System Checkpoint

RP246: 6/29/2012 7:12:24 PM - System Checkpoint

RP247: 6/30/2012 7:55:11 PM - System Checkpoint

RP248: 7/1/2012 8:24:37 PM - System Checkpoint

RP249: 7/3/2012 3:02:05 PM - System Checkpoint

RP250: 7/5/2012 2:48:02 PM - System Checkpoint

RP251: 7/6/2012 6:16:54 PM - System Checkpoint

.

==== Installed Programs ======================

.

7-Zip 9.20

Adobe AIR

Adobe Flash Player 11 Plugin

Adobe Reader X (10.1.2)

Coupon Printer for Windows

Crystal Reports 2008 SP3

EZ ConnectTM g 108Mbps Wireless USB Adapter

GoToMeeting 4.8.0.723

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB981793)

Java Auto Updater

Java™ 6 Update 23

Java™ 6 Update 33

Malwarebytes Anti-Malware version 1.61.0.1400

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Security Update (KB979906)

Microsoft Office Access MUI (English) 2007

Microsoft Office Access Setup Metadata MUI (English) 2007

Microsoft Office Enterprise 2007

Microsoft Office Excel MUI (English) 2007

Microsoft Office Groove MUI (English) 2007

Microsoft Office Groove Setup Metadata MUI (English) 2007

Microsoft Office InfoPath MUI (English) 2007

Microsoft Office OneNote MUI (English) 2007

Microsoft Office Outlook MUI (English) 2007

Microsoft Office PowerPoint MUI (English) 2007

Microsoft Office Proof (English) 2007

Microsoft Office Proof (French) 2007

Microsoft Office Proof (Spanish) 2007

Microsoft Office Proofing (English) 2007

Microsoft Office Publisher MUI (English) 2007

Microsoft Office Shared MUI (English) 2007

Microsoft Office Shared Setup Metadata MUI (English) 2007

Microsoft Office Word MUI (English) 2007

Microsoft redistributable runtime DLLs VS2005(x86)

Microsoft Software Update for Web Folders (English) 12

Microsoft Visual C++ 2005 Redistributable

Microsoft WSE 2.0 SP3 Runtime

Mozilla Firefox 13.0.1 (x86 en-US)

Mozilla Maintenance Service

MSN

MSXML 4.0 SP2 (KB954430)

MyScribe

SAP GUI 7.10

Security Update for Windows Internet Explorer 8 (KB971961)

Security Update for Windows Internet Explorer 8 (KB981332)

Security Update for Windows Internet Explorer 8 (KB982381)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player (KB978695)

Security Update for Windows Media Player (KB979402)

Security Update for Windows XP (KB2229593)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB923789)

Security Update for Windows XP (KB944338-v2)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB958470)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB971032)

Security Update for Windows XP (KB971468)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB971961)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975561)

Security Update for Windows XP (KB975562)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB977816)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978037)

Security Update for Windows XP (KB978338)

Security Update for Windows XP (KB978542)

Security Update for Windows XP (KB978601)

Security Update for Windows XP (KB978706)

Security Update for Windows XP (KB979309)

Security Update for Windows XP (KB979482)

Security Update for Windows XP (KB979559)

Security Update for Windows XP (KB979683)

Security Update for Windows XP (KB980195)

Security Update for Windows XP (KB980218)

Security Update for Windows XP (KB980232)

Security Update for Windows XP (KB981350)

Security Update for Windows XP (KB982381)

Spybot - Search & Destroy

Update for Windows Internet Explorer 8 (KB976662)

Update for Windows XP (KB898461)

Update for Windows XP (KB955759)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

WebEx Training Manager for Firefox or Chrome

WebFldrs XP

Windows Installer 3.1 (KB893803)

Windows Internet Explorer 8

.

==== Event Viewer Messages From Past Week ========

.

7/3/2012 3:39:30 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the wscsvc service.

7/3/2012 11:55:56 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.

7/3/2012 11:55:56 AM, error: Service Control Manager [7000] - The Application Layer Gateway Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

7/2/2012 4:36:32 AM, error: Server [2505] - The server could not bind to the transport \Device\NetBT_Tcpip_{ADECFFDA-2C63-4730-B7C9-355DB3554575} because another computer on the network has the same name. The server could not start.

7/2/2012 4:11:38 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)

.

==== End Of File ===========================

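The lines in the DDS log above that an analyst keys on are the `uRun` entry pointing at `...\application data\nyqe\zaci.exe` (a user-writable profile directory, with a generated-looking folder and file name; it is the entry the ComboFix run later in this thread deletes and lists under ORPHANS REMOVED) and the `DhcpNameServer` value, which changes between this log (192.168.20.1) and the later one (196.148.30.1). The Python script below is an added example, not part of the original post or of any Malwarebytes, DDS or ComboFix tooling. It runs over a constructed sample modelled on this thread's log lines and flags three things: autostart entries whose binary lives under a user-writable profile directory or has short letters-only folder and file names, DHCP-assigned DNS servers outside the private address ranges, and Firefox `user.js` prefs that silence a security warning (the log shows `security.warn_viewing_mixed` and `security.warn_submit_insecure` set to false). The regexes, the `USER_WRITABLE` markers, the 3-8 letter name heuristic and the `WARNING_PREFS` list are my assumptions about a reasonable triage rule, not rules stated on this page; a hit means "look closer", not "malicious".

```python
import ipaddress
import re

# Constructed sample input in DDS "Pseudo HJT Report" / FIREFOX format, modelled
# on the lines posted in this thread (not a copy of a full log).
SAMPLE_DDS = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Agtoavl] "c:\documents and settings\roaming\application data\nyqe\zaci.exe"
uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
TCP: DhcpNameServer = 192.168.20.1
TCP: Interfaces\{ADECFFDA-2C63-4730-B7C9-355DB3554575} : DhcpNameServer = 196.148.30.1
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_submit_insecure - false
"""

# uRun = HKCU Run key, mRun = HKLM Run key; the path may or may not be quoted.
RUN_RE = re.compile(r'^(?P<scope>[um]Run):\s*\[(?P<name>[^\]]*)\]\s*"?(?P<path>[^"]+?)"?\s*$')
DNS_RE = re.compile(r"DhcpNameServer\s*=\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})")
FF_PREF_RE = re.compile(r"^FF - user\.js:\s*(?P<pref>[\w.]+)\s*-\s*(?P<val>\S+)")

# Profile directories a legitimate autostart binary rarely lives in (XP and
# Vista+ layouts). Assumed heuristic; compared against lower-cased paths.
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\appdata\\", "\\temp\\")

# Firefox prefs whose "false" value silences a security warning (assumed list).
WARNING_PREFS = ("security.warn_viewing_mixed", "security.warn_submit_insecure")

# Generated names such as "nyqe" / "zaci": 3-8 lower-case letters, nothing else.
SHORT_RANDOM = re.compile(r"[a-z]{3,8}")


def triage_run_entries(log_text):
    """Return (scope, value name, path, reasons) for each Run entry that looks out of place."""
    findings = []
    for line in log_text.splitlines():
        m = RUN_RE.match(line.strip())
        if not m:
            continue
        path_lc = m.group("path").lower()
        reasons = []
        if any(marker in path_lc for marker in USER_WRITABLE):
            reasons.append("autostart binary under a user-writable profile directory")
        parts = path_lc.split("\\")
        stem = parts[-1].rsplit(".", 1)[0]          # file name without extension
        parent = parts[-2] if len(parts) > 1 else ""  # immediate folder name
        if SHORT_RANDOM.fullmatch(stem) and SHORT_RANDOM.fullmatch(parent):
            reasons.append("short letters-only folder and file name, typical of generated names")
        if reasons:
            findings.append((m.group("scope"), m.group("name"), m.group("path"), reasons))
    return findings


def triage_dns_servers(log_text):
    """Return DhcpNameServer addresses that are not in a private (RFC 1918) range."""
    found = []
    for m in DNS_RE.finditer(log_text):
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:  # e.g. an octet above 255
            continue
        if not ip.is_private and str(ip) not in found:
            found.append(str(ip))
    return found


def triage_firefox_prefs(log_text):
    """Return user.js prefs from the log that disable a browser security warning."""
    hits = []
    for line in log_text.splitlines():
        m = FF_PREF_RE.match(line.strip())
        if m and m.group("pref") in WARNING_PREFS and m.group("val").lower() == "false":
            hits.append(m.group("pref"))
    return hits


if __name__ == "__main__":
    for scope, name, path, reasons in triage_run_entries(SAMPLE_DDS):
        print(f"{scope} [{name}] {path}")
        for reason in reasons:
            print(f"    - {reason}")
    for ip in triage_dns_servers(SAMPLE_DDS):
        print(f"DhcpNameServer outside private ranges: {ip}")
    for pref in triage_firefox_prefs(SAMPLE_DDS):
        print(f"Security warning disabled in user.js: {pref}")
```

On the sample, only the `Agtoavl` entry is reported (with both reasons), the single non-private DNS server is 196.148.30.1, and both warning prefs are listed. A public DNS server handed out by DHCP is not proof of tampering, but it should be checked against what the router is actually configured to serve, since the router in the first log answers at 192.168.20.1.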

  • Staff

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log. See if you can download it from this link:

http://downloads.malwarebytes.org/file/mbam

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingc...to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the contents of C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.


Sorry it took so long... ComboFix couldn't run on my very old laptop... the laptop would hang, I would get "virtual memory low" errors, etc. Here they are: MBAM was run first, then ComboFix, and last DDS.

Malwarebytes Anti-Malware (Trial) 1.61.0.1400

www.malwarebytes.org

Database version: v2012.07.10.03

Windows XP Service Pack 2 x86 NTFS

Internet Explorer 8.0.6001.18702

roaming :: LAPPIE486 [administrator]

Protection: Enabled

7/10/2012 12:36:49 AM

mbam-log-2012-07-10 (00-36-49).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 188835

Time elapsed: 16 minute(s), 26 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

*******************************************************************************************************************************

ComboFix 12-07-08.03 - roaming 07/10/2012 2:31.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.223.19 [GMT -5:00]

Running from: c:\documents and settings\roaming\Desktop\ComboFix.exe

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\All Users\Application Data\TEMP

c:\documents and settings\roaming\Application Data\342024875.log

c:\documents and settings\roaming\Application Data\602024875.log

c:\documents and settings\roaming\Application Data\Nyqe

c:\documents and settings\roaming\Application Data\Nyqe\zaci.exe

c:\documents and settings\roaming\g2mdlhlpx.exe

.

c:\windows\system32\drivers\usbehci.sys . . . is missing!!

.

.

((((((((((((((((((((((((( Files Created from 2012-06-10 to 2012-07-10 )))))))))))))))))))))))))))))))

.

.

2012-06-24 15:33 . 2012-06-24 15:32 476936 ----a-w- c:\windows\system32\npdeployJava1.dll

2012-06-24 15:30 . 2012-06-24 15:32 73728 ----a-w- c:\windows\system32\javacpl.cpl

2012-06-24 15:20 . 2012-06-24 15:20 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2012-06-24 15:10 . 2012-06-24 15:10 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-06-24 15:10 . 2012-06-24 15:10 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-06-23 20:34 . 2012-06-23 20:34 -------- d-----w- c:\documents and settings\roaming\Application Data\Malwarebytes

2012-06-23 20:33 . 2012-06-23 20:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2012-06-23 20:33 . 2012-04-04 20:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-06-23 20:33 . 2012-07-10 05:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-06-14 07:51 . 2012-06-23 17:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2012-06-14 07:51 . 2012-06-14 18:49 -------- d-----w- c:\program files\Spybot - Search & Destroy

2012-06-14 07:21 . 2012-06-14 07:21 -------- d-----w- c:\windows\system32\wbem\Repository

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-06-24 15:32 . 2011-07-23 20:36 472840 ----a-w- c:\windows\system32\deployJava1.dll

2012-06-10 10:25 . 2011-07-21 16:29 230808 ----a-r- c:\windows\system32\cpnprt2.cid

2006-12-29 14:15 . 2011-07-20 21:26 3100672 ----a-w- c:\program files\Common Files\sapxlhelper.dll

2006-12-29 14:15 . 2011-07-20 21:26 192512 ----a-w- c:\program files\Common Files\sapconsr3.dll

2006-12-29 14:15 . 2011-07-20 21:26 626688 ----a-w- c:\program files\Common Files\sapconsaccess.dll

2006-12-29 14:15 . 2011-07-20 21:26 40960 ----a-w- c:\program files\Common Files\DigitalSignature.ocx

2009-07-30 18:19 . 2009-07-30 18:19 28488 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll

2009-07-30 18:20 . 2009-07-30 18:20 185232 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll

2009-07-30 18:20 . 2009-07-30 18:20 99216 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll

2009-07-30 18:22 . 2009-07-30 18:22 42312 ----a-w- c:\program files\mozilla firefox\plugins\wbxtccli.dll

2009-07-30 18:22 . 2009-07-30 18:22 38216 ----a-w- c:\program files\mozilla firefox\plugins\wbxtcholcli.dll

2012-06-24 15:12 . 2012-04-24 22:54 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]

.

c:\documents and settings\roaming\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

EZ ConnectTM g 108Mbps Wireless USB Utility.lnk - c:\program files\SMC\EZ ConnectTM g 108Mbps Wireless USB Adapter\SMCWUSBT.exe [2006-4-26 471040]

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

.

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/23/2012 3:33 PM 654408]

R2 wlanndi5;wlanndi5 NDIS Protocol Driver;c:\windows\system32\wlanndi5.sys [4/21/2004 5:51 PM 16384]

R3 ALiIRDA;ALi Infrared Device Driver;c:\windows\system32\drivers\alifir.sys [5/28/2009 8:20 PM 26624]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/23/2012 3:33 PM 22344]

S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [4/24/2012 5:54 PM 113120]

S3 SMCUSBT;EZ ConnectTM g 108Mbps Wireless USB Adapter Service;c:\windows\system32\drivers\smcusbt1.sys [11/6/2009 4:46 PM 360000]

.

--- Other Services/Drivers In Memory ---

.

*Deregistered* - MBAMSwissArmy

.

Contents of the 'Scheduled Tasks' folder

.

2012-07-10 c:\windows\Tasks\WGASetup.job

- c:\windows\system32\KB905474\wgasetup.exe [2011-07-23 03:18]

.

.

------- Supplementary Scan -------

.

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 196.148.30.1

FF - ProfilePath - c:\documents and settings\roaming\Application Data\Mozilla\Firefox\Profiles\b1j5g1ua.default\

FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official

FF - user.js: network.cookie.cookieBehavior - 0

FF - user.js: privacy.clearOnShutdown.cookies - false

FF - user.js: security.warn_viewing_mixed - false

FF - user.js: security.warn_viewing_mixed.show_once - false

FF - user.js: security.warn_submit_insecure - false

FF - user.js: security.warn_submit_insecure.show_once - false

.

- - - - ORPHANS REMOVED - - - -

.

HKCU-Run-Agtoavl - c:\documents and settings\roaming\Application Data\Nyqe\zaci.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-07-10 02:54

Windows 5.1.2600 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

Completion time: 2012-07-10 03:01:43

ComboFix-quarantined-files.txt 2012-07-10 08:01

.

Pre-Run: 7,700,586,496 bytes free

Post-Run: 7,719,743,488 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

.

- - End Of File - - 3021BEB4D889A36066E0887B7EB68939

******************************************************************************************************************************

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_33

Run by roaming at 8:46:46 on 2012-07-10

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.223.51 [GMT -5:00]

.

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\SMC\EZ ConnectTM g 108Mbps Wireless USB Adapter\SMCWUSBT.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

.

============== Pseudo HJT Report ===============

.

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

BHO: {74F6C5A9-0EAD-4a71-891E-376A838DF1F0} - No File

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {E8558D71-5E4E-4217-B608-D2F5D3623AE3} - No File

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

uRun: [Agtoavl] "c:\documents and settings\roaming\application data\nyqe\zaci.exe"

mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

StartupFolder: c:\docume~1\roaming\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ezconn~1.lnk - c:\program files\smc\ez connecttm g 108mbps wireless usb adapter\SMCWUSBT.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab

TCP: DhcpNameServer = 196.148.30.1

TCP: Interfaces\{ADECFFDA-2C63-4730-B7C9-355DB3554575} : DhcpNameServer = 196.148.30.1

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL

Handler: saphtmlp - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\sapgui\SAPHTMLP.DLL

Handler: sapr3 - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\sapgui\SAPHTMLP.DLL

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\roaming\application data\mozilla\firefox\profiles\b1j5g1ua.default\

FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official

.

---- FIREFOX POLICIES ----

FF - user.js: network.cookie.cookieBehavior - 0

FF - user.js: privacy.clearOnShutdown.cookies - false

FF - user.js: security.warn_viewing_mixed - false

FF - user.js: security.warn_viewing_mixed.show_once - false

FF - user.js: security.warn_submit_insecure - false

FF - user.js: security.warn_submit_insecure.show_once - false

.

============= SERVICES / DRIVERS ===============

.

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-6-23 654408]

R2 wlanndi5;wlanndi5 NDIS Protocol Driver;c:\windows\system32\wlanndi5.sys [2004-4-21 16384]

R3 ALiIRDA;ALi Infrared Device Driver;c:\windows\system32\drivers\alifir.sys [2009-5-28 26624]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-6-23 22344]

S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-4-24 113120]

S3 SMCUSBT;EZ ConnectTM g 108Mbps Wireless USB Adapter Service;c:\windows\system32\drivers\smcusbt1.sys [2009-11-6 360000]

.

=============== Created Last 30 ================

.

2012-07-10 06:13:51 -------- d-sha-r- C:\cmdcons

2012-07-10 04:49:33 98816 ----a-w- c:\windows\sed.exe

2012-07-10 04:49:33 518144 ----a-w- c:\windows\SWREG.exe

2012-07-10 04:49:33 256000 ----a-w- c:\windows\PEV.exe

2012-07-10 04:49:33 208896 ----a-w- c:\windows\MBR.exe

2012-06-24 15:33:36 476936 ----a-w- c:\windows\system32\npdeployJava1.dll

2012-06-24 15:30:24 73728 ----a-w- c:\windows\system32\javacpl.cpl

2012-06-24 15:10:52 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-06-24 15:10:50 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-06-23 20:34:19 -------- d-----w- c:\documents and settings\roaming\application data\Malwarebytes

2012-06-23 20:33:43 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2012-06-23 20:33:39 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-06-23 20:33:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-06-14 07:51:40 -------- d-----w- c:\program files\Spybot - Search & Destroy

2012-06-14 07:51:40 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy

2012-06-14 07:21:46 -------- d-----w- c:\windows\system32\wbem\repository\FS

2012-06-14 07:21:46 -------- d-----w- c:\windows\system32\wbem\Repository

.

==================== Find3M ====================

.

2012-06-24 15:32:51 472840 ----a-w- c:\windows\system32\deployJava1.dll

2012-06-10 10:25:42 230808 ----a-r- c:\windows\system32\cpnprt2.cid

2006-12-29 14:15:42 626688 ----a-w- c:\program files\common files\sapconsaccess.dll

2006-12-29 14:15:42 40960 ----a-w- c:\program files\common files\DigitalSignature.ocx

2006-12-29 14:15:42 3100672 ----a-w- c:\program files\common files\sapxlhelper.dll

2006-12-29 14:15:42 192512 ----a-w- c:\program files\common files\sapconsr3.dll

.

============= FINISH: 8:49:11.45 ===============


  • Staff

Hi,

What's causing the performance issues is the lack of RAM on this computer. You can upgrade your RAM very cheaply. You just have to figure out which kind you have. I would uninstall Spybot since it's using a fair bit of RAM with TeaTimer.

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    c:\windows\system32\drivers\usbehci.sys


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt


Hi,

I uninstalled Spybot as you instructed. I also ran SystemLook. Here is what I got:

SystemLook 30.07.11 by jpshortstuff

Log created at 11:44 on 10/07/2012 by roaming

Administrator - Elevation successful

========== filefind ==========

Searching for "c:\windows\system32\drivers\usbehci.sys"

No files found.

-= EOF =-


  • Staff

Hi,

Next, please run the PCPitstop Full Tests here (NOT the PCMatic scan or any other scan; simply register with the box on the left and you will be taken to the Full Tests/Overdrive Test). When the tests are complete, a results page will pop up. Copy and paste the URL of the Results screen and post it here for me.


  • Staff

I think you need to update to SP3 first.

Here's my standard set of instructions:

Next, it is absolutely essential that you upgrade to Windows XP Service Pack 3. Service Pack 2, which is what you currently have, has vulnerabilities that leave you wide open for re-infection. To upgrade, please visit Windows Update and download all critical updates.

Let me know if the update was successful.


Hi,

Next, please run the PCPitstop Full Tests here (NOT the PCMatic scan or any other scan; simply register with the box on the left and you will be taken to the Full Tests/Overdrive Test). When the tests are complete, a results page will pop up. Copy and paste the URL of the Results screen and post it here for me.

I think I figured it out... here it is: http://pcpitstop.com/betapit/sec.asp?conid=24981600


I think you need to update to SP3 first.

Here's my standard set of instructions:

Next, it is absolutely essential that you upgrade to Windows XP Service Pack 3. Service Pack 2, which is what you currently have, has vulnerabilities that leave you wide open for re-infection. To upgrade, please visit Windows Update and download all critical updates.

Let me know if the update was successful.

I agree... it's time to upgrade to SP3. I'll wait for your feedback on the PCPitstop results before proceeding.


Hi,

I had some concerns with the SP3 installation. I have an old-style laptop which I purchased (cheap) mainly because it had the MS Professional Suite on it. Because I purchased it privately, I don't have the CD or the product key that usually comes with this package. The laptop also doesn't have a lot of RAM on it. I was wondering if installing SP3 would affect my MS Professional Suite (i.e. clean/wipe it out)? Or maybe there's some way to back it up to ensure it isn't affected? Please advise. Thank you.


  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

