
Due to some issues, I've run McAfee virus and anti-spyware and Malwarebytes (both are up to date - McAfee missed several malwares/trojans for some reason, but blocked/deleted them when they tried to run). I've run Malwarebytes several times and rebooted as instructed, but four items will not delete despite the reboot. Can I delete them with FileASSASSIN, is there another way to delete them, or are they no longer an issue? (Note: most of the previous errors/application shutdowns have gone; I'm still noticing that when I click on a Google link or type in a web address, I get instantly redirected to another site (spoof?).)

Partial Malwarebytes log:

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nmanidac (Trojan.Agent) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ksagatupekamos (Trojan.Agent) -> No action taken.

Files Infected:

C:\Documents and Settings\kgoldman\Local Settings\Application Data\pmtere.dll (Trojan.Agent) -> No action taken.

C:\Documents and Settings\kgoldman\Local Settings\Application Data\ociraqesaciwi.dll (Trojan.Agent) -> No action taken.

For what it's worth, I ran HijackThis as well (I do get the notice that the system denied write access to the Hosts file - FYI; not sure what this exactly means, but I'm not an admin on this machine). HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:41:31 PM, on 4/10/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\stsystra.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe

C:\WINDOWS\System32\CMGShieldUI.exe

C:\WINDOWS\system32\EmsServiceHelper.exe

C:\Program Files\Google\Gmail Notifier\gnotify.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\McAfee\Common Framework\udaterui.exe

C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

C:\Program Files\Altiris\Altiris Agent\AeXAgentUIHost.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\McAfee\Common Framework\McTray.exe

C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe

C:\Program Files\Credant\Gatekeeper\GKProbe.exe

C:\Program Files\Palm\Hotsync.exe

C:\Program Files\Citrix\PNAgent\pnagent.exe

C:\Program Files\Altiris\AClient\AClntUsr.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Cisco Systems\VPN Client\vpngui.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://*.css

O15 - Trusted Zone: http://*.mcafee.com

O15 - Trusted Zone: http://*.css (HKLM)

O15 - Trusted Zone: http://*.mcafee.com (HKLM)

O15 - Trusted Zone: http://content.nejm.org (HKLM)

O15 - Trusted Zone: http://www.pesgce.com (HKLM)

O15 - Trusted Zone: http://www.thelancet.com (HKLM)

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...cebookPhotoUploader5.cab

O16 - DPF: {322DEFAE-1B12-4203-B4AF-FD858B81FC03} (Siebel High Interactivity Framework) - http://sumctmsprodweb.mycompany.com:9001/e...16/applets/SiebelAx_HI_Client.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...s/en/x86/client/wuweb_site.cab?1229632562502

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...s/en/x86/client/muweb_site.cab?1229632547377

O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://llis/Livelinksupport/webexp/isetup.cab

O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://floridakeysmedia.tv/axiscam/Codebas...sCamControl.ocx

O16 - DPF: {A07F0AC9-D8AD-449A-BE90-668F5263B261} (Siebel High Interactivity Framework) - http://sumctmstrainweb.mycompany.com:9001/...405/applets/SiebelAx_HI_Client.cab

O16 - DPF: {B9F79165-A264-4C4A-A211-133A5E8D647F} (F-Secure Health Check 1.1) - http://support.f-secure.com/enu/home/onlin.../fshc/fscax.cab

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://campbellalliance.webex.com/client/T...bex/ieatgpc.cab

O16 - DPF: {F53270D3-0E32-48B7-B63B-159E33210F70} (Livelink Edit Control) - http://llis.mycompany.com/Livelinksupport/webedit/lledit.cab

O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://www.royalemedia.com/ampx/ampx_en_dl.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mycompany.com

O17 - HKLM\Software\..\Telephony: DomainName = mycompany.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{ABADB73A-8AA9-46DE-AB88-521C3A387B1A}: Domain = mycompany.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{ABADB73A-8AA9-46DE-AB88-521C3A387B1A}: NameServer = 10.20.1.10,10.20.1.9

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = mycompany.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = mycompany.com,mycompany.com,mycompany.com,mycompany.com,mycompany.com,mycompany.com,mycompany.com

O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = mycompany.com

O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = mycompany.com,mycompany.com

O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = mycompany.com

O17 - HKLM\System\CS4\Services\Tcpip\Parameters: SearchList = mycompany.com,mycompany.com,mycompany.com,mycompany.com,mycompany.com,mycompany.com

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = mycompany.com,mycompany.com,mycompany.com,mycompany.com,mycompany.com,mycompany.com,mycompany.com

O20 - AppInit_DLLs: AMINIT.dll

O20 - Winlogon Notify: CMGShieldNP - C:\WINDOWS\SYSTEM32\CmgShieldNP.dll

O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll

O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\Program Files\Altiris\AClient\AClient.exe

O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Altiris Carbon Copy (CarbonCopy32) - Altiris - C:\WINDOWS\system32\ccsrvc.exe

O23 - Service: CMGShield - Credant Technologies, Inc. - C:\WINDOWS\system32\CmgShieldSvc.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: EMS - CREDANT Technologies, Inc. - C:\WINDOWS\system32\EMSService.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe

O23 - Service: CREDANT Mobile Guardian Gatekeeper (guardian) - CREDANT Technologies - C:\Program Files\Credant\Gatekeeper\GatekeeperNC.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe

O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--

End of file - 16274 bytes

---------------------------------------------------

Hello KJG

Welcome to Malwarebytes.

=====================

Please download DDS and save it to your desktop.

  • Disable any script blocking protection
  • Double click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • Click Yes at the next prompt for Optional Scan.
  • Save both reports to your desktop.

---------------------------------------------------

Please include the contents of the following in your next reply:

DDS.txt

Attach.txt.

================

Download the GMER Rootkit Scanner.

Click the Download exe button and save the randomly named file to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click randomlynamed.exe. The program will begin to run.

**Caution**

These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.

---------------------------------------------------

Hello,

I could not run GMER Rootkit Scanner. I attached screenshots of the errors. I believe all other programs were shut down. I'm a Power User on this machine - does that have any bearing?

Thank you for your help.

DDS (Ver_09-03-16.01) - NTFSx86

Run by kgoldman at 16:15:50.86 on Sat 04/11/2009

Internet Explorer: 6.0.2900.5512

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1348 [GMT -5:00]

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated)

============== Running Processes ===============

svchost.exe

svchost.exe

svchost.exe

svchost.exe

svchost.exe

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\stsystra.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe

C:\WINDOWS\System32\CMGShieldUI.exe

C:\WINDOWS\system32\EmsServiceHelper.exe

C:\Program Files\Altiris\AClient\AClntUsr.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Altiris\Altiris Agent\AeXAgentUIHost.exe

C:\Program Files\McAfee\Common Framework\udaterui.exe

C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\McAfee\Common Framework\McTray.exe

C:\Program Files\Credant\Gatekeeper\GKProbe.exe

C:\Program Files\Palm\Hotsync.exe

C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe

C:\Program Files\Citrix\PNAgent\pnagent.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\kgoldman\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://ourmycompany/index.php

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

mDefault_Search_URL = hxxp://www.google.com/ie

uInternet Connection Wizard,ShellNext = hxxp://www.yahoo.com/

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

uURLSearchHooks: H - No File

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll

BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll

TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File

TB: {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - No File

EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe

uRun: [Nmanidac] rundll32.exe "c:\documents and settings\kgoldman\local settings\application data\pmtere.dll",e

uRun: [Ksagatupekamos] rundll32.exe "c:\documents and settings\kgoldman\local settings\application data\ociraqesaciwi.dll",e

mRun: [igfxtray] c:\windows\system32\igfxtray.exe

mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe

mRun: [igfxpers] c:\windows\system32\igfxpers.exe

mRun: [sigmatelSysTrayApp] stsystra.exe

mRun: [broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe

mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"

mRun: [intelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"

mRun: [intelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [shStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE

mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"

mRun: [ToolBoxFX] "c:\program files\hp\toolboxfx\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /systrayIcon:on /fl:on /fr:on /appData:on

mRun: [<NO NAME>]

mRun: [CmgShieldUI] c:\windows\system32\CMGShieldUI.exe

mRun: [EmsService] EmsServiceHelper.exe

mRun: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] c:\program files\google\gmail notifier\gnotify.exe

mRun: [AeXAgentLogon] c:\program files\altiris\altiris agent\AeXAgentActivate.exe /logon

mRun: [AClntUsr] c:\program files\altiris\aclient\AClntUsr.EXE

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [HotSync] "c:\program files\palmsource\desktop\HotSync.exe" -AllUsers

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey

mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"

mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

mRunOnce: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-f400-ba7e-100000000002}\SC_Acrobat.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\gkprobe.lnk - c:\program files\credant\gatekeeper\GKProbe.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\Hotsync.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\progra~1.lnk - c:\program files\citrix\pnagent\pnagent.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{a7091e1d-36a4-47f1-a739-173cc341414f}\Icon3E5562ED7.ico

IE: Compare Prices with &Dealio - c:\documents and settings\kgoldman\application data\dealio\kb124\res\DealioSearch.html

IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

Trusted Zone: ascopubs.org\jco

Trusted Zone: compliancewire.com\www

Trusted Zone: css

Trusted Zone: educationalconcepts.net\mel

Trusted Zone: hematologylibrary.org\bloodjournal

Trusted Zone: internet

Trusted Zone: mcafee.com

Trusted Zone: mcafee.com\www

Trusted Zone: nejm.org\content

Trusted Zone: pesgce.com\www

Trusted Zone: thelancet.com\www

Trusted Zone: ascopubs.org\jco

Trusted Zone: compliancewire.com\www

Trusted Zone: css

Trusted Zone: hematologylibrary.org\bloodjournal

Trusted Zone: internet

Trusted Zone: mcafee.com

Trusted Zone: mcafee.com\www

Trusted Zone: nejm.org\content

Trusted Zone: pesgce.com\www

Trusted Zone: thelancet.com\www

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab

DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {322DEFAE-1B12-4203-B4AF-FD858B81FC03} - hxxp://sumctmsprodweb.mycompany.com:9001/eclinical_enu/20416/applets/SiebelAx_HI_Client.cab

DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229632562502

DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229632547377

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - hxxp://llis/Livelinksupport/webexp/isetup.cab

DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - hxxp://floridakeysmedia.tv/axiscam/Codebase/AxisCamControl.ocx

DPF: {A07F0AC9-D8AD-449A-BE90-668F5263B261} - hxxp://sumctmstrainweb.mycompany.com:9001/eclinical_enu/20405/applets/SiebelAx_HI_Client.cab

DPF: {B9F79165-A264-4C4A-A211-133A5E8D647F} - hxxp://support.f-secure.com/enu/home/onlineservices/fshc/fscax.cab

DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab

DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://campbellalliance.webex.com/client/T26L/webex/ieatgpc.cab

DPF: {F53270D3-0E32-48B7-B63B-159E33210F70} - hxxp://llis.mycompany.com/Livelinksupport/webedit/lledit.cab

DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} - hxxp://www.royalemedia.com/ampx/ampx_en_dl.cab

Handler: x-excid - {9D6CC632-1337-4a33-9214-2DA092E776F4} - c:\windows\downloaded program files\mimectl.dll

Notify: CMGShieldNP - CmgShieldNP.dll

Notify: GoToAssist - c:\program files\citrix\gotoassist\480\G2AWinLogon.dll

Notify: igfxcui - igfxdev.dll

AppInit_DLLs: AMINIT.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

LSA: Notification Packages = scecli pmtere.dll

============= SERVICES / DRIVERS ===============

R0 CmgShieldCEF;CmgShieldCEF;c:\windows\system32\drivers\CMGShCEF.sys [2007-7-27 192816]

R0 CMGShieldReg;CMGShieldReg;c:\windows\system32\drivers\CmgShREG.sys [2007-7-27 88368]

R1 CCDevice;CCDevice;c:\windows\system32\drivers\CCDevice.sys [2007-5-29 9216]

R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2008-10-6 31816]

R2 CMGShield;CMGShield;c:\windows\system32\CmgShieldSvc.exe [2007-7-27 1090864]

R2 EMS;EMS;c:\windows\system32\EmsService.exe [2007-7-27 644400]

R2 guardian;CREDANT Mobile Guardian Gatekeeper;c:\program files\credant\gatekeeper\GatekeeperNC.exe [2006-10-18 829952]

R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2009-1-16 103744]

R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2008-10-6 144704]

R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2008-10-6 54608]

R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2007-5-18 72904]

R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2007-5-18 34344]

R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2007-5-18 177672]

S2 owiaqras;Scan Class for IEEE-1284.4Monitor;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]

S3 CmgShieldNP;CmgShieldNP;c:\windows\system32\CmgShieldNP.dll [2007-7-27 156976]

S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

=============== Created Last 30 ================

2009-04-10 20:48 <DIR> --d----- c:\program files\Eusing Free Registry Cleaner

2009-04-10 20:47 <DIR> --d----- c:\program files\CCleaner

2009-04-10 14:13 <DIR> --d----- c:\docume~1\kgoldman\applic~1\Malwarebytes

2009-04-10 12:56 15,504 a------- c:\windows\system32\drivers\mbam.sys

2009-04-10 12:55 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2009-04-10 12:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

2009-04-10 12:55 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware

2009-04-10 11:37 <DIR> --d----- c:\docume~1\kgoldman\applic~1\jckazdrm

2009-04-10 08:52 0 a------- c:\windows\Nhoraz.bin

2009-04-10 08:52 408 a------- c:\windows\Rjepewucobuhog.dat

2009-04-07 18:15 <DIR> --d----- c:\program files\Trend Micro

2009-04-07 17:40 <DIR> --d-h--- c:\windows\PIF

2009-04-07 17:03 <DIR> --dsh--- c:\docume~1\kgoldman\applic~1\lowsec

==================== Find3M ====================

2009-04-10 18:07 2,401 a------- c:\windows\system32\drivers\AlKernel.sys

2009-03-24 08:03 202,323 a------- c:\windows\system32\atasnt40.dll

2009-03-19 13:11 6,607,037 a------- c:\windows\FramePkg.exe

2009-02-24 16:35 41 a------- C:\AClient.dat

2008-07-11 15:03 60,968 a------- c:\documents and settings\kgoldman\GoToAssistDownloadHelper.exe

2005-11-15 16:32 3,638 ac---r-- c:\program files\common files\Altiris_Icon.ico

============= FINISH: 16:16:13.16 ===============

Attach.zip

GMER_error.doc

---------------------------------------------------
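The DDS report above shows the two flagged DLLs being started from per-user Run values via rundll32, and pmtere.dll also listed in LSA Notification Packages, which is why it survives a user-level reboot. The following is an added example, not code from this thread or from any of the tools discussed: a small Python triage script that reads Pseudo-HJT lines (the sample is copied from the report above) and flags those two persistence indicators, plus the AppInit_DLLs entry for verification, then correlates them.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample input: lines copied from the DDS "Pseudo HJT Report" in the
# thread, plus benign Run entries from the same report for contrast.
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Nmanidac] rundll32.exe "c:\documents and settings\kgoldman\local settings\application data\pmtere.dll",e
uRun: [Ksagatupekamos] rundll32.exe "c:\documents and settings\kgoldman\local settings\application data\ociraqesaciwi.dll",e
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
AppInit_DLLs: AMINIT.dll
LSA: Notification Packages = scecli pmtere.dll
"""

# scecli is the only LSA notification package a stock Windows XP ships with.
DEFAULT_LSA_PACKAGES = {"scecli"}

# uRun/mRun/dRun and the RunOnce variants: "xRun: [value name] command line"
RUN_RE = re.compile(r"^[umd]Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
LSA_RE = re.compile(r"^LSA: Notification Packages = (?P<pkgs>.*)$")
APPINIT_RE = re.compile(r"^AppInit_DLLs: (?P<dlls>.+)$")
# rundll32 loading a DLL, quoted or not, followed by the ",entrypoint" part
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,', re.IGNORECASE)
# Per-user profile locations that any process running as that user can write to
USER_WRITABLE_RE = re.compile(
    r"\\documents and settings\\[^\\]+\\(?:local settings\\)?application data\\",
    re.IGNORECASE,
)


def _norm(dll):
    """Lower-case basename without the .dll suffix, for comparing DLL references."""
    return re.sub(r"\.dll$", "", PureWindowsPath(dll).name.lower())


def suspicious_run_entries(log_text):
    """(value name, DLL path) for Run entries that use rundll32 to load a DLL
    living in the user's own profile rather than system32 or Program Files."""
    hits = []
    for line in log_text.splitlines():
        m = RUN_RE.match(line.strip())
        if not m:
            continue
        d = RUNDLL_RE.search(m.group("cmd"))
        if d and USER_WRITABLE_RE.search(d.group("dll")):
            hits.append((m.group("name"), d.group("dll")))
    return hits


def nondefault_lsa_packages(log_text):
    """LSA notification packages beyond the XP default; these DLLs are loaded by
    lsass.exe at boot, so an unexpected entry survives a user-level cleanup."""
    for line in log_text.splitlines():
        m = LSA_RE.match(line.strip())
        if m:
            return [p for p in m.group("pkgs").split() if _norm(p) not in DEFAULT_LSA_PACKAGES]
    return []


def appinit_dlls(log_text):
    """DLLs listed in AppInit_DLLs (loaded into every user32-linked process).
    Not malicious by itself, but verify which installed product owns each entry."""
    for line in log_text.splitlines():
        m = APPINIT_RE.match(line.strip())
        if m:
            return re.split(r"[,\s]+", m.group("dlls").strip())
    return []


def correlate(log_text):
    """DLL basenames referenced both by a suspicious Run entry and by the LSA
    notification list: one file with two independent persistence mechanisms."""
    run_dlls = {PureWindowsPath(p).name.lower() for _, p in suspicious_run_entries(log_text)}
    lsa = {_norm(p) for p in nondefault_lsa_packages(log_text)}
    return sorted(d for d in run_dlls if _norm(d) in lsa)


if __name__ == "__main__":
    for name, dll in suspicious_run_entries(SAMPLE_LOG):
        print(f"Run value {name!r} loads user-profile DLL via rundll32: {dll}")
    print("Non-default LSA notification packages:", nondefault_lsa_packages(SAMPLE_LOG))
    print("AppInit_DLLs to verify:", appinit_dlls(SAMPLE_LOG))
    print("Persists via both Run key and LSA:", correlate(SAMPLE_LOG))
```

The LSA hit is the one that matters for the "won't delete despite reboot" question: a DLL registered there is held open by lsass.exe, so a file deletion from the user's session is deferred or refused.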

Thank you for the pictures, it helps.

Gmer says that because you have a rootkit present.

Please do the following:

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1

Link 2

Link 3

CF_download_FF.gif

CF_download_rename.gif

--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.

  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.
---------------------------------------------------

I will need to get back to this on Monday or Tuesday. Since I am not an Admin on this, I cannot shut off McAfee (received a warning that not shutting it off can interfere with Combo-Fix). I'll have to have IT open this machine to run Combo-Fix - unless of course I can force it off through Task Manager Processes? Just don't know which ones to kill.

Thanks again.

---------------------------------------------------

If you are not able to turn it off we will manually remove it.

First I need to see more info:

Download RootRepeal.zip and unzip it to your Desktop.

  • Double click RootRepeal.exe to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan
    Note: The scan can take some time. DO NOT run any other programs while the scan is running
  • When the scan is complete, the Save Report button will become available
  • Click this and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program

If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.

To attach a file, do the following:

  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on attach_add.png to insert the attachment into your post
---------------------------------------------------

Thanks - but I'll need to wait until Monday to have my IT department D/C McAfee and give me rights to the machine if I can't just turn it off. Only so much I can do within our company policy. Removing it is not something I will do.

---------------------------------------------------

Ok try this one:

Please download Rootkit Revealer

  • Unzip it to your desktop.
  • Open the rootkitrevealer folder and double-click rootkitrevealer.exe
  • Close ALL windows and programs and do nothing on the pc while the scan runs. This includes games, browser windows, email clients, etc.
  • Click the Scan button (bottom right)
  • It may take a while to scan (don't do anything while it's running)
  • When it's done, go up to File > Save. Choose to save it to your desktop.
  • Open rootkitrevealer.txt on your desktop and copy the entire contents and paste them here
---------------------------------------------------

1. Please open Notepad

  • Click Start , then Run
  • type in notepad in the Run Box then hit ok.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

    File::
    c:\windows\Nhoraz.bin
    c:\windows\Rjepewucobuhog.dat
    C:\documents and settings\kgoldman\Local Settings\Application Data\Nhoraz.bin
    c:\documents and settings\kgoldman\Local Settings\Application Data\Rjepewucobuhog.dat
    Folder::
    c:\documents and settings\kgoldman\Local Settings\Application Data\jckazdrm
    c:\documents and settings\kgoldman\Application Data\jckazdrm
    c:\documents and settings\kgoldman\Application Data\lowsec

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScriptB-4.gif

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

  • Combofix.txt
  • A new HijackThis log.
---------------------------------------------------
