
Trojan infection Win XP Home edition



Hi there.

I posted in another thread with some details about what is going on with my OS. You can find those details here:

http://www.malwarebytes.org/forums/index.php?showtopic=14848

This is a copy of my Hijack This log. I usually put the log through some online analyzers, but I wanted to be absolutely positive the Trojan infecting my OS isn't showing up here. Thank you kindly!

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:38:21 PM, on 4/30/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16827)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\a-squared Free\a2service.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\BOINC\boinctray.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Unlocker\UnlockerAssistant.exe

C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\BOINC\boincmgr.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Customer\Wireless PCI_CardBus utility V1.01\Wireless PCI_CardBus utility V1.01.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\Winamp\winamp.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe

O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll

O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [boinctray] "C:\Program Files\BOINC\boinctray.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [unlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKUS\S-1-5-21-1004336348-789336058-725345543-1004\..\RunOnce: [NeroHomeFirstStart] C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe (User 'boinc_master')

O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe

O4 - Global Startup: Corel Registration.lnk = C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Wireless PCI_CardBus utility V1.01.exe.lnk = ?

O4 - Global Startup: Wireless USB utility V1.02.exe.lnk = ?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll

O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab

O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.6.0_11) -

O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: BOINC - Space Sciences Laboratory - C:\Program Files\BOINC\boinc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\ISO Recorder\ImapiHelper.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--

End of file - 9765 bytes

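The HijackThis log above is reviewed by reading its O4 (autostart) entries one by one: what launches at logon, from which hive, and whether the path is a full quoted path, a bare file name, or an unresolved shortcut. As an added example that is not part of the thread and not HijackThis or Malwarebytes code, here is a small Python triage of that O4 format. SAMPLE_LOG is copied from the first log in this thread; the flag names, the `split_command` helper and the `Autostart` record are my own.

```python
"""Triage of HijackThis O4 (autostart) entries.

Added example: this is not code from the thread, from HijackThis or from
Malwarebytes. SAMPLE_LOG is copied from the first HJT log in the thread;
the flag names and helper functions are my own.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [skyTel] SkyTel.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - Global Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
O4 - Global Startup: Wireless USB utility V1.02.exe.lnk = ?
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
"""

# Registry-backed entries: "O4 - <hive>\..\<key>: [<name>] <command> (User '<user>')"
REG_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] "
    r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
# Startup-folder shortcuts: "O4 - Global Startup: <name>.lnk = <target>"
STARTUP_RE = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.*)$")
# Unquoted command line: extend token by token until the first ".exe".
EXE_RE = re.compile(r"(\S+(?:\s+\S+)*?\.exe)(.*)$", re.I)


@dataclass
class Autostart:
    name: str
    location: str            # "HKLM\Run", "HKUS\S-1-5-18\Run" or "Global Startup"
    command: str
    executable: str
    quoted: bool
    user: Optional[str] = None
    flags: List[str] = field(default_factory=list)


def split_command(cmd: str):
    """Return (executable, was_quoted) for a Run-key command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end], True
    m = EXE_RE.match(cmd)
    if m:
        return m.group(1), False
    return cmd, False               # "?" or something that is not an .exe


def review_flags(entry: Autostart) -> List[str]:
    """Things a reviewer would want to look at; the flag names are my own."""
    flags = []
    if entry.command.strip() == "?":
        return ["unresolved-target"]        # HJT could not resolve the shortcut
    if "\\" not in entry.executable:
        flags.append("bare-name")           # no directory, found via the search path
    elif (" " in entry.executable and not entry.quoted
          and entry.location != "Global Startup"):
        flags.append("unquoted-path")       # CreateProcess may try C:\Program.exe first
    if entry.user == "SYSTEM":
        flags.append("system-context")      # entry lives under the SYSTEM account's hive
    return flags


def parse_autostarts(log_text: str) -> List[Autostart]:
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        m = REG_RE.match(line)
        if m:
            exe, quoted = split_command(m["cmd"])
            entry = Autostart(m["name"], m["hive"] + "\\" + m["key"],
                              m["cmd"], exe, quoted, m["user"])
        else:
            m = STARTUP_RE.match(line)
            if not m:
                continue                    # O2, O9, O23 ... lines are not handled here
            exe, quoted = split_command(m["cmd"])
            entry = Autostart(m["name"], "Global Startup", m["cmd"], exe, quoted)
        entry.flags = review_flags(entry)
        entries.append(entry)
    return entries


if __name__ == "__main__":
    for e in parse_autostarts(SAMPLE_LOG):
        print(f"{e.location:<22} {e.name:<36} {e.executable:<58} {','.join(e.flags) or '-'}")
```

Run it and the two bare-name entries (RTHDCPL.EXE, SkyTel.EXE), the one unquoted path with spaces (HP Software Update) and the unresolved shortcut (Wireless USB utility) stand out, which is exactly the short list a helper would check against the running-processes section. Everything else in this particular log has a full quoted path, consistent with the "clean" verdict.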

Hi lilyshift,

First, disable Spybot's TeaTimer or any fixes we make will be reversed. This is a two step process.

First:

- Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)

- Choose Exit Spybot S&D Resident

Second:

- Open Spybot S&D

- Click Mode, check Advanced Mode

- Go To Left Panel, Click Tools, then also in left panel, click Resident

- Uncheck the following: Resident "TeaTimer" (Protection of over-all system settings) Active.

Please leave TeaTimer off until we are completely done!

Please run Option 1 of the SmitfraudFix as directed here:

http://siri.urz.free.fr/Fix/SmitfraudFix_En.php

Then post back the log C:\rapport.txt when it is done.

Your HJT log is clean.

Please post the Symantec log that detected the trojan so I can see what file it flagged.


negster22, thank you for the information.

I downloaded SmitfraudFix, followed your instructions, and ran the program. However, to this day it still doesn't complete a scan. How long does it take for the program to scan my computer?

I'll try and leave the program running overnight.


Here is a copy of the log so far. It currently stops at "Scanning wininet.dll infection" and then doesn't go on any further.

SmitFraudFix v2.414

Scan done at 18:21:30.40, Wed 05/06/2009

Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in normal mode


Hello!

Please try running SmitfraudFix in Safe Mode:

How to boot into safe mode -

1. Restart the computer

2. Watch the screen while it is black. After the BIOS memory check is done, start tapping the F8 key. If done right, the Windows Advanced Options Menu will appear.

3. Select Safe Mode from the menu. Starting Windows in Safe Mode may take several minutes.

Now launch Smitfraudfix,

* Double-click SmitfraudFix.exe

* Select 1 and hit Enter to create a report of the infected files. The report can be found at C:\rapport.txt

* While still in safe mode, perform Option 5 of Smitfraudfix, "Search and clean DNS Hijack"

* Reboot normally

Please post the report (C:\Rapport.txt) in your next reply.

If you are still having trouble, we will try another program that deeply scans/analyzes your computer.


I left the program running for four or five hours and it doesn't make it past "scanning wininet.dll infection." The cursor in the program is still flashing though, so that means that the program itself is not in a deadlock. Below is the 'rapport' file:

SmitFraudFix v2.414

Scan done at 10:36:15.04, Fri 05/08/2009

Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in safe mode


I'm sorry you're having so much difficulty with that program.

Let's try another approach then.

Hi and Welcome to the Malwarebytes' forum.

Please download ATF Cleaner by Atribune

  • Close Internet Explorer and any other open browsers
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

If you use Firefox browser

  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Reboot

Next, download this Antirootkit Program to a folder that you create such as C:\ARK, by choosing the "Download EXE" button on the webpage.

Disable the active protection component of your Symantec antivirus by following the directions that apply here:

http://www.bleepingcomputer.com/forums/topic114351.html

Next, please perform a rootkit scan:

  • Double-click the randomly named EXE located in the C:\ARK folder that you just downloaded to run the program.
  • When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
  • When the scan is finished (a few seconds), click the Rootkit/Malware tab, and then select the Scan button.
  • Leave your system completely idle while this longer scan is in progress.
  • When the scan is done, save the scan log to the Windows clipboard
  • Open Notepad or a similar text editor
  • Paste the clipboard contents into a text file by clicking Edit | Paste or Ctl V
  • Exit the Program
  • Save the Scan log as ARK.txt and post it in your next reply. If the log is very long attach it please.

Please download Combofix from one of these locations:

HERE or HERE

I want you to rename Combofix.exe as you download it to a name of your choice such as lily.exe

Notes:

  • It is very important that you save the newly renamed EXE file to your desktop.
  • You must rename Combofix.exe as you download it and not after it is on your computer.
    You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
    • Open Firefox
    • Click Tools -> Options -> Main
    • Under the downloads section check the button that says "Always ask me where to save files".
    • Click OK
  • For Internet Explorer:
    • Choose to save, not open the file
    • When prompted - save the file to your desktop, and rename it anything with an .exe extension on the end.

Here is a tutorial that describes how to download, install and run Combofix more thoroughly. Please review it and follow the prompts to install Recovery Console - if you have not done that already:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Very Important! Temporarily disable your antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:

http://www.bleepingcomputer.com/forums/topic114351.html

Also, disable your firewall!

You can enable the Windows firewall in the interim, until the scan is complete.

Note: The above tutorial does not tell you to rename Combofix as I have instructed you to do in the above instructions, so make sure you complete the renaming step before launching Combofix.

Running Combofix

In the event you already have Combofix, please delete it as this is a new version.

  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

1. Double click on the renamed combofix.exe (lily.exe) & follow the prompts.

2. When finished, it will produce a logfile located at C:\ComboFix.txt

3. Post the contents of that log in your next reply with a new hijackthis log.

Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.

Please post back C:\ARK.txt and C:\ComboFix.txt in your next reply.


So far, so good. Combofix worked without stalling, unlike Smitfraudfix.

Below is a copy of my new Hijackthis log, and attached to this post is a Combofix log in WPD format.

Please let me know if you have any problems with the file format. Thank you very much!

p.s. General update: Prior to these scans, Spybot would no longer update through the program, and I was still unable to update Malwarebytes. After I receive your instructions, I will try to update the programs again and do another thorough scan.

------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 13:20:14, on 5/13/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16827)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\a-squared Free\a2service.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\BOINC\boinctray.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

C:\Program Files\BOINC\boincmgr.exe

C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Customer\Wireless PCI_CardBus utility V1.01\Wireless PCI_CardBus utility V1.01.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll

O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [boinctray] "C:\Program Files\BOINC\boinctray.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [unlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

O4 - HKUS\S-1-5-21-1004336348-789336058-725345543-1004\..\RunOnce: [NeroHomeFirstStart] C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe (User 'boinc_master')

O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe

O4 - Global Startup: Corel Registration.lnk = C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Wireless PCI_CardBus utility V1.01.exe.lnk = ?

O4 - Global Startup: Wireless USB utility V1.02.exe.lnk = ?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll

O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab

O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.6.0_11) -

O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: BOINC - Space Sciences Laboratory - C:\Program Files\BOINC\boinc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\ISO Recorder\ImapiHelper.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--

End of file - 9323 bytes

ComboFix_09.doc



ComboFix 09-05-12.04 - Owner 05/13/2009 13:03.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.257 [GMT -4:00]

Running from: c:\documents and settings\Owner\Desktop\lily.exe

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\rssklan.qwg

c:\windows\system32\404Fix.exe

c:\windows\system32\Agent.OMZ.Fix.exe

c:\windows\system32\AutoRun.inf

c:\windows\system32\dumphive.exe

c:\windows\system32\IEDFix.C.exe

c:\windows\system32\IEDFix.exe

c:\windows\system32\o4Patch.exe

c:\windows\system32\Process.exe

c:\windows\system32\SrchSTS.exe

c:\windows\system32\tmp.reg

c:\windows\system32\VACFix.exe

c:\windows\system32\VCCLSID.exe

c:\windows\system32\WS2Fix.exe

.

((((((((((((((((((((((((( Files Created from 2009-04-13 to 2009-05-13 )))))))))))))))))))))))))))))))

.

2009-05-12 22:23 . 2009-05-13 16:42 -------- d-----w C:\ark

2009-04-30 21:21 . 2009-04-30 21:30 -------- d-----w c:\documents and settings\Owner\Application Data\FMZilla

2009-04-30 21:21 . 2009-04-30 21:30 -------- d-----w c:\program files\Free Music Zilla

2009-04-30 21:17 . 2009-04-30 21:17 -------- d-----w C:\downloads

2009-04-30 21:17 . 2009-04-30 21:19 -------- d-----w c:\documents and settings\Owner\Application Data\FVZilla

2009-04-29 03:18 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-04-29 03:18 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-04-29 03:18 . 2009-04-29 03:18 -------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-04-29 00:10 . 2009-04-29 00:10 -------- d-----w c:\documents and settings\Owner\Application Data\TrojanHunter

2009-04-28 23:02 . 2009-04-30 18:26 -------- d-----w c:\program files\a-squared Free

2009-04-28 21:57 . 2009-04-29 00:20 -------- d-----w c:\program files\TrojanHunter 5.0

2009-04-26 01:30 . 2009-05-07 21:13 -------- d-----w c:\program files\Unlocker

2009-04-26 00:55 . 2009-04-26 00:55 -------- d-----w c:\documents and settings\Owner\Application Data\Malwarebytes

2009-04-26 00:55 . 2009-04-26 00:55 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes

2009-04-25 16:19 . 2009-04-25 16:19 -------- d-----w c:\program files\Trend Micro

2009-04-24 16:43 . 2009-04-24 16:43 -------- d-----w c:\documents and settings\Owner\Application Data\Aim

2009-04-22 22:38 . 2009-04-22 22:37 102664 ----a-w c:\windows\system32\drivers\tmcomm.sys

2009-04-22 22:37 . 2009-04-25 15:49 -------- d-----w c:\documents and settings\Owner\.housecall6.6

2009-04-15 14:23 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll

2009-04-15 14:23 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll

2009-04-15 14:23 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe

2009-04-15 14:23 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll

2009-04-15 14:23 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe

2009-04-15 14:23 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll

2009-04-15 14:23 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll

2009-04-15 14:23 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll

2009-04-15 14:23 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll

2009-04-15 14:22 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll

2009-04-15 14:22 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-05-13 17:07 . 2007-09-09 01:28 -------- d-----w c:\program files\Symantec AntiVirus

2009-04-26 05:31 . 2007-10-02 18:15 -------- d-----w c:\program files\Last.fm

2009-04-25 15:36 . 2007-09-15 03:44 -------- d-----w c:\program files\Java

2009-04-22 16:47 . 2007-09-08 14:02 -------- d-----w c:\program files\Winamp

2009-04-01 02:15 . 2004-12-08 03:57 63168 ----a-w c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-04-01 02:06 . 2009-04-01 02:06 -------- d-----w c:\program files\MSBuild

2009-04-01 02:06 . 2009-04-01 02:06 -------- d-----w c:\program files\Reference Assemblies

2009-04-01 01:28 . 2009-04-01 01:26 -------- d-----w c:\program files\Windows Live Safety Center

2009-03-19 16:55 . 2007-09-09 01:14 -------- d-----w c:\program files\Spybot - Search & Destroy

2009-03-18 16:08 . 2009-03-18 16:08 -------- d-----w c:\program files\pdfsam

2009-03-09 09:19 . 2008-12-11 05:50 410984 ----a-w c:\windows\system32\deploytk.dll

2009-03-06 14:22 . 2006-02-28 12:00 284160 ----a-w c:\windows\system32\pdh.dll

2009-03-03 00:18 . 2006-02-28 12:00 826368 ----a-w c:\windows\system32\wininet.dll

2009-02-23 00:34 . 2009-02-22 18:29 139856 ----a-w c:\windows\hpoins15.dat

2009-02-20 18:09 . 2006-02-28 12:00 78336 ----a-w c:\windows\system32\ieencode.dll

.

------- Sigcheck -------

[-] 2006-02-28 12:00 14336 8F078AE4ED187AAABC0A305146DE6716 c:\windows\$NtServicePackUninstall$\svchost.exe

[-] 2008-04-14 00:12 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\ServicePackFiles\i386\svchost.exe

[-] 2008-04-14 00:12 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\system32\svchost.exe

[-] 2005-03-02 18:19 577024 1800F293BCCC8EDE8A70E12B88D80036 c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll

[-] 2007-03-08 15:48 578048 7AA4F6C00405DFC4B70ED4214E7D687B c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll

[-] 2007-03-08 15:36 577536 B409909F6E2E8A7067076ED748ABF1E7 c:\windows\$NtServicePackUninstall$\user32.dll

[-] 2006-02-28 12:00 577024 C72661F8552ACE7C5C85E16A3CF505C4 c:\windows\$NtUninstallKB890859$\user32.dll

[-] 2005-03-02 18:09 577024 DE2DB164BBB35DB061AF0997E4499054 c:\windows\$NtUninstallKB925902$\user32.dll

[-] 2008-04-14 00:12 578560 B26B135FF1B9F60C9388B4A7D16F600B c:\windows\ServicePackFiles\i386\user32.dll

[-] 2008-04-14 00:12 578560 B26B135FF1B9F60C9388B4A7D16F600B c:\windows\system32\user32.dll

[-] 2006-02-28 12:00 82944 2ED0B7F12A60F90092081C50FA0EC2B2 c:\windows\$NtServicePackUninstall$\ws2_32.dll

[-] 2008-04-14 00:12 82432 2CCC474EB85CEAA3E1FA1726580A3E5A c:\windows\ServicePackFiles\i386\ws2_32.dll

[-] 2008-04-14 00:12 82432 2CCC474EB85CEAA3E1FA1726580A3E5A c:\windows\system32\ws2_32.dll

[-] 2006-04-20 12:18 360576 B2220C618B42A2212A59D91EBD6FC4B4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys

[-] 2007-10-30 16:53 360832 64798ECFA43D78C7178375FCDD16D8C8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys

[-] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys

[-] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys

[-] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys

[-] 2008-06-20 10:45 360320 2A5554FC5B1E04E131230E3CE035C3F9 c:\windows\$NtServicePackUninstall$\tcpip.sys

[-] 2006-02-28 12:00 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB917953$\tcpip.sys

[-] 2006-04-20 11:51 359808 1DBF125862891817F374F407626967F4 c:\windows\$NtUninstallKB941644$\tcpip.sys

[-] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\$NtUninstallKB951748$\tcpip.sys

[-] 2007-10-30 17:20 360064 90CAFF4B094573449A0872A0F919B178 c:\windows\$NtUninstallKB951748_0$\tcpip.sys

[-] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\ServicePackFiles\i386\tcpip.sys

[-] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\system32\dllcache\tcpip.sys

[-] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\system32\drivers\tcpip.sys

[-] 2006-02-28 12:00 502272 01C3346C241652F43AED8E2149881BFE c:\windows\$NtServicePackUninstall$\winlogon.exe

[-] 2008-04-14 00:12 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\ServicePackFiles\i386\winlogon.exe

[-] 2008-04-14 00:12 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\system32\winlogon.exe

[-] 2006-02-28 12:00 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\$NtServicePackUninstall$\ndis.sys

[-] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\ServicePackFiles\i386\ndis.sys

[-] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\system32\drivers\ndis.sys

[-] 2006-02-28 12:00 29056 4448006B6BC60E6C027932CFC38D6855 c:\windows\$NtServicePackUninstall$\ip6fw.sys

[-] 2008-04-13 18:53 36608 3BB22519A194418D5FEC05D800A19AD0 c:\windows\ServicePackFiles\i386\ip6fw.sys

[-] 2008-04-13 18:53 36608 3BB22519A194418D5FEC05D800A19AD0 c:\windows\system32\drivers\ip6fw.sys

[-] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\explorer.exe

[-] 2007-06-13 11:26 1033216 7712DF0CDDE3A5AC89843E61CD5B3658 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe

[-] 2007-06-13 10:23 1033216 97BD6515465659FF8F3B7BE375B2EA87 c:\windows\$NtServicePackUninstall$\explorer.exe

[-] 2006-02-28 12:00 1032192 A0732187050030AE399B241436565E64 c:\windows\$NtUninstallKB938828$\explorer.exe

[-] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\ServicePackFiles\i386\explorer.exe

[-] 2006-02-28 12:00 13312 84885F9B82F4D55C6146EBF6065D75D2 c:\windows\$NtServicePackUninstall$\lsass.exe

[-] 2008-04-14 00:12 13312 BF2466B3E18E970D8A976FB95FC1CA85 c:\windows\ServicePackFiles\i386\lsass.exe

[-] 2008-04-14 00:12 13312 BF2466B3E18E970D8A976FB95FC1CA85 c:\windows\system32\lsass.exe

[-] 2006-02-28 12:00 15360 24232996A38C0B0CF151C2140AE29FC8 c:\windows\$NtServicePackUninstall$\ctfmon.exe

[-] 2008-04-14 00:12 15360 5F1D5F88303D4A4DBC8E5F97BA967CC3 c:\windows\ServicePackFiles\i386\ctfmon.exe

[-] 2008-04-14 00:12 15360 5F1D5F88303D4A4DBC8E5F97BA967CC3 c:\windows\system32\ctfmon.exe

[-] 2005-06-11 00:17 57856 AD3D9D191AEA7B5445FE1D82FFBB4788 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe

[-] 2005-06-10 23:53 57856 DA81EC57ACD4CDC3D4C51CF3D409AF9F c:\windows\$NtServicePackUninstall$\spoolsv.exe

[-] 2006-02-28 12:00 57856 7435B108B935E42EA92CA94F59C8E717 c:\windows\$NtUninstallKB896423$\spoolsv.exe

[-] 2008-04-14 00:12 57856 D8E14A61ACC1D4A6CD0D38AEBAC7FA3B c:\windows\ServicePackFiles\i386\spoolsv.exe

[-] 2008-04-14 00:12 57856 D8E14A61ACC1D4A6CD0D38AEBAC7FA3B c:\windows\system32\spoolsv.exe

[-] 2006-02-28 12:00 24576 39B1FFB03C2296323832ACBAE50D2AFF c:\windows\$NtServicePackUninstall$\userinit.exe

[-] 2008-04-14 00:12 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\ServicePackFiles\i386\userinit.exe

[-] 2008-04-14 00:12 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\system32\userinit.exe

[-] 2006-02-28 12:00 295424 B60C877D16D9C880B952FDA04ADF16E6 c:\windows\$NtServicePackUninstall$\termsrv.dll

[-] 2008-04-14 00:12 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\ServicePackFiles\i386\termsrv.dll

[-] 2008-04-14 00:12 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\system32\termsrv.dll

[-] 2006-02-28 12:00 17408 1B5F6923ABB450692E9FE0672C897AED c:\windows\$NtServicePackUninstall$\powrprof.dll

[-] 2008-04-14 00:12 17408 50A166237A0FA771261275A405646CC0 c:\windows\ServicePackFiles\i386\powrprof.dll

[-] 2008-04-14 00:12 17408 50A166237A0FA771261275A405646CC0 c:\windows\system32\powrprof.dll

[-] 2006-02-28 12:00 110080 87CA7CE6469577F059297B9D6556D66D c:\windows\$NtServicePackUninstall$\imm32.dll

[-] 2008-04-14 00:11 110080 0DA85218E92526972A821587E6A8BF8F c:\windows\ServicePackFiles\i386\imm32.dll

[-] 2008-04-14 00:11 110080 0DA85218E92526972A821587E6A8BF8F c:\windows\system32\imm32.dll

[-] 2006-02-28 12:00 1580544 30A609E00BD1D4FFC49D6B5A432BE7F2 c:\windows\$NtServicePackUninstall$\sfcfiles.dll

[-] 2008-04-14 00:12 1614848 9DD07AF82244867CA36681EA2D29CE79 c:\windows\ServicePackFiles\i386\sfcfiles.dll

[-] 2008-04-14 00:12 1614848 9DD07AF82244867CA36681EA2D29CE79 c:\windows\system32\sfcfiles.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 143360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-10-05 98304]

"Persistence"="c:\windows\system32\igfxpers.exe" [2006-10-05 94208]

"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 53408]

"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-03-17 124656]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]

"boinctray"="c:\program files\BOINC\boinctray.exe" [2008-09-19 58112]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-12-17 16062464]

"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-15 2879488]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-9-9 113664]

BOINC Manager.lnk - c:\program files\BOINC\boincmgr.exe [2008-9-19 4190976]

Corel Registration.lnk - c:\program files\Corel\WordPerfect Office 2000\Register\Remind32.exe [2007-9-8 67584]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]

Wireless PCI_CardBus utility V1.01.exe.lnk - c:\program files\Customer\Wireless PCI_CardBus utility V1.01\Wireless PCI_CardBus utility V1.01.exe [2007-9-8 913408]

Wireless USB utility V1.02.exe.lnk - c:\program files\Customer\Wireless USB utility V1.02\Wireless USB utility V1.02.exe [2007-9-8 913408]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Games\\doom\\IDE\\Ide.exe"=

"c:\\Games\\doom\\skulltag\\skulltag.exe"=

R1 Asapi;Asapi;c:\windows\system32\drivers\asapi.sys [2/5/2008 3:29 PM 10240]

R2 BOINC;BOINC;c:\program files\BOINC\boinc.exe [9/19/2008 12:44 PM 721664]

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]

R3 AtcL002;NDIS Miniport Driver for Attansic L2 Fast Ethernet Controller;c:\windows\system32\drivers\atl02_xp.sys [9/7/2007 5:19 PM 28416]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/27/2009 9:02 PM 101936]

S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [5/13/2008 1:49 PM 16512]

S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/6/2007 4:22 PM 34064]

S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/17/2006 6:34 AM 115952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Contents of the 'Scheduled Tasks' folder

2009-05-06 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-05-13 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-c:\program files\Free Video Zilla\FVZilla.exe - (no file)

Notify-dimsntfy - (no file)

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\iv1eqwue.test\

FF - prefs.js: browser.startup.homepage - hxxp://www.howstuffworks.com/

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-05-13 13:07

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\windows\TEMP\TMP00000018FC2E271E13A167CE 524288 bytes executable

scan completed successfully

hidden files: 1

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2544)

c:\program files\Common Files\Ahead\Lib\NeroSearchBar.dll

c:\program files\Common Files\Ahead\Lib\MFC71U.DLL

c:\program files\Common Files\Ahead\Lib\BCGCBPRO800u.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Symantec Shared\ccSetMgr.exe

c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe

c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

c:\program files\a-squared Free\a2service.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Symantec AntiVirus\DefWatch.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\documents and settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe

c:\documents and settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\Symantec AntiVirus\Rtvscan.exe

c:\windows\system32\wdfmgr.exe

c:\windows\system32\wscntfy.exe

c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\HP\Digital Imaging\bin\hpqste08.exe

c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe

.

**************************************************************************

.

Completion time: 2009-05-13 13:12 - machine was rebooted

ComboFix-quarantined-files.txt 2009-05-13 17:12

Pre-Run: 105,928,646,656 bytes free

Post-Run: 105,914,212,352 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

261 --- E O F --- 2009-05-13 16:46

Link to post
Share on other sites

This is not looking good, Lily.

Please browse to and upload the following patched system files to the Virus Total Scanner or the Jotti malware scan page for a threat analysis:

c:\windows\system32\svchost.exe

c:\windows\system32\user32.dll

c:\windows\system32\winlogon.exe

c:\windows\system32\ws2_32.dll

c:\windows\system32\userinit.exe

There are more, but that should be enough to confirm a PE file infector virus is resident.

Link to post
Share on other sites

Below are copies of the basic reports. I am attaching the reanalyzed reports in WPD format since they're just so big. Honestly, is it possible to save this OS with a file infector?

SVCHost.exe

File has already been analysed:

MD5: 27c6d03bcdb8cfeb96b716f3d8be3e18

First received: 05.01.2008 02:35:20 (CET)

Date: 03.04.2009 20:10:47 (CET) [>70D]

Results: 0/39

Permalink: analisis/f23e6773ec481cc3a4b9fbf0007f0d8d

user32.dll

File has already been analysed:

MD5: b26b135ff1b9f60c9388b4a7d16f600b

First received: 06.03.2008 22:40:10 (CET)

Date: 05.12.2009 14:19:33 (CET) [+1D]

Results: 2/41

Permalink: analisis/ff3e77b37ba0d58253e51eaaca984e12

winlogon.exe

File has already been analysed:

MD5: ed0ef0a136dec83df69f04118870003e

First received: 02.13.2009 08:38:50 (CET)

Date: 02.13.2009 10:00:27 (CET) [>89D]

Results: 1/39

Permalink: analisis/35cd0c6695007190937335e0d01d2896

ws2_32.dll

File has already been analysed:

MD5: 2ccc474eb85ceaa3e1fa1726580a3e5a

First received: 04.21.2009 06:03:37 (CET)

Date: 04.30.2009 02:45:37 (CET) [>13D]

Results: 1/39

Permalink: analisis/be6a030432cd0e1a5910c074b5930762

userinit.exe

File has already been analysed:

MD5: a93aee1928a9d7ce3e16d24ec7380f89

First received: -

Date: 04.29.2009 23:19:29 (CET) [>14D]

Results: 0/40

Permalink: analisis/b04f18b761a42cd521cceb364a94f244

Let me know the next step.

SVCHost.exe.doc

user32.dll.doc


Link to post
Share on other sites

The other three reports are too big to be added via attachment, and I think I would have to post them individually in their own separate posts. Let me know if you'd like me to do that.

Thank you again for your help. If I have to wind up formatting my computer, so be it. I'd just like to be sure that this virus is cleared out first before I do so.

Link to post
Share on other sites

Jotti results:

Filename: svchost.exe

Status:

Scan finished. 0 out of 20 scanners reported malware.

Scan taken on: Thu 14 May 2009 01:22:51 (CET)

Additional info

File size: 14336 bytes

Filetype: PE32 executable for MS Windows (GUI) Intel 80386 32-bit

MD5: 27c6d03bcdb8cfeb96b716f3d8be3e18

SHA1: 49083ae3725a0488e0a8fbbe1335c745f70c4667

Filename: user32.dll

Status:

Scan finished. 0 out of 20 scanners reported malware.

Scan taken on: Thu 14 May 2009 01:24:20 (CET)

Additional info

File size: 578560 bytes

Filetype: PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit

MD5: b26b135ff1b9f60c9388b4a7d16f600b

SHA1: 08fe9ff1fe9b8fd237adedb10d65fb0447b91fe5

Filename: userinit.exe

Status:

Scan finished. 0 out of 20 scanners reported malware.

Scan taken on: Thu 14 May 2009 01:25:08 (CET)

Additional info

File size: 26112 bytes

Filetype: PE32 executable for MS Windows (GUI) Intel 80386 32-bit

MD5: a93aee1928a9d7ce3e16d24ec7380f89

SHA1: 513f8bdf67a5a9e09803cfb61f590b39f2683853

Filename: winlogon.exe

Status:

Scan finished. 0 out of 20 scanners reported malware.

Scan taken on: Thu 14 May 2009 01:26:00 (CET)

Additional info

File size: 507904 bytes

Filetype: PE32 executable for MS Windows (GUI) Intel 80386 32-bit

MD5: ed0ef0a136dec83df69f04118870003e

SHA1: f77a7cd78877527023ebfb35e83b75ef59d3df07

Filename: ws2_32.dll

Status:

Scan finished. 0 out of 20 scanners reported malware.

Scan taken on: Thu 14 May 2009 01:27:01 (CET)

Additional info

File size: 82432 bytes

Filetype: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

MD5: 2ccc474eb85ceaa3e1fa1726580a3e5a

SHA1: 7cf3366c68e402eb3678046fe97651a586044560

Link to post
Share on other sites

Honestly, is it possible to save this OS with a file infector?

No it is not realistic to do that. Reformatting in a case like this is the only way to go. The file infector has infected all copies of critical system files present on your system, including the ones in "backup" locations.

There could be literally thousands of executables that are infected. Because Combofix only tests several key system files for authenticity, it only reports on a small sample of executable files present and there are no doubt many others infected, as well.

If your computer was used for online banking, has credit card information or other sensitive data on it:

All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:

There is no guarantee this infection can be completely removed. In some instances it may have caused so much damage to your system that it cannot be completely cleaned or repaired.

Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Reinstalling Windows without first wiping the entire hard drive and reformatting will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Please read:

Link to post
Share on other sites
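The first thing a responder does with a Sigcheck block like the one above is line the copies up by file name and compare the copy Windows loads against its backups. The script below is an added example, not ComboFix's code or anything posted in this thread; it assumes the `[flag] date time size md5 path` line layout shown above, treats `dllcache`, `ServicePackFiles` and the `$...$` folders as backup locations, and its two `example.exe` lines are constructed (placeholder hashes) to show what a positive hit looks like.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple


class SigEntry(NamedTuple):
    flag: str    # text inside the brackets; the reply above reads "-" as a failed check
    stamp: str   # file timestamp as printed, "YYYY-MM-DD HH:MM"
    size: int
    md5: str     # upper-cased hex digest
    path: str    # lower-cased Windows path


LINE_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>\d+)\s+(?P<md5>[0-9A-Fa-f]{32})\s+(?P<path>\S.*?)\s*$"
)

# Assumed backup/staging locations; any other path is the copy Windows actually loads.
BACKUP_MARKERS = ("\\dllcache\\", "\\servicepackfiles\\", "\\$")

# Constructed sample: lines copied from the Sigcheck block above, plus two made-up
# example.exe lines (placeholder hashes) whose live copy is 4096 bytes larger.
SAMPLE = r"""
[-] 2006-02-28 12:00 14336 8F078AE4ED187AAABC0A305146DE6716 c:\windows\$NtServicePackUninstall$\svchost.exe
[-] 2008-04-14 00:12 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\ServicePackFiles\i386\svchost.exe
[-] 2008-04-14 00:12 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\system32\svchost.exe
[-] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\system32\drivers\tcpip.sys
[-] 2008-04-14 00:12 15360 FEDCBA9876543210FEDCBA9876543210 c:\windows\ServicePackFiles\i386\example.exe
[-] 2008-04-14 00:12 19456 0123456789ABCDEF0123456789ABCDEF c:\windows\system32\example.exe
"""


def parse_sigcheck(text: str) -> List[SigEntry]:
    """Turn the Sigcheck block into records, skipping banners and blank lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(SigEntry(m["flag"], f"{m['date']} {m['time']}", int(m["size"]),
                                    m["md5"].upper(), m["path"].lower()))
    return entries


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def is_live(path: str) -> bool:
    return not any(marker in path for marker in BACKUP_MARKERS)


def hash_variants(entries: List[SigEntry]) -> Dict[str, Dict[str, List[str]]]:
    """name -> md5 -> paths. Several digests per name are normal on a patched box
    (uninstall folders keep older builds), so this is context, not a verdict."""
    out: Dict[str, Dict[str, List[str]]] = defaultdict(lambda: defaultdict(list))
    for e in entries:
        out[basename(e.path)][e.md5].append(e.path)
    return {name: dict(by_md5) for name, by_md5 in out.items()}


def in_place_discrepancies(entries: List[SigEntry]) -> Dict[str, List[str]]:
    """Flag a live file whose timestamp equals a backup copy's but whose size or
    hash does not: the same build should hash identically wherever it sits.
    No findings is NOT a clean bill of health: an infector that rewrites the
    backups too (the case the reply above describes) leaves every pair equal."""
    by_name: Dict[str, List[SigEntry]] = defaultdict(list)
    for e in entries:
        by_name[basename(e.path)].append(e)
    findings: Dict[str, List[str]] = {}
    for name, copies in by_name.items():
        live_copies = [c for c in copies if is_live(c.path)]
        backups = [c for c in copies if not is_live(c.path)]
        for live in live_copies:
            for backup in (b for b in backups if b.stamp == live.stamp):
                if (backup.size, backup.md5) != (live.size, live.md5):
                    findings.setdefault(name, []).append(
                        f"{live.path} ({live.size} bytes, {live.md5}) differs from "
                        f"{backup.path} ({backup.size} bytes, {backup.md5})")
    return findings


if __name__ == "__main__":
    parsed = parse_sigcheck(SAMPLE)
    print(hash_variants(parsed))
    print(in_place_discrepancies(parsed))
```

Paste the whole Sigcheck block in place of the sample to run it over a real log; the only trustworthy verdict still comes from comparing the live hash with a known-good copy from a clean install, which is what the VirusTotal/Jotti uploads in this thread are for.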

OK so I'll go ahead with the full format and re-installation of my OS.

I just need to know:

A) Do you know exactly what malware this is?

B) How come Symantec failed to stop this virus?

C) Since it is obvious that my old line of defense failed, what programs would you recommend I use that can protect me against this malware?

D) What about any external hard drives and/or storage devices, should I consider those compromised too? If so, would it be possible to clean those storage devices with any specific programs after I reformat and install my OS?

Also I haven't used this computer for any online banking, although I have used it in the past to make purchases with my credit card. However, this was before any signs of the infection, and to this day my bank account statements have not shown any type of fraud. Regardless I will take your advice fully and notify my bank ASAP that my identity could have been compromised.

Link to post
Share on other sites

I am glad you haven't used the computer for any financial transactions once you became infected.

Any past financial transactions which occurred before you were infected should not put you at risk now.

My guess is that this threat is virut, sality or vitro worm.

http://www.theregister.co.uk/2009/02/12/new_virut_strain/

How come Symantec failed to stop this virus?

Could be that it did not have the definition for it when it installed. There are always some threats that can bypass an antivirus. If you look at the Virus Total reports, you will see that there are mixed detection results among all the scanners.

Of course, I recommend MBAM, and for an AV, I recommend ESET Nod32, Avira Antivir, and Kaspersky. Thus far, I have seen these antiviruses consistently giving the best detection results at Virus Total.

Although I do recommend a reformat and reinstall, it may help to run the Malicious Software Removal Tool, because it detects and removes Virut. This will help in identifying the threat but I am not suggesting it will completely cure it. My aim here is to identify it, and I still recommend a reformat and reinstall.

Follow the instructions to install and scan with the Malicious Software Removal Tool:

http://www.pchell.com/virus/malicioussoftw...movaltool.shtml

Since a new Malicious Software Removal Tool was released May 12, it would be better if you can download that new version to portable media (ie USB flash) from here:

http://www.microsoft.com/downloads/details...;displaylang=en

Allow the tool to extract, and then rename the extracted EXE from mrt.exe -> begone.exe

Transfer begone.exe to the infected PC and run a complete scan by double-clicking begone.exe.

The MSRT log will open automatically but should you need to reaccess it you can follow these instructions to open the MSRT log below, and post in your next reply:

1) Click on Start, Run

2) Type the following and Press Enter

notepad c:\windows\debug\mrt.log

===============

Another program that can most likely identify this threat is DrWeb Cureit!

Dr. Web CureIt! is downloaded as a randomly named executable file that is ready to go with no extracting and no updating. It does take a while to scan, so be patient. Here are the directions, if you want to try it:

1. Please download DrWeb-CureIt by clicking the "Download now!!!" button on the right-side of the page. Save the randomly named executable file to your desktop, but DO NOT perform a scan yet.

2. Next, please reboot your computer in Safe Mode by doing the following:

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, an Advanced Options Menu should appear
  • Select the first option, to run Windows in Safe Mode.

3. Double-click on the randomly named EXE file you just downloaded to start the program. An "Express Scan of your PC" notice will appear.

4. Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to "cure it".

5. Once the short scan has finished, Click Options --> Change settings

6. Choose the "Scan tab" and UNcheck "Heuristic analysis"

7. Back at the main window, click "Complete Scan"

8. Then click the "Start/Stop Scanning" button (green triangular "play" button on the right), and the scan will start.

9. When done, a message will be displayed at the bottom advising if any threats were found.

10. Click "Yes to all" if it asks if you want to cure/move the file.

11. When the scan has finished, see if you can locate the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".

(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)

12. Next, in the Dr.Web CureIt menu on top, click File and then choose Save report.

13. Save the DrWeb.csv report to your desktop.

14. Exit Dr.Web Cureit when done.

15. Important! Reboot your computer so any targeted files that were in use can be moved/deleted during reboot.

16. After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report by right-clicking the file and selecting "Open With" -> Notepad.)

Link to post
Share on other sites

Thank you again negster22, I will run that software either tonight or tomorrow, and generate a report for you. I'd really like to have data on this malware, so I can forward it to the proper authorities. Even if the software you recommended were able to clean my system, I'm still going to format and reinstall. At this point I'd rather start fresh.

By the way, Spybot and Malwarebytes are both able to update once again after running Combofix. I also have noticed that I am no longer being redirected to sites I have not clicked on. My scans again are turning up nothing.

Just to be thorough, I ran Smitfraudfix once again and I was able to generate a report. Here it is below:

SmitFraudFix v2.414

Scan done at 8:56:04.98, Thu 05/14/2009

Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in normal mode

Link to post
Share on other sites
