
Trojans & Registry



Hi:

I've got Trojans everywhere on my laptop. Ran MBAM & Avira 3 times. Still there on reboot.

Following are the Malwarebytes log and the HijackThis log. Help!

Malwarebytes' Anti-Malware 1.36

Database version: 2105

Windows 5.1.2600 Service Pack 3

5/10/2009 5:52:08 PM

mbam-log-2009-05-10 (17-52-08).txt

Scan type: Quick Scan

Objects scanned: 83930

Time elapsed: 5 minute(s), 14 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 1

Registry Values Infected: 3

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 9

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\Temp\msb.dll (Worm.Autorun) -> Delete on reboot.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Worm.Autorun) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Worm.Autorun) -> Quarantined and deleted successfully.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Worm.Autorun) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\Temp\msb.dll (Worm.Autorun) -> Delete on reboot.

C:\Documents and Settings\Bob\protect.dll (Worm.Autorun) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\autochk.dll (Worm.Autorun) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\config\systemprofile\protect.dll (Worm.Autorun) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\ChkDisk.dll (Worm.Autorun) -> Quarantined and deleted successfully.

C:\Documents and Settings\Bob\Start Menu\Programs\Startup\ChkDisk.dll (Worm.Autorun) -> Quarantined and deleted successfully.

C:\Documents and Settings\Bob\Start Menu\Programs\Startup\ChkDisk.lnk (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\nsrbgxod.bak (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\lmn_setup.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:14:35 PM, on 5/10/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16827)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\WINDOWS\System32\gearsec.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\System32\HPZipm12.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\UPHClean\uphclean.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

\?\globalroot\C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.symantec.com/techsupp/oem

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKLM\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\autochk.dll,_IWMPEvents@16

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

O4 - HKCU\..\Run: [autochk] rundll32.exe C:\DOCUME~1\Bob\protect.dll,_IWMPEvents@16

O4 - HKUS\S-1-5-21-2817279206-2474923443-3543751849-1007\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')

O4 - HKUS\S-1-5-21-2817279206-2474923443-3543751849-1007\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1 (User '?')

O4 - HKUS\S-1-5-21-2817279206-2474923443-3543751849-1007\..\Run: [autochk] rundll32.exe C:\DOCUME~1\Bob\protect.dll,_IWMPEvents@16 (User '?')

O4 - HKUS\S-1-5-18\..\Run: [autochk] rundll32.exe C:\DOCUME~1\LOCALS~1\protect.dll,_IWMPEvents@16 (User '?')

O4 - HKUS\.DEFAULT\..\Run: [autochk] rundll32.exe C:\DOCUME~1\LOCALS~1\protect.dll,_IWMPEvents@16 (User 'Default user')

O4 - S-1-5-21-2817279206-2474923443-3543751849-1007 Startup: ChkDisk.lnk = ? (User '?')

O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')

O4 - Startup: ChkDisk.lnk = ?

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop

O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://tky09.celartem.com/en/download/data...ntrol_en_US.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -

O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab

O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab

O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab

O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1167503653870

O16 - DPF: {76D90D08-EAB7-46D8-BF99-87445BF59E72} (SystemInfo Class) - http://getdway.com/dwayready/dpcsysinfo.cab

O16 - DPF: {9A95FE4A-0CD3-4698-A0F4-D2264C6E7046} - http://ispe.sdc.hp.com/awebui/jsp/answerwe...EActiveChat.CAB

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O16 - DPF: {B495C654-5860-45D4-8EAA-5663B9393F33} (OVA Class) - http://go.microsoft.com/fwlink/?linkid=49480

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O20 - AppInit_DLLs: bddnxo.dll

O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\

O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe

O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe


  • Staff

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.

In case you lost internet access after performing above instructions:

In IE: Tools Menu -> Internet Options -> Connections Tab -> LAN Settings -> uncheck "Use a proxy server", or reconfigure the proxy server again in case you have set it previously.

In Firefox: Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection.

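The indicators in the user's HijackThis log above (rundll32 launching protect.dll from the user profile, the same `autochk` value name under HKLM, HKCU and every HKUS hive, the Startup-folder ChkDisk.lnk with no target, the AppInit_DLLs entry, and the `ProxyServer = http=localhost:7171` setting the staff reply tells the user to undo) can be picked out mechanically. The following triage script is an added example, not code from the thread, from HijackThis or from Malwarebytes; the sample lines are copied from the log above, while the severity labels and the user-profile path heuristic are my own assumptions.

```python
"""Triage of HijackThis-style log lines for the persistence patterns seen above.

Added example: not code from the thread, from HijackThis or from Malwarebytes.
The severity labels and the user-profile heuristic are assumptions of mine;
the sample lines below are copied from the user's log.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample: a subset of the HijackThis log posted in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\autochk.dll,_IWMPEvents@16
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [autochk] rundll32.exe C:\DOCUME~1\Bob\protect.dll,_IWMPEvents@16
O4 - HKUS\S-1-5-21-2817279206-2474923443-3543751849-1007\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [autochk] rundll32.exe C:\DOCUME~1\LOCALS~1\protect.dll,_IWMPEvents@16 (User 'Default user')
O4 - Startup: ChkDisk.lnk = ?
O20 - AppInit_DLLs: bddnxo.dll
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
"""

# Assumption: DLLs launched by a Run key from a user profile or temp folder
# are far more often malware than legitimate software.
USER_PROFILE_HINTS = ("docume~1", "documents and settings", "\\temp\\", "\\users\\")

USER_SUFFIX_RE = re.compile(r"\s*\(User '[^']*'\)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+?)"?\s*,', re.IGNORECASE)
RUN_NAME_RE = re.compile(r"^O4 - (.+?)\\\.\.\\Run: \[([^\]]+)\]", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section tag: O4, O20, R1 ...
    severity: str  # "high" or "medium" (assumed labels)
    reason: str
    line: str


def _in_user_profile(path: str) -> bool:
    p = path.lower()
    return any(hint in p for hint in USER_PROFILE_HINTS)


def check_line(raw: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None if nothing stands out."""
    line = USER_SUFFIX_RE.sub("", raw.strip())   # drop the "(User '...')" suffix
    if not line:
        return None
    tag = line.split(" - ", 1)[0]

    if tag == "O4":
        m = RUNDLL_RE.search(line)
        if m:
            dll = m.group(1)
            if _in_user_profile(dll):
                return Finding(tag, "high", f"rundll32 loads a DLL from a user profile: {dll}", line)
            # rundll32 in a Run key is worth a look even when the DLL sits in system32
            return Finding(tag, "medium", f"Run entry executes via rundll32: {dll}", line)
        if "Startup:" in line and (line.endswith("= ?") or line.lower().endswith(".dll")):
            return Finding(tag, "high", "Startup-folder item with unresolved target or bare DLL", line)
        return None

    if tag == "O20" and "AppInit_DLLs:" in line:
        value = line.split("AppInit_DLLs:", 1)[1].strip()
        return Finding(tag, "high", f"AppInit_DLLs loads into every GUI process: {value}", line) if value else None

    if tag in ("R0", "R1") and "ProxyServer" in line:
        value = line.split("=", 1)[1].strip()
        if re.search(r"localhost|127\.0\.0\.1", value, re.IGNORECASE):
            return Finding(tag, "high", f"browser proxy points at the local machine: {value}", line)
        return Finding(tag, "medium", f"browser proxy configured: {value}", line)

    return None


def triage(log_text: str) -> List[Finding]:
    """Run check_line over every line, keeping only the findings."""
    return [f for f in map(check_line, log_text.splitlines()) if f is not None]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


def run_names_by_hive(log_text: str) -> Dict[str, Set[str]]:
    """Map each O4 Run value name to the set of hives it appears under."""
    by_name: Dict[str, Set[str]] = {}
    for raw in log_text.splitlines():
        m = RUN_NAME_RE.match(raw.strip())
        if m:
            by_name.setdefault(m.group(2).lower(), set()).add(m.group(1).upper())
    return by_name


def names_in_machine_and_user_hives(log_text: str) -> Dict[str, Set[str]]:
    """Run names registered under HKLM *and* under a per-user hive.

    Legitimate software normally picks one; a worm that wants to survive any
    logon (the autochk entries above) writes itself into all of them.
    """
    return {name: hives for name, hives in run_names_by_hive(log_text).items()
            if "HKLM" in hives and len(hives) > 1}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}")
    print("summary:", summarize(triage(SAMPLE_LOG)))
    print("names in HKLM and user hives:", names_in_machine_and_user_hives(SAMPLE_LOG))
```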

Hi:

Thank you for your response. ComboFix is attached. Please note that upon a restart to 'prepare the log', Avira was automatically activated. I don't know if it's a cause for concern. Maybe our friends over at Bleepingcomputer may wish to amend the steps shown on their website for deactivating Avira, in order to prevent an accidental activation of Avira upon a restart. Here's the ComboFix log:

ComboFix 09-05-12.04 - Bob 05/12/2009 18:13.1 - NTFSx86

Running from: c:\documents and settings\Bob\Desktop\ComboFix.exe

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Bob\Local Settings\Temporary Internet Files\CPV.stt

c:\documents and settings\Bob\Local Settings\Temporary Internet Files\fbk.sts

c:\windows\IE4 Error Log.txt

c:\windows\system32\drivers\TDSSrvdc.sys

c:\windows\system32\mdm.exe

c:\windows\system32\msbind32.exe

c:\windows\system32\TDSSkfkl.dll

c:\windows\system32\TDSSnmxh.log

c:\windows\system32\TDSSoaha.dll

c:\windows\system32\TDSSoxum.dll

c:\windows\system32\TDSSqkhc.dll

c:\windows\system32\TDSSqrde.log

c:\windows\system32\TDSSshkx.log

c:\windows\system32\TDSSurxb.dll

c:\windows\system32\TDSSweat.dat

c:\windows\system32\TDSSxehr.dll

c:\windows\system32\ukctrlfh.ini

c:\windows\system32\wmvds32.dll

Infected copy of c:\windows\system32\drivers\ndis.sys was found and disinfected

Restored copy from - The cat ate it :(

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_TDSSSERV.SYS

-------\Legacy_TDSSSERV.SYS

-------\Service_sysrest.sys

((((((((((((((((((((((((( Files Created from 2009-04-12 to 2009-05-12 )))))))))))))))))))))))))))))))

.

2009-05-10 19:28 . 2009-05-10 19:28 -------- d-----w c:\program files\Trend Micro

2009-05-02 23:44 . 2009-05-02 23:44 -------- d-----w c:\documents and settings\Bob\Application Data\GlarySoft

2009-05-02 21:45 . 2009-05-02 21:45 -------- d-----w c:\program files\Avira GmbH

2009-04-30 22:10 . 2009-04-30 22:10 -------- d-----w c:\documents and settings\All Users\Application Data\Avira

2009-04-30 22:10 . 2009-04-30 22:10 -------- d-----w c:\program files\Avira

2009-04-26 00:06 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-04-26 00:06 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-04-26 00:06 . 2009-04-26 00:06 -------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-04-23 23:35 . 2009-05-10 21:15 -------- d-----w c:\program files\MSECACHE

2009-04-18 00:25 . 2009-04-18 00:25 -------- d-----w c:\documents and settings\Bob\Application Data\PeaZip

2009-04-16 22:50 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll

2009-04-16 22:50 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe

2009-04-16 22:50 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll

2009-04-16 22:50 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe

2009-04-16 22:50 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll

2009-04-16 22:50 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe

2009-04-16 22:50 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll

2009-04-16 22:50 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll

2009-04-16 22:50 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll

2009-04-16 22:50 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll

2009-04-16 22:49 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll

2009-04-16 22:49 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-05-12 22:16 . 2003-03-31 02:00 578560 ----a-w c:\windows\system32\user32.dll

2009-05-12 22:13 . 2003-03-31 02:00 182656 ----a-w c:\windows\system32\drivers\ndis.sys

2009-05-02 22:57 . 2004-05-06 19:15 -------- d--h--w c:\program files\InstallShield Installation Information

2009-04-25 23:55 . 2007-10-13 20:12 752 ----a-w C:\smbios.bin

2009-04-23 23:46 . 2004-05-06 19:33 -------- d-----w c:\program files\Java

2009-04-12 00:16 . 2004-05-06 19:52 -------- d-----w c:\program files\Microsoft Works

2009-04-12 00:16 . 2008-09-26 22:00 -------- d-----w c:\program files\Free RAR Extract Frog

2009-04-12 00:16 . 2007-01-29 16:47 -------- d-----w c:\program files\DivX

2009-04-11 02:38 . 2009-04-11 02:38 -------- d-----w c:\program files\uTorrent

2009-03-09 09:19 . 2008-12-20 00:47 410984 ----a-w c:\windows\system32\deploytk.dll

2009-03-06 14:22 . 2003-03-31 02:00 284160 ----a-w c:\windows\system32\pdh.dll

2009-03-03 00:18 . 2004-02-06 22:05 826368 ----a-w c:\windows\system32\wininet.dll

2009-02-20 18:09 . 2004-11-21 22:34 78336 ----a-w c:\windows\system32\ieencode.dll

2007-08-23 23:57 . 2007-08-23 23:57 10091750 ----a-w c:\program files\PAF5EnglishSetup.exe

2006-04-10 16:13 . 2006-04-10 16:13 3653632 ----a-w c:\program files\Ica32Pkg.msi

.

Infected c:\windows\system32\user32.dll hex repaired

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-07-15 618496]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"EnableProfileQuota"= 1 (0x1)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32

"MIDI1"= SYNCOR11.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]

backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]

backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Program Neighborhood Agent.lnk]

backup=c:\windows\pss\Program Neighborhood Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk

backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk

backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]

backup=c:\windows\pss\Service Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ulead Photo Express 4.0 SE Calendar Checker .lnk]

backup=c:\windows\pss\Ulead Photo Express 4.0 SE Calendar Checker .lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Bob^Start Menu^Programs^Startup^ChkDisk.dll]

path=c:\documents and settings\Bob\Start Menu\Programs\Startup\ChkDisk.dll

backup=c:\windows\pss\ChkDisk.dllStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Bob^Start Menu^Programs^Startup^ChkDisk.lnk]

path=c:\documents and settings\Bob\Start Menu\Programs\Startup\ChkDisk.lnk

backup=c:\windows\pss\ChkDisk.lnkStartup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GoToMeeting

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lphct46j0e50w

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMrhcp46j0e50w

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnSpyPC

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

R1 b31a30a5;b31a30a5;c:\windows\System32\drivers\b31a30a5.sys [x]

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]

R2 ZPMODEMSYSNTDRVNT;ZPMODEMSYSNTDRVNT;c:\windows\system32\drivers\zpmodemnt.sys [x]

S3 WBSD;Winbond Secure Digital Storage (SD/MMC) Device Driver;c:\windows\system32\Drivers\WBSD.SYS [2004-03-18 27008]

--- Other Services/Drivers In Memory ---

*Deregistered* - AFD

*Deregistered* - Alerter

*Deregistered* - ALG

*Deregistered* - AntiVirScheduler

*Deregistered* - AntiVirService

*Deregistered* - Arp1394

*Deregistered* - ASCTRM

*Deregistered* - Ati HotKey Poller

*Deregistered* - AudioSrv

*Deregistered* - audstub

*Deregistered* - avgio

*Deregistered* - avgntflt

*Deregistered* - Beep

*Deregistered* - BITS

*Deregistered* - Browser

*Deregistered* - Cdfs

*Deregistered* - Compbatt

*Deregistered* - CryptSvc

*Deregistered* - DcomLaunch

*Deregistered* - Dhcp

*Deregistered* - Dnscache

*Deregistered* - ERSvc

*Deregistered* - EventSystem

*Deregistered* - Fips

*Deregistered* - FltMgr

*Deregistered* - Ftdisk

*Deregistered* - GEARSecurity

*Deregistered* - Gpc

*Deregistered* - helpsvc

*Deregistered* - HidServ

*Deregistered* - HTTP

*Deregistered* - ImapiService

*Deregistered* - IntelIde

*Deregistered* - IpNat

*Deregistered* - IPSec

*Deregistered* - irda

*Deregistered* - Irmon

*Deregistered* - JavaQuickStarterService

*Deregistered* - KSecDD

*Deregistered* - lanmanserver

*Deregistered* - lanmanworkstation

*Deregistered* - LmHosts

*Deregistered* - mnmdd

*Deregistered* - MountMgr

*Deregistered* - MRxDAV

*Deregistered* - MRxSmb

*Deregistered* - Msfs

*Deregistered* - mssmbios

*Deregistered* - Mup

*Deregistered* - NDIS

*Deregistered* - NdisTapi

*Deregistered* - Ndisuio

*Deregistered* - NdisWan

*Deregistered* - NDProxy

*Deregistered* - NetBIOS

*Deregistered* - NetBT

*Deregistered* - Netman

*Deregistered* - Nla

*Deregistered* - Npfs

*Deregistered* - Ntfs

*Deregistered* - Null

*Deregistered* - PartMgr

*Deregistered* - ParVdm

*Deregistered* - Pml Driver HPZ12

*Deregistered* - PolicyAgent

*Deregistered* - PptpMiniport

*Deregistered* - ProtectedStorage

*Deregistered* - PSched

*Deregistered* - RasAcd

*Deregistered* - Rasirda

*Deregistered* - Rasl2tp

*Deregistered* - RasMan

*Deregistered* - RasPppoe

*Deregistered* - Raspti

*Deregistered* - Rdbss

*Deregistered* - RDPCDD

*Deregistered* - RDPWD

*Deregistered* - RpcSs

*Deregistered* - SamSs

*Deregistered* - Schedule

*Deregistered* - seclogon

*Deregistered* - SENS

*Deregistered* - SharedAccess

*Deregistered* - ShellHWDetection

*Deregistered* - SoundMAX Agent Service (default)

*Deregistered* - Spooler

*Deregistered* - sr

*Deregistered* - srservice

*Deregistered* - Srv

*Deregistered* - SSDPSRV

*Deregistered* - stisvc

*Deregistered* - swenum

*Deregistered* - symlcbrd

*Deregistered* - TapiSrv

*Deregistered* - Tcpip

*Deregistered* - TDTCP

*Deregistered* - TermDD

*Deregistered* - TermService

*Deregistered* - Themes

*Deregistered* - TrkWks

*Deregistered* - UMWdf

*Deregistered* - Update

*Deregistered* - UPHClean

*Deregistered* - uphcleanhlp

*Deregistered* - VgaSave

*Deregistered* - ViaIde

*Deregistered* - VolSnap

*Deregistered* - W32Time

*Deregistered* - Wanarp

*Deregistered* - WebClient

*Deregistered* - WinDefend

*Deregistered* - winmgmt

*Deregistered* - wscsvc

*Deregistered* - wuauserv

*Deregistered* - WZCSVC

.

Contents of the 'Scheduled Tasks' folder

2009-04-26 c:\windows\Tasks\System Restore.job

- c:\windows\system32\Restore\rstrui.exe [2003-03-31 00:12]

.

- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-dmyeo - (no file)

MSConfigStartUp-yaemu - (no file)

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://www.google.com/

uStart Page = hxxp://www.yahoo.com/

mStart Page = hxxp://www.yahoo.com

uInternet Connection Wizard,ShellNext = hxxp://www.symantec.com/techsupp/oem

uInternet Settings,ProxyOverride = *.local

uInternet Settings,ProxyServer = http=localhost:7171

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-05-12 18:19

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\windows\system32\drivers\ovfsthkpdwatnaywqrnawnpvkqihsrgofixokj.sys 83968 bytes executable

c:\docume~1\Bob\LOCALS~1\Temp\ovfsth000 0 bytes

c:\docume~1\Bob\LOCALS~1\Temp\ovfsthx000 0 bytes

c:\windows\system32\ovfsthaaiwtqisbouvbjchkntdwyxcqdcuryiw.dll 18944 bytes executable

c:\windows\system32\ovfsthbxiartbseuflibkkwwejyxenawvreiws.dll 18432 bytes executable

c:\windows\system32\ovfsthlanppfbdjfoayfihgrfciroukmxxmxmr.dat 185875 bytes

c:\windows\system32\ovfsthxdvudxascqpgrphjegfibtjxuwvjnvqe.dat 43 bytes

c:\windows\system32\ovfsthyldfeafoxigqhfkafdkubvebfcryalvj.dll 60928 bytes executable

scan completed successfully

hidden files: 8

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ovfsthmhtmysjmuckmtcscqodsmxlnqlteiyui]

"imagepath"="\systemroot\system32\drivers\ovfsthkpdwatnaywqrnawnpvkqihsrgofixokj.sys"

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe

c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe

c:\windows\system32\gearsec.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\HPZipm12.exe

c:\program files\Analog Devices\SoundMAX\SMAgent.exe

c:\windows\system32\wdfmgr.exe

c:\program files\UPHClean\uphclean.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2009-05-12 18:28 - machine was rebooted

ComboFix-quarantined-files.txt 2009-05-12 22:26

Pre-Run: 23,715,930,112 bytes free

Post-Run: 23,700,967,424 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

325 --- E O F --- 2009-04-29 23:02


  • Staff

Hi,

Yikes, this computer was and still is severely infected. Even some important system files were infected here.

Keep in mind that the malware already caused a lot of damage and that cannot always be restored.

Also keep in mind that when a computer is so severely infected and you decide to clean it up manually, as we are doing now, you have to understand that you'll never be able to trust this computer anymore, because it's too badly infected/compromised.

I'd rather make you aware of this, so you know what you may still expect in the future.

It also looks like this isn't the first time that this computer got infected :(

Anyway, * Open Notepad - don't use any other text editor than Notepad or the script will fail.

Copy/paste the text in the quotebox below into notepad:

File::

c:\windows\pss\ChkDisk.lnkStartup

c:\windows\pss\ChkDisk.dllStartup

Rootkit::

c:\windows\system32\drivers\ovfsthkpdwatnaywqrnawnpvkqihsrgofixokj.sys

c:\docume~1\Bob\LOCALS~1\Temp\ovfsth000

c:\docume~1\Bob\LOCALS~1\Temp\ovfsthx000

c:\windows\system32\ovfsthaaiwtqisbouvbjchkntdwyxcqdcuryiw.dll

c:\windows\system32\ovfsthbxiartbseuflibkkwwejyxenawvreiws.dll

c:\windows\system32\ovfsthlanppfbdjfoayfihgrfciroukmxxmxmr.dat

c:\windows\system32\ovfsthxdvudxascqpgrphjegfibtjxuwvjnvqe.dat

c:\windows\system32\ovfsthyldfeafoxigqhfkafdkubvebfcryalvj.dll

DDS::

uInternet Settings,ProxyOverride = *.local

uInternet Settings,ProxyServer = http=localhost:7171

Driver::

ovfsthmhtmysjmuckmtcscqodsmxlnqlteiyui

b31a30a5

Registry::

[-HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]

[-HKLM\~\startupfolder\C:^Documents and Settings^Bob^Start Menu^Programs^Startup^ChkDisk.dll]

[-HKLM\~\startupfolder\C:^Documents and Settings^Bob^Start Menu^Programs^Startup^ChkDisk.lnk]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lphct46j0e50w]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMrhcp46j0e50w]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnSpyPC]

Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScript.gif]

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


Hi:

Thank you for your help with this 5-year-old laptop. I passed your opening thoughts to the other members of this household and everyone hung their heads way down low and murmured in shame. One of our youngsters had the nerve to ask if our laptop ranks in the top 5 of infested computers because he thought it would be cool to brag about it at school. As a result, he's missing out on fine dinner tonight. On the brighter side, we do some file backups often.

We had Norton running for a long time, then dumped it last year because it was doing a poor job of catching things that Ad-Aware would catch. We went to AVG, then Avast, and finally Avira. We've been running Malwarebytes for about 6 months or so, but with the way the heads just went down around here, I suppose the damage was already done. I'll make it a point to print "Prevention" in your blog and post it next to the laptop. Maybe it'll do some good.

So anyway, after following your instructions, attached is the latest ComboFix file. Please note that the PC rebooted and Avira again reactivated itself upon restart... and even found a detection in the middle of ComboFix, which I quickly ignored. Again, thank you so much for your help.

ComboFix 09-05-13.01 - Bob 05/13/2009 17:55.2 - NTFSx86

Running from: c:\documents and settings\Bob\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Bob\Desktop\CFScript.txt

* Created a new restore point

FILE ::

c:\windows\pss\ChkDisk.dllStartup

c:\windows\pss\ChkDisk.lnkStartup

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\pss\ChkDisk.lnkStartup

c:\windows\system32\drivers\ovfsthkpdwatnaywqrnawnpvkqihsrgofixokj.sys

c:\windows\system32\ovfsthaaiwtqisbouvbjchkntdwyxcqdcuryiw.dll

c:\windows\system32\ovfsthbxiartbseuflibkkwwejyxenawvreiws.dll

c:\windows\system32\ovfsthlanppfbdjfoayfihgrfciroukmxxmxmr.dat

c:\windows\system32\ovfsthxdvudxascqpgrphjegfibtjxuwvjnvqe.dat

c:\windows\system32\ovfsthyldfeafoxigqhfkafdkubvebfcryalvj.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_ovfsthmhtmysjmuckmtcscqodsmxlnqlteiyui

-------\Service_b31a30a5

((((((((((((((((((((((((( Files Created from 2009-04-13 to 2009-05-13 )))))))))))))))))))))))))))))))

.

2009-05-10 19:28 . 2009-05-10 19:28 -------- d-----w c:\program files\Trend Micro

2009-05-02 23:44 . 2009-05-02 23:44 -------- d-----w c:\documents and settings\Bob\Application Data\GlarySoft

2009-05-02 21:45 . 2009-05-02 21:45 -------- d-----w c:\program files\Avira GmbH

2009-04-30 22:10 . 2009-04-30 22:10 -------- d-----w c:\documents and settings\All Users\Application Data\Avira

2009-04-30 22:10 . 2009-04-30 22:10 -------- d-----w c:\program files\Avira

2009-04-26 00:06 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-04-26 00:06 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-04-26 00:06 . 2009-04-26 00:06 -------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-04-23 23:35 . 2009-05-10 21:15 -------- d-----w c:\program files\MSECACHE

2009-04-18 00:25 . 2009-04-18 00:25 -------- d-----w c:\documents and settings\Bob\Application Data\PeaZip

2009-04-16 22:50 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll

2009-04-16 22:50 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe

2009-04-16 22:50 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll

2009-04-16 22:50 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe

2009-04-16 22:50 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll

2009-04-16 22:50 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe

2009-04-16 22:50 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll

2009-04-16 22:50 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll

2009-04-16 22:50 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll

2009-04-16 22:50 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll

2009-04-16 22:49 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll

2009-04-16 22:49 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-05-12 22:16 . 2003-03-31 02:00 578560 ----a-w c:\windows\system32\user32.dll

2009-05-12 22:13 . 2003-03-31 02:00 182656 ----a-w c:\windows\system32\drivers\ndis.sys

2009-05-02 22:57 . 2004-05-06 19:15 -------- d--h--w c:\program files\InstallShield Installation Information

2009-04-25 23:55 . 2007-10-13 20:12 752 ----a-w C:\smbios.bin

2009-04-23 23:46 . 2004-05-06 19:33 -------- d-----w c:\program files\Java

2009-04-12 00:16 . 2004-05-06 19:52 -------- d-----w c:\program files\Microsoft Works

2009-04-12 00:16 . 2008-09-26 22:00 -------- d-----w c:\program files\Free RAR Extract Frog

2009-04-12 00:16 . 2007-01-29 16:47 -------- d-----w c:\program files\DivX

2009-04-11 02:38 . 2009-04-11 02:38 -------- d-----w c:\program files\uTorrent

2009-03-09 09:19 . 2008-12-20 00:47 410984 ----a-w c:\windows\system32\deploytk.dll

2009-03-06 14:22 . 2003-03-31 02:00 284160 ----a-w c:\windows\system32\pdh.dll

2009-03-03 00:18 . 2004-02-06 22:05 826368 ----a-w c:\windows\system32\wininet.dll

2009-02-20 18:09 . 2004-11-21 22:34 78336 ----a-w c:\windows\system32\ieencode.dll

2007-08-23 23:57 . 2007-08-23 23:57 10091750 ----a-w c:\program files\PAF5EnglishSetup.exe

2006-04-10 16:13 . 2006-04-10 16:13 3653632 ----a-w c:\program files\Ica32Pkg.msi

.

((((((((((((((((((((((((((((( SnapShot@2009-05-12_22.19.50 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-05-13 22:00 . 2009-05-13 22:00 16384 c:\windows\Temp\Perflib_Perfdata_704.dat

+ 2004-05-06 20:28 . 2009-05-12 23:03 23040 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe

- 2004-05-06 20:28 . 2009-04-29 23:01 23040 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe

- 2004-05-06 20:28 . 2009-04-29 23:01 27136 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe

+ 2004-05-06 20:28 . 2009-05-12 23:03 27136 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe

+ 2004-05-06 20:28 . 2009-05-12 23:03 11264 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe

- 2004-05-06 20:28 . 2009-04-29 23:01 11264 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe

- 2004-05-06 20:28 . 2009-04-29 23:01 12288 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe

+ 2004-05-06 20:28 . 2009-05-12 23:03 12288 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe

+ 2007-03-22 23:05 . 2007-03-22 23:05 97632 c:\windows\Installer\$PatchCache$\Managed\9040211900063D11C8EF10054038389C\11.0.8173\PP7X32.DLL

- 2004-05-06 20:28 . 2009-04-29 23:01 4096 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe

+ 2004-05-06 20:28 . 2009-05-12 23:03 4096 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe

- 2004-05-06 20:28 . 2009-04-29 23:01 409600 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe

+ 2004-05-06 20:28 . 2009-05-12 23:03 409600 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe

- 2004-05-06 20:28 . 2009-04-29 23:01 286720 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe

+ 2004-05-06 20:28 . 2009-05-12 23:03 286720 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe

+ 2004-05-06 20:28 . 2009-05-12 23:03 249856 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe

- 2004-05-06 20:28 . 2009-04-29 23:01 249856 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe

+ 2004-05-06 20:28 . 2009-05-12 23:03 794624 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe

- 2004-05-06 20:28 . 2009-04-29 23:01 794624 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe

+ 2004-05-06 20:28 . 2009-05-12 23:03 135168 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe

- 2004-05-06 20:28 . 2009-04-29 23:01 135168 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe

+ 2009-05-12 23:00 . 2009-05-07 04:16 24699336 c:\windows\system32\MRT.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-07-15 618496]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

c:\documents and settings\Default User\Start Menu\Programs\Startup\

AutoTBar.exe [2003-9-30 57344]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"EnableProfileQuota"= 1 (0x1)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32

"MIDI1"= SYNCOR11.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]

backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]

backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Program Neighborhood Agent.lnk]

backup=c:\windows\pss\Program Neighborhood Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk

backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk

backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ulead Photo Express 4.0 SE Calendar Checker .lnk]

backup=c:\windows\pss\Ulead Photo Express 4.0 SE Calendar Checker .lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]

R2 ZPMODEMSYSNTDRVNT;ZPMODEMSYSNTDRVNT;c:\windows\system32\drivers\zpmodemnt.sys [x]

S3 WBSD;Winbond Secure Digital Storage (SD/MMC) Device Driver;c:\windows\system32\Drivers\WBSD.SYS [2004-03-18 27008]

--- Other Services/Drivers In Memory ---

*Deregistered* - AFD

*Deregistered* - Alerter

*Deregistered* - ALG

*Deregistered* - AntiVirScheduler

*Deregistered* - AntiVirService

*Deregistered* - Arp1394

*Deregistered* - ASCTRM

*Deregistered* - Ati HotKey Poller

*Deregistered* - AudioSrv

*Deregistered* - audstub

*Deregistered* - avgio

*Deregistered* - avgntflt

*Deregistered* - Beep

*Deregistered* - Browser

*Deregistered* - Cdfs

*Deregistered* - Compbatt

*Deregistered* - CryptSvc

*Deregistered* - DcomLaunch

*Deregistered* - Dhcp

*Deregistered* - Dnscache

*Deregistered* - ERSvc

*Deregistered* - EventSystem

*Deregistered* - Fips

*Deregistered* - FltMgr

*Deregistered* - Ftdisk

*Deregistered* - GEARSecurity

*Deregistered* - Gpc

*Deregistered* - helpsvc

*Deregistered* - HidServ

*Deregistered* - HTTP

*Deregistered* - ImapiService

*Deregistered* - IntelIde

*Deregistered* - IpNat

*Deregistered* - IPSec

*Deregistered* - irda

*Deregistered* - Irmon

*Deregistered* - JavaQuickStarterService

*Deregistered* - KSecDD

*Deregistered* - lanmanserver

*Deregistered* - lanmanworkstation

*Deregistered* - LmHosts

*Deregistered* - mnmdd

*Deregistered* - MountMgr

*Deregistered* - MRxDAV

*Deregistered* - MRxSmb

*Deregistered* - Msfs

*Deregistered* - mssmbios

*Deregistered* - Mup

*Deregistered* - NDIS

*Deregistered* - NdisTapi

*Deregistered* - Ndisuio

*Deregistered* - NdisWan

*Deregistered* - NDProxy

*Deregistered* - NetBIOS

*Deregistered* - NetBT

*Deregistered* - Netman

*Deregistered* - Nla

*Deregistered* - Npfs

*Deregistered* - Ntfs

*Deregistered* - Null

*Deregistered* - PartMgr

*Deregistered* - ParVdm

*Deregistered* - Pml Driver HPZ12

*Deregistered* - PolicyAgent

*Deregistered* - PptpMiniport

*Deregistered* - ProtectedStorage

*Deregistered* - PSched

*Deregistered* - RasAcd

*Deregistered* - Rasirda

*Deregistered* - Rasl2tp

*Deregistered* - RasMan

*Deregistered* - RasPppoe

*Deregistered* - Raspti

*Deregistered* - Rdbss

*Deregistered* - RDPCDD

*Deregistered* - RDPWD

*Deregistered* - RpcSs

*Deregistered* - SamSs

*Deregistered* - Schedule

*Deregistered* - seclogon

*Deregistered* - SENS

*Deregistered* - SharedAccess

*Deregistered* - ShellHWDetection

*Deregistered* - SoundMAX Agent Service (default)

*Deregistered* - Spooler

*Deregistered* - sr

*Deregistered* - srservice

*Deregistered* - Srv

*Deregistered* - SSDPSRV

*Deregistered* - stisvc

*Deregistered* - swenum

*Deregistered* - symlcbrd

*Deregistered* - TapiSrv

*Deregistered* - Tcpip

*Deregistered* - TDTCP

*Deregistered* - TermDD

*Deregistered* - TermService

*Deregistered* - Themes

*Deregistered* - TrkWks

*Deregistered* - UMWdf

*Deregistered* - Update

*Deregistered* - UPHClean

*Deregistered* - uphcleanhlp

*Deregistered* - VgaSave

*Deregistered* - ViaIde

*Deregistered* - VolSnap

*Deregistered* - W32Time

*Deregistered* - Wanarp

*Deregistered* - WebClient

*Deregistered* - WinDefend

*Deregistered* - winmgmt

*Deregistered* - wscsvc

*Deregistered* - wuauserv

*Deregistered* - WZCSVC

.

Contents of the 'Scheduled Tasks' folder

2009-04-26 c:\windows\Tasks\System Restore.job

- c:\windows\system32\Restore\rstrui.exe [2003-03-31 00:12]

.

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://www.google.com/

uStart Page = hxxp://www.yahoo.com/

mStart Page = hxxp://www.yahoo.com

uInternet Connection Wizard,ShellNext = hxxp://www.symantec.com/techsupp/oem

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-05-13 18:01

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe

c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe

c:\windows\system32\gearsec.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\HPZipm12.exe

c:\program files\Analog Devices\SoundMAX\SMAgent.exe

c:\windows\system32\wdfmgr.exe

c:\program files\UPHClean\uphclean.exe

c:\windows\system32\MRT.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2009-05-13 18:07 - machine was rebooted

ComboFix-quarantined-files.txt 2009-05-13 22:06

ComboFix2.txt 2009-05-12 22:28

Pre-Run: 23,713,501,184 bytes free

Post-Run: 23,714,545,664 bytes free

304 --- E O F --- 2009-05-12 23:03

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
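The Reg Loading Points section of the ComboFix log above shows the kind of tampering the helper is reacting to: Security Center overrides set, its monitoring disabled, and the Windows Firewall switched off for the standard profile. As an added example (not part of this thread and not ComboFix's own code), here is a small Python parser for that section that flags those indicators; the Security Center and firewall lines in the sample mirror the log, while the `autochk` Run entry under `%windir%\Temp` is constructed for the demonstration.

```python
import re

# Constructed sample in the shape of ComboFix's "Reg Loading Points" section.
# The Security Center and firewall lines mirror the log in this thread; the
# "autochk" Run entry under %windir%\Temp is made up for the demonstration.
SAMPLE_REG_LOADING_POINTS = r"""REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"autochk"="c:\windows\Temp\example.dll" [2009-05-10 24576]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                    # [HKLM\...] section header
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')      # "Name"=data
DWORD_RE = re.compile(r"^dword:([0-9a-fA-F]{8})$")    # .reg style dword
DEC_RE = re.compile(r"^(\d+)\s*\(0x[0-9a-fA-F]+\)$")  # ComboFix's "0 (0x0)" style

def parse_value(raw):
    """Return an int for the two numeric renderings, else the raw data string."""
    raw = raw.strip()
    m = DWORD_RE.match(raw)
    if m:
        return int(m.group(1), 16)
    m = DEC_RE.match(raw)
    if m:
        return int(m.group(1))
    return raw

def parse_reg_loading_points(text):
    """Yield (key, value_name, value) triples from the REGEDIT4-style listing."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            yield key, m.group(1), parse_value(m.group(2))

def audit_loading_points(text):
    """Return (key, value_name, reason) findings for settings malware commonly flips."""
    findings = []
    for key, name, value in parse_reg_loading_points(text):
        k = key.lower()
        if "security center" in k and name.lower().endswith("override") and value == 1:
            findings.append((key, name, "Security Center override: missing AV/firewall alerts suppressed"))
        elif "security center\\monitoring" in k and name == "DisableMonitoring" and value == 1:
            findings.append((key, name, "Security Center monitoring disabled"))
        elif k.endswith("firewallpolicy\\standardprofile") and name == "EnableFirewall" and value == 0:
            findings.append((key, name, "Windows Firewall off for the standard profile"))
        elif k.endswith("\\currentversion\\run") and isinstance(value, str):
            # Run data looks like "c:\path\file.exe" [date size]; take the quoted path.
            path = value.split('"')[1].lower() if value.startswith('"') else value.lower()
            if "\\temp\\" in path:
                findings.append((key, name, "Run entry loads from a Temp directory"))
    return findings
```

Running `audit_loading_points` over a full ComboFix log's Reg Loading Points section gives a quick list of the hardening bypasses to undo (and to watch for again after cleanup), without reading every line by hand.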

Hi,

Yikes, this computer was and still is severely infected. Even some important system files were infected here.

Keep in mind that the malware already caused a lot of damage and that cannot always be restored.

Also keep in mind that, when a computer is so severely infected and you decide to clean this up manually, as we are doing now, you have to understand that you'll never be able to trust this computer anymore - this because it's too badly infected/compromised.

I'd rather make you aware of this, so you know what you still may expect in the future.

It also looks like this isn't the first time that this computer got infected :(

Anyway, * Open Notepad - don't use any other text editor than Notepad or the script will fail.

Copy/paste the text in the quotebox below into notepad:

Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScript.gif

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.


  • Staff

Hi,

This looks OK again.

* Go to Start > Run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between ComboFix and /

Then hit Enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.


Hi:

Laptop is now running the best it has in a long time <family kisses your hand>. Automatic Microsoft updates are back, Google no longer redirects to that silly cow, W/Defender is operational, and W/Firewall actually stays on. You've allowed the laptop to live another day! Please close the thread...and thank you very much. Our best to you.

Bob...and his mischievous underlings.


  • Staff

Glad I could help. :(

Please read my Prevention page with lots of info and tips on how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out which programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!


  • Staff

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
