
HJT Log Inside, I'm infected.



Hello,

Here is my HJT Log.

I downloaded Malwarebytes and was unable to update it. I ran it anyway and it didn't find anything. I ran McAfee before that and it found some stuff in my cookies. I can't find that log, but I know that it found a "PUP" called Yieldmaster or yieldmanager.

The issue I'm having is that this is a new laptop and I think I have that "gumblar.cn" virus from a website that I maintain for an old boss. (Touchgraphics.com) On my laptop I get redirects from google links. It's annoying. On the website, it was hacked and script inserted and was generally a total mess. I had fixed it last week (reuploaded all files, changed passwords) but it is messed up again I fear because I think whatever virus I have just stole the new passwords again (maybe from my laptop).

Any help would be really appreciated.

Thanks,

Nikki

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:38:25 PM, on 5/11/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.Exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\DRIVERS\o2flash.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program Files\DellTPad\Apoint.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\OEM13Mon.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe

C:\Program Files\DellTPad\ApMsgFwd.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\Program Files\DellTPad\Apntex.exe

C:\Program Files\DellTPad\HidFind.exe

C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtTry.exe

C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

C:\Documents and Settings\Bunny Mendelbaum\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\Program Files\McAfee\Managed VirusScan\VScan\McShield.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Java\jre6\bin\jucheck.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrobat.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\Documents and Settings\Bunny Mendelbaum\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Bunny Mendelbaum\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Bunny Mendelbaum\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Bunny Mendelbaum\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USSMB/1

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.live.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/USSMB/1

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://g.msn.com/USSMB/1

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://g.msn.com/USSMB/1

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet

O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [OEM13Mon.exe] C:\WINDOWS\OEM13Mon.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe

O4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe

O4 - HKLM\..\Run: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "c:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"

O4 - HKLM\..\Run: [MVS Splash] C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe

O4 - HKLM\..\Run: [McAfee Managed Services Tray] C:\Program Files\McAfee\Managed VirusScan\Agent\StartMyAgtTry.Exe

O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"

O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - HKCU\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Bunny Mendelbaum\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?

O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: Autodesk Network Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskNetSrv.exe

O23 - Service: EngineServer - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe

O23 - Service: McShield - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\VScan\McShield.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: McAfee Virus and Spyware Protection Service (myAgtSvc) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.Exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: O2FLASH - O2Micro International - C:\WINDOWS\system32\DRIVERS\o2flash.exe

O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--

End of file - 10637 bytes

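The HijackThis log above is read by hand in the thread. As an added example (not part of the original post and not a HijackThis feature), the script below parses lines in that same `R0/R1/O2/O4/O23` format and applies a few triage rules an analyst would use on a first pass: browser start/search pages pointing at a host outside a small allowlist, browser objects registered with `(no file)`, autoruns launched from user-writable locations, and services with no vendor name. The sample lines are constructed for the demonstration (some copied from the log, some made up to exercise each rule), the allowlist of home-page hosts is taken from the log, and every hit is a "review" prompt, not a verdict: the Google Update entry is flagged only because it runs from a profile directory, which the log shows is legitimate here.

```python
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis v2 line format. The first five lines and the
# McAfee/Dell service lines are copied from the log above; the badhost and
# Temp\svchost lines are made up to exercise the rules.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/USSMB/1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.badhost.example/
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Bunny Mendelbaum\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [svchost] C:\DOCUME~1\USER\LOCALS~1\Temp\svchost.exe
O23 - Service: McShield - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\VScan\McShield.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
"""

# Every HJT entry starts with a section code (R0, R1, O2, O4, O23, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")

# Paths a normal user can write to; an autorun here deserves a look (not a verdict).
USER_WRITABLE_RE = re.compile(r"documents and settings|docume~1|\\temp\\|application data", re.I)

# Home/search page hosts seen in the clean parts of this log (assumed allowlist).
TRUSTED_HOSTS = {"g.msn.com", "www.live.com", "www.dell.com"}


def _finding(severity, kind, reason, line):
    return {"severity": severity, "kind": kind, "reason": reason, "line": line}


def triage(log_text):
    """Return a list of findings for the HJT-format lines in log_text."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # headers, process list, blank lines
        kind, body = m.group("kind"), m.group("body")

        if kind in ("R0", "R1"):
            # "key,value = url": flag start/search pages on hosts we don't expect.
            _, _, url = body.partition(" = ")
            host = urlparse(url.strip()).hostname
            if host and host not in TRUSTED_HOSTS:
                findings.append(_finding("review", kind, f"browser page set to untrusted host {host}", raw))

        elif kind in ("O2", "O3", "O9") and body.endswith("(no file)"):
            # Registered BHO/toolbar/button whose DLL is gone: orphan, safe to clean up.
            findings.append(_finding("orphan", kind, "registered object whose file is missing", raw))

        elif kind == "O4" and USER_WRITABLE_RE.search(body):
            findings.append(_finding("review", kind, "autorun launches from a user-writable location", raw))

        elif kind == "O23" and "- Unknown owner -" in body:
            findings.append(_finding("review", kind, "service has no vendor name", raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['kind']}: {f['reason']}\n    {f['line']}")
```

Run against a full saved log by replacing `SAMPLE_LOG` with the file contents; the process list and the `Running processes:` header are skipped because they do not match the entry pattern.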

  • Staff

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.

Extra note: The ComboFix tutorial recommends disabling your antivirus, in your case McAfee. For McAfee, I would rather recommend temporarily uninstalling it, because McAfee causes a lot of problems with ComboFix after reboot, since McAfee enables itself again after reboot. So please temporarily uninstall McAfee first, then reboot and then scan with ComboFix.


Sorry it took me so long to reply. I'm on a deadline at work. I do really appreciate your help.

Here is my log file from combofix:

ComboFix 09-05-12.06 - Bunny Mendelbaum 05/13/2009 7:34.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2661 [GMT -4:00]

Running from: c:\documents and settings\Bunny Mendelbaum\Desktop\ComboFix.exe

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\docume~1\BUNNYM~1\LOCALS~1\Temp\install_flash_player.exe

c:\windows\whp.mqg

.

((((((((((((((((((((((((( Files Created from 2009-04-13 to 2009-05-13 )))))))))))))))))))))))))))))))

.

2009-05-13 11:24 . 2006-12-05 22:17 240 ----a-w c:\windows\myClean.bat

2009-05-12 01:37 . 2009-05-12 01:37 -------- d-----w c:\documents and settings\Bunny Mendelbaum\Application Data\Malwarebytes

2009-05-12 01:37 . 2009-05-12 01:37 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes

2009-05-10 04:29 . 2009-05-10 04:29 -------- d-----w c:\windows\Sun

2009-05-09 23:34 . 2008-04-14 04:15 26368 -c--a-w c:\windows\system32\dllcache\usbstor.sys

2009-05-07 23:33 . 2009-05-07 23:33 -------- d-----w c:\documents and settings\Bunny Mendelbaum\Application Data\AdobeUM

2009-05-07 23:31 . 2009-05-07 23:31 -------- d-----w c:\documents and settings\All Users\Application Data\Adobe Systems

2009-05-07 23:17 . 2009-05-07 23:17 -------- d-----w c:\program files\Common Files\Adobe Systems Shared

2009-05-07 23:08 . 2009-05-13 11:22 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Adobe

2009-05-07 22:45 . 2009-05-07 22:46 -------- d-----w c:\documents and settings\Bunny Mendelbaum\Local Settings\Application Data\Google

2009-05-07 22:41 . 2009-05-07 22:45 -------- d-----w c:\documents and settings\Bunny Mendelbaum\Local Settings\Application Data\Deployment

2009-05-07 20:24 . 2003-06-18 21:31 17920 ----a-w c:\windows\system32\mdimon.dll

2009-05-07 20:23 . 2009-05-07 20:23 -------- d-----w c:\program files\Microsoft ActiveSync

2009-05-07 20:23 . 2009-05-07 20:23 -------- d-----w c:\windows\SHELLNEW

2009-05-07 20:20 . 2009-05-07 20:20 -------- d--h--r C:\MSOCache

2009-05-07 20:05 . 2009-05-07 20:05 -------- d-s---w c:\documents and settings\Bunny Mendelbaum\UserData

2009-05-07 19:48 . 2009-05-07 19:48 -------- d-----w c:\documents and settings\Bunny Mendelbaum\Application Data\Windows Search

2009-05-07 19:44 . 2009-05-07 19:44 -------- d-----w c:\documents and settings\Bunny Mendelbaum\Local Settings\Application Data\Autodesk

2009-05-07 19:42 . 2009-05-07 20:32 -------- d-----w c:\program files\Common Files\Autodesk Shared

2009-05-07 19:42 . 2009-05-07 19:42 -------- d-----w c:\program files\Autodesk

2009-05-07 19:42 . 2009-05-07 19:44 -------- d-----w c:\documents and settings\Bunny Mendelbaum\Application Data\Autodesk

2009-05-07 19:39 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll

2009-05-07 19:39 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe

2009-05-07 19:33 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll

2009-05-07 19:33 . 2009-02-06 10:39 35328 -c----w c:\windows\system32\dllcache\sc.exe

2009-05-07 19:33 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll

2009-05-07 19:33 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe

2009-05-07 19:33 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll

2009-05-07 19:33 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe

2009-05-07 19:33 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll

2009-05-07 19:33 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll

2009-05-07 19:33 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll

2009-05-07 19:33 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll

2009-05-07 19:33 . 2009-05-07 19:33 -------- d-----w c:\program files\MSXML 6.0

2009-05-07 19:32 . 2009-05-07 19:32 -------- d-----w c:\documents and settings\Bunny Mendelbaum\Local Settings\Application Data\Microsoft Help

2009-05-07 19:32 . 2009-05-07 19:32 -------- d-----w c:\program files\Microsoft.NET

2009-05-07 19:32 . 2009-05-07 19:32 -------- d-----w c:\program files\Microsoft Visual Studio 8

2009-05-07 19:32 . 2009-05-07 19:32 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help

2009-05-07 19:31 . 2009-05-07 19:31 -------- d-----w c:\program files\Common Files\Java

2009-05-07 19:31 . 2009-05-07 20:32 -------- d-----w c:\documents and settings\All Users\Application Data\Autodesk

2009-05-07 19:31 . 2009-05-07 19:31 -------- d-----w c:\program files\Autodesk Network License Manager

2009-05-07 19:27 . 2009-05-07 20:32 -------- d-----w c:\program files\Revit Architecture 2009

2009-05-07 19:24 . 2009-05-07 19:24 -------- d-----w c:\documents and settings\Bunny Mendelbaum\Application Data\CyberLink

2009-05-07 19:23 . 2009-05-07 19:23 -------- d-----w c:\windows\system32\LogFiles

2009-05-07 19:22 . 2009-05-07 19:22 -------- d-----w c:\documents and settings\Bunny Mendelbaum\Local Settings\Application Data\SupportSoft

2009-05-07 17:56 . 2009-05-07 17:56 -------- d-----w c:\documents and settings\Bunny Mendelbaum\Application Data\Dell

2009-04-30 21:34 . 2009-04-30 21:34 -------- d-----w c:\windows\nview

2009-04-30 21:32 . 2008-04-14 12:06 10240 ----a-w c:\windows\system32\drivers\compbatt.sys

2009-04-30 21:32 . 2008-04-14 12:06 14208 ----a-w c:\windows\system32\drivers\battc.sys

2009-04-30 21:32 . 2008-04-14 12:06 13952 ----a-w c:\windows\system32\drivers\CmBatt.sys

2009-04-30 17:29 . 2009-05-07 19:14 -------- d-----w C:\DELL

2009-04-30 14:48 . 2009-04-30 14:48 -------- d-----w c:\program files\Microsoft Silverlight

2009-04-30 14:47 . 2009-04-30 14:47 -------- d-----w c:\program files\Microsoft Sync Framework

2009-04-30 14:47 . 2006-11-29 18:06 3426072 ----a-w c:\windows\system32\d3dx9_32.dll

2009-04-30 14:47 . 2009-04-30 14:47 -------- d-----w c:\program files\Microsoft SQL Server Compact Edition

2009-04-30 14:46 . 2009-04-30 14:46 -------- d-----w c:\program files\Microsoft

2009-04-30 14:46 . 2009-04-30 14:46 -------- d-----w c:\program files\Windows Live SkyDrive

2009-04-30 14:46 . 2009-04-30 14:48 -------- d-----w c:\program files\Windows Live

2009-04-30 14:45 . 2009-04-30 14:45 -------- d-----w c:\program files\Common Files\Windows Live

2009-04-30 14:45 . 2009-05-12 01:40 43144 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-04-30 14:45 . 2009-04-30 14:45 -------- d-----w c:\documents and settings\All Users\Application Data\Dell

2009-04-30 14:45 . 2009-04-30 14:45 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\PowerDVD DX

2009-04-30 14:45 . 2008-02-26 15:57 1047552 ----a-w c:\windows\system32\MFC71u.dll

2009-04-30 14:45 . 2008-02-26 15:57 89088 ----a-w c:\windows\system32\atl71.dll

2009-04-30 14:45 . 2009-04-30 14:45 -------- d-----w c:\program files\CyberLink

2009-04-30 14:43 . 2009-05-13 11:31 -------- d-----w c:\documents and settings\All Users\Application Data\McAfee

2009-04-30 14:43 . 2009-05-13 11:31 -------- d-----w c:\program files\McAfee

2009-04-30 14:43 . 2009-04-30 14:43 -------- d-----w c:\documents and settings\All Users\Application Data\SupportSoft

2009-04-30 14:43 . 2009-04-30 14:43 -------- d-----w c:\program files\Dell Support Center

2009-04-30 14:43 . 2009-04-30 14:43 -------- d-----w c:\program files\Common Files\supportsoft

2009-04-30 14:41 . 2009-05-07 23:30 -------- d-----w c:\program files\Common Files\Adobe

2009-04-30 14:41 . 2005-08-12 22:50 16128 ----a-w c:\windows\system32\drivers\APPDRV.SYS

2009-04-30 14:41 . 2009-04-30 14:41 76 --sh--r c:\windows\CT4CET.bin

2009-04-30 14:41 . 2009-04-30 14:41 -------- d-----w c:\program files\Common Files\Reallusion

2009-04-30 14:41 . 2007-11-06 02:31 348160 ------w c:\windows\system32\msvcr71.dll

2009-04-30 14:41 . 2007-11-06 02:31 499712 ------w c:\windows\system32\msvcp71.dll

2009-04-30 14:41 . 2007-11-06 02:31 1060864 ------w c:\windows\system32\MFC71.DLL

2009-04-30 14:41 . 2009-04-30 14:41 -------- d-----w c:\program files\Creative Live! Cam

2009-04-30 14:41 . 2009-04-30 14:41 -------- d-----w c:\program files\Creative

2009-04-30 14:41 . 2009-04-30 14:45 -------- d--h--w c:\program files\InstallShield Installation Information

2009-04-30 14:41 . 2009-04-30 14:42 -------- d-----w c:\program files\Common Files\InstallShield

2009-04-30 14:39 . 2009-04-30 14:39 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Identities

2009-04-30 14:38 . 2008-06-24 16:43 74240 -c----w c:\windows\system32\dllcache\mscms.dll

2009-04-30 14:37 . 2009-02-20 08:10 666112 -c----w c:\windows\system32\dllcache\wininet.dll

2009-04-30 14:37 . 2009-02-20 08:10 619520 -c----w c:\windows\system32\dllcache\urlmon.dll

2009-04-30 14:37 . 2009-03-02 23:04 1499136 -c----w c:\windows\system32\dllcache\shdocvw.dll

2009-04-30 14:37 . 2009-02-20 08:11 3068416 -c----w c:\windows\system32\dllcache\mshtml.dll

2009-04-30 14:37 . 2008-10-15 16:34 337408 -c----w c:\windows\system32\dllcache\netapi32.dll

2009-04-30 14:37 . 2009-05-07 20:14 -------- d--h--w c:\windows\$hf_mig$

2009-04-30 14:37 . 2008-12-11 10:57 333952 -c----w c:\windows\system32\dllcache\srv.sys

2009-04-30 14:36 . 2009-04-30 14:36 -------- d-----w c:\windows\system32\Lang

2009-04-30 14:36 . 2009-05-07 22:57 43604 ----a-w c:\windows\system32\nvModes.dat

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-05-09 13:15 . 2009-04-30 14:42 -------- d-----w c:\program files\Roxio

2009-05-07 19:32 . 2009-04-30 14:40 -------- d-----w c:\program files\Java

2009-04-30 21:34 . 2009-04-30 21:34 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_Apfiltr_01005.Wdf

2009-04-30 21:34 . 2009-04-30 21:34 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf

2009-04-30 21:34 . 2009-04-30 21:34 -------- d-----w c:\program files\DellTPad

2009-04-30 17:30 . 2009-04-30 17:30 4080 ----a-w c:\windows\system32\drivers\1028_Dell_VOS_2510.mrk

2009-04-30 14:45 . 2009-05-07 17:55 12328 ----a-w c:\documents and settings\Bunny Mendelbaum\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-04-30 14:42 . 2009-04-30 14:42 -------- d-----w c:\program files\Sonic

2009-04-30 14:42 . 2009-04-30 14:42 -------- d-----w c:\program files\Common Files\Sonic Shared

2009-04-30 14:42 . 2009-04-30 14:42 -------- d-----w c:\program files\Common Files\SureThing Shared

2009-04-30 14:42 . 2009-04-30 14:42 -------- d-----w c:\program files\Common Files\Roxio Shared

2009-04-30 14:42 . 2009-04-30 14:42 -------- d-----w c:\program files\Common Files\Adobe AIR

2009-04-30 14:41 . 2009-04-30 14:40 -------- d-----w c:\program files\Dell

2009-04-30 14:40 . 2009-04-30 14:40 410984 ----a-w c:\windows\system32\deploytk.dll

2009-04-30 14:39 . 2009-04-30 14:39 -------- d-----w c:\program files\Windows Desktop Search

2009-04-30 14:37 . 2008-04-25 21:28 87263 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat

2009-03-06 14:22 . 2008-04-25 16:16 284160 ----a-w c:\windows\system32\pdh.dll

2009-02-20 08:10 . 2008-04-25 16:16 666112 ----a-w c:\windows\system32\wininet.dll

2009-02-20 08:10 . 2008-04-25 16:16 81920 ----a-w c:\windows\system32\ieencode.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

"Google Update"="c:\documents and settings\Bunny Mendelbaum\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-05-07 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-02-21 159744]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-07-07 13537280]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-07-07 86016]

"OEM13Mon.exe"="c:\windows\OEM13Mon.exe" [2008-07-16 36864]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-30 136600]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-12-17 2289664]

"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]

"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2008-05-07 1245184]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]

"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]

"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2008-07-07 16862720]

"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-07-07 1630208]

"NVHotkey"="nvHotkey.dll" - c:\windows\system32\nvhotkey.dll [2008-07-07 90112]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2009-5-7 25214]

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Adobe\\Acrobat.com\\Acrobat.com.exe"=

R2 SeaPort;SeaPort;c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [12/4/2008 5:03 PM 226640]

R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [4/30/2009 1:30 PM 51288]

R3 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [4/30/2009 1:30 PM 43608]

R3 OEM13Afx;Provides a software interface to control audio effects of OEM013 camera.;c:\windows\system32\drivers\OEM13Afx.sys [4/30/2009 1:30 PM 141376]

R3 OEM13Vfx;Creative Camera OEM013 Video VFX Driver;c:\windows\system32\drivers\OEM13Vfx.sys [4/30/2009 1:30 PM 7424]

R3 OEM13Vid;Creative Camera OEM013 Driver;c:\windows\system32\drivers\OEM13Vid.sys [4/30/2009 1:30 PM 235840]

S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 7:01 AM 2799808]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e2906a96-3cf1-11de-ad89-0024e89b8fbc}]

\Shell\AutoRun\command - e:\wd_windows_tools\Setup.exe

.

Contents of the 'Scheduled Tasks' folder

2009-05-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2503768344-879035454-3273783330-1006.job

- c:\documents and settings\Bunny Mendelbaum\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-07 22:45]

.

.

------- Supplementary Scan -------

.

mStart Page = hxxp://www.dell.com

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-05-13 07:36

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\docume~1\BUNNYM~1\LOCALS~1\Temp\GUR4.tmp 0 bytes

scan completed successfully

hidden files: 1

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(948)

c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(1536)

c:\program files\Windows Desktop Search\deskbar.dll

c:\program files\Windows Desktop Search\en-us\dbres.dll.mui

c:\program files\Windows Desktop Search\dbres.dll

c:\program files\Windows Desktop Search\wordwheel.dll

c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui

c:\program files\Windows Desktop Search\msnlExtRes.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\WLTRYSVC.EXE

c:\windows\system32\BCMWLTRY.EXE

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\drivers\o2flash.exe

c:\windows\system32\searchindexer.exe

c:\windows\system32\rundll32.exe

c:\windows\system32\rundll32.exe

c:\program files\DellTPad\ApMsgFwd.exe

c:\program files\DellTPad\ApntEx.exe

c:\program files\DellTPad\hidfind.exe

c:\program files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe

.

**************************************************************************

.

Completion time: 2009-05-13 7:38 - machine was rebooted

ComboFix-quarantined-files.txt 2009-05-13 11:38

Pre-Run: 304,170,119,168 bytes free

Post-Run: 304,207,663,104 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

246 --- E O F --- 2009-05-10 01:18


  • Staff

Hi,

This looks OK again.

Normally you should be able to update Malwarebytes again, so please do this first, because Malwarebytes detects the malware as well.

From what I understand, it's your site that is getting infected with it every time?

What webhost do you use? Because this is actually most probably a security issue on the server. For example, users of IX Webhosting and GoDaddy may encounter this.

I've blogged about this infection and IX Webhosting compromise a couple of months ago. See here:

The infection you were dealing with and how it is spread: http://miekiemoes.blogspot.com/2008/10/fak...archengine.html

And IX Webhosting: http://miekiemoes.blogspot.com/2009/01/ix-...g-reliable.html

What I suggest in your case is to use Firefox with the NoScript extension, and update all your programs, such as Adobe Reader, Flash etc., as it may be spread through them as well.

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.


I'm replying from my 'real' job, so I'll do the steps above on my laptop at home.

The site that was infected is hosted on Lunarpages, but we are in the process of transferring to nexcess.net. Lunarpages was infected, and I think that when I transferred the files to nexcess it got infected too. I haven't completed the switch yet, but it seems like since I re-uploaded and changed all the passwords that it hasn't come back. I would bet that both of those hosts are pretty cheap ones, but because this company makes computer products for the blind, we have to keep the overhead pretty low (so I went with a cheap host).

From what I could gather, the gumblar.cn virus inserted a bad script into all of my HTML and PHP files. I think it got my password either from Dreamweaver or FileZilla. I use Dreamweaver to upload and my boss uses FileZilla. I've asked him to stop using FileZilla altogether because I read that it was most likely the culprit. Now I upload files directly through the control panel in a web browser or an Explorer window. Do you know if either of those (or something else) is the safest way to upload files?

Thanks so much again and I'll update later.

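Nikki's post above describes the pattern that makes this infection hard to clean: a script tag is written into every HTML and PHP file, and after re-uploading clean copies it comes back. The quickest way to know whether that has happened again is to keep a hash baseline of the site taken from a known-clean copy and diff the live tree against it, and to list every `<script src=...>` that pulls from a host you did not put there. The example below is added here and is not from the thread or from any tool named in it; the site files, the `injected.example` host and the stray `x9.php` are constructed placeholders, and `touchgraphics.com` is used as the allowlisted host only because it is the site named in the first post.

```python
import hashlib
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# File types that carry markup or code on a typical small PHP site.
WEB_SUFFIXES = {".html", ".htm", ".php", ".js"}

# Matches the src attribute of a <script> tag, quoted or not.
SCRIPT_SRC_RE = re.compile(r"<script\b[^>]*\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.I)


def _web_files(root):
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in WEB_SUFFIXES:
            yield path


def build_baseline(root):
    """Map each web file (path relative to root, POSIX form) to its SHA-256.

    Take this from a clean copy and store it off the server (e.g. as JSON);
    a baseline kept on the compromised host can be edited along with the site.
    """
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in _web_files(root)
    }


def compare_to_baseline(root, baseline):
    """Report files modified, added or missing since the baseline was taken."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def foreign_script_hosts(root, allowed_hosts):
    """List (file, host) for each <script src> that loads from a host outside the allowlist.

    Relative sources (/js/app.js) have no host and are never reported.
    """
    root = Path(root)
    hits = []
    for path in _web_files(root):
        for src in SCRIPT_SRC_RE.findall(path.read_text(errors="replace")):
            host = urlparse(src).hostname
            if host and host not in allowed_hosts:
                hits.append((path.relative_to(root).as_posix(), host))
    return hits


def demo():
    """Constructed scenario: clean two-page site, baseline, then a simulated injection."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "js").mkdir()
        (root / "js" / "app.js").write_text("console.log('site');\n")
        (root / "index.html").write_text(
            '<html><body><script src="/js/app.js"></script></body></html>\n')
        (root / "contact.php").write_text("<?php echo 'contact'; ?>\n")
        baseline = build_baseline(root)

        # Simulated compromise (constructed, not the real payload): a script tag
        # pointing at an unknown host is appended and an unexpected PHP file appears.
        with (root / "index.html").open("a") as fh:
            fh.write('<script src="http://injected.example/x.js"></script>\n')
        (root / "x9.php").write_text("<?php /* unexpected file */ ?>\n")

        changes = compare_to_baseline(root, baseline)
        foreign = foreign_script_hosts(root, allowed_hosts={"touchgraphics.com"})
        return changes, foreign


if __name__ == "__main__":
    changes, foreign = demo()
    print("changed since baseline:", changes)
    print("script loaded from unexpected hosts:", foreign)
```

In practice `build_baseline` is run once against the clean copy you upload, and `compare_to_baseline` plus `foreign_script_hosts` are run on a download of the live site whenever you want to check it; a non-empty `modified` or `added` list tells you the server-side hole (outdated application, host compromise, as the staff reply notes) is still open regardless of which upload client was used.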

  • Staff

Hi,

Afaik, it just got in because of a vulnerability in one of the scripts you're using (for example outdated Joomla, other PHP applications, etc.) and got "root access" because of that, or because of a vulnerability on the host itself... cheaper hosts, outdated applications, insecure servers...

It has nothing to do with the FTP program you're using though, so really don't worry about that. :)

I don't know if you understand French, but here's another excellent article about the malware in detail: http://mad.internetpol.fr/archives/44-Daon...-Superstar.html

As you'll see, the infection also targets me and blocks everything with my name in it :(


  • Staff

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
