
Internet Connection Problems



I have been trying to fix my in-law's computer, but to no avail. After about 5-10 min they're not able to browse anymore unless you restart the computer. I have contacted the ISP, but there is nothing wrong with the DSL modem. When I could not browse on the desktop computer, at the same time I connected my laptop to another port on the modem and was able to browse. So I disconnected the ethernet cord from the back of the desktop computer and plugged it back in and I was able to browse. So I figured the ethernet port on the computer is going bad. So I installed a wireless adapter to the USB port and the same thing happened. I was able to browse, but after a little while I could not browse. I ran Malwarebytes and ComboFix and have logs. Malwarebytes does not delete the files upon reboot. So I ran ComboFix. After ComboFix, I did another quick scan with Malwarebytes, but it still does not delete the files it finds after a reboot. What else do I need to do to fix this issue? Thanks in Advance!!! Here are the logs:

Malwarebytes' Anti-Malware 1.36

Database version: 2118

Windows 5.1.2600 Service Pack 3

5/12/2009 5:35:54 PM

mbam-log-2009-05-12 (17-35-54).txt

Scan type: Quick Scan

Objects scanned: 83070

Time elapsed: 5 minute(s), 5 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 3

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a6060dae-068a-4d56-8cf3-71fa5529fece} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\lzzdxord (Trojan.Vundo.H) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{a6060dae-068a-4d56-8cf3-71fa5529fece} (Trojan.Vundo.H) -> Delete on reboot.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\system32\qykdttu.dll (Trojan.Vundo.H) -> Delete on reboot.

------------------------------------------------------------------------------------------------------------------------------------------------

ComboFix 09-05-12.04 - Owner 05/12/2009 17:10.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.893.473 [GMT -5:00]

Running from: c:\documents and settings\Owner\Desktop\earthday.exe

AV: Trend Micro AntiVirus *On-access scanning disabled* (Updated)

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

D:\Autorun.inf

.

((((((((((((((((((((((((( Files Created from 2009-04-12 to 2009-05-12 )))))))))))))))))))))))))))))))

.

2009-05-10 23:17 . 2009-05-12 21:56 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2009-05-10 23:17 . 2009-05-12 21:56 -------- d-----w c:\program files\SpywareBlaster

2009-05-10 21:59 . 2009-05-10 22:00 8 ----a-w C:\settings.dat

2009-05-10 20:42 . 2009-05-10 20:42 -------- d-----w c:\documents and settings\All Users\Application Data\HP Product Assistant

2009-04-20 17:19 . 2009-04-20 17:19 -------- d-sh--w c:\documents and settings\Owner\IECompatCache

2009-04-20 17:17 . 2009-04-20 17:17 -------- d-sh--w c:\documents and settings\Owner\PrivacIE

2009-04-20 17:16 . 2009-04-20 17:16 -------- d-sh--w c:\documents and settings\NetworkService\IETldCache

2009-04-20 17:13 . 2009-04-20 17:13 -------- d-sh--w c:\documents and settings\Owner\IETldCache

2009-04-20 17:11 . 2009-04-20 17:11 -------- d-----w c:\windows\ie8updates

2009-04-20 17:10 . 2009-04-20 17:10 -------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!

2009-04-20 17:07 . 2009-04-20 17:08 -------- dc-h--w c:\windows\ie8

2009-04-20 17:07 . 2009-04-20 17:11 -------- d--h--w c:\windows\msdownld.tmp

2009-04-20 17:04 . 2009-02-28 04:55 105984 -c----w c:\windows\system32\dllcache\iecompat.dll

2009-04-20 15:45 . 2009-04-20 15:45 -------- d-----w c:\documents and settings\All Users\Application Data\Motive

2009-04-20 15:45 . 2005-07-12 07:28 6048 ----a-w c:\windows\system32\MCC16.dll

2009-04-20 15:45 . 2005-07-12 07:28 69632 ----a-w c:\windows\system32\MCCDevice.dll

2009-04-20 15:45 . 2009-04-20 15:45 -------- d-----w c:\program files\Common Files\Motive

2009-04-20 15:45 . 2009-04-20 15:45 -------- d-----w c:\program files\ATT

2009-04-19 21:30 . 2009-04-19 21:30 -------- d-----w c:\documents and settings\Owner\Application Data\pmwppcbk

2009-04-19 21:30 . 2009-04-19 21:30 -------- d-----w c:\documents and settings\Owner\Local Settings\Application Data\pmwppcbk

2009-04-19 21:28 . 2009-04-19 21:28 -------- d-----w c:\documents and settings\NetworkService\Application Data\pmwppcbk

2009-04-19 21:28 . 2009-04-19 21:28 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\pmwppcbk

2009-04-19 21:28 . 2009-04-20 15:16 10752 ----a-w c:\windows\DCEBoot.exe

2009-04-16 16:16 . 2009-04-16 16:16 -------- d-----w c:\documents and settings\Owner\Local Settings\Application Data\{339B899D-1382-4419-BF98-F9A7FFE09B90}

2009-04-16 02:02 . 2009-04-16 02:02 213120 -c--a-w c:\windows\system32\dllcache\ndis.sys

2009-04-15 15:42 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll

2009-04-15 15:42 . 2009-02-06 10:39 35328 -c----w c:\windows\system32\dllcache\sc.exe

2009-04-15 15:42 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll

2009-04-15 15:42 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe

2009-04-15 15:42 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll

2009-04-15 15:42 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe

2009-04-15 15:42 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll

2009-04-15 15:42 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll

2009-04-15 15:42 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll

2009-04-15 15:42 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll

2009-04-15 15:38 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll

2009-04-15 15:38 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-04-20 17:38 . 2009-01-05 19:29 -------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-04-20 17:32 . 2006-08-19 07:58 -------- d-----w c:\program files\Gateway Games

2009-04-20 17:29 . 2006-08-19 08:02 -------- d-----w c:\program files\Napster

2009-04-20 17:23 . 2006-08-19 08:04 -------- d-----w c:\program files\BigFix

2009-04-20 17:10 . 2008-01-12 23:26 -------- d-----w c:\program files\Yahoo!

2009-04-16 02:02 . 2006-06-17 09:23 213120 ----a-w c:\windows\system32\drivers\ndis.sys

2009-04-06 20:32 . 2009-01-05 19:29 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-04-06 20:32 . 2009-01-05 19:29 15504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-04-02 23:08 . 2009-01-01 02:39 50192 ----a-w c:\windows\system32\drivers\tmactmon.sys

2009-04-02 23:08 . 2009-01-01 02:39 50192 ----a-w c:\windows\system32\drivers\tmevtmgr.sys

2009-04-02 23:08 . 2009-01-01 02:39 153104 ----a-w c:\windows\system32\drivers\tmcomm.sys

2009-03-08 09:34 . 2006-06-17 09:23 914944 ----a-w c:\windows\system32\wininet.dll

2009-03-08 09:34 . 2006-06-17 09:23 43008 ----a-w c:\windows\system32\licmgr10.dll

2009-03-08 09:33 . 2006-06-17 09:23 18944 ----a-w c:\windows\system32\corpol.dll

2009-03-08 09:33 . 2006-06-17 09:23 420352 ----a-w c:\windows\system32\vbscript.dll

2009-03-08 09:32 . 2006-06-17 09:23 72704 ----a-w c:\windows\system32\admparse.dll

2009-03-08 09:32 . 2006-06-17 09:23 71680 ----a-w c:\windows\system32\iesetup.dll

2009-03-08 09:31 . 2006-06-17 09:23 34816 ----a-w c:\windows\system32\imgutil.dll

2009-03-08 09:31 . 2006-06-17 09:23 48128 ----a-w c:\windows\system32\mshtmler.dll

2009-03-08 09:31 . 2006-06-17 09:23 45568 ----a-w c:\windows\system32\mshta.exe

2009-03-08 09:22 . 2006-06-17 09:23 156160 ----a-w c:\windows\system32\msls31.dll

2009-03-06 14:22 . 2006-06-17 09:23 284160 ----a-w c:\windows\system32\pdh.dll

2009-03-06 02:17 . 2009-01-01 02:45 36368 ----a-w c:\windows\system32\drivers\tmpreflt.sys

2009-03-06 02:17 . 2009-01-01 02:45 205328 ----a-w c:\windows\system32\drivers\tmxpflt.sys

2009-03-06 02:17 . 2009-01-01 02:45 1195512 ----a-w c:\windows\system32\drivers\vsapint.sys

2009-03-03 23:12 . 2008-07-30 16:59 80400 ----a-w c:\windows\system32\drivers\tmtdi.sys

.

------- Sigcheck -------

[-] 2004-08-10 19:00 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\$NtServicePackUninstall$\ndis.sys

[7] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\ServicePackFiles\i386\ndis.sys

[-] 2009-04-16 02:02 213120 5DE5E1B16E2A2EADA03ECE536EE8D721 c:\windows\system32\dllcache\ndis.sys

[-] 2009-04-16 02:02 213120 5DE5E1B16E2A2EADA03ECE536EE8D721 c:\windows\system32\drivers\ndis.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A6060DAE-068A-4D56-8CF3-71FA5529FECE}]

2004-08-10 19:00 103424 ----a-w c:\windows\system32\qykdttu.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-15 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]

"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-10 139264]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]

"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-04-01 995528]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-08-19 98304]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-04-17 16143872]

"CHotkey"="zHotkey.exe" - c:\windows\zHotkey.exe [2004-12-09 550912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\lzzdxord]

2004-08-10 19:00 103424 ----a-w c:\windows\system32\qykdttu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\ehome\\ehtray.exe"=

"c:\\Program Files\\Digital Media Reader\\readericon45G.exe"=

R0 lneddqdi;lneddqdi;c:\windows\system32\drivers\lneddqdi.sys [6/17/2006 4:23 AM 23424]

R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [12/31/2008 9:39 PM 50192]

R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [12/31/2008 9:45 PM 36368]

R2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [12/31/2008 9:39 PM 677128]

R2 YahooAUService;Yahoo! Updater;c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe [11/9/2008 3:48 PM 602392]

S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [8/19/2006 2:50 AM 29744]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

wejnocdg

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dd6dd551-2f55-11db-b3c1-806d6172696f}]

\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]

c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12

.

Contents of the 'Scheduled Tasks' folder

2009-05-07 c:\windows\Tasks\At1.job

- c:\windows\system32\qykdttu.dll [2006-06-17 19:00]

2009-05-12 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-17 14:55]

2006-11-25 c:\windows\Tasks\ISP signup reminder 1.job

- c:\windows\system32\OOBE\oobebaln.exe [2006-06-17 00:12]

2006-11-25 c:\windows\Tasks\ISP signup reminder 2.job

- c:\windows\system32\OOBE\oobebaln.exe [2006-06-17 00:12]

2006-11-25 c:\windows\Tasks\ISP signup reminder 3.job

- c:\windows\system32\OOBE\oobebaln.exe [2006-06-17 00:12]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\yov1zt5d.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava11.dll

FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava12.dll

FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava13.dll

FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava14.dll

FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava32.dll

FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll

FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPOJI610.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-05-12 17:16

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(552)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2984)

c:\windows\system32\ieframe.dll

c:\windows\system32\OneX.DLL

c:\windows\system32\eappprxy.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\windows\system32\ati2evxx.exe

c:\program files\Trend Micro\BM\TMBMSRV.exe

c:\windows\ehome\ehrecvr.exe

c:\windows\ehome\ehSched.exe

c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

c:\program files\Trend Micro\Internet Security\SfCtlCom.exe

c:\windows\ehome\mcrdsvc.exe

c:\windows\system32\dllhost.exe

c:\windows\system32\wscntfy.exe

c:\windows\ehome\ehmsas.exe

c:\program files\HP\Digital Imaging\bin\hpqimzone.exe

c:\program files\HP\Digital Imaging\bin\hpqste08.exe

.

**************************************************************************

.

Completion time: 2009-05-12 17:19 - machine was rebooted

ComboFix-quarantined-files.txt 2009-05-12 22:19

Pre-Run: 178,843,172,864 bytes free

Post-Run: 178,767,695,872 bytes free

223 --- E O F --- 2009-05-11 01:39


  • Staff

Hi,

Your problem may be caused by three possibilities:

1st, the malware you are dealing with; 2nd, the ndis.sys file, which appears to be infected; and 3rd, your Trend Micro Internet Security.

Anyway, what I FIRST suggest/strongly recommend is this: please run ComboFix again, but let it install the Recovery Console.

I cannot stress how important this is.

Then let it proceed with the scan and post the new log in your next reply. Then we'll start from there.


I will do this ASAP. Please, do not close this topic. The computer is at my in-law's house so it might be a couple of days until I am able to reply to your instructions. Thank you, once again!


Also, I did press yes to install the recovery console, but I guess it did not do it. I noticed that ComboFix has to access the web to do it, so I guess during that time was when my internet was not accessible.


Here are my latest logs. I manually installed the Recovery Console and re-ran ComboFix, then rebooted, then re-scanned with Malwarebytes, then rebooted and re-scanned with Malwarebytes again after the deletion on reboot:

ComboFix 09-05-11.08 - Owner 05/15/2009 16:35.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.893.449 [GMT -5:00]

Running from: c:\documents and settings\Owner\Desktop\earthday.exe

Command switches used :: c:\documents and settings\Owner\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

AV: Trend Micro AntiVirus *On-access scanning disabled* (Updated)

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((( Files Created from 2009-04-15 to 2009-05-15 )))))))))))))))))))))))))))))))

.

2009-05-12 23:54 . 2009-05-12 23:54 -------- d-sh--w c:\documents and settings\LocalService\IETldCache

2009-05-12 23:50 . 2009-05-12 23:50 20747 ----a-w c:\windows\system32\drivers\AegisP.sys

2009-05-12 23:50 . 2005-11-25 00:51 245248 ----a-w c:\windows\system32\rt73.sys

2009-05-12 23:50 . 2003-10-13 20:30 94208 ----a-w c:\windows\system32\GTW32N50.dll

2009-05-12 23:50 . 2003-09-26 03:15 15872 ----a-w c:\windows\system32\GTNDIS5.sys

2009-05-12 23:50 . 2005-11-25 00:51 245248 ----a-w c:\windows\system32\drivers\rt73.sys

2009-05-12 23:50 . 2005-02-01 23:18 17992 ----a-w c:\windows\bcm42rly.sys

2009-05-12 23:50 . 2005-02-01 23:18 17992 ----a-w c:\windows\system32\drivers\bcm42rly.sys

2009-05-12 23:50 . 2005-02-01 23:18 17992 ----a-w c:\windows\system32\bcm42rly.sys

2009-05-12 23:50 . 2005-11-03 22:41 32768 ----a-w c:\windows\system32\GTGina.dll

2009-05-12 23:50 . 2009-05-12 23:50 -------- d-----w c:\program files\Compact Wireless-G USB Adapter Wireless Network Monitor

2009-05-12 23:49 . 2009-05-12 23:49 -------- d-----w C:\Linksys Driver

2009-05-10 23:17 . 2009-05-12 21:56 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2009-05-10 23:17 . 2009-05-12 21:56 -------- d-----w c:\program files\SpywareBlaster

2009-05-10 21:59 . 2009-05-10 22:00 8 ----a-w C:\settings.dat

2009-05-10 20:42 . 2009-05-10 20:42 -------- d-----w c:\documents and settings\All Users\Application Data\HP Product Assistant

2009-04-20 17:19 . 2009-04-20 17:19 -------- d-sh--w c:\documents and settings\Owner\IECompatCache

2009-04-20 17:17 . 2009-04-20 17:17 -------- d-sh--w c:\documents and settings\Owner\PrivacIE

2009-04-20 17:16 . 2009-04-20 17:16 -------- d-sh--w c:\documents and settings\NetworkService\IETldCache

2009-04-20 17:13 . 2009-04-20 17:13 -------- d-sh--w c:\documents and settings\Owner\IETldCache

2009-04-20 17:11 . 2009-04-20 17:11 -------- d-----w c:\windows\ie8updates

2009-04-20 17:10 . 2009-04-20 17:10 -------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!

2009-04-20 17:07 . 2009-04-20 17:08 -------- dc-h--w c:\windows\ie8

2009-04-20 17:07 . 2009-04-20 17:11 -------- d--h--w c:\windows\msdownld.tmp

2009-04-20 17:04 . 2009-02-28 04:55 105984 -c----w c:\windows\system32\dllcache\iecompat.dll

2009-04-20 15:45 . 2009-04-20 15:45 -------- d-----w c:\documents and settings\All Users\Application Data\Motive

2009-04-20 15:45 . 2005-07-12 07:28 6048 ----a-w c:\windows\system32\MCC16.dll

2009-04-20 15:45 . 2005-07-12 07:28 69632 ----a-w c:\windows\system32\MCCDevice.dll

2009-04-20 15:45 . 2009-04-20 15:45 -------- d-----w c:\program files\Common Files\Motive

2009-04-20 15:45 . 2009-04-20 15:45 -------- d-----w c:\program files\ATT

2009-04-19 21:30 . 2009-04-19 21:30 -------- d-----w c:\documents and settings\Owner\Application Data\pmwppcbk

2009-04-19 21:30 . 2009-04-19 21:30 -------- d-----w c:\documents and settings\Owner\Local Settings\Application Data\pmwppcbk

2009-04-19 21:28 . 2009-04-19 21:28 -------- d-----w c:\documents and settings\NetworkService\Application Data\pmwppcbk

2009-04-19 21:28 . 2009-04-19 21:28 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\pmwppcbk

2009-04-19 21:28 . 2009-04-20 15:16 10752 ----a-w c:\windows\DCEBoot.exe

2009-04-16 16:16 . 2009-04-16 16:16 -------- d-----w c:\documents and settings\Owner\Local Settings\Application Data\{339B899D-1382-4419-BF98-F9A7FFE09B90}

2009-04-16 02:02 . 2009-04-16 02:02 213120 -c--a-w c:\windows\system32\dllcache\ndis.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-05-12 23:50 . 2006-08-19 07:51 -------- d--h--w c:\program files\InstallShield Installation Information

2009-04-20 17:38 . 2009-01-05 19:29 -------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-04-20 17:32 . 2006-08-19 07:58 -------- d-----w c:\program files\Gateway Games

2009-04-20 17:29 . 2006-08-19 08:02 -------- d-----w c:\program files\Napster

2009-04-20 17:23 . 2006-08-19 08:04 -------- d-----w c:\program files\BigFix

2009-04-20 17:10 . 2008-01-12 23:26 -------- d-----w c:\program files\Yahoo!

2009-04-16 02:02 . 2006-06-17 09:23 213120 ----a-w c:\windows\system32\drivers\ndis.sys

2009-04-06 20:32 . 2009-01-05 19:29 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-04-06 20:32 . 2009-01-05 19:29 15504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-04-02 23:08 . 2009-01-01 02:39 50192 ----a-w c:\windows\system32\drivers\tmactmon.sys

2009-04-02 23:08 . 2009-01-01 02:39 50192 ----a-w c:\windows\system32\drivers\tmevtmgr.sys

2009-04-02 23:08 . 2009-01-01 02:39 153104 ----a-w c:\windows\system32\drivers\tmcomm.sys

2009-03-08 09:34 . 2006-06-17 09:23 914944 ----a-w c:\windows\system32\wininet.dll

2009-03-08 09:34 . 2006-06-17 09:23 43008 ----a-w c:\windows\system32\licmgr10.dll

2009-03-08 09:33 . 2006-06-17 09:23 18944 ----a-w c:\windows\system32\corpol.dll

2009-03-08 09:33 . 2006-06-17 09:23 420352 ----a-w c:\windows\system32\vbscript.dll

2009-03-08 09:32 . 2006-06-17 09:23 72704 ----a-w c:\windows\system32\admparse.dll

2009-03-08 09:32 . 2006-06-17 09:23 71680 ----a-w c:\windows\system32\iesetup.dll

2009-03-08 09:31 . 2006-06-17 09:23 34816 ----a-w c:\windows\system32\imgutil.dll

2009-03-08 09:31 . 2006-06-17 09:23 48128 ----a-w c:\windows\system32\mshtmler.dll

2009-03-08 09:31 . 2006-06-17 09:23 45568 ----a-w c:\windows\system32\mshta.exe

2009-03-08 09:22 . 2006-06-17 09:23 156160 ----a-w c:\windows\system32\msls31.dll

2009-03-06 14:22 . 2006-06-17 09:23 284160 ----a-w c:\windows\system32\pdh.dll

2009-03-06 02:17 . 2009-01-01 02:45 36368 ----a-w c:\windows\system32\drivers\tmpreflt.sys

2009-03-06 02:17 . 2009-01-01 02:45 205328 ----a-w c:\windows\system32\drivers\tmxpflt.sys

2009-03-06 02:17 . 2009-01-01 02:45 1195512 ----a-w c:\windows\system32\drivers\vsapint.sys

2009-03-03 23:12 . 2008-07-30 16:59 80400 ----a-w c:\windows\system32\drivers\tmtdi.sys

.

------- Sigcheck -------

[-] 2004-08-10 19:00 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\$NtServicePackUninstall$\ndis.sys

[7] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\ServicePackFiles\i386\ndis.sys

[-] 2009-04-16 02:02 213120 5DE5E1B16E2A2EADA03ECE536EE8D721 c:\windows\system32\dllcache\ndis.sys

[-] 2009-04-16 02:02 213120 5DE5E1B16E2A2EADA03ECE536EE8D721 c:\windows\system32\drivers\ndis.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A6060DAE-068A-4D56-8CF3-71FA5529FECE}]

2004-08-10 19:00 103424 ----a-w c:\windows\system32\qykdttu.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-15 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]

"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-10 139264]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]

"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-04-01 995528]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-08-19 98304]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-04-17 16143872]

"CHotkey"="zHotkey.exe" - c:\windows\zHotkey.exe [2004-12-09 550912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\lzzdxord]

2004-08-10 19:00 103424 ----a-w c:\windows\system32\qykdttu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\ehome\\ehtray.exe"=

"c:\\Program Files\\Digital Media Reader\\readericon45G.exe"=

R0 lneddqdi;lneddqdi;c:\windows\system32\drivers\lneddqdi.sys [6/17/2006 4:23 AM 23424]

R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [12/31/2008 9:39 PM 50192]

R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [12/31/2008 9:45 PM 36368]

R2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [12/31/2008 9:39 PM 677128]

R2 YahooAUService;Yahoo! Updater;c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe [11/9/2008 3:48 PM 602392]

S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [8/19/2006 2:50 AM 29744]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

wejnocdg

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dd6dd551-2f55-11db-b3c1-806d6172696f}]

\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]

c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12

.

Contents of the 'Scheduled Tasks' folder

2009-05-07 c:\windows\Tasks\At1.job

- c:\windows\system32\qykdttu.dll [2006-06-17 19:00]

2009-05-15 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-17 14:55]

2006-11-25 c:\windows\Tasks\ISP signup reminder 1.job

- c:\windows\system32\OOBE\oobebaln.exe [2006-06-17 00:12]

2006-11-25 c:\windows\Tasks\ISP signup reminder 2.job

- c:\windows\system32\OOBE\oobebaln.exe [2006-06-17 00:12]

2006-11-25 c:\windows\Tasks\ISP signup reminder 3.job

- c:\windows\system32\OOBE\oobebaln.exe [2006-06-17 00:12]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\yov1zt5d.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava11.dll

FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava12.dll

FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava13.dll

FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava14.dll

FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava32.dll

FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll

FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPOJI610.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-05-15 16:38

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(548)

c:\windows\system32\GTGina.dll

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2444)

c:\windows\system32\ieframe.dll

c:\windows\system32\OneX.DLL

c:\windows\system32\eappprxy.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2009-05-15 16:40

ComboFix-quarantined-files.txt 2009-05-15 21:40

ComboFix2.txt 2009-05-12 22:19

Pre-Run: 178,616,803,328 bytes free

Post-Run: 178,614,022,144 bytes free

206 --- E O F --- 2009-05-11 01:39

-------------------------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.36

Database version: 2138

Windows 5.1.2600 Service Pack 3

5/15/2009 4:58:07 PM

mbam-log-2009-05-15 (16-58-07).txt

Scan type: Quick Scan

Objects scanned: 83846

Time elapsed: 7 minute(s), 6 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 4

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a6060dae-068a-4d56-8cf3-71fa5529fece} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\lzzdxord (Trojan.Vundo.H) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{a6060dae-068a-4d56-8cf3-71fa5529fece} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lneddqdi (Rootkit.Sentinel) -> Delete on reboot.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\system32\qykdttu.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\drivers\lneddqdi.sys (Rootkit.Sentinel) -> Delete on reboot.

--------------------------------------------------------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.36

Database version: 2138

Windows 5.1.2600 Service Pack 3

5/15/2009 5:08:31 PM

mbam-log-2009-05-15 (17-08-31).txt

Scan type: Quick Scan

Objects scanned: 84409

Time elapsed: 4 minute(s), 28 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

----------------------------------------------------------------------------------------

Everything seems to be deleted after reboot. I'll continue to test my online time to see if the problem persists. By looking at my logs, is there anything else that I need to do? Thanks in Advance!!!

Hi,

According to the Combofix log, the Recovery console was not installed, so can you run Combofix once more please?

I followed your instructions for a manual install of the recovery console. They have XP Media Center installed, so according to your instructions I should download XP Pro SP2. I dragged the icon onto ComboFix. After the dialog, "Attempt to create a new System Restore Point," an error message popped up saying, "Boot Partition cannot be enumerated correctly." Then ComboFix continued with the scanning for malware. I should've mentioned this before, sorry. I'll run ComboFix again right now, and post my log results in my next reply.

  • Staff

Ok, do the following..

* Open notepad - don't use any other text editor than notepad or the script will fail.

Copy/paste the text in the quotebox below into notepad:

FCOPY::

c:\windows\ServicePackFiles\i386\ndis.sys | c:\windows\system32\drivers\ndis.sys

Please make sure Fcopy:: on top is included!!!

Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScript.gif]

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

We'll see how your Windows behaves after the above steps. There's already a lot of damage anyway that we cannot fix anymore, so it will be a matter of keeping fingers crossed. Normally, in your case, people would format and reinstall Windows.

F.Y.I., yesterday the Microsoft Windows Malicious Software Removal Tool detected this ndis.sys file as infected and supposedly cleaned it. Well, I followed your instructions and dragged the CFScript file onto ComboFix. When it got to the installation of the Recovery Console that error message popped up again, but I still continued with the malware scan this time. It did not ask to reboot and here are the results:

ComboFix 09-05-15.08 - Owner 05/17/2009 10:01.3 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.893.488 [GMT -5:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt

AV: Trend Micro AntiVirus *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\ndis.sys --> c:\windows\system32\drivers\ndis.sys

.

((((((((((((((((((((((((( Files Created from 2009-04-17 to 2009-05-17 )))))))))))))))))))))))))))))))

.

2009-05-15 22:22 . 2009-05-15 22:22 -------- d-----w C:\earthday

2009-05-12 23:54 . 2009-05-12 23:54 -------- d-sh--w c:\documents and settings\LocalService\IETldCache

2009-05-12 23:50 . 2003-10-13 20:30 94208 ----a-w c:\windows\system32\GTW32N50.dll

2009-05-12 23:50 . 2003-09-26 03:15 15872 ----a-w c:\windows\system32\GTNDIS5.sys

2009-05-12 23:50 . 2005-11-25 00:51 245248 ----a-w c:\windows\system32\drivers\rt73.sys

2009-05-12 23:50 . 2005-02-01 23:18 17992 ----a-w c:\windows\bcm42rly.sys

2009-05-12 23:50 . 2005-02-01 23:18 17992 ----a-w c:\windows\system32\drivers\bcm42rly.sys

2009-05-12 23:50 . 2005-02-01 23:18 17992 ----a-w c:\windows\system32\bcm42rly.sys

2009-05-12 23:50 . 2005-11-03 22:41 32768 ----a-w c:\windows\system32\GTGina.dll

2009-05-12 23:49 . 2009-05-12 23:49 -------- d-----w C:\Linksys Driver

2009-05-10 23:17 . 2009-05-17 14:59 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2009-05-10 23:17 . 2009-05-17 14:55 -------- d-----w c:\program files\SpywareBlaster

2009-05-10 21:59 . 2009-05-10 22:00 8 ----a-w C:\settings.dat

2009-05-10 20:42 . 2009-05-10 20:42 -------- d-----w c:\documents and settings\All Users\Application Data\HP Product Assistant

2009-04-20 17:19 . 2009-04-20 17:19 -------- d-sh--w c:\documents and settings\Owner\IECompatCache

2009-04-20 17:17 . 2009-04-20 17:17 -------- d-sh--w c:\documents and settings\Owner\PrivacIE

2009-04-20 17:16 . 2009-04-20 17:16 -------- d-sh--w c:\documents and settings\NetworkService\IETldCache

2009-04-20 17:13 . 2009-04-20 17:13 -------- d-sh--w c:\documents and settings\Owner\IETldCache

2009-04-20 17:11 . 2009-04-20 17:11 -------- d-----w c:\windows\ie8updates

2009-04-20 17:10 . 2009-04-20 17:10 -------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!

2009-04-20 17:07 . 2009-04-20 17:08 -------- dc-h--w c:\windows\ie8

2009-04-20 17:07 . 2009-04-20 17:11 -------- d--h--w c:\windows\msdownld.tmp

2009-04-20 17:04 . 2009-02-28 04:55 105984 -c----w c:\windows\system32\dllcache\iecompat.dll

2009-04-20 15:45 . 2009-04-20 15:45 -------- d-----w c:\documents and settings\All Users\Application Data\Motive

2009-04-20 15:45 . 2005-07-12 07:28 6048 ----a-w c:\windows\system32\MCC16.dll

2009-04-20 15:45 . 2005-07-12 07:28 69632 ----a-w c:\windows\system32\MCCDevice.dll

2009-04-20 15:45 . 2009-04-20 15:45 -------- d-----w c:\program files\Common Files\Motive

2009-04-20 15:45 . 2009-04-20 15:45 -------- d-----w c:\program files\ATT

2009-04-19 21:30 . 2009-04-19 21:30 -------- d-----w c:\documents and settings\Owner\Application Data\pmwppcbk

2009-04-19 21:30 . 2009-04-19 21:30 -------- d-----w c:\documents and settings\Owner\Local Settings\Application Data\pmwppcbk

2009-04-19 21:28 . 2009-04-19 21:28 -------- d-----w c:\documents and settings\NetworkService\Application Data\pmwppcbk

2009-04-19 21:28 . 2009-04-19 21:28 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\pmwppcbk

2009-04-19 21:28 . 2009-04-20 15:16 10752 ----a-w c:\windows\DCEBoot.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-05-12 23:50 . 2006-08-19 07:51 -------- d--h--w c:\program files\InstallShield Installation Information

2009-04-20 17:38 . 2009-01-05 19:29 -------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-04-20 17:32 . 2006-08-19 07:58 -------- d-----w c:\program files\Gateway Games

2009-04-20 17:29 . 2006-08-19 08:02 -------- d-----w c:\program files\Napster

2009-04-20 17:23 . 2006-08-19 08:04 -------- d-----w c:\program files\BigFix

2009-04-20 17:10 . 2008-01-12 23:26 -------- d-----w c:\program files\Yahoo!

2009-04-06 20:32 . 2009-01-05 19:29 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-04-06 20:32 . 2009-01-05 19:29 15504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-04-02 23:08 . 2009-01-01 02:39 50192 ----a-w c:\windows\system32\drivers\tmactmon.sys

2009-04-02 23:08 . 2009-01-01 02:39 50192 ----a-w c:\windows\system32\drivers\tmevtmgr.sys

2009-04-02 23:08 . 2009-01-01 02:39 153104 ----a-w c:\windows\system32\drivers\tmcomm.sys

2009-03-08 09:34 . 2006-06-17 09:23 914944 ----a-w c:\windows\system32\wininet.dll

2009-03-08 09:34 . 2006-06-17 09:23 43008 ----a-w c:\windows\system32\licmgr10.dll

2009-03-08 09:33 . 2006-06-17 09:23 18944 ----a-w c:\windows\system32\corpol.dll

2009-03-08 09:33 . 2006-06-17 09:23 420352 ----a-w c:\windows\system32\vbscript.dll

2009-03-08 09:32 . 2006-06-17 09:23 72704 ----a-w c:\windows\system32\admparse.dll

2009-03-08 09:32 . 2006-06-17 09:23 71680 ----a-w c:\windows\system32\iesetup.dll

2009-03-08 09:31 . 2006-06-17 09:23 34816 ----a-w c:\windows\system32\imgutil.dll

2009-03-08 09:31 . 2006-06-17 09:23 48128 ----a-w c:\windows\system32\mshtmler.dll

2009-03-08 09:31 . 2006-06-17 09:23 45568 ----a-w c:\windows\system32\mshta.exe

2009-03-08 09:22 . 2006-06-17 09:23 156160 ----a-w c:\windows\system32\msls31.dll

2009-03-06 14:22 . 2006-06-17 09:23 284160 ----a-w c:\windows\system32\pdh.dll

2009-03-06 02:17 . 2009-01-01 02:45 36368 ----a-w c:\windows\system32\drivers\tmpreflt.sys

2009-03-06 02:17 . 2009-01-01 02:45 205328 ----a-w c:\windows\system32\drivers\tmxpflt.sys

2009-03-06 02:17 . 2009-01-01 02:45 1195512 ----a-w c:\windows\system32\drivers\vsapint.sys

2009-03-03 23:12 . 2008-07-30 16:59 80400 ----a-w c:\windows\system32\drivers\tmtdi.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-15 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]

"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-10 139264]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]

"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-04-01 995528]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-04-17 16143872]

"CHotkey"="zHotkey.exe" - c:\windows\zHotkey.exe [2004-12-09 550912]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk

backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\ehome\\ehtray.exe"=

"c:\\Program Files\\Digital Media Reader\\readericon45G.exe"=

R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [12/31/2008 9:39 PM 50192]

R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [12/31/2008 9:45 PM 36368]

R2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [12/31/2008 9:39 PM 677128]

R2 YahooAUService;Yahoo! Updater;c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe [11/9/2008 3:48 PM 602392]

S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [8/19/2006 2:50 AM 29744]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]

c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12

.

Contents of the 'Scheduled Tasks' folder

2009-05-17 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-17 14:55]

2006-11-25 c:\windows\Tasks\ISP signup reminder 1.job

- c:\windows\system32\OOBE\oobebaln.exe [2006-06-17 00:12]

2006-11-25 c:\windows\Tasks\ISP signup reminder 2.job

- c:\windows\system32\OOBE\oobebaln.exe [2006-06-17 00:12]

2006-11-25 c:\windows\Tasks\ISP signup reminder 3.job

- c:\windows\system32\OOBE\oobebaln.exe [2006-06-17 00:12]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\yov1zt5d.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava11.dll

FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava12.dll

FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava13.dll

FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava14.dll

FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava32.dll

FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll

FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPOJI610.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-05-17 10:03

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(548)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1396)

c:\windows\system32\ieframe.dll

c:\windows\system32\OneX.DLL

c:\windows\system32\eappprxy.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2009-05-17 10:05

ComboFix-quarantined-files.txt 2009-05-17 15:05

Pre-Run: 179,109,900,288 bytes free

Post-Run: 179,117,219,840 bytes free

191 --- E O F --- 2009-05-16 17:08

  • Staff

Hi,

This looks OK again.

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.

  • Staff

Glad I could help. :P

Please read my Prevention page with lots of info and tips how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date - because older versions may contain security leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

  • Staff

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
