rootkit activity? please help



Hi,

Here's a little background info:

Initially I found out that my desktop got infected because it was taken over by 'privacy center'. When I looked at the C drive there were also items that never existed before, including isass.exe and purdrh.exe. I tried to do a system restore but it's been disabled. I tried Spybot (which didn't do anything), AVG and Malwarebytes, and finally got rid of privacy center, isass, purdrh and other apparent infections. I also went to the registry and re-enabled system restore. However, AVG continues to find new trojans every time the system restarts, and my friends on MSN noted that I sent out random links when I reply to msgs (I never clicked on any MSN spams and this never happened before 'privacy center' existed on this system).

I don't think the drive is completely clean. My concern is, could there be system modifications by a rootkit and whatnot that went undetected and haven't been gotten rid of? If that's the case, how could I check and get rid of the problem completely?

On a side note, I suspect my desktop got infected from the USB I use for work, as there's a computer at my workplace taken over by privacy center and other stuff. Could it be possible that the USB is carrying w/e malware that's infecting the work comp and my desktop? If that's possible, is there a way to check whether the USB is clean and is there a safe way to transfer/secure/backup the data on the USB?

I've already backed up all the important files on my desktop C drive and I'm prepared to reformat it if needed. Just thought I should check with you guys before I do anything else. Please see below for the most recent logs from Malwarebytes and HijackThis. Please also let me know if it'd help for me to send you the Malwarebytes log of the scan that got rid of the apparent infections.

Thank you in advance for your time and assistance <_<

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:26:41 PM, on 8/20/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\RocketDock\RocketDock.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: AVG Security Toolbar BHO - {a3bc75a2-1f87-4686-aa43-5347d756017c} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll (file missing)

O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll

O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: 使用迅雷下載 - C:\Program Files\Thunder Network\Thunder\Program\geturl.htm

O8 - Extra context menu item: 使用迅雷下載全部鏈接 - C:\Program Files\Thunder Network\Thunder\Program\getallurl.htm

O8 - Extra context menu item: 妏蚚捃濘狟婥 - C:\Program Files\Thunder Network\Thunder\Program\GetUrl.htm

O8 - Extra context menu item: 妏蚚捃濘狟婥窒蟈諉 - C:\Program Files\Thunder Network\Thunder\Program\GetAllUrl.htm

O9 - Extra button: Ao?


  • Staff

Hi,

Yes, it looks like you are/were indeed dealing with a flash drive infection. You could have prevented this if your Windows was up to date, because that now handles autorun.

Anyway,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your antivirus/antispyware/firewall software before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.


Sorry for the delay. I think I blocked all antivirus stuff. Here's the log:

ComboFix 09-08-22.06 - Meeeow 08/22/2009 22:53.1.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.2.1033.18.2046.1496 [GMT -4:00]

Running from: c:\documents and settings\Meeeow\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Meeeow\Local Settings\Temporary Internet Files\ijjistarter_verinfo.dat

c:\recycled\Recycled

c:\recycler\S-1-5-21-0243936033-3052116371-381863308-1077

c:\recycler\S-1-5-21-0621517984-3898076087-151959637-9448

c:\recycler\S-1-5-21-0686443166-5270837285-241486154-5398

c:\recycler\S-1-5-21-2573346284-2336271518-409723028-6704

c:\recycler\S-1-5-21-3193362069-7439764638-517447342-2159

c:\recycler\S-1-5-21-3193362069-7439764638-517447342-2159\Desktop.ini

c:\recycler\S-1-5-21-3193362069-7439764638-517447342-2159\sysdate.exe

c:\recycler\S-1-5-21-5497633860-4031374603-697526225-0942

c:\recycler\S-1-5-21-5931568600-2811820653-914443296-9981

c:\recycler\S-1-5-21-6004224137-2790071280-108408253-8666

c:\windows\Fonts\mlog

c:\windows\Install.txt

c:\windows\Installer\102f30.msi

c:\windows\Installer\13477393.msi

c:\windows\Installer\13477399.msi

c:\windows\Installer\1347739f.msi

c:\windows\Installer\20fedb68.msi

c:\windows\Installer\368e5.msp

c:\windows\Installer\368f8.msp

c:\windows\Installer\3e30f36.msi

c:\windows\Installer\bcfa5.msp

c:\windows\Installer\bcfb4.msp

c:\windows\system32\drivers\19326b6d.sys

c:\windows\system32\drivers\f3880ba.sys

c:\windows\system32\drivers\fc9db923.sys

c:\windows\system32\Install.txt

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_ias

-------\Legacy_nwcworkstation

-------\Service_19326b6d

-------\Service_fc9db923

-------\Service_ias

-------\Service_nwcworkstation

-------\Service_f3880ba

((((((((((((((((((((((((( Files Created from 2009-07-23 to 2009-08-23 )))))))))))))))))))))))))))))))

.

2009-08-21 03:40 . 2009-07-24 13:55 1090816 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll

2009-08-20 16:55 . 2009-08-20 16:55 -------- d-----w- c:\program files\Trend Micro

2009-08-18 23:08 . 2009-08-18 23:08 -------- d-----w- c:\documents and settings\Meeeow\Local Settings\Application Data\AVG Security Toolbar

2009-08-18 05:00 . 2009-08-22 12:09 -------- d--h--w- C:\$AVG8.VAULT$

2009-08-18 04:52 . 2009-08-18 04:52 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2009-08-18 04:52 . 2009-08-18 04:52 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2009-08-18 04:52 . 2009-08-18 04:52 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-08-18 04:52 . 2009-08-18 04:52 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-08-18 04:52 . 2009-08-22 22:28 -------- d-----w- c:\windows\system32\drivers\Avg

2009-08-18 04:52 . 2009-08-21 03:40 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar

2009-08-18 04:52 . 2009-08-18 04:52 -------- d-----w- c:\program files\AVG

2009-08-18 04:52 . 2009-08-18 16:51 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8

2009-08-18 04:37 . 2009-08-18 04:37 -------- d-----w- c:\documents and settings\Meeeow\Application Data\AVG8

2009-08-17 10:53 . 2009-08-17 10:53 -------- d-s---w- c:\documents and settings\LocalService\UserData

2009-08-16 04:53 . 2009-08-16 04:53 -------- d-----w- c:\documents and settings\Meeeow\Application Data\Malwarebytes

2009-08-16 04:53 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-16 04:53 . 2009-08-16 04:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-08-16 04:53 . 2009-08-16 04:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-08-16 04:53 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-16 04:31 . 2009-08-16 12:16 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-08-16 04:04 . 2009-08-16 04:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-08-16 04:04 . 2009-08-16 04:07 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-08-16 04:00 . 2009-08-16 04:27 -------- d-----w- c:\program files\PrivacyCenter

2009-08-06 23:07 . 2009-08-06 23:07 -------- d-----w- c:\program files\iPod

2009-08-06 23:07 . 2009-08-06 23:08 -------- d-----w- c:\program files\iTunes

2009-08-06 23:07 . 2009-08-06 23:08 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

2009-08-06 23:07 . 2009-08-06 23:07 -------- d-----w- c:\program files\Bonjour

2009-08-06 23:06 . 2009-08-06 23:06 -------- d-----w- c:\program files\QuickTime

2009-08-06 23:04 . 2009-07-09 16:16 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-23 02:48 . 2007-04-04 20:17 42952 ----a-w- c:\documents and settings\Meeeow\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-19 19:34 . 2009-06-09 18:24 -------- d-----w- c:\program files\Yahoo! Games

2009-08-16 12:03 . 2008-08-08 22:36 26 ----a-w- c:\windows\system32\xlhcc.dat

2009-08-10 13:49 . 2007-05-13 01:30 -------- d-----w- c:\documents and settings\Meeeow\Application Data\U3

2009-08-06 23:06 . 2007-12-25 00:30 -------- d-----w- c:\program files\Common Files\Apple

2009-08-06 23:04 . 2007-12-25 00:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple

2009-08-06 03:11 . 2009-02-26 01:57 1924440 ----a-w- c:\documents and settings\Meeeow\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe

2009-07-25 21:32 . 2009-04-20 02:23 -------- d-----w- c:\documents and settings\Meeeow\Application Data\Skype

2009-07-24 04:07 . 2008-08-13 18:29 -------- d-----w- c:\documents and settings\Meeeow\Application Data\GetRightToGo

2009-07-23 23:23 . 2008-08-08 22:36 9768 ----a-w- c:\windows\system32\cid_store.dat

2009-07-22 16:53 . 2007-04-12 19:51 -------- d-----w- c:\program files\DivX

2009-07-22 16:53 . 2009-07-22 16:53 -------- d-----w- c:\program files\Common Files\DivX Shared

2009-07-13 18:22 . 2009-07-13 18:22 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe

2009-07-09 16:16 . 2007-12-25 00:31 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys

2009-06-09 18:24 . 2009-06-09 18:24 1245321 ----a-w- c:\documents and settings\All Users\Application Data\NeoEdge Networks\Yahoo_ChessmasterChallenge\IAF.dll

2008-07-12 13:53 . 2008-08-08 22:19 36864 ----a-w- c:\program files\mozilla firefox\components\NsThunderLoader.dll

2008-07-12 13:53 . 2008-08-08 22:19 53248 ----a-w- c:\program files\mozilla firefox\components\ThunderComponent.dll

2005-04-04 06:45 . 2007-09-07 01:47 24848 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll

2005-04-04 06:45 . 2007-09-07 01:47 74000 ----a-w- c:\program files\mozilla firefox\plugins\cgpcore.dll

2005-04-04 06:45 . 2007-09-07 01:47 45328 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll

2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll

2005-04-04 06:45 . 2007-09-07 01:47 28944 ----a-w- c:\program files\mozilla firefox\plugins\pscript.dll

2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll

2005-04-04 06:45 . 2007-09-07 01:47 69904 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll

2005-04-04 06:45 . 2007-09-07 01:47 24848 ----a-w- c:\program files\mozilla firefox\plugins\tcppserv.dll

.

------- Sigcheck -------

[7] 2004-08-04 01:07 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\system32\dllcache\tcpip.sys

[-] 2004-08-04 01:07 359040 C1783498EDB152656303B5D5BCABD86C c:\windows\system32\drivers\tcpip.sys

[-] 2005-07-26 04:39 243200 34BBD9ACC1538818F2C878898C64E793 c:\windows\system32\es.dll

[7] 2004-08-04 01:07 243200 ACD36A2DD7D1E9D8A060AA651DC07E63 c:\windows\system32\dllcache\es.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

2009-07-24 13:55 1090816 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-03-11 3885408]

"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-18 2007832]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]

c:\documents and settings\Meeeow\Start Menu\Programs\Startup\

Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-08-18 04:52 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\FrostWire\\FrostWire.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\WINDOWS\\system32\\rtcshare.exe"=

"c:\\Program Files\\GridService\\peer.exe"=

"c:\\Program Files\\Thunder Network\\Thunder\\Program\\Thunder5.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 avgldx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/18/2009 12:52 AM 335240]

R1 avgtdix;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/18/2009 12:52 AM 108552]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/18/2009 12:52 AM 297752]

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [3/11/2009 1:17 AM 55152]

S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2/6/2009 6:08 PM 533360]

S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

S3 XDva090;XDva090;\??\c:\windows\system32\XDva090.sys --> c:\windows\system32\XDva090.sys [?]

.

Contents of the 'Scheduled Tasks' folder

2009-08-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-329068152-796845957-1801674531-1003Core.job

- c:\documents and settings\Meeeow\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-08 17:00]

2009-08-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-329068152-796845957-1801674531-1003UA.job

- c:\documents and settings\Meeeow\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-08 17:00]

.

- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-Picasa Media Detector - c:\program files\Picasa2\PicasaMediaDetector.exe

Notify-AtiExtEvent - (no file)

.

------- Supplementary Scan -------

.

uStart Page = hxxp://ask.askredir.com/search/cfg_redir2.jhtml?id=IF&ptb=D0087022-9CE0-42D0-BC61-7FF16A97B6DF&url=http://www.ask.com/&l=dis&o=13010

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://ask.askredir.com/search/cfg_redir2.jhtml?id=IF&ptb=D0087022-9CE0-42D0-BC61-7FF16A97B6DF&url=http://www.ask.com/web&q=%s&l=dis&o=13010

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: ?????? - c:\program files\Thunder Network\Thunder\Program\geturl.htm

IE: ?????????? - c:\program files\Thunder Network\Thunder\Program\getallurl.htm

IE: ?????? - c:\program files\Thunder Network\Thunder\Program\GetUrl.htm

IE: ?????????? - c:\program files\Thunder Network\Thunder\Program\GetAllUrl.htm

IE: {{09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - c:\program files\Thunder Network\Thunder\Thunder.exe

FF - ProfilePath - c:\documents and settings\Meeeow\Application Data\Mozilla\Firefox\Profiles\4yipqlst.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/ig?hl=en

FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll

FF - plugin: c:\documents and settings\Meeeow\Application Data\Mozilla\Firefox\Profiles\4yipqlst.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll

FF - plugin: c:\documents and settings\Meeeow\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll

FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npican.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMFireLauncher.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-22 22:58

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]

"ImagePath"="c:\windows\system32\GameMon.des -service"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2104)

c:\windows\system32\msi.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe

c:\program files\AVG\AVG8\avgrsx.exe

c:\progra~1\AVG\AVG8\avgnsx.exe

c:\windows\system32\nvsvc32.exe

c:\progra~1\MICROS~3\rapimgr.exe

c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2009-08-23 23:02 - machine was rebooted

ComboFix-quarantined-files.txt 2009-08-23 03:02

Pre-Run: 13,888,593,920 bytes free

Post-Run: 13,943,889,920 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

247


  • Staff

Hi,

This looks OK again.

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.


  • Staff

ComboFix disabled autorun on the flash drive in the meantime, so this means that when you insert the flash drive, the malicious files should stay there.

Then let your AV scan the flash drive and back up the data on it (only what you're sure is clean).

Once you've backed up the data, format the flash drive.

BTW, computers at your work are obviously also infected, so please contact the IT department there so they can clean those computers.

Also, change all passwords since they may be known.

Glad I could help. :lol:

Please read my Prevention page with lots of info and tips how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!


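Before trusting a flash drive like the one the staff replies above tell the poster to scan, back up and then format, a defender can check its root for the three things this thread's logs show: an autorun.inf that launches a program on the drive, a fake RECYCLER\S-1-5-21-... folder holding an executable (ComboFix deleted c:\recycler\...\sysdate.exe above), and a lookalike name such as the isass.exe from the first post. The script below is an added example, not code from the forum or its staff; it scans a constructed throwaway directory standing in for the drive root, so the file contents, the `hwXvq` junk key and the case-sensitive lookups are assumptions.

```python
import os
import re
import shutil
import tempfile
from pathlib import Path

# System binaries that autorun worms imitate with one-letter changes (isass.exe vs lsass.exe).
SYSTEM_NAMES = {"lsass.exe", "svchost.exe", "csrss.exe", "winlogon.exe",
                "explorer.exe", "services.exe", "smss.exe"}
EXEC_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs"}
SID_DIR = re.compile(r"^S-1-5-21(-\d+){3,4}$", re.I)

def autorun_targets(text):
    """Programs an autorun.inf launches (open, shellexecute, shell\\x\\command). Parsed line
    by line, not with configparser: worm-written files carry junk keys that stop strict parsers."""
    targets = []
    for raw in text.splitlines():
        line = raw.strip()
        if "=" not in line or line.startswith((";", "[")):
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        launches = key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command"))
        value = value.strip()
        if launches and value:
            targets.append(value.split()[0].strip('"').lstrip(".\\"))  # program only, arguments dropped
    return targets

def edit_distance_one(a, b):
    # True when a and b have the same length and differ in exactly one character.
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1

def scan_drive_root(root):
    """Return (severity, description) findings for a removable-drive root."""
    root = Path(root)
    findings = []
    inf = root / "autorun.inf"
    if inf.is_file():
        for target in autorun_targets(inf.read_text(errors="replace")):
            path = root / target.replace("\\", os.sep)
            if path.suffix.lower() in EXEC_EXT:
                state = "present on drive" if path.exists() else "missing"
                findings.append(("high", f"autorun.inf launches {target} ({state})"))
    # Fake recycle-bin folders named after a SID and holding an executable,
    # like the c:\recycler\S-1-5-21-...\sysdate.exe entry ComboFix deleted.
    for name in ("RECYCLER", "RECYCLED", "$RECYCLE.BIN"):
        bin_dir = root / name
        for sub in (bin_dir.iterdir() if bin_dir.is_dir() else []):
            if not (sub.is_dir() and SID_DIR.match(sub.name)):
                continue
            exes = [f.name for f in sub.iterdir() if f.suffix.lower() in EXEC_EXT]
            if exes:
                findings.append(("high", f"executables under {name}\\{sub.name}: {', '.join(exes)}"))
    # Files in the root whose names are one character off a system binary.
    for f in root.iterdir():
        low = f.name.lower()
        if f.is_file() and low not in SYSTEM_NAMES and any(edit_distance_one(low, s) for s in SYSTEM_NAMES):
            findings.append(("medium", f"lookalike of a system binary in root: {f.name}"))
    return findings

def build_sample_drive():
    """Constructed stand-in for an infected drive root (not a real capture)."""
    root = Path(tempfile.mkdtemp(prefix="usb_sample_"))
    sid = "S-1-5-21-3193362069-7439764638-517447342-2159"  # SID seen in the ComboFix log
    (root / "RECYCLER" / sid).mkdir(parents=True)
    (root / "RECYCLER" / sid / "sysdate.exe").write_bytes(b"MZ constructed")
    (root / "isass.exe").write_bytes(b"MZ constructed")
    (root / "autorun.inf").write_text(
        "[autorun]\n"
        "hwXvq=\n"  # assumed junk key of the kind used to trip INI parsers
        f"open=RECYCLER\\{sid}\\sysdate.exe -a\n"
        f"shell\\open\\Command=RECYCLER\\{sid}\\sysdate.exe -a\n"
        "shell\\open=&Open\n")
    return root

def demo():
    # Build the sample drive, scan it, remove it, and return the findings.
    root = build_sample_drive()
    try:
        return scan_drive_root(root)
    finally:
        shutil.rmtree(root)
```

Run `demo()` to get the four findings for the constructed drive; point `scan_drive_root` at a real mounted drive root to use it for the check itself.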
Hmmz, sorry, not sure if I understood completely... would I have to install and run ComboFix again in order to back up the flash drive?

Thank you for all the extra reminders and advice as well :lol: At my workplace we're already looking into fixing those problematic computers; maybe I could refer our IT guys to your forum lol


  • Staff

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

