Jump to content

Infection prevents Malwarebytes from running


Recommended Posts

Got a virus last night just surfing the Net (no downloads/risky sites). Running XP home with SP2 and I believe all the most recent XP updates. It appears to be one of the fake antivirus programs (maybe called antivirus pro or something like that). (little white cross in red background in the system tray at the lower right corner - with the popup about having spotted an infection on my computer). Norton Antivirus with relatively recent definitions (updated about two or three weeks ago) spotted the thing breaking in but could not do anything about it. A Norton scan doesn't get very far but does say trojan metajuan is present (but can't be removed).

Anywho this monster won't let me run MBAM (I had it already installed and was updated as of 8/15/09). It also gives me popups saying that I don't have permission to edit the registry. When I tried a restore point it said something similar - that I don't have permission. It has even prevented imgburn from accessing my CD writer and DVD writer to prevent me from evacuating files (insidious).

I tried the trick of renaming MBAM and it loaded. I did not update, but just started the quick scan. The quick scan lasted about 10 seconds and then the program closed. Now when I try to load or even rename it says something about the disk being write-protected (this is true in both safe and regular mode). The most recent time I tried to access the internet there now appears to be 4 or 5 of these fake programs running (I have 3 or 4 different little icons in the system tray). Sorry I don't know what the specific infection is, but given that it seems to be rapidly shutting down access to the computer I thought I'd see if anyone had seen this before. I really don't want to reformat (and by the way this thing has taken over, I'm not sure it will let me anyway).

Any help is greatly appreciated.

Link to post
Share on other sites

  • Staff
Norton Antivirus with relatively recent definitions (updated about two or three weeks ago)
That is not recent. Three weeks old is considerably outdated.

Please download Win32kDiag.exe by AD to your Desktop. Double click on it. It will make a diagnostic and produce a report on the desktop. Post that report on your next reply:

-screen317

Link to post
Share on other sites

I downloaded and ran Win32Kdiag and will post the log below. I will also mention that I updated Norton Antivirus - which appeared to update fine. However, when I attempted to launch it to run a scan -- nothing. While I was running the Win32Kdiag, however, Norton alert popped up and indicated it had nabbed 6 viruses or trojans and that I should restart. I let win32kdiag finish and then rebooted. Now instead of the three or four little icons in the system tray, I just have two new installed programs - the so-called Windows Antivirus Pro and the PC_Antispyware. Additionally the virus has appeared to have knocked out norton from the system tray but the pop-ups appear to have stopped. Worse - every program I click on says "This file does not have a program associated with it....." I get this not just from clicking on shortcuts but the actual program .exe files. I then attempted to manually delete some files with a modified date of 3/23/09 (when the virus struck), but it wouldn't delete in normal mode. Those files did delete in safe mode. The only way I was able to get on the internet is that we had some website shortcuts saved to the desktop that appear to be working now. Anyway here is the win32kdiag log. Let me know if you want to run it again since the thing with Norton happened right in the middle of its running.

Log file is located at: C:\Documents and Settings\Owner\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP210.tmp\ZAP210.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP26F.tmp\ZAP26F.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP40D.tmp\ZAP40D.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP428.tmp\ZAP428.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP448.tmp\ZAP448.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Cache\Adobe Reader 6.0.1\Adobe Reader 6.0.1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\ErrorRep\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\ErrorRep\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\ErrorRep\UserDumps\UserDumps

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpsvc.exe

[1] 2003-03-31 07:00:00 703488 C:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe (Microsoft Corporation)

[1] 2004-08-04 02:56:50 743936 C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpsvc.exe ()

[1] 2004-08-04 02:56:50 743936 C:\WINDOWS\ServicePackFiles\i386\helpsvc.exe (Microsoft Corporation)

[1] 2008-04-13 19:12:21 744448 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\helpsvc.exe (Microsoft Corporation)

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\10\10

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\52\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\60\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\70\70

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\Adobe\update\update

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\TempDir\TempDir

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\CatRoot_bak\CatRoot_bak

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Recent\Recent

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2003-03-31 07:00:00 49152 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2004-08-04 02:56:42 55808 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 19:11:53 56320 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll (Microsoft Corporation)

[1] 2004-08-04 02:56:42 62464 C:\WINDOWS\system32\eventlog.dll ()

[2] 2004-08-04 02:56:42 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\Futuremark\MSC\MSC

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\inetsrv\inetsrv

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\LogFiles\WUDF\WUDF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\Macromed\update\update

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\wbem\Logs\FrameWork.log

[1] 2009-08-26 23:24:21 1040 C:\WINDOWS\system32\wbem\Logs\FrameWork.log ()

Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu4412.tmp\slu4412.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Finished!

Link to post
Share on other sites

  • Staff

Hi,

Please delete your copy of Win32kDiag.

Please save this file to your Desktop. Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with Notepad and post the contents here.

"%userprofile%\desktop\win32kdiag.exe" -f -r

Next, we need to execute an Avenger2 script.

Note to users reading this topic! This script was created specifically for the particular infection on this specific machine! If you are not this user, do NOT follow these directions as they could damage the workings of your system.

  1. Please download The Avenger2 by SwanDog46.
  2. Unzip avenger.exe to your desktop.
  3. Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy"
    Files to move:
    C:\WINDOWS\ServicePackFiles\i386\eventlog.dll | C:\WINDOWS\system32\eventlog.dll


  4. Now start The Avenger2 by double clicking avenger.exe on your desktop.
  5. Read the prompt that appears, and press OK.
  6. Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".
  7. Press the "Execute" button.
  8. You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
    Note: It is possible that Avenger will reboot your system TWICE.
  9. Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.

Next, try running MBAM.

-screen317

Link to post
Share on other sites

No dice. I can get avenger open by right clicking and then clicking on "run as". However, when I try to execute that code, I get the first prompt, but then a series of error messages like -- error: can't open file 'c:\zip.exe' (error 5:access denied) followed by error: could not open zipfile aborting execution! (error 6: the handle is invalid), and then Error: can't open file 'c:\avenger.txt' (error 5:access denied) and then perhaps another error.

Link to post
Share on other sites

I was actually just able to run avenger without errors and it rebooted, when it got back to the desktop a message popped up that said "cannot fined cleanup.exe....." (I avoided the above referenced errors by unchecking the box next to the "protect my computer and data from unauthorized program activity in the "run as" dialog box). I also did not get a command prompt screen. I found an avenger text log which follows on the c drive main directory. I also found a cleanup.bat file which I clicked on and it disappeared. Tried run MBAM - still get the "windows cannot access the specified device, path, or file. You may not have appropriate permissions to access the item."

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

File move operation "C:\WINDOWS\ServicePackFiles\i386\eventlog.dll|C:\WINDOWS\system32\eventlog.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

Link to post
Share on other sites

  • Staff

See if MBAM will run now.

If no joy, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

-screen317

Link to post
Share on other sites

Good news: I uninstalled MBAM and was able to download it again and install. I was able to run it using the "run as" trick and unchecking the "protect my computer" box. I ran a complete quick scan with log report below. It ran to completion and reported being able to successfully address all of the listed infections. It then stated it had to reboot. The antivirus pro and pc spyware 2010 icons are gone from the desktop upon reboot.

Bad news: upon rebooting and before the desktop came up, I received the old error dialog box - "Windows cannot open this file: mbamgui.exe. To open this file windows needs to know what program created it ........". It also gave me another one after I clicked cancel regarding mbam.exe, so I don't know if the quarantining process was complete. Also, when I try regular left clicking of programs (e.g. opera) I still get the "This file does not have a program associated with it..." error. As noted I can apparent open things by right clicking run as and then unchecking the "protect my computer". I did another MBAM quick scan and no infections came up. I'll try a regular scan next.

What's next - combofix or hijack this? Or both?

Here's the MBAM log

Malwarebytes' Anti-Malware 1.40

Database version: 2715

Windows 5.1.2600 Service Pack 2

8/30/2009 12:50:17 AM

mbam-log-2009-08-30 (00-50-17).txt

Scan type: Quick Scan

Objects scanned: 100114

Time elapsed: 15 minute(s), 9 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 13

Registry Values Infected: 5

Registry Data Items Infected: 5

Folders Infected: 6

Files Infected: 61

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\main.bho (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\TypeLib\{8e3c68cd-f500-4a2a-8cb9-132bb38c3573} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{986a8ac1-ab4d-4f41-9068-4b01c0197867} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\main.bho.1 (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{76dc0b63-1533-4ba9-8be8-d59eb676fa02} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{bf56a325-23f2-42ad-f4e4-00aac39caa53} (Trojan.Ertfor) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\pc_antispyware2010 (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Windows antiVirus pro (Rogue.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Win AntiVirus Pro (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CURRENT_USER\Control Panel\don't load\scui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Control Panel\don't load\wscui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WINID (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

C:\Program Files\PC_Antispyware2010 (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.

C:\Program Files\PC_Antispyware2010\data (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.

C:\Program Files\PC_Antispyware2010\Microsoft.VC80.CRT (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.

C:\Program Files\Windows AntiVirus Pro (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Start Menu\Programs\PC_Antispyware2010 (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Start Menu\Programs\Windows AntiVirus Pro (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.

Files Infected:

C:\Program Files\Shared\lib.dll (Trojan.BHO) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\dddesot.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\RECYCLER\S-1-5-21-73586283-706699826-839522115-1003\Dc6.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\wisdstr.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\UACeewdpayxoo.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\UACxjkaxlqgoo.dll (Rogue.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temp\mdm.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temp\smss.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temp\1895136240.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temp\1909031596.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temp\199.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temp\winamp.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temp\winlogon.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temp\install.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temp\services.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temp\system.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temp\784387694.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temp\notepad.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temp\ueja73hkjd.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temp\~.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Program Files\PC_Antispyware2010\AVEngn.dll (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.

C:\Program Files\PC_Antispyware2010\htmlayout.dll (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.

C:\Program Files\PC_Antispyware2010\PC_Antispyware2010.exe (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.

C:\Program Files\PC_Antispyware2010\pthreadVC2.dll (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.

C:\Program Files\PC_Antispyware2010\Uninstall.exe (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.

C:\Program Files\PC_Antispyware2010\wscui.cpl (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.

C:\Program Files\PC_Antispyware2010\data\daily.cvd (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.

C:\Program Files\PC_Antispyware2010\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.

C:\Program Files\PC_Antispyware2010\Microsoft.VC80.CRT\msvcm80.dll (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.

C:\Program Files\PC_Antispyware2010\Microsoft.VC80.CRT\msvcp80.dll (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.

C:\Program Files\PC_Antispyware2010\Microsoft.VC80.CRT\msvcr80.dll (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.

C:\Program Files\Windows AntiVirus Pro\msvcm80.dll (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.

C:\Program Files\Windows AntiVirus Pro\msvcp80.dll (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.

C:\Program Files\Windows AntiVirus Pro\msvcr80.dll (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.

C:\Program Files\Windows AntiVirus Pro\Windows Antivirus Pro.exe (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Start Menu\Programs\PC_Antispyware2010\PC_Antispyware2010.lnk (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Start Menu\Programs\PC_Antispyware2010\Uninstall.lnk (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Start Menu\Programs\Windows AntiVirus Pro\Windows Antivirus Pro.lnk (Rogue.WindowsAntiVirusPro) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Desktop\PC_Antispyware2010.lnk (Rogue.PCAntispy) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Desktop\Windows Antivirus Pro.lnk (Rogue.WindowsAntiVirus2008) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\PC_Antispyware2010.lnk (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\~.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\_scui.cpl (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\bennuar.old (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\sonhelp.htm (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\sysnet.dat (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\ppp3.dat (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\ppp4.dat (Malware.Trace) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temp\tmpwr2 (Rogue.Install) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temp\tmpwr3 (Rogue.Install) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temp\tmpwr4 (Rogue.Install) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temp\tmpwr5 (Rogue.Install) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temp\tmpwr6 (Rogue.Install) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temp\tmpwr7 (Rogue.Install) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temp\tmpwr8 (Rogue.Install) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temp\tmpwr9 (Rogue.Install) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\UACpjyidomppy.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\UACtuhalttddc.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\UACvkkksxobnl.dat (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\UACruodtvrqcb.sys (Trojan.TDSS) -> Quarantined and deleted successfully.

Link to post
Share on other sites

The following is the combofix log. At some point this virus knocked NAV out of the system tray, but Combofix detected NAV running. Of course when I tried to load NAV with the "run as" method in order to disable auto protect it was stuck on "refreshing". Long story short, I tried to disable autoprotect, but not sure I was successful. All program icons are still giving me the "this file does not have a program associated with it for performing this action....." business. Anyway here is the log. I will run hijack this next and post that.

ComboFix 09-09-01.04 - Owner 09/01/2009 22:56.1.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.204 [GMT -5:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

AV: Norton AntiVirus 2006 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton Internet Worm Protection *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\program files\Shared

c:\program files\Shared\lib.sig

c:\recycler\NPROTECT

c:\windows\Installer\1cfe1c.msi

c:\windows\patch.exe

c:\windows\system32\_000006_.tmp.dll

c:\windows\system32\resdll.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}

((((((((((((((((((((((((( Files Created from 2009-08-02 to 2009-09-02 )))))))))))))))))))))))))))))))

.

2009-08-30 05:30 . 2009-08-03 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-30 05:30 . 2009-08-03 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-27 04:39 . 2009-08-27 04:59 46640 ----a-w- c:\windows\system32\msln.exe

2009-08-24 03:27 . 2009-08-24 03:27 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2009-08-15 23:43 . 2009-08-15 23:57 -------- d-----w- c:\program files\fvpubo

2009-08-15 14:18 . 2009-08-15 14:41 -------- d-----w- c:\documents and settings\Owner\Application Data\ImgBurn

2009-08-15 13:40 . 2009-08-15 13:40 -------- d-----w- c:\program files\ImgBurn

2009-08-12 03:55 . 2009-06-05 07:42 655872 -c----w- c:\windows\system32\dllcache\mstscax.dll

2009-08-05 09:11 . 2009-08-05 09:11 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-30 05:30 . 2009-04-01 03:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-08-27 04:27 . 2004-02-21 05:15 -------- d-----w- c:\program files\Common Files\Symantec Shared

2009-08-05 09:11 . 2003-11-14 11:12 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-26 05:53 . 2009-07-26 05:52 -------- d-----w- c:\program files\iTunes

2009-07-26 05:53 . 2009-07-26 05:52 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

2009-07-26 05:52 . 2009-07-26 05:52 -------- d-----w- c:\program files\iPod

2009-07-26 05:51 . 2009-07-26 05:51 -------- d-----w- c:\program files\Bonjour

2009-07-26 05:50 . 2009-07-26 05:49 -------- d-----w- c:\program files\QuickTime

2009-07-26 05:41 . 2009-07-26 05:41 75040 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe

2009-07-26 03:14 . 2008-01-28 05:45 -------- d-----w- c:\program files\Apple Software Update

2009-07-17 18:55 . 2003-03-31 12:00 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-14 04:43 . 2004-08-07 14:41 286208 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-14 03:40 . 2004-08-29 18:30 19312 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-07-09 17:16 . 2009-07-26 05:46 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll

2009-07-09 17:16 . 2008-01-28 05:45 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys

2009-07-05 14:16 . 2009-07-05 14:17 410984 ----a-w- c:\windows\system32\deploytk.dll

2009-07-05 14:16 . 2003-12-09 04:23 -------- d-----w- c:\program files\Java

2009-07-05 14:15 . 2009-07-05 14:15 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_13\lzma.dll

2009-07-03 17:09 . 2004-02-06 23:05 915456 ----a-w- c:\windows\system32\wininet.dll

2009-06-16 14:55 . 2003-03-31 12:00 82432 ----a-w- c:\windows\system32\fontsub.dll

2009-06-16 14:55 . 2003-03-31 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-12 11:50 . 2003-03-31 12:00 76288 ----a-w- c:\windows\system32\telnet.exe

2009-06-10 14:21 . 2003-03-31 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll

2009-06-10 06:32 . 2003-03-31 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll

2009-06-05 07:42 . 2003-11-14 08:16 655872 ----a-w- c:\windows\system32\mstscax.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Disk Monitor"="c:\program files\\IC Card Reader Driver v1.8e4\Disk_Monitor.exe" [2003-03-28 469504]

"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2004-03-24 3309568]

"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2004-03-24 46080]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-05 148888]

"PrinTray"="c:\windows\System32\spool\DRIVERS\W32X86\3\printray.exe" [2002-03-29 36864]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-09-17 52848]

"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2006-10-17 1197648]

"dvd43"="c:\program files\dvd43\dvd43_tray.exe" [2007-11-20 731136]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]

"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2004-03-24 782336]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2006-10-04 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

Versato.lnk - c:\program files\MediaKey\Versato.exe [2004-5-22 565248]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 kbfilter;Keyboard Filter Driver;c:\windows\system32\drivers\kbfilter.sys [5/22/2004 3:54 PM 14624]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\eengine\EraserUtilRebootDrv.sys [3/6/2009 11:56 PM 101936]

S3 UNDPX1K;UNDPX1K;\??\c:\windows\system32\drivers\UNDPX1K.SYS --> c:\windows\system32\drivers\UNDPX1K.SYS [?]

S3 WebSTARNdis;WebSTAR DPX USB Cable Modem Adapter;c:\windows\system32\DRIVERS\WebSTAR.sys --> c:\windows\system32\DRIVERS\WebSTAR.sys [?]

S3 WebSTARXP;Scientific Atlanta WebSTAR 100 & 200 series Cable Modem;c:\windows\system32\DRIVERS\SACMXP1.sys --> c:\windows\system32\DRIVERS\SACMXP1.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

2009-07-26 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]

2009-08-22 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - Owner.job

- c:\progra~1\NORTON~1\Navw32.exe [2005-09-24 17:13]

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-Cmaudio - cmicnfg.cpl

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

mStart Page = hxxp://www.google.com

uSearchURL,(Default) = hxxp://www.locators.com/search.php?que=%s

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-01 23:08

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3964)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Symantec Shared\ccSetMgr.exe

c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe

c:\program files\Common Files\Symantec Shared\SNDSrvc.exe

c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

c:\windows\system32\LEXBCES.EXE

c:\windows\system32\LEXPPS.EXE

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Norton AntiVirus\IWP\NPFMNTOR.EXE

c:\windows\system32\nvsvc32.exe

.

**************************************************************************

.

Completion time: 2009-09-02 23:14 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-02 04:14

Pre-Run: 32,748,728,320 bytes free

Post-Run: 34,347,659,264 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

170 --- E O F --- 2009-08-12 12:07

Link to post
Share on other sites

The following is the Hijack This log. I should also note regarding the NAV - I even tried to uninstall it, but the add/remove item on the control panel, like all the other programs, gave me the "this file does not have a program associated with it for performing this action. Create an association in the folder options control panel" error..

Here is the Hijack This log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:27:42 PM, on 9/1/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.locators.com/search.php?que=%s

O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\\IC Card Reader Driver v1.8e4\Disk_Monitor.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon

O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Versato.lnk = C:\Program Files\MediaKey\Versato.exe

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Locators.com Search Bar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - (no file)

O9 - Extra 'Tools' menuitem: Locators.com Search Bar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - (no file)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://citrix.ecave.net/cab/8.1/wficat.cab

O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--

End of file - 7002 bytes

Link to post
Share on other sites

  • Staff

Hi,

I'm afraid I have bad news.

Your logs reveal a backdoor trojan. A backdoor severely compromises system integrity.

A compromised system may allow illicit network connections, disabling of security software, modifying critical system files and collection and transmiission of personal identifiable information without your consent.

I recommend that you disconnect this PC from the Internet immediately, and only reconnect to download any tools that are required. If you do any banking or other financial transactions on the PC or it if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. If it were on my PC I would not hesitate for a moment to do so. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

Should you decide not to follow that advice, we will of course do our best to clean the computer of any infections that we can see but, as I already stated, we can in no way guarantee it to be trustworthy.

Should you have any questions, please feel free to ask.

Let me know what you decide.

-screen317

Link to post
Share on other sites

Oyyy - and I thought we were making progress. I guess I'll do the clean wipe - but I need to evacuate some files from the computer. Not sure whether imgburn works using the run as trick, but I'm also worried about whether this trojan could be transferred to the DVD or CDs that I burn and then infect the computer all over again when I load them back on.

Another question - I have an old pre-SP2 XP cd. Am I going to be able to install with firewall protection? Is there a way to slipstream the XP and SP2 (or SP3 for that matter)? I've reinstalled windows 98 before, but never xp.

Thanks for your help.

Link to post
Share on other sites

  • Staff

ligerjack,

Oyyy - and I thought we were making progress. I guess I'll do the clean wipe - but I need to evacuate some files from the computer. Not sure whether imgburn works using the run as trick, but I'm also worried about whether this trojan could be transferred to the DVD or CDs that I burn and then infect the computer all over again when I load them back on.
It is unlikely that the trojan(s) will make their way to your burned media. I would have told you if I saw that kind of infection.
Another question - I have an old pre-SP2 XP cd. Am I going to be able to install with firewall protection? Is there a way to slipstream the XP and SP2 (or SP3 for that matter)? I've reinstalled windows 98 before, but never xp.
It's possible to slipstream SP2 and SP3; however, I do not recommend doing so at this time.

I would format with your SP1 (or original XP CD), but before you connect to the Internet, install an antivirus, firewall, and other protection software (burn the installer of one of each to a CD from a known clean computer). Then connect to the Internet, update your protection programs, and download all Windows Updates. Continue to download Windows Updates until you get to SP1, then you will get some intermittent updates, then SP2, then additional updates, then SP3.

Keep that in mind. Here is my standard prevention speech.

Now that your computer seems to be in proper working order, please take the following steps to help prevent reinfection:

1) It is vital that you have a firewall. The one that comes with Windows XP is not sufficient in that it only checks incoming data. I recommend selecting one of the following free firewalls. Be sure to only install one.

Kerio

Comodo

Outpost

2) It is imperative that you have an antivirus. You are basically asking for infection without one. ;)

All of the following are excellent free antiviruses. Be sure to only install one.

AVG

AntiVir

avast!.

3) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

4) Download and install IE-Spyad, which will place over 5000 'bad' sites on your Internet Explorer Restricted List. A tutorial on it can be found here.

5) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.

6) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

7) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  • Green to go
  • Yellow for caution
  • Red to stop

WOT has an addon available for both Firefox and IE.

8) Be sure to update your Antivirus and Antispyware programs often!

Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?

Safe surfing,

-screen317

Link to post
Share on other sites

Thanks Chris. I take it from your response that assuming imgburn is operable, I can go ahead and start evacuating the files even with the trojan still present (as long as I'm not connected to the internet). Or should I attempt to kill it before burning?

Also do you have a link for a site that describes the walk through for a reformatting/reinstallation of XP?

Finally - more of a general question - as time goes on MBAM and the other software get better at better at detecting and removing viruses/trojans. Of course the virus and trojan authors are making better and better malware. Is it possible that in a few months MBAM or other program will be able to spot and remove the backdoor trojan I have or will the backdoor trojan I have always elude these programs. (or always leave potential remnants behind that eludes these programs). In other words if I didn't touch the computer for several months and then downloaded the latest version of MBAM, would MBAM spot my trojan and be able to fix it and whatever it had messed with on my system?

Thanks again for your help.

Link to post
Share on other sites

  • Staff

Hi ligerjack,

Thanks Chris. I take it from your response that assuming imgburn is operable, I can go ahead and start evacuating the files even with the trojan still present (as long as I'm not connected to the internet). Or should I attempt to kill it before burning?
Yes please do as soon as possible. One less backdoor trojan active is one less threat to the world.
Also do you have a link for a site that describes the walk through for a reformatting/reinstallation of XP?
Yes, Microsoft has a good writeup on the necessary steps.
Finally - more of a general question - as time goes on MBAM and the other software get better at better at detecting and removing viruses/trojans. Of course the virus and trojan authors are making better and better malware. Is it possible that in a few months MBAM or other program will be able to spot and remove the backdoor trojan I have or will the backdoor trojan I have always elude these programs. (or always leave potential remnants behind that eludes these programs). In other words if I didn't touch the computer for several months and then downloaded the latest version of MBAM, would MBAM spot my trojan and be able to fix it and whatever it had messed with on my system?

Thanks again for your help.

I can see the trojans, and we can remove them, but the problem is that when a backdoor trojan is installed, it is transmitting data back to its author, and its author is transmitting commands back to the trojan for it to execute (communicating through a backdoor). We can remove the trojans, but due to this unauthorized activity, we cannot be sure of what damage has been done and what commands have been issued. As such we cannot deem this computer to be trustworthy without formatting it. We can detect the trojans, but the payloads they carry are not something that can be "detected" in that sense. Clear as mud?

-screen317

Link to post
Share on other sites

I've got a lot of documents and pdfs on the system and instead of saving them all I was justing going to look at them to see if I still needed them. Problem is the little "no program associated with it....." error prevents me from loading word or acrobat to even give them a look-see.

I saw a reference to this utility which fixes the exe file associations in the registry automatically on bleepingcomputer.

http://windowsxp.mvps.org/exefile.htm. Sounded like the same problem I have, but didn't know if it would work given my backdoor trojan problem.

Link to post
Share on other sites

  • 2 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.