
Win Firewall Disabled, Redirects, Remote Attacks



A week or so ago while browsing the web my machine was infected with 2 or 3 virus/malware applications. Two types of rogue anti-virus attacks, complete with fake infection alerts and attempted redirects to fake "scanner" sites, and a remote takeover trojan. The rogue AV attack included a persistent attempt at uninstalling AVG9.0 free, which I use as my AV solution. I was able to stop the uninstall both times. A couple of full scans with free MBAM and AVG free each seemingly cleaned everything up. I then registered MBAM and I'm now running the full paid version. My machine accesses the internet through a cable modem and a wired DLink router, which is used only as an internet "splitter" for this machine and another PC of my wife's. The two PC's are not networked or connected in any way other than through the wired router.

I'm left with two types of problems...

(1) My Win firewall is stopped and I cannot restart it... The red "X" Shield for Windows Security Alerts is on in my tray, indicating the Win firewall is disabled. Attempting to turn the firewall back on results in a query window advising that Win Firewall/ICS is not running and asking if I want to start the service. Selecting "yes" results in an error window stating that the Win Firewall/ICS service cannot be started. I get the same result whether trying to start the service through the Security Center or through Control Panel. Checking the system Event Viewer, I find repeated sets of two Information events followed by an error Event, as follows:

Service Control Manager Event 7035: "The Windows Firewall/Internet Connection Sharing (ICS) service was successfully sent a start control."

Service Control Manager Event 7036: "The Windows Firewall/Internet Connection Sharing (ICS) service entered the stopped state."

Service Control Manager Event 7023: "The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error: The system cannot find the file specified."

In addition, I see several occurrences of FTDisk Error 49: "Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory." immediately followed by FTDisk Error 45: "The system could not sucessfully load the crash dump driver."

I have had several instances of my machine hanging on shutdown or during program launches and having no choice other than a hard shutdown to get out of the hang. I am assuming the "crash dump" is a service to help shut the system down in a hang situation?

Also affected was my ability to download Windows updates and install them when notified that they are available by the yellow shield appearing in my system tray. I have always had the option "Prompt me, but do not download or install updates automatically" selected, but after this attack, the shield would appear but clicking on it would not start the download. I reset to Automatic downloads to try to re-enable the updates, but I don't know if either service is working properly now.

(2) Since cleaning the system as best as is possible with AVG and MBAM, I get continual remote attacks being noted in the system tray by MBAM, both while not connected to the internet and while connected. The following is a list of the attackers' IPs, and is not necessarily complete:

91.212.226.67

91.212.226.59

91.228.209.200

85.12.46.157

85.12.46.155

85.12.46.158

These come in waves, 15-20 minutes apart, and generally go through the entire list above. Meantime, I am getting occasional redirects upon launching IE8, mostly to "get rich quick" scheme websites, although other times to what seem to just be random legit sites.

I believe I have been infected on some level for months; my machine often runs incredibly slowly, with command latencies of up to 10-15 seconds in any number of applications, including extremely slow start-ups and shutdowns of the machine.

Whatever I am infected with is also apparently preventing me from posting on this forum.


Hello,

And :D My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications.

-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.

Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:

  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:

    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download GMER from one of the following locations and save it to your desktop:

  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
    [image: gmer_zip.gif]
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.

-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------

In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply

  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • GMER log


Thanks Elise,

Still trying to successfully run the GMER scan, my machine is shutting down or rebooting by itself several hours into the scan. Trying a Safe Mode scan this time, but here are the OTL and Extras logs... I tried copying the logs directly into this reply, but I get an error saying they are too long to post, so I attached them instead.

Hope you can get started with these logs while I try to get the GMER scan to complete - very frustrating, that scan takes 7-8 hours, and I seem to lose it when it's close to being complete.

Slider

OTL.Txt

Extras.Txt


Hello there,

It's quite possible the infection you have is giving you the trouble posting the logs. For now, please skip GMER and continue with the steps below.

COMBOFIX

---------------

Please download ComboFix from one of these locations:

Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

[image: Query_RC.gif]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image: RC_successful.gif]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Elise,

I am not sending the replies from the infected machine, due to getting the "IE8 cannot display the requested page" error page every time I try to post.

OK - I installed ComboFix and ran it - first, it did indicate it had encountered rootkit activity and had to restart the machine, which it did just fine. Upon restart, the machine showed a Microsoft Error window stating "The Generic Host Processor has encountered an error and needs to close" so I clicked the "OK" button and the ComboFix scan restarted.

Recovery Console has already been installed on my machine. Awaiting your next reply, I desperately need this machine back up and running, I am way behind on a past-due project. Thanks for your prompt replies!

Here is the log:

------------------------------------------------

ComboFix 10-06-30.03 - Administrator 07/01/2010 12:06:31.3.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.631 [GMT -4:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Thumbs.db

Infected copy of c:\windows\system32\drivers\tcpip.sys was found and disinfected

Restored copy from - Kitty had a snack :)

.

((((((((((((((((((((((((( Files Created from 2010-06-01 to 2010-07-01 )))))))))))))))))))))))))))))))

.

2010-06-27 00:42 . 2010-07-01 15:44 -------- d-----w- c:\windows\system32\NtmsData

2010-06-24 15:28 . 2010-06-24 15:28 -------- d-----w- c:\windows\system32\wbem\Repository

2010-06-24 15:27 . 2010-06-24 15:28 -------- d--h--w- c:\windows\ie8

2010-06-24 15:11 . 2010-06-24 15:27 -------- dc----w- c:\windows\ie8(2)

2010-06-22 01:03 . 2001-08-18 02:36 87040 -c--a-w- c:\windows\system32\dllcache\wiafbdrv.dll

2010-06-22 01:02 . 2001-08-17 17:48 11520 -c--a-w- c:\windows\system32\dllcache\twotrack.sys

2010-06-22 01:01 . 2001-08-17 16:51 58368 -c--a-w- c:\windows\system32\dllcache\smiminib.sys

2010-06-22 01:00 . 2008-04-14 00:12 29696 -c--a-w- c:\windows\system32\dllcache\rw450ext.dll

2010-06-22 01:00 . 2008-04-14 00:12 27648 -c--a-w- c:\windows\system32\dllcache\rw430ext.dll

2010-06-22 01:00 . 2004-08-04 02:31 20992 -c--a-w- c:\windows\system32\dllcache\rtl8139.sys

2010-06-22 01:00 . 2001-08-17 16:12 19017 -c--a-w- c:\windows\system32\dllcache\rtl8029.sys

2010-06-22 01:00 . 2001-08-17 16:19 30720 -c--a-w- c:\windows\system32\dllcache\rthwcls.sys

2010-06-22 01:00 . 2001-08-18 02:36 9216 -c--a-w- c:\windows\system32\dllcache\rsmgrstr.dll

2010-06-22 01:00 . 2001-08-17 16:19 3840 -c--a-w- c:\windows\system32\dllcache\rpfun.sys

2010-06-22 01:00 . 2008-04-13 18:40 79104 -c--a-w- c:\windows\system32\dllcache\rocket.sys

2010-06-22 01:00 . 2001-08-18 02:36 86097 -c--a-w- c:\windows\system32\dllcache\reslog32.dll

2010-06-22 01:00 . 2001-08-17 16:12 37563 -c--a-w- c:\windows\system32\dllcache\rlnet5.sys

2010-06-22 01:00 . 2001-08-17 17:51 19584 -c--a-w- c:\windows\system32\dllcache\rasirda.sys

2010-06-22 00:58 . 2001-08-17 16:49 51552 -c--a-w- c:\windows\system32\dllcache\ntgrip.sys

2010-06-22 00:57 . 2008-04-13 18:46 51200 -c--a-w- c:\windows\system32\dllcache\msdv.sys

2010-06-22 00:57 . 2001-08-17 17:52 17280 -c--a-w- c:\windows\system32\dllcache\mraid35x.sys

2010-06-22 00:57 . 2008-04-13 18:46 15232 -c--a-w- c:\windows\system32\dllcache\mpe.sys

2010-06-22 00:57 . 2001-08-17 17:57 16128 -c--a-w- c:\windows\system32\dllcache\modemcsa.sys

2010-06-22 00:57 . 2001-08-17 17:52 6528 -c--a-w- c:\windows\system32\dllcache\miniqic.sys

2010-06-22 00:57 . 2001-08-17 18:56 235648 -c--a-w- c:\windows\system32\dllcache\mgaud.dll

2010-06-22 00:57 . 2001-08-17 16:50 320384 -c--a-w- c:\windows\system32\dllcache\mgaum.sys

2010-06-22 00:57 . 2008-04-13 18:41 26112 -c--a-w- c:\windows\system32\dllcache\memstpci.sys

2010-06-22 00:57 . 2001-08-18 02:36 47616 -c--a-w- c:\windows\system32\dllcache\memgrp.dll

2010-06-22 00:57 . 2001-08-17 17:58 8320 -c--a-w- c:\windows\system32\dllcache\memcard.sys

2010-06-22 00:57 . 2001-08-17 16:12 164586 -c--a-w- c:\windows\system32\dllcache\mdgndis5.sys

2010-06-22 00:57 . 2001-08-17 17:52 7424 -c--a-w- c:\windows\system32\dllcache\mammoth.sys

2010-06-22 00:48 . 2001-08-17 16:12 70730 -c--a-w- c:\windows\system32\dllcache\lne100tx.sys

2010-06-22 00:47 . 2001-08-18 02:36 372824 -c--a-w- c:\windows\system32\dllcache\iconf32.dll

2010-06-22 00:46 . 2001-08-18 02:36 92160 -c--a-w- c:\windows\system32\dllcache\fuusd.dll

2010-06-22 00:46 . 2001-08-17 16:15 455296 -c--a-w- c:\windows\system32\dllcache\fusbbase.sys

2010-06-22 00:46 . 2001-08-17 16:15 455680 -c--a-w- c:\windows\system32\dllcache\fus2base.sys

2010-06-22 00:46 . 2001-08-17 16:15 442240 -c--a-w- c:\windows\system32\dllcache\fpnpbase.sys

2010-06-22 00:46 . 2001-08-17 16:14 441728 -c--a-w- c:\windows\system32\dllcache\fpcmbase.sys

2010-06-22 00:46 . 2001-08-17 16:14 444416 -c--a-w- c:\windows\system32\dllcache\fpcibase.sys

2010-06-22 00:46 . 2004-08-04 02:31 34173 -c--a-w- c:\windows\system32\dllcache\forehe.sys

2010-06-22 00:46 . 2001-08-18 02:36 71680 -c--a-w- c:\windows\system32\dllcache\fnfilter.dll

2010-06-22 00:46 . 2001-08-17 16:13 27165 -c--a-w- c:\windows\system32\dllcache\fetnd5.sys

2010-06-22 00:46 . 2001-08-17 16:10 22090 -c--a-w- c:\windows\system32\dllcache\fem556n5.sys

2010-06-22 00:42 . 2001-08-18 02:36 614429 -c--a-w- c:\windows\system32\dllcache\digiview.exe

2010-06-22 00:41 . 2001-08-17 18:04 171264 -c--a-w- c:\windows\system32\dllcache\camdrv30.sys

2010-06-10 13:55 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

2010-06-02 17:49 . 2010-06-02 17:49 242896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys

2010-06-02 17:49 . 2010-06-02 17:49 29512 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-01 00:02 . 2006-12-21 15:23 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-06-29 22:05 . 2009-06-13 22:20 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic

2010-06-29 22:05 . 2009-06-13 22:20 -------- d-----w- c:\documents and settings\All Users\Application Data\DriverCure

2010-06-26 17:42 . 2004-10-02 13:20 165912 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-06-26 14:29 . 2009-11-27 17:13 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

2010-06-26 00:32 . 2004-10-02 12:47 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-06-26 00:32 . 2007-06-19 21:48 -------- d-----w- c:\program files\Trend Micro

2010-06-26 00:28 . 2004-10-06 00:05 -------- d-----w- c:\program files\hp deskjet 970c series

2010-06-26 00:18 . 2009-06-13 21:18 -------- d-----w- c:\documents and settings\All Users\Application Data\RegCure

2010-06-26 00:17 . 2004-10-04 15:46 -------- d-----w- c:\program files\Ahead

2010-06-21 23:54 . 2007-08-29 19:48 -------- d--h--r- c:\documents and settings\Administrator\Application Data\yahoo!

2010-06-21 23:54 . 2007-08-28 03:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!

2010-06-02 17:49 . 2009-03-28 00:07 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-06-02 17:49 . 2009-03-28 00:07 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2010-05-28 16:05 . 2009-12-04 00:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-06 10:41 . 2003-03-31 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-02 05:22 . 2003-03-31 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-29 19:39 . 2009-12-04 00:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 19:39 . 2009-12-04 00:03 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-20 05:30 . 2003-03-31 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Panasonic Device Monitor Wakeup"="c:\program files\Panasonic\Device Monitor\dmwakeup.exe" [2006-11-02 303104]

"Panasonic Device Manager for Multi-Function Station software"="c:\program files\Panasonic\MFStation\PCCMFSDM.exe" [2007-05-21 126976]

"Panasonic PCFAX for Multi-Function Station software"="c:\program files\Panasonic\MFStation\KmPcFax.exe" [2007-08-28 757760]

"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-06-02 2065248]

"SoundMan"="SOUNDMAN.EXE" [2008-08-19 77824]

"AlcWzrd"="ALCWZRD.EXE" [2008-06-19 2808832]

"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe" [2007-01-31 1129232]

"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageWorkstation\TimounterMonitor.exe" [2007-01-31 1862112]

"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-01-31 140832]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-03-15 13:40 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]

2008-06-19 21:42 2808832 ----a-w- c:\windows\ALCWZRD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]

2004-03-17 19:10 61952 ------w- c:\windows\system32\Hdaudpropshortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPWOTOOLBOX]

2006-11-03 19:01 352256 ----a-w- c:\program files\HP\HP Officejet Pro K850 Series\Toolbox\HPWOTBX.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OSSelectorReinstall]

2007-02-22 23:53 2209224 ----a-w- c:\program files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Panasonic Device Manager for Multi-Function Station software]

2007-05-21 16:46 126976 ----a-w- c:\program files\Panasonic\MFStation\PCCMFSDM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Panasonic Device Monitor Wakeup]

2006-11-02 18:54 303104 ----a-w- c:\program files\Panasonic\Device Monitor\DMWakeup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Panasonic PCFAX for Multi-Function Station software]

2007-08-28 19:04 757760 ----a-w- c:\program files\Panasonic\MFStation\KmPcFax.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]

2004-05-12 20:04 196608 ----a-w- c:\progra~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2007-06-29 10:24 286720 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

2007-08-31 03:58 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]

2006-03-30 20:45 313472 ----a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"WMPNetworkSvc"=3 (0x3)

"WinDefend"=2 (0x2)

"ThreatFire"=3 (0x3)

"sdCoreService"=2 (0x2)

"sdAuxService"=2 (0x2)

"Panasonic Trap Monitor Service"=2 (0x2)

"Panasonic Local Printer Service"=2 (0x2)

"ose"=3 (0x3)

"JavaQuickStarterService"=3 (0x3)

"gusvc"=3 (0x3)

"C-DillaCdaC11BA"=2 (0x2)

"AVGEMS"=2 (0x2)

"Avg7UpdSvc"=2 (0x2)

"Avg7Alrt"=2 (0x2)

"ATI Smart"=2 (0x2)

"APC UPS Service"=2 (0x2)

"AcrSch2Svc"=2 (0x2)

"aawservice"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [12/6/2009 3:08 PM 28552]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/27/2009 8:07 PM 216200]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/27/2009 8:07 PM 242896]

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/15/2010 9:40 AM 308064]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/3/2009 8:03 PM 304464]

R2 Panasonic Local Printer Service;Panasonic Local Printer Service;c:\progra~1\PANASO~1\LocalCom\lmsrvnt.exe [8/13/2009 12:01 PM 36864]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/3/2009 8:03 PM 20952]

R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [12/3/2009 6:35 PM 206608]

S2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32mpcoinst,serviceStartProc --> RUNDLL32.EXE ykx32mpcoinst,serviceStartProc [?]

S3 CryptSvcFastUserSwitchingCompatibility;CryptSvcFastUserSwitchingCompatibility; [x]

S3 GAGPDrv;GAGPDrv; [x]

S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [12/3/2009 6:35 PM 206608]

.

Contents of the 'Scheduled Tasks' folder

.

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

uStart Page = hxxp://www.comcast.net/a/

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uInternet Settings,ProxyOverride = <local>

Trusted Zone: comcast.net\www

FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\su9gakqb.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net/home.html

FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll

---- FIREFOX POLICIES ----

FF - user.js: yahoo.ytff.general.dontshowhpoffer - true

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

.

.

------- File Associations -------

.

.scr=AutoCADScriptFile

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-07-01 12:14

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1614895754-1004336348-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e6,32,5f,78,0b,6b,4f,4d,a4,2c,3e,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e6,32,5f,78,0b,6b,4f,4d,a4,2c,3e,\

[HKEY_USERS\S-1-5-21-1614895754-1004336348-682003330-500\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(580)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(636)

c:\windows\system32\relog_ap.dll

.

Completion time: 2010-07-01 12:18:41

ComboFix-quarantined-files.txt 2010-07-01 16:18

ComboFix2.txt 2009-12-05 17:24

Pre-Run: 209,749,344,256 bytes free

Post-Run: 209,919,930,368 bytes free

- - End Of File - - D83AE397FA2AD3D619EA6A312850597E


Hello again,

No worries we'll get it up and running as fast as possible :)

You had indeed a nasty rootkit on board. Please consider the following information first.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and cleaned, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

CF-SCRIPT

-------------

We need to execute a CF-script.

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>

Save this as CFScript.txt, in the same location as ComboFix.exe

[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Please let me also know how things are running now and what problems you still have left.

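The CF-script above targets one concrete indicator from the first ComboFix log: a WinINet ProxyServer value pointing at 127.0.0.1:5555, which sends every browser request through a process on the local machine. As an added example (not ComboFix's code and not posted by anyone in this thread), the following Python script triages a ComboFix-style log for the indicator types seen in this thread: a system file reported as patched and disinfected, a proxy setting aimed at the loopback address, and service entries with no file path (the ones ComboFix prints with a trailing [x]). The sample log is constructed to mirror the excerpts above, and the line patterns are assumptions about the log format.

```python
"""Triage a ComboFix-style log for the indicators discussed in this thread.

Added example: this is not ComboFix's own code and was not posted in the
thread. The sample log is constructed to mirror the excerpts above, and the
line patterns are assumptions about the log format.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample, modelled on the ComboFix excerpts in this thread.
SAMPLE_LOG = r"""
Infected copy of c:\windows\system32\drivers\tcpip.sys was found and disinfected
Restored copy from - Kitty had a snack :)
uStart Page = hxxp://www.comcast.net/a/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
S3 CryptSvcFastUserSwitchingCompatibility;CryptSvcFastUserSwitchingCompatibility; [x]
S3 GAGPDrv;GAGPDrv; [x]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/3/2009 8:03 PM 304464]
"""

# Line shapes taken from the log format seen in the thread (assumed stable).
DISINFECTED = re.compile(r"^Infected copy of (?P<path>.+?) was found and disinfected$")
PROXY = re.compile(r"^[um]?Internet Settings,ProxyServer = (?P<value>.+)$")
MISSING_SVC = re.compile(r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*); \[x\]$")


@dataclass
class Finding:
    kind: str    # patched_system_file | loopback_proxy | service_missing_binary
    detail: str


def proxy_targets(value: str) -> List[Tuple[str, str, str]]:
    """Split a WinINet ProxyServer value into (scheme, host, port) tuples.

    Accepts both the per-scheme form 'http=host:port;https=host:port' and the
    single 'host:port' form; a missing scheme is reported as '*'.
    """
    targets = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")   # no '=' -> scheme is ''
        host, _, port = hostport.rpartition(":")     # no ':' -> host is ''
        targets.append((scheme or "*", host or hostport, port))
    return targets


def is_loopback(host: str) -> bool:
    """True for hosts that route browser traffic through a local process."""
    host = host.lower()
    return host == "localhost" or host.startswith("127.")


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per indicator line; unrelated lines are ignored."""
    findings = []
    for line in log_text.splitlines():
        line = line.rstrip()
        m = DISINFECTED.match(line)
        if m:
            findings.append(Finding("patched_system_file", m.group("path")))
            continue
        m = PROXY.match(line)
        if m:
            for scheme, host, port in proxy_targets(m.group("value")):
                if is_loopback(host):
                    findings.append(Finding("loopback_proxy", f"{scheme} -> {host}:{port}"))
            continue
        m = MISSING_SVC.match(line)
        if m:
            findings.append(Finding("service_missing_binary", m.group("name")))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:24} {f.detail}")
```

Run it against a saved C:\ComboFix.txt by reading the file into `triage()` instead of `SAMPLE_LOG`. A loopback proxy finding is the one to act on first, since it explains redirects that survive an AV scan; the [x] service entries are only a prompt to check whether the named service was ever legitimate, not proof of infection on their own.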

Thanks Elise,

So far everything is looking much better. The machine runs crisply again, Win Firewall is operational and running again, I believe Windows Auto Update is working again. Also, this is the first I have been able to reply to the forum using the infected machine, so that apparently is fixed.

I read all of the links you included regarding back doors, and I appreciate your professionalism and concern. The only online banking we do is paying CC bills, and I logged into each (using my wife's clean machine) and there have been no unrecognized transactions, but I did change our passwords to all. Although I HAVE paid the CC bills from this machine in the past, those are now paid with the other PC, which is clean. Other than that, this machine is used primarily as a CAD workstation and does not contain any info that would be valuable to anyone else. That said, I am going to say we need to go ahead and finish the cleaning as best as is possible. A format and re-install is pretty much out of the question on this machine; it has a lot of obsolete software that I cannot replace, and the disks were long lost...

I do have one new problem, that of the Generic Process Host error that shows up on every reboot. The attached JPG is a screenshot of that error window.

Below is the most recent ComboFix log. I'm here for several hours yet, so if we need to do more, please post instructions asap.

Thank you!

Slider51

--------------

ComboFix 10-07-01.02 - Administrator 07/01/2010 14:33:48.4.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.486 [GMT -4:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

Infected copy of c:\windows\system32\userinit.exe was found and disinfected

Restored copy from - c:\windows\ERDNT\cache\userinit.exe

.

((((((((((((((((((((((((( Files Created from 2010-06-01 to 2010-07-01 )))))))))))))))))))))))))))))))

.

2010-06-27 00:42 . 2010-07-01 15:44 -------- d-----w- c:\windows\system32\NtmsData

2010-06-24 15:28 . 2010-06-24 15:28 -------- d-----w- c:\windows\system32\wbem\Repository

2010-06-24 15:27 . 2010-06-24 15:28 -------- d--h--w- c:\windows\ie8

2010-06-24 15:11 . 2010-06-24 15:27 -------- dc----w- c:\windows\ie8(2)

2010-06-22 01:03 . 2001-08-18 02:36 87040 -c--a-w- c:\windows\system32\dllcache\wiafbdrv.dll

2010-06-22 01:02 . 2001-08-17 17:48 11520 -c--a-w- c:\windows\system32\dllcache\twotrack.sys

2010-06-22 01:01 . 2001-08-17 16:51 58368 -c--a-w- c:\windows\system32\dllcache\smiminib.sys

2010-06-22 01:00 . 2008-04-14 00:12 29696 -c--a-w- c:\windows\system32\dllcache\rw450ext.dll

2010-06-22 01:00 . 2008-04-14 00:12 27648 -c--a-w- c:\windows\system32\dllcache\rw430ext.dll

2010-06-22 01:00 . 2004-08-04 02:31 20992 -c--a-w- c:\windows\system32\dllcache\rtl8139.sys

2010-06-22 01:00 . 2001-08-17 16:12 19017 -c--a-w- c:\windows\system32\dllcache\rtl8029.sys

2010-06-22 01:00 . 2001-08-17 16:19 30720 -c--a-w- c:\windows\system32\dllcache\rthwcls.sys

2010-06-22 01:00 . 2001-08-18 02:36 9216 -c--a-w- c:\windows\system32\dllcache\rsmgrstr.dll

2010-06-22 01:00 . 2001-08-17 16:19 3840 -c--a-w- c:\windows\system32\dllcache\rpfun.sys

2010-06-22 01:00 . 2008-04-13 18:40 79104 -c--a-w- c:\windows\system32\dllcache\rocket.sys

2010-06-22 01:00 . 2001-08-18 02:36 86097 -c--a-w- c:\windows\system32\dllcache\reslog32.dll

2010-06-22 01:00 . 2001-08-17 16:12 37563 -c--a-w- c:\windows\system32\dllcache\rlnet5.sys

2010-06-22 01:00 . 2001-08-17 17:51 19584 -c--a-w- c:\windows\system32\dllcache\rasirda.sys

2010-06-22 00:58 . 2001-08-17 16:49 51552 -c--a-w- c:\windows\system32\dllcache\ntgrip.sys

2010-06-22 00:57 . 2008-04-13 18:46 51200 -c--a-w- c:\windows\system32\dllcache\msdv.sys

2010-06-22 00:57 . 2001-08-17 17:52 17280 -c--a-w- c:\windows\system32\dllcache\mraid35x.sys

2010-06-22 00:57 . 2008-04-13 18:46 15232 -c--a-w- c:\windows\system32\dllcache\mpe.sys

2010-06-22 00:57 . 2001-08-17 17:57 16128 -c--a-w- c:\windows\system32\dllcache\modemcsa.sys

2010-06-22 00:57 . 2001-08-17 17:52 6528 -c--a-w- c:\windows\system32\dllcache\miniqic.sys

2010-06-22 00:57 . 2001-08-17 18:56 235648 -c--a-w- c:\windows\system32\dllcache\mgaud.dll

2010-06-22 00:57 . 2001-08-17 16:50 320384 -c--a-w- c:\windows\system32\dllcache\mgaum.sys

2010-06-22 00:57 . 2008-04-13 18:41 26112 -c--a-w- c:\windows\system32\dllcache\memstpci.sys

2010-06-22 00:57 . 2001-08-18 02:36 47616 -c--a-w- c:\windows\system32\dllcache\memgrp.dll

2010-06-22 00:57 . 2001-08-17 17:58 8320 -c--a-w- c:\windows\system32\dllcache\memcard.sys

2010-06-22 00:57 . 2001-08-17 16:12 164586 -c--a-w- c:\windows\system32\dllcache\mdgndis5.sys

2010-06-22 00:57 . 2001-08-17 17:52 7424 -c--a-w- c:\windows\system32\dllcache\mammoth.sys

2010-06-22 00:48 . 2001-08-17 16:12 70730 -c--a-w- c:\windows\system32\dllcache\lne100tx.sys

2010-06-22 00:47 . 2001-08-18 02:36 372824 -c--a-w- c:\windows\system32\dllcache\iconf32.dll

2010-06-22 00:46 . 2001-08-18 02:36 92160 -c--a-w- c:\windows\system32\dllcache\fuusd.dll

2010-06-22 00:46 . 2001-08-17 16:15 455296 -c--a-w- c:\windows\system32\dllcache\fusbbase.sys

2010-06-22 00:46 . 2001-08-17 16:15 455680 -c--a-w- c:\windows\system32\dllcache\fus2base.sys

2010-06-22 00:46 . 2001-08-17 16:15 442240 -c--a-w- c:\windows\system32\dllcache\fpnpbase.sys

2010-06-22 00:46 . 2001-08-17 16:14 441728 -c--a-w- c:\windows\system32\dllcache\fpcmbase.sys

2010-06-22 00:46 . 2001-08-17 16:14 444416 -c--a-w- c:\windows\system32\dllcache\fpcibase.sys

2010-06-22 00:46 . 2004-08-04 02:31 34173 -c--a-w- c:\windows\system32\dllcache\forehe.sys

2010-06-22 00:46 . 2001-08-18 02:36 71680 -c--a-w- c:\windows\system32\dllcache\fnfilter.dll

2010-06-22 00:46 . 2001-08-17 16:13 27165 -c--a-w- c:\windows\system32\dllcache\fetnd5.sys

2010-06-22 00:46 . 2001-08-17 16:10 22090 -c--a-w- c:\windows\system32\dllcache\fem556n5.sys

2010-06-22 00:42 . 2001-08-18 02:36 614429 -c--a-w- c:\windows\system32\dllcache\digiview.exe

2010-06-22 00:41 . 2001-08-17 18:04 171264 -c--a-w- c:\windows\system32\dllcache\camdrv30.sys

2010-06-10 13:55 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-01 18:15 . 2004-10-02 13:20 165912 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-07-01 00:02 . 2006-12-21 15:23 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-06-29 22:05 . 2009-06-13 22:20 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic

2010-06-29 22:05 . 2009-06-13 22:20 -------- d-----w- c:\documents and settings\All Users\Application Data\DriverCure

2010-06-26 14:29 . 2009-11-27 17:13 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

2010-06-26 00:32 . 2004-10-02 12:47 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-06-26 00:32 . 2007-06-19 21:48 -------- d-----w- c:\program files\Trend Micro

2010-06-26 00:28 . 2004-10-06 00:05 -------- d-----w- c:\program files\hp deskjet 970c series

2010-06-26 00:18 . 2009-06-13 21:18 -------- d-----w- c:\documents and settings\All Users\Application Data\RegCure

2010-06-26 00:17 . 2004-10-04 15:46 -------- d-----w- c:\program files\Ahead

2010-06-21 23:54 . 2007-08-29 19:48 -------- d--h--r- c:\documents and settings\Administrator\Application Data\yahoo!

2010-06-21 23:54 . 2007-08-28 03:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!

2010-06-02 17:49 . 2010-06-02 17:49 242896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys

2010-06-02 17:49 . 2010-06-02 17:49 29512 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys

2010-06-02 17:49 . 2009-03-28 00:07 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-06-02 17:49 . 2009-03-28 00:07 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2010-05-28 16:05 . 2009-12-04 00:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-06 10:41 . 2003-03-31 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-02 05:22 . 2003-03-31 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-29 19:39 . 2009-12-04 00:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 19:39 . 2009-12-04 00:03 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-20 05:30 . 2003-03-31 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Panasonic Device Monitor Wakeup"="c:\program files\Panasonic\Device Monitor\dmwakeup.exe" [2006-11-02 303104]

"Panasonic Device Manager for Multi-Function Station software"="c:\program files\Panasonic\MFStation\PCCMFSDM.exe" [2007-05-21 126976]

"Panasonic PCFAX for Multi-Function Station software"="c:\program files\Panasonic\MFStation\KmPcFax.exe" [2007-08-28 757760]

"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-06-02 2065248]

"SoundMan"="SOUNDMAN.EXE" [2008-08-19 77824]

"AlcWzrd"="ALCWZRD.EXE" [2008-06-19 2808832]

"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe" [2007-01-31 1129232]

"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageWorkstation\TimounterMonitor.exe" [2007-01-31 1862112]

"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-01-31 140832]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-03-15 13:40 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]

2008-06-19 21:42 2808832 ----a-w- c:\windows\ALCWZRD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]

2004-03-17 19:10 61952 ------w- c:\windows\system32\Hdaudpropshortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPWOTOOLBOX]

2006-11-03 19:01 352256 ----a-w- c:\program files\HP\HP Officejet Pro K850 Series\Toolbox\HPWOTBX.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OSSelectorReinstall]

2007-02-22 23:53 2209224 ----a-w- c:\program files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Panasonic Device Manager for Multi-Function Station software]

2007-05-21 16:46 126976 ----a-w- c:\program files\Panasonic\MFStation\PCCMFSDM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Panasonic Device Monitor Wakeup]

2006-11-02 18:54 303104 ----a-w- c:\program files\Panasonic\Device Monitor\DMWakeup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Panasonic PCFAX for Multi-Function Station software]

2007-08-28 19:04 757760 ----a-w- c:\program files\Panasonic\MFStation\KmPcFax.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]

2004-05-12 20:04 196608 ----a-w- c:\progra~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2007-06-29 10:24 286720 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

2007-08-31 03:58 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]

2006-03-30 20:45 313472 ----a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"WMPNetworkSvc"=3 (0x3)

"WinDefend"=2 (0x2)

"ThreatFire"=3 (0x3)

"sdCoreService"=2 (0x2)

"sdAuxService"=2 (0x2)

"Panasonic Trap Monitor Service"=2 (0x2)

"Panasonic Local Printer Service"=2 (0x2)

"ose"=3 (0x3)

"JavaQuickStarterService"=3 (0x3)

"gusvc"=3 (0x3)

"C-DillaCdaC11BA"=2 (0x2)

"AVGEMS"=2 (0x2)

"Avg7UpdSvc"=2 (0x2)

"Avg7Alrt"=2 (0x2)

"ATI Smart"=2 (0x2)

"APC UPS Service"=2 (0x2)

"AcrSch2Svc"=2 (0x2)

"aawservice"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [12/6/2009 3:08 PM 28552]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/27/2009 8:07 PM 216200]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/27/2009 8:07 PM 242896]

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/15/2010 9:40 AM 308064]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/3/2009 8:03 PM 304464]

R2 Panasonic Local Printer Service;Panasonic Local Printer Service;c:\progra~1\PANASO~1\LocalCom\lmsrvnt.exe [8/13/2009 12:01 PM 36864]

R2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32mpcoinst,serviceStartProc --> RUNDLL32.EXE ykx32mpcoinst,serviceStartProc [?]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/3/2009 8:03 PM 20952]

R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [12/3/2009 6:35 PM 206608]

S3 CryptSvcFastUserSwitchingCompatibility;CryptSvcFastUserSwitchingCompatibility; [x]

S3 GAGPDrv;GAGPDrv; [x]

S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [12/3/2009 6:35 PM 206608]

.

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

uStart Page = hxxp://www.comcast.net/a/

Trusted Zone: comcast.net\www

FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\su9gakqb.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net/home.html

FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll

---- FIREFOX POLICIES ----

FF - user.js: yahoo.ytff.general.dontshowhpoffer - truec:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-07-01 14:45

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1614895754-1004336348-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e6,32,5f,78,0b,6b,4f,4d,a4,2c,3e,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e6,32,5f,78,0b,6b,4f,4d,a4,2c,3e,\

[HKEY_USERS\S-1-5-21-1614895754-1004336348-682003330-500\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(592)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(648)

c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(2564)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\AVG\AVG9\avgchsvx.exe

c:\program files\AVG\AVG9\avgrsx.exe

c:\program files\AVG\AVG9\avgcsrvx.exe

c:\program files\Common Files\Acronis\Schedule2\schedul2.exe

c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\progra~1\PANASO~1\TRAPMO~1\Trapmnnt.exe

c:\windows\system32\RUNDLL32.EXE

c:\program files\AVG\AVG9\avgnsx.exe

c:\windows\system32\wscntfy.exe

c:\windows\SOUNDMAN.EXE

.

**************************************************************************

.

Completion time: 2010-07-01 14:54:14 - machine was rebooted

ComboFix-quarantined-files.txt 2010-07-01 18:54

ComboFix2.txt 2010-07-01 16:18

ComboFix3.txt 2009-12-05 17:24

Pre-Run: 209,852,575,744 bytes free

Post-Run: 209,845,751,808 bytes free

- - End Of File - - 876B0A7355971707785FF134B5A258A0


Sorry, I neglected to attach the screen shot of the error window. It is attached to this message.

ACCCKK!!! :) I need to slow down and THINK before posting...that attachment is just the Combofix Log all over again...Sorry...HERE is the correct screenshot of the Windows error....

post-45303-1278013195_thumb.jpg


Surely Elise,

Sorry I was away this morning - I'll be here now for several hours...

Here is the "Extras" scan - I also saved the OTL scan log if you need it. I am very curious - are the first four error scans listed as error 1007 related to the remote attacks? A remnant of when the machine was accessed through a back door?

__________________________________________

OTL Extras logfile created on: 7/2/2010 2:23:40 PM - Run 3

OTL by OldTimer - Version 3.2.7.0 Folder = C:\Documents and Settings\Administrator\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 558.00 Mb Available Physical Memory | 55.00% Memory free

2.00 Gb Paging File | 2.00 Gb Available in Paging File | 84.00% Paging File free

Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 232.88 Gb Total Space | 195.37 Gb Free Space | 83.89% Space Free | Partition Type: NTFS

Drive D: | 232.88 Gb Total Space | 121.34 Gb Free Space | 52.10% Space Free | Partition Type: NTFS

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: MJ-STATION1

Current User Name: Administrator

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_USERS\S-1-5-21-1614895754-1004336348-682003330-500\SOFTWARE\Classes\<extension>]

.exe [@ = exefile] -- Reg Error: Key error. File not found

.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

exefile [open] -- "%1" %*

htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)

htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"AntiVirusOverride" = 0

"FirewallOverride" = 0

"AntiVirusDisableNotify" = 0

"FirewallDisableNotify" = 0

"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 1

"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel

"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer

"{1A3E23D7-7A1E-43EC-B35D-EB8A31BED943}" = FinalBurner Free v1.23.0.113

"{1E04F83B-2AB9-4301-9EF7-E86307F79C72}" = Google Earth

"{2300EE96-0A41-4FAB-BD03-989EC44577A0}" = Acronis


Please click Start > Run, type chkdsk /r in the runbox and press enter.

When asked, type Y to schedule the disk check for the next boot. Reboot your computer and let the disk check run unhindered.

Note - based on your disk size, this may take a while.


Thanks, Elise...

I am going to have to run chkdsk overnight - I need to use the machine for a few hours yet, but I will post the results in the morning, USA EST.

I should make you aware I have a second identical 250Gb hard disk as a D: drive on this machine - it is used only as a storage disk for Acronis backups. I have not run any of the scans on the D: drive up to this point as I have several full backups of the C drive stored on there (not incremental, full backups). I suppose the possibility is good that one or more of those backups may be infected also, although I have scanned them in the past with AVG and MBAM. Do you see any need to work on the D drive as well? I realize if I have a crash and need to mount one of the backups, I'll have any infections that may be present on the disk, but if none of my software calls anything from D: or saves to D:, are they not isolated enough to not worry about on a day to day basis?

Thank you very much for all your help so far, what you do is amazing and way beyond my capabilities!


The best thing would be to leave the backup drive as it is for now and to create a new backup once you are all cleaned up. That way you know for sure it's clean as well.

It's not very reliable to scan this kind of backup and it's better to be safe than sorry.


Elise,

I ran chkdsk last night. I cannot recall, does chkdsk produce a log or results page? This morning the PC had either finished starting up after the scan or had rebooted. I guess I expected to see a "scan complete" screen or something like that, with results shown. I checked the C: directory but found no "fileXXX" files. I was not able to monitor the process, but it looks to me as if the scan did not complete itself.

In any case, the GHP Error is still there. Waiting for instructions....

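On the question of whether chkdsk leaves a results page: a boot-time `chkdsk /r` (run by autochk before Windows starts) writes no file to C:\; on Windows XP it records its output in the Application event log as Event ID 1001 from source Winlogon. The script below is an added example, not part of this thread or of any tool mentioned in it. It assumes Windows PowerShell 2.0 (available for XP SP3) run as an administrator, and the standard chkdsk summary phrases; the Wininit source is included for Vista and later, where the same event moves there.

```powershell
# Added example: confirm that a scheduled "chkdsk /r" actually ran at boot
# and read its result. Assumes Windows PowerShell 2.0 on XP SP3, run as
# an administrator. The boot-time check (autochk) logs its output to the
# Application event log: source "Winlogon" on XP/2003, "Wininit" on
# Vista and later, Event ID 1001 in both cases.

$sources = @("Winlogon", "Wininit")

# Pull the most recent Application events and keep only autochk results.
$results = Get-EventLog -LogName Application -Newest 2000 |
    Where-Object { $_.EventID -eq 1001 -and $sources -contains $_.Source } |
    Sort-Object TimeGenerated -Descending

if (-not $results) {
    # No 1001 event means the check never ran to completion (interrupted,
    # or the countdown was cancelled). The volume's dirty bit tells whether
    # a check is still pending; chkdsk /r reschedules it for the next boot.
    Write-Host "No boot-time chkdsk result found; the scheduled check did not complete."
    Write-Host "Run:  fsutil dirty query C:     then reschedule with:  chkdsk C: /r"
    exit 1
}

$latest = $results | Select-Object -First 1
Write-Host ("Last boot-time chkdsk: {0}" -f $latest.TimeGenerated)
Write-Host $latest.Message

# Interpret the standard summary lines chkdsk prints at the end of a run.
if ($latest.Message -match "Windows has made corrections to the file system") {
    Write-Host "Corrections were made; run chkdsk /r again until it reports no problems."
} elseif ($latest.Message -match "Windows has checked the file system and found no problems") {
    Write-Host "File system checked clean."
} else {
    Write-Host "Summary line not recognised; read the full message above."
}
```

Run it from a PowerShell prompt after the reboot that followed the scheduled check; the full event message is the same text chkdsk would have shown on the console, including the bad-sector count that `/r` adds.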

This is a very general error, that's why it's very hard to pinpoint its cause.

Please try this: Click Start > Run, type sfc /scannow and press enter.

Allow the System File Checker to run unhindered. Note - you might be prompted for your XP CD.

Make also sure you have all latest priority updates for XP installed.


post-45303-1278186466_thumb.jpg

Done, however - at the end of the download when I ran the fix, I got this message.

I have Googled this problem and I see several fixes out there, but all are from 2005-6-7 and are for XP SP2, of course I'm running SP3.

I did find a third party fix but am hesitant to try it...it's here: http://hubpages.com/hub/How-to-Fix-Generic...-needs-to-close


You can try that, but first make a backup of your registry, just in case... I don't know if this fix will work, but it does nothing malicious and with a backup we know for sure we can revert the changes in case something goes wrong.

BACKUP THE REGISTRY

---------------------------

Backup Your Registry with ERUNT

  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.

Click Erunt.exe to backup your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe


Done, backed up the registry using Erunt, downloaded and ran the batch file, but the same problem still exists.

Elise, you have almost certainly rid my machine of anything dangerous. This is a Windows-based error that apparently is simply a nuisance. I have had the problem before, but I don't remember how I fixed it.

There are people here with very serious malware problems, and I hate to tie up your expertise when you could be helping them. Why don't we do this...leave the thread open and don't forget about me. When you have some extra time to look around or research a fix, I would still appreciate some help. Meantime I'll look around myself for more info and maybe give something I may find a try. I just hate to make someone else with a really serious problem wait on account of this small nuisance.

Thank you so much for restoring my machine back to good running condition. :P People like you are true lifesavers for a lot of us out here who are way over our heads when something happens that our AV and Malware solutions can't fix. Thanks to you and MBAM for this forum and the great help you've given me!

Slider


You are welcome Slider :P

If this problem started happening after the infection, it's possible the malware messed something up. What you can try ultimately is performing a repair installation of XP (see here for more information); this will leave all data intact, however you will have to reinstall all updates and service packs that are not included on your XP CD.

Please let me know if you have any more questions.
