
I thought it was a Win32 trojan and now I don't know what it is



Alright, I'm going to go ahead and say that I used ComboFix to delete these two files:

C:\DOCUME~1\JOEYWA~1\LOCALS~1\Temp\WERf203.dir00\svchost.exe.mdmp

C:\DOCUME~1\JOEYWA~1\LOCALS~1\Temp\WERf203.dir00\appcompat.txt

I have the log from ComboFix but I don't know how to post it up.

Here's a recent Hijack.txt:

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 4:17:00 PM, on 6/30/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe

C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\McAfee\Common Framework\udaterui.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\AIM6\aim6.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\Program Files\OpenOffice.org 3\program\soffice.exe

C:\Program Files\OpenOffice.org 3\program\soffice.bin

C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe

C:\WINDOWS\system32\mfevtps.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\rpcnet.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\Program Files\AIM6\aolsoftware.exe

C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe

C:\Program Files\McAfee\Common Framework\McTray.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe

C:\Program Files\Ant.com\IE add-on\AntUpdaterService.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Ant.com\IE add-on\AntMaintainer.exe

C:\Program Files\ESET\ESET Online Scanner\OnlineCmdLineScanner.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\hijackthis\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:1033

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Ant.com Toolbars browser helper (video detector) - {346FDE31-DFF9-418A-90C8-BA31DC9FF2EF} - C:\Program Files\Ant.com\IE add-on\Download.antplugin

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Ant.com Download Toolbar - {2E924F4F-67F0-4BD8-9560-49F468E843D2} - C:\Program Files\Ant.com\IE add-on\AntToolbar.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"

O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iDTSysTrayApp] sttray.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: OpenOffice.org 3.2.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe

O9 - Extra button: Download videos by Ant.com - {70AF6C9F-0818-4cf7-924A-BBDBB24211D3} - C:\Program Files\Ant.com\IE add-on\Download.antplugin

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1256273138421

O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Ant Toolbar updater service (AntUpdaterService) - Ant.com - C:\Program Files\Ant.com\IE add-on\AntUpdaterService.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: McAfee Engine Service (McAfeeEngineService) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe

O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe

O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe

O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\WINDOWS\system32\mfevtps.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Absolute Software Corp. - C:\WINDOWS\system32\rpcnet.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\WINDOWS\system32\STacSV.exe

O23 - Service: StarWind AE Service (StarWindServiceAE) - Unknown owner - E:\Alcohol 120\StarWind\StarWindServiceAE.exe (file missing)

O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--

End of file - 8794 bytes


Here is the ComboFix log from when it worked the second time.

ComboFix 10-06-29.02 - joey walters 06/29/2010 15:20:04.1.2 - x86 MINIMAL

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.827 [GMT -7:00]

Running from: c:\documents and settings\joey walters\Desktop\ComboFix.exe

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\drivers\1028_DELL_XPS_MP061 .MRK

c:\windows\system32\drivers\DELL_XPS_MP061 .MRK

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_FAD

-------\Legacy_XPROTECTOR

((((((((((((((((((((((((( Files Created from 2010-05-28 to 2010-06-29 )))))))))))))))))))))))))))))))

.

2010-06-29 21:43 . 2010-06-29 21:43 -------- d-----w- c:\windows\LastGood

2010-06-27 23:51 . 2010-06-27 23:51 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-06-27 22:07 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-27 22:06 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-27 14:28 . 2010-06-27 14:28 -------- d-----w- c:\documents and settings\joey walters\Local Settings\Application Data\WMTools Downloaded Files

2010-06-27 00:25 . 2010-06-27 00:25 388096 ----a-r- c:\documents and settings\joey walters\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-29 22:37 . 2009-08-08 00:24 17408 ----a-w- c:\windows\system32\rpcnetp.exe

2010-06-29 21:45 . 2010-05-05 11:58 -------- d-----w- c:\documents and settings\joey walters\Application Data\Research In Motion

2010-06-29 21:45 . 2010-01-15 04:21 -------- d-----w- c:\program files\Research In Motion

2010-06-29 20:26 . 2009-08-12 04:46 57752 ----a-w- c:\windows\system32\rpcnet.dll

2010-06-29 20:26 . 2009-12-21 00:35 183136 ----a-w- c:\windows\system32\drivers\sthdae.log

2010-06-29 15:00 . 2009-08-08 08:07 17408 ----a-w- c:\windows\system32\rpcnetp.dll

2010-06-28 17:35 . 2009-08-10 19:46 -------- d-----w- c:\documents and settings\joey walters\Application Data\vlc

2010-06-28 17:13 . 2009-08-10 19:46 -------- d-----w- c:\documents and settings\joey walters\Application Data\dvdcss

2010-06-27 22:07 . 2010-02-19 02:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-27 00:55 . 2010-02-14 03:14 13160 ----a-w- c:\windows\system32\Upgrd.exe

2010-06-27 00:55 . 2009-08-12 04:46 57752 ------w- c:\windows\system32\rpcnet.exe

2010-05-02 05:22 . 2004-08-04 10:00 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-27 18:40 . 2009-08-22 05:42 45648 ------w- c:\windows\system32\drivers\PxHelp20.sys

2010-04-27 18:40 . 2009-08-22 05:42 133616 ------w- c:\windows\system32\pxafs.dll

2010-04-27 18:40 . 2009-08-22 05:42 126448 -c----w- c:\windows\system32\pxinsi64.exe

2010-04-27 18:40 . 2009-08-22 05:42 123888 -c----w- c:\windows\system32\pxcpyi64.exe

2010-04-20 05:30 . 2004-08-04 10:00 285696 ----a-w- c:\windows\system32\atmfd.dll

2010-04-08 18:40 . 2010-04-08 18:40 1924976 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe

2010-04-01 02:34 . 2009-08-10 18:47 18496 ----a-w- c:\documents and settings\joey walters\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-10-14 13:48 . 2010-02-25 02:01 524288 ----a-w- c:\program files\Sakura.dll

2009-10-14 13:29 . 2010-02-25 02:01 532480 ----a-w- c:\program files\Sawer.dll

2009-10-14 13:13 . 2010-02-25 02:01 499712 ----a-w- c:\program files\PoiZone.dll

2009-10-14 13:09 . 2010-02-25 02:02 671744 ----a-w- c:\program files\Toxic Biohazard.dll

2009-09-26 14:14 . 2010-02-25 02:01 512000 ----a-w- c:\program files\Hardcore.dll

2009-05-29 12:02 . 2009-05-29 12:02 818176 ----a-w- c:\program files\FL Studio VSTi.dll

2009-05-29 12:01 . 2009-05-29 12:01 818176 ----a-w- c:\program files\FL Studio VSTi (Multi).dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Aim6"="c:\program files\AIM6\aim6.exe" [2009-07-09 49968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-31 138008]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-31 162584]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-31 138008]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]

"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-10-08 995328]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-10-08 1101824]

"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-09-29 124240]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

"IDTSysTrayApp"="sttray.exe" [2007-09-06 405504]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-16 141608]

"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2008-11-11 136512]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]

"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-06-03 1144104]

c:\documents and settings\joey walters\Start Menu\Programs\Startup\

OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-12-15 384000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"Midi1"=ma_cmidn.dll

"Midi2"=xgusb.cpl

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\engineserver.exe [9/29/2008 8:07 AM 19456]

S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [8/12/2009 2:47 PM 67904]

S2 rpcnetp;rpcnetp;c:\windows\system32\rpcnetp.exe [8/7/2009 5:24 PM 17408]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [8/12/2009 2:47 PM 64432]

S3 TASCAM_US122144;TASCAM USB 2.0 Audio Device driver;c:\windows\system32\drivers\tascusb2.sys [8/10/2009 1:12 PM 367616]

S3 TASCAM_US122L_MIDI;TASCAM US-122L WDM MIDI Device;c:\windows\system32\drivers\tscusb2m.sys [8/10/2009 1:12 PM 18944]

S3 TASCAM_US122L_WDM;TASCAM US-122L WDM;c:\windows\system32\drivers\tscusb2a.sys [8/10/2009 1:12 PM 33792]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [9/6/2009 3:55 PM 721904]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - RPCNETP

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyServer = http=127.0.0.1:1033

uInternet Settings,ProxyOverride = <local>

FF - ProfilePath - c:\documents and settings\joey walters\Application Data\Mozilla\Firefox\Profiles\9c5mt8ab.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/webhp?hl=en&tab=iw

FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

.

- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)

HKCU-Run-bhrtsbtr - c:\documents and settings\joey walters\local settings\application data\axfsmsntv\ispnyr.exe

HKCU-Run-AlcoholAutomount - e:\alcohol 120\axcmd.exe

HKLM-Run-bhrtsbtr - c:\documents and settings\joey walters\local settings\application data\axfsmsntv\ispnyr.exe

AddRemove-MagicDisc 2.7.106 - e:\progra~1\MAGICD~1\UNWISE.EXE

AddRemove-ProInst - c:\windows\Installer\iProInst.exe

AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-29 16:11

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\


  • Root Admin

Please delete your current copy of ComboFix, download a new, fresh copy and then run the following.

Combofix download

Using your mouse, highlight and then right-click | Copy the entire contents of the code box below, including blank lines.

Driver::

rpcnetp

File::

c:\windows\system32\rpcnetp.exe

DDS::

uInternet Settings,ProxyServer = http=127.0.0.1:1033

uInternet Settings,ProxyOverride = <local>

RegNull::

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\


ComboFix 10-07-06.05 - joey walters 07/07/2010 6:29.1.2 - x86 MINIMAL

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.792 [GMT -7:00]

Running from: G:\ComboFix.exe

Command switches used :: g:\docs\CFscript.txt.txt

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Outdated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::

"c:\windows\system32\rpcnetp.exe"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\rpcnetp.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_FAD

-------\Legacy_RPCNETP

-------\Legacy_XPROTECTOR

-------\Service_rpcnetp

((((((((((((((((((((((((( Files Created from 2010-06-07 to 2010-07-07 )))))))))))))))))))))))))))))))

.

2010-07-05 19:29 . 2010-07-05 19:29 -------- d-----w- c:\windows\system32\wbem\Repository

2010-06-27 23:51 . 2010-06-27 23:51 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-07 10:08 . 2009-08-12 04:46 57752 ----a-w- c:\windows\system32\rpcnet.dll

2010-07-07 10:07 . 2009-12-21 00:35 189732 ----a-w- c:\windows\system32\drivers\sthdae.log

2010-07-07 06:29 . 2009-08-10 19:46 -------- d-----w- c:\documents and settings\joey walters\Application Data\vlc

2010-07-05 19:29 . 2009-08-10 19:46 -------- d-----w- c:\documents and settings\joey walters\Application Data\dvdcss

2010-07-05 19:28 . 2010-07-05 19:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Research In Motion

2010-07-05 19:28 . 2010-07-05 19:28 -------- d-----w- c:\program files\Common Files\Roxio Shared

2010-07-05 19:28 . 2010-05-05 11:58 -------- d-----w- c:\documents and settings\joey walters\Application Data\Research In Motion

2010-07-05 19:28 . 2010-07-05 19:28 -------- d-----w- c:\program files\Common Files\Research In Motion

2010-07-05 19:28 . 2010-07-05 19:28 -------- d-----w- c:\program files\Hewlett-Packard

2010-07-05 19:28 . 2010-07-05 19:28 -------- d-----w- c:\program files\Common Files\HP

2010-07-05 19:27 . 2010-07-05 19:27 -------- d-----w- c:\program files\Common Files\Java

2010-07-05 19:27 . 2010-06-30 04:06 -------- d-----w- c:\program files\Common Files\Java(2)

2010-07-05 19:27 . 2010-06-30 04:18 -------- d-----w- c:\program files\ESET(2)

2010-07-01 16:51 . 2004-08-04 10:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys

2010-07-01 11:26 . 2009-08-30 03:36 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-06-30 23:06 . 2010-06-30 23:06 -------- d-----w- c:\program files\Ant.com

2010-06-29 21:45 . 2010-01-15 04:21 -------- d-----w- c:\program files\Research In Motion

2010-06-27 22:07 . 2010-02-19 02:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-26 23:08 . 2009-08-08 08:07 17408 ----a-w- c:\windows\system32\rpcnetp.dll

2010-05-02 05:22 . 2004-08-04 10:00 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-27 18:40 . 2009-08-22 05:42 45648 ------w- c:\windows\system32\drivers\PxHelp20.sys

2010-04-27 18:40 . 2009-08-22 05:42 133616 ------w- c:\windows\system32\pxafs.dll

2010-04-27 18:40 . 2009-08-22 05:42 126448 -c----w- c:\windows\system32\pxinsi64.exe

2010-04-27 18:40 . 2009-08-22 05:42 123888 -c----w- c:\windows\system32\pxcpyi64.exe

2010-04-20 05:30 . 2004-08-04 10:00 285696 ----a-w- c:\windows\system32\atmfd.dll

2010-04-08 18:40 . 2010-04-08 18:40 1924976 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe

2009-10-14 13:48 . 2010-02-25 02:01 524288 ----a-w- c:\program files\Sakura.dll

2009-10-14 13:29 . 2010-02-25 02:01 532480 ----a-w- c:\program files\Sawer.dll

2009-10-14 13:13 . 2010-02-25 02:01 499712 ----a-w- c:\program files\PoiZone.dll

2009-10-14 13:09 . 2010-02-25 02:02 671744 ----a-w- c:\program files\Toxic Biohazard.dll

2009-09-26 14:14 . 2010-02-25 02:01 512000 ----a-w- c:\program files\Hardcore.dll

2009-05-29 12:02 . 2009-05-29 12:02 818176 ----a-w- c:\program files\FL Studio VSTi.dll

2009-05-29 12:01 . 2009-05-29 12:01 818176 ----a-w- c:\program files\FL Studio VSTi (Multi).dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"bhrtsbtr"="c:\documents and settings\joey walters\local settings\application data\axfsmsntv\ispnyr.exe" [bU]

"Google Update"="c:\documents and settings\joey walters\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-01-25 136176]

"AlcoholAutomount"="e:\alcohol 120\axcmd.exe" [bU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-31 138008]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-31 162584]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-31 138008]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]

"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-10-08 995328]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-10-08 1101824]

"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-09-29 124240]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

"IDTSysTrayApp"="sttray.exe" [2007-09-06 405504]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-16 141608]

"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2008-11-11 136512]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]

"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-06-03 1144104]

"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2010-03-11 648536]

"bhrtsbtr"="c:\documents and settings\joey walters\local settings\application data\axfsmsntv\ispnyr.exe" [bU]

c:\documents and settings\joey walters\Start Menu\Programs\Startup\

OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-12-15 384000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"Midi1"=ma_cmidn.dll

"Midi2"=xgusb.cpl

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\engineserver.exe [9/29/2008 8:07 AM 19456]

S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [8/12/2009 2:47 PM 67904]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [8/12/2009 2:47 PM 64432]

S3 TASCAM_US122144;TASCAM USB 2.0 Audio Device driver;c:\windows\system32\drivers\tascusb2.sys [8/10/2009 1:12 PM 367616]

S3 TASCAM_US122L_MIDI;TASCAM US-122L WDM MIDI Device;c:\windows\system32\drivers\tscusb2m.sys [8/10/2009 1:12 PM 18944]

S3 TASCAM_US122L_WDM;TASCAM US-122L WDM;c:\windows\system32\drivers\tscusb2a.sys [8/10/2009 1:12 PM 33792]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [9/6/2009 3:55 PM 721904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

Contents of the 'Scheduled Tasks' folder

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Connection Wizard,ShellNext = iexplore

FF - ProfilePath - c:\documents and settings\joey walters\Application Data\Mozilla\Firefox\Profiles\9c5mt8ab.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

.

- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)

HKCU-Run-Aim6 - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-07-07 06:54

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\windows\system32\autochk(10).exe:BAK 22528 bytes executable

c:\windows\system32\autochk(3).exe:BAK 22528 bytes executable

c:\windows\system32\autochk(4).exe:BAK 22528 bytes executable

c:\windows\system32\autochk(6).exe:BAK 22528 bytes executable

c:\windows\system32\autochk(7).exe:BAK 22528 bytes executable

c:\windows\system32\autochk(8).exe:BAK 22528 bytes executable

c:\windows\system32\autochk(9).exe:BAK 22528 bytes executable

scan completed successfully

hidden files: 7

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\


  • Root Admin

Please uninstall the Alcohol software for now.

Here is a link to remove the SPTD driver: http://www.duplexsecure.com/en/faq

The logs show you're not running ComboFix from the correct location either.

Running from: G:\ComboFix.exe

Command switches used :: g:\docs\CFscript.txt.txt

Please move ComboFix.exe to c:\documents and settings\joey walters\desktop; that is also where CFscript.txt is supposed to be run from.

Also note that it is named wrong: CFscript.txt.txt. It should be CFscript.txt.

You also show that you have not disabled your Anti-Virus.

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled*

You did not install the Recovery Console as requested, please do so.

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

You need to please correct these items and follow the directions as posted or it is going to make it harder to fix your system.

You also have extra folders that should not exist in a normal install situation.

c:\program files\Common Files\Java(2)

c:\program files\ESET(2)

Once you've removed the SPTD and Disabled your Anti-Virus please download a new copy of CF and run it from the correct location and post back the new log. Also making sure to allow Combofix to install the Recovery Console.

Thank you.


  • Root Admin

Don't try to uninstall combofix, just move it to your Desktop. Then run the following.

STEP 01

Click on START - RUN and Copy/Paste the following into the Run line and click OK

CMD /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" /v Midi1 /t REG_SZ /d wdmaud.drv /f

Click on START - RUN and Copy/Paste the following into the Run line and click OK

CMD /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" /v Midi2 /t REG_SZ /d wdmaud.drv /f

STEP 02

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"bhrtsbtr"=-
"AlcoholAutomount"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"bhrtsbtr"=-
Driver::
sptd
File::
c:\documents and settings\joey walters\local settings\application data\axfsmsntv\ispnyr.exe
c:\windows\system32\drivers\sptd.sys
c:\windows\system32\autochk(10).exe
c:\windows\system32\autochk(3).exe
c:\windows\system32\autochk(4).exe
c:\windows\system32\autochk(6).exe
c:\windows\system32\autochk(7).exe
c:\windows\system32\autochk(8).exe
c:\windows\system32\autochk(9).exe

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt".

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon.


  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  • When the scan completes, Notepad will open with your results log. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.

STEP 03

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log


Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

7/9/2010 8:39:38 AM

mbam-log-2010-07-09 (08-39-38).txt

Scan type: Quick scan

Objects scanned: 125214

Time elapsed: 13 minute(s), 32 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

ComboFix 10-07-06.05 - joey walters 07/09/2010 4:53.4.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.514 [GMT -7:00]

Running from: c:\documents and settings\joey walters\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\joey walters\Desktop\CFscript.txt

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Outdated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::

"c:\documents and settings\joey walters\local settings\application data\axfsmsntv\ispnyr.exe"

"c:\windows\system32\autochk(10).exe"

"c:\windows\system32\autochk(3).exe"

"c:\windows\system32\autochk(4).exe"

"c:\windows\system32\autochk(6).exe"

"c:\windows\system32\autochk(7).exe"

"c:\windows\system32\autochk(8).exe"

"c:\windows\system32\autochk(9).exe"

"c:\windows\system32\drivers\sptd.sys"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\autochk(10).exe

c:\windows\system32\autochk(3).exe

c:\windows\system32\autochk(4).exe

c:\windows\system32\autochk(6).exe

c:\windows\system32\autochk(7).exe

c:\windows\system32\autochk(8).exe

c:\windows\system32\autochk(9).exe

c:\windows\system32\drivers\sptd.sys

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_SPTD

-------\Service_sptd

((((((((((((((((((((((((( Files Created from 2010-06-09 to 2010-07-09 )))))))))))))))))))))))))))))))

.

2010-07-07 18:05 . 2010-07-09 12:19 17408 ----a-w- c:\windows\system32\rpcnetp.exe

2010-07-05 19:29 . 2010-07-05 19:29 -------- d-----w- c:\windows\system32\wbem\Repository

2010-07-05 19:28 . 2010-07-05 19:28 -------- d-----w- c:\program files\Common Files\Roxio Shared

2010-07-05 19:28 . 2010-07-05 19:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Research In Motion

2010-07-05 19:28 . 2010-07-05 19:28 -------- d-----w- c:\program files\Common Files\Research In Motion

2010-07-05 19:28 . 2010-07-05 19:28 -------- d-----w- c:\program files\Hewlett-Packard

2010-07-05 19:28 . 2010-07-05 19:28 -------- d-----w- c:\program files\Common Files\HP

2010-07-05 19:27 . 2010-07-05 19:27 -------- d-----w- c:\program files\Common Files\Java

2010-06-30 23:06 . 2010-06-30 23:06 -------- d-----w- c:\program files\Ant.com

2010-06-30 04:18 . 2010-07-05 19:27 -------- d-----w- c:\program files\ESET(2)

2010-06-30 04:06 . 2010-07-05 19:27 -------- d-----w- C:\RECYCLER(2)

2010-06-30 04:06 . 2010-07-05 19:27 -------- d-----w- c:\program files\Common Files\Java(2)

2010-06-27 23:51 . 2010-06-27 23:51 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-09 12:19 . 2009-08-12 04:46 57752 ----a-w- c:\windows\system32\rpcnet.dll

2010-07-09 12:18 . 2009-12-21 00:35 191672 ----a-w- c:\windows\system32\drivers\sthdae.log

2010-07-09 09:34 . 2009-08-10 19:46 -------- d-----w- c:\documents and settings\joey walters\Application Data\vlc

2010-07-09 09:23 . 2009-08-10 19:46 -------- d-----w- c:\documents and settings\joey walters\Application Data\dvdcss

2010-07-09 06:19 . 2009-08-08 08:07 17408 ----a-w- c:\windows\system32\rpcnetp.dll

2010-07-05 19:28 . 2010-05-05 11:58 -------- d-----w- c:\documents and settings\joey walters\Application Data\Research In Motion

2010-07-01 16:51 . 2004-08-04 10:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys

2010-07-01 11:26 . 2009-08-30 03:36 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-06-29 21:45 . 2010-01-15 04:21 -------- d-----w- c:\program files\Research In Motion

2010-06-27 22:07 . 2010-02-19 02:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-02 05:22 . 2004-08-04 10:00 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-27 18:40 . 2009-08-22 05:42 45648 ------w- c:\windows\system32\drivers\PxHelp20.sys

2010-04-27 18:40 . 2009-08-22 05:42 133616 ------w- c:\windows\system32\pxafs.dll

2010-04-27 18:40 . 2009-08-22 05:42 126448 -c----w- c:\windows\system32\pxinsi64.exe

2010-04-27 18:40 . 2009-08-22 05:42 123888 -c----w- c:\windows\system32\pxcpyi64.exe

2010-04-20 05:30 . 2004-08-04 10:00 285696 ----a-w- c:\windows\system32\atmfd.dll

2009-10-14 13:48 . 2010-02-25 02:01 524288 ----a-w- c:\program files\Sakura.dll

2009-10-14 13:29 . 2010-02-25 02:01 532480 ----a-w- c:\program files\Sawer.dll

2009-10-14 13:13 . 2010-02-25 02:01 499712 ----a-w- c:\program files\PoiZone.dll

2009-10-14 13:09 . 2010-02-25 02:02 671744 ----a-w- c:\program files\Toxic Biohazard.dll

2009-09-26 14:14 . 2010-02-25 02:01 512000 ----a-w- c:\program files\Hardcore.dll

2009-05-29 12:02 . 2009-05-29 12:02 818176 ----a-w- c:\program files\FL Studio VSTi.dll

2009-05-29 12:01 . 2009-05-29 12:01 818176 ----a-w- c:\program files\FL Studio VSTi (Multi).dll

.

((((((((((((((((((((((((((((( SnapShot@2010-07-08_11.04.38 )))))))))))))))))))))))))))))))))))))))))

.

- 2004-08-04 10:00 . 2010-07-08 10:14 67714 c:\windows\system32\perfc009.dat

+ 2004-08-04 10:00 . 2010-07-09 11:41 67714 c:\windows\system32\perfc009.dat

+ 2004-08-04 10:00 . 2010-07-09 11:41 432924 c:\windows\system32\perfh009.dat

- 2004-08-04 10:00 . 2010-07-08 10:14 432924 c:\windows\system32\perfh009.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Google Update"="c:\documents and settings\joey walters\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-01-25 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-31 138008]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-31 162584]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-31 138008]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]

"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-10-08 995328]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-10-08 1101824]

"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-09-29 124240]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

"IDTSysTrayApp"="sttray.exe" [2007-09-06 405504]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-16 141608]

"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2008-11-11 136512]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]

"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-06-03 1144104]

"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2010-03-11 648536]

c:\documents and settings\joey walters\Start Menu\Programs\Startup\

OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-12-15 384000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\engineserver.exe [9/29/2008 8:07 AM 19456]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [8/12/2009 2:47 PM 67904]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [8/12/2009 2:47 PM 64432]

S3 TASCAM_US122144;TASCAM USB 2.0 Audio Device driver;c:\windows\system32\drivers\tascusb2.sys [8/10/2009 1:12 PM 367616]

S3 TASCAM_US122L_MIDI;TASCAM US-122L WDM MIDI Device;c:\windows\system32\drivers\tscusb2m.sys [8/10/2009 1:12 PM 18944]

S3 TASCAM_US122L_WDM;TASCAM US-122L WDM;c:\windows\system32\drivers\tscusb2a.sys [8/10/2009 1:12 PM 33792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Connection Wizard,ShellNext = iexplore

FF - ProfilePath - c:\documents and settings\joey walters\Application Data\Mozilla\Firefox\Profiles\9c5mt8ab.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-07-09 05:21

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\

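An added example, not part of the thread and not ComboFix's own code: a Python script that reads the STEP 02 CFscript (its Registry::, Driver:: and File:: sections) together with the ComboFix log posted above, and reports which requested files appear under "Other Deletions" and which driver services appear under "Drivers/Services". Both sample texts are copied from the posts above and trimmed to the lines the check needs. It assumes the section layout seen in this log. In this log, ispnyr.exe is listed under FILE :: but not under Other Deletions, so the script reports it as unconfirmed rather than as clean.

```python
import re
from typing import Dict, List, Tuple

# Constructed samples, copied from the STEP 02 CFscript and the ComboFix log
# posted above and trimmed to the lines the reconciliation needs.
CFSCRIPT = r"""
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"bhrtsbtr"=-
"AlcoholAutomount"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"bhrtsbtr"=-
Driver::
sptd
File::
c:\documents and settings\joey walters\local settings\application data\axfsmsntv\ispnyr.exe
c:\windows\system32\drivers\sptd.sys
c:\windows\system32\autochk(10).exe
c:\windows\system32\autochk(3).exe
"""

COMBOFIX_LOG = r"""
ComboFix 10-07-06.05 - joey walters 07/09/2010 4:53.4.2 - x86
FILE ::
"c:\documents and settings\joey walters\local settings\application data\axfsmsntv\ispnyr.exe"
"c:\windows\system32\autochk(10).exe"
"c:\windows\system32\autochk(3).exe"
"c:\windows\system32\drivers\sptd.sys"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\autochk(10).exe
c:\windows\system32\autochk(3).exe
c:\windows\system32\drivers\sptd.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_SPTD
-------\Service_sptd
((((((((((((((((((((((((( Files Created from 2010-06-09 to 2010-07-09 )))))))))))))))))))))))))))))))
.
"""


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Split a CFscript into its '<Name>::' sections (Registry, Driver, File, ...)."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def registry_deletions(lines: List[str]) -> List[Tuple[str, str]]:
    """A '"name"=-' line under a [key] asks ComboFix to delete that value."""
    key = None
    out: List[Tuple[str, str]] = []
    for line in lines:
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.fullmatch(r'"([^"]+)"=-', line)
        if m and key:
            out.append((key, m.group(1)))
    return out


LOG_HEADER = re.compile(r"^\(+\s*(?P<name>.+?)\s*\)+$")


def log_sections(text: str) -> Dict[str, List[str]]:
    """Collect ComboFix log lines under their '(((( Name ))))' headers; the
    'FILE ::' echo of the script goes under the key 'FILE'. Quotes are stripped."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = LOG_HEADER.match(line)
        if m or line == "FILE ::":
            current = m["name"] if m else "FILE"
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line.strip('"'))
    return sections


def reconcile(cfscript_text: str, log_text: str) -> Dict[str, Dict[str, str]]:
    """For every File:: and Driver:: entry, say whether the log confirms it.
    A path absent from 'Other Deletions' is reported as unconfirmed, not as
    clean: the log above lists ispnyr.exe under FILE :: but never under
    Other Deletions, so its fate has to be checked on the box."""
    script = parse_cfscript(cfscript_text)
    log = log_sections(log_text)
    deleted = {p.lower() for p in log.get("Other Deletions", [])}
    removed = {s.lower() for s in log.get("Drivers/Services", [])}
    files = {
        p: "deleted" if p.lower() in deleted else "unconfirmed"
        for p in script.get("File", [])
    }
    drivers = {
        d: "removed" if any(s.endswith("service_" + d.lower()) for s in removed) else "unconfirmed"
        for d in script.get("Driver", [])
    }
    return {"files": files, "drivers": drivers}
```

reconcile(CFSCRIPT, COMBOFIX_LOG) marks the autochk copies and sptd.sys as deleted and the sptd service as removed, and leaves ispnyr.exe unconfirmed. registry_deletions() lists the three Run values the script asked to remove; the log's "Reg Loading Points" section above no longer shows bhrtsbtr or AlcoholAutomount, which is the matching check for those.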

  • Root Admin

What we need to do now is run this online scan to search for any remnants. It can take several hours, so please be patient and allow it to run its full course.

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:

  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.

  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.


  • Root Admin

Great.

We should be done here. Some final housekeeping instructions, and protection information for you.

Your logs appear clean. You should be good to go. We still have a few items to address.

Disable your AntiVirus temporarily so that it does not block removal of Combofix.

Press the Windows key + R -> in the Run box which opens -> copy/paste in the following single line command & click OK

ComboFix /Uninstall


This will uninstall ComboFix. It will also implement some cleanup procedures.

Re-enable your AntiVirus now.

Delete any remaining tools we've used (DDS and GMER) and logs from them.

Empty your Recycle Bin.

Please read the following: So how did I get infected in the first place?


  • Staff

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
