Infected!

Magiclure · August 6, 2010

My Windows XP Pro computer is infected. I ran Malwarebytes Quick Scan and found nothing. Then ran Avira and found TR/Crypt.ZPack.Gen at itcqzsv.sys, but Avira couldn't repair. Then ran DeFogger per Malwarebytes' guide, but it failed to finalize. Logs are attached for Avira and DeFogger. Please help!

AVSCAN_20100806_143204_BE01B1EE.txt

defogger_disable.txt

Elise · August 7, 2010

Hello ,

And My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications.

-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.

Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:

Please download OTL from one of the following mirrors:
- This is THE Mirror
[*]Save it to your desktop.
[*]Double click on the icon on your desktop.
[*]Click the "Scan All Users" checkbox.
[*]Push the button.
[*]Two reports will open, copy and paste them in a reply here:
- OTListIt.txt <-- Will be opened
- Extra.txt <-- Will be minimized

Please download GMER from one of the following locations and save it to your desktop:

Main Mirror
This version will download a randomly named file (Recommended)
Zipped Mirror
This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

Disconnect from the Internet and close all running programs.
Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
Now click the Scan button. If you see a rootkit warning window, click OK.
When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
Click the Copy button and paste the results into your next reply.
Exit GMER and re-enable all active protection when done.

-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------

In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply

A detailed description of your problems
A new OTL log (don't forget extra.txt)
GMER log

Magiclure · August 8, 2010

Hi Elise, thanks for your response. I ran OTL as you said, but after multiple attempts including running in Safe Mode I was unable to get Gmer to complete its scan. Finally in desperation/frustration I ran Combofix which now seems to have fixed my problem. After multiple scans I find no further infactions, and everything seems to work fine. Thanks for your time anyway!

Elise · August 8, 2010

If you wish you can post the combofix log for my review.

Note - combofix is a very powerful tool. It is not intended to be run without supervision. In most cases it will run fine, but every now and then something goes wrong which may cause a computer no longer to be able to boot.

Magiclure · August 8, 2010

Thanks, I know Combofix can go awry, but I was getting so frustrated with trying to get Gmer to run I was ready to turn this computer to scrap and buy a Mac. Anyway I would apreciate your review of the Combofix log, however I guess Combofix wrote over the original log as I ran another scan today to be sure everything was OK. The file below is from the most recent scan. Bob

ComboFix 10-08-07.01 - Bob Howe 08/08/2010 12:17:21.7.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.493 [GMT -7:00]

Running from: c:\documents and settings\Bob Howe\Desktop\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton AntiVirus *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

.

((((((((((((((((((((((((( Files Created from 2010-07-08 to 2010-08-08 )))))))))))))))))))))))))))))))

.

2010-08-08 01:36 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe

2010-08-08 01:36 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe

2010-07-27 01:45 . 2010-07-27 01:45 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys

2010-07-27 00:15 . 2010-07-27 00:15 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2010-07-26 19:34 . 2010-07-26 19:56 -------- d-----w- C:\2d8e158d4ab85a19979042e50804

2010-07-26 18:54 . 2010-07-26 18:54 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2010-07-26 18:52 . 2010-07-26 18:52 -------- d-sh--w- c:\documents and settings\Bob Howe\IECompatCache

2010-07-26 18:51 . 2010-07-26 18:51 -------- d-sh--w- c:\documents and settings\Bob Howe\PrivacIE

2010-07-26 18:45 . 2010-07-26 18:45 -------- d-sh--w- c:\documents and settings\Bob Howe\IETldCache

2010-07-26 18:41 . 2010-07-26 20:02 -------- d-----w- c:\windows\ie8updates

2010-07-26 18:37 . 2010-07-26 18:39 -------- dc-h--w- c:\windows\ie8

2010-07-26 18:34 . 2010-05-06 10:41 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2010-07-26 18:34 . 2010-05-06 10:41 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll

2010-07-26 18:34 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

2010-07-26 18:34 . 2010-04-16 11:43 41984 -c----w- c:\windows\system32\dllcache\iecompat.dll

2010-07-26 04:37 . 2010-07-26 04:37 -------- d-----w- c:\documents and settings\Bob Howe\Local Settings\Application Data\FixItCenter

2010-07-26 04:34 . 2010-07-26 04:34 -------- d-----w- c:\windows\MATS

2010-07-26 04:34 . 2010-07-26 04:34 -------- d-----w- c:\program files\Microsoft Fix it Center

2010-07-26 03:42 . 2010-07-26 03:42 -------- d-----w- c:\windows\system32\wbem\Repository

2010-07-22 18:16 . 2010-07-22 18:16 249920 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2010-07-21 00:32 . 2001-08-17 20:48 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys

2010-07-21 00:32 . 2001-08-17 20:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys

2010-07-21 00:32 . 2008-04-13 23:11 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll

2010-07-21 00:32 . 2008-04-13 23:11 21504 ----a-w- c:\windows\system32\hidserv.dll

2010-07-21 00:32 . 2008-04-13 17:45 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys

2010-07-21 00:32 . 2008-04-13 17:45 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys

2010-07-21 00:05 . 2010-07-23 20:27 -------- d-----w- c:\documents and settings\Bob Howe\Local Settings\Application Data\hruoiarny

2010-07-14 13:54 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-08-07 18:44 . 2008-06-15 21:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater

2010-07-26 17:06 . 2009-03-11 17:09 -------- d-----w- c:\program files\Windows Live Safety Center

2010-07-21 21:39 . 2003-10-06 15:39 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-07-21 17:33 . 2009-03-04 23:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-07-21 15:25 . 2009-09-18 04:18 0 ----a-w- c:\windows\Apemevubeqovuzi.bin

2010-07-21 00:06 . 2009-09-18 04:18 120 ----a-w- c:\windows\Imekodusexuyo.dat

2010-06-14 14:31 . 2003-06-28 19:28 744448 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe

2005-05-26 21:35 . 2009-03-09 18:52 1422 ----a-w- c:\program files\ReadMe.txt

2003-08-24 15:24 . 2003-08-24 15:24 6290926 -c--a-w- c:\program files\streetsmartproLI.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-10 68856]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-03-20 774144]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-03-01 315392]

"IntelliType"="c:\program files\Microsoft Hardware\Keyboard\type32.exe" [2002-03-22 94208]

"fspr"="c:\program files\Folder Shield\FolderShield.exe" [2003-05-26 315904]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-09-08 180269]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-01-07 1468296]

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2003-9-15 503869]

InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2009-5-28 106496]

officejet 6100.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [2003-4-6 147456]

TotalMedia Backup Monitor.lnk - c:\program files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe [2009-3-9 270336]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Esohomura]

2008-04-14 00:12 187904 ----a-w- c:\windows\agayewec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Real\\RealOne Player\\realplay.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Google\\Google Earth\\googleearth.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"67:UDP"= 67:UDP:DHCP Discovery Service

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundRouterRequest"= 0 (0x0)

"AllowOutboundTimeExceeded"= 0 (0x0)

R0 bxShield;BAxBEx File Protector;c:\windows\system32\drivers\bxShield.sys [5/26/2003 2:13 AM 45056]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/17/2009 1:59 PM 108289]

S1 SABKUTIL;SABKUTIL;\??\c:\documents and settings\Bob Howe\Local Settings\Temporary Internet Files\Content.IE5\04IAKNN3\SABKUTIL.sys --> c:\documents and settings\Bob Howe\Local Settings\Temporary Internet Files\Content.IE5\04IAKNN3\SABKUTIL.sys [?]

S2 FSService;FSService;c:\program files\Folder Shield\FSService.exe [5/26/2003 2:13 AM 28672]

S2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [5/8/2008 9:59 AM 204800]

S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\Microsoft Fix it Center\Matsvc.exe [4/10/2010 5:05 PM 266544]

S4 AloPar;AloPar;c:\windows\system32\drivers\AloPar.sys [7/3/2003 6:37 PM 4112]

.

Contents of the 'Scheduled Tasks' folder

2010-07-26 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2003-11-29 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p officejet 6100 series5E771253C1676EBED677BF361FDFC537825E15B8062089891.job

- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 07:52]

2010-08-08 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-10-04 17:22]

.

------- Supplementary Scan -------

.

uStart Page = hxxp://my.yahoo.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Settings,ProxyOverride = <local>

uInternet Settings,ProxyServer = http=127.0.0.1:5643

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

Trusted Zone: intuit.com\ttlc

Trusted Zone: turbotax.com

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

.

------- File Associations -------

.

.scr=AutoCADScriptFile

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-08-08 12:27

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\XP*]

"DisplayName"="?\13?\13"

"DeviceDesc"="?\13?\13"

"ProviderName"=""

"MFG"="???\\"

"ReinstallString"="c:\\WINDOWS\\System32\\ReinstallBackups\\?\13\\DriverFiles\\.INF"

"DeviceInstanceIds"=multi:"p_inf\\cx_08040.inf\00"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(724)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2432)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\mshtml.dll

c:\windows\system32\msls31.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2010-08-08 12:30:37

ComboFix-quarantined-files.txt 2010-08-08 19:30

ComboFix2.txt 2010-08-08 02:00

ComboFix3.txt 2009-03-09 18:13

ComboFix4.txt 2009-03-06 15:44

ComboFix5.txt 2010-08-08 19:15

Pre-Run: 6,859,165,696 bytes free

Post-Run: 6,845,399,040 bytes free

- - End Of File - - 113677C2777ED8736653B95BB1F8C966

Elise · August 9, 2010

There are still some malware leftovers showing.

CF-SCRIPT

-------------

We need to execute a CF-script.

Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Esohomura]

File::
c:\windows\agayewec.dll

DDS::
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5643

Save this as CFScript.txt, in the same location as ComboFix.exe

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Magiclure · August 9, 2010

ComboFix 10-08-07.01 - Bob Howe 08/09/2010 9:51.8.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.716 [GMT -7:00]

Running from: c:\documents and settings\Bob Howe\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Bob Howe\Desktop\CFScript.txt

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton AntiVirus *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

FILE ::

"c:\windows\agayewec.dll"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\agayewec.dll

.

((((((((((((((((((((((((( Files Created from 2010-07-09 to 2010-08-09 )))))))))))))))))))))))))))))))