BruceF

Popup when exploring files

Strange....

Alright, evidently something isn't as it's claiming to be. So let's get a 2nd opinion real quick:

Please download and run the Trend Micro Sysclean Package on your computer.

NOTE! This scan will probably take a long time to run on your computer so be patient and don't use it while it's scanning.

  • Trend Micro Damage Cleanup Engine


Make sure you read this document to understand how to use the program.

Basically there are 3 parts that need to be downloaded from these links:


  • As an example, on 2008-10-17 the files to download are:
    sysclean.com
    lpt605.zip
    ssapiptn697.zip
  • NOTE! These file names are examples and you must visit Trend Micro for the very latest files, which may have different names.

  • Create a brand new folder to copy these files to. As an example: C:\DCE

  • Then open each of the zipped archive files and copy their contents to C:\DCE

  • Copy the file sysclean.com to the new folder C:\DCE as well.

  • Double-click on the file sysclean.com that is in the C:\DCE folder and follow the on-screen instructions.

    After doing all of this, please post back your results, including the log file sysclean.log that will be left behind by sysclean.

  • This self-extracting archive is a stand-alone fix package that incorporates the Trend Micro VSAPI Malware and Spyware scanning engines as well as the Trend Micro Damage Cleanup Engine and Template.

    This tool supports the following features:

    o Terminate all detected malware/spyware instances in memory

    o Remove malware/spyware registry entries

    o Remove malware/spyware entries from system files

    o Scan for and delete all detected malware/spyware copies in all local drives


Thanks again for your help and patience.

I'm going to take the time to look all of this over and run it tomorrow evening. I'll post the results as soon as I have them.


Here is the result of sysclean.log:

/--------------------------------------------------------------\

| Trend Micro System Cleaner |

| Copyright 2006-2007, Trend Micro, Inc. |

| http://www.antivirus.com |

\--------------------------------------------------------------/

2008-11-18, 17:20:54, Auto-clean mode specified.

2008-11-18, 17:20:54, Initialized Rootkit Driver version 2.2.0.1004.

2008-11-18, 17:20:54, Running scanner "C:\DCE\TSC.BIN"...

2008-11-18, 17:22:33, Scanner "C:\DCE\TSC.BIN" has finished running.

2008-11-18, 17:22:33, TSC Log:


I then updated MBAM, did a scan, rebooted, and rescanned:

Malwarebytes' Anti-Malware 1.30

Database version: 1410

Windows 5.1.2600 Service Pack 3

11/18/2008 10:10:18 PM

mbam-log-2008-11-18 (22-10-18).txt

Scan type: Quick Scan

Objects scanned: 49290

Time elapsed: 7 minute(s), 50 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 4

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f56c5fd6-a52c-4e65-a54a-31fe0dc87e06} (Trojan.BHO.H) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{f56c5fd6-a52c-4e65-a54a-31fe0dc87e06} (Trojan.BHO.H) -> Delete on reboot.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\ombha.dll (Trojan.BHO.H) -> Delete on reboot.

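Added example, not code from this thread or from Malwarebytes: a small Python parser for the MBAM 1.x log format posted above, run over a constructed, shortened copy of that log. It cross-checks the declared counts against the entries actually listed and pulls out the CLSID and file path a responder would pivot on next (the BHO key, its HKCR CLSID entry and the DLL it loads); the same parser covers the second MBAM log later in this thread, where only the four Browser Settings values remain.

```python
"""Parse and sanity-check a Malwarebytes' Anti-Malware 1.x text log.
Added example, not code from the forum thread or from Malwarebytes. The log
below is a constructed, shortened copy of the MBAM 1.30 log posted above.
"""
import re

# Constructed sample in the MBAM 1.30 layout: summary counts first, then one
# detail section per category listing "<item> (<detection>) -> <action>.".
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.30
Database version: 1410
Registry Keys Infected: 2
Registry Values Infected: 4
Folders Infected: 0
Files Infected: 1

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f56c5fd6-a52c-4e65-a54a-31fe0dc87e06} (Trojan.BHO.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{f56c5fd6-a52c-4e65-a54a-31fe0dc87e06} (Trojan.BHO.H) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ombha.dll (Trojan.BHO.H) -> Delete on reboot.
"""

SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
HEADER_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_mbam_log(text):
    """Return (summary, findings): summary maps section -> declared count,
    findings maps section -> list of {item, detection, action} dicts."""
    summary, findings, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group("section")] = int(m.group("count"))
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m.group("section")
            findings[current] = []
            continue
        if current is None or line.startswith("(No malicious items"):
            continue  # banner lines before the detail sections, or an empty section
        m = ENTRY_RE.match(line)
        if m:
            findings[current].append(m.groupdict())
        else:
            # Keep anything unexpected rather than silently dropping evidence.
            findings[current].append({"item": line, "detection": None, "action": None})
    return summary, findings


def check_counts(summary, findings):
    """Map each section whose declared count differs from the entries listed
    to (declared, listed); an empty dict means the log is internally consistent."""
    mismatches = {}
    for section, declared in summary.items():
        listed = len(findings.get(section, []))
        if listed != declared:
            mismatches[section] = (declared, listed)
    return mismatches


def pivot_points(findings):
    """Collect every CLSID named in the log (the BHO key and its HKCR CLSID entry,
    whose InprocServer32 value names the DLL) and every file reported."""
    clsids = set()
    files = []
    for section, entries in findings.items():
        for entry in entries:
            clsids.update(g.lower() for g in GUID_RE.findall(entry["item"]))
            if section == "Files Infected":
                files.append(entry["item"])
    return sorted(clsids), files


if __name__ == "__main__":
    summary, findings = parse_mbam_log(SAMPLE_LOG)
    print("count mismatches:", check_counts(summary, findings) or "none")
    clsids, files = pivot_points(findings)
    print("CLSIDs to resolve:", clsids)
    print("files to inspect:", files)
```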

Yes. C:\WINDOWS\system32\ombha.dll is showing up. But, I've tried to delete it and it says access denied. I've even tried booting into safe mode with command prompt to delete it with the same results.

FWIW, I haven't had the popup in a couple of days.


Please visit this webpage for instructions for downloading ComboFix to your DESKTOP: how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.

Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

Additional links to download the tool:

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.


Had a scary moment when running this. When I dragged the recovery console download onto combofix it started and installed it okay. But, then combofix said the recovery console was not installed and asked if it should install it. I said yes and then it said the console was already installed. It seemed to run fine from there. Here are the results:

ComboFix 08-11-18.A2 - Bruce 2008-11-19 21:54:59.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.651 [GMT -5:00]

Running from: c:\documents and settings\Bruce\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Bruce\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://onestopstation.net

.

((((((((((((((((((((((((( Files Created from 2008-10-20 to 2008-11-20 )))))))))))))))))))))))))))))))

.

2008-11-17 22:39 . 2008-11-18 21:33 <DIR> d-------- C:\DCE

2008-11-16 16:47 . 2008-11-16 16:47 17,709 --a------ c:\windows\system32\drivers\johknkyd.zip

2008-11-16 13:39 . 2008-11-16 13:45 250 --a------ c:\windows\gmer.ini

2008-11-14 23:52 . 2008-11-14 23:52 44,951 --a------ c:\windows\SM1bg.zip

2008-11-14 16:02 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys

2008-11-14 16:01 . 2008-11-14 16:01 <DIR> d-------- c:\program files\Panda Security

2008-11-14 01:58 . 2008-11-14 02:04 <DIR> d-------- c:\documents and settings\Bruce\.housecall6.6

2008-11-14 01:38 . 2008-11-14 01:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files

2008-11-14 01:19 . 2008-11-14 01:19 <DIR> d-------- c:\program files\Trend Micro

2008-11-13 17:31 . 2008-11-13 17:45 <DIR> d-------- c:\documents and settings\Bruce\Application Data\Download Manager

2008-11-11 18:07 . 2008-11-11 20:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2008-11-09 22:50 . 2008-11-09 22:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg8

2008-11-09 21:53 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2008-11-09 21:53 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2008-11-08 18:38 . 2008-11-08 18:38 <DIR> d-------- c:\windows\system32\scripting

2008-11-08 18:38 . 2008-11-08 18:38 <DIR> d-------- c:\windows\system32\en

2008-11-08 18:38 . 2008-11-08 18:38 <DIR> d-------- c:\windows\l2schemas

2008-11-08 17:58 . 2008-04-13 19:12 712,704 --------- c:\windows\system32\windowscodecs.dll

2008-11-08 17:58 . 2008-04-13 19:12 346,112 --------- c:\windows\system32\windowscodecsext.dll

2008-11-08 17:58 . 2008-04-13 19:12 290,304 --------- c:\windows\system32\rhttpaa.dll

2008-11-08 17:58 . 2008-04-13 19:12 276,992 --------- c:\windows\system32\wmphoto.dll

2008-11-08 17:58 . 2008-04-13 19:12 76,800 --------- c:\windows\system32\qutil.dll

2008-11-08 17:58 . 2008-04-13 19:12 69,120 --------- c:\windows\system32\wlanapi.dll

2008-11-08 17:58 . 2008-04-13 19:12 61,952 --------- c:\windows\system32\rasqec.dll

2008-11-08 17:58 . 2008-04-13 19:12 53,248 --------- c:\windows\system32\tsgqec.dll

2008-11-08 17:58 . 2008-04-13 19:12 50,688 --------- c:\windows\system32\tspkg.dll

2008-11-08 17:58 . 2008-04-13 19:12 32,768 --------- c:\windows\system32\setupn.exe

2008-11-08 17:58 . 2008-04-13 13:40 10,240 --------- c:\windows\system32\drivers\sffp_mmc.sys

2008-11-08 17:56 . 2008-04-13 19:11 650,752 --------- c:\windows\system32\dot3ui.dll

2008-11-08 17:25 . 2008-09-08 05:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys

2008-11-08 17:24 . 2008-08-14 05:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe

2008-11-08 17:24 . 2008-08-14 05:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe

2008-11-08 17:24 . 2008-08-14 04:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe

2008-11-08 17:24 . 2008-08-14 04:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe

2008-11-08 17:24 . 2008-09-15 07:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys

2008-11-08 17:24 . 2008-10-15 11:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll

2008-11-04 17:12 . 2008-11-04 17:12 <DIR> d-------- c:\program files\Common Files\Macrovision Shared

2008-11-01 13:59 . 2008-11-13 17:45 116,480 --a------ c:\windows\system32\ombha.dll

2008-10-30 17:26 . 2008-10-30 17:26 <DIR> d--hs---- c:\windows\ftpcache

2008-10-28 17:36 . 2008-10-28 17:36 823,296 --a------ c:\windows\system32\divx_xx0c.dll

2008-10-28 17:36 . 2008-10-28 17:36 823,296 --a------ c:\windows\system32\divx_xx07.dll

2008-10-28 17:35 . 2008-10-28 17:35 815,104 --a------ c:\windows\system32\divx_xx0a.dll

2008-10-28 17:35 . 2008-10-28 17:35 802,816 --a------ c:\windows\system32\divx_xx11.dll

2008-10-28 17:35 . 2008-10-28 17:35 684,032 --a------ c:\windows\system32\DivX.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-11-20 02:59 103,923,744 --sha-w c:\windows\system32\drivers\fidbox.dat

2008-11-20 02:43 1,219,580 --sha-w c:\windows\system32\drivers\fidbox.idx

2008-11-20 02:39 1,634 ----a-w c:\program files\eSignalMHP - Detail.dtl

2008-11-19 14:30 --------- d-----w c:\program files\eSignal

2008-11-19 14:29 --------- d-----w c:\program files\Mozilla Thunderbird

2008-11-19 02:36 --------- d-----w c:\program files\Common Files\Symantec Shared

2008-11-15 06:18 --------- d-----w c:\program files\Norton SystemWorks

2008-11-15 03:46 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2008-11-12 17:56 17,842,963 ----a-w c:\windows\Internet Logs\tvDebug.zip

2008-11-12 02:00 --------- d-----w c:\program files\Spybot - Search & Destroy

2008-11-11 19:27 11,514 ----a-w c:\program files\eSignalMHP,D - AdvCh.ach

2008-11-11 04:01 10,973 ----a-w c:\program files\eSignalMHP,5 - AdvCh.ach

2008-11-10 02:53 --------- d-----w c:\program files\Malwarebytes' Anti-Malware

2008-11-09 12:40 --------- d-----w c:\program files\eMule

2008-11-09 04:32 --------- d-----w c:\program files\Full Tilt Poker

2008-11-09 02:52 --------- d-----w c:\documents and settings\Bruce\Application Data\Move Networks

2008-11-09 00:18 --------- d-----w c:\program files\Replay AV 8

2008-11-08 21:45 --------- d-----w c:\program files\DivX

2008-11-08 06:32 --------- d--h--w c:\program files\InstallShield Installation Information

2008-11-08 04:34 --------- d-----w c:\program files\Common Files\Adobe

2008-11-01 17:20 841,728 ----a-w c:\windows\Internet Logs\xDB21.tmp

2008-10-30 16:35 1,714,688 ----a-w c:\windows\Internet Logs\xDB20.tmp

2008-10-25 22:26 1,679,360 ----a-w c:\windows\Internet Logs\xDB1F.tmp

2008-10-21 13:09 1,512,448 ----a-w c:\windows\Internet Logs\xDB1E.tmp

2008-10-17 17:28 2,697,728 ----a-w c:\windows\Internet Logs\xDB1D.tmp

2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll

2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll

2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll

2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll

2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll

2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe

2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll

2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll

2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll

2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll

2008-10-14 21:35 --------- d-----w c:\program files\DAP

2008-10-14 21:34 50,688 ----a-w c:\windows\system32\wbhelp2.dll

2008-10-14 21:34 --------- d-----w c:\documents and settings\All Users\Application Data\SpeedBit

2008-10-14 02:43 737,280 ----a-w c:\windows\iun6002.exe

2008-10-08 07:03 43,872 ------w c:\windows\system32\drivers\PxHelp20.sys

2008-10-08 07:03 129,520 ------w c:\windows\system32\pxafs.dll

2008-10-08 07:03 120,568 ------w c:\windows\system32\pxcpyi64.exe

2008-10-08 07:03 118,256 ------w c:\windows\system32\pxinsi64.exe

2008-10-04 19:54 --------- d-----w c:\documents and settings\Bruce\Application Data\BitTorrent

2008-10-03 21:24 --------- d-----w c:\documents and settings\Bruce\Application Data\Imagenomic

2008-10-03 21:20 --------- d-----w c:\program files\Instant JPEG From RAW

2008-09-29 03:41 4,988 ----a-w c:\windows\system32\tmp.reg

2008-09-29 03:15 --------- d-----w c:\documents and settings\Bruce\Application Data\Malwarebytes

2008-09-29 03:15 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes

2008-09-27 22:13 --------- d-----w c:\documents and settings\Bruce\Application Data\OpenOffice.org2

2008-09-25 08:03 81,920 ----a-w c:\windows\system32\dpl100.dll

2008-09-25 08:03 593,920 ----a-w c:\windows\system32\dpuGUI11.dll

2008-09-25 08:03 57,344 ----a-w c:\windows\system32\dpv11.dll

2008-09-25 08:03 53,248 ----a-w c:\windows\system32\dpuGUI10.dll

2008-09-25 08:03 524,288 ----a-w c:\windows\system32\DivXsm.exe

2008-09-25 08:03 344,064 ----a-w c:\windows\system32\dpus11.dll

2008-09-25 08:03 294,912 ----a-w c:\windows\system32\dpu11.dll

2008-09-25 08:03 294,912 ----a-w c:\windows\system32\dpu10.dll

2008-09-25 08:03 196,608 ----a-w c:\windows\system32\dtu100.dll

2008-09-25 08:03 161,096 ----a-w c:\windows\system32\DivXCodecVersionChecker.exe

2008-09-19 21:57 3,596,288 ----a-w c:\windows\system32\qt-dx331.dll

2008-09-19 21:55 200,704 ----a-w c:\windows\system32\ssldivx.dll

2008-09-19 21:55 1,044,480 ----a-w c:\windows\system32\libdivx.dll

2008-09-19 21:54 12,288 ----a-w c:\windows\system32\DivXWMPExtType.dll

2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys

2008-09-14 17:32 98,304 ----a-w c:\windows\DUMP5ae1.tmp

2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll

2008-08-23 02:40 61,224 ----a-w c:\documents and settings\Bruce\GoToAssistDownloadHelper.exe

2008-01-05 00:30 1,681 ----a-w c:\program files\eSignalPortfolio1.por

2003-08-27 18:19 36,963 ----a-r c:\program files\Common Files\SM1updtr.dll

2008-10-17 00:04 27,976 ----a-w c:\program files\mozilla firefox\plugins\atgpcdec.dll

2008-10-17 00:04 125,848 ----a-w c:\program files\mozilla firefox\plugins\atgpcext.dll

2008-10-17 00:04 98,712 ----a-w c:\program files\mozilla firefox\plugins\ieatgpc.dll

2005-07-14 18:31 27,648 --sha-w c:\windows\system32\AVSredirect.dll

2005-06-26 21:32 616,448 --sha-r c:\windows\system32\cygwin1.dll

2005-06-22 04:37 45,568 --sha-r c:\windows\system32\cygz.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F56C5FD6-A52C-4E65-A54A-31FE0DC87E06}]

2008-11-13 17:45 116480 --a------ c:\windows\system32\ombha.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Norton SystemWorks"="c:\program files\Norton SystemWorks\cfgwiz.exe" [2004-09-09 132248]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Matrox Powerdesk"="c:\windows\System32\PDesk\PDesk.exe" [2006-03-02 684032]

"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 790528]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]

"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]

"Launch Ai Booster"="c:\program files\ASUS\Ai Booster\OverClk.exe" [2004-01-19 1892864]

"ASUS Probe"="c:\program files\ASUS\Probe\AsusProb.exe" [2002-12-06 617984]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 58984]

"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2007-06-07 100056]

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-06-07 185896]

"HostManager"="c:\program files\Common Files\AOL\1181333827\ee\AOLSoftware.exe" [2006-09-25 50736]

"RoxioDragToDisc"="c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" [2004-01-27 1179648]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-12-06 69216]

"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 54832]

"EPSON Stylus C88 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE" [2005-01-27 98304]

"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2006-04-29 94208]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-03-28 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]

"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 c:\windows\KHALMNPR.Exe]

c:\documents and settings\Bruce\Start Menu\Programs\Startup\

palmOne Registration.lnk - c:\program files\palmOne\register.exe [2005-06-09 2355200]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HotSync Manager.lnk - c:\program files\palmOne\Hotsync.exe [2004-06-09 471040]

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-11-02 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2008-05-02 02:42 72208 c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]

--a------ 2008-05-16 18:08 289088 c:\program files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=

"c:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=

"c:\\Program Files\\Common Files\\aol\\1181333827\\ee\\aolsoftware.exe"=

"c:\\Program Files\\AOL 9.0\\waol.exe"=

"c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=

"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=

"c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\DNA\\btdna.exe"=

"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

R0 johknkyd;johknkyd;c:\windows\system32\drivers\johknkyd.sys [2003-03-31 23424]

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-11-14 28544]

R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};\??\c:\program files\CyberLink\PowerDVD\000.fcl [2007-06-24 14:24:47 13560]

R3 G200;G200;c:\windows\system32\DRIVERS\g200mini.sys [2007-06-07 261120]

S3 APLMp50;APLMp50 NDIS Protocol Driver;c:\windows\system32\Drivers\APLMp50.sys [2006-07-31 18816]

*Newly Created Service* - CATCHME

*Newly Created Service* - PROCEXP90

.

Contents of the 'Scheduled Tasks' folder

2008-11-13 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2008-11-15 c:\windows\Tasks\Norton AntiVirus - Scan my computer - Bruce.job

- c:\progra~1\NORTON~1\NORTON~3\Navw32.exe [2005-01-10 11:20]

2008-11-15 c:\windows\Tasks\Norton SystemWorks One Button Checkup.job

- c:\program files\Norton SystemWorks\OBC.exe [2004-11-04 00:19]

2008-11-19 c:\windows\Tasks\Symantec Drmc.job

- c:\program files\Common Files\Symantec Shared\SymDrmc.exe [2004-10-27 13:48]

.

.

------- Supplementary Scan -------

.

FireFox -: Profile - c:\documents and settings\Bruce\Application Data\Mozilla\Firefox\Profiles\rps2e06z.default\

FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.investors.com/

FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll

FF -: plugin - c:\program files\DNA\plugins\npbtdna.dll

FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll

FF -: plugin - c:\program files\Mozilla Firefox\plugins\np_gp.dll

FF -: plugin - c:\program files\Mozilla Firefox\plugins\npatgpc.dll

FF -: plugin - c:\program files\Mozilla Firefox\plugins\npaxctrl.dll

FF -: plugin - c:\program files\Mozilla Firefox\plugins\npbittorrent.dll

FF -: plugin - c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

FF -: plugin - c:\program files\Yahoo!\Shared\npYState.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-11-19 21:58:40

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]

"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"

.

Completion time: 2008-11-19 22:01:50

ComboFix-quarantined-files.txt 2008-11-20 03:01:10

Pre-Run: 34,314,190,848 bytes free

Post-Run: 34,340,724,736 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

266 --- E O F --- 2008-11-08 23:49:49


Well first off you need to uninstall ALL the Peer2Peer software like emule, bit torrent, etc...

Are you still running any Norton products or AV on your system ?

Are you using AOL (America Online) ?


Hmmm. I didn't know the P2P stuff was on here. But, they've now been uninstalled. I do have Norton as the AV and ZoneAlarm as the firewall, currently. AOL gets used on occasion.


Okay thanks for the information. It looks like you have at least one modified Microsoft file on your system which is not good.

Please run this tool which will hopefully help us locate Microsoft files that are not digitally signed.

Click on START - RUN and type in SIGVERIF and click OK

This is a Microsoft File Signature Verification program that will check some file status for us.
  • Click on the START button and let it run.
  • It will pop up a box when it's done to show the status; you can close that box.
  • Close the File Signature Verification application.
  • Find and attach the file C:\WINDOWS\SIGVERIF.TXT to your reply.
  • DO NOT post the log directly into your reply, attach the file please.

Can you also start REGEDIT and browse to the location where ombha.dll is located and check the Permissions on it. See if you can delete that entry or not directly in Regedit. If you can, then wait about 60 seconds and refresh Regedit or quit and restart Regedit and see if the entry is back in or not.

Thanks.


Also please try running this. Close ALL applications first, including the Browser, so that no program is running.

Click on START - RUN and copy / paste this entry into the box and click OK (after closing the browser).

CMD /C netstat -a -b -o -v >C:\MYSERVICES.TXT

This will open a black DOS window for a minute or so while it gathers the information.

When it closes please browse to this location and open the file with Notepad and post here if not too big, if it's big then just attach the file please.

C:\MYSERVICES.TXT


I tried to attach the SIGVERIF.TXT file, but it said it was too big. So, I've zipped it up and attached that.

I found an entry for a REG_SZ C:\WINDOWS\system32\ombha.dll under

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\dll

I was able to delete that one. It hasn't come back so far.

I found one under

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F56C5FD6-A52C-4E65-A54A-31FE0DC87E06}\InprocServer32

But, it wouldn't delete.

When I go to Edit>Permissions it looks like it applies to the \InprocServer32 folder. Allow Full Control and Read are checked. I can click on Deny, but I'm not sure if I should or not. Is that the permission you are talking about? If so, what should I do?

Thanks again for your help.

SIGVERIF.zip


Please download Avenger 2.0 from here

Open and copy the program file avenger.exe to your Desktop then double click to start it.

Copy the following text from the code box below into the main window of Avenger.

Files to delete:
C:\WINDOWS\system32\ombha.dll
Registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f56c5fd6-a52c-4e65-a54a-31fe0dc87e06}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F56C5FD6-A52C-4E65-A54A-31FE0DC87E06}
  • Place a check mark on the "Scan for rootkits" but do not check any other boxes.
  • Close all other running applications
  • After pasting the text into the main window, click on Execute

Once Avenger is done, run MB, go to the UPDATE tab and update the program again, and do a Quick Scan.

Fix anything found and reboot the computer.

Then run a new Hijackthis scan only and post back all the logs, including this file: c:\avenger.txt


Ran into a problem, I think.

I downloaded Avenger, entered the script and only checked Scan for rootkits. I shut down the browser and other apps and then hit execute. It said something and then rebooted. When the system came back up, Notepad was open and the following error message was in a window. "The process cannot access the file because it is being used by another process"

I also noticed my hard drive light was on steady and my fans went to high. There were no other windows indicating any activity. I let this go on for about 15 minutes. I then checked my drive and saw that avenger.txt was 5GB (yes gigabytes) big and growing. I decided to reboot since I couldn't find a way to shut down avenger.

Did I do something wrong? Should I have let this continue longer?

I haven't done any other scans, either. Should I try MB again?


Hi Bruce,

I've chatted with a couple others on this as well as one of the Developers and there definitely is something hidden that is calling and holding that DLL file open. We might be able to find a method or tool to kill the DLL file off but that wouldn't resolve the file that is calling it.

At this point you really need to make sure you have good backups of all your data including email, pictures, movies, documents, etc... and possibly be prepared to reinstall Windows. This is what they call a Browser Helper Object and any legitimate BHO would allow you to turn it off or disable it, which is not the case with this one. Currently your computer just cannot be trusted and you should not be using it for any type of Banking, or confidential work.

It's up to you if you want us to continue trying to locate and terminate this file or if you want to just re-install Windows. Let me know which direction you want to proceed and I'll try to assist you further in either direction.


Okay, well if you need assistance let us know. Remember to delete the partition as part of a new install. There are some viruses that can live through just a disk format.

I'll be closing this thread then probably later tonight or tomorrow.

Good luck.


Okay. Thanks. I did not know that. Right now I'm backing up and looking for the drivers for my motherboard.


I think I've gotten rid of C:\WINDOWS\system32\ombha.dll

While searching for the motherboard drivers, I continued to surf this board. I saw a post about http://www.virustotal.com/ and I uploaded the file there. It said that Avira had a solution for it. So, I downloaded their AV and ran it. It seemed to have found it. It's no longer in the win\sys32 directory.

I just ran MBAM and now it is just showing the same 4 registry values infected. But, it didn't reboot after the scan. Any thoughts? Should I still plan on re-installing windows?

Here is the MBAM log:

Malwarebytes' Anti-Malware 1.30

Database version: 1414

Windows 5.1.2600 Service Pack 3

11/21/2008 12:02:14 AM

mbam-log-2008-11-21 (00-02-14).txt

Scan type: Quick Scan

Objects scanned: 49241

Time elapsed: 5 minute(s), 31 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 4

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

This topic is now closed to further replies.