windows xp infected with "windows antivirus 2011"

Hello,

My Windows XP got infected with "Windows Antivirus 2011" after I clicked a fake email from ups.org.

Then I used the updated Malwarebytes to full-scan my computer and deleted 6 infections. After a reboot, the computer seemed to be normal. But eventually, one of the svchost processes in the Windows Task Manager takes up all the CPU resources and my computer ends up too busy to respond. Then I used HijackThis to scan it again. It seems like the virus is not eradicated completely, and I clicked Fix in HijackThis. But this does not solve the problem. After each reboot, the svchost process eventually takes a lot of CPU resources and throws up some "memory cannot be written" errors. Now I have turned it off.

Please help me; what can I try? Another Malwarebytes full scan?

Thanks,

Ryan


I just read the thread on "I'm infected - What do I do now?"

I will follow the instructions and post again tomorrow.

Ryan


Thanks for the reply, elise025.

I already have a question: I tried to run dds.scr, but it does not seem to be runnable. The system shows it as an AutoCAD script. I uninstalled AutoCAD a while ago, but anyway, I still tried to run it, and it pops up a Windows Notepad window full of strange characters.

Should I use DeFogger - Disable first, and then dds.scr?

Ryan

Hello and welcome!

Please post the DDS and GMER log as instructed in that topic and I'll reply to you once posted.


No need for Defogger. Instead of DDS, run OTL, see below.

OTL

-----

Please download OTL from one of the following mirrors:

  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Quick Scan button.
  • Two reports will open, copy and paste them in a reply here:
      • OTListIt.txt <-- Will be opened
      • Extra.txt <-- Will be minimized


Thanks elise025.

Ryan

OTL logfile created on: 2011-3-29 12:34:31 - Run 1

OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Administrator\??

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000804 | Country: ??????? | Language: CHS | Date Format: yyyy-M-d

1,013.00 Mb Total Physical Memory | 93.00 Mb Available Physical Memory | 9.00% Memory free

2.00 Gb Paging File | 1.00 Gb Available in Paging File | 44.00% Paging File free

Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 29.30 Gb Total Space | 5.09 Gb Free Space | 17.36% Space Free | Partition Type: NTFS

Drive D: | 191.95 Gb Total Space | 107.85 Gb Free Space | 56.19% Space Free | Partition Type: FAT32

Drive E: | 39.06 Gb Total Space | 32.87 Gb Free Space | 84.16% Space Free | Partition Type: FAT32

Computer Name: CHINA-E6FF197E0 | User Name: Administrator | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: All users | Quick Scan

Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011-03-29 12:32:33 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\??\OTL.exe

PRC - [2010-12-10 16:02:50 | 000,115,560 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe

PRC - [2010-12-10 16:02:50 | 000,108,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

PRC - [2010-12-10 16:02:48 | 001,893,728 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe

PRC - [2010-12-10 16:02:48 | 001,459,568 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe

PRC - [2010-12-10 16:02:46 | 001,839,776 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

PRC - [2010-09-18 22:16:22 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe

PRC - [2010-02-18 11:43:20 | 000,490,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Common Files\Java\Java Update\jucheck.exe

PRC - [2009-03-26 21:20:06 | 000,308,720 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe

PRC - [2008-04-14 08:00:00 | 000,978,432 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

========== Modules (SafeList) ==========

MOD - [2011-03-29 12:32:33 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\??\OTL.exe

MOD - [2008-04-14 08:00:00 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll

========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (srv6B8)

SRV - File not found [On_Demand | Stopped] -- -- (LPDSVC)

SRV - [2010-12-21 06:52:26 | 000,038,704 | ---- | M] (?????????????) [Disabled | Stopped] -- C:\Program Files\Thunder Network\Thunder\Program\DctSer.exe -- (XLDoctor Services)

SRV - [2010-12-10 16:02:50 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr)

SRV - [2010-12-10 16:02:50 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr)

SRV - [2010-12-10 16:02:48 | 001,893,728 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe -- (SmcService)

SRV - [2010-12-10 16:02:48 | 000,357,744 | ---- | M] (Symantec Corporation) [Disabled | Stopped] -- C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE -- (SNAC)

SRV - [2010-12-10 16:02:46 | 001,839,776 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe -- (Symantec AntiVirus)

SRV - [2010-09-21 06:34:39 | 000,085,096 | ---- | M] (Autodesk) [On_Demand | Stopped] -- C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe -- (Autodesk Licensing Service)

SRV - [2010-09-07 16:05:51 | 003,093,880 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE -- (LiveUpdate)

SRV - [2010-03-03 03:10:33 | 000,651,720 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)

SRV - [2009-12-30 19:24:34 | 000,703,488 | ---- | M] (FileZilla Project) [On_Demand | Stopped] -- C:\Program Files\FileZilla Server\FileZilla Server.exe -- (FileZilla Server)

========== Driver Services (SafeList) ==========

DRV - [2011-03-26 21:22:28 | 000,125,488 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)

DRV - [2011-03-15 04:00:00 | 001,360,760 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20110328.038\NAVEX15.SYS -- (NAVEX15)

DRV - [2011-03-15 04:00:00 | 000,086,008 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20110328.038\NAVENG.SYS -- (NAVENG)

DRV - [2010-12-10 16:02:50 | 000,320,944 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\srtspl.sys -- (SRTSPL)

DRV - [2010-12-10 16:02:50 | 000,284,720 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\srtsp.sys -- (SRTSP)

DRV - [2010-12-10 16:02:50 | 000,043,696 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\srtspx.sys -- (SRTSPX)

DRV - [2010-12-10 16:02:44 | 000,421,424 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)

DRV - [2010-12-10 16:02:44 | 000,188,080 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI)

DRV - [2010-12-10 16:02:44 | 000,026,416 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)

DRV - [2010-10-18 02:00:00 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)

DRV - [2010-10-18 02:00:00 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)

DRV - [2010-04-21 22:49:02 | 000,060,008 | ---- | M] (Kingsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\KAVSafe.sys -- (KAVSafe)

DRV - [2008-06-10 23:54:56 | 000,012,160 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\fsvga.sys -- (FsVga)

DRV - [2008-01-15 07:17:58 | 004,652,544 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.facemoods.com/?a=ddr&s={searchTerms}&f=4'>http://start.facemoods.com/?a=ddr&s={searchTerms}&f=4

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-854245398-1580818891-1801674531-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://start.facemoods.com/?a=ddr

IE - HKU\S-1-5-21-854245398-1580818891-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Facemoods Search"

FF - prefs.js..browser.search.selectedEngine: "Facemoods Search"

FF - prefs.js..browser.startup.homepage: "http://www.google.com/"

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.10\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010-09-18 22:16:25 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.10\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010-12-17 22:06:18 | 000,000,000 | ---D | M]

[2010-09-15 01:10:25 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions

[2011-03-26 22:14:05 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\znuw72ni.default\extensions

[2011-03-29 10:47:58 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions

[2010-10-07 15:06:37 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

[2010-10-07 15:06:26 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF

[2010-10-07 15:06:26 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

[2011-03-26 21:31:08 | 000,002,046 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\fcmdSrchddr.xml

O1 HOSTS File: ([2008-04-30 03:13:00 | 000,001,091 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O1 - Hosts: 127.0.0.1 858656.com

O1 - Hosts: 127.0.0.1 my123.com

O1 - Hosts: 127.0.0.1 8749.com

O1 - Hosts: 127.0.0.1 4199.com

O1 - Hosts: 127.0.0.1 7379.com

O1 - Hosts: 127.0.0.1 7255.com

O1 - Hosts: 127.0.0.1 3448.com

O1 - Hosts: 127.0.0.1 7939.com

O1 - Hosts: 127.0.0.1 8009.com

O1 - Hosts: 127.0.0.1 piaoxue.com

O1 - Hosts: 127.0.0.1 kzdh.com

O1 - Hosts: 127.0.0.1 about.blank.la

O1 - Hosts: 127.0.0.1 6781.com

O1 - Hosts: 127.0.0.1 7322.com

O2 - BHO: (ThunderAtOnce Class) - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll (?????????????)

O2 - BHO: (??????) - {889D2FEB-5411-4565-8998-1DD2C5261283} - C:\Program Files\Thunder Network\Thunder\BHO\XunleiBHO7.1.4.2104.dll (?????????????)

O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)

O2 - BHO: (SmartSelect Class) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)

O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)

O3 - HKU\S-1-5-21-854245398-1580818891-1801674531-500\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)

O4 - HKLM..\Run: [] File not found

O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)

O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)

O4 - HKLM..\Run: [Google IME Autoupdater] C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe (Google Inc.)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktopCleanupWizard = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoInternetOpenWith = 1

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 223

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 1

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 223

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 1

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 223

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 1

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 223

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 1

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1

O7 - HKU\S-1-5-21-854245398-1580818891-1801674531-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 223

O7 - HKU\S-1-5-21-854245398-1580818891-1801674531-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1

O7 - HKU\S-1-5-21-854245398-1580818891-1801674531-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1

O7 - HKU\S-1-5-21-854245398-1580818891-1801674531-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1

O7 - HKU\S-1-5-21-854245398-1580818891-1801674531-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1

O7 - HKU\S-1-5-21-854245398-1580818891-1801674531-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1

O7 - HKU\S-1-5-21-854245398-1580818891-1801674531-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 0

O8 - Extra context menu item: ???????? Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)

O8 - Extra context menu item: ??????????? PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)

O8 - Extra context menu item: ???????? - C:\Program Files\Thunder Network\Thunder\Program\repairimage.htm ()

O8 - Extra context menu item: ?????? - C:\Program Files\Thunder Network\Thunder\BHO\geturl.htm ()

O8 - Extra context menu item: ?????????? - C:\Program Files\Thunder Network\Thunder\BHO\getAllurl.htm ()

O8 - Extra context menu item: ??? Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)

O8 - Extra context menu item: ?????? PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)

O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 128.59.62.10 128.59.59.70

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O24 - Desktop Components:0 (????) - About:Home

O24 - Desktop WallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O24 - Desktop BackupWallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2010-03-03 00:24:40 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

O37 - HKU\S-1-5-21-854245398-1580818891-1801674531-500\...exe [@ = exefile] -- Reg Error: Value error. File not found

========== Files/Folders - Created Within 30 Days ==========

[2011-03-29 12:32:32 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\??\OTL.exe

[2011-03-26 21:24:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\??\siam08

[2011-03-26 21:22:15 | 000,060,808 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL

[2011-03-26 21:22:14 | 000,125,488 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS

[2011-03-26 21:20:46 | 000,000,000 | ---D | C] -- C:\Program Files\Symantec

[2011-03-26 20:54:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia

[2011-03-26 20:54:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe

[2011-03-26 17:37:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun

[2011-03-26 16:09:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Identities

[2011-03-26 16:09:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Identities

[2011-03-26 14:02:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe

[2011-03-26 13:40:21 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy

[2011-03-26 13:40:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

[2011-03-25 18:35:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia

[2011-03-25 18:35:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe

[2011-03-22 23:21:03 | 000,000,000 | -H-D | C] -- C:\WINDOWS\PIF

[2011-03-21 15:59:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\.globus

[2011-03-21 15:59:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\.sshterm

[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011-03-29 12:32:33 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\??\OTL.exe

[2011-03-29 12:23:28 | 000,000,392 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{6EA1C328-ADB0-4D9D-86DC-05314EDF1650}.job

[2011-03-29 12:18:00 | 000,000,674 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-854245398-1580818891-1801674531-500UA.job

[2011-03-29 10:36:58 | 000,000,326 | -HS- | M] () -- C:\WINDOWS\tasks\Xffpfuyjvq.job

[2011-03-29 10:36:33 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2011-03-27 21:24:41 | 000,110,080 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2011-03-26 23:18:02 | 000,000,622 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-854245398-1580818891-1801674531-500Core.job

[2011-03-26 21:22:28 | 000,125,488 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS

[2011-03-26 21:22:28 | 000,060,808 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL

[2011-03-26 21:22:28 | 000,007,456 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT

[2011-03-26 21:22:28 | 000,000,806 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF

[2011-03-26 17:27:18 | 000,000,211 | -HS- | M] () -- C:\boot.ini

[2011-03-26 14:21:22 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat

[2011-03-25 18:37:22 | 000,000,600 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\PUTTY.RND

[2011-03-25 18:33:09 | 000,002,191 | ---- | M] () -- C:\Documents and Settings\Administrator\??\Cunix.lnk

[2011-03-25 18:11:02 | 000,011,020 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\68g3r7qe203rajstw6v1c8j8w5ew5qupemu7b

[2011-03-25 18:11:02 | 000,011,020 | -HS- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\68g3r7qe203rajstw6v1c8j8w5ew5qupemu7b

[2011-03-24 21:37:01 | 000,002,184 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2011-03-22 10:22:52 | 000,018,653 | ---- | M] () -- C:\Documents and Settings\Administrator\_viminfo

[2011-03-20 16:26:09 | 000,429,982 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat

[2011-03-20 16:26:09 | 000,245,540 | ---- | M] () -- C:\WINDOWS\System32\prfh0804.dat

[2011-03-20 16:26:09 | 000,078,986 | ---- | M] () -- C:\WINDOWS\System32\prfc0804.dat

[2011-03-20 16:26:09 | 000,066,178 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

[2011-03-16 23:53:07 | 000,000,025 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\TXCUserDictionary.dic

[2011-03-06 16:30:04 | 000,001,898 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\??7.lnk

[2011-03-06 16:30:04 | 000,001,880 | ---- | M] () -- C:\Documents and Settings\All Users\??\??7.lnk

[2011-03-05 21:52:06 | 000,271,096 | ---- | M] () -- C:\Documents and Settings\Administrator\??\10.1.1.2.4152.pdf

[2011-03-04 16:21:07 | 000,011,497 | ---- | M] () -- C:\Documents and Settings\Administrator\gsview32.ini

[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011-03-26 21:22:14 | 000,007,456 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT

[2011-03-26 21:22:14 | 000,000,806 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF

[2011-03-25 16:38:08 | 000,011,020 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\68g3r7qe203rajstw6v1c8j8w5ew5qupemu7b

[2011-03-25 16:38:08 | 000,011,020 | -HS- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\68g3r7qe203rajstw6v1c8j8w5ew5qupemu7b

[2011-03-06 16:30:04 | 000,001,898 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\??7.lnk

[2011-03-06 16:30:04 | 000,001,880 | ---- | C] () -- C:\Documents and Settings\All Users\??\??7.lnk

[2011-03-05 21:51:53 | 000,271,096 | ---- | C] () -- C:\Documents and Settings\Administrator\??\10.1.1.2.4152.pdf

[2011-03-04 00:44:04 | 000,000,025 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\TXCUserDictionary.dic

[2010-09-27 03:12:41 | 000,001,316 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat

[2010-09-21 08:53:51 | 000,155,648 | RHS- | C] () -- C:\WINDOWS\System32\odbcconf2.dll

[2010-08-26 16:52:26 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat

[2010-08-10 02:55:05 | 000,057,344 | R--- | C] () -- C:\WINDOWS\System32\drivers\WDelMgr20.exe

[2010-06-03 11:56:45 | 000,000,010 | ---- | C] () -- C:\WINDOWS\popcinfo.dat

[2010-05-17 21:31:15 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat

[2010-03-22 04:11:24 | 000,110,080 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2010-03-19 09:17:45 | 000,000,048 | ---- | C] () -- C:\WINDOWS\System32\ils.ini

[2010-03-19 08:20:30 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\ChCfg.exe

[2010-03-03 09:26:43 | 000,000,201 | ---- | C] () -- C:\WINDOWS\System32\cid_store.dat

[2010-03-03 09:26:41 | 000,000,020 | ---- | C] () -- C:\WINDOWS\System32\pub_store.dat

[2010-03-03 02:08:58 | 000,116,224 | ---- | C] () -- C:\WINDOWS\System32\pdfcmnnt.dll

[2010-03-03 01:51:08 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\PUTTY.RND

[2010-03-03 00:25:07 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat

[2010-03-03 00:23:00 | 000,021,464 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat

[2010-03-03 00:18:52 | 000,004,117 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI

[2010-03-03 00:17:44 | 000,292,480 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT

[2008-06-10 23:51:08 | 000,064,228 | ---- | C] () -- C:\WINDOWS\System32\wupdmgr.exe

[2008-06-10 23:50:50 | 000,000,489 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini

[2008-04-14 08:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat

[2008-04-14 08:00:00 | 000,429,982 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat

[2008-04-14 08:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat

[2008-04-14 08:00:00 | 000,245,540 | ---- | C] () -- C:\WINDOWS\System32\prfh0804.dat

[2008-04-14 08:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat

[2008-04-14 08:00:00 | 000,104,412 | ---- | C] () -- C:\WINDOWS\System32\prfi0804.dat

[2008-04-14 08:00:00 | 000,078,986 | ---- | C] () -- C:\WINDOWS\System32\prfc0804.dat

[2008-04-14 08:00:00 | 000,066,178 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat

[2008-04-14 08:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin

[2008-04-14 08:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\prfd0804.dat

[2008-04-14 08:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat

[2008-04-14 08:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat

[2008-04-14 08:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin

========== LOP Check ==========

[2010-04-18 17:11:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\.emacs.d

[2010-09-21 10:32:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Autodesk

[2010-05-23 06:29:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\BitComet

[2010-03-03 00:43:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\DAEMON Tools

[2010-03-03 02:04:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\MYMPC

[2010-09-21 11:51:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\WinMount

[2011-03-27 14:51:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Autodesk

[2010-05-02 10:06:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\kingsoft

[2011-03-06 16:37:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Thunder Network

[2011-03-26 22:10:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TSLOG

[2010-10-31 14:05:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Xunlei

[2011-03-29 12:23:28 | 000,000,392 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{6EA1C328-ADB0-4D9D-86DC-05314EDF1650}.job

[2011-03-29 10:36:58 | 000,000,326 | -HS- | M] () -- C:\WINDOWS\Tasks\Xffpfuyjvq.job

========== Purity Check ==========

< End of report >


I am unable to attach the Extras.txt.

So I zipped it.

No need for Defogger. Instead of DDS, run OTL, see below.

OTL

-----

Please download OTL from one of the following mirrors:

  • Save it to your desktop.
  • Double click on the otlDesktopIcon.png icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Quick Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

log.zip


Hello again,

COMBOFIX

---------------

Please download ComboFix from one of these locations:


Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Query_RC.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC_successful.gif

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.


Thanks for the help and here is the log for ComboFix:

ComboFix 11-03-29.03 - Administrator -03-29 ??? 20:34:08.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.936.86.2052.18.1013.570 [GMT -4:00]

????: c:\documents and settings\Administrator\??\ComboFix.exe

AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}

.

.

((((((((((((((((((((((((((((((((((((((( ?????? )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\xlfx_video_1112hhb.jpg

c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\xlfx_video_11617hhb.jpg

c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\xlfx_video_11647hhb.jpg

c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\xlfx_video_11648hhb.jpg

c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\xlfx_video_12752hhb.jpg

c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\xlfx_video_12753hhb.jpg

c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\xlfx_video_13292hhb.jpg

c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\xlfx_video_13475hhb.jpg

c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\xlfx_video_13655hhb.jpg

c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\xlfx_video_13656hhb.jpg

c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\xlfx_video_14113hhb.jpg

c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\xlfx_video_14114hhb.jpg

c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\xlfx_video_14553hhb.jpg

c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\xlfx_video_15976hhb.jpg

c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\xlfx_video_15977hhb.jpg

c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\xlfx_video_2917hhb.jpg

c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\xlfx_video_340hhb.jpg

c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\xlfx_video_359hhb.jpg

c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\xlfx_video_362hhb.jpg

c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\xlfx_video_371hhb.jpg

c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\xlfx_video_9244hhb.jpg

c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\xlfx_video_9245hhb.jpg

c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\xlfx_video_9249hhb.jpg

c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\xlfx_video_9252hhb.jpg

c:\program files\Maxthon2\Modules\MxKWS

c:\program files\Maxthon2\Modules\MxKWS\updateEv.log

c:\windows\system32\msconfig.exe

.

.

\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected

.

((((((((((((((((((((((((( 2011-02-28 ? 2011-03-30 ????? )))))))))))))))))))))))))))))))

.

.

2011-03-29 17:13 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-03-29 17:13 . 2011-03-29 17:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-03-29 17:13 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-03-27 01:22 . 2011-03-27 01:22 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL

2011-03-27 01:22 . 2011-03-27 01:22 125488 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2011-03-27 01:20 . 2011-03-27 01:22 -------- d-----w- c:\program files\Symantec

2011-03-27 00:54 . 2011-03-27 00:54 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2011-03-26 20:09 . 2011-03-26 20:09 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities

2011-03-26 18:02 . 2011-03-26 18:03 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2011-03-26 17:40 . 2011-03-26 18:20 -------- d-----w- c:\program files\Spybot - Search & Destroy

2011-03-26 17:40 . 2011-03-26 18:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2011-03-25 22:12 . 2011-03-25 22:12 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2011-03-23 03:21 . 2011-03-23 03:21 -------- d--h--w- c:\windows\PIF

2011-03-21 19:59 . 2011-03-21 19:59 -------- d-----w- c:\documents and settings\Administrator\.globus

2011-03-21 19:59 . 2011-03-21 20:00 -------- d-----w- c:\documents and settings\Administrator\.sshterm

.

.

(((((((((((((((((((((((((((((((((((((((( ??????????? ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-03-20 20:26 . 2010-11-09 23:04 3956 ----a-w- c:\windows\system32\PerfStringBackup.TMP

.

.

------- Sigcheck -------

.

[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys

[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys

[-] 2008-06-20 . 4AFB3B0919649F95C1964AA1FAD27D73 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys

[-] 2008-06-11 . 030DC4D48CC2B894FEE2F390D8E66AD5 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys

.

[-] 2008-05-09 . 440EDA2420CFA1B3B2AB4725FC33825D . 493056 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

.

((((((((((((((((((((((((((((((((((((( ????? ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*??* ???????????????

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Google Update"="c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-03 135664]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-01-21 134656]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-01-21 166912]

"Persistence"="c:\windows\system32\igfxpers.exe" [2009-01-21 134656]

"Microsoft Pinyin IME Migration"="c:\progra~1\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE" [2008-11-03 33128]

"Google IME Autoupdater"="c:\program files\Google\Google Pinyin\GooglePinyinDaemon.exe" [2009-03-27 308720]

"RTHDCPL"="RTHDCPL.EXE" [2008-01-09 16859648]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-12-10 115560]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"nltide_3"="advpack.dll" [2009-03-07 128512]

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSMConfigurePrograms"= 1 (0x1)

"NoResolveTrack"= 1 (0x1)

.

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSMHelp"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

"NoResolveTrack"= 1 (0x1)

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0220804]

Ime File REG_SZ GOOGLEPINYIN.IME

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\srv6B8]

@="service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]

@="Service"

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]

2008-06-11 14:43 640376 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]

2008-06-11 18:25 37232 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2010-09-23 08:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FileZilla Server Interface]

2009-12-30 23:25 1208832 ----a-w- c:\program files\FileZilla Server\FileZilla Server Interface.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

2010-03-03 14:55 135664 ----atw- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"XLDoctor Services"=2 (0x2)

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=

"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=

"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=

"c:\\Program Files\\Xming\\Xming.exe"=

"c:\\Program Files\\Common Files\\Thunder Network\\DS\\Ver1\\1.0.2.69\\ThunderService.exe"=

"c:\\Program Files\\Common Files\\Thunder Network\\DS\\Ver1\\1.0.2.69\\ThunderLiveUD.exe"=

"c:\\Program Files\\Common Files\\Thunder Network\\DS\\Ver1\\1.0.2.69\\XLBugReport.exe"=

"c:\\Program Files\\FileZilla Server\\FileZilla Server Interface.exe"=

"c:\\Program Files\\MATLAB\\R2008a\\bin\\win32\\MATLAB.exe"=

"c:\\Program Files\\Thunder Network\\Thunder\\XLDoctor\\7.1.0.1962_1\\Program\\XLDoctorUI.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

"c:\\Program Files\\Thunder Network\\Thunder\\Program\\Thunder.exe"=

"c:\\Program Files\\Thunder Network\\Thunder\\XLDoctor\\7.1.4.2104_2\\Program\\XLDoctorUI.exe"=

"c:\\Program Files\\Thunder Network\\Thunder\\Program\\ThunderLiveUD.exe"=

"c:\\Program Files\\Common Files\\Thunder Network\\TP\\Ver1\\1.1.2.46_1111\\ThunderPlatform.exe"=

"c:\\Program Files\\Common Files\\Thunder Network\\TP\\Ver1\\1.1.2.46_1111\\ThunderLiveUD.exe"=

"c:\\Program Files\\Common Files\\Thunder Network\\TP\\Ver1\\1.1.2.46_1111\\XLBugReport.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

"14147:TCP"= 14147:TCP:127.0.0.1

"14717:TCP"= 14717:TCP:BitComet 14717 TCP

"14717:UDP"= 14717:UDP:BitComet 14717 UDP

.

R2 KAVSafe;KAVSafe;c:\windows\system32\drivers\KAVSafe.sys [2010-5-1 19:18 60008]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-3-26 21:27 102448]

S2 srv6B8;srv6B8;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 8:00 14336]

S4 XLDoctor Services;XLDoctor Services;c:\program files\Thunder Network\Thunder\Program\DctSer.exe [2011-3-6 16:30 38704]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - HELPSVC

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

srv6B8

.


Here is the log. It looks like the system is clean now, since the resource taken by svchost has been released.

Ryan

______________________________________________

ComboFix 11-03-29.06 - Administrator -03-30 ??? 11:09:47.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.936.86.2052.18.1013.423 [GMT -4:00]

????: c:\documents and settings\Administrator\??\ComboFix.exe

AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}

.

.

((((((((((((((((((((((((( 2011-02-28 ? 2011-03-30 ????? )))))))))))))))))))))))))))))))

.

.

2011-03-29 17:13 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-03-29 17:13 . 2011-03-29 17:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-03-29 17:13 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-03-27 01:22 . 2011-03-27 01:22 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL

2011-03-27 01:22 . 2011-03-27 01:22 125488 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2011-03-27 01:20 . 2011-03-27 01:22 -------- d-----w- c:\program files\Symantec

2011-03-27 00:54 . 2011-03-27 00:54 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2011-03-26 20:09 . 2011-03-26 20:09 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities

2011-03-26 18:02 . 2011-03-26 18:03 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2011-03-26 17:40 . 2011-03-26 18:20 -------- d-----w- c:\program files\Spybot - Search & Destroy

2011-03-26 17:40 . 2011-03-26 18:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2011-03-25 22:12 . 2011-03-25 22:12 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2011-03-23 03:21 . 2011-03-23 03:21 -------- d--h--w- c:\windows\PIF

2011-03-21 19:59 . 2011-03-21 19:59 -------- d-----w- c:\documents and settings\Administrator\.globus

2011-03-21 19:59 . 2011-03-21 20:00 -------- d-----w- c:\documents and settings\Administrator\.sshterm

.

.

(((((((((((((((((((((((((((((((((((((((( ??????????? ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-03-20 20:26 . 2010-11-09 23:04 3956 ----a-w- c:\windows\system32\PerfStringBackup.TMP

.

.

------- Sigcheck -------

.

[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys

[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys

[-] 2008-06-20 . 4AFB3B0919649F95C1964AA1FAD27D73 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys

[-] 2008-06-11 . 030DC4D48CC2B894FEE2F390D8E66AD5 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys

.

[-] 2008-05-09 . 440EDA2420CFA1B3B2AB4725FC33825D . 493056 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

.

((((((((((((((((((((((((((((((((((((( ????? ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*??* ???????????????

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Google Update"="c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-03 135664]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-01-21 134656]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-01-21 166912]

"Persistence"="c:\windows\system32\igfxpers.exe" [2009-01-21 134656]

"Microsoft Pinyin IME Migration"="c:\progra~1\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE" [2008-11-03 33128]

"Google IME Autoupdater"="c:\program files\Google\Google Pinyin\GooglePinyinDaemon.exe" [2009-03-27 308720]

"RTHDCPL"="RTHDCPL.EXE" [2008-01-09 16859648]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-12-10 115560]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"nltide_3"="advpack.dll" [2009-03-07 128512]

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSMConfigurePrograms"= 1 (0x1)

"NoResolveTrack"= 1 (0x1)

.

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSMHelp"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

"NoResolveTrack"= 1 (0x1)

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0220804]

Ime File REG_SZ GOOGLEPINYIN.IME

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\srv6B8]

@="service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]

@="Service"

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]

2008-06-11 14:43 640376 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]

2008-06-11 18:25 37232 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2010-09-23 08:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FileZilla Server Interface]

2009-12-30 23:25 1208832 ----a-w- c:\program files\FileZilla Server\FileZilla Server Interface.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

2010-03-03 14:55 135664 ----atw- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"XLDoctor Services"=2 (0x2)

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=

"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=

"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=

"c:\\Program Files\\Xming\\Xming.exe"=

"c:\\Program Files\\Common Files\\Thunder Network\\DS\\Ver1\\1.0.2.69\\ThunderService.exe"=

"c:\\Program Files\\Common Files\\Thunder Network\\DS\\Ver1\\1.0.2.69\\ThunderLiveUD.exe"=

"c:\\Program Files\\Common Files\\Thunder Network\\DS\\Ver1\\1.0.2.69\\XLBugReport.exe"=

"c:\\Program Files\\FileZilla Server\\FileZilla Server Interface.exe"=

"c:\\Program Files\\MATLAB\\R2008a\\bin\\win32\\MATLAB.exe"=

"c:\\Program Files\\Thunder Network\\Thunder\\XLDoctor\\7.1.0.1962_1\\Program\\XLDoctorUI.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

"c:\\Program Files\\Thunder Network\\Thunder\\Program\\Thunder.exe"=

"c:\\Program Files\\Thunder Network\\Thunder\\XLDoctor\\7.1.4.2104_2\\Program\\XLDoctorUI.exe"=

"c:\\Program Files\\Thunder Network\\Thunder\\Program\\ThunderLiveUD.exe"=

"c:\\Program Files\\Common Files\\Thunder Network\\TP\\Ver1\\1.1.2.46_1111\\ThunderPlatform.exe"=

"c:\\Program Files\\Common Files\\Thunder Network\\TP\\Ver1\\1.1.2.46_1111\\ThunderLiveUD.exe"=

"c:\\Program Files\\Common Files\\Thunder Network\\TP\\Ver1\\1.1.2.46_1111\\XLBugReport.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

"14147:TCP"= 14147:TCP:127.0.0.1

"14717:TCP"= 14717:TCP:BitComet 14717 TCP

"14717:UDP"= 14717:UDP:BitComet 14717 UDP

.

R2 KAVSafe;KAVSafe;c:\windows\system32\drivers\KAVSafe.sys [2010-5-1 19:18 60008]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-3-26 21:27 102448]

S2 srv6B8;srv6B8;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 8:00 14336]

S4 XLDoctor Services;XLDoctor Services;c:\program files\Thunder Network\Thunder\Program\DctSer.exe [2011-3-6 16:30 38704]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - HELPSVC

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

srv6B8

.


Hi, we still have a few things to do here.

CF-SCRIPT

-------------

We need to execute a CF-script.

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:


FCopy::
c:\windows\system32\dllcache\tcpip.sys | c:\windows\system32\drivers\tcpip.sys

SRPeak::
c:\windows\system32\winlogon.exe

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

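The FCopy:: line in the CF-script above is read straight off the Sigcheck block of the first ComboFix log: the live c:\windows\system32\drivers\tcpip.sys is marked [-] with an MD5 that differs from the dllcache copy marked [7], and both carry the same version and size, so the cached copy is a local clean source. winlogon.exe is marked [-] with no passing copy anywhere, which is why the next post asks for an XP SP3 CD or a second machine. As an added example (not part of this thread and not ComboFix's own code), the Python below parses a Sigcheck block in that layout, flags live system files that failed the check, looks for a same-version, same-size copy that passed, and renders the FCopy:: directive for those, while listing the rest as needing external media. Assumptions are labelled in the code: "[-]" is read as a failed check and any other flag as a pass, paths under dllcache, $hf_mig$ or $NtUninstall* are treated as cached or backup copies rather than live files, and the sample block is constructed from the lines posted in this thread.

```python
from __future__ import annotations

import re
from collections import defaultdict

# Constructed sample input: a Sigcheck block in the layout ComboFix uses
# (flag, date, MD5, size, version, path), built from the lines in this thread.
SAMPLE_SIGCHECK = r"""
------- Sigcheck -------
.
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . 4AFB3B0919649F95C1964AA1FAD27D73 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[-] 2008-06-11 . 030DC4D48CC2B894FEE2F390D8E66AD5 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
.
[-] 2008-05-09 . 440EDA2420CFA1B3B2AB4725FC33825D . 493056 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
.
"""

# One Sigcheck line: "[flag] date . MD5 . size . . [version] . . path"
SIGCHECK_LINE = re.compile(
    r"^\[(?P<flag>[^\]]+)\]\s+(?P<date>\S+)\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})\s+\."
    r"\s+(?P<size>\d+)\s+\.\s+\.\s+\[(?P<version>[^\]]+)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$"
)

# Assumption: these directories hold cached/backup copies, not the file Windows loads.
BACKUP_DIR_MARKERS = ("\\dllcache\\", "\\$hf_mig$\\", "\\$ntuninstall")


def parse_sigcheck(text: str) -> list[dict]:
    """Return one dict per Sigcheck entry; lines that do not match the layout are ignored."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_LINE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["size"] = int(e["size"])
        e["md5"] = e["md5"].upper()
        e["name"] = e["path"].rsplit("\\", 1)[-1].lower()
        e["failed"] = e["flag"] == "-"  # assumption: "[-]" marks a failed check
        e["backup"] = any(mk in e["path"].lower() for mk in BACKUP_DIR_MARKERS)
        entries.append(e)
    return entries


def plan_repairs(entries: list[dict]) -> list[dict]:
    """For every live file that failed, find a same-version, same-size copy that passed.

    The dllcache copy is preferred because it is what Windows File Protection
    restores from. Two passing copies can legitimately carry different hashes
    (a QFE hotfix build beside the GDR build), so matching is on version and
    size, never on hash.
    """
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["name"]].append(e)

    plan = []
    for e in entries:
        if not e["failed"] or e["backup"]:
            continue
        candidates = [
            c for c in by_name[e["name"]]
            if not c["failed"] and c["version"] == e["version"] and c["size"] == e["size"]
        ]
        candidates.sort(key=lambda c: 0 if "\\dllcache\\" in c["path"].lower() else 1)
        plan.append({
            "target": e["path"],
            "target_md5": e["md5"],
            "source": candidates[0]["path"] if candidates else None,
            "source_md5": candidates[0]["md5"] if candidates else None,
        })
    return plan


def fcopy_script(plan: list[dict]) -> str:
    """Render the repairable entries as a ComboFix FCopy:: block ("source | target" per line)."""
    lines = ["FCopy::"]
    lines += [f"{p['source']} | {p['target']}" for p in plan if p["source"]]
    return "\n".join(lines)


def needs_external_copy(plan: list[dict]) -> list[str]:
    """Live files that failed the check with no passing local copy: replace from install media."""
    return [p["target"] for p in plan if not p["source"]]


if __name__ == "__main__":
    repairs = plan_repairs(parse_sigcheck(SAMPLE_SIGCHECK))
    print(fcopy_script(repairs))
    for path in needs_external_copy(repairs):
        print(f"no local clean copy for {path}; copy it from install media or a clean SP3 machine")
```

Run against the constructed block, the script emits exactly the FCopy:: line the helper wrote and lists winlogon.exe as needing an external copy, matching the third ComboFix log, where tcpip.sys no longer appears under Sigcheck and only winlogon.exe remains.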

Thanks a lot for the help elise.

Here is the new log generated by ComboFix:

ComboFix 11-03-29.06 - Administrator -03-30 ??? 13:26:35.3.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.936.86.2052.18.1013.559 [GMT -4:00]

????: c:\documents and settings\Administrator\??\ComboFix.exe

Command switches used :: c:\documents and settings\Administrator\??\CFScript.txt

AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}

.

.

((((((((((((((((((((((((((((((((((((((( ?????? )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

.

--------------- FCopy ---------------

.

c:\windows\system32\dllcache\tcpip.sys --> c:\windows\system32\drivers\tcpip.sys

.

((((((((((((((((((((((((( 2011-02-28 ? 2011-03-30 ????? )))))))))))))))))))))))))))))))

.

.

2011-03-29 17:13 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-03-29 17:13 . 2011-03-29 17:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-03-29 17:13 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-03-27 01:22 . 2011-03-27 01:22 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL

2011-03-27 01:22 . 2011-03-27 01:22 125488 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2011-03-27 01:20 . 2011-03-27 01:22 -------- d-----w- c:\program files\Symantec

2011-03-27 00:54 . 2011-03-27 00:54 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2011-03-26 20:09 . 2011-03-26 20:09 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities

2011-03-26 18:02 . 2011-03-26 18:03 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2011-03-26 17:40 . 2011-03-26 18:20 -------- d-----w- c:\program files\Spybot - Search & Destroy

2011-03-26 17:40 . 2011-03-26 18:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2011-03-25 22:12 . 2011-03-25 22:12 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2011-03-23 03:21 . 2011-03-23 03:21 -------- d--h--w- c:\windows\PIF

2011-03-21 19:59 . 2011-03-21 19:59 -------- d-----w- c:\documents and settings\Administrator\.globus

2011-03-21 19:59 . 2011-03-21 20:00 -------- d-----w- c:\documents and settings\Administrator\.sshterm

.

.

(((((((((((((((((((((((((((((((((((((((( ??????????? ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-03-20 20:26 . 2010-11-09 23:04 3956 ----a-w- c:\windows\system32\PerfStringBackup.TMP

.

.

------- Sigcheck -------

.

[-] 2008-05-09 . 440EDA2420CFA1B3B2AB4725FC33825D . 493056 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

.

((((((((((((((((((((((((((((((((((((( ????? ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*??* ???????????????

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Google Update"="c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-03 135664]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-01-21 134656]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-01-21 166912]

"Persistence"="c:\windows\system32\igfxpers.exe" [2009-01-21 134656]

"Microsoft Pinyin IME Migration"="c:\progra~1\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE" [2008-11-03 33128]

"Google IME Autoupdater"="c:\program files\Google\Google Pinyin\GooglePinyinDaemon.exe" [2009-03-27 308720]

"RTHDCPL"="RTHDCPL.EXE" [2008-01-09 16859648]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-12-10 115560]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"nltide_3"="advpack.dll" [2009-03-07 128512]

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSMConfigurePrograms"= 1 (0x1)

"NoResolveTrack"= 1 (0x1)

.

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSMHelp"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

"NoResolveTrack"= 1 (0x1)

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0220804]

Ime File REG_SZ GOOGLEPINYIN.IME

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\srv6B8]

@="service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]

@="Service"

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]

2008-06-11 14:43 640376 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]

2008-06-11 18:25 37232 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2010-09-23 08:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FileZilla Server Interface]

2009-12-30 23:25 1208832 ----a-w- c:\program files\FileZilla Server\FileZilla Server Interface.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

2010-03-03 14:55 135664 ----atw- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"XLDoctor Services"=2 (0x2)

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=

"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=

"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=

"c:\\Program Files\\Xming\\Xming.exe"=

"c:\\Program Files\\Common Files\\Thunder Network\\DS\\Ver1\\1.0.2.69\\ThunderService.exe"=

"c:\\Program Files\\Common Files\\Thunder Network\\DS\\Ver1\\1.0.2.69\\ThunderLiveUD.exe"=

"c:\\Program Files\\Common Files\\Thunder Network\\DS\\Ver1\\1.0.2.69\\XLBugReport.exe"=

"c:\\Program Files\\FileZilla Server\\FileZilla Server Interface.exe"=

"c:\\Program Files\\MATLAB\\R2008a\\bin\\win32\\MATLAB.exe"=

"c:\\Program Files\\Thunder Network\\Thunder\\XLDoctor\\7.1.0.1962_1\\Program\\XLDoctorUI.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

"c:\\Program Files\\Thunder Network\\Thunder\\Program\\Thunder.exe"=

"c:\\Program Files\\Thunder Network\\Thunder\\XLDoctor\\7.1.4.2104_2\\Program\\XLDoctorUI.exe"=

"c:\\Program Files\\Thunder Network\\Thunder\\Program\\ThunderLiveUD.exe"=

"c:\\Program Files\\Common Files\\Thunder Network\\TP\\Ver1\\1.1.2.46_1111\\ThunderPlatform.exe"=

"c:\\Program Files\\Common Files\\Thunder Network\\TP\\Ver1\\1.1.2.46_1111\\ThunderLiveUD.exe"=

"c:\\Program Files\\Common Files\\Thunder Network\\TP\\Ver1\\1.1.2.46_1111\\XLBugReport.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

"14147:TCP"= 14147:TCP:127.0.0.1

"14717:TCP"= 14717:TCP:BitComet 14717 TCP

"14717:UDP"= 14717:UDP:BitComet 14717 UDP

.

R2 KAVSafe;KAVSafe;c:\windows\system32\drivers\KAVSafe.sys [2010-5-1 19:18 60008]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-3-26 21:27 102448]

S2 srv6B8;srv6B8;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 8:00 14336]

S4 XLDoctor Services;XLDoctor Services;c:\program files\Thunder Network\Thunder\Program\DctSer.exe [2011-3-6 16:30 38704]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - HELPSVC

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

srv6B8

.


Hi, do you have an XP CD at hand we can use to copy a file from or another computer with XP Service Pack 3 installed?

Please run the following as CFScript (instructions remain the same) and post me the new log.

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"14147:TCP"=-


I do have another machine with XP SP3.

Here is the log for CFScript:

Thanks a lot,

Ryan

ComboFix 11-03-30.01 - Administrator -03-30 ??? 22:03:01.4.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.936.86.2052.18.1013.541 [GMT -4:00]

????: c:\documents and settings\Administrator\??\ComboFix.exe

Command switches used :: c:\documents and settings\Administrator\??\CFScript.txt

AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}

.

.

((((((((((((((((((((((((((((((((((((((( ?????? )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\program files\WinRAR\rarext.dll

.

.

((((((((((((((((((((((((( 2011-02-28 ? 2011-03-31 ????? )))))))))))))))))))))))))))))))

.

.

2011-03-29 17:13 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-03-29 17:13 . 2011-03-29 17:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-03-29 17:13 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-03-27 01:22 . 2011-03-27 01:22 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL

2011-03-27 01:22 . 2011-03-27 01:22 125488 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2011-03-27 01:20 . 2011-03-27 01:22 -------- d-----w- c:\program files\Symantec

2011-03-27 00:54 . 2011-03-27 00:54 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2011-03-26 20:09 . 2011-03-26 20:09 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities

2011-03-26 18:02 . 2011-03-26 18:03 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2011-03-26 17:40 . 2011-03-26 18:20 -------- d-----w- c:\program files\Spybot - Search & Destroy

2011-03-26 17:40 . 2011-03-26 18:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2011-03-25 22:12 . 2011-03-25 22:12 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2011-03-23 03:21 . 2011-03-23 03:21 -------- d--h--w- c:\windows\PIF

2011-03-21 19:59 . 2011-03-21 19:59 -------- d-----w- c:\documents and settings\Administrator\.globus

2011-03-21 19:59 . 2011-03-21 20:00 -------- d-----w- c:\documents and settings\Administrator\.sshterm

.

.

(((((((((((((((((((((((((((((((((((((((( ??????????? ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-03-20 20:26 . 2010-11-09 23:04 3956 ----a-w- c:\windows\system32\PerfStringBackup.TMP

.

.

------- Sigcheck -------

.

[-] 2008-05-09 . 440EDA2420CFA1B3B2AB4725FC33825D . 493056 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

.

((((((((((((((((((((((((((((((((((((( ????? ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*??* ???????????????

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Google Update"="c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-03 135664]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-01-21 134656]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-01-21 166912]

"Persistence"="c:\windows\system32\igfxpers.exe" [2009-01-21 134656]

"Microsoft Pinyin IME Migration"="c:\progra~1\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE" [2008-11-03 33128]

"Google IME Autoupdater"="c:\program files\Google\Google Pinyin\GooglePinyinDaemon.exe" [2009-03-27 308720]

"RTHDCPL"="RTHDCPL.EXE" [2008-01-09 16859648]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-12-10 115560]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"nltide_3"="advpack.dll" [2009-03-07 128512]

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSMConfigurePrograms"= 1 (0x1)

"NoResolveTrack"= 1 (0x1)

.

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSMHelp"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

"NoResolveTrack"= 1 (0x1)

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0220804]

Ime File REG_SZ GOOGLEPINYIN.IME

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\srv6B8]

@="service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]

@="Service"

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]

2008-06-11 14:43 640376 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]

2008-06-11 18:25 37232 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2010-09-23 08:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FileZilla Server Interface]

2009-12-30 23:25 1208832 ----a-w- c:\program files\FileZilla Server\FileZilla Server Interface.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

2010-03-03 14:55 135664 ----atw- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"XLDoctor Services"=2 (0x2)

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=

"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=

"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=

"c:\\Program Files\\Xming\\Xming.exe"=

"c:\\Program Files\\Common Files\\Thunder Network\\DS\\Ver1\\1.0.2.69\\ThunderService.exe"=

"c:\\Program Files\\Common Files\\Thunder Network\\DS\\Ver1\\1.0.2.69\\ThunderLiveUD.exe"=

"c:\\Program Files\\Common Files\\Thunder Network\\DS\\Ver1\\1.0.2.69\\XLBugReport.exe"=

"c:\\Program Files\\FileZilla Server\\FileZilla Server Interface.exe"=

"c:\\Program Files\\MATLAB\\R2008a\\bin\\win32\\MATLAB.exe"=

"c:\\Program Files\\Thunder Network\\Thunder\\XLDoctor\\7.1.0.1962_1\\Program\\XLDoctorUI.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

"c:\\Program Files\\Thunder Network\\Thunder\\Program\\Thunder.exe"=

"c:\\Program Files\\Thunder Network\\Thunder\\XLDoctor\\7.1.4.2104_2\\Program\\XLDoctorUI.exe"=

"c:\\Program Files\\Thunder Network\\Thunder\\Program\\ThunderLiveUD.exe"=

"c:\\Program Files\\Common Files\\Thunder Network\\TP\\Ver1\\1.1.2.46_1111\\ThunderPlatform.exe"=

"c:\\Program Files\\Common Files\\Thunder Network\\TP\\Ver1\\1.1.2.46_1111\\ThunderLiveUD.exe"=

"c:\\Program Files\\Common Files\\Thunder Network\\TP\\Ver1\\1.1.2.46_1111\\XLBugReport.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

"14717:TCP"= 14717:TCP:BitComet 14717 TCP

"14717:UDP"= 14717:UDP:BitComet 14717 UDP

.

R2 KAVSafe;KAVSafe;c:\windows\system32\drivers\KAVSafe.sys [2010-5-1 19:18 60008]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-3-26 21:27 102448]

S2 srv6B8;srv6B8;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 8:00 14336]

S4 XLDoctor Services;XLDoctor Services;c:\program files\Thunder Network\Thunder\Program\DctSer.exe [2011-3-6 16:30 38704]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - HELPSVC

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

srv6B8

.


Hi again,

Please navigate on your clean computer to c:\windows\system32 and locate winlogon.exe. Right click this file and select Copy.

Insert a USB drive, open it and right click in an empty space, select Paste. This will copy winlogon.exe to your flash drive.

Put the USB drive in your infected computer, open it, right click on Winlogon.exe and select Copy.

Navigate to c:\windows, right click in an empty space and select Paste.

Your infected computer should now have the following file: c:\windows\winlogon.exe

If so, continue.

CF-SCRIPT

-------------

We need to execute a CF-script.

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:


FCopy::
c:\windows\winlogon.exe | c:\windows\system32\winlogon.exe

SkipFix::

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Hi elise, thanks for the help.

Here is the log for the CF-script.

Ryan

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

ComboFix 11-03-30.03 - Administrator -03-31 ??? 12:15:04.5.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.936.86.2052.18.1013.558 [GMT -4:00]

????: c:\documents and settings\Administrator\??\ComboFix.exe

Command switches used :: c:\documents and settings\Administrator\??\CFScript.txt

AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}

* ????????

.

- ?????? -

.

.

((((((((((((((((((((((((((((((((((((((( ?????? )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\winlogon.exe

.

.

--------------- FCopy ---------------

.

c:\windows\winlogon.exe --> c:\windows\system32\winlogon.exe

.

((((((((((((((((((((((((( 2011-02-28 ? 2011-03-31 ????? )))))))))))))))))))))))))))))))

.

.

2011-03-29 17:13 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-03-29 17:13 . 2011-03-29 17:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-03-29 17:13 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-03-27 01:22 . 2011-03-27 01:22 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL

2011-03-27 01:22 . 2011-03-27 01:22 125488 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2011-03-27 01:20 . 2011-03-27 01:22 -------- d-----w- c:\program files\Symantec

2011-03-27 00:54 . 2011-03-27 00:54 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2011-03-26 20:09 . 2011-03-26 20:09 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities

2011-03-26 18:02 . 2011-03-26 18:03 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2011-03-26 17:40 . 2011-03-26 18:20 -------- d-----w- c:\program files\Spybot - Search & Destroy

2011-03-26 17:40 . 2011-03-26 18:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2011-03-25 22:12 . 2011-03-25 22:12 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2011-03-23 03:21 . 2011-03-23 03:21 -------- d--h--w- c:\windows\PIF

2011-03-21 19:59 . 2011-03-21 19:59 -------- d-----w- c:\documents and settings\Administrator\.globus

2011-03-21 19:59 . 2011-03-21 20:00 -------- d-----w- c:\documents and settings\Administrator\.sshterm

.

.

(((((((((((((((((((((((((((((((((((((((( ??????????? ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-03-20 20:26 . 2010-11-09 23:04 3956 ----a-w- c:\windows\system32\PerfStringBackup.TMP

.

.

------- Sigcheck -------

.

[-] 2008-05-09 . 440EDA2420CFA1B3B2AB4725FC33825D . 493056 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

.

((((((((((((((((((((((((((((((((((((( ????? ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*??* ???????????????

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Google Update"="c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-03 135664]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-01-21 134656]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-01-21 166912]

"Persistence"="c:\windows\system32\igfxpers.exe" [2009-01-21 134656]

"Microsoft Pinyin IME Migration"="c:\progra~1\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE" [2008-11-03 33128]

"Google IME Autoupdater"="c:\program files\Google\Google Pinyin\GooglePinyinDaemon.exe" [2009-03-27 308720]

"RTHDCPL"="RTHDCPL.EXE" [2008-01-09 16859648]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-12-10 115560]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"nltide_3"="advpack.dll" [2009-03-07 128512]

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSMConfigurePrograms"= 1 (0x1)

"NoResolveTrack"= 1 (0x1)

.

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSMHelp"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

"NoResolveTrack"= 1 (0x1)

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0220804]

Ime File REG_SZ GOOGLEPINYIN.IME

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\srv6B8]

@="service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]

@="Service"

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]

2008-06-11 14:43 640376 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]

2008-06-11 18:25 37232 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2010-09-23 08:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FileZilla Server Interface]

2009-12-30 23:25 1208832 ----a-w- c:\program files\FileZilla Server\FileZilla Server Interface.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

2010-03-03 14:55 135664 ----atw- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"XLDoctor Services"=2 (0x2)

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=

"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=

"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=

"c:\\Program Files\\Xming\\Xming.exe"=

"c:\\Program Files\\Common Files\\Thunder Network\\DS\\Ver1\\1.0.2.69\\ThunderService.exe"=

"c:\\Program Files\\Common Files\\Thunder Network\\DS\\Ver1\\1.0.2.69\\ThunderLiveUD.exe"=

"c:\\Program Files\\Common Files\\Thunder Network\\DS\\Ver1\\1.0.2.69\\XLBugReport.exe"=

"c:\\Program Files\\FileZilla Server\\FileZilla Server Interface.exe"=

"c:\\Program Files\\MATLAB\\R2008a\\bin\\win32\\MATLAB.exe"=

"c:\\Program Files\\Thunder Network\\Thunder\\XLDoctor\\7.1.0.1962_1\\Program\\XLDoctorUI.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

"c:\\Program Files\\Thunder Network\\Thunder\\Program\\Thunder.exe"=

"c:\\Program Files\\Thunder Network\\Thunder\\XLDoctor\\7.1.4.2104_2\\Program\\XLDoctorUI.exe"=

"c:\\Program Files\\Thunder Network\\Thunder\\Program\\ThunderLiveUD.exe"=

"c:\\Program Files\\Common Files\\Thunder Network\\TP\\Ver1\\1.1.2.46_1111\\ThunderPlatform.exe"=

"c:\\Program Files\\Common Files\\Thunder Network\\TP\\Ver1\\1.1.2.46_1111\\ThunderLiveUD.exe"=

"c:\\Program Files\\Common Files\\Thunder Network\\TP\\Ver1\\1.1.2.46_1111\\XLBugReport.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

"14717:TCP"= 14717:TCP:BitComet 14717 TCP

"14717:UDP"= 14717:UDP:BitComet 14717 UDP

.

R2 KAVSafe;KAVSafe;c:\windows\system32\drivers\KAVSafe.sys [2010-5-1 19:18 60008]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-3-26 21:27 102448]

S2 srv6B8;srv6B8;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 8:00 14336]

S4 XLDoctor Services;XLDoctor Services;c:\program files\Thunder Network\Thunder\Program\DctSer.exe [2011-3-6 16:30 38704]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - HELPSVC

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

srv6B8

.


Unfortunately that didn't work as it should. Let's try it a little differently.

First repeat the steps below.

Please navigate on your clean computer to c:\windows\system32 and locate winlogon.exe. Right click this file and select Copy.

Insert a USB drive, open it and right click in an empty space, select Paste. This will copy winlogon.exe to your flash drive.

Put the USB drive in your infected computer, open it, right click on Winlogon.exe and select Copy.

Navigate to c:\windows, right click in an empty space and select Paste.

Your infected computer should now have the following file: c:\windows\winlogon.exe

If so, continue.

  1. Restart your computer
  2. Before Windows loads, you will be prompted to choose which Operating System to start
  3. Use the up and down arrow key to select Microsoft Windows Recovery Console
  4. You must enter which Windows installation to log onto. Type 1 and press enter.
  5. At the C:\Windows prompt, type the following bolded text, and press Enter:
    copy winlogon.exe system32\winlogon.exe
    When asked to overwrite, type Y and press enter.
  6. The command should then show 1 file(s) copied. At the next prompt type the following bolded text, and press Enter:
  7. At the next prompt type the following bolded text, and press Enter:
    exit

Windows will now begin loading.

Please rerun Combofix and post me the new log.


I will post that ASAP.

Thanks,

Ryan



Hi Elise,

Is there a possibility that the Windows XP on the "clean" one is not clean,

so that the winlogon.exe on the "clean" machine has been compromised already?

Do I need to check that on the "clean" machine?

Thanks,

Yan
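Ryan's question about the donor machine, and the FCopy::/Recovery Console replacement of winlogon.exe in elise's instructions above, both come down to one check: is the file being copied in the same patched copy ComboFix flagged? The script below is an added example, not code from this thread, ComboFix or Malwarebytes. It parses the Sigcheck line from the log posted above (the `[-]` marker, MD5, size and version are copied from that log) and compares a donor file's MD5 and size against the flagged entry; the donor values used when no path is given are constructed.

```python
import hashlib
import re

# Constructed sample: the Sigcheck section as it appears in the ComboFix log
# posted in this thread (hash, size and version copied from that log).
SAMPLE_LOG = """\
------- Sigcheck -------
.
[-] 2008-05-09 . 440EDA2420CFA1B3B2AB4725FC33825D . 493056 . . [5.1.2600.5512] . . c:\\windows\\system32\\winlogon.exe
.
"""

# One Sigcheck line: [flag] date . MD5 . size . . [version] . . path
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$"
)


def parse_sigcheck(log_text):
    """Return every Sigcheck entry in a ComboFix log as a dict."""
    entries = []
    for raw in log_text.splitlines():
        m = SIGCHECK_RE.match(raw.strip())
        if m:
            e = m.groupdict()
            e["md5"] = e["md5"].upper()
            e["size"] = int(e["size"])
            e["path"] = e["path"].lower()
            entries.append(e)
    return entries


def flagged_files(entries):
    """Entries ComboFix marked [-] (failed its signature check), keyed by path."""
    return {e["path"]: e for e in entries if e["flag"] == "-"}


def md5_and_size(path):
    """MD5 (upper-case hex) and byte size of a file on disk, read in chunks."""
    h = hashlib.md5()
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
            size += len(chunk)
    return h.hexdigest().upper(), size


def assess_donor(donor_md5, donor_size, flagged,
                 target=r"c:\windows\system32\winlogon.exe"):
    """Decide whether a donor copy may replace the flagged file.

    Returns (verdict, reason): 'reject' when the donor is byte-identical to
    the flagged copy, 'candidate' when it differs (the donor machine still
    has to pass its own check), 'no-action' when the log does not flag it.
    """
    bad = flagged.get(target.lower())
    if bad is None:
        return "no-action", "log does not flag %s" % target
    if donor_md5.upper() == bad["md5"]:
        return "reject", "donor MD5 equals the flagged file's; same patched copy"
    reason = "donor MD5 %s differs from flagged %s" % (donor_md5.upper(), bad["md5"])
    if donor_size == bad["size"]:
        # Patched system files often keep their size, so equal size on its own
        # says nothing; version and a clean scan on the donor machine decide.
        reason += "; sizes equal (%d bytes), so do not rely on size" % donor_size
    return "candidate", reason


if __name__ == "__main__":
    import sys
    flagged = flagged_files(parse_sigcheck(SAMPLE_LOG))
    if len(sys.argv) > 1:          # path to the winlogon.exe copied from the donor
        donor_md5, donor_size = md5_and_size(sys.argv[1])
    else:                           # constructed donor values for an offline run
        donor_md5, donor_size = "0" * 32, 500000
    print(assess_donor(donor_md5, donor_size, flagged))
```

A donor that only differs from the flagged hash is still just a candidate; the donor machine should produce its own ComboFix log with no `[-]` against winlogon.exe before the file is copied over.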



This topic is now closed to further replies.