Malware Trace and Trojan.BHO problem


Hi,

I've been infected by these files for a few days now and I would appreciate any help. Also, a file with the filename eltfzvjpqh.tmp is always created on my desktop no matter how many times I've deleted it. Hope someone can help. Thanks.

*** mbam log ***

Malwarebytes' Anti-Malware 1.51.0.1200

www.malwarebytes.org

Database version: 6763

Windows 6.1.7600

Internet Explorer 8.0.7600.16385

6/3/2011 3:20:48 PM

mbam-log-2011-06-03 (15-20-48).txt

Scan type: Quick scan

Objects scanned: 198779

Time elapsed: 6 minute(s), 24 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 4

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\Windows\System32\020000004226c8fb1270c.manifest (Malware.Trace) -> Quarantined and deleted successfully.

c:\Windows\System32\020000004226c8fb1270o.manifest (Malware.Trace) -> Quarantined and deleted successfully.

c:\Windows\System32\020000004226c8fb1270p.manifest (Malware.Trace) -> Quarantined and deleted successfully.

c:\Windows\System32\020000004226c8fb1270s.manifest (Malware.Trace) -> Quarantined and deleted successfully.

*** DDS log ***

.

DDS (Ver_2011-06-03.01) - NTFSx86

Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_20

Run by 14102 at 15:23:17 on 2011-06-03

Microsoft Windows 7 Enterprise 6.1.7600.0.1252.1.1033.18.3070.1465 [GMT -5:00]

.

AV: McAfee VirusScan Enterprise *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\wininit.exe

C:\WINDOWS\system32\lsm.exe

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

C:\WINDOWS\system32\ibmpmsvc.exe

C:\WINDOWS\system32\nvvsvc.exe

C:\WINDOWS\system32\svchost.exe -k RPCSS

C:\WINDOWS\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\WINDOWS\system32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\Windows\system32\WUDFHost.exe

C:\WINDOWS\system32\nvvsvc.exe

C:\Windows\system32\WUDFHost.exe

C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\System32\spoolsv.exe

C:\WINDOWS\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\WINDOWS\system32\svchost.exe -k WbioSvcGroup

C:\WINDOWS\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\SafeBoot\SbClientManager.exe

C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe

C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe

C:\WINDOWS\system32\AEADISRV.EXE

C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe

C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE

C:\Program Files\Juniper Networks\Common Files\dsNcService.exe

C:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe

C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe

C:\ProgramData\WudfUpdate_0100932.exe

C:\Program Files\Lotus\Notes\nsd.exe

C:\Program Files\Lotus\Notes\nslsvice.exe

C:\Program Files\McAfee\SiteAdvisor Enterprise\McSACore.exe

C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

C:\WINDOWS\system32\mfevtps.exe

C:\Program Files\McAfee\Common Framework\naPrdMgr.exe

C:\Program Files\Lotus\Notes\ntmulti.exe

C:\Program Files\Nortel\Nortel VPN Client\NvcSvcMgr.exe

C:\WINDOWS\system32\svchost.exe -k regsvc

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\Program Files\Lenovo\Access Connections\AcSvc.exe

C:\WINDOWS\system32\CCM\CcmExec.exe

C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe

C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe

C:\WINDOWS\system32\conhost.exe

C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe

C:\WINDOWS\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\system32\taskhost.exe

C:\WINDOWS\system32\Dwm.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Windows\System32\TpShocks.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Windows\System32\rundll32.exe

C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe

C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe

C:\Program Files\Lenovo\Zoom\TpScrex.exe

C:\Program Files\SafeBoot Tray Manager\SbTrayManager.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program Files\SafeBoot\SbTokWatch.exe

C:\Program Files\McAfee\Common Framework\UdaterUI.exe

C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Lenovo\Access Connections\ACTray.exe

C:\Program Files\Citrix\ICA Client\concentr.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Citrix\ICA Client\wfcrun32.exe

C:\Program Files\ZoneTick\zonetick.exe

C:\Program Files\McAfee\Common Framework\McTray.exe

C:\Program Files\Microsoft Office Communicator\communicator.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Lenovo\System Update\SUService.exe

C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe

C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\WINDOWS\System32\svchost.exe -k LocalServicePeerNet

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Program Files\EMC SourceOne\Offline Access\ExOAAgent.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\winethc32.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Users\14102\Desktop\Ultra\uedit32.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\WINDOWS\system32\SearchFilterHost.exe

C:\WINDOWS\system32\conhost.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://google.com/

uDefault_Page_URL = hxxp://www.lawson.com/

mDefault_Page_URL = hxxp://my.yahoo.com/linksys

mStart Page = hxxp://my.yahoo.com/linksys

uURLSearchHooks: H - No File

uURLSearchHooks: YTNavAssist.YTNavAssistPlugin Class: {81017ea9-9aa8-4a6a-9734-7af40e7d593f} - c:\program files\yahoo!\companion\installs\cpn0\YTNavAssist.dll

mURLSearchHooks: H - No File

BHO: {015776db-6008-40b2-9d01-fd2754d89d82} - c:\windows\system32\api-ms-win-core-errorhandling-l1-1-032.dll

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: 4e6aa47e: {271c2136-ab82-8e72-5750-55a8f9d3d263} - c:\programdata\api-ms-win-core-errorhandling-l1-1-032.dll

BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll

BHO: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - c:\program files\search toolbar\SearchToolbar.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\program files\mcafee\siteadvisor enterprise\McIEPlg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\program files\mcafee\siteadvisor enterprise\McIEPlg.dll

TB: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - c:\program files\search toolbar\SearchToolbar.dll

TB: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - No File

TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll

TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File

uRun: [ZoneTick] c:\program files\zonetick\zonetick.exe

uRun: [COMMUNICATOR] "c:\program files\microsoft office communicator\Communicator.exe" /silentRetrials /background

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized

uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messenger\YahooMessenger.exe" -quiet

mRun: [shStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE

mRun: [synTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe

mRun: [nwiz] nwiz.exe /install

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [TpShocks] TpShocks.exe

mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [PWMTRV] rundll32 c:\progra~1\thinkpad\utilit~1\PWMTR32V.DLL,PwrMgrBkGndMonitor

mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe

mRun: [AcWin7Hlpr] c:\program files\lenovo\access connections\AcTBenabler.exe

mRun: [safeBootTrayManager] "c:\program files\safeboot tray manager\SbTrayManager.exe"

mRun: [safeBootTokenWatcher] "c:\program files\safeboot\SbTokWatch.exe"

mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey

mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"

mRun: [nmapp] "c:\program files\pure networks\network magic\nmapp.exe" -autorun -nosplash

mRun: [PSQLLauncher] "c:\program files\thinkvantage fingerprint software\launcher.exe" /startup

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [ACTray] c:\program files\lenovo\access connections\ACTray.exe

mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup

mRun: [<NO NAME>]

mRun: [NVC] "c:\program files\nortel\nortel vpn client\Nvc.exe" -autostart

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\thinkpad\bluetooth software\BTTray.exe

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\windows\installer\{90120000-0011-0000-0000-0000000ff1ce}\outicon.exe

uPolicies-explorer: DisallowCpl = 2 (0x2)

uPolicies-explorer: HideSCAHealth = 1 (0x1)

uPolicies-explorer: NoWindowsUpdate = 1 (0x1)

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableInstallerDetection = 0 (0x0)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableSecureUIAPaths = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

mPolicies-system: EnableVirtualization = 0 (0x0)

mPolicies-system: PromptOnSecureDesktop = 0 (0x0)

mPolicies-system: DisableCAD = 1 (0x1)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000

IE: Send image to &Bluetooth Device... - c:\program files\thinkpad\bluetooth software\btsendto_ie_ctx.htm

IE: Send page to &Bluetooth Device... - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm

IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL

Trusted Zone: force.com

Trusted Zone: lawson.com\password

Trusted Zone: salesforce.com

DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab

DPF: {2A0B9B82-D5C8-4D3D-8338-AD55B23662B1} - file://C:/Program Files/F5 VPN/F5_TMP/cachecleaner.cab

DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} - hxxps://vpn.us.lawson.com/vdesk/terminal/urxvpn.cab#version=6031,2010,1215,1100

DPF: {38135E75-34A9-49EC-B83D-9F9A31877CA0} - hxxps://community.intentia.com/Lawson/StepWise/28372/US28372.nsf/DLIUploaderV2.CAB

DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} - hxxps://vpn.us.lawson.com/vdesk/terminal/f5tunsrv.cab#version=6031,2010,1215,1053

DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} - hxxps://vpn.us.lawson.com/vdesk/terminal/InstallerControl.cab#version=6031,2010,0617,2017

DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://sslvpn.ccsd.k12.co.us/CACHE/stc/2/binaries/vpnweb.cab

DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} - file://C:/Program Files/F5 VPN/F5_TMP/f5InspectionHost.cab

DPF: {705EC6D4-B138-4079-A307-EF13E4889A82} - hxxps://sslvpn.ccsd.k12.co.us/CACHE/sdesktop/install/binaries/instweb.cab

DPF: {759FD3DE-F0EF-4A76-909C-88CF840D4173} - hxxp://isdocumentum02.lawson.com:8080/webtop/wdk/native/WdkPluginCab.CAB

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_16-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} - hxxps://vpn.us.lawson.com/vdesk/terminal/urxshost.cab#version=6031,2010,617,2010

DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://lawson.webex.com/client/T27L10NSP11EP14/webex/ieatgpc1.cab

DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} - hxxps://vpn.us.lawson.com/vdesk/terminal/urxhost.cab#version=6031,2010,902,806

DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://sg.jhsmiami.org/dana-cached/sc/JuniperSetupClient.cab

DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100

TCP: DhcpNameServer = 192.168.1.254

TCP: Interfaces\{1C15B1CB-C3D9-481E-B1E8-60EEA7917DEC} : DhcpNameServer = 192.168.1.254

TCP: Interfaces\{1C15B1CB-C3D9-481E-B1E8-60EEA7917DEC}\3496479702F66602D496E6E6561607F6C6963702055726C696360275966496 : DhcpNameServer = 206.55.176.52 206.55.176.53

TCP: Interfaces\{1C15B1CB-C3D9-481E-B1E8-60EEA7917DEC}\679607375796475623830323 : DhcpNameServer = 192.168.2.1

TCP: Interfaces\{1C15B1CB-C3D9-481E-B1E8-60EEA7917DEC}\7416469616 : DhcpNameServer = 10.0.0.60 68.87.77.134 68.87.72.134

TCP: Interfaces\{1C15B1CB-C3D9-481E-B1E8-60EEA7917DEC}\A425F4D425F657475627 : DhcpNameServer = 192.168.11.1

TCP: Interfaces\{1C15B1CB-C3D9-481E-B1E8-60EEA7917DEC}\C475640313 : DhcpNameServer = 10.0.0.60 10.0.0.61

TCP: Interfaces\{31AD24DE-F3F6-4CDD-B661-60EF751E4DE4} : NameServer = 162.96.6.12,162.96.6.15

TCP: Interfaces\{AB096D68-F5C5-4D48-8201-8A160D66B4FD} : DhcpNameServer = 10.0.0.60 10.0.0.61

Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\program files\mcafee\siteadvisor enterprise\McIEPlg.dll

Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\program files\mcafee\siteadvisor enterprise\McIEPlg.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: psfus - c:\program files\thinkvantage fingerprint software\psqlpwd.dll

AppInit_DLLs: c:\programdata\api-ms-win-core-errorhandling-l1-1-032.dll

LSA: Notification Packages = SbNp scecli ACGina c:\program files\thinkvantage fingerprint software\psqlpwd.dll

mASetup: >{Z-DesktopBackground} - reg add "HKCU\Control Panel\Desktop" /v Wallpaper /d "c:\windows\web\wallpaper\windows\background.jpg" /f

Hosts: 10.13.20.104 gscdev.pssc.org

================= FIREFOX ===================

.

FF - ProfilePath - c:\users\14102\appdata\roaming\mozilla\firefox\profiles\mt3wmfsy.default\

FF - prefs.js: network.proxy.type - 0

FF - component: c:\program files\mcafee\siteadvisor enterprise\components\McFFPlg.dll

FF - component: c:\program files\pc tools security\bdt\firefox\platform\winnt_x86-msvc\components\libheuristic.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll

FF - plugin: c:\users\14102\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll

FF - plugin: c:\users\14102\appdata\roaming\mozilla\firefox\profiles\mt3wmfsy.default\extensions\{dbbb3167-6e81-400f-bbfd-bd8921726f52}\plugins\NPuroamHost.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: McAfee SiteAdvisor Enterprise: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\mcafee\SiteAdvisor Enterprise

FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}

FF - Ext: F5 Networks Host Plugin: {DBBB3167-6E81-400f-BBFD-BD8921726F52} - %profile%\extensions\{DBBB3167-6E81-400f-BBFD-BD8921726F52}

FF - Ext: Yontoo Layers: plugin@yontoo.com - %profile%\extensions\plugin@yontoo.com

FF - Ext: XUL Cache: {675b9c1c-b28f-453f-8ef4-d3e7fec14969} - %profile%\extensions\{675b9c1c-b28f-453f-8ef4-d3e7fec14969}

FF - Ext: XUL Cache: {16362805-e4c7-48e4-8a84-090ee9a45ac4} - %profile%\extensions\{16362805-e4c7-48e4-8a84-090ee9a45ac4}

FF - Ext: XUL Cache: {678f3d58-fd57-4554-9950-4b3c7298ad54} - %profile%\extensions\{678f3d58-fd57-4554-9950-4b3c7298ad54}

FF - Ext: XUL Cache: {7a87c9db-8d8a-4ef9-9700-86581cbc067e} - %profile%\extensions\{7a87c9db-8d8a-4ef9-9700-86581cbc067e}

FF - Ext: XUL Cache: {cf90b3c3-2ed9-4dee-80f2-152db8b708d7} - %profile%\extensions\{cf90b3c3-2ed9-4dee-80f2-152db8b708d7}

FF - Ext: XUL Cache: {2858b894-c86c-4d53-bcc8-61767d53c3e3} - %profile%\extensions\{2858b894-c86c-4d53-bcc8-61767d53c3e3}

FF - Ext: XUL Cache: {6050394d-27cc-43f3-a439-b62371ad9cec} - %profile%\extensions\{6050394d-27cc-43f3-a439-b62371ad9cec}

FF - Ext: XUL Cache: {b1cab3d4-65d9-40dc-bcc4-ff06d3826cc6} - %profile%\extensions\{b1cab3d4-65d9-40dc-bcc4-ff06d3826cc6}

.

============= SERVICES / DRIVERS ===============

.

R0 DozeHDD;DozeHDD;c:\windows\system32\drivers\DOZEHDD.SYS [2011-1-2 24304]

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-7-28 343920]

R0 SBAlg;SBAlg;c:\windows\system32\drivers\SbAlg.sys [2008-8-13 44976]

R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [2009-11-24 6496]

R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2009-6-29 20520]

R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2009-9-8 65584]

R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [2010-9-14 13480]

R1 RsvLock;RsvLock;c:\windows\system32\drivers\RsvLock.sys [2009-11-24 33328]

R1 SbFlop;SbFlop;c:\windows\system32\drivers\SbFlop.sys [2009-11-24 34480]

R1 SbRegFlt;SbRegFlt;c:\windows\system32\drivers\SbRegFlt.sys [2009-11-24 14664]

R2 DozeSvc;Lenovo Doze Mode Service;c:\program files\thinkpad\utilities\DOZESVC.EXE [2011-1-2 132456]

R2 nvcwfpco;nvcwfpco;c:\windows\system32\drivers\nvcwfpco.sys [2009-8-6 68176]

R2 smihlp;SMI Helper Driver (smihlp);c:\program files\thinkvantage fingerprint software\smihlp.sys [2009-3-13 12560]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-5-4 22712]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-7-28 91832]

R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-7-28 43288]

R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]

R3 NT_NvcA;Nortel VPN Adapter;c:\windows\system32\drivers\ntnvca.sys [2009-8-6 40016]

R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]

R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]

R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]

R3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\drivers\covpnwlh.sys [2009-10-9 34944]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

S3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-4-14 45736]

S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2011-1-2 29736]

S3 f5ipfw;F5 Networks StoneWall Filter;c:\windows\system32\drivers\urfltwlh.sys [2010-7-28 13952]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-5-4 39984]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-7-28 66600]

.

=============== File Associations ===============

.

.txt=UltraEdit.txt

.

=============== Created Last 30 ================

.

2011-06-03 20:20:50 54016 ----a-w- c:\windows\system32\drivers\ymltji.sys

2011-06-03 14:59:32 54016 ----a-w- c:\windows\system32\drivers\chnyl.sys

2011-06-03 02:36:01 -------- d--h--w- c:\windows\PIF

2011-06-01 05:48:49 -------- d-----w- c:\program files\Trend Micro

2011-05-31 23:38:14 -------- d-----w- c:\program files\PC Tools Security

2011-05-31 23:36:47 -------- d-----w- c:\programdata\PC Tools

2011-05-29 23:07:13 776704 ----a-w- c:\programdata\WudfUpdate_0100932.exe

2011-05-29 23:07:12 167936 ----a-w- c:\programdata\api-ms-win-core-errorhandling-l1-1-032.dll

2011-05-29 23:07:09 776704 ----a-w- c:\windows\system32\winethc32.exe

2011-05-29 23:06:59 365568 ----a-w- c:\windows\system32\api-ms-win-core-errorhandling-l1-1-032.dll

2011-05-20 15:00:54 -------- d-----w- c:\users\14102\Calibre Library

2011-05-18 00:08:00 -------- d-----w- c:\program files\Minilyrics

2011-05-18 00:00:09 -------- d-----w- c:\program files\Yontoo Layers

2011-05-18 00:00:08 -------- d-----w- c:\programdata\Tarma Installer

2011-05-06 01:03:26 1034240 ----a-w- c:\windows\system32\mstsc.exe

2011-05-06 01:03:25 2690560 ----a-w- c:\windows\system32\mstscax.dll

2011-05-06 01:01:21 534528 ----a-w- c:\windows\system32\EncDec.dll

2011-05-06 01:01:20 850432 ----a-w- c:\windows\system32\sbe.dll

2011-05-06 01:01:20 642048 ----a-w- c:\windows\system32\CPFilters.dll

2011-05-06 01:01:19 199680 ----a-w- c:\windows\system32\mpg2splt.ax

2011-05-06 00:57:08 69632 ----a-w- c:\windows\system32\drivers\bowser.sys

2011-05-06 00:57:07 95744 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys

2011-05-06 00:57:06 221696 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys

2011-05-06 00:57:06 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-05-06 00:56:47 311296 ----a-w- c:\windows\system32\drivers\srv.sys

2011-05-06 00:56:46 309760 ----a-w- c:\windows\system32\drivers\srv2.sys

2011-05-06 00:56:46 113664 ----a-w- c:\windows\system32\drivers\srvnet.sys

2011-05-06 00:56:30 541184 ----a-w- c:\windows\system32\kerberos.dll

2011-05-06 00:56:10 2331136 ----a-w- c:\windows\system32\win32k.sys

2011-05-06 00:49:33 1164288 ----a-w- c:\windows\system32\mfc42u.dll

2011-05-06 00:49:32 1137664 ----a-w- c:\windows\system32\mfc42.dll

2011-05-06 00:46:46 28672 ----a-w- c:\windows\system32\dnscacheugc.exe

2011-05-06 00:46:45 132608 ----a-w- c:\windows\system32\dnsrslvr.dll

2011-05-06 00:46:35 191488 ----a-w- c:\windows\system32\FXSCOVER.exe

2011-05-06 00:46:23 428032 ----a-w- c:\windows\system32\vbscript.dll

2011-05-06 00:46:12 34304 ----a-w- c:\windows\system32\atmlib.dll

2011-05-06 00:46:12 294912 ----a-w- c:\windows\system32\atmfd.dll

2011-05-06 00:46:00 740864 ----a-w- c:\windows\system32\inetcomm.dll

2011-05-06 00:44:32 3901824 ----a-w- c:\windows\system32\ntoskrnl.exe

2011-05-06 00:44:32 1289536 ----a-w- c:\windows\system32\ntdll.dll

2011-05-06 00:44:31 3957120 ----a-w- c:\windows\system32\ntkrnlpa.exe

2011-05-06 00:21:48 -------- d-----w- C:\SMSTAG

2011-05-06 00:21:47 -------- d-----w- c:\program files\BGInfo

2011-05-06 00:19:52 -------- d-----w- c:\windows\ms

.

==================== Find3M ====================

.

2011-05-29 14:11:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-29 14:11:20 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

.

=================== ROOTKIT ====================

.

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 6.1.7600 Disk: FUJITSU_MHW2080BH_PL rev.0084001E -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0

.

device: opened successfully

user: MBR read successfully

.

Disk trace:

called modules: >>UNKNOWN [0x82C1C000]<< >>UNKNOWN [0x8BABA000]<< >>UNKNOWN [0x8BAA9000]<< >>UNKNOWN [0x8B282000]<< >>UNKNOWN [0x8302C000]<< >>UNKNOWN [0x833AE000]<< >>UNKNOWN [0x8B38F000]<< >>UNKNOWN [0x8B396000]<< >>UNKNOWN [0x8B3E8000]<<

_asm { DEC EBP; POP EDX; NOP ; ADD [EBX], AL; ADD [EAX], AL; ADD [EAX+EAX], AL; ADD [EAX], AL; }

1 ntkrnlpa!IofCallDriver[0x82C58448] -> \Device\Harddisk0\DR0[0x865DAAC8]

\Driver\Disk[0x865D8130] -> IRP_MJ_CREATE -> 0x8BABE39F

3 [0x8BABE59E] -> ntkrnlpa!IofCallDriver[0x82C58448] -> [0x8648B918]

\Driver\ACPI[0x85747780] -> IRP_MJ_CREATE -> 0x8B28B4AA

5 [0x8B28B3B2] -> ntkrnlpa!IofCallDriver[0x82C58448] -> \Device\Ide\IdeDeviceP0T0L0-0[0x857F1580]

\Driver\atapi[0x864CC370] -> IRP_MJ_CREATE -> 0x833C88C4

kernel: MBR read successfully

_asm { CLI ; JMP 0x26; }

user & kernel MBR OK

Warning: possible TDL3 rootkit infection !

.

============= FINISH: 15:25:01.68 ===============

*** Attach.txt ***

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-06-03.01)

.

Microsoft Windows 7 Enterprise

Boot Device: \Device\HarddiskVolume1

Install Date: 1/2/2011 10:08:25 PM

System Uptime: 6/3/2011 9:33:24 AM (6 hours ago)

.

Motherboard: LENOVO | | 64574UA

Processor: Intel® Core2 Duo CPU T7300 @ 2.00GHz | None | 1180/200mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 75 GiB total, 22.456 GiB free.

D: is CDROM ()

.

==== Disabled Device Manager Items =============

.

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}

Description: Cisco AnyConnect VPN Virtual Miniport Adapter for Windows

Device ID: ROOT\NET\0002

Manufacturer: Cisco Systems

Name: Cisco AnyConnect VPN Virtual Miniport Adapter for Windows

PNP Device ID: ROOT\NET\0002

Service: vpnva

.

==== System Restore Points ===================

.

RP587: 5/20/2011 9:55:59 AM - Installed calibre

RP588: 5/27/2011 5:24:11 PM - Scheduled Checkpoint

RP589: 5/31/2011 7:21:50 PM - Removed calibre

RP590: 6/1/2011 12:48:26 AM - Installed HiJackThis

RP591: 6/1/2011 5:10:44 PM - Removed HiJackThis

.

==== Installed Programs ======================

.

2007 Microsoft Office Suite Service Pack 2 (SP2)

Adobe Flash Player 10 ActiveX

Adobe Flash Player 10 Plugin

Adobe Reader 9.4.4

AviSynth 2.5

CCleaner

Cisco AnyConnect VPN Client

Cisco Network Magic

Citrix online plug-in - web

Citrix online plug-in (DV)

Citrix online plug-in (HDX)

Citrix online plug-in (USB)

Citrix online plug-in (Web)

Computer Information Tool

Conduit Engine

Configuration Manager Client

DirectXInstallService

Drag-to-Disc

EMC SourceOne Offline Access

F5 Networks VPN Client for Windows

FileZilla Client 3.3.5.1

iPassConnect

J2SE Runtime Environment 5.0 Update 16

Java 6 Update 20

Juniper Networks Cache Cleaner 6.5.0

Juniper Networks Network Connect 6.5.0

Juniper Networks Setup Client

Juniper Terminal Services Client

K-Lite Codec Pack 6.5.0 (Basic)

Lawson Document Wizard 1.1.0

Lawson Interface Desktop (200805) 9.0.1.2

Lawson PowerPoint Wizard 1.0.5.7

Lawson ProcessFlow Designer 9.0.0.3

Lenovo System Interface Driver

Lotus Notes 8.5

Malwarebytes' Anti-Malware version 1.51.0.1200

McAfee Agent

McAfee SiteAdvisor Enterprise Plus

McAfee VirusScan Enterprise

Microsoft .NET Framework 4 Client Profile

Microsoft Office Access MUI (English) 2007

Microsoft Office Access Setup Metadata MUI (English) 2007

Microsoft Office Communicator 2007

Microsoft Office Excel MUI (English) 2007

Microsoft Office IME (Chinese (Simplified)) 2007

Microsoft Office IME (Chinese (Traditional)) 2007

Microsoft Office IME (Japanese) 2007

Microsoft Office IME (Korean) 2007

Microsoft Office InfoPath MUI (English) 2007

Microsoft Office Outlook MUI (English) 2007

Microsoft Office PowerPoint MUI (English) 2007

Microsoft Office Professional Plus 2007

Microsoft Office Proof (Arabic) 2007

Microsoft Office Proof (Basque) 2007

Microsoft Office Proof (Bulgarian) 2007

Microsoft Office Proof (Catalan) 2007

Microsoft Office Proof (Chinese (Simplified)) 2007

Microsoft Office Proof (Chinese (Traditional)) 2007

Microsoft Office Proof (Croatian) 2007

Microsoft Office Proof (Czech) 2007

Microsoft Office Proof (Danish) 2007

Microsoft Office Proof (Dutch) 2007

Microsoft Office Proof (English) 2007

Microsoft Office Proof (Estonian) 2007

Microsoft Office Proof (Finnish) 2007

Microsoft Office Proof (French) 2007

Microsoft Office Proof (Galician) 2007

Microsoft Office Proof (German) 2007

Microsoft Office Proof (Greek) 2007

Microsoft Office Proof (Gujarati) 2007

Microsoft Office Proof (Hebrew) 2007

Microsoft Office Proof (Hindi) 2007

Microsoft Office Proof (Hungarian) 2007

Microsoft Office Proof (Italian) 2007

Microsoft Office Proof (Japanese) 2007

Microsoft Office Proof (Kannada) 2007

Microsoft Office Proof (Korean) 2007

Microsoft Office Proof (Latvian) 2007

Microsoft Office Proof (Lithuanian) 2007

Microsoft Office Proof (Marathi) 2007

Microsoft Office Proof (Norwegian (Bokm

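The DDS output above is the kind of log a helper reads by eye, looking for a handful of well-known red flags: a DLL in AppInit_DLLs (loaded into every process that links user32), a BHO with no display name or a random-looking one, libraries loaded from c:\programdata rather than Program Files or System32, policy values that switch off UAC or hide Windows Update, and recently created drivers with random names and identical sizes. As an added illustration, not part of the original post and not Malwarebytes' or DDS's own tooling, the Python script below applies those heuristics to a constructed sample of lines modelled on entries in the posted log. The rule names, the WEAK_POLICIES table and the sample lines are my own assumptions; the heuristics produce leads for a human to verify, not verdicts.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of DDS output lines, modelled on entries in the posted log
# (a few "Pseudo HJT Report" and "Created Last 30" lines, not the full log).
SAMPLE_DDS = r"""
BHO: {015776db-6008-40b2-9d01-fd2754d89d82} - c:\windows\system32\api-ms-win-core-errorhandling-l1-1-032.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: 4e6aa47e: {271c2136-ab82-8e72-5750-55a8f9d3d263} - c:\programdata\api-ms-win-core-errorhandling-l1-1-032.dll
mRun: [<NO NAME>]
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
uPolicies-explorer: NoWindowsUpdate = 1 (0x1)
AppInit_DLLs: c:\programdata\api-ms-win-core-errorhandling-l1-1-032.dll
2011-06-03 20:20:50 54016 ----a-w- c:\windows\system32\drivers\ymltji.sys
2011-06-03 14:59:32 54016 ----a-w- c:\windows\system32\drivers\chnyl.sys
2011-05-06 00:56:47 311296 ----a-w- c:\windows\system32\drivers\srv.sys
2011-05-06 00:56:30 541184 ----a-w- c:\windows\system32\kerberos.dll
"""

# Policy settings whose listed value weakens a built-in defence (assumed list).
WEAK_POLICIES = {
    "EnableLUA": "0",              # UAC switched off entirely
    "PromptOnSecureDesktop": "0",  # UAC prompts no longer isolated on the secure desktop
    "NoWindowsUpdate": "1",        # Windows Update hidden from the user
}

# Line shapes as DDS prints them; the display name of a BHO is optional.
BHO_RE = re.compile(r"^BHO: (?:(?P<name>.*?): )?\{(?P<clsid>[0-9a-f-]+)\} - (?P<path>.+)$", re.I)
HEX_NAME_RE = re.compile(r"^[0-9a-f]{6,}$", re.I)
POLICY_RE = re.compile(r"^[um]Policies-\w+: (?P<key>\w+) = (?P<val>\d+)")
APPINIT_RE = re.compile(r"^AppInit_DLLs: \S")
CREATED_SYS_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (?P<size>\d+) \S+ (?P<path>.+\.sys)$", re.I)


def triage(text):
    """Return a list of (rule, evidence) findings for the DDS lines in `text`."""
    findings = []
    drivers_by_size = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = BHO_RE.match(line)
        if m:
            name, path = m.group("name"), m.group("path")
            # Real BHOs carry a product name; a missing or hex-blob name is a lead.
            if name is None or HEX_NAME_RE.match(name):
                findings.append(("bho-unnamed-or-random-name", line))
            # Browser helpers normally live under Program Files or System32.
            if path.lower().startswith(r"c:\programdata"):
                findings.append(("bho-loaded-from-programdata", line))
            continue
        m = POLICY_RE.match(line)
        if m:
            if WEAK_POLICIES.get(m.group("key")) == m.group("val"):
                findings.append(("policy-weakened", line))
            continue
        if APPINIT_RE.match(line):
            # Any non-empty AppInit_DLLs value deserves a look; it is injected system-wide.
            findings.append(("appinit-dll-set", line))
            continue
        m = CREATED_SYS_RE.match(line)
        if m:
            drivers_by_size[m.group("size")].append(m.group("path"))
    # Two recently created drivers of identical size under different names is a
    # classic sign of a dropper rewriting the same component under random names.
    for size, paths in drivers_by_size.items():
        if len(paths) > 1:
            findings.append(("same-size-recent-drivers", f"{size} bytes: " + ", ".join(paths)))
    return findings


def count_by_rule(findings):
    """Summarise findings as {rule: count}."""
    return dict(Counter(rule for rule, _ in findings))


if __name__ == "__main__":
    for rule, evidence in triage(SAMPLE_DDS):
        print(f"[{rule}] {evidence}")
```

On the constructed sample the script reports the two unnamed or hex-named BHOs, the DLL under c:\programdata, the two weakened policies, the AppInit_DLLs entry and the pair of same-size drivers; everything it flags still has to be confirmed by hand, since a vendor with an odd product name or a legitimately updated driver pair will trip the same rules.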

  • Staff

Hi,

  • Download the file TDSSKiller.zip and extract it into a folder on the infected PC.
  • Execute the file TDSSKiller.exe by double-clicking on it.
  • Wait for the scan and disinfection process to be over.
  • When its work is over, the utility prompts for a reboot to complete the disinfection.

By default, the utility writes its runtime log to the root directory of the system disk (the disk where the operating system is installed, C:\ as a rule).

The log is named UtilityName.Version_Date_Time_log.txt, for example C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt.

Please post that log here.

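After several runs of the tool a root directory can hold more than one TDSSKiller log, and the naming scheme above (version, then day.month.year, then hour.minute.second) is what tells them apart. As an added example, not part of the staff reply and not Kaspersky's or Malwarebytes' own code, the Python below parses that naming scheme and picks the most recent log from a directory listing. The listing is constructed from the page's own example name plus assumed names from a hypothetical 2.5.1 build; `newest_log_in` is the only function that touches a real directory.

```python
import os
import re
from datetime import datetime

# TDSSKiller log names follow UtilityName.Version_Date_Time_log.txt, e.g.
# TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt (day.month.year and hour.minute.second).
LOG_NAME_RE = re.compile(
    r"^TDSSKiller\.(?P<version>\d+(?:\.\d+)*)_"
    r"(?P<date>\d{2}\.\d{2}\.\d{4})_(?P<time>\d{2}\.\d{2}\.\d{2})_log\.txt$"
)


def parse_log_name(name):
    """Return (version, datetime) for a TDSSKiller log file name, or None if it is not one."""
    m = LOG_NAME_RE.match(name)
    if not m:
        return None
    stamp = datetime.strptime(f"{m.group('date')} {m.group('time')}", "%d.%m.%Y %H.%M.%S")
    return m.group("version"), stamp


def newest_log(names):
    """Pick the most recent TDSSKiller log from a list of file names (None if none match)."""
    best = None
    for name in names:
        parsed = parse_log_name(name)
        if parsed and (best is None or parsed[1] > best[1]):
            best = (name, parsed[1])
    return best[0] if best else None


def newest_log_in(directory="C:\\"):
    """Same selection over a real directory; the system disk root is the default location."""
    return newest_log(os.listdir(directory))


# Constructed directory listing: the page's example name, two assumed newer runs from a
# hypothetical 2.5.1 build, and unrelated files that must be ignored.
SAMPLE_ROOT_LISTING = [
    "TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt",
    "mbam-log-2011-06-03 (15-20-48).txt",
    "TDSSKiller.2.5.1_03.06.2011_15.40.05_log.txt",
    "TDSSKiller.2.5.1_03.06.2011_16.02.10_log.txt",
    "pagefile.sys",
]

if __name__ == "__main__":
    print(newest_log(SAMPLE_ROOT_LISTING))
```

Sorting on the parsed timestamp rather than on the raw string matters because the date is written day-first: a plain lexical sort would place "03.06.2011" before "20.12.2009".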

  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
