
PC with XP SP 3 infected



Symantec Enterprise 10 flagged a virus on networked PC.

At the PC, I found no icons on desktop, no task manager, and the local drive appeared empty.

Ran:

ATF-Cleaner

CWSHREDDER

HijackThis!

15 Kaspersky tools

ESET online scanner

Malwarebytes

Unhide

D.D.S.

GMER Rootkit

The DDS log follows and attach.txt and ark.txt are attached.

Thanks for any and all assistance.

Stephen

.

DDS (Ver_2011-06-03.01) - NTFSx86 NETWORK

Internet Explorer: 8.0.6001.18702

Run by guest1 at 13:43:01 on 2011-06-08

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.716 [GMT -4:00]

.

AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\slagent.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\05g79o7n.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [vptray] c:\progra~1\symant~1\VPTray.exe

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [Alcmtr] ALCMTR.EXE

mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"

mRun: [KL AntiFunLove] c:\windows\system32\flcss.exe

mRunOnce: [uninstall Adobe Download Manager] "c:\program files\nos\bin\getPlusUninst_Adobe.exe" /Get1noarp

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1259768391859

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100

TCP: DhcpNameServer = 10.168.1.17 10.168.1.16

TCP: Interfaces\{35338D0A-9600-4A7B-A838-F0D02A68630C} : DhcpNameServer = 10.168.1.17 10.168.1.16

Notify: igfxcui - igfxdev.dll

Notify: LMIinit - LMIinit.dll

Hosts: 127.0.0.1 www.spywareinfo.com

.

============= SERVICES / DRIVERS ===============

.

S1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-12-19 337592]

S1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-12-19 54968]

S2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-3-7 192160]

S2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-3-7 169632]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-1-18 136176]

S2 ImcGeneral46;IMC General 4.6;c:\windows\system32\ImcGen46.exe [2006-3-8 311296]

S2 KLAntiFL;KLAntiFL;c:\windows\system32\flcss.sys [2011-6-8 12714]

S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-12-27 374152]

S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2010-1-27 12856]

S2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-9-1 47640]

S2 PEVSystemStart;PEVSystemStart;"c:\sdr\pev.cfxxe" exec /i "c:\sdr\regt.cfxxe" /s "c:\sdr\cregb.dat" --> c:\sdr\PEV.cfxxe [?]

S2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-3-17 115952]

S2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-3-17 1799408]

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-5-16 105592]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-1-18 136176]

S3 HDDirect;Hard Disk Direct Control;c:\windows\system32\drivers\hddirect.sys [2011-6-8 12552]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-6-8 39984]

S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110606.002\naveng.sys [2011-6-6 86008]

S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110606.002\navex15.sys [2011-6-6 1542392]

S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2004-8-4 14336]

S4 LMIRfsClientNP;LMIRfsClientNP; [x]

.

=============== Created Last 30 ================

.

2011-06-08 17:42:52 607222 ------r- C:\dds.scr

2011-06-08 17:41:14 50477 ----a-w- C:\Defogger.exe

2011-06-08 17:36:33 302592 ----a-w- C:\05g79o7n.exe

2011-06-08 17:07:27 606105 ----a-w- C:\unhide.exe

2011-06-08 16:53:01 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-06-08 16:51:06 135232 ----a-w- c:\windows\system32\flcss.exe

2011-06-08 16:51:06 0 ----a-w- c:\windows\system32\bride.exe

2011-06-08 16:51:06 0 ----a-w- c:\windows\system32\aavar.pif

2011-06-08 16:51:06 0 ----a-w- c:\windows\srv32.exe

2011-06-08 16:51:06 0 ----a-w- c:\windows\scrsvr.exe

2011-06-08 16:51:06 0 ----a-w- c:\windows\marco!.scr

2011-06-08 16:51:06 0 ----a-w- c:\windows\instit.bat

2011-06-08 16:51:06 0 ----a-w- c:\windows\brasil.pif

2011-06-08 16:51:06 0 ----a-w- c:\windows\brasil.exe

2011-06-08 16:51:06 0 ----a-w- c:\windows\alevir.exe

2011-06-08 15:28:17 -------- d-----w- c:\program files\ESET

2011-06-08 15:00:22 -------- d-----w- c:\documents and settings\guest1.warehampolice\application data\Malwarebytes

2011-06-08 15:00:17 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-06-08 15:00:16 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2011-06-08 15:00:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-06-08 15:00:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-06-08 14:59:27 9435312 ----a-w- C:\mbam-setup-1.51.0.1200.exe

2011-06-08 14:57:36 -------- d-----w- C:\xoristdecryptor

2011-06-08 14:36:19 -------- d-----w- c:\windows\pss

2011-06-08 14:29:13 -------- d-----w- C:\tdsskiller

2011-06-08 13:50:51 -------- d-----w- C:\rectordecryptor

2011-06-08 13:29:52 135232 --sha-r- c:\windows\system32\flcss.bkp

2011-06-08 13:29:52 12714 ----a-w- c:\windows\system32\flcss.sys

2011-06-08 13:20:42 12552 ----a-w- c:\windows\system32\drivers\hddirect.sys

2011-06-08 13:20:23 -------- d-----w- C:\kasp

.

==================== Find3M ====================

.

.

============= FINISH: 13:43:48.87 ===============

attach.zip

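Added example, not part of this thread, of DDS or of Malwarebytes: a small Python triage script that reads the banner sections of a DDS log like the one above and flags the entries a helper would look at first: an executable running from the drive root with a random-looking name (C:\05g79o7n.exe, which the staff reply below turns out to be a renamed GMER), Hosts: overrides (DDS prints only non-default hosts entries; here 127.0.0.1 www.spywareinfo.com), zero-byte files dropped under c:\windows, and new system32 files carrying hidden+system attributes (flcss.bkp). The sample lines are copied from the log above; the rules, the thresholds and the "random name" heuristic are the author's assumptions, and a hit is a lead to verify (with a hash lookup, as the staff reply asks), not a verdict: zero-byte files with worm-like names can just as well be vaccination placeholders left behind by cleanup tools as malware artefacts.

```python
"""Triage a DDS log for common infection indicators.

Added example; not DDS or Malwarebytes code. The rules below are the
author's heuristics, not DDS output categories.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the DDS log in this thread, a few
# per section, so the triage runs offline. Not a complete DDS log.
SAMPLE_LINES = [
    r"============== Running Processes ===============",
    r"C:\WINDOWS\system32\svchost.exe -k netsvcs",
    r"C:\WINDOWS\system32\slagent.exe",
    r"C:\WINDOWS\Explorer.EXE",
    r"C:\05g79o7n.exe",
    r"============== Pseudo HJT Report ===============",
    r"mRun: [KL AntiFunLove] c:\windows\system32\flcss.exe",
    r"Hosts: 127.0.0.1 www.spywareinfo.com",
    r"=============== Created Last 30 ================",
    r"2011-06-08 17:42:52 607222 ------r- C:\dds.scr",
    r"2011-06-08 17:36:33 302592 ----a-w- C:\05g79o7n.exe",
    r"2011-06-08 16:51:06 135232 ----a-w- c:\windows\system32\flcss.exe",
    r"2011-06-08 16:51:06 0 ----a-w- c:\windows\system32\bride.exe",
    r"2011-06-08 16:51:06 0 ----a-w- c:\windows\srv32.exe",
    r"2011-06-08 15:28:17 -------- d-----w- c:\program files\ESET",
    r"2011-06-08 14:59:27 9435312 ----a-w- C:\mbam-setup-1.51.0.1200.exe",
    r"2011-06-08 13:29:52 135232 --sha-r- c:\windows\system32\flcss.bkp",
    r"2011-06-08 13:20:42 12552 ----a-w- c:\windows\system32\drivers\hddirect.sys",
    r"==================== Find3M ====================",
]

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# "Created Last 30" rows: timestamp, size (or dashes for a directory),
# 8-char attribute field such as ----a-w- / --sha-r- / d-----w-, path.
CREATED_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\d+|-+)\s+(\S{8})\s+(.+)$")
# Executable sitting directly in a drive root, e.g. C:\05g79o7n.exe
ROOT_EXEC_RE = re.compile(
    r"^[a-z]:\\([^\\]+)\.(exe|scr|pif|bat|com|cpl)$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    path: str


def split_sections(lines):
    """Group DDS output under its '=== Section ===' banners, dropping the
    '.' spacer lines DDS emits."""
    sections, current = {}, None
    for line in lines:
        line = line.rstrip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current and line and line != ".":
            sections[current].append(line)
    return sections


def looks_random(stem):
    """Heuristic (assumption): a short alphanumeric stem mixing three or
    more digits with letters, the shape of many dropper and renamed-tool
    names. Deliberately does not fire on dds, unhide or mbam-setup-1.51."""
    return (re.fullmatch(r"[A-Za-z0-9]{6,12}", stem) is not None
            and sum(c.isdigit() for c in stem) >= 3
            and any(c.isalpha() for c in stem))


def triage(lines):
    """Return the list of Finding objects for a DDS log given as lines."""
    sections = split_sections(lines)
    findings = []
    for proc in sections.get("Running Processes", []):
        path = proc.split(" -k ")[0]          # strip svchost group args
        m = ROOT_EXEC_RE.match(path)
        if m and looks_random(m.group(1)):
            findings.append(Finding("random-named executable running from drive root", path))
    for entry in sections.get("Pseudo HJT Report", []):
        if entry.startswith("Hosts:"):        # DDS lists only non-default hosts entries
            findings.append(Finding("hosts-file override", entry[6:].strip()))
    for entry in sections.get("Created Last 30", []):
        m = CREATED_RE.match(entry)
        if not m:
            continue
        _ts, size, attrs, path = m.groups()
        low = path.lower()
        is_dir = attrs.startswith("d")
        if not is_dir and size == "0" and "\\windows\\" in low:
            findings.append(Finding("zero-byte file created under the Windows directory", path))
        if not is_dir and "s" in attrs and "h" in attrs and "\\system32\\" in low:
            findings.append(Finding("new system32 file with hidden+system attributes", path))
        rm = ROOT_EXEC_RE.match(path)
        if rm and looks_random(rm.group(1)):
            findings.append(Finding("random-named executable created in drive root", path))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f.rule}: {f.path}")
```

To use it on a real log, feed `triage(open("dds.txt").read().splitlines())`; each hit is something to hash and look up, or to confirm against the staff reply, before anything is deleted.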

  • Staff

Hi and welcome to Malwarebytes.

Please go to VirusTotal, and upload the following file for analysis:

C:\05g79o7n.exe

Post the results in your reply.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317


The Malwarebytes, ComboFix, and DDS logs follow.

I renamed 05g79o7n.exe as a .zip in order to attach.

Stephen

=========================================

Malwarebytes' Anti-Malware 1.51.0.1200

www.malwarebytes.org

Database version: 6847

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

6/13/2011 9:29:56 AM

mbam-log-2011-06-13 (09-29-56).txt

Scan type: Quick scan

Objects scanned: 192637

Time elapsed: 10 minute(s), 53 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

=========================================

ComboFix 11-06-12.04 - guest1 06/13/2011 9:43.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.253 [GMT -4:00]

Running from: c:\documents and settings\guest1.WAREHAMPOLICE\Desktop\ComboFix.exe

AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\rectordecryptor\rectordecryptor.exe

c:\tdsskiller\tdsskiller.exe

c:\windows\alevir.exe

c:\windows\brasil.exe

c:\windows\scrsvr.exe

c:\windows\srv32.exe

c:\windows\system32\bride.exe

c:\xoristdecryptor\xoristdecryptor.exe

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_KLANTIFL

-------\Service_KLAntiFL

.

.

((((((((((((((((((((((((( Files Created from 2011-05-13 to 2011-06-13 )))))))))))))))))))))))))))))))

.

.

2011-06-08 17:42 . 2011-06-08 17:42 607222 ------r- C:\dds.scr

2011-06-08 17:41 . 2011-06-08 17:41 50477 ----a-w- C:\Defogger.exe

2011-06-08 17:36 . 2011-06-08 17:36 302592 ----a-w- C:\05g79o7n.exe

2011-06-08 17:07 . 2011-06-08 17:07 606105 ----a-w- C:\unhide.exe

2011-06-08 16:53 . 2011-06-08 16:53 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-06-08 16:51 . 2011-06-13 13:05 0 ----a-w- c:\windows\system32\aavar.pif

2011-06-08 16:51 . 2011-06-13 13:05 0 ----a-w- c:\windows\marco!.scr

2011-06-08 16:51 . 2011-06-13 13:05 0 ----a-w- c:\windows\instit.bat

2011-06-08 16:51 . 2011-06-13 13:05 0 ----a-w- c:\windows\brasil.pif

2011-06-08 15:28 . 2011-06-08 15:28 -------- d-----w- c:\program files\ESET

2011-06-08 15:00 . 2011-06-08 15:00 -------- d-----w- c:\documents and settings\guest1.WAREHAMPOLICE\Application Data\Malwarebytes

2011-06-08 15:00 . 2011-05-29 13:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-06-08 15:00 . 2011-06-08 15:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-06-08 15:00 . 2011-06-08 15:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-06-08 15:00 . 2011-05-29 13:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-06-08 14:59 . 2011-06-08 13:26 9435312 ----a-w- C:\mbam-setup-1.51.0.1200.exe

2011-06-08 14:57 . 2011-06-13 13:51 -------- d-----w- C:\xoristdecryptor

2011-06-08 14:29 . 2011-06-13 13:51 -------- d-----w- C:\tdsskiller

2011-06-08 13:50 . 2011-06-13 13:51 -------- d-----w- C:\rectordecryptor

2011-06-08 13:29 . 2011-06-08 13:29 135232 --sha-r- c:\windows\system32\flcss.bkp

2011-06-08 13:29 . 2011-06-08 13:29 12714 ----a-w- c:\windows\system32\flcss.sys

2011-06-08 13:20 . 2011-06-08 13:20 12552 ----a-w- c:\windows\system32\drivers\hddirect.sys

2011-06-08 13:20 . 2011-06-08 14:57 -------- d-----w- C:\kasp

2011-06-07 19:40 . 2011-06-07 19:40 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-06-08 18:33 . 2011-06-08 18:33 5284 ----a-w- C:\attach.zip

2011-06-08 14:57 . 2011-06-08 14:57 236086 ----a-w- C:\xoristdecryptor.zip

2011-06-08 14:29 . 2011-06-08 14:29 1305136 ----a-w- C:\tdsskiller.zip

2011-06-08 13:50 . 2011-06-08 13:50 215321 ----a-w- C:\rectordecryptor.zip

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-15 135168]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-15 131072]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 53408]

"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-03-17 124656]

"RTHDCPL"="RTHDCPL.EXE" [2009-02-03 18085888]

"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2010-01-27 63048]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]

2010-12-27 20:42 87424 ----a-w- c:\windows\system32\LMIinit.dll

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\persistentroutes]

"170.154.128.0,255.255.128.0,10.168.1.13,1"=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HDDirect.sys]

@="Driver"

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\IMCMSGC3.EXE"=

.

R2 ImcGeneral46;IMC General 4.6;c:\windows\system32\ImcGen46.exe [3/8/2006 7:10 PM 311296]

R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [12/27/2010 4:45 PM 374152]

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [1/27/2010 12:22 PM 12856]

R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/17/2006 7:34 AM 115952]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/16/2011 2:23 PM 105592]

S2 CWShredder Service;CWShredder Service;c:\wpd-malware\cwshredder.exe service --> c:\wpd-malware\cwshredder.exe service [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/18/2011 11:37 AM 136176]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/18/2011 11:37 AM 136176]

S3 HDDirect;Hard Disk Direct Control;c:\windows\system32\drivers\hddirect.sys [6/8/2011 9:20 AM 12552]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Contents of the 'Scheduled Tasks' folder

.

2011-06-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-18 15:37]

.

2011-06-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-18 15:37]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

TCP: DhcpNameServer = 10.168.1.17 10.168.1.16

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

HKLM-Run-KL AntiFunLove - c:\windows\system32\flcss.exe

SafeBoot-HDDirect

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-06-13 09:58

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(748)

c:\windows\system32\LMIinit.dll

c:\windows\system32\LMIRfsClientNP.dll

.

- - - - - - - > 'explorer.exe'(3596)

c:\windows\system32\WININET.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\IEFRAME.dll

c:\windows\system32\LMIRfsClientNP.dll

c:\windows\system32\mshtml.dll

c:\windows\system32\msls31.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Symantec Shared\ccSetMgr.exe

c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe

c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

c:\program files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe

c:\program files\LSI SoftModem\agrsmsvc.exe

c:\program files\Symantec AntiVirus\DefWatch.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\LogMeIn\x86\RaMaint.exe

c:\program files\LogMeIn\x86\LogMeIn.exe

c:\program files\Symantec AntiVirus\Rtvscan.exe

c:\windows\system32\wdfmgr.exe

c:\windows\system32\slagent.exe

c:\windows\system32\igfxsrvc.exe

c:\windows\RTHDCPL.EXE

.

**************************************************************************

.

Completion time: 2011-06-13 10:01:56 - machine was rebooted

ComboFix-quarantined-files.txt 2011-06-13 14:01

ComboFix2.txt 2010-05-25 13:29

.

Pre-Run: 134,631,424,000 bytes free

Post-Run: 134,582,947,840 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

.

- - End Of File - - E00BC9CD6727337532F510521E261D6D

============================================

.

DDS (Ver_2011-06-03.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by guest1 at 10:40:28 on 2011-06-13

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.275 [GMT -4:00]

.

AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe

C:\Program Files\LSI SoftModem\agrsmsvc.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\WINDOWS\system32\svchost.exe -k hpdevmgmt

C:\WINDOWS\system32\ImcGen46.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe

C:\Program Files\LogMeIn\x86\RaMaint.exe

C:\Program Files\LogMeIn\x86\LogMeIn.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\Program Files\Symantec AntiVirus\SavRoam.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\system32\slagent.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\LogMeIn\x86\LogMeInSystray.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Internet Explorer\iexplore.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [vptray] c:\progra~1\symant~1\VPTray.exe

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1259768391859

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100

TCP: DhcpNameServer = 10.168.1.17 10.168.1.16

TCP: Interfaces\{35338D0A-9600-4A7B-A838-F0D02A68630C} : DhcpNameServer = 10.168.1.17 10.168.1.16

Notify: igfxcui - igfxdev.dll

Notify: LMIinit - LMIinit.dll

.

============= SERVICES / DRIVERS ===============

.

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-12-19 337592]

R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-12-19 54968]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-3-7 192160]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-3-7 169632]

R2 ImcGeneral46;IMC General 4.6;c:\windows\system32\ImcGen46.exe [2006-3-8 311296]

R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-12-27 374152]

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2010-1-27 12856]

R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-9-1 47640]

R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-3-17 115952]

R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-3-17 1799408]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-5-16 105592]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110610.002\naveng.sys [2011-6-13 86008]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110610.002\navex15.sys [2011-6-13 1542392]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-1-18 136176]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-1-18 136176]

S3 HDDirect;Hard Disk Direct Control;c:\windows\system32\drivers\hddirect.sys [2011-6-8 12552]

S4 LMIRfsClientNP;LMIRfsClientNP; [x]

.

=============== Created Last 30 ================

.

2011-06-13 14:38:39 -------- d-----w- C:\sdr0613

2011-06-13 13:42:05 -------- d-sha-r- C:\cmdcons

2011-06-08 17:42:52 607222 ------r- C:\dds.scr

2011-06-08 17:41:14 50477 ----a-w- C:\Defogger.exe

2011-06-08 17:36:33 302592 ----a-w- C:\05g79o7n.exe

2011-06-08 17:07:27 606105 ----a-w- C:\unhide.exe

2011-06-08 16:53:01 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-06-08 16:51:06 0 ----a-w- c:\windows\system32\aavar.pif

2011-06-08 16:51:06 0 ----a-w- c:\windows\marco!.scr

2011-06-08 16:51:06 0 ----a-w- c:\windows\instit.bat

2011-06-08 16:51:06 0 ----a-w- c:\windows\brasil.pif

2011-06-08 15:28:17 -------- d-----w- c:\program files\ESET

2011-06-08 15:00:22 -------- d-----w- c:\documents and settings\guest1.warehampolice\application data\Malwarebytes

2011-06-08 15:00:17 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-06-08 15:00:16 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2011-06-08 15:00:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-06-08 15:00:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-06-08 14:59:27 9435312 ----a-w- C:\mbam-setup-1.51.0.1200.exe

2011-06-08 14:57:36 -------- d-----w- C:\xoristdecryptor

2011-06-08 14:36:19 -------- d-----w- c:\windows\pss

2011-06-08 14:29:13 -------- d-----w- C:\tdsskiller

2011-06-08 13:50:51 -------- d-----w- C:\rectordecryptor

2011-06-08 13:29:52 135232 --sha-r- c:\windows\system32\flcss.bkp

2011-06-08 13:29:52 12714 ----a-w- c:\windows\system32\flcss.sys

2011-06-08 13:20:42 12552 ----a-w- c:\windows\system32\drivers\hddirect.sys

2011-06-08 13:20:23 -------- d-----w- C:\kasp

.

==================== Find3M ====================

.

.

============= FINISH: 10:41:27.29 ===============

05g79o7n.zip


  • Staff

Hi,

Okay, that file was just GMER renamed.

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


I haven't done anything much on this machine other than run the anti-malware tools after the PC was flagged by Symantec, so I'm not sure how it's behaving. (I don't want to risk a reinfection.)

One thing I do see is that some of the submenus on Start, Programs are empty even though the programs are there. I don't know if that indicates an active infection or not. I have run the Unhide tool several times, which brought most of the items back.

(Once we're done, I'll run System Works 2006 to try to repair broken links.)

Following are ESET and SecurityCheck logs.

Thanks for all your help.

Stephen

==========

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6522

# api_version=3.0.2

# EOSSerial=09692c92fe7ad3469ae175cc54e7135b

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-06-08 04:47:51

# local_time=2011-06-08 12:47:51 (-0500, Eastern Daylight Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=51017

# found=0

# cleaned=0

# scan_time=4609

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6522

# api_version=3.0.2

# EOSSerial=09692c92fe7ad3469ae175cc54e7135b

# end=stopped

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-06-15 07:08:56

# local_time=2011-06-15 03:08:56 (-0500, Eastern Daylight Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=932

# found=0

# cleaned=0

# scan_time=167

esets_scanner_update returned -1 esets_gle=53251

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6522

# api_version=3.0.2

# EOSSerial=09692c92fe7ad3469ae175cc54e7135b

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-06-15 08:19:19

# local_time=2011-06-15 04:19:19 (-0500, Eastern Daylight Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=59505

# found=0

# cleaned=0

# scan_time=4137

===========

Results of screen317's Security Check version 0.99.13

Windows XP Service Pack 3

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!

Windows Firewall Enabled!

ESET Online Scanner v3

Symantec AntiVirus

Antivirus up to date!

```````````````````````````````

Anti-malware/Other Utilities Check:

Out of date HijackThis installed!

Malwarebytes' Anti-Malware

HijackThis 1.99.1

Java 6 Update 21

Out of date Java installed!

Adobe Flash Player

Adobe Reader 9.4.4

Out of date Adobe Reader installed!

````````````````````````````````

Process Check:

objlist.exe by Laurent

Symantec AntiVirus DefWatch.exe

Symantec AntiVirus SavRoam.exe

Symantec AntiVirus Rtvscan.exe

``````````End of Log````````````


Checked PM and updated there. Still not seeing all Program shortcuts (including Control Panel, Administrative Tools).

Updated and reran Malwarebytes. Log follows.

Malwarebytes' Anti-Malware 1.51.0.1200

www.malwarebytes.org

Database version: 6902

Windows 5.1.2600 Service Pack 3 (Safe Mode)

Internet Explorer 8.0.6001.18702

6/20/2011 11:20:10 AM

mbam-log-2011-06-20 (11-20-10).txt

Scan type: Full scan (C:\|)

Objects scanned: 246007

Time elapsed: 20 minute(s), 24 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


  • 1 month later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
