IE8 Browser Redirect/Hijack Issue


Per LDTate, I have reposted the log.

A new MBAM scan was run and the log text is included below this text. No actions were taken on the noted issues.

My home computer recently exhibited signs of running slow and Internet Explorer search results going to advertisements instead of the correct page. The computer currently has SuperAntiSpyware Free Edition, Malwarebytes Anti-Malware, and HijackThis. The logs are posted below.

It is running AVG Anti-Virus Free which was installed 2 days ago after the issues were noted. Previously running Symantec Antivirus and replaced with AVG after noticing computer issues.

AVG is indicating multiple Threat detections in C:\windows\system32\drivers\cdfs.sys - Trojan horse BackDoor.Generic13.BKVZ and Trojan horse Generic22.BLTM. AVG has been unable to clean.

I also installed TDSSKiller.exe and it identified an issue with C:\windows\system32\drivers\cdfs.sys. In trying to clean it indicated an error processing file. The log file is also attached.

The computer is a Dell Latitude D830 that was purchased used.

It is running Windows XP SP3

Intel 2 Duo CPU

T8300 @ 2.4GHz

789MHz 1.99 RAM

MBAM LOG TEXT:

Malwarebytes' Anti-Malware 1.51.0.1200

www.malwarebytes.org

Database version: 6897

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

6/19/2011 4:32:58 PM

mbam-log-2011-06-19 (16-32-45).txt

Scan type: Full scan (C:\|)

Objects scanned: 270594

Time elapsed: 1 hour(s), 27 minute(s), 27 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 3

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 5

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IpNat (Backdoor.ZAccess) -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NIC1394 (Backdoor.ZAccess) -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Serial (Backdoor.ZAccess) -> No action taken.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\system32\drivers\ipnat.sys (Backdoor.ZAccess) -> No action taken.

c:\WINDOWS\system32\drivers\nic1394.sys (Backdoor.ZAccess) -> No action taken.

c:\WINDOWS\system32\drivers\serial.sys (Backdoor.ZAccess) -> No action taken.

c:\WINDOWS\assembly\GAC_MSIL\Desktop.ini (Backdoor.ZAccess) -> No action taken.

c:\WINDOWS\system32\drivers\cdfs.sys (Backdoor.ZAccess) -> No action taken.
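
The two Malwarebytes logs in this thread share one fixed layout: a block of "key: value" header lines, a block of per-section counts, then one section per category listing each detection as "item (family) -> action". The following Python script is an added example, not part of this post and not Malwarebytes' own tooling; it parses that layout, cross-checks the declared counts against the items actually listed (a truncated paste shows up as a mismatch), and separates detections that were quarantined from those still marked "No action taken" or "Delete on reboot". The embedded sample is a constructed excerpt in the format of the log above, with counts made consistent with the items it lists; the regular expressions, the set of "unresolved" action strings and the function names are my own inferences from the logs on this page.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the layout of the Malwarebytes' Anti-Malware 1.51 log pasted in
# this thread: an excerpt, not the full log, with counts matching the items listed.
SAMPLE_LOG = """\
Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6897
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/19/2011 4:32:58 PM
mbam-log-2011-06-19 (16-32-45).txt

Scan type: Full scan (C:\\|)
Objects scanned: 270594
Time elapsed: 1 hour(s), 27 minute(s), 27 second(s)

Memory Processes Infected: 0
Registry Keys Infected: 2
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\IpNat (Backdoor.ZAccess) -> No action taken.
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Serial (Backdoor.ZAccess) -> No action taken.

Files Infected:
c:\\WINDOWS\\system32\\drivers\\ipnat.sys (Backdoor.ZAccess) -> No action taken.
c:\\WINDOWS\\system32\\drivers\\serial.sys (Backdoor.ZAccess) -> Quarantined and deleted successfully.
c:\\WINDOWS\\assembly\\GAC_MSIL\\Desktop.ini (Backdoor.ZAccess) -> Delete on reboot.
"""

# Patterns inferred from the log layout (assumptions, not a documented format).
HEADER_RE = re.compile(r"^(Database version|Scan type|Objects scanned|Time elapsed): (.+)$")
COUNT_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")

# Actions that leave the item in place; wording taken from the logs in this thread.
UNRESOLVED_ACTIONS = {"No action taken", "Delete on reboot"}


@dataclass
class Detection:
    section: str
    item: str
    family: str
    action: str


@dataclass
class MbamReport:
    header: dict = field(default_factory=dict)
    declared: dict = field(default_factory=dict)    # section -> count from the summary block
    detections: list = field(default_factory=list)


def parse_mbam_log(text):
    """Walk the log once, tracking which 'X Infected:' section we are in."""
    report = MbamReport()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := HEADER_RE.match(line):
            report.header[m.group(1)] = m.group(2)
        elif m := COUNT_RE.match(line):
            report.declared[m.group(1)] = int(m.group(2))
        elif m := SECTION_RE.match(line):
            section = m.group(1)
        elif section and not line.startswith("(No malicious items detected)"):
            if m := DETECTION_RE.match(line):
                report.detections.append(Detection(section, m["item"], m["family"], m["action"]))
    return report


def parsed_counts(report):
    counts = {s: 0 for s in report.declared}
    for d in report.detections:
        counts[d.section] = counts.get(d.section, 0) + 1
    return counts


def count_mismatches(report):
    """Sections whose summary count disagrees with the items listed: the pasted log was
    truncated or edited. Returns {section: (declared, parsed)}."""
    parsed = parsed_counts(report)
    return {s: (n, parsed.get(s, 0)) for s, n in report.declared.items() if parsed.get(s, 0) != n}


def unresolved(report):
    return [d for d in report.detections if d.action in UNRESOLVED_ACTIONS]


def system_driver_hits(report):
    """Flagged files under system32\\drivers. These carry the names of legitimate Windows
    drivers, so removing them has to be paired with restoring a clean copy."""
    return [d.item for d in report.detections
            if d.section == "Files Infected" and "\\system32\\drivers\\" in d.item.lower()]


def families(report):
    return sorted({d.family for d in report.detections})


if __name__ == "__main__":
    r = parse_mbam_log(SAMPLE_LOG)
    print("database", r.header.get("Database version"), "families", families(r))
    for d in unresolved(r):
        print(f"still present: {d.item}  [{d.action}]")
    for path in system_driver_hits(r):
        print(f"system driver flagged, restore a clean copy after removal: {path}")
    print("count mismatches:", count_mismatches(r))
```

The `system_driver_hits` list is the part worth pausing on: every file flagged in the log above is a legitimately named Windows driver (ipnat.sys, nic1394.sys, serial.sys, cdfs.sys), so "Quarantined and deleted" removes a system driver rather than a foreign file, and the clean copy has to come back from dllcache or install media. That is the restore step the ComboFix log later in this thread records for wuauclt.exe ("Restored copy from - c:\windows\system32\dllcache\wuauclt.exe").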


Backdoor

Whether you wish to continue with cleaning or not, you should be aware that you may have been infected by a backdoor trojan. This type of program has the ability to steal passwords and other information from your system. If you are using your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:

  • Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, paypal, ebay, etc. You should also change the passwords for any other site you use.
  • Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen and ask what steps to take with regard to your account.
  • Consider what other private information could possibly have been taken from your computer and take appropriate steps

This infection can almost certainly be cleaned, but as the malware could be configured to run any program a remote attacker requires, it will be impossible to be 100% sure that the machine is clean, if this is unacceptable to you then you should consider reformatting the system partition and reinstalling Windows as this is the only 100% sure answer.

Please post back to let me know how you wish to proceed.


I have run a full scan of MBAM and selected to fix the noted issues. A reboot was also conducted. After rebooting, I ran another scan of MBAM. No other issues were noted.

The MBAM scans are contained below:

Malwarebytes' Anti-Malware 1.51.0.1200

www.malwarebytes.org

Database version: 6897

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

6/20/2011 12:50:57 PM

mbam-log-2011-06-20 (12-50-57).txt

Scan type: Full scan (C:\|)

Objects scanned: 274622

Time elapsed: 1 hour(s), 33 minute(s), 57 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 3

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 5

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IpNat (Backdoor.ZAccess) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NIC1394 (Backdoor.ZAccess) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Serial (Backdoor.ZAccess) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\system32\drivers\ipnat.sys (Backdoor.ZAccess) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\drivers\nic1394.sys (Backdoor.ZAccess) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\drivers\serial.sys (Backdoor.ZAccess) -> Quarantined and deleted successfully.

c:\WINDOWS\assembly\GAC_MSIL\Desktop.ini (Backdoor.ZAccess) -> Delete on reboot.

c:\WINDOWS\system32\drivers\cdfs.sys (Backdoor.ZAccess) -> Quarantined and deleted successfully.

2nd scan after action taken.

Malwarebytes' Anti-Malware 1.51.0.1200

www.malwarebytes.org

Database version: 6897

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

6/20/2011 2:17:18 PM

mbam-log-2011-06-20 (14-17-18).txt

Scan type: Full scan (C:\|)

Objects scanned: 273646

Time elapsed: 1 hour(s), 17 minute(s), 12 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Are other actions required?

Thank you.


Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (Right click, choose "Run as Administrator")

Download ComboFix from one of these locations:

Link 1

Link 2 If using this link, Right Click and select Save As.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link: Protective Programs
  • Double click on ComboFix.exe & follow the prompts.
    Notes: ComboFix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
    Note: If you have XP SP3, use the XP SP2 package.
    If Vista or Windows 7, skip the Recovery Console part.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RC1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.

3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from ComboFix. Use copy/paste.

Also please describe how your computer behaves at the moment.


Combofix was installed on Desktop and ran. All antiviruses were disabled.

ComboFix downloaded and installed the Microsoft Recovery Console.

Scan of Software was initiated.

I returned to the computer after 30 minutes or so and the computer had rebooted and was at the login screen. When selecting CTRL + ALT + DELETE to log on, I received an error message: Authentication Manager - A specified authentication package is unknown. An OK button is displayed on the error prompt. When selecting OK the computer reboots without starting up. The same flow exists after rebooting.

Please advise next steps.

Thank you


Note: To start the computer from the Windows XP CD-ROM, you must configure the basic input/output system (BIOS) of the computer to start from your CD-ROM.

To run the Recovery Console from the Windows XP startup disks or the Windows XP CD-ROM, follow these steps:

Insert the Windows XP startup disk into the floppy disk drive, or insert the Windows XP CD-ROM into the CD drive, and then restart the computer.

Click to select any options that are required to start the computer from the CD drive if you are prompted.

When the "Welcome to Setup" screen appears, press R to start the Recovery Console.

If you have a dual-boot or multiple-boot computer, select the installation that you must access from the Recovery Console.

When you are prompted, type the Administrator password. If the administrator password is blank, just press ENTER.

At the command prompt, type the appropriate commands to diagnose and repair your Windows XP installation.

At the command prompt, type in Fixboot and tap the Enter key.

Type in Exit and try to reboot normally.

If that doesn't work, go through the same steps but use FIXMBR and tap the Enter key.

Type in Exit and try to reboot normally.


Are you referring to the Windows XP Professional Reinstallation CD that came with the computer?

Also when I reboot the computer one of the options on Start up is for the Microsoft Windows Recovery Console that was installed by ComboFix. Not sure if this is the same as what you described above but want to make sure you were aware this appears to also be an option.

Thanks


I have started recovery console.

At the prompt Which Windows installation would you like to log onto, I selected C:\windows which was the only option. At the command prompt c:\windows> I entered fixboot and hit the Enter key.

I'm receiving a confirmation message. "The target partition is C: Are you sure you want to write a new bootsector to the partition C:?"

Should I say Yes?

I've never used recovery console before and want to make certain I can still retain the data on the computer.

Thanks


Issue is still present.

Via Recovery Console, I ran Fixboot. It indicated the new boot sector was written.

I rebooted the computer and the problem still occurs when selecting CTRL+ALT+DELETE to logon.

I then ran FixMBR. It indicated a new master boot record was successfully created.

I rebooted the computer and the problem still occurs when selecting CTRL+ALT+DELETE to logon.

Thanks


Yes! I selected Last Known Good Configuration and am now able to get past the CTRL+ALT+DELETE prompt and log on.

The ComboFix screen displayed immediately and the text in the ComboFix screen states:

"Preparing Log Report

Do not run any programs until ComboFix has finished"

Thanks


ComboFix closed and displayed the following log file.

See Text below:

ComboFix 11-06-19.0r1 - toddthompson 06/20/2011 19:53:23.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1441 [GMT -5:00]

Running from: c:\documents and settings\toddthompson\Desktop\ComboFix.exe

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\toddthompson\g2mdlhlpx.exe

c:\windows\system32\W020T32W.dll

c:\windows\system32\W021T32W.dll

.

Infected copy of c:\windows\system32\wuauclt.exe was found and disinfected

Restored copy from - c:\windows\system32\dllcache\wuauclt.exe

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_USNJSVC

-------\Service_usnjsvc

.

.

((((((((((((((((((((((((( Files Created from 2011-05-21 to 2011-06-21 )))))))))))))))))))))))))))))))

.

.

2011-06-21 00:43 . 2011-06-21 00:44 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData

2011-05-31 19:57 . 2011-05-31 19:57 -------- d-----w- C:\$AVG

2011-05-31 16:09 . 2011-05-31 16:09 -------- d-----w- C:\TDSSKiller_Quarantine

2011-05-29 18:28 . 2011-05-29 18:28 -------- d-----w- c:\documents and settings\toddthompson\%APPDATA%

2011-05-29 17:59 . 2011-05-29 17:59 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files

2011-05-29 02:34 . 2011-06-21 00:43 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar

2011-05-29 02:34 . 2011-06-21 00:46 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

2011-05-29 02:33 . 2011-05-29 02:33 -------- d-----w- c:\windows\SxsCaPendDel

2011-05-28 21:15 . 2011-05-28 21:15 -------- d-----w- c:\windows\system32\%APPDATA%

2011-05-28 21:15 . 2011-05-28 21:15 -------- d-----w- c:\documents and settings\toddthompson\Application Data\Uniblue

2011-05-28 21:14 . 2011-05-28 21:14 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{AB2D8F2E-F7AD-4446-A11A-50D846B2CF2A}

2011-05-28 21:14 . 2011-05-28 21:32 -------- d-----w- c:\program files\Uniblue

2011-05-28 21:13 . 2011-05-28 21:13 -------- d-----w- c:\documents and settings\toddthompson\Local Settings\Application Data\PackageAware

2011-05-28 21:09 . 2011-05-28 21:09 -------- d-----w- c:\program files\Quick Web Player

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-06-21 21:19 . 2008-09-05 17:26 0 ----a-w- c:\documents and settings\toddthompson\Local Settings\Application Data\WavXMapDrive.bat

2011-05-31 22:07 . 2004-08-03 23:08 59520 ----a-w- c:\windows\system32\drivers\usbhub.sys

2011-05-31 16:00 . 1980-01-01 00:00 143744 ----a-w- c:\windows\system32\drivers\fastfat.sys

2011-05-31 12:16 . 1980-01-01 00:00 91520 ----a-w- c:\windows\system32\drivers\ndiswan.sys

2011-05-29 14:11 . 2010-09-13 04:17 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-29 14:11 . 2010-09-13 04:17 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-05-17 01:32 . 2011-05-17 01:32 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-07-02 159744]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-17 8495104]

"NVHotkey"="nvHotkey.dll" [2007-11-17 86016]

"ChangeTPMAuth"="c:\program files\Wave Systems Corp\Common\ChangeTPMAuth.exe" [2007-09-12 176128]

"WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2007-09-10 92160]

"SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2007-09-14 218424]

"EmbassySecurityCheck"="c:\program files\Wave Systems Corp\EMBASSY Security Setup\EMBASSYSecurityCheck.exe" [2007-09-14 75064]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-10 2183168]

"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]

"OSSelectorReinstall"="c:\program files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe" [2007-02-26 2209224]

"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2006-10-17 1164912]

"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2006-10-17 1941784]

"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2006-10-17 87584]

"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]

"ISUSPM Startup"="c:\progra~1\common~1\instal~1\update~1\isuspm.exe" [2004-07-27 221184]

"MoneyStartUp10.0"="c:\program files\Microsoft Money\System\Activation.exe" [2001-07-25 241714]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2009-10-14 25214]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]

Task Manager.lnk - c:\windows\system32\taskmgr.exe [1979-12-31 135680]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gemsafe]

2006-11-16 22:20 73728 ----a-w- c:\program files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk

backup=c:\windows\pss\Bluetooth Manager.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Start OracleDS1012 Report Server-Startup.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Start OracleDS1012 Report Server-Startup.lnk

backup=c:\windows\pss\Start OracleDS1012 Report Server-Startup.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Start OracleDS904 Report Server-Startup.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Start OracleDS904 Report Server-Startup.lnk

backup=c:\windows\pss\Start OracleDS904 Report Server-Startup.lnkCommon Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]

2008-02-22 18:43 1245184 ----a-w- c:\program files\Dell\QuickSet\quickset.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eFax 4.4]

2008-07-31 23:40 95744 -c--a-w- c:\program files\eFax Messenger 4.4\J2GDllCmd.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]

2004-07-27 23:50 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ITSecMng]

2007-08-01 04:10 65536 -c--a-w- c:\program files\Toshiba\Bluetooth Toshiba Stack\ItSecMng.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

2007-11-17 10:03 1626112 -c--a-w- c:\windows\system32\nwiz.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]

2007-05-10 17:22 405504 -c--a-w- c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

2009-10-09 19:11 25623336 ----a-r- c:\program files\Skype\Phone\Skype.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2009-01-16 14:32 136600 -c--a-w- c:\program files\Java\jre6\bin\jusched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"OracleServiceslot9"=3 (0x3)

"OracleServiceslot8"=3 (0x3)

"OracleServiceslot7"=3 (0x3)

"OracleServiceslot6"=3 (0x3)

"OracleServiceslot5"=3 (0x3)

"OracleServiceslot4"=3 (0x3)

"OracleServiceslot3"=3 (0x3)

"OracleServiceslot2"=3 (0x3)

"OracleServiceslot10"=3 (0x3)

"OracleServiceslot1"=3 (0x3)

"OracleReportServer-REP_tthompson"=3 (0x3)

"OracleOracleDS904_OC4J"=2 (0x2)

"OracleOracleDS904ClientCache"=3 (0x3)

"OracleOracleDS1012_OC4J"=2 (0x2)

"OracleOracle920SNMPPeerMasterAgent"=3 (0x3)

"OracleOracle920SNMPPeerEncapsulator"=3 (0x3)

"OracleOracle817TNSListenerListener817"=3 (0x3)

"OracleOracle817HTTPServer"=2 (0x2)

"OracleOracle817DataGatherer"=3 (0x3)

"OracleOracle817ClientCache"=3 (0x3)

"OracleOracle817Agent"=3 (0x3)

"OracleMTSRecoveryService"=2 (0x2)

"OracleClientCache80"=3 (0x3)

"Bonjour Service"=2 (0x2)

"OracleOracle920PagingServer"=3 (0x3)

"OracleOracle920ClientCache"=3 (0x3)

"OracleOracle920Agent"=3 (0x3)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\\OracleDS1012\\BIN\\rwserver.exe"=

.

R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [12/31/1979 6:00 PM 5120]

S2 OracleOracle817HTTPServer;OracleOracle817HTTPServer;c:\oracle817\Apache\Apache\Apache.exe --> c:\oracle817\Apache\Apache\Apache.exe [?]

S2 OracleOracle920HTTPServer;OracleOracle920HTTPServer;"c:\oracle920\Apache\Apache\apache.exe" --ntservice --> c:\oracle920\Apache\Apache\apache.exe [?]

S2 OracleOracle920TNSListenerListener920;OracleOracle920TNSListenerListener920;c:\oracle920\BIN\TNSLSNR --> c:\oracle920\BIN\TNSLSNR [?]

S2 OracleOracleDS1012_OC4J;OracleOracleDS1012_OC4J;c:\program files\EJS_OC4J_Service\srvany.exe --> c:\program files\EJS_OC4J_Service\srvany.exe [?]

S2 OracleOracleDS904_OC4J;OracleOracleDS904_OC4J;c:\program files\EJS_OC4J_Service\srvany.exe --> c:\program files\EJS_OC4J_Service\srvany.exe [?]

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [?]

S3 OracleClientCache80;OracleClientCache80;c:\orant2\BIN\ONRSD80.EXE [4/12/2007 9:13 AM 101136]

S3 OracleOracle817Agent;OracleOracle817Agent;c:\oracle817\bin\dbsnmp.exe --> c:\oracle817\bin\dbsnmp.exe [?]

S3 OracleOracle817ClientCache;OracleOracle817ClientCache;c:\oracle817\BIN\ONRSD.EXE --> c:\oracle817\BIN\ONRSD.EXE [?]

S3 OracleOracle817DataGatherer;OracleOracle817DataGatherer;c:\oracle817\bin\vppdc.exe --> c:\oracle817\bin\vppdc.exe [?]

S3 OracleOracle817TNSListenerListener817;OracleOracle817TNSListenerListener817;c:\oracle817\BIN\TNSLSNR --> c:\oracle817\BIN\TNSLSNR [?]

S3 OracleOracle920Agent;OracleOracle920Agent;c:\oracle920\bin\agntsrvc.exe --> c:\oracle920\bin\agntsrvc.exe [?]

S3 OracleOracle920ClientCache;OracleOracle920ClientCache;c:\oracle920\BIN\ONRSD.EXE --> c:\oracle920\BIN\ONRSD.EXE [?]

S3 OracleOracle920PagingServer;OracleOracle920PagingServer;c:\oracle920/bin/pagntsrv.exe --> c:\Oracle920/bin/pagntsrv.exe [?]

S3 OracleOracle920SNMPPeerEncapsulator;OracleOracle920SNMPPeerEncapsulator;c:\oracle920\BIN\ENCSVC.EXE --> c:\oracle920\BIN\ENCSVC.EXE [?]

S3 OracleOracle920SNMPPeerMasterAgent;OracleOracle920SNMPPeerMasterAgent;c:\oracle920\BIN\AGNTSVC.EXE --> c:\oracle920\BIN\AGNTSVC.EXE [?]

S3 OracleOracleDS904ClientCache;OracleOracleDS904ClientCache;c:\oracleds904\BIN\ONRSD.EXE --> c:\oracleds904\BIN\ONRSD.EXE [?]

S3 OracleReportServer-REP_tthompson;OracleOracleDS904Reports [REP_tthompson];c:\oracleds904\bin\rwserver.exe --> c:\oracleds904\bin\rwserver.exe [?]

S3 OracleServiceslot1;OracleServiceslot1;c:\oracle817\bin\ORACLE.EXE slot1 --> c:\oracle817\bin\ORACLE.EXE slot1 [?]

S3 OracleServiceslot10;OracleServiceslot10;c:\oracle920\bin\ORACLE.EXE slot10 --> c:\oracle920\bin\ORACLE.EXE slot10 [?]

S3 OracleServiceslot2;OracleServiceslot2;c:\oracle817\bin\ORACLE.EXE slot2 --> c:\oracle817\bin\ORACLE.EXE slot2 [?]

S3 OracleServiceslot3;OracleServiceslot3;c:\oracle817\bin\ORACLE.EXE slot3 --> c:\oracle817\bin\ORACLE.EXE slot3 [?]

S3 OracleServiceslot4;OracleServiceslot4;c:\oracle817\bin\ORACLE.EXE slot4 --> c:\oracle817\bin\ORACLE.EXE slot4 [?]

S3 OracleServiceslot5;OracleServiceslot5;c:\oracle817\bin\ORACLE.EXE slot5 --> c:\oracle817\bin\ORACLE.EXE slot5 [?]

S3 OracleServiceslot6;OracleServiceslot6;c:\oracle920\bin\ORACLE.EXE slot6 --> c:\oracle920\bin\ORACLE.EXE slot6 [?]

S3 OracleServiceslot7;OracleServiceslot7;c:\oracle920\bin\ORACLE.EXE slot7 --> c:\oracle920\bin\ORACLE.EXE slot7 [?]

S3 OracleServiceslot8;OracleServiceslot8;c:\oracle920\bin\ORACLE.EXE slot8 --> c:\oracle920\bin\ORACLE.EXE slot8 [?]

S3 OracleServiceslot9;OracleServiceslot9;c:\oracle920\bin\ORACLE.EXE slot9 --> c:\oracle920\bin\ORACLE.EXE slot9 [?]

S3 SavRoam;SAVRoam;"c:\program files\Symantec AntiVirus\SavRoam.exe" --> c:\program files\Symantec AntiVirus\SavRoam.exe [?]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HPService REG_MULTI_SZ HPSLPSVC

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Contents of the 'Scheduled Tasks' folder

.

2011-06-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 04:27]

.

2011-06-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 04:27]

.

2011-06-21 c:\windows\Tasks\RegistryBooster.job

- c:\program files\Uniblue\RegistryBooster\rbmonitor.exe [2011-03-14 15:31]

.

2011-06-21 c:\windows\Tasks\SpeedUpMyPC.job

- c:\program files\Uniblue\SpeedUpMyPC\spmonitor.exe [2011-05-28 22:27]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

uInternet Settings,ProxyOverride = <local>;*.local

uInternet Settings,ProxyServer = http=127.0.0.1:6092

Trusted Zone: crimecog.net\user

Trusted Zone: ejustice-systems.net\www

TCP: DhcpNameServer = 192.168.1.1

Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -

DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://vpn.ejustice-systems.com/CACHE/stc/6/binaries/vpnweb.cab

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

HKLM-Run-ykibtbts - c:\documents and settings\toddthompson\Local Settings\Application Data\ecytxmqno\hjmagwvuqiw.exe

Notify-avgrsstarter - avgrsstx.dll

Notify-NavLogon - (no file)

MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

AddRemove-WZCLINE - c:\program files\WinZip\winzip32

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-06-21 15:19

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\OracleOracle817TNSListenerListener817]

"ImagePath"="c:\oracle817\BIN\TNSLSNR "

.

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\OracleOracle920PagingServer]

"ImagePath"="C:\Oracle920/bin/pagntsrv.exe"

.

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\OracleOracle920TNSListenerListener920]

"ImagePath"="c:\oracle920\BIN\TNSLSNR "

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(924)

c:\windows\system32\waveGina.dll

c:\windows\system32\AmRes_en.dll

c:\windows\system32\OEM_Resources.dll

c:\program files\Wave Systems Corp\Dell Preboot Manager\PrebootBiosManager.dll

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

c:\program files\Wave Systems Corp\Authentication Manager\AuthControl2.dll

c:\program files\Wave Systems Corp\Authentication Manager\AuthentecPlugin.dll

c:\windows\system32\ATSC70.dll

c:\program files\Wave Systems Corp\Authentication Manager\upek.dll

c:\windows\system32\BioAPI100.dll

c:\windows\system32\BIOAPI_MDS300.dll

c:\windows\system\tfmessbsp.dll

.

- - - - - - - > 'lsass.exe'(980)

c:\windows\system32\wvauth.dll

c:\windows\system32\biolsp.dll

c:\program files\Wave Systems Corp\Common\CryptoManager.dll

c:\windows\system32\tcg15.dll

c:\windows\system32\Tsp1.dll

c:\windows\system32\wclient14.dll

c:\windows\System32\BCMLogon.dll

.

- - - - - - - > 'Explorer.exe'(252)

c:\windows\system32\WININET.dll

c:\progra~1\WINDOW~2\wmpband.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\System32\WLTRYSVC.EXE

c:\windows\System32\bcmwltry.exe

c:\windows\System32\SCardSvr.exe

c:\program files\Dell\QuickSet\NICCONFIGSVC.exe

c:\program files\SigmaTel\C-Major Audio\DellXPM_5515v131\WDM\StacSV.exe

c:\program files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe

c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe

c:\windows\system32\SearchIndexer.exe

c:\windows\system32\msdtc.exe

c:\windows\system32\rundll32.exe

c:\program files\DellTPad\ApMsgFwd.exe

c:\program files\DellTPad\HidFind.exe

c:\program files\DellTPad\Apntex.exe

c:\windows\system32\igfxsrvc.exe

c:\windows\system32\SearchProtocolHost.exe

c:\windows\system32\SearchFilterHost.exe

.

**************************************************************************

.

Completion time: 2011-06-21 15:30:23 - machine was rebooted

ComboFix-quarantined-files.txt 2011-06-21 21:30

.

Pre-Run: 123,368,008,192 bytes free

Post-Run: 124,673,987,072 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

.

- - End Of File - - 8159947F486E3CABF9868B52603BF46A


Copy/paste the text in the Codebox below into notepad:

Here's how to do that:

Click Start > Run, type Notepad, and click OK.

This will open an empty notepad file:

Take your mouse, and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button, while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right click the mouse for options, and select 'copy'. Now over the empty Notepad box, right click your mouse again, and select 'paste' and you will have copied and pasted the text.

KillAll::

Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"=-

Save this file to your desktop. Save it as "CFScript".

Here's how to do that:

1. Click File;

2. Click Save As... Change the directory to your desktop;

3. Change the Save as type to "All Files";

4. Type in the file name: CFScript

5. Click Save ...

(image: CFScriptB-4.gif)

Drag CFScript.txt into ComboFix.exe

Then post the results log using Copy / Paste

Also please describe how your computer behaves at the moment.


Updated to the new version and then it continued to run.

I tried to watch the progress of the ComboFix. I got to step 26 (I believe somewhere in that number) and the computer blue screened.

I had to restart using the last known good configuration again, as trying to restart normally was giving the authentication package error when selecting CTRL+ALT+DELETE when trying to log in.

The CFScript is no longer on the desktop. In addition, I can find no output log. Should I try to repeat the instructions for the CFScript?

Thanks


Try this instead.

Next:

Launch Notepad (Start>All Programs>Accessories), and copy/paste all the Quoted REGEDIT below to it. Don't forget to include REGEDIT4.

Save in: Desktop

File Name: fixme.reg

Save as Type: All files

Click: Save

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"=-

Save this as fixme.reg. Choose to save as *all files* and place it on your desktop.

It should look like this: (image: reg.gif)

Double-click on it, and when it asks you if you want to merge the contents into the registry, click yes/ok.

Reboot and describe how your computer behaves at the moment.
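As an added example (not from this thread, ComboFix or Malwarebytes), the Python below reads the `Internet Settings,ProxyServer` line out of a ComboFix log like the one posted above and flags proxy entries that point back at the machine itself, which is the setting (`http=127.0.0.1:6092`) the fixme.reg deletes. The log line format, the `u`/`m` prefix handling and the sample lines are assumptions based on the log above, not a documented ComboFix specification.

```python
import ipaddress
import re

# Constructed sample in the format ComboFix prints these lines ('u' = per-user
# HKCU settings; an 'm' prefix for machine-wide HKLM is assumed, not seen above).
SAMPLE_LOG = """\
uInternet Settings,ProxyOverride = <local>;*.local
uInternet Settings,ProxyServer = http=127.0.0.1:6092
"""

PROXY_LINE = re.compile(r"\s*[um]?Internet Settings,ProxyServer\s*=\s*(.+?)\s*$")

def parse_proxy_server(value):
    """Split an IE ProxyServer value into {scheme: (host, port)}; accepts both
    'host:port' (all protocols, keyed '*') and 'http=host:port;https=...'."""
    entries = {}
    for part in filter(None, (p.strip() for p in value.split(";"))):
        scheme, sep, hostport = part.rpartition("=")
        if not sep:
            scheme, hostport = "*", part
        host, _, port = hostport.rpartition(":")
        if not host:  # no port given, e.g. 'http=proxy'
            host, port = hostport, ""
        entries[scheme.lower()] = (host.strip(), port)
    return entries

def is_loopback(host):
    """True if the proxy host is this machine (localhost, 127.0.0.0/8 or ::1)."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return False

def find_loopback_proxies(log_text):
    """Return (scheme, host, port) for each ProxyServer entry that loops back.
    A hit means IE traffic is relayed through a process on the same host, which
    is how the redirects in this thread happened; some legitimate filtering tools
    do the same, so identify the process owning the port before calling it malware."""
    hits = []
    for line in log_text.splitlines():
        m = PROXY_LINE.match(line)
        if m:
            for scheme, (host, port) in parse_proxy_server(m.group(1)).items():
                if is_loopback(host):
                    hits.append((scheme, host, port))
    return hits
```

Once a hit is confirmed as unwanted, deleting the value (the `"ProxyServer"=-` line in the fixme.reg above) is the matching fix.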
