I was caught up in dead week and could not get back to my computer; I apologise for the delay. Here is the link to the original thread.
http://www.techsupportforum.com/secu...ml#post1839132
I ran ComboFix and have attached the log file.
Thank you for your time and help,
David
ComboFix 08-12-05.01 - Owner 2008-12-05 12:05:52.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.791 [GMT -8:00]
Command switches used :: c:\documents and settings\Owner\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Owner\Application Data\gadcom
c:\documents and settings\Owner\Application Data\IUpd721
c:\documents and settings\Owner\Application Data\IUpd721\Logs\scns.log
c:\documents and settings\Owner\Application Data\NI.GSCNS
c:\documents and settings\Owner\Application Data\NI.GSCNS\dl.ini
c:\documents and settings\Owner\Application Data\NI.GSCNS\settings.ini
c:\windows\IA
c:\windows\system32\DelSelf.bat
c:\windows\system32\drivers\TDSSmxoe.sys
c:\windows\system32\jsne87fidgf.dll
c:\windows\system32\MSVolume.dll
c:\windows\system32\r2
c:\windows\system32\TDSScfub.log
c:\windows\system32\TDSSfpmp.dll
c:\windows\system32\TDSSktpa.dll
c:\windows\system32\TDSSnrsr.dll
c:\windows\system32\TDSSoeqh.log
c:\windows\system32\TDSSofxh.dll
c:\windows\system32\TDSSosvd.dll
c:\windows\system32\TDSSpaxt.dat
c:\windows\system32\TDSSpqxt.log
c:\windows\system32\TDSSriqp.dll
c:\windows\system32\X5
c:\windows\Tasks\xrwwdsmq.job
D:\Autorun.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS
((((((((((((((((((((((((( Files Created from 2008-11-05 to 2008-12-05 )))))))))))))))))))))))))))))))
.
2008-11-28 14:06 . 2008-11-28 14:06 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-28 14:06 . 2008-11-28 14:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-28 14:06 . 2008-10-26 21:53 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-28 14:06 . 2008-10-26 21:53 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-28 14:04 . 2008-11-28 14:04 <DIR> d-------- c:\program files\Trend Micro
2008-11-28 10:19 . 2008-11-28 14:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-28 10:10 . 2008-11-28 10:11 <DIR> d-------- C:\095656869fa05163197b
2008-11-24 18:48 . 2008-11-24 18:48 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-12 14:31 . 2008-09-04 09:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 14:31 . 2008-10-24 03:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-09 17:28 . 2008-11-28 10:47 <DIR> d-------- c:\program files\AdwarePro
2008-11-09 10:37 . 2001-08-17 13:48 12,160 --a------ c:\windows\system32\drivers\mouhid.sys
2008-11-09 10:36 . 2008-04-13 17:11 21,504 --a------ c:\windows\system32\hidserv.dll
2008-11-09 10:36 . 2008-04-13 11:39 14,592 --a------ c:\windows\system32\drivers\kbdhid.sys
2008-11-09 10:36 . 2008-04-13 11:45 10,368 --a------ c:\windows\system32\drivers\hidusb.sys
2008-11-06 22:31 . 2008-11-06 22:31 <DIR> d-------- c:\documents and settings\LocalService\Application Data\Yahoo!
2008-11-06 22:26 . 2008-11-09 12:12 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2008-11-06 22:26 . 2008-11-06 22:26 63,488 --a------ c:\windows\system32\rgv.xl
2008-11-06 22:26 . 2008-11-06 22:26 32,768 --a------ c:\windows\system32\fes.ra
2008-11-06 22:26 . 2008-11-06 22:26 32,768 --a------ c:\windows\system32\fe.sp
2008-11-06 22:26 . 2008-11-06 22:26 28,672 --a------ c:\windows\system32\def.help
2008-11-06 22:26 . 2008-11-06 22:26 28,672 --a------ c:\windows\system32\ceg.sdr
2008-11-06 22:26 . 2008-11-06 22:26 20,480 --a------ C:\pqggin.exe
2008-11-06 22:26 . 2008-11-06 22:26 7,680 --a------ C:\sydp.exe
2008-11-06 22:25 . 2008-11-06 22:25 <DIR> d-------- c:\windows\system32\vm
2008-11-06 22:25 . 2008-11-09 12:13 <DIR> d-------- c:\windows\system32\QI19
2008-11-06 22:25 . 2008-11-06 22:25 <DIR> d-------- c:\windows\system32\ert
2008-11-06 22:25 . 2008-11-06 22:26 <DIR> d-------- c:\windows\system32\bb
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-28 22:10 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-28 18:54 --------- d-----w c:\program files\Google
2008-11-28 18:53 --------- d--h--r c:\documents and settings\Owner\Application Data\yahoo!
2008-11-28 18:53 --------- d-----w c:\program files\Yahoo!
2008-11-28 18:53 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2008-11-28 18:52 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-28 18:52 --------- d-----w c:\program files\epson
2008-11-25 06:11 --------- d-----w c:\program files\Microsoft Silverlight
2008-11-25 02:48 --------- d-----w c:\program files\Java
2008-11-09 20:58 --------- d-----w c:\program files\support.com
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-17 04:26 --------- d-----w c:\documents and settings\Owner\Application Data\Move Networks
2008-10-09 02:15 --------- d-----w c:\documents and settings\Owner\Application Data\Viewpoint
2006-04-18 04:30 9,583,368 ----a-w c:\documents and settings\Owner\DesktopDoctor1.5.1.exe
2003-08-27 22:19 36,963 ----a-r c:\program files\Common Files\SM1updtr.dll
2005-01-29 03:20 0 --sha-w c:\windows\SMINST\HPCD.sys
2007-07-02 23:13 5 --sha-w c:\windows\system32\cafbdbbee_s.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"SM1BG"="c:\windows\SM1BG.EXE" [2003-08-27 94208]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-01-31 385024]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-24 136600]
"SoundMan"="SOUNDMAN.EXE" [2004-08-24 c:\windows\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2004-08-24 c:\windows\ALCWZRD.EXE]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
Enable Wireless Keyboard Driver.lnk - c:\program files\Wireless Device\Wireless Keyboard\Magickey.exe [2005-01-28 172032]
Enable Wireless Optical Mouse Driver.lnk - c:\program files\Wireless Device\Wireless Mouse\MouseAp.exe [2005-01-28 217088]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2003-10-31 19:42 32768 c:\program files\CyberLink\PowerDVD\PDVDServ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKistEM]
--a------ 2004-03-11 15:18 135168 c:\program files\eMachines Bay Reader\shwiconEM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Automatic LiveUpdate Scheduler"=2 (0x2)
"gusvc"=3 (0x3)
"LiveUpdate"=3 (0x3)
"PrismXL"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R1 kbfilter;Keyboard Filter Driver;c:\windows\system32\drivers\kbfilter.sys [2005-01-28 12964]
R3 HPFXBULK;HPFXBULK;c:\windows\system32\drivers\hpfxbulk.sys [2007-11-11 9344]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
.
Contents of the 'Scheduled Tasks' folder
2005-01-29 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2008-04-13 16:12]
2008-12-05 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDetect.exe []
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - (no file)
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKCU-Run-AdwareProMFCT - c:\program files\AdwarePro\AdwarePro.exe
Notify-MRI_DISABLED - (no file)
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
uStart Page = hxxp://webmail.peacehealth.org/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
- c:\windows\Downloaded Program Files\RhapX.inf
FireFox -: Profile - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\vemimigj.default\
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-12-05 12:09:06
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wscntfy.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
c:\program files\Wireless Device\Wireless Keyboard\OSD.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-12-05 12:10:33 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-12-05 20:10:30
Pre-Run: 143,545,372,672 bytes free
Post-Run: 143,465,824,256 bytes free
192 --- E O F --- 2008-11-28 18:11:18