
Virus/Spyware Help



Old 05-27-2011, 08:54 PM   #1
Registered Member
 
Join Date: May 2011
Posts: 16
OS: windows xp



I seem to have picked up a virus or spyware or something. The primary problem is when I'm using Firefox and I get additional tabs being opened and popups. The tabs are typically "mens health base", "womens health base", and I've also seen some tabs about allergy and Google hiring. The popups say I've won/qualified for a Walmart gift card.

Secondary issue is that sometimes on startup svchost.exe takes a lot of CPU %. When this happens I kill the process and things seem to work fine.

DDS info below. Other info is in the attached zip file. I do not have access to a Windows install or boot CD.

Any help greatly appreciated! Thanks in advance.

-Steve

DDS (Ver_2011-05-26.01) - NTFS_x86
Internet Explorer: 7.0.5730.13
Run by Administrator at 19:52:17 on 2011-05-26
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503.349 [GMT -7:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
============== Running Processes ===============
.
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\tp4mon.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\QuickTime\QTTask.exe
C:\PROGRA~1\NavNT\DefWatch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\PROGRA~1\NavNT\rtvscan.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\rundll32.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_7
uRun: [Malware Protection] c:\documents and settings\all users\application data\defender.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [TrackPointSrv] tp4mon.exe
mRun: [QCTRAY] c:\program files\thinkpad\connectutilities\QCTRAY .exe
mRun: [QCWLICON] c:\program files\thinkpad\connectutilities\QCWLICON .exe
mRun: [TP4EX] tp4ex.exe
mRun: [TPHOTKEY] c:\progra~1\thinkpad\pkgmgr\hotkey\TPHKMGR.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [Tgcmd] "c:\program files\support.com\bin\tgcmd.exe /server"
mRun: [UC_SMB]
mRun: [vptray] c:\progra~1\navnt\vptray.exe
mRun: [IntelliType] "c:\program files\microsoft hardware\keyboard\type32.exe"
mRun: [AOLDialer] c:\program files\common files\aol\acs\AOLDial.exe
mRun: [Pure Networks Port Magic] "c:\progra~1\purene~1\portma~1\PortAOL.exe" -Run
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [HostManager] c:\program files\common files\aol\1127543071\ee\AOLSoftware.exe
mRun: [ISLP2STA.EXE] ISLP2STA.EXE START
mRun: [Audit Wizard] \\madriver\awizard\ScanWS_SD.bat
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_06\bin\jusched.exe
mRun: [IPHSend] c:\program files\common files\aol\iphsend\IPHSend.exe
mRun: [AIRPLUS] "c:\program files\d-link\AIRPLUS.exe" -nogui
mRun: [Share-to-Web Namespace Daemon] c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [MSMSGS] "c:\program files\messenger\MSMSGS.EXE" /background
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\snagit~1.lnk - c:\program files\techsmith\snagit 6\SnagIt32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: YExplorer1_8US.CAB - hxxp://photos.groups.yahoo.com/ocx/us/yexplorer1_8us.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab
DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} - hxxp://office.microsoft.com/productupdates/content/opuc.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1218830946680
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38099.5881944444
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.3.1/jinstall-131_01-win.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://aol124.pogo.com/game/deluxe/zuma/popcaploader_v5.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://claritas.webex.com/client/v_mywebex/webex/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: saphtmlp - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\controls\SAPHTMLP.DLL
Handler: sapr3 - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\controls\SAPHTMLP.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: ckpNotify - ckpNotify.dll
Notify: igfxcui - igfxsrvc.dll
Notify: itlntfy - itlnfw32.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
mASetup: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
mASetup: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
mASetup: {8A3D586A-C7FE-456E-A9E2-F96EEAF0C7B6} - rundll32.exe "c:\documents and settings\administrator\application data\sun\kfb0.dll", UnregisterDll
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 10.10.103.44 ezsys # EASY ARCHIVE SYSTEM
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\pzvzcuuj.default\
FF - prefs.js: browser.search.selectedEngine - Search
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.internet-search-results.com/?sid=10101138100&s=
FF - component: c:\program files\avg\avg10\firefox4\components\avgssff4.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
.
---- FIREFOX POLICIES ----
user_pref(security.warn_viewing_mixed,false);
user_pref(security.warn_viewing_mixed.show_once,false);
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
user_pref(security.warn_submit_insecure,false);
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-5-7 64512]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [2002-11-20 12288]
R2 NAVAPEL;NAVAPEL;c:\program files\navnt\Navapel.sys [2003-8-11 30208]
R2 Norton AntiVirus Server;Symantec AntiVirus Client;c:\progra~1\navnt\rtvscan.exe [2003-10-7 647168]
R2 Scap;SecureClient Application Policy Module;c:\windows\system32\drivers\scap.sys [2005-10-26 17456]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-1-7 24652]
R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [2005-10-26 670128]
R3 {A7E39B01-B403-11d4-BD18-00D0B7A1821E};AIM 3.0 Part 01 Codec Driver VCH-A;c:\windows\system32\drivers\Vch.sys [2002-11-20 20023]
R3 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [2005-10-26 2041904]
R3 NAVAP;NAVAP;c:\progra~1\navnt\NAVAP.sys [2003-8-11 224768]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20060413.007\NAVENG.sys [2006-4-14 77864]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20060413.007\NAVEX15.sys [2006-4-14 799208]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 itlperf;Intel CPU;c:\windows\system32\svchost.exe -k itlsvc [2006-4-14 14336]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-4-29 2151128]
S3 ISLP2;Intersil 802.11 Wireless LAN Driver;c:\windows\system32\drivers\islp2nds.sys [2002-10-3 611840]
S3 jswimd;jswimd Service;c:\windows\system32\drivers\jswimd.sys [2008-8-14 19104]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-4-29 15232]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-5-22 38224]
S3 NPF;WinPcap Packet Driver (NPF);c:\windows\system32\drivers\npf.sys [2011-5-7 50704]
S3 OMVA;VPN-1 SecureClient Adapter;c:\windows\system32\drivers\OMVA.sys [2005-10-26 14924]
S3 Tp4Track;IBM PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [1980-1-1 14096]
S3 WPC11;Instant Wireless Network PC Card V3.0 Driver;c:\windows\system32\drivers\LSWLNDS.sys [2002-3-27 51072]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-05-25 05:35:09 -------- d-----w- c:\program files\iPod
2011-05-25 05:33:32 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-05-25 05:33:32 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-05-25 05:32:51 -------- d-----w- c:\program files\Bonjour
2011-05-25 05:18:40 42496 ----a-w- c:\windows\system32\tp4res.dll
2011-05-25 05:18:40 42496 ----a-w- c:\windows\system32\dllcache\tp4res.dll
2011-05-25 05:18:40 31744 ----a-w- c:\windows\system32\tp4.dll
2011-05-25 05:18:40 31744 ----a-w- c:\windows\system32\dllcache\tp4.dll
2011-05-25 05:18:40 11520 ----a-w- c:\windows\system32\drivers\TwoTrack.sys
2011-05-25 05:18:40 11520 ----a-w- c:\windows\system32\dllcache\twotrack.sys
2011-05-25 05:18:37 82432 ----a-w- c:\windows\system32\tp4mon.exe
2011-05-25 05:18:37 82432 ----a-w- c:\windows\system32\dllcache\tp4mon.exe
2011-05-25 04:43:29 -------- d-----w- c:\documents and settings\all users\application data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2011-05-24 15:26:39 -------- d-----w- c:\documents and settings\all users\application data\Security Essentials Ultimate Pack
2011-05-23 00:40:56 -------- d-----w- c:\documents and settings\administrator\application data\Malwarebytes
2011-05-23 00:40:29 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-23 00:40:28 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-05-23 00:40:21 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-23 00:40:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-22 00:52:13 -------- d-----w- c:\documents and settings\all users\application data\WSTB
2011-05-13 03:35:27 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-05-13 03:35:22 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-05-13 03:35:22 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-05-13 03:35:21 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-05-13 03:35:21 465880 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-05-13 03:35:21 1974616 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll
2011-05-13 03:35:21 1892184 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll
2011-05-13 03:35:21 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-05-11 08:07:54 -------- d--h--w- C:\$AVG
2011-05-11 04:05:59 -------- d-----w- c:\documents and settings\administrator\application data\AVG10
2011-05-11 04:03:27 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
2011-05-11 03:48:43 -------- d-----w- c:\documents and settings\all users\application data\AVG10
2011-05-11 03:45:47 -------- d-----w- c:\program files\AVG
2011-05-10 19:11:39 -------- d-----w- c:\documents and settings\all users\application data\MFAData
2011-05-10 14:45:01 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-05-08 03:19:58 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-05-08 03:09:12 50704 ----a-w- c:\windows\system32\drivers\npf.sys
2011-05-08 03:09:12 281104 ----a-w- c:\windows\system32\wpcap.dll
2011-05-08 03:09:12 100880 ----a-w- c:\windows\system32\Packet.dll
2011-05-08 01:21:18 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-05-08 01:16:58 -------- d-----w- c:\program files\Lavasoft
2011-05-07 17:34:32 -------- d-----w- c:\program files\ESET
.
==================== Find3M ====================
.
2011-04-06 23:20:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 23:20:16 197920 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 23:20:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, GMER - Rootkit Detector and Remover
Windows 5.1.2600 Disk: HTS548080M9AT00 rev.MG4OA53A -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82F3A4D0]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x82f407f0]; MOV EAX, [0x82f4086c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E37C5] -> \Device\Harddisk0\DR0[0x82FCE688]
3 CLASSPNP[0xF872305B] -> nt!IofCallDriver[0x804E37C5] -> \Device\00000088[0x82FCF650]
5 ACPI[0xF8679620] -> nt!IofCallDriver[0x804E37C5] -> [0x82FCF030]
\Driver\atapi[0x82F37500] -> IRP_MJ_CREATE -> 0x82F3A4D0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { CLI ; XOR AX, AX; MOV ES, AX; MOV DS, AX; MOV SS, AX; MOV SP, 0x7c00; MOV SI, SP; STI ; CLD ; MOV DI, 0x600; MOV CX, 0x100; REP MOVSW ; MOV AX, 0x6df; PUSH AX; RET ; ADD [BX], CL; ADD [BX+DI], AL; OR AL, [DI+0x72]; JB 0x95; JB 0x48; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x82F3A31B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 19:55:17.37 ===============
Attached: attach.zip (6.5 KB)

stocktsi
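Added example, not part of the thread and not code from DDS, GMER, ComboFix or the forum: a small Python triage script that reads lines copied from the DDS log above and flags the indicators a helper looks at first: startup entries launching from user-writable or network locations, hosts-file redirections, Firefox search and security-warning prefs, and the disk-trace hook reported by the rootkit detector. The suspicious-directory list, the severities and the wording of each reason are this example's own assumptions, not rules taken from any of those tools.

```python
"""Triage a pasted DDS log for the indicators a malware-removal helper reads first.

Added example for this thread; it is not part of DDS, GMER, ComboFix or the
forum's tooling. The directory list, severities and wording are this example's
own assumptions, not rules from any of those tools.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample: lines copied from the DDS log posted above.
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Malware Protection] c:\documents and settings\all users\application data\defender.exe
mRun: [Audit Wizard] \\madriver\awizard\ScanWS_SD.bat
mRun: [vptray] c:\progra~1\navnt\vptray.exe
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 10.10.103.44 ezsys # EASY ARCHIVE SYSTEM
FF - prefs.js: keyword.URL - hxxp://search.internet-search-results.com/?sid=10101138100&s=
user_pref(security.warn_submit_insecure,false);
FF - user.js: security.warn_submit_insecure.show_once - false
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82F3A4D0]<<
\Driver\atapi DriverStartIo -> 0x82F3A31B
Warning: possible TDL3 rootkit infection !
"""

# Line shapes as DDS / GMER print them in the sections quoted above.
RUN_RE = re.compile(r"^[umd]Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+) (?P<host>\S+)")
FF_PREF_RE = re.compile(r"^FF - (?:prefs|user)\.js: (?P<key>\S+) - (?P<val>.*)$")
USER_PREF_RE = re.compile(r"^user_pref\((?P<key>[^,]+),(?P<val>[^)]*)\);")
UNKNOWN_MOD_RE = re.compile(r">>UNKNOWN \[(?P<addr>0x[0-9A-Fa-f]+)\]<<")
HOOK_RE = re.compile(r"^\\Driver\\(?P<drv>\w+) (?P<fn>\w+) -> (?P<addr>0x[0-9A-Fa-f]+)")

# Assumption of this example: startup entries rarely point into these user-writable
# locations legitimately, so anything launched from them deserves a closer look.
USER_WRITABLE = ("application data", "documents and settings", "local settings", "\\temp\\")

Finding = Optional[Tuple[str, str]]  # (severity, reason) or None when nothing is notable


def _check_run(m) -> Finding:
    """Autorun (uRun/mRun/dRun) entries: where does the command actually live?"""
    cmd = m.group("cmd").strip('"').lower()
    if cmd.startswith("\\\\"):
        return "high", "startup entry runs from a UNC network share"
    if any(loc in cmd for loc in USER_WRITABLE):
        return "high", "startup entry runs from a user-writable profile directory"
    if cmd.endswith(".bat"):
        return "medium", "startup entry is a batch script"
    return None


def _check_hosts(m) -> Finding:
    """Hosts-file overrides: loopback entries for non-localhost names block sites."""
    ip, host = m.group("ip"), m.group("host").lower()
    if ip.startswith("127.") and host != "localhost":
        return "high", f"hosts file blackholes {host} (blocking security sites is a classic infection sign)"
    return "low", f"hosts file maps {host} to {ip}; confirm it was added intentionally"


def _check_ff(key: str, val: str) -> Finding:
    """Firefox prefs: redirected address-bar search and silenced security warnings."""
    key, val = key.strip(), val.strip().lower()
    if key == "keyword.URL":
        return "medium", f"Firefox address-bar searches are sent to {val}"
    if key.startswith("security.warn") and val == "false":
        return "medium", f"Firefox security warning {key} is disabled"
    return None


def _check_rootkit(line: str) -> Finding:
    """GMER disk trace: unknown code in the I/O path or a hooked driver entry point."""
    m = UNKNOWN_MOD_RE.search(line)
    if m:
        return "critical", f"disk I/O path passes through unknown code at {m.group('addr')}"
    m = HOOK_RE.match(line)
    if m:
        return "critical", f"{m.group('fn')} of \\Driver\\{m.group('drv')} is hooked at {m.group('addr')}"
    if "rootkit infection" in line.lower():
        return "critical", "rootkit detector reports a possible infection"
    return None


def _classify(line: str) -> Finding:
    m = RUN_RE.match(line)
    if m:
        return _check_run(m)
    m = HOSTS_RE.match(line)
    if m:
        return _check_hosts(m)
    m = FF_PREF_RE.match(line) or USER_PREF_RE.match(line)
    if m:
        return _check_ff(m.group("key"), m.group("val"))
    return _check_rootkit(line)


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per notable line, preserving the log's order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        result = _classify(line)
        if result:
            severity, reason = result
            findings.append({"severity": severity, "line": line, "reason": reason})
    return findings


def severity_counts(findings: List[Dict[str, str]]) -> Dict[str, int]:
    return dict(Counter(f["severity"] for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:8}] {f['reason']}\n           {f['line']}")
    print(severity_counts(triage(SAMPLE_LOG)))
```

The script deliberately leaves ordinary entries (ctfmon.exe, vptray.exe) unflagged and rates the 10.10.103.44 hosts entry as "low", which matches the helper's approach in the thread: items like that are asked about rather than removed outright, while the hooked atapi DriverStartIo and the unknown module in the disk trace are the findings that decide the order of the fix.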
Old 05-27-2011, 08:56 PM   #2
Registered Member
 
Join Date: May 2011
Posts: 16
OS: windows xp



Additional info: I was unable to post this thread from the infected computer - I get a connection reset error. I needed to use a different computer to post.

stocktsi
Old 05-28-2011, 04:33 PM   #3
Security Team
Analyst
 
Join Date: Jan 2008
Location: Queensland, Australia
Posts: 1,479
OS: XP SP3



Hi and welcome to TSF.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem as soon as possible.

You may wish to subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Please be patient with me during this time.
Vick
Old 05-28-2011, 09:16 PM   #4
Registered Member
 
Join Date: May 2011
Posts: 16
OS: windows xp



Vick,

Thank you for reviewing my logs. I am subscribed to the thread and look forward to hearing from you.

-Steve
stocktsi
Old 05-28-2011, 09:33 PM   #5
Security Team
Analyst
 
Join Date: Jan 2008
Location: Queensland, Australia
Posts: 1,479
OS: XP SP3



Hi stocktsi,

Thank you for your patience.

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions, and please do not do any fixing on your own or run any scanners unless requested by a helper.

--------

One or more of the identified infections is a backdoor trojan/rootkit.
This type of infection allows hackers to remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

You can read this: How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

--------

Do you have any info regarding the entries below? Did you intentionally install any programs with a similar name?
[Audit Wizard] \\madriver\awizard\ScanWS_SD.bat
Hosts: 10.10.103.44 ezsys # EASY ARCHIVE SYSTEM


--------

1. Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Place combofix.exe on your Desktop

2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
You can get help on disabling your protection programs here

3. Double click on combofix.exe & follow the prompts.
Note: Windows Vista users will have to right-click on the file and select "Run as Administrator"

4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.

ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:

The Recovery Console was successfully installed.



Click on Yes, to continue scanning for malware.
5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
6. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


---------------------------------------------------------------------------------------------
7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.

---------------------------------------------------------------------------------------------
Vick
Old 05-28-2011, 09:42 PM   #6
Registered Member
 
Join Date: May 2011
Posts: 16
OS: windows xp



Vick,

I'll run the recommended apps. I think the files you asked about:

[Audit Wizard] \\madriver\awizard\ScanWS_SD.bat
Hosts: 10.10.103.44 ezsys # EASY ARCHIVE SYSTEM

Might have been things installed by corporate IT when this was a company computer. Either way, I don't need it any more.
stocktsi
Old 05-28-2011, 11:16 PM   #7
Registered Member
 
Join Date: May 2011
Posts: 16
OS: windows xp



Vick,

I ran ComboFix, and it installed the Recovery Console. It ran through all steps, and found and deleted some items. It said it was going to reboot the system, but unfortunately it blue screened at that point. Once I was able to get it rebooted (see below), it did not give me a log file.

Something new that's come up over the last day or so is when I try to boot, it blue screens. If I boot in safe mode, it will finish the boot, but I can't do a standard boot any more. This was occasional, and now is more consistent - I haven't been able to do a clean standard boot since I posted (I don't reboot very often). To run ComboFix, I had to boot in Safe Mode.

Please let me know how you'd like me to proceed. Thanks again for your help.
-Steve
stocktsi
Old 05-29-2011, 01:05 PM   #8
Security Team
Analyst
 
Join Date: Jan 2008
Location: Queensland, Australia
Posts: 1,479
OS: XP SP3



Hi Steve,

* Download TDSSKiller.zip and extract TDSSKiller.exe to your desktop
* Execute TDSSKiller.exe by doubleclicking on it.
* Press Start Scan
* If Malicious objects are found, ensure Cure is selected (it should be by default)
NOTE: If Cure is not an option, select Skip
* Click Continue then click Reboot now
* Once complete, a log will be produced at the root drive which is typically C:\

TDSSKiller.2.5.3.0_29.05.2011_15.45.57_log.txt
* Attach that log, please.

---------

Next, double click Combofix and follow the prompts.

Post the logs on your next reply.
Vick
Old 05-29-2011, 04:41 PM   #9
Registered Member
 
Join Date: May 2011
Posts: 16
OS: windows xp



Vick,

I appreciate your help! Good progress - my system both booted and ran ComboFix without bluescreen (so far - knock on wood :).

ComboFix log below. TDSSKiller log attached.


ComboFix 11-05-29.01 - Administrator 05/29/2011 15:55:39.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503.174 [GMT -7:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\data
c:\documents and settings\Administrator\Application Data\Sun\kfb0.dll
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\ungars\WINDOWS
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\Packet.dll
c:\windows\system32\wpcap.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_ITLPERF
-------\Legacy_NPF
-------\Service_itlperf
-------\Service_NPF
.
.
((((((((((((((((((((((((( Files Created from 2011-04-28 to 2011-05-29 )))))))))))))))))))))))))))))))
.
.
2011-05-29 17:10 . 2011-05-29 17:10 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-05-25 05:39 . 2011-05-25 05:39 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer
2011-05-25 05:35 . 2011-05-25 05:35 -------- d-----w- c:\program files\iPod
2011-05-25 05:33 . 2011-05-25 05:33 -------- d-----w- c:\program files\Apple Software Update
2011-05-25 05:33 . 2011-02-18 23:36 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-05-25 05:33 . 2011-02-18 23:36 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-05-25 05:32 . 2011-05-25 05:32 -------- d-----w- c:\program files\Bonjour
2011-05-25 05:18 . 2001-08-18 05:36 31744 ----a-w- c:\windows\system32\tp4.dll
2011-05-25 05:18 . 2001-08-18 05:36 31744 ----a-w- c:\windows\system32\dllcache\tp4.dll
2011-05-25 05:18 . 2001-08-18 05:35 42496 ----a-w- c:\windows\system32\tp4res.dll
2011-05-25 05:18 . 2001-08-18 05:35 42496 ----a-w- c:\windows\system32\dllcache\tp4res.dll
2011-05-25 05:18 . 2001-08-17 20:48 11520 ----a-w- c:\windows\system32\drivers\TwoTrack.sys
2011-05-25 05:18 . 2001-08-17 20:48 11520 ----a-w- c:\windows\system32\dllcache\twotrack.sys
2011-05-25 05:18 . 2004-08-04 07:56 82432 ----a-w- c:\windows\system32\tp4mon.exe
2011-05-25 05:18 . 2004-08-04 07:56 82432 ----a-w- c:\windows\system32\dllcache\tp4mon.exe
2011-05-25 04:43 . 2011-05-25 04:45 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2011-05-24 15:26 . 2011-05-24 15:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Security Essentials Ultimate Pack
2011-05-23 00:40 . 2011-05-23 00:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-05-23 00:40 . 2010-12-21 01:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-23 00:40 . 2011-05-23 00:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-05-23 00:40 . 2011-05-23 00:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-23 00:40 . 2010-12-21 01:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-22 00:52 . 2011-05-24 02:50 -------- d-----w- c:\documents and settings\All Users\Application Data\WSTB
2011-05-15 05:48 . 2011-05-15 05:49 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-05-13 03:35 . 2011-04-14 16:26 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-05-13 03:35 . 2011-04-14 16:25 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-05-13 03:35 . 2011-04-14 16:25 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-05-13 03:35 . 2011-04-14 16:25 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-05-13 03:35 . 2011-04-14 16:25 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-05-13 03:35 . 2011-04-14 16:25 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-05-13 03:35 . 2010-01-01 08:00 1974616 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-05-13 03:35 . 2010-01-01 08:00 1892184 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-05-11 08:07 . 2011-05-11 08:07 -------- d-----w- C:\$AVG
2011-05-11 04:05 . 2011-05-11 04:05 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVG10
2011-05-11 04:03 . 2011-05-11 04:03 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-05-11 03:48 . 2011-05-17 03:16 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2011-05-11 03:45 . 2011-05-11 03:45 -------- d-----w- c:\program files\AVG
2011-05-10 19:11 . 2011-05-17 03:13 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-05-10 14:45 . 2011-05-08 03:19 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-05-09 00:42 . 2011-05-09 00:42 -------- d-----w- c:\documents and settings\LocalService\Application Data\Share-to-Web Upload Folder
2011-05-08 03:19 . 2011-05-08 03:19 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-05-08 03:09 . 2011-05-08 03:09 50704 ----a-w- c:\windows\system32\drivers\npf.sys
2011-05-08 01:21 . 2011-04-29 19:12 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-05-08 01:16 . 2011-05-08 01:16 -------- d-----w- c:\program files\Lavasoft
2011-05-08 01:16 . 2011-05-08 01:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2011-05-07 17:34 . 2011-05-07 17:34 -------- d-----w- c:\program files\ESET
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-06 23:20 . 2011-04-06 23:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 23:20 . 2011-04-06 23:20 197920 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 23:20 . 2011-04-06 23:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-04-14 16:26 . 2011-05-13 03:35 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
Code:
<pre>
c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe
c:\program files\Common Files\AOL\1127543071\ee\AOLSoftware .exe
c:\program files\Common Files\AOL\ACS\AOLDial .exe
c:\program files\Common Files\AOL\IPHSend\IPHSend .exe
c:\program files\Common Files\Real\Update_OB\realsched .exe
c:\program files\D-Link\AIRPLUS .exe
c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\Java\jre1.5.0_06\bin\jusched .exe
c:\program files\Messenger\MSMSGS .exe
c:\program files\Microsoft Hardware\Keyboard\type32 .exe
c:\program files\NavNT\vptray .exe
c:\program files\pure networks\port magic\PortAOL .exe
c:\program files\QuickTime\QTTask         .exe
c:\program files\Skype\Phone\Skype .exe
c:\program files\ThinkPad\ConnectUtilities\QCTRAY     .exe
c:\program files\ThinkPad\ConnectUtilities\QCWLICON    .exe
c:\program files\ThinkPad\PkgMgr\HOTKEY\TPHKMGR .exe
c:\windows\system32\tp4ex .exe
c:\windows\system32\tp4serv .exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [N/A]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [N/A]
"Malware Protection"="c:\documents and settings\All Users\Application Data\defender.exe" [N/A]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISLP2STA.EXE"="ISLP2STA.EXE START" [X]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2002-06-20 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2002-06-20 114688]
"TrackPointSrv"="tp4mon.exe" [2004-08-04 82432]
"QCTRAY"="c:\program files\ThinkPad\ConnectUtilities\QCTRAY .exe" [N/A]
"QCWLICON"="c:\program files\ThinkPad\ConnectUtilities\QCWLICON .exe" [N/A]
"TP4EX"="tp4ex.exe" [N/A]
"TPHOTKEY"="c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [N/A]
"AGRSMMSG"="AGRSMMSG.exe" [2002-02-23 87037]
"Tgcmd"="c:\program files\Support.com\bin\tgcmd.exe" [2001-11-07 1519616]
"UC_SMB"="" [N/A]
"vptray"="c:\progra~1\NavNT\vptray.exe" [N/A]
"IntelliType"="c:\program files\Microsoft Hardware\Keyboard\type32.exe" [N/A]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [N/A]
"Pure Networks Port Magic"="c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe" [N/A]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [N/A]
"HostManager"="c:\program files\Common Files\AOL\1127543071\ee\AOLSoftware.exe" [N/A]
"Audit Wizard"="\\madriver\awizard\ScanWS_SD.bat" [N/A]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [N/A]
"IPHSend"="c:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [N/A]
"AIRPLUS"="c:\program files\D-Link\AIRPLUS.exe" [N/A]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [N/A]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\MSMSGS.EXE" [N/A]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
SnagIt 6.lnk - c:\program files\TechSmith\SnagIt 6\SnagIt32.exe [2004-7-15 1777664]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2003-4-11 106560]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
2004-07-14 05:14 24673 ----a-w- c:\windows\system32\ckpNotify.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\kdx\\khost.exe"=
"c:\\Program Files\\America Online 9.0a\\waol.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Install Network Printer Wizard 8.1\\hpjsi.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/7/2011 6:21 PM 64512]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [11/20/2002 10:29 PM 12288]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [4/29/2011 12:11 PM 2151128]
R2 Scap;SecureClient Application Policy Module;c:\windows\system32\drivers\scap.sys [10/26/2005 8:11 AM 17456]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/7/2008 9:15 PM 24652]
R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [10/26/2005 8:11 AM 670128]
R3 {A7E39B01-B403-11d4-BD18-00D0B7A1821E};AIM 3.0 Part 01 Codec Driver VCH-A;c:\windows\system32\drivers\Vch.sys [11/20/2002 10:32 PM 20023]
R3 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [10/26/2005 8:11 AM 2041904]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S3 ISLP2;Intersil 802.11 Wireless LAN Driver;c:\windows\system32\drivers\islp2nds.sys [10/3/2002 7:07 PM 611840]
S3 jswimd;jswimd Service;c:\windows\system32\drivers\jswimd.sys [8/14/2008 8:28 PM 19104]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [4/29/2011 12:11 PM 15232]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [5/22/2011 5:40 PM 38224]
S3 OMVA;VPN-1 SecureClient Adapter;c:\windows\system32\drivers\OMVA.sys [10/26/2005 8:11 AM 14924]
S3 Tp4Track;IBM PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [1/1/1980 1:00 AM 14096]
S3 WPC11;Instant Wireless Network PC Card V3.0 Driver;c:\windows\system32\drivers\LSWLNDS.sys [3/27/2002 11:14 PM 51072]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
itlsvc REG_MULTI_SZ itlperf
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-29 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-04-29 09:11]
.
2011-05-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 18:50]
.
2011-05-26 c:\windows\Tasks\BMMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2002-11-21 09:30]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.0.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\pzvzcuuj.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.internet-search-results.com/?sid=10101138100&s=
user_pref(security.warn_viewing_mixed,false);
user_pref(security.warn_viewing_mixed.show_once,false);
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
user_pref(security.warn_submit_insecure,false);
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
Notify-itlntfy - itlnfw32.dll
AddRemove-Port Magic - c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2011-05-29 16:18
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3532)
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\ibmpmsvc.exe
c:\windows\system32\acs.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\progra~1\NavNT\DefWatch.exe
c:\progra~1\NavNT\rtvscan.exe
c:\oracle\ora92\bin\omtsreco.exe
c:\windows\System32\wdfmgr.exe
c:\windows\system32\tp4mon.exe
c:\windows\AGRSMMSG.exe
c:\windows\System32\wbem\unsecapp.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-05-29 16:33:44 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-29 23:33
.
Pre-Run: 35,484,971,008 bytes free
Post-Run: 35,588,337,664 bytes free
.
- - End Of File - - 70097793E1C9FAB037B711CA55BB2532
Attached Files
File Type: txt TDSSKiller.2.5.3.0_29.05.2011_15.28.16_log.txt (42.5 KB, 8 views)
stocktsi
Old 05-30-2011, 01:37 PM   #10
Security Team
Analyst
 
Join Date: Jan 2008
Location: Queensland, Australia
Posts: 1,479
OS: XP SP3



Hi Steve,

----

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Quote:
RenV::
c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe
c:\program files\Common Files\AOL\1127543071\ee\AOLSoftware .exe
c:\program files\Common Files\AOL\ACS\AOLDial .exe
c:\program files\Common Files\AOL\IPHSend\IPHSend .exe
c:\program files\Common Files\Real\Update_OB\realsched .exe
c:\program files\D-Link\AIRPLUS .exe
c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\Java\jre1.5.0_06\bin\jusched .exe
c:\program files\Messenger\MSMSGS .exe
c:\program files\Microsoft Hardware\Keyboard\type32 .exe
c:\program files\NavNT\vptray .exe
c:\program files\pure networks\port magic\PortAOL .exe
c:\program files\QuickTime\QTTask .exe
c:\program files\Skype\Phone\Skype .exe
c:\program files\ThinkPad\ConnectUtilities\QCTRAY .exe
c:\program files\ThinkPad\ConnectUtilities\QCWLICON .exe
c:\program files\ThinkPad\PkgMgr\HOTKEY\TPHKMGR .exe
c:\windows\system32\tp4ex .exe
c:\windows\system32\tp4serv .exe

file::
c:\documents and settings\All Users\Application Data\defender.exe
Save this as CFScript.txt, in the same location as ComboFix.exe




ComboFix may request an update; please allow it.
Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
Vick
Old 05-30-2011, 07:39 PM   #11
Registered Member
 
Join Date: May 2011
Posts: 16
OS: windows xp



Vick,

New log attached. Combofix keeps telling me that AdAware is running. I did a right click-exit before starting Combofix. I also checked task manager and didn't see it running. Did I miss something?

Thanks,
-Steve

ComboFix 11-05-30.06 - Administrator 05/30/2011 19:09:40.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503.332 [GMT -7:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
FILE ::
"c:\documents and settings\All Users\Application Data\defender.exe"
.
.
((((((((((((((((((((((((( Files Created from 2011-04-28 to 2011-05-31 )))))))))))))))))))))))))))))))
.
.
2011-05-29 17:10 . 2011-05-29 17:10 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-05-25 05:39 . 2011-05-25 05:39 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer
2011-05-25 05:35 . 2011-05-25 05:35 -------- d-----w- c:\program files\iPod
2011-05-25 05:33 . 2011-05-25 05:33 -------- d-----w- c:\program files\Apple Software Update
2011-05-25 05:33 . 2011-02-18 23:36 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-05-25 05:33 . 2011-02-18 23:36 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-05-25 05:32 . 2011-05-25 05:32 -------- d-----w- c:\program files\Bonjour
2011-05-25 05:18 . 2001-08-18 05:36 31744 ----a-w- c:\windows\system32\tp4.dll
2011-05-25 05:18 . 2001-08-18 05:36 31744 ----a-w- c:\windows\system32\dllcache\tp4.dll
2011-05-25 05:18 . 2001-08-18 05:35 42496 ----a-w- c:\windows\system32\tp4res.dll
2011-05-25 05:18 . 2001-08-18 05:35 42496 ----a-w- c:\windows\system32\dllcache\tp4res.dll
2011-05-25 05:18 . 2001-08-17 20:48 11520 ----a-w- c:\windows\system32\drivers\TwoTrack.sys
2011-05-25 05:18 . 2001-08-17 20:48 11520 ----a-w- c:\windows\system32\dllcache\twotrack.sys
2011-05-25 05:18 . 2004-08-04 07:56 82432 ----a-w- c:\windows\system32\tp4mon.exe
2011-05-25 05:18 . 2004-08-04 07:56 82432 ----a-w- c:\windows\system32\dllcache\tp4mon.exe
2011-05-25 04:43 . 2011-05-25 04:45 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2011-05-24 15:26 . 2011-05-24 15:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Security Essentials Ultimate Pack
2011-05-23 00:40 . 2011-05-23 00:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-05-23 00:40 . 2010-12-21 01:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-23 00:40 . 2011-05-23 00:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-05-23 00:40 . 2011-05-23 00:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-23 00:40 . 2010-12-21 01:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-22 00:52 . 2011-05-24 02:50 -------- d-----w- c:\documents and settings\All Users\Application Data\WSTB
2011-05-15 05:48 . 2011-05-15 05:49 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-05-13 03:35 . 2011-04-14 16:26 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-05-13 03:35 . 2011-04-14 16:25 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-05-13 03:35 . 2011-04-14 16:25 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-05-13 03:35 . 2011-04-14 16:25 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-05-13 03:35 . 2011-04-14 16:25 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-05-13 03:35 . 2011-04-14 16:25 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-05-13 03:35 . 2010-01-01 08:00 1974616 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-05-13 03:35 . 2010-01-01 08:00 1892184 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-05-11 08:07 . 2011-05-11 08:07 -------- d-----w- C:\$AVG
2011-05-11 04:05 . 2011-05-11 04:05 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVG10
2011-05-11 04:03 . 2011-05-11 04:03 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-05-11 03:48 . 2011-05-17 03:16 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2011-05-11 03:45 . 2011-05-11 03:45 -------- d-----w- c:\program files\AVG
2011-05-10 19:11 . 2011-05-17 03:13 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-05-10 14:45 . 2011-05-08 03:19 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-05-09 00:42 . 2011-05-09 00:42 -------- d-----w- c:\documents and settings\LocalService\Application Data\Share-to-Web Upload Folder
2011-05-08 03:19 . 2011-05-08 03:19 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-05-08 03:09 . 2011-05-08 03:09 50704 ----a-w- c:\windows\system32\drivers\npf.sys
2011-05-08 01:21 . 2011-04-29 19:12 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-05-08 01:16 . 2011-05-08 01:16 -------- d-----w- c:\program files\Lavasoft
2011-05-08 01:16 . 2011-05-08 01:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2011-05-07 17:34 . 2011-05-07 17:34 -------- d-----w- c:\program files\ESET
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-06 23:20 . 2011-04-06 23:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 23:20 . 2011-04-06 23:20 197920 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 23:20 . 2011-04-06 23:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-04-14 16:26 . 2011-05-13 03:35 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
Code:
c:\program files\QuickTime\QTTask         .exe
c:\program files\ThinkPad\ConnectUtilities\QCTRAY     .exe
c:\program files\ThinkPad\ConnectUtilities\QCWLICON    .exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-04-06 26102056]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2005-10-24 307200]
"Malware Protection"="c:\documents and settings\All Users\Application Data\defender.exe" [N/A]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISLP2STA.EXE"="ISLP2STA.EXE START" [X]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2002-06-20 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2002-06-20 114688]
"TrackPointSrv"="tp4mon.exe" [2004-08-04 82432]
"QCTRAY"="c:\program files\ThinkPad\ConnectUtilities\QCTRAY .exe" [N/A]
"QCWLICON"="c:\program files\ThinkPad\ConnectUtilities\QCWLICON .exe" [N/A]
"TP4EX"="tp4ex.exe" [2002-02-22 40960]
"TPHOTKEY"="c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2002-06-28 86016]
"AGRSMMSG"="AGRSMMSG.exe" [2002-02-23 87037]
"Tgcmd"="c:\program files\Support.com\bin\tgcmd.exe" [2001-11-07 1519616]
"UC_SMB"="" [N/A]
"vptray"="c:\progra~1\NavNT\vptray.exe" [2003-10-07 90112]
"IntelliType"="c:\program files\Microsoft Hardware\Keyboard\type32.exe" [2002-03-22 94208]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2005-04-18 71256]
"Pure Networks Port Magic"="c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-05-07 99480]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-12-27 180269]
"HostManager"="c:\program files\Common Files\AOL\1127543071\ee\AOLSoftware.exe" [2006-03-08 48280]
"Audit Wizard"="\\madriver\awizard\ScanWS_SD.bat" [N/A]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"IPHSend"="c:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-03-27 126104]
"AIRPLUS"="c:\program files\D-Link\AIRPLUS.exe" [2005-08-13 733184]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-16 141608]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\MSMSGS.EXE" [2004-10-13 1694208]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
SnagIt 6.lnk - c:\program files\TechSmith\SnagIt 6\SnagIt32.exe [2004-7-15 1777664]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2003-4-11 106560]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
2004-07-14 05:14 24673 ----a-w- c:\windows\system32\ckpNotify.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\kdx\\khost.exe"=
"c:\\Program Files\\America Online 9.0a\\waol.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Install Network Printer Wizard 8.1\\hpjsi.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/7/2011 6:21 PM 64512]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [11/20/2002 10:29 PM 12288]
R2 Scap;SecureClient Application Policy Module;c:\windows\system32\drivers\scap.sys [10/26/2005 8:11 AM 17456]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/7/2008 9:15 PM 24652]
R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [10/26/2005 8:11 AM 670128]
R3 {A7E39B01-B403-11d4-BD18-00D0B7A1821E};AIM 3.0 Part 01 Codec Driver VCH-A;c:\windows\system32\drivers\Vch.sys [11/20/2002 10:32 PM 20023]
R3 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [10/26/2005 8:11 AM 2041904]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [4/29/2011 12:11 PM 2151128]
S3 ISLP2;Intersil 802.11 Wireless LAN Driver;c:\windows\system32\drivers\islp2nds.sys [10/3/2002 7:07 PM 611840]
S3 jswimd;jswimd Service;c:\windows\system32\drivers\jswimd.sys [8/14/2008 8:28 PM 19104]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [4/29/2011 12:11 PM 15232]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [5/22/2011 5:40 PM 38224]
S3 OMVA;VPN-1 SecureClient Adapter;c:\windows\system32\drivers\OMVA.sys [10/26/2005 8:11 AM 14924]
S3 Tp4Track;IBM PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [1/1/1980 1:00 AM 14096]
S3 WPC11;Instant Wireless Network PC Card V3.0 Driver;c:\windows\system32\drivers\LSWLNDS.sys [3/27/2002 11:14 PM 51072]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
itlsvc REG_MULTI_SZ itlperf
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-30 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-04-29 09:11]
.
2011-05-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 18:50]
.
2011-05-30 c:\windows\Tasks\BMMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2002-11-21 09:30]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.0.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\pzvzcuuj.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.internet-search-results.com/?sid=10101138100&s=
user_pref(security.warn_viewing_mixed,false);
user_pref(security.warn_viewing_mixed.show_once,false);
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
user_pref(security.warn_submit_insecure,false);
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2011-05-30 19:24
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3380)
c:\windows\system32\ieframe.dll
.
Completion time: 2011-05-30 19:30:23
ComboFix-quarantined-files.txt 2011-05-31 02:30
ComboFix2.txt 2011-05-29 23:33
.
Pre-Run: 35,670,339,584 bytes free
Post-Run: 35,655,708,672 bytes free
.
- - End Of File - - 26B2DB1C968878AF164EB2A63E124B9B
stocktsi
Old 05-31-2011, 12:47 PM   #12
Security Team
Analyst
 
Join Date: Jan 2008
Location: Queensland, Australia
Posts: 1,479
OS: XP SP3



Hi Steve,

-------

1. Close any open browsers.

2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
You can get help on disabling your protection programs here

3. Open notepad and copy/paste the text in the quotebox below into it:

Code:
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
"itlsvc"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malware Protection"=-

RenV::
c:\program files\QuickTime\QTTask         .exe
c:\program files\ThinkPad\ConnectUtilities\QCTRAY     .exe
c:\program files\ThinkPad\ConnectUtilities\QCWLICON    .exe
Save this as CFScript.txt, in the same location as ComboFix.exe




ComboFix may request an update; please allow it.
Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
Vick
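As an added example (not code from this thread, from ComboFix, or from either poster), the Python below runs a triage pass over the "Reg Loading Points" section of a log like the ones posted here. It flags the same patterns the CFScripts in this thread act on: an autorun launched from a user-writable data directory, a file name with whitespace before its extension, a target ComboFix reports as [N/A], a disabled firewall profile, and a globally opened port. The sample lines are constructed to mirror this thread's logs; the marker list, regexes and function names are my own assumptions, not ComboFix's.

```python
import re
from typing import Dict, List

# Constructed sample in ComboFix's "Reg Loading Points" layout (values mirror
# this thread's logs, but the block itself is assembled for this example).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-04-06 26102056]
"Malware Protection"="c:\documents and settings\All Users\Application Data\defender.exe" [N/A]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QCTRAY"="c:\program files\ThinkPad\ConnectUtilities\QCTRAY .exe" [N/A]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2002-06-20 155648]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"""

# Path fragments that ordinary user accounts can write to on Windows XP.
# An autorun pointing here is unusual for installed software (assumed list).
USER_WRITABLE_MARKERS = ("\\application data\\", "\\local settings\\", "\\temp\\")

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*(?P<rest>.*)$')
TARGET_RE = re.compile(r'^"(?P<path>[^"]*)"\s*\[(?P<stamp>[^\]]*)\]\s*$')
SPACE_EXT_RE = re.compile(r"\s+\.[A-Za-z0-9]{1,4}$")  # "QCTRAY .exe"


def _finding(key: str, name: str, value: str, reason: str) -> Dict[str, str]:
    return {"key": key, "name": name, "value": value, "reason": reason}


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious pattern in a Reg Loading Points dump."""
    findings: List[Dict[str, str]] = []
    key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            key = key_match.group("key")
            continue
        value_match = VALUE_RE.match(line)
        if not value_match or not key:
            continue
        name, rest = value_match.group("name"), value_match.group("rest")
        key_l = key.lower()

        if key_l.endswith("\\run"):
            target = TARGET_RE.match(rest)
            if not target or not target.group("path"):
                continue  # e.g. "UC_SMB"="" [N/A] carries no path to judge
            path, stamp = target.group("path"), target.group("stamp")
            if any(m in path.lower() for m in USER_WRITABLE_MARKERS):
                findings.append(_finding(key, name, path, "autorun from user-writable data directory"))
            if SPACE_EXT_RE.search(path):
                findings.append(_finding(key, name, path, "whitespace before file extension"))
            if stamp.strip().upper() == "N/A":
                findings.append(_finding(key, name, path, "target not found on disk"))

        elif key_l.endswith("\\firewallpolicy\\standardprofile"):
            # ComboFix prints the DWORD as "0 (0x0)"; the first token is the value.
            if name.lower() == "enablefirewall":
                try:
                    enabled = int(rest.split()[0])
                except (IndexError, ValueError):
                    continue
                if enabled == 0:
                    findings.append(_finding(key, name, rest, "Windows Firewall disabled"))

        elif key_l.endswith("\\globallyopenports\\list"):
            # Every entry here is reachable from any network the profile covers.
            findings.append(_finding(key, name, rest, "port opened to all networks in firewall policy"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['reason']:<48} {f['name']} -> {f['value']}")
```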
Old 05-31-2011, 08:08 PM   #13
Registered Member
 
Join Date: May 2011
Posts: 16
OS: windows xp



ComboFix run. Log below.

-Steve

ComboFix 11-05-31.01 - Administrator 05/31/2011 19:17:12.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503.200 [GMT -7:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((( Files Created from 2011-05-01 to 2011-06-01 )))))))))))))))))))))))))))))))
.
.
2011-05-29 17:10 . 2011-05-29 17:10 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-05-25 05:39 . 2011-05-25 05:39 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer
2011-05-25 05:35 . 2011-05-25 05:35 -------- d-----w- c:\program files\iPod
2011-05-25 05:33 . 2011-05-25 05:33 -------- d-----w- c:\program files\Apple Software Update
2011-05-25 05:33 . 2011-02-18 23:36 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-05-25 05:33 . 2011-02-18 23:36 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-05-25 05:32 . 2011-05-25 05:32 -------- d-----w- c:\program files\Bonjour
2011-05-25 05:18 . 2001-08-18 05:36 31744 ----a-w- c:\windows\system32\tp4.dll
2011-05-25 05:18 . 2001-08-18 05:36 31744 ----a-w- c:\windows\system32\dllcache\tp4.dll
2011-05-25 05:18 . 2001-08-18 05:35 42496 ----a-w- c:\windows\system32\tp4res.dll
2011-05-25 05:18 . 2001-08-18 05:35 42496 ----a-w- c:\windows\system32\dllcache\tp4res.dll
2011-05-25 05:18 . 2001-08-17 20:48 11520 ----a-w- c:\windows\system32\drivers\TwoTrack.sys
2011-05-25 05:18 . 2001-08-17 20:48 11520 ----a-w- c:\windows\system32\dllcache\twotrack.sys
2011-05-25 05:18 . 2004-08-04 07:56 82432 ----a-w- c:\windows\system32\tp4mon.exe
2011-05-25 05:18 . 2004-08-04 07:56 82432 ----a-w- c:\windows\system32\dllcache\tp4mon.exe
2011-05-25 04:43 . 2011-05-25 04:45 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2011-05-24 15:26 . 2011-05-24 15:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Security Essentials Ultimate Pack
2011-05-23 00:40 . 2011-05-23 00:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-05-23 00:40 . 2010-12-21 01:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-23 00:40 . 2011-05-23 00:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-05-23 00:40 . 2011-05-23 00:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-23 00:40 . 2010-12-21 01:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-22 00:52 . 2011-05-24 02:50 -------- d-----w- c:\documents and settings\All Users\Application Data\WSTB
2011-05-15 05:48 . 2011-05-15 05:49 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-05-13 03:35 . 2011-04-14 16:26 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-05-13 03:35 . 2011-04-14 16:25 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-05-13 03:35 . 2011-04-14 16:25 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-05-13 03:35 . 2011-04-14 16:25 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-05-13 03:35 . 2011-04-14 16:25 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-05-13 03:35 . 2011-04-14 16:25 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-05-13 03:35 . 2010-01-01 08:00 1974616 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-05-13 03:35 . 2010-01-01 08:00 1892184 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-05-11 08:07 . 2011-05-11 08:07 -------- d-----w- C:\$AVG
2011-05-11 04:05 . 2011-05-11 04:05 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVG10
2011-05-11 04:03 . 2011-05-11 04:03 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-05-11 03:48 . 2011-05-17 03:16 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2011-05-11 03:45 . 2011-05-11 03:45 -------- d-----w- c:\program files\AVG
2011-05-10 19:11 . 2011-05-17 03:13 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-05-09 00:42 . 2011-05-09 00:42 -------- d-----w- c:\documents and settings\LocalService\Application Data\Share-to-Web Upload Folder
2011-05-08 03:19 . 2011-05-08 03:19 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-05-08 03:09 . 2011-05-08 03:09 50704 ----a-w- c:\windows\system32\drivers\npf.sys
2011-05-08 01:16 . 2011-06-01 02:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2011-05-07 17:34 . 2011-05-07 17:34 -------- d-----w- c:\program files\ESET
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-06 23:20 . 2011-04-06 23:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 23:20 . 2011-04-06 23:20 197920 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 23:20 . 2011-04-06 23:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-04-14 16:26 . 2011-05-13 03:35 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-04-06 26102056]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2005-10-24 307200]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISLP2STA.EXE"="ISLP2STA.EXE START" [X]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2002-06-20 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2002-06-20 114688]
"TrackPointSrv"="tp4mon.exe" [2004-08-04 82432]
"TP4EX"="tp4ex.exe" [2002-02-22 40960]
"TPHOTKEY"="c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2002-06-28 86016]
"AGRSMMSG"="AGRSMMSG.exe" [2002-02-23 87037]
"Tgcmd"="c:\program files\Support.com\bin\tgcmd.exe" [2001-11-07 1519616]
"vptray"="c:\progra~1\NavNT\vptray.exe" [2003-10-07 90112]
"IntelliType"="c:\program files\Microsoft Hardware\Keyboard\type32.exe" [2002-03-22 94208]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2005-04-18 71256]
"Pure Networks Port Magic"="c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-05-07 99480]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-12-27 180269]
"HostManager"="c:\program files\Common Files\AOL\1127543071\ee\AOLSoftware.exe" [2006-03-08 48280]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"IPHSend"="c:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-03-27 126104]
"AIRPLUS"="c:\program files\D-Link\AIRPLUS.exe" [2005-08-13 733184]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-16 141608]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\MSMSGS.EXE" [2004-10-13 1694208]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
SnagIt 6.lnk - c:\program files\TechSmith\SnagIt 6\SnagIt32.exe [2004-7-15 1777664]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2003-4-11 106560]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
2004-07-14 05:14 24673 ----a-w- c:\windows\system32\ckpNotify.dll
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\kdx\\khost.exe"=
"c:\\Program Files\\America Online 9.0a\\waol.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Install Network Printer Wizard 8.1\\hpjsi.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [11/20/2002 10:29 PM 12288]
R2 Scap;SecureClient Application Policy Module;c:\windows\system32\drivers\scap.sys [10/26/2005 8:11 AM 17456]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/7/2008 9:15 PM 24652]
R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [10/26/2005 8:11 AM 670128]
R3 {A7E39B01-B403-11d4-BD18-00D0B7A1821E};AIM 3.0 Part 01 Codec Driver VCH-A;c:\windows\system32\drivers\Vch.sys [11/20/2002 10:32 PM 20023]
R3 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [10/26/2005 8:11 AM 2041904]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S3 ISLP2;Intersil 802.11 Wireless LAN Driver;c:\windows\system32\drivers\islp2nds.sys [10/3/2002 7:07 PM 611840]
S3 jswimd;jswimd Service;c:\windows\system32\drivers\jswimd.sys [8/14/2008 8:28 PM 19104]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [5/22/2011 5:40 PM 38224]
S3 OMVA;VPN-1 SecureClient Adapter;c:\windows\system32\drivers\OMVA.sys [10/26/2005 8:11 AM 14924]
S3 Tp4Track;IBM PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [1/1/1980 1:00 AM 14096]
S3 WPC11;Instant Wireless Network PC Card V3.0 Driver;c:\windows\system32\drivers\LSWLNDS.sys [3/27/2002 11:14 PM 51072]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 18:50]
.
2011-06-01 c:\windows\Tasks\BMMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2002-11-21 09:30]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.0.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\pzvzcuuj.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.internet-search-results.com/?sid=10101138100&s=
user_pref(security.warn_viewing_mixed,false);
user_pref(security.warn_viewing_mixed.show_once,false);
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
user_pref(security.warn_submit_insecure,false);
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-QCTRAY - c:\program files\ThinkPad\ConnectUtilities\QCTRAY .exe
HKLM-Run-QCWLICON - c:\program files\ThinkPad\ConnectUtilities\QCWLICON .exe
HKLM-Run-UC_SMB - (no file)
HKLM-Run-Audit Wizard - \\madriver\awizard\ScanWS_SD.bat
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2011-05-31 19:34
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2176)
c:\windows\system32\ieframe.dll
.
Completion time: 2011-05-31 19:40:48
ComboFix-quarantined-files.txt 2011-06-01 02:40
ComboFix2.txt 2011-05-31 02:30
ComboFix3.txt 2011-05-29 23:33
.
Pre-Run: 36,083,122,176 bytes free
Post-Run: 36,069,232,640 bytes free
.
- - End Of File - - 16B107CBEAC16FB1256988AF260F6487
__________________
stocktsi is offline   Reply With Quote
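Several lines in the ComboFix log above are worth pulling out on their own: the Windows Firewall is disabled in the standard profile, 3389/TCP (Remote Desktop) is globally open, Firefox's keyword.URL has been pointed at a third-party search redirector, the security.warn_* prompts that would warn about mixed content and insecure form submission have been switched off, one orphaned Run entry points at an executable with a space before .exe (a filename no vendor ships, which suggests the original was renamed and replaced), and another Run entry launches a batch file from a network share. The script below is an added example written for this thread, not ComboFix's own code; it assumes the line formats seen in the pasted log, and the search-host allowlist, the remote-access port table and SAMPLE_LOG are constructed for the example.

```python
"""Flag the security-relevant lines in a ComboFix/DDS log.

Added example for this thread; it is not ComboFix's code.  The line formats
are taken from the log pasted above; the search-host allowlist, the port
table and SAMPLE_LOG are my own constructions.
"""
import re
from urllib.parse import urlparse

# Constructed sample, shaped like the sections of the log in the post.
SAMPLE_LOG = """\
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"ISLP2STA.EXE"="ISLP2STA.EXE START" [X]
"IgfxTray"="c:\\windows\\System32\\igfxtray.exe" [2002-06-20 155648]
.
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile\\GloballyOpenPorts\\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.internet-search-results.com/?sid=10101138100&s=
user_pref(security.warn_viewing_mixed,false);
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-QCTRAY - c:\\program files\\ThinkPad\\ConnectUtilities\\QCTRAY .exe
HKLM-Run-UC_SMB - (no file)
HKLM-Run-Audit Wizard - \\\\madriver\\awizard\\ScanWS_SD.bat
"""

# Hosts a stock Firefox keyword.URL would point at (assumed allowlist).
KNOWN_SEARCH_HOSTS = ("google.com", "yahoo.com", "bing.com")

# Ports that hand over remote control when globally open (assumed table).
REMOTE_ACCESS_PORTS = {3389: "RDP", 5900: "VNC", 5800: "VNC (HTTP)", 23: "Telnet"}

FIREWALL_OFF = re.compile(r'^"EnableFirewall"=\s*0\b')
OPEN_PORT = re.compile(r'^"(\d+):(TCP|UDP)"=')
KEYWORD_URL = re.compile(r'^FF - prefs\.js: keyword\.URL - (\S+)')
WARN_PREF_OFF = re.compile(r'(security\.warn_[\w.]*)\s*[-,]\s*false')
RUN_ENTRY = re.compile(r'^HKLM-Run-(.+?) - (.+)$')          # orphan section
RUN_VALUE_MISSING = re.compile(r'^"([^"]+)"=.*\[X\]$')      # [X] = file not found
SPACE_BEFORE_EXT = re.compile(r'\s\.(exe|dll|bat|cmd|scr)$', re.IGNORECASE)


def _host(url):
    # ComboFix defangs URLs as hxxp://; undo that before parsing.
    return urlparse(url.replace("hxxp", "http", 1)).hostname or ""


def triage(log_text):
    """Return a list of (severity, rule, detail) findings for one log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if FIREWALL_OFF.match(line):
            findings.append(("high", "firewall-off",
                             "Windows Firewall disabled in the standard profile"))
            continue
        m = OPEN_PORT.match(line)
        if m:
            port, proto = int(m.group(1)), m.group(2)
            svc = REMOTE_ACCESS_PORTS.get(port)
            detail = f"{port}/{proto} globally open" + (f" ({svc})" if svc else "")
            findings.append(("high" if svc else "medium", "open-port", detail))
            continue
        m = KEYWORD_URL.match(line)
        if m:
            host = _host(m.group(1))
            if not any(host == h or host.endswith("." + h) for h in KNOWN_SEARCH_HOSTS):
                findings.append(("high", "search-hijack", f"keyword.URL points at {host}"))
            continue
        m = WARN_PREF_OFF.search(line)
        if m:
            findings.append(("medium", "warning-silenced", f"{m.group(1)} set to false"))
            continue
        m = RUN_ENTRY.match(line)
        if m:
            name, target = m.group(1), m.group(2)
            if SPACE_BEFORE_EXT.search(target):
                findings.append(("high", "renamed-binary",
                                 f"{name}: space before extension in {target}"))
            elif target.startswith("\\\\"):
                findings.append(("medium", "run-from-share",
                                 f"{name}: autostart target on network share {target}"))
            continue
        m = RUN_VALUE_MISSING.match(line)
        if m:
            findings.append(("low", "run-target-missing",
                             f"{m.group(1)}: target file not found ([X])"))
    return findings


def summarize(findings):
    """Count findings per rule for a quick glance."""
    counts = {}
    for _sev, rule, _detail in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for sev, rule, detail in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {rule:20} {detail}")
```

Running it over the constructed sample reports eight findings across seven rules; the real log in the post trips the same rules. None of these lines proves an infection on its own, but together they describe a box whose host firewall is off, whose RDP port is exposed to whatever network it sits on, and whose browser has been quietly configured to route searches elsewhere and to stop warning about insecure pages.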
Old 06-01-2011, 12:48 PM   #14
Security Team
Analyst
 
Join Date: Jan 2008
Location: Queensland, Australia
Posts: 1,479
OS: XP SP3



Hi Steve,

We will need to run MBAM; it is a quick scanner which scans for active infections.
  • Please double-click the Malwarebytes' Anti-Malware icon to launch the program. Go to the Update tab, check for updates and download them.
  • Once the update is completed, go to the Scanner tab, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

--------

It's important to run an online scan to search for remnants. It can take some time to complete, so please be patient and allow it to run the full course.
Ensure your external and/or USB drives are inserted during the scan.
Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic and also let me know how things are now.

--------

Open the file below and post the contents of it:
c:\qoobox\ComboFix-quarantined-files.txt
__________________
Vick is offline   Reply With Quote
Old 06-02-2011, 08:35 PM   #15
Registered Member
 
Join Date: May 2011
Posts: 16
OS: windows xp



Vick,

Here are the requested files.

Anti-Malware
Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org
Database version: 6752
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13
6/1/2011 9:38:28 PM
mbam-log-2011-06-01 (21-38-27).txt
Scan type: Quick scan
Objects scanned: 198544
Time elapsed: 37 minute(s), 8 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)

ESET
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.5730.13 (longhorn(wmbla).070711-1130)
# OnlineScanner.ocx=1.0.0.6427
# api_version=3.0.2
# EOSSerial=4224bc7cb1dada418d33e7abbf1a65ea
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-05-07 07:27:44
# local_time=2011-05-07 12:27:44 (-0800, Pacific Daylight Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=3586 16764926 40 17 0 383878545 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=175574
# found=4
# cleaned=4
# scan_time=6182
C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\ASP161.tmp\aspapp\setup.exe probably a variant of Win32/Agent.JHVCYJA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\aol.xxx\Installers\ASP 2.0\setup.exe probably a variant of Win32/Agent.MWCCTSP trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{DED89458-4664-4E9E-A06C-E79B8636A708}\RP1024\A0342757.exe probably a variant of Win32/Agent.JHVCYJA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{DED89458-4664-4E9E-A06C-E79B8636A708}\RP1024\A0342758.exe probably a variant of Win32/Agent.MWCCTSP trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6427
# api_version=3.0.2
# EOSSerial=4224bc7cb1dada418d33e7abbf1a65ea
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-05-22 06:54:28
# local_time=2011-05-21 11:54:28 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=1024 16777215 100 0 28432 28432 0 0
# compatibility_mode=3586 16764926 40 17 452933 385123839 0 0
# compatibility_mode=8192 67108863 100 0 1159507 1159507 0 0
# scanned=176954
# found=3
# cleaned=3
# scan_time=11722
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AEQZ8O0H\index[1].htm JS/Kryptik.AI trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\$XNTUninstall643$\uolrq.dll a variant of Win32/Adware.Lifze.R application (cleaned by deleting (after the next restart) - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\Temp\mqkh\int5sd.exe a variant of Win32/Adware.Lifze.R application (deleted - quarantined) 00000000000000000000000000000000 C
# version=7
# iexplore.exe=7.00.5730.13 (longhorn(wmbla).070711-1130)
# OnlineScanner.ocx=1.0.0.6427
# api_version=3.0.2
# EOSSerial=4224bc7cb1dada418d33e7abbf1a65ea
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-06-02 11:47:07
# local_time=2011-06-02 04:47:07 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=1024 16777215 100 0 984056 984056 0 0
# compatibility_mode=3586 16764926 40 17 0 386079463 0 0
# compatibility_mode=8192 67108863 100 0 2115131 2115131 0 0
# scanned=169521
# found=4
# cleaned=0
# scan_time=24256
C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Application Data\Sun\kfb0.dll.vir a variant of Win32/AutoRun.Spy.Ambler.CR worm (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{DED89458-4664-4E9E-A06C-E79B8636A708}\RP1034\A0365980.exe a variant of Win32/Kryptik.OAU trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{DED89458-4664-4E9E-A06C-E79B8636A708}\RP1034\A0366989.dll a variant of Win32/Koblu.A trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{DED89458-4664-4E9E-A06C-E79B8636A708}\RP1039\A0373782.dll a variant of Win32/AutoRun.Spy.Ambler.CR worm (unable to clean) 00000000000000000000000000000000 I

ComboFix
2011-06-01 02:37:33 . 2011-06-01 02:37:33 80 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-Audit Wizard.reg.dat
2011-06-01 02:37:27 . 2011-06-01 02:37:27 80 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-UC_SMB.reg.dat
2011-06-01 02:37:27 . 2011-06-01 02:37:27 80 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-QCWLICON.reg.dat
2011-06-01 02:37:27 . 2011-06-01 02:37:27 80 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-QCTRAY.reg.dat
2011-05-31 02:09:28 . 2011-06-01 02:17:00 0 ----a-w- C:\Qoobox\Quarantine\catchme.txt
2011-05-29 23:29:47 . 2011-05-29 23:29:47 948 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-Port Magic.reg.dat
2011-05-29 23:27:23 . 2011-05-29 23:27:23 598 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Notify-itlntfy.reg.dat
2011-05-29 05:48:19 . 2011-05-29 05:48:19 2,350 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_NPF.reg.dat
2011-05-29 05:48:18 . 2011-05-29 05:48:18 3,346 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_itlperf.reg.dat
2011-05-29 05:48:17 . 2011-05-29 05:48:17 1,208 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_NPF.reg.dat
2011-05-29 05:48:17 . 2011-05-29 05:48:17 802 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_ITLPERF.reg.dat
2011-05-29 05:47:43 . 2011-06-01 02:28:57 17,180 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2011-05-29 05:15:18 . 2011-05-29 05:15:18 512 ----a-w- C:\Qoobox\Quarantine\MBR_HardDisk0.mbr
2011-05-29 05:03:09 . 2011-06-01 02:13:45 459 ----a-w- C:\Qoobox\Quarantine\catchme.log
2011-05-26 21:37:48 . 2011-05-26 21:37:48 112,128 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Application Data\Sun\kfb0.dll.vir
2011-05-08 03:09:12 . 2011-05-08 03:09:12 281,104 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\wpcap.dll.vir
2011-05-08 03:09:12 . 2011-05-08 03:09:12 100,880 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\Packet.dll.vir
2004-07-01 17:00:22 . 2010-12-30 04:35:26 4,232 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat.vir
2004-07-01 17:00:22 . 2010-12-30 04:35:26 5,874 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat.vir
__________________
stocktsi is offline   Reply With Quote
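The ESET output above is three scanner runs pasted back to back, each with its own "# found=" and "# cleaned=" header and a detection line per file. Reading it is easier once the detections are sorted by where the file actually sits: a hit under System Volume Information\_restore{...} is a copy inside a System Restore point, a hit under C:\Qoobox\Quarantine is something ComboFix has already isolated, and a hit in a Temporary Internet Files folder is cached page content; only hits elsewhere are on the live system. The parser below is an added example written for this thread, not ESET's code; it assumes the line shapes visible in the pasted log (path, threat name, parenthesised action, 32-hex digest, status letter), the location classes and the quarantine path are assumptions of mine, and SAMPLE_LOG is constructed to mirror the post.

```python
"""Parse ESET Online Scanner logs (several runs pasted together) and sort
the detections by where the file sits.

Added example for this thread; it is not ESET's code.  Line formats follow
the log pasted above; the location classes and SAMPLE_LOG are my own.
"""
import re

# Constructed sample: two runs, modelled on the detection lines in the post.
SAMPLE_LOG = """\
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# OnlineScanner.ocx=1.0.0.6427
# remove_checked=true
# utc_time=2011-05-22 06:54:28
# found=2
# cleaned=2
C:\\Documents and Settings\\NetworkService\\Local Settings\\Temporary Internet Files\\Content.IE5\\AEQZ8O0H\\index[1].htm JS/Kryptik.AI trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\\WINDOWS\\$XNTUninstall643$\\uolrq.dll a variant of Win32/Adware.Lifze.R application (cleaned by deleting (after the next restart) - quarantined) 00000000000000000000000000000000 C
# version=7
# remove_checked=false
# utc_time=2011-06-02 11:47:07
# found=3
# cleaned=0
C:\\Qoobox\\Quarantine\\C\\Documents and Settings\\Administrator\\Application Data\\Sun\\kfb0.dll.vir a variant of Win32/AutoRun.Spy.Ambler.CR worm (unable to clean) 00000000000000000000000000000000 I
C:\\System Volume Information\\_restore{DED89458-4664-4E9E-A06C-E79B8636A708}\\RP1034\\A0365980.exe a variant of Win32/Kryptik.OAU trojan (unable to clean) 00000000000000000000000000000000 I
C:\\WINDOWS\\Temp\\mqkh\\int5sd.exe a variant of Win32/Adware.Lifze.R application (unable to clean) 00000000000000000000000000000000 I
"""

HEADER = re.compile(r'^# (\w+)=(.*)$')
# Path (may contain spaces) followed by the threat phrase; the phrase always
# ends the string once the action group and digest have been stripped.
THREAT_SPLIT = re.compile(
    r'^(?P<path>.+?) (?P<threat>(?:probably )?(?:a variant of )?[\w.-]+/[\w.-]+ \w+)$')
HEX32 = re.compile(r'^[0-9a-fA-F]{32}$')


def classify(path):
    """Where the file sits; only 'live' paths are on the running system."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore-point"      # inert copy inside a System Restore point
    if p.startswith("c:\\qoobox\\quarantine"):
        return "quarantine"         # already isolated by ComboFix (assumed path)
    if "\\temporary internet files\\" in p:
        return "browser-cache"
    return "live"


def _split_action(s):
    """Split 'text (action)' where the action may itself contain parentheses."""
    depth = 0
    for i in range(len(s) - 1, -1, -1):
        if s[i] == ")":
            depth += 1
        elif s[i] == "(":
            depth -= 1
            if depth == 0:
                return s[:i].rstrip(), s[i + 1:-1]
    raise ValueError("no action group in: " + s)


def parse_detection(line):
    head, digest, status = line.rsplit(" ", 2)
    if not HEX32.match(digest) or not head.endswith(")"):
        return None
    before, action = _split_action(head)
    m = THREAT_SPLIT.match(before)
    if not m:
        return None
    path = m.group("path")
    return {"path": path, "threat": m.group("threat"), "action": action,
            "status": status, "location": classify(path)}


def parse_reports(text):
    """One dict per '# version=' block, with its headers and parsed detections."""
    reports = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        h = HEADER.match(line)
        if h:
            if h.group(1) == "version":
                reports.append({"meta": {}, "detections": []})
            if reports:
                reports[-1]["meta"][h.group(1)] = h.group(2)
            continue
        if reports and line[1:3] == ":\\":      # drive-letter path: a detection line
            d = parse_detection(line)
            if d:
                reports[-1]["detections"].append(d)
    for r in reports:
        meta, dets = r["meta"], r["detections"]
        uncleaned = [d for d in dets if d["action"].startswith("unable to clean")]
        # Cross-check the scanner's own counters against the lines we parsed.
        r["consistent"] = (int(meta.get("found", -1)) == len(dets)
                           and int(meta.get("cleaned", -1)) == len(dets) - len(uncleaned))
        r["live_uncleaned"] = [d["path"] for d in uncleaned if d["location"] == "live"]
    return reports


if __name__ == "__main__":
    for r in parse_reports(SAMPLE_LOG):
        print(r["meta"].get("utc_time"), "consistent:", r["consistent"])
        for d in r["detections"]:
            print(f"  [{d['location']:13}] {d['threat']}  ({d['action']})")
        print("  live and not cleaned:", r["live_uncleaned"])
```

The "live_uncleaned" list is the one that matters for follow-up: in the constructed sample it holds only the file in C:\WINDOWS\Temp, while the quarantine and restore-point hits are copies that go away when the quarantine folder is removed and the restore points are purged. The "consistent" flag catches a pasted log whose "# found=" count does not match the lines under it, which happens when lines are lost in copy-and-paste.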
Old 06-03-2011, 04:55 PM   #16
Security Team
Analyst
 
Join Date: Jan 2008
Location: Queensland, Australia
Posts: 1,479
OS: XP SP3



Hi Steve,

Qoobox is ComboFix's quarantine folder. System Volume Information is where Windows keeps old system restore points. Both will get deleted when we uninstall ComboFix.

Your log looks much better now. You were infected with a variant called Unruy. This infection patches itself into legit files and runs on every startup. During our fix, we managed to restore almost all files except the following, as no clean copies were available on your system:
c:\program files\ThinkPad\ConnectUtilities\QCTRAY.exe
c:\program files\ThinkPad\ConnectUtilities\QCWLICON.exe


QCTRAY.exe - I personally think this file is not essential on your system. However, the choice is yours. Details on this file are located here
QCWLICON.exe - This file is to show the status of the wireless connection. Refer here for details.

If you'd like to replace those, see if you can find them at Lenovo support.

-----------

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of the Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 25 and save it to your desktop.
  • Scroll down to where it says JDK 6 Update 25 (JDK or JRE)
  • Click the Download JRE button to the right
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6u25 with JavaFX 1 License Agreement". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u23-windows-i586.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
        Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

------------

Please advise us how your system behaves now.
__________________
Vick is offline   Reply With Quote
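The removal step above asks you to find every Add/Remove Programs entry whose name marks it as a Java runtime (JRE, J2SE, Java(TM) 6) and remove the ones older than the release being installed. The script below does that selection automatically: it reads the version out of the display name (the DDS log shows jre1.5.0_06 on this machine, which is Java 5 Update 6) and lists every Java entry older than a target such as 6 Update 25. It is an added example written for this thread, not Oracle's or the forum's code; the registry walk under the standard Uninstall key only runs on Windows, the display-name patterns are those I know Sun/Oracle used, and SAMPLE_ENTRIES is a constructed list used for a dry run on any other system.

```python
"""List installed Java runtimes and pick out those older than the release
you are about to install.

Added example for the update procedure above; not from the thread or from
Oracle.  The version is read from the Add/Remove Programs display name
(e.g. "Java(TM) 6 Update 25").  The registry walk runs only on Windows;
elsewhere the constructed SAMPLE_ENTRIES list is used.
"""
import re
import sys

# Display names of the shape seen in Add/Remove Programs (constructed sample).
SAMPLE_ENTRIES = [
    "J2SE Runtime Environment 5.0 Update 6",
    "Java(TM) SE Runtime Environment 6 Update 1",
    "Java(TM) 6 Update 25",
    "Java Auto Updater",
    "Mozilla Firefox (3.6.17)",
]

# Runtime/JDK names Sun and Oracle used; the lookahead rejects things like
# "Java 3D 1.5.2" that start with "Java" but are not the runtime.
JAVA_NAME = re.compile(
    r"^(?:J2SE Runtime Environment|Java\(TM\)(?: SE (?:Runtime Environment|Development Kit))?|Java)"
    r"\s+(\d+)(?:\.\d+)?(?:\s+Update\s+(\d+))?(?=\s*(?:\(|$))",
    re.IGNORECASE)


def java_version(display_name):
    """Return (family, update) for a Java runtime/JDK entry, else None."""
    m = JAVA_NAME.match(display_name)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2) or 0)


def stale_java(display_names, target):
    """Display names of Java entries older than target=(family, update).

    These are the entries to remove before installing the target release;
    tuple comparison orders (5, 6) < (6, 1) < (6, 25)."""
    stale = []
    for name in display_names:
        v = java_version(name)
        if v is not None and v < target:
            stale.append(name)
    return stale


def installed_programs():
    """DisplayName of every entry under the machine-wide Uninstall key.

    Windows only (assumed standard path); returns the sample list elsewhere."""
    if sys.platform != "win32":
        return list(SAMPLE_ENTRIES)
    import winreg
    names = []
    root = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, root) as key:
        for i in range(winreg.QueryInfoKey(key)[0]):
            try:
                with winreg.OpenKey(key, winreg.EnumKey(key, i)) as sub:
                    names.append(winreg.QueryValueEx(sub, "DisplayName")[0])
            except OSError:
                continue      # entry without a DisplayName, or not readable
    return names


if __name__ == "__main__":
    target = (6, 25)          # the release the post tells you to install
    for name in stale_java(installed_programs(), target):
        print("remove:", name)
```

On the constructed sample the two entries flagged are "J2SE Runtime Environment 5.0 Update 6" and "Java(TM) SE Runtime Environment 6 Update 1"; the 6 Update 25 entry is left alone and "Java Auto Updater" is not a runtime, so it is ignored. The script only reports; removal still goes through Add or Remove Programs as described above.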
Old 06-05-2011, 08:54 PM   #17
Registered Member
 
Join Date: May 2011
Posts: 16
OS: windows xp



Vick,

Things are looking pretty good, thanks. The one thing that's still happening is that I get a couple of PortMagic corrupt errors when I boot up. I don't think I really need it any more and might try to uninstall it. I don't see it on Add/Remove Programs, but it must be there somewhere. I'm not seeing any of the other issues I was originally getting.

As for the 2 lenovo files you mentioned, I don't think I need either one. Can they just be deleted?

Thanks again for your help!!!!
Steve
__________________
stocktsi is offline   Reply With Quote
Old 06-06-2011, 12:40 PM   #18
Security Team
Analyst
 
Join Date: Jan 2008
Location: Queensland, Australia
Posts: 1,479
OS: XP SP3



Hi Steve,

Please provide us with more info on the error.
Something like screenshot of the error or type the error message on here.
__________________
Vick is offline   Reply With Quote
Old 06-07-2011, 10:43 PM   #19
Registered Member
 
Join Date: May 2011
Posts: 16
OS: windows xp



Vick,

Screenshot of error attached.

-Steve
Attached Images
 
__________________
stocktsi is offline   Reply With Quote
Old 06-08-2011, 12:38 PM   #20
Security Team
Analyst
 
Join Date: Jan 2008
Location: Queensland, Australia
Posts: 1,479
OS: XP SP3



Hi Steve,

Let's use Revo Uninstaller to remove Port Magic.

Please download the 30-day trial version of Revo Uninstaller and save it to your desktop. Double-click the saved file to install the program.

Double-click the program to run it; it will list all the programs from Add/Remove Programs. Select:
Pure Networks Port Magic

Click Uninstall and follow the prompts. Remove all the left over files, folders and registry items.

Reboot and check whether you still receive the error.

__________________
Vick is offline   Reply With Quote
Copyright 2001 - 2014, Tech Support Forum